Jump to content

Infected with TR/Vundo.ME.71 - Need Help!

Recommended Posts

Tonight my anti-virus (Avira) popped up saying an unwanted program had tried to access my computer and had "deny access" checked. I clicked "ok", and within seconds there was another alert, and then another. I kept denying access and did a complete shut down of my computer.

I booted up in safe mode and ran a complete virus scan. At the end of the scan the report stated that I had 6 entries of TR/Vundo.ME.71. I selected the option specified - "repair all", and restarted my computer. But, when I rebooted I had numerous pop-ups of my anti-virus saying that TR/Vundo.ME.71 was trying to access my computer.

I shut down again and rebooted in safe mode. Malwarebytes won't open, so the only report I have is the one from my anti-virus, Avira.

Avira AntiVir Personal

Report file date: Sunday, June 06, 2010 19:34

Scanning for 2190565 virus strains and unwanted programs.

Licensee : Avira AntiVir Personal - FREE Antivirus

Serial number : 0000149996-ADJIE-0000001

Platform : Windows XP

Windows version : (Service Pack 3) [5.1.2600]

Boot mode : Save mode

Username : Owner

Computer name : YOUR-6JNHHU0520

Version information:

BUILD.DAT : 21701 Bytes 3/9/2010 10:29:00

AVSCAN.EXE : 466689 Bytes 11/20/2009 07:26:00

AVSCAN.DLL : 40705 Bytes 2/27/2009 18:58:24

LUKE.DLL : 209665 Bytes 2/20/2009 19:35:49

LUKERES.DLL : 12033 Bytes 2/27/2009 18:58:52

VBASE000.VDF : 19875328 Bytes 11/6/2009 07:25:59

VBASE001.VDF : 1372672 Bytes 11/19/2009 07:25:59

VBASE002.VDF : 3143680 Bytes 1/20/2010 20:06:11

VBASE003.VDF : 996864 Bytes 1/26/2010 20:09:06

VBASE004.VDF : 1579008 Bytes 3/5/2010 02:24:01

VBASE005.VDF : 2494464 Bytes 4/15/2010 05:32:36

VBASE006.VDF : 2294784 Bytes 6/2/2010 02:07:21

VBASE007.VDF : 2048 Bytes 6/2/2010 02:07:22

VBASE008.VDF : 2048 Bytes 6/2/2010 02:07:22

VBASE009.VDF : 2048 Bytes 6/2/2010 02:07:22

VBASE010.VDF : 2048 Bytes 6/2/2010 02:07:22

VBASE011.VDF : 2048 Bytes 6/2/2010 02:07:22

VBASE012.VDF : 2048 Bytes 6/2/2010 02:07:22

VBASE013.VDF : 2048 Bytes 6/2/2010 02:07:23

VBASE014.VDF : 2048 Bytes 6/2/2010 02:07:23

VBASE015.VDF : 2048 Bytes 6/2/2010 02:07:23

VBASE016.VDF : 2048 Bytes 6/2/2010 02:07:23

VBASE017.VDF : 2048 Bytes 6/2/2010 02:07:23

VBASE018.VDF : 2048 Bytes 6/2/2010 02:07:24

VBASE019.VDF : 2048 Bytes 6/2/2010 02:07:24

VBASE020.VDF : 2048 Bytes 6/2/2010 02:07:24

VBASE021.VDF : 2048 Bytes 6/2/2010 02:07:24

VBASE022.VDF : 2048 Bytes 6/2/2010 02:07:24

VBASE023.VDF : 2048 Bytes 6/2/2010 02:07:25

VBASE024.VDF : 2048 Bytes 6/2/2010 02:07:25

VBASE025.VDF : 2048 Bytes 6/2/2010 02:07:25

VBASE026.VDF : 2048 Bytes 6/2/2010 02:07:25

VBASE027.VDF : 2048 Bytes 6/2/2010 02:07:25

VBASE028.VDF : 2048 Bytes 6/2/2010 02:07:26

VBASE029.VDF : 2048 Bytes 6/2/2010 02:07:26

VBASE030.VDF : 2048 Bytes 6/2/2010 02:07:26

VBASE031.VDF : 87552 Bytes 6/6/2010 02:07:37

Engineversion :

AEVDF.DLL : 106868 Bytes 4/24/2010 05:31:52

AESCRIPT.DLL : 1352058 Bytes 6/3/2010 02:07:38

AESCN.DLL : 127347 Bytes 5/12/2010 17:27:00

AESBX.DLL : 254324 Bytes 4/24/2010 05:31:53

AERDL.DLL : 541043 Bytes 4/16/2010 05:33:56

AEPACK.DLL : 426358 Bytes 3/20/2010 01:58:53

AEOFFICE.DLL : 201081 Bytes 5/12/2010 17:27:00

AEHEUR.DLL : 2724214 Bytes 6/5/2010 02:07:24

AEHELP.DLL : 242038 Bytes 6/3/2010 02:07:29

AEGEN.DLL : 377205 Bytes 6/3/2010 02:07:28

AEEMU.DLL : 393588 Bytes 4/24/2010 05:31:49

AECORE.DLL : 192886 Bytes 5/12/2010 17:26:58

AEBB.DLL : 53618 Bytes 4/24/2010 05:31:48

AVWINLL.DLL : 18177 Bytes 12/12/2008 16:47:59

AVPREF.DLL : 44289 Bytes 9/9/2009 01:58:54

AVREP.DLL : 159784 Bytes 2/18/2010 02:03:13

AVREG.DLL : 36609 Bytes 12/5/2008 18:32:09

AVARKT.DLL : 292609 Bytes 3/24/2009 23:05:41

AVEVTLOG.DLL : 167169 Bytes 1/30/2009 18:37:08

SQLITE3.DLL : 326401 Bytes 1/28/2009 23:03:49

SMTPLIB.DLL : 28417 Bytes 2/2/2009 16:21:33

NETNT.DLL : 11521 Bytes 12/5/2008 18:32:10

RCIMAGE.DLL : 2438913 Bytes 5/15/2009 23:39:58

RCTEXT.DLL : 86785 Bytes 11/20/2009 07:25:57

Configuration settings for the scan:

Jobname.............................: Complete system scan

Configuration file..................: c:\program files\avira\antivir desktop\sysscan.avp

Logging.............................: low

Primary action......................: interactive

Secondary action....................: ignore

Scan master boot sector.............: on

Scan boot sector....................: on

Boot sectors........................: C:, D:,

Process scan........................: on

Scan registry.......................: on

Search for rootkits.................: on

Integrity checking of system files..: off

Scan all files......................: All files

Scan archives.......................: on

Recursion depth.....................: 20

Smart extensions....................: on

Macro heuristic.....................: on

File heuristic......................: medium

Deviating risk categories...........: +APPL,+GAME,+JOKE,+PCK,+SPR,

Start of the scan: Sunday, June 06, 2010 19:34

Starting search for hidden objects.

The driver could not be initialized.

The scan of running processes will be started

Scan process 'avscan.exe' - '1' Module(s) have been scanned

Scan process 'avscan.exe' - '1' Module(s) have been scanned

Scan process 'avcenter.exe' - '1' Module(s) have been scanned

Scan process 'explorer.exe' - '1' Module(s) have been scanned

Scan process 'svchost.exe' - '1' Module(s) have been scanned

Scan process 'svchost.exe' - '1' Module(s) have been scanned

Scan process 'svchost.exe' - '1' Module(s) have been scanned

Scan process 'lsass.exe' - '1' Module(s) have been scanned

Scan process 'services.exe' - '1' Module(s) have been scanned

Scan process 'winlogon.exe' - '1' Module(s) have been scanned

Scan process 'csrss.exe' - '1' Module(s) have been scanned

Scan process 'smss.exe' - '1' Module(s) have been scanned

12 processes with 12 modules were scanned

Starting master boot sector scan:

Master boot sector HD0

[iNFO] No virus was found!

Master boot sector HD1

[iNFO] No virus was found!

Master boot sector HD2

[iNFO] No virus was found!

Master boot sector HD3

[iNFO] No virus was found!

Start scanning boot sectors:

Boot sector 'C:\'

[iNFO] No virus was found!

Boot sector 'D:\'

[iNFO] No virus was found!

Starting to scan executable files (registry).


[DETECTION] Is the TR/Vundo.ME.71 Trojan

The registry was scanned ( '80' files ).

Starting the file scan:

Begin scan in 'C:\' <HP_PAVILION>


[WARNING] The file could not be opened!

[NOTE] This file is a Windows system file.

[NOTE] This file cannot be opened for scanning.

C:\Documents and Settings\Owner\Local Settings\Temporary Internet Files\Content.IE5\NS1OFA45\load[1].php

[DETECTION] Is the TR/Vundo.ME.71 Trojan

C:\System Volume Information\_restore{6CD01810-EFB9-4AF0-A405-DE07EB8CD51D}\RP23\A0001161.dll

[DETECTION] Is the TR/Vundo.99328.G.4 Trojan

C:\System Volume Information\_restore{6CD01810-EFB9-4AF0-A405-DE07EB8CD51D}\RP25\A0001325.dll

[DETECTION] Is the TR/Vundo.ME.71 Trojan


[DETECTION] Is the TR/Vundo.ME.71 Trojan


[DETECTION] Is the TR/Vundo.ME.71 Trojan

Begin scan in 'D:\' <HP_RECOVERY>

Beginning disinfection:


[DETECTION] Is the TR/Vundo.ME.71 Trojan

[WARNING] An error has occurred and the file was not deleted. ErrorID: 26004

[WARNING] The source file could not be found.

[NOTE] Attempting to perform action using the ARK library.

[NOTE] The driver could not be initialized.

[NOTE] The file is scheduled for deleting after reboot.

C:\Documents and Settings\Owner\Local Settings\Temporary Internet Files\Content.IE5\NS1OFA45\load[1].php

[DETECTION] Is the TR/Vundo.ME.71 Trojan

[WARNING] An error has occurred and the file was not deleted. ErrorID: 26004

[WARNING] The source file could not be found.

[NOTE] Attempting to perform action using the ARK library.

[WARNING] Error in ARK library

[NOTE] The file is scheduled for deleting after reboot.

C:\System Volume Information\_restore{6CD01810-EFB9-4AF0-A405-DE07EB8CD51D}\RP23\A0001161.dll

[DETECTION] Is the TR/Vundo.99328.G.4 Trojan

[NOTE] The file was moved to '4c3c89b7.qua'!

C:\System Volume Information\_restore{6CD01810-EFB9-4AF0-A405-DE07EB8CD51D}\RP25\A0001325.dll

[DETECTION] Is the TR/Vundo.ME.71 Trojan

[NOTE] The file was moved to '4d442c70.qua'!


[DETECTION] Is the TR/Vundo.ME.71 Trojan

[WARNING] An error has occurred and the file was not deleted. ErrorID: 26003

[WARNING] The file could not be deleted!

[NOTE] Attempting to perform action using the ARK library.

[NOTE] The driver could not be initialized.

[NOTE] The file is scheduled for deleting after reboot.


[DETECTION] Is the TR/Vundo.ME.71 Trojan

[NOTE] The file was moved to '4c7f89f8.qua'!

End of the scan: Sunday, June 06, 2010 22:54

Used time: 3:18:42 Hour(s)

The scan has been done completely.

12170 Scanned directories

593564 Files were scanned

6 Viruses and/or unwanted programs were found

0 Files were classified as suspicious

0 files were deleted

0 Viruses and unwanted programs were repaired

3 Files were moved to quarantine

0 Files were renamed

1 Files cannot be scanned

593557 Files not concerned

21106 Archives were scanned

4 Warnings

7 Notes

Link to post
Share on other sites

Hello Leila! Welcome to MalwareBytes' Anti-Malware Forums!

My name is Borislav and I will be glad to help you solve your problems with malware. Before we begin, please note the following:

  • The process of cleaning your system may take some time, so please be patient.
  • Stay with the topic until I tell you that your system is clean. Missing symptoms does not mean that everything is okay.
  • Instructions that I give are for your system only!
  • If you don't know or can't understand something please ask.
  • Do not install or uninstall any software or hardware, while work on.

Please follow these instructions:


Post all logs if you can.

Link to post
Share on other sites

Thanks Maniac,

I've got Malwarebytes already installed on my computer, but this virus isn't allowing Malwarebytes to open. Should I go ahead and download and run the other programs - DeFogger, DDS, and GMER, and post those scans here?


Link to post
Share on other sites

Thanks Maniac!

I can't get Malwarebytes to open and run. I think the virus/trojan has disabled it. But, I went ahead an download DeFogger and DDS and did those scans. I wanted to post them now, just in case they disappear from my desktop. I will do the GMER Rootkit Scanner next and post that one in a separate post.

Here is the DeFogger scan:

defogger_disable by jpshortstuff (

Log created at 21:58 on 07/06/2010 (Owner)

Checking for autostart values...

HKCU\~\Run values retrieved.

HKLM\~\Run values retrieved.

Checking for services/drivers...


Here is the DDS Scan:

DDS (Ver_10-03-17.01) - NTFSx86 NETWORK

Run by Owner at 22:06:17.39 on Mon 06/07/2010

Internet Explorer: 8.0.6001.18702 BrowserJavaVersion: 1.6.0_20

Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.1023.745 [GMT -7:00]

AV: AntiVir Desktop *On-access scanning enabled* (Updated) {AD166499-45F9-482A-A743-FDD3350758C7}

============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch

C:\WINDOWS\system32\svchost -k rpcss

C:\WINDOWS\System32\svchost.exe -k netsvcs

C:\WINDOWS\System32\svchost.exe -k NetworkService

C:\WINDOWS\system32\svchost.exe -k LocalService


C:\Program Files\Mozilla Firefox\firefox.exe


C:\Documents and Settings\Owner\Desktop\dds.scr


============== Pseudo HJT Report ===============

uStart Page = hxxp://www.yahoo.com/

mSearch Bar = hxxp://srch-us7.hpwis.com/

BHO: {0f224aa6-0422-48c0-b474-c39fac444ed5} - mosadefe.dll

BHO: Spybot-S&D IE Protection: {53707962-6f74-2d53-2644-206d7942484f} - c:\progra~1\spybot~1\SDHelper.dll

BHO: Google Toolbar Notifier BHO: {af69de43-7d58-4638-b6fa-ce66b5ad205d} - c:\program files\google\googletoolbarnotifier\5.1.1309.3572\swg.dll

BHO: Java Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll

BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll

TB: hp toolkit: {b2847e28-5d7d-4deb-8b67-05d28bcf79f5} - c:\hp\explorebar\HPTOOLKT.DLL

TB: {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - No File

TB: {2318C2B1-4965-11D4-9B18-009027A5CD4F} - No File

TB: {A057A204-BACC-4D26-9990-79A187E2698E} - No File

EB: {32683183-48a0-441b-a342-7c2a440a9478} - No File

EB: hp toolkit: {8f4902b6-6c04-4ade-8052-aa58578a21bd} - c:\windows\system32\Shdocvw.dll

uRun: [updateMgr] "c:\program files\adobe\acrobat 7.0\reader\AdobeUpdateManager.exe" AcRdB7_0_9 -reboot 1

uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe

mRun: [HotKeysCmds] c:\windows\system32\hkcmd.exe

mRun: [Recguard] c:\windows\sminst\RECGUARD.EXE

mRun: [NvCplDaemon] RUNDLL32.EXE c:\windows\system32\NvCpl.dll,NvStartup

mRun: [nwiz] nwiz.exe /install

mRun: [KBD] c:\hp\kbd\KBD.EXE

mRun: [CamMonitor] c:\program files\hewlett-packard\digital imaging\unload\hpqcmon.exe

mRun: [updateManager] "c:\program files\common files\sonic\update manager\sgtray.exe" /r

mRun: [hpsysdrv] c:\windows\system\hpsysdrv.exe

mRun: [avgnt] "c:\program files\avira\antivir desktop\avgnt.exe" /min

mRun: [sunJavaUpdateSched] "c:\program files\common files\java\java update\jusched.exe"

mRun: [jupejegaso] Rundll32.exe "mazoyabo.dll",s

mRun: [QuickTime Task] "c:\program files\quicktime\qttask.exe" -atboottime

mRun: [pozojisin] Rundll32.exe "c:\windows\system32\rotawapo.dll",a

StartupFolder: c:\docume~1\owner\startm~1\programs\startup\eventr~1.lnk - c:\program files\mindscape\printmaster\PMREMIND.EXE

StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\adober~1.lnk - c:\program files\adobe\acrobat 7.0\reader\reader_sl.exe

StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\americ~1.lnk - c:\program files\america online 7.0\aoltray.exe

StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\hpdigi~1.lnk - c:\program files\hewlett-packard\digital imaging\bin\hpqtra08.exe

StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\micros~1.lnk - c:\program files\microsoft office\office\OSA9.EXE

mPolicies-explorer: <NO NAME> =

IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe

IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe

IE: {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - {53707962-6F74-2D53-2644-206D7942484F} - c:\progra~1\spybot~1\SDHelper.dll

Trusted Zone: microsoft.com\.windowsupdate

Trusted Zone: windowsupdate.com

DPF: DirectAnimation Java Classes - file://c:\windows\java\classes\dajava.cab

DPF: Microsoft XML Parser for Java - file://c:\windows\java\classes\xmldso.cab

DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} - hxxp://www.apple.com/qtactivex/qtplugin.cab

DPF: {3BB1D69B-A780-4BE1-876E-F3D488877135} - hxxp://download.microsoft.com/download/3/B/E/3BE57995-8452-41F1-8297-DD75EF049853/VirtualEarth3D.cab

DPF: {56762DEC-6B0D-4AB4-A8AD-989993B5D08B} - hxxp://www.eset.eu/buxus/docs/OnlineScanner.cab

DPF: {7530BFB8-7293-4D34-9923-61A11451AFC5} - hxxp://download.eset.com/special/eos/OnlineScanner.cab

DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_20-windows-i586.cab

DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} - hxxp://fpdownload.macromedia.com/get/shockwave/cabs/flash/ultrashim.cab

DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} - hxxp://v4.windowsupdate.microsoft.com/CAB/x86/unicode/iuctl.CAB?37847.7197337963

DPF: {AE1C01E3-0283-11D3-9B3F-00C04F8EF466} - hxxp://fdl.msn.com/zone/datafiles/heartbeat.cab

DPF: {CAFEEFAC-0016-0000-0020-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_20-windows-i586.cab

DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_20-windows-i586.cab

DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab

Notify: igfxcui - igfxsrvc.dll

AppInit_DLLs: jasojife.dll c:\windows\system32\kipozepe.dll c:\windows\system32\rotawapo.dll

SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll

SSODL: kivegohem - {5abfe74a-cf59-4016-ba01-428a854575cf} - c:\windows\system32\kipozepe.dll

SSODL: dedonazuw - {2f474bcb-7190-48df-aa59-9d2ecd1133e3} - c:\windows\system32\rotawapo.dll

STS: gahurihor: {5abfe74a-cf59-4016-ba01-428a854575cf} - c:\windows\system32\kipozepe.dll

STS: mujuzedij: {2f474bcb-7190-48df-aa59-9d2ecd1133e3} - c:\windows\system32\rotawapo.dll

LSA: Notification Packages = scecli jasojife.dll

IFEO: MpCmdRun.exe - c:\windows\system32\svchost.exe

IFEO: MSASCui.exe - c:\windows\system32\svchost.exe

IFEO: MsMpEng.exe - c:\windows\system32\svchost.exe

IFEO: msseces.exe - c:\windows\system32\svchost.exe

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\owner\applic~1\mozilla\firefox\profiles\3fr781te.default\

FF - prefs.js: keyword.URL - hxxp://toolbar.ask.com/toolbarv/askRedirect?o=13149&gct=&gc=1&q=

FF - plugin: c:\program files\google\google earth\plugin\npgeplugin.dll

FF - plugin: c:\program files\google\google updater\2.4.1601.7122\npCIDetect13.dll

FF - plugin: c:\program files\google\update\\npGoogleOneClick8.dll

FF - plugin: c:\program files\java\jre6\bin\new_plugin\npdeployJava1.dll

FF - plugin: c:\program files\mozilla firefox\plugins\NPAdbESD.dll

FF - plugin: c:\program files\mozilla firefox\plugins\npImgCtl.dll

FF - plugin: c:\program files\real\realone player\netscape6\nppl3260.dll

FF - plugin: c:\program files\real\realone player\netscape6\nprjplug.dll

FF - plugin: c:\program files\real\realone player\netscape6\nprpjplug.dll

FF - plugin: c:\program files\virtual earth 3d\npVE3D.dll

FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\microsoft.net\framework\v3.5\windows presentation foundation\dotnetassistantextension\

FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0001-ABCDEFFEDCBA}

FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0002-ABCDEFFEDCBA}

FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0003-ABCDEFFEDCBA}

FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0005-ABCDEFFEDCBA}

FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0011-ABCDEFFEDCBA}

FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0013-ABCDEFFEDCBA}

FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0020-ABCDEFFEDCBA}


FF - user.js: yahoo.homepage.dontask - truec:\program files\mozilla firefox\greprefs\all.js - pref("ui.use_native_colors", true);

c:\program files\mozilla firefox\greprefs\all.js - pref("ui.use_native_popup_windows", false);

c:\program files\mozilla firefox\greprefs\all.js - pref("browser.enable_click_image_resizing", true);

c:\program files\mozilla firefox\greprefs\all.js - pref("accessibility.browsewithcaret_shortcut.enabled", true);

c:\program files\mozilla firefox\greprefs\all.js - pref("javascript.options.mem.high_water_mark", 32);

c:\program files\mozilla firefox\greprefs\all.js - pref("javascript.options.mem.gc_frequency", 1600);

c:\program files\mozilla firefox\greprefs\all.js - pref("network.auth.force-generic-ntlm", false);

c:\program files\mozilla firefox\greprefs\all.js - pref("svg.smil.enabled", false);

c:\program files\mozilla firefox\greprefs\all.js - pref("ui.trackpoint_hack.enabled", -1);

c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.debug", false);

c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.agedWeight", 2);

c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.bucketSize", 1);

c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.maxTimeGroupings", 25);

c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.timeGroupingSize", 604800);

c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.boundaryWeight", 25);

c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.prefixWeight", 5);

c:\program files\mozilla firefox\greprefs\all.js - pref("html5.enable", false);

c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.allow_unrestricted_renego_everywhere__temporarily_available_pr

ef", true);

c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.renego_unrestricted_hosts", "");

c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.treat_unsafe_negotiation_as_broken", false);

c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.require_safe_negotiation", false);

c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl3.rsa_seed_sha", true);

c:\program files\mozilla firefox\defaults\pref\firefox-branding.js - pref("app.update.download.backgroundInterval", 600);

c:\program files\mozilla firefox\defaults\pref\firefox-branding.js - pref("app.update.url.manual", "http://www.firefox.com");

c:\program files\mozilla firefox\defaults\pref\firefox-branding.js - pref("browser.search.param.yahoo-fr-ja", "mozff");

c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.name", "chrome://browser/locale/browser.properties");

c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.description", "chrome://browser/locale/browser.properties");

c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("xpinstall.whitelist.add", "addons.mozilla.org");

c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("xpinstall.whitelist.add.36", "getpersonas.com");

c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("lightweightThemes.update.enabled", true);

c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.allTabs.previews", false);

c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("plugins.hide_infobar_for_outdated_plugin", false);

c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("plugins.update.notifyUser", false);

c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("toolbar.customization.usesheet", false);

c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.enable", false);

c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.max", 20);

c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.cachetime", 20);

============= SERVICES / DRIVERS ===============

S0 pavboot;pavboot;c:\windows\system32\drivers\pavboot.sys [2010-5-4 28552]

S1 avgio;avgio;c:\program files\avira\antivir desktop\avgio.sys [2009-7-21 11608]

S2 AntiVirSchedulerService;Avira AntiVir Scheduler;c:\program files\avira\antivir desktop\sched.exe [2009-7-21 108289]

S2 AntiVirService;Avira AntiVir Guard;c:\program files\avira\antivir desktop\avguard.exe [2009-7-21 185089]

S2 avgntflt;avgntflt;c:\windows\system32\drivers\avgntflt.sys [2009-7-21 56816]

S2 FMS;Flash Media Server (FMS);c:\program files\macromedia\flash media server 2\FMSMaster.exe [2007-6-5 893031]

S2 FMSAdmin;Flash Media Administration Server;c:\program files\macromedia\flash media server 2\FMSAdmin.exe [2007-6-5 1171558]

S2 gupdate1c9e0e7f016fb78;Google Update Service (gupdate1c9e0e7f016fb78);c:\program files\google\update\GoogleUpdate.exe [2009-5-29 133104]

S2 mrtRate;mrtRate; [x]

S2 sprtsvc_medicsp2;SupportSoft Sprocket Service (medicsp2);c:\program files\twc\medicsp2\bin\sprtsvc.exe [2008-2-13 202280]

S3 bfturboh;BUFFALO TurboUSB for HD Filter;c:\windows\system32\drivers\bfturboh.sys [2009-7-23 15872]

S3 bfturboo;BUFFALO TurboUSB for DVD Filter;c:\windows\system32\drivers\bfturboo.sys [2009-7-23 8704]

S3 MBAMSwissArmy;MBAMSwissArmy;c:\windows\system32\drivers\mbamswissarmy.sys [2010-5-27 38224]

S3 PCDRDRV;Pcdr Helper Driver;\??\c:\progra~1\pc-doc~1\diagno~1\pcdrdrv.sys --> c:\progra~1\pc-doc~1\diagno~1\PCDRDRV.sys [?]

=============== Created Last 30 ================

2010-06-08 04:58:04 0 ----a-w- c:\documents and settings\owner\defogger_reenable

2010-05-28 04:51:05 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys

2010-05-28 04:51:02 20952 ----a-w- c:\windows\system32\drivers\mbam.sys

2010-05-28 04:51:01 0 d-----w- c:\program files\Malwarebytes' Anti-Malware

==================== Find3M ====================

2010-05-07 02:04:06 411368 ----a-w- c:\windows\system32\deployJava1.dll

2010-03-10 06:15:52 420352 ----a-w- c:\windows\system32\vbscript.dll

1601-01-01 00:03:28 99328 --sha-w- c:\windows\system32\gujowude.dll

2010-03-04 06:10:34 99328 --sha-w- c:\windows\system32\hujinuya.dll

2010-03-02 06:09:10 100352 --sha-w- c:\windows\system32\mozewaya.dll

2010-03-07 18:11:49 99328 --sha-w- c:\windows\system32\rotawapo.dll

1601-01-01 00:03:28 99840 --sha-w- c:\windows\system32\rurajiye.dll

1601-01-01 00:03:28 100352 --sha-w- c:\windows\system32\yebineza.dll

2010-03-03 18:10:20 99328 --sha-w- c:\windows\system32\yonugese.dll

2010-03-03 06:09:55 99840 --sha-w- c:\windows\system32\yozezuna.dll

2010-01-08 05:15:00 16384 --sha-w- c:\windows\system32\config\systemprofile\ietldcache\index.dat

2008-09-11 15:09:24 32768 --sha-w- c:\windows\system32\config\systemprofile\local settings\history\history.ie5\mshist012008091120080912\index.dat

============= FINISH: 22:07:43.50 ===============

The is the Attach Scan



DDS (Ver_10-03-17.01)

Microsoft Windows XP Home Edition

Boot Device: \Device\HarddiskVolume2

Install Date: 5/23/2003 7:33:21 PM

System Uptime: 6/7/2010 10:02:21 PM (0 hours ago)


Processor: Intel® Pentium® 4 CPU 2.66GHz | Socket 478 | 2666/133mhz

==== Disk Partitions =========================

A: is Removable

C: is FIXED (NTFS) - 107 GiB total, 85.228 GiB free.

D: is FIXED (FAT32) - 5 GiB total, 0.92 GiB free.

E: is CDROM ()

F: is CDROM ()

G: is Removable

H: is Removable

I: is Removable

==== Disabled Device Manager Items =============

==== System Restore Points ===================

RP1: 5/6/2010 7:17:36 PM - System Checkpoint

RP2: 5/8/2010 6:42:05 PM - System Checkpoint

RP3: 5/10/2010 11:06:22 PM - System Checkpoint

RP4: 5/12/2010 6:30:51 AM - System Checkpoint

RP5: 5/12/2010 10:20:06 AM - Software Distribution Service 3.0

RP6: 5/13/2010 6:30:07 PM - System Checkpoint

RP7: 5/14/2010 8:13:21 PM - System Checkpoint

RP8: 5/15/2010 11:00:28 PM - System Checkpoint

RP9: 5/17/2010 4:43:49 AM - System Checkpoint

RP10: 5/18/2010 6:12:20 AM - System Checkpoint

RP11: 5/19/2010 1:56:07 PM - System Checkpoint

RP12: 5/20/2010 9:09:11 PM - System Checkpoint

RP13: 5/22/2010 2:24:44 AM - System Checkpoint

RP14: 5/24/2010 1:47:48 AM - System Checkpoint

RP15: 5/25/2010 2:22:39 AM - System Checkpoint

RP16: 5/26/2010 2:28:23 AM - System Checkpoint

RP17: 5/26/2010 9:00:17 AM - Software Distribution Service 3.0

RP18: 5/27/2010 5:53:22 PM - System Checkpoint

RP19: 5/27/2010 10:25:40 PM - Spybot-S&D Spyware removal

RP20: 5/28/2010 10:31:08 PM - System Checkpoint

RP21: 5/30/2010 10:07:30 AM - System Checkpoint

RP22: 5/31/2010 4:35:05 PM - System Checkpoint

RP23: 6/1/2010 9:48:35 PM - System Checkpoint

RP24: 6/4/2010 9:12:26 PM - System Checkpoint

RP25: 6/5/2010 9:29:55 PM - System Checkpoint

==== Installed Programs ======================

Ad-Aware SE Personal

Adobe Download Manager 2.0 (Remove Only)

Adobe Flash Player 10 ActiveX

Adobe Flash Player 10 Plugin

Adobe Reader 7.0.9



Apple QuickTime Installer

ArcSoft Software Suite

Avira AntiVir Personal - Free Antivirus



CCleaner (remove only)

CD Label Design Software






Critical Update for Windows Media Player 11 (KB959772)




Detto IntelliMover Demo






EarthLink MDAC

easy Internet sign-up

Enhanced Multimedia Keyboard Solution

ESET Online Scanner

ESET Online Scanner v3




Google Chrome

Google Earth

Google Update Helper

Google Updater

HighMAT Extension to Microsoft Windows XP CD Writing Wizard

HijackThis 2.0.2

Hotfix for Microsoft .NET Framework 3.5 SP1 (KB953595)

Hotfix for Microsoft .NET Framework 3.5 SP1 (KB958484)

Hotfix for Windows Media Format 11 SDK (KB929399)

Hotfix for Windows Media Player 11 (KB939683)

Hotfix for Windows XP (KB952287)

Hotfix for Windows XP (KB954550-v5)

Hotfix for Windows XP (KB961118)

Hotfix for Windows XP (KB970653-v3)

Hotfix for Windows XP (KB976098-v2)

Hotfix for Windows XP (KB979306)

Hotfix for Windows XP (KB981793)

hp center

HP Customer Participation Program 7.0

HP Digital Imaging Album Printing 1.0

HP Document Viewer 7.0

HP Imaging Device Functions 7.0

HP Instant Support

HP Memories Disc

HP Photo and Imaging 1.1 - Photosmart Cameras

HP Photo and Imaging 1.2 - Scanjet 4570c Series

HP Photosmart Essential

HP Photosmart Premier Software 6.5

HP Photosmart, Officejet and Deskjet 7.0.A

HP Product Assistant

HP Solution Center 7.0

hp toolkit

HP Update



Inactive HP Printer Drivers (Remove only)


Link to post
Share on other sites

I downloaded and ran the GMER Rootkit Scanner. Here is the scan:

GMER - http://www.gmer.net

Autostart scan 2010-06-07 23:07:36

Windows 5.1.2600 Service Pack 3

HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\SubSystems@Windows = %SystemRoot%\system32\csrss.exe ObjectDirectory=\Windows SharedSection=1024,3072,512 Windows=On SubSystemType=Windows ServerDll=basesrv,1 ServerDll=winsrv:UserServerDllInitialization,3 ServerDll=winsrv:ConServerDllInitialization,2 ProfileControl=Off MaxRequestThreads=16

HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon@Userinit = C:\WINDOWS\system32\userinit.exe,

HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\ >>>

dimsntfy@DLLName = %SystemRoot%\System32\dimsntfy.dll

igfxcui@DLLName = igfxsrvc.dll

WgaLogon@DLLName = WgaLogon.dll

HKLM\Software\Microsoft\Windows NT\CurrentVersion\Windows@AppInit_DLLs = jasojife.dll c:\windows\system32\kipozepe.dll c:\windows\system32\rotawapo.dll

HKLM\SYSTEM\CurrentControlSet\Services\ >>>

AntiVirSchedulerService@ = "C:\Program Files\Avira\AntiVir Desktop\sched.exe"

AntiVirService@ = "C:\Program Files\Avira\AntiVir Desktop\avguard.exe"

Fax@ = %systemroot%\system32\fxssvc.exe

FMS@ = "C:\Program Files\Macromedia\Flash Media Server 2\FMSMaster.exe"

FMSAdmin@ = "C:\Program Files\Macromedia\Flash Media Server 2\FMSAdmin.exe"

gupdate1c9e0e7f016fb78@ = "C:\Program Files\Google\Update\GoogleUpdate.exe" /svc

gusvc@ = "C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe"

JavaQuickStarterService@ = "C:\Program Files\Java\jre6\bin\jqs.exe" -service -config "C:\Program Files\Java\jre6\lib\deploy\jqs\jqs.conf"

NVSvc@ = %SystemRoot%\System32\nvsvc32.exe

Pml Driver HPZ12@ = C:\WINDOWS\system32\HPZipm12.exe

ScsiPort@ = %SystemRoot%\system32\drivers\scsiport.sys

sprtsvc_medicsp2@ = C:\Program Files\twc\medicsp2\bin\sprtsvc.exe /service /p medicsp2 /*file not found*/

WANMiniportService@ = "C:\WINDOWS\wanmpsvc.exe"

HKLM\Software\Microsoft\Windows\CurrentVersion\Run >>>

@HotKeysCmdsC:\WINDOWS\System32\hkcmd.exe = C:\WINDOWS\System32\hkcmd.exe


@NvCplDaemonRUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup = RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup

@nwiznwiz.exe /install = nwiz.exe /install


@CamMonitorc:\Program Files\Hewlett-Packard\Digital Imaging\Unload\hpqcmon.exe = c:\Program Files\Hewlett-Packard\Digital Imaging\Unload\hpqcmon.exe

@UpdateManager"C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" /r = "C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" /r

@hpsysdrvc:\windows\system\hpsysdrv.exe = c:\windows\system\hpsysdrv.exe

@avgnt"C:\Program Files\Avira\AntiVir Desktop\avgnt.exe" /min = "C:\Program Files\Avira\AntiVir Desktop\avgnt.exe" /min

@SunJavaUpdateSched"C:\Program Files\Common Files\Java\Java Update\jusched.exe" = "C:\Program Files\Common Files\Java\Java Update\jusched.exe"

@jupejegasoRundll32.exe "mazoyabo.dll",s = Rundll32.exe "mazoyabo.dll",s

@QuickTime Task"C:\Program Files\QuickTime\qttask.exe" -atboottime = "C:\Program Files\QuickTime\qttask.exe" -atboottime

@pozojisinRundll32.exe "c:\windows\system32\rotawapo.dll",a = Rundll32.exe "c:\windows\system32\rotawapo.dll",a

HKCU\Software\Microsoft\Windows\CurrentVersion\Run >>>

@updateMgr"C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe" AcRdB7_0_9 -reboot 1 = "C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe" AcRdB7_0_9 -reboot 1

@ctfmon.exeC:\WINDOWS\system32\ctfmon.exe = C:\WINDOWS\system32\ctfmon.exe

HKLM\Software\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad >>>

@WPDShServiceObjC:\WINDOWS\system32\WPDShServiceObj.dll = C:\WINDOWS\system32\WPDShServiceObj.dll

@kivegohemc:\windows\system32\kipozepe.dll /*file not found*/ = c:\windows\system32\kipozepe.dll /*file not found*/

@dedonazuwc:\windows\system32\rotawapo.dll = c:\windows\system32\rotawapo.dll

HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\SharedTaskScheduler >>>

@{5abfe74a-cf59-4016-ba01-428a854575cf}c:\windows\system32\kipozepe.dll /*file not found*/ = c:\windows\system32\kipozepe.dll /*file not found*/

@{2f474bcb-7190-48df-aa59-9d2ecd1133e3}c:\windows\system32\rotawapo.dll = c:\windows\system32\rotawapo.dll

HKLM\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved >>>

@{42071714-76d4-11d1-8b24-00a0c9068ff3} /*Display Panning CPL Extension*/deskpan.dll /*file not found*/ = deskpan.dll /*file not found*/

@{30D02401-6A81-11d0-8274-00C04FD5AE38} /*IE Search Band*/C:\WINDOWS\system32\ieframe.dll = C:\WINDOWS\system32\ieframe.dll

@{32683183-48a0-441b-a342-7c2a440a9478} /*Media Band*/(null) =

@{E7E4BC40-E76A-11CE-A9BB-00AA004AE837} /*Shell DocObject Viewer*/C:\WINDOWS\system32\ieframe.dll = C:\WINDOWS\system32\ieframe.dll

@{FBF23B40-E3F0-101B-8488-00AA003E56F8} /*InternetShortcut*/C:\WINDOWS\system32\ieframe.dll = C:\WINDOWS\system32\ieframe.dll

@{3C374A40-BAE4-11CF-BF7D-00AA006946EE} /*Microsoft Url History Service*/C:\WINDOWS\system32\ieframe.dll = C:\WINDOWS\system32\ieframe.dll

@{FF393560-C2A7-11CF-BFF4-444553540000} /*History*/C:\WINDOWS\system32\ieframe.dll = C:\WINDOWS\system32\ieframe.dll

@{7BD29E00-76C1-11CF-9DD0-00A0C9034933} /*Temporary Internet Files*/C:\WINDOWS\system32\ieframe.dll = C:\WINDOWS\system32\ieframe.dll

@{7BD29E01-76C1-11CF-9DD0-00A0C9034933} /*Temporary Internet Files*/C:\WINDOWS\system32\ieframe.dll = C:\WINDOWS\system32\ieframe.dll

@{CFBFAE00-17A6-11D0-99CB-00C04FD64497} /*Microsoft Url Search Hook*/C:\WINDOWS\system32\ieframe.dll = C:\WINDOWS\system32\ieframe.dll

@{3DC7A020-0ACD-11CF-A9BB-00AA004AE837} /*The Internet*/C:\WINDOWS\system32\ieframe.dll = C:\WINDOWS\system32\ieframe.dll

@{871C5380-42A0-1069-A2EA-08002B30309D} /*Internet Name Space*/C:\WINDOWS\system32\ieframe.dll = C:\WINDOWS\system32\ieframe.dll

@{7F67036B-66F1-411A-AD85-759FB9C5B0DB} /*SampleView*/C:\WINDOWS\System32\ShellvRTF.dll = C:\WINDOWS\System32\ShellvRTF.dll

@{1CDB2949-8F65-4355-8456-263E7C208A5D} /*Desktop Explorer*/C:\WINDOWS\System32\nvshell.dll = C:\WINDOWS\System32\nvshell.dll

@{1E9B04FB-F9E5-4718-997B-B8DA88302A47} /*Desktop Explorer Menu*/C:\WINDOWS\System32\nvshell.dll = C:\WINDOWS\System32\nvshell.dll

@{0006F045-0000-0000-C000-000000000046} /*Microsoft Outlook Custom Icon Handler*/C:\PROGRA~1\MICROS~2\Office\OLKFSTUB.DLL = C:\PROGRA~1\MICROS~2\Office\OLKFSTUB.DLL

@{A4DF5659-0801-4A60-9607-1C48695EFDA9} /*Share-to-Web Upload Folder*/C:\Program Files\Hewlett-Packard\HP Share-to-Web\HPGS2WNS.DLL = C:\Program Files\Hewlett-Packard\HP Share-to-Web\HPGS2WNS.DLL

@{F0CB00CD-5A07-4D91-97F5-A8C92CDA93E4} /*Shell Extensions for RealOne Player*/C:\Program Files\Real\RealOne Player\rpshell.dll = C:\Program Files\Real\RealOne Player\rpshell.dll

@{596AB062-B4D2-4215-9F74-E9109B0A8153} /*Previous Versions Property Page*/C:\WINDOWS\system32\twext.dll = C:\WINDOWS\system32\twext.dll

@{9DB7A13C-F208-4981-8353-73CC61AE2783} /*Previous Versions*/C:\WINDOWS\system32\twext.dll = C:\WINDOWS\system32\twext.dll

@{692F0339-CBAA-47e6-B5B5-3B84DB604E87} /*Extensions Manager Folder*/C:\WINDOWS\system32\extmgr.dll = C:\WINDOWS\system32\extmgr.dll

@{B9E1D2CB-CCFF-4AA6-9579-D7A4754030EF} /*iTunes*/C:\Program Files\iTunes\iTunesMiniPlayer.dll = C:\Program Files\iTunes\iTunesMiniPlayer.dll

@{35786D3C-B075-49b9-88DD-029876E11C01} /*Portable Devices*/%SystemRoot%\system32\wpdshext.dll = %SystemRoot%\system32\wpdshext.dll

@{D6791A63-E7E2-4fee-BF52-5DED8E86E9B8} /*Portable Devices Menu*/%SystemRoot%\system32\wpdshext.dll = %SystemRoot%\system32\wpdshext.dll

@{3028902F-6374-48b2-8DC6-9725E775B926} /*IE AutoComplete*/C:\WINDOWS\system32\ieframe.dll = C:\WINDOWS\system32\ieframe.dll

@{07C45BB1-4A8C-4642-A1F5-237E7215FF66} /*IE Microsoft BrowserBand*/C:\WINDOWS\system32\ieframe.dll = C:\WINDOWS\system32\ieframe.dll

@{1C1EDB47-CE22-4bbb-B608-77B48F83C823} /*IE Fade Task*/C:\WINDOWS\system32\ieframe.dll = C:\WINDOWS\system32\ieframe.dll

@{205D7A97-F16D-4691-86EF-F3075DCCA57D} /*IE Menu Desk Bar*/C:\WINDOWS\system32\ieframe.dll = C:\WINDOWS\system32\ieframe.dll

@{43886CD5-6529-41c4-A707-7B3C92C05E68} /*IE Navigation Bar*/C:\WINDOWS\system32\ieframe.dll = C:\WINDOWS\system32\ieframe.dll

@{44C76ECD-F7FA-411c-9929-1B77BA77F524} /*IE Menu Site*/C:\WINDOWS\system32\ieframe.dll = C:\WINDOWS\system32\ieframe.dll

@{4B78D326-D922-44f9-AF2A-07805C2A3560} /*IE Menu Band*/C:\WINDOWS\system32\ieframe.dll = C:\WINDOWS\system32\ieframe.dll

@{6038EF75-ABFC-4e59-AB6F-12D397F6568D} /*IE Microsoft History AutoComplete List*/C:\WINDOWS\system32\ieframe.dll = C:\WINDOWS\system32\ieframe.dll

@{6B4ECC4F-16D1-4474-94AB-5A763F2A54AE} /*IE Tracking Shell Menu*/C:\WINDOWS\system32\ieframe.dll = C:\WINDOWS\system32\ieframe.dll

@{6CF48EF8-44CD-45d2-8832-A16EA016311B} /*IE IShellFolderBand*/C:\WINDOWS\system32\ieframe.dll = C:\WINDOWS\system32\ieframe.dll

@{73CFD649-CD48-4fd8-A272-2070EA56526B} /*IE BandProxy*/C:\WINDOWS\system32\ieframe.dll = C:\WINDOWS\system32\ieframe.dll

@{98FF6D4B-6387-4b0a-8FBD-C5C4BB17B4F8} /*IE MRU AutoComplete List*/C:\WINDOWS\system32\ieframe.dll = C:\WINDOWS\system32\ieframe.dll

@{9A096BB5-9DC3-4D1C-8526-C3CBF991EA4E} /*IE RSS Feeder Folder*/C:\WINDOWS\system32\ieframe.dll = C:\WINDOWS\system32\ieframe.dll

@{9D958C62-3954-4b44-8FAB-C4670C1DB4C2} /*IE Microsoft Shell Folder AutoComplete List*/C:\WINDOWS\system32\ieframe.dll = C:\WINDOWS\system32\ieframe.dll

@{B31C5FAE-961F-415b-BAF0-E697A5178B94} /*IE Microsoft Multiple AutoComplete List Container*/C:\WINDOWS\system32\ieframe.dll = C:\WINDOWS\system32\ieframe.dll

@{BC476F4C-D9D7-4100-8D4E-E043F6DEC409} /*Microsoft Browser Architecture*/C:\WINDOWS\system32\ieframe.dll = C:\WINDOWS\system32\ieframe.dll

@{BFAD62EE-9D54-4b2a-BF3B-76F90697BD2A} /*IE Shell Rebar BandSite*/C:\WINDOWS\system32\ieframe.dll = C:\WINDOWS\system32\ieframe.dll

@{E6EE9AAC-F76B-4947-8260-A9F136138E11} /*IE Shell Band Site Menu*/C:\WINDOWS\system32\ieframe.dll = C:\WINDOWS\system32\ieframe.dll

@{F2CF5485-4E02-4f68-819C-B92DE9277049} /*&Links*/C:\WINDOWS\system32\ieframe.dll = C:\WINDOWS\system32\ieframe.dll

@{F83DAC1C-9BB9-4f2b-B619-09819DA81B0E} /*IE Registry Tree Options Utility*/C:\WINDOWS\system32\ieframe.dll = C:\WINDOWS\system32\ieframe.dll

@{FAC3CBF6-8697-43d0-BAB9-DCD1FCE19D75} /*IE User Assist*/C:\WINDOWS\system32\ieframe.dll = C:\WINDOWS\system32\ieframe.dll

@{FDE7673D-2E19-4145-8376-BBD58C4BC7BA} /*IE Custom MRU AutoCompleted List*/C:\WINDOWS\system32\ieframe.dll = C:\WINDOWS\system32\ieframe.dll

@{E37E2028-CE1A-4f42-AF05-6CEABC4E5D75} /*Shell Icon Handler for Application References*/c:\WINDOWS\system32\dfshim.dll = c:\WINDOWS\system32\dfshim.dll

@{e82a2d71-5b2f-43a0-97b8-81be15854de8} /*ShellLink for Application References*/c:\WINDOWS\system32\dfshim.dll = c:\WINDOWS\system32\dfshim.dll

@{45AC2688-0253-4ED8-97DE-B5370FA7D48A} /*Shell Extension for Malware scanning*/C:\Program Files\Avira\AntiVir Desktop\shlext.dll = C:\Program Files\Avira\AntiVir Desktop\shlext.dll

@{11016101-E366-4D22-BC06-4ADA335C892B} /*IE History and Feeds Shell Data Source for Windows Search*/C:\WINDOWS\system32\ieframe.dll = C:\WINDOWS\system32\ieframe.dll

@{8856f961-340a-11d0-a96b-00c04fd705a2} /*Microsoft Web Browser*/C:\WINDOWS\system32\ieframe.dll = C:\WINDOWS\system32\ieframe.dll

@{00E7B358-F65B-4dcf-83DF-CD026B94BFD4} /*Autoplay for SlideShow*/(null) =

@{45670FA8-ED97-4F44-BC93-305082590BFB} /*Microsoft.XPS.Shell.Metadata.1*/%SystemRoot%\System32\XPSSHHDR.DLL = %SystemRoot%\System32\XPSSHHDR.DLL

@{44121072-A222-48f2-A58A-6D9AD51EBBE9} /*Microsoft.XPS.Shell.Thumbnail.1*/%SystemRoot%\System32\XPSSHHDR.DLL = %SystemRoot%\System32\XPSSHHDR.DLL

HKCU\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved@{BDEADF00-C265-11d0-BCED-00A0C90AB50F} /*Web Folders*/ = C:\PROGRA~1\COMMON~1\MICROS~1\WEBFOL~1\MSONSEXT.DLL

HKLM\Software\Classes\*\shellex\ContextMenuHandlers\Shell Extension for Malware scanning@{45AC2688-0253-4ED8-97DE-B5370FA7D48A} = C:\Program Files\Avira\AntiVir Desktop\shlext.dll

HKLM\Software\Classes\Folder\shellex\ContextMenuHandlers\ >>>

a2FreeContMenu@{A155339D-CCCD-4714-85EB-3754B804C9DF} =

MBAMShlExt@{57CE581A-0CB6-4266-9CA0-19364C90A0B3} = C:\Program Files\Malwarebytes' Anti-Malware\mbamext.dll

Shell Extension for Malware scanning@{45AC2688-0253-4ED8-97DE-B5370FA7D48A} = C:\Program Files\Avira\AntiVir Desktop\shlext.dll

HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects >>>

@{0f224aa6-0422-48c0-b474-c39fac444ed5}mosadefe.dll /*file not found*/ = mosadefe.dll /*file not found*/

@{53707962-6F74-2D53-2644-206D7942484F}C:\PROGRA~1\SPYBOT~1\SDHelper.dll = C:\PROGRA~1\SPYBOT~1\SDHelper.dll

@{AF69DE43-7D58-4638-B6FA-CE66B5AD205D}C:\Program Files\Google\GoogleToolbarNotifier\5.1.1309.3572\swg.dll = C:\Program Files\Google\GoogleToolbarNotifier\5.1.1309.3572\swg.dll

@{DBC80044-A445-435b-BC74-9C25C1C588A9}C:\Program Files\Java\jre6\bin\jp2ssv.dll = C:\Program Files\Java\jre6\bin\jp2ssv.dll

@{E7E6F031-17CE-4C07-BC86-EABFE594F69C}C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll = C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll

HKLM\Software\Microsoft\Internet Explorer\Main >>>

@Default_Page_URLhttp://go.microsoft.com/fwlink/?LinkId=69157 = http://go.microsoft.com/fwlink/?LinkId=69157

@Start Pagehttp://go.microsoft.com/fwlink/?LinkId=69157 = http://go.microsoft.com/fwlink/?LinkId=69157

@Local PageC:\WINDOWS\system32\blank.htm = C:\WINDOWS\system32\blank.htm

HKCU\Software\Microsoft\Internet Explorer\Main >>>

@Start Pagehttp://www.yahoo.com/ = http://www.yahoo.com/

@Local PageC:\WINDOWS\system32\blank.htm = C:\WINDOWS\system32\blank.htm

HKLM\Software\Classes\PROTOCOLS\Handler\ >>>

dvd@CLSID = C:\WINDOWS\system32\msvidctl.dll

its@CLSID = C:\WINDOWS\System32\itss.dll

mhtml@CLSID = %SystemRoot%\System32\inetcomm.dll

ms-its@CLSID = C:\WINDOWS\System32\itss.dll

tv@CLSID = C:\WINDOWS\system32\msvidctl.dll

HKLM\Software\Classes\PROTOCOLS\Handler\wia@CLSID = C:\WINDOWS\System32\wiascr.dll

C:\Documents and Settings\Owner\Start Menu\Programs\Startup = Event Reminder.lnk

C:\Documents and Settings\All Users\Start Menu\Programs\Startup >>>

Adobe Reader Speed Launch.lnk = Adobe Reader Speed Launch.lnk

America Online 7.0 Tray Icon.lnk = America Online 7.0 Tray Icon.lnk

HP Digital Imaging Monitor.lnk = HP Digital Imaging Monitor.lnk

Microsoft Office.lnk = Microsoft Office.lnk

---- EOF - GMER 1.0.15 ----

Link to post
Share on other sites

  • Launch Malwarebytes' Anti-Malware
  • Go to "Update" tab and select "Check for Updates". If an update is found, it will download and install the latest version.
  • Go to "Scanner" tab and select "Perform Quick Scan", then click Scan.
  • The scan may take some time to finish,so please be patient.
  • When the scan is complete, click OK, then Show Results to view the results.
  • Make sure that everything is checked, and click Remove Selected.
  • When disinfection is completed, a log will open in Notepad and you may be prompted to Restart.(See Extra Note)
  • The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
  • Copy&Paste the entire report in your next reply.

Extra Note:

If MBAM encounters a file that is difficult to remove,you will be presented with 1 of 2 prompts,click OK to either and let MBAM proceed with the disinfection process,if asked to restart the computer,please do so immediatly.

In your next reply, please include these log(s) in this sequence:

  1. MalwareBytes' Anti-Malware log
  2. a new fresh DDS log only

Link to post
Share on other sites

Hi Maniac,

I've had problems with my Malwarebytes program. It won't open and launch the program. It says "missing shortcut" when I try to launch it.

Since it won't open, I went to add/remove programs and removed Malwarebytes, and then downloaded and installed a new copy of Malwarebytes from C-Net, thinking it would resolve the issue with Maywarebytes. But I keep getting the same message - "missing shortcut."

What do you advise?

Link to post
Share on other sites

  • Run Hijackthis.
  • Click on the Do a system scan and save a logfile button. It will scan and the log should open in notepad.
  • Click on "Edit > Select All" then click on "Edit > Copy" to copy the entire contents of the log.
  • Come back here to this thread and Paste the log in your next reply.

Link to post
Share on other sites

Thanks Maniac,

Here's the scan with HijackThis:

Logfile of Trend Micro HijackThis v2.0.2

Scan saved at 11:37:28 AM, on 6/8/2010

Platform: Windows XP SP3 (WinNT 5.01.2600)

MSIE: Internet Explorer v8.00 (8.00.6001.18702)

Boot mode: Safe mode with network support

Running processes:












C:\Program Files\Mozilla Firefox\firefox.exe

C:\Program Files\Trend Micro\HijackThis\HijackThis.exe


R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://srch-us7.hpwis.com/

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157

O2 - BHO: (no name) - {0f224aa6-0422-48c0-b474-c39fac444ed5} - mosadefe.dll (file missing)

O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll

O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\5.1.1309.3572\swg.dll

O2 - BHO: Java Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll

O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll

O3 - Toolbar: hp toolkit - {B2847E28-5D7D-4DEB-8B67-05D28BCF79F5} - C:\HP\EXPLOREBAR\HPTOOLKT.DLL

O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe


O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup

O4 - HKLM\..\Run: [nwiz] nwiz.exe /install


O4 - HKLM\..\Run: [CamMonitor] c:\Program Files\Hewlett-Packard\Digital Imaging\Unload\hpqcmon.exe

O4 - HKLM\..\Run: [updateManager] "C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" /r

O4 - HKLM\..\Run: [hpsysdrv] c:\windows\system\hpsysdrv.exe

O4 - HKLM\..\Run: [avgnt] "C:\Program Files\Avira\AntiVir Desktop\avgnt.exe" /min

O4 - HKLM\..\Run: [sunJavaUpdateSched] "C:\Program Files\Common Files\Java\Java Update\jusched.exe"

O4 - HKLM\..\Run: [jupejegaso] Rundll32.exe "mazoyabo.dll",s

O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime

O4 - HKLM\..\Run: [pozojisin] Rundll32.exe "c:\windows\system32\noregupu.dll",a

O4 - HKLM\..\RunOnce: [Malwarebytes' Anti-Malware] C:\Program Files\Malwarebytes' Anti-Malware\mbamgui.exe /install /silent

O4 - HKCU\..\Run: [updateMgr] "C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe" AcRdB7_0_9 -reboot 1

O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe

O4 - Startup: Event Reminder.lnk = C:\Program Files\Mindscape\PrintMaster\PMREMIND.EXE

O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe

O4 - Global Startup: America Online 7.0 Tray Icon.lnk = C:\Program Files\America Online 7.0\aoltray.exe

O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpqtra08.exe

O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE

O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present

O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll

O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll

O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe

O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe

O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe

O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe

O15 - Trusted Zone: http://*.windowsupdate.com

O16 - DPF: {56762DEC-6B0D-4AB4-A8AD-989993B5D08B} (OnlineScanner Control) - http://www.eset.eu/buxus/docs/OnlineScanner.cab

O16 - DPF: {7530BFB8-7293-4D34-9923-61A11451AFC5} (OnlineScanner Control) - http://download.eset.com/special/eos/OnlineScanner.cab

O16 - DPF: {AE1C01E3-0283-11D3-9B3F-00C04F8EF466} (HeartbeatCtl Class) - http://fdl.msn.com/zone/datafiles/heartbeat.cab

O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/shoc...ash/swflash.cab

O20 - AppInit_DLLs: jasojife.dll c:\windows\system32\kipozepe.dll c:\windows\system32\noregupu.dll

O21 - SSODL: kivegohem - {5abfe74a-cf59-4016-ba01-428a854575cf} - c:\windows\system32\kipozepe.dll (file missing)

O21 - SSODL: metojujif - {2fa57881-1799-471d-8b9f-b6049bb00b3e} - c:\windows\system32\noregupu.dll

O22 - SharedTaskScheduler: gahurihor - {5abfe74a-cf59-4016-ba01-428a854575cf} - c:\windows\system32\kipozepe.dll (file missing)

O22 - SharedTaskScheduler: mujuzedij - {2fa57881-1799-471d-8b9f-b6049bb00b3e} - c:\windows\system32\noregupu.dll

O23 - Service: Avira AntiVir Scheduler (AntiVirSchedulerService) - Avira GmbH - C:\Program Files\Avira\AntiVir Desktop\sched.exe

O23 - Service: Avira AntiVir Guard (AntiVirService) - Avira GmbH - C:\Program Files\Avira\AntiVir Desktop\avguard.exe

O23 - Service: Flash Media Server (FMS) (FMS) - Macromedia, Inc. - C:\Program Files\Macromedia\Flash Media Server 2\FMSMaster.exe

O23 - Service: Flash Media Administration Server (FMSAdmin) - Macromedia, Inc. - C:\Program Files\Macromedia\Flash Media Server 2\FMSAdmin.exe

O23 - Service: Google Update Service (gupdate1c9e0e7f016fb78) (gupdate1c9e0e7f016fb78) - Google Inc. - C:\Program Files\Google\Update\GoogleUpdate.exe

O23 - Service: Google Software Updater (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe

O23 - Service: HP Port Resolver - Hewlett-Packard Company - C:\WINDOWS\system32\spool\drivers\w32x86\3\HPBPRO.EXE

O23 - Service: HP Status Server - Hewlett-Packard Company - C:\WINDOWS\system32\spool\drivers\w32x86\3\HPBOID.EXE

O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe

O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe

O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe

O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe

O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe

O23 - Service: SupportSoft Sprocket Service (medicsp2) (sprtsvc_medicsp2) - SupportSoft, Inc. - C:\Program Files\twc\medicsp2\bin\sprtsvc.exe

O23 - Service: WAN Miniport (ATW) Service (WANMiniportService) - America Online, Inc. - C:\WINDOWS\wanmpsvc.exe


End of file - 7738 bytes

Link to post
Share on other sites

Please follow these instructions:



  • Launch Malwarebytes' Anti-Malware
  • Go to "Update" tab and select "Check for Updates". If an update is found, it will download and install the latest version.
  • Go to "Scanner" tab and select "Perform Quick Scan", then click Scan.
  • The scan may take some time to finish,so please be patient.
  • When the scan is complete, click OK, then Show Results to view the results.
  • Make sure that everything is checked, and click Remove Selected.
  • When disinfection is completed, a log will open in Notepad and you may be prompted to Restart.(See Extra Note)
  • The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
  • Copy&Paste the entire report in your next reply.

Extra Note:

If MBAM encounters a file that is difficult to remove,you will be presented with 1 of 2 prompts,click OK to either and let MBAM proceed with the disinfection process,if asked to restart the computer,please do so immediatly.

Link to post
Share on other sites

Thanks Maniac,

I must be doing something wrong. I downloaded the randomly named MBAM, and tried to place it in the Malwarebytes file, and I get a message that MBAM can't be found.

When I click on the randomly named MBAM, I get this message:


The System Cannot Find path Specified

Link to post
Share on other sites

Please do the following to see if it resolves the issue.

Temporarily disable your Anti-Virus and other security software while installing and running.

Windows XP:

  • Click on Start and select Control Panel
  • Open Add/Remove Programs
  • Uninstall Malwarebytes' Anti-Malware
  • Restart your computer very important
  • Download and run mbam-clean.exe from here
  • It will ask to restart your computer, please allow it to do so very important
  • After the computer restarts, temporarily disable your Anti-Virus and install the latest version of Malwarebytes' Anti-Malware from here
    • Note: You will need to reactivate the program using the license you were sent via email if using the Pro version
    • Launch the program and set the Protection and Registration. Then go to the UPDATE tab if not done during installation and check for updates.
      Restart the computer again and verify that MBAM is in the task tray if using the Pro version. Now setup any file exclusions as may be required in your Anti-Virus/Internet-Security/Firewall applications and restart your Anti-Virus/Internet-Security applications. You may use the guides posted in the FAQ's here or post to ask and we'll explain how to do it.

Link to post
Share on other sites

Hi Maniac,

I went to add/remove programs and uninstalled MBAM, restarted my computer in the normal mode and immediately had the virus - TR/Vundo.ME.71 - try to access my computer.

I shut down and booted up in safe mode and downloaded the MBAM-clean.exe program and tried to run it. I got the following error code:


Failed with error code 0

Link to post
Share on other sites

Thanks Maniac,

I skipped the Mbam-clean.exe, and downloaded and installed MBAM and I'm still getting this message:


the system cannot find path specified

I noted that when I initially went to add/remove programs and removed Malwarebytes, and restarted the computer, the icon for the renamed MBAM, which I named Explorer.exe was still on the desktop.

Link to post
Share on other sites

**Note: If you need more detailed information, please visit the web page of ComboFix in BleepingComputer. **

Please note that these fixes are not instantaneous. Most infections require more than one round to properly eradicate.

Stay with me until given the 'all clear' even if symptoms diminish. Lack of symptoms does not always mean the job is complete.

Kindly follow my instructions and please do no fixing on your own or running of scanners unless requested by me or another helper.

Please download ComboFix from

Here or Here to your Desktop.

**Note: In the event you already have Combofix, this is a new version that I need you to download. It is important that it is saved and renamed following this process directly to your desktop**

  1. If you are using Firefox, make sure that your download settings are as follows:
    • Open Tools -> Options -> Main tab
    • Set to Always ask me where to Save the files.

[*]During the download, rename Combofix to Combo-Fix as follows:



[*]It is important you rename Combofix during the download, but not after.

[*]Please do not rename Combofix to other names, but only to the one indicated.

[*]Close any open browsers.

[*]Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.


  • Very Important! Temporarily disable your anti-virus, script blocking and any anti-malware real-time protection before performing a scan. They can interfere with ComboFix or remove some of its embedded files which may cause unpredictable results.
  • Click on this link to see a list of programs that should be disabled. The list is not all inclusive. If yours is not listed and you don't know how to disable it, please ask.


  • Close any open browsers.
  • WARNING: Combofix will disconnect your machine from the Internet as soon as it starts
  • Please do not attempt to re-connect your machine back to the Internet until Combofix has completely finished.
  • If there is no internet connection after running Combofix, then restart your computer to restore back your connection.


[*]Double click on combo-Fix.exe & follow the prompts.

[*]When finished, it will produce a report for you.

[*]Please post the C:\Combo-Fix.txt for further review.

**Note: Do not mouseclick combo-fix's window while it's running. That may cause it to stall**

Link to post
Share on other sites

Hi Maniac,

I followed your instructions and downloaded Combo-Fix and ran it. It took a while to run and create a report. Here's the report:

ComboFix 10-06-09.01 - Owner 06/09/2010 11:19:23.8.1 - x86

Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.1023.640 [GMT -7:00]

Running from: c:\documents and settings\Owner\Desktop\Combo-Fix.exe

AV: AntiVir Desktop *On-access scanning disabled* (Updated) {AD166499-45F9-482A-A743-FDD3350758C7}


((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))








((((((((((((((((((((((((( Files Created from 2010-05-09 to 2010-06-09 )))))))))))))))))))))))))))))))


2010-06-08 20:35 . 2010-04-29 22:39 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys

2010-06-08 20:35 . 2010-04-29 22:39 20952 ----a-w- c:\windows\system32\drivers\mbam.sys

2010-06-08 17:17 . 2010-06-08 20:35 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware


(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))


2010-06-09 04:18 . 2008-12-30 03:01 -------- d---a-w- c:\documents and settings\All Users\Application Data\TEMP

2010-06-09 04:17 . 2010-05-06 06:10 -------- d-----w- c:\program files\SpywareBlaster

2010-05-21 09:55 . 2003-10-21 05:28 -------- d-----w- c:\program files\Google

2010-05-07 02:05 . 2005-10-16 19:07 -------- d-----w- c:\program files\Common Files\Java

2010-05-07 02:04 . 2010-05-07 02:04 -------- d-----w- c:\program files\Sun

2010-05-07 02:04 . 2010-05-07 02:04 411368 ----a-w- c:\windows\system32\deployJava1.dll

2010-05-07 02:04 . 2005-10-16 19:08 -------- d-----w- c:\program files\Java

2010-05-07 02:01 . 2003-05-30 02:52 53136 ----a-w- c:\documents and settings\Owner\Local Settings\Application Data\GDIPFONTCACHEV1.DAT

2010-05-06 01:42 . 2010-05-06 01:42 -------- d-----w- c:\program files\ESET

2010-03-02 06:09 . 2010-03-02 06:09 100352 --sha-w- c:\windows\system32\mozewaya.dll

1601-01-01 00:03 . 1601-01-01 00:03 99840 --sha-w- c:\windows\system32\rurajiye.dll

2010-03-09 06:12 . 2010-03-09 06:12 100352 --sha-w- c:\windows\system32\tibarozo.dll

1601-01-01 00:03 . 1601-01-01 00:03 100352 --sha-w- c:\windows\system32\yebineza.dll

2010-03-03 06:09 . 2010-03-03 06:09 99840 --sha-w- c:\windows\system32\yozezuna.dll


((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))



*Note* empty entries & legit default entries are not shown



"updateMgr"="c:\program files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe" [2006-03-31 313472]


"HotKeysCmds"="c:\windows\System32\hkcmd.exe" [2002-09-09 114688]

"Recguard"="c:\windows\SMINST\RECGUARD.EXE" [2002-09-14 212992]

"NvCplDaemon"="c:\windows\System32\NvCpl.dll" [2003-07-28 4841472]

"nwiz"="nwiz.exe" [2003-07-28 323584]

"KBD"="c:\hp\KBD\KBD.EXE" [2005-02-02 61440]

"CamMonitor"="c:\program files\Hewlett-Packard\Digital Imaging\Unload\hpqcmon.exe" [2002-06-18 69632]

"UpdateManager"="c:\program files\Common Files\Sonic\Update Manager\sgtray.exe" [2003-08-19 110592]

"hpsysdrv"="c:\windows\system\hpsysdrv.exe" [1998-05-08 52736]

"avgnt"="c:\program files\Avira\AntiVir Desktop\avgnt.exe" [2009-03-02 209153]

"SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2010-02-18 248040]

"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2006-05-16 282624]

c:\documents and settings\Owner\Start Menu\Programs\Startup\

Event Reminder.lnk - c:\program files\Mindscape\PrintMaster\PMREMIND.EXE [1998-6-6 325632]

c:\documents and settings\All Users\Start Menu\Programs\Startup\

Adobe Reader Speed Launch.lnk - c:\program files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2005-9-23 29696]

America Online 7.0 Tray Icon.lnk - c:\program files\America Online 7.0\aoltray.exe [2003-4-9 32839]

HP Digital Imaging Monitor.lnk - c:\program files\Hewlett-Packard\Digital Imaging\bin\hpqtra08.exe [2006-2-19 288472]

Microsoft Office.lnk - c:\program files\Microsoft Office\Office\OSA9.EXE [2003-5-12 65588]

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^hp center UI.lnk]

path=c:\documents and settings\All Users\Start Menu\Programs\Startup\hp center UI.lnk

backup=c:\windows\pss\hp center UI.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^hp center.lnk]

path=c:\documents and settings\All Users\Start Menu\Programs\Startup\hp center.lnk

backup=c:\windows\pss\hp center.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^HP Photosmart Premier Fast Start.lnk]

path=c:\documents and settings\All Users\Start Menu\Programs\Startup\HP Photosmart Premier Fast Start.lnk

backup=c:\windows\pss\HP Photosmart Premier Fast Start.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Quicken Scheduled Updates.lnk]

path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Quicken Scheduled Updates.lnk

backup=c:\windows\pss\Quicken Scheduled Updates.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HP Software Update]

2007-05-09 00:24 54840 ----a-w- c:\program files\Hewlett-Packard\HP Software Update\hpwuSchd2.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]

2006-02-23 23:45 278528 ----a-w- c:\program files\iTunes\iTunesHelper.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\medicsp2]

2007-03-07 19:53 198184 ----a-w- c:\program files\twc\medicsp2\bin\sprtcmd.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]

2006-05-16 17:31 282624 ----a-w- c:\program files\QuickTime\qttask.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Share-to-Web Namespace Daemon]

2002-04-18 01:42 69632 ----a-w- c:\program files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\swg]

2009-05-30 05:30 39408 ----a-w- c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TkBellExe]

2005-12-09 18:59 180269 ----a-w- c:\program files\Common Files\Real\Update_OB\realsched.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\WinampAgent]

2002-07-23 16:58 12288 ----a-w- c:\program files\Winamp3\winampa.exe



"c:\\Program Files\\hp center\\137903\\Program\\BackWeb-137903.exe"=

"c:\\Program Files\\iTunes\\iTunes.exe"=

"%windir%\\Network Diagnostic\\xpnetdiag.exe"=

"c:\\Program Files\\Hewlett-Packard\\Digital Imaging\\bin\\hpqtra08.exe"=

"c:\\Program Files\\Hewlett-Packard\\Digital Imaging\\bin\\hpqste08.exe"=

"c:\\Program Files\\Hewlett-Packard\\Digital Imaging\\bin\\hpofxm08.exe"=

"c:\\Program Files\\Hewlett-Packard\\Digital Imaging\\bin\\hposfx08.exe"=

"c:\\Program Files\\Hewlett-Packard\\Digital Imaging\\bin\\hposid01.exe"=

"c:\\Program Files\\Hewlett-Packard\\Digital Imaging\\bin\\hpqscnvw.exe"=

"c:\\Program Files\\Hewlett-Packard\\Digital Imaging\\bin\\hpqkygrp.exe"=

"c:\\Program Files\\Hewlett-Packard\\Digital Imaging\\bin\\hpqCopy.exe"=

"c:\\Program Files\\Hewlett-Packard\\Digital Imaging\\bin\\hpfccopy.exe"=

"c:\\Program Files\\Hewlett-Packard\\Digital Imaging\\bin\\hpzwiz01.exe"=

"c:\\Program Files\\Hewlett-Packard\\Digital Imaging\\Unload\\HpqPhUnl.exe"=

"c:\\Program Files\\Hewlett-Packard\\Digital Imaging\\Unload\\HpqDIA.exe"=

"c:\\Program Files\\Hewlett-Packard\\Digital Imaging\\bin\\hpoews01.exe"=

"c:\\Program Files\\Hewlett-Packard\\Digital Imaging\\bin\\hpqnrs08.exe"=

R0 pavboot;pavboot;c:\windows\system32\drivers\pavboot.sys [5/4/2010 5:36 PM 28552]

R2 AntiVirSchedulerService;Avira AntiVir Scheduler;c:\program files\Avira\AntiVir Desktop\sched.exe [7/21/2009 10:56 PM 108289]

R2 FMS;Flash Media Server (FMS);c:\program files\Macromedia\Flash Media Server 2\FMSMaster.exe [6/5/2007 7:42 PM 893031]

R2 FMSAdmin;Flash Media Administration Server;c:\program files\Macromedia\Flash Media Server 2\FMSAdmin.exe [6/5/2007 7:42 PM 1171558]

R2 sprtsvc_medicsp2;SupportSoft Sprocket Service (medicsp2);c:\program files\twc\medicsp2\bin\sprtsvc.exe [2/13/2008 12:18 AM 202280]

S2 gupdate1c9e0e7f016fb78;Google Update Service (gupdate1c9e0e7f016fb78);c:\program files\Google\Update\GoogleUpdate.exe [5/29/2009 10:31 PM 133104]

S2 mrtRate;mrtRate; [x]

S3 bfturboh;BUFFALO TurboUSB for HD Filter;c:\windows\system32\drivers\bfturboh.sys [7/23/2009 9:38 PM 15872]

S3 bfturboo;BUFFALO TurboUSB for DVD Filter;c:\windows\system32\drivers\bfturboo.sys [7/23/2009 9:40 PM 8704]

S3 PCDRDRV;Pcdr Helper Driver;\??\c:\progra~1\PC-DOC~1\DIAGNO~1\PCDRDRV.sys --> c:\progra~1\PC-DOC~1\DIAGNO~1\PCDRDRV.sys [?]


Contents of the 'Scheduled Tasks' folder

2010-06-09 c:\windows\Tasks\Google Software Updater.job

- c:\program files\Google\Common\Google Updater\GoogleUpdaterService.exe [2009-05-30 05:30]

2010-06-09 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job

- c:\program files\Google\Update\GoogleUpdate.exe [2009-05-30 05:31]

2010-06-07 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job

- c:\program files\Google\Update\GoogleUpdate.exe [2009-05-30 05:31]



------- Supplementary Scan -------


uStart Page = hxxp://www.yahoo.com/

mSearch Bar = hxxp://srch-us7.hpwis.com/

Trusted Zone: microsoft.com\.windowsupdate

Trusted Zone: windowsupdate.com

DPF: DirectAnimation Java Classes - file://c:\windows\Java\classes\dajava.cab

DPF: Microsoft XML Parser for Java - file://c:\windows\Java\classes\xmldso.cab

FF - ProfilePath - c:\documents and settings\Owner\Application Data\Mozilla\Firefox\Profiles\3fr781te.default\

FF - prefs.js: keyword.URL - hxxp://toolbar.ask.com/toolbarv/askRedirect?o=13149&gct=&gc=1&q=

FF - plugin: c:\program files\Google\Google Earth\plugin\npgeplugin.dll

FF - plugin: c:\program files\Google\Google Updater\2.4.1601.7122\npCIDetect13.dll

FF - plugin: c:\program files\Google\Update\\npGoogleOneClick8.dll

FF - plugin: c:\program files\Java\jre6\bin\new_plugin\npdeployJava1.dll

FF - plugin: c:\program files\Mozilla Firefox\plugins\np-mswmp.dll

FF - plugin: c:\program files\Mozilla Firefox\plugins\NPAdbESD.dll

FF - plugin: c:\program files\Mozilla Firefox\plugins\npImgCtl.dll

FF - plugin: c:\program files\Real\RealOne Player\Netscape6\nppl3260.dll

FF - plugin: c:\program files\Real\RealOne Player\Netscape6\nprjplug.dll

FF - plugin: c:\program files\Real\RealOne Player\Netscape6\nprpjplug.dll

FF - plugin: c:\program files\Virtual Earth 3D\npVE3D.dll

FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\


FF - user.js: yahoo.homepage.dontask - truec:\program files\Mozilla Firefox\greprefs\all.js - pref("ui.use_native_colors", true);

c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.auth.force-generic-ntlm", false);

c:\program files\Mozilla Firefox\greprefs\all.js - pref("svg.smil.enabled", false);

c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.allow_unrestricted_renego_everywhere__temporarily_available_pr

ef", true);

c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.renego_unrestricted_hosts", "");

c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.treat_unsafe_negotiation_as_broken", false);

c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.require_safe_negotiation", false);

c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.name", "chrome://browser/locale/browser.properties");

c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.description", "chrome://browser/locale/browser.properties");

c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("plugins.update.notifyUser", false);


- - - - ORPHANS REMOVED - - - -

BHO-{0f224aa6-0422-48c0-b474-c39fac444ed5} - mosadefe.dll

HKLM-Run-jupejegaso - mazoyabo.dll

HKLM-Run-pozojisin - c:\windows\system32\vabazaja.dll

SharedTaskScheduler-{5abfe74a-cf59-4016-ba01-428a854575cf} - c:\windows\system32\kipozepe.dll

SharedTaskScheduler-{49080eea-838d-4671-9819-d3a131e33abb} - c:\windows\system32\vabazaja.dll

SSODL-kivegohem-{5abfe74a-cf59-4016-ba01-428a854575cf} - c:\windows\system32\kipozepe.dll

SSODL-safivarak-{49080eea-838d-4671-9819-d3a131e33abb} - c:\windows\system32\vabazaja.dll

MSConfigStartUp-SunJavaUpdateSched - c:\program files\Java\jre6\bin\jusched.exe


catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net

Rootkit scan 2010-06-09 11:31

Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully

hidden files: 0



--------------------- LOCKED REGISTRY KEYS ---------------------


@Allowed: (Read) (RestrictedCode)

@Allowed: (Read) (RestrictedCode)


--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'explorer.exe'(1536)








------------------------ Other Running Processes ------------------------


c:\program files\Avira\AntiVir Desktop\avguard.exe

c:\program files\Macromedia\Flash Media Server 2\FMSEdge.exe

c:\program files\Macromedia\Flash Media Server 2\FMSCore.exe

c:\program files\Java\jre6\bin\jqs.exe





c:\program files\Hewlett-Packard\Digital Imaging\bin\hpqSTE08.exe




Completion time: 2010-06-09 11:44:04 - machine was rebooted

ComboFix-quarantined-files.txt 2010-06-09 18:44

Pre-Run: 90,626,838,528 bytes free

Post-Run: 90,576,113,664 bytes free

- - End Of File - - 019A3F5970666C972203ED6A5AECC863

Link to post
Share on other sites

Hi Maniac,

I wanted to add, separate from the above report, that for the first time in several days, I'm able to operate in normal mode (not safe mode), and am not getting constant pop-ups from Avira saying that TR/Vundo.ME.71 is trying to access my computer. I've turned my anti-virus back on, after Combo-Fix was completed, to operate safely.


Link to post
Share on other sites

Hi Maniac,

I tried to run MBAM and I'm still getting the same error message:


The system cannot find path specified

The icons for MBAM, MBAM-Clean, and the renamed MBAN (Explorer.exe) are still on my desktop.

Link to post
Share on other sites

Hi Maniac,

Success! I uninstalled and reinstalled Malwarebytes and it updated and did a scan, finding 5 objects. Here's the scan:

Malwarebytes' Anti-Malware 1.46


Database version: 4184

Windows 5.1.2600 Service Pack 3

Internet Explorer 8.0.6001.18702

6/9/2010 12:44:47 PM

mbam-log-2010-06-09 (12-44-47).txt

Scan type: Quick scan

Objects scanned: 145529

Time elapsed: 13 minute(s), 31 second(s)

Memory Processes Infected: 0

Memory Modules Infected: 0

Registry Keys Infected: 0

Registry Values Infected: 0

Registry Data Items Infected: 0

Folders Infected: 0

Files Infected: 5

Memory Processes Infected:

(No malicious items detected)

Memory Modules Infected:

(No malicious items detected)

Registry Keys Infected:

(No malicious items detected)

Registry Values Infected:

(No malicious items detected)

Registry Data Items Infected:

(No malicious items detected)

Folders Infected:

(No malicious items detected)

Files Infected:

C:\WINDOWS\system32\mozewaya.dll (Trojan.Vundo.H) -> Quarantined and deleted successfully.

C:\WINDOWS\system32\rurajiye.dll (Trojan.Vundo.H) -> Quarantined and deleted successfully.

C:\WINDOWS\system32\tibarozo.dll (Trojan.Vundo.H) -> Quarantined and deleted successfully.

C:\WINDOWS\system32\yebineza.dll (Trojan.Vundo.H) -> Quarantined and deleted successfully.

C:\WINDOWS\system32\yozezuna.dll (Trojan.Vundo.H) -> Quarantined and deleted successfully.

Link to post
Share on other sites

Hi Maniac,

Everything seems to be running smoothly.

Something interesting about the Malwarebytes scan. During the scan, my anti-virus, Avira, kept popping up with alerts that TR/Vundo.ME.71 was trying to access my computer with the "deny access" option checked. I kept denying access and the scan ran the full course. When the scan was complete and I went to the "show results" area, I got several alerts from Avira that TR/Vundo.ME.71 was trying to access my computer. I kept denying access and clicked on the fix all. Malwarebytes advised a reboot and did a reboot and since then no more alerts from Avira.

That was the first time I've ever had a virus or trojan try to interrupt Malwarebytes.

Link to post
Share on other sites

This topic is now closed to further replies.
  • Recently Browsing   0 members

    • No registered users viewing this page.
Back to top
  • Create New...

Important Information

This site uses cookies - We have placed cookies on your device to help make this website better. You can adjust your cookie settings, otherwise we'll assume you're okay to continue.