Jump to content


 


Register a free account to unlock additional features at BleepingComputer.com
Welcome to BleepingComputer, a free community where people like yourself come together to discuss and learn how to use their computers. Using the site is easy and fun. As a guest, you can browse and view the various discussions in the forums, but can not create a new topic or reply to an existing one unless you are logged in. Other benefits of registering an account are subscribing to topics and forums, creating a blog, and having no ads shown anywhere on the site.


Click here to Register a free account now! or read our Welcome Guide to learn how to use this site.

Photo

That Annoying Win32:vundo@dll


  • This topic is locked This topic is locked
12 replies to this topic

#1 mikesa

mikesa

  • Members
  • 8 posts
  • OFFLINE
  •  
  • Local time:02:28 PM

Posted 31 May 2008 - 11:52 PM

I am having much the same problem as "Need Help Getting Rid Of Win32:vundo@dll [trj]" with more annoyances
I lose the use of task manager -Admin removed privileges- (I'm admin)
My Computer icon only list documents .
System slows.
Numerous viruses caught and deleted but they reinstall and I cannot remove the BHO which Hijackthis says is being so helpful.

here are the logs
Deckard's System Scanner v20071014.68
Extra logfile - please post this as an attachment with your post.
--------------------------------------------------------------------------------

-- System Information ----------------------------------------------------------

Microsoft Windows XP Professional (build 2600) SP 2.0
Architecture: X86; Language: English

CPU 0: Intel® Pentium® M processor 1.60GHz
Percentage of Memory in Use: 40%
Physical Memory (total/avail): 1271.37 MiB / 751.77 MiB
Pagefile Memory (total/avail): 3031.3 MiB / 2562.63 MiB
Virtual Memory (total/avail): 2047.88 MiB / 1923.98 MiB

C: is Fixed (NTFS) - 74.52 GiB total, 20.42 GiB free.
D: is CDROM (No Media)

\\.\PHYSICALDRIVE0 - TOSHIBA MK8026GAX - 74.53 GiB - 1 partition
\PARTITION0 (bootable) - Installable File System - 74.52 GiB - C:



-- Security Center -------------------------------------------------------------

AUOptions is scheduled to auto-install.
Windows Internal Firewall is enabled.

FirstRunDisabled is set.

FW: Sunbelt Personal Firewall v4.5.916 T (Sunbelt) Disabled
AV: AVG 7.5.524 v7.5.524 (Grisoft)
AV: avast! antivirus 4.8.1201 [VPS 080530-0] v4.8.1201 (ALWIL Software) Disabled

[HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"%windir%\\Network Diagnostic\\xpnetdiag.exe"="%windir%\\Network Diagnostic\\xpnetdiag.exe:*:Enabled:@xpsp3res.dll,-20000"

[HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"%windir%\\Network Diagnostic\\xpnetdiag.exe"="%windir%\\Network Diagnostic\\xpnetdiag.exe:*:Enabled:@xpsp3res.dll,-20000"
"C:\\Program Files\\Grisoft\\AVG7\\avginet.exe"="C:\\Program Files\\Grisoft\\AVG7\\avginet.exe:*:Enabled:avginet.exe"
"C:\\Program Files\\Grisoft\\AVG7\\avgamsvr.exe"="C:\\Program Files\\Grisoft\\AVG7\\avgamsvr.exe:*:Enabled:avgamsvr.exe"
"C:\\Program Files\\Grisoft\\AVG7\\avgcc.exe"="C:\\Program Files\\Grisoft\\AVG7\\avgcc.exe:*:Enabled:avgcc.exe"
"C:\\Program Files\\Grisoft\\AVG7\\avgemc.exe"="C:\\Program Files\\Grisoft\\AVG7\\avgemc.exe:*:Enabled:avgemc.exe"
"C:\\Program Files\\TurboTax\\Premier 2007\\32bit\\ttax.exe"="C:\\Program Files\\TurboTax\\Premier 2007\\32bit\\ttax.exe:LocalSubNet:Enabled:TurboTax"
"C:\\Program Files\\TurboTax\\Premier 2007\\32bit\\updatemgr.exe"="C:\\Program Files\\TurboTax\\Premier 2007\\32bit\\updatemgr.exe:LocalSubNet:Enabled:TurboTax Update Manager"
"C:\\Program Files\\Skype\\Phone\\Skype.exe"="C:\\Program Files\\Skype\\Phone\\Skype.exe:*:Enabled:Skype"


-- Environment Variables -------------------------------------------------------

ALLUSERSPROFILE=C:\Documents and Settings\All Users
APPDATA=C:\Documents and Settings\Mike\Application Data
CLIENTNAME=Console
CommonProgramFiles=C:\Program Files\Common Files
COMPUTERNAME=MIKE
ComSpec=C:\WINDOWS\system32\cmd.exe
FP_NO_HOST_CHECK=NO
HOMEDRIVE=C:
HOMEPATH=\Documents and Settings\Mike
LOGONSERVER=\\MIKE
NUMBER_OF_PROCESSORS=1
OS=Windows_NT
Path=C:\WINDOWS\system32;C:\WINDOWS;C:\WINDOWS\System32\Wbem;C:\PROGRA~1\COMMON~1\SONICS~1\
PATHEXT=.COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH
PROCESSOR_ARCHITECTURE=x86
PROCESSOR_IDENTIFIER=x86 Family 6 Model 13 Stepping 8, GenuineIntel
PROCESSOR_LEVEL=6
PROCESSOR_REVISION=0d08
ProgramFiles=C:\Program Files
PROMPT=$P$G
SESSIONNAME=Console
SystemDrive=C:
SystemRoot=C:\WINDOWS
TEMP=C:\DOCUME~1\Mike\LOCALS~1\Temp
TMP=C:\DOCUME~1\Mike\LOCALS~1\Temp
USERDOMAIN=MIKE
USERNAME=Mike
USERPROFILE=C:\Documents and Settings\Mike
windir=C:\WINDOWS


-- User Profiles ---------------------------------------------------------------

Mike (admin)
Joel (admin)
LeeAnn
Administrator (admin)


-- Add/Remove Programs ---------------------------------------------------------

--> C:\Program Files\Common Files\Real\Update_OB\r1puninst.exe RealNetworks|RealPlayer|6.0
--> C:\WINDOWS\system32\\MSIEXEC.EXE /I {09DA4F91-2A09-4232-AB8C-6BC740096DE3} REMOVE=UpdateMgrFeature
--> C:\WINDOWS\system32\\MSIEXEC.EXE /x {1206EF92-2E83-4859-ACCB-2048C3CB7DA6}
--> C:\WINDOWS\system32\\MSIEXEC.EXE /x {9541FED0-327F-4df0-8B96-EF57EF622F19}
--> rundll32.exe setupapi.dll,InstallHinfSection DefaultUninstall 132 C:\WINDOWS\INF\PCHealth.inf
Ad-Aware 2007 --> MsiExec.exe /I{DED53B0B-B67C-4244-AE6A-D6FD3C28D1EF}
Adobe Flash Player ActiveX --> C:\WINDOWS\system32\Macromed\Flash\uninstall_activeX.exe
Adobe MPEG Encoder --> MsiExec.exe /I{9811A185-3D3D-11D6-9E14-00036D172B00}
Adobe Premiere 6.5 --> C:\WINDOWS\UNINST.EXE -f"C:\Program Files\Adobe\Premiere 6.5\DeIsL1.isu" -c"C:\Program Files\Adobe\Premiere 6.5\Uninst.dll"
Adobe Shockwave Player 11 --> C:\WINDOWS\system32\adobe\SHOCKW~1\UNWISE.EXE C:\WINDOWS\system32\Adobe\SHOCKW~1\Install.log
Adobe SVG Viewer 3.0 --> C:\Program Files\Common Files\Adobe\SVG Viewer 3.0\Uninstall\Winstall.exe -u -fC:\Program Files\Common Files\Adobe\SVG Viewer 3.0\Uninstall\Install.log
Adobe Type Manager 4.1 --> C:\WINDOWS\uninst.exe -f"C:\Program Files\Adobe Type Manager\DeIsL1.isu" -c"C:\Program Files\Adobe Type Manager\UNINST.DLL"
Advanced RealMedia Export Plug-in for Premiere 6.0 --> C:\Program Files\Adobe\Premiere 6.5\Plug-ins\RNCompiler\rnuninst.exe RealNetworks|RNCompiler|6.0
Alien Shooter --> MsiExec.exe /X{C652A4A8-B82C-43C4-86AA-3753CDACFF3F}
ALPS Touch Pad Driver --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{9F72EF8B-AEC9-4CA5-B483-143980AFD6FD}\setup.exe" UNINSTALL
AnswerWorks 4.0 Runtime - English --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\10\00\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{7DD9A065-2C86-4A9F-A5FF-796EC1B99DCA}\setup.exe" -l0x9 -removeonly
avast! Antivirus --> C:\Program Files\Alwil Software\Avast4\aswRunDll.exe "C:\Program Files\Alwil Software\Avast4\Setup\setiface.dll",RunSetup
AVG 7.5 --> C:\Program Files\Grisoft\AVG7\setup.exe /UNINSTALL
Boggle® --> C:\PROGRA~1\SHOCKW~1.COM\Boggle\UNWISE.EXE C:\PROGRA~1\SHOCKW~1.COM\Boggle\INSTALL.LOG
Broadcom 440x 10/100 Integrated Controller --> MsiExec.exe /X{9C9D0F85-5658-4A5E-95A9-65F7DB2916EE}
C-Major Audio --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\10\01\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{A462213D-EED4-42C2-9A60-7BDD4D4B0B17}\setup.exe" -l0x9 -remove -removeonly
Camp Funshine: Carrie the Caregiver 3 --> C:\PROGRA~1\SHOCKW~1.COM\CAMPFU~1\UNWISE.EXE C:\PROGRA~1\SHOCKW~1.COM\CAMPFU~1\INSTALL.LOG
CCleaner (remove only) --> "C:\Program Files\CCleaner\uninst.exe"
Confidence Online Portal Edition for Ameritrade --> rundll32 url.dll,FileProtocolHandler C:\Documents and Settings\Mike\Application Data\WholeSecurity\CAT\UninstallPE.html
Dell Digital Jukebox Driver --> C:\Program Files\Dell\Digital Jukebox Drivers\DrvUnins.exe /s
Drop 2 --> C:\PROGRA~1\eGames\DROP2~1\UNWISE.EXE C:\PROGRA~1\eGames\DROP2~1\INSTALL.LOG
DVD Shrink 3.2 --> "C:\Program Files\DVD Shrink\unins000.exe"
DVDit! LE --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{3B24D221-448E-11D4-A499-0050DA6E827C}\Setup.exe" -L0x9
eGames GameButler --> C:\PROGRA~1\eGames\GAMEBU~1\UNWISE.EXE C:\PROGRA~1\eGames\GAMEBU~1\INSTALL.LOG
EVEREST Ultimate Edition v2.20 --> "C:\Program Files\Lavalys\EVEREST Ultimate Edition\unins000.exe"
Flipster Twin Pack --> C:\PROGRA~1\eGames\FLIPST~1\UNWISE.EXE C:\PROGRA~1\eGames\FLIPST~1\INSTALL.LOG
Generic LT Soft --> MsiExec.exe /I{E886B505-E8EE-4074-8FEF-FE6A062C1C7F}
Glary Utilities 2.2.1.63 --> "C:\Program Files\Glary Utilities\unins000.exe"
Google Earth --> MsiExec.exe /I{1E04F83B-2AB9-4301-9EF7-E86307F79C72}
GoToAssist 8.0.0.480 --> C:\Program Files\Citrix\GoToAssist\480\G2AUninstaller.exe /uninstall
High Definition Audio Driver Package - KB835221 --> C:\WINDOWS\$NtUninstallKB835221WXP$\spuninst\spuninst.exe
HijackThis 2.0.2 --> "C:\Documents and Settings\Mike\Desktop\DAD\Computer Check and Repair\Backup Zip Files\HijackThis.exe" /uninstall
Hotfix for Windows Media Format 11 SDK (KB929399) --> "C:\WINDOWS\$NtUninstallKB929399$\spuninst\spuninst.exe"
Intel® Graphics Media Accelerator Driver for Mobile --> RUNDLL32.EXE C:\WINDOWS\system32\ialmrem.dll,UninstallW2KIGfx2ID PCI\VEN_8086&DEV_2792 PCI\VEN_8086&DEV_2592
Intel® PROSet/Wireless Software --> C:\WINDOWS\Installer\iProInst.exe
InterActual Player --> C:\Program Files\InterActual\InterActual Player\inuninst.exe
J2SE Runtime Environment 5.0 Update 12 --> MsiExec.exe /I{3248F0A8-6813-11D6-A77B-00B0D0150120}
Jasc Paint Shop Photo Album --> MsiExec.exe /I{CC000127-5E5D-4A1C-90CB-EEAAAC1E3AC0}
mCore --> MsiExec.exe /I{6DE14BE4-6F04-4935-8ABD-A0A19FE2E55A}
mDriver --> MsiExec.exe /I{28DA872A-0848-48CF-B749-19A198157A2A}
mDrWiFi --> MsiExec.exe /I{F6090A17-0967-4A8A-B3C3-422A1B514D49}
mHlpDell --> MsiExec.exe /I{49D687E5-6784-431B-A0A2-2F23B8CC5A1B}
Microsoft Compression Client Pack 1.0 for Windows XP --> "C:\WINDOWS\$NtUninstallMSCompPackV1$\spuninst\spuninst.exe"
Microsoft Office 2000 SR-1 Premium --> MsiExec.exe /I{00000409-78E1-11D2-B60F-006097C998E7}
Microsoft Picture It! Premium 10 --> "C:\Program Files\Common Files\Microsoft Shared\Picture It!\RmvSuite.exe" ADDREMOVE=1 SKU=PREM
Microsoft Silverlight --> MsiExec.exe /I{89F4137D-6C26-4A84-BDB8-2E5A4BB71E00}
Microsoft Streets and Trips 2005 --> MsiExec.exe /I{67E4EE98-59F4-4210-89A6-A20AF5BEC689}
Microsoft User-Mode Driver Framework Feature Pack 1.0 --> "C:\WINDOWS\$NtUninstallWudf01000$\spuninst\spuninst.exe"
Microsoft Word 2002 --> MsiExec.exe /I{911B0409-6000-11D3-8CFE-0050048383C9}
Microsoft Works --> MsiExec.exe /I{416D80BA-6F6D-4672-B7CF-F54DA2F80B44}
Microsoft Works 2005 Setup Launcher --> C:\Program Files\Microsoft Works Suite 2005\Setup\Launcher.exe /ARP D:\
Microsoft Works Suite Add-in for Microsoft Word --> MsiExec.exe /I{CB54ABA8-D67F-47AD-A76C-2631BADA9FE5}
mIWA --> MsiExec.exe /I{3E9D596A-61D4-4239-BD19-2DB984D2A16F}
mIWCA --> MsiExec.exe /I{6FFFE74E-3FBD-4E2E-97F9-5E9A2A077626}
mLogView --> MsiExec.exe /I{0E2B0B41-7E08-4F9F-B21F-41C4133F43B7}
mMHouse --> MsiExec.exe /I{F0BFC7EF-9CF8-44EE-91B0-158884CD87C5}
mPfMgr --> MsiExec.exe /I{8B928BA1-EDEC-4227-A2DA-DD83026C36F5}
mPfWiz --> MsiExec.exe /I{90B0D222-8C21-4B35-9262-53B042F18AF9}
mProSafe --> MsiExec.exe /I{23FB368F-1399-4EAC-817C-4B83ECBE3D83}
MSN --> C:\Program Files\MSN\MsnInstaller\msninst.exe /Action:ARP
MSN SideGuide --> MsiExec.exe /X{3C0CD2A4-75C0-4B85-8DC9-7D72BC700D3C}
mSSO --> MsiExec.exe /I{06BE8AFD-A8E2-4B63-BAE7-287016D16ACB}
mToolkit --> MsiExec.exe /I{CA9BAADB-C262-4E05-B2E2-CEE8CE9809EC}
MUSICMATCH® Jukebox --> C:\PROGRA~1\MUSICM~1\MUSICM~1\unmatch.exe
mWlsSafe --> MsiExec.exe /I{FCA651F3-5BDA-4DDA-9E4A-5D87D6914CC4}
mXML --> MsiExec.exe /I{9CC89556-3578-48DD-8408-04E66EBEF401}
mZConfig --> MsiExec.exe /I{7CD7A451-7224-49C8-95EF-9A1859C66607}
Nero - Burning Rom --> MsiExec.exe /X{A4D7B764-4140-11D4-88EB-0050DA3579C0}
OnDemand5 --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\0701\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{5F7DFDFA-27B3-4E06-BCDE-B371424C0032}\setup.exe" -l0x9
PCFriendly --> C:\Program Files\PCFriendly\inuninst.exe
Penguin Puzzle --> C:\PROGRA~1\eGames\PENGUI~1\UNWISE.EXE C:\PROGRA~1\eGames\PENGUI~1\INSTALL.LOG
Pirates of Treasure Island --> C:\PROGRA~1\eGames\PIRATE~1\UNWISE.EXE C:\PROGRA~1\eGames\PIRATE~1\INSTALL.LOG
PowerDVD 5.5 --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{6811CAA0-BF12-11D4-9EA1-0050BAE317E1}\Setup.exe" -uninstall
Quicken 2007 --> MsiExec.exe /X{0D2E80C8-0875-43EB-9623-47118E2DFBCA}
QuickTime --> C:\WINDOWS\unvise32qt.exe C:\WINDOWS\system32\QuickTime\Uninstall.log
RealPlayer --> C:\Program Files\Common Files\Real\Update_OB\r1puninst.exe RealNetworks|RealPlayer|6.0
Registry Mechanic --> "C:\Program Files\Registry Mechanic\unins000.exe"
Rhapsody Player Engine --> MsiExec.exe /I{2DFF31F9-7893-4922-AF66-C9A1EB4EBB31}
Risk® --> C:\PROGRA~1\SHOCKW~1.COM\Risk\UNWISE.EXE C:\PROGRA~1\SHOCKW~1.COM\Risk\INSTALL.LOG
Skype™ 3.6 --> MsiExec.exe /X{5C82DAE5-6EB0-4374-9254-BE3319BA4E82}
SmartSound Quicktracks for Premiere 6.5 --> C:\WINDOWS\unvise32.exe C:\Program Files\Adobe\Premiere 6.5\Plug-ins\SmartSound\uninstal.log
Sonic DLA --> MsiExec.exe /I{1206EF92-2E83-4859-ACCB-2048C3CB7DA6}
Sonic MyDVD --> MsiExec.exe /I{21657574-BD54-48A2-9450-EB03B2C7FC29}
Sonic RecordNow! --> MsiExec.exe /I{9541FED0-327F-4DF0-8B96-EF57EF622F19}
Sonic Update Manager --> MsiExec.exe /I{09DA4F91-2A09-4232-AB8C-6BC740096DE3}
Sunbelt Personal Firewall --> MsiExec.exe /X{BFD080F6-3BF0-40E1-9507-9CA969C35870}
TC Native Essentials 2.02 --> C:\PROGRA~1\TCWorks\TCNativeEssentials202\UninstallTCEssentials.exe C:\PROGRA~1\TCWorks\TCNativeEssentials202\INSTALL.LOG
TurboTax ItsDeductible 2006 --> MsiExec.exe /X{AFF1EA96-9C23-4249-B7D4-CD4B54D4582F}
TurboTax Premier 2007 --> C:\Program Files\TurboTax\Premier 2007\TaxUnst.EXE "C:\Program Files\TurboTax\Premier 2007\Uninstall.log" -NoGui
TurboTax Premier Investments 2006 --> C:\Program Files\TurboTax\Premier 2006\TaxUnst.EXE "C:\Program Files\TurboTax\Premier 2006\Uninstall.log" -NoGui
Virtual Villagers: The Lost Children --> C:\PROGRA~1\SHOCKW~1.COM\VIRTUA~2\UNWISE.EXE C:\PROGRA~1\SHOCKW~1.COM\VIRTUA~2\INSTALL.LOG
Virtual Villagers® - The Secret City --> C:\PROGRA~1\SHOCKW~1.COM\VIRTUA~1\UNWISE.EXE C:\PROGRA~1\SHOCKW~1.COM\VIRTUA~1\INSTALL.LOG
Westward II: Heroes of the Frontier™ --> C:\PROGRA~1\SHOCKW~1.COM\WESTWA~1\UNWISE.EXE C:\PROGRA~1\SHOCKW~1.COM\WESTWA~1\INSTALL.LOG
WexTech AnswerWorks --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\0701\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{EA2BEBD6-87B9-41E5-95AC-7E4C165A9475}\SETUP.EXE" -l0x9 -eliminate
Windows Defender --> MsiExec.exe /I{A06275F4-324B-4E85-95E6-87B2CD729401}
Windows Media Format 11 runtime --> "C:\WINDOWS\$NtUninstallWMFDist11$\spuninst\spuninst.exe"
WinReplay --> MsiExec.exe /I{0C4D367E-FF3A-4668-83EF-D2AD968BB3C0}
Yahoo! Toolbar --> C:\PROGRA~1\Yahoo!\Common\unyt.exe


-- Application Event Log -------------------------------------------------------

Event Record #/Type559 / Error
Event Submitted/Written: 05/30/2008 01:28:40 PM
Event ID/Source: 1002 / Application Hang
Event Description:
Hanging application iexplore.exe, version 7.0.6000.16640, hang module hungapp, version 0.0.0.0, hang address 0x00000000.

Event Record #/Type552 / Error
Event Submitted/Written: 05/30/2008 10:50:31 AM
Event ID/Source: 100 / AVG7
Event Description:
2008-05-30 16:50:31,531 MIKE [000672:000680] ERROR 000 AVG7.WTS.CAvgAmWts ProcessIdToSessionId(1664) call failed with WIN32 error 87, returning session id is 0

Event Record #/Type540 / Error
Event Submitted/Written: 05/30/2008 07:22:21 AM
Event ID/Source: 1002 / Application Hang
Event Description:
Hanging application xpa.exe, version 0.0.0.0, hang module hungapp, version 0.0.0.0, hang address 0x00000000.

Event Record #/Type539 / Error
Event Submitted/Written: 05/30/2008 06:48:41 AM
Event ID/Source: 1000 / Application Error
Event Description:
Faulting application wmplayer.exe, version 11.0.5721.5145, faulting module mcspmpeg.ax, version 1.0.0.29, fault address 0x000066b2.
Processing media-specific event for [wmplayer.exe!ws!]

Event Record #/Type538 / Error
Event Submitted/Written: 05/30/2008 06:37:13 AM
Event ID/Source: 1000 / Application Error
Event Description:
Faulting application wmplayer.exe, version 11.0.5721.5145, faulting module mcspmpeg.ax, version 1.0.0.29, fault address 0x000066b2.
Processing media-specific event for [wmplayer.exe!ws!]



-- Security Event Log ----------------------------------------------------------

No Errors/Warnings found.


-- System Event Log ------------------------------------------------------------

Event Record #/Type12296 / Warning
Event Submitted/Written: 05/30/2008 10:29:40 PM
Event ID/Source: 3004 / WinDefend
Event Description:
%MIKE27 Real-Time Protection agent has detected changes. Microsoft recommends you analyze the software that made these changes for potential risks. You can use information about how these programs operate to choose whether to allow them to run or remove them from your computer. Allow changes only if you trust the program or the software publisher. %MIKE27 can't undo changes that you allow.

For more information please see the following:
%MIKE275

Scan ID: {DE717F2F-CA6B-4333-9654-B4F0123C925E}

User: MIKE\Mike

Name: %MIKE271

ID: %MIKE272

Severity: 1.1.1593.05

Category: 1.1.1593.06

Path Found: %MIKE276

Alert Type: %MIKE278

Detection Type: 1.1.1593.02

Event Record #/Type12295 / Warning
Event Submitted/Written: 05/30/2008 10:29:40 PM
Event ID/Source: 3004 / WinDefend
Event Description:
%MIKE27 Real-Time Protection agent has detected changes. Microsoft recommends you analyze the software that made these changes for potential risks. You can use information about how these programs operate to choose whether to allow them to run or remove them from your computer. Allow changes only if you trust the program or the software publisher. %MIKE27 can't undo changes that you allow.

For more information please see the following:
%MIKE275

Scan ID: {129EC608-5124-42EE-BFDC-90085D82A9E8}

User: MIKE\Mike

Name: %MIKE271

ID: %MIKE272

Severity: 1.1.1593.05

Category: 1.1.1593.06

Path Found: %MIKE276

Alert Type: %MIKE278

Detection Type: 1.1.1593.02

Event Record #/Type12294 / Warning
Event Submitted/Written: 05/30/2008 10:29:40 PM
Event ID/Source: 3004 / WinDefend
Event Description:
%MIKE27 Real-Time Protection agent has detected changes. Microsoft recommends you analyze the software that made these changes for potential risks. You can use information about how these programs operate to choose whether to allow them to run or remove them from your computer. Allow changes only if you trust the program or the software publisher. %MIKE27 can't undo changes that you allow.

For more information please see the following:
%MIKE275

Scan ID: {B5EAB7BB-2A7B-4539-87B1-2AD3FDD4C46F}

User: MIKE\Mike

Name: %MIKE271

ID: %MIKE272

Severity: 1.1.1593.05

Category: 1.1.1593.06

Path Found: %MIKE276

Alert Type: %MIKE278

Detection Type: 1.1.1593.02

Event Record #/Type12293 / Warning
Event Submitted/Written: 05/30/2008 10:29:38 PM
Event ID/Source: 3004 / WinDefend
Event Description:
%MIKE27 Real-Time Protection agent has detected changes. Microsoft recommends you analyze the software that made these changes for potential risks. You can use information about how these programs operate to choose whether to allow them to run or remove them from your computer. Allow changes only if you trust the program or the software publisher. %MIKE27 can't undo changes that you allow.

For more information please see the following:
%MIKE275

Scan ID: {BC45EEA3-88F1-4F3D-98F3-4505F097D04E}

User: MIKE\Mike

Name: %MIKE271

ID: %MIKE272

Severity: 1.1.1593.05

Category: 1.1.1593.06

Path Found: %MIKE276

Alert Type: %MIKE278

Detection Type: 1.1.1593.02

Event Record #/Type12292 / Warning
Event Submitted/Written: 05/30/2008 10:29:38 PM
Event ID/Source: 3004 / WinDefend
Event Description:
%MIKE27 Real-Time Protection agent has detected changes. Microsoft recommends you analyze the software that made these changes for potential risks. You can use information about how these programs operate to choose whether to allow them to run or remove them from your computer. Allow changes only if you trust the program or the software publisher. %MIKE27 can't undo changes that you allow.

For more information please see the following:
%MIKE275

Scan ID: {C3928D78-6850-46A3-9550-4C3B7A76B9BA}

User: MIKE\Mike

Name: %MIKE271

ID: %MIKE272

Severity: 1.1.1593.05

Category: 1.1.1593.06

Path Found: %MIKE276

Alert Type: %MIKE278

Detection Type: 1.1.1593.02



-- End of Deckard's System Scanner: finished at 2008-05-30 22:31:17 ------------

Deckard's System Scanner v20071014.68
Run by Mike on 2008-05-30 22:26:44
Computer is in Normal Mode.
--------------------------------------------------------------------------------

-- System Restore --------------------------------------------------------------

Successfully created a Deckard's System Scanner Restore Point.


-- Last 5 Restore Point(s) --
77: 2008-05-31 04:26:55 UTC - RP145 - Deckard's System Scanner Restore Point
76: 2008-05-31 00:18:55 UTC - RP144 - Windows Defender Checkpoint
75: 2008-05-31 00:02:29 UTC - RP143 - Software Distribution Service 3.0
74: 2008-05-30 16:57:13 UTC - RP142 - Software Distribution Service 3.0
73: 2008-05-30 16:49:26 UTC - RP141 - Software Distribution Service 3.0


-- First Restore Point --
1: 2008-05-26 15:17:02 UTC - RP69 - System Checkpoint


Backed up registry hives.
Performed disk cleanup.



-- HijackThis Clone ------------------------------------------------------------


Emulating logfile of Trend Micro HijackThis v2.0.2
Scan saved at 2008-05-30 22:29:17
Platform: Windows XP Service Pack 2 (5.01.2600)
MSIE: Internet Explorer (7.00.6000.16640)
Boot mode: Normal

Running processes:
C:\WINDOWS\system32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
C:\Program Files\Intel\Wireless\Bin\WLKEEPER.exe
C:\Program Files\Intel\Wireless\Bin\ZCfgSvc.exe
C:\WINDOWS\explorer.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Intel\Wireless\Bin\1XConfig.exe
C:\Program Files\Grisoft\AVG7\avgamsvr.exe
C:\Program Files\Grisoft\AVG7\avgupsvc.exe
C:\Program Files\Grisoft\AVG7\avgemc.exe
C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\hkcmd.exe
C:\WINDOWS\system32\igfxpers.exe
C:\Program Files\Intel\Wireless\Bin\iFrmewrk.exe
C:\Program Files\Apoint\Apoint.exe
C:\Program Files\Windows Defender\MSASCui.exe
C:\Program Files\Alwil Software\Avast4\ashDisp.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\system32\igfxsrvc.exe
C:\Program Files\Apoint\ApntEx.exe
C:\Program Files\Apoint\hidfind.exe
C:\WINDOWS\system32\taskmgr.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Documents and Settings\Mike\Desktop\DAD\Computer Check and Repair\Computer Cleaners\Virus Checkers\Deckard's system scanner.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
O2 - BHO: Skype add-on (mastermind) - {22BF413B-C6D2-4d91-82A9-A0F997BA588C} - C:\Program Files\Skype\Toolbars\Internet Explorer\SkypeIEPlugin.dll
O2 - BHO: (no name) - {4647C2C7-9F3D-4220-87D9-43E617F67478} - C:\WINDOWS\system32\ddcBuRlI.dll
O4 - HKLM\..\Run: [igfxtray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [igfxhkcmd] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [igfxpers] C:\WINDOWS\system32\igfxpers.exe
O4 - HKLM\..\Run: [IntelZeroConfig] C:\Program Files\Intel\Wireless\bin\ZCfgSvc.exe
O4 - HKLM\..\Run: [IntelWireless] C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe /tf Intel PROSet/Wireless
O4 - HKLM\..\Run: [Apoint] C:\Program Files\Apoint\Apoint.exe
O4 - HKLM\..\Run: [Windows Defender] "C:\Program Files\Windows Defender\MSASCui.exe" -hide
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKUS\S-1-5-19\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'NETWORK SERVICE')
O9 - Extra button: Skype - {77BF5300-1474-4EC7-9980-D32B190E9B07} - C:\Program Files\Skype\Toolbars\Internet Explorer\SkypeIEPlugin.dll
O15 - Trusted Zone: https://ameritrade.com (HKCU)
O15 - Trusted Zone: https://tdameritrade.com (HKCU)
O15 - Trusted Zone: https://turbotax.com (HKCU)
O18 - Protocol: cdo - {CD00020A-8B95-11D1-82DB-00C04FB1625D} - C:\Program Files\Common Files\Microsoft Shared\Web Folders\PKMCDO.DLL
O18 - Protocol: ms-itss - {0A9007C0-4076-11D3-8789-0000F8105754} - C:\Program Files\Common Files\Microsoft Shared\Information Retrieval\msitss.dll
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\Program Files\Common Files\Skype\Skype4COM.dll
O20 - Winlogon Notify: ddcBuRlI - C:\WINDOWS\system32\ddcBuRlI.dll
O20 - Winlogon Notify: nnnLDvuT - C:\WINDOWS\system32\nnnLDvuT.dll (file missing)
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft AB - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: ATM Service (ATMsrvc) - Adobe Systems Incorporated - C:\WINDOWS\system32\ATMsrvc.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
O23 - Service: avast! Web Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\Program Files\Grisoft\AVG7\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\Program Files\Grisoft\AVG7\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\Program Files\Grisoft\AVG7\avgemc.exe
O23 - Service: EvtEng - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
O23 - Service: GoToAssist - Citrix Online, a division of Citrix Systems, Inc. - C:\Program Files\Citrix\GoToAssist\480\g2aservice.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: RegSrvc - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
O23 - Service: Spectrum24 Event Monitor (S24EventMonitor) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
O23 - Service: Sunbelt Personal Firewall 4 (SPF4) - Sunbelt Software - C:\Program Files\Sunbelt Software\Personal Firewall\kpf4ss.exe
O23 - Service: WLANKEEPER - Intel® Corporation - C:\Program Files\Intel\Wireless\Bin\WLKEEPER.exe
O24 - Desktop Component 0: Privacy Protection - file:///C:\WINDOWS\privacy_danger\index.htm

--
End of file - 6035 bytes

-- File Associations -----------------------------------------------------------

All associations okay.


-- Drivers: 0-Boot, 1-System, 2-Auto, 3-Demand, 4-Disabled ---------------------

R1 OMCI - c:\windows\system32\drivers\omci.sys <Not Verified; Dell Computer Corporation; OMCI Driver>
R2 AegisP (AEGIS Protocol (IEEE 802.1x) v3.2.0.3) - c:\windows\system32\drivers\aegisp.sys <Not Verified; Meetinghouse Data Communications; AEGIS Client 3.2.0.3>
R2 s24trans (WLAN Transport) - c:\windows\system32\drivers\s24trans.sys <Not Verified; Intel Corporation; Intel Wireless LAN Packet Driver>
R3 catchme - c:\docume~1\mike\locals~1\temp\catchme.sys (file missing)
R3 pfc (Padus ASPI Shell) - c:\windows\system32\drivers\pfc.sys <Not Verified; Padus, Inc.; Padus® ASPI Shell>

S0 cercsr6 - c:\windows\system32\drivers\cercsr6.sys <Not Verified; Adaptec, Inc.; Dell RAID Controller>
S3 UIUSys (Conexant Setup API) - c:\windows\system32\drivers\uiusys.sys (file missing)


-- Services: 0-Boot, 1-System, 2-Auto, 3-Demand, 4-Disabled --------------------

R2 RegSrvc - c:\program files\intel\wireless\bin\regsrvc.exe <Not Verified; Intel Corporation; RegSrvc Module>
R2 WLANKEEPER - c:\program files\intel\wireless\bin\wlkeeper.exe <Not Verified; Intel® Corporation; SSOFSet Service>

S4 ATMsrvc (ATM Service) - c:\windows\system32\atmsrvc.exe <Not Verified; Adobe Systems Incorporated; Adobe Type Manager>


-- Device Manager: Disabled ----------------------------------------------------

Class GUID: {4D36E972-E325-11CE-BFC1-08002BE10318}
Description: Broadcom 440x 10/100 Integrated Controller
Device ID: PCI\VEN_14E4&DEV_170C&SUBSYS_01881028&REV_02\4&2FA23535&0&00F0
Manufacturer: Broadcom
Name: Broadcom 440x 10/100 Integrated Controller
PNP Device ID: PCI\VEN_14E4&DEV_170C&SUBSYS_01881028&REV_02\4&2FA23535&0&00F0
Service: bcm4sbxp

Class GUID: {4D36E97E-E325-11CE-BFC1-08002BE10318}
Description: PCI Modem
Device ID: PCI\VEN_8086&DEV_266D&SUBSYS_542314F1&REV_03\3&61AAA01&0&F3
Manufacturer:
Name: PCI Modem
PNP Device ID: PCI\VEN_8086&DEV_266D&SUBSYS_542314F1&REV_03\3&61AAA01&0&F3
Service:


-- Scheduled Tasks -------------------------------------------------------------

2008-05-30 21:54:46 330 --ah----- C:\WINDOWS\Tasks\MP Scheduled Scan.job


-- Files created between 2008-04-30 and 2008-05-30 -----------------------------

2008-05-30 20:26:33 324864 --a------ C:\WINDOWS\system32\pmnllIcd.dll
2008-05-30 19:26:35 324864 --a------ C:\WINDOWS\system32\pmnmnKCV.dll
2008-05-30 06:27:38 0 d-------- C:\Documents and Settings\All Users\Application Data\SeekmoSA
2008-05-30 06:27:38 0 d-------- C:\Documents and Settings\All Users\Application Data\2ACA5CC3-0F83-453D-A079-1076FE1A8B65
2008-05-30 06:27:25 0 d-------- C:\Documents and Settings\Mike\Application Data\Seekmo
2008-05-30 06:19:18 33920 --a------ C:\WINDOWS\system32\ddcBuRlI.dll
2008-05-30 02:32:18 0 dr-h----- C:\Documents and Settings\Mike\Recent
2008-05-29 20:15:46 0 d-------- C:\Documents and Settings\All Users\Application Data\Sandlot Games
2008-05-28 20:15:13 4096 --a------ C:\WINDOWS\d3dx.dat
2008-05-28 18:52:06 0 d-------- C:\Program Files\Shockwave.com
2008-05-28 03:42:23 0 d--h----- C:\WINDOWS\system32\WLANProfiles
2008-05-28 03:42:23 0 d--h----- C:\Settings
2008-05-28 00:29:13 0 d-------- C:\WINDOWS\system32\Virus Stuff
2008-05-27 12:48:17 0 d-------- C:\!Submit
2008-05-27 11:01:39 0 d-------- C:\WINDOWS\ERUNT
2008-05-27 08:46:14 0 d-------- C:\Program Files\Antivirus2008
2008-05-27 02:36:33 0 d-------- C:\Program Files\ACW
2008-05-27 02:34:32 614734 --ahs---- C:\WINDOWS\system32\stEKUvut.ini2
2008-05-27 00:06:18 0 d-------- C:\Documents and Settings\LeeAnn\Application Data\Intuit
2008-05-27 00:05:38 0 d-------- C:\Documents and Settings\LeeAnn\Application Data\Real
2008-05-27 00:05:24 0 d-------- C:\Documents and Settings\LeeAnn\Application Data\TmpRecentIcons
2008-05-27 00:04:04 0 d-------- C:\Documents and Settings\LeeAnn\Application Data\Identities
2008-05-26 19:46:54 0 d-------- C:\Program Files\Windows Defender
2008-05-26 18:55:15 0 d-------- C:\Program Files\Microsoft AntiSpyware
2008-05-26 18:54:35 0 d-------- C:\WINDOWS\Downloaded Installations
2008-05-26 12:15:59 0 d--h----- C:\WINDOWS\system32\GroupPolicy
2008-05-26 12:15:59 0 d-------- C:\Documents and Settings\Mike\Application Data\TmpRecentIcons
2008-05-26 09:20:17 0 dr-h----- C:\$VAULT$.AVG
2008-05-26 09:16:49 634469 --ahs---- C:\WINDOWS\system32\MloXwGgh.ini2
2008-05-26 08:09:35 0 d-------- C:\Documents and Settings\All Users\Application Data\Adsl Software Limited
2008-05-23 20:29:58 0 d-------- C:\Documents and Settings\All Users\Application Data\Hot Lava Games
2008-05-23 20:12:16 0 d-------- C:\Documents and Settings\Mike\Application Data\Yahoo!
2008-05-23 20:12:16 0 d-------- C:\Documents and Settings\All Users\Application Data\Yahoo! Companion
2008-05-23 20:11:41 0 d-------- C:\Program Files\Yahoo!
2008-05-04 13:25:19 0 d-------- C:\Documents and Settings\All Users\Application Data\Citrix
2008-05-04 13:21:20 0 d-------- C:\Program Files\Citrix
2008-05-03 14:49:55 0 d--hs---- C:\WINDOWS\CSC
2008-05-03 14:40:40 0 d-------- C:\WINDOWS\pss
2008-05-01 11:03:43 0 d-------- C:\Program Files\Apoint


-- Find3M Report ---------------------------------------------------------------

2008-05-30 01:55:08 0 d-------- C:\Documents and Settings\Mike\Application Data\AVG7
2008-05-30 00:48:57 0 d--h----- C:\Documents and Settings\Mike\Application Data\Skype
2008-05-30 00:04:43 0 d-------- C:\Documents and Settings\Mike\Application Data\skypePM
2008-05-29 02:31:33 0 d--h----- C:\Documents and Settings\Mike\Application Data\Adobe
2008-05-28 19:58:59 0 d-------- C:\Documents and Settings\Mike\Application Data\iWin
2008-05-26 09:25:50 0 d-------- C:\Program Files\Common Files
2008-05-23 21:09:17 0 d-------- C:\Program Files\GameHouse
2008-05-01 11:03:43 0 d--h----- C:\Program Files\InstallShield Installation Information
2008-04-28 11:55:18 0 d-------- C:\Program Files\InterActual
2008-04-23 17:12:35 0 d-------- C:\Program Files\Lavalys
2008-04-07 17:38:58 12288 --a------ C:\Documents and Settings\Mike\Application Data\plugcach.fon
2008-04-03 12:47:21 0 d-------- C:\Program Files\ItsDeductible2006
2008-04-03 12:46:28 0 d-------- C:\Program Files\Quicken
2008-04-03 12:43:56 0 d-------- C:\Program Files\TurboTax
2008-04-03 12:43:32 0 d-------- C:\Documents and Settings\Mike\Application Data\InstallShield
2008-04-03 12:17:43 0 d-------- C:\Documents and Settings\Mike\Application Data\Intuit
2008-04-02 15:20:08 0 d-------- C:\Program Files\Common Files\Skype
2008-04-02 11:59:49 0 d--h----- C:\Documents and Settings\Mike\Application Data\Real
2008-03-03 09:29:05 6122874 -rahs---- C:\AVG7DB_F.DAT


-- Registry Dump ---------------------------------------------------------------

*Note* empty entries & legit default entries are not shown


[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{4647C2C7-9F3D-4220-87D9-43E617F67478}]
05/30/2008 06:19 AM 33920 --a------ C:\WINDOWS\system32\ddcBuRlI.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"igfxtray"="C:\WINDOWS\system32\igfxtray.exe" [10/14/2005 04:49 PM]
"igfxhkcmd"="C:\WINDOWS\system32\hkcmd.exe" [10/14/2005 04:46 PM]
"igfxpers"="C:\WINDOWS\system32\igfxpers.exe" [10/14/2005 04:50 PM]
"IntelZeroConfig"="C:\Program Files\Intel\Wireless\bin\ZCfgSvc.exe" [07/22/2005 11:46 PM]
"IntelWireless"="C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe" [07/22/2005 11:47 PM]
"Apoint"="C:\Program Files\Apoint\Apoint.exe" [10/07/2005 02:13 PM]
"Windows Defender"="C:\Program Files\Windows Defender\MSASCui.exe" [11/03/2006 07:20 PM]
"avast!"="C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe" [05/15/2008 05:19 PM]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [08/04/2004 04:00 AM]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"StartMenuLogoff"=1 (0x1)

[HKEY_CURRENT_USER\software\microsoft\internet explorer\desktop\components\0]
Source= file:///C:\WINDOWS\privacy_danger\index.htm
FriendlyName= Privacy Protection

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks]
"{4647C2C7-9F3D-4220-87D9-43E617F67478}"= C:\WINDOWS\system32\ddcBuRlI.dll [05/30/2008 06:19 AM 33920]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\ddcBuRlI]
ddcBuRlI.dll 05/30/2008 06:19 AM 33920 C:\WINDOWS\system32\ddcBuRlI.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\GoToAssist]
C:\Program Files\Citrix\GoToAssist\480\G2AWinLogon.dll 05/04/2008 01:15 PM 10792 C:\Program Files\Citrix\GoToAssist\480\g2awinlogon.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\IntelWireless]
C:\Program Files\Intel\Wireless\Bin\LgNotify.dll 07/22/2005 11:46 PM 110592 C:\Program Files\Intel\Wireless\Bin\LgNotify.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\nnnLDvuT]
nnnLDvuT.dll

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
"Authentication Packages"= msv1_0 C:\WINDOWS\system32\hgGwXolM

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\aawservice]
@="Service"


[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TkBellExe]
"C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"WMPNetworkSvc"=3 (0x3)
"IDriverT"=3 (0x3)
"aawservice"=2 (0x2)

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run-disabled]
"Adobe Reader Speed Launcher"="C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
"DVDLauncher"="C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe"
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.5.0_12\bin\jusched.exe"
"UpdateManager"="C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" /r
"PCMService"="C:\Program Files\Dell\Media Experience\PCMService.exe"
"mmtask"=c:\Program Files\MusicMatch\MusicMatch Jukebox\mmtask.exe
"TkBellExe"="C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
"NeroCheck"=C:\WINDOWS\system32\\NeroCheck.exe
"AVG7_EMC"=C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
"AVG7_CC"=C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
"dla"=C:\WINDOWS\system32\dla\tfswctrl.exe




-- End of Deckard's System Scanner: finished at 2008-05-30 22:31:17 ------------


Logfile of HijackThis v1.97.7
Scan saved at 09:13:26 AM, on 5/31/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16640)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
C:\Program Files\Intel\Wireless\Bin\WLKeeper.exe
C:\Program Files\Intel\Wireless\Bin\ZcfgSvc.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\PROGRA~1\Intel\Wireless\Bin\1XConfig.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\igfxsrvc.exe
C:\WINDOWS\system32\hkcmd.exe
C:\WINDOWS\system32\igfxpers.exe
C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe
C:\Program Files\Apoint\Apoint.exe
C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
C:\Program Files\Windows Defender\MSASCui.exe
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\Program Files\Sunbelt Software\Personal Firewall\kpf4ss.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Sunbelt Software\Personal Firewall\kpf4gui.exe
C:\Program Files\Apoint\Apntex.exe
C:\Program Files\Apoint\HidFind.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\Sunbelt Software\Personal Firewall\kpf4gui.exe
C:\Documents and Settings\Mike\Desktop\DAD\Computer Check and Repair\Computer Cleaners\HijackThis1.9707.exe
C:\Program Files\Grisoft\AVG7\avgwb.dat
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\WINDOWS\system32\NOTEPAD.EXE
C:\WINDOWS\system32\NOTEPAD.EXE

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
O2 - BHO: Skype add-on (mastermind) - {22BF413B-C6D2-4d91-82A9-A0F997BA588C} - C:\Program Files\Skype\Toolbars\Internet Explorer\SkypeIEPlugin.dll
O2 - BHO: (no name) - {4647C2C7-9F3D-4220-87D9-43E617F67478} - C:\WINDOWS\system32\ddcBuRlI.dll
O2 - BHO: (no name) - {EF889FB8-2860-48C6-9A1C-E10D674D191F} - C:\WINDOWS\system32\cbXOGVmm.dll (file missing)
O4 - HKLM\..\Run: [igfxtray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [igfxhkcmd] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [igfxpers] C:\WINDOWS\system32\igfxpers.exe
O4 - HKLM\..\Run: [IntelZeroConfig] C:\Program Files\Intel\Wireless\bin\ZCfgSvc.exe
O4 - HKLM\..\Run: [IntelWireless] C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe /tf Intel PROSet/Wireless
O4 - HKLM\..\Run: [Apoint] C:\Program Files\Apoint\Apoint.exe
O4 - HKLM\..\Run: [Windows Defender] "C:\Program Files\Windows Defender\MSASCui.exe" -hide
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O9 - Extra button: Skype (HKLM)
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/eng/partner/u...can_unicode.cab

BC AdBot (Login to Remove)

 


#2 Thunder

Thunder

  • Members
  • 3,294 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Belgium
  • Local time:08:28 PM

Posted 02 June 2008 - 04:49 AM

Hello Mikesa and welcome to BleepingComputer,

1. * Clean your Cache and Cookies in IE:
  • Close all instances of Outlook Express and Internet Explorer
  • Go to Control Panel > Internet Options > General tab
  • Under Browsing History, click Delete.
  • Click Delete Files, Delete cookies and Delete history
  • Click Close below.
* Clean your Cache and Cookies in Firefox (In case you also have Firefox installed):
  • Go to Tools > Options.
  • Click Privacy in the menu..
  • Click the Clear now button below.. A new window will popup what to clear.
  • Select all and click the Clear button again.
  • Click OK to close the Options window
* Clean other Temporary files + Recycle bin
  • Go to start > run and type: cleanmgr and click ok.
  • Let it scan your system for files to remove.
  • Make sure Temporary Files, Temporary Internet Files, and Recycle Bin are the only things checked.
  • Press OK to remove them.
2. Please download Malwarebytes' Anti-Malware from Here or Here

Doubleclick mbam-setup.exe to install the application.
  • Make sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.
  • If an update is found, it will download and install the latest version.
  • Once the program has loaded, select "Perform Quick Scan", then click Scan.
  • The scan may take some time to finish,so please be patient.
  • When the scan is complete, click OK, then Show Results to view the results.
  • Make sure that everything is checked, and click Remove Selected.
  • When disinfection is completed, a log will open in Notepad and you may be prompted to Restart.(See Extra Note)
  • The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
  • Copy&Paste the entire report in your next reply along with a fresh HijackThis log.
Extra Note:
If MBAM encounters a file that is difficult to remove,you will be presented with 1 of 2 prompts,click OK to either and let MBAM proceed with the disinfection process,if asked to restart the computer,please do so immediatly.

3. Please visit this webpage for instructions for downloading and running ComboFix:

http://www.bleepingcomputer.com/combofix/how-to-use-combofix

Please ensure you read this guide carefully and install the Recovery Console first.
The Windows Recovery Console will allow you to boot up into a special recovery mode, in case your computer has a problem after an attempted removal of malware. This allows us to help you .

In the event you already have Combofix, delete your current version and download the latest version as described in the tutorial.
It must be saved directly to your desktop.


Note: Make sure not to click ComboFix's window while it's running. That may cause it to stall or freeze.

Please post the log from ComboFix (can also be found as C:\ComboFix.txt) in your next reply. :thumbsup:

If you have any questions along the way, STOP and ask them before proceeding !!

Greetings,
Thunder
Whatever happens, make believe it was intended to ...
-----------------------------------------------------------------------
Posted Image - If I have helped you in any way, please consider a donation to help me continue the fight against malware.
-----------------------------------------------------------------------
Stand Up & Be Counted --> Posted Image <-- And make a difference

#3 mikesa

mikesa
  • Topic Starter

  • Members
  • 8 posts
  • OFFLINE
  •  
  • Local time:02:28 PM

Posted 02 June 2008 - 10:38 AM

Quick note cleanmgr did not appear to work...no prompts after hitting enter

ms

Malware does not appear to be working either...I tried run and then save- then run and unless it is running in the background nothing happened.

Edited by mikesa, 02 June 2008 - 10:46 AM.


#4 mikesa

mikesa
  • Topic Starter

  • Members
  • 8 posts
  • OFFLINE
  •  
  • Local time:02:28 PM

Posted 02 June 2008 - 12:07 PM

Thunder
I restarted the computer and then Cleanmgr and Malware worked...here is the malware post...I cannot download the hijackthis as I cannot get it into my c:programs\hijackthis file as the prompts only allow C: (then three document files- no access to C:programs) That is the most annoying problem at the time...although it is available in Explore.

Thanks for all the help...unfortunately I am leaving for Montana momentarily and might be away from computer for a couple of days...will get back to this log as soon as possible.

ms

Malwarebytes' Anti-Malware 1.12
Database version: 722

Scan type: Quick Scan
Objects scanned: 41078
Time elapsed: 7 minute(s), 0 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 1
Registry Keys Infected: 71
Registry Values Infected: 2
Registry Data Items Infected: 0
Folders Infected: 11
Files Infected: 8

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
C:\WINDOWS\system32\ddcBuRlI.dll (Trojan.Vundo) -> Unloaded module successfully.

Registry Keys Infected:
HKEY_CLASSES_ROOT\Interface\{00b77587-be1b-4201-b8e9-09fcf50ab771} (Adware.Zango) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Interface\{067c6a37-72ea-4437-863a-5be20c246f3c} (Adware.Zango) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\hostie.bho (Adware.Zango) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\hostie.bho.1 (Adware.Zango) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Interface\{5a4737a8-b92a-4e54-970e-c2891d98ce3f} (Adware.Zango) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Interface\{ace99e77-aa2a-43c2-8c9d-caf2020fdf2b} (Adware.Zango) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Interface\{e0fb1610-b25b-49f6-be20-751b2f230e6f} (Adware.Zango) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Typelib\{087c4054-0a2b-4f35-b0db-bed3e21650f4} (Adware.Zango) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Interface\{1a2af056-1fe1-47ca-993d-5d09d18e674e} (Adware.Zango) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\toolbar.htmlmenuui (Adware.Zango) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\toolbar.htmlmenuui.1 (Adware.Zango) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\toolbar.toolbarctl (Adware.Zango) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\toolbar.toolbarctl.1 (Adware.Zango) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\hostol.mailanim (Adware.Zango) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\hostol.mailanim.1 (Adware.Zango) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\hbmain.commband (Adware.Zango) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\hbmain.commband.1 (Adware.Zango) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{93b0fa7b-50f6-41b4-ac7e-612a72ce8c3c} (Adware.Zango) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Explorer Bars\{93b0fa7b-50f6-41b4-ac7e-612a72ce8c3c} (Adware.Zango) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Explorer Bars\{93b0fa7b-50f6-41b4-ac7e-612a72ce8c3c} (Adware.Zango) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\coresrv.lfgax (Adware.Zango) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\coresrv.lfgax.1 (Adware.Zango) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Interface\{b247f5bf-bd9d-4ecd-8fc1-365f36a1fda1} (Adware.Zango) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\hostol.webmailsend (Adware.Zango) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\hostol.webmailsend.1 (Adware.Zango) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Interface\{bbbfb891-98ae-4678-86f3-bd5a2eed86c9} (Adware.Zango) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{bf1bf02c-5a86-4ecf-adac-472c54c4d21e} (Adware.Zango) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\coresrv.coreservices (Adware.Zango) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\coresrv.coreservices.1 (Adware.Zango) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\hbr.hbmain (Adware.Zango) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\hbr.hbmain.1 (Adware.Zango) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{ea0b6a1a-6a59-4a58-9c41-9966504898a5} (Adware.Zango) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\Software\Microsoft\Installer\Features\9ee2330ae5f4470cac801baac83818c9 (Adware.Zango) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\Software\Microsoft\Installer\Products\568267acfc5644dab06f058006ddbae3 (Adware.Zango) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\clientax.requiredcomponent (Adware.180Solutions) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\clientax.requiredcomponent.1 (Adware.180Solutions) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\clientax.clientinstaller (Adware.180Solutions) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\clientax.clientinstaller.1 (Adware.180Solutions) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\seekmo.desktopflash (Adware.Seekmo) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\seekmo.desktopflash.1 (Adware.Seekmo) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{914a8f99-38e4-47ec-b875-2b0653516030} (Adware.Seekmo) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\PreApproved\{914a8f99-38e4-47ec-b875-2b0653516030} (Adware.Seekmo) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{914a8f99-38e4-47ec-b875-2b0653516030} (Adware.Seekmo) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\seekmoax.clientdetector (Adware.Seekmo) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\seekmoax.clientdetector.1 (Adware.Seekmo) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{1f158a1e-a687-4a11-9679-b3ac64b86a1c} (Adware.Seekmo) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\PreApproved\{1f158a1e-a687-4a11-9679-b3ac64b86a1c} (Adware.Seekmo) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\seekmoax.userprofiles (Adware.Seekmo) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\seekmoax.userprofiles.1 (Adware.Seekmo) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{e313f5dc-cfe7-4568-84a4-c76653547571} (Adware.Seekmo) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\PreApproved\{e313f5dc-cfe7-4568-84a4-c76653547571} (Adware.Seekmo) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Interface\{bd5258af-20ae-4bd3-b748-b2851aca7335} (Adware.Seekmo) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Typelib\{995e885e-3ff5-4f66-a107-8bfb3a0f8f12} (Adware.Seekmo) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Typelib\{fbb40fdf-b715-4342-ab82-244ecc66e979} (Adware.Seekmo) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\AppID\{4a40e8fc-c7e4-4f57-9fa4-85dd77402897} (Adware.Seekmo) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\AppID\seekmo.desktopflash (Adware.Seekmo) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\AppID\seekmo.desktopflash.1 (Adware.Seekmo) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\AppID\seekmoax.clientdetector (Adware.Seekmo) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\AppID\seekmoax.clientdetector.1 (Adware.Seekmo) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\AppID\seekmoax.userprofiles (Adware.Seekmo) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\AppID\seekmoax.userprofiles.1 (Adware.Seekmo) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\aoprndtws (Malware.Trace) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\Software\Microsoft\affri (Malware.Trace) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\Software\Adsl Software Limited (Rogue.MalWarrior) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\Software\Microsoft\rdfa (Trojan.Vundo) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\affri (Malware.Trace) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{4647c2c7-9f3d-4220-87d9-43e617f67478} (Trojan.Vundo) -> Delete on reboot.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{4647c2c7-9f3d-4220-87d9-43e617f67478} (Trojan.Vundo) -> Delete on reboot.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\ddcburli (Trojan.Vundo) -> Delete on reboot.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\FCOVM (Trojan.Vundo) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\RemoveRP (Trojan.Vundo) -> Quarantined and deleted successfully.

Registry Values Infected:
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser\{07aa283a-43d7-4cbe-a064-32a21112d94d} (Adware.Zango) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks\{4647c2c7-9f3d-4220-87d9-43e617f67478} (Trojan.Vundo) -> Delete on reboot.

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
C:\Documents and Settings\All Users\Application Data\Adsl Software Limited (Rogue.MalWarrior) -> Quarantined and deleted successfully.
C:\Documents and Settings\All Users\Application Data\Adsl Software Limited\WinSpywareProtect (Rogue.MalWarrior) -> Quarantined and deleted successfully.
C:\Documents and Settings\Mike\Application Data\Seekmo (AdWare.Agent) -> Quarantined and deleted successfully.
C:\Documents and Settings\Mike\Application Data\Seekmo\IESkins (AdWare.Agent) -> Quarantined and deleted successfully.
C:\Documents and Settings\Mike\Application Data\Seekmo\v3.0 (AdWare.Agent) -> Quarantined and deleted successfully.
C:\Documents and Settings\Mike\Application Data\Seekmo\v3.0\Seekmo (AdWare.Agent) -> Quarantined and deleted successfully.
C:\Documents and Settings\Mike\Application Data\Seekmo\v3.0\Seekmo\dynamic (AdWare.Agent) -> Quarantined and deleted successfully.
C:\Documents and Settings\Mike\Application Data\Seekmo\v3.0\Seekmo\static (AdWare.Agent) -> Quarantined and deleted successfully.
C:\Documents and Settings\All Users\Application Data\SeekmoSA (Adware.Seekmo) -> Quarantined and deleted successfully.
C:\Documents and Settings\All Users\Start Menu\Programs\Seekmo (Adware.Seekmo) -> Quarantined and deleted successfully.
C:\Documents and Settings\All Users\Application Data\2ACA5CC3-0F83-453D-A079-1076FE1A8B65 (Adware.Seekmo) -> Quarantined and deleted successfully.

Files Infected:
C:\Documents and Settings\All Users\Application Data\Adsl Software Limited\WinSpywareProtect\WinSpywareProtect.exe (Rogue.MalWarrior) -> Quarantined and deleted successfully.
C:\Documents and Settings\All Users\Application Data\SeekmoSA\SeekmoSA.dat (Adware.Seekmo) -> Quarantined and deleted successfully.
C:\Documents and Settings\All Users\Application Data\SeekmoSA\SeekmoSAAbout.mht (Adware.Seekmo) -> Quarantined and deleted successfully.
C:\Documents and Settings\All Users\Application Data\SeekmoSA\SeekmoSAEULA.mht (Adware.Seekmo) -> Quarantined and deleted successfully.
C:\Documents and Settings\All Users\Start Menu\Programs\Seekmo\Reset Cursor.lnk (Adware.Seekmo) -> Quarantined and deleted successfully.
C:\Documents and Settings\All Users\Start Menu\Programs\Seekmo\Seekmo Customer Support Center.lnk (Adware.Seekmo) -> Quarantined and deleted successfully.
C:\Documents and Settings\All Users\Start Menu\Programs\Seekmo\Seekmo Uninstall Instructions.lnk (Adware.Seekmo) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\ddcBuRlI.dll (Trojan.Vundo) -> Delete on reboot.

I think this last dll was the main problem as it came on at the outset I just could not touch it...

ms

#5 Thunder

Thunder

  • Members
  • 3,294 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Belgium
  • Local time:08:28 PM

Posted 02 June 2008 - 01:06 PM

You're probably right, Mikesa :thumbsup:

Can you run ComboFix and post that log as well, please ?
(if necessary run it in safe mode)

Greetings,
Thunder
Whatever happens, make believe it was intended to ...
-----------------------------------------------------------------------
Posted Image - If I have helped you in any way, please consider a donation to help me continue the fight against malware.
-----------------------------------------------------------------------
Stand Up & Be Counted --> Posted Image <-- And make a difference

#6 mikesa

mikesa
  • Topic Starter

  • Members
  • 8 posts
  • OFFLINE
  •  
  • Local time:02:28 PM

Posted 04 June 2008 - 06:33 PM

Thunder,

Ran the Combofix...wow what a program...seems to have fixed everything. I have my "My Computer" info back- shows the harddrives and other things.Here is the Combofix log...
ComboFix 08-06-04.1 - Mike 2008-06-04 16:58:58.1 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.774 [GMT -6:00]
Running from: C:\Documents and Settings\Mike\Desktop\ComboFix.exe
Command switches used :: C:\Documents and Settings\Mike\Desktop\WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe
* Created a new restore point
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\Program Files\Antivirus2008
C:\smp.bat
C:\WINDOWS\cookies.ini
C:\WINDOWS\regedit.com
C:\WINDOWS\system32\jrluprfa.ini
C:\WINDOWS\system32\mcrh.tmp
C:\WINDOWS\system32\MloXwGgh.ini
C:\WINDOWS\system32\MloXwGgh.ini2
C:\WINDOWS\system32\mmVGOXbc.ini
C:\WINDOWS\system32\mmVGOXbc.ini2
C:\WINDOWS\system32\oedbyijf.ini
C:\WINDOWS\system32\stEKUvut.ini
C:\WINDOWS\system32\stEKUvut.ini2
C:\WINDOWS\system32\taskmgr.com
C:\WINDOWS\system32\xaksmvat.ini
C:\WINDOWS\system32\xqauginy.ini
C:\WINDOWS\system32\yeghpoji.ini

.
((((((((((((((((((((((((( Files Created from 2008-05-04 to 2008-06-04 )))))))))))))))))))))))))))))))
.

2008-06-02 10:58 . 2008-06-02 10:58 <DIR> d-------- C:\Program Files\Hijack This
2008-06-02 10:25 . 2008-06-02 10:26 <DIR> d-------- C:\Program Files\Malwarebytes' Anti-Malware
2008-06-02 10:25 . 2008-06-02 10:25 <DIR> d-------- C:\Documents and Settings\Mike\Application Data\Malwarebytes
2008-06-02 10:25 . 2008-06-02 10:25 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Malwarebytes
2008-06-02 10:25 . 2008-05-05 20:46 27,048 --a------ C:\WINDOWS\system32\drivers\mbamcatchme.sys
2008-06-02 10:25 . 2008-05-05 20:46 15,864 --a------ C:\WINDOWS\system32\drivers\mbam.sys
2008-05-31 20:37 . 2008-05-31 20:43 <DIR> d-------- C:\Program Files\RealArcade
2008-05-31 18:40 . 2008-05-31 18:41 <DIR> d-------- C:\Program Files\Registrar Lite
2008-05-31 18:32 . 2008-06-04 16:54 8,224 --a------ C:\WINDOWS\system32\GDIPFONTCACHEV1.DAT
2008-05-30 22:50 . 2008-05-30 22:50 <DIR> d-------- C:\WINDOWS\system32\Kaspersky Lab
2008-05-30 22:50 . 2008-05-30 22:50 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Kaspersky Lab
2008-05-30 22:26 . 2008-05-30 22:26 <DIR> d-------- C:\Deckard
2008-05-29 20:15 . 2008-05-29 20:15 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Sandlot Games
2008-05-28 20:15 . 2008-05-28 20:15 4,096 --a------ C:\WINDOWS\d3dx.dat
2008-05-28 18:52 . 2008-05-29 20:14 <DIR> d-------- C:\Program Files\Shockwave.com
2008-05-28 03:42 . 2008-05-28 03:42 <DIR> d--h----- C:\WINDOWS\system32\WLANProfiles
2008-05-28 03:42 . 2008-05-28 03:42 <DIR> d--h----- C:\Settings
2008-05-28 03:42 . 2008-05-28 03:42 516 --a------ C:\Settings.ini
2008-05-28 00:29 . 2008-05-30 23:23 <DIR> d-------- C:\WINDOWS\system32\Virus Stuff
2008-05-27 12:48 . 2008-05-27 12:48 <DIR> d-------- C:\!Submit
2008-05-27 11:01 . 2008-05-27 11:01 <DIR> d-------- C:\WINDOWS\ERUNT
2008-05-27 02:36 . 2008-05-27 02:36 <DIR> d-------- C:\Program Files\ACW
2008-05-27 00:06 . 2008-05-27 00:06 <DIR> d-------- C:\Documents and Settings\LeeAnn\Application Data\Intuit
2008-05-27 00:05 . 2008-05-27 00:05 <DIR> d-------- C:\Documents and Settings\LeeAnn\Application Data\TmpRecentIcons
2008-05-26 19:46 . 2008-05-26 19:46 <DIR> d-------- C:\Program Files\Windows Defender
2008-05-26 18:55 . 2008-05-26 19:46 <DIR> d-------- C:\Program Files\Microsoft AntiSpyware
2008-05-26 18:54 . 2008-05-26 18:54 <DIR> d-------- C:\WINDOWS\Downloaded Installations
2008-05-26 12:15 . 2008-05-26 12:15 <DIR> d--h----- C:\WINDOWS\system32\GroupPolicy
2008-05-26 11:50 . 2002-12-29 01:14 81,920 --a------ C:\WINDOWS\system32\Startup.cpl
2008-05-26 09:20 . 2008-05-31 09:42 <DIR> dr-h----- C:\$VAULT$.AVG
2008-05-23 20:29 . 2008-05-23 20:29 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Hot Lava Games
2008-05-23 20:12 . 2008-05-23 20:12 <DIR> d-------- C:\Documents and Settings\Mike\Application Data\Yahoo!
2008-05-23 20:12 . 2008-05-28 18:52 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Yahoo! Companion
2008-05-23 20:11 . 2008-05-23 20:11 <DIR> d-------- C:\Program Files\Yahoo!
2008-05-04 13:25 . 2008-05-04 13:25 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Citrix
2008-05-04 13:21 . 2008-05-04 13:21 <DIR> d-------- C:\Program Files\Citrix

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-06-04 23:10 12,376 ----a-w C:\WINDOWS\system32\drivers\fwdrv.err
2008-06-04 22:41 --------- d-----w C:\Documents and Settings\Mike\Application Data\AVG7
2008-06-04 22:23 --------- d--h--w C:\Documents and Settings\Mike\Application Data\Skype
2008-06-04 22:21 --------- d-----w C:\Documents and Settings\Mike\Application Data\skypePM
2008-05-31 14:22 --------- d-----w C:\Documents and Settings\All Users\Application Data\AVG7
2008-05-30 02:21 --------- d---a-w C:\Documents and Settings\All Users\Application Data\TEMP
2008-05-29 14:00 --------- d-----w C:\Documents and Settings\LocalService\Application Data\AVG7
2008-05-29 01:58 --------- d-----w C:\Documents and Settings\Mike\Application Data\iWin
2008-05-24 03:09 --------- d-----w C:\Program Files\GameHouse
2008-05-01 17:03 --------- d--h--w C:\Program Files\InstallShield Installation Information
2008-05-01 17:03 --------- d-----w C:\Program Files\Apoint
2008-04-28 17:55 --------- d-----w C:\Program Files\InterActual
2008-04-23 23:12 --------- d-----w C:\Program Files\Lavalys
2008-04-02 21:20 32 ----a-w C:\Documents and Settings\All Users\Application Data\ezsid.dat
2008-03-27 08:12 151,583 ----a-w C:\WINDOWS\system32\msjint40.dll
2008-03-19 09:47 1,845,248 ----a-w C:\WINDOWS\system32\win32k.sys
2008-01-01 02:11 6,186 ---ha-w C:\Documents and Settings\Mike\Application Data\wklnhst.dat
2007-12-18 20:28 63,704 ---ha-w C:\Documents and Settings\Mike\Application Data\GDIPFONTCACHEV1.DAT
2007-11-04 21:01 32 ----a-r C:\Documents and Settings\All Users\hash.dat
.
<pre>
----a-r		 1,547,688 2005-10-21 05:13:26  C:\Documents and Settings\Mike\Desktop\DAD\Computer Programs\guitar chord .exe
</pre>


((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{EF889FB8-2860-48C6-9A1C-E10D674D191F}]
C:\WINDOWS\system32\cbXOGVmm.dll

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 04:00 15360]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"igfxtray"="C:\WINDOWS\system32\igfxtray.exe" [2005-10-14 16:49 94208]
"igfxhkcmd"="C:\WINDOWS\system32\hkcmd.exe" [2005-10-14 16:46 77824]
"igfxpers"="C:\WINDOWS\system32\igfxpers.exe" [2005-10-14 16:50 114688]
"IntelZeroConfig"="C:\Program Files\Intel\Wireless\bin\ZCfgSvc.exe" [2005-07-22 23:46 401408]
"IntelWireless"="C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe" [2005-07-22 23:47 385024]
"Apoint"="C:\Program Files\Apoint\Apoint.exe" [2005-10-07 14:13 176128]
"TkBellExe"="C:\Program Files\Common Files\Real\Update_OB\realsched.exe" [2007-12-27 10:44 185896]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\GoToAssist]
C:\Program Files\Citrix\GoToAssist\480\G2AWinLogon.dll 2008-05-04 13:15 10792 C:\Program Files\Citrix\GoToAssist\480\g2awinlogon.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\IntelWireless]
C:\Program Files\Intel\Wireless\Bin\LgNotify.dll 2005-07-22 23:46 110592 C:\Program Files\Intel\Wireless\Bin\LgNotify.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\nnnLDvuT]
nnnLDvuT.dll

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TkBellExe]
--a------ 2007-12-27 10:44 185896 C:\Program Files\Common Files\Real\Update_OB\realsched.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"WMPNetworkSvc"=3 (0x3)
"IDriverT"=3 (0x3)
"aawservice"=2 (0x2)

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run-disabled]
"Adobe Reader Speed Launcher"="C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
"DVDLauncher"="C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe"
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.5.0_12\bin\jusched.exe"
"UpdateManager"="C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" /r
"PCMService"="C:\Program Files\Dell\Media Experience\PCMService.exe"
"mmtask"=c:\Program Files\MusicMatch\MusicMatch Jukebox\mmtask.exe
"TkBellExe"="C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
"NeroCheck"=C:\WINDOWS\system32\\NeroCheck.exe
"AVG7_EMC"=C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
"AVG7_CC"=C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
"dla"=C:\WINDOWS\system32\dla\tfswctrl.exe

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"C:\\Program Files\\Grisoft\\AVG7\\avginet.exe"=
"C:\\Program Files\\Grisoft\\AVG7\\avgamsvr.exe"=
"C:\\Program Files\\Grisoft\\AVG7\\avgcc.exe"=
"C:\\Program Files\\Grisoft\\AVG7\\avgemc.exe"=
"C:\\Program Files\\Sunbelt Software\\Personal Firewall\\kpf4gui.exe"=
"C:\\Program Files\\Skype\\Phone\\Skype.exe"=

R1 aswSP;avast! Self Protection;C:\WINDOWS\system32\drivers\aswSP.sys [2008-05-15 17:20]
R1 fwdrv;Firewall Driver;C:\WINDOWS\system32\drivers\fwdrv.sys [2007-04-26 11:21]
R1 khips;Kerio HIPS Driver;C:\WINDOWS\system32\drivers\khips.sys [2007-04-26 11:21]
R2 aswFsBlk;aswFsBlk;C:\WINDOWS\system32\DRIVERS\aswFsBlk.sys [2008-05-15 17:16]
R2 SPF4;Sunbelt Personal Firewall 4;"C:\Program Files\Sunbelt Software\Personal Firewall\kpf4ss.exe" [2007-04-26 11:21]
S3 GoToAssist;GoToAssist;"C:\Program Files\Citrix\GoToAssist\480\g2aservice.exe" Start=service []

.
Contents of the 'Scheduled Tasks' folder
"2008-06-04 23:10:29 C:\WINDOWS\Tasks\MP Scheduled Scan.job"
- C:\Program Files\Windows Defender\MpCmdRun.exe
.
**************************************************************************

catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-06-04 17:09:32
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
------------------------ Other Running Processes ------------------------
.
C:\Program Files\Windows Defender\MsMpEng.exe
C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
C:\Program Files\Intel\Wireless\Bin\WLKEEPER.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\PROGRA~1\Intel\Wireless\Bin\1XConfig.exe
C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
C:\WINDOWS\system32\igfxsrvc.exe
C:\Program Files\Sunbelt Software\Personal Firewall\kpf4gui.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\Program Files\Apoint\hidfind.exe
C:\Program Files\Apoint\ApntEx.exe
C:\Program Files\Real\RealPlayer\realplay.exe
C:\Program Files\Sunbelt Software\Personal Firewall\kpf4gui.exe
C:\WINDOWS\system32\imapi.exe
.
**************************************************************************
.
Completion time: 2008-06-04 17:15:48 - machine was rebooted
ComboFix-quarantined-files.txt 2008-06-04 23:15:32

Pre-Run: 21,733,347,328 bytes free
Post-Run: 21,716,725,760 bytes free

WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Professional" /noexecute=optin /fastdetect
multi(0)disk(0)rdisk(0)partition(2)\WINDOWS="Microsoft Windows XP Professional" /noexecute=optin /fastdetect
C:\CMDCONS\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons

201 --- E O F --- 2008-05-30 16:58:05


Here is the Hijackthis 2.0 log :thumbsup:
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 05:26:39 PM, on 6/4/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16640)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
C:\Program Files\Intel\Wireless\Bin\WLKeeper.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\Program Files\Intel\Wireless\Bin\ZcfgSvc.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\Intel\Wireless\Bin\1XConfig.exe
C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
C:\Program Files\Sunbelt Software\Personal Firewall\kpf4ss.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\hkcmd.exe
C:\WINDOWS\system32\igfxpers.exe
C:\WINDOWS\system32\igfxsrvc.exe
C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe
C:\Program Files\Apoint\Apoint.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Sunbelt Software\Personal Firewall\kpf4gui.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\Program Files\Apoint\HidFind.exe
C:\Program Files\Apoint\Apntex.exe
C:\Program Files\Real\RealPlayer\RealPlay.exe
C:\Program Files\Sunbelt Software\Personal Firewall\kpf4gui.exe
C:\WINDOWS\explorer.exe
C:\WINDOWS\system32\notepad.exe
C:\Program Files\internet explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
O2 - BHO: Skype add-on (mastermind) - {22BF413B-C6D2-4d91-82A9-A0F997BA588C} - C:\Program Files\Skype\Toolbars\Internet Explorer\SkypeIEPlugin.dll
O2 - BHO: (no name) - {EF889FB8-2860-48C6-9A1C-E10D674D191F} - C:\WINDOWS\system32\cbXOGVmm.dll (file missing) :wacko:
O4 - HKLM\..\Run: [igfxtray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [igfxhkcmd] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [igfxpers] C:\WINDOWS\system32\igfxpers.exe
O4 - HKLM\..\Run: [IntelZeroConfig] C:\Program Files\Intel\Wireless\bin\ZCfgSvc.exe
O4 - HKLM\..\Run: [IntelWireless] C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe /tf Intel PROSet/Wireless
O4 - HKLM\..\Run: [Apoint] C:\Program Files\Apoint\Apoint.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKUS\S-1-5-19\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'NETWORK SERVICE')
O9 - Extra button: Skype - {77BF5300-1474-4EC7-9980-D32B190E9B07} - C:\Program Files\Skype\Toolbars\Internet Explorer\SkypeIEPlugin.dll
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/eng/partner/u...can_unicode.cab
O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} (Java Plug-in 1.5.0_12) - http://sdlc-esd.sun.com/ESD40/JSCDL/jre/6u...i586-p-iftw.exe
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O20 - Winlogon Notify: GoToAssist - C:\Program Files\Citrix\GoToAssist\480\G2AWinLogon.dll
O20 - Winlogon Notify: nnnLDvuT - nnnLDvuT.dll (file missing)
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
O23 - Service: avast! Web Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
O23 - Service: EvtEng - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
O23 - Service: GoToAssist - Citrix Online, a division of Citrix Systems, Inc. - C:\Program Files\Citrix\GoToAssist\480\g2aservice.exe
O23 - Service: RegSrvc - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
O23 - Service: Spectrum24 Event Monitor (S24EventMonitor) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
O23 - Service: Sunbelt Personal Firewall 4 (SPF4) - Sunbelt Software - C:\Program Files\Sunbelt Software\Personal Firewall\kpf4ss.exe
O23 - Service: WLANKEEPER - Intel® Corporation - C:\Program Files\Intel\Wireless\Bin\WLKeeper.exe

--
End of file - 5823 bytes

Still have questions about that extra BHO but everything appears to be working...l

Will wait for your reply- Thanks again...
ms

#7 Thunder

Thunder

  • Members
  • 3,294 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Belgium
  • Local time:08:28 PM

Posted 06 June 2008 - 04:27 AM

Hello Mikesa,

Let's clean up some more :

Open Notepad - don't use any other texteditor than Notepad or the script will fail !
Copy/paste the bold text (content only, not the code tags !) below into an empty notepad window:
RenV::
C:\Documents and Settings\Mike\Desktop\DAD\Computer Programs\guitar chord .exe
Registry::
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{EF889FB8-2860-48C6-9A1C-E10D674D191F}]
[-HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\nnnLDvuT]
Save this as txtfile CFScript

Then drag the CFScript into ComboFix.exe as you see in the screenshot below.

Posted Image

This will start ComboFix again. Upon reboot, (in case it asks to reboot), post the contents of the Combofix log in your next reply, as well as a fresh HijackThislog.

Your JavaVM is also out of date. Older versions have vulnerabilities that malware can use to infect your system.
Please follow these steps to remove older version Java components and update.

Updating Java:
  • Download the latest version of Java Runtime Environment (JRE) 6u6.
  • Scroll down to where it says The Java SE Runtime Environment (JRE) allows end-users to run Java applications.
  • Click the Download button to the right.
  • Check the box that says: Accept License Agreement
  • The page will refresh.
  • Click on the link to download Windows Offline Installation (jre-6u6-windows-i586-p.exe) and save to your desktop.
  • Close any programs you may have running - especially your web browser.
  • Go to Start > Control Panel, double-click on Add/Remove programs and remove all older versions of Java.
  • Check any item with Java Runtime Environment (JRE or J2SE) in the name.
  • Click the Remove or Change/Remove button.
  • Repeat as many times as necessary to remove each Java versions.
  • Reboot your computer once all Java components are removed.
  • Then from your desktop double-click on jre-6u6-windowsi586-p.exe to install the newest version.
Are you still having problems ?

Greetings,
Thunder
Whatever happens, make believe it was intended to ...
-----------------------------------------------------------------------
Posted Image - If I have helped you in any way, please consider a donation to help me continue the fight against malware.
-----------------------------------------------------------------------
Stand Up & Be Counted --> Posted Image <-- And make a difference

#8 mikesa

mikesa
  • Topic Starter

  • Members
  • 8 posts
  • OFFLINE
  •  
  • Local time:02:28 PM

Posted 06 June 2008 - 03:18 PM

Yes Thunder still having problems...they came back today just prior to checking your last instructions...
The computer is running extremely slow and lost my Task Manager again.
Ran Combo again and it fixed the TM but still runs slow here is the log after running your script

ComboFix 08-06-04.1 - Mike 2008-06-06 11:44:33.3 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.765 [GMT -6:00]
Running from: C:\Documents and Settings\Mike\Desktop\ComboFix.exe
Command switches used :: C:\Documents and Settings\Mike\Desktop\CFScript.txt
* Created a new restore point
.

((((((((((((((((((((((((( Files Created from 2008-05-06 to 2008-06-06 )))))))))))))))))))))))))))))))
.

2008-06-04 17:26 . 2008-06-04 17:26 <DIR> d-------- C:\Program Files\Trend Micro
2008-06-02 10:58 . 2008-06-04 17:24 <DIR> d-------- C:\Program Files\Hijack This
2008-06-02 10:25 . 2008-06-02 10:26 <DIR> d-------- C:\Program Files\Malwarebytes' Anti-Malware
2008-06-02 10:25 . 2008-06-02 10:25 <DIR> d-------- C:\Documents and Settings\Mike\Application Data\Malwarebytes
2008-06-02 10:25 . 2008-06-02 10:25 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Malwarebytes
2008-06-02 10:25 . 2008-05-05 20:46 27,048 --a------ C:\WINDOWS\system32\drivers\mbamcatchme.sys
2008-06-02 10:25 . 2008-05-05 20:46 15,864 --a------ C:\WINDOWS\system32\drivers\mbam.sys
2008-05-31 20:37 . 2008-05-31 20:43 <DIR> d-------- C:\Program Files\RealArcade
2008-05-31 18:40 . 2008-05-31 18:41 <DIR> d-------- C:\Program Files\Registrar Lite
2008-05-31 18:32 . 2008-06-06 09:17 8,224 --a------ C:\WINDOWS\system32\GDIPFONTCACHEV1.DAT
2008-05-30 22:50 . 2008-05-30 22:50 <DIR> d-------- C:\WINDOWS\system32\Kaspersky Lab
2008-05-30 22:50 . 2008-05-30 22:50 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Kaspersky Lab
2008-05-30 22:26 . 2008-05-30 22:26 <DIR> d-------- C:\Deckard
2008-05-29 20:15 . 2008-05-29 20:15 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Sandlot Games
2008-05-28 20:15 . 2008-05-28 20:15 4,096 --a------ C:\WINDOWS\d3dx.dat
2008-05-28 18:52 . 2008-05-29 20:14 <DIR> d-------- C:\Program Files\Shockwave.com
2008-05-28 03:42 . 2008-05-28 03:42 <DIR> d--h----- C:\WINDOWS\system32\WLANProfiles
2008-05-28 03:42 . 2008-05-28 03:42 <DIR> d--h----- C:\Settings
2008-05-28 03:42 . 2008-05-28 03:42 516 --a------ C:\Settings.ini
2008-05-28 00:29 . 2008-05-30 23:23 <DIR> d-------- C:\WINDOWS\system32\Virus Stuff
2008-05-27 12:48 . 2008-05-27 12:48 <DIR> d-------- C:\!Submit
2008-05-27 11:01 . 2008-05-27 11:01 <DIR> d-------- C:\WINDOWS\ERUNT
2008-05-27 02:36 . 2008-05-27 02:36 <DIR> d-------- C:\Program Files\ACW
2008-05-27 00:06 . 2008-05-27 00:06 <DIR> d-------- C:\Documents and Settings\LeeAnn\Application Data\Intuit
2008-05-27 00:05 . 2008-05-27 00:05 <DIR> d-------- C:\Documents and Settings\LeeAnn\Application Data\TmpRecentIcons
2008-05-26 19:46 . 2008-05-26 19:46 <DIR> d-------- C:\Program Files\Windows Defender
2008-05-26 18:55 . 2008-05-26 19:46 <DIR> d-------- C:\Program Files\Microsoft AntiSpyware
2008-05-26 18:54 . 2008-05-26 18:54 <DIR> d-------- C:\WINDOWS\Downloaded Installations
2008-05-26 12:15 . 2008-05-26 12:15 <DIR> d--h----- C:\WINDOWS\system32\GroupPolicy
2008-05-26 11:50 . 2002-12-29 01:14 81,920 --a------ C:\WINDOWS\system32\Startup.cpl
2008-05-26 09:20 . 2008-05-31 09:42 <DIR> dr-h----- C:\$VAULT$.AVG
2008-05-23 20:29 . 2008-05-23 20:29 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Hot Lava Games
2008-05-23 20:12 . 2008-05-23 20:12 <DIR> d-------- C:\Documents and Settings\Mike\Application Data\Yahoo!
2008-05-23 20:12 . 2008-05-28 18:52 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Yahoo! Companion
2008-05-23 20:11 . 2008-05-23 20:11 <DIR> d-------- C:\Program Files\Yahoo!

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-06-06 15:20 12,766 ----a-w C:\WINDOWS\system32\drivers\fwdrv.err
2008-06-06 06:07 --------- d--h--w C:\Documents and Settings\Mike\Application Data\Skype
2008-06-06 06:04 --------- d-----w C:\Documents and Settings\Mike\Application Data\skypePM
2008-06-04 22:41 --------- d-----w C:\Documents and Settings\Mike\Application Data\AVG7
2008-05-31 14:22 --------- d-----w C:\Documents and Settings\All Users\Application Data\AVG7
2008-05-30 02:21 --------- d---a-w C:\Documents and Settings\All Users\Application Data\TEMP
2008-05-29 14:00 --------- d-----w C:\Documents and Settings\LocalService\Application Data\AVG7
2008-05-29 01:58 --------- d-----w C:\Documents and Settings\Mike\Application Data\iWin
2008-05-24 03:09 --------- d-----w C:\Program Files\GameHouse
2008-05-04 19:25 --------- d-----w C:\Documents and Settings\All Users\Application Data\Citrix
2008-05-04 19:21 --------- d-----w C:\Program Files\Citrix
2008-05-01 17:03 --------- d--h--w C:\Program Files\InstallShield Installation Information
2008-05-01 17:03 --------- d-----w C:\Program Files\Apoint
2008-04-28 17:55 --------- d-----w C:\Program Files\InterActual
2008-04-23 23:12 --------- d-----w C:\Program Files\Lavalys
2008-04-02 21:20 32 ----a-w C:\Documents and Settings\All Users\Application Data\ezsid.dat
2008-03-27 08:12 151,583 ----a-w C:\WINDOWS\system32\msjint40.dll
2008-03-19 09:47 1,845,248 ----a-w C:\WINDOWS\system32\win32k.sys
2008-01-01 02:11 6,186 ---ha-w C:\Documents and Settings\Mike\Application Data\wklnhst.dat
2007-12-18 20:28 63,704 ---ha-w C:\Documents and Settings\Mike\Application Data\GDIPFONTCACHEV1.DAT
2007-11-04 21:01 32 ----a-r C:\Documents and Settings\All Users\hash.dat
.

((((((((((((((((((((((((((((( snapshot@2008-06-04_17.13.55.45 )))))))))))))))))))))))))))))))))))))))))
.
- 2008-06-04 23:07:08 2,048 --s-a-w C:\WINDOWS\bootstat.dat
+ 2008-06-06 17:19:42 2,048 --s-a-w C:\WINDOWS\bootstat.dat
- 2008-05-31 03:36:35 5,427,200 ----a-w C:\WINDOWS\ERUNT\SDFIX\Users\00000001\NTUSER.DAT
+ 2008-06-06 17:12:03 5,427,200 ----a-w C:\WINDOWS\ERUNT\SDFIX\Users\00000001\NTUSER.DAT
- 2008-05-31 03:36:35 327,680 ----a-w C:\WINDOWS\ERUNT\SDFIX\Users\00000002\UsrClass.dat
+ 2008-06-06 17:12:03 327,680 ----a-w C:\WINDOWS\ERUNT\SDFIX\Users\00000002\UsrClass.dat
+ 2008-06-06 17:19:55 16,384 ----atw C:\WINDOWS\Temp\Perflib_Perfdata_108.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 04:00 15360]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"igfxtray"="C:\WINDOWS\system32\igfxtray.exe" [2005-10-14 16:49 94208]
"igfxhkcmd"="C:\WINDOWS\system32\hkcmd.exe" [2005-10-14 16:46 77824]
"igfxpers"="C:\WINDOWS\system32\igfxpers.exe" [2005-10-14 16:50 114688]
"IntelZeroConfig"="C:\Program Files\Intel\Wireless\bin\ZCfgSvc.exe" [2005-07-22 23:46 401408]
"IntelWireless"="C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe" [2005-07-22 23:47 385024]
"Apoint"="C:\Program Files\Apoint\Apoint.exe" [2005-10-07 14:13 176128]
"TkBellExe"="C:\Program Files\Common Files\Real\Update_OB\realsched.exe" [2007-12-27 10:44 185896]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\IntelWireless]
C:\Program Files\Intel\Wireless\Bin\LgNotify.dll 2005-07-22 23:46 110592 C:\Program Files\Intel\Wireless\Bin\LgNotify.dll

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TkBellExe]
--a------ 2007-12-27 10:44 185896 C:\Program Files\Common Files\Real\Update_OB\realsched.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"WMPNetworkSvc"=3 (0x3)
"IDriverT"=3 (0x3)
"aawservice"=2 (0x2)

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run-disabled]
"Adobe Reader Speed Launcher"="C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
"DVDLauncher"="C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe"
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.5.0_12\bin\jusched.exe"
"UpdateManager"="C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" /r
"PCMService"="C:\Program Files\Dell\Media Experience\PCMService.exe"
"mmtask"=c:\Program Files\MusicMatch\MusicMatch Jukebox\mmtask.exe
"TkBellExe"="C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
"NeroCheck"=C:\WINDOWS\system32\\NeroCheck.exe
"AVG7_EMC"=C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
"AVG7_CC"=C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
"dla"=C:\WINDOWS\system32\dla\tfswctrl.exe

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"C:\\Program Files\\Grisoft\\AVG7\\avginet.exe"=
"C:\\Program Files\\Grisoft\\AVG7\\avgamsvr.exe"=
"C:\\Program Files\\Grisoft\\AVG7\\avgcc.exe"=
"C:\\Program Files\\Grisoft\\AVG7\\avgemc.exe"=
"C:\\Program Files\\Sunbelt Software\\Personal Firewall\\kpf4gui.exe"=
"C:\\Program Files\\Skype\\Phone\\Skype.exe"=

R1 aswSP;avast! Self Protection;C:\WINDOWS\system32\drivers\aswSP.sys [2008-05-15 17:20]
R1 fwdrv;Firewall Driver;C:\WINDOWS\system32\drivers\fwdrv.sys [2007-04-26 11:21]
R1 khips;Kerio HIPS Driver;C:\WINDOWS\system32\drivers\khips.sys [2007-04-26 11:21]
R2 aswFsBlk;aswFsBlk;C:\WINDOWS\system32\DRIVERS\aswFsBlk.sys [2008-05-15 17:16]
R2 SPF4;Sunbelt Personal Firewall 4;"C:\Program Files\Sunbelt Software\Personal Firewall\kpf4ss.exe" [2007-04-26 11:21]
S3 GoToAssist;GoToAssist;"C:\Program Files\Citrix\GoToAssist\480\g2aservice.exe" Start=service []

.
Contents of the 'Scheduled Tasks' folder
"2008-06-06 17:22:56 C:\WINDOWS\Tasks\MP Scheduled Scan.job"
- C:\Program Files\Windows Defender\MpCmdRun.exe
.
**************************************************************************

catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-06-06 11:50:42
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
Completion time: 2008-06-06 11:53:55
ComboFix-quarantined-files.txt 2008-06-06 17:53:44
ComboFix2.txt 2008-06-06 16:41:05
ComboFix3.txt 2008-06-04 23:15:52

Pre-Run: 21,547,077,632 bytes free
Post-Run: 21,535,055,872 bytes free

152 --- E O F --- 2008-06-06 15:20:31


Here is the Hijackthis log

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 02:15:32 PM, on 6/6/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16640)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
C:\Program Files\Intel\Wireless\Bin\WLKeeper.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
C:\Program Files\Sunbelt Software\Personal Firewall\kpf4ss.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\Program Files\Sunbelt Software\Personal Firewall\kpf4gui.exe
C:\Program Files\Intel\Wireless\Bin\ZcfgSvc.exe
C:\Program Files\Sunbelt Software\Personal Firewall\kpf4gui.exe
C:\PROGRA~1\Intel\Wireless\Bin\1XConfig.exe
C:\WINDOWS\system32\hkcmd.exe
C:\WINDOWS\system32\igfxpers.exe
C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe
C:\Program Files\Apoint\Apoint.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\system32\igfxsrvc.exe
C:\Program Files\Apoint\Apntex.exe
C:\Program Files\Apoint\HidFind.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\explorer.exe
C:\Program Files\internet explorer\iexplore.exe
C:\Documents and Settings\Mike\Desktop\DAD\Computer Check and Repair\Backup Zip Files\HiJackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
O2 - BHO: Skype add-on (mastermind) - {22BF413B-C6D2-4d91-82A9-A0F997BA588C} - C:\Program Files\Skype\Toolbars\Internet Explorer\SkypeIEPlugin.dll
O4 - HKLM\..\Run: [igfxtray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [igfxhkcmd] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [igfxpers] C:\WINDOWS\system32\igfxpers.exe
O4 - HKLM\..\Run: [IntelZeroConfig] C:\Program Files\Intel\Wireless\bin\ZCfgSvc.exe
O4 - HKLM\..\Run: [IntelWireless] C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe /tf Intel PROSet/Wireless
O4 - HKLM\..\Run: [Apoint] C:\Program Files\Apoint\Apoint.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKUS\S-1-5-19\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'NETWORK SERVICE')
O9 - Extra button: Skype - {77BF5300-1474-4EC7-9980-D32B190E9B07} - C:\Program Files\Skype\Toolbars\Internet Explorer\SkypeIEPlugin.dll
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/eng/partner/u...can_unicode.cab
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
O23 - Service: avast! Web Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
O23 - Service: EvtEng - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
O23 - Service: RegSrvc - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
O23 - Service: Spectrum24 Event Monitor (S24EventMonitor) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
O23 - Service: Sunbelt Personal Firewall 4 (SPF4) - Sunbelt Software - C:\Program Files\Sunbelt Software\Personal Firewall\kpf4ss.exe
O23 - Service: WLANKEEPER - Intel® Corporation - C:\Program Files\Intel\Wireless\Bin\WLKeeper.exe

--
End of file - 5022 bytes

Any Idea's...Thanks for all the work.

#9 mikesa

mikesa
  • Topic Starter

  • Members
  • 8 posts
  • OFFLINE
  •  
  • Local time:02:28 PM

Posted 06 June 2008 - 03:40 PM

Also tried to delete Java's but there were none listed in Add/Remove programs...
did a search and did not find any. I did have one disabled in IE manage add/ons but could not remove it...anything else I should try?
ms

#10 Thunder

Thunder

  • Members
  • 3,294 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Belgium
  • Local time:08:28 PM

Posted 06 June 2008 - 05:36 PM

Hello Mike,

Can you tell me if you created these folders yourself ? :
C:\WINDOWS\system32\Virus Stuff and C\!Submit

Your logs no longer show any active malware anymore :thumbsup:

You can remove all used tools and folders created in the process.
To remove ComboFix :
Go to Start > Run, and copy and paste next command in the field:ComboFix /u
Make sure there's a space between Combofix and /u
Then press Enter.
This will uninstall Combofix, delete its related folders and files, restore your clock settings, hide file extensions, hide the system/hidden files and resets System Restore again.

Please read this Prevention page with lots of info and tips how to prevent this in the future.
And if you want to improve speed/system performance after malware removal, take a look here.
Extra note: Make sure your programs are up to date - because older versions may contain Security Leaks.
To find out what programs need to be updated, please run the Secunia Software Inspector Scan.

Greetings,
Thunder
Whatever happens, make believe it was intended to ...
-----------------------------------------------------------------------
Posted Image - If I have helped you in any way, please consider a donation to help me continue the fight against malware.
-----------------------------------------------------------------------
Stand Up & Be Counted --> Posted Image <-- And make a difference

#11 mikesa

mikesa
  • Topic Starter

  • Members
  • 8 posts
  • OFFLINE
  •  
  • Local time:02:28 PM

Posted 06 June 2008 - 07:26 PM

Thunder I did create the Virus Stuff to change locations of suspected files but he C:!Submit I know nothing about.
Will delete combo fix now and get back to you if there are any problems...the only one I know about now is that the internet no matter what page seems to lock up and the touchpad mouse seems to not work often...I back out with alt/(back arrow) and then go back in and it will work for a while then it locks up. I have stopped all the addon things I can think of...will run my virus checkers to see if they catch anything...

Thanks and will get back to you.

ms

#12 Thunder

Thunder

  • Members
  • 3,294 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Belgium
  • Local time:08:28 PM

Posted 07 June 2008 - 05:18 AM

Fine, Mikesa

I'll keep an eye out for you reply. :thumbsup:

Greetings,
Thunder
Whatever happens, make believe it was intended to ...
-----------------------------------------------------------------------
Posted Image - If I have helped you in any way, please consider a donation to help me continue the fight against malware.
-----------------------------------------------------------------------
Stand Up & Be Counted --> Posted Image <-- And make a difference

#13 Thunder

Thunder

  • Members
  • 3,294 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Belgium
  • Local time:08:28 PM

Posted 04 July 2008 - 05:29 PM

Since there is no feedback anymore, I assume this issue is resolved ... so, this Topic is closed.
If you need this topic reopened for continuations of existing problems, please request this by sending me a PM with the address of the thread. This applies only to the original topic starter.

Everyone else please begin a New Topic.
Whatever happens, make believe it was intended to ...
-----------------------------------------------------------------------
Posted Image - If I have helped you in any way, please consider a donation to help me continue the fight against malware.
-----------------------------------------------------------------------
Stand Up & Be Counted --> Posted Image <-- And make a difference




0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users