Please help me..


cadz

Hello everyone, I am a newbie and looking for some help. My computer recently picked up a nasty Trojan Vundo. I have tried everything possible, including Malwarebytes; it seems to be the only one that detects it and removes it, but as soon as I turn my computer back on new trojans are found.. I give up, nothing I do seems to work. I stumbled on this forum and turn to it as my last hope of cleaning my computer..

here's a list of what is happening,

Trojan Vundo keys and registry won't delete even after Malwarebytes quarantines it..

New trojans keep popping up after I do a scan

my computer keeps shutting down in the middle of doing something..

I am frustrated and do hope someone can help me.. please.. thank you!


Please note that all instructions given are customised for this computer only, the tools used may cause damage if used on a computer with different infections.

If you think you have similar problems, please post a log in the HJT forum and wait for help.

Hi cadz and welcome to Malwarebytes' :)

I'm Dakeyras and I am going to try to assist you with your problem. Please take note of the below:

  • I will start working on your malware issues; this may, or may not, solve other issues you have with your machine.

  • The fixes are specific to your problem and should only be used for this issue on this machine!

  • The process is not instant. Please continue to review my answers until I tell you your machine is clear. Absence of symptoms does not mean that everything is clear.

  • If you don't know, stop and ask! Don't keep going on.

  • Please reply to this thread. Do not start a new topic.

  • Refrain from running self fixes as this will hinder the malware removal process.

  • It may prove beneficial if you print off the following instructions or save them to Notepad as I post them.

  • Your security programs may give warnings for some of the tools I will ask you to use. Be assured, any links I give are safe.

Extra note: Please be aware that, as I am still in training, all of my fixes/posts require prior checking by an Expert. So some delays may be inevitable; please be patient and I will reply again asap.

Next:

Please download HijackThis from Here.

  • Choose the default location of C:\Program Files\Trend Micro\HijackThis as the destination. HJT needs to be in its own folder so that the program itself isn't deleted by accident. Having the backups could be VITAL to restoring your system if something went wrong in the FIX process!

  • Click the Install button.

  • Accept the license agreement.

  • The program will place a shortcut on your desktop. This will make it easier for you to access the tool when required.

  • Click Do a system scan and save a log file. A Notepad file will open.

  • To post the text, first you must highlight the entire text and then press the (Ctrl+C) keys which copies it to your clipboard.

  • Now paste the log into this thread using the (Ctrl + V) buttons.

DO NOT MAKE ANY CHANGES OR CLICK "FIX CHECKED" UNTIL WE CHECK THE LOG, AS MOST OF THE FILES ARE LEGIT AND VITAL TO THE FUNCTION OF YOUR COMPUTER

Next:

I would like to view a list of the software applications currently installed on your PC. To provide it, do as follows:

Run HijackThis and click on Open the Misc Tools section.

  • Click Open Uninstall Manager...

  • Click Save list... and save it to your Desktop.

  • Copy and paste the file uninstall_list.txt into your next reply.

When you have completed the above, please post back the following:

  • Uninstall list.

  • HijackThis Log.



Adobe Anchor Service CS3

Adobe Asset Services CS3

Adobe Bridge CS3

Adobe Bridge Start Meeting

Adobe Camera Raw 4.0

Adobe CMaps

Adobe Color - Photoshop Specific

Adobe Color EU Extra Settings

Adobe Color JA Extra Settings

Adobe Color NA Recommended Settings

Adobe Default Language CS3

Adobe Device Central CS3

Adobe Flash Player ActiveX

Adobe Fonts All

Adobe Help Viewer CS3

Adobe Linguistics CS3

Adobe PDF Library Files

Adobe Photoshop CS3

Adobe Photoshop CS3

Adobe Photoshop Elements 6.0

Adobe Reader 7.0.5

Adobe Setup

Adobe Stock Photos CS3

Adobe Type Support

Adobe Update Manager CS3

Adobe Version Cue CS3 Client

Adobe WinSoft Linguistics Plugin

Adobe XMP Panels CS3

Agere Systems PCI-SV92PP Soft Modem

Artistic Effects by Lokas Software

Bookworm Deluxe

CCleaner (remove only)

Customer Experience Enhancement

DISCover

Easy Internet Sign-up

Enhanced Multimedia Keyboard Solution

Eye Candy 3

Family Feud

FATE

Flip Words

GearDrvs

Google Toolbar for Internet Explorer

Google Toolbar for Internet Explorer

High Definition Audio Driver Package - KB888111

HijackThis 2.0.2

Hotfix for Microsoft .NET Framework 3.5 SP1 (KB953595)

Hotfix for Windows Media Player 10 (KB910393)

Hotfix for Windows XP (KB952287)

HP Boot Optimizer

HP Deskjet Printer Preload

HP DigitalMedia Archive

HP Document Viewer 6.1

HP DVD Play 2.1

HP Game Console

HP Imaging Device Functions 7.0

HP Photosmart 330,380,420,470,7800,8000,8200 Series

hp photosmart 7600 series

HP Photosmart Cameras 6.0

HP Photosmart for Media Center PC

HP Photosmart Premier Software 6.5

HP PSC & OfficeJet 5.3.B

HP PSC & OfficeJet 6.1.A

HP Rhapsody

HP Software Update

HP Solution Center and Imaging Support Tools 6.1

HP Web Helper

Intel Matrix Storage Manager

Intel® Graphics Media Accelerator Driver

Intel® PRO Network Connections Drivers

Intel® Quick Resume Technology Drivers

Intel® Quick Resume Technology Drivers

Intel


Logfile of Trend Micro HijackThis v2.0.2

Scan saved at 1:56:36 PM, on 12/22/2008

Platform: Windows XP SP3 (WinNT 5.01.2600)

MSIE: Internet Explorer v7.00 (7.00.6000.16735)

Boot mode: Normal

Running processes:

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\system32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\system32\svchost.exe

C:\Program Files\Windows Defender\MsMpEng.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\system32\spoolsv.exe

C:\Program Files\Symantec\LiveUpdate\AluSchedulerSvc.exe

C:\Program Files\Bonjour\mDNSResponder.exe

C:\WINDOWS\eHome\ehRecvr.exe

C:\WINDOWS\eHome\ehSched.exe

C:\Program Files\Intel\Intel Matrix Storage Manager\iaantmon.exe

C:\Program Files\Common Files\LightScribe\LSSrvc.exe

C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE

C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\HPZIPM12.EXE

C:\Program Files\Intel\IntelDH\Intel® Quick Resume Technology\ELService.exe

C:\WINDOWS\Explorer.EXE

C:\WINDOWS\ehome\ehtray.exe

C:\WINDOWS\RTHDCPL.EXE

C:\WINDOWS\system32\hkcmd.exe

C:\WINDOWS\system32\igfxpers.exe

C:\Program Files\Intel\Intel Matrix Storage Manager\iaanotif.exe

C:\Program Files\DISC\DISCover.exe

C:\Program Files\DISC\DiscUpdMgr.exe

C:\Program Files\HP DigitalMedia Archive\DMAScheduler.exe

C:\Program Files\HP\HP Software Update\HPwuSchd2.exe

C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb09.exe

C:\HP\KBD\KBD.EXE

C:\Program Files\QuickTime\qttask.exe

C:\WINDOWS\eHome\ehmsas.exe

C:\Program Files\Windows Defender\MSASCui.exe

C:\WINDOWS\system32\dumprep.exe

C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe

C:\WINDOWS\system32\ctfmon.exe

C:\Program Files\Windows Live\Messenger\msnmsgr.exe

C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe

C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe

C:\Program Files\Mozilla Firefox\firefox.exe

C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe

C:\Program Files\Updates from HP\9972322\Program\Updates from HP.exe

C:\Program Files\DISC\DiscStreamHub.exe

C:\WINDOWS\System32\svchost.exe

c:\windows\system\hpsysdrv.exe

C:\Program Files\Java\jre1.5.0_05\bin\jusched.exe

C:\Program Files\Java\jre1.5.0_05\bin\jucheck.exe

C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://*.trymedia.com (HKLM)

O16 - DPF: {0CCA191D-13A6-4E29-B746-314DEE697D83} (Facebook Photo Uploader 5) - http://upload.facebook.com/controls/Facebo...toUploader5.cab

O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204

O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (Installation Support) - C:\Program Files\Yahoo!\Common\Yinsthelper.dll

O16 - DPF: {44990301-3C9D-426D-81DF-AAB636FA4345} - https://www-secure.symantec.com/techsupp/as...abs/tgctlsr.cab

O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://gfx2.hotmail.com/mail/w3/pr01/resources/MSNPUpld.cab

O16 - DPF: {6A344D34-5231-452A-8A57-D064AC9B7862} (Symantec Download Manager) - https://webdl.symantec.com/activex/symdlmgr.cab

O18 - Filter hijack: text/html - {022847ef-de4b-4a2d-8733-e88a0e9bde72} - C:\WINDOWS\system32\mst122.dll

O20 - AppInit_DLLs: yicelf.dll sxfssl.dll c:\windows\system32\likehiko.dll C:\WINDOWS\system32\pulasiya.dll c:\windows\system32\nelesoye.dll c:\windows\system32\yowokifo.dll

O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll

O20 - Winlogon Notify: byXRkkhE - byXRkkhE.dll (file missing)

O20 - Winlogon Notify: ddcCTnlM - ddcCTnlM.dll (file missing)

O20 - Winlogon Notify: tuvTnMFy - tuvTnMFy.dll (file missing)

O23 - Service: Adobe Active File Monitor V6 (AdobeActiveFileMonitor6.0) - Unknown owner - C:\Program Files\Adobe\Photoshop Elements 6.0\PhotoshopElementsFileAgent.exe (file missing)

O23 - Service: Automatic LiveUpdate Scheduler - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\AluSchedulerSvc.exe

O23 - Service: ##Id_String1.6844F930_1628_4223_B5CC_5BB94B879762## (Bonjour Service) - Apple Computer, Inc. - C:\Program Files\Bonjour\mDNSResponder.exe

O23 - Service: Intel


Hi :)

I apologise for the delay; if you recall this portion from my initial post:

Extra note: Please be aware as I am still in training all of my fixes/posts require prior checking by a Expert. So some delays may be inevitable, please be patient and I will reply again asap.

This is the case even more so at this time of year. Rest assured I will post back with a course of action; in the meantime, thank you for your patience, as I realize how frustrating this may be.


Hi :P

hope that helps, please let me know if I did everything right, thank you so much!

You're welcome and yes you provided the logs I requested correctly.

Thank you very much, I appreciate you helping me, sorry I seem impatient..thank you again..

Not a problem I assure you.

At present you have the real-time protection feature of three security-related applications active. This is not safe, as a system conflict may occur, and it actually lessens online protection. If you have multiple security applications installed, it is advisable to use only the active monitoring resource of one anti-spyware application and keep the others as on-demand scanners only.

Namely:

SpybotSD TeaTimer

SUPERAntiSpyware

Windows Defender

We will be disabling all three shortly so they do not interfere with the malware removal process and at some point fully disable two of them from becoming active with every system reboot.

CAUTION: SUPERAntiSpyware comes with a program called Bootsafe. Do not use this program for any reason; if used on an infected computer it could render it UNBOOTABLE.

Very Important!:

You appear to have no Anti-Virus software installed and running. This is a very unsafe practice when accessing the internet and most likely the cause of your malware problems. Download just one only of the two free anti-virus programs listed below please:

Install >> Update >> Carry out a complete scan. Have it fix anything it finds.

Next:

You appear to have the remnants of a Symantec (Norton) application installed. Also, you have an older installation of Java; this is actually a security risk and can be used as a method for malware to re-infect a system. We will, however, install an up-to-date version at a later date.

Now please carry out the following:

Go to Start >> Control Panel >> Add/Remove Programs and remove the following (if present):

LiveUpdate (Symantec Corporation)

J2SE Runtime Environment 5.0 Update 5

Next:

Disable Spybot's TeaTimer:

This is a two step process.

First step:

  • Right-click the Spybot Icon in the System Tray (looks like a blue/white calendar with a padlock symbol)
  • If you have the older version 1.4, Click on Exit Spybot S&D Resident
  • If you have the new version 1.6, click once on Resident Protection, then right-click the Spybot icon again and make sure Resident Protection is now unchecked. The Spybot icon in the System Tray should now be colorless.

Second step, For Either Version:

  • Open Spybot S&D
  • Click Mode, choose Advanced Mode
  • Go To the bottom of the Vertical Panel on the Left, Click Tools
  • then, also in left panel, click Resident (shows a red/white shield).
  • If your firewall raises a question, say OK
  • In the Resident protection status frame, Uncheck the box labeled Resident "Tea-Timer"(Protection of over-all system settings) active
  • OK any prompts.
  • Use File, Exit to terminate Spybot
  • Reboot your machine for the changes to take effect.

Disable SUPERAntiSpyware:

  • Right-click on the shortcut from the system tray
  • Choose View Control Center (preferences/options)
  • On the General and Startup tab, uncheck Start SUPERAntispyware when Windows starts.
  • Click Close to exit.

Disable Windows Defender:

  • Go to Start > All Programs > Windows Defender.
  • Click on Tools at the top.
  • Under Settings, click on Options.
  • Under Automatic scanning, uncheck (untick) Automatically scan my computer (recommended) box.
  • Under Real-time protection options, uncheck (untick) Use real-time protection (recommended) box.
  • Click on the Save button at the bottom right hand corner.

Next:

I would like to see the last Malwarebytes' Anti-Malware log created (If available):

  • Launch Malwarebytes' Anti-Malware
  • Click on the Logs radio tab
  • It should be named: mbam-log 2008 MM DD (time).txt

Next:

We need to carry out a more in-depth investigation of your system, as follows:

  • Please download Random's System Information Tool by random/random from here and save it to your desktop.

Make sure that RSIT.exe is on your Desktop before running the application!

  • Double click on RSIT.exe to run RSIT.
  • Click Continue at the disclaimer screen.
  • Once it has finished, two logs will open:
    • log.txt will be opened maximized.
    • info.txt will be opened minimized.

  • Please post the contents of both log.txt and info.txt.

Note: As a precaution I advise you keep your online activities to a bare minimum. I can appreciate how frustrating this may be, but rest assured I will work diligently upon your problem.

When you have completed the above, please post back the following:

  • Malwarebytes' Anti-Malware Log.
  • Both RSIT logs.

Thank you again so much, here is the log txt and the info txt

LOG

Logfile of random's system information tool 1.05 (written by random/random)

Run by HP_Administrator at 2008-12-25 05:32:18

Microsoft Windows XP Professional Service Pack 3

System drive C: has 188 GB (82%) free of 229 GB

Total RAM: 1014 MB (40% free)

Logfile of Trend Micro HijackThis v2.0.2

Scan saved at 5:33:03 AM, on 12/25/2008

Platform: Windows XP SP3 (WinNT 5.01.2600)

MSIE: Internet Explorer v7.00 (7.00.6000.16735)

Boot mode: Normal

Running processes:

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\system32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\system32\svchost.exe

C:\Program Files\Windows Defender\MsMpEng.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\system32\spoolsv.exe

C:\Program Files\Avira\AntiVir PersonalEdition Classic\sched.exe

C:\Program Files\Avira\AntiVir PersonalEdition Classic\avguard.exe

C:\Program Files\Bonjour\mDNSResponder.exe

C:\WINDOWS\eHome\ehRecvr.exe

C:\WINDOWS\eHome\ehSched.exe

C:\Program Files\Intel\Intel Matrix Storage Manager\iaantmon.exe

C:\Program Files\Common Files\LightScribe\LSSrvc.exe

C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE

C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\HPZIPM12.EXE

C:\Program Files\Intel\IntelDH\Intel® Quick Resume Technology\ELService.exe

C:\WINDOWS\Explorer.EXE

C:\WINDOWS\ehome\ehtray.exe

C:\WINDOWS\RTHDCPL.EXE

C:\WINDOWS\system32\hkcmd.exe

C:\WINDOWS\system32\igfxpers.exe

C:\Program Files\Intel\Intel Matrix Storage Manager\iaanotif.exe

C:\Program Files\DISC\DISCover.exe

C:\Program Files\DISC\DiscUpdMgr.exe

C:\Program Files\HP DigitalMedia Archive\DMAScheduler.exe

C:\Program Files\Hewlett-Packard\HP Boot Optimizer\HPBootOp.exe

C:\Program Files\HP\HP Software Update\HPwuSchd2.exe

C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb09.exe

C:\HP\KBD\KBD.EXE

C:\Program Files\QuickTime\qttask.exe

C:\Program Files\Windows Defender\MSASCui.exe

C:\Program Files\Avira\AntiVir PersonalEdition Classic\avgnt.exe

C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe

C:\WINDOWS\eHome\ehmsas.exe

C:\WINDOWS\system32\ctfmon.exe

C:\Program Files\Windows Live\Messenger\msnmsgr.exe

C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe

C:\Program Files\Updates from HP\9972322\Program\Updates from HP.exe

C:\WINDOWS\System32\svchost.exe

C:\Program Files\DISC\DiscStreamHub.exe

C:\PROGRA~1\Yahoo!\MESSEN~1\ymsgr_tray.exe

C:\Program Files\Avira\AntiVir PersonalEdition Classic\avscan.exe

C:\Program Files\Malwarebytes' Anti-Malware\mbam.exe

C:\Program Files\Mozilla Firefox\firefox.exe

C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe

C:\Documents and Settings\HP_Administrator\Desktop\RSIT.exe

C:\Program Files\Trend Micro\HijackThis\HP_Administrator.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://*.trymedia.com (HKLM)

O16 - DPF: {0CCA191D-13A6-4E29-B746-314DEE697D83} (Facebook Photo Uploader 5) - http://upload.facebook.com/controls/Facebo...toUploader5.cab

O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204

O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (Installation Support) - C:\Program Files\Yahoo!\Common\Yinsthelper.dll

O16 - DPF: {44990301-3C9D-426D-81DF-AAB636FA4345} - https://www-secure.symantec.com/techsupp/as...abs/tgctlsr.cab

O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://gfx2.hotmail.com/mail/w3/pr01/resources/MSNPUpld.cab

O16 - DPF: {6A344D34-5231-452A-8A57-D064AC9B7862} (Symantec Download Manager) - https://webdl.symantec.com/activex/symdlmgr.cab

O18 - Filter hijack: text/html - {022847ef-de4b-4a2d-8733-e88a0e9bde72} - C:\WINDOWS\system32\mst122.dll

O20 - AppInit_DLLs: yicelf.dll sxfssl.dll c:\windows\system32\likehiko.dll c:\windows\system32\nelesoye.dll c:\windows\system32\yowokifo.dll C:\WINDOWS\system32\fivajubu.dll c:\windows\system32\bizikife.dll

O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll

O20 - Winlogon Notify: byXRkkhE - byXRkkhE.dll (file missing)

O20 - Winlogon Notify: ddcCTnlM - ddcCTnlM.dll (file missing)

O20 - Winlogon Notify: tuvTnMFy - tuvTnMFy.dll (file missing)

O21 - SSODL: SSODL - {EC43E3FD-5C60-46a6-97D7-E0B85DBDD6C4} - c:\windows\system32\bizikife.dll

O22 - SharedTaskScheduler: STS - {EC43E3FD-5C60-46a6-97D7-E0B85DBDD6C4} - c:\windows\system32\bizikife.dll

O23 - Service: Adobe Active File Monitor V6 (AdobeActiveFileMonitor6.0) - Unknown owner - C:\Program Files\Adobe\Photoshop Elements 6.0\PhotoshopElementsFileAgent.exe (file missing)

O23 - Service: Avira AntiVir Personal - Free Antivirus Scheduler (AntiVirScheduler) - Avira GmbH - C:\Program Files\Avira\AntiVir PersonalEdition Classic\sched.exe

O23 - Service: Avira AntiVir Personal - Free Antivirus Guard (AntiVirService) - Avira GmbH - C:\Program Files\Avira\AntiVir PersonalEdition Classic\avguard.exe

O23 - Service: ##Id_String1.6844F930_1628_4223_B5CC_5BB94B879762## (Bonjour Service) - Apple Computer, Inc. - C:\Program Files\Bonjour\mDNSResponder.exe

O23 - Service: Intel


Here is the malwarebytes log

Malwarebytes' Anti-Malware 1.31

Database version: 1528

Windows 5.1.2600 Service Pack 3

12/25/2008 6:21:50 AM

mbam-log-2008-12-25 (06-21-50).txt

Scan type: Quick Scan

Objects scanned: 65558

Time elapsed: 48 minute(s), 6 second(s)

Memory Processes Infected: 0

Memory Modules Infected: 3

Registry Keys Infected: 7

Registry Values Infected: 4

Registry Data Items Infected: 5

Folders Infected: 0

Files Infected: 9

Memory Processes Infected:

(No malicious items detected)

Memory Modules Infected:

C:\WINDOWS\system32\fivajubu.dll (Trojan.Vundo.H) -> Delete on reboot.

C:\WINDOWS\system32\pugohawu.dll (Trojan.Vundo.H) -> Delete on reboot.

c:\WINDOWS\system32\bizikife.dll (Trojan.Vundo.H) -> Delete on reboot.

Registry Keys Infected:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{ede5855b-b002-482b-b24b-5f661b2830db} (Trojan.Vundo.H) -> Quarantined and deleted successfully.

HKEY_CLASSES_ROOT\CLSID\{ede5855b-b002-482b-b24b-5f661b2830db} (Trojan.Vundo.H) -> Quarantined and deleted successfully.

HKEY_CLASSES_ROOT\CLSID\{ec43e3fd-5c60-46a6-97d7-e0b85dbdd6c4} (Trojan.Vundo.H) -> Delete on reboot.

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{ede5855b-b002-482b-b24b-5f661b2830db} (Trojan.Vundo.H) -> Quarantined and deleted successfully.

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\contim (Trojan.Vundo) -> Quarantined and deleted successfully.

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\dslcnnct (Trojan.Vundo) -> Quarantined and deleted successfully.

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\rdfa (Trojan.Vundo) -> Quarantined and deleted successfully.

Registry Values Infected:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\dofahayozo (Trojan.Vundo.H) -> Quarantined and deleted successfully.

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\cpm7124b594 (Trojan.Vundo.H) -> Delete on reboot.

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SharedTaskScheduler\{ec43e3fd-5c60-46a6-97d7-e0b85dbdd6c4} (Trojan.Vundo.H) -> Delete on reboot.

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\ssodl (Trojan.Vundo.H) -> Delete on reboot.

Registry Data Items Infected:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\AppInit_DLLs (Trojan.Vundo.H) -> Data: c:\windows\system32\fivajubu.dll -> Quarantined and deleted successfully.

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\LSA\Notification Packages (Trojan.Vundo.H) -> Data: c:\windows\system32\fivajubu.dll -> Quarantined and deleted successfully.

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\AppInit_DLLs (Trojan.Vundo.H) -> Data: system32\fivajubu.dll -> Quarantined and deleted successfully.

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\AppInit_DLLs (Trojan.Vundo.H) -> Data: c:\windows\system32\bizikife.dll -> Delete on reboot.

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\AppInit_DLLs (Trojan.Vundo.H) -> Data: system32\bizikife.dll -> Delete on reboot.

Folders Infected:

(No malicious items detected)

Files Infected:

C:\WINDOWS\system32\pidagimu.dll (Trojan.Vundo.H) -> Quarantined and deleted successfully.

C:\WINDOWS\system32\umigadip.ini (Trojan.Vundo.H) -> Quarantined and deleted successfully.

C:\WINDOWS\system32\welolazu.dll (Trojan.Vundo.H) -> Quarantined and deleted successfully.

C:\WINDOWS\system32\uzalolew.ini (Trojan.Vundo.H) -> Quarantined and deleted successfully.

C:\WINDOWS\system32\pugohawu.dll (Trojan.Vundo.H) -> Delete on reboot.

c:\WINDOWS\system32\bizikife.dll (Trojan.Vundo.H) -> Delete on reboot.

C:\WINDOWS\system32\vetaweyo.dll (Trojan.Vundo.H) -> Delete on reboot.

C:\WINDOWS\system32\fivajubu.dll (Trojan.Vundo.H) -> Delete on reboot.

C:\WINDOWS\system32\fitozeba.dll (Trojan.Vundo.H) -> Quarantined and deleted successfully.

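The HijackThis/RSIT logs and the Malwarebytes log above show the same handful of DLLs registered in several auto-start locations (AppInit_DLLs, Winlogon Notify, SSODL, SharedTaskScheduler and the text/html protocol filter), and Malwarebytes marking some of them "Delete on reboot". The Python script below is an added example, not code from this thread, from Malwarebytes or from Trend Micro: it parses a few constructed sample lines copied from those logs, cross-references the DLL names HijackThis reports in those persistence locations against what Malwarebytes detected, flags Winlogon Notify entries whose DLL is missing and CLSIDs that appear in more than one location, and lists detections still waiting on a reboot. The section labels in PERSISTENCE_SECTIONS and the report layout are the example's own; anything not matched against the Malwarebytes log is left for the helper to review, not declared malicious.

```python
import ntpath
import re

# Constructed sample input: a handful of lines copied from the HijackThis (RSIT)
# and Malwarebytes logs posted in this thread.
HJT_SAMPLE = r"""
O18 - Filter hijack: text/html - {022847ef-de4b-4a2d-8733-e88a0e9bde72} - C:\WINDOWS\system32\mst122.dll
O20 - AppInit_DLLs: yicelf.dll sxfssl.dll c:\windows\system32\likehiko.dll c:\windows\system32\nelesoye.dll c:\windows\system32\yowokifo.dll C:\WINDOWS\system32\fivajubu.dll c:\windows\system32\bizikife.dll
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O20 - Winlogon Notify: byXRkkhE - byXRkkhE.dll (file missing)
O20 - Winlogon Notify: ddcCTnlM - ddcCTnlM.dll (file missing)
O21 - SSODL: SSODL - {EC43E3FD-5C60-46a6-97D7-E0B85DBDD6C4} - c:\windows\system32\bizikife.dll
O22 - SharedTaskScheduler: STS - {EC43E3FD-5C60-46a6-97D7-E0B85DBDD6C4} - c:\windows\system32\bizikife.dll
"""

MBAM_SAMPLE = r"""
C:\WINDOWS\system32\fivajubu.dll (Trojan.Vundo.H) -> Delete on reboot.
c:\WINDOWS\system32\bizikife.dll (Trojan.Vundo.H) -> Delete on reboot.
HKEY_CLASSES_ROOT\CLSID\{ec43e3fd-5c60-46a6-97d7-e0b85dbdd6c4} (Trojan.Vundo.H) -> Delete on reboot.
C:\WINDOWS\system32\pidagimu.dll (Trojan.Vundo.H) -> Quarantined and deleted successfully.
"""

# HijackThis sections that describe code loaded automatically at logon/boot
# (the labels are this example's own shorthand, not HijackThis wording).
PERSISTENCE_SECTIONS = {
    "O18": "protocol filter",
    "O20": "AppInit_DLLs / Winlogon Notify",
    "O21": "ShellServiceObjectDelayLoad",
    "O22": "SharedTaskScheduler",
}

LINE_RE = re.compile(r"^(O\d+) - (.+)$")
CLSID_RE = re.compile(r"\{[0-9A-Fa-f-]{36}\}")
DLL_RE = re.compile(r"\S+\.dll", re.IGNORECASE)
MBAM_RE = re.compile(r"^(?P<item>.+?) \((?P<family>[^()]+)\) -> (?P<action>.+)$")


def parse_hjt(text):
    """Return one dict per persistence-related HijackThis line."""
    entries = []
    for raw in text.splitlines():
        m = LINE_RE.match(raw.strip())
        if not m or m.group(1) not in PERSISTENCE_SECTIONS:
            continue
        section, body = m.groups()
        clsid = CLSID_RE.search(body)
        if body.startswith("AppInit_DLLs:"):
            kind = "AppInit_DLLs"
            # AppInit_DLLs is a space-separated list; entries may be bare names or full paths
            dlls = [ntpath.basename(p) for p in body.split(":", 1)[1].split()]
        else:
            kind = body.split(":", 1)[0]
            dlls = [ntpath.basename(p) for p in DLL_RE.findall(body)]
        entries.append({
            "section": section,
            "kind": kind,
            "clsid": clsid.group(0).lower() if clsid else None,
            "dlls": [d.lower() for d in dlls],
            "missing": "(file missing)" in body,
        })
    return entries


def parse_mbam(text):
    """Map the basename of each Malwarebytes detection to its family and action."""
    hits = {}
    for raw in text.splitlines():
        m = MBAM_RE.match(raw.strip())
        if m:
            name = ntpath.basename(m.group("item")).lower()
            hits[name] = {"family": m.group("family"), "action": m.group("action")}
    return hits


def dedupe(seq):
    return list(dict.fromkeys(seq))


def triage(hjt_text, mbam_text):
    """Cross-reference HijackThis persistence entries with Malwarebytes detections."""
    entries = parse_hjt(hjt_text)
    hits = parse_mbam(mbam_text)
    report = {"appinit": [], "missing_notify": [], "shared_clsid": [],
              "confirmed": [], "unmatched": [], "pending_reboot": []}
    by_clsid = {}
    for e in entries:
        if e["kind"] == "AppInit_DLLs":
            report["appinit"] = e["dlls"]
        if e["kind"] == "Winlogon Notify" and e["missing"]:
            # Notify package whose DLL is gone: a dead entry left behind after cleanup
            report["missing_notify"].extend(e["dlls"])
        if e["clsid"]:
            by_clsid.setdefault(e["clsid"], set()).add(e["section"])
        for d in e["dlls"]:
            if d in hits:
                report["confirmed"].append((d, hits[d]["family"]))
            else:
                report["unmatched"].append(d)
    # one CLSID registered in two auto-start locations (here SSODL and SharedTaskScheduler)
    report["shared_clsid"] = [c for c, secs in by_clsid.items() if len(secs) > 1]
    # detections the scanner could not remove while the DLL was loaded
    report["pending_reboot"] = [n for n, h in hits.items() if h["action"].startswith("Delete on reboot")]
    report["confirmed"] = dedupe(report["confirmed"])
    report["unmatched"] = dedupe(report["unmatched"])
    return report


if __name__ == "__main__":
    for key, value in triage(HJT_SAMPLE, MBAM_SAMPLE).items():
        print(f"{key}: {value}")
```

The "unmatched" list deliberately contains legitimate entries too (the SUPERAntiSpyware Winlogon DLL lands there), which is why a helper reads a HijackThis log by hand rather than fixing everything it lists; the value of the script is in showing which auto-start entries point at the DLLs the scanner already named, and which deletions only complete after the reboot the helper asks for.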

Hi :P

It appears you actually ran a Malwarebytes' Anti-Malware scan rather than just providing a copy of a previous log as I requested. If there was no log available you should just have informed me, as running any scans I have not asked for may hinder the malware removal process.

Please refrain from doing so in the future, thank you.

Now your computer requires a reboot (restart) for Malwarebytes' Anti-Malware to continue the disinfection process.

Please do this before proceeding with the below instructions, as this is vital.

Backup the Registry:

Modifying the Registry can create unforeseen problems, so it is always wise to create a backup before doing so.

  • Please go here and download ERUNT.
  • ERUNT (Emergency Recovery Utility NT) is a free program that allows you to keep a complete backup of your registry and restore it when needed.
  • Install ERUNT by following the prompts.
  • Use the default install settings but say no to the portion that asks you to add ERUNT to the Start-Up folder. You can enable this option later if you wish.
  • Start ERUNT either by double clicking on the desktop icon or choosing to start the program at the end of the setup process.
  • Choose a location for the backup. Note: the default location is C:\WINDOWS\ERDNT which is acceptable.
  • Make sure that at least the first two check boxes are selected.
  • Click on OK
  • Then click on YES to create the folder.

Next:

Please download OTMoveIT3 to your Desktop.

  • Double-click OTMoveIt3.exe to start the program.
  • Copy the lines from the codebox to the clipboard by highlighting ALL of them and pressing CTRL + B (or, after highlighting, right-click and choose Copy):
:processes
explorer.exe
:Files
C:\WINDOWS\wt
C:\WINDOWS\WRSetup.dll
C:\WINDOWS\7E819CE52C414C8DBAF0B49CC65C5562.TMP
C:\WINDOWS\tasks\okhgffkj.job
C:\WINDOWS\tasks\MP Scheduled Scan.job
C:\WINDOWS\system32\79344276-.txt
C:\WINDOWS\system32\anevenoy.ini
C:\WINDOWS\system32\aqyafddw.exe
C:\WINDOWS\system32\byxYOeCS
C:\WINDOWS\system32\ccJQYcfe.ini
C:\WINDOWS\system32\ihnnaqbk.exe
C:\WINDOWS\system32\kdjnrpcb.exe
C:\WINDOWS\system32\mst122.dll
C:\WINDOWS\system32\rstBLkkj.ini
C:\WINDOWS\system32\SCeOYxyb.ini
C:\WINDOWS\system32\varigisu.dll
C:\windows\system32\yowokifo.dll
C:\WINDOWS\system32\umigadip.ini
C:\WINDOWS\system32\uzalolew.ini
C:\WINDOWS\system32\varigisu.dll
C:\Program Files\Webroot
C:\Documents and Settings\HP_Administrator\Application Data\Webroot
C:\Documents and Settings\All Users\Application Data\Webroot
C:\Documents and Settings\All Users\Application Data\N360BUOptions.ini
C:\Program Files\Common Files\Symantec Shared
C:\Documents and Settings\All Users\Application Data\Symantec
:Reg
[-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{5AC16A77-C331-4EAB-99F9-59826FA25808}]
[-HKEY_CLASSES_ROOT\CLSID\{5AC16A77-C331-4EAB-99F9-59826FA25808}]
[-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{6126A4CD-D699-48F5-9AC9-C2AA4A750BE3}]
[-HKEY_CLASSES_ROOT\CLSID\{6126A4CD-D699-48F5-9AC9-C2AA4A750BE3}]
[-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{D85FDFB3-75A9-43F3-928A-28E26B766DC7}]
[-HKEY_CLASSES_ROOT\CLSID\{D85FDFB3-75A9-43F3-928A-28E26B766DC7}]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"UserFaultCheck"=-
"Windows Defender"=-
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SUPERAntiSpyware"=-
[-HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\http://*.trymedia.com (HKLM)]
[-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Code Store Database\Distribution Units\{44990301-3C9D-426D-81DF-AAB636FA4345}]
[-HKEY_CLASSES_ROOT\CLSID\{44990301-3C9D-426D-81DF-AAB636FA4345}]
[-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Code Store Database\Distribution Units\{6A344D34-5231-452A-8A57-D064AC9B7862}]
[-HKEY_CLASSES_ROOT\CLSID\{6A344D34-5231-452A-8A57-D064AC9B7862}]
[-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\byXRkkhE]
[-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\ddcCTnlM]
[-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\tuvTnMFy]
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\PROTOCOLS\Filter]
"{022847ef-de4b-4a2d-8733-e88a0e9bde72}"=-
[-HKEY_CLASSES_ROOT\CLSID\{022847ef-de4b-4a2d-8733-e88a0e9bde72}]
[-HKEY_CLASSES_ROOT\CLSID\{EC43E3FD-5C60-46a6-97D7-E0B85DBDD6C4}]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SharedTaskScheduler]
"{EC43E3FD-5C60-46a6-97D7-E0B85DBDD6C4}"=-
[HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa]
"Authentication Packages"=hex(7):6d,73,76,31,5f,30,00,00
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders]
"SecurityProviders"="msapsspc.dll, schannel.dll, digest.dll, msnsspc.dll"
:Commands
[EmptyTemp]
[start Explorer]
[Reboot]
  • Return to OTMoveIt3, right-click in the "Paste instructions for items to be moved" window (under the yellow bar) and choose Paste
  • Then click the red MoveIt! button.
  • Copy everything in the Results window (under the green bar) to the clipboard by highlighting ALL of it and pressing CTRL + C (or, after highlighting, right-click and choose Copy), and paste it into your next response.
  • If OTMoveIt asks to reboot your computer, allow it to do so. The report should appear in Notepad after the reboot.
  • Close OTMoveIt3.

Next:

Please make sure that RSIT.exe is still on the Desktop (if not, inform me straight away please).

  • Double click once on RSIT.exe
  • RSIT will start running, at the disclaimer click on Continue.
  • When done, 1 log will be produced.
  • Post that in your next reply.

When completed the above, please post back the following:

  • How is your computer performing now, any other problems?
  • OTMoveIT3 Log.
  • A new RSIT Log.
Link to post
Share on other sites

Hi :P

It appears you actually ran a Malwarebytes' Anti-Malware scan rather than just providing a copy of the previous log I requested. If there was no log available you should just have informed me, as running any scans I have not asked for may hinder the malware removal process.

Please refrain from doing so in the future, thank you.

Now your computer requires a reboot (restart) for Malwarebytes' Anti-Malware to continue the disinfection process.

Please do this before proceeding with the below instructions, as this is vital.

Backup the Registry:

Modifying the Registry can create unforeseen problems, so it is always wise to create a backup before doing so.

  • Please go

    http://*.trymedia.com (HKLM)\\ not found.

    Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Code Store Database\Distribution Units\{44990301-3C9D-426D-81DF-AAB636FA4345}\\ not found.

    Registry key HKEY_CLASSES_ROOT\CLSID\{44990301-3C9D-426D-81DF-AAB636FA4345}\\ not found.

    Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Code Store Database\Distribution Units\{6A344D34-5231-452A-8A57-D064AC9B7862}\\ not found.

    Registry key HKEY_CLASSES_ROOT\CLSID\{6A344D34-5231-452A-8A57-D064AC9B7862}\\ not found.

    Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\byXRkkhE\\ not found.

    Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\ddcCTnlM\\ not found.

    Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\tuvTnMFy\\ not found.

    Registry value HKEY_LOCAL_MACHINE\SOFTWARE\Classes\PROTOCOLS\Filter\\{022847ef-de4b-4a2d-8733-e88a0e9bde72} not found.

    Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{022847ef-de4b-4a2d-8733-e88a0e9bde72}\ not found.

    Registry key HKEY_CLASSES_ROOT\CLSID\{022847ef-de4b-4a2d-8733-e88a0e9bde72}\\ not found.

    Registry key HKEY_CLASSES_ROOT\CLSID\{EC43E3FD-5C60-46a6-97D7-E0B85DBDD6C4}\\ not found.

    Registry value HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SharedTaskScheduler\\{EC43E3FD-5C60-46a6-97D7-E0B85DBDD6C4} not found.

    Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{EC43E3FD-5C60-46a6-97D7-E0B85DBDD6C4}\ not found.

    HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa\\"Authentication Packages"|hex(7):6d,73,76,31,5f,30,00,00 /E : value set successfully!

    HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\\"SecurityProviders"|"msapsspc.dll, schannel.dll, digest.dll, msnsspc.dll" /E : value set successfully!

    ========== COMMANDS ==========

    File delete failed. C:\DOCUME~1\HP_ADM~1\LOCALS~1\Temp\etilqs_YtjvPPR74i20qdn2tqXH scheduled to be deleted on reboot.

    File delete failed. C:\DOCUME~1\HP_ADM~1\LOCALS~1\Temp\hpodvd09.log scheduled to be deleted on reboot.

    File delete failed. C:\DOCUME~1\HP_ADM~1\LOCALS~1\Temp\IadHide5.dll scheduled to be deleted on reboot.

    File delete failed. C:\DOCUME~1\HP_ADM~1\LOCALS~1\Temp\_hphtra07.log scheduled to be deleted on reboot.

    File delete failed. C:\DOCUME~1\HP_ADM~1\LOCALS~1\Temp\~DF82D3.tmp scheduled to be deleted on reboot.

    User's Temp folder emptied.

    User's Temporary Internet Files folder emptied.

    User's Internet Explorer cache folder emptied.

    Local Service Temp folder emptied.

    File delete failed. C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\index.dat scheduled to be deleted on reboot.

    Local Service Temporary Internet Files folder emptied.

    Windows Temp folder emptied.

    Java cache emptied.

    File delete failed. C:\Documents and Settings\HP_Administrator\Local Settings\Application Data\Mozilla\Firefox\Profiles\8kuev9ec.default\Cache\_CACHE_001_ scheduled to be deleted on reboot.

    File delete failed. C:\Documents and Settings\HP_Administrator\Local Settings\Application Data\Mozilla\Firefox\Profiles\8kuev9ec.default\Cache\_CACHE_002_ scheduled to be deleted on reboot.

    File delete failed. C:\Documents and Settings\HP_Administrator\Local Settings\Application Data\Mozilla\Firefox\Profiles\8kuev9ec.default\Cache\_CACHE_003_ scheduled to be deleted on reboot.

    File delete failed. C:\Documents and Settings\HP_Administrator\Local Settings\Application Data\Mozilla\Firefox\Profiles\8kuev9ec.default\Cache\_CACHE_MAP_ scheduled to be deleted on reboot.

    File delete failed. C:\Documents and Settings\HP_Administrator\Local Settings\Application Data\Mozilla\Firefox\Profiles\8kuev9ec.default\urlclassifier3.sqlite scheduled to be deleted on reboot.

    File delete failed. C:\Documents and Settings\HP_Administrator\Local Settings\Application Data\Mozilla\Firefox\Profiles\8kuev9ec.default\XUL.mfl scheduled to be deleted on reboot.

    FireFox cache emptied.

    Temp folders emptied.

    Explorer started successfully

    OTMoveIt3 by OldTimer - Version 1.0.7.2 log created on 12262008_152225

    Files moved on Reboot...

    File C:\DOCUME~1\HP_ADM~1\LOCALS~1\Temp\etilqs_YtjvPPR74i20qdn2tqXH not found!

    C:\DOCUME~1\HP_ADM~1\LOCALS~1\Temp\hpodvd09.log moved successfully.

    DllUnregisterServer procedure not found in C:\DOCUME~1\HP_ADM~1\LOCALS~1\Temp\IadHide5.dll

    C:\DOCUME~1\HP_ADM~1\LOCALS~1\Temp\IadHide5.dll NOT unregistered.

    C:\DOCUME~1\HP_ADM~1\LOCALS~1\Temp\IadHide5.dll moved successfully.

    C:\DOCUME~1\HP_ADM~1\LOCALS~1\Temp\_hphtra07.log moved successfully.

    C:\DOCUME~1\HP_ADM~1\LOCALS~1\Temp\~DF82D3.tmp moved successfully.

    File move failed. C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\index.dat scheduled to be moved on reboot.

    C:\Documents and Settings\HP_Administrator\Local Settings\Application Data\Mozilla\Firefox\Profiles\8kuev9ec.default\Cache\_CACHE_001_ moved successfully.

    C:\Documents and Settings\HP_Administrator\Local Settings\Application Data\Mozilla\Firefox\Profiles\8kuev9ec.default\Cache\_CACHE_002_ moved successfully.

    C:\Documents and Settings\HP_Administrator\Local Settings\Application Data\Mozilla\Firefox\Profiles\8kuev9ec.default\Cache\_CACHE_003_ moved successfully.

    C:\Documents and Settings\HP_Administrator\Local Settings\Application Data\Mozilla\Firefox\Profiles\8kuev9ec.default\Cache\_CACHE_MAP_ moved successfully.

    C:\Documents and Settings\HP_Administrator\Local Settings\Application Data\Mozilla\Firefox\Profiles\8kuev9ec.default\urlclassifier3.sqlite moved successfully.

    C:\Documents and Settings\HP_Administrator\Local Settings\Application Data\Mozilla\Firefox\Profiles\8kuev9ec.default\XUL.mfl moved successfully.

    I will now run the RSIT and post the log.

Link to post
Share on other sites

Here is the RSIT log, thank you so much for helping me, the computer feels much faster but I am still scared as to whether the trojans are completely gone..

Logfile of random's system information tool 1.05 (written by random/random)

Run by HP_Administrator at 2008-12-26 15:43:14

Microsoft Windows XP Professional Service Pack 3

System drive C: has 188 GB (82%) free of 229 GB

Total RAM: 1014 MB (49% free)

Logfile of Trend Micro HijackThis v2.0.2

Scan saved at 3:43:39 PM, on 12/26/2008

Platform: Windows XP SP3 (WinNT 5.01.2600)

MSIE: Internet Explorer v7.00 (7.00.6000.16735)

Boot mode: Normal

Running processes:

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\system32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\system32\svchost.exe

C:\Program Files\Windows Defender\MsMpEng.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\system32\spoolsv.exe

C:\Program Files\Avira\AntiVir PersonalEdition Classic\sched.exe

C:\WINDOWS\Explorer.EXE

C:\Program Files\Avira\AntiVir PersonalEdition Classic\avguard.exe

C:\Program Files\Bonjour\mDNSResponder.exe

C:\WINDOWS\eHome\ehRecvr.exe

C:\WINDOWS\eHome\ehSched.exe

C:\Program Files\Intel\Intel Matrix Storage Manager\iaantmon.exe

C:\Program Files\Common Files\LightScribe\LSSrvc.exe

C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE

C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\HPZIPM12.EXE

C:\Program Files\Intel\IntelDH\Intel® Quick Resume Technology\ELService.exe

C:\WINDOWS\ehome\ehtray.exe

C:\WINDOWS\RTHDCPL.EXE

C:\WINDOWS\system32\hkcmd.exe

C:\WINDOWS\system32\igfxpers.exe

C:\Program Files\Intel\Intel Matrix Storage Manager\iaanotif.exe

C:\Program Files\DISC\DISCover.exe

C:\Program Files\DISC\DiscUpdMgr.exe

C:\Program Files\HP DigitalMedia Archive\DMAScheduler.exe

C:\Program Files\HP\HP Software Update\HPwuSchd2.exe

C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb09.exe

C:\HP\KBD\KBD.EXE

C:\Program Files\QuickTime\qttask.exe

C:\Program Files\Avira\AntiVir PersonalEdition Classic\avgnt.exe

C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe

C:\PROGRA~1\Yahoo!\MESSEN~1\YAHOOM~1.EXE

C:\Program Files\MySpace\IM\MySpaceIM.exe

C:\WINDOWS\system32\ctfmon.exe

C:\Program Files\Windows Live\Messenger\msnmsgr.exe

C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe

C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe

C:\Program Files\Updates from HP\9972322\Program\Updates from HP.exe

C:\WINDOWS\eHome\ehmsas.exe

C:\WINDOWS\System32\svchost.exe

C:\Program Files\MySpace\IM\MySpaceIM.exe

C:\Program Files\DISC\DiscStreamHub.exe

c:\windows\system\hpsysdrv.exe

C:\Program Files\Mozilla Firefox\firefox.exe

C:\Documents and Settings\HP_Administrator\Desktop\RSIT.exe

C:\Program Files\Trend Micro\HijackThis\HP_Administrator.exe

C:\WINDOWS\system32\igfxsrvc.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://*.trymedia.com (HKLM)

O16 - DPF: {0CCA191D-13A6-4E29-B746-314DEE697D83} (Facebook Photo Uploader 5) - http://upload.facebook.com/controls/Facebo...toUploader5.cab

O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204

O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (Installation Support) - C:\Program Files\Yahoo!\Common\Yinsthelper.dll

O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://gfx2.hotmail.com/mail/w3/pr01/resources/MSNPUpld.cab

O18 - Filter hijack: text/html - {022847ef-de4b-4a2d-8733-e88a0e9bde72} - (no file)

O20 - AppInit_DLLs: yicelf.dll sxfssl.dll c:\windows\system32\likehiko.dll c:\windows\system32\nelesoye.dll c:\windows\system32\yowokifo.dll

O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll

O23 - Service: Adobe Active File Monitor V6 (AdobeActiveFileMonitor6.0) - Unknown owner - C:\Program Files\Adobe\Photoshop Elements 6.0\PhotoshopElementsFileAgent.exe (file missing)

O23 - Service: Avira AntiVir Personal - Free Antivirus Scheduler (AntiVirScheduler) - Avira GmbH - C:\Program Files\Avira\AntiVir PersonalEdition Classic\sched.exe

O23 - Service: Avira AntiVir Personal - Free Antivirus Guard (AntiVirService) - Avira GmbH - C:\Program Files\Avira\AntiVir PersonalEdition Classic\avguard.exe

O23 - Service: ##Id_String1.6844F930_1628_4223_B5CC_5BB94B879762## (Bonjour Service) - Apple Computer, Inc. - C:\Program Files\Bonjour\mDNSResponder.exe

O23 - Service: Intel

Link to post
Share on other sites
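The RSIT/HijackThis excerpt above shows the same kind of entries the OTMoveIt3 script earlier in the thread was written to remove: five DLLs listed in AppInit_DLLs (three of them with eight-letter names built from alternating consonants and vowels), a text/html MIME filter whose CLSID has no backing file, a Winlogon notification package, and a service whose binary is missing. The following Python script is an added example, not part of this thread and not code from HijackThis or RSIT. It triages those line types; the sample log is constructed from the lines posted above, and the "generated-looking name" heuristic is an assumption derived from the names in this log rather than a published signature.

```python
"""Triage of HijackThis-style log lines for the persistence points seen in this thread.

Added example, not part of the original post nor of HijackThis/RSIT. The name
heuristic below is an assumption based on the DLL names in the log above.
"""
from __future__ import annotations

import re
from dataclasses import dataclass

# Constructed sample: the O16/O18/O20/O23 lines from the RSIT log posted above.
SAMPLE_LOG = """\
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O18 - Filter hijack: text/html - {022847ef-de4b-4a2d-8733-e88a0e9bde72} - (no file)
O20 - AppInit_DLLs: yicelf.dll sxfssl.dll c:\\windows\\system32\\likehiko.dll c:\\windows\\system32\\nelesoye.dll c:\\windows\\system32\\yowokifo.dll
O20 - Winlogon Notify: !SASWinLogon - C:\\Program Files\\SUPERAntiSpyware\\SASWINLO.dll
O23 - Service: Adobe Active File Monitor V6 (AdobeActiveFileMonitor6.0) - Unknown owner - C:\\Program Files\\Adobe\\Photoshop Elements 6.0\\PhotoshopElementsFileAgent.exe (file missing)
"""

VOWELS = set("aeiou")


@dataclass(frozen=True)
class Finding:
    severity: str  # "high", "medium" or "info"
    section: str   # HijackThis section tag, e.g. "O20"
    item: str
    reason: str


def looks_generated(filename: str) -> bool:
    """Heuristic (assumption): the DLL names in this log are 8 or 10 lowercase letters,
    strictly alternating consonant/vowel, starting with a consonant and ending with a
    vowel (likehiko, nelesoye, yowokifo). Few legitimate DLL names fit all of that."""
    stem = filename.rsplit("\\", 1)[-1].lower()
    stem = stem[:-4] if stem.endswith(".dll") else stem
    if len(stem) not in (8, 10) or not stem.isalpha():
        return False
    classes = [c in VOWELS for c in stem]
    if classes[0] or not classes[-1]:
        return False
    return all(a != b for a, b in zip(classes, classes[1:]))


def triage(log_text: str) -> list[Finding]:
    """Walk the log and flag the persistence points the cleanup script above targets."""
    findings: list[Finding] = []
    for line in log_text.splitlines():
        line = line.strip()
        if not re.match(r"^O\d+ - ", line):
            continue
        tag, _, rest = line.partition(" - ")

        if rest.startswith("AppInit_DLLs:"):
            # Every DLL listed here is loaded into each process that loads user32.dll;
            # on a home XP machine the value is normally empty, so any entry is a finding.
            for dll in rest.split(":", 1)[1].split():
                sev = "high" if looks_generated(dll) else "medium"
                findings.append(Finding(sev, tag, dll, "AppInit_DLLs entry"))

        elif rest.startswith("Filter hijack:") and rest.endswith("(no file)"):
            findings.append(Finding("medium", tag, rest, "MIME filter CLSID with no backing file (orphaned hijack)"))

        elif rest.startswith("Winlogon Notify:"):
            findings.append(Finding("info", tag, rest, "Winlogon notification package; verify the vendor"))

        elif rest.startswith("Service:") and rest.endswith("(file missing)"):
            findings.append(Finding("info", tag, rest, "service whose binary is missing (orphaned entry)"))

    return findings


def summarize(findings: list[Finding]) -> dict[str, int]:
    """Counts per severity, for a quick go/no-go on the log."""
    counts = {"high": 0, "medium": 0, "info": 0}
    for f in findings:
        counts[f.severity] += 1
    return counts


if __name__ == "__main__":
    results = triage(SAMPLE_LOG)
    for f in results:
        print(f"[{f.severity:6}] {f.section}: {f.item}  ({f.reason})")
    print(summarize(results))
```

Run against the constructed sample, the script reports three high findings (the alternating-name DLLs), three medium (the two other AppInit_DLLs entries and the orphaned filter) and two informational ones. The heuristic is deliberately narrow so that names such as wininet.dll are not flagged; anything in AppInit_DLLs is still reported regardless of its name.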

Hi :)

I apologise for the delay in replying; I have had some personal matters to attend to.

Why did you run a scan with Avira AntiVir when I did not ask you to do so, and also apparently attempt self fixes?

If you persist in running scans that I have not requested, and attempting self fixes, it will be pointless for me to continue working to clean up your system, as that would be entirely counterproductive and a waste of my time and effort. So, you need to make a decision: either you're going to fix this system on your own, or you can apply fixes under my instruction... one scenario or the other, you decide.

I will explain why:

Regardless of what you may read here in this forum or elsewhere, every computer is different and a specific methodology has to be devised and then implemented for the situation. If it is not adhered to, all it does is give the malware infections a chance to rebuild themselves, with the possibility of even worse infections being installed.

I have trained very hard to get to this stage where I am able to assist people like yourself who have unwittingly had their computer fall prey to malware, and I am actually a qualified IT Technician also, which I utilise in a volunteer capacity similar to my Anti-Malware role here in this forum and the others I assist in.

Saying that, let's get to work and clean your computer, and I reiterate: no more self fixes whatsoever please! Thank you.

Next:

Malwarebytes' does not appear to be functioning correctly, so I propose you uninstall it as follows:

Now please go to Start >> Control Panel >> Add/Remove Programs and remove the following (if present):

Malwarebytes' Anti-Malware

Next:

Download ComboFix from one of these locations:

Link 1

Link 2

Link 3

* IMPORTANT !!! Save ComboFix.exe to your Desktop

  • Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools.
  • How To Temporarily Disable Your Anti-virus, Firewall And Anti-malware Programs can be read here
  • Double click on ComboFix.exe & follow the prompts.
  • As part of its process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.
  • Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.

**Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue its malware removal procedures.

[image: RcAuto1.gif]

Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:

[image: whatnext.png]

Click on Yes, to continue scanning for malware.

When finished, it shall produce a log for you. Please include the C:\ComboFix.txt in your next reply.

Note: Do not forget to re-enable your Anti-Virus application after running the above scan!

Next:

Please download Malwarebytes' Anti-Malware to your desktop.

  • Double-click mbam-setup.exe and follow the prompts to install the program.
  • At the end, be sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.
  • If an update is found, it will download and install the latest version.
  • Once the program has loaded, select Perform full scan, then click Scan.
  • When the scan is complete, click OK, then Show Results to view the results.
  • Be sure that everything is checked, and click Remove Selected.
  • When completed, a log will open in Notepad. Please post that log in your next reply.

The log can also be found here:

  1. Launch Malwarebytes' Anti-Malware
  2. Click on the Logs radio tab.

Note: If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts; click OK to either and let MBAM proceed with the disinfection process. If asked to restart the computer, please do so immediately.

When completed the above, please post back the following:

  • Malwarebytes' Anti-Malware Log.
  • ComboFix Log.
  • A new HijackThis Log.
Link to post
Share on other sites

Hey there, np. I apologize if it seems like I am going ahead and doing stuff without being told to do so; I am trying to keep up with the directions as best as possible. I thought you wanted me to scan the computer when you told me to do this:

(Very Important!:

You appear to have no Anti-Virus software installed and running. This is a very unsafe practice when accessing the internet and most likely the cause of your malware problems. Download just one of the two free anti-virus programs listed below, please:

Install>> Update >> Carry Out a Complete Scan. Have it fix anything it finds.

* AntiVir Free.

* Avast Home Edition.)

I am sorry again if I went ahead without you telling me to do so; I was trying to follow the directions as best as I read them :)

Link to post
Share on other sites

Here is the log from ComboFix. I am currently running the new Malwarebytes and will post as soon as the scan is finished. Thank you so much again for helping me :)

ComboFix 08-12-29.01 - HP_Administrator 2008-12-29 18:03:34.1 - NTFSx86

Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.1014.434 [GMT -8:00]

Running from: c:\documents and settings\HP_Administrator\Desktop\ComboFix.exe

AV: Avira AntiVir PersonalEdition *On-access scanning disabled* (Updated)

* Created a new restore point

.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))

.

c:\documents and settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr0.dat

c:\documents and settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr1.dat

c:\program files\Common\helper.sig

D:\Autorun.inf

----- BITS: Possible infected sites -----

hxxp://childhe.com

.

((((((((((((((((((((((((( Files Created from 2008-11-28 to 2008-12-30 )))))))))))))))))))))))))))))))

.

2008-12-28 10:04 . 2008-04-13 17:12 159,232 --a------ c:\windows\system32\ptpusd.dll

2008-12-28 10:04 . 2008-04-13 11:45 15,104 --a------ c:\windows\system32\drivers\usbscan.sys

2008-12-28 10:04 . 2008-04-13 11:45 15,104 --a------ c:\windows\system32\dllcache\usbscan.sys

2008-12-28 10:04 . 2001-08-17 22:36 5,632 --a------ c:\windows\system32\ptpusb.dll

2008-12-26 15:21 . 2008-12-26 15:21 <DIR> d-------- C:\_OTMoveIt

2008-12-26 15:11 . 2008-12-26 15:11 <DIR> d-------- c:\program files\ERUNT

2008-12-25 05:32 . 2008-12-25 05:33 <DIR> d-------- C:\rsit

2008-12-25 05:19 . 2008-12-25 05:19 <DIR> d-------- c:\program files\Avira

2008-12-25 05:19 . 2008-12-25 05:19 <DIR> d-------- c:\documents and settings\All Users\Application Data\Avira

2008-12-22 13:51 . 2008-12-22 13:51 <DIR> d-------- c:\program files\Trend Micro

2008-12-21 15:07 . 2008-12-21 15:07 <DIR> d-------- c:\program files\Common Files\Wise Installation Wizard

2008-12-20 07:48 . 2008-12-20 07:48 <DIR> d-------- c:\documents and settings\All Users\Application Data\ESET

2008-12-20 07:34 . 2008-12-20 07:39 <DIR> d-------- c:\program files\Spybot - Search & Destroy

2008-12-20 07:34 . 2008-12-26 17:37 <DIR> d-------- c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy

2008-12-19 13:23 . 2008-12-19 13:23 <DIR> d-------- c:\documents and settings\Administrator\Application Data\SUPERAntiSpyware.com

2008-12-19 12:46 . 2008-12-19 12:46 <DIR> d-------- c:\documents and settings\All Users\Application Data\SUPERAntiSpyware.com

2008-12-19 12:40 . 2008-12-21 15:07 <DIR> d-------- c:\program files\SUPERAntiSpyware

2008-12-19 12:40 . 2008-12-21 15:07 <DIR> d-------- c:\documents and settings\HP_Administrator\Application Data\SUPERAntiSpyware.com

2008-12-18 10:14 . 2008-12-18 10:16 <DIR> d-------- c:\documents and settings\All Users\Application Data\Lavasoft

2008-12-17 14:02 . 2008-12-17 14:02 <DIR> d-------- c:\program files\Windows Defender

2008-12-13 16:04 . 2008-12-29 18:04 <DIR> d-------- c:\program files\Common

2008-12-01 05:19 . 2008-12-01 05:19 164 --a------ C:\install.dat

2008-11-30 19:05 . 2008-11-30 19:05 <DIR> d-------- c:\documents and settings\HP_Administrator\Application Data\Malwarebytes

2008-11-30 19:04 . 2008-12-29 17:59 <DIR> d-------- c:\program files\Malwarebytes' Anti-Malware

2008-11-30 19:04 . 2008-11-30 19:04 <DIR> d-------- c:\documents and settings\All Users\Application Data\Malwarebytes

2008-11-30 17:24 . 2008-11-30 17:24 <DIR> d-------- C:\VundoFix Backups

2008-11-12 17:19 . 2008-09-04 09:15 1,106,944 --------- c:\windows\system32\dllcache\msxml3.dll

2008-11-12 17:19 . 2008-10-24 03:21 455,296 --------- c:\windows\system32\dllcache\mrxsmb.sys

.

(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

.

2008-12-28 02:23 1,336 ----a-w c:\documents and settings\HP_Administrator\Application Data\wklnhst.dat

2008-12-25 17:20 --------- d-----w c:\documents and settings\HP_Administrator\Application Data\Yahoo!

2008-12-22 17:51 --------- d-----w c:\program files\CCleaner

2008-12-20 17:44 --------- d-----w c:\program files\Enigma Software Group

2008-12-19 23:14 --------- d---a-w c:\documents and settings\All Users\Application Data\TEMP

2008-12-19 23:14 --------- d-----w c:\program files\HP Games

2008-12-18 21:39 --------- d-----w c:\program files\GemMaster

2008-12-15 04:07 --------- d-----w c:\program files\Java

2008-12-08 19:17 --------- d-----w c:\program files\McAfee

2008-12-01 00:55 --------- d-----w c:\program files\MSN Games

2008-10-31 20:21 --------- d-----w c:\program files\Google

2008-10-31 02:04 --------- d-----w c:\documents and settings\HP_Administrator\Application Data\HPQ

2008-09-13 19:56 44,544 ------w c:\windows\AWuninstall.exe

2006-12-16 21:15 251 ----a-w c:\program files\wt3d.ini

2008-09-18 20:47 6,144 --sha-w c:\windows\system32\wumoyuvo.dll

.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))

.

.

*Note* empty entries & legit default entries are not shown

REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2008-09-12 68856]

"Yahoo! Pager"="c:\program files\Yahoo!\Messenger\YahooMessenger.exe" [2007-08-30 4670704]

"MySpaceIM"="c:\program files\MySpace\IM\MySpaceIM.exe" [2008-04-17 9117696]

"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-13 15360]

"msnmsgr"="c:\program files\Windows Live\Messenger\msnmsgr.exe" [2007-10-18 5724184]

"ccleaner"="c:\program files\CCleaner\ccleaner.exe" [2008-12-01 1406192]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"ehTray"="c:\windows\ehome\ehtray.exe" [2005-09-29 67584]

"igfxhkcmd"="c:\windows\system32\hkcmd.exe" [2006-02-07 77824]

"igfxpers"="c:\windows\system32\igfxpers.exe" [2006-02-07 118784]

"IAAnotif"="c:\program files\Intel\Intel Matrix Storage Manager\iaanotif.exe" [2005-10-12 139264]

"HPHUPD08"="c:\program files\HP\Digital Imaging\{33D6CC28-9F75-4d1b-A11D-98895B3A3729}\hphupd08.exe" [2005-06-01 49152]

"DISCover"="c:\program files\DISC\DISCover.exe" [2006-03-16 1077248]

"DiscUpdateManager"="c:\program files\DISC\DiscUpdMgr.exe" [2006-03-16 61440]

"DMAScheduler"="c:\program files\HP DigitalMedia Archive\DMAScheduler.exe" [2006-03-20 90112]

"HPBootOp"="c:\program files\Hewlett-Packard\HP Boot Optimizer\HPBootOp.exe" [2006-02-15 249856]

"HP Software Update"="c:\program files\HP\HP Software Update\HPwuSchd2.exe" [2005-12-15 49152]

"HPDJ Taskbar Utility"="c:\windows\system32\spool\drivers\w32x86\3\hpztsb09.exe" [2003-07-25 188416]

"KBD"="c:\hp\KBD\KBD.EXE" [2005-02-02 61440]

"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2008-09-30 98304]

"avgnt"="c:\program files\Avira\AntiVir PersonalEdition Classic\avgnt.exe" [2008-06-12 266497]

"RTHDCPL"="RTHDCPL.EXE" [2006-03-08 c:\windows\RTHDCPL.EXE]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]

"MySpaceIM"="c:\program files\MySpace\IM\MySpaceIM.exe" [2008-04-17 9117696]

c:\documents and settings\All Users\Start Menu\Programs\Startup\

Adobe Reader Speed Launch.lnk - c:\program files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2005-09-24 29696]

HP Digital Imaging Monitor.lnk - c:\program files\HP\Digital Imaging\bin\hpqtra08.exe [2005-12-15 282624]

Updates From HP.lnk - c:\program files\Updates from HP\9972322\Program\Updates from HP.exe [2006-05-05 36903]

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]

"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "c:\program files\SUPERAntiSpyware\SASSEH.DLL" [2008-05-13 77824]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]

2008-12-03 14:56 352256 c:\program files\SUPERAntiSpyware\SASWINLO.dll

[HKEY_LOCAL_MACHINE\software\microsoft\security center]

"AntiVirusDisableNotify"=dword:00000001

"UpdatesDisableNotify"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]

"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]

"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]

"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]

"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]

"%windir%\\system32\\sessmgr.exe"=

"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqtra08.exe"=

"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqste08.exe"=

"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpofxm08.exe"=

"c:\\Program Files\\HP\\Digital Imaging\\bin\\hposfx08.exe"=

"c:\\Program Files\\HP\\Digital Imaging\\bin\\hposid01.exe"=

"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqscnvw.exe"=

"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqkygrp.exe"=

"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqCopy.exe"=

"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpfccopy.exe"=

"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpzwiz01.exe"=

"c:\\Program Files\\HP\\Digital Imaging\\Unload\\HpqPhUnl.exe"=

"c:\\Program Files\\HP\\Digital Imaging\\Unload\\HpqDIA.exe"=

"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpoews01.exe"=

"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqnrs08.exe"=

"c:\\Program Files\\DISC\\DISCover.exe"=

"c:\\Program Files\\DISC\\DiscStreamHub.exe"=

"c:\\Program Files\\DISC\\myFTP.exe"=

"c:\\Program Files\\Updates from HP\\9972322\\Program\\Updates from HP.exe"=

"%windir%\\Network Diagnostic\\xpnetdiag.exe"=

"c:\\Program Files\\Messenger\\msmsgs.exe"=

"c:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe"=

"c:\\Program Files\\Yahoo!\\Messenger\\YServer.exe"=

"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=

"c:\\Program Files\\MSN Messenger\\msnmsgr.exe"=

"c:\\Program Files\\MSN Messenger\\livecall.exe"=

"c:\\Program Files\\MySpace\\IM\\MySpaceIM.exe"=

R1 SASDIFSV;SASDIFSV;\??\c:\program files\SUPERAntiSpyware\SASDIFSV.SYS [2008-12-04 8944]

R1 SASKUTIL;SASKUTIL;\??\c:\program files\SUPERAntiSpyware\SASKUTIL.sys [2008-12-04 55024]

R2 WinDefend;Windows Defender;"c:\program files\Windows Defender\MsMpEng.exe" [2006-11-03 13592]

S2 AdobeActiveFileMonitor6.0;Adobe Active File Monitor V6;c:\program files\Adobe\Photoshop Elements 6.0\PhotoshopElementsFileAgent.exe []

S3 SASENUM;SASENUM;\??\c:\program files\SUPERAntiSpyware\SASENUM.SYS [2008-12-04 7408]

.

Contents of the 'Scheduled Tasks' folder

2008-12-20 c:\windows\Tasks\AppleSoftwareUpdate.job

- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-04-11 16:57]

2008-12-30 c:\windows\Tasks\Check Updates for Windows Live Toolbar.job

- c:\program files\Windows Live Toolbar\MSNTBUP.EXE [2007-10-19 10:20]

2008-12-10 c:\windows\Tasks\HPCeeSchedule.job

- c:\program files\Hewlett-Packard\SDP\Ceement\HPCEE.exe [2005-09-08 18:22]

2008-11-15 c:\windows\Tasks\McDefragTask.job

- c:\progra~1\mcafee\mqc\QcConsol.exe [2007-12-04 12:32]

2008-10-01 c:\windows\Tasks\McQcTask.job

- c:\progra~1\mcafee\mqc\QcConsol.exe [2007-12-04 12:32]

2008-12-30 c:\windows\Tasks\MP Scheduled Scan.job

- c:\program files\Windows Defender\MpCmdRun.exe [2006-11-03 19:20]

.

- - - - ORPHANS REMOVED - - - -

HKLM-Run-PCDrProfiler - (no file)

MSConfigStartUp-dofahayozo - c:\windows\system32\wefenure.dll

.

------- Supplementary Scan -------

.

uStart Page = hxxp://www.google.com/

uDefault_Search_URL = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iesearch&locale=EN_US&c=63&bd=PAVILION&pf=desktop

uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8

mStart Page = hxxp://www.google.com

mSearch Bar = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iesearch&locale=EN_US&c=63&bd=PAVILION&pf=desktop

uInternet Settings,ProxyOverride = *.local

uSearchURL,(Default) = hxxp://www.google.com/search?q=%s

IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~4\OFFICE11\EXCEL.EXE/3000

Trusted Zone: *.trymedia.com

FF - ProfilePath - c:\documents and settings\HP_Administrator\Application Data\Mozilla\Firefox\Profiles\8kuev9ec.default\

FF - prefs.js: browser.startup.homepage - hxxp://www.yahoo.com/

FF - plugin: c:\program files\Yahoo!\Shared\npYState.dll

.

**************************************************************************

catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net

Rootkit scan 2008-12-29 18:10:05

Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

c:\docume~1\HP_ADM~1\LOCALS~1\Temp\bsnygovs.0.cs 166442 bytes

c:\docume~1\HP_ADM~1\LOCALS~1\Temp\bsnygovs.cmdline 630 bytes

c:\docume~1\HP_ADM~1\LOCALS~1\Temp\bsnygovs.dll 0 bytes

c:\docume~1\HP_ADM~1\LOCALS~1\Temp\bsnygovs.err 0 bytes

c:\docume~1\HP_ADM~1\LOCALS~1\Temp\bsnygovs.out 715 bytes

c:\docume~1\HP_ADM~1\LOCALS~1\Temp\bsnygovs.tmp 0 bytes

c:\docume~1\HP_ADM~1\LOCALS~1\Temp\CSCA.tmp 688 bytes

c:\docume~1\HP_ADM~1\LOCALS~1\Temp\RESB.tmp 1256 bytes

scan completed successfully

hidden files: 8

**************************************************************************

.

--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(764)

c:\program files\SUPERAntiSpyware\SASWINLO.dll

.

------------------------ Other Running Processes ------------------------

.

c:\program files\Avira\AntiVir PersonalEdition Classic\sched.exe

c:\program files\Avira\AntiVir PersonalEdition Classic\avguard.exe

c:\program files\Bonjour\mDNSResponder.exe

c:\windows\ehome\ehrecvr.exe

c:\windows\ehome\ehSched.exe

c:\program files\Intel\Intel Matrix Storage Manager\IAANTMon.exe

c:\program files\Common Files\LightScribe\LSSrvc.exe

c:\program files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE

c:\windows\system32\spool\drivers\w32x86\3\HPZIPM12.EXE

c:\program files\Intel\IntelDH\Intel® Quick Resume Technology\ELService.exe

c:\windows\ehome\mcrdsvc.exe

c:\windows\ehome\ehmsas.exe

c:\program files\DISC\DiscStreamHub.exe

c:\windows\system32\wscntfy.exe

.

**************************************************************************

.

Completion time: 2008-12-29 18:17:00 - machine was rebooted

ComboFix-quarantined-files.txt 2008-12-30 02:16:53

Pre-Run: 197,102,174,208 bytes free

Post-Run: 197,494,317,056 bytes free

226 --- E O F --- 2008-11-28 04:06:50


Here is the MBAM log

Malwarebytes' Anti-Malware 1.31

Database version: 1571

Windows 5.1.2600 Service Pack 3

12/29/2008 8:35:56 PM

mbam-log-2008-12-29 (20-35-56).txt

Scan type: Full Scan (C:\|D:\|E:\|F:\|)

Objects scanned: 234212

Time elapsed: 1 hour(s), 28 minute(s), 37 second(s)

Memory Processes Infected: 0

Memory Modules Infected: 0

Registry Keys Infected: 0

Registry Values Infected: 0

Registry Data Items Infected: 0

Folders Infected: 0

Files Infected: 0

Memory Processes Infected:

(No malicious items detected)

Memory Modules Infected:

(No malicious items detected)

Here is the Hijackthis.log

Logfile of Trend Micro HijackThis v2.0.2

Scan saved at 8:38:07 PM, on 12/29/2008

Platform: Windows XP SP3 (WinNT 5.01.2600)

MSIE: Internet Explorer v7.00 (7.00.6000.16735)

Boot mode: Normal

Running processes:

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\system32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\system32\svchost.exe

C:\Program Files\Windows Defender\MsMpEng.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\system32\spoolsv.exe

C:\Program Files\Avira\AntiVir PersonalEdition Classic\sched.exe

C:\Program Files\Avira\AntiVir PersonalEdition Classic\avguard.exe

C:\Program Files\Bonjour\mDNSResponder.exe

C:\WINDOWS\eHome\ehRecvr.exe

C:\WINDOWS\eHome\ehSched.exe

C:\Program Files\Intel\Intel Matrix Storage Manager\iaantmon.exe

C:\Program Files\Common Files\LightScribe\LSSrvc.exe

C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE

C:\WINDOWS\system32\svchost.exe

C:\Program Files\Intel\IntelDH\Intel® Quick Resume Technology\ELService.exe

C:\WINDOWS\ehome\ehtray.exe

C:\WINDOWS\RTHDCPL.EXE

C:\WINDOWS\system32\hkcmd.exe

C:\WINDOWS\eHome\ehmsas.exe

C:\WINDOWS\system32\igfxpers.exe

C:\Program Files\Intel\Intel Matrix Storage Manager\iaanotif.exe

C:\Program Files\DISC\DiscUpdMgr.exe

C:\Program Files\HP DigitalMedia Archive\DMAScheduler.exe

C:\Program Files\HP\HP Software Update\HPwuSchd2.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb09.exe

C:\HP\KBD\KBD.EXE

C:\Program Files\QuickTime\qttask.exe

C:\Program Files\DISC\DiscStreamHub.exe

C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe

C:\WINDOWS\system32\ctfmon.exe

C:\Program Files\Windows Live\Messenger\msnmsgr.exe

C:\WINDOWS\system32\wscntfy.exe

C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe

C:\Program Files\Updates from HP\9972322\Program\Updates from HP.exe

C:\WINDOWS\explorer.exe

C:\Program Files\Mozilla Firefox\firefox.exe

c:\windows\system\hpsysdrv.exe

C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://*.trymedia.com (HKLM)

O16 - DPF: {0CCA191D-13A6-4E29-B746-314DEE697D83} (Facebook Photo Uploader 5) - http://upload.facebook.com/controls/Facebo...toUploader5.cab

O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204

O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (Installation Support) - C:\Program Files\Yahoo!\Common\Yinsthelper.dll

O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://gfx2.hotmail.com/mail/w3/pr01/resources/MSNPUpld.cab

O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll

O23 - Service: Adobe Active File Monitor V6 (AdobeActiveFileMonitor6.0) - Unknown owner - C:\Program Files\Adobe\Photoshop Elements 6.0\PhotoshopElementsFileAgent.exe (file missing)

O23 - Service: Avira AntiVir Personal - Free Antivirus Scheduler (AntiVirScheduler) - Avira GmbH - C:\Program Files\Avira\AntiVir PersonalEdition Classic\sched.exe

O23 - Service: Avira AntiVir Personal - Free Antivirus Guard (AntiVirService) - Avira GmbH - C:\Program Files\Avira\AntiVir PersonalEdition Classic\avguard.exe

O23 - Service: ##Id_String1.6844F930_1628_4223_B5CC_5BB94B879762## (Bonjour Service) - Apple Computer, Inc. - C:\Program Files\Bonjour\mDNSResponder.exe

O23 - Service: Intel


Hi :)

I am sorry again if I went ahead without you telling me to do so, I was trying to follow the directions as best as I read them

OK apology accepted. If there is absolutely anything you do not understand, stop what you are doing and inform myself straight away!

thank you so much again for helping me

You are very welcome.

DelDomains:

  • Right click Here and select Save As to download WinHelp2002's DelDomains.inf.
  • Please save the file to the Desktop.
  • To run the inf file, right click on it and select Install.

Next:

COMBOFIX-Script

A word of warning: Please do not run ComboFix on your own. This tool is not a toy and not for everyday use.

  • Please open Notepad (Start -> Run -> type notepad in the Open field -> OK) and copy and paste the text present inside the code box below:
    File::
    C:\install.dat
    C:\windows\system32\wumoyuvo.dll


  • Save this as CFScript.txt and change the "Save as type" to "All Files" and place it on your desktop.
    CFScriptB-4.gif
  • Very Important! Temporarily disable your anti-virus, script blocking and any anti-malware real-time protection before following the steps below. They can interfere with ComboFix or remove some of its embedded files which may cause "unpredictable results".
  • Referring to the screenshot above, drag CFScript.txt into ComboFix.exe.
  • ComboFix will now run a scan on your system. It may reboot your system when it finishes. This is normal.
  • When finished, it shall produce a log for you. Copy and paste the contents of the log in your next reply.

CAUTION: Do not mouse-click ComboFix's window while it is running. That may cause it to stall.

Next:

New Java Installation and Online Scan:

Note: Please make sure that all programs are closed when installing Java. Or, if you choose not to re-install Java, leave this part of the fix, inform myself in your next reply and we will run an alternative online scan.

Java:

  • Click here to visit Java's website.
  • Scroll down to Java SE Runtime Environment (JRE) 6 Update 11. Click on Download.
  • Select Windows from the drop-down list for Platform.
  • Select Multi-language from the drop-down list for Language.
  • Check (tick) I agree to the Java SE Runtime Environment 6 License Agreement box and click on Continue.
  • Click on jre-6u11-windows-i586-p.exe link to download it and save this to a convenient location.
  • Double click on jre-6u11-windows-i586-p.exe to install Java.

Online Scan:

  • Now please go to Kaspersky website and perform an online antivirus scan.
  • Read through the requirements and privacy statement and click on Accept button.
  • It will start downloading and installing the scanner and virus definitions. You will be prompted to install an application from Kaspersky. Click Run.
  • When the downloads have finished, click on Settings.
  • Make sure these boxes are checked (ticked). If they are not, please tick them and click on the Save button:
    • Spyware, Adware, Dialers, and other potentially dangerous programs
    • Archives
    • Mail databases
  • Click on My Computer under Scan.
  • Once the scan is complete, it will display the results. Click on View Scan Report.
  • You will see a list of infected items there. Click on Save Report As....
  • Save this report to a convenient place. Change the Files of type to Text file (.txt) before clicking on the Save button.
  • Please post this log in your next reply.

This online tutorial will help explain how to use the aforementioned online scan.

When completed the above, please post back the following in the order asked for:

  • How is your computer performing now, any other symptoms?
  • ComboFix Log.
  • Kaspersky results.
  • A new HijackThis Log.
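As an added example (not a tool from this thread, nor anything shipped with ComboFix), here is a small Python script that does the check a helper performs by eye after a CFScript run: it reads the File:: targets from the CFScript, finds them under the "Other Deletions" section of the log ComboFix writes, lists the files the embedded catchme scan reported as hidden, and flags entries in the "Files Created" and "Find3M Report" sections that carry both the system and hidden attributes. The sample CFScript and log excerpt are constructed from lines posted in this thread; the section names are those ComboFix prints, while the system+hidden flag is my own triage heuristic, not a ComboFix rule.

```python
"""Cross-check a ComboFix CFScript against the log ComboFix writes afterwards."""
import re

# Constructed sample CFScript, mirroring the File:: directive used in this thread.
SAMPLE_CFSCRIPT = r"""File::
C:\install.dat
C:\windows\system32\wumoyuvo.dll
"""
# Constructed excerpt of a ComboFix log; banners, the echoed FILE :: block and
# the embedded catchme report follow the layout of the logs in this thread.
SAMPLE_LOG = r"""FILE ::
C:\install.dat
c:\windows\system32\wumoyuvo.dll
.
((((((((((((((((((((( Other Deletions )))))))))))))))))))))
.
C:\install.dat
c:\windows\system32\wumoyuvo.dll
.
((((((((((( Files Created from 2008-11-28 to 2008-12-31 )))))))))))
.
2008-12-29 18:20 . 2008-12-03 19:59 15,504 --a------ c:\windows\system32\drivers\mbam.sys
.
((((((((((((((((((((((( Find3M Report )))))))))))))))))))))))
.
2008-12-25 17:20 --------- d-----w c:\documents and settings\HP_Administrator\Application Data\Yahoo!
2008-09-18 20:47 62,672 --sha-w c:\windows\system32\pulasiya.dll.tmp
.
**************************************************************************
catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
scanning hidden files ...
c:\docume~1\HP_ADM~1\LOCALS~1\Temp\bsnygovs.dll 0 bytes
c:\docume~1\HP_ADM~1\LOCALS~1\Temp\CSCA.tmp 688 bytes
scan completed successfully
hidden files: 2
**************************************************************************
"""

BANNER = re.compile(r"^\(+\s*(.+?)\s*\)+$")  # ((((( Section Name )))))
HIDDEN = re.compile(r"^(.*\S)\s+(\d+) bytes$")  # catchme hidden-file line
ENTRY = re.compile(r"^(\d{4}-\d{2}-\d{2} \d{2}:\d{2})(?: \. \d{4}-\d{2}-\d{2} \d{2}:\d{2})?"
                   r" ([\d,]+|-+|<DIR>) (\S+) (.+)$")  # date [. date] size attrs path

def split_sections(log_text):
    """Map each section of a ComboFix log to its non-empty lines. Banner sections
    keep their banner name; the echoed 'FILE ::' block and the catchme report
    (no banner) get pseudo-names; an asterisk rule starts a throwaway 'divider'."""
    sections, current = {}, "header"
    for raw in log_text.splitlines():
        line = raw.strip()
        if not line or line == ".":
            continue
        banner = BANNER.match(line)
        if banner:
            current = banner.group(1)
        elif line == "FILE ::":
            current = "FILE ::"
        elif line.startswith("catchme "):
            current = "catchme"
        elif line.startswith("*****"):
            current = "divider"
        else:
            sections.setdefault(current, []).append(line)
    return sections

def cfscript_directives(cfscript_text):
    """Parse a CFScript into {directive: [entries]}, e.g. {'File': [paths]}."""
    directives, current = {}, None
    for raw in cfscript_text.splitlines():
        line = raw.strip()
        if line.endswith("::"):
            current = line[:-2]
            directives.setdefault(current, [])
        elif line and current is not None:
            directives[current].append(line)
    return directives

def unconfirmed_deletions(cfscript_text, log_text):
    """File:: targets absent from 'Other Deletions'. Compared case-insensitively,
    since ComboFix lowercases most paths it prints."""
    deleted = {p.lower() for p in split_sections(log_text).get("Other Deletions", [])}
    targets = cfscript_directives(cfscript_text).get("File", [])
    return [t for t in targets if t.lower() not in deleted]

def catchme_hidden_files(log_text):
    """(path, size_in_bytes) for every file catchme reported as hidden."""
    hits = (HIDDEN.match(line) for line in split_sections(log_text).get("catchme", []))
    return [(m.group(1), int(m.group(2))) for m in hits if m]

def system_hidden_files(log_text):
    """Files in 'Files Created' / 'Find3M Report' carrying both the system ('s')
    and hidden ('h') attributes. Triage heuristic (my assumption, not a ComboFix
    rule): such files under system32 deserve a closer look."""
    flagged = []
    for name, lines in split_sections(log_text).items():
        if name.startswith("Files Created") or name == "Find3M Report":
            for m in filter(None, map(ENTRY.match, lines)):
                attrs, path = m.group(3), m.group(4)
                if not attrs.startswith("d") and {"s", "h"} <= set(attrs):
                    flagged.append((path, attrs))
    return flagged
```

Run it against a real CFScript.txt and the C:\ComboFix.txt it produced by reading both files into the two parser entry points; an empty list from `unconfirmed_deletions` means every File:: target was reported deleted, and anything returned by the other two functions is a lead for the next round of instructions rather than proof of infection.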

Hi :)

Hello there, thank you again. I got as far as doing the online scan but it's telling me a plugin is missing, which is the Java. I have already downloaded the Java but the Kaspersky won't read it; it is telling me it is missing. Where should I go from here? Thank you again

You're very welcome! OK, we will try an alternative online scan as follows:

Please go here to run an online scanner from ESET.

  • Note: You will need to use Internet Explorer for this scan
  • Tick the box next to YES, I accept the Terms of Use.
  • Click Start
  • When asked, allow the ActiveX control to install
  • Click Start
  • Make sure that the option Remove found threats is unticked, and the option Scan unwanted applications is checked
  • Click Scan
  • Wait for the scan to finish
  • Use notepad to open the logfile located at C:\Program Files\EsetOnlineScanner\log.txt
  • Copy and paste that log as a reply to this topic

When completed the above, please post back the following in the order asked for:

  • How is your computer performing now, any other symptoms?
  • ComboFix Log.
  • ESET Log.
  • A new HijackThis Log.

Hi :)

Do you still need help with your machine?

If the instructions are unclear or something isn't working, please let me know before proceeding.

Hello, I am sorry I have not responded. The problem is my computer shuts down completely in the middle of the scan every time I try to run a scan. I didn't want to respond to you until I actually had a full scan for you, but so far it scans for 3 hours at the most and shuts down. I just feel really hopeless right now. I did get the log file from ComboFix but that is as far as the computer will go. I am hoping if I shut it down for a couple of hours I will be able to get a full virus scan..

Another thing is, while it was doing the last scan the Avira started doing a programmed scan and found a couple of trojans. It asked to have them quarantined and I did that (just so you know, I did not start the scan myself, it started on its own).

So right now I am stuck. I will post the ComboFix file and try again to do another virus scan. I am not sure if you want me to do another HijackThis log yet as the virus scan is not completed..

Please bear with me as I try to work with this computer as it keeps shutting down in the middle of work.. hopefully I should have a scan soon.

ComboFix 08-12-29.01 - HP_Administrator 2008-12-31 9:03:37.2 - NTFSx86

Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.1014.447 [GMT -8:00]

Running from: c:\documents and settings\HP_Administrator\Desktop\ComboFix.exe

Command switches used :: c:\documents and settings\HP_Administrator\Desktop\CFScript.txt

AV: Avira AntiVir PersonalEdition *On-access scanning disabled* (Updated)

* Created a new restore point

FILE ::

C:\install.dat

c:\windows\system32\wumoyuvo.dll

.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))

.

C:\install.dat

c:\windows\system32\wumoyuvo.dll

.

((((((((((((((((((((((((( Files Created from 2008-11-28 to 2008-12-31 )))))))))))))))))))))))))))))))

.

2008-12-29 23:46 . 2008-10-03 02:02 247,326 --------- c:\windows\system32\dllcache\strmdll.dll

2008-12-29 18:20 . 2008-12-03 19:59 38,496 --a------ c:\windows\system32\drivers\mbamswissarmy.sys

2008-12-29 18:20 . 2008-12-03 19:59 15,504 --a------ c:\windows\system32\drivers\mbam.sys

2008-12-28 10:04 . 2008-04-13 17:12 159,232 --a------ c:\windows\system32\ptpusd.dll

2008-12-28 10:04 . 2008-04-13 11:45 15,104 --a------ c:\windows\system32\drivers\usbscan.sys

2008-12-28 10:04 . 2008-04-13 11:45 15,104 --a------ c:\windows\system32\dllcache\usbscan.sys

2008-12-28 10:04 . 2001-08-17 22:36 5,632 --a------ c:\windows\system32\ptpusb.dll

2008-12-26 15:21 . 2008-12-26 15:21 <DIR> d-------- C:\_OTMoveIt

2008-12-26 15:11 . 2008-12-26 15:11 <DIR> d-------- c:\program files\ERUNT

2008-12-25 05:32 . 2008-12-25 05:33 <DIR> d-------- C:\rsit

2008-12-25 05:19 . 2008-12-25 05:19 <DIR> d-------- c:\program files\Avira

2008-12-25 05:19 . 2008-12-25 05:19 <DIR> d-------- c:\documents and settings\All Users\Application Data\Avira

2008-12-22 13:51 . 2008-12-22 13:51 <DIR> d-------- c:\program files\Trend Micro

2008-12-21 15:07 . 2008-12-21 15:07 <DIR> d-------- c:\program files\Common Files\Wise Installation Wizard

2008-12-20 07:48 . 2008-12-20 07:48 <DIR> d-------- c:\documents and settings\All Users\Application Data\ESET

2008-12-20 07:34 . 2008-12-20 07:39 <DIR> d-------- c:\program files\Spybot - Search & Destroy

2008-12-20 07:34 . 2008-12-26 17:37 <DIR> d-------- c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy

2008-12-19 13:23 . 2008-12-19 13:23 <DIR> d-------- c:\documents and settings\Administrator\Application Data\SUPERAntiSpyware.com

2008-12-19 12:46 . 2008-12-19 12:46 <DIR> d-------- c:\documents and settings\All Users\Application Data\SUPERAntiSpyware.com

2008-12-19 12:40 . 2008-12-21 15:07 <DIR> d-------- c:\program files\SUPERAntiSpyware

2008-12-19 12:40 . 2008-12-21 15:07 <DIR> d-------- c:\documents and settings\HP_Administrator\Application Data\SUPERAntiSpyware.com

2008-12-18 10:14 . 2008-12-18 10:16 <DIR> d-------- c:\documents and settings\All Users\Application Data\Lavasoft

2008-12-17 14:02 . 2008-12-17 14:02 <DIR> d-------- c:\program files\Windows Defender

2008-12-13 16:04 . 2008-12-29 18:04 <DIR> d-------- c:\program files\Common

2008-11-30 19:05 . 2008-11-30 19:05 <DIR> d-------- c:\documents and settings\HP_Administrator\Application Data\Malwarebytes

2008-11-30 19:04 . 2008-12-29 18:20 <DIR> d-------- c:\program files\Malwarebytes' Anti-Malware

2008-11-30 19:04 . 2008-11-30 19:04 <DIR> d-------- c:\documents and settings\All Users\Application Data\Malwarebytes

2008-11-30 17:24 . 2008-11-30 17:24 <DIR> d-------- C:\VundoFix Backups

2008-11-12 17:19 . 2008-09-04 09:15 1,106,944 --------- c:\windows\system32\dllcache\msxml3.dll

2008-11-12 17:19 . 2008-10-24 03:21 455,296 --------- c:\windows\system32\dllcache\mrxsmb.sys

.

(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

.

2008-12-28 02:23 1,336 ----a-w c:\documents and settings\HP_Administrator\Application Data\wklnhst.dat

2008-12-25 17:20 --------- d-----w c:\documents and settings\HP_Administrator\Application Data\Yahoo!

2008-12-22 17:51 --------- d-----w c:\program files\CCleaner

2008-12-20 17:44 --------- d-----w c:\program files\Enigma Software Group

2008-12-19 23:14 --------- d---a-w c:\documents and settings\All Users\Application Data\TEMP

2008-12-19 23:14 --------- d-----w c:\program files\HP Games

2008-12-18 21:39 --------- d-----w c:\program files\GemMaster

2008-12-15 04:07 --------- d-----w c:\program files\Java

2008-12-13 06:40 3,593,216 ----a-w c:\windows\system32\dllcache\mshtml.dll

2008-12-08 19:17 --------- d-----w c:\program files\McAfee

2008-12-01 00:55 --------- d-----w c:\program files\MSN Games

2008-10-31 20:21 --------- d-----w c:\program files\Google

2008-10-31 02:04 --------- d-----w c:\documents and settings\HP_Administrator\Application Data\HPQ

2008-10-23 12:36 286,720 ----a-w c:\windows\system32\gdi32.dll

2008-10-23 12:36 286,720 ------w c:\windows\system32\dllcache\gdi32.dll

2008-10-16 22:13 202,776 ----a-w c:\windows\system32\wuweb.dll

2008-10-16 22:13 202,776 ----a-w c:\windows\system32\dllcache\wuweb.dll

2008-10-16 22:13 1,809,944 ----a-w c:\windows\system32\wuaueng.dll

2008-10-16 22:13 1,809,944 ----a-w c:\windows\system32\dllcache\wuaueng.dll

2008-10-16 22:12 561,688 ----a-w c:\windows\system32\wuapi.dll

2008-10-16 22:12 561,688 ----a-w c:\windows\system32\dllcache\wuapi.dll

2008-10-16 22:12 323,608 ----a-w c:\windows\system32\wucltui.dll

2008-10-16 22:12 323,608 ----a-w c:\windows\system32\dllcache\wucltui.dll

2008-10-16 22:09 92,696 ----a-w c:\windows\system32\dllcache\cdm.dll

2008-10-16 22:09 92,696 ----a-w c:\windows\system32\cdm.dll

2008-10-16 22:09 51,224 ----a-w c:\windows\system32\wuauclt.exe

2008-10-16 22:09 51,224 ----a-w c:\windows\system32\dllcache\wuauclt.exe

2008-10-16 22:09 43,544 ----a-w c:\windows\system32\wups2.dll

2008-10-16 22:08 34,328 ----a-w c:\windows\system32\wups.dll

2008-10-16 22:08 34,328 ----a-w c:\windows\system32\dllcache\wups.dll

2008-10-16 13:11 70,656 ----a-w c:\windows\system32\dllcache\ie4uinit.exe

2008-10-16 13:11 13,824 ----a-w c:\windows\system32\dllcache\ieudinit.exe

2008-10-15 16:34 337,408 ------w c:\windows\system32\dllcache\netapi32.dll

2008-10-15 07:06 633,632 ----a-w c:\windows\system32\dllcache\iexplore.exe

2008-10-15 07:04 161,792 ----a-w c:\windows\system32\dllcache\ieakui.dll

2008-10-03 10:02 247,326 ----a-w c:\windows\system32\strmdll.dll

2008-10-01 00:43 1,286,152 ----a-w c:\windows\system32\msxml4.dll

2008-09-18 20:47 62,672 --sha-w c:\windows\system32\pulasiya.dll.tmp

2008-09-15 12:12 1,846,400 ----a-w c:\windows\system32\win32k.sys

2008-09-15 12:12 1,846,400 ------w c:\windows\system32\dllcache\win32k.sys

2008-09-13 19:56 44,544 ------w c:\windows\AWuninstall.exe

2008-09-10 01:14 1,307,648 ----a-w c:\windows\system32\msxml6.dll

2008-09-10 01:14 1,307,648 ------w c:\windows\system32\dllcache\msxml6.dll

2008-09-08 10:41 333,824 ------w c:\windows\system32\dllcache\srv.sys

2008-09-04 17:15 1,106,944 ----a-w c:\windows\system32\msxml3.dll

2006-12-16 21:15 251 ----a-w c:\program files\wt3d.ini

.

((((((((((((((((((((((((((((( snapshot@2008-12-29_18.15.32.05 )))))))))))))))))))))))))))))))))))))))))

.

+ 2008-10-23 10:17:49 62,976 ----a-w c:\windows\$hf_mig$\KB955839\SP3QFE\tzchange.exe

+ 2007-11-30 12:39:22 17,272 ----a-w c:\windows\$hf_mig$\KB955839\spmsg.dll

+ 2007-11-30 12:39:22 231,288 ----a-w c:\windows\$hf_mig$\KB955839\spuninst.exe

+ 2007-11-30 12:39:22 26,488 ----a-w c:\windows\$hf_mig$\KB955839\update\spcustom.dll

+ 2007-11-30 12:39:22 755,576 ----a-w c:\windows\$hf_mig$\KB955839\update\update.exe

+ 2007-11-30 12:39:22 382,840 ----a-w c:\windows\$hf_mig$\KB955839\update\updspapi.dll

+ 2008-10-23 12:43:42 286,720 ----a-w c:\windows\$hf_mig$\KB956802\SP3QFE\gdi32.dll

+ 2008-07-08 13:02:01 17,272 ----a-w c:\windows\$hf_mig$\KB956802\spmsg.dll

+ 2008-07-08 13:02:02 231,288 ----a-w c:\windows\$hf_mig$\KB956802\spuninst.exe

+ 2008-07-08 13:02:01 26,488 ----a-w c:\windows\$hf_mig$\KB956802\update\spcustom.dll

+ 2008-07-09 07:38:29 755,576 ----a-w c:\windows\$hf_mig$\KB956802\update\update.exe

+ 2008-07-09 07:38:37 382,840 ----a-w c:\windows\$hf_mig$\KB956802\update\updspapi.dll

+ 2008-08-26 07:24:28 124,928 -c----w c:\windows\ie7updates\KB958215-IE7\advpack.dll

+ 2008-08-26 07:24:28 347,136 -c----w c:\windows\ie7updates\KB958215-IE7\dxtmsft.dll

+ 2008-08-26 07:24:28 214,528 -c----w c:\windows\ie7updates\KB958215-IE7\dxtrans.dll

+ 2008-08-26 07:24:28 133,120 -c----w c:\windows\ie7updates\KB958215-IE7\extmgr.dll

+ 2008-08-26 07:24:28 63,488 -c----w c:\windows\ie7updates\KB958215-IE7\icardie.dll

+ 2008-08-25 08:37:59 70,656 -c----w c:\windows\ie7updates\KB958215-IE7\ie4uinit.exe

+ 2008-08-26 07:24:28 153,088 -c----w c:\windows\ie7updates\KB958215-IE7\ieakeng.dll

+ 2008-08-26 07:24:28 230,400 -c----w c:\windows\ie7updates\KB958215-IE7\ieaksie.dll

+ 2008-08-23 05:54:51 161,792 -c----w c:\windows\ie7updates\KB958215-IE7\ieakui.dll

+ 2008-08-26 07:24:28 383,488 -c----w c:\windows\ie7updates\KB958215-IE7\ieapfltr.dll

+ 2008-08-26 07:24:29 384,512 -c----w c:\windows\ie7updates\KB958215-IE7\iedkcs32.dll

+ 2008-10-03 17:41:15 6,066,176 -c----w c:\windows\ie7updates\KB958215-IE7\ieframe.dll

+ 2008-08-26 07:24:29 44,544 -c----w c:\windows\ie7updates\KB958215-IE7\iernonce.dll

+ 2008-08-26 07:24:29 267,776 -c----w c:\windows\ie7updates\KB958215-IE7\iertutil.dll

+ 2008-08-25 08:38:00 13,824 -c----w c:\windows\ie7updates\KB958215-IE7\ieudinit.exe

+ 2008-08-23 05:56:15 635,848 -c----w c:\windows\ie7updates\KB958215-IE7\iexplore.exe

+ 2008-08-26 07:24:30 27,648 -c----w c:\windows\ie7updates\KB958215-IE7\jsproxy.dll

+ 2008-08-26 07:24:30 459,264 -c----w c:\windows\ie7updates\KB958215-IE7\msfeeds.dll

+ 2008-08-26 07:24:30 52,224 -c----w c:\windows\ie7updates\KB958215-IE7\msfeedsbs.dll

+ 2008-08-26 07:24:30 477,696 -c----w c:\windows\ie7updates\KB958215-IE7\mshtmled.dll

+ 2008-08-26 07:24:30 193,024 -c----w c:\windows\ie7updates\KB958215-IE7\msrating.dll

+ 2008-08-26 07:24:30 671,232 -c----w c:\windows\ie7updates\KB958215-IE7\mstime.dll

+ 2008-08-26 07:24:30 102,912 -c----w c:\windows\ie7updates\KB958215-IE7\occache.dll

+ 2008-08-26 07:24:30 44,544 -c----w c:\windows\ie7updates\KB958215-IE7\pngfilt.dll

+ 2007-03-06 01:22:39 213,216 -c----w c:\windows\ie7updates\KB958215-IE7\spuninst\spuninst.exe

+ 2007-03-06 01:23:51 371,424 -c----w c:\windows\ie7updates\KB958215-IE7\spuninst\updspapi.dll

+ 2008-08-26 07:24:30 105,984 -c----w c:\windows\ie7updates\KB958215-IE7\url.dll

+ 2008-08-26 07:24:31 1,159,680 -c----w c:\windows\ie7updates\KB958215-IE7\urlmon.dll

+ 2008-08-26 07:24:31 233,472 -c----w c:\windows\ie7updates\KB958215-IE7\webcheck.dll

+ 2008-08-26 07:24:31 826,368 -c----w c:\windows\ie7updates\KB958215-IE7\wininet.dll

+ 2008-08-27 08:24:32 3,593,216 -c----w c:\windows\ie7updates\KB960714-IE7\mshtml.dll

+ 2007-03-06 01:22:39 213,216 -c----w c:\windows\ie7updates\KB960714-IE7\spuninst\spuninst.exe

+ 2007-03-06 01:23:47 371,424 -c----w c:\windows\ie7updates\KB960714-IE7\spuninst\updspapi.dll

- 2008-08-26 07:24:28 124,928 ----a-w c:\windows\system32\advpack.dll

+ 2008-10-16 20:38:34 124,928 ----a-w c:\windows\system32\advpack.dll

- 2008-08-26 07:24:28 124,928 ----a-w c:\windows\system32\dllcache\advpack.dll

+ 2008-10-16 20:38:34 124,928 ----a-w c:\windows\system32\dllcache\advpack.dll

- 2008-08-26 07:24:28 347,136 ----a-w c:\windows\system32\dllcache\dxtmsft.dll

+ 2008-10-16 20:38:34 347,136 ----a-w c:\windows\system32\dllcache\dxtmsft.dll

- 2008-08-26 07:24:28 214,528 ----a-w c:\windows\system32\dllcache\dxtrans.dll

+ 2008-10-16 20:38:34 214,528 ----a-w c:\windows\system32\dllcache\dxtrans.dll

- 2008-08-26 07:24:28 133,120 ----a-w c:\windows\system32\dllcache\extmgr.dll

+ 2008-10-16 20:38:35 133,120 ----a-w c:\windows\system32\dllcache\extmgr.dll

- 2008-08-26 07:24:28 63,488 ----a-w c:\windows\system32\dllcache\icardie.dll

+ 2008-10-16 20:38:35 63,488 ----a-w c:\windows\system32\dllcache\icardie.dll

- 2008-08-26 07:24:28 153,088 ----a-w c:\windows\system32\dllcache\ieakeng.dll

+ 2008-10-16 20:38:35 153,088 ----a-w c:\windows\system32\dllcache\ieakeng.dll

- 2008-08-26 07:24:28 230,400 ----a-w c:\windows\system32\dllcache\ieaksie.dll

+ 2008-10-16 20:38:35 230,400 ----a-w c:\windows\system32\dllcache\ieaksie.dll

- 2008-08-26 07:24:28 383,488 ----a-w c:\windows\system32\dllcache\ieapfltr.dll

+ 2008-10-16 20:38:35 383,488 ----a-w c:\windows\system32\dllcache\ieapfltr.dll

- 2008-08-26 07:24:29 384,512 ----a-w c:\windows\system32\dllcache\iedkcs32.dll

+ 2008-10-16 20:38:35 384,512 ----a-w c:\windows\system32\dllcache\iedkcs32.dll

- 2008-10-03 17:41:15 6,066,176 ----a-w c:\windows\system32\dllcache\ieframe.dll

+ 2008-10-16 20:38:37 6,066,176 ----a-w c:\windows\system32\dllcache\ieframe.dll

- 2008-08-26 07:24:29 44,544 ----a-w c:\windows\system32\dllcache\iernonce.dll

+ 2008-10-16 20:38:37 44,544 ----a-w c:\windows\system32\dllcache\iernonce.dll

- 2008-08-26 07:24:29 267,776 ----a-w c:\windows\system32\dllcache\iertutil.dll

+ 2008-10-16 20:38:37 267,776 ----a-w c:\windows\system32\dllcache\iertutil.dll

- 2008-08-26 07:24:30 27,648 ----a-w c:\windows\system32\dllcache\jsproxy.dll

+ 2008-10-16 20:38:37 27,648 ----a-w c:\windows\system32\dllcache\jsproxy.dll

+ 2008-06-11 10:47:52 96,768 ------w c:\windows\system32\dllcache\logagent.exe

- 2008-08-26 07:24:30 459,264 ----a-w c:\windows\system32\dllcache\msfeeds.dll

+ 2008-10-16 20:38:37 459,264 ----a-w c:\windows\system32\dllcache\msfeeds.dll

- 2008-08-26 07:24:30 52,224 ----a-w c:\windows\system32\dllcache\msfeedsbs.dll

+ 2008-10-16 20:38:37 52,224 ----a-w c:\windows\system32\dllcache\msfeedsbs.dll

- 2008-08-26 07:24:30 477,696 ----a-w c:\windows\system32\dllcache\mshtmled.dll

+ 2008-10-16 20:38:38 477,696 ----a-w c:\windows\system32\dllcache\mshtmled.dll

- 2008-08-26 07:24:30 193,024 ----a-w c:\windows\system32\dllcache\msrating.dll

+ 2008-10-16 20:38:38 193,024 ----a-w c:\windows\system32\dllcache\msrating.dll

- 2008-08-26 07:24:30 671,232 ----a-w c:\windows\system32\dllcache\mstime.dll

+ 2008-10-16 20:38:39 671,232 ----a-w c:\windows\system32\dllcache\mstime.dll

- 2008-08-26 07:24:30 102,912 ----a-w c:\windows\system32\dllcache\occache.dll

+ 2008-10-16 20:38:39 102,912 ----a-w c:\windows\system32\dllcache\occache.dll

- 2008-08-26 07:24:30 44,544 ----a-w c:\windows\system32\dllcache\pngfilt.dll

+ 2008-10-16 20:38:39 44,544 ----a-w c:\windows\system32\dllcache\pngfilt.dll

- 2008-08-26 07:24:30 105,984 ----a-w c:\windows\system32\dllcache\url.dll

+ 2008-10-16 20:38:39 105,984 ----a-w c:\windows\system32\dllcache\url.dll

- 2008-08-26 07:24:31 1,159,680 ----a-w c:\windows\system32\dllcache\urlmon.dll

+ 2008-10-16 20:38:39 1,160,192 ----a-w c:\windows\system32\dllcache\urlmon.dll

- 2008-08-26 07:24:31 233,472 ----a-w c:\windows\system32\dllcache\webcheck.dll

+ 2008-10-16 20:38:39 233,472 ----a-w c:\windows\system32\dllcache\webcheck.dll

- 2008-08-26 07:24:31 826,368 ----a-w c:\windows\system32\dllcache\wininet.dll

+ 2008-10-16 20:38:40 826,368 ----a-w c:\windows\system32\dllcache\wininet.dll

+ 2008-06-11 10:58:16 988,672 ------w c:\windows\system32\dllcache\WMNetmgr.dll

+ 2008-06-11 10:58:24 2,330,624 ------w c:\windows\system32\dllcache\WMVCore.dll

- 2008-08-26 07:24:28 214,528 ----a-w c:\windows\system32\dxtrans.dll

+ 2008-10-16 20:38:34 214,528 ----a-w c:\windows\system32\dxtrans.dll

- 2008-08-26 07:24:28 133,120 ----a-w c:\windows\system32\extmgr.dll

+ 2008-10-16 20:38:35 133,120 ----a-w c:\windows\system32\extmgr.dll

- 2008-08-26 07:24:28 63,488 ----a-w c:\windows\system32\icardie.dll

+ 2008-10-16 20:38:35 63,488 ----a-w c:\windows\system32\icardie.dll

- 2008-08-25 08:37:59 70,656 ----a-w c:\windows\system32\ie4uinit.exe

+ 2008-10-16 13:11:09 70,656 ----a-w c:\windows\system32\ie4uinit.exe

- 2008-08-26 07:24:28 153,088 ----a-w c:\windows\system32\ieakeng.dll

+ 2008-10-16 20:38:35 153,088 ----a-w c:\windows\system32\ieakeng.dll

- 2008-08-26 07:24:28 230,400 ----a-w c:\windows\system32\ieaksie.dll

+ 2008-10-16 20:38:35 230,400 ----a-w c:\windows\system32\ieaksie.dll

- 2008-08-23 05:54:51 161,792 ----a-w c:\windows\system32\ieakui.dll

+ 2008-10-15 07:04:53 161,792 ----a-w c:\windows\system32\ieakui.dll

- 2008-08-26 07:24:28 383,488 ----a-w c:\windows\system32\ieapfltr.dll

+ 2008-10-16 20:38:35 383,488 ----a-w c:\windows\system32\ieapfltr.dll

- 2008-08-26 07:24:29 384,512 ----a-w c:\windows\system32\iedkcs32.dll

+ 2008-10-16 20:38:35 384,512 ----a-w c:\windows\system32\iedkcs32.dll

- 2008-10-03 17:41:15 6,066,176 ----a-w c:\windows\system32\ieframe.dll

+ 2008-10-16 20:38:37 6,066,176 ----a-w c:\windows\system32\ieframe.dll

- 2008-08-26 07:24:29 44,544 ----a-w c:\windows\system32\iernonce.dll

+ 2008-10-16 20:38:37 44,544 ----a-w c:\windows\system32\iernonce.dll

- 2008-08-26 07:24:29 267,776 ----a-w c:\windows\system32\iertutil.dll

+ 2008-10-16 20:38:37 267,776 ----a-w c:\windows\system32\iertutil.dll

- 2008-08-25 08:38:00 13,824 ----a-w c:\windows\system32\ieudinit.exe

+ 2008-10-16 13:11:09 13,824 ----a-w c:\windows\system32\ieudinit.exe

- 2008-08-26 07:24:30 27,648 ----a-w c:\windows\system32\jsproxy.dll

+ 2008-10-16 20:38:37 27,648 ----a-w c:\windows\system32\jsproxy.dll

- 2005-08-04 08:29:52 96,768 ----a-w c:\windows\system32\logagent.exe

+ 2008-06-11 10:47:52 96,768 ----a-w c:\windows\system32\logagent.exe

+ 2008-12-09 23:24:38 17,593,280 ----a-w c:\windows\system32\MRT.exe

- 2008-08-26 07:24:30 459,264 ----a-w c:\windows\system32\msfeeds.dll

+ 2008-10-16 20:38:37 459,264 ----a-w c:\windows\system32\msfeeds.dll

- 2008-08-26 07:24:30 52,224 ----a-w c:\windows\system32\msfeedsbs.dll

+ 2008-10-16 20:38:37 52,224 ----a-w c:\windows\system32\msfeedsbs.dll

- 2008-08-27 08:24:32 3,593,216 ----a-w c:\windows\system32\mshtml.dll

+ 2008-12-13 06:40:02 3,593,216 ----a-w c:\windows\system32\mshtml.dll

- 2008-08-26 07:24:30 477,696 ----a-w c:\windows\system32\mshtmled.dll

+ 2008-10-16 20:38:38 477,696 ----a-w c:\windows\system32\mshtmled.dll

- 2008-08-26 07:24:30 193,024 ----a-w c:\windows\system32\msrating.dll

+ 2008-10-16 20:38:38 193,024 ----a-w c:\windows\system32\msrating.dll

- 2008-08-26 07:24:30 671,232 ----a-w c:\windows\system32\mstime.dll

+ 2008-10-16 20:38:39 671,232 ----a-w c:\windows\system32\mstime.dll

- 2008-08-26 07:24:30 102,912 ----a-w c:\windows\system32\occache.dll

+ 2008-10-16 20:38:39 102,912 ----a-w c:\windows\system32\occache.dll

- 2008-11-05 17:58:46 71,732 ----a-w c:\windows\system32\perfc009.dat

+ 2008-12-30 02:14:03 71,732 ----a-w c:\windows\system32\perfc009.dat

- 2008-11-05 17:58:46 442,466 ----a-w c:\windows\system32\perfh009.dat

+ 2008-12-30 02:14:03 442,466 ----a-w c:\windows\system32\perfh009.dat

- 2008-08-26 07:24:30 44,544 ----a-w c:\windows\system32\pngfilt.dll

+ 2008-10-16 20:38:39 44,544 ----a-w c:\windows\system32\pngfilt.dll

- 2008-07-08 13:02:01 17,272 ------w c:\windows\system32\spmsg.dll

+ 2007-11-30 12:39:22 17,272 ------w c:\windows\system32\spmsg.dll

- 2008-07-11 12:42:28 62,976 ----a-w c:\windows\system32\tzchange.exe

+ 2008-10-23 10:06:59 62,976 ----a-w c:\windows\system32\tzchange.exe

- 2008-08-26 07:24:30 105,984 ----a-w c:\windows\system32\url.dll

+ 2008-10-16 20:38:39 105,984 ----a-w c:\windows\system32\url.dll

- 2008-08-26 07:24:31 1,159,680 ----a-w c:\windows\system32\urlmon.dll

+ 2008-10-16 20:38:39 1,160,192 ----a-w c:\windows\system32\urlmon.dll

- 2008-08-26 07:24:31 233,472 ----a-w c:\windows\system32\webcheck.dll

+ 2008-10-16 20:38:39 233,472 ----a-w c:\windows\system32\webcheck.dll

- 2008-08-26 07:24:31 826,368 ----a-w c:\windows\system32\wininet.dll

+ 2008-10-16 20:38:40 826,368 ----a-w c:\windows\system32\wininet.dll

- 2005-08-04 08:29:52 988,672 ----a-w c:\windows\system32\wmnetmgr.dll

+ 2008-06-11 10:58:16 988,672 ----a-w c:\windows\system32\WMNetmgr.dll

- 2006-12-07 04:14:51 2,330,624 ----a-w c:\windows\system32\wmvcore.dll

+ 2008-06-11 10:58:24 2,330,624 ----a-w c:\windows\system32\WMVCore.dll

.

-- Snapshot reset to current date --

.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))

.

.

*Note* empty entries & legit default entries are not shown

REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2008-09-12 68856]

"Yahoo! Pager"="c:\program files\Yahoo!\Messenger\YahooMessenger.exe" [2007-08-30 4670704]

"MySpaceIM"="c:\program files\MySpace\IM\MySpaceIM.exe" [2008-04-17 9117696]

"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-13 15360]

"msnmsgr"="c:\program files\Windows Live\Messenger\msnmsgr.exe" [2007-10-18 5724184]

"ccleaner"="c:\program files\CCleaner\ccleaner.exe" [2008-12-01 1406192]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"ehTray"="c:\windows\ehome\ehtray.exe" [2005-09-29 67584]

"igfxhkcmd"="c:\windows\system32\hkcmd.exe" [2006-02-07 77824]

"igfxpers"="c:\windows\system32\igfxpers.exe" [2006-02-07 118784]

"IAAnotif"="c:\program files\Intel\Intel Matrix Storage Manager\iaanotif.exe" [2005-10-12 139264]

"HPHUPD08"="c:\program files\HP\Digital Imaging\{33D6CC28-9F75-4d1b-A11D-98895B3A3729}\hphupd08.exe" [2005-06-01 49152]

"DISCover"="c:\program files\DISC\DISCover.exe" [2006-03-16 1077248]

"DiscUpdateManager"="c:\program files\DISC\DiscUpdMgr.exe" [2006-03-16 61440]

"DMAScheduler"="c:\program files\HP DigitalMedia Archive\DMAScheduler.exe" [2006-03-20 90112]

"HPBootOp"="c:\program files\Hewlett-Packard\HP Boot Optimizer\HPBootOp.exe" [2006-02-15 249856]

"HP Software Update"="c:\program files\HP\HP Software Update\HPwuSchd2.exe" [2005-12-15 49152]

"HPDJ Taskbar Utility"="c:\windows\system32\spool\drivers\w32x86\3\hpztsb09.exe" [2003-07-25 188416]

"KBD"="c:\hp\KBD\KBD.EXE" [2005-02-02 61440]

"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2008-09-30 98304]

"avgnt"="c:\program files\Avira\AntiVir PersonalEdition Classic\avgnt.exe" [2008-06-12 266497]

"RTHDCPL"="RTHDCPL.EXE" [2006-03-08 c:\windows\RTHDCPL.EXE]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]

"MySpaceIM"="c:\program files\MySpace\IM\MySpaceIM.exe" [2008-04-17 9117696]

c:\documents and settings\All Users\Start Menu\Programs\Startup\

Adobe Reader Speed Launch.lnk - c:\program files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2005-09-24 29696]

HP Digital Imaging Monitor.lnk - c:\program files\HP\Digital Imaging\bin\hpqtra08.exe [2005-12-15 282624]

Updates From HP.lnk - c:\program files\Updates from HP\9972322\Program\Updates from HP.exe [2006-05-05 36903]

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]

"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "c:\program files\SUPERAntiSpyware\SASSEH.DLL" [2008-05-13 77824]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]

2008-12-03 14:56 352256 c:\program files\SUPERAntiSpyware\SASWINLO.dll

[HKEY_LOCAL_MACHINE\software\microsoft\security center]

"AntiVirusDisableNotify"=dword:00000001

"UpdatesDisableNotify"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]

"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]

"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]

"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]

"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]

"%windir%\\system32\\sessmgr.exe"=

"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqtra08.exe"=

"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqste08.exe"=

"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpofxm08.exe"=

"c:\\Program Files\\HP\\Digital Imaging\\bin\\hposfx08.exe"=

"c:\\Program Files\\HP\\Digital Imaging\\bin\\hposid01.exe"=

"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqscnvw.exe"=

"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqkygrp.exe"=

"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqCopy.exe"=

"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpfccopy.exe"=

"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpzwiz01.exe"=

"c:\\Program Files\\HP\\Digital Imaging\\Unload\\HpqPhUnl.exe"=

"c:\\Program Files\\HP\\Digital Imaging\\Unload\\HpqDIA.exe"=

"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpoews01.exe"=

"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqnrs08.exe"=

"c:\\Program Files\\DISC\\DISCover.exe"=

"c:\\Program Files\\DISC\\DiscStreamHub.exe"=

"c:\\Program Files\\DISC\\myFTP.exe"=

"c:\\Program Files\\Updates from HP\\9972322\\Program\\Updates from HP.exe"=

"%windir%\\Network Diagnostic\\xpnetdiag.exe"=

"c:\\Program Files\\Messenger\\msmsgs.exe"=

"c:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe"=

"c:\\Program Files\\Yahoo!\\Messenger\\YServer.exe"=

"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=

"c:\\Program Files\\MSN Messenger\\msnmsgr.exe"=

"c:\\Program Files\\MSN Messenger\\livecall.exe"=

"c:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=

"c:\\Program Files\\MySpace\\IM\\MySpaceIM.exe"=

R1 SASDIFSV;SASDIFSV;\??\c:\program files\SUPERAntiSpyware\SASDIFSV.SYS [2008-12-04 8944]

R1 SASKUTIL;SASKUTIL;\??\c:\program files\SUPERAntiSpyware\SASKUTIL.sys [2008-12-04 55024]

R2 WinDefend;Windows Defender;"c:\program files\Windows Defender\MsMpEng.exe" [2006-11-03 13592]

S2 AdobeActiveFileMonitor6.0;Adobe Active File Monitor V6;c:\program files\Adobe\Photoshop Elements 6.0\PhotoshopElementsFileAgent.exe []

S3 SASENUM;SASENUM;\??\c:\program files\SUPERAntiSpyware\SASENUM.SYS [2008-12-04 7408]

.

Contents of the 'Scheduled Tasks' folder

2008-12-20 c:\windows\Tasks\AppleSoftwareUpdate.job

- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-04-11 16:57]

2008-12-31 c:\windows\Tasks\Check Updates for Windows Live Toolbar.job

- c:\program files\Windows Live Toolbar\MSNTBUP.EXE [2007-10-19 10:20]

2008-12-10 c:\windows\Tasks\HPCeeSchedule.job

- c:\program files\Hewlett-Packard\SDP\Ceement\HPCEE.exe [2005-09-08 18:22]

2008-11-15 c:\windows\Tasks\McDefragTask.job

- c:\progra~1\mcafee\mqc\QcConsol.exe [2007-12-04 12:32]

2008-10-01 c:\windows\Tasks\McQcTask.job

- c:\progra~1\mcafee\mqc\QcConsol.exe [2007-12-04 12:32]

2008-12-31 c:\windows\Tasks\MP Scheduled Scan.job

- c:\program files\Windows Defender\MpCmdRun.exe [2006-11-03 19:20]

.

.

------- Supplementary Scan -------

.

uStart Page = hxxp://www.google.com/

uDefault_Search_URL = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iesearch&locale=EN_US&c=63&bd=PAVILION&pf=desktop

uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8

mStart Page = hxxp://www.google.com

mSearch Bar = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iesearch&locale=EN_US&c=63&bd=PAVILION&pf=desktop

uInternet Settings,ProxyOverride = *.local

uSearchURL,(Default) = hxxp://www.google.com/search?q=%s

IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~4\OFFICE11\EXCEL.EXE/3000

FF - ProfilePath - c:\documents and settings\HP_Administrator\Application Data\Mozilla\Firefox\Profiles\8kuev9ec.default\

FF - prefs.js: browser.startup.homepage - hxxp://www.yahoo.com/

FF - plugin: c:\program files\Yahoo!\Shared\npYState.dll

.

**************************************************************************

catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net

Rootkit scan 2008-12-31 09:08:24

Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully

hidden files: 0

**************************************************************************

.

--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(764)

c:\program files\SUPERAntiSpyware\SASWINLO.dll

.

Completion time: 2008-12-31 9:10:18

ComboFix-quarantined-files.txt 2008-12-31 17:10:13

ComboFix2.txt 2008-12-30 02:17:03

Pre-Run: 198,243,737,600 bytes free

Post-Run: 198,236,340,224 bytes free

400 --- E O F --- 2008-12-30 11:04:20

This topic is now closed to further replies.