Read the following topic before creating a new topic in this forum. It contains instructions on what we would like you to post, which will enable us to help you more quickly.
Preparation Guide For Use Before Using Malware Removal Tools and Requesting Help
DO NOT post a ComboFix log unless requested to.
Only members of the Malware Response Team or Moderators are allowed to help people with logs. Anyone else should refrain from posting to another user's log.
When posting a log please put the type of infection you have in the topic title. IE: Winfixer, Virtumonde, WinTools, WebSearch, Home Search Assistant, etc.
Do not bump your topic. We try to resolve logs on a first come/first served basis. By bumping your log you will be pushed back in line due to the new date of your bump.
Post #1 - May 31 2008, 11:52 PM
New Member, Group: Members, Posts: 8, Joined: 28-May 08, Member No.: 212,268
I lose the use of Task Manager ("Admin removed privileges"; I'm admin). My Computer icon only lists Documents. System slows. Numerous viruses caught and deleted, but they reinstall, and I cannot remove the BHO which HijackThis says is being so helpful. Here are the logs:

Deckard's System Scanner v20071014.68
Extra logfile - please post this as an attachment with your post.
--------------------------------------------------------------------------------

-- System Information ----------------------------------------------------------
Microsoft Windows XP Professional (build 2600) SP 2.0
Architecture: X86; Language: English
CPU 0: Intel® Pentium® M processor 1.60GHz
Percentage of Memory in Use: 40%
Physical Memory (total/avail): 1271.37 MiB / 751.77 MiB
Pagefile Memory (total/avail): 3031.3 MiB / 2562.63 MiB
Virtual Memory (total/avail): 2047.88 MiB / 1923.98 MiB
C: is Fixed (NTFS) - 74.52 GiB total, 20.42 GiB free.
D: is CDROM (No Media)
\\.\PHYSICALDRIVE0 - TOSHIBA MK8026GAX - 74.53 GiB - 1 partition
\PARTITION0 (bootable) - Installable File System - 74.52 GiB - C:

-- Security Center -------------------------------------------------------------
AUOptions is scheduled to auto-install.
Windows Internal Firewall is enabled.
FirstRunDisabled is set.
FW: Sunbelt Personal Firewall v4.5.916 T (Sunbelt) Disabled
AV: AVG 7.5.524 v7.5.524 (Grisoft)
AV: avast! antivirus 4.8.1201 [VPS 080530-0] v4.8.1201 (ALWIL Software) Disabled

[HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"%windir%\\Network Diagnostic\\xpnetdiag.exe"="%windir%\\Network Diagnostic\\xpnetdiag.exe:*:Enabled:@xpsp3res.dll,-20000"

[HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"%windir%\\Network Diagnostic\\xpnetdiag.exe"="%windir%\\Network Diagnostic\\xpnetdiag.exe:*:Enabled:@xpsp3res.dll,-20000"
"C:\\Program Files\\Grisoft\\AVG7\\avginet.exe"="C:\\Program Files\\Grisoft\\AVG7\\avginet.exe:*:Enabled:avginet.exe"
"C:\\Program Files\\Grisoft\\AVG7\\avgamsvr.exe"="C:\\Program Files\\Grisoft\\AVG7\\avgamsvr.exe:*:Enabled:avgamsvr.exe"
"C:\\Program Files\\Grisoft\\AVG7\\avgcc.exe"="C:\\Program Files\\Grisoft\\AVG7\\avgcc.exe:*:Enabled:avgcc.exe"
"C:\\Program Files\\Grisoft\\AVG7\\avgemc.exe"="C:\\Program Files\\Grisoft\\AVG7\\avgemc.exe:*:Enabled:avgemc.exe"
"C:\\Program Files\\TurboTax\\Premier 2007\\32bit\\ttax.exe"="C:\\Program Files\\TurboTax\\Premier 2007\\32bit\\ttax.exe:LocalSubNet:Enabled:TurboTax"
"C:\\Program Files\\TurboTax\\Premier 2007\\32bit\\updatemgr.exe"="C:\\Program Files\\TurboTax\\Premier 2007\\32bit\\updatemgr.exe:LocalSubNet:Enabled:TurboTax Update Manager"
"C:\\Program Files\\Skype\\Phone\\Skype.exe"="C:\\Program Files\\Skype\\Phone\\Skype.exe:*:Enabled:Skype"

-- Environment Variables -------------------------------------------------------
ALLUSERSPROFILE=C:\Documents and Settings\All Users
APPDATA=C:\Documents and Settings\Mike\Application Data
CLIENTNAME=Console
CommonProgramFiles=C:\Program Files\Common Files
COMPUTERNAME=MIKE
ComSpec=C:\WINDOWS\system32\cmd.exe
FP_NO_HOST_CHECK=NO
HOMEDRIVE=C:
HOMEPATH=\Documents and Settings\Mike
LOGONSERVER=\\MIKE
NUMBER_OF_PROCESSORS=1
OS=Windows_NT
Path=C:\WINDOWS\system32;C:\WINDOWS;C:\WINDOWS\System32\Wbem;C:\PROGRA~1\COMMON~1\SONICS~1\
PATHEXT=.COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH
PROCESSOR_ARCHITECTURE=x86
PROCESSOR_IDENTIFIER=x86 Family 6 Model 13 Stepping 8, GenuineIntel
PROCESSOR_LEVEL=6
PROCESSOR_REVISION=0d08
ProgramFiles=C:\Program Files
PROMPT=$P$G
SESSIONNAME=Console
SystemDrive=C:
SystemRoot=C:\WINDOWS
TEMP=C:\DOCUME~1\Mike\LOCALS~1\Temp
TMP=C:\DOCUME~1\Mike\LOCALS~1\Temp
USERDOMAIN=MIKE
USERNAME=Mike
USERPROFILE=C:\Documents and Settings\Mike
windir=C:\WINDOWS

-- User Profiles ---------------------------------------------------------------
Mike (admin)
Joel (admin)
LeeAnn
Administrator (admin)

-- Add/Remove Programs ---------------------------------------------------------
 --> C:\Program Files\Common Files\Real\Update_OB\r1puninst.exe RealNetworks|RealPlayer|6.0
 --> C:\WINDOWS\system32\\MSIEXEC.EXE /I {09DA4F91-2A09-4232-AB8C-6BC740096DE3} REMOVE=UpdateMgrFeature
 --> C:\WINDOWS\system32\\MSIEXEC.EXE /x {1206EF92-2E83-4859-ACCB-2048C3CB7DA6}
 --> C:\WINDOWS\system32\\MSIEXEC.EXE /x {9541FED0-327F-4df0-8B96-EF57EF622F19}
 --> rundll32.exe setupapi.dll,InstallHinfSection DefaultUninstall 132 C:\WINDOWS\INF\PCHealth.inf
Ad-Aware 2007 --> MsiExec.exe /I{DED53B0B-B67C-4244-AE6A-D6FD3C28D1EF}
Adobe Flash Player ActiveX --> C:\WINDOWS\system32\Macromed\Flash\uninstall_activeX.exe
Adobe MPEG Encoder --> MsiExec.exe /I{9811A185-3D3D-11D6-9E14-00036D172B00}
Adobe Premiere 6.5 --> C:\WINDOWS\UNINST.EXE -f"C:\Program Files\Adobe\Premiere 6.5\DeIsL1.isu" -c"C:\Program Files\Adobe\Premiere 6.5\Uninst.dll"
Adobe Shockwave Player 11 --> C:\WINDOWS\system32\adobe\SHOCKW~1\UNWISE.EXE C:\WINDOWS\system32\Adobe\SHOCKW~1\Install.log
Adobe SVG Viewer 3.0 --> C:\Program Files\Common Files\Adobe\SVG Viewer 3.0\Uninstall\Winstall.exe -u -fC:\Program Files\Common Files\Adobe\SVG Viewer 3.0\Uninstall\Install.log
Adobe Type Manager 4.1 --> C:\WINDOWS\uninst.exe -f"C:\Program Files\Adobe Type Manager\DeIsL1.isu" -c"C:\Program Files\Adobe Type Manager\UNINST.DLL"
Advanced RealMedia Export Plug-in for Premiere 6.0 --> C:\Program Files\Adobe\Premiere 6.5\Plug-ins\RNCompiler\rnuninst.exe RealNetworks|RNCompiler|6.0
Alien Shooter --> MsiExec.exe /X{C652A4A8-B82C-43C4-86AA-3753CDACFF3F}
ALPS Touch Pad Driver --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{9F72EF8B-AEC9-4CA5-B483-143980AFD6FD}\setup.exe" UNINSTALL
AnswerWorks 4.0 Runtime - English --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\10\00\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{7DD9A065-2C86-4A9F-A5FF-796EC1B99DCA}\setup.exe" -l0x9 -removeonly
avast! Antivirus --> C:\Program Files\Alwil Software\Avast4\aswRunDll.exe "C:\Program Files\Alwil Software\Avast4\Setup\setiface.dll",RunSetup
AVG 7.5 --> C:\Program Files\Grisoft\AVG7\setup.exe /UNINSTALL
Boggle® --> C:\PROGRA~1\SHOCKW~1.COM\Boggle\UNWISE.EXE C:\PROGRA~1\SHOCKW~1.COM\Boggle\INSTALL.LOG
Broadcom 440x 10/100 Integrated Controller --> MsiExec.exe /X{9C9D0F85-5658-4A5E-95A9-65F7DB2916EE}
C-Major Audio --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\10\01\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{A462213D-EED4-42C2-9A60-7BDD4D4B0B17}\setup.exe" -l0x9 -remove -removeonly
Camp Funshine: Carrie the Caregiver 3 --> C:\PROGRA~1\SHOCKW~1.COM\CAMPFU~1\UNWISE.EXE C:\PROGRA~1\SHOCKW~1.COM\CAMPFU~1\INSTALL.LOG
CCleaner (remove only) --> "C:\Program Files\CCleaner\uninst.exe"
Confidence Online Portal Edition for Ameritrade --> rundll32 url.dll,FileProtocolHandler C:\Documents and Settings\Mike\Application Data\WholeSecurity\CAT\UninstallPE.html
Dell Digital Jukebox Driver --> C:\Program Files\Dell\Digital Jukebox Drivers\DrvUnins.exe /s
Drop 2 --> C:\PROGRA~1\eGames\DROP2~1\UNWISE.EXE C:\PROGRA~1\eGames\DROP2~1\INSTALL.LOG
DVD Shrink 3.2 --> "C:\Program Files\DVD Shrink\unins000.exe"
DVDit! LE --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{3B24D221-448E-11D4-A499-0050DA6E827C}\Setup.exe" -L0x9
eGames GameButler --> C:\PROGRA~1\eGames\GAMEBU~1\UNWISE.EXE C:\PROGRA~1\eGames\GAMEBU~1\INSTALL.LOG
EVEREST Ultimate Edition v2.20 --> "C:\Program Files\Lavalys\EVEREST Ultimate Edition\unins000.exe"
Flipster Twin Pack --> C:\PROGRA~1\eGames\FLIPST~1\UNWISE.EXE C:\PROGRA~1\eGames\FLIPST~1\INSTALL.LOG
Generic LT Soft --> MsiExec.exe /I{E886B505-E8EE-4074-8FEF-FE6A062C1C7F}
Glary Utilities 2.2.1.63 --> "C:\Program Files\Glary Utilities\unins000.exe"
Google Earth --> MsiExec.exe /I{1E04F83B-2AB9-4301-9EF7-E86307F79C72}
GoToAssist 8.0.0.480 --> C:\Program Files\Citrix\GoToAssist\480\G2AUninstaller.exe /uninstall
High Definition Audio Driver Package - KB835221 --> C:\WINDOWS\$NtUninstallKB835221WXP$\spuninst\spuninst.exe
HijackThis 2.0.2 --> "C:\Documents and Settings\Mike\Desktop\DAD\Computer Check and Repair\Backup Zip Files\HijackThis.exe" /uninstall
Hotfix for Windows Media Format 11 SDK (KB929399) --> "C:\WINDOWS\$NtUninstallKB929399$\spuninst\spuninst.exe"
Intel® Graphics Media Accelerator Driver for Mobile --> RUNDLL32.EXE C:\WINDOWS\system32\ialmrem.dll,UninstallW2KIGfx2ID PCI\VEN_8086&DEV_2792 PCI\VEN_8086&DEV_2592
Intel® PROSet/Wireless Software --> C:\WINDOWS\Installer\iProInst.exe
InterActual Player --> C:\Program Files\InterActual\InterActual Player\inuninst.exe
J2SE Runtime Environment 5.0 Update 12 --> MsiExec.exe /I{3248F0A8-6813-11D6-A77B-00B0D0150120}
Jasc Paint Shop Photo Album --> MsiExec.exe /I{CC000127-5E5D-4A1C-90CB-EEAAAC1E3AC0}
mCore --> MsiExec.exe /I{6DE14BE4-6F04-4935-8ABD-A0A19FE2E55A}
mDriver --> MsiExec.exe /I{28DA872A-0848-48CF-B749-19A198157A2A}
mDrWiFi --> MsiExec.exe /I{F6090A17-0967-4A8A-B3C3-422A1B514D49}
mHlpDell --> MsiExec.exe /I{49D687E5-6784-431B-A0A2-2F23B8CC5A1B}
Microsoft Compression Client Pack 1.0 for Windows XP --> "C:\WINDOWS\$NtUninstallMSCompPackV1$\spuninst\spuninst.exe"
Microsoft Office 2000 SR-1 Premium --> MsiExec.exe /I{00000409-78E1-11D2-B60F-006097C998E7}
Microsoft Picture It! Premium 10 --> "C:\Program Files\Common Files\Microsoft Shared\Picture It!\RmvSuite.exe" ADDREMOVE=1 SKU=PREM
Microsoft Silverlight --> MsiExec.exe /I{89F4137D-6C26-4A84-BDB8-2E5A4BB71E00}
Microsoft Streets and Trips 2005 --> MsiExec.exe /I{67E4EE98-59F4-4210-89A6-A20AF5BEC689}
Microsoft User-Mode Driver Framework Feature Pack 1.0 --> "C:\WINDOWS\$NtUninstallWudf01000$\spuninst\spuninst.exe"
Microsoft Word 2002 --> MsiExec.exe /I{911B0409-6000-11D3-8CFE-0050048383C9}
Microsoft Works --> MsiExec.exe /I{416D80BA-6F6D-4672-B7CF-F54DA2F80B44}
Microsoft Works 2005 Setup Launcher --> C:\Program Files\Microsoft Works Suite 2005\Setup\Launcher.exe /ARP D:\
Microsoft Works Suite Add-in for Microsoft Word --> MsiExec.exe /I{CB54ABA8-D67F-47AD-A76C-2631BADA9FE5}
mIWA --> MsiExec.exe /I{3E9D596A-61D4-4239-BD19-2DB984D2A16F}
mIWCA --> MsiExec.exe /I{6FFFE74E-3FBD-4E2E-97F9-5E9A2A077626}
mLogView --> MsiExec.exe /I{0E2B0B41-7E08-4F9F-B21F-41C4133F43B7}
mMHouse --> MsiExec.exe /I{F0BFC7EF-9CF8-44EE-91B0-158884CD87C5}
mPfMgr --> MsiExec.exe /I{8B928BA1-EDEC-4227-A2DA-DD83026C36F5}
mPfWiz --> MsiExec.exe /I{90B0D222-8C21-4B35-9262-53B042F18AF9}
mProSafe --> MsiExec.exe /I{23FB368F-1399-4EAC-817C-4B83ECBE3D83}
MSN --> C:\Program Files\MSN\MsnInstaller\msninst.exe /Action:ARP
MSN SideGuide --> MsiExec.exe /X{3C0CD2A4-75C0-4B85-8DC9-7D72BC700D3C}
mSSO --> MsiExec.exe /I{06BE8AFD-A8E2-4B63-BAE7-287016D16ACB}
mToolkit --> MsiExec.exe /I{CA9BAADB-C262-4E05-B2E2-CEE8CE9809EC}
MUSICMATCH® Jukebox --> C:\PROGRA~1\MUSICM~1\MUSICM~1\unmatch.exe
mWlsSafe --> MsiExec.exe /I{FCA651F3-5BDA-4DDA-9E4A-5D87D6914CC4}
mXML --> MsiExec.exe /I{9CC89556-3578-48DD-8408-04E66EBEF401}
mZConfig --> MsiExec.exe /I{7CD7A451-7224-49C8-95EF-9A1859C66607}
Nero - Burning Rom --> MsiExec.exe /X{A4D7B764-4140-11D4-88EB-0050DA3579C0}
OnDemand5 --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\0701\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{5F7DFDFA-27B3-4E06-BCDE-B371424C0032}\setup.exe" -l0x9
PCFriendly --> C:\Program Files\PCFriendly\inuninst.exe
Penguin Puzzle --> C:\PROGRA~1\eGames\PENGUI~1\UNWISE.EXE C:\PROGRA~1\eGames\PENGUI~1\INSTALL.LOG
Pirates of Treasure Island --> C:\PROGRA~1\eGames\PIRATE~1\UNWISE.EXE C:\PROGRA~1\eGames\PIRATE~1\INSTALL.LOG
PowerDVD 5.5 --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{6811CAA0-BF12-11D4-9EA1-0050BAE317E1}\Setup.exe" -uninstall
Quicken 2007 --> MsiExec.exe /X{0D2E80C8-0875-43EB-9623-47118E2DFBCA}
QuickTime --> C:\WINDOWS\unvise32qt.exe C:\WINDOWS\system32\QuickTime\Uninstall.log
RealPlayer --> C:\Program Files\Common Files\Real\Update_OB\r1puninst.exe RealNetworks|RealPlayer|6.0
Registry Mechanic --> "C:\Program Files\Registry Mechanic\unins000.exe"
Rhapsody Player Engine --> MsiExec.exe /I{2DFF31F9-7893-4922-AF66-C9A1EB4EBB31}
Risk® --> C:\PROGRA~1\SHOCKW~1.COM\Risk\UNWISE.EXE C:\PROGRA~1\SHOCKW~1.COM\Risk\INSTALL.LOG
Skype™ 3.6 --> MsiExec.exe /X{5C82DAE5-6EB0-4374-9254-BE3319BA4E82}
SmartSound Quicktracks for Premiere 6.5 --> C:\WINDOWS\unvise32.exe C:\Program Files\Adobe\Premiere 6.5\Plug-ins\SmartSound\uninstal.log
Sonic DLA --> MsiExec.exe /I{1206EF92-2E83-4859-ACCB-2048C3CB7DA6}
Sonic MyDVD --> MsiExec.exe /I{21657574-BD54-48A2-9450-EB03B2C7FC29}
Sonic RecordNow! --> MsiExec.exe /I{9541FED0-327F-4DF0-8B96-EF57EF622F19}
Sonic Update Manager --> MsiExec.exe /I{09DA4F91-2A09-4232-AB8C-6BC740096DE3}
Sunbelt Personal Firewall --> MsiExec.exe /X{BFD080F6-3BF0-40E1-9507-9CA969C35870}
TC Native Essentials 2.02 --> C:\PROGRA~1\TCWorks\TCNativeEssentials202\UninstallTCEssentials.exe C:\PROGRA~1\TCWorks\TCNativeEssentials202\INSTALL.LOG
TurboTax ItsDeductible 2006 --> MsiExec.exe /X{AFF1EA96-9C23-4249-B7D4-CD4B54D4582F}
TurboTax Premier 2007 --> C:\Program Files\TurboTax\Premier 2007\TaxUnst.EXE "C:\Program Files\TurboTax\Premier 2007\Uninstall.log" -NoGui
TurboTax Premier Investments 2006 --> C:\Program Files\TurboTax\Premier 2006\TaxUnst.EXE "C:\Program Files\TurboTax\Premier 2006\Uninstall.log" -NoGui
Virtual Villagers: The Lost Children --> C:\PROGRA~1\SHOCKW~1.COM\VIRTUA~2\UNWISE.EXE C:\PROGRA~1\SHOCKW~1.COM\VIRTUA~2\INSTALL.LOG
Virtual Villagers® - The Secret City --> C:\PROGRA~1\SHOCKW~1.COM\VIRTUA~1\UNWISE.EXE C:\PROGRA~1\SHOCKW~1.COM\VIRTUA~1\INSTALL.LOG
Westward II: Heroes of the Frontier™ --> C:\PROGRA~1\SHOCKW~1.COM\WESTWA~1\UNWISE.EXE C:\PROGRA~1\SHOCKW~1.COM\WESTWA~1\INSTALL.LOG
WexTech AnswerWorks --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\0701\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{EA2BEBD6-87B9-41E5-95AC-7E4C165A9475}\SETUP.EXE" -l0x9 -eliminate
Windows Defender --> MsiExec.exe /I{A06275F4-324B-4E85-95E6-87B2CD729401}
Windows Media Format 11 runtime --> "C:\WINDOWS\$NtUninstallWMFDist11$\spuninst\spuninst.exe"
WinReplay --> MsiExec.exe /I{0C4D367E-FF3A-4668-83EF-D2AD968BB3C0}
Yahoo! Toolbar --> C:\PROGRA~1\Yahoo!\Common\unyt.exe

-- Application Event Log -------------------------------------------------------
Event Record #/Type559 / Error
Event Submitted/Written: 05/30/2008 01:28:40 PM
Event ID/Source: 1002 / Application Hang
Event Description:
Hanging application iexplore.exe, version 7.0.6000.16640, hang module hungapp, version 0.0.0.0, hang address 0x00000000.

Event Record #/Type552 / Error
Event Submitted/Written: 05/30/2008 10:50:31 AM
Event ID/Source: 100 / AVG7
Event Description:
2008-05-30 16:50:31,531 MIKE [000672:000680] ERROR 000 AVG7.WTS.CAvgAmWts ProcessIdToSessionId(1664) call failed with WIN32 error 87, returning session id is 0

Event Record #/Type540 / Error
Event Submitted/Written: 05/30/2008 07:22:21 AM
Event ID/Source: 1002 / Application Hang
Event Description:
Hanging application xpa.exe, version 0.0.0.0, hang module hungapp, version 0.0.0.0, hang address 0x00000000.

Event Record #/Type539 / Error
Event Submitted/Written: 05/30/2008 06:48:41 AM
Event ID/Source: 1000 / Application Error
Event Description:
Faulting application wmplayer.exe, version 11.0.5721.5145, faulting module mcspmpeg.ax, version 1.0.0.29, fault address 0x000066b2.
Processing media-specific event for [wmplayer.exe!ws!]

Event Record #/Type538 / Error
Event Submitted/Written: 05/30/2008 06:37:13 AM
Event ID/Source: 1000 / Application Error
Event Description:
Faulting application wmplayer.exe, version 11.0.5721.5145, faulting module mcspmpeg.ax, version 1.0.0.29, fault address 0x000066b2.
Processing media-specific event for [wmplayer.exe!ws!]

-- Security Event Log ----------------------------------------------------------
No Errors/Warnings found.

-- System Event Log ------------------------------------------------------------
Event Record #/Type12296 / Warning
Event Submitted/Written: 05/30/2008 10:29:40 PM
Event ID/Source: 3004 / WinDefend
Event Description:
%MIKE27 Real-Time Protection agent has detected changes. Microsoft recommends you analyze the software that made these changes for potential risks. You can use information about how these programs operate to choose whether to allow them to run or remove them from your computer. Allow changes only if you trust the program or the software publisher. %MIKE27 can't undo changes that you allow.
For more information please see the following: %MIKE275
Scan ID: {DE717F2F-CA6B-4333-9654-B4F0123C925E}
User: MIKE\Mike
Name: %MIKE271
ID: %MIKE272
Severity: 1.1.1593.05
Category: 1.1.1593.06
Path Found: %MIKE276
Alert Type: %MIKE278
Detection Type: 1.1.1593.02

Event Record #/Type12295 / Warning
Event Submitted/Written: 05/30/2008 10:29:40 PM
Event ID/Source: 3004 / WinDefend
Event Description:
%MIKE27 Real-Time Protection agent has detected changes. Microsoft recommends you analyze the software that made these changes for potential risks. You can use information about how these programs operate to choose whether to allow them to run or remove them from your computer. Allow changes only if you trust the program or the software publisher. %MIKE27 can't undo changes that you allow.
For more information please see the following: %MIKE275
Scan ID: {129EC608-5124-42EE-BFDC-90085D82A9E8}
User: MIKE\Mike
Name: %MIKE271
ID: %MIKE272
Severity: 1.1.1593.05
Category: 1.1.1593.06
Path Found: %MIKE276
Alert Type: %MIKE278
Detection Type: 1.1.1593.02

Event Record #/Type12294 / Warning
Event Submitted/Written: 05/30/2008 10:29:40 PM
Event ID/Source: 3004 / WinDefend
Event Description:
%MIKE27 Real-Time Protection agent has detected changes. Microsoft recommends you analyze the software that made these changes for potential risks. You can use information about how these programs operate to choose whether to allow them to run or remove them from your computer. Allow changes only if you trust the program or the software publisher. %MIKE27 can't undo changes that you allow.
For more information please see the following: %MIKE275
Scan ID: {B5EAB7BB-2A7B-4539-87B1-2AD3FDD4C46F}
User: MIKE\Mike
Name: %MIKE271
ID: %MIKE272
Severity: 1.1.1593.05
Category: 1.1.1593.06
Path Found: %MIKE276
Alert Type: %MIKE278
Detection Type: 1.1.1593.02

Event Record #/Type12293 / Warning
Event Submitted/Written: 05/30/2008 10:29:38 PM
Event ID/Source: 3004 / WinDefend
Event Description:
%MIKE27 Real-Time Protection agent has detected changes. Microsoft recommends you analyze the software that made these changes for potential risks. You can use information about how these programs operate to choose whether to allow them to run or remove them from your computer. Allow changes only if you trust the program or the software publisher. %MIKE27 can't undo changes that you allow.
For more information please see the following: %MIKE275
Scan ID: {BC45EEA3-88F1-4F3D-98F3-4505F097D04E}
User: MIKE\Mike
Name: %MIKE271
ID: %MIKE272
Severity: 1.1.1593.05
Category: 1.1.1593.06
Path Found: %MIKE276
Alert Type: %MIKE278
Detection Type: 1.1.1593.02

Event Record #/Type12292 / Warning
Event Submitted/Written: 05/30/2008 10:29:38 PM
Event ID/Source: 3004 / WinDefend
Event Description:
%MIKE27 Real-Time Protection agent has detected changes. Microsoft recommends you analyze the software that made these changes for potential risks. You can use information about how these programs operate to choose whether to allow them to run or remove them from your computer. Allow changes only if you trust the program or the software publisher. %MIKE27 can't undo changes that you allow.
For more information please see the following: %MIKE275
Scan ID: {C3928D78-6850-46A3-9550-4C3B7A76B9BA}
User: MIKE\Mike
Name: %MIKE271
ID: %MIKE272
Severity: 1.1.1593.05
Category: 1.1.1593.06
Path Found: %MIKE276
Alert Type: %MIKE278
Detection Type: 1.1.1593.02

-- End of Deckard's System Scanner: finished at 2008-05-30 22:31:17 ------------

Deckard's System Scanner v20071014.68
Run by Mike on 2008-05-30 22:26:44
Computer is in Normal Mode.
--------------------------------------------------------------------------------

-- System Restore --------------------------------------------------------------
Successfully created a Deckard's System Scanner Restore Point.

-- Last 5 Restore Point(s) --
77: 2008-05-31 04:26:55 UTC - RP145 - Deckard's System Scanner Restore Point
76: 2008-05-31 00:18:55 UTC - RP144 - Windows Defender Checkpoint
75: 2008-05-31 00:02:29 UTC - RP143 - Software Distribution Service 3.0
74: 2008-05-30 16:57:13 UTC - RP142 - Software Distribution Service 3.0
73: 2008-05-30 16:49:26 UTC - RP141 - Software Distribution Service 3.0

-- First Restore Point --
1: 2008-05-26 15:17:02 UTC - RP69 - System Checkpoint

Backed up registry hives.
Performed disk cleanup.
-- HijackThis Clone ------------------------------------------------------------
Emulating logfile of Trend Micro HijackThis v2.0.2
Scan saved at 2008-05-30 22:29:17
Platform: Windows XP Service Pack 2 (5.01.2600)
MSIE: Internet Explorer (7.00.6000.16640)
Boot mode: Normal

Running processes:
C:\WINDOWS\system32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
C:\Program Files\Intel\Wireless\Bin\WLKEEPER.exe
C:\Program Files\Intel\Wireless\Bin\ZCfgSvc.exe
C:\WINDOWS\explorer.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Intel\Wireless\Bin\1XConfig.exe
C:\Program Files\Grisoft\AVG7\avgamsvr.exe
C:\Program Files\Grisoft\AVG7\avgupsvc.exe
C:\Program Files\Grisoft\AVG7\avgemc.exe
C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\hkcmd.exe
C:\WINDOWS\system32\igfxpers.exe
C:\Program Files\Intel\Wireless\Bin\iFrmewrk.exe
C:\Program Files\Apoint\Apoint.exe
C:\Program Files\Windows Defender\MSASCui.exe
C:\Program Files\Alwil Software\Avast4\ashDisp.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\system32\igfxsrvc.exe
C:\Program Files\Apoint\ApntEx.exe
C:\Program Files\Apoint\hidfind.exe
C:\WINDOWS\system32\taskmgr.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Documents and Settings\Mike\Desktop\DAD\Computer Check and Repair\Computer Cleaners\Virus Checkers\Deckard's system scanner.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
O2 - BHO: Skype add-on (mastermind) - {22BF413B-C6D2-4d91-82A9-A0F997BA588C} - C:\Program Files\Skype\Toolbars\Internet Explorer\SkypeIEPlugin.dll
O2 - BHO: (no name) - {4647C2C7-9F3D-4220-87D9-43E617F67478} - C:\WINDOWS\system32\ddcBuRlI.dll
O4 - HKLM\..\Run: [igfxtray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [igfxhkcmd] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [igfxpers] C:\WINDOWS\system32\igfxpers.exe
O4 - HKLM\..\Run: [IntelZeroConfig] C:\Program Files\Intel\Wireless\bin\ZCfgSvc.exe
O4 - HKLM\..\Run: [IntelWireless] C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe /tf Intel PROSet/Wireless
O4 - HKLM\..\Run: [Apoint] C:\Program Files\Apoint\Apoint.exe
O4 - HKLM\..\Run: [Windows Defender] "C:\Program Files\Windows Defender\MSASCui.exe" -hide
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKUS\S-1-5-19\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'NETWORK SERVICE')
O9 - Extra button: Skype - {77BF5300-1474-4EC7-9980-D32B190E9B07} - C:\Program Files\Skype\Toolbars\Internet Explorer\SkypeIEPlugin.dll
O15 - Trusted Zone: https://ameritrade.com (HKCU)
O15 - Trusted Zone: https://tdameritrade.com (HKCU)
O15 - Trusted Zone: https://turbotax.com (HKCU)
O18 - Protocol: cdo - {CD00020A-8B95-11D1-82DB-00C04FB1625D} - C:\Program Files\Common Files\Microsoft Shared\Web Folders\PKMCDO.DLL
O18 - Protocol: ms-itss - {0A9007C0-4076-11D3-8789-0000F8105754} - C:\Program Files\Common Files\Microsoft Shared\Information Retrieval\msitss.dll
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\Program Files\Common Files\Skype\Skype4COM.dll
O20 - Winlogon Notify: ddcBuRlI - C:\WINDOWS\system32\ddcBuRlI.dll
O20 - Winlogon Notify: nnnLDvuT - C:\WINDOWS\system32\nnnLDvuT.dll (file missing)
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft AB - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: ATM Service (ATMsrvc) - Adobe Systems Incorporated - C:\WINDOWS\system32\ATMsrvc.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
O23 - Service: avast! Web Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\Program Files\Grisoft\AVG7\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\Program Files\Grisoft\AVG7\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\Program Files\Grisoft\AVG7\avgemc.exe
O23 - Service: EvtEng - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
O23 - Service: GoToAssist - Citrix Online, a division of Citrix Systems, Inc. - C:\Program Files\Citrix\GoToAssist\480\g2aservice.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: RegSrvc - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
O23 - Service: Spectrum24 Event Monitor (S24EventMonitor) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
O23 - Service: Sunbelt Personal Firewall 4 (SPF4) - Sunbelt Software - C:\Program Files\Sunbelt Software\Personal Firewall\kpf4ss.exe
O23 - Service: WLANKEEPER - Intel® Corporation - C:\Program Files\Intel\Wireless\Bin\WLKEEPER.exe
O24 - Desktop Component 0: Privacy Protection - file:///C:\WINDOWS\privacy_danger\index.htm

--
End of file - 6035 bytes

-- File Associations -----------------------------------------------------------
All associations okay.

-- Drivers: 0-Boot, 1-System, 2-Auto, 3-Demand, 4-Disabled ---------------------
R1 OMCI - c:\windows\system32\drivers\omci.sys <Not Verified; Dell Computer Corporation; OMCI Driver>
R2 AegisP (AEGIS Protocol (IEEE 802.1x) v3.2.0.3) - c:\windows\system32\drivers\aegisp.sys <Not Verified; Meetinghouse Data Communications; AEGIS Client 3.2.0.3>
R2 s24trans (WLAN Transport) - c:\windows\system32\drivers\s24trans.sys <Not Verified; Intel Corporation; Intel Wireless LAN Packet Driver>
R3 catchme - c:\docume~1\mike\locals~1\temp\catchme.sys (file missing)
R3 pfc (Padus ASPI Shell) - c:\windows\system32\drivers\pfc.sys <Not Verified; Padus, Inc.; Padus® ASPI Shell>
S0 cercsr6 - c:\windows\system32\drivers\cercsr6.sys <Not Verified; Adaptec, Inc.; Dell RAID Controller>
S3 UIUSys (Conexant Setup API) - c:\windows\system32\drivers\uiusys.sys (file missing)

-- Services: 0-Boot, 1-System, 2-Auto, 3-Demand, 4-Disabled --------------------
R2 RegSrvc - c:\program files\intel\wireless\bin\regsrvc.exe <Not Verified; Intel Corporation; RegSrvc Module>
R2 WLANKEEPER - c:\program files\intel\wireless\bin\wlkeeper.exe <Not Verified; Intel® Corporation; SSOFSet Service>
S4 ATMsrvc (ATM Service) - c:\windows\system32\atmsrvc.exe <Not Verified; Adobe Systems Incorporated; Adobe Type Manager>

-- Device Manager: Disabled ----------------------------------------------------
Class GUID: {4D36E972-E325-11CE-BFC1-08002BE10318}
Description: Broadcom 440x 10/100 Integrated Controller
Device ID: PCI\VEN_14E4&DEV_170C&SUBSYS_01881028&REV_02\4&2FA23535&0&00F0
Manufacturer: Broadcom
Name: Broadcom 440x 10/100 Integrated Controller
PNP Device ID: PCI\VEN_14E4&DEV_170C&SUBSYS_01881028&REV_02\4&2FA23535&0&00F0
Service: bcm4sbxp

Class GUID: {4D36E97E-E325-11CE-BFC1-08002BE10318}
Description: PCI Modem
Device ID: PCI\VEN_8086&DEV_266D&SUBSYS_542314F1&REV_03\3&61AAA01&0&F3
Manufacturer:
Name: PCI Modem
PNP Device ID: PCI\VEN_8086&DEV_266D&SUBSYS_542314F1&REV_03\3&61AAA01&0&F3
Service:

-- Scheduled Tasks -------------------------------------------------------------
2008-05-30 21:54:46 330 --ah----- C:\WINDOWS\Tasks\MP Scheduled Scan.job

-- Files created between 2008-04-30 and 2008-05-30 -----------------------------
2008-05-30 20:26:33 324864 --a------ C:\WINDOWS\system32\pmnllIcd.dll
2008-05-30 19:26:35 324864 --a------ C:\WINDOWS\system32\pmnmnKCV.dll
2008-05-30 06:27:38 0 d-------- C:\Documents and Settings\All Users\Application Data\SeekmoSA
2008-05-30 06:27:38 0 d-------- C:\Documents and Settings\All Users\Application Data\2ACA5CC3-0F83-453D-A079-1076FE1A8B65
2008-05-30 06:27:25 0 d-------- C:\Documents and Settings\Mike\Application Data\Seekmo
2008-05-30 06:19:18 33920 --a------ C:\WINDOWS\system32\ddcBuRlI.dll
2008-05-30 02:32:18 0 dr-h----- C:\Documents and Settings\Mike\Recent
2008-05-29 20:15:46 0 d-------- C:\Documents and Settings\All Users\Application Data\Sandlot Games
2008-05-28 20:15:13 4096 --a------ C:\WINDOWS\d3dx.dat
2008-05-28 18:52:06 0 d-------- C:\Program Files\Shockwave.com
2008-05-28 03:42:23 0 d--h----- C:\WINDOWS\system32\WLANProfiles
2008-05-28 03:42:23 0 d--h----- C:\Settings
2008-05-28 00:29:13 0 d-------- C:\WINDOWS\system32\Virus Stuff
2008-05-27 12:48:17 0 d-------- C:\!Submit
2008-05-27 11:01:39 0 d-------- C:\WINDOWS\ERUNT
2008-05-27 08:46:14 0 d-------- C:\Program Files\Antivirus2008
2008-05-27 02:36:33 0 d-------- C:\Program Files\ACW
2008-05-27 02:34:32 614734 --ahs---- C:\WINDOWS\system32\stEKUvut.ini2
2008-05-27 00:06:18 0 d-------- C:\Documents and Settings\LeeAnn\Application Data\Intuit
2008-05-27 00:05:38 0 d-------- C:\Documents and Settings\LeeAnn\Application Data\Real
2008-05-27 00:05:24 0 d-------- C:\Documents and Settings\LeeAnn\Application Data\TmpRecentIcons
2008-05-27 00:04:04 0 d-------- C:\Documents and Settings\LeeAnn\Application Data\Identities
2008-05-26 19:46:54 0 d-------- C:\Program Files\Windows Defender
2008-05-26 18:55:15 0 d-------- C:\Program Files\Microsoft AntiSpyware
2008-05-26 18:54:35 0 d-------- C:\WINDOWS\Downloaded Installations
2008-05-26 12:15:59 0 d--h----- C:\WINDOWS\system32\GroupPolicy
2008-05-26 12:15:59 0 d-------- C:\Documents and Settings\Mike\Application Data\TmpRecentIcons
2008-05-26 09:20:17 0 dr-h----- C:\$VAULT$.AVG
2008-05-26 09:16:49 634469 --ahs---- C:\WINDOWS\system32\MloXwGgh.ini2
2008-05-26 08:09:35 0 d-------- C:\Documents and Settings\All Users\Application Data\Adsl Software Limited
2008-05-23 20:29:58 0 d-------- C:\Documents and Settings\All Users\Application Data\Hot Lava Games
2008-05-23 20:12:16 0 d-------- C:\Documents and Settings\Mike\Application Data\Yahoo!
2008-05-23 20:12:16 0 d-------- C:\Documents and Settings\All Users\Application Data\Yahoo! Companion
2008-05-23 20:11:41 0 d-------- C:\Program Files\Yahoo!
2008-05-04 13:25:19 0 d-------- C:\Documents and Settings\All Users\Application Data\Citrix
2008-05-04 13:21:20 0 d-------- C:\Program Files\Citrix
2008-05-03 14:49:55 0 d--hs---- C:\WINDOWS\CSC
2008-05-03 14:40:40 0 d-------- C:\WINDOWS\pss
2008-05-01 11:03:43 0 d-------- C:\Program Files\Apoint

-- Find3M Report ---------------------------------------------------------------
2008-05-30 01:55:08 0 d-------- C:\Documents and Settings\Mike\Application Data\AVG7
2008-05-30 00:48:57 0 d--h----- C:\Documents and Settings\Mike\Application Data\Skype
2008-05-30 00:04:43 0 d-------- C:\Documents and Settings\Mike\Application Data\skypePM
2008-05-29 02:31:33 0 d--h----- C:\Documents and Settings\Mike\Application Data\Adobe
2008-05-28 19:58:59 0 d-------- C:\Documents and Settings\Mike\Application Data\iWin
2008-05-26 09:25:50 0 d-------- C:\Program Files\Common Files
2008-05-23 21:09:17 0 d-------- C:\Program Files\GameHouse
2008-05-01 11:03:43 0 d--h----- C:\Program Files\InstallShield Installation Information
2008-04-28 11:55:18 0 d-------- C:\Program Files\InterActual
2008-04-23 17:12:35 0 d-------- C:\Program Files\Lavalys
2008-04-07 17:38:58 12288 --a------ C:\Documents and Settings\Mike\Application Data\plugcach.fon
2008-04-03 12:47:21 0 d-------- C:\Program Files\ItsDeductible2006
2008-04-03 12:46:28 0 d-------- C:\Program Files\Quicken
2008-04-03 12:43:56 0 d-------- C:\Program Files\TurboTax
2008-04-03 12:43:32 0 d-------- C:\Documents and Settings\Mike\Application Data\InstallShield
2008-04-03 12:17:43 0 d-------- C:\Documents and Settings\Mike\Application Data\Intuit
2008-04-02 15:20:08 0 d-------- C:\Program Files\Common Files\Skype
2008-04-02 11:59:49 0 d--h----- C:\Documents and Settings\Mike\Application Data\Real
2008-03-03 09:29:05 6122874 -rahs---- C:\AVG7DB_F.DAT

-- Registry Dump ---------------------------------------------------------------
*Note* empty entries & legit default entries are not shown

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{4647C2C7-9F3D-4220-87D9-43E617F67478}]
05/30/2008 06:19 AM 33920 --a------ C:\WINDOWS\system32\ddcBuRlI.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"igfxtray"="C:\WINDOWS\system32\igfxtray.exe" [10/14/2005 04:49 PM]
"igfxhkcmd"="C:\WINDOWS\system32\hkcmd.exe" [10/14/2005 04:46 PM]
"igfxpers"="C:\WINDOWS\system32\igfxpers.exe" [10/14/2005 04:50 PM]
"IntelZeroConfig"="C:\Program Files\Intel\Wireless\bin\ZCfgSvc.exe" [07/22/2005 11:46 PM]
"IntelWireless"="C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe" [07/22/2005 11:47 PM]
"Apoint"="C:\Program Files\Apoint\Apoint.exe" [10/07/2005 02:13 PM]
"Windows Defender"="C:\Program Files\Windows Defender\MSASCui.exe" [11/03/2006 07:20 PM]
"avast!"="C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe" [05/15/2008 05:19 PM]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [08/04/2004 04:00 AM]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"StartMenuLogoff"=1 (0x1)

[HKEY_CURRENT_USER\software\microsoft\internet explorer\desktop\components\0]
Source= file:///C:\WINDOWS\privacy_danger\index.htm
FriendlyName= Privacy Protection

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks]
"{4647C2C7-9F3D-4220-87D9-43E617F67478}"= C:\WINDOWS\system32\ddcBuRlI.dll [05/30/2008 06:19 AM 33920]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\ddcBuRlI]
ddcBuRlI.dll 05/30/2008 06:19 AM 33920 C:\WINDOWS\system32\ddcBuRlI.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\GoToAssist]
C:\Program Files\Citrix\GoToAssist\480\G2AWinLogon.dll 05/04/2008 01:15 PM 10792 C:\Program Files\Citrix\GoToAssist\480\g2awinlogon.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\IntelWireless]
C:\Program Files\Intel\Wireless\Bin\LgNotify.dll 07/22/2005 11:46 PM 110592 C:\Program
Files\Intel\Wireless\Bin\LgNotify.dll [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\nnnLDvuT] nnnLDvuT.dll [HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa] "Authentication Packages"= msv1_0 C:\WINDOWS\system32\hgGwXolM [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\aawservice] @="Service" [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services] "WMPNetworkSvc"=3 (0x3) "IDriverT"=3 (0x3) "aawservice"=2 (0x2) [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run-disabled] "Adobe Reader Speed Launcher"="C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe" "DVDLauncher"="C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe" "SunJavaUpdateSched"="C:\Program Files\Java\jre1.5.0_12\bin\jusched.exe" "UpdateManager"="C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" /r "PCMService"="C:\Program Files\Dell\Media Experience\PCMService.exe" "mmtask"=c:\Program Files\MusicMatch\MusicMatch Jukebox\mmtask.exe "TkBellExe"="C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot "NeroCheck"=C:\WINDOWS\system32\\NeroCheck.exe "AVG7_EMC"=C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe "AVG7_CC"=C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP "dla"=C:\WINDOWS\system32\dla\tfswctrl.exe -- End of Deckard's System Scanner: finished at 2008-05-30 22:31:17 ------------ Logfile of HijackThis v1.97.7 Scan saved at 09:13:26 AM, on 5/31/2008 Platform: Windows XP SP2 (WinNT 5.01.2600) MSIE: Internet Explorer v7.00 (7.00.6000.16640) Running processes: C:\WINDOWS\System32\smss.exe C:\WINDOWS\system32\winlogon.exe C:\WINDOWS\system32\services.exe C:\WINDOWS\system32\lsass.exe C:\WINDOWS\system32\svchost.exe C:\Program Files\Windows Defender\MsMpEng.exe C:\WINDOWS\System32\svchost.exe C:\Program Files\Intel\Wireless\Bin\EvtEng.exe C:\Program 
Files\Intel\Wireless\Bin\S24EvMon.exe C:\Program Files\Intel\Wireless\Bin\WLKeeper.exe C:\Program Files\Intel\Wireless\Bin\ZcfgSvc.exe C:\WINDOWS\Explorer.EXE C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe C:\Program Files\Alwil Software\Avast4\ashServ.exe C:\PROGRA~1\Intel\Wireless\Bin\1XConfig.exe C:\WINDOWS\system32\spoolsv.exe C:\WINDOWS\system32\igfxsrvc.exe C:\WINDOWS\system32\hkcmd.exe C:\WINDOWS\system32\igfxpers.exe C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe C:\PROGRA~1\Grisoft\AVG7\avgemc.exe C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe C:\Program Files\Apoint\Apoint.exe C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe C:\Program Files\Windows Defender\MSASCui.exe C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe C:\Program Files\Sunbelt Software\Personal Firewall\kpf4ss.exe C:\WINDOWS\system32\svchost.exe C:\WINDOWS\system32\ctfmon.exe C:\Program Files\Sunbelt Software\Personal Firewall\kpf4gui.exe C:\Program Files\Apoint\Apntex.exe C:\Program Files\Apoint\HidFind.exe C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe C:\Program Files\Alwil Software\Avast4\ashWebSv.exe C:\WINDOWS\system32\wscntfy.exe C:\Program Files\Sunbelt Software\Personal Firewall\kpf4gui.exe C:\Documents and Settings\Mike\Desktop\DAD\Computer Check and Repair\Computer Cleaners\HijackThis1.9707.exe C:\Program Files\Grisoft\AVG7\avgwb.dat C:\Program Files\Internet Explorer\IEXPLORE.EXE C:\WINDOWS\system32\NOTEPAD.EXE C:\WINDOWS\system32\NOTEPAD.EXE R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896 R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896 O2 - BHO: Skype add-on (mastermind) - {22BF413B-C6D2-4d91-82A9-A0F997BA588C} - C:\Program Files\Skype\Toolbars\Internet Explorer\SkypeIEPlugin.dll O2 - BHO: (no name) - {4647C2C7-9F3D-4220-87D9-43E617F67478} - C:\WINDOWS\system32\ddcBuRlI.dll O2 - BHO: (no name) - 
{EF889FB8-2860-48C6-9A1C-E10D674D191F} - C:\WINDOWS\system32\cbXOGVmm.dll (file missing) O4 - HKLM\..\Run: [igfxtray] C:\WINDOWS\system32\igfxtray.exe O4 - HKLM\..\Run: [igfxhkcmd] C:\WINDOWS\system32\hkcmd.exe O4 - HKLM\..\Run: [igfxpers] C:\WINDOWS\system32\igfxpers.exe O4 - HKLM\..\Run: [IntelZeroConfig] C:\Program Files\Intel\Wireless\bin\ZCfgSvc.exe O4 - HKLM\..\Run: [IntelWireless] C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe /tf Intel PROSet/Wireless O4 - HKLM\..\Run: [Apoint] C:\Program Files\Apoint\Apoint.exe O4 - HKLM\..\Run: [Windows Defender] "C:\Program Files\Windows Defender\MSASCui.exe" -hide O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe O9 - Extra button: Skype (HKLM) O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/eng/partner/u...can_unicode.cab |
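The registry dump in the post above shows the same DLL (ddcBuRlI.dll) registered as a Browser Helper Object, as a ShellExecuteHook and as a Winlogon Notify package, dropped into system32 on the last day of the scan window, plus an extra entry next to msv1_0 in LSA "Authentication Packages". The script below is an added example for this thread, not code from Deckard's System Scanner, HijackThis or the original poster: it reads lines copied from the log (a subset, embedded so the script runs offline) and reports a DLL when it is hooked into more than one of those locations, when it was created in system32 during the window, or when it is listed as a non-default authentication package. The hook classes, the three rules and the regular expressions are the editor's.

```python
"""Triage of autostart entries from a DSS-style registry dump.

Added example for this thread (editor's code, not the scanner's). The two
listings are copied from the log above; the rules are the editor's.
"""
import re
from collections import defaultdict

# Constructed sample: registry dump lines copied from the DSS log above.
REGISTRY_DUMP = r"""
[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{4647C2C7-9F3D-4220-87D9-43E617F67478}]
05/30/2008 06:19 AM 33920 --a------ C:\WINDOWS\system32\ddcBuRlI.dll
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"igfxtray"="C:\WINDOWS\system32\igfxtray.exe" [10/14/2005 04:49 PM]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks]
"{4647C2C7-9F3D-4220-87D9-43E617F67478}"= C:\WINDOWS\system32\ddcBuRlI.dll [05/30/2008 06:19 AM 33920]
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\ddcBuRlI]
ddcBuRlI.dll 05/30/2008 06:19 AM 33920 C:\WINDOWS\system32\ddcBuRlI.dll
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\IntelWireless]
C:\Program Files\Intel\Wireless\Bin\LgNotify.dll 07/22/2005 11:46 PM 110592 C:\Program Files\Intel\Wireless\Bin\LgNotify.dll
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\nnnLDvuT]
nnnLDvuT.dll
[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
"Authentication Packages"= msv1_0 C:\WINDOWS\system32\hgGwXolM
"""

# Constructed sample: entries from the "Files created" section of the same log.
FILES_CREATED = r"""
2008-05-30 20:26:33 324864 --a------ C:\WINDOWS\system32\pmnllIcd.dll
2008-05-30 06:19:18 33920 --a------ C:\WINDOWS\system32\ddcBuRlI.dll
2008-05-26 19:46:54 0 d-------- C:\Program Files\Windows Defender
"""

# Substrings of the key paths (as printed in the dump) that identify the
# locations worth correlating; other keys, such as Run, are ignored here.
HOOK_CLASSES = {
    "browser helper objects": "bho",
    "shellexecutehooks": "shellexecutehook",
    "winlogon\\notify": "winlogon_notify",
    "currentcontrolset\\control\\lsa": "lsa",
}

KEY_RE = re.compile(r"^\[(.+)\]$")
DLL_RE = re.compile(r"([A-Za-z0-9_]+\.dll)\b", re.IGNORECASE)
CREATED_RE = re.compile(r"^(\d{4}-\d{2}-\d{2}) \S+ \d+ \S+ (.+)$")


def classify_key(key):
    """Map a registry key path to one of the hook classes above, or None."""
    key = key.lower()
    for needle, label in HOOK_CLASSES.items():
        if needle in key:
            return label
    return None


def basename(path):
    return path.rsplit("\\", 1)[-1]


def parse_hooks(dump):
    """Return {dll basename (lowercased): set of hook classes it is registered in}."""
    hooks = defaultdict(set)
    current = None
    for raw in dump.splitlines():
        line = raw.strip()
        if not line:
            continue
        key = KEY_RE.match(line)
        if key:
            current = classify_key(key.group(1))
            continue
        if current is None:
            continue
        if current == "lsa":
            # The package has no extension, so DLL_RE would miss it; anything
            # listed beside the default msv1_0 is recorded.
            if line.lower().startswith('"authentication packages"'):
                for pkg in line.split("=", 1)[1].split():
                    if pkg.lower() != "msv1_0":
                        hooks[basename(pkg).lower()].add("lsa")
            continue
        for name in set(DLL_RE.findall(line)):
            hooks[name.lower()].add(current)
    return dict(hooks)


def parse_created(listing):
    """Return {basename (lowercased): creation date} for files dropped in system32."""
    created = {}
    for raw in listing.splitlines():
        m = CREATED_RE.match(raw.strip())
        if m and "\\system32\\" in m.group(2).lower():
            created[basename(m.group(2)).lower()] = m.group(1)
    return created


def triage(dump, listing):
    """Return {dll: [reasons]} for every hooked DLL that trips at least one rule."""
    created = parse_created(listing)
    findings = {}
    for name, classes in parse_hooks(dump).items():
        reasons = []
        if len(classes) > 1:
            reasons.append("registered in %d autostart locations: %s"
                           % (len(classes), ", ".join(sorted(classes))))
        if name in created:
            reasons.append("dropped into system32 on " + created[name])
        if "lsa" in classes:
            reasons.append("non-default LSA authentication package")
        if reasons:
            findings[name] = reasons
    return findings


if __name__ == "__main__":
    for name, reasons in sorted(triage(REGISTRY_DUMP, FILES_CREATED).items()):
        print(name)
        for reason in reasons:
            print("  -", reason)
```

On the sample it reports ddcBuRlI.dll (three locations, created 2008-05-30) and hgGwXolM (LSA package), and leaves LgNotify.dll alone because a single vendor-named Winlogon Notify entry that was not created in the window trips nothing. The dangling nnnLDvuT.dll entry also slips through these rules, since the dump records only a bare name for it; an entry like that still deserves a manual look, which is why the rules are a triage aid and not a verdict.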
Post #2 - Jun 2 2008, 04:49 AM - Thunder (Forum Addict; Group: Malware Response Team; Posts: 3,294; Joined: 12-December 05; From: Belgium; Member No.: 44,294)
Hello Mikesa and welcome to BleepingComputer,
1. * Clean your Cache and Cookies in IE:
Doubleclick mbam-setup.exe to install the application.
If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts; click OK to either and let MBAM proceed with the disinfection process. If asked to restart the computer, please do so immediately.

3. Please visit this webpage for instructions for downloading and running ComboFix:
http://www.bleepingcomputer.com/combofix/how-to-use-combofix

Please ensure you read this guide carefully and install the Recovery Console first. The Windows Recovery Console will allow you to boot up into a special recovery mode, in case your computer has a problem after an attempted removal of malware. This allows us to help you.

In the event you already have ComboFix, delete your current version and download the latest version as described in the tutorial. It must be saved directly to your desktop.

Note: Make sure not to click ComboFix's window while it's running. That may cause it to stall or freeze.

Please post the log from ComboFix (can also be found as C:\ComboFix.txt) in your next reply.

If you have any questions along the way, STOP and ask them before proceeding !!

Greetings,
Thunder

--
Whatever happens, make believe it was intended to ...
If I have helped you in any way, please consider a donation to help me continue the fight against malware.
Post #3 - Jun 2 2008, 10:38 AM - mikesa (Group: Members)
Quick note: cleanmgr did not appear to work... no prompts after hitting enter.

ms Malware does not appear to be working either... I tried run and then save, then run, and unless it is running in the background nothing happened.

This post has been edited by mikesa: Jun 2 2008, 10:46 AM
Post #4 - Jun 2 2008, 12:07 PM - mikesa (Group: Members)
Thunder,

I restarted the computer and then Cleanmgr and Malware worked... here is the malware post... I cannot download the HijackThis as I cannot get it into my c:programs\hijackthis file, as the prompts only allow C: (then three document files, no access to C:programs). That is the most annoying problem at the time... although it is available in Explore. Thanks for all the help... unfortunately I am leaving for Montana momentarily and might be away from the computer for a couple of days... will get back to this log as soon as possible.

ms

Malwarebytes' Anti-Malware 1.12
Database version: 722

Scan type: Quick Scan
Objects scanned: 41078
Time elapsed: 7 minute(s), 0 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 1
Registry Keys Infected: 71
Registry Values Infected: 2
Registry Data Items Infected: 0
Folders Infected: 11
Files Infected: 8

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
C:\WINDOWS\system32\ddcBuRlI.dll (Trojan.Vundo) -> Unloaded module successfully.

Registry Keys Infected:
HKEY_CLASSES_ROOT\Interface\{00b77587-be1b-4201-b8e9-09fcf50ab771} (Adware.Zango) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Interface\{067c6a37-72ea-4437-863a-5be20c246f3c} (Adware.Zango) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\hostie.bho (Adware.Zango) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\hostie.bho.1 (Adware.Zango) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Interface\{5a4737a8-b92a-4e54-970e-c2891d98ce3f} (Adware.Zango) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Interface\{ace99e77-aa2a-43c2-8c9d-caf2020fdf2b} (Adware.Zango) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Interface\{e0fb1610-b25b-49f6-be20-751b2f230e6f} (Adware.Zango) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Typelib\{087c4054-0a2b-4f35-b0db-bed3e21650f4} (Adware.Zango) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Interface\{1a2af056-1fe1-47ca-993d-5d09d18e674e} (Adware.Zango) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\toolbar.htmlmenuui (Adware.Zango) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\toolbar.htmlmenuui.1 (Adware.Zango) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\toolbar.toolbarctl (Adware.Zango) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\toolbar.toolbarctl.1 (Adware.Zango) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\hostol.mailanim (Adware.Zango) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\hostol.mailanim.1 (Adware.Zango) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\hbmain.commband (Adware.Zango) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\hbmain.commband.1 (Adware.Zango) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{93b0fa7b-50f6-41b4-ac7e-612a72ce8c3c} (Adware.Zango) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Explorer Bars\{93b0fa7b-50f6-41b4-ac7e-612a72ce8c3c} (Adware.Zango) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Explorer Bars\{93b0fa7b-50f6-41b4-ac7e-612a72ce8c3c} (Adware.Zango) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\coresrv.lfgax (Adware.Zango) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\coresrv.lfgax.1 (Adware.Zango) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Interface\{b247f5bf-bd9d-4ecd-8fc1-365f36a1fda1} (Adware.Zango) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\hostol.webmailsend (Adware.Zango) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\hostol.webmailsend.1 (Adware.Zango) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Interface\{bbbfb891-98ae-4678-86f3-bd5a2eed86c9} (Adware.Zango) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{bf1bf02c-5a86-4ecf-adac-472c54c4d21e} (Adware.Zango) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\coresrv.coreservices (Adware.Zango) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\coresrv.coreservices.1 (Adware.Zango) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\hbr.hbmain (Adware.Zango) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\hbr.hbmain.1 (Adware.Zango) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{ea0b6a1a-6a59-4a58-9c41-9966504898a5} (Adware.Zango) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\Software\Microsoft\Installer\Features\9ee2330ae5f4470cac801baac83818c9 (Adware.Zango) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\Software\Microsoft\Installer\Products\568267acfc5644dab06f058006ddbae3 (Adware.Zango) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\clientax.requiredcomponent (Adware.180Solutions) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\clientax.requiredcomponent.1 (Adware.180Solutions) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\clientax.clientinstaller (Adware.180Solutions) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\clientax.clientinstaller.1 (Adware.180Solutions) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\seekmo.desktopflash (Adware.Seekmo) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\seekmo.desktopflash.1 (Adware.Seekmo) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{914a8f99-38e4-47ec-b875-2b0653516030} (Adware.Seekmo) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\PreApproved\{914a8f99-38e4-47ec-b875-2b0653516030} (Adware.Seekmo) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{914a8f99-38e4-47ec-b875-2b0653516030} (Adware.Seekmo) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\seekmoax.clientdetector (Adware.Seekmo) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\seekmoax.clientdetector.1 (Adware.Seekmo) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{1f158a1e-a687-4a11-9679-b3ac64b86a1c} (Adware.Seekmo) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\PreApproved\{1f158a1e-a687-4a11-9679-b3ac64b86a1c} (Adware.Seekmo) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\seekmoax.userprofiles (Adware.Seekmo) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\seekmoax.userprofiles.1 (Adware.Seekmo) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{e313f5dc-cfe7-4568-84a4-c76653547571} (Adware.Seekmo) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\PreApproved\{e313f5dc-cfe7-4568-84a4-c76653547571} (Adware.Seekmo) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Interface\{bd5258af-20ae-4bd3-b748-b2851aca7335} (Adware.Seekmo) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Typelib\{995e885e-3ff5-4f66-a107-8bfb3a0f8f12} (Adware.Seekmo) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Typelib\{fbb40fdf-b715-4342-ab82-244ecc66e979} (Adware.Seekmo) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\AppID\{4a40e8fc-c7e4-4f57-9fa4-85dd77402897} (Adware.Seekmo) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\AppID\seekmo.desktopflash (Adware.Seekmo) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\AppID\seekmo.desktopflash.1 (Adware.Seekmo) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\AppID\seekmoax.clientdetector (Adware.Seekmo) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\AppID\seekmoax.clientdetector.1 (Adware.Seekmo) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\AppID\seekmoax.userprofiles (Adware.Seekmo) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\AppID\seekmoax.userprofiles.1 (Adware.Seekmo) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\aoprndtws (Malware.Trace) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\Software\Microsoft\affri (Malware.Trace) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\Software\Adsl Software Limited (Rogue.MalWarrior) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\Software\Microsoft\rdfa (Trojan.Vundo) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\affri (Malware.Trace) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{4647c2c7-9f3d-4220-87d9-43e617f67478} (Trojan.Vundo) -> Delete on reboot.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{4647c2c7-9f3d-4220-87d9-43e617f67478} (Trojan.Vundo) -> Delete on reboot.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\ddcburli (Trojan.Vundo) -> Delete on reboot.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\FCOVM (Trojan.Vundo) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\RemoveRP (Trojan.Vundo) -> Quarantined and deleted successfully.

Registry Values Infected:
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser\{07aa283a-43d7-4cbe-a064-32a21112d94d} (Adware.Zango) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks\{4647c2c7-9f3d-4220-87d9-43e617f67478} (Trojan.Vundo) -> Delete on reboot.

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
C:\Documents and Settings\All Users\Application Data\Adsl Software Limited (Rogue.MalWarrior) -> Quarantined and deleted successfully.
C:\Documents and Settings\All Users\Application Data\Adsl Software Limited\WinSpywareProtect (Rogue.MalWarrior) -> Quarantined and deleted successfully.
C:\Documents and Settings\Mike\Application Data\Seekmo (AdWare.Agent) -> Quarantined and deleted successfully.
C:\Documents and Settings\Mike\Application Data\Seekmo\IESkins (AdWare.Agent) -> Quarantined and deleted successfully.
C:\Documents and Settings\Mike\Application Data\Seekmo\v3.0 (AdWare.Agent) -> Quarantined and deleted successfully.
C:\Documents and Settings\Mike\Application Data\Seekmo\v3.0\Seekmo (AdWare.Agent) -> Quarantined and deleted successfully.
C:\Documents and Settings\Mike\Application Data\Seekmo\v3.0\Seekmo\dynamic (AdWare.Agent) -> Quarantined and deleted successfully.
C:\Documents and Settings\Mike\Application Data\Seekmo\v3.0\Seekmo\static (AdWare.Agent) -> Quarantined and deleted successfully.
C:\Documents and Settings\All Users\Application Data\SeekmoSA (Adware.Seekmo) -> Quarantined and deleted successfully.
C:\Documents and Settings\All Users\Start Menu\Programs\Seekmo (Adware.Seekmo) -> Quarantined and deleted successfully.
C:\Documents and Settings\All Users\Application Data\2ACA5CC3-0F83-453D-A079-1076FE1A8B65 (Adware.Seekmo) -> Quarantined and deleted successfully.

Files Infected:
C:\Documents and Settings\All Users\Application Data\Adsl Software Limited\WinSpywareProtect\WinSpywareProtect.exe (Rogue.MalWarrior) -> Quarantined and deleted successfully.
C:\Documents and Settings\All Users\Application Data\SeekmoSA\SeekmoSA.dat (Adware.Seekmo) -> Quarantined and deleted successfully.
C:\Documents and Settings\All Users\Application Data\SeekmoSA\SeekmoSAAbout.mht (Adware.Seekmo) -> Quarantined and deleted successfully.
C:\Documents and Settings\All Users\Application Data\SeekmoSA\SeekmoSAEULA.mht (Adware.Seekmo) -> Quarantined and deleted successfully.
C:\Documents and Settings\All Users\Start Menu\Programs\Seekmo\Reset Cursor.lnk (Adware.Seekmo) -> Quarantined and deleted successfully.
C:\Documents and Settings\All Users\Start Menu\Programs\Seekmo\Seekmo Customer Support Center.lnk (Adware.Seekmo) -> Quarantined and deleted successfully.
C:\Documents and Settings\All Users\Start Menu\Programs\Seekmo\Seekmo Uninstall Instructions.lnk (Adware.Seekmo) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\ddcBuRlI.dll (Trojan.Vundo) -> Delete on reboot.

I think this last dll was the main problem, as it came on at the outset; I just could not touch it...

ms
Post #5 - Jun 2 2008, 01:06 PM - Thunder (Group: Malware Response Team)
You're probably right, Mikesa.

Can you run ComboFix and post that log as well, please? (If necessary, run it in safe mode.)

Greetings,
Thunder
Post #6 - Jun 4 2008, 06:33 PM - mikesa (Group: Members)
Thunder,

Ran the ComboFix... wow, what a program... seems to have fixed everything. I have my "My Computer" info back; it shows the hard drives and other things. Here is the ComboFix log...

ComboFix 08-06-04.1 - Mike 2008-06-04 16:58:58.1 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.774 [GMT -6:00]
Running from: C:\Documents and Settings\Mike\Desktop\ComboFix.exe
Command switches used :: C:\Documents and Settings\Mike\Desktop\WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe
* Created a new restore point
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
C:\Program Files\Antivirus2008
C:\smp.bat
C:\WINDOWS\cookies.ini
C:\WINDOWS\regedit.com
C:\WINDOWS\system32\jrluprfa.ini
C:\WINDOWS\system32\mcrh.tmp
C:\WINDOWS\system32\MloXwGgh.ini
C:\WINDOWS\system32\MloXwGgh.ini2
C:\WINDOWS\system32\mmVGOXbc.ini
C:\WINDOWS\system32\mmVGOXbc.ini2
C:\WINDOWS\system32\oedbyijf.ini
C:\WINDOWS\system32\stEKUvut.ini
C:\WINDOWS\system32\stEKUvut.ini2
C:\WINDOWS\system32\taskmgr.com
C:\WINDOWS\system32\xaksmvat.ini
C:\WINDOWS\system32\xqauginy.ini
C:\WINDOWS\system32\yeghpoji.ini
.
((((((((((((((((((((((((( Files Created from 2008-05-04 to 2008-06-04 )))))))))))))))))))))))))))))))
.
2008-06-02 10:58 . 2008-06-02 10:58 <DIR> d-------- C:\Program Files\Hijack This
2008-06-02 10:25 . 2008-06-02 10:26 <DIR> d-------- C:\Program Files\Malwarebytes' Anti-Malware
2008-06-02 10:25 . 2008-06-02 10:25 <DIR> d-------- C:\Documents and Settings\Mike\Application Data\Malwarebytes
2008-06-02 10:25 . 2008-06-02 10:25 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Malwarebytes
2008-06-02 10:25 . 2008-05-05 20:46 27,048 --a------ C:\WINDOWS\system32\drivers\mbamcatchme.sys
2008-06-02 10:25 . 2008-05-05 20:46 15,864 --a------ C:\WINDOWS\system32\drivers\mbam.sys
2008-05-31 20:37 . 2008-05-31 20:43 <DIR> d-------- C:\Program Files\RealArcade
2008-05-31 18:40 . 2008-05-31 18:41 <DIR> d-------- C:\Program Files\Registrar Lite
2008-05-31 18:32 . 2008-06-04 16:54 8,224 --a------ C:\WINDOWS\system32\GDIPFONTCACHEV1.DAT
2008-05-30 22:50 . 2008-05-30 22:50 <DIR> d-------- C:\WINDOWS\system32\Kaspersky Lab
2008-05-30 22:50 . 2008-05-30 22:50 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Kaspersky Lab
2008-05-30 22:26 . 2008-05-30 22:26 <DIR> d-------- C:\Deckard
2008-05-29 20:15 . 2008-05-29 20:15 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Sandlot Games
2008-05-28 20:15 . 2008-05-28 20:15 4,096 --a------ C:\WINDOWS\d3dx.dat
2008-05-28 18:52 . 2008-05-29 20:14 <DIR> d-------- C:\Program Files\Shockwave.com
2008-05-28 03:42 . 2008-05-28 03:42 <DIR> d--h----- C:\WINDOWS\system32\WLANProfiles
2008-05-28 03:42 . 2008-05-28 03:42 <DIR> d--h----- C:\Settings
2008-05-28 03:42 . 2008-05-28 03:42 516 --a------ C:\Settings.ini
2008-05-28 00:29 . 2008-05-30 23:23 <DIR> d-------- C:\WINDOWS\system32\Virus Stuff
2008-05-27 12:48 . 2008-05-27 12:48 <DIR> d-------- C:\!Submit
2008-05-27 11:01 . 2008-05-27 11:01 <DIR> d-------- C:\WINDOWS\ERUNT
2008-05-27 02:36 . 2008-05-27 02:36 <DIR> d-------- C:\Program Files\ACW
2008-05-27 00:06 . 2008-05-27 00:06 <DIR> d-------- C:\Documents and Settings\LeeAnn\Application Data\Intuit
2008-05-27 00:05 . 2008-05-27 00:05 <DIR> d-------- C:\Documents and Settings\LeeAnn\Application Data\TmpRecentIcons
2008-05-26 19:46 . 2008-05-26 19:46 <DIR> d-------- C:\Program Files\Windows Defender
2008-05-26 18:55 . 2008-05-26 19:46 <DIR> d-------- C:\Program Files\Microsoft AntiSpyware
2008-05-26 18:54 . 2008-05-26 18:54 <DIR> d-------- C:\WINDOWS\Downloaded Installations
2008-05-26 12:15 . 2008-05-26 12:15 <DIR> d--h----- C:\WINDOWS\system32\GroupPolicy
2008-05-26 11:50 . 2002-12-29 01:14 81,920 --a------ C:\WINDOWS\system32\Startup.cpl
2008-05-26 09:20 . 2008-05-31 09:42 <DIR> dr-h----- C:\$VAULT$.AVG
2008-05-23 20:29 . 2008-05-23 20:29 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Hot Lava Games
2008-05-23 20:12 . 2008-05-23 20:12 <DIR> d-------- C:\Documents and Settings\Mike\Application Data\Yahoo!
2008-05-23 20:12 . 2008-05-28 18:52 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Yahoo! Companion
2008-05-23 20:11 . 2008-05-23 20:11 <DIR> d-------- C:\Program Files\Yahoo!
2008-05-04 13:25 . 2008-05-04 13:25 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Citrix
2008-05-04 13:21 . 2008-05-04 13:21 <DIR> d-------- C:\Program Files\Citrix
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-06-04 23:10 12,376 ----a-w C:\WINDOWS\system32\drivers\fwdrv.err
2008-06-04 22:41 --------- d-----w C:\Documents and Settings\Mike\Application Data\AVG7
2008-06-04 22:23 --------- d--h--w C:\Documents and Settings\Mike\Application Data\Skype
2008-06-04 22:21 --------- d-----w C:\Documents and Settings\Mike\Application Data\skypePM
2008-05-31 14:22 --------- d-----w C:\Documents and Settings\All Users\Application Data\AVG7
2008-05-30 02:21 --------- d---a-w C:\Documents and Settings\All Users\Application Data\TEMP
2008-05-29 14:00 --------- d-----w C:\Documents and Settings\LocalService\Application Data\AVG7
2008-05-29 01:58 --------- d-----w C:\Documents and Settings\Mike\Application Data\iWin
2008-05-24 03:09 --------- d-----w C:\Program Files\GameHouse
2008-05-01 17:03 --------- d--h--w C:\Program Files\InstallShield Installation Information
2008-05-01 17:03 --------- d-----w C:\Program Files\Apoint
2008-04-28 17:55 --------- d-----w C:\Program Files\InterActual
2008-04-23 23:12 --------- d-----w C:\Program Files\Lavalys
2008-04-02 21:20 32 ----a-w C:\Documents and Settings\All Users\Application Data\ezsid.dat
2008-03-27 08:12 151,583 ----a-w C:\WINDOWS\system32\msjint40.dll
2008-03-19 09:47 1,845,248 ----a-w C:\WINDOWS\system32\win32k.sys
2008-01-01 02:11 6,186 ---ha-w C:\Documents and Settings\Mike\Application Data\wklnhst.dat
2007-12-18 20:28 63,704 ---ha-w C:\Documents and Settings\Mike\Application Data\GDIPFONTCACHEV1.DAT
2007-11-04 21:01 32 ----a-r C:\Documents and Settings\All Users\hash.dat
.
----a-r 1,547,688 2005-10-21 05:13:26 C:\Documents and Settings\Mike\Desktop\DAD\Computer Programs\guitar chord .exe

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{EF889FB8-2860-48C6-9A1C-E10D674D191F}]
C:\WINDOWS\system32\cbXOGVmm.dll

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 04:00 15360]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"igfxtray"="C:\WINDOWS\system32\igfxtray.exe" [2005-10-14 16:49 94208]
"igfxhkcmd"="C:\WINDOWS\system32\hkcmd.exe" [2005-10-14 16:46 77824]
"igfxpers"="C:\WINDOWS\system32\igfxpers.exe" [2005-10-14 16:50 114688]
"IntelZeroConfig"="C:\Program Files\Intel\Wireless\bin\ZCfgSvc.exe" [2005-07-22 23:46 401408]
"IntelWireless"="C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe" [2005-07-22 23:47 385024]
"Apoint"="C:\Program Files\Apoint\Apoint.exe" [2005-10-07 14:13 176128]
"TkBellExe"="C:\Program Files\Common Files\Real\Update_OB\realsched.exe" [2007-12-27 10:44 185896]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\GoToAssist]
C:\Program Files\Citrix\GoToAssist\480\G2AWinLogon.dll 2008-05-04 13:15 10792 C:\Program Files\Citrix\GoToAssist\480\g2awinlogon.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\IntelWireless]
C:\Program Files\Intel\Wireless\Bin\LgNotify.dll 2005-07-22 23:46 110592 C:\Program Files\Intel\Wireless\Bin\LgNotify.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\nnnLDvuT]
nnnLDvuT.dll

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TkBellExe]
--a------ 2007-12-27 10:44 185896 C:\Program Files\Common Files\Real\Update_OB\realsched.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"WMPNetworkSvc"=3 (0x3)
"IDriverT"=3 (0x3)
"aawservice"=2 (0x2)

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run-disabled]
"Adobe Reader Speed Launcher"="C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
"DVDLauncher"="C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe"
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.5.0_12\bin\jusched.exe"
"UpdateManager"="C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" /r
"PCMService"="C:\Program Files\Dell\Media Experience\PCMService.exe"
"mmtask"=c:\Program Files\MusicMatch\MusicMatch Jukebox\mmtask.exe
"TkBellExe"="C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
"NeroCheck"=C:\WINDOWS\system32\\NeroCheck.exe
"AVG7_EMC"=C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
"AVG7_CC"=C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
"dla"=C:\WINDOWS\system32\dla\tfswctrl.exe

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"C:\\Program Files\\Grisoft\\AVG7\\avginet.exe"=
"C:\\Program Files\\Grisoft\\AVG7\\avgamsvr.exe"=
"C:\\Program Files\\Grisoft\\AVG7\\avgcc.exe"=
"C:\\Program Files\\Grisoft\\AVG7\\avgemc.exe"=
"C:\\Program Files\\Sunbelt Software\\Personal Firewall\\kpf4gui.exe"=
"C:\\Program Files\\Skype\\Phone\\Skype.exe"=

R1 aswSP;avast! Self Protection;C:\WINDOWS\system32\drivers\aswSP.sys [2008-05-15 17:20]
R1 fwdrv;Firewall Driver;C:\WINDOWS\system32\drivers\fwdrv.sys [2007-04-26 11:21]
R1 khips;Kerio HIPS Driver;C:\WINDOWS\system32\drivers\khips.sys [2007-04-26 11:21]
R2 aswFsBlk;aswFsBlk;C:\WINDOWS\system32\DRIVERS\aswFsBlk.sys [2008-05-15 17:16]
R2 SPF4;Sunbelt Personal Firewall 4;"C:\Program Files\Sunbelt Software\Personal Firewall\kpf4ss.exe" [2007-04-26 11:21]
S3 GoToAssist;GoToAssist;"C:\Program Files\Citrix\GoToAssist\480\g2aservice.exe" Start=service []
.
Contents of the 'Scheduled Tasks' folder
"2008-06-04 23:10:29 C:\WINDOWS\Tasks\MP Scheduled Scan.job" - C:\Program Files\Windows Defender\MpCmdRun.exe
.
**************************************************************************

catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-06-04 17:09:32
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
------------------------ Other Running Processes ------------------------
.
C:\Program Files\Windows Defender\MsMpEng.exe C:\Program Files\Intel\Wireless\Bin\EvtEng.exe C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe C:\Program Files\Intel\Wireless\Bin\WLKEEPER.exe C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe C:\Program Files\Alwil Software\Avast4\ashServ.exe C:\PROGRA~1\Intel\Wireless\Bin\1XConfig.exe C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe C:\PROGRA~1\Grisoft\AVG7\avgemc.exe C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe C:\WINDOWS\system32\igfxsrvc.exe C:\Program Files\Sunbelt Software\Personal Firewall\kpf4gui.exe C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe C:\Program Files\Alwil Software\Avast4\ashWebSv.exe C:\Program Files\Apoint\hidfind.exe C:\Program Files\Apoint\ApntEx.exe C:\Program Files\Real\RealPlayer\realplay.exe C:\Program Files\Sunbelt Software\Personal Firewall\kpf4gui.exe C:\WINDOWS\system32\imapi.exe . ************************************************************************** . Completion time: 2008-06-04 17:15:48 - machine was rebooted ComboFix-quarantined-files.txt 2008-06-04 23:15:32 Pre-Run: 21,733,347,328 bytes free Post-Run: 21,716,725,760 bytes free WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe [boot loader] timeout=2 default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS [operating systems] multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Professional" /noexecute=optin /fastdetect multi(0)disk(0)rdisk(0)partition(2)\WINDOWS="Microsoft Windows XP Professional" /noexecute=optin /fastdetect C:\CMDCONS\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons 201 --- E O F --- 2008-05-30 16:58:05 Here is the Hijackthis 2.0 log Logfile of Trend Micro HijackThis v2.0.2 Scan saved at 05:26:39 PM, on 6/4/2008 Platform: Windows XP SP2 (WinNT 5.01.2600) MSIE: Internet Explorer v7.00 (7.00.6000.16640) Boot mode: Normal Running processes: C:\WINDOWS\System32\smss.exe C:\WINDOWS\system32\winlogon.exe C:\WINDOWS\system32\services.exe 
C:\WINDOWS\system32\lsass.exe C:\WINDOWS\system32\svchost.exe C:\Program Files\Windows Defender\MsMpEng.exe C:\WINDOWS\System32\svchost.exe C:\Program Files\Intel\Wireless\Bin\EvtEng.exe C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe C:\Program Files\Intel\Wireless\Bin\WLKeeper.exe C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe C:\Program Files\Alwil Software\Avast4\ashServ.exe C:\Program Files\Intel\Wireless\Bin\ZcfgSvc.exe C:\WINDOWS\system32\spoolsv.exe C:\PROGRA~1\Intel\Wireless\Bin\1XConfig.exe C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe C:\PROGRA~1\Grisoft\AVG7\avgemc.exe C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe C:\Program Files\Sunbelt Software\Personal Firewall\kpf4ss.exe C:\WINDOWS\system32\svchost.exe C:\WINDOWS\system32\hkcmd.exe C:\WINDOWS\system32\igfxpers.exe C:\WINDOWS\system32\igfxsrvc.exe C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe C:\Program Files\Apoint\Apoint.exe C:\Program Files\Common Files\Real\Update_OB\realsched.exe C:\WINDOWS\system32\ctfmon.exe C:\Program Files\Sunbelt Software\Personal Firewall\kpf4gui.exe C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe C:\Program Files\Alwil Software\Avast4\ashWebSv.exe C:\Program Files\Apoint\HidFind.exe C:\Program Files\Apoint\Apntex.exe C:\Program Files\Real\RealPlayer\RealPlay.exe C:\Program Files\Sunbelt Software\Personal Firewall\kpf4gui.exe C:\WINDOWS\explorer.exe C:\WINDOWS\system32\notepad.exe C:\Program Files\internet explorer\iexplore.exe C:\Program Files\Internet Explorer\iexplore.exe C:\Program Files\Trend Micro\HijackThis\HijackThis.exe R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157 R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896 R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896 R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start 
Page = about:blank O2 - BHO: Skype add-on (mastermind) - {22BF413B-C6D2-4d91-82A9-A0F997BA588C} - C:\Program Files\Skype\Toolbars\Internet Explorer\SkypeIEPlugin.dll O2 - BHO: (no name) - {EF889FB8-2860-48C6-9A1C-E10D674D191F} - C:\WINDOWS\system32\cbXOGVmm.dll (file missing) O4 - HKLM\..\Run: [igfxtray] C:\WINDOWS\system32\igfxtray.exe O4 - HKLM\..\Run: [igfxhkcmd] C:\WINDOWS\system32\hkcmd.exe O4 - HKLM\..\Run: [igfxpers] C:\WINDOWS\system32\igfxpers.exe O4 - HKLM\..\Run: [IntelZeroConfig] C:\Program Files\Intel\Wireless\bin\ZCfgSvc.exe O4 - HKLM\..\Run: [IntelWireless] C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe /tf Intel PROSet/Wireless O4 - HKLM\..\Run: [Apoint] C:\Program Files\Apoint\Apoint.exe O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe O4 - HKUS\S-1-5-19\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'LOCAL SERVICE') O4 - HKUS\S-1-5-20\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'NETWORK SERVICE') O9 - Extra button: Skype - {77BF5300-1474-4EC7-9980-D32B190E9B07} - C:\Program Files\Skype\Toolbars\Internet Explorer\SkypeIEPlugin.dll O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/eng/partner/u...can_unicode.cab O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} (Java Plug-in 1.5.0_12) - http://sdlc-esd.sun.com/ESD40/JSCDL/jre/6u...i586-p-iftw.exe O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL O20 - Winlogon Notify: GoToAssist - C:\Program Files\Citrix\GoToAssist\480\G2AWinLogon.dll O20 - Winlogon Notify: nnnLDvuT - nnnLDvuT.dll (file missing) O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe O23 - Service: avast! 
Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe O23 - Service: avast! Web Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgemc.exe O23 - Service: EvtEng - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\EvtEng.exe O23 - Service: GoToAssist - Citrix Online, a division of Citrix Systems, Inc. - C:\Program Files\Citrix\GoToAssist\480\g2aservice.exe O23 - Service: RegSrvc - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe O23 - Service: Spectrum24 Event Monitor (S24EventMonitor) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe O23 - Service: Sunbelt Personal Firewall 4 (SPF4) - Sunbelt Software - C:\Program Files\Sunbelt Software\Personal Firewall\kpf4ss.exe O23 - Service: WLANKEEPER - Intel® Corporation - C:\Program Files\Intel\Wireless\Bin\WLKeeper.exe -- End of file - 5823 bytes Still have questions about that extra BHO but everything appears to be working...l Will wait for your reply- Thanks again... ms |
Jun 6 2008, 04:27 AM, Post #7
Forum Addict, Group: Malware Response Team, Posts: 3,294, Joined: 12-December 05, From: Belgium, Member No.: 44,294
Hello Mikesa,
Let's clean up some more:

Open Notepad - don't use any other text editor than Notepad or the script will fail!
Copy/paste the bold text (content only, not the code tags!) below into an empty Notepad window:

CODE
RenV::
C:\Documents and Settings\Mike\Desktop\DAD\Computer Programs\guitar chord .exe

Registry::
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{EF889FB8-2860-48C6-9A1C-E10D674D191F}]
[-HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\nnnLDvuT]

Save this as a txt file: CFScript

Then drag the CFScript into ComboFix.exe as you see in the screenshot below.

This will start ComboFix again. Upon reboot (in case it asks to reboot), post the contents of the ComboFix log in your next reply, as well as a fresh HijackThis log.

Your JavaVM is also out of date. Older versions have vulnerabilities that malware can use to infect your system. Please follow these steps to remove older version Java components and update.

Updating Java:

Greetings,
Thunder
--------------------
Whatever happens, make believe it was intended to ...
-----------------------------------------------------------------------
If I have helped you in any way, please consider a donation to help me continue the fight against malware.
-----------------------------------------------------------------------
Stand Up & Be Counted - And make a difference
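The fix above removes two loading points that HijackThis flagged "(file missing)": the BHO CLSID under Browser Helper Objects and the nnnLDvuT subkey under Winlogon\Notify. The script below is an added example, not part of the thread and not code from ComboFix or HijackThis: it parses O2 and O20 lines, keeps only the entries whose DLL HijackThis could not find, and emits the matching ComboFix Registry:: section. The line formats and the mapping from HijackThis sections to registry keys are my assumptions; the abbreviated key name HKEY_LOCAL_MACHINE\~\Browser Helper Objects is copied from how the ComboFix log and the CFScript in this thread write it. The sample input is copied from the 6/4/2008 HijackThis log above and includes the legitimate Skype BHO and GoToAssist notify entries so that the "leave present files alone" rule is exercised.

```python
"""Added example: turn HijackThis O2/O20 entries marked "(file missing)" into the
ComboFix "Registry::" section that deletes the orphaned loading points.
Not from the thread, ComboFix or HijackThis; line formats and key mapping are assumed."""
import re

# HijackThis line shapes this parser understands (assumed from the log lines in the thread):
#   O2 - BHO: <name> - {CLSID} - <dll path>[ (file missing)]
#   O20 - Winlogon Notify: <subkey> - <dll>[ (file missing)]
O2_RE = re.compile(
    r"^O2 - BHO: (?P<name>.*?) - (?P<clsid>\{[0-9A-Fa-f-]{36}\}) - "
    r"(?P<path>.*?)(?P<missing> \(file missing\))?$"
)
O20_RE = re.compile(
    r"^O20 - Winlogon Notify: (?P<subkey>\S+) - (?P<path>.*?)(?P<missing> \(file missing\))?$"
)

# Registry locations behind each HijackThis section, written the way ComboFix prints them
# (the "~" abbreviation is ComboFix's; it accepted it in the CFScript above).
BHO_KEY = r"HKEY_LOCAL_MACHINE\~\Browser Helper Objects"
NOTIFY_KEY = r"HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify"

# Sample input: O2/O20 lines (plus one O4 line, to show it is ignored) copied from the
# 6/4/2008 HijackThis log in this thread.
SAMPLE_HJT_LINES = [
    r"O2 - BHO: Skype add-on (mastermind) - {22BF413B-C6D2-4d91-82A9-A0F997BA588C} - C:\Program Files\Skype\Toolbars\Internet Explorer\SkypeIEPlugin.dll",
    r"O2 - BHO: (no name) - {EF889FB8-2860-48C6-9A1C-E10D674D191F} - C:\WINDOWS\system32\cbXOGVmm.dll (file missing)",
    r"O4 - HKLM\..\Run: [Apoint] C:\Program Files\Apoint\Apoint.exe",
    r"O20 - Winlogon Notify: GoToAssist - C:\Program Files\Citrix\GoToAssist\480\G2AWinLogon.dll",
    r"O20 - Winlogon Notify: nnnLDvuT - nnnLDvuT.dll (file missing)",
]


def parse_hjt(lines):
    """Return one dict per O2/O20 line: section, loading registry key, DLL path, missing flag.
    Lines from other HijackThis sections are skipped."""
    entries = []
    for raw in lines:
        line = raw.strip()
        m = O2_RE.match(line)
        if m:
            entries.append({"section": "O2", "key": BHO_KEY + "\\" + m["clsid"],
                            "path": m["path"], "missing": m["missing"] is not None})
            continue
        m = O20_RE.match(line)
        if m:
            entries.append({"section": "O20", "key": NOTIFY_KEY + "\\" + m["subkey"],
                            "path": m["path"], "missing": m["missing"] is not None})
    return entries


def orphaned_entries(entries):
    """Only loading points whose DLL HijackThis could not find. Entries whose file is
    present (Skype BHO, GoToAssist notify DLL) are kept: deleting those keys would break
    working software rather than remove anything."""
    return [e for e in entries if e["missing"]]


def cfscript_registry_section(entries):
    """Emit the ComboFix 'Registry::' block; a '[-key]' line deletes that whole key."""
    return "\n".join(["Registry::"] + [f"[-{e['key']}]" for e in orphaned_entries(entries)])


if __name__ == "__main__":
    print(cfscript_registry_section(parse_hjt(SAMPLE_HJT_LINES)))
```

Run against the sample lines it reproduces the two [-...] lines of the CFScript above. "(file missing)" only says the file was not found at the recorded path; before deleting a loading point it is worth confirming the DLL is really gone rather than hidden, which is what the catchme rootkit scan in these logs (hidden files: 0) checked.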
Jun 6 2008, 03:18 PM, Post #8 (New Member, Group: Members)
Yes Thunder, still having problems... they came back today just prior to checking your last instructions...
The computer is running extremely slow and lost my Task Manager again. Ran Combo again and it fixed the TM but still runs slow. Here is the log after running your script:

ComboFix 08-06-04.1 - Mike 2008-06-06 11:44:33.3 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.765 [GMT -6:00]
Running from: C:\Documents and Settings\Mike\Desktop\ComboFix.exe
Command switches used :: C:\Documents and Settings\Mike\Desktop\CFScript.txt
* Created a new restore point
.
((((((((((((((((((((((((( Files Created from 2008-05-06 to 2008-06-06 )))))))))))))))))))))))))))))))
.
2008-06-04 17:26 . 2008-06-04 17:26 <DIR> d-------- C:\Program Files\Trend Micro
2008-06-02 10:58 . 2008-06-04 17:24 <DIR> d-------- C:\Program Files\Hijack This
2008-06-02 10:25 . 2008-06-02 10:26 <DIR> d-------- C:\Program Files\Malwarebytes' Anti-Malware
2008-06-02 10:25 . 2008-06-02 10:25 <DIR> d-------- C:\Documents and Settings\Mike\Application Data\Malwarebytes
2008-06-02 10:25 . 2008-06-02 10:25 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Malwarebytes
2008-06-02 10:25 . 2008-05-05 20:46 27,048 --a------ C:\WINDOWS\system32\drivers\mbamcatchme.sys
2008-06-02 10:25 . 2008-05-05 20:46 15,864 --a------ C:\WINDOWS\system32\drivers\mbam.sys
2008-05-31 20:37 . 2008-05-31 20:43 <DIR> d-------- C:\Program Files\RealArcade
2008-05-31 18:40 . 2008-05-31 18:41 <DIR> d-------- C:\Program Files\Registrar Lite
2008-05-31 18:32 . 2008-06-06 09:17 8,224 --a------ C:\WINDOWS\system32\GDIPFONTCACHEV1.DAT
2008-05-30 22:50 . 2008-05-30 22:50 <DIR> d-------- C:\WINDOWS\system32\Kaspersky Lab
2008-05-30 22:50 . 2008-05-30 22:50 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Kaspersky Lab
2008-05-30 22:26 . 2008-05-30 22:26 <DIR> d-------- C:\Deckard
2008-05-29 20:15 . 2008-05-29 20:15 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Sandlot Games
2008-05-28 20:15 . 2008-05-28 20:15 4,096 --a------ C:\WINDOWS\d3dx.dat
2008-05-28 18:52 . 2008-05-29 20:14 <DIR> d-------- C:\Program Files\Shockwave.com
2008-05-28 03:42 . 2008-05-28 03:42 <DIR> d--h----- C:\WINDOWS\system32\WLANProfiles
2008-05-28 03:42 . 2008-05-28 03:42 <DIR> d--h----- C:\Settings
2008-05-28 03:42 . 2008-05-28 03:42 516 --a------ C:\Settings.ini
2008-05-28 00:29 . 2008-05-30 23:23 <DIR> d-------- C:\WINDOWS\system32\Virus Stuff
2008-05-27 12:48 . 2008-05-27 12:48 <DIR> d-------- C:\!Submit
2008-05-27 11:01 . 2008-05-27 11:01 <DIR> d-------- C:\WINDOWS\ERUNT
2008-05-27 02:36 . 2008-05-27 02:36 <DIR> d-------- C:\Program Files\ACW
2008-05-27 00:06 . 2008-05-27 00:06 <DIR> d-------- C:\Documents and Settings\LeeAnn\Application Data\Intuit
2008-05-27 00:05 . 2008-05-27 00:05 <DIR> d-------- C:\Documents and Settings\LeeAnn\Application Data\TmpRecentIcons
2008-05-26 19:46 . 2008-05-26 19:46 <DIR> d-------- C:\Program Files\Windows Defender
2008-05-26 18:55 . 2008-05-26 19:46 <DIR> d-------- C:\Program Files\Microsoft AntiSpyware
2008-05-26 18:54 . 2008-05-26 18:54 <DIR> d-------- C:\WINDOWS\Downloaded Installations
2008-05-26 12:15 . 2008-05-26 12:15 <DIR> d--h----- C:\WINDOWS\system32\GroupPolicy
2008-05-26 11:50 . 2002-12-29 01:14 81,920 --a------ C:\WINDOWS\system32\Startup.cpl
2008-05-26 09:20 . 2008-05-31 09:42 <DIR> dr-h----- C:\$VAULT$.AVG
2008-05-23 20:29 . 2008-05-23 20:29 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Hot Lava Games
2008-05-23 20:12 . 2008-05-23 20:12 <DIR> d-------- C:\Documents and Settings\Mike\Application Data\Yahoo!
2008-05-23 20:12 . 2008-05-28 18:52 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Yahoo! Companion
2008-05-23 20:11 . 2008-05-23 20:11 <DIR> d-------- C:\Program Files\Yahoo!
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-06-06 15:20 12,766 ----a-w C:\WINDOWS\system32\drivers\fwdrv.err
2008-06-06 06:07 --------- d--h--w C:\Documents and Settings\Mike\Application Data\Skype
2008-06-06 06:04 --------- d-----w C:\Documents and Settings\Mike\Application Data\skypePM
2008-06-04 22:41 --------- d-----w C:\Documents and Settings\Mike\Application Data\AVG7
2008-05-31 14:22 --------- d-----w C:\Documents and Settings\All Users\Application Data\AVG7
2008-05-30 02:21 --------- d---a-w C:\Documents and Settings\All Users\Application Data\TEMP
2008-05-29 14:00 --------- d-----w C:\Documents and Settings\LocalService\Application Data\AVG7
2008-05-29 01:58 --------- d-----w C:\Documents and Settings\Mike\Application Data\iWin
2008-05-24 03:09 --------- d-----w C:\Program Files\GameHouse
2008-05-04 19:25 --------- d-----w C:\Documents and Settings\All Users\Application Data\Citrix
2008-05-04 19:21 --------- d-----w C:\Program Files\Citrix
2008-05-01 17:03 --------- d--h--w C:\Program Files\InstallShield Installation Information
2008-05-01 17:03 --------- d-----w C:\Program Files\Apoint
2008-04-28 17:55 --------- d-----w C:\Program Files\InterActual
2008-04-23 23:12 --------- d-----w C:\Program Files\Lavalys
2008-04-02 21:20 32 ----a-w C:\Documents and Settings\All Users\Application Data\ezsid.dat
2008-03-27 08:12 151,583 ----a-w C:\WINDOWS\system32\msjint40.dll
2008-03-19 09:47 1,845,248 ----a-w C:\WINDOWS\system32\win32k.sys
2008-01-01 02:11 6,186 ---ha-w C:\Documents and Settings\Mike\Application Data\wklnhst.dat
2007-12-18 20:28 63,704 ---ha-w C:\Documents and Settings\Mike\Application Data\GDIPFONTCACHEV1.DAT
2007-11-04 21:01 32 ----a-r C:\Documents and Settings\All Users\hash.dat
.
((((((((((((((((((((((((((((( snapshot@2008-06-04_17.13.55.45 )))))))))))))))))))))))))))))))))))))))))
.
- 2008-06-04 23:07:08 2,048 --s-a-w C:\WINDOWS\bootstat.dat
+ 2008-06-06 17:19:42 2,048 --s-a-w C:\WINDOWS\bootstat.dat
- 2008-05-31 03:36:35 5,427,200 ----a-w C:\WINDOWS\ERUNT\SDFIX\Users\00000001\NTUSER.DAT
+ 2008-06-06 17:12:03 5,427,200 ----a-w C:\WINDOWS\ERUNT\SDFIX\Users\00000001\NTUSER.DAT
- 2008-05-31 03:36:35 327,680 ----a-w C:\WINDOWS\ERUNT\SDFIX\Users\00000002\UsrClass.dat
+ 2008-06-06 17:12:03 327,680 ----a-w C:\WINDOWS\ERUNT\SDFIX\Users\00000002\UsrClass.dat
+ 2008-06-06 17:19:55 16,384 ----atw C:\WINDOWS\Temp\Perflib_Perfdata_108.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 04:00 15360]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"igfxtray"="C:\WINDOWS\system32\igfxtray.exe" [2005-10-14 16:49 94208]
"igfxhkcmd"="C:\WINDOWS\system32\hkcmd.exe" [2005-10-14 16:46 77824]
"igfxpers"="C:\WINDOWS\system32\igfxpers.exe" [2005-10-14 16:50 114688]
"IntelZeroConfig"="C:\Program Files\Intel\Wireless\bin\ZCfgSvc.exe" [2005-07-22 23:46 401408]
"IntelWireless"="C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe" [2005-07-22 23:47 385024]
"Apoint"="C:\Program Files\Apoint\Apoint.exe" [2005-10-07 14:13 176128]
"TkBellExe"="C:\Program Files\Common Files\Real\Update_OB\realsched.exe" [2007-12-27 10:44 185896]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\IntelWireless]
C:\Program Files\Intel\Wireless\Bin\LgNotify.dll 2005-07-22 23:46 110592 C:\Program Files\Intel\Wireless\Bin\LgNotify.dll

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TkBellExe]
--a------ 2007-12-27 10:44 185896 C:\Program Files\Common Files\Real\Update_OB\realsched.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"WMPNetworkSvc"=3 (0x3)
"IDriverT"=3 (0x3)
"aawservice"=2 (0x2)

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run-disabled]
"Adobe Reader Speed Launcher"="C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
"DVDLauncher"="C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe"
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.5.0_12\bin\jusched.exe"
"UpdateManager"="C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" /r
"PCMService"="C:\Program Files\Dell\Media Experience\PCMService.exe"
"mmtask"=c:\Program Files\MusicMatch\MusicMatch Jukebox\mmtask.exe
"TkBellExe"="C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
"NeroCheck"=C:\WINDOWS\system32\\NeroCheck.exe
"AVG7_EMC"=C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
"AVG7_CC"=C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
"dla"=C:\WINDOWS\system32\dla\tfswctrl.exe

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"C:\\Program Files\\Grisoft\\AVG7\\avginet.exe"=
"C:\\Program Files\\Grisoft\\AVG7\\avgamsvr.exe"=
"C:\\Program Files\\Grisoft\\AVG7\\avgcc.exe"=
"C:\\Program Files\\Grisoft\\AVG7\\avgemc.exe"=
"C:\\Program Files\\Sunbelt Software\\Personal Firewall\\kpf4gui.exe"=
"C:\\Program Files\\Skype\\Phone\\Skype.exe"=

R1 aswSP;avast! Self Protection;C:\WINDOWS\system32\drivers\aswSP.sys [2008-05-15 17:20]
R1 fwdrv;Firewall Driver;C:\WINDOWS\system32\drivers\fwdrv.sys [2007-04-26 11:21]
R1 khips;Kerio HIPS Driver;C:\WINDOWS\system32\drivers\khips.sys [2007-04-26 11:21]
R2 aswFsBlk;aswFsBlk;C:\WINDOWS\system32\DRIVERS\aswFsBlk.sys [2008-05-15 17:16]
R2 SPF4;Sunbelt Personal Firewall 4;"C:\Program Files\Sunbelt Software\Personal Firewall\kpf4ss.exe" [2007-04-26 11:21]
S3 GoToAssist;GoToAssist;"C:\Program Files\Citrix\GoToAssist\480\g2aservice.exe" Start=service []
.
Contents of the 'Scheduled Tasks' folder
"2008-06-06 17:22:56 C:\WINDOWS\Tasks\MP Scheduled Scan.job" - C:\Program Files\Windows Defender\MpCmdRun.exe
.
**************************************************************************
catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-06-06 11:50:42
Windows 5.1.2600 Service Pack 2 NTFS
scanning hidden processes ...
scanning hidden autostart entries ...
scanning hidden files ...
scan completed successfully
hidden files: 0
**************************************************************************
.
Completion time: 2008-06-06 11:53:55
ComboFix-quarantined-files.txt 2008-06-06 17:53:44
ComboFix2.txt 2008-06-06 16:41:05
ComboFix3.txt 2008-06-04 23:15:52
Pre-Run: 21,547,077,632 bytes free
Post-Run: 21,535,055,872 bytes free

152 --- E O F --- 2008-06-06 15:20:31

Here is the HijackThis log:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 02:15:32 PM, on 6/6/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16640)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
C:\Program Files\Intel\Wireless\Bin\WLKeeper.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
C:\Program Files\Sunbelt Software\Personal Firewall\kpf4ss.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\Program Files\Sunbelt Software\Personal Firewall\kpf4gui.exe
C:\Program Files\Intel\Wireless\Bin\ZcfgSvc.exe
C:\Program Files\Sunbelt Software\Personal Firewall\kpf4gui.exe
C:\PROGRA~1\Intel\Wireless\Bin\1XConfig.exe
C:\WINDOWS\system32\hkcmd.exe
C:\WINDOWS\system32\igfxpers.exe
C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe
C:\Program Files\Apoint\Apoint.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\system32\igfxsrvc.exe
C:\Program Files\Apoint\Apntex.exe
C:\Program Files\Apoint\HidFind.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\explorer.exe
C:\Program Files\internet explorer\iexplore.exe
C:\Documents and Settings\Mike\Desktop\DAD\Computer Check and Repair\Backup Zip Files\HiJackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
O2 - BHO: Skype add-on (mastermind) - {22BF413B-C6D2-4d91-82A9-A0F997BA588C} - C:\Program Files\Skype\Toolbars\Internet Explorer\SkypeIEPlugin.dll
O4 - HKLM\..\Run: [igfxtray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [igfxhkcmd] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [igfxpers] C:\WINDOWS\system32\igfxpers.exe
O4 - HKLM\..\Run: [IntelZeroConfig] C:\Program Files\Intel\Wireless\bin\ZCfgSvc.exe
O4 - HKLM\..\Run: [IntelWireless] C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe /tf Intel PROSet/Wireless
O4 - HKLM\..\Run: [Apoint] C:\Program Files\Apoint\Apoint.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKUS\S-1-5-19\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'NETWORK SERVICE')
O9 - Extra button: Skype - {77BF5300-1474-4EC7-9980-D32B190E9B07} - C:\Program Files\Skype\Toolbars\Internet Explorer\SkypeIEPlugin.dll
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/eng/partner/u...can_unicode.cab
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
O23 - Service: avast! Web Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
O23 - Service: EvtEng - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
O23 - Service: RegSrvc - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
O23 - Service: Spectrum24 Event Monitor (S24EventMonitor) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
O23 - Service: Sunbelt Personal Firewall 4 (SPF4) - Sunbelt Software - C:\Program Files\Sunbelt Software\Personal Firewall\kpf4ss.exe
O23 - Service: WLANKEEPER - Intel® Corporation - C:\Program Files\Intel\Wireless\Bin\WLKeeper.exe

-- End of file - 5022 bytes

Any ideas? Thanks for all the work.
Jun 6 2008, 03:40 PM, Post #9 (New Member, Group: Members)
Also tried to delete the Javas, but there were none listed in Add/Remove Programs...
did a search and did not find any. I did have one disabled in IE Manage Add-ons but could not remove it... anything else I should try? ms
Jun 6 2008, 05:36 PM, Post #10 (Forum Addict, Group: Malware Response Team)
Hello Mike,
Can you tell me if you created these folders yourself?: C:\WINDOWS\system32\Virus Stuff and C:\!Submit

Your logs no longer show any active malware.

You can remove all used tools and folders created in the process.

To remove ComboFix: Go to Start > Run, and copy and paste the next command in the field:

Then press Enter.

Please read this Prevention page with lots of info and tips on how to prevent this in the future.
And if you want to improve speed/system performance after malware removal, take a look here.

Extra note: Make sure your programs are up to date, because older versions may contain security leaks. To find out what programs need to be updated, please run the Secunia Software Inspector Scan.

Greetings,
Thunder
Jun 6 2008, 07:26 PM, Post #11 (New Member, Group: Members)
Thunder, I did create the Virus Stuff to change locations of suspected files, but the C:\!Submit I know nothing about.
Will delete ComboFix now and get back to you if there are any problems... the only one I know about now is that the internet, no matter what page, seems to lock up, and the touchpad mouse seems to not work often... I back out with Alt/(back arrow) and then go back in and it will work for a while, then it locks up. I have stopped all the add-on things I can think of... will run my virus checkers to see if they catch anything... Thanks and will get back to you. ms
Jun 7 2008, 05:18 AM, Post #12 (Forum Addict, Group: Malware Response Team)
Fine, Mikesa
I'll keep an eye out for your reply.

Greetings,
Thunder
Jul 4 2008, 05:29 PM, Post #13 (Forum Addict, Group: Malware Response Team)
Since there is no feedback anymore, I assume this issue is resolved ... so, this Topic is closed.

If you need this topic reopened for continuation of existing problems, please request this by sending me a PM with the address of the thread. This applies only to the original topic starter. Everyone else please begin a New Topic.