
Malwarebytes won't load in normal or safe mode - attempted multiple downloads, uninstalls/reinstalls and renames of the executables with no difference

DDS (Ver_09-12-01.01) - NTFSx86

Run by home at 14:40:40.92 on Wed 02/10/2010

Internet Explorer: 8.0.6001.18702

Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.2039.1568 [GMT -5:00]

AV: avast! Antivirus *On-access scanning enabled* (Updated) {7591DB91-41F0-48A3-B128-1A293FD8233D}

============== Running Processes ===============

C:\WINDOWS\system32\savedump.exe

C:\WINDOWS\system32\svchost -k DcomLaunch

svchost.exe

C:\WINDOWS\System32\svchost.exe -k netsvcs

svchost.exe

svchost.exe

C:\Program Files\Alwil Software\Avast5\AvastSvc.exe

C:\WINDOWS\Explorer.EXE

C:\WINDOWS\system32\spoolsv.exe

C:\WINDOWS\RTHDCPL.EXE

C:\WINDOWS\system32\igfxtray.exe

svchost.exe

C:\WINDOWS\system32\igfxsrvc.exe

C:\Program Files\Elantech\ETDCtrl.exe

C:\Program Files\Elantech\ETDDect.exe

C:\Program Files\EeePC\ACPI\AsTray.exe

C:\Program Files\EeePC\ACPI\AsAcpiSvr.exe

C:\Program Files\EeePC\ACPI\AsEPCMon.exe

C:\PROGRA~1\ALWILS~1\Avast5\avastUI.exe

C:\Program Files\Common Files\InterVideo\RegMgr\iviRegMgr.exe

C:\WINDOWS\system32\igfxext.exe

C:\Program Files\Palm, Inc\novacom\x86\novacomd.exe

C:\WINDOWS\system32\ctfmon.exe

C:\Program Files\ASUS\EeePC\Super Hybrid Engine\SuperHybridEngine.exe

C:\Program Files\OpenSSH\bin\cygrunsrv.exe

C:\Program Files\SpoonProxy\spserv.exe

C:\Program Files\SpoonProxy\proxy.exe

C:\WINDOWS\system32\svchost.exe -k imgsvc

C:\Program Files\OpenSSH\usr\sbin\sshd.exe

C:\Documents and Settings\home\My Documents\Downloads\Defogger.exe

C:\Documents and Settings\home\Local Settings\Application Data\Google\Chrome\Application\chrome.exe

C:\Program Files\Internet Explorer\IEXPLORE.EXE

C:\Program Files\Internet Explorer\IEXPLORE.EXE

C:\Program Files\Windows Live Toolbar\msn_sl.exe

C:\Documents and Settings\home\Local Settings\Application Data\Google\Chrome\Application\chrome.exe

C:\Documents and Settings\home\My Documents\Downloads\dds.scr

============== Pseudo HJT Report ===============

uStart Page = hxxp://eeepc.asus.com/global

BHO: Adobe PDF Reader Link Helper: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelper.dll

BHO: AVG Safe Search: {3ca2f312-6f6e-4b53-a66e-4e65e497c8c0} - c:\program files\avg\avg9\avgssie.dll

BHO: ADC PlugIn: {77dc0baa-3235-4ba9-8be8-aa9eb678fa02} - c:\program files\adc32.dll

BHO: {7E853D72-626A-48EC-A868-BA8D5E23E045} - No File

BHO: Windows Live Sign-in Helper: {9030d464-4c02-4abf-8ecc-5164760863c6} - c:\program files\common files\microsoft shared\windows live\WindowsLiveLogin.dll

BHO: AVG Security Toolbar BHO: {a3bc75a2-1f87-4686-aa43-5347d756017c} - c:\program files\avg\avg9\toolbar\IEToolbar.dll

BHO: Windows Live Toolbar Helper: {bdbd1dad-c946-4a17-adc1-64b5b4ff55d0} - c:\program files\windows live toolbar\msntb.dll

BHO: 1 (0x1) - No File

TB: Windows Live Toolbar: {bdad1dad-c946-4a17-adc1-64b5b4ff55d0} - c:\program files\windows live toolbar\msntb.dll

TB: AVG Security Toolbar: {ccc7a320-b3ca-4199-b1a6-9f516dd69829} - c:\program files\avg\avg9\toolbar\IEToolbar.dll

uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe

mRun: [RTHDCPL] RTHDCPL.EXE

mRun: [Alcmtr] ALCMTR.EXE

mRun: [igfxTray] c:\windows\system32\igfxtray.exe

mRun: [HotKeysCmds] c:\windows\system32\hkcmd.exe

mRun: [Persistence] c:\windows\system32\igfxpers.exe

mRun: [ETDWare] c:\program files\elantech\ETDCtrl.exe

mRun: [ETDWareDetect] c:\program files\elantech\ETDDect.exe

mRun: [AsusTray] c:\program files\eeepc\acpi\AsTray.exe

mRun: [AsusACPIServer] c:\program files\eeepc\acpi\AsAcpiSvr.exe

mRun: [AsusEPCMonitor] c:\program files\eeepc\acpi\AsEPCMon.exe

mRun: [avast5] c:\progra~1\alwils~1\avast5\avastUI.exe /nogui

mRun: [mepapirol] Rundll32.exe "c:\windows\system32\getovojo.dll",a

StartupFolder: c:\docume~1\home\startm~1\programs\startup\shortc~1.lnk - c:\documents and settings\home\proxy.bat

StartupFolder: c:\docume~1\home\startm~1\programs\startup\spoonp~1.lnk - c:\program files\spoonproxy\proxy.exe

StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\superh~1.lnk - c:\program files\asus\eeepc\super hybrid engine\SuperHybridEngine.exe

IE: &Windows Live Search - c:\program files\windows live toolbar\msntb.dll/search.htm

IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe

IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe

IE: {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - {5F7B1267-94A9-47F5-98DB-E99415F33AEC} - c:\program files\windows live\writer\WriterBrowserExtension.dll

DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} - hxxp://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1240285653753

DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} - hxxp://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1240285575840

DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab

Notify: igfxcui - igfxdev.dll

AppInit_DLLs: hiwumeku.dll c:\windows\system32\nutuhunu.dll c:\windows\system32\getovojo.dll

SSODL: muviwahur - {1f12919b-0b15-4ba3-8c8d-c850af005fc9} - c:\windows\system32\nutuhunu.dll

SSODL: telewutid - {79cb94fc-8e07-4c95-9422-08bd92bf0220} - c:\windows\system32\getovojo.dll

STS: kupuhivus: {1f12919b-0b15-4ba3-8c8d-c850af005fc9} - c:\windows\system32\nutuhunu.dll

STS: mujuzedij: {79cb94fc-8e07-4c95-9422-08bd92bf0220} - c:\windows\system32\getovojo.dll

LSA: Notification Packages = scecli buyenayo.dll

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\home\applic~1\mozilla\firefox\profiles\esew4pu7.default\

FF - prefs.js: browser.search.selectedEngine - Google

FF - prefs.js: keyword.URL - hxxp://us.yhs.search.yahoo.com/avg/search?fr=yhs-avg&type=yahoo_avg_hs2-tb-web_us&p=

FF - component: c:\documents and settings\home\application data\mozilla\firefox\profiles\esew4pu7.default\extensions\{e001c731-5e37-4538-a5cb-8168736a2360}\components\bdqscan.dll

FF - plugin: c:\documents and settings\home\application data\mozilla\firefox\profiles\esew4pu7.default\extensions\{e001c731-5e37-4538-a5cb-8168736a2360}\plugins\npqscan.dll

FF - plugin: c:\documents and settings\home\local settings\application data\google\update\1.2.183.13\npGoogleOneClick8.dll

FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\microsoft.net\framework\v3.5\windows presentation foundation\dotnetassistantextension\

---- FIREFOX POLICIES ----

c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl3.rsa_seed_sha", true);

============= SERVICES / DRIVERS ===============

R1 aswSP;aswSP;c:\windows\system32\drivers\aswSP.sys [2010-2-7 163280]

R2 aswFsBlk;aswFsBlk;c:\windows\system32\drivers\aswFsBlk.sys [2010-2-7 19024]

R2 avast! Antivirus;avast! Antivirus;c:\program files\alwil software\avast5\AvastSvc.exe [2010-2-7 40384]

R2 NovacomD;Palm Novacom;c:\program files\palm, inc\novacom\x86\novacomd.exe [2009-7-2 30720]

R2 OpenSSHd;OpenSSH Server;c:\program files\openssh\bin\cygrunsrv.exe [2004-4-18 36864]

R2 spserv;SpoonProxy;c:\program files\spoonproxy\spserv.exe [2001-7-1 61440]

R3 avast! Mail Scanner;avast! Mail Scanner;c:\program files\alwil software\avast5\AvastSvc.exe [2010-2-7 40384]

R3 avast! Web Scanner;avast! Web Scanner;c:\program files\alwil software\avast5\AvastSvc.exe [2010-2-7 40384]

S3 RT80x86;Ralink 802.11n Wireless Driver;c:\windows\system32\drivers\rt2860.sys [2008-9-11 625024]

=============== Created Last 30 ================

2010-02-09 07:34:44 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys

2010-02-09 07:34:41 19160 ----a-w- c:\windows\system32\drivers\mbam.sys

2010-02-09 07:25:56 0 d-----w- c:\docume~1\alluse~1\applic~1\Malwarebytes

2010-02-09 07:04:54 0 ----a-w- c:\documents and settings\home\defogger_reenable

2010-02-08 19:19:43 0 d-----w- c:\program files\Malwarebytes' Anti-Malware

2010-02-08 19:13:16 0 d-----w- c:\docume~1\home\applic~1\Malwarebytes

2010-02-08 19:07:58 268 ---ha-w- C:\sqmdata13.sqm

2010-02-08 19:07:58 244 ---ha-w- C:\sqmnoopt13.sqm

2010-02-08 18:57:36 39424 --sh--w- c:\windows\system32\ravebavi.dll

2010-02-08 17:18:19 61440 ----a-w- c:\windows\system32\reforola.dll

2010-02-07 19:22:06 0 d-----w- c:\docume~1\alluse~1\applic~1\Alwil Software

2010-02-07 19:13:37 1530 ----a-w- C:\Your PC Protector.lnk

2010-02-07 19:13:34 0 d-----w- C:\Your PC Protector

2010-02-07 19:01:57 268 ---ha-w- C:\sqmdata12.sqm

2010-02-07 19:01:57 244 ---ha-w- C:\sqmnoopt12.sqm

2010-02-07 18:54:36 0 d-----w- c:\program files\schtml

2010-02-07 18:50:15 962560 ----a-w- c:\program files\adc32.dll

2010-02-07 18:50:06 56 ----a-w- c:\program files\wp4.dat

2010-02-07 18:50:06 4 ----a-w- c:\program files\wp3.dat

2010-02-07 18:50:06 36 ----a-w- c:\program files\skynet.dat

2010-02-07 18:49:57 0 d-----w- c:\program files\Your PC Protector

2010-01-31 17:19:42 268 ---ha-w- C:\sqmdata11.sqm

2010-01-31 17:19:42 244 ---ha-w- C:\sqmnoopt11.sqm

2010-01-30 20:37:48 268 ---ha-w- C:\sqmdata10.sqm

2010-01-30 20:37:48 244 ---ha-w- C:\sqmnoopt10.sqm

2010-01-30 20:21:32 0 d--h--w- C:\$AVG

2010-01-30 20:20:46 0 d-----w- c:\program files\AVG

2010-01-30 20:20:44 0 d-----w- c:\docume~1\alluse~1\applic~1\avg9

2010-01-30 20:01:52 0 d-----w- c:\docume~1\home\applic~1\QuickScan

2010-01-30 17:25:47 268 ---ha-w- C:\sqmdata09.sqm

2010-01-30 17:25:47 244 ---ha-w- C:\sqmnoopt09.sqm

2010-01-30 08:14:22 268 ---ha-w- C:\sqmdata08.sqm

2010-01-30 08:14:22 244 ---ha-w- C:\sqmnoopt08.sqm

2010-01-30 00:26:41 268 ---ha-w- C:\sqmdata07.sqm

2010-01-30 00:26:41 244 ---ha-w- C:\sqmnoopt07.sqm

2010-01-29 23:46:08 268 ---ha-w- C:\sqmdata06.sqm

2010-01-29 23:46:08 244 ---ha-w- C:\sqmnoopt06.sqm

2010-01-29 22:50:58 268 ---ha-w- C:\sqmdata05.sqm

2010-01-29 22:50:58 244 ---ha-w- C:\sqmnoopt05.sqm

2010-01-29 18:37:02 268 ---ha-w- C:\sqmdata04.sqm

2010-01-29 18:37:02 244 ---ha-w- C:\sqmnoopt04.sqm

2010-01-18 17:19:32 268 ---ha-w- C:\sqmdata03.sqm

2010-01-18 17:19:32 244 ---ha-w- C:\sqmnoopt03.sqm

2010-01-18 00:34:38 244 ---ha-w- C:\sqmnoopt02.sqm

2010-01-18 00:34:38 232 ---ha-w- C:\sqmdata02.sqm

==================== Find3M ====================

2010-02-07 18:50:11 9 ----a-w- c:\program files\nuar.old

2010-01-04 04:55:20 11 ----a-w- c:\documents and settings\home\restart.bat

2010-01-04 04:48:45 77 ----a-w- c:\documents and settings\home\proxy.bat

2009-12-21 19:14:05 916480 ----a-w- c:\windows\system32\wininet.dll

2009-12-19 20:26:34 56816 ----a-w- c:\windows\system32\drivers\avgntflt.sys

2008-05-07 23:34:00 15523560 ----a-w- c:\program files\Install AiGuruU1 Skype Phone.exe

1601-01-01 00:03:52 53760 --sha-w- c:\windows\system32\buyenayo.dll

1601-01-01 00:03:28 93696 --sha-w- c:\windows\system32\getovojo.dll

1601-01-01 00:03:52 53760 --sha-w- c:\windows\system32\hiwumeku.dll

1601-01-01 00:03:28 39424 --sha-w- c:\windows\system32\hukubuhu.dll

1601-01-01 00:03:28 93696 --sha-w- c:\windows\system32\kirasahi.dll

1601-01-01 00:03:28 39424 --sha-w- c:\windows\system32\leheziti.dll

1601-01-01 00:03:28 53760 --sha-w- c:\windows\system32\nadejafi.dll

1601-01-01 00:03:28 39424 --sha-w- c:\windows\system32\nadusajo.dll

1601-01-01 00:03:28 39424 --sha-w- c:\windows\system32\vujigami.dll

1601-01-01 00:03:52 53760 --sha-w- c:\windows\system32\vulademu.dll

============= FINISH: 14:41:20.68 ===============

attach.zip.zip


  • Staff

Hi,

Please try this version of Malwarebytes: Click the link here

Save it on your desktop. You'll see it will have a random name, and will look similar to this: mbamrandom.gif

Double-click on it, so it will extract the files and will start Malwarebytes automatically.

In case the installer (random named file) won't run either, rename it to firefox.exe and try again.

When Malwarebytes opens, click the "Update" tab FIRST and select to check for updates in order to get the latest updates.

In case Malwarebytes doesn't open, search for the folder mbam-installer on your desktop, open it and double-click the file winlogon.exe which will be present in there. This should launch Malwarebytes.

In case that won't work either, also rename that file to firefox.exe instead.

Then perform a scan and let it remove what it found. Reboot afterwards (important).

After reboot, post the Malwarebytes log together with a new HijackThis log.

In case you're having problems with the above instructions, let me know.


Thank you very much for the help. I let the executable you provided execute and remove the items it found. I then let it reboot and ran HijackThis.

Two MBAM logs were generated; I'll post them in order of generation, separated by =======================

HijackThis log &&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&

Everything is running very smoothly now. For transparency, this netbook was acting as a proxy server and I let one not-savvy-enough user have access; my suspicion is that data from a shady site passed through. I was running Avira at the time of the virus but now have Avast (free) installed. Kaspersky is on my main PC and I'd welcome any advice you might have on the most appropriate (efficient) yet effective security for a netbook. Thanks for your help!!!

Malwarebytes' Anti-Malware 1.44

Database version: 3730

Windows 5.1.2600 Service Pack 3

Internet Explorer 8.0.6001.18702

2/12/2010 11:22:41 AM

mbam-log-2010-02-12 (11-22-31).txt

Scan type: Full Scan (C:\|D:\|)

Objects scanned: 148884

Time elapsed: 56 minute(s), 13 second(s)

Memory Processes Infected: 0

Memory Modules Infected: 2

Registry Keys Infected: 5

Registry Values Infected: 3

Registry Data Items Infected: 3

Folders Infected: 5

Files Infected: 76

Memory Processes Infected:

(No malicious items detected)

Memory Modules Infected:

c:\WINDOWS\system32\depopuho.dll (Trojan.Vundo.H) -> No action taken.

c:\WINDOWS\system32\yozuyosa.dll (Trojan.Vundo.H) -> No action taken.

Registry Keys Infected:

HKEY_CLASSES_ROOT\CLSID\{05c75b6f-2dd5-4a50-8e46-da50ff129f35} (Trojan.Vundo.H) -> No action taken.

HKEY_CLASSES_ROOT\CLSID\{77dc0baa-3235-4ba9-8be8-aa9eb678fa02} (Rogue.ASCAntispyware) -> No action taken.

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{77dc0baa-3235-4ba9-8be8-aa9eb678fa02} (Rogue.ASCAntispyware) -> No action taken.

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Settings\{77dc0baa-3235-4ba9-8be8-aa9eb678fa02} (Rogue.ASCAntispyware) -> No action taken.

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_ADBUPD (Trojan.Agent) -> No action taken.

Registry Values Infected:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\mepapirol (Trojan.Vundo.H) -> No action taken.

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SharedTaskScheduler\{05c75b6f-2dd5-4a50-8e46-da50ff129f35} (Trojan.Vundo.H) -> No action taken.

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\depomimeh (Trojan.Vundo.H) -> No action taken.

Registry Data Items Infected:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\AppInit_DLLs (Trojan.Vundo.H) -> Data: c:\windows\system32\yozuyosa.dll -> No action taken.

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\AppInit_DLLs (Trojan.Vundo.H) -> Data: system32\yozuyosa.dll -> No action taken.

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\UpdatesDisableNotify (Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> No action taken.

Folders Infected:

C:\Documents and Settings\home\Start Menu\Programs\Your PC Protector (Rogue.YourPCProtector) -> No action taken.

C:\Program Files\Your PC Protector (Rogue.YourPCProtector) -> No action taken.

C:\Program Files\schtml (Rogue.YourPCProtector) -> No action taken.

C:\Program Files\schtml\images (Rogue.YourPCProtector) -> No action taken.

C:\Your PC Protector (Rogue.PcProtector) -> No action taken.

Files Infected:

C:\WINDOWS\system32\depopuho.dll (Trojan.Vundo.H) -> No action taken.

C:\WINDOWS\system32\dorizala.dll (Trojan.Vundo.H) -> No action taken.

C:\WINDOWS\system32\gidahumu.dll (Trojan.Vundo.H) -> No action taken.

C:\WINDOWS\system32\hukubuhu.dll (Trojan.Vundo.H) -> No action taken.

C:\WINDOWS\system32\kirasahi.dll (Trojan.Vundo.H) -> No action taken.

C:\WINDOWS\system32\leheziti.dll (Trojan.Vundo.H) -> No action taken.

C:\WINDOWS\system32\mikolobe.dll (Trojan.Vundo.H) -> No action taken.

C:\WINDOWS\system32\nadejafi.dll (Trojan.Vundo.H) -> No action taken.

C:\WINDOWS\system32\nadusajo.dll (Trojan.Vundo.H) -> No action taken.

C:\WINDOWS\system32\negokofi.dll (Trojan.Vundo.H) -> No action taken.

C:\WINDOWS\system32\rahobofo.dll (Trojan.Vundo.H) -> No action taken.

C:\WINDOWS\system32\ravebavi.dll (Trojan.Vundo.H) -> No action taken.

C:\WINDOWS\system32\vujigami.dll (Trojan.Vundo.H) -> No action taken.

C:\WINDOWS\system32\yiriyidi.dll (Trojan.Vundo.H) -> No action taken.

C:\WINDOWS\system32\yozuyosa.dll (Trojan.Vundo.H) -> No action taken.

C:\Documents and Settings\home\Local Settings\Temporary Internet Files\Content.IE5\PGUNUWIW\default[1].htm (Trojan.Vundo.H) -> No action taken.

C:\Documents and Settings\home\Local Settings\Temporary Internet Files\Content.IE5\PGUNUWIW\BHOQS2lloHLBnBRDWZrZET0rHr2JTFeCHNA7AVSoeBDlw1fNRByx_062EtP5j691QTn3QUoLnkJNdQnU94Ifp_V4QU0FoK3fs8_bUcH9ZN2aL4UKoOidg_jhHzgEr4kd-RKyJ2NwwEk6bROkhGBursypRD5MTRA[1].htm (Trojan.Vundo.Gen) -> No action taken.

C:\Program Files\VideoLAN\VLC\plugins\libaccess_output_http_plugin.dll (Trojan.Exploit) -> No action taken.

C:\Program Files\VideoLAN\VLC\plugins\libmemcpymmxext_plugin.dll (Trojan.Exploit) -> No action taken.

C:\Program Files\VideoLAN\VLC\plugins\libcolorthres_plugin.dll (Trojan.Exploit) -> No action taken.

C:\Program Files\VideoLAN\VLC\plugins\libdtssys_plugin.dll (Trojan.Exploit) -> No action taken.

C:\Program Files\VideoLAN\VLC\plugins\libi422_i420_plugin.dll (Trojan.Exploit) -> No action taken.

C:\Program Files\VideoLAN\VLC\plugins\libimage_plugin.dll (Trojan.Exploit) -> No action taken.

C:\Program Files\VideoLAN\VLC\plugins\libmemcpy3dn_plugin.dll (Trojan.Exploit) -> No action taken.

C:\Program Files\VideoLAN\VLC\plugins\libmemcpymmx_plugin.dll (Trojan.Exploit) -> No action taken.

C:\Program Files\VideoLAN\VLC\plugins\libntservice_plugin.dll (Trojan.Exploit) -> No action taken.

C:\Program Files\VideoLAN\VLC\plugins\libquicktime_plugin.dll (Trojan.Exploit) -> No action taken.

C:\Program Files\VideoLAN\VLC\plugins\libsimple_channel_mixer_plugin.dll (Trojan.Exploit) -> No action taken.

C:\Program Files\VideoLAN\VLC\plugins\libstream_out_es_plugin.dll (Trojan.Exploit) -> No action taken.

C:\System Volume Information\_restore{70FD1DB3-E30F-48EC-ABEA-2DE81F03A8C6}\RP103\A0021308.dll (Trojan.Vundo.Gen) -> No action taken.

C:\System Volume Information\_restore{70FD1DB3-E30F-48EC-ABEA-2DE81F03A8C6}\RP103\A0021356.dll (Trojan.Vundo.Gen) -> No action taken.

C:\System Volume Information\_restore{70FD1DB3-E30F-48EC-ABEA-2DE81F03A8C6}\RP105\A0025534.dll (Trojan.Vundo.Gen) -> No action taken.

C:\System Volume Information\_restore{70FD1DB3-E30F-48EC-ABEA-2DE81F03A8C6}\RP105\A0025539.dll (Trojan.Vundo.H) -> No action taken.

C:\System Volume Information\_restore{70FD1DB3-E30F-48EC-ABEA-2DE81F03A8C6}\RP105\A0025540.dll (Trojan.Vundo.H) -> No action taken.

C:\System Volume Information\_restore{70FD1DB3-E30F-48EC-ABEA-2DE81F03A8C6}\RP105\A0025541.dll (Trojan.Vundo.H) -> No action taken.

C:\System Volume Information\_restore{70FD1DB3-E30F-48EC-ABEA-2DE81F03A8C6}\RP105\A0025550.dll (Trojan.FakeAlert) -> No action taken.

C:\System Volume Information\_restore{70FD1DB3-E30F-48EC-ABEA-2DE81F03A8C6}\RP105\A0025597.dll (Trojan.Vundo.H) -> No action taken.

C:\System Volume Information\_restore{70FD1DB3-E30F-48EC-ABEA-2DE81F03A8C6}\RP105\A0025598.dll (Trojan.Vundo.H) -> No action taken.

C:\WINDOWS\system32\trz4.tmp (Trojan.Vundo.H) -> No action taken.

C:\WINDOWS\system32\vulademu.dll.tmp (Trojan.Vundo.H) -> No action taken.

C:\WINDOWS\system32\buyenayo.dll.tmp (Trojan.Vundo.H) -> No action taken.

C:\WINDOWS\system32\hiwumeku.dll.tmp (Trojan.Vundo.H) -> No action taken.

C:\Documents and Settings\home\Start Menu\Programs\Your PC Protector\Your PC Protector.lnk (Rogue.YourPCProtector) -> No action taken.

C:\Program Files\schtml\wispex.html (Rogue.YourPCProtector) -> No action taken.

C:\Program Files\schtml\images\i1.gif (Rogue.YourPCProtector) -> No action taken.

C:\Program Files\schtml\images\i2.gif (Rogue.YourPCProtector) -> No action taken.

C:\Program Files\schtml\images\i3.gif (Rogue.YourPCProtector) -> No action taken.

C:\Program Files\schtml\images\j1.gif (Rogue.YourPCProtector) -> No action taken.

C:\Program Files\schtml\images\j2.gif (Rogue.YourPCProtector) -> No action taken.

C:\Program Files\schtml\images\j3.gif (Rogue.YourPCProtector) -> No action taken.

C:\Program Files\schtml\images\jj1.gif (Rogue.YourPCProtector) -> No action taken.

C:\Program Files\schtml\images\jj2.gif (Rogue.YourPCProtector) -> No action taken.

C:\Program Files\schtml\images\jj3.gif (Rogue.YourPCProtector) -> No action taken.

C:\Program Files\schtml\images\l1.gif (Rogue.YourPCProtector) -> No action taken.

C:\Program Files\schtml\images\l2.gif (Rogue.YourPCProtector) -> No action taken.

C:\Program Files\schtml\images\l3.gif (Rogue.YourPCProtector) -> No action taken.

C:\Program Files\schtml\images\pix.gif (Rogue.YourPCProtector) -> No action taken.

C:\Program Files\schtml\images\t1.gif (Rogue.YourPCProtector) -> No action taken.

C:\Program Files\schtml\images\t2.gif (Rogue.YourPCProtector) -> No action taken.

C:\Program Files\schtml\images\Thumbs.db (Rogue.YourPCProtector) -> No action taken.

C:\Program Files\schtml\images\up1.gif (Rogue.YourPCProtector) -> No action taken.

C:\Program Files\schtml\images\up2.gif (Rogue.YourPCProtector) -> No action taken.

C:\Program Files\schtml\images\w1.gif (Rogue.YourPCProtector) -> No action taken.

C:\Program Files\schtml\images\w11.gif (Rogue.YourPCProtector) -> No action taken.

C:\Program Files\schtml\images\w2.gif (Rogue.YourPCProtector) -> No action taken.

C:\Program Files\schtml\images\w3.gif (Rogue.YourPCProtector) -> No action taken.

C:\Program Files\schtml\images\w3.jpg (Rogue.YourPCProtector) -> No action taken.

C:\Program Files\schtml\images\word.doc (Rogue.YourPCProtector) -> No action taken.

C:\Program Files\schtml\images\wt1.gif (Rogue.YourPCProtector) -> No action taken.

C:\Program Files\schtml\images\wt2.gif (Rogue.YourPCProtector) -> No action taken.

C:\Program Files\schtml\images\wt3.gif (Rogue.YourPCProtector) -> No action taken.

C:\Your PC Protector\Your PC Protector.lnk (Rogue.PcProtector) -> No action taken.

C:\Your PC Protector.lnk (Rogue.PcProtector) -> No action taken.

C:\Program Files\nuar.old (Malware.Trace) -> No action taken.

C:\Program Files\wp3.dat (Malware.Trace) -> No action taken.

C:\Program Files\wp4.dat (Malware.Trace) -> No action taken.

======================================================================

Malwarebytes' Anti-Malware 1.44

Database version: 3730

Windows 5.1.2600 Service Pack 3

Internet Explorer 8.0.6001.18702

2/12/2010 11:23:04 AM

mbam-log-2010-02-12 (11-23-04).txt

Scan type: Full Scan (C:\|D:\|)

Objects scanned: 148884

Time elapsed: 56 minute(s), 13 second(s)

Memory Processes Infected: 0

Memory Modules Infected: 2

Registry Keys Infected: 5

Registry Values Infected: 3

Registry Data Items Infected: 3

Folders Infected: 5

Files Infected: 76

Memory Processes Infected:

(No malicious items detected)

Memory Modules Infected:

c:\WINDOWS\system32\depopuho.dll (Trojan.Vundo.H) -> Delete on reboot.

c:\WINDOWS\system32\yozuyosa.dll (Trojan.Vundo.H) -> Delete on reboot.

Registry Keys Infected:

HKEY_CLASSES_ROOT\CLSID\{05c75b6f-2dd5-4a50-8e46-da50ff129f35} (Trojan.Vundo.H) -> Delete on reboot.

HKEY_CLASSES_ROOT\CLSID\{77dc0baa-3235-4ba9-8be8-aa9eb678fa02} (Rogue.ASCAntispyware) -> Quarantined and deleted successfully.

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{77dc0baa-3235-4ba9-8be8-aa9eb678fa02} (Rogue.ASCAntispyware) -> Quarantined and deleted successfully.

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Settings\{77dc0baa-3235-4ba9-8be8-aa9eb678fa02} (Rogue.ASCAntispyware) -> Quarantined and deleted successfully.

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_ADBUPD (Trojan.Agent) -> Quarantined and deleted successfully.

Registry Values Infected:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\mepapirol (Trojan.Vundo.H) -> Delete on reboot.

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SharedTaskScheduler\{05c75b6f-2dd5-4a50-8e46-da50ff129f35} (Trojan.Vundo.H) -> Delete on reboot.

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\depomimeh (Trojan.Vundo.H) -> Delete on reboot.

Registry Data Items Infected:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\AppInit_DLLs (Trojan.Vundo.H) -> Data: c:\windows\system32\yozuyosa.dll -> Delete on reboot.

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\AppInit_DLLs (Trojan.Vundo.H) -> Data: system32\yozuyosa.dll -> Delete on reboot.

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\UpdatesDisableNotify (Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.

Folders Infected:

C:\Documents and Settings\home\Start Menu\Programs\Your PC Protector (Rogue.YourPCProtector) -> Quarantined and deleted successfully.

C:\Program Files\Your PC Protector (Rogue.YourPCProtector) -> Quarantined and deleted successfully.

C:\Program Files\schtml (Rogue.YourPCProtector) -> Quarantined and deleted successfully.

C:\Program Files\schtml\images (Rogue.YourPCProtector) -> Quarantined and deleted successfully.

C:\Your PC Protector (Rogue.PcProtector) -> Quarantined and deleted successfully.

Files Infected:

C:\WINDOWS\system32\depopuho.dll (Trojan.Vundo.H) -> Delete on reboot.

C:\WINDOWS\system32\dorizala.dll (Trojan.Vundo.H) -> Quarantined and deleted successfully.

C:\WINDOWS\system32\gidahumu.dll (Trojan.Vundo.H) -> Quarantined and deleted successfully.

C:\WINDOWS\system32\hukubuhu.dll (Trojan.Vundo.H) -> Quarantined and deleted successfully.

C:\WINDOWS\system32\kirasahi.dll (Trojan.Vundo.H) -> Quarantined and deleted successfully.

C:\WINDOWS\system32\leheziti.dll (Trojan.Vundo.H) -> Quarantined and deleted successfully.

C:\WINDOWS\system32\mikolobe.dll (Trojan.Vundo.H) -> Quarantined and deleted successfully.

C:\WINDOWS\system32\nadejafi.dll (Trojan.Vundo.H) -> Quarantined and deleted successfully.

C:\WINDOWS\system32\nadusajo.dll (Trojan.Vundo.H) -> Quarantined and deleted successfully.

C:\WINDOWS\system32\negokofi.dll (Trojan.Vundo.H) -> Quarantined and deleted successfully.

C:\WINDOWS\system32\rahobofo.dll (Trojan.Vundo.H) -> Quarantined and deleted successfully.

C:\WINDOWS\system32\ravebavi.dll (Trojan.Vundo.H) -> Quarantined and deleted successfully.

C:\WINDOWS\system32\vujigami.dll (Trojan.Vundo.H) -> Quarantined and deleted successfully.

C:\WINDOWS\system32\yiriyidi.dll (Trojan.Vundo.H) -> Quarantined and deleted successfully.

C:\WINDOWS\system32\yozuyosa.dll (Trojan.Vundo.H) -> Delete on reboot.

C:\Documents and Settings\home\Local Settings\Temporary Internet Files\Content.IE5\PGUNUWIW\default[1].htm (Trojan.Vundo.H) -> Quarantined and deleted successfully.

C:\Documents and Settings\home\Local Settings\Temporary Internet Files\Content.IE5\PGUNUWIW\BHOQS2lloHLBnBRDWZrZET0rHr2JTFeCHNA7AVSoeBDlw1fNRByx_062EtP5j691QTn3QUoLnkJNdQnU94Ifp_V4QU0FoK3fs8_bUcH9ZN2aL4UKoOidg_jhHzgEr4kd-RKyJ2NwwEk6bROkhGBursypRD5MTRA[1].htm (Trojan.Vundo.Gen) -> Quarantined and deleted successfully.

C:\Program Files\VideoLAN\VLC\plugins\libaccess_output_http_plugin.dll (Trojan.Exploit) -> Quarantined and deleted successfully.

C:\Program Files\VideoLAN\VLC\plugins\libmemcpymmxext_plugin.dll (Trojan.Exploit) -> Quarantined and deleted successfully.

C:\Program Files\VideoLAN\VLC\plugins\libcolorthres_plugin.dll (Trojan.Exploit) -> Quarantined and deleted successfully.

C:\Program Files\VideoLAN\VLC\plugins\libdtssys_plugin.dll (Trojan.Exploit) -> Quarantined and deleted successfully.

C:\Program Files\VideoLAN\VLC\plugins\libi422_i420_plugin.dll (Trojan.Exploit) -> Quarantined and deleted successfully.

C:\Program Files\VideoLAN\VLC\plugins\libimage_plugin.dll (Trojan.Exploit) -> Quarantined and deleted successfully.

C:\Program Files\VideoLAN\VLC\plugins\libmemcpy3dn_plugin.dll (Trojan.Exploit) -> Quarantined and deleted successfully.

C:\Program Files\VideoLAN\VLC\plugins\libmemcpymmx_plugin.dll (Trojan.Exploit) -> Quarantined and deleted successfully.

C:\Program Files\VideoLAN\VLC\plugins\libntservice_plugin.dll (Trojan.Exploit) -> Quarantined and deleted successfully.

C:\Program Files\VideoLAN\VLC\plugins\libquicktime_plugin.dll (Trojan.Exploit) -> Quarantined and deleted successfully.

C:\Program Files\VideoLAN\VLC\plugins\libsimple_channel_mixer_plugin.dll (Trojan.Exploit) -> Quarantined and deleted successfully.

C:\Program Files\VideoLAN\VLC\plugins\libstream_out_es_plugin.dll (Trojan.Exploit) -> Quarantined and deleted successfully.

C:\System Volume Information\_restore{70FD1DB3-E30F-48EC-ABEA-2DE81F03A8C6}\RP103\A0021308.dll (Trojan.Vundo.Gen) -> Quarantined and deleted successfully.

C:\System Volume Information\_restore{70FD1DB3-E30F-48EC-ABEA-2DE81F03A8C6}\RP103\A0021356.dll (Trojan.Vundo.Gen) -> Quarantined and deleted successfully.

C:\System Volume Information\_restore{70FD1DB3-E30F-48EC-ABEA-2DE81F03A8C6}\RP105\A0025534.dll (Trojan.Vundo.Gen) -> Quarantined and deleted successfully.

C:\System Volume Information\_restore{70FD1DB3-E30F-48EC-ABEA-2DE81F03A8C6}\RP105\A0025539.dll (Trojan.Vundo.H) -> Quarantined and deleted successfully.

C:\System Volume Information\_restore{70FD1DB3-E30F-48EC-ABEA-2DE81F03A8C6}\RP105\A0025540.dll (Trojan.Vundo.H) -> Quarantined and deleted successfully.

C:\System Volume Information\_restore{70FD1DB3-E30F-48EC-ABEA-2DE81F03A8C6}\RP105\A0025541.dll (Trojan.Vundo.H) -> Quarantined and deleted successfully.

C:\System Volume Information\_restore{70FD1DB3-E30F-48EC-ABEA-2DE81F03A8C6}\RP105\A0025550.dll (Trojan.FakeAlert) -> Quarantined and deleted successfully.

C:\System Volume Information\_restore{70FD1DB3-E30F-48EC-ABEA-2DE81F03A8C6}\RP105\A0025597.dll (Trojan.Vundo.H) -> Quarantined and deleted successfully.

C:\System Volume Information\_restore{70FD1DB3-E30F-48EC-ABEA-2DE81F03A8C6}\RP105\A0025598.dll (Trojan.Vundo.H) -> Quarantined and deleted successfully.

C:\WINDOWS\system32\trz4.tmp (Trojan.Vundo.H) -> Quarantined and deleted successfully.

C:\WINDOWS\system32\vulademu.dll.tmp (Trojan.Vundo.H) -> Quarantined and deleted successfully.

C:\WINDOWS\system32\buyenayo.dll.tmp (Trojan.Vundo.H) -> Quarantined and deleted successfully.

C:\WINDOWS\system32\hiwumeku.dll.tmp (Trojan.Vundo.H) -> Quarantined and deleted successfully.

C:\Documents and Settings\home\Start Menu\Programs\Your PC Protector\Your PC Protector.lnk (Rogue.YourPCProtector) -> Quarantined and deleted successfully.

C:\Program Files\schtml\wispex.html (Rogue.YourPCProtector) -> Quarantined and deleted successfully.

C:\Program Files\schtml\images\i1.gif (Rogue.YourPCProtector) -> Quarantined and deleted successfully.

C:\Program Files\schtml\images\i2.gif (Rogue.YourPCProtector) -> Quarantined and deleted successfully.

C:\Program Files\schtml\images\i3.gif (Rogue.YourPCProtector) -> Quarantined and deleted successfully.

C:\Program Files\schtml\images\j1.gif (Rogue.YourPCProtector) -> Quarantined and deleted successfully.

C:\Program Files\schtml\images\j2.gif (Rogue.YourPCProtector) -> Quarantined and deleted successfully.

C:\Program Files\schtml\images\j3.gif (Rogue.YourPCProtector) -> Quarantined and deleted successfully.

C:\Program Files\schtml\images\jj1.gif (Rogue.YourPCProtector) -> Quarantined and deleted successfully.

C:\Program Files\schtml\images\jj2.gif (Rogue.YourPCProtector) -> Quarantined and deleted successfully.

C:\Program Files\schtml\images\jj3.gif (Rogue.YourPCProtector) -> Quarantined and deleted successfully.

C:\Program Files\schtml\images\l1.gif (Rogue.YourPCProtector) -> Quarantined and deleted successfully.

C:\Program Files\schtml\images\l2.gif (Rogue.YourPCProtector) -> Quarantined and deleted successfully.

C:\Program Files\schtml\images\l3.gif (Rogue.YourPCProtector) -> Quarantined and deleted successfully.

C:\Program Files\schtml\images\pix.gif (Rogue.YourPCProtector) -> Quarantined and deleted successfully.

C:\Program Files\schtml\images\t1.gif (Rogue.YourPCProtector) -> Quarantined and deleted successfully.

C:\Program Files\schtml\images\t2.gif (Rogue.YourPCProtector) -> Quarantined and deleted successfully.

C:\Program Files\schtml\images\Thumbs.db (Rogue.YourPCProtector) -> Quarantined and deleted successfully.

C:\Program Files\schtml\images\up1.gif (Rogue.YourPCProtector) -> Quarantined and deleted successfully.

C:\Program Files\schtml\images\up2.gif (Rogue.YourPCProtector) -> Quarantined and deleted successfully.

C:\Program Files\schtml\images\w1.gif (Rogue.YourPCProtector) -> Quarantined and deleted successfully.

C:\Program Files\schtml\images\w11.gif (Rogue.YourPCProtector) -> Quarantined and deleted successfully.

C:\Program Files\schtml\images\w2.gif (Rogue.YourPCProtector) -> Quarantined and deleted successfully.

C:\Program Files\schtml\images\w3.gif (Rogue.YourPCProtector) -> Quarantined and deleted successfully.

C:\Program Files\schtml\images\w3.jpg (Rogue.YourPCProtector) -> Quarantined and deleted successfully.

C:\Program Files\schtml\images\word.doc (Rogue.YourPCProtector) -> Quarantined and deleted successfully.

C:\Program Files\schtml\images\wt1.gif (Rogue.YourPCProtector) -> Quarantined and deleted successfully.

C:\Program Files\schtml\images\wt2.gif (Rogue.YourPCProtector) -> Quarantined and deleted successfully.

C:\Program Files\schtml\images\wt3.gif (Rogue.YourPCProtector) -> Quarantined and deleted successfully.

C:\Your PC Protector\Your PC Protector.lnk (Rogue.PcProtector) -> Quarantined and deleted successfully.

C:\Your PC Protector.lnk (Rogue.PcProtector) -> Quarantined and deleted successfully.

C:\Program Files\nuar.old (Malware.Trace) -> Quarantined and deleted successfully.

C:\Program Files\wp3.dat (Malware.Trace) -> Quarantined and deleted successfully.

C:\Program Files\wp4.dat (Malware.Trace) -> Quarantined and deleted successfully.

&&&&&&&&&&&&&&&& Hijackthis log &&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&

Logfile of Trend Micro HijackThis v2.0.2

Scan saved at 11:27:26 AM, on 2/12/2010

Platform: Windows XP SP3 (WinNT 5.01.2600)

MSIE: Internet Explorer v8.00 (8.00.6001.18702)

Boot mode: Normal

Running processes:

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\system32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\Program Files\Alwil Software\Avast5\AvastSvc.exe

C:\WINDOWS\Explorer.EXE

C:\WINDOWS\system32\spoolsv.exe

C:\Program Files\Common Files\InterVideo\RegMgr\iviRegMgr.exe

C:\Program Files\Palm, Inc\novacom\x86\novacomd.exe

C:\Program Files\SpoonProxy\spserv.exe

C:\WINDOWS\system32\svchost.exe

C:\Program Files\SpoonProxy\proxy.exe

C:\WINDOWS\RTHDCPL.EXE

C:\WINDOWS\system32\igfxtray.exe

C:\WINDOWS\system32\hkcmd.exe

C:\Program Files\Elantech\ETDCtrl.exe

C:\Program Files\Elantech\ETDDect.exe

C:\WINDOWS\system32\igfxsrvc.exe

C:\Program Files\EeePC\ACPI\AsTray.exe

C:\Program Files\EeePC\ACPI\AsAcpiSvr.exe

C:\Program Files\EeePC\ACPI\AsEPCMon.exe

C:\WINDOWS\system32\igfxext.exe

C:\PROGRA~1\ALWILS~1\Avast5\avastUI.exe

C:\WINDOWS\system32\ctfmon.exe

C:\Program Files\ASUS\EeePC\Super Hybrid Engine\SuperHybridEngine.exe

C:\Program Files\OpenSSH\bin\cygrunsrv.exe

C:\Program Files\OpenSSH\usr\sbin\sshd.exe

C:\Documents and Settings\home\Local Settings\Application Data\Google\Chrome\Application\chrome.exe

C:\Documents and Settings\home\Local Settings\Application Data\Google\Chrome\Application\chrome.exe

C:\Documents and Settings\home\My Documents\Downloads\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://eeepc.asus.com/global

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157

O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll

O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Program Files\AVG\AVG9\avgssie.dll (file missing)

O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)

O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll

O2 - BHO: AVG Security Toolbar BHO - {A3BC75A2-1F87-4686-AA43-5347D756017C} - C:\Program Files\AVG\AVG9\Toolbar\IEToolbar.dll (file missing)

O2 - BHO: Windows Live Toolbar Helper - {BDBD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\Windows Live Toolbar\msntb.dll

O3 - Toolbar: Windows Live Toolbar - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\Windows Live Toolbar\msntb.dll

O3 - Toolbar: AVG Security Toolbar - {CCC7A320-B3CA-4199-B1A6-9F516DD69829} - C:\Program Files\AVG\AVG9\Toolbar\IEToolbar.dll (file missing)

O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE

O4 - HKLM\..\Run: [Alcmtr] ALCMTR.EXE

O4 - HKLM\..\Run: [igfxTray] C:\WINDOWS\system32\igfxtray.exe

O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe

O4 - HKLM\..\Run: [Persistence] C:\WINDOWS\system32\igfxpers.exe

O4 - HKLM\..\Run: [ETDWare] C:\Program Files\Elantech\ETDCtrl.exe

O4 - HKLM\..\Run: [ETDWareDetect] C:\Program Files\Elantech\ETDDect.exe

O4 - HKLM\..\Run: [AsusTray] C:\Program Files\EeePC\ACPI\AsTray.exe

O4 - HKLM\..\Run: [AsusACPIServer] C:\Program Files\EeePC\ACPI\AsAcpiSvr.exe

O4 - HKLM\..\Run: [AsusEPCMonitor] C:\Program Files\EeePC\ACPI\AsEPCMon.exe

O4 - HKLM\..\Run: [avast5] C:\PROGRA~1\ALWILS~1\Avast5\avastUI.exe /nogui

O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe

O4 - Startup: Shortcut to proxy.lnk = C:\Documents and Settings\home\proxy.bat

O4 - Startup: SpoonProxy.lnk = C:\Program Files\SpoonProxy\proxy.exe

O4 - Global Startup: SuperHybridEngine.lnk = ?

O8 - Extra context menu item: &Windows Live Search - res://C:\Program Files\Windows Live Toolbar\msntb.dll/search.htm

O9 - Extra button: Blog This - {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - C:\Program Files\Windows Live\Writer\WriterBrowserExtension.dll

O9 - Extra 'Tools' menuitem: &Blog This in Windows Live Writer - {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - C:\Program Files\Windows Live\Writer\WriterBrowserExtension.dll

O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe

O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe

O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe

O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe

O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/microsoftupdat...b?1240285653753

O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdat...b?1240285575840

O20 - AppInit_DLLs: c:\windows\system32\nutuhunu.dll ,vahoremo.dll

O21 - SSODL: muviwahur - {1f12919b-0b15-4ba3-8c8d-c850af005fc9} - c:\windows\system32\nutuhunu.dll (file missing)

O22 - SharedTaskScheduler: kupuhivus - {1f12919b-0b15-4ba3-8c8d-c850af005fc9} - c:\windows\system32\nutuhunu.dll (file missing)

O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast5\AvastSvc.exe

O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast5\AvastSvc.exe

O23 - Service: avast! Web Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast5\AvastSvc.exe

O23 - Service: IviRegMgr - InterVideo - C:\Program Files\Common Files\InterVideo\RegMgr\iviRegMgr.exe

O23 - Service: Palm Novacom (NovacomD) - Unknown owner - C:\Program Files\Palm, Inc\novacom\x86\novacomd.exe

O23 - Service: OpenSSH Server (OpenSSHd) - Unknown owner - C:\Program Files\OpenSSH\bin\cygrunsrv.exe

O23 - Service: SpoonProxy (spserv) - Pi-Soft Consulting, LLC - C:\Program Files\SpoonProxy\spserv.exe

--

End of file - 6569 bytes


  • Staff

Hi,

Just some leftovers in the registry, so..

* Start HijackThis, close all open windows leaving only HijackThis running. Place a check against each of the following:

O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Program Files\AVG\AVG9\avgssie.dll (file missing)

O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)

O2 - BHO: AVG Security Toolbar BHO - {A3BC75A2-1F87-4686-AA43-5347D756017C} - C:\Program Files\AVG\AVG9\Toolbar\IEToolbar.dll (file missing)

O3 - Toolbar: AVG Security Toolbar - {CCC7A320-B3CA-4199-B1A6-9F516DD69829} - C:\Program Files\AVG\AVG9\Toolbar\IEToolbar.dll (file missing)

O20 - AppInit_DLLs: c:\windows\system32\nutuhunu.dll ,vahoremo.dll

O21 - SSODL: muviwahur - {1f12919b-0b15-4ba3-8c8d-c850af005fc9} - c:\windows\system32\nutuhunu.dll (file missing)

O22 - SharedTaskScheduler: kupuhivus - {1f12919b-0b15-4ba3-8c8d-c850af005fc9} - c:\windows\system32\nutuhunu.dll (file missing)

* Click on Fix Checked when finished and exit HijackThis.

Make sure your Internet Explorer is closed when you click Fix Checked!

Let me know in your next reply how things are now.

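The staff reply above picks out the registry leftovers by eye: entries whose target file is gone ("(file missing)" / "(no file)"), an AppInit_DLLs value pointing at random-named DLLs, and the same CLSID hooked under both O21 and O22. The following is an added example written for this page, not code from HijackThis, Malwarebytes or the thread: a small Python triage pass that applies those three heuristics to a constructed sample (a subset of the log lines posted above) so the leftover entries come out as a list rather than having to be spotted by hand. The rule names and the `triage`/`appinit_dlls` helpers are this example's own.

```python
import re
from collections import defaultdict

# Constructed sample input: a subset of the HijackThis lines posted in the thread,
# plus two clean lines (Adobe BHO, avast! Run key) so the filter has something to leave alone.
SAMPLE_HJT_LOG = r"""
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Program Files\AVG\AVG9\avgssie.dll (file missing)
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O3 - Toolbar: AVG Security Toolbar - {CCC7A320-B3CA-4199-B1A6-9F516DD69829} - C:\Program Files\AVG\AVG9\Toolbar\IEToolbar.dll (file missing)
O4 - HKLM\..\Run: [avast5] C:\PROGRA~1\ALWILS~1\Avast5\avastUI.exe /nogui
O20 - AppInit_DLLs: c:\windows\system32\nutuhunu.dll ,vahoremo.dll
O21 - SSODL: muviwahur - {1f12919b-0b15-4ba3-8c8d-c850af005fc9} - c:\windows\system32\nutuhunu.dll (file missing)
O22 - SharedTaskScheduler: kupuhivus - {1f12919b-0b15-4ba3-8c8d-c850af005fc9} - c:\windows\system32\nutuhunu.dll (file missing)
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast5\AvastSvc.exe
"""

# Every HijackThis entry line starts with a section code (R0, O2, O20, ...) followed by " - ".
ENTRY_RE = re.compile(r"^([RFO]\d+) - (.*)$")
# A CLSID is 32 hex digits and 4 hyphens inside braces.
CLSID_RE = re.compile(r"\{[0-9A-Fa-f-]{36}\}")
# HijackThis appends these markers when the referenced file is not on disk.
ORPHAN_MARKERS = ("(file missing)", "(no file)")


def parse_hjt(text):
    """Yield (section, body, raw_line) for every entry line in a HijackThis log."""
    for raw in text.splitlines():
        m = ENTRY_RE.match(raw.strip())
        if m:
            yield m.group(1), m.group(2), raw.strip()


def appinit_dlls(body):
    """Split an 'AppInit_DLLs: ...' body into the individual DLL names (comma or space separated)."""
    value = body.split(":", 1)[1]
    return [d for d in re.split(r"[,\s]+", value) if d]


def triage(text):
    """Return a list of {section, line, reasons} for entries worth a second look.

    Heuristics (this example's own, not HijackThis's logic):
      1. an entry whose target file no longer exists is an orphaned registry reference;
      2. a populated AppInit_DLLs value is always reported, because every DLL listed
         there is loaded into each process that links user32.dll;
      3. a CLSID registered under more than one autostart section is reported, since a
         legitimate component rarely needs several hooks for the same object.
    """
    entries = list(parse_hjt(text))

    # First pass: which sections does each CLSID appear in?
    clsid_sections = defaultdict(set)
    for section, body, _ in entries:
        for clsid in CLSID_RE.findall(body):
            clsid_sections[clsid.lower()].add(section)

    findings = []
    for section, body, raw in entries:
        reasons = []
        if body.endswith(ORPHAN_MARKERS):
            reasons.append("orphaned: target file missing")
        if section == "O20" and body.startswith("AppInit_DLLs:") and appinit_dlls(body):
            reasons.append("AppInit_DLLs loads: " + ", ".join(appinit_dlls(body)))
        for clsid in CLSID_RE.findall(body):
            others = clsid_sections[clsid.lower()] - {section}
            if others:
                reasons.append("CLSID %s also in %s" % (clsid, ", ".join(sorted(others))))
        if reasons:
            findings.append({"section": section, "line": raw, "reasons": reasons})
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_HJT_LOG):
        print(f["section"], "|", f["line"])
        for r in f["reasons"]:
            print("    ->", r)
```

On the sample above the pass reports exactly the six entries the staff reply asked to have fixed that are present in the sample (the two AVG orphans, the nameless BHO, the AppInit_DLLs value, and the O21/O22 pair sharing one CLSID) and leaves the Adobe BHO, the avast! Run key and the avast! service alone. The heuristics are deliberately narrow; an entry that is not flagged is not thereby clean, it just needs the usual manual look.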

I ran HijackThis and checked all items instructed. With all explorer windows (I don't use IE) closed I clicked Fix Checked and I seem to be in good shape. Your executable Mbam that you linked is what got me to the noticeable improvement though. I didn't notice anything wrong after running Mbam. I really appreciate all of the help!

Do you have any software security suggestions for this netbook w/ its primary function being an always on proxy server? I'm interested in the most efficient and task suited software for the power it has available.


  • Staff

Good to hear everything is OK again. ;)

Please read my Prevention page with lots of info and tips on how to prevent this in the future.

And if you want to improve speed/system performance after malware removal, take a look here.

Extra note: Make sure your programs are up to date - because older versions may contain Security Leaks. To find out what programs need to be updated, please run the Secunia Software Inspector Scan.

Happy Surfing again!

