
4 files and 5 hours equal 4 trojans



Hi everyone,

I'm new to this forum, so if I post incorrectly please advise. Anyway, I have used the awesome MAM to get rid of most of the problems, but 4 keep coming back...Please help!

11/8/2008 4:35:42 AM

mbam-log-2008-11-08 (04-35-42).txt

Scan type: Quick Scan

Objects scanned: 46325

Time elapsed: 4 minute(s), 51 second(s)

Memory Processes Infected: 0

Memory Modules Infected: 0

Registry Keys Infected: 0

Registry Values Infected: 0

Registry Data Items Infected: 0

Folders Infected: 0

Files Infected: 4

Memory Processes Infected:

(No malicious items detected)

Memory Modules Infected:

(No malicious items detected)

Registry Keys Infected:

(No malicious items detected)

Registry Values Infected:

(No malicious items detected)

Registry Data Items Infected:

(No malicious items detected)

Folders Infected:

(No malicious items detected)

Files Infected:

C:\WINDOWS\system32\wins\services.exe (Trojan.Agent) -> Delete on reboot.

C:\WINDOWS\system32\wins\wmsncs.exe (Trojan.Agent) -> Delete on reboot.

C:\WINDOWS\repair\kasutio (Rootkit.Rustok) -> Delete on reboot.

C:\WINDOWS\system32\Drivers\etc\hosts.prev (Malware.Trace) -> Delete on reboot.

;*******************************************************************************

ANALYSIS: 2008-11-08 10:34:34

PROTECTIONS: 1

MALWARE: 21

SUSPECTS: 0

;*******************************************************************************

PROTECTIONS

Description Version Active Updated

;===============================================================================

AVG Anti-Virus Free 8.0 Yes No

;===============================================================================

MALWARE

Id Description Type Active Severity Disinfectable Disinfected Location

;===============================================================================

00290182 adware/outerinfo Adware No 0 Yes No hkey_local_machine\software\clickspring

00441523 Adware/AntivirusPro2009 Adware No 0 Yes No C:\System Volume Information\_restore{73E42D02-590F-46BE-B215-0114E3C75CAF}\RP2\A0000051.dll

00442499 Adware/AntivirusPro2009 Adware No 0 Yes No C:\System Volume Information\_restore{73E42D02-590F-46BE-B215-0114E3C75CAF}\RP2\A0000052.exe

00442539 Spyware/Virtumonde Spyware No 1 Yes No C:\System Volume Information\_restore{73E42D02-590F-46BE-B215-0114E3C75CAF}\RP3\A0002234.dll

00442549 Spyware/Virtumonde Spyware No 1 Yes No C:\WINDOWS\system32\pjtjcswm.dll

00442549 Spyware/Virtumonde Spyware No 1 Yes No C:\WINDOWS\system32\adxxwl.dll

00443148 Spyware/Virtumonde Spyware No 1 Yes No C:\WINDOWS\system32\waufjs.dll

00443148 Spyware/Virtumonde Spyware No 1 Yes No C:\WINDOWS\system32\beumri.dll

00443148 Spyware/Virtumonde Spyware No 1 Yes No C:\WINDOWS\system32\aulshrda.dll

00443148 Spyware/Virtumonde Spyware No 1 Yes No C:\WINDOWS\system32\qjrdbcsu.dll

00443149 Spyware/Virtumonde Spyware No 1 Yes No C:\System Volume Information\_restore{73E42D02-590F-46BE-B215-0114E3C75CAF}\RP4\A0006325.dll

00443149 Spyware/Virtumonde Spyware No 1 Yes No C:\System Volume Information\_restore{73E42D02-590F-46BE-B215-0114E3C75CAF}\RP3\A0002258.dll

00444804 Spyware/Virtumonde Spyware No 1 Yes No C:\System Volume Information\_restore{73E42D02-590F-46BE-B215-0114E3C75CAF}\RP4\A0008457.dll

00444807 Spyware/Virtumonde Spyware No 1 Yes No C:\WINDOWS\system32\upskncdh.dll

00444807 Spyware/Virtumonde Spyware No 1 Yes No C:\WINDOWS\system32\idqmuv.dll

02688464 Adware/DnsInsider Adware No 0 Yes No C:\System Volume Information\_restore{73E42D02-590F-46BE-B215-0114E3C75CAF}\RP2\A0000156.exe

02888175 Adware/Zenosearch Adware No 0 Yes No C:\System Volume Information\_restore{73E42D02-590F-46BE-B215-0114E3C75CAF}\RP2\A0000153.dll

02902637 Rootkit/Nurech.BC HackTools No 1 Yes No C:\System Volume Information\_restore{73E42D02-590F-46BE-B215-0114E3C75CAF}\RP4\A0008589.sys

02902637 Rootkit/Nurech.BC HackTools No 1 Yes No C:\System Volume Information\_restore{73E42D02-590F-46BE-B215-0114E3C75CAF}\RP4\A0008590.sys

03165134 Trj/BHO.CB Virus/Trojan No 0 Yes No C:\System Volume Information\_restore{73E42D02-590F-46BE-B215-0114E3C75CAF}\RP4\A0008428.dll

03445432 Trj/Lineage.BZE Virus/Trojan No 1 Yes No D:\SYSTEM\PRI_SW\PowerDVDv7\PowerDVD 7 KG.exe

03548697 Trj/Clicker.ALY Virus/Trojan No 1 Yes No C:\System Volume Information\_restore{73E42D02-590F-46BE-B215-0114E3C75CAF}\RP4\A0004304.dll

03548697 Trj/Clicker.ALY Virus/Trojan No 1 No No C:\WINDOWS\system32\g71.exe


Hi 1972vet,

Thanks for the quick catch. Below is the MAM log:

Malwarebytes' Anti-Malware 1.30

Database version: 1373

Windows 5.1.2600 Service Pack 3

11/8/2008 4:35:42 AM

mbam-log-2008-11-08 (04-35-42).txt

Scan type: Quick Scan

Objects scanned: 46325

Time elapsed: 4 minute(s), 51 second(s)

Memory Processes Infected: 0

Memory Modules Infected: 0

Registry Keys Infected: 0

Registry Values Infected: 0

Registry Data Items Infected: 0

Folders Infected: 0

Files Infected: 4

Memory Processes Infected:

(No malicious items detected)

Memory Modules Infected:

(No malicious items detected)

Registry Keys Infected:

(No malicious items detected)

Registry Values Infected:

(No malicious items detected)

Registry Data Items Infected:

(No malicious items detected)

Folders Infected:

(No malicious items detected)

Files Infected:

C:\WINDOWS\system32\wins\services.exe (Trojan.Agent) -> Delete on reboot.

C:\WINDOWS\system32\wins\wmsncs.exe (Trojan.Agent) -> Delete on reboot.

C:\WINDOWS\repair\kasutio (Rootkit.Rustok) -> Delete on reboot.

C:\WINDOWS\system32\Drivers\etc\hosts.prev (Malware.Trace) -> Delete on reboot.


Download Sysclean Package & save it to your desktop.

  • Create a new folder on drive "C:\" and rename it Sysclean - (C:\Sysclean).
  • Place the sysclean.com inside that folder.
  • Then download the latest Virus Pattern Files - (Pattern files are usually named lptxxx.zip, where xxx is the pattern file number)
  • Extract the lptxxx.zip pattern file into the same folder you created for sysclean.com. (Click here for information on how to extract a file if you're not sure how to do this.) DO NOT scan yet.

Reboot the computer into "SAFE MODE".

Note: Some anti-virus programs will alert you to a virus attack when running sysclean so it's best to disable them before going to the next step.

Scan with Sysclean as follows:

  • Open the Sysclean folder and double-click on sysclean.com to start the scanning process.
  • Put a check mark on the "Automatically clean or delete infected files" option by clicking in the checkbox.
  • Click the Advanced >> button.
  • The scan options appear. Select the "Scan all local fixed drives".
  • Click the "Scan button" on the Trend Micro System Cleaner console.
  • It will take some time to complete. Be patient and let it clean whatever it finds.
  • Another MS-DOS window appears containing the log file generated in the System Cleaner folder.
  • To view the log, click the "View button" on the Trend Micro System Cleaner console. The Trend Micro Sysclean Package - Log window appears.
    • The Files Detected section shows the viruses that were detected by System Cleaner.
    • The Files Clean section shows the viruses that were cleaned.
    • The Clean Fail section shows the viruses that were not cleaned.

  • Exit when done, reboot normally and re-enable your anti-virus program.

This tool generates a log file (sysclean.log) in the same folder where the scan is completed. When using Sysclean it's best to use the Administrator's account or an account with Administrative rights; otherwise you will not have the rights to scan some locations. The scanning process may result in "Access Denied" messages for some files. This is normal because these files are protected by the system.

Please post the contents of your sysclean.log along with a fresh HijackThis log. Thanks!


Hi,

The sysclean did not do anything...I think.

Logfile of Trend Micro HijackThis v2.0.2

Scan saved at 5:36:09 PM, on 11/9/2008

Platform: Windows XP SP3 (WinNT 5.01.2600)

MSIE: Internet Explorer v7.00 (7.00.6000.16735)

Boot mode: Normal

Running processes:

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\system32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe

C:\Program Files\Alwil Software\Avast4\ashServ.exe

C:\WINDOWS\Explorer.EXE

C:\Program Files\Roxio\Easy Media Creator 7\Drag to Disc\DrgToDsc.exe

C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe

C:\WINDOWS\system32\RUNDLL32.EXE

C:\Program Files\Microsoft IntelliPoint\ipoint.exe

C:\Program Files\Hewlett-Packard\HP Wireless Assistant\HPWAMain.exe

C:\Program Files\Hp\HP Software Update\HPWuSchd2.exe

C:\Program Files\Synaptics\SynTP\SynTPEnh.exe

C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe

C:\Program Files\Common Files\LightScribe\LightScribeControlPanel.exe

C:\Program Files\eFax Messenger 4.4\J2GDllCmd.exe

C:\WINDOWS\system32\ctfmon.exe

C:\Program Files\Common Files\Nikon\Monitor\NkMonitor.exe

C:\WINDOWS\system32\brsvc01a.exe

C:\WINDOWS\system32\spoolsv.exe

C:\WINDOWS\system32\brss01a.exe

C:\Program Files\Common Files\LightScribe\LSSrvc.exe

C:\WINDOWS\system32\nvsvc32.exe

C:\WINDOWS\System32\svchost.exe

C:\Program Files\CyberLink\Shared Files\RichVideo.exe

C:\WINDOWS\system32\svchost.exe

C:\Program Files\Viewpoint\Common\ViewpointService.exe

C:\WINDOWS\system32\MsPMSPSv.exe

C:\Program Files\Hewlett-Packard\Shared\hpqWmiEx.exe

C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe

C:\Program Files\Alwil Software\Avast4\ashWebSv.exe

C:\Program Files\Hewlett-Packard\Shared\HpqToaster.exe

C:\Program Files\Megaupload\Mega Manager\MegaManager.exe

C:\Program Files\Mozilla Firefox\firefox.exe

C:\WINDOWS\system32\wuauclt.exe

C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157

O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll

O2 - BHO: AVG Security Toolbar - {A057A204-BACC-4D26-9990-79A187E2698E} - C:\PROGRA~1\AVG\AVG8\AVGTOO~1.DLL (file missing)

O3 - Toolbar: Megaupload Toolbar - {4E7BD74F-2B8D-469E-CCB0-B130EEDBE97C} - C:\PROGRA~1\MEGAUP~1\MEGAUP~1.DLL

O3 - Toolbar: AVG Security Toolbar - {A057A204-BACC-4D26-9990-79A187E2698E} - C:\PROGRA~1\AVG\AVG8\AVGTOO~1.DLL (file missing)

O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup

O4 - HKLM\..\Run: [Tweak UI] RUNDLL32.EXE TWEAKUI.CPL,TweakMeUp

O4 - HKLM\..\Run: [synTPStart] C:\Program Files\Synaptics\SynTP\SynTPStart.exe

O4 - HKLM\..\Run: [RoxioEngineUtility] "C:\Program Files\Common Files\Roxio Shared\System\EngUtil.exe"

O4 - HKLM\..\Run: [RoxioDragToDisc] "C:\Program Files\Roxio\Easy Media Creator 7\Drag to Disc\DrgToDsc.exe"

O4 - HKLM\..\Run: [RoxioAudioCentral] "C:\Program Files\Roxio\Easy CD Creator 6\AudioCentral\RxMon.exe"

O4 - HKLM\..\Run: [RemoteControl] "C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe"

O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime

O4 - HKLM\..\Run: [QlbCtrl] %ProgramFiles%\Hewlett-Packard\HP Quick Launch Buttons\QlbCtrl.exe /Start

O4 - HKLM\..\Run: [nwiz] nwiz.exe /install

O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit

O4 - HKLM\..\Run: [NeroFilterCheck] C:\Program Files\Common Files\Ahead\Lib\NeroCheck.exe

O4 - HKLM\..\Run: [LanguageShortcut] "C:\Program Files\CyberLink\PowerDVD\Language\Language.exe"

O4 - HKLM\..\Run: [intelliPoint] "C:\Program Files\Microsoft IntelliPoint\ipoint.exe"

O4 - HKLM\..\Run: [hpWirelessAssistant] C:\Program Files\Hewlett-Packard\HP Wireless Assistant\HPWAMain.exe

O4 - HKLM\..\Run: [HP Software Update] c:\Program Files\Hp\HP Software Update\HPWuSchd2.exe

O4 - HKLM\..\Run: [High Definition Audio Property Page Shortcut] CHDAudPropShortcut.exe

O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"

O4 - HKLM\..\Run: [synTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe

O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe

O4 - HKCU\..\Run: [LightScribe Control Panel] C:\Program Files\Common Files\LightScribe\LightScribeControlPanel.exe -hidden

O4 - HKCU\..\Run: [eFax 4.4] "C:\Program Files\eFax Messenger 4.4\J2GDllCmd.exe" /R

O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe

O4 - Global Startup: Nikon Monitor.lnk = C:\Program Files\Common Files\Nikon\Monitor\NkMonitor.exe

O8 - Extra context menu item: Download Link Using Mega Manager... - C:\Program Files\Megaupload\Mega Manager\mm_file.htm

O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll

O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll

O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe

O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe

O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe

O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe

O16 - DPF: {215B8138-A3CF-44C5-803F-8226143CFC0A} (Trend Micro ActiveX Scan Agent 6.6) - http://housecall65.trendmicro.com/housecal...ivex/hcImpl.cab

O16 - DPF: {67A5F8DC-1A4B-4D66-9F24-A704AD929EEE} (System Requirements Lab) - http://www.nvidia.com/content/DriverDownlo.../sysreqlab2.cab

O16 - DPF: {7B297BFD-85E4-4092-B2AF-16A91B2EA103} (WScanCtl Class) - http://www.ca.com/us/securityadvisor/virusinfo/webscan.cab

O16 - DPF: {E87F6C8E-16C0-11D3-BEF7-009027438003} (Persits Software XUpload) - https://www.officeally.com/XUpload.ocx

O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files\AVG\AVG8\avgpp.dll (file missing)

O20 - AppInit_DLLs: karna.dat

O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe

O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe

O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe

O23 - Service: avast! Web Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe

O23 - Service: BrSplService (Brother XP spl Service) - brother Industries Ltd - C:\WINDOWS\system32\brsvc01a.exe

O23 - Service: hpqwmiex - Hewlett-Packard Development Company, L.P. - C:\Program Files\Hewlett-Packard\Shared\hpqWmiEx.exe

O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe

O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - C:\Program Files\Common Files\LightScribe\LSSrvc.exe

O23 - Service: NBService - Nero AG - C:\Program Files\Nero\Nero 7\Nero BackItUp\NBService.exe

O23 - Service: NMIndexingService - Nero AG - C:\Program Files\Common Files\Ahead\Lib\NMIndexingService.exe

O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe

O23 - Service: Cyberlink RichVideo Service(CRVS) (RichVideo) - Unknown owner - C:\Program Files\CyberLink\Shared Files\RichVideo.exe

O23 - Service: Viewpoint Manager Service - Viewpoint Corporation - C:\Program Files\Viewpoint\Common\ViewpointService.exe

--

End of file - 8029 bytes

/--------------------------------------------------------------\

| Trend Micro System Cleaner |

| Copyright 2006-2007, Trend Micro, Inc. |

| http://www.antivirus.com |

\--------------------------------------------------------------/

2008-11-09, 16:29:12, Auto-clean mode specified.

2008-11-09, 16:29:14, Failed to initialize Rootkit Driver.

2008-11-09, 16:29:14, Running scanner "C:\Sysclean\TSC.BIN"...

2008-11-09, 16:32:43, Scanner "C:\Sysclean\TSC.BIN" has finished running.

2008-11-09, 16:32:43, TSC Log:


The sysclean did not do anything...I think.

It did indeed...it found the malicious trojan clicker TROJ_CLICKER.AEL:

Virus Pattern Version : 643 (327868/327868 Patterns) (2008/11/06) (564300)

Command Line: C:\Sysclean\VSCANTM.BIN /NBPM /S /CLEANALL /LD /LC /LCF /NM /NB /DCEGENCLEAN /HIDEDCECONSOLE /C /ACTIVEACTION=5 /VSBKENC+ /HOSPITAL=.\BACKUP /LR C:\*.* /P=C:\Sysclean\lpt$vpn.643

C:\WINDOWS\system32\g71.exe [TROJ_CLICKER.AEL]

Please make sure you can view all files:

* Click Start.

* Open My Computer.

* Select the Tools menu and click Folder Options.

* Select the View Tab.

* Under the Hidden files and folders heading select Show hidden files and folders.

* Uncheck the Hide protected operating system files (recommended) option.

* Click Yes to confirm.

* Click OK.

Please uninstall the following software:

Viewpoint Manager Service

Click start-->Control Panel-->Add/Remove Programs...scroll down the list to locate the program name and click Remove.

Please run HijackThis again and check the box next to the following entries:

O2 - BHO: AVG Security Toolbar - {A057A204-BACC-4D26-9990-79A187E2698E} - C:\PROGRA~1\AVG\AVG8\AVGTOO~1.DLL (file missing)

O3 - Toolbar: AVG Security Toolbar - {A057A204-BACC-4D26-9990-79A187E2698E} - C:\PROGRA~1\AVG\AVG8\AVGTOO~1.DLL (file missing)

O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files\AVG\AVG8\avgpp.dll (file missing)

O20 - AppInit_DLLs: karna.dat

O23 - Service: Viewpoint Manager Service - Viewpoint Corporation - C:\Program Files\Viewpoint\Common\ViewpointService.exe

Close all windows now except for the HijackThis application's window, then click the Fix Checked button.

Reboot the computer into Safe mode.

Locate and delete the following files/folders indicated in Bold text:

C:\PROGRAM FILES\AVG

C:\WINDOWS\system32\karna.dat

C:\Program Files\Viewpoint

Run Hijackthis click--> "Open the Misc Tools section" then -->"delete file on reboot"

(exact spelling counts!!! so don't browse to this file)

Copy/Paste the line below in bold into the File name box, then click Open:

C:\WINDOWS\system32\g71.exe

Answer yes to the prompt to reboot the PC

Post back a fresh HijackThis log and advise how the system performs for you now. Thanks!


Hi 1972vet,

Thanks so much for guiding me thru this ordeal. I followed your instructions verbatim except for a few where the files were not there. Viewpoint Manager Service was not in the Add/Remove list, but I uninstalled Viewpoint Media Player.

020- AppInit_Dlls: karna.dat

023- Service: Viewpoint

Both of these lines were not found in HijackThis.

C:\WINDOWS\system32\karna.dat

C:\Program Files\Viewpoint

Both of these were not found, so I could not delete them.

Everything else I followed exactly, but the system was still acting sluggish like before, especially when a browser is opened. The malware report is the same, with 4 stubborn files.

Logfile of Trend Micro HijackThis v2.0.2

Scan saved at 1:19:25 PM, on 11/10/2008

Platform: Windows XP SP3 (WinNT 5.01.2600)

MSIE: Internet Explorer v7.00 (7.00.6000.16735)

Boot mode: Normal

Running processes:

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\system32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\system32\brsvc01a.exe

C:\WINDOWS\system32\brss01a.exe

C:\WINDOWS\system32\spoolsv.exe

C:\WINDOWS\Explorer.EXE

C:\Program Files\Roxio\Easy Media Creator 7\Drag to Disc\DrgToDsc.exe

C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe

C:\WINDOWS\system32\RUNDLL32.EXE

C:\Program Files\Synaptics\SynTP\SynTPEnh.exe

C:\Program Files\Microsoft IntelliPoint\ipoint.exe

C:\Program Files\Hewlett-Packard\HP Wireless Assistant\HPWAMain.exe

C:\Program Files\Hp\HP Software Update\HPWuSchd2.exe

C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe

C:\Program Files\Common Files\LightScribe\LightScribeControlPanel.exe

C:\Program Files\eFax Messenger 4.4\J2GDllCmd.exe

C:\WINDOWS\system32\ctfmon.exe

C:\Program Files\Common Files\Nikon\Monitor\NkMonitor.exe

C:\Program Files\Common Files\LightScribe\LSSrvc.exe

C:\WINDOWS\system32\nvsvc32.exe

C:\WINDOWS\System32\svchost.exe

C:\Program Files\CyberLink\Shared Files\RichVideo.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\system32\MsPMSPSv.exe

C:\Program Files\Hewlett-Packard\Shared\hpqWmiEx.exe

C:\Program Files\Hewlett-Packard\Shared\HpqToaster.exe

C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157

O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll

O3 - Toolbar: Megaupload Toolbar - {4E7BD74F-2B8D-469E-CCB0-B130EEDBE97C} - C:\PROGRA~1\MEGAUP~1\MEGAUP~1.DLL

O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup

O4 - HKLM\..\Run: [Tweak UI] RUNDLL32.EXE TWEAKUI.CPL,TweakMeUp

O4 - HKLM\..\Run: [synTPStart] C:\Program Files\Synaptics\SynTP\SynTPStart.exe

O4 - HKLM\..\Run: [RoxioEngineUtility] "C:\Program Files\Common Files\Roxio Shared\System\EngUtil.exe"

O4 - HKLM\..\Run: [RoxioDragToDisc] "C:\Program Files\Roxio\Easy Media Creator 7\Drag to Disc\DrgToDsc.exe"

O4 - HKLM\..\Run: [RoxioAudioCentral] "C:\Program Files\Roxio\Easy CD Creator 6\AudioCentral\RxMon.exe"

O4 - HKLM\..\Run: [RemoteControl] "C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe"

O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime

O4 - HKLM\..\Run: [QlbCtrl] %ProgramFiles%\Hewlett-Packard\HP Quick Launch Buttons\QlbCtrl.exe /Start

O4 - HKLM\..\Run: [nwiz] nwiz.exe /install

O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit

O4 - HKLM\..\Run: [NeroFilterCheck] C:\Program Files\Common Files\Ahead\Lib\NeroCheck.exe

O4 - HKLM\..\Run: [LanguageShortcut] "C:\Program Files\CyberLink\PowerDVD\Language\Language.exe"

O4 - HKLM\..\Run: [intelliPoint] "C:\Program Files\Microsoft IntelliPoint\ipoint.exe"

O4 - HKLM\..\Run: [hpWirelessAssistant] C:\Program Files\Hewlett-Packard\HP Wireless Assistant\HPWAMain.exe

O4 - HKLM\..\Run: [HP Software Update] c:\Program Files\Hp\HP Software Update\HPWuSchd2.exe

O4 - HKLM\..\Run: [High Definition Audio Property Page Shortcut] CHDAudPropShortcut.exe

O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"

O4 - HKLM\..\Run: [synTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe

O4 - HKCU\..\Run: [LightScribe Control Panel] C:\Program Files\Common Files\LightScribe\LightScribeControlPanel.exe -hidden

O4 - HKCU\..\Run: [eFax 4.4] "C:\Program Files\eFax Messenger 4.4\J2GDllCmd.exe" /R

O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe

O4 - Global Startup: Nikon Monitor.lnk = C:\Program Files\Common Files\Nikon\Monitor\NkMonitor.exe

O8 - Extra context menu item: Download Link Using Mega Manager... - C:\Program Files\Megaupload\Mega Manager\mm_file.htm

O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll

O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll

O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe

O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe

O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe

O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe

O16 - DPF: {215B8138-A3CF-44C5-803F-8226143CFC0A} (Trend Micro ActiveX Scan Agent 6.6) - http://housecall65.trendmicro.com/housecal...ivex/hcImpl.cab

O16 - DPF: {67A5F8DC-1A4B-4D66-9F24-A704AD929EEE} (System Requirements Lab) - http://www.nvidia.com/content/DriverDownlo.../sysreqlab2.cab

O16 - DPF: {7B297BFD-85E4-4092-B2AF-16A91B2EA103} (WScanCtl Class) - http://www.ca.com/us/securityadvisor/virusinfo/webscan.cab

O16 - DPF: {E87F6C8E-16C0-11D3-BEF7-009027438003} (Persits Software XUpload) - https://www.officeally.com/XUpload.ocx

O23 - Service: BrSplService (Brother XP spl Service) - brother Industries Ltd - C:\WINDOWS\system32\brsvc01a.exe

O23 - Service: hpqwmiex - Hewlett-Packard Development Company, L.P. - C:\Program Files\Hewlett-Packard\Shared\hpqWmiEx.exe

O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe

O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - C:\Program Files\Common Files\LightScribe\LSSrvc.exe

O23 - Service: NBService - Nero AG - C:\Program Files\Nero\Nero 7\Nero BackItUp\NBService.exe

O23 - Service: NMIndexingService - Nero AG - C:\Program Files\Common Files\Ahead\Lib\NMIndexingService.exe

O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe

O23 - Service: Cyberlink RichVideo Service(CRVS) (RichVideo) - Unknown owner - C:\Program Files\CyberLink\Shared Files\RichVideo.exe

--

End of file - 6601 bytes

Malwarebytes' Anti-Malware 1.30

Database version: 1373

Windows 5.1.2600 Service Pack 3

11/10/2008 1:28:45 PM

mbam-log-2008-11-10 (13-28-38).txt

Scan type: Quick Scan

Objects scanned: 50518

Time elapsed: 6 minute(s), 57 second(s)

Memory Processes Infected: 0

Memory Modules Infected: 0

Registry Keys Infected: 0

Registry Values Infected: 0

Registry Data Items Infected: 0

Folders Infected: 0

Files Infected: 4

Memory Processes Infected:

(No malicious items detected)

Memory Modules Infected:

(No malicious items detected)

Registry Keys Infected:

(No malicious items detected)

Registry Values Infected:

(No malicious items detected)

Registry Data Items Infected:

(No malicious items detected)

Folders Infected:

(No malicious items detected)

Files Infected:

C:\WINDOWS\system32\wins\services.exe (Trojan.Agent) -> No action taken.

C:\WINDOWS\system32\wins\wmsncs.exe (Trojan.Agent) -> No action taken.

C:\WINDOWS\repair\kasutio (Rootkit.Rustok) -> No action taken.

C:\WINDOWS\system32\Drivers\etc\hosts.prev (Malware.Trace) -> No action taken.

I really need help to get rid of these!

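The two MAM logs in this thread differ in one detail that decides the case: on 8 Nov the four entries read "Delete on reboot", on 10 Nov the same four read "No action taken", so nothing was removed. The Python below is an added example, not code from Malwarebytes or from anyone in this thread: it parses the Malwarebytes' Anti-Malware 1.x log layout (metadata lines, "<Section> Infected: N" counts, the per-section entries), lists what persists between two scans, and flags entries that were reported but never acted on. The log excerpts are constructed from the scans quoted above, trimmed to the lines the parser uses.

```python
import re
from dataclasses import dataclass, field

# Two abbreviated MBAM logs, constructed from the scans quoted in this thread.
SCAN_NOV_08 = r"""Malwarebytes' Anti-Malware 1.30
Database version: 1373
11/8/2008 4:35:42 AM
mbam-log-2008-11-08 (04-35-42).txt
Scan type: Quick Scan
Objects scanned: 46325
Time elapsed: 4 minute(s), 51 second(s)
Registry Keys Infected: 0
Files Infected: 4
Registry Keys Infected:
(No malicious items detected)
Files Infected:
C:\WINDOWS\system32\wins\services.exe (Trojan.Agent) -> Delete on reboot.
C:\WINDOWS\system32\wins\wmsncs.exe (Trojan.Agent) -> Delete on reboot.
C:\WINDOWS\repair\kasutio (Rootkit.Rustok) -> Delete on reboot.
C:\WINDOWS\system32\Drivers\etc\hosts.prev (Malware.Trace) -> Delete on reboot.
"""

SCAN_NOV_10 = r"""Malwarebytes' Anti-Malware 1.30
Database version: 1373
11/10/2008 1:28:45 PM
mbam-log-2008-11-10 (13-28-38).txt
Scan type: Quick Scan
Objects scanned: 50518
Time elapsed: 6 minute(s), 57 second(s)
Files Infected: 4
Files Infected:
C:\WINDOWS\system32\wins\services.exe (Trojan.Agent) -> No action taken.
C:\WINDOWS\system32\wins\wmsncs.exe (Trojan.Agent) -> No action taken.
C:\WINDOWS\repair\kasutio (Rootkit.Rustok) -> No action taken.
C:\WINDOWS\system32\Drivers\etc\hosts.prev (Malware.Trace) -> No action taken.
"""

@dataclass(frozen=True)
class Detection:
    section: str   # e.g. "Files Infected"
    item: str      # path, registry key or value exactly as MBAM printed it
    name: str      # MBAM family label, e.g. "Trojan.Agent"
    action: str    # "Delete on reboot", "No action taken", ...

@dataclass
class ScanReport:
    meta: dict = field(default_factory=dict)
    counts: dict = field(default_factory=dict)
    detections: list = field(default_factory=list)

_COUNT = re.compile(r"^(?P<section>.+ Infected): (?P<n>\d+)$")
_SECTION = re.compile(r"^(?P<section>.+ Infected):$")
_META = re.compile(r"^(?P<key>Database version|Scan type|Objects scanned|Time elapsed): (?P<val>.+)$")
# The item may itself contain parentheses; the greedy group stops at the last " (".
_ENTRY = re.compile(r"^(?P<item>.*) \((?P<name>[^()]+)\) -> (?P<action>.+?)\.?$")

def parse_mbam_log(text: str) -> ScanReport:
    report = ScanReport()
    section = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if m := _COUNT.match(line):          # summary line: "Files Infected: 4"
            report.counts[m["section"]] = int(m["n"])
        elif m := _SECTION.match(line):      # start of a detail section
            section = m["section"]
        elif m := _META.match(line):
            report.meta[m["key"]] = m["val"]
        elif section and line != "(No malicious items detected)":
            if m := _ENTRY.match(line):
                report.detections.append(Detection(section, m["item"], m["name"], m["action"]))
    return report

def _key(d: Detection) -> str:
    # Windows paths and registry keys are case-insensitive, so compare them that way.
    return f"{d.section}|{d.item.lower()}"

def compare_scans(earlier: ScanReport, later: ScanReport) -> dict:
    before = {_key(d): d for d in earlier.detections}
    after = {_key(d): d for d in later.detections}
    return {
        "persistent": sorted(after[k].item for k in before.keys() & after.keys()),
        "resolved": sorted(before[k].item for k in before.keys() - after.keys()),
        "new": sorted(after[k].item for k in after.keys() - before.keys()),
        # Still listed with no action: the scan was run but Remove Selected was never clicked.
        "untreated": sorted(d.item for d in later.detections if d.action == "No action taken"),
    }

def consistency_errors(report: ScanReport) -> list:
    """Flag a log whose summary counts disagree with its listed entries (a sign of a truncated paste)."""
    errors = []
    for section, n in report.counts.items():
        listed = sum(1 for d in report.detections if d.section == section)
        if listed != n:
            errors.append(f"{section}: header says {n}, {listed} listed")
    return errors
```

Running `compare_scans(parse_mbam_log(SCAN_NOV_08), parse_mbam_log(SCAN_NOV_10))` reports all four items as both persistent and untreated, which is the state the thread is in at this point.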

Looking back over your logs, it appears that although you posted the HijackThis log before the log from the TrendProtect scan, the logs show you ran TrendProtect first and then ran your next HijackThis scan. The entries from that log are why I asked you to remove them in my last instruction; they appeared in that log.

Let's break out the big guns...

Please download combofix from This Webpage...and read through the instructions there for running the tool.

***Important Note***

Please read through the guidance on that web page carefully and thoroughly...and install the Recovery Console. Using this tool without the Recovery Console installed is NOT RECOMMENDED.

The Windows Recovery Console will allow you to boot into a special recovery (repair) mode that is not otherwise available. This allows us to more easily help you should your computer have a problem after an attempted removal of malware. It's a simple procedure that will only take a few moments.

Once installed, a blue screen prompt should appear that reads as follows:

The Recovery Console was successfully installed.

When you see that screen, please continue as follows:

  • Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.
  • Click Yes to allow ComboFix to continue scanning for malware.

When the tool is finished, it will produce a report for you.

Please post back the following on your next reply:

C:\ComboFix.txt

New HijackThis log.


Hi,

After the Combofix, I noticed that some of the systray icons that went missing had returned (that felt good, thank you!). Anyway, now on the malwares, they are still there and affecting the system, especially when I open a browser, whether it's Firefox or IE. For instance, if I type the address "www.malwarebytes.org" in the browser, I will get the blank no connection screen, but if I hit refresh/go again, it will go to that site.

I scanned with the mam again to see if they are gone, so I attached the report for you to analyze. The malwares were usually found during the heuristics scan stage....thanks again for all the help.

ComboFix 08-11-09.04 - EU 2008-11-10 19:56:31.1 - NTFSx86

Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.2810 [GMT -8:00]

Running from: c:\documents and settings\EU\Desktop\ComboFix.exe

* Created a new restore point

.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))

.

c:\documents and settings\EU\Application Data\YMANTE~1

c:\program files\Bkav2006

c:\program files\Common Files\racle~1

c:\temp\tn3

c:\windows\system32\adxxwl.dll

c:\windows\system32\aulshrda.dll

c:\windows\system32\beumri.dll

c:\windows\system32\BkavAuto.vxd

c:\windows\system32\brsvgcee.dll

c:\windows\system32\drivers\BkavAuto.sys

c:\windows\system32\idqmuv.dll

c:\windows\system32\MSINET.oca

c:\windows\system32\pjtjcswm.dll

c:\windows\system32\qjrdbcsu.dll

c:\windows\system32\T2

c:\windows\system32\toqiyz.dll

c:\windows\system32\upskncdh.dll

c:\windows\system32\vshagxpq.dll

c:\windows\system32\waufjs.dll

c:\windows\wiaserviv.log

.

((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))

.

-------\Legacy_BKAVAUTO

-------\Legacy_SYSLIB

((((((((((((((((((((((((( Files Created from 2008-10-11 to 2008-11-11 )))))))))))))))))))))))))))))))

.

2008-11-09 19:27 . 2008-11-09 19:27 142,096 --a------ c:\windows\system32\drivers\tmcomm.sys

2008-11-09 16:23 . 2008-11-09 19:27 <DIR> d-------- C:\Sysclean

2008-11-08 13:36 . 2008-11-08 13:36 <DIR> d-------- c:\program files\Alwil Software

2008-11-08 12:00 . 2008-11-08 12:23 <DIR> d-------- c:\documents and settings\EU\.housecall6.6

2008-11-08 11:43 . 2008-11-08 12:00 <DIR> d-------- c:\windows\system32\HouseCall 6.6

2008-11-08 11:43 . 2008-11-08 11:43 <DIR> d-------- c:\documents and settings\EU\Application Data\HouseCall 6.6

2008-11-08 10:41 . 2008-11-08 10:41 <DIR> d-------- c:\program files\Trend Micro

2008-11-08 04:41 . 2008-11-08 04:41 <DIR> d-------- c:\program files\Panda Security

2008-11-08 04:41 . 2008-06-19 17:24 28,544 --a------ c:\windows\system32\drivers\pavboot.sys

2008-11-08 03:32 . 2008-11-08 04:08 <DIR> d-------- c:\program files\Spybot - Search & Destroy

2008-11-08 03:32 . 2008-11-08 03:38 <DIR> d-------- c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy

2008-11-08 03:03 . 2008-11-08 03:03 <DIR> d-------- c:\program files\FileASSASSIN

2008-11-08 01:45 . 2008-11-08 01:47 <DIR> d-------- c:\program files\RogueRemover PRO

2008-11-08 01:45 . 2008-11-08 01:45 2,014 -r-h----- c:\windows\system32\drivers\hosts

2008-11-08 01:40 . 2008-11-08 01:43 <DIR> d-------- c:\program files\RogueRemover

2008-11-08 00:29 . 2008-05-15 22:53 873,134 --a------ c:\windows\system32\oem36.inf

2008-11-07 22:18 . 2008-11-07 22:18 <DIR> d-------- c:\program files\Malwarebytes' Anti-Malware

2008-11-07 22:18 . 2008-11-07 22:18 <DIR> d-------- c:\documents and settings\EU\Application Data\Malwarebytes

2008-11-07 22:18 . 2008-11-07 22:18 <DIR> d-------- c:\documents and settings\All Users\Application Data\Malwarebytes

2008-11-07 22:18 . 2008-10-22 16:27 38,496 --a------ c:\windows\system32\drivers\mbamswissarmy.sys

2008-11-07 22:18 . 2008-10-22 16:27 15,504 --a------ c:\windows\system32\drivers\mbam.sys

2008-11-06 16:59 . 2008-11-06 16:59 9,662 --a------ c:\windows\system32\pinkip.ico

2008-11-06 10:37 . 2008-11-06 10:37 <DIR> d-------- c:\documents and settings\EU\Application Data\IUpd721

2008-11-06 10:28 . 2008-11-06 10:28 <DIR> d-------- c:\windows\system32\uvb

2008-11-06 10:28 . 2008-11-07 23:29 <DIR> d-------- c:\windows\system32\NPX

2008-11-06 10:28 . 2008-11-07 23:29 <DIR> d-------- c:\windows\system32\im

2008-11-06 10:27 . 2008-11-07 23:29 <DIR> d-------- c:\windows\system32\QI19

2008-11-06 10:27 . 2008-11-06 10:27 <DIR> d-------- c:\temp\NT32

2008-11-06 10:27 . 2008-11-10 19:58 <DIR> d-------- C:\Temp

2008-11-05 09:08 . 2008-11-05 09:08 <DIR> d-------- c:\windows\system32\LogFiles

2008-11-02 21:18 . 2008-11-02 21:18 4,286 --a------ c:\windows\system32\Jamster.ico

2008-11-02 21:08 . 2008-11-02 21:08 9,662 --a------ c:\windows\system32\ZoneAlarmIconUS.ico

2008-11-02 15:11 . 2008-11-02 15:11 <DIR> d-------- c:\documents and settings\EU\Application Data\AVGTOOLBAR

2008-11-02 15:11 . 2008-11-02 15:29 <DIR> d-------- c:\documents and settings\All Users\Application Data\avg8

2008-11-02 13:19 . 2008-11-02 13:19 10,863 --a------ c:\program files\Common Files\anatuhac.bin

2008-11-01 20:20 . 2008-11-01 20:20 19,780 --a------ c:\program files\Common Files\idysu.scr

2008-11-01 20:20 . 2008-11-01 20:20 18,495 --a------ c:\windows\system32\dabisemaq.pif

2008-11-01 20:20 . 2008-11-01 20:20 17,199 --a------ c:\windows\taqylox.dat

2008-11-01 20:20 . 2008-11-01 20:20 16,847 --a------ c:\windows\donagise._dl

2008-11-01 20:20 . 2008-11-01 20:20 16,761 --a------ c:\windows\system32\uxelu.dll

2008-11-01 20:20 . 2008-11-01 20:20 15,822 --a------ c:\program files\Common Files\wasodaf.dll

2008-11-01 20:20 . 2008-11-01 20:20 15,777 --a------ c:\documents and settings\All Users\Application Data\hifex.com

2008-11-01 20:20 . 2008-11-01 20:20 15,649 --a------ c:\windows\system32\bovo.scr

2008-11-01 20:20 . 2008-11-01 20:20 15,518 --a------ c:\windows\zocyja.scr

2008-11-01 20:20 . 2008-11-01 20:20 14,626 --a------ c:\documents and settings\EU\Application Data\xeroja.vbs

2008-11-01 20:20 . 2008-11-01 20:20 13,040 --a------ c:\documents and settings\All Users\Application Data\kikoro.com

2008-11-01 20:20 . 2008-11-01 20:20 12,220 --a------ c:\documents and settings\EU\Application Data\vytopasy.exe

2008-11-01 20:20 . 2008-11-01 20:20 11,354 --a------ c:\windows\hamyzymil.dat

2008-11-01 20:17 . 2008-11-01 20:17 19,971 --a------ c:\windows\qohopu.pif

2008-11-01 20:17 . 2008-11-01 20:17 19,680 --a------ c:\documents and settings\EU\Application Data\nufukeqy.scr

2008-11-01 20:17 . 2008-11-01 20:17 19,067 --a------ c:\windows\odubanypuf.vbs

2008-11-01 20:17 . 2008-11-01 20:17 18,655 --a------ c:\program files\Common Files\simo.pif

2008-11-01 20:17 . 2008-11-01 20:17 18,363 --a------ c:\windows\azotobaky._dl

2008-11-01 20:17 . 2008-11-01 20:17 17,043 --a------ c:\windows\system32\zovufec.inf

2008-11-01 20:17 . 2008-11-01 20:17 16,041 --a------ c:\windows\system32\qygu.sys

2008-11-01 20:17 . 2008-11-01 20:17 15,417 --a------ c:\program files\Common Files\ybiqolane.reg

2008-11-01 20:17 . 2008-11-01 20:17 15,175 --a------ c:\documents and settings\EU\Application Data\uqysanamew.exe

2008-11-01 20:17 . 2008-11-01 20:17 14,610 --a------ c:\windows\system32\hozu.db

2008-11-01 20:17 . 2008-11-01 20:17 14,484 --a------ c:\windows\robodak.scr

2008-11-01 20:17 . 2008-11-01 20:17 12,363 --a------ c:\windows\rajidawazo.bat

2008-11-01 20:17 . 2008-11-01 20:17 10,038 --a------ c:\windows\cipowe.reg

2008-10-25 20:06 . 2008-10-25 20:06 <DIR> d-------- c:\windows\system32\scripting

2008-10-25 20:06 . 2008-10-25 20:06 <DIR> d-------- c:\windows\l2schemas

2008-10-25 20:05 . 2008-10-25 20:05 <DIR> d-------- c:\windows\system32\en

2008-10-25 20:05 . 2008-10-25 20:05 <DIR> d-------- c:\windows\system32\bits

2008-10-25 20:02 . 2008-10-25 20:02 <DIR> d-------- c:\windows\ServicePackFiles

2008-10-24 02:24 . 2008-10-15 08:34 337,408 -----c--- c:\windows\system32\dllcache\netapi32.dll

2008-10-14 20:25 . 2008-09-08 02:41 333,824 -----c--- c:\windows\system32\dllcache\srv.sys

2008-10-14 20:24 . 2008-09-15 04:12 1,846,400 -----c--- c:\windows\system32\dllcache\win32k.sys

2008-10-14 20:22 . 2008-08-14 02:11 2,189,184 -----c--- c:\windows\system32\dllcache\ntoskrnl.exe

2008-10-14 20:22 . 2008-08-14 02:09 2,145,280 -----c--- c:\windows\system32\dllcache\ntkrnlmp.exe

2008-10-14 20:22 . 2008-08-14 01:33 2,066,048 -----c--- c:\windows\system32\dllcache\ntkrnlpa.exe

2008-10-14 20:22 . 2008-08-14 01:33 2,023,936 -----c--- c:\windows\system32\dllcache\ntkrpamp.exe

.

(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

.

2008-11-11 03:25 --------- d-----w c:\documents and settings\EU\Application Data\MegauploadToolbar

2008-11-10 20:57 --------- d-----w c:\documents and settings\All Users\Application Data\Viewpoint

2008-11-08 01:45 --------- d-----w c:\program files\Validator5

2008-11-02 04:20 10,153 ----a-w c:\program files\Common Files\cavabomohu.lib

2008-10-25 06:02 --------- d-----w c:\documents and settings\EU\Application Data\dvdcss

2008-10-02 02:38 --------- d-----w c:\program files\eFax Messenger 4.4

2008-10-02 02:38 --------- d-----w c:\documents and settings\EU\Application Data\eFax Messenger

2008-10-02 02:38 --------- d-----w c:\documents and settings\All Users\Application Data\eFax Messenger 4.4 Output

2008-10-02 02:37 --------- d-----w c:\documents and settings\EU\Application Data\j2 Global

2008-09-15 12:12 1,846,400 ----a-w c:\windows\system32\win32k.sys

2008-09-11 02:54 20 ---h--w c:\documents and settings\All Users\Application Data\PKP_DLdu.DAT

2008-08-26 07:24 826,368 ----a-w c:\windows\system32\wininet.dll

2008-08-14 10:09 2,145,280 ----a-w c:\windows\system32\ntoskrnl.exe

2008-08-14 09:33 2,023,936 ----a-w c:\windows\system32\ntkrnlpa.exe

2007-06-24 22:59 477 ----a-w c:\program files\rarreg.key

.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))

.

.

*Note* empty entries & legit default entries are not shown

REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"LightScribe Control Panel"="c:\program files\Common Files\LightScribe\LightScribeControlPanel.exe" [2007-11-19 2295072]

"eFax 4.4"="c:\program files\eFax Messenger 4.4\J2GDllCmd.exe" [2008-07-31 95744]

"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-13 15360]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2007-10-04 8491008]

"SynTPStart"="c:\program files\Synaptics\SynTP\SynTPStart.exe" [2007-09-14 102400]

"RoxioDragToDisc"="c:\program files\Roxio\Easy Media Creator 7\Drag to Disc\DrgToDsc.exe" [2004-01-27 1179648]

"RemoteControl"="c:\program files\CyberLink\PowerDVD\PDVDServ.exe" [2006-12-06 69216]

"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2007-10-19 286720]

"QlbCtrl"="c:\program files\Hewlett-Packard\HP Quick Launch Buttons\QlbCtrl.exe" [2007-02-13 159744]

"NvMediaCenter"="c:\windows\system32\NvMcTray.dll" [2007-10-04 81920]

"NeroFilterCheck"="c:\program files\Common Files\Ahead\Lib\NeroCheck.exe" [2006-01-12 155648]

"LanguageShortcut"="c:\program files\CyberLink\PowerDVD\Language\Language.exe" [2006-12-05 54832]

"IntelliPoint"="c:\program files\Microsoft IntelliPoint\ipoint.exe" [2007-02-05 849280]

"hpWirelessAssistant"="c:\program files\Hewlett-Packard\HP Wireless Assistant\HPWAMain.exe" [2007-10-03 480560]

"HP Software Update"="c:\program files\Hp\HP Software Update\HPWuSchd2.exe" [2005-02-16 49152]

"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2008-01-11 39792]

"SynTPEnh"="c:\program files\Synaptics\SynTP\SynTPEnh.exe" [2008-03-28 1040384]

"Tweak UI"="TWEAKUI.CPL" [2000-06-18 c:\windows\system32\TWEAKUI.CPL]

"nwiz"="nwiz.exe" [2007-10-04 c:\windows\system32\nwiz.exe]

"High Definition Audio Property Page Shortcut"="CHDAudPropShortcut.exe" [2006-07-26 c:\windows\system32\CHDAudPropShortcut.exe]

c:\documents and settings\All Users\Start Menu\Programs\Startup\

Nikon Monitor.lnk - c:\program files\Common Files\Nikon\Monitor\NkMonitor.exe [2007-10-18 479232]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]

"ForceClassicControlPanel"= 1 (0x1)

[HKEY_LOCAL_MACHINE\software\microsoft\security center]

"AntiVirusDisableNotify"=dword:00000001

"UpdatesDisableNotify"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]

"%windir%\\system32\\sessmgr.exe"=

"%windir%\\Network Diagnostic\\xpnetdiag.exe"=

"c:\\Program Files\\Lytec Systems\\Lytec Medical XE\\W3DBSMGR.EXE"=

"c:\\Program Files\\Hp\\HP Software Update\\HPWUCli.exe"=

"c:\\Program Files\\Common Files\\AOL\\Loader\\aolload.exe"=

"c:\\Program Files\\AIM6\\aim6.exe"=

R0 pavboot;pavboot;c:\windows\system32\drivers\pavboot.sys [2008-06-19 28544]

R2 {95808DC4-FA4A-4c74-92FE-5B863F82066B};{95808DC4-FA4A-4c74-92FE-5B863F82066B};c:\program files\CyberLink\PowerDVD\000.fcl [2006-11-02 15:51 13560]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]

HPZ12 REG_MULTI_SZ Pml Driver HPZ12 Net Driver HPZ12

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\E]

\shell\AutoRun\command - E:\Plextor.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{7e42d9e4-98ea-11dd-b75d-001a73bd021a}]

\Shell\AutoRun\command - F:\Launch.exe

[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{10880D85-AAD9-4558-ABDC-2AB1552D831F}]

"c:\program files\Common Files\LightScribe\LSRunOnce.exe"

.

- - - - ORPHANS REMOVED - - - -

HKLM-Run-RoxioEngineUtility - c:\program files\Common Files\Roxio Shared\System\EngUtil.exe

HKLM-Run-RoxioAudioCentral - c:\program files\Roxio\Easy CD Creator 6\AudioCentral\RxMon.exe

.

------- Supplementary Scan -------

.

FireFox -: Profile - c:\documents and settings\EU\Application Data\Mozilla\Firefox\Profiles\1u25vzdb.default\

FireFox -: prefs.js - STARTUP.HOMEPAGE - hxxp://www.yahoo.com/

.

**************************************************************************

catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net

Rootkit scan 2008-11-10 20:05:55

Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully

hidden files: 0

**************************************************************************

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\{95808DC4-FA4A-4c74-92FE-5B863F82066B}]

"ImagePath"="\??\c:\program files\CyberLink\PowerDVD\000.fcl"

.

------------------------ Other Running Processes ------------------------

.

c:\windows\system32\BRSS01A.EXE

c:\program files\Common Files\LightScribe\LSSrvc.exe

c:\windows\system32\nvsvc32.exe

c:\windows\system32\rundll32.exe

c:\program files\CyberLink\Shared Files\RichVideo.exe

c:\windows\system32\wdfmgr.exe

c:\windows\system32\MsPMSPSv.exe

c:\program files\Hewlett-Packard\Shared\hpqWmiEx.exe

c:\program files\Hewlett-Packard\Shared\HpqToaster.exe

.

**************************************************************************

.

Completion time: 2008-11-10 20:09:12 - machine was rebooted

ComboFix-quarantined-files.txt 2008-11-11 04:09:08

Pre-Run: 29,289,324,544 bytes free

Post-Run: 29,281,857,536 bytes free

218 --- E O F --- 2008-10-28 00:31:29

Logfile of Trend Micro HijackThis v2.0.2

Scan saved at 8:29:51 PM, on 11/10/2008

Platform: Windows XP SP3 (WinNT 5.01.2600)

MSIE: Internet Explorer v7.00 (7.00.6000.16735)

Boot mode: Normal

Running processes:

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\system32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\system32\spoolsv.exe

C:\WINDOWS\system32\brss01a.exe

C:\Program Files\Common Files\LightScribe\LSSrvc.exe

C:\WINDOWS\system32\nvsvc32.exe

C:\WINDOWS\System32\svchost.exe

C:\Program Files\Roxio\Easy Media Creator 7\Drag to Disc\DrgToDsc.exe

C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe

C:\WINDOWS\system32\RUNDLL32.EXE

C:\Program Files\Microsoft IntelliPoint\ipoint.exe

C:\Program Files\Hewlett-Packard\HP Wireless Assistant\HPWAMain.exe

C:\Program Files\Hp\HP Software Update\HPWuSchd2.exe

C:\Program Files\Synaptics\SynTP\SynTPEnh.exe

C:\Program Files\Common Files\LightScribe\LightScribeControlPanel.exe

C:\Program Files\eFax Messenger 4.4\J2GDllCmd.exe

C:\WINDOWS\system32\ctfmon.exe

C:\Program Files\Common Files\Nikon\Monitor\NkMonitor.exe

C:\Program Files\CyberLink\Shared Files\RichVideo.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\system32\MsPMSPSv.exe

C:\Program Files\Hewlett-Packard\Shared\hpqWmiEx.exe

C:\Program Files\Hewlett-Packard\Shared\HpqToaster.exe

C:\WINDOWS\explorer.exe

C:\Program Files\Mozilla Firefox\firefox.exe

C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896

O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll

O3 - Toolbar: Megaupload Toolbar - {4E7BD74F-2B8D-469E-CCB0-B130EEDBE97C} - C:\PROGRA~1\MEGAUP~1\MEGAUP~1.DLL

O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup

O4 - HKLM\..\Run: [Tweak UI] RUNDLL32.EXE TWEAKUI.CPL,TweakMeUp

O4 - HKLM\..\Run: [synTPStart] C:\Program Files\Synaptics\SynTP\SynTPStart.exe

O4 - HKLM\..\Run: [RoxioDragToDisc] "C:\Program Files\Roxio\Easy Media Creator 7\Drag to Disc\DrgToDsc.exe"

O4 - HKLM\..\Run: [RemoteControl] "C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe"

O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime

O4 - HKLM\..\Run: [QlbCtrl] %ProgramFiles%\Hewlett-Packard\HP Quick Launch Buttons\QlbCtrl.exe /Start

O4 - HKLM\..\Run: [nwiz] nwiz.exe /install

O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit

O4 - HKLM\..\Run: [NeroFilterCheck] C:\Program Files\Common Files\Ahead\Lib\NeroCheck.exe

O4 - HKLM\..\Run: [LanguageShortcut] "C:\Program Files\CyberLink\PowerDVD\Language\Language.exe"

O4 - HKLM\..\Run: [intelliPoint] "C:\Program Files\Microsoft IntelliPoint\ipoint.exe"

O4 - HKLM\..\Run: [hpWirelessAssistant] C:\Program Files\Hewlett-Packard\HP Wireless Assistant\HPWAMain.exe

O4 - HKLM\..\Run: [HP Software Update] c:\Program Files\Hp\HP Software Update\HPWuSchd2.exe

O4 - HKLM\..\Run: [High Definition Audio Property Page Shortcut] CHDAudPropShortcut.exe

O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"

O4 - HKLM\..\Run: [synTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe

O4 - HKCU\..\Run: [LightScribe Control Panel] C:\Program Files\Common Files\LightScribe\LightScribeControlPanel.exe -hidden

O4 - HKCU\..\Run: [eFax 4.4] "C:\Program Files\eFax Messenger 4.4\J2GDllCmd.exe" /R

O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe

O4 - Global Startup: Nikon Monitor.lnk = C:\Program Files\Common Files\Nikon\Monitor\NkMonitor.exe

O8 - Extra context menu item: Download Link Using Mega Manager... - C:\Program Files\Megaupload\Mega Manager\mm_file.htm

O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll

O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll

O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe

O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe

O16 - DPF: {215B8138-A3CF-44C5-803F-8226143CFC0A} (Trend Micro ActiveX Scan Agent 6.6) - http://housecall65.trendmicro.com/housecal...ivex/hcImpl.cab

O16 - DPF: {67A5F8DC-1A4B-4D66-9F24-A704AD929EEE} (System Requirements Lab) - http://www.nvidia.com/content/DriverDownlo.../sysreqlab2.cab

O16 - DPF: {7B297BFD-85E4-4092-B2AF-16A91B2EA103} (WScanCtl Class) - http://www.ca.com/us/securityadvisor/virusinfo/webscan.cab

O16 - DPF: {E87F6C8E-16C0-11D3-BEF7-009027438003} (Persits Software XUpload) - https://www.officeally.com/XUpload.ocx

O23 - Service: BrSplService (Brother XP spl Service) - brother Industries Ltd - C:\WINDOWS\system32\brsvc01a.exe

O23 - Service: hpqwmiex - Hewlett-Packard Development Company, L.P. - C:\Program Files\Hewlett-Packard\Shared\hpqWmiEx.exe

O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe

O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - C:\Program Files\Common Files\LightScribe\LSSrvc.exe

O23 - Service: NBService - Nero AG - C:\Program Files\Nero\Nero 7\Nero BackItUp\NBService.exe

O23 - Service: NMIndexingService - Nero AG - C:\Program Files\Common Files\Ahead\Lib\NMIndexingService.exe

O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe

O23 - Service: Cyberlink RichVideo Service(CRVS) (RichVideo) - Unknown owner - C:\Program Files\CyberLink\Shared Files\RichVideo.exe

--

End of file - 6324 bytes

Malwarebytes' Anti-Malware 1.30

Database version: 1373

Windows 5.1.2600 Service Pack 3

11/10/2008 8:18:22 PM

mbam-log-2008-11-10 (20-18-02).txt

Scan type: Quick Scan

Objects scanned: 46130

Time elapsed: 5 minute(s), 7 second(s)

Memory Processes Infected: 0

Memory Modules Infected: 0

Registry Keys Infected: 0

Registry Values Infected: 0

Registry Data Items Infected: 0

Folders Infected: 0

Files Infected: 4

Memory Processes Infected:

(No malicious items detected)

Memory Modules Infected:

(No malicious items detected)

Registry Keys Infected:

(No malicious items detected)

Registry Values Infected:

(No malicious items detected)

Registry Data Items Infected:

(No malicious items detected)

Folders Infected:

(No malicious items detected)

Files Infected:

C:\WINDOWS\system32\wins\services.exe (Trojan.Agent) -> No action taken.

C:\WINDOWS\system32\wins\wmsncs.exe (Trojan.Agent) -> No action taken.

C:\WINDOWS\repair\kasutio (Rootkit.Rustok) -> No action taken.

C:\WINDOWS\system32\Drivers\etc\hosts.prev (Malware.Trace) -> No action taken.


...I scanned with the mam again to see if they are gone, so I attached the report for you to analyze. The malware was usually found during the heuristics scan stage....thanks again for all the help.

You still have some problems of course, and we'll get to all of them eventually...but please do NOT run any scans with anything unless directed, until we give you the "all clear". With some applications, removing partial malware entries could affect the outcome of the results that we are hoping for.

Please open a blank Notepad by clicking start-->run

Then, in the run box type Notepad.exe and click "OK".

Copy the below text in Bold and paste it into the blank Notepad. Save it as CFScript.txt...Change the "Save as type" to All Files and save it to your desktop. Now drag the text document over to your Combofix.exe

Combofix will run again automatically. Please post back the new log that will be generated. Thanks!

File::

c:\windows\system32\pinkip.ico

c:\windows\system32\Jamster.ico

c:\windows\system32\ZoneAlarmIconUS.ico

c:\program files\Common Files\anatuhac.bin

c:\program files\Common Files\idysu.scr

c:\windows\system32\dabisemaq.pif

c:\windows\taqylox.dat

c:\windows\donagise._dl

c:\windows\system32\uxelu.dll

c:\program files\Common Files\wasodaf.dll

c:\documents and settings\All Users\Application Data\hifex.com

c:\windows\system32\bovo.scr

c:\windows\zocyja.scr

c:\documents and settings\EU\Application Data\xeroja.vbs

c:\documents and settings\All Users\Application Data\kikoro.com

c:\documents and settings\EU\Application Data\vytopasy.exe

c:\windows\hamyzymil.dat

c:\windows\qohopu.pif

c:\documents and settings\EU\Application Data\nufukeqy.scr

c:\windows\odubanypuf.vbs

c:\program files\Common Files\simo.pif

c:\windows\azotobaky._dl

c:\windows\system32\zovufec.inf

c:\windows\system32\qygu.sys

c:\program files\Common Files\ybiqolane.reg

c:\documents and settings\EU\Application Data\uqysanamew.exe

c:\windows\system32\hozu.db

c:\windows\robodak.scr

c:\windows\rajidawazo.bat

c:\windows\cipowe.reg

c:\program files\Common Files\cavabomohu.lib

c:\program files\rarreg.key

Folder::

c:\documents and settings\EU\Application Data\IUpd721

c:\windows\system32\uvb

c:\windows\system32\NPX

c:\windows\system32\im

c:\windows\system32\QI19

c:\temp\NT32

c:\documents and settings\EU\Application Data\MegauploadToolbar

c:\documents and settings\All Users\Application Data\Viewpoint

Driver::

qygu

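A helper reviewing the log that comes back from a CFScript run has to confirm that every File::, Folder:: and Driver:: entry actually shows up under "Other Deletions" (or as a removed Legacy driver entry), and that the header records the script on the command line. The script below is an added example, not part of this thread or of ComboFix; it parses the CFScript and log formats shown above, using a constructed, abbreviated log excerpt (the `Legacy_QYGU` line and the deliberately missing ZoneAlarmIconUS.ico deletion are constructed to exercise both outcomes).

```python
"""Cross-check a ComboFix CFScript against the log ComboFix writes after running it.
Added example; not the forum helper's code and not part of ComboFix."""
import re

# CFScript text in the same layout as the helper's post (subset of its entries).
CFSCRIPT = """\
File::
c:\\windows\\system32\\pinkip.ico
c:\\program files\\Common Files\\idysu.scr
c:\\windows\\system32\\qygu.sys
c:\\program files\\rarreg.key
c:\\windows\\system32\\ZoneAlarmIconUS.ico
Folder::
c:\\windows\\system32\\uvb
c:\\temp\\NT32
Driver::
qygu
"""

# Constructed log excerpt in ComboFix's banner-delimited format. ZoneAlarmIconUS.ico
# is intentionally absent from "Other Deletions"; the Legacy_QYGU line is constructed.
COMBOFIX_LOG = """\
ComboFix 08-11-09.04 - EU 2008-11-11 20:17:47.2 - NTFSx86
Command switches used :: c:\\documents and settings\\EU\\Desktop\\CFScript.txt
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
c:\\program files\\Common Files\\idysu.scr
c:\\program files\\rarreg.key
c:\\temp\\NT32
c:\\temp\\NT32\\zBV.log
c:\\windows\\system32\\pinkip.ico
c:\\windows\\system32\\qygu.sys
c:\\windows\\system32\\uvb
.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.
-------\\Legacy_QYGU
.
((((((((((((((((((((((((( Files Created from 2008-10-12 to 2008-11-12 )))))))))))))))))))))))))))))))
.
2008-11-09 19:27 . 2008-11-09 19:27 142,096 --a------ c:\\windows\\system32\\drivers\\tmcomm.sys
"""

# A section banner is a run of '(' , the title, then a run of ')'.
SECTION_RE = re.compile(r"^\(+\s*(.+?)\s*\)+$")


def parse_cfscript(text):
    """Return {'File': [...], 'Folder': [...], 'Driver': [...]}, entries lower-cased."""
    sections, current = {}, None
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        if line.endswith("::"):          # "File::", "Folder::", "Driver::"
            current = line[:-2]
            sections.setdefault(current, [])
        elif current is not None:
            sections[current].append(line.lower())
    return sections


def parse_combofix_log(text):
    """Return {banner title: [non-empty lines]} for each banner-delimited section."""
    sections, current = {}, None
    for line in text.splitlines():
        line = line.rstrip()
        m = SECTION_RE.match(line)
        if m:
            current = m.group(1)
            sections[current] = []
            continue
        if current is None or line in ("", "."):   # header lines and '.' spacers
            continue
        sections[current].append(line)
    return sections


def script_was_used(log_text):
    """True when the log header records a CFScript on ComboFix's command line."""
    return any(l.startswith("Command switches used ::") and "cfscript.txt" in l.lower()
               for l in log_text.splitlines())


def check_script_applied(cfscript_text, log_text):
    """Classify every CFScript entry as 'deleted' (seen in the log) or 'missing'."""
    script = parse_cfscript(cfscript_text)
    log = parse_combofix_log(log_text)
    deleted = {l.lower() for l in log.get("Other Deletions", [])}
    legacy = {l.lower() for l in log.get("Drivers/Services", [])}
    result = {"deleted": [], "missing": []}
    for kind in ("File", "Folder"):
        for path in script.get(kind, []):
            result["deleted" if path in deleted else "missing"].append(path)
    for drv in script.get("Driver", []):      # removed drivers appear as Legacy_<name>
        marker = "-------\\legacy_" + drv.lower()
        result["deleted" if marker in legacy else "missing"].append("driver:" + drv)
    return result


if __name__ == "__main__":
    print("CFScript recorded in header:", script_was_used(COMBOFIX_LOG))
    outcome = check_script_applied(CFSCRIPT, COMBOFIX_LOG)
    for entry in outcome["missing"]:
        print("NOT removed, needs follow-up:", entry)
```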

Hi 1972vet,

Sorry for not following directions (I was being hasty), but luckily, I did not remove the files after the scan. From now on I will follow your directions to the teeth. Anyway, last night BEFORE I got your message I already uninstalled the megaupload toolbar (I will never do it again without consulting you first), so I thought I'd let you know. Please bear with me...thanks.

Happy Veterans Day.


Hi,

Below is the report from CFScript...thanks.

ComboFix 08-11-09.04 - EU 2008-11-11 20:17:47.2 - NTFSx86

Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.2831 [GMT -8:00]

Running from: c:\documents and settings\EU\Desktop\ComboFix.exe

Command switches used :: c:\documents and settings\EU\Desktop\CFScript.txt

* Created a new restore point

FILE ::

c:\documents and settings\All Users\Application Data\hifex.com

c:\documents and settings\All Users\Application Data\kikoro.com

c:\documents and settings\EU\Application Data\nufukeqy.scr

c:\documents and settings\EU\Application Data\uqysanamew.exe

c:\documents and settings\EU\Application Data\vytopasy.exe

c:\documents and settings\EU\Application Data\xeroja.vbs

c:\program files\Common Files\anatuhac.bin

c:\program files\Common Files\cavabomohu.lib

c:\program files\Common Files\idysu.scr

c:\program files\Common Files\simo.pif

c:\program files\Common Files\wasodaf.dll

c:\program files\Common Files\ybiqolane.reg

c:\program files\rarreg.key

c:\windows\azotobaky._dl

c:\windows\cipowe.reg

c:\windows\donagise._dl

c:\windows\hamyzymil.dat

c:\windows\odubanypuf.vbs

c:\windows\qohopu.pif

c:\windows\rajidawazo.bat

c:\windows\robodak.scr

c:\windows\system32\bovo.scr

c:\windows\system32\dabisemaq.pif

c:\windows\system32\hozu.db

c:\windows\system32\Jamster.ico

c:\windows\system32\pinkip.ico

c:\windows\system32\qygu.sys

c:\windows\system32\uxelu.dll

c:\windows\system32\ZoneAlarmIconUS.ico

c:\windows\system32\zovufec.inf

c:\windows\taqylox.dat

c:\windows\zocyja.scr

.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))

.

c:\documents and settings\All Users\Application Data\hifex.com

c:\documents and settings\All Users\Application Data\kikoro.com

c:\documents and settings\All Users\Application Data\Viewpoint

c:\documents and settings\EU\Application Data\IUpd721

c:\documents and settings\EU\Application Data\IUpd721\Logs\scns.log

c:\documents and settings\EU\Application Data\nufukeqy.scr

c:\documents and settings\EU\Application Data\uqysanamew.exe

c:\documents and settings\EU\Application Data\vytopasy.exe

c:\documents and settings\EU\Application Data\xeroja.vbs

c:\documents and settings\EU\Local Settings\Temporary Internet Files\bestwiner.stt

c:\documents and settings\EU\Local Settings\Temporary Internet Files\fbk.sts

c:\program files\Common Files\anatuhac.bin

c:\program files\Common Files\cavabomohu.lib

c:\program files\Common Files\idysu.scr

c:\program files\Common Files\simo.pif

c:\program files\Common Files\wasodaf.dll

c:\program files\Common Files\ybiqolane.reg

c:\program files\rarreg.key

c:\temp\NT32

c:\temp\NT32\zBV.log

c:\windows\azotobaky._dl

c:\windows\cipowe.reg

c:\windows\donagise._dl

c:\windows\hamyzymil.dat

c:\windows\odubanypuf.vbs

c:\windows\qohopu.pif

c:\windows\rajidawazo.bat

c:\windows\robodak.scr

c:\windows\system32\bovo.scr

c:\windows\system32\dabisemaq.pif

c:\windows\system32\hozu.db

c:\windows\system32\im

c:\windows\system32\Jamster.ico

c:\windows\system32\NPX

c:\windows\system32\pinkip.ico

c:\windows\system32\QI19

c:\windows\system32\qygu.sys

c:\windows\system32\uvb

c:\windows\system32\uxelu.dll

c:\windows\system32\ZoneAlarmIconUS.ico

c:\windows\system32\zovufec.inf

c:\windows\taqylox.dat

c:\windows\wiaserviv.log

c:\windows\zocyja.scr

.

((((((((((((((((((((((((( Files Created from 2008-10-12 to 2008-11-12 )))))))))))))))))))))))))))))))

.

2008-11-11 18:48 . 2008-11-11 18:48 <DIR> d-------- c:\documents and settings\EU\Application Data\EmailNotifier

2008-11-11 18:48 . 2008-11-11 18:48 <DIR> d-------- c:\documents and settings\All Users\Application Data\Megaupload

2008-11-11 18:47 . 2008-11-11 18:47 <DIR> d-------- c:\program files\Megaupload

2008-11-11 18:42 . 2008-11-11 18:42 <DIR> d-------- c:\documents and settings\EU\Application Data\Twain

2008-11-09 19:27 . 2008-11-09 19:27 142,096 --a------ c:\windows\system32\drivers\tmcomm.sys

2008-11-09 16:23 . 2008-11-09 19:27 <DIR> d-------- C:\Sysclean

2008-11-08 13:36 . 2008-11-08 13:36 <DIR> d-------- c:\program files\Alwil Software

2008-11-08 12:00 . 2008-11-08 12:23 <DIR> d-------- c:\documents and settings\EU\.housecall6.6

2008-11-08 11:43 . 2008-11-08 12:00 <DIR> d-------- c:\windows\system32\HouseCall 6.6

2008-11-08 11:43 . 2008-11-08 11:43 <DIR> d-------- c:\documents and settings\EU\Application Data\HouseCall 6.6

2008-11-08 10:41 . 2008-11-08 10:41 <DIR> d-------- c:\program files\Trend Micro

2008-11-08 04:41 . 2008-11-08 04:41 <DIR> d-------- c:\program files\Panda Security

2008-11-08 04:41 . 2008-06-19 17:24 28,544 --a------ c:\windows\system32\drivers\pavboot.sys

2008-11-08 03:32 . 2008-11-08 04:08 <DIR> d-------- c:\program files\Spybot - Search & Destroy

2008-11-08 03:32 . 2008-11-08 03:38 <DIR> d-------- c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy

2008-11-08 03:03 . 2008-11-08 03:03 <DIR> d-------- c:\program files\FileASSASSIN

2008-11-08 01:45 . 2008-11-08 01:47 <DIR> d-------- c:\program files\RogueRemover PRO

2008-11-08 01:45 . 2008-11-08 01:45 2,014 -r-h----- c:\windows\system32\drivers\hosts

2008-11-08 01:40 . 2008-11-08 01:43 <DIR> d-------- c:\program files\RogueRemover

2008-11-08 00:29 . 2008-05-15 22:53 873,134 --a------ c:\windows\system32\oem36.inf

2008-11-07 22:18 . 2008-11-07 22:18 <DIR> d-------- c:\program files\Malwarebytes' Anti-Malware

2008-11-07 22:18 . 2008-11-07 22:18 <DIR> d-------- c:\documents and settings\EU\Application Data\Malwarebytes

2008-11-07 22:18 . 2008-11-07 22:18 <DIR> d-------- c:\documents and settings\All Users\Application Data\Malwarebytes

2008-11-07 22:18 . 2008-10-22 16:27 38,496 --a------ c:\windows\system32\drivers\mbamswissarmy.sys

2008-11-07 22:18 . 2008-10-22 16:27 15,504 --a------ c:\windows\system32\drivers\mbam.sys

2008-11-06 10:27 . 2008-11-11 20:19 <DIR> d-------- C:\Temp

2008-11-05 09:08 . 2008-11-05 09:08 <DIR> d-------- c:\windows\system32\LogFiles

2008-11-02 15:11 . 2008-11-02 15:11 <DIR> d-------- c:\documents and settings\EU\Application Data\AVGTOOLBAR

2008-11-02 15:11 . 2008-11-02 15:29 <DIR> d-------- c:\documents and settings\All Users\Application Data\avg8

2008-10-25 20:06 . 2008-10-25 20:06 <DIR> d-------- c:\windows\system32\scripting

2008-10-25 20:06 . 2008-10-25 20:06 <DIR> d-------- c:\windows\l2schemas

2008-10-25 20:05 . 2008-10-25 20:05 <DIR> d-------- c:\windows\system32\en

2008-10-25 20:05 . 2008-10-25 20:05 <DIR> d-------- c:\windows\system32\bits

2008-10-25 20:02 . 2008-10-25 20:02 <DIR> d-------- c:\windows\ServicePackFiles

2008-10-24 02:24 . 2008-10-15 08:34 337,408 -----c--- c:\windows\system32\dllcache\netapi32.dll

2008-10-14 20:25 . 2008-09-08 02:41 333,824 -----c--- c:\windows\system32\dllcache\srv.sys

2008-10-14 20:24 . 2008-09-15 04:12 1,846,400 -----c--- c:\windows\system32\dllcache\win32k.sys

2008-10-14 20:22 . 2008-08-14 02:11 2,189,184 -----c--- c:\windows\system32\dllcache\ntoskrnl.exe

2008-10-14 20:22 . 2008-08-14 02:09 2,145,280 -----c--- c:\windows\system32\dllcache\ntkrnlmp.exe

2008-10-14 20:22 . 2008-08-14 01:33 2,066,048 -----c--- c:\windows\system32\dllcache\ntkrnlpa.exe

2008-10-14 20:22 . 2008-08-14 01:33 2,023,936 -----c--- c:\windows\system32\dllcache\ntkrpamp.exe

.

(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

.

2008-11-12 03:18 20 ---h--w c:\documents and settings\All Users\Application Data\PKP_DLdu.DAT

2008-11-12 02:48 --------- d-----w c:\documents and settings\All Users\Application Data\EmailNotifier

2008-11-12 02:47 --------- d--h--w c:\program files\InstallShield Installation Information

2008-11-11 05:26 --------- d-----w c:\documents and settings\EU\Application Data\dvdcss

2008-11-08 01:45 --------- d-----w c:\program files\Validator5

2008-10-02 02:38 --------- d-----w c:\program files\eFax Messenger 4.4

2008-10-02 02:38 --------- d-----w c:\documents and settings\EU\Application Data\eFax Messenger

2008-10-02 02:38 --------- d-----w c:\documents and settings\All Users\Application Data\eFax Messenger 4.4 Output

2008-10-02 02:37 --------- d-----w c:\documents and settings\EU\Application Data\j2 Global

2008-09-15 12:12 1,846,400 ----a-w c:\windows\system32\win32k.sys

2008-08-26 07:24 826,368 ----a-w c:\windows\system32\wininet.dll

2008-08-14 10:09 2,145,280 ----a-w c:\windows\system32\ntoskrnl.exe

2008-08-14 09:33 2,023,936 ----a-w c:\windows\system32\ntkrnlpa.exe

.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))

.

.

*Note* empty entries & legit default entries are not shown

REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"LightScribe Control Panel"="c:\program files\Common Files\LightScribe\LightScribeControlPanel.exe" [2007-11-19 2295072]

"eFax 4.4"="c:\program files\eFax Messenger 4.4\J2GDllCmd.exe" [2008-07-31 95744]

"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-13 15360]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2007-10-04 8491008]

"SynTPStart"="c:\program files\Synaptics\SynTP\SynTPStart.exe" [2007-09-14 102400]

"RoxioDragToDisc"="c:\program files\Roxio\Easy Media Creator 7\Drag to Disc\DrgToDsc.exe" [2004-01-27 1179648]

"RemoteControl"="c:\program files\CyberLink\PowerDVD\PDVDServ.exe" [2006-12-06 69216]

"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2007-10-19 286720]

"QlbCtrl"="c:\program files\Hewlett-Packard\HP Quick Launch Buttons\QlbCtrl.exe" [2007-02-13 159744]

"NvMediaCenter"="c:\windows\system32\NvMcTray.dll" [2007-10-04 81920]

"NeroFilterCheck"="c:\program files\Common Files\Ahead\Lib\NeroCheck.exe" [2006-01-12 155648]

"LanguageShortcut"="c:\program files\CyberLink\PowerDVD\Language\Language.exe" [2006-12-05 54832]

"IntelliPoint"="c:\program files\Microsoft IntelliPoint\ipoint.exe" [2007-02-05 849280]

"hpWirelessAssistant"="c:\program files\Hewlett-Packard\HP Wireless Assistant\HPWAMain.exe" [2007-10-03 480560]

"HP Software Update"="c:\program files\Hp\HP Software Update\HPWuSchd2.exe" [2005-02-16 49152]

"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2008-01-11 39792]

"SynTPEnh"="c:\program files\Synaptics\SynTP\SynTPEnh.exe" [2008-03-28 1040384]

"Tweak UI"="TWEAKUI.CPL" [2000-06-18 c:\windows\system32\TWEAKUI.CPL]

"nwiz"="nwiz.exe" [2007-10-04 c:\windows\system32\nwiz.exe]

"High Definition Audio Property Page Shortcut"="CHDAudPropShortcut.exe" [2006-07-26 c:\windows\system32\CHDAudPropShortcut.exe]

c:\documents and settings\All Users\Start Menu\Programs\Startup\

Nikon Monitor.lnk - c:\program files\Common Files\Nikon\Monitor\NkMonitor.exe [2007-10-18 479232]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]

"ForceClassicControlPanel"= 1 (0x1)

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]

"AppInit_DLLs"=onyrzv.dll

[HKEY_LOCAL_MACHINE\software\microsoft\security center]

"AntiVirusDisableNotify"=dword:00000001

"UpdatesDisableNotify"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]

"%windir%\\system32\\sessmgr.exe"=

"%windir%\\Network Diagnostic\\xpnetdiag.exe"=

"c:\\Program Files\\Lytec Systems\\Lytec Medical XE\\W3DBSMGR.EXE"=

"c:\\Program Files\\Hp\\HP Software Update\\HPWUCli.exe"=

"c:\\Program Files\\Common Files\\AOL\\Loader\\aolload.exe"=

"c:\\Program Files\\AIM6\\aim6.exe"=

R0 pavboot;pavboot;c:\windows\system32\drivers\pavboot.sys [2008-06-19 28544]

R2 {95808DC4-FA4A-4c74-92FE-5B863F82066B};{95808DC4-FA4A-4c74-92FE-5B863F82066B};c:\program files\CyberLink\PowerDVD\000.fcl [2006-11-02 15:51 13560]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]

HPZ12 REG_MULTI_SZ Pml Driver HPZ12 Net Driver HPZ12

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{7e42d9e4-98ea-11dd-b75d-001a73bd021a}]

\Shell\AutoRun\command - F:\Launch.exe

[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{10880D85-AAD9-4558-ABDC-2AB1552D831F}]

"c:\program files\Common Files\LightScribe\LSRunOnce.exe"

.

- - - - ORPHANS REMOVED - - - -

WebBrowser-{A057A204-BACC-4D26-C39E-35F1D2A32EC8} - (no file)

**************************************************************************

catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net

Rootkit scan 2008-11-11 20:24:23

Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully

hidden files: 0

**************************************************************************

[HKEY_LOCAL_MACHINE\system\ControlSet001\Services\{95808DC4-FA4A-4c74-92FE-5B863F82066B}]

"ImagePath"="\??\c:\program files\CyberLink\PowerDVD\000.fcl"

.

Completion time: 2008-11-11 20:26:02

ComboFix-quarantined-files.txt 2008-11-12 04:25:50

ComboFix2.txt 2008-11-11 04:09:13

Pre-Run: 39,047,229,440 bytes free

Post-Run: 39,067,291,648 bytes free

218 --- E O F --- 2008-10-28 00:31:29


The version of Adobe Reader that you have installed has a vulnerability that can cause some security issues for you. You should uninstall what you have and install the latest version here. You can download the latest Adobe Flash Player here.

Please open another blank Notepad by clicking Start --> Run.

Then, in the Run box, type Notepad.exe and click "OK".

Copy the text below and paste it into the blank Notepad. Save it as CFScript.txt, changing the "Save as type" to All Files, and save it to your desktop. Now drag the text document onto your ComboFix.exe.

ComboFix will run again automatically. Please post back the new log that it generates, along with a fresh HijackThis log. Also, please advise how the system is behaving for you now. Thanks!

File::
c:\Windows\System32\onyrzv.dll

Folder::
c:\documents and settings\All Users\Application Data\Megaupload
c:\program files\Megaupload

Registry::
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=-

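As an added example (my own code, not part of this thread and not a ComboFix or Malwarebytes tool), the script below reads the ComboFix "Reg Loading Points" and catchme output in the format shown above, flags the entries a helper would act on, and builds the matching CFScript. It shows why the entries in the fix above matter: a DLL named in AppInit_DLLs is loaded into every process that links user32.dll, which is why a random-named entry there is a persistence mechanism; AntiVirusDisableNotify and UpdatesDisableNotify silence the Security Center warnings that would otherwise reveal disabled protection; a cached mountpoints2 AutoRun command records what a removable drive offered to execute. The sample text is excerpted from the log posted above; the severity labels and the assumption that a bare AppInit_DLLs file name resolves to system32 are mine. The generated `"AppInit_DLLs"=-` line follows .reg syntax, which the Registry:: section uses, where `=-` deletes a value.

```python
import re

# Constructed sample: lines excerpted from the ComboFix "Reg Loading Points"
# and catchme sections posted in this thread, joined into one text.
SAMPLE_LOG = r"""
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=onyrzv.dll
[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusDisableNotify"=dword:00000001
"UpdatesDisableNotify"=dword:00000001
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{7e42d9e4-98ea-11dd-b75d-001a73bd021a}]
\Shell\AutoRun\command - F:\Launch.exe
scanning hidden files ...
c:\windows\TEMP\bu6pd70j.TMP
scan completed successfully
hidden files: 1
"""

VALUE_RE = re.compile(r'^"([^"]+)"\s*=\s*(.*)$')


def parse_reg_points(text):
    """Yield (key, value_name, value_data) from REGEDIT4-style lines under [key] headers.
    ComboFix prints the mountpoints2 AutoRun command unquoted, so it is handled separately."""
    key = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.startswith("[") and line.endswith("]"):
            key = line[1:-1]
            continue
        if key is None:
            continue
        m = VALUE_RE.match(line)
        if m:
            yield key, m.group(1), m.group(2).strip()
        elif line.lower().startswith(r"\shell\autorun\command"):
            yield key, r"Shell\AutoRun\command", line.split(" - ", 1)[-1].strip()


def hidden_files(text):
    """Return the paths catchme listed between 'scanning hidden files ...' and its summary."""
    out, grab = [], False
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("scanning hidden files"):
            grab = True
        elif line.startswith(("scan completed", "hidden files:")):
            grab = False
        elif grab and "\\" in line:
            out.append(line)
    return out


def triage(text):
    """Return (severity, description) findings; the severity labels are this example's own."""
    findings = []
    for key, name, data in parse_reg_points(text):
        k = key.lower()
        if name == "AppInit_DLLs" and data:
            # Every process that loads user32.dll also loads these DLLs: classic persistence.
            findings.append(("HIGH", f"AppInit_DLLs injects {data} into every user32-linked process"))
        elif k.endswith("security center") and name.endswith("DisableNotify") and data.endswith("1"):
            findings.append(("MEDIUM", f"Security Center warning suppressed: {name}"))
        elif name == "EnableFirewall" and data.startswith("0"):
            findings.append(("MEDIUM", "Windows Firewall disabled in the standard profile"))
        elif "mountpoints2" in k and name == r"Shell\AutoRun\command":
            findings.append(("LOW", f"AutoRun command cached for a removable drive: {data}"))
    for path in hidden_files(text):
        findings.append(("MEDIUM", f"catchme found a hidden file: {path}"))
    return findings


def build_cfscript(text, dll_dir=r"c:\windows\system32"):
    """Build the CFScript that removes the AppInit_DLLs value and the DLL(s) it names.
    dll_dir is an assumption: a bare file name in AppInit_DLLs is resolved through the
    normal DLL search path, which for this value normally lands in system32."""
    files, reg = [], []
    for key, name, data in parse_reg_points(text):
        if name == "AppInit_DLLs" and data:
            for dll in re.split(r"[ ,]+", data):
                if dll:
                    files.append(dll if "\\" in dll else f"{dll_dir}\\{dll}")
            reg.append(f"[{key}]\n\"AppInit_DLLs\"=-")  # "=-" deletes the value (.reg syntax)
    parts = []
    if files:
        parts.append("File::\n" + "\n".join(files))
    if reg:
        parts.append("Registry::\n" + "\n".join(reg))
    return "\n\n".join(parts)


if __name__ == "__main__":
    for sev, msg in triage(SAMPLE_LOG):
        print(f"[{sev}] {msg}")
    print()
    print(build_cfscript(SAMPLE_LOG))
```

Run it against a full ComboFix log and it reports the same four categories of finding the helper acted on in this thread, plus any hidden file catchme lists; the generated script reproduces the File:: and Registry:: sections of the fix above (the Folder:: entries are a judgement call about the Megaupload software and are not derived from the log).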

Hi 1972vet,

How are you? Sorry for the delay. You were probably happy that I was not nagging you, just kidding. The system ran much smoother, and the pages loaded like they were supposed to when browsing. Question: can I still use Megaupload Manager and its toolbar after the computer is fixed? I will keep you informed when I use the computer more, since I'm replying right after following your fix instructions. Anyway, the computer feels like it runs much better, but I don't know if there is still any malware until you direct me to run the MAM scan. Thanks.

ComboFix 08-11-12.01 - EU 2008-11-13 23:55:06.3 - NTFSx86

Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.2788 [GMT -8:00]

Running from: c:\documents and settings\EU\Desktop\ComboFix.exe

Command switches used :: c:\documents and settings\EU\Desktop\CFScript.txt

* Created a new restore point

FILE ::

c:\windows\System32\onyrzv.dll

.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))

.

c:\documents and settings\All Users\Application Data\Megaupload

c:\documents and settings\All Users\Application Data\Megaupload\Megauper.exe

c:\program files\Megaupload

c:\program files\Megaupload\Mega Manager\company.url

c:\program files\Megaupload\Mega Manager\HS_License.html

c:\program files\Megaupload\Mega Manager\hs_regex.dll

c:\program files\Megaupload\Mega Manager\language\cn_str.txt

c:\program files\Megaupload\Mega Manager\language\ct_str.txt

c:\program files\Megaupload\Mega Manager\language\de_str.txt

c:\program files\Megaupload\Mega Manager\language\dk_str.txt

c:\program files\Megaupload\Mega Manager\language\en_str.txt

c:\program files\Megaupload\Mega Manager\language\es_str.txt

c:\program files\Megaupload\Mega Manager\language\fi_str.txt

c:\program files\Megaupload\Mega Manager\language\fr_str.txt

c:\program files\Megaupload\Mega Manager\language\it_str.txt

c:\program files\Megaupload\Mega Manager\language\jp_str.txt

c:\program files\Megaupload\Mega Manager\language\lang_ids

c:\program files\Megaupload\Mega Manager\language\nl_str.txt

c:\program files\Megaupload\Mega Manager\language\pl_str.txt

c:\program files\Megaupload\Mega Manager\language\pt_str.txt

c:\program files\Megaupload\Mega Manager\language\ru_str.txt

c:\program files\Megaupload\Mega Manager\language\sa_str.txt

c:\program files\Megaupload\Mega Manager\language\se_str.txt

c:\program files\Megaupload\Mega Manager\language\tr_str.txt

c:\program files\Megaupload\Mega Manager\language\vn_str.txt

c:\program files\Megaupload\Mega Manager\libeay32.dll

c:\program files\Megaupload\Mega Manager\logo.gif

c:\program files\Megaupload\Mega Manager\mega.smf

c:\program files\Megaupload\Mega Manager\MegaIeFn.dll

c:\program files\Megaupload\Mega Manager\MegaIEMn.dll

c:\program files\Megaupload\Mega Manager\megamanager-1.1.xpi

c:\program files\Megaupload\Mega Manager\MegaManager.exe

c:\program files\Megaupload\Mega Manager\mm_file.htm

c:\program files\Megaupload\Mega Manager\PCDLIB32.DLL

c:\program files\Megaupload\Mega Manager\plugins\npmmaud.dll

c:\program files\Megaupload\Mega Manager\plugins\npmmprog.dll

c:\program files\Megaupload\Mega Manager\plugins\npmmvid.dll

c:\program files\Megaupload\Mega Manager\plugins\npmmzip.dll

c:\program files\Megaupload\Mega Manager\product.url

c:\program files\Megaupload\Mega Manager\readme.txt

c:\program files\Megaupload\Mega Manager\res.dll

c:\program files\Megaupload\Mega Manager\ssleay32.dll

c:\program files\Megaupload\Mega Manager\support.url

c:\program files\Megaupload\Mega Manager\thirdPartyNotice.txt

c:\program files\Megaupload\Mega Manager\W3C_License.html

c:\program files\Megaupload\Mega Manager\wwwapp.dll

c:\program files\Megaupload\Mega Manager\wwwcache.dll

c:\program files\Megaupload\Mega Manager\wwwcore.dll

c:\program files\Megaupload\Mega Manager\wwwdir.dll

c:\program files\Megaupload\Mega Manager\wwwdll.dll

c:\program files\Megaupload\Mega Manager\wwwfile.dll

c:\program files\Megaupload\Mega Manager\wwwftp.dll

c:\program files\Megaupload\Mega Manager\wwwhtml.dll

c:\program files\Megaupload\Mega Manager\wwwhttp.dll

c:\program files\Megaupload\Mega Manager\wwwinit.dll

c:\program files\Megaupload\Mega Manager\wwwmime.dll

c:\program files\Megaupload\Mega Manager\wwwssl.dll

c:\program files\Megaupload\Mega Manager\wwwstream.dll

c:\program files\Megaupload\Mega Manager\wwwtrans.dll

c:\program files\Megaupload\Mega Manager\wwwutils.dll

.

((((((((((((((((((((((((( Files Created from 2008-10-14 to 2008-11-14 )))))))))))))))))))))))))))))))

.

2008-11-13 23:47 . 2008-11-13 23:47 <DIR> d-------- c:\program files\Common Files\Adobe AIR

2008-11-13 23:46 . 2008-11-13 23:46 <DIR> d-------- c:\program files\Common Files\Adobe

2008-11-13 23:44 . 2008-11-13 23:53 <DIR> d-------- c:\program files\NOS

2008-11-13 23:44 . 2008-11-13 23:53 <DIR> d-------- c:\documents and settings\All Users\Application Data\NOS

2008-11-12 05:47 . 2008-09-04 09:15 1,106,944 -----c--- c:\windows\system32\dllcache\msxml3.dll

2008-11-12 01:04 . 2008-10-24 03:21 455,296 -----c--- c:\windows\system32\dllcache\mrxsmb.sys

2008-11-11 18:48 . 2008-11-11 18:48 <DIR> d-------- c:\documents and settings\EU\Application Data\EmailNotifier

2008-11-11 18:42 . 2008-11-11 18:42 <DIR> d-------- c:\documents and settings\EU\Application Data\Twain

2008-11-09 19:27 . 2008-11-09 19:27 142,096 --a------ c:\windows\system32\drivers\tmcomm.sys

2008-11-09 16:23 . 2008-11-11 21:33 <DIR> d-------- C:\Sysclean

2008-11-08 13:36 . 2008-11-08 13:36 <DIR> d-------- c:\program files\Alwil Software

2008-11-08 12:00 . 2008-11-08 12:23 <DIR> d-------- c:\documents and settings\EU\.housecall6.6

2008-11-08 11:43 . 2008-11-08 12:00 <DIR> d-------- c:\windows\system32\HouseCall 6.6

2008-11-08 11:43 . 2008-11-08 11:43 <DIR> d-------- c:\documents and settings\EU\Application Data\HouseCall 6.6

2008-11-08 10:41 . 2008-11-08 10:41 <DIR> d-------- c:\program files\Trend Micro

2008-11-08 04:41 . 2008-11-08 04:41 <DIR> d-------- c:\program files\Panda Security

2008-11-08 04:41 . 2008-06-19 17:24 28,544 --a------ c:\windows\system32\drivers\pavboot.sys

2008-11-08 03:32 . 2008-11-08 04:08 <DIR> d-------- c:\program files\Spybot - Search & Destroy

2008-11-08 03:32 . 2008-11-08 03:38 <DIR> d-------- c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy

2008-11-08 03:03 . 2008-11-08 03:03 <DIR> d-------- c:\program files\FileASSASSIN

2008-11-08 01:45 . 2008-11-08 01:47 <DIR> d-------- c:\program files\RogueRemover PRO

2008-11-08 01:45 . 2008-11-08 01:45 2,014 -r-h----- c:\windows\system32\drivers\hosts

2008-11-08 01:40 . 2008-11-08 01:43 <DIR> d-------- c:\program files\RogueRemover

2008-11-08 00:29 . 2008-05-15 22:53 873,134 --a------ c:\windows\system32\oem36.inf

2008-11-07 22:18 . 2008-11-07 22:18 <DIR> d-------- c:\program files\Malwarebytes' Anti-Malware

2008-11-07 22:18 . 2008-11-07 22:18 <DIR> d-------- c:\documents and settings\EU\Application Data\Malwarebytes

2008-11-07 22:18 . 2008-11-07 22:18 <DIR> d-------- c:\documents and settings\All Users\Application Data\Malwarebytes

2008-11-07 22:18 . 2008-10-22 16:27 38,496 --a------ c:\windows\system32\drivers\mbamswissarmy.sys

2008-11-07 22:18 . 2008-10-22 16:27 15,504 --a------ c:\windows\system32\drivers\mbam.sys

2008-11-06 10:27 . 2008-11-11 20:19 <DIR> d-------- C:\Temp

2008-11-05 09:08 . 2008-11-05 09:08 <DIR> d-------- c:\windows\system32\LogFiles

2008-11-02 15:11 . 2008-11-02 15:11 <DIR> d-------- c:\documents and settings\EU\Application Data\AVGTOOLBAR

2008-11-02 15:11 . 2008-11-02 15:29 <DIR> d-------- c:\documents and settings\All Users\Application Data\avg8

2008-10-25 20:06 . 2008-10-25 20:06 <DIR> d-------- c:\windows\system32\scripting

2008-10-25 20:06 . 2008-10-25 20:06 <DIR> d-------- c:\windows\l2schemas

2008-10-25 20:05 . 2008-10-25 20:05 <DIR> d-------- c:\windows\system32\en

2008-10-25 20:05 . 2008-10-25 20:05 <DIR> d-------- c:\windows\system32\bits

2008-10-25 20:02 . 2008-10-25 20:02 <DIR> d-------- c:\windows\ServicePackFiles

2008-10-24 02:24 . 2008-10-15 08:34 337,408 -----c--- c:\windows\system32\dllcache\netapi32.dll

2008-10-14 20:25 . 2008-09-08 02:41 333,824 -----c--- c:\windows\system32\dllcache\srv.sys

2008-10-14 20:24 . 2008-09-15 04:12 1,846,400 -----c--- c:\windows\system32\dllcache\win32k.sys

2008-10-14 20:22 . 2008-08-14 02:11 2,189,184 -----c--- c:\windows\system32\dllcache\ntoskrnl.exe

2008-10-14 20:22 . 2008-08-14 02:09 2,145,280 -----c--- c:\windows\system32\dllcache\ntkrnlmp.exe

2008-10-14 20:22 . 2008-08-14 01:33 2,066,048 -----c--- c:\windows\system32\dllcache\ntkrnlpa.exe

2008-10-14 20:22 . 2008-08-14 01:33 2,023,936 -----c--- c:\windows\system32\dllcache\ntkrpamp.exe

.

(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

.

2008-11-12 03:18 20 ---h--w c:\documents and settings\All Users\Application Data\PKP_DLdu.DAT

2008-11-12 02:48 --------- d-----w c:\documents and settings\All Users\Application Data\EmailNotifier

2008-11-12 02:47 --------- d--h--w c:\program files\InstallShield Installation Information

2008-11-11 05:26 --------- d-----w c:\documents and settings\EU\Application Data\dvdcss

2008-11-08 01:45 --------- d-----w c:\program files\Validator5

2008-10-24 11:21 455,296 ----a-w c:\windows\system32\drivers\mrxsmb.sys

2008-10-16 22:13 202,776 ----a-w c:\windows\system32\wuweb.dll

2008-10-16 22:13 1,809,944 ----a-w c:\windows\system32\wuaueng.dll

2008-10-16 22:12 561,688 ----a-w c:\windows\system32\wuapi.dll

2008-10-16 22:12 323,608 ----a-w c:\windows\system32\wucltui.dll

2008-10-16 22:09 92,696 ----a-w c:\windows\system32\cdm.dll

2008-10-16 22:09 51,224 ----a-w c:\windows\system32\wuauclt.exe

2008-10-16 22:09 43,544 ----a-w c:\windows\system32\wups2.dll

2008-10-16 22:08 34,328 ----a-w c:\windows\system32\wups.dll

2008-10-02 02:38 --------- d-----w c:\program files\eFax Messenger 4.4

2008-10-02 02:38 --------- d-----w c:\documents and settings\EU\Application Data\eFax Messenger

2008-10-02 02:38 --------- d-----w c:\documents and settings\All Users\Application Data\eFax Messenger 4.4 Output

2008-10-02 02:37 --------- d-----w c:\documents and settings\EU\Application Data\j2 Global

2008-10-01 00:43 1,286,152 ----a-w c:\windows\system32\msxml4.dll

2008-09-15 12:12 1,846,400 ----a-w c:\windows\system32\win32k.sys

2008-09-10 01:14 1,307,648 ------w c:\windows\system32\msxml6.dll

2008-09-04 17:15 1,106,944 ----a-w c:\windows\system32\msxml3.dll

2008-08-26 07:24 826,368 ----a-w c:\windows\system32\wininet.dll

2008-08-14 10:09 2,145,280 ----a-w c:\windows\system32\ntoskrnl.exe

2008-08-14 09:33 2,023,936 ----a-w c:\windows\system32\ntkrnlpa.exe

.

((((((((((((((((((((((((((((( snapshot@2008-11-10_20.08.50.92 )))))))))))))))))))))))))))))))))))))))))

.

+ 2008-10-24 11:21:09 455,296 ------w c:\windows\Driver Cache\i386\mrxsmb.sys

+ 2008-11-13 01:45:07 32,768 ----a-r c:\windows\Installer\{86493ADD-824D-4B8E-BD72-8C5DCDC52A71}\icon.exe

+ 2007-12-12 23:06:42 295,606 ----a-r c:\windows\Installer\{AC76BA86-7AD7-1033-7B44-A90000000001}\SC_Reader.exe

- 2008-07-19 05:10:48 94,920 -c--a-w c:\windows\system32\dllcache\cdm.dll

+ 2008-10-16 22:09:44 92,696 -c--a-w c:\windows\system32\dllcache\cdm.dll

- 2008-04-14 00:12:01 1,306,624 -c----w c:\windows\system32\dllcache\msxml6.dll

+ 2008-09-10 01:14:56 1,307,648 -c----w c:\windows\system32\dllcache\msxml6.dll

- 2008-07-19 05:09:44 563,912 -c--a-w c:\windows\system32\dllcache\wuapi.dll

+ 2008-10-16 22:12:20 561,688 -c--a-w c:\windows\system32\dllcache\wuapi.dll

- 2008-07-19 05:10:42 53,448 -c--a-w c:\windows\system32\dllcache\wuauclt.exe

+ 2008-10-16 22:09:44 51,224 -c--a-w c:\windows\system32\dllcache\wuauclt.exe

- 2008-07-19 05:09:42 1,811,656 -c--a-w c:\windows\system32\dllcache\wuaueng.dll

+ 2008-10-16 22:13:40 1,809,944 -c--a-w c:\windows\system32\dllcache\wuaueng.dll

- 2008-07-19 05:09:46 325,832 -c--a-w c:\windows\system32\dllcache\wucltui.dll

+ 2008-10-16 22:12:22 323,608 -c--a-w c:\windows\system32\dllcache\wucltui.dll

- 2008-07-19 05:10:20 36,552 -c--a-w c:\windows\system32\dllcache\wups.dll

+ 2008-10-16 22:08:58 34,328 -c--a-w c:\windows\system32\dllcache\wups.dll

- 2008-07-19 05:09:44 205,000 -c--a-w c:\windows\system32\dllcache\wuweb.dll

+ 2008-10-16 22:13:40 202,776 -c--a-w c:\windows\system32\dllcache\wuweb.dll

- 2008-03-25 03:21:00 2,889,088 ----a-w c:\windows\system32\Macromed\Flash\NPSWF32.dll

+ 2008-10-05 03:24:02 3,695,008 ----a-w c:\windows\system32\Macromed\Flash\NPSWF32.dll

- 2008-03-25 03:21:00 218,496 ----a-w c:\windows\system32\Macromed\Flash\NPSWF32_FlashUtil.exe

+ 2008-10-05 03:24:04 235,936 ----a-w c:\windows\system32\Macromed\Flash\NPSWF32_FlashUtil.exe

+ 2008-11-14 07:42:47 84,661 ----a-w c:\windows\system32\Macromed\Flash\uninstall_plugin.exe

- 2008-10-07 19:19:40 16,721,856 ----a-w c:\windows\system32\MRT.exe

+ 2008-11-04 00:10:25 17,318,336 ----a-w c:\windows\system32\MRT.exe

+ 2008-10-16 22:08:58 34,328 ----a-w c:\windows\system32\SoftwareDistribution\Setup\ServiceStartup\wups.dll\7.2.6001.788\wups.dll

+ 2008-10-16 22:09:44 43,544 ----a-w c:\windows\system32\SoftwareDistribution\Setup\ServiceStartup\wups2.dll\7.2.6001.788\wups2.dll

- 2007-11-30 12:39:22 17,272 ------w c:\windows\system32\spmsg.dll

+ 2008-07-08 13:02:01 17,272 ------w c:\windows\system32\spmsg.dll

+ 2008-10-01 00:42:08 1,286,152 ----a-w c:\windows\WinSxS\x86_Microsoft.MSXML2_6bd6b9abf345378f_4.20.9870.0_x-ww_a32d74cf\msxml4.dll

+ 2008-10-01 00:45:12 91,656 ----a-w c:\windows\WinSxS\x86_Microsoft.MSXML2R_6bd6b9abf345378f_4.1.1.0_x-ww_2a41bceb\msxml4r.dll

.

-- Snapshot reset to current date --

.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))

.

.

*Note* empty entries & legit default entries are not shown

REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"LightScribe Control Panel"="c:\program files\Common Files\LightScribe\LightScribeControlPanel.exe" [2007-11-19 2295072]

"eFax 4.4"="c:\program files\eFax Messenger 4.4\J2GDllCmd.exe" [2008-07-31 95744]

"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-13 15360]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2007-10-04 8491008]

"SynTPStart"="c:\program files\Synaptics\SynTP\SynTPStart.exe" [2007-09-14 102400]

"RoxioDragToDisc"="c:\program files\Roxio\Easy Media Creator 7\Drag to Disc\DrgToDsc.exe" [2004-01-27 1179648]

"RemoteControl"="c:\program files\CyberLink\PowerDVD\PDVDServ.exe" [2006-12-06 69216]

"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2007-10-19 286720]

"QlbCtrl"="c:\program files\Hewlett-Packard\HP Quick Launch Buttons\QlbCtrl.exe" [2007-02-13 159744]

"NvMediaCenter"="c:\windows\system32\NvMcTray.dll" [2007-10-04 81920]

"NeroFilterCheck"="c:\program files\Common Files\Ahead\Lib\NeroCheck.exe" [2006-01-12 155648]

"LanguageShortcut"="c:\program files\CyberLink\PowerDVD\Language\Language.exe" [2006-12-05 54832]

"IntelliPoint"="c:\program files\Microsoft IntelliPoint\ipoint.exe" [2007-02-05 849280]

"hpWirelessAssistant"="c:\program files\Hewlett-Packard\HP Wireless Assistant\HPWAMain.exe" [2007-10-03 480560]

"HP Software Update"="c:\program files\Hp\HP Software Update\HPWuSchd2.exe" [2005-02-16 49152]

"SynTPEnh"="c:\program files\Synaptics\SynTP\SynTPEnh.exe" [2008-03-28 1040384]

"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2008-06-12 34672]

"Tweak UI"="TWEAKUI.CPL" [2000-06-18 c:\windows\system32\TWEAKUI.CPL]

"nwiz"="nwiz.exe" [2007-10-04 c:\windows\system32\nwiz.exe]

"High Definition Audio Property Page Shortcut"="CHDAudPropShortcut.exe" [2006-07-26 c:\windows\system32\CHDAudPropShortcut.exe]

c:\documents and settings\All Users\Start Menu\Programs\Startup\

Nikon Monitor.lnk - c:\program files\Common Files\Nikon\Monitor\NkMonitor.exe [2007-10-18 479232]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]

"ForceClassicControlPanel"= 1 (0x1)

[HKEY_LOCAL_MACHINE\software\microsoft\security center]

"AntiVirusDisableNotify"=dword:00000001

"UpdatesDisableNotify"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]

"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]

"%windir%\\system32\\sessmgr.exe"=

"%windir%\\Network Diagnostic\\xpnetdiag.exe"=

"c:\\Program Files\\Lytec Systems\\Lytec Medical XE\\W3DBSMGR.EXE"=

"c:\\Program Files\\Hp\\HP Software Update\\HPWUCli.exe"=

"c:\\Program Files\\Common Files\\AOL\\Loader\\aolload.exe"=

"c:\\Program Files\\AIM6\\aim6.exe"=

R0 pavboot;pavboot;c:\windows\system32\drivers\pavboot.sys [2008-06-19 28544]

R2 {95808DC4-FA4A-4c74-92FE-5B863F82066B};{95808DC4-FA4A-4c74-92FE-5B863F82066B};c:\program files\CyberLink\PowerDVD\000.fcl [2006-11-02 15:51 13560]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]

HPZ12 REG_MULTI_SZ Pml Driver HPZ12 Net Driver HPZ12

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{7e42d9e4-98ea-11dd-b75d-001a73bd021a}]

\Shell\AutoRun\command - F:\Launch.exe

[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{10880D85-AAD9-4558-ABDC-2AB1552D831F}]

"c:\program files\Common Files\LightScribe\LSRunOnce.exe"

.

**************************************************************************

catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net

Rootkit scan 2008-11-14 00:02:43

Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

c:\windows\TEMP\bu6pd70j.TMP

scan completed successfully

hidden files: 1

**************************************************************************

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\{95808DC4-FA4A-4c74-92FE-5B863F82066B}]

"ImagePath"="\??\c:\program files\CyberLink\PowerDVD\000.fcl"

.

------------------------ Other Running Processes ------------------------

.

c:\windows\system32\BRSS01A.EXE

c:\program files\Common Files\LightScribe\LSSrvc.exe

c:\windows\system32\nvsvc32.exe

c:\program files\CyberLink\Shared Files\RichVideo.exe

c:\windows\system32\wdfmgr.exe

c:\windows\system32\MsPMSPSv.exe

c:\program files\Hewlett-Packard\Shared\hpqWmiEx.exe

c:\windows\system32\rundll32.exe

c:\program files\Hewlett-Packard\Shared\HpqToaster.exe

c:\windows\system32\wscntfy.exe

.

**************************************************************************

.

Completion time: 2008-11-14 0:05:51 - machine was rebooted

ComboFix-quarantined-files.txt 2008-11-14 08:05:46

ComboFix2.txt 2008-11-12 04:26:03

ComboFix3.txt 2008-11-11 04:09:13

Pre-Run: 93,114,208,256 bytes free

Post-Run: 93,122,158,592 bytes free

271 --- E O F --- 2008-11-14 01:40:13

Logfile of Trend Micro HijackThis v2.0.2

Scan saved at 12:10:47 AM, on 11/14/2008

Platform: Windows XP SP3 (WinNT 5.01.2600)

MSIE: Internet Explorer v7.00 (7.00.6000.16735)

Boot mode: Normal

Running processes:

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\system32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\system32\spoolsv.exe

C:\WINDOWS\system32\brss01a.exe

C:\Program Files\Common Files\LightScribe\LSSrvc.exe

C:\WINDOWS\system32\nvsvc32.exe

C:\WINDOWS\System32\svchost.exe

C:\Program Files\CyberLink\Shared Files\RichVideo.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\system32\MsPMSPSv.exe

C:\Program Files\Hewlett-Packard\Shared\hpqWmiEx.exe

C:\Program Files\Roxio\Easy Media Creator 7\Drag to Disc\DrgToDsc.exe

C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe

C:\WINDOWS\system32\RUNDLL32.EXE

C:\Program Files\Microsoft IntelliPoint\ipoint.exe

C:\Program Files\Hewlett-Packard\HP Wireless Assistant\HPWAMain.exe

C:\Program Files\Hp\HP Software Update\HPWuSchd2.exe

C:\Program Files\Synaptics\SynTP\SynTPEnh.exe

C:\Program Files\Common Files\LightScribe\LightScribeControlPanel.exe

C:\Program Files\eFax Messenger 4.4\J2GDllCmd.exe

C:\WINDOWS\system32\ctfmon.exe

C:\Program Files\Common Files\Nikon\Monitor\NkMonitor.exe

C:\Program Files\Hewlett-Packard\Shared\HpqToaster.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\system32\wscntfy.exe

C:\WINDOWS\explorer.exe

C:\WINDOWS\system32\notepad.exe

C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896

O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll

O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup

O4 - HKLM\..\Run: [Tweak UI] RUNDLL32.EXE TWEAKUI.CPL,TweakMeUp

O4 - HKLM\..\Run: [synTPStart] C:\Program Files\Synaptics\SynTP\SynTPStart.exe

O4 - HKLM\..\Run: [RoxioDragToDisc] "C:\Program Files\Roxio\Easy Media Creator 7\Drag to Disc\DrgToDsc.exe"

O4 - HKLM\..\Run: [RemoteControl] "C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe"

O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime

O4 - HKLM\..\Run: [QlbCtrl] %ProgramFiles%\Hewlett-Packard\HP Quick Launch Buttons\QlbCtrl.exe /Start

O4 - HKLM\..\Run: [nwiz] nwiz.exe /install

O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit

O4 - HKLM\..\Run: [NeroFilterCheck] C:\Program Files\Common Files\Ahead\Lib\NeroCheck.exe

O4 - HKLM\..\Run: [LanguageShortcut] "C:\Program Files\CyberLink\PowerDVD\Language\Language.exe"

O4 - HKLM\..\Run: [intelliPoint] "C:\Program Files\Microsoft IntelliPoint\ipoint.exe"

O4 - HKLM\..\Run: [hpWirelessAssistant] C:\Program Files\Hewlett-Packard\HP Wireless Assistant\HPWAMain.exe

O4 - HKLM\..\Run: [HP Software Update] c:\Program Files\Hp\HP Software Update\HPWuSchd2.exe

O4 - HKLM\..\Run: [High Definition Audio Property Page Shortcut] CHDAudPropShortcut.exe

O4 - HKLM\..\Run: [synTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe

O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe"

O4 - HKCU\..\Run: [LightScribe Control Panel] C:\Program Files\Common Files\LightScribe\LightScribeControlPanel.exe -hidden

O4 - HKCU\..\Run: [eFax 4.4] "C:\Program Files\eFax Messenger 4.4\J2GDllCmd.exe" /R

O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe

O4 - Global Startup: Nikon Monitor.lnk = C:\Program Files\Common Files\Nikon\Monitor\NkMonitor.exe

O8 - Extra context menu item: Download Link Using Mega Manager... - C:\Program Files\Megaupload\Mega Manager\mm_file.htm

O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll

O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll

O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe

O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe

O16 - DPF: {215B8138-A3CF-44C5-803F-8226143CFC0A} (Trend Micro ActiveX Scan Agent 6.6) - http://housecall65.trendmicro.com/housecal...ivex/hcImpl.cab

O16 - DPF: {67A5F8DC-1A4B-4D66-9F24-A704AD929EEE} (System Requirements Lab) - http://www.nvidia.com/content/DriverDownlo.../sysreqlab2.cab

O16 - DPF: {7B297BFD-85E4-4092-B2AF-16A91B2EA103} (WScanCtl Class) - http://www.ca.com/us/securityadvisor/virusinfo/webscan.cab

O16 - DPF: {E87F6C8E-16C0-11D3-BEF7-009027438003} (Persits Software XUpload) - https://www.officeally.com/XUpload.ocx

O23 - Service: BrSplService (Brother XP spl Service) - brother Industries Ltd - C:\WINDOWS\system32\brsvc01a.exe

O23 - Service: hpqwmiex - Hewlett-Packard Development Company, L.P. - C:\Program Files\Hewlett-Packard\Shared\hpqWmiEx.exe

O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe

O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - C:\Program Files\Common Files\LightScribe\LSSrvc.exe

O23 - Service: NBService - Nero AG - C:\Program Files\Nero\Nero 7\Nero BackItUp\NBService.exe

O23 - Service: NMIndexingService - Nero AG - C:\Program Files\Common Files\Ahead\Lib\NMIndexingService.exe

O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe

O23 - Service: Cyberlink RichVideo Service(CRVS) (RichVideo) - Unknown owner - C:\Program Files\CyberLink\Shared Files\RichVideo.exe

--

End of file - 6298 bytes


Those logs look fine. Let's reinstall your AVG 8 now and run a manual update. Keep updating the software until it no longer finds any more updates. Reboot to Safe Mode and run a complete system scan. Post back your results. Thanks!


Hi 1972vet,

Thanks for helping again. Below is the report from AVG. In my last post, I asked whether I can reinstall Mega Manager and the Megaupload toolbar, but I did not get an OK from you. Please advise. Thanks.

AVG 8.0 Anti-Virus command line scanner

Copyright © 1992 - 2008 AVG Technologies

Program version 8.0.145, engine 8.0.0

Virus Database: Version 270.9.4/1795 2008-11-17

C:\Documents and Settings\Administrator\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Locked file. Not tested.

C:\Documents and Settings\Administrator\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Locked file. Not tested.

C:\Documents and Settings\Administrator\ntuser.dat.LOG Locked file. Not tested.

C:\Documents and Settings\Administrator\NTUSER.DAT Locked file. Not tested.

C:\Documents and Settings\All Users\Application Data\Microsoft\Dr Watson\user.dmp Locked file. Not tested.

C:\Documents and Settings\EU\Application Data\Twain\Twain.exe Trojan horse Agent.ALNP Object was moved to Virus Vault.

C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Locked file. Not tested.

C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Locked file. Not tested.

C:\Documents and Settings\NetworkService\NTUSER.DAT Locked file. Not tested.

C:\Documents and Settings\NetworkService\ntuser.dat.LOG Locked file. Not tested.

C:\pagefile.sys Locked file. Not tested.

C:\System Volume Information\ Locked file. Not tested.

C:\WINDOWS\system32\config\default Locked file. Not tested.

C:\WINDOWS\system32\config\default.LOG Locked file. Not tested.

C:\WINDOWS\system32\config\SAM Locked file. Not tested.

C:\WINDOWS\system32\config\SAM.LOG Locked file. Not tested.

C:\WINDOWS\system32\config\SECURITY Locked file. Not tested.

C:\WINDOWS\system32\config\SECURITY.LOG Locked file. Not tested.

C:\WINDOWS\system32\config\software Locked file. Not tested.

C:\WINDOWS\system32\config\software.LOG Locked file. Not tested.

C:\WINDOWS\system32\config\system Locked file. Not tested.

C:\WINDOWS\system32\config\system.LOG Locked file. Not tested.

C:\WINDOWS\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\Q5I3T271\millbuck2[1].exe Trojan horse SHeur2.EG Object was moved to Virus Vault.

D:\System Volume Information\ Locked file. Not tested.

D:\SYSTEM_DONOT_DELETE\PRI_SW\PowerDVDv7\PowerDVD 7 KG.exe Trojan horse Downloader.Generic7.AWVE Object was moved to Virus Vault.

------------------------------------------------------------

Objects scanned : 334470

Found infections : 3

Found PUPs : 0

Healed infections : 3

Healed PUPs : 0

Warnings : 0

------------------------------------------------------------


Your log looks clean now. Congratulations! The Megaupload MegaManager Toolbar is spyware. I would not recommend using it.

Click start-->run...then copy and paste the Bold text below into the run box and click "OK":

ComboFix /u

Performing this function will uninstall ComboFix, delete its related folders and files, reset your clock settings, hide file extensions, hide the system/hidden files and reset System Restore again for you automatically.

To assist in the prevention of spyware infections:

Immunize your browser by installing Spywareblaster. What does it do?

  • Prevents the installation of ActiveX-based spyware, adware, browser hijackers, dialers, and other potentially unwanted software.
  • Blocks spyware/tracking cookies in Internet Explorer and Mozilla/Firefox.
  • Restricts the actions of potentially unwanted sites in Internet Explorer.

Keep your anti-virus and spyware definitions up to date. Be sure to scan often.

Below you can choose from several of the freeware Firewalls available on the public domain. Even though you may have a Firewall already installed, keep this list handy should you choose not to renew your subscription for whatever reason.

You should always have at least (but not more than ) one of these types of third party firewalls running on board:

Kerio Personal Firewall

Zone Alarm

Outpost Free

Comodo

Install the free security tool "Secunia PSI" to help protect your system against software vulnerabilities. The free utility scans your system's software applications and offers a one-button "Download Solution" feature that updates the exploited software AND provides other related information/patching if warranted.

Stay updated with the most recent Windows patches as well...using Microsoft's Windows Update. Make it easy on yourself, and set this feature to Automatic.

Using an alternate browser can reduce your chance of certain infections installing themselves. We recommend installing Mozilla Firefox. If you don't already have "Firefox", please consider installing and using this browser for surfing.

If you still wish to use Internet Explorer, please make sure you install SpywareBlaster (from above) to protect you from most ActiveX infections.

Become familiar with the Malwarebytes Anti-Malware application. Use it often, especially if you begin to notice that system performance is not what it should be. Learn more about the program Here, where you can also request assistance if you have some concerns about the program's findings.

***Note***

The licensed version provides real time protection and other automatic features otherwise not available.

Run CCleaner often. The Yahoo Toolbar is included by default during the installation...if you DO NOT WANT IT, be sure to remove the check from the "Add CCleaner Yahoo! Toolbar and use CCleaner from your browser" option during installation setup.

Or if you just want to run your on board Disk Cleanup ("Start--> Programs-->Accessories-->System Tools-->Disk Cleanup" ), just open the utility and check off the following:

Downloaded Program Files, Temporary Internet Files, Recycle Bin, and Temporary Files. Don't forget to defrag the system.

So how did I get infected in the first place?

Regards, and Happy Surfing!


This issue appears resolved and the thread is closed to prevent others from posting here.

Other members who need assistance please start your own topic in a new thread. Thanks!

The fixes and advice in this thread are for this machine only. Do not apply the instructions from this thread to your own machine. Please start a new thread describing your issue and someone will be along to assist you.
