
Spyware Guard 2008 and then some. Help please.



Spyware Guard 2008 appears to be on my computer and won't go away with any basic scan it would seem. Other things appear to be hidden as well which forces me to run in safe mode otherwise my computer slows down so much that it eventually freezes up. Performing quick scans with Malwarebytes' shows an infected registry key or something that can't be deleted, and 2 other infections that say they are successfully deleted but always reappear directly afterward.

Malwarebytes' Anti-Malware 1.31

Database version: 1550

Windows 5.1.2600 Service Pack 2

12/27/2008 4:19:48 AM

mbam-log-2008-12-27 (04-19-48).txt

Scan type: Full Scan (C:\|)

Objects scanned: 163718

Time elapsed: 41 minute(s), 48 second(s)

Memory Processes Infected: 0

Memory Modules Infected: 0

Registry Keys Infected: 1

Registry Values Infected: 0

Registry Data Items Infected: 2

Folders Infected: 0

Files Infected: 61

Memory Processes Infected:

(No malicious items detected)

Memory Modules Infected:

(No malicious items detected)

Registry Keys Infected:

HKEY_CLASSES_ROOT\CLSID\{ec43e3fd-5c60-46a6-97d7-e0b85dbdd6c4} (Trojan.BHO) -> Delete on reboot.

Registry Values Infected:

(No malicious items detected)

Registry Data Items Infected:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit (Trojan.Agent) -> Data: c:\windows\system32\userinit.exe -> Quarantined and deleted successfully.

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit (Trojan.Agent) -> Data: system32\userinit.exe -> Quarantined and deleted successfully.

Folders Infected:

(No malicious items detected)

Files Infected:

C:\System Volume Information\_restore{54C86084-7FFC-4B91-8490-871C8454285F}\RP837\A0179156.dll (Trojan.Vundo) -> Quarantined and deleted successfully.

C:\System Volume Information\_restore{54C86084-7FFC-4B91-8490-871C8454285F}\RP840\A0179317.dll (Trojan.Vundo) -> Quarantined and deleted successfully.

C:\System Volume Information\_restore{54C86084-7FFC-4B91-8490-871C8454285F}\RP842\A0179462.exe (Trojan.Downloader) -> Quarantined and deleted successfully.

C:\System Volume Information\_restore{54C86084-7FFC-4B91-8490-871C8454285F}\RP846\A0181704.dll (Trojan.Vundo) -> Quarantined and deleted successfully.

C:\System Volume Information\_restore{54C86084-7FFC-4B91-8490-871C8454285F}\RP846\A0181706.dll (Trojan.Vundo) -> Quarantined and deleted successfully.

C:\System Volume Information\_restore{54C86084-7FFC-4B91-8490-871C8454285F}\RP846\A0181708.dll (Trojan.Vundo) -> Quarantined and deleted successfully.

C:\System Volume Information\_restore{54C86084-7FFC-4B91-8490-871C8454285F}\RP846\A0181710.dll (Trojan.Vundo) -> Quarantined and deleted successfully.

C:\System Volume Information\_restore{54C86084-7FFC-4B91-8490-871C8454285F}\RP846\A0181712.dll (Trojan.Vundo) -> Quarantined and deleted successfully.

C:\System Volume Information\_restore{54C86084-7FFC-4B91-8490-871C8454285F}\RP846\A0181721.dll (Trojan.Vundo) -> Quarantined and deleted successfully.

C:\System Volume Information\_restore{54C86084-7FFC-4B91-8490-871C8454285F}\RP846\A0181804.exe (Rogue.Spyguard) -> Quarantined and deleted successfully.

C:\System Volume Information\_restore{54C86084-7FFC-4B91-8490-871C8454285F}\RP846\A0181821.exe (Rogue.Spyguard) -> Quarantined and deleted successfully.

C:\System Volume Information\_restore{54C86084-7FFC-4B91-8490-871C8454285F}\RP846\A0181850.exe (Rogue.Spyguard) -> Quarantined and deleted successfully.

C:\System Volume Information\_restore{54C86084-7FFC-4B91-8490-871C8454285F}\RP847\A0181877.dll (Trojan.FakeAlert) -> Quarantined and deleted successfully.

C:\System Volume Information\_restore{54C86084-7FFC-4B91-8490-871C8454285F}\RP847\A0181878.exe (Trojan.Vundo) -> Quarantined and deleted successfully.

C:\System Volume Information\_restore{54C86084-7FFC-4B91-8490-871C8454285F}\RP847\A0183860.exe (Rogue.Spyguard) -> Quarantined and deleted successfully.

C:\System Volume Information\_restore{54C86084-7FFC-4B91-8490-871C8454285F}\RP847\A0184860.exe (Rogue.Spyguard) -> Quarantined and deleted successfully.

C:\System Volume Information\_restore{54C86084-7FFC-4B91-8490-871C8454285F}\RP847\A0184883.exe (Rogue.Spyguard) -> Quarantined and deleted successfully.

C:\System Volume Information\_restore{54C86084-7FFC-4B91-8490-871C8454285F}\RP848\A0184911.exe (Trojan.FakeAlert) -> Quarantined and deleted successfully.

C:\System Volume Information\_restore{54C86084-7FFC-4B91-8490-871C8454285F}\RP848\A0184915.dll (Trojan.Vundo) -> Quarantined and deleted successfully.

C:\System Volume Information\_restore{54C86084-7FFC-4B91-8490-871C8454285F}\RP848\A0184916.exe (Trojan.Vundo) -> Quarantined and deleted successfully.

C:\System Volume Information\_restore{54C86084-7FFC-4B91-8490-871C8454285F}\RP848\A0184917.dll (Trojan.FakeAlert) -> Quarantined and deleted successfully.

C:\System Volume Information\_restore{54C86084-7FFC-4B91-8490-871C8454285F}\RP848\A0185000.dll (Trojan.Vundo) -> Quarantined and deleted successfully.

C:\System Volume Information\_restore{54C86084-7FFC-4B91-8490-871C8454285F}\RP848\A0185018.exe (Rogue.Spyguard) -> Quarantined and deleted successfully.

C:\System Volume Information\_restore{54C86084-7FFC-4B91-8490-871C8454285F}\RP848\A0185060.exe (Rogue.Spyguard) -> Quarantined and deleted successfully.

C:\System Volume Information\_restore{54C86084-7FFC-4B91-8490-871C8454285F}\RP848\A0185148.exe (Rogue.Spyguard) -> Quarantined and deleted successfully.

C:\System Volume Information\_restore{54C86084-7FFC-4B91-8490-871C8454285F}\RP848\A0185192.exe (Backdoor.Hupigon) -> Quarantined and deleted successfully.

C:\System Volume Information\_restore{54C86084-7FFC-4B91-8490-871C8454285F}\RP848\A0185193.exe (Trojan.Downloader) -> Quarantined and deleted successfully.

C:\System Volume Information\_restore{54C86084-7FFC-4B91-8490-871C8454285F}\RP848\A0185194.exe (Backdoor.Hupigon) -> Quarantined and deleted successfully.

C:\System Volume Information\_restore{54C86084-7FFC-4B91-8490-871C8454285F}\RP848\A0185195.dll (Trojan.Vundo) -> Quarantined and deleted successfully.

C:\System Volume Information\_restore{54C86084-7FFC-4B91-8490-871C8454285F}\RP848\A0185311.dll (Trojan.Vundo) -> Quarantined and deleted successfully.

C:\System Volume Information\_restore{54C86084-7FFC-4B91-8490-871C8454285F}\RP848\A0185315.dll (Trojan.Vundo) -> Quarantined and deleted successfully.

C:\System Volume Information\_restore{54C86084-7FFC-4B91-8490-871C8454285F}\RP848\A0185320.dll (Trojan.Vundo) -> Quarantined and deleted successfully.

C:\System Volume Information\_restore{54C86084-7FFC-4B91-8490-871C8454285F}\RP848\A0185481.exe (Rogue.Spyguard) -> Quarantined and deleted successfully.

C:\System Volume Information\_restore{54C86084-7FFC-4B91-8490-871C8454285F}\RP848\A0186503.exe (Rogue.Spyguard) -> Quarantined and deleted successfully.

C:\System Volume Information\_restore{54C86084-7FFC-4B91-8490-871C8454285F}\RP848\A0188524.exe (Rogue.Spyguard) -> Quarantined and deleted successfully.

C:\System Volume Information\_restore{54C86084-7FFC-4B91-8490-871C8454285F}\RP848\A0191524.exe (Rogue.Spyguard) -> Quarantined and deleted successfully.

C:\System Volume Information\_restore{54C86084-7FFC-4B91-8490-871C8454285F}\RP848\A0193524.exe (Rogue.Spyguard) -> Quarantined and deleted successfully.

C:\System Volume Information\_restore{54C86084-7FFC-4B91-8490-871C8454285F}\RP848\A0194538.dll (Trojan.Vundo) -> Quarantined and deleted successfully.

C:\System Volume Information\_restore{54C86084-7FFC-4B91-8490-871C8454285F}\RP848\A0194540.dll (Trojan.Vundo) -> Quarantined and deleted successfully.

C:\System Volume Information\_restore{54C86084-7FFC-4B91-8490-871C8454285F}\RP848\A0194544.dll (Trojan.Vundo) -> Quarantined and deleted successfully.

C:\System Volume Information\_restore{54C86084-7FFC-4B91-8490-871C8454285F}\RP848\A0194548.exe (Trojan.FakeAlert) -> Quarantined and deleted successfully.

C:\System Volume Information\_restore{54C86084-7FFC-4B91-8490-871C8454285F}\RP848\A0194556.exe (Backdoor.Hupigon) -> Quarantined and deleted successfully.

C:\System Volume Information\_restore{54C86084-7FFC-4B91-8490-871C8454285F}\RP848\A0195566.exe (Rogue.Spyguard) -> Quarantined and deleted successfully.

C:\System Volume Information\_restore{54C86084-7FFC-4B91-8490-871C8454285F}\RP848\A0196586.dll (Trojan.Vundo) -> Quarantined and deleted successfully.

C:\System Volume Information\_restore{54C86084-7FFC-4B91-8490-871C8454285F}\RP848\A0196587.dll (Trojan.Vundo) -> Quarantined and deleted successfully.

C:\System Volume Information\_restore{54C86084-7FFC-4B91-8490-871C8454285F}\RP848\A0196588.dll (Trojan.Vundo) -> Quarantined and deleted successfully.

C:\System Volume Information\_restore{54C86084-7FFC-4B91-8490-871C8454285F}\RP848\A0196589.dll (Trojan.FakeAlert) -> Quarantined and deleted successfully.

C:\System Volume Information\_restore{54C86084-7FFC-4B91-8490-871C8454285F}\RP848\A0196590.dll (Trojan.Vundo) -> Quarantined and deleted successfully.

C:\System Volume Information\_restore{54C86084-7FFC-4B91-8490-871C8454285F}\RP848\A0196591.dll (Trojan.Vundo) -> Quarantined and deleted successfully.

C:\System Volume Information\_restore{54C86084-7FFC-4B91-8490-871C8454285F}\RP848\A0196592.dll (Trojan.Vundo) -> Quarantined and deleted successfully.

C:\System Volume Information\_restore{54C86084-7FFC-4B91-8490-871C8454285F}\RP848\A0196593.exe (Trojan.FakeAlert) -> Quarantined and deleted successfully.

C:\System Volume Information\_restore{54C86084-7FFC-4B91-8490-871C8454285F}\RP848\A0196594.dll (Trojan.Vundo) -> Quarantined and deleted successfully.

C:\System Volume Information\_restore{54C86084-7FFC-4B91-8490-871C8454285F}\RP848\A0196595.dll (Trojan.Vundo) -> Quarantined and deleted successfully.

C:\System Volume Information\_restore{54C86084-7FFC-4B91-8490-871C8454285F}\RP848\A0196596.dll (Trojan.Vundo) -> Quarantined and deleted successfully.

C:\System Volume Information\_restore{54C86084-7FFC-4B91-8490-871C8454285F}\RP848\A0196597.sys (Rootkit.Agent) -> Quarantined and deleted successfully.

C:\System Volume Information\_restore{54C86084-7FFC-4B91-8490-871C8454285F}\RP848\A0196598.sys (Rootkit.Agent) -> Quarantined and deleted successfully.

C:\System Volume Information\_restore{54C86084-7FFC-4B91-8490-871C8454285F}\RP848\A0196599.exe (Trojan.Vundo) -> Quarantined and deleted successfully.

C:\System Volume Information\_restore{54C86084-7FFC-4B91-8490-871C8454285F}\RP848\A0196600.exe (Backdoor.Hupigon) -> Quarantined and deleted successfully.

C:\System Volume Information\_restore{54C86084-7FFC-4B91-8490-871C8454285F}\RP848\A0196601.exe (Trojan.Downloader) -> Quarantined and deleted successfully.

C:\System Volume Information\_restore{54C86084-7FFC-4B91-8490-871C8454285F}\RP848\A0196614.dll (Trojan.Vundo) -> Quarantined and deleted successfully.

C:\System Volume Information\_restore{54C86084-7FFC-4B91-8490-871C8454285F}\RP848\A0196615.dll (Trojan.Vundo) -> Quarantined and deleted successfully.

;****************************************************************************

ANALYSIS: 2008-12-27 05:38:21

PROTECTIONS: 2

MALWARE: 18

SUSPECTS: 0

;****************************************************************************

PROTECTIONS

Description Version Active Updated

;===========================================================

Panda Antivirus WebAdmin 3.01.00 No No

Windows Defender 1.1.4104.0 No No

;===========================================================

MALWARE

Id Description Type Active Severity Disinfectable Disinfected Location

;===========================================================

00046160 adware/searchexe Adware No 0 Yes No HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main\Search Bar

00046160 adware/searchexe Adware No 0 Yes No HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main\Search Bar

00048327 adware/startpage.na Adware No 0 Yes No HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main\Default_Search_URL

00048327 adware/startpage.na Adware No 0 Yes No HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main\Search Bar

00048327 adware/startpage.na Adware No 0 Yes No HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main\Search Page

00139061 Cookie/Doubleclick TrackingCookie No 0 Yes No C:\Documents and Settings\Alex\Application Data\Mozilla\Firefox\Profiles\na684jwb.default\cookies.txt[.doubleclick.net/]

00139064 Cookie/Atlas DMT TrackingCookie No 0 Yes No C:\Documents and Settings\Alex\Application Data\Mozilla\Firefox\Profiles\na684jwb.default\cookies.txt[.atdmt.com/]

00141390 adware/cws.008k Adware No 0 Yes No HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main\Search Bar

00141390 adware/cws.008k Adware No 0 Yes No HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main\Search Page

00141390 adware/cws.008k Adware No 0 Yes No HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main\Search Page

00145731 Cookie/Tribalfusion TrackingCookie No 0 Yes No C:\Documents and Settings\Alex\Application Data\Mozilla\Firefox\Profiles\na684jwb.default\cookies.txt[.tribalfusion.com/]

00167642 Cookie/Com.com TrackingCookie No 0 Yes No C:\Documents and Settings\Alex\Application Data\Mozilla\Firefox\Profiles\na684jwb.default\cookies.txt[.com.com/]

00168090 Cookie/Serving-sys TrackingCookie No 0 Yes No C:\Documents and Settings\Alex\Application Data\Mozilla\Firefox\Profiles\na684jwb.default\cookies.txt[.serving-sys.com/]

00168090 Cookie/Serving-sys TrackingCookie No 0 Yes No C:\Documents and Settings\Alex\Application Data\Mozilla\Firefox\Profiles\na684jwb.default\cookies.txt[.serving-sys.com/]

00168090 Cookie/Serving-sys TrackingCookie No 0 Yes No C:\Documents and Settings\Alex\Application Data\Mozilla\Firefox\Profiles\na684jwb.default\cookies.txt[.serving-sys.com/]

00168090 Cookie/Serving-sys TrackingCookie No 0 Yes No C:\Documents and Settings\Alex\Application Data\Mozilla\Firefox\Profiles\na684jwb.default\cookies.txt[.serving-sys.com/]

00168090 Cookie/Serving-sys TrackingCookie No 0 Yes No C:\Documents and Settings\Alex\Application Data\Mozilla\Firefox\Profiles\na684jwb.default\cookies.txt[.serving-sys.com/]

00168090 Cookie/Serving-sys TrackingCookie No 0 Yes No C:\Documents and Settings\Alex\Application Data\Mozilla\Firefox\Profiles\na684jwb.default\cookies.txt[.serving-sys.com/]

00168093 Cookie/Serving-sys TrackingCookie No 0 Yes No C:\Documents and Settings\Alex\Application Data\Mozilla\Firefox\Profiles\na684jwb.default\cookies.txt[.bs.serving-sys.com/]

00169190 Cookie/Advertising TrackingCookie No 0 Yes No C:\Documents and Settings\Alex\Application Data\Mozilla\Firefox\Profiles\na684jwb.default\cookies.txt[.advertising.com/]

00169190 Cookie/Advertising TrackingCookie No 0 Yes No C:\Documents and Settings\Alex\Application Data\Mozilla\Firefox\Profiles\na684jwb.default\cookies.txt[.advertising.com/]

00172221 Cookie/Zedo TrackingCookie No 0 Yes No C:\Documents and Settings\Alex\Application Data\Mozilla\Firefox\Profiles\na684jwb.default\cookies.txt[.zedo.com/]

00172221 Cookie/Zedo TrackingCookie No 0 Yes No C:\Documents and Settings\Alex\Application Data\Mozilla\Firefox\Profiles\na684jwb.default\cookies.txt[.zedo.com/]

00172221 Cookie/Zedo TrackingCookie No 0 Yes No C:\Documents and Settings\Alex\Application Data\Mozilla\Firefox\Profiles\na684jwb.default\cookies.txt[.zedo.com/]

00172221 Cookie/Zedo TrackingCookie No 0 Yes No C:\Documents and Settings\Alex\Application Data\Mozilla\Firefox\Profiles\na684jwb.default\cookies.txt[.zedo.com/]

00172221 Cookie/Zedo TrackingCookie No 0 Yes No C:\Documents and Settings\Alex\Application Data\Mozilla\Firefox\Profiles\na684jwb.default\cookies.txt[.zedo.com/]

00172221 Cookie/Zedo TrackingCookie No 0 Yes No C:\Documents and Settings\Alex\Application Data\Mozilla\Firefox\Profiles\na684jwb.default\cookies.txt[.zedo.com/]

00172221 Cookie/Zedo TrackingCookie No 0 Yes No C:\Documents and Settings\Alex\Application Data\Mozilla\Firefox\Profiles\na684jwb.default\cookies.txt[.zedo.com/]

00185663 HackTool/NetCat.A HackTools No 0 No No C:\Documents and Settings\Alex\Desktop\CryptLoad_1.1.5.rar[router\FRITZ!Box\nc.exe]

00185663 HackTool/NetCat.A HackTools No 0 Yes No C:\Documents and Settings\Alex\Desktop\CryptLoad_1.1.5\router\FRITZ!Box\nc.exe

00191644 Cookie/adultfriendfinder TrackingCookie No 0 Yes No C:\Documents and Settings\Alex\Application Data\Mozilla\Firefox\Profiles\na684jwb.default\cookies.txt[.adultfriendfinder.com/]

00191644 Cookie/adultfriendfinder TrackingCookie No 0 Yes No C:\Documents and Settings\Alex\Application Data\Mozilla\Firefox\Profiles\na684jwb.default\cookies.txt[.adultfriendfinder.com/]

00191644 Cookie/adultfriendfinder TrackingCookie No 0 Yes No C:\Documents and Settings\Alex\Application Data\Mozilla\Firefox\Profiles\na684jwb.default\cookies.txt[.adultfriendfinder.com/]

00191644 Cookie/adultfriendfinder TrackingCookie No 0 Yes No C:\Documents and Settings\Alex\Application Data\Mozilla\Firefox\Profiles\na684jwb.default\cookies.txt[.adultfriendfinder.com/]

00207338 Cookie/Target TrackingCookie No 0 Yes No C:\Documents and Settings\Alex\Application Data\Mozilla\Firefox\Profiles\na684jwb.default\cookies.txt[.target.com/]

03074964 Trj/CI.A Virus/Trojan No 0 Yes No C:\WINDOWS\system32\userinit.exe

03074964 Trj/CI.A Virus/Trojan No 0 Yes No C:\WINDOWS\system32\dllcache\userinit.exe

03738741 Generic Malware Virus/Trojan No 0 No No C:\Documents and Settings\Alex\Desktop\CryptLoad_1.1.5.rar[ocr\netload.in\asmCaptcha\test.exe]

03738741 Generic Malware Virus/Trojan No 0 Yes No C:\Documents and Settings\Alex\Desktop\CryptLoad_1.1.5\ocr\netload.in\asmCaptcha\test.exe

04472478 Adware/WebSearch Adware No 0 Yes No C:\System Volume Information\_restore{54C86084-7FFC-4B91-8490-871C8454285F}\RP848\A0196585.dll

04472478 Adware/WebSearch Adware No 0 Yes No C:\System Volume Information\_restore{54C86084-7FFC-4B91-8490-871C8454285F}\RP848\A0185323.dll

;===========================================================

SUSPECTS

Sent Location

;===========================================================

;===========================================================

VULNERABILITIES

Id Severity Description

;===========================================================

108742 MEDIUM MS06-006

;===========================================================

Logfile of Trend Micro HijackThis v2.0.2

Scan saved at 4:44:30 AM, on 12/27/2008

Platform: Windows XP SP2 (WinNT 5.01.2600)

MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Boot mode: Safe mode with network support

Running processes:

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\system32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\Explorer.EXE

C:\PROGRA~1\Mozilla Firefox\firefox.exe

C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = www.msn.com/

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.pcclub.com

R3 - URLSearchHook: AIM Toolbar Search Class - {03402f96-3dc7-4285-bc50-9e81fefafe43} - C:\Program Files\AIM Toolbar\aimtb.dll

R3 - URLSearchHook: (no name) - {54EB34EA-E6BE-4CFD-9F4F-C4A0C2EAFA22} - (no file)

O3 - Toolbar: AIM Toolbar - {61539ecd-cc67-4437-a03c-9aaccbd14326} - C:\Program Files\AIM Toolbar\aimtb.dll

O4 - HKLM\..\Run: [ehTray] C:\WINDOWS\ehome\ehtray.exe

O4 - HKLM\..\Run: [sigmatelSysTrayApp] sttray.exe

O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup

O4 - HKLM\..\Run: [nwiz] nwiz.exe /install

O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit

O4 - HKLM\..\Run: [PWRISOVM.EXE] C:\Program Files\PowerISO\PWRISOVM.EXE

O4 - HKLM\..\Run: [Windows Defender] "C:\Program Files\Windows Defender\MSASCui.exe" -hide

O4 - HKLM\..\Run: [spywareguard] C:\Program Files\Spyware Guard 2008\spywareguard.exe

O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k

O4 - HKLM\..\RunOnce: [Malwarebytes Anti-Malware (reboot)] "C:\Program Files\Malwarebytes' Anti-Malware\mbam.exe" /runcleanupscript

O4 - HKLM\..\RunOnce: [spybotDeletingA2149] command /c del "C:\WINDOWS\system32\bb1.dat"

O4 - HKLM\..\RunOnce: [spybotDeletingC2531] cmd /c del "C:\WINDOWS\system32\bb1.dat"

O4 - HKLM\..\RunOnce: [spybotDeletingA2276] command /c del "C:\WINDOWS\system32\cookie1.dat"

O4 - HKLM\..\RunOnce: [spybotDeletingC6526] cmd /c del "C:\WINDOWS\system32\cookie1.dat"

O4 - HKLM\..\RunOnce: [spybotDeletingA2192] command /c del "C:\WINDOWS\system32\uniq.tll"

O4 - HKLM\..\RunOnce: [spybotDeletingC9226] cmd /c del "C:\WINDOWS\system32\uniq.tll"

O4 - HKCU\..\Run: [steam] "c:\program files\steam\steam.exe" -silent

O4 - HKCU\..\Run: [Aim6] "C:\Program Files\AIM6\aim6.exe" /d locale=en-US ee://aol/imApp

O4 - HKCU\..\Run: [DAEMON Tools Lite] "C:\Program Files\DAEMON Tools Lite\daemon.exe" -autorun

O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background

O4 - HKCU\..\Run: [sUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe

O4 - HKCU\..\RunOnce: [spybotDeletingB826] command /c del "C:\WINDOWS\system32\bb1.dat"

O4 - HKCU\..\RunOnce: [spybotDeletingD1014] cmd /c del "C:\WINDOWS\system32\bb1.dat"

O4 - HKCU\..\RunOnce: [spybotDeletingB6524] command /c del "C:\WINDOWS\system32\cookie1.dat"

O4 - HKCU\..\RunOnce: [spybotDeletingD9500] cmd /c del "C:\WINDOWS\system32\cookie1.dat"

O4 - HKCU\..\RunOnce: [spybotDeletingB6780] command /c del "C:\WINDOWS\system32\uniq.tll"

O4 - HKCU\..\RunOnce: [spybotDeletingD328] cmd /c del "C:\WINDOWS\system32\uniq.tll"

O4 - HKUS\S-1-5-18\..\Run: [DWQueuedReporting] "C:\PROGRA~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" -t (User 'SYSTEM')

O4 - HKUS\.DEFAULT\..\Run: [DWQueuedReporting] "C:\PROGRA~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" -t (User 'Default user')

O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE

O4 - Global Startup: Photags AutoDetect.lnk = C:\Program Files\PhoTags Express\Photags AutoDetect.exe

O8 - Extra context menu item: &AIM Toolbar Search - C:\Documents and Settings\All Users\Application Data\AIM Toolbar\ieToolbar\resources\en-US\local\search.html

O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\Office10\EXCEL.EXE/3000

O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll

O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll

O9 - Extra button: AIM Toolbar - {0b83c99c-1efa-4259-858f-bcb33e007a5b} - C:\Program Files\AIM Toolbar\aimtb.dll

O9 - Extra button: Skype - {77BF5300-1474-4EC7-9980-D32B190E9B07} - C:\Program Files\Skype\Toolbars\Internet Explorer\SkypeIEPlugin.dll

O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe

O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe

O10 - Broken Internet access because of LSP provider 'c:\docume~1\alex\locals~1\temp\ntdll64.dll' missing

O14 - IERESET.INF: START_PAGE_URL=http://www.pcclub.com

O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204

O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.symantec.com/sscv6/SharedC...bin/AvSniff.cab

O16 - DPF: {2d8ed06d-3c30-438b-96ae-4d110fdc1fb8} (ActiveScan 2.0 Installer Class) - http://acs.pandasoftware.com/activescan/cabs/as2stubie.cab

O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/SharedC...n/bin/cabsa.cab

O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL

O20 - AppInit_DLLs: C:\WINDOWS\system32\mozuzolo.dll

O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll

O23 - Service: Intel® Quick Resume technology (ELService) - Intel Corporation - C:\Program Files\Intel\IntelDH\Intel® Quick Resume Technology Drivers\Elservice.exe

O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe

O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe

O23 - Service: Panda anti-virus driver (PAVDRV) - Unknown owner - C:\WINDOWS\system32\Drivers\pavdrv51.sys (file missing)

O23 - Service: Panda anti-virus service (PAVSRV) - Panda Software - C:\Program Files\Sr\Compnts\Vr\pavsrv51.exe

O23 - Service: PnkBstrA - Unknown owner - C:\WINDOWS\system32\PnkBstrA.exe

O23 - Service: Cyberlink RichVideo Service(CRVS) (RichVideo) - Unknown owner - C:\Program Files\CyberLink\Shared files\RichVideo.exe

O23 - Service: PC Tools Auxiliary Service (sdauxservice) - PC Tools - C:\Program Files\Spyware Doctor\pctsAuxs.exe

O23 - Service: PC Tools Security Service (sdcoreservice) - PC Tools - C:\Program Files\Spyware Doctor\pctsSvc.exe

O23 - Service: Sony SCSI Helper Service - Sony Corporation - C:\Program Files\Common Files\Sony Shared\Fsk\SonySCSIHelperService.exe

O23 - Service: Viewpoint Manager Service - Viewpoint Corporation - C:\Program Files\Viewpoint\Common\ViewpointService.exe

--

End of file - 7217 bytes

Thanks in advance for any help anyone could give me.

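A way to read the three logs together, as an added example that is not part of the post above and is not Malwarebytes' or HijackThis' own code. All 61 "Files Infected" lines sit under System Volume Information, i.e. inside System Restore points: those are archived copies, not what is running now. What matters for the live machine is the BHO CLSID still marked "Delete on reboot", the Winlogon Userinit hits (the registry data shown is the normal value; Panda's Trj/CI.A detection on userinit.exe and its dllcache copy points at the binary itself, and clearing the Userinit value breaks logon, so the repair is a clean userinit.exe rather than an emptied value), and in the HijackThis log the missing LSP DLL (O10), the AppInit_DLLs entry (O20) and the Spyware Guard 2008 Run key. The script parses excerpts of the posted logs and separates archived, pending and live detections; the regexes follow the Malwarebytes 1.x and HijackThis 2.0.2 line formats as they appear above.

```python
"""Added example (not from the thread): triage a Malwarebytes' Anti-Malware
log and a HijackThis log so that archived restore-point copies are kept
apart from the entries that still run on the live system."""
import re
from collections import Counter

# Detection line format in Malwarebytes 1.x logs:  <location> (<family>) -> <action>
# The action itself may contain " -> " (e.g. "Data: <value> -> Quarantined ...").
DETECTION_RE = re.compile(r"^(?P<location>.+?) \((?P<family>[^()]+)\) -> (?P<action>.+)$")
RESTORE_DIR = r"\system volume information\_restore"

# Lines excerpted from the log posted above (one of each kind of entry).
MBAM_EXCERPT = r"""
Registry Keys Infected:
HKEY_CLASSES_ROOT\CLSID\{ec43e3fd-5c60-46a6-97d7-e0b85dbdd6c4} (Trojan.BHO) -> Delete on reboot.
Registry Data Items Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit (Trojan.Agent) -> Data: c:\windows\system32\userinit.exe -> Quarantined and deleted successfully.
Files Infected:
C:\System Volume Information\_restore{54C86084-7FFC-4B91-8490-871C8454285F}\RP848\A0196597.sys (Rootkit.Agent) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{54C86084-7FFC-4B91-8490-871C8454285F}\RP848\A0185192.exe (Backdoor.Hupigon) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{54C86084-7FFC-4B91-8490-871C8454285F}\RP848\A0196614.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
"""

# HijackThis lines excerpted from the log posted above.
HJT_EXCERPT = [
    r"O4 - HKLM\..\Run: [spywareguard] C:\Program Files\Spyware Guard 2008\spywareguard.exe",
    r"O10 - Broken Internet access because of LSP provider 'c:\docume~1\alex\locals~1\temp\ntdll64.dll' missing",
    r"O20 - AppInit_DLLs: C:\WINDOWS\system32\mozuzolo.dll",
    r"O23 - Service: Panda anti-virus driver (PAVDRV) - Unknown owner - C:\WINDOWS\system32\Drivers\pavdrv51.sys (file missing)",
    r"O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe",
]


def parse_mbam(text):
    """Return one dict {location, family, action} per detection line."""
    found = []
    for line in text.splitlines():
        m = DETECTION_RE.match(line.strip())
        if m:
            d = m.groupdict()
            d["action"] = d["action"].split(" -> ")[-1].strip()  # keep the final outcome only
            found.append(d)
    return found


def classify(det):
    """archived: stale copy inside a System Restore point (not running);
    pending: locked at scan time, removal deferred to reboot; live: everything else."""
    if RESTORE_DIR in det["location"].lower():
        return "archived"
    if det["action"].lower().startswith("delete on reboot"):
        return "pending"
    return "live"


def triage_mbam(text):
    dets = parse_mbam(text)
    buckets = {"archived": [], "pending": [], "live": []}
    for d in dets:
        buckets[classify(d)].append(d)
    return buckets, Counter(d["family"] for d in dets)


HJT_LSP_RE = re.compile(r"^O10 - .*LSP provider '(?P<path>[^']+)' missing")
HJT_APPINIT_RE = re.compile(r"^O20 - AppInit_DLLs: (?P<dlls>.+)$")
HJT_SVC_MISSING_RE = re.compile(r"^O23 - Service: (?P<name>.+?) - .*\(file missing\)$")


def hjt_flags(lines):
    """The HijackThis sections a responder reads first: a broken Winsock LSP chain,
    a DLL injected via AppInit_DLLs, and services whose binary is gone."""
    flags = []
    for line in lines:
        line = line.strip()
        if m := HJT_LSP_RE.match(line):
            flags.append(("O10", "Winsock LSP provider DLL missing; chain is broken", m["path"]))
        elif m := HJT_APPINIT_RE.match(line):
            flags.append(("O20", "AppInit_DLLs injects this DLL into every process that loads user32.dll", m["dlls"]))
        elif m := HJT_SVC_MISSING_RE.match(line):
            flags.append(("O23", "service binary missing", m["name"]))
    return flags


if __name__ == "__main__":
    buckets, families = triage_mbam(MBAM_EXCERPT)
    for kind, items in buckets.items():
        print(f"{kind}: {len(items)}")
        for d in items:
            print(f"   {d['family']:18} {d['location']}")
    print("families:", dict(families))
    for section, why, what in hjt_flags(HJT_EXCERPT):
        print(f"{section}: {why}: {what}")
```

Run against the full mbam-log file instead of the excerpt and the "archived" bucket holds all 61 files; the O4 Run entry for Spyware Guard 2008 is left for the human because a Run key is only suspicious by the name it launches, not by its shape.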

Howdy there Slashatme

Download LSPFix from here

1. Disconnect from the Internet, go to the LSPfix file and extract/unzip LSP-Fix into its own folder [C:\lspfix].

2. Open the lspfix folder and double-click on LSPFix.exe to start the program.

3. Check the "I know what I am doing" checkbox.

4. Select (highlight) all instances of ntdll64.dll in the left column under "Keep".

5. Click the arrow >> so it goes over to the right column under "Remove".

6. Click "Finish" and LSPfix will remove references to the file and restore the chain numbers.

7. Restart your computer into normal operating mode

Once done....

Please scan with ComboFix.exe. Please visit this webpage for download links, and instructions for running the tool:

http://www.bleepingcomputer.com/combofix/how-to-use-combofix

* Ensure you have disabled all anti virus and anti malware programs so they do not interfere with the running of ComboFix.

Please include the C:\ComboFix.txt in your next reply for further review.

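What the LSPFix step is doing underneath, as an added example that is not part of the reply above and is not LSPFix's code. On Windows XP SP2 and later, `netsh winsock show catalog` lists every Winsock catalog entry with its Provider Path. The script parses that output, marks providers whose DLL is missing (here the ntdll64.dll from the O10 line) and also every layered chain entry that references such a provider, because a chain pointing at a catalog ID that no longer exists is what leaves "Broken Internet access" even after the LSP itself is gone; that is the inconsistency the "restore the chain numbers" step repairs. The catalog text is constructed in the netsh output format and trimmed to the fields the check reads; provider IDs and catalog entry IDs are placeholders, and `demo_exists` stands in for os.path.exists so the example runs on any OS.

```python
"""Added example (not from the thread, not LSPFix's code): find Winsock catalog
entries that point at a missing provider DLL, plus the layered chain entries
that reference them, from `netsh winsock show catalog` output."""
import os
import re
import subprocess
import sys

ENTRY_HEADER = "Winsock Catalog Provider Entry"

# Constructed sample in the netsh output format, trimmed to the fields this check
# reads.  Provider IDs and catalog IDs are placeholders; the LSP path is the one
# from the O10 line in the HijackThis log above.
SAMPLE_CATALOG = r"""
Winsock Catalog Provider Entry
------------------------------------------------------
Entry Type:                         Base Service Provider
Description:                        MSAFD Tcpip [TCP/IP]
Provider ID:                        {00000000-0000-0000-0000-000000000001}
Provider Path:                      %SystemRoot%\system32\mswsock.dll
Catalog Entry ID:                   1001
Protocol Chain Length:              1

Winsock Catalog Provider Entry
------------------------------------------------------
Entry Type:                         Layered Service Provider
Description:                        ntdll64
Provider ID:                        {00000000-0000-0000-0000-000000000002}
Provider Path:                      C:\DOCUME~1\alex\LOCALS~1\Temp\ntdll64.dll
Catalog Entry ID:                   1010
Protocol Chain Length:              0

Winsock Catalog Provider Entry
------------------------------------------------------
Entry Type:                         Layered Chain Entry
Description:                        ntdll64 over [MSAFD Tcpip [TCP/IP]]
Provider ID:                        {00000000-0000-0000-0000-000000000003}
Provider Path:                      C:\DOCUME~1\alex\LOCALS~1\Temp\ntdll64.dll
Catalog Entry ID:                   1011
Protocol Chain Length:              2
Protocol Chain:                     1010 : 1001
"""

# Stand-in for os.path.exists so the sample runs anywhere: only mswsock.dll "exists".
PRESENT = {r"c:\windows\system32\mswsock.dll"}


def demo_exists(path):
    return path.lower() in PRESENT


def expand_path(path, system_root=None):
    """netsh prints %SystemRoot% literally; expand it before testing the file."""
    root = system_root or os.environ.get("SystemRoot", r"C:\WINDOWS")
    return re.sub(r"%systemroot%", lambda _m: root, path, flags=re.IGNORECASE)


def parse_catalog(text):
    """One dict per catalog entry, keyed by the labels netsh prints."""
    entries = []
    for block in text.split(ENTRY_HEADER)[1:]:
        entry = {}
        for line in block.splitlines():
            key, sep, value = line.partition(":")
            if sep and not line.startswith("-"):
                entry[key.strip()] = value.strip()
        if "Catalog Entry ID" in entry:
            entries.append(entry)
    return entries


def broken_entries(entries, exists=os.path.exists, system_root=None):
    """Catalog IDs to remove: providers whose DLL is missing, plus every chain
    entry whose Protocol Chain references one of them (a dangling chain is what
    breaks socket creation for every application)."""
    missing = {e["Catalog Entry ID"] for e in entries
               if not exists(expand_path(e["Provider Path"], system_root))}
    dangling = set()
    for e in entries:
        chain_ids = {x.strip() for x in e.get("Protocol Chain", "").split(":") if x.strip()}
        if chain_ids & missing:
            dangling.add(e["Catalog Entry ID"])
    return sorted(missing | dangling, key=int)


if __name__ == "__main__":
    if sys.platform == "win32" and "--live" in sys.argv:
        out = subprocess.run(["netsh", "winsock", "show", "catalog"],
                             capture_output=True, text=True, check=True).stdout
        bad = broken_entries(parse_catalog(out))
    else:
        bad = broken_entries(parse_catalog(SAMPLE_CATALOG),
                             exists=demo_exists, system_root=r"C:\WINDOWS")
    print("catalog entries to remove:", bad)
```

On the affected machine the `--live` path feeds the real netsh output through the same check. The built-in fallback since XP SP2 is `netsh winsock reset`, which rebuilds the catalog to its defaults; it also drops any legitimate LSP (a firewall's, for instance), which then has to be reinstalled.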
