

VUNDO!grb (detected and quarantined by McAfee)


  • This topic is locked
66 replies to this topic

#1 APL23 (Members, 58 posts)

Posted 04 March 2009 - 12:41 PM

Dear Expert,

First - thanks for your volunteer work, it's much appreciated.

I have inadvertently picked up the VUNDO Trojan and need help in removing it. McAfee Security Center claims to have "detected and quarantined" it (March 3rd), however it continues to plague IE by randomly opening and closing multiple instances (but mostly opening). I also had to disconnect my cable in order to shut down my computer last night. Tried an update from McAfee, then ran disk/internet/registry clean up, ran a full scan, and it found nothing. Tried the McAfee Virtual Technician, then the live chat, but they couldn't help. On boot up this morning, there was a strange box (new) that appeared and said "personalized setting for browser customization". It didn't have an X top right like a standard Windows box, and it just disappeared after a few seconds. McAfee has also just downloaded Firewall and Security Center updates.

As instructed, I have backed up my data (followed the Cobian tutorial, errors backing up some DAT files, not sure if that's a problem), created this account, enabled topic reply, enabled the Windows XP firewall (which was already enabled but with many boxes checked that did not appear in the tutorial), and downloaded and ran DDS as follows.

Please provide me with details on how to proceed. Again, your recommendations are appreciated (and please be explicit, I'm not very good at this).


DDS (Ver_09-02-01.01) - NTFSx86
Run by Mikey at 11:36:59.26 on 04/03/2009
Internet Explorer: 6.0.2900.5512
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.510.242 [GMT -5:00]

AV: McAfee VirusScan *On-access scanning enabled* (Updated)
FW: McAfee Personal Firewall *enabled*

============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
svchost.exe
svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\AskBarDis\bar\bin\AskService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\WINDOWS\System32\CTsvcCDA.EXE
C:\Program Files\McAfee\SiteAdvisor\McSACore.exe
C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
c:\PROGRA~1\COMMON~1\mcafee\mna\mcnasvc.exe
c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe
C:\Program Files\McAfee\MPF\MPFSrv.exe
C:\WINDOWS\System32\svchost.exe -k imgsvc
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\MsPMSPSv.exe
c:\PROGRA~1\mcafee.com\agent\mcagent.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\WINDOWS\SM1BG.EXE
C:\Program Files\Roxio\Easy Media Creator 7\Drag to Disc\DrgToDsc.exe
C:\Program Files\Multimedia Card Reader\shwicon2k.exe
C:\Program Files\Logitech\MouseWare\system\em_exec.exe
C:\Program Files\QuickTime\QTTask.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
C:\Program Files\Common Files\Real\Update_OB\RealOneMessageCenter.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\Microsoft ActiveSync\WCESCOMM.EXE
C:\Program Files\Digital Line Detect\DLG.exe
C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
C:\Program Files\Logitech\SetPoint\KEM.exe
C:\Program Files\Logitech\SetPoint\KHALMNPR.EXE
C:\Program Files\iPod\bin\iPodService.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe
C:\Program Files\HP\Digital Imaging\bin\hpqimzone.exe
C:\Program Files\HP\Digital Imaging\bin\hpqSTE08.exe
c:\PROGRA~1\mcafee\msc\mcshell.exe
C:\Program Files\Cobian Backup 8\Cobian.exe
C:\Program Files\Cobian Backup 8\cbInterface.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Documents and Settings\Mikey\Desktop\dds.scr

============== Pseudo HJT Report ===============

uStart Page = hxxp://www.theanimalrescuesite.com/clickToGive/home.faces?siteId=3&link=ctg_ars_home_from_ars_thankyou_sitenav
uDefault_Page_URL = hxxp://www.dellnet.com
uSearch Bar =
mDefault_Page_URL = hxxp://www.dellnet.com
mDefault_Search_URL = hxxp://toolbar.ask.com/toolbarv/askRedirect?o=10607&gct=&gc=1&q=
mSearch Page =
mSearch Bar = hxxp://red.clientapps.yahoo.com/customize/ie/defaults/sb/ymsgr/*http://www.yahoo.com/ext/search/search.html
uInternet Connection Wizard,ShellNext = hxxp://www.dellnet.com/
uInternet Settings,ProxyOverride = 127.0.0.1;hxxp://localhost;*.local
uSearchURL,(Default) = hxxp://ca.search.yahoo.com/search?fr=mcafee&p=%s
uURLSearchHooks: DefaultSearchHook Class: {c94e154b-1459-4a47-966b-4b843befc7db} - c:\program files\asksearch\bin\DefaultSearch.dll
mWinlogon: Userinit=c:\windows\system32\Userinit.exe
BHO: Adobe PDF Reader Link Helper: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\adobe\acrobat 7.0\activex\AcroIEHelper.dll
BHO: AskBar BHO: {201f27d4-3704-41d6-89c1-aa35e39143ed} - c:\program files\askbardis\bar\bin\askBar.dll
BHO: {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - No File
BHO: scriptproxy: {7db2d5a0-7241-4e79-b68d-6309f01c5231} - c:\program files\mcafee\virusscan\scriptsn.dll
BHO: {ab1f083b-21cb-46db-8963-30db8b6919a4} - c:\windows\system32\jutepeso.dll
BHO: McAfee SiteAdvisor BHO: {b164e929-a1b6-4a06-b104-2cd0e90a88ff} - c:\progra~1\mcafee\sitead~1\mcieplg.dll
BHO: {a1bb232a-70ce-8489-6c24-a41792a7337d}: {d7337a29-714a-42c6-9848-ec07a232bb1a} - c:\windows\system32\xaxzfa.dll
TB: McAfee SiteAdvisor Toolbar: {0ebbbe48-bad4-4b4c-8e5a-516abecae064} - c:\progra~1\mcafee\sitead~1\mcieplg.dll
TB: Ask Toolbar: {3041d03e-fd4b-44e0-b742-2d9b88305f98} - c:\program files\askbardis\bar\bin\askBar.dll
TB: Yahoo! Toolbar: {ef99bd32-c1fb-11d2-892f-0090271d4f88} -
TB: {8FF5E180-ABDE-46EB-B09E-D2AAB95CABE3} - No File
TB: {724D43A0-0D85-11D4-9908-00400523E39A} - No File
EB: {4528BBE0-4E08-11D5-AD55-00010333D0AD} - No File
EB: Real.com: {fe54fa40-d68c-11d2-98fa-00c0f0318afe} - c:\windows\system32\Shdocvw.dll
EB: {32683183-48a0-441b-a342-7c2a440a9478} - No File
uRun: [H/PC Connection Agent] "c:\program files\microsoft activesync\WCESCOMM.EXE"
uRun: [DelayShred] c:\progra~1\mcafee\mshr\shrcl.exe /p7 /q c:\docume~1\mikey\locals~1\temp\tempor~2\content.ie5\yxwfy34v.sh! c:\docume~1\mikey\locals~1\temp\tempor~2\content.ie5\yla3q56z.sh! c:\docume~1\mikey\locals~1\temp\tempor~2\content.ie5\tl82gag8.sh! c:\docume~1\mikey\locals~1\temp\tempor~2\content.ie5\osu3f7to.sh! c:\docume~1\mikey\locals~1\temp\tempor~2\content.ie5\mxajmb4x.sh! c:\docume~1\mikey\locals~1\temp\tempor~2\content.sh! c:\docume~1\mikey\locals~1\temp\TEMPOR~2.SH!
mRun: [TkBellExe] "c:\program files\common files\real\update_ob\realsched.exe" -osboot
mRun: [SM1BG] c:\windows\SM1BG.EXE
mRun: [RoxioDragToDisc] "c:\program files\roxio\easy media creator 7\drag to disc\DrgToDsc.exe"
mRun: [Logitech Utility] Logi_MwX.Exe
mRun: [Adobe Photo Downloader] "c:\program files\adobe\photoshop album starter edition\3.0\apps\apdproxy.exe"
mRun: [Sunkist2k] c:\program files\multimedia card reader\shwicon2k.exe
mRun: [mcagent_exe] c:\program files\mcafee.com\agent\mcagent.exe /runkey
mRun: [QuickTime Task] "c:\program files\quicktime\QTTask.exe" -atboottime
mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe"
mRun: [HP Software Update] c:\program files\hp\hp software update\HPWuSchd2.exe
mRun: [MsgCenterExe] "c:\program files\common files\real\update_ob\RealOneMessageCenter.exe" -osboot
mRun: [yuparumasa] Rundll32.exe "c:\windows\system32\wuhomuro.dll",s
mRun: [CPM2b535663] Rundll32.exe "c:\windows\system32\lotoyeyo.dll",a
mRun: [286065ff] rundll32.exe "c:\windows\system32\wibotelo.dll",b
dRun: [MSMSGS] "c:\program files\messenger\MSMSGS.EXE" /background
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\adober~1.lnk - c:\program files\adobe\acrobat 7.0\reader\reader_sl.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\digita~1.lnk - c:\program files\digital line detect\DLG.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\hpdigi~1.lnk - c:\program files\hp\digital imaging\bin\hpqtra08.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\hpphot~1.lnk - c:\program files\hp\digital imaging\bin\hpqthb08.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\logite~2.lnk - c:\program files\logitech\setpoint\KEM.exe
uPolicies-explorer: <NO NAME> =
IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office11\EXCEL.EXE/3000
IE: Yahoo! &SMS - file:///c:\program files\yahoo!\Common/ycsms.htm
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - c:\windows\system32\msjava.dll
IE: {2EAF5BB1-070F-11D3-9307-00C04FAE2D4F} - {2EAF5BB0-070F-11D3-9307-00C04FAE2D4F} - c:\progra~1\micros~4\inetrepl.dll
IE: {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - {2EAF5BB0-070F-11D3-9307-00C04FAE2D4F} - c:\progra~1\micros~4\inetrepl.dll
IE: {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897}
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~2\office11\REFIEBAR.DLL
IE: {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - {FE54FA40-D68C-11d2-98FA-00C0F0318AFE} - c:\windows\system32\Shdocvw.dll
Trusted Zone: internet
Trusted Zone: mcafee.com
Trusted Zone: microsoft.com\office
DPF: DirectAnimation Java Classes - file://c:\windows\java\classes\dajava.cab
DPF: Microsoft XML Parser for Java - file://c:\windows\java\classes\xmldso.cab
DPF: {05CA9FB0-3E3E-4B36-BF41-0E3A5CAA8CD8} - hxxp://go.microsoft.com/fwlink/?linkid=58813
DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21}
DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} - hxxp://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1231263526109
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/products/plugin/autodl/jinstall-142-windows-i586.cab
DPF: {BCC0FF27-31D9-4614-A68E-C18E1ADA4389} - hxxp://bin.mcafee.com/molbin/shared/mcgdmgr/en-us/1,0,0,16/mcgdmgr.cab
DPF: {CAFEEFAC-0014-0002-0005-ABCDEFFEDCBA} - hxxp://java.sun.com/products/plugin/autodl/jinstall-142-windows-i586.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
Handler: mctp - {d7b95390-b1c5-11d0-b111-0080c712fe82} - c:\program files\microsoft activesync\aatp.dll
Handler: sacore - {5513F07E-936B-4E52-9B00-067394E91CC5} - c:\progra~1\mcafee\sitead~1\McIEPlg.dll
WinCE Filter: image/bmp - {86F59FAE-FB3A-11D1-AA72-00C04FAE2D4B} - c:\progra~1\micros~4\cenetflt.dll
WinCE Filter: image/gif - {86F59FAE-FB3A-11D1-AA72-00C04FAE2D4B} - c:\progra~1\micros~4\cenetflt.dll
WinCE Filter: image/jpeg - {86F59FAE-FB3A-11D1-AA72-00C04FAE2D4B} - c:\progra~1\micros~4\cenetflt.dll
WinCE Filter: image/xbm - {86F59FAE-FB3A-11D1-AA72-00C04FAE2D4B} - c:\progra~1\micros~4\cenetflt.dll
WinCE Filter: text/asp - {6C5C3074-FFAB-11d1-8EC4-00C04F98D57A} - c:\progra~1\micros~4\cenetflt.dll
WinCE Filter: text/html - {6C5C3074-FFAB-11d1-8EC4-00C04F98D57A} - c:\progra~1\micros~4\cenetflt.dll
Notify: igfxcui - igfxsrvc.dll
AppInit_DLLs: c:\windows\system32\rokesoza.dll c:\windows\system32\lotoyeyo.dll xaxzfa.dll
SSODL: SSODL - {EC43E3FD-5C60-46a6-97D7-E0B85DBDD6C4} - c:\windows\system32\lotoyeyo.dll
STS: STS: {ec43e3fd-5c60-46a6-97d7-e0b85dbdd6c4} - c:\windows\system32\lotoyeyo.dll
LSA: Notification Packages = scecli c:\windows\system32\rokesoza.dll

============= SERVICES / DRIVERS ===============

R1 mfehidk;McAfee Inc. mfehidk;c:\windows\system32\drivers\mfehidk.sys [2008-2-6 201320]
R2 ASKService;ASKService;c:\program files\askbardis\bar\bin\AskService.exe [2008-11-10 460168]
R2 McAfee SiteAdvisor Service;McAfee SiteAdvisor Service;c:\program files\mcafee\siteadvisor\McSACore.exe [2008-9-30 206096]
R2 McProxy;McAfee Proxy Service;c:\progra~1\common~1\mcafee\mcproxy\mcproxy.exe [2008-2-22 359248]
R2 McShield;McAfee Real-time Scanner;c:\progra~1\mcafee\viruss~1\mcshield.exe [2008-2-6 144704]
R3 McSysmon;McAfee SystemGuards;c:\progra~1\mcafee\viruss~1\mcsysmon.exe [2008-2-6 695624]
R3 mfeavfk;McAfee Inc. mfeavfk;c:\windows\system32\drivers\mfeavfk.sys [2008-2-6 79304]
R3 mfebopk;McAfee Inc. mfebopk;c:\windows\system32\drivers\mfebopk.sys [2008-2-6 35240]
R3 mfesmfk;McAfee Inc. mfesmfk;c:\windows\system32\drivers\mfesmfk.sys [2008-2-6 40488]
S3 mferkdk;McAfee Inc. mferkdk;c:\windows\system32\drivers\mferkdk.sys [2008-2-6 33832]
S3 WRVS4400N_Sp50;WRVS4400N_Sp50 NDIS Protocol Driver;c:\windows\system32\drivers\WRVS4400N_Sp50.sys [2006-11-28 27072]

=============== Created Last 30 ================

2009-03-04 09:18 <DIR> --d----- c:\program files\Cobian Backup 8
2009-03-04 09:14 <DIR> --d----- c:\program files\Cobiansoft
2009-03-03 22:15 142,848 a--sh--- c:\windows\system32\xaxzfa.dll
2009-03-03 17:05 <DIR> --d----- c:\docume~1\alluse~1\applic~1\Citrix
2009-03-03 10:15 142,848 a--sh--- c:\windows\system32\tkpkix.dll
2009-02-23 07:36 54,156 a---h--- c:\windows\QTFont.qfn
2009-02-23 07:36 1,409 a------- c:\windows\QTFont.for

==================== Find3M ====================

2009-03-03 22:15 79,872 a--sh--- c:\windows\system32\sumonibe.dll
2009-03-03 22:15 106,496 a--sh--- c:\windows\system32\viheheji.dll
2009-03-03 22:15 142,848 a--sh--- c:\windows\system32\soveveje.dll
2009-03-03 10:15 79,872 a--sh--- c:\windows\system32\wibotelo.dll
2009-03-03 10:15 109,056 a--sh--- c:\windows\system32\lotoyeyo.dll
2009-03-03 10:15 142,848 a--sh--- c:\windows\system32\pahekuve.dll
2009-01-22 00:52 129,784 -------- c:\windows\system32\pxafs.dll
2009-01-22 00:52 116,472 -------- c:\windows\system32\pxcpyi64.exe
2009-01-22 00:52 43,528 -------- c:\windows\system32\drivers\pxhelp20.sys
2009-01-22 00:52 118,520 -------- c:\windows\system32\pxinsi64.exe
2009-01-06 13:39 79,359 a------- c:\windows\pchealth\helpctr\offlinecache\index.dat
2008-12-12 12:01 3,067,904 -------- c:\windows\system32\dllcache\mshtml.dll
2008-12-11 05:57 333,952 -------- c:\windows\system32\dllcache\srv.sys
2008-11-21 12:25 61,224 a------- c:\documents and settings\mikey\GoToAssistDownloadHelper.exe
2008-09-02 16:50 3,932 a------- c:\docume~1\mikey\applic~1\LMLayout.dat
2008-09-02 16:50 268 a------- c:\docume~1\mikey\applic~1\LMCPaper.dat
2003-08-27 14:19 36,963 ac---r-- c:\program files\common files\SM1updtr.dll
2003-06-30 13:51 207,759 ac------ c:\program files\INSTALL.LOG
0000-00-00 00:00 69,632 a--sh--- c:\windows\system32\jutepeso.dll
0000-00-00 00:00 69,632 a--sh--- c:\windows\system32\rokesoza.dll
0000-00-00 00:00 69,632 a--sh--- c:\windows\system32\wuhomuro.dll

============= FINISH: 11:43:16.37 ===============



#2 suebaby41, W.A.M. (Women Against Malware) (Malware Response Team, 6,248 posts, South Carolina, USA)

Posted 18 March 2009 - 11:02 AM

Welcome to the BleepingComputer Forums.

Since it has been a few days since you scanned your computer with HijackThis, we will need a new HijackThis log. Please download Trend Micro - HijackThis. Do a new scan with Trend Micro - HijackThis and post it in your next reply. Thank you for your patience.

Please see Preparation Guide for use before posting about your potential Malware problem.

If you have already posted this log at another forum or if you decide to seek help at another forum, please let us know. There is a shortage of helpers and taking the time of two volunteer helpers means that someone else may not be helped.

Please post your HijackThis log as a reply to this thread and not as an attachment. I am always leery of opening attachments so I always request that HijackThis logs are to be posted as a reply to the thread. I do not think that you are attaching anything scary but others may do so.

While we are working on your HijackThis log, please:
  • Reply to this thread; do not start another!
  • Do not make any changes on your computer during the cleaning process or download/add programs on your computer unless instructed to do so.
  • Do not run any other tool until instructed to do so!
  • Let me know if any of the links do not work or if any of the tools do not work.
  • Tell me about problems or symptoms that occur during the fix.
  • Do not run any other programs or open any other windows while doing a fix.
  • Ask any questions that you have regarding the fix(es), the infection(s), the performance of your computer, etc.
Thanks.
You don't stop laughing when you get old; you get old when you stop laughing.
A Member of U-N-I-T-E (Unified Network of Instructors and Trained Eliminators)
Malware Removal University Masters Graduate

Posted Image
Join The Fight Against Malware
No reply within 5 days will result in your topic being closed. If you need more time, please let me know by posting in this topic so that your topic will not be closed.

#3 APL23, Topic Starter (Members, 58 posts)

Posted 18 March 2009 - 12:30 PM

Hi Sue,

Thanks for your help. I have a question first.

Since my initial post, Vundo blew away McAfee Security Center. By the end of the day, McAfee was on red alert, and said that I was no longer protected. So I downloaded their virtual technician (no mention of the virus at all), then got on a chat with one of their folks who told me to uninstall and reinstall. The uninstall part went fine, but when I tried to register as a user on their site to download another copy to reinstall, Vundo would not let me register (I was able to register as a user from my work computer, which is what I'm using now). At which point the McAfee technician suggested I engage the services of their virus removal service - I paid for software that was supposed to do that. So I simply disconnected my lan line and have not gone online with my infected pc since.

Other strange things:

- I've been getting a window called "SmartHeap Library MEM_BAD_POINTER" when I open my ACT! database. I click OK a couple of times and it goes away. Is this related?
- IE keeps trying to open, but has nowhere to go (page not found). But if I try to open it, either by double clicking the icon or by Start IE, I get the hourglass for a couple of seconds then nothing.

Finally to my question: is it safe to go online with my unprotected infected pc, or is there a way to capture the information from it and use my work computer to post the reply for your diagnosis / instructions?

Thanks again,

Annette

#4 suebaby41 (Malware Response Team)

Posted 18 March 2009 - 04:28 PM

- I've been getting a windo called "SmartHeap Library MEM_BAD_POINTER" when I open my ACT! database. I click OK a couple of times and it goes away. Is this related?

There is a fix for the MEM_BAD_POINTER error in SP2 - http://support.microsoft.com/kb/910466
This fix is included in SP3. (verify the list in KB946480).
If this issue started after installing SP3, contact SP3 tech support (free) at
http://support.microsoft.com/oas/default.a...mp;gprid=522131

- IE keeps trying to open, but has nowhere to go (page not found). But if I try to open it, either by double clicking the icon or by Start IE, I get the hourglass for a couple of seconds then nothing.

Finally to my question: is it safe to go online with my unprotected infected pc, or is there a way to capture the information from it and use my work computer to post the reply for your diagnosis / instructions?

Using another computer or flash drive may spread the infection so let's try to get rid of Vundo. Go online only to download this program and then disconnect from the Internet to run the program.
  • Please download VundoFix by Atribune to your desktop.
  • Double-click VundoFix.exe to run it.
    You want to run the fix until you see all Vundo files say: "Has been deleted".
  • Click the Scan for Vundo button.
  • When VundoFix opens, click the Scan for Vundo button.
  • After scanning is completed, click the Fix Vundo button.
  • You will receive a prompt asking if you want to remove the files, click YES.
  • After you click Yes, your desktop will go blank as it starts removing Vundo.
  • When completed, it will prompt that it will shutdown your computer, click OK.
  • Turn your computer back on.
  • Please post the contents of C:\vundofix.txt and a new HijackThis log.
Note: It is possible that VundoFix encountered a file it could not remove. In this case, VundoFix will run on reboot. Follow the above instructions starting from "Click the Scan for Vundo button" when VundoFix appears at reboot.

#5 APL23, Topic Starter (Members, 58 posts)

Posted 19 March 2009 - 01:58 PM

Hi Sue,

I downloaded VundoFix and ran it with the following results: "Done searching for files. No infected files found". Clicked OK. "No files were found, vundofix V7.0.6 will now close". To the lower left it said "removing vundo...".

I tried this last night and shut it down after about an hour. Then I tried again this morning, with the same results. This time I left it at "removing vundo..." for several hours, but it didn't appear to be doing anything. So I just shut it down and ran hijackthis, with the following results:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 1:35:36 PM, on 19/03/2009
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP3 (6.00.2900.5512)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\AskBarDis\bar\bin\AskService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\WINDOWS\System32\CTsvcCDA.EXE
c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\MsPMSPSv.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\WINDOWS\SM1BG.EXE
C:\Program Files\Roxio\Easy Media Creator 7\Drag to Disc\DrgToDsc.exe
C:\Program Files\Multimedia Card Reader\shwicon2k.exe
C:\Program Files\QuickTime\QTTask.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
C:\Program Files\Common Files\Real\Update_OB\RealOneMessageCenter.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\Microsoft ActiveSync\WCESCOMM.EXE
C:\Program Files\Digital Line Detect\DLG.exe
C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
C:\Program Files\Logitech\SetPoint\KEM.exe
C:\Program Files\Logitech\MouseWare\system\em_exec.exe
C:\Program Files\Logitech\SetPoint\KHALMNPR.EXE
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\HP\Digital Imaging\bin\hpqimzone.exe
C:\Program Files\HP\Digital Imaging\bin\hpqSTE08.exe
C:\PROGRA~1\WINZIP\winzip32.exe
C:\Documents and Settings\Mikey\Local Settings\Temp\HijackThis.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
C:\Documents and Settings\Mikey\Desktop\HiJackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dellnet.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.theanimalrescuesite.com/clickTo...hankyou_sitenav
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dellnet.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://toolbar.ask.com/toolbarv/askRedirec...amp;gc=1&q=
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://red.clientapps.yahoo.com/customize/...rch/search.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Search,Default_Search_URL = http://toolbar.ask.com/toolbarv/askRedirec...amp;gc=1&q=
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://ca.search.yahoo.com/search?fr=mcafee&p=%s
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.dellnet.com/
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1;http://localhost;*.local
R3 - URLSearchHook: DefaultSearchHook Class - {C94E154B-1459-4A47-966B-4B843BEFC7DB} - C:\Program Files\AskSearch\bin\DefaultSearch.dll
F2 - REG:system.ini: UserInit=C:\WINDOWS\System32\Userinit.exe
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: AskBar BHO - {201f27d4-3704-41d6-89c1-aa35e39143ed} - C:\Program Files\AskBarDis\bar\bin\askBar.dll
O2 - BHO: (no name) - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - (no file)
O2 - BHO: scriptproxy - {7DB2D5A0-7241-4E79-B68D-6309F01C5231} - c:\PROGRA~1\mcafee\VIRUSS~1\scriptsn.dll
O2 - BHO: (no name) - {ab1f083b-21cb-46db-8963-30db8b6919a4} - C:\WINDOWS\system32\jutepeso.dll
O2 - BHO: {a1bb232a-70ce-8489-6c24-a41792a7337d} - {d7337a29-714a-42c6-9848-ec07a232bb1a} - C:\WINDOWS\system32\xaxzfa.dll
O3 - Toolbar: Ask Toolbar - {3041d03e-fd4b-44e0-b742-2d9b88305f98} - C:\Program Files\AskBarDis\bar\bin\askBar.dll
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [SM1BG] C:\WINDOWS\SM1BG.EXE
O4 - HKLM\..\Run: [RoxioDragToDisc] "C:\Program Files\Roxio\Easy Media Creator 7\Drag to Disc\DrgToDsc.exe"
O4 - HKLM\..\Run: [Logitech Utility] Logi_MwX.Exe
O4 - HKLM\..\Run: [Adobe Photo Downloader] "C:\Program Files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe"
O4 - HKLM\..\Run: [Sunkist2k] C:\Program Files\Multimedia Card Reader\shwicon2k.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
O4 - HKLM\..\Run: [MsgCenterExe] "C:\Program Files\Common Files\Real\Update_OB\RealOneMessageCenter.exe" -osboot
O4 - HKLM\..\Run: [yuparumasa] Rundll32.exe "C:\WINDOWS\system32\wuhomuro.dll",s
O4 - HKLM\..\Run: [CPM2b535663] Rundll32.exe "c:\windows\system32\lotoyeyo.dll",a
O4 - HKLM\..\Run: [286065ff] rundll32.exe "C:\WINDOWS\system32\wibotelo.dll",b
O4 - HKCU\..\Run: [H/PC Connection Agent] "C:\Program Files\Microsoft ActiveSync\WCESCOMM.EXE"
O4 - HKUS\S-1-5-19\..\Run: [yuparumasa] Rundll32.exe "C:\WINDOWS\system32\wuhomuro.dll",s (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [yuparumasa] Rundll32.exe "C:\WINDOWS\system32\wuhomuro.dll",s (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [MSMSGS] "C:\Program Files\Messenger\MSMSGS.EXE" /background (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [MSMSGS] "C:\Program Files\Messenger\MSMSGS.EXE" /background (User 'Default user')
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Digital Line Detect.lnk = ?
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
O4 - Global Startup: HP Photosmart Premier Fast Start.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqthb08.exe
O4 - Global Startup: Logitech SetPoint.lnk = C:\Program Files\Logitech\SetPoint\KEM.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Yahoo! &SMS - file:///C:\Program Files\Yahoo!\Common/ycsms.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll
O9 - Extra button: Create Mobile Favorite - {2EAF5BB1-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MICROS~4\inetrepl.dll
O9 - Extra button: (no name) - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MICROS~4\inetrepl.dll
O9 - Extra 'Tools' menuitem: Create Mobile Favorite... - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MICROS~4\inetrepl.dll
O9 - Extra button: Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\WINDOWS\System32\shdocvw.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O15 - Trusted Zone: http://*.mcafee.com
O16 - DPF: {05CA9FB0-3E3E-4B36-BF41-0E3A5CAA8CD8} (Office Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=58813
O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} -
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdat...b?1231263526109
O16 - DPF: {BCC0FF27-31D9-4614-A68E-C18E1ADA4389} - http://bin.mcafee.com/molbin/shared/mcgdmg...,16/mcgdmgr.cab
O20 - AppInit_DLLs: C:\WINDOWS\system32\rokesoza.dll c:\windows\system32\lotoyeyo.dll xaxzfa.dll
O21 - SSODL: SSODL - {EC43E3FD-5C60-46a6-97D7-E0B85DBDD6C4} - c:\windows\system32\lotoyeyo.dll
O22 - SharedTaskScheduler: STS - {EC43E3FD-5C60-46a6-97D7-E0B85DBDD6C4} - c:\windows\system32\lotoyeyo.dll
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: ASKService - Unknown owner - C:\Program Files\AskBarDis\bar\bin\AskService.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\System32\CTsvcCDA.EXE
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: McAfee Scanner (McODS) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcods.exe
O23 - Service: McAfee Proxy Service (McProxy) - McAfee, Inc. - c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
O23 - Service: McAfee Real-time Scanner (McShield) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe
O23 - Service: McAfee SystemGuards (McSysmon) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe
O23 - Service: Pml Driver HPH11 - HP - C:\WINDOWS\System32\HPHipm11.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\System32\HPZipm12.exe

--
End of file - 10050 bytes

Please advise on next step.

Thanks,

Annette

#6 suebaby41

suebaby41

    W.A.M. (Women Against Malware)


  • Malware Response Team
  • 6,248 posts
  • OFFLINE
  •  
  • Gender:Female
  • Location:South Carolina, USA
  • Local time:02:56 PM

Posted 21 March 2009 - 10:40 AM

Let's try other tools.

Step 1
  • Please download and run the FixVundo Tool.
  • Save > Desktop > Save.
  • Close all running programs (including your Internet Browser).
  • Double-click FixVundo.exe on the desktop.
  • Click Run if asked.
  • Click Start.
    Important: Do not launch any new applications while the tool is running!
  • When finished, Start. The result will be displayed
  • Click OK to close the box.
  • When finished, restart the computer
  • Run the removal tool again and restart the system to ensure that the system is clean. Then, run your virus checker
Step 2

Malwarebytes' Anti-Malware is FREEWARE, however you may upgrade to the PRO version which contains realtime protection, scheduled scanning and updating.
  • Please download Malwarebytes Anti-Malware (MBAM). Alternate download link
  • Double-click on Download_mbam-setup.exe to install the application.
  • When the installation begins, follow the prompts and do not make any changes to default settings.
  • When installation has finished, make sure you leave both of these checked:
    • Update Malwarebytes' Anti-Malware
    • Launch Malwarebytes' Anti-Malware
  • Click Finish.
  • MBAM will automatically start and you will be asked to update the program before performing scan. If an update is found, the program will automatically update itself.
  • Press the OK button to close that box and continue. If you encounter any problems while downloading the updates, manually download them from the Malware Bytes Web site. Scroll down the page until you see Latest Database; click Download from GT500.org
  • Double-click on mbam-rules.exe to install.
  • On the Scanner tab, make sure the Perform Quick Scan option is selected.
  • Click on the Scan button.
  • If asked to select the drives to scan, leave all the drives selected and click on the Start Scan button.
  • The scan will begin and Scan in progress will show at the top. It may take some time to complete; please be patient.
  • When the scan is finished, a message box will say "The scan completed successfully."
  • At the main Scanner screen, click on the Show Results button to see a list of any malware that was found.
  • Make sure that everything is checked, and click Remove Selected.
  • When removal is completed, a log report will open in Notepad and you may be prompted to restart your computer. (see Note below)
  • The log is automatically saved and can be viewed by clicking the Logs tab in MBAM.
  • Copy and paste the contents of that report in your next reply and exit MBAM.
  • Note: If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts. Click OK to either and let MBAM proceed with the disinfection process. If asked to restart the computer, please do so immediately. Failure to reboot will prevent MBAM from removing all the malware.
Please post a new HijackThis log.
You don't stop laughing when you get old; you get old when you stop laughing.
A Member of U-N-I-T-E (Unified Network of Instructors and Trained Eliminators)
Malware Removal University Masters Graduate

Join The Fight Against Malware
No reply within 5 days will result in your topic being closed. If you need more time, please let me know by posting in this topic so that your topic will not be closed.

#7 APL23

APL23
  • Topic Starter

  • Members
  • 58 posts
  • OFFLINE
  •  
  • Local time:02:56 PM

Posted 21 March 2009 - 06:42 PM

I'm stuck at step 1, since I uninstalled McAfee. I'll get a fresh copy onto a CD and install it.

Meanwhile, the Symantec tool did not find Vundo. "Trojan.Vundo has not been found on your computer".

Here's the log file:

Symantec Trojan.Vundo Removal Tool 1.5.0

Trojan.Vundo has not been found on your computer.


I will post again once I have re-installed McAfee, run the virus check, and then the MBAM.

Tks,

#8 APL23

APL23
  • Topic Starter

  • Members
  • 58 posts
  • OFFLINE
  •  
  • Local time:02:56 PM

Posted 22 March 2009 - 12:04 PM

...still stuck at step 1. Vundo would not let me go to the McAfee US site to download a new copy of Security Center (kept re-directing me to the Canadian site). So I copied the file to a cd using my work computer. But in trying to launch the executable from the cd, I got the following error:
"Installation cannot continue. We're having trouble installing your McAfee software because JavaScript is not working correctly on this PC. Need more information? Visit our Customer Support site at http://us.mcafee.com/root/campaign.asp?cid=43582 for detailed instructions." Unfortunately, there was no such document on their site, not in the Customer Service section nor in Technical Support (also tried a random search on "JavaScript" as well with no results).

Should I skip the virus checker and go to step 2 or should I try to fix JavaScript first (i.e. with RegCure or the like)?

Tks,

#9 suebaby41

suebaby41

    W.A.M. (Women Against Malware)


  • Malware Response Team
  • 6,248 posts
  • OFFLINE
  •  
  • Gender:Female
  • Location:South Carolina, USA
  • Local time:02:56 PM

Posted 23 March 2009 - 06:33 AM

Step 1

Boot into Safe Mode safely (without networking support!)
  • If your computer is running, shut down Windows, then turn the power off.
  • Wait 30 seconds, then turn the computer on, and begin tapping the F8 key (if this doesn't work try the F5 key).
  • The Windows Advanced Options Menu appears.
  • Select Safe Mode using the up/down arrow keys.
  • Click Enter.
  • Log on with an account with administrator privileges, usually your own account (NOT the account named Administrator).
If you cannot boot into safe mode using this method, it is important that you let me know.

Do not attempt to boot into Safe Mode using MSCONFIG

If you do so, you may be unable to boot your computer or your computer may enter a "Safe Mode Boot Loop".


An infected computer is not stable. By using the /SAFEBOOT option in MSCONFIG, you are altering your Boot.ini file to make it boot ONLY in Safe Mode. If your computer fails to boot into Safe Mode, as it may well do, then you will be left in a position where your computer will not boot at all or your computer will enter a Safe Mode Boot Loop.

Because your Safe Mode Registry Entries have been damaged by your computer infection, your computer cannot boot into Safe Mode or is in a Safe Mode Boot Loop. You cannot boot to Normal Mode (because of the alterations you made to your Boot.ini file), so now you are left with a computer that will not boot into Safe Mode or Normal Mode or will be in a Safe Mode Boot Loop. This is not a situation you want to be in.

Do not use the BOOTSAFE option in Super Anti-Spyware or use BOOTSAFE by SUPERAdBlocker. Both of these do the same thing as MSCONFIG.

If F8/F5 doesn't work, TELL ME!

There are tools we can use to repair your faulty Safe Mode condition, but these can only be used so long as you are able to boot your computer.

Step 2

NOTE: To avoid the risk of any of the files or folders not being found due to their having the Hidden attribute, go to My Computer (Windows key+e).
  • Click Tools > Folder Options > View.
  • Under Advanced Settings > Files and Folders > Hidden files and folders, first make sure that Show hidden files and folders has a dot in the circle before it which indicates that hidden files and folders are visible.
Step 3

Use Windows Explorer (My Computer, Windows key+e).
File/folder location is indicated by C (or the name of the drive you are using) C:\name of the folder\name of file. Search for the following files/folders and DELETE everything in the folder indicated in BLUE. (Do not worry if they are not there):

C:\Documents and Settings\Mikey\Local Settings\
Temp\
Delete everything in this folder but not the folder itself.

Step 4

Still in Safe Mode, run Malwarebytes.

Step 5

Continue with the other steps. Please post a new HijackThis log.

#10 APL23

APL23
  • Topic Starter

  • Members
  • 58 posts
  • OFFLINE
  •  
  • Local time:02:56 PM

Posted 23 March 2009 - 09:44 AM

Step 1: booted in safe mode by hitting F8, selected Safe Mode. "Windows is running in safe mode...To proceed to work in Safe Mode click Yes..."

Step 2: ok

Step 3: deleted a blue DLL called TempIadHide3.dll 6.1.4.36 IAdHide. Installed / ran MBAM. Found ~ 29 corrupt files, removed them (see log). HJT log also below.

Should I be able to download a new copy of McAfee Security Center now? If yes, should I do so and run a scan?

Thanks,

Malwarebytes' Anti-Malware 1.34
Database version: 1749
Windows 5.1.2600 Service Pack 3

23/03/2009 9:28:22 AM
mbam-log-2009-03-23 (09-28-22).txt

Scan type: Quick Scan
Objects scanned: 74423
Time elapsed: 12 minute(s), 6 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 3
Registry Keys Infected: 13
Registry Values Infected: 5
Registry Data Items Infected: 5
Folders Infected: 5
Files Infected: 20

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
C:\WINDOWS\SYSTEM32\rokesoza.dll (Trojan.Vundo.H) -> Delete on reboot.
c:\WINDOWS\SYSTEM32\lotoyeyo.dll (Trojan.Vundo.H) -> Delete on reboot.
C:\WINDOWS\SYSTEM32\xaxzfa.dll (Trojan.Vundo.H) -> Delete on reboot.

Registry Keys Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{d7337a29-714a-42c6-9848-ec07a232bb1a} (Trojan.Vundo.H) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{d7337a29-714a-42c6-9848-ec07a232bb1a} (Trojan.Vundo.H) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{ab1f083b-21cb-46db-8963-30db8b6919a4} (Trojan.Vundo.H) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{ab1f083b-21cb-46db-8963-30db8b6919a4} (Trojan.Vundo.H) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{ec43e3fd-5c60-46a6-97d7-e0b85dbdd6c4} (Trojan.Vundo.H) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{d7337a29-714a-42c6-9848-ec07a232bb1a} (Trojan.Vundo.H) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{ab1f083b-21cb-46db-8963-30db8b6919a4} (Trojan.Vundo.H) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\MS Juan (Malware.Trace) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\contim (Trojan.Vundo) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\dslcnnct (Trojan.Vundo) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\MS Track System (Trojan.Vundo) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\rdfa (Trojan.Vundo) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\SpywareBot (Rogue.SpywareBot) -> Quarantined and deleted successfully.

Registry Values Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\286065ff (Trojan.Vundo.H) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\yuparumasa (Trojan.Vundo.H) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\cpm2b535663 (Trojan.Vundo.H) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SharedTaskScheduler\{ec43e3fd-5c60-46a6-97d7-e0b85dbdd6c4} (Trojan.Vundo.H) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\ssodl (Trojan.Vundo.H) -> Quarantined and deleted successfully.

Registry Data Items Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\AppInit_DLLs (Trojan.Vundo.H) -> Data: c:\windows\system32\rokesoza.dll -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\LSA\Notification Packages (Trojan.Vundo.H) -> Data: c:\windows\system32\rokesoza.dll -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\AppInit_DLLs (Trojan.Vundo.H) -> Data: system32\rokesoza.dll -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\AppInit_DLLs (Trojan.Vundo.H) -> Data: c:\windows\system32\lotoyeyo.dll -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\AppInit_DLLs (Trojan.Vundo.H) -> Data: system32\lotoyeyo.dll -> Quarantined and deleted successfully.

Folders Infected:
C:\Program Files\SpywareBot (Rogue.SpywareBot) -> Quarantined and deleted successfully.
C:\Program Files\SpywareBot\Log (Rogue.SpywareBot) -> Quarantined and deleted successfully.
C:\Program Files\SpywareBot\Quarantine (Rogue.SpywareBot) -> Quarantined and deleted successfully.
C:\Program Files\SpywareBot\Registry Backups (Rogue.SpywareBot) -> Quarantined and deleted successfully.
C:\Program Files\SpywareBot\Settings (Rogue.SpywareBot) -> Quarantined and deleted successfully.

Files Infected:
C:\WINDOWS\SYSTEM32\xaxzfa.dll (Trojan.Vundo.H) -> Delete on reboot.
C:\WINDOWS\SYSTEM32\wibotelo.dll (Trojan.Vundo.H) -> Quarantined and deleted successfully.
C:\WINDOWS\SYSTEM32\oletobiw.ini (Trojan.Vundo.H) -> Quarantined and deleted successfully.
C:\WINDOWS\SYSTEM32\wuhomuro.dll (Trojan.Vundo.H) -> Quarantined and deleted successfully.
c:\WINDOWS\SYSTEM32\lotoyeyo.dll (Trojan.Vundo.H) -> Delete on reboot.
C:\WINDOWS\SYSTEM32\jutepeso.dll (Trojan.Vundo.H) -> Quarantined and deleted successfully.
C:\WINDOWS\SYSTEM32\rokesoza.dll (Trojan.Vundo.H) -> Delete on reboot.
C:\WINDOWS\SYSTEM32\soveveje.dll (Trojan.Vundo.H) -> Quarantined and deleted successfully.
C:\WINDOWS\SYSTEM32\sumonibe.dll (Trojan.Vundo.H) -> Quarantined and deleted successfully.
C:\Program Files\SpywareBot\DataBaseNew.ref (Rogue.SpywareBot) -> Quarantined and deleted successfully.
C:\Program Files\SpywareBot\Log\log_2006_09_21_16_32_41.log (Rogue.SpywareBot) -> Quarantined and deleted successfully.
C:\Program Files\SpywareBot\Log\log_2006_09_21_16_32_42.log (Rogue.SpywareBot) -> Quarantined and deleted successfully.
C:\Program Files\SpywareBot\Log\log_2006_09_21_16_33_11.log (Rogue.SpywareBot) -> Quarantined and deleted successfully.
C:\Program Files\SpywareBot\Log\log_2006_09_21_16_33_39.log (Rogue.SpywareBot) -> Quarantined and deleted successfully.
C:\Program Files\SpywareBot\Log\log_2006_09_22_12_57_43.log (Rogue.SpywareBot) -> Quarantined and deleted successfully.
C:\Program Files\SpywareBot\Settings\CustomScan.stg (Rogue.SpywareBot) -> Quarantined and deleted successfully.
C:\Program Files\SpywareBot\Settings\IgnoreList.stg (Rogue.SpywareBot) -> Quarantined and deleted successfully.
C:\Program Files\SpywareBot\Settings\ScanInfo.stg (Rogue.SpywareBot) -> Quarantined and deleted successfully.
C:\Program Files\SpywareBot\Settings\SelectedFolders.stg (Rogue.SpywareBot) -> Quarantined and deleted successfully.
C:\Program Files\SpywareBot\Settings\Settings.stg (Rogue.SpywareBot) -> Quarantined and deleted successfully.


Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 9:32:26 AM, on 23/03/2009
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP3 (6.00.2900.5512)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\AskBarDis\bar\bin\AskService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\WINDOWS\System32\CTsvcCDA.EXE
c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\MsPMSPSv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\WINDOWS\SM1BG.EXE
C:\Program Files\Roxio\Easy Media Creator 7\Drag to Disc\DrgToDsc.exe
C:\Program Files\Multimedia Card Reader\shwicon2k.exe
C:\Program Files\QuickTime\QTTask.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
C:\Program Files\Common Files\Real\Update_OB\RealOneMessageCenter.exe
C:\Program Files\Microsoft ActiveSync\WCESCOMM.EXE
C:\Program Files\Logitech\MouseWare\system\em_exec.exe
C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
C:\Program Files\Digital Line Detect\DLG.exe
C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
C:\Program Files\Logitech\SetPoint\KEM.exe
C:\Program Files\Logitech\SetPoint\KHALMNPR.EXE
C:\Program Files\HP\Digital Imaging\bin\hpqimzone.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\HP\Digital Imaging\bin\hpqSTE08.exe
C:\Documents and Settings\Mikey\Desktop\HiJackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dellnet.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.theanimalrescuesite.com/clickTo...hankyou_sitenav
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dellnet.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://toolbar.ask.com/toolbarv/askRedirec...amp;gc=1&q=
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://red.clientapps.yahoo.com/customize/...rch/search.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Search,Default_Search_URL = http://toolbar.ask.com/toolbarv/askRedirec...amp;gc=1&q=
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://toolbar.ask.com/toolbarv/askRedirec...p;gc=1&q=%s
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.dellnet.com/
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1;http://localhost;*.local
R3 - URLSearchHook: DefaultSearchHook Class - {C94E154B-1459-4A47-966B-4B843BEFC7DB} - C:\Program Files\AskSearch\bin\DefaultSearch.dll
F2 - REG:system.ini: UserInit=C:\WINDOWS\System32\Userinit.exe
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: AskBar BHO - {201f27d4-3704-41d6-89c1-aa35e39143ed} - C:\Program Files\AskBarDis\bar\bin\askBar.dll
O2 - BHO: (no name) - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - (no file)
O2 - BHO: scriptproxy - {7DB2D5A0-7241-4E79-B68D-6309F01C5231} - c:\PROGRA~1\mcafee\VIRUSS~1\scriptsn.dll
O3 - Toolbar: Ask Toolbar - {3041d03e-fd4b-44e0-b742-2d9b88305f98} - C:\Program Files\AskBarDis\bar\bin\askBar.dll
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [SM1BG] C:\WINDOWS\SM1BG.EXE
O4 - HKLM\..\Run: [RoxioDragToDisc] "C:\Program Files\Roxio\Easy Media Creator 7\Drag to Disc\DrgToDsc.exe"
O4 - HKLM\..\Run: [Logitech Utility] Logi_MwX.Exe
O4 - HKLM\..\Run: [Adobe Photo Downloader] "C:\Program Files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe"
O4 - HKLM\..\Run: [Sunkist2k] C:\Program Files\Multimedia Card Reader\shwicon2k.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
O4 - HKLM\..\Run: [MsgCenterExe] "C:\Program Files\Common Files\Real\Update_OB\RealOneMessageCenter.exe" -osboot
O4 - HKCU\..\Run: [H/PC Connection Agent] "C:\Program Files\Microsoft ActiveSync\WCESCOMM.EXE"
O4 - HKUS\S-1-5-19\..\Run: [yuparumasa] Rundll32.exe "C:\WINDOWS\system32\wuhomuro.dll",s (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [yuparumasa] Rundll32.exe "C:\WINDOWS\system32\wuhomuro.dll",s (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [MSMSGS] "C:\Program Files\Messenger\MSMSGS.EXE" /background (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [MSMSGS] "C:\Program Files\Messenger\MSMSGS.EXE" /background (User 'Default user')
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Digital Line Detect.lnk = ?
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
O4 - Global Startup: HP Photosmart Premier Fast Start.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqthb08.exe
O4 - Global Startup: Logitech SetPoint.lnk = C:\Program Files\Logitech\SetPoint\KEM.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Yahoo! &SMS - file:///C:\Program Files\Yahoo!\Common/ycsms.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll
O9 - Extra button: Create Mobile Favorite - {2EAF5BB1-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MICROS~4\inetrepl.dll
O9 - Extra button: (no name) - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MICROS~4\inetrepl.dll
O9 - Extra 'Tools' menuitem: Create Mobile Favorite... - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MICROS~4\inetrepl.dll
O9 - Extra button: Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\WINDOWS\System32\shdocvw.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O15 - Trusted Zone: http://*.mcafee.com
O16 - DPF: {05CA9FB0-3E3E-4B36-BF41-0E3A5CAA8CD8} (Office Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=58813
O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} -
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdat...b?1231263526109
O16 - DPF: {BCC0FF27-31D9-4614-A68E-C18E1ADA4389} - http://bin.mcafee.com/molbin/shared/mcgdmg...,16/mcgdmgr.cab
O20 - AppInit_DLLs: xaxzfa.dll
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: ASKService - Unknown owner - C:\Program Files\AskBarDis\bar\bin\AskService.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\System32\CTsvcCDA.EXE
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: McAfee Scanner (McODS) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcods.exe
O23 - Service: McAfee Proxy Service (McProxy) - McAfee, Inc. - c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
O23 - Service: McAfee Real-time Scanner (McShield) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe
O23 - Service: McAfee SystemGuards (McSysmon) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe
O23 - Service: Pml Driver HPH11 - HP - C:\WINDOWS\System32\HPHipm11.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\System32\HPZipm12.exe

--
End of file - 9201 bytes

#11 suebaby41
    W.A.M. (Women Against Malware)
  • Malware Response Team
  • 6,248 posts
  • Gender:Female
  • Location:South Carolina, USA

Posted 23 March 2009 - 11:04 AM

Please download a-squared Free.
  • Follow all the instructions given by the installer.
  • Once installed, the a-squared Updater will automatically start. Downloading updates will take some time.
  • Please go to Start > Programs > a-squared Free and click a-squared StartCenter.
  • Click Scan your computer for malware infections.
  • Make sure all three setting options are checked. Click Scan selected folders. The scan will start.
  • Click Save HTML-Report. Save the report to somewhere convenient for you to remember the location such as your desktop.
  • If malware is found, click the button Remove Selected Malware.
  • Please post the log from a-squared Free and a new HijackThis log.
To continue to use a-squared Free, you will need to use the a-squared Updater to manually update the program. Click Security Status > Update Now. The a-squared Free program contains only the basic scanner. Background Guard, Automatic Updates, Scheduled Scans and HiJackFree are only available with the a-squared Anti-Malware ("pay for use") software.
You don't stop laughing when you get old; you get old when you stop laughing.
A Member of U-N-I-T-E (Unified Network of Instructors and Trained Eliminators)
Malware Removal University Masters Graduate

Join The Fight Against Malware
No reply within 5 days will result in your topic being closed. If you need more time, please let me know by posting in this topic so that your topic will not be closed.

#12 APL23
  • Topic Starter
  • Members
  • 58 posts

Posted 23 March 2009 - 02:23 PM

Downloaded a-squared free (first downloaded the full version free 30 day trial by mistake, then went back and got the actual a-squared free), ran Scan PC. Found several "high risk" files (boxes were checked), and many med - low risk cookies and traces (boxes not checked). Clicked on "Delete selected objects". Below is the log from a-squared as well as a new HJT log.

Please advise next step.

Tks,

a-squared Free - Version 4.0
Last update: 23/03/2009 12:29:02 PM

Scan settings:

Objects: Memory, Traces, Cookies, C:\
Scan archives: On
Heuristics: Off
ADS Scan: On

Scan start: 23/03/2009 12:31:12 PM

c:\program files\mediaring talk detected: Trace.Directory.Aureate!A2
c:\program files\common files\gmt detected: Trace.Directory.Claria.CommonComponents!A2
c:\program files\clearsearch detected: Trace.Directory.2ndThought!A2
c:\program files\common files\gmt\data detected: Trace.Directory.Gator!A2
c:\program files\lycos detected: Trace.Directory.LycosSidesearch!A2
c:\documents and settings\mikey\application data\registry cleaner detected: Trace.Directory.RegistryCleaner!A2
c:\program files\registry cleaner trial detected: Trace.Directory.RegistryCleaner!A2
c:\program files\registry cleaner trial\soref.dll detected: Trace.File.Registry Cleaner 4.0!A2
c:\documents and settings\mikey\application data\registry cleaner\regclean.ini detected: Trace.File.Registry Cleaner 4.0!A2
Key: HKEY_USERS\S-1-5-21-1800764857-618527768-3219183873-1006\software\registry cleaner detected: Trace.Registry.RegistryCleaner!A2
Key: HKEY_USERS\S-1-5-21-1800764857-618527768-3219183873-1006\software\softwareonline.com\soref\{334cca36-c1f1-4649-8dae-a46e24911e1b} detected: Trace.Registry.RegistryCleaner!A2
Value: HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\app management\arpcache\shopathomeselect agent --> changed detected: Trace.Registry.SAHAgent!A2
Value: HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\app management\arpcache\shopathomeselect agent --> slowinfocache detected: Trace.Registry.SAHAgent!A2
Key: HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\app management\arpcache\shopathomeselect agent detected: Trace.Registry.ShopAtHomeSelect!A2
Key: HKEY_LOCAL_MACHINE\software\classes\interface\{0f2a4adc-dabf-4980-8db4-19f67d7b1f95} detected: Trace.Registry.SpediaBar!A2
Value: HKEY_CLASSES_ROOT\CLSID\{6434AFDA-BD68-492F-9A46-58E0160BDE6B}\InprocServer32 --> ThreadingModel detected: Trace.Registry.SpywareBot 3.6!A2
Value: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{6434AFDA-BD68-492F-9A46-58E0160BDE6B}\InprocServer32 --> ThreadingModel detected: Trace.Registry.SpywareBot 3.6!A2
Value: HKEY_USERS\S-1-5-21-1800764857-618527768-3219183873-1006\Software\Viewpoint\Content Debugger --> SearchBar detected: Trace.Registry.Viewpoint Media Toolbar!A2
Value: HKEY_USERS\S-1-5-21-1800764857-618527768-3219183873-1006\Software\Viewpoint\Content Debugger --> Viewbar Installer detected: Trace.Registry.Viewpoint Media Toolbar!A2
Value: HKEY_USERS\.DEFAULT\Software\Viewpoint\Content Debugger --> Viewpoint Manager detected: Trace.Registry.Viewpoint Media Toolbar!A2
Value: HKEY_USERS\S-1-5-21-1800764857-618527768-3219183873-1006\Software\Viewpoint\Content Debugger --> Viewpoint Manager detected: Trace.Registry.Viewpoint Media Toolbar!A2
Value: HKEY_USERS\S-1-5-18\Software\Viewpoint\Content Debugger --> Viewpoint Manager detected: Trace.Registry.Viewpoint Media Toolbar!A2
Value: HKEY_USERS\S-1-5-21-1800764857-618527768-3219183873-1006\Software\Viewpoint\Content Debugger --> Viewpoint Manager Installer detected: Trace.Registry.Viewpoint Media Toolbar!A2
Value: HKEY_USERS\S-1-5-21-1800764857-618527768-3219183873-1006\Software\Registry Cleaner\Registry Cleaner\4.0\Settings --> FirstLaunch detected: Trace.Registry.Registry Cleaner 4.0!A2
Value: HKEY_USERS\S-1-5-21-1800764857-618527768-3219183873-1006\Software\Registry Cleaner\Registry Cleaner\4.0\Settings --> ID detected: Trace.Registry.Registry Cleaner 4.0!A2
Value: HKEY_USERS\S-1-5-21-1800764857-618527768-3219183873-1006\Software\Registry Cleaner\Registry Cleaner\4.0\Settings --> LastScanFound detected: Trace.Registry.Registry Cleaner 4.0!A2
Value: HKEY_USERS\S-1-5-21-1800764857-618527768-3219183873-1006\Software\Registry Cleaner\Registry Cleaner\4.0\Settings --> prevAH detected: Trace.Registry.Registry Cleaner 4.0!A2
Value: HKEY_USERS\S-1-5-21-1800764857-618527768-3219183873-1006\Software\Registry Cleaner\Registry Cleaner\4.0\Settings --> prevfh detected: Trace.Registry.Registry Cleaner 4.0!A2
Value: HKEY_USERS\S-1-5-21-1800764857-618527768-3219183873-1006\Software\Registry Cleaner\Registry Cleaner\4.0\Settings --> ProblemsFixed detected: Trace.Registry.Registry Cleaner 4.0!A2
Value: HKEY_USERS\S-1-5-21-1800764857-618527768-3219183873-1006\Software\Registry Cleaner\Registry Cleaner\4.0\Settings --> ShowNagScreen detected: Trace.Registry.Registry Cleaner 4.0!A2
Value: HKEY_USERS\S-1-5-21-1800764857-618527768-3219183873-1006\Software\Registry Cleaner\Registry Cleaner\4.0\Settings --> TrialPath detected: Trace.Registry.Registry Cleaner 4.0!A2
c:\windows\system32\dartsock.dll detected: Trace.File.SpyPc 8.0!A2
Value: HKEY_CLASSES_ROOT\CLSID\{0C1F87AE-AE62-11D3-911C-00105A17B608}\InprocServer32 --> ThreadingModel detected: Trace.Registry.SpyPc 8.0!A2
Value: HKEY_CLASSES_ROOT\CLSID\{371D0743-7A57-11D2-AD5A-00105A17B608}\InprocServer32 --> ThreadingModel detected: Trace.Registry.SpyPc 8.0!A2
Value: HKEY_CLASSES_ROOT\CLSID\{4F99A075-5227-11D2-AD06-00105A17B608}\InprocServer32 --> ThreadingModel detected: Trace.Registry.SpyPc 8.0!A2
Value: HKEY_CLASSES_ROOT\CLSID\{B22FE43C-D1E8-432A-A862-9F83D5F04732}\InprocServer32 --> ThreadingModel detected: Trace.Registry.SpyPc 8.0!A2
Value: HKEY_CLASSES_ROOT\CLSID\{CA4FC24B-C65C-11D1-AA6F-000000000000}\InprocServer32 --> ThreadingModel detected: Trace.Registry.SpyPc 8.0!A2
Value: HKEY_CLASSES_ROOT\CLSID\{DDD136CE-517B-11D2-AD03-00105A17B608}\InprocServer32 --> ThreadingModel detected: Trace.Registry.SpyPc 8.0!A2
Value: HKEY_CLASSES_ROOT\CLSID\{E9D55102-9683-11D2-BA68-0040053687FE}\InprocServer32 --> ThreadingModel detected: Trace.Registry.SpyPc 8.0!A2
Value: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{0C1F87AE-AE62-11D3-911C-00105A17B608}\InprocServer32 --> ThreadingModel detected: Trace.Registry.SpyPc 8.0!A2
Value: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{371D0743-7A57-11D2-AD5A-00105A17B608}\InprocServer32 --> ThreadingModel detected: Trace.Registry.SpyPc 8.0!A2
Value: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{4F99A075-5227-11D2-AD06-00105A17B608}\InprocServer32 --> ThreadingModel detected: Trace.Registry.SpyPc 8.0!A2
Value: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{B22FE43C-D1E8-432A-A862-9F83D5F04732}\InprocServer32 --> ThreadingModel detected: Trace.Registry.SpyPc 8.0!A2
Value: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{CA4FC24B-C65C-11D1-AA6F-000000000000}\InprocServer32 --> ThreadingModel detected: Trace.Registry.SpyPc 8.0!A2
Value: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{DDD136CE-517B-11D2-AD03-00105A17B608}\InprocServer32 --> ThreadingModel detected: Trace.Registry.SpyPc 8.0!A2
Value: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{E9D55102-9683-11D2-BA68-0040053687FE}\InprocServer32 --> ThreadingModel detected: Trace.Registry.SpyPc 8.0!A2
c:\windows\gatorhdplugin.log detected: Trace.File.Claria.CommonComponents!A2
c:\windows\gatorpatch.log detected: Trace.File.Claria.CommonComponents!A2
c:\windows\gatorpdpsetup.log detected: Trace.File.Claria.CommonComponents!A2
c:\windows\gatorsetup.log detected: Trace.File.Claria.CommonComponents!A2
c:\windows\gatoruninstaller_gator.log detected: Trace.File.Claria.CommonComponents!A2
c:\windows\gatoruninstaller_gator_u.log detected: Trace.File.Claria.CommonComponents!A2
c:\windows\gatorgainplugin.log detected: Trace.File.Claria.ewallet!A2
c:\windows\gatorgaininstaller.log detected: Trace.File.Claria.GotSmiley!A2
c:\windows\downloaded program files\hotbar.inf detected: Trace.File.HotBar!A2
Key: HKEY_CLASSES_ROOT\interface\{0f2a4adc-dabf-4980-8db4-19f67d7b1f95} detected: Trace.Registry.2ndThought!A2
Key: HKEY_CLASSES_ROOT\clsid\{21ffb6c0-0da1-11d5-a9d5-00500413153c} detected: Trace.Registry.Claria.CommonComponents!A2
Key: HKEY_USERS\S-1-5-21-1800764857-618527768-3219183873-1006\software\gator.com detected: Trace.Registry.Claria.CommonComponents!A2
Key: HKEY_LOCAL_MACHINE\software\classes\clsid\{21ffb6c0-0da1-11d5-a9d5-00500413153c} detected: Trace.Registry.Claria.CommonComponents!A2
Value: HKEY_LOCAL_MACHINE\software\classes\clsid\{21ffb6c0-0da1-11d5-a9d5-00500413153c} --> gef detected: Trace.Registry.Claria.CommonComponents!A2
Value: HKEY_LOCAL_MACHINE\software\classes\clsid\{21ffb6c0-0da1-11d5-a9d5-00500413153c} --> gmg detected: Trace.Registry.Claria.CommonComponents!A2
Value: HKEY_LOCAL_MACHINE\software\classes\clsid\{21ffb6c0-0da1-11d5-a9d5-00500413153c} --> gmi detected: Trace.Registry.Claria.CommonComponents!A2
Value: HKEY_LOCAL_MACHINE\software\classes\clsid\{21ffb6c0-0da1-11d5-a9d5-00500413153c} --> lastinstall detected: Trace.Registry.Claria.CommonComponents!A2
Value: HKEY_LOCAL_MACHINE\software\classes\clsid\{21ffb6c0-0da1-11d5-a9d5-00500413153c} --> sevt detected: Trace.Registry.Claria.CommonComponents!A2
Value: HKEY_LOCAL_MACHINE\software\classes\clsid\{21ffb6c0-0da1-11d5-a9d5-00500413153c} --> sih detected: Trace.Registry.Claria.CommonComponents!A2
Value: HKEY_LOCAL_MACHINE\software\classes\clsid\{21ffb6c0-0da1-11d5-a9d5-00500413153c} --> siseq detected: Trace.Registry.Claria.CommonComponents!A2
Value: HKEY_LOCAL_MACHINE\software\classes\clsid\{21ffb6c0-0da1-11d5-a9d5-00500413153c} --> sseq detected: Trace.Registry.Claria.CommonComponents!A2
Value: HKEY_LOCAL_MACHINE\software\classes\clsid\{21ffb6c0-0da1-11d5-a9d5-00500413153c} --> uets detected: Trace.Registry.Claria.CommonComponents!A2
Key: HKEY_LOCAL_MACHINE\software\gator.com detected: Trace.Registry.Claria.CommonComponents!A2
Key: HKEY_USERS\S-1-5-21-1800764857-618527768-3219183873-1006\software\gator.com\websecurealert\general detected: Trace.Registry.Claria.WebSecureAlert!A2
Key: HKEY_USERS\S-1-5-21-1800764857-618527768-3219183873-1006\software\gator.com\websecurealert\homepageprotection detected: Trace.Registry.Claria.WebSecureAlert!A2
Key: HKEY_USERS\S-1-5-21-1800764857-618527768-3219183873-1006\software\gator.com\websecurealert\monitoring\settings detected: Trace.Registry.Claria.WebSecureAlert!A2
Key: HKEY_USERS\S-1-5-21-1800764857-618527768-3219183873-1006\software\gator.com\websecurealert\monitoring\snapshot\general detected: Trace.Registry.Claria.WebSecureAlert!A2
Key: HKEY_USERS\S-1-5-21-1800764857-618527768-3219183873-1006\software\gator.com\websecurealert\monitoring\snapshot\security\zone_1 detected: Trace.Registry.Claria.WebSecureAlert!A2
Key: HKEY_USERS\S-1-5-21-1800764857-618527768-3219183873-1006\software\gator.com\websecurealert\monitoring\snapshot\security\zone_2 detected: Trace.Registry.Claria.WebSecureAlert!A2
Key: HKEY_USERS\S-1-5-21-1800764857-618527768-3219183873-1006\software\gator.com\websecurealert\monitoring\snapshot\security\zone_3 detected: Trace.Registry.Claria.WebSecureAlert!A2
Key: HKEY_USERS\S-1-5-21-1800764857-618527768-3219183873-1006\software\gator.com\websecurealert\monitoring\snapshot\security\zone_4 detected: Trace.Registry.Claria.WebSecureAlert!A2
Key: HKEY_USERS\S-1-5-21-1800764857-618527768-3219183873-1006\software\gator.com\websecurealert\monitoring\snapshot\security detected: Trace.Registry.Claria.WebSecureAlert!A2
Key: HKEY_USERS\S-1-5-21-1800764857-618527768-3219183873-1006\software\gator.com\websecurealert\monitoring\snapshot detected: Trace.Registry.Claria.WebSecureAlert!A2
Key: HKEY_USERS\S-1-5-21-1800764857-618527768-3219183873-1006\software\gator.com\websecurealert\monitoring detected: Trace.Registry.Claria.WebSecureAlert!A2
Key: HKEY_USERS\S-1-5-21-1800764857-618527768-3219183873-1006\software\gator.com\websecurealert detected: Trace.Registry.Claria.WebSecureAlert!A2
Key: HKEY_LOCAL_MACHINE\software\gator.com\appinfo\websecurealert detected: Trace.Registry.Claria.WebSecureAlert!A2
Key: HKEY_LOCAL_MACHINE\software\gator.com\gator\dyn\gch detected: Trace.Registry.Claria.WebSecureAlert!A2
Key: HKEY_LOCAL_MACHINE\software\gator.com\gator detected: Trace.Registry.Claria.WebSecureAlert!A2
Key: HKEY_LOCAL_MACHINE\software\gator.com\websecurealert\autoupdate detected: Trace.Registry.Claria.WebSecureAlert!A2
Key: HKEY_LOCAL_MACHINE\software\gator.com\websecurealert detected: Trace.Registry.Claria.WebSecureAlert!A2
Value: HKEY_LOCAL_MACHINE\SOFTWARE\Gator.com\Gator\stat --> Guid detected: Trace.Registry.Gator.com Trickler!A2
Key: HKEY_LOCAL_MACHINE\software\gator.com\cmeii detected: Trace.Registry.Gator!A2
Key: HKEY_LOCAL_MACHINE\software\gator.com\gator\dyn detected: Trace.Registry.Gator!A2
Value: HKEY_USERS\S-1-5-21-1800764857-618527768-3219183873-1006\software\microsoft\internet explorer\toolbar\shellbrowser --> {b195b3b3-8a05-11d3-97a4-0004aca6948e} detected: Trace.Registry.HotBar!A2
Key: HKEY_CLASSES_ROOT\interface\{205ff73a-ca67-11d5-99dd-444553540013} detected: Trace.Registry.MediaTickets!A2
C:\Documents and Settings\Mikey\Cookies\mikey@advertising[1].txt detected: Trace.TrackingCookie.advertising!A2
C:\Documents and Settings\Mikey\Cookies\mikey@atdmt[2].txt detected: Trace.TrackingCookie.atdmt!A2
C:\Documents and Settings\Mikey\Cookies\mikey@casalemedia[2].txt detected: Trace.TrackingCookie.casalemedia!A2
C:\Documents and Settings\Mikey\Cookies\mikey@com[1].txt detected: Trace.TrackingCookie.com!A2
C:\Documents and Settings\Mikey\Cookies\mikey@counter[1].txt detected: Trace.TrackingCookie.count!A2
C:\Documents and Settings\Mikey\Cookies\mikey@data.coremetrics[1].txt detected: Trace.TrackingCookie.data.coremetrics!A2
C:\Documents and Settings\Mikey\Cookies\mikey@doubleclick[1].txt detected: Trace.TrackingCookie.doubleclick!A2
C:\Documents and Settings\Mikey\Cookies\mikey@fastclick[1].txt detected: Trace.TrackingCookie.fastclick!A2
C:\Documents and Settings\Mikey\Cookies\mikey@media.adrevolver[1].txt detected: Trace.TrackingCookie.media!A2
C:\Documents and Settings\Mikey\Cookies\mikey@mediaplex[2].txt detected: Trace.TrackingCookie.media!A2
C:\Documents and Settings\Mikey\Cookies\mikey@realmedia[1].txt detected: Trace.TrackingCookie.realmedia!A2
C:\Documents and Settings\Mikey\Cookies\mikey@statse.webtrendslive[2].txt detected: Trace.TrackingCookie.statse.webtrendslive!A2
C:\Documents and Settings\Mikey\Cookies\mikey@tribalfusion[1].txt detected: Trace.TrackingCookie.tribalfusion!A2
C:\Documents and Settings\Mikey\Cookies\mikey@zedo[1].txt detected: Trace.TrackingCookie.zedo!A2
C:\Documents and Settings\Mikey\My Documents\ACT\Ccregmod.exe detected: Virus.Win32.Tolone!IK
C:\Program Files\SoftwareOnline\soproc.exe detected: Riskware.AdWare.Mywebsearch!IK
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP1716\A0132784.dll detected: Virus.Win32.Monder!IK
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP1716\A0132786.dll detected: Trojan.Win32.Stuh!IK
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP1716\A0132787.dll detected: Trojan.Win32.Stuh!IK
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP1716\A0132788.dll detected: Trojan.Win32.Vundo!IK
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP1716\A0132789.dll detected: Virus.Win32.Monder!IK
C:\WINDOWS\SYSTEM32\ActiveScan\imscan.dll detected: Virus.Win32.Kuang2!IK
C:\WINDOWS\SYSTEM32\pahekuve.dll detected: Trojan.Win32.Vundo!IK
C:\WINDOWS\SYSTEM32\tkpkix.dll detected: Trojan.Win32.Vundo!IK
C:\WINDOWS\SYSTEM32\viheheji.dll detected: Packed.Win32.Mondera!IK
C:\WINDOWS\SYSTEM32\Xcite2.exe detected: AdWare.F1Organizer!IK

Scanned

Files: 182994
Traces: 626620
Cookies: 201
Processes: 43

Found

Files: 12
Traces: 91
Cookies: 15
Processes: 0
Registry keys: 0

Scan end: 23/03/2009 2:06:46 PM
Scan time: 1:35:34

C:\WINDOWS\SYSTEM32\Xcite2.exe Deleted AdWare.F1Organizer!IK
C:\WINDOWS\SYSTEM32\viheheji.dll Deleted Packed.Win32.Mondera!IK
C:\WINDOWS\SYSTEM32\ActiveScan\imscan.dll Deleted Virus.Win32.Kuang2!IK
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP1716\A0132788.dll Deleted Trojan.Win32.Vundo!IK
C:\WINDOWS\SYSTEM32\pahekuve.dll Deleted Trojan.Win32.Vundo!IK
C:\WINDOWS\SYSTEM32\tkpkix.dll Deleted Trojan.Win32.Vundo!IK
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP1716\A0132786.dll Deleted Trojan.Win32.Stuh!IK
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP1716\A0132787.dll Deleted Trojan.Win32.Stuh!IK
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP1716\A0132784.dll Deleted Virus.Win32.Monder!IK
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP1716\A0132789.dll Deleted Virus.Win32.Monder!IK
C:\Documents and Settings\Mikey\My Documents\ACT\Ccregmod.exe Deleted Virus.Win32.Tolone!IK

Deleted

Files: 11
Traces: 0
Cookies: 0

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 2:11:49 PM, on 23/03/2009
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP3 (6.00.2900.5512)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\AskBarDis\bar\bin\AskService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\WINDOWS\System32\CTsvcCDA.EXE
c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\MsPMSPSv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\WINDOWS\SM1BG.EXE
C:\Program Files\Roxio\Easy Media Creator 7\Drag to Disc\DrgToDsc.exe
C:\Program Files\Multimedia Card Reader\shwicon2k.exe
C:\Program Files\QuickTime\QTTask.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
C:\Program Files\Common Files\Real\Update_OB\RealOneMessageCenter.exe
C:\Program Files\Microsoft ActiveSync\WCESCOMM.EXE
C:\Program Files\Logitech\MouseWare\system\em_exec.exe
C:\Program Files\Digital Line Detect\DLG.exe
C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
C:\Program Files\Logitech\SetPoint\KEM.exe
C:\Program Files\Logitech\SetPoint\KHALMNPR.EXE
C:\Program Files\HP\Digital Imaging\bin\hpqimzone.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\HP\Digital Imaging\bin\hpqSTE08.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\a-squared Anti-Malware\a2service.exe
C:\Program Files\a-squared Free\a2service.exe
C:\Documents and Settings\Mikey\Desktop\HiJackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dellnet.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.theanimalrescuesite.com/clickTo...hankyou_sitenav
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dellnet.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://toolbar.ask.com/toolbarv/askRedirec...amp;gc=1&q=
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://red.clientapps.yahoo.com/customize/...rch/search.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Search,Default_Search_URL = http://toolbar.ask.com/toolbarv/askRedirec...amp;gc=1&q=
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://toolbar.ask.com/toolbarv/askRedirec...p;gc=1&q=%s
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.dellnet.com/
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1;http://localhost;*.local
R3 - URLSearchHook: DefaultSearchHook Class - {C94E154B-1459-4A47-966B-4B843BEFC7DB} - C:\Program Files\AskSearch\bin\DefaultSearch.dll
F2 - REG:system.ini: UserInit=C:\WINDOWS\System32\Userinit.exe
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: AskBar BHO - {201f27d4-3704-41d6-89c1-aa35e39143ed} - C:\Program Files\AskBarDis\bar\bin\askBar.dll
O2 - BHO: (no name) - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - (no file)
O2 - BHO: scriptproxy - {7DB2D5A0-7241-4E79-B68D-6309F01C5231} - c:\PROGRA~1\mcafee\VIRUSS~1\scriptsn.dll
O3 - Toolbar: Ask Toolbar - {3041d03e-fd4b-44e0-b742-2d9b88305f98} - C:\Program Files\AskBarDis\bar\bin\askBar.dll
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [SM1BG] C:\WINDOWS\SM1BG.EXE
O4 - HKLM\..\Run: [RoxioDragToDisc] "C:\Program Files\Roxio\Easy Media Creator 7\Drag to Disc\DrgToDsc.exe"
O4 - HKLM\..\Run: [Logitech Utility] Logi_MwX.Exe
O4 - HKLM\..\Run: [Adobe Photo Downloader] "C:\Program Files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe"
O4 - HKLM\..\Run: [Sunkist2k] C:\Program Files\Multimedia Card Reader\shwicon2k.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
O4 - HKLM\..\Run: [MsgCenterExe] "C:\Program Files\Common Files\Real\Update_OB\RealOneMessageCenter.exe" -osboot
O4 - HKLM\..\Run: [a-squared] "C:\Program Files\a-squared Anti-Malware\a2guard.exe"
O4 - HKCU\..\Run: [H/PC Connection Agent] "C:\Program Files\Microsoft ActiveSync\WCESCOMM.EXE"
O4 - HKUS\S-1-5-19\..\Run: [yuparumasa] Rundll32.exe "C:\WINDOWS\system32\wuhomuro.dll",s (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [yuparumasa] Rundll32.exe "C:\WINDOWS\system32\wuhomuro.dll",s (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [MSMSGS] "C:\Program Files\Messenger\MSMSGS.EXE" /background (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [MSMSGS] "C:\Program Files\Messenger\MSMSGS.EXE" /background (User 'Default user')
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Digital Line Detect.lnk = ?
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
O4 - Global Startup: HP Photosmart Premier Fast Start.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqthb08.exe
O4 - Global Startup: Logitech SetPoint.lnk = C:\Program Files\Logitech\SetPoint\KEM.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Yahoo! &SMS - file:///C:\Program Files\Yahoo!\Common/ycsms.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll
O9 - Extra button: Create Mobile Favorite - {2EAF5BB1-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MICROS~4\inetrepl.dll
O9 - Extra button: (no name) - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MICROS~4\inetrepl.dll
O9 - Extra 'Tools' menuitem: Create Mobile Favorite... - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MICROS~4\inetrepl.dll
O9 - Extra button: Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\WINDOWS\System32\shdocvw.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O15 - Trusted Zone: http://*.mcafee.com
O16 - DPF: {05CA9FB0-3E3E-4B36-BF41-0E3A5CAA8CD8} (Office Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=58813
O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} -
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdat...b?1231263526109
O16 - DPF: {BCC0FF27-31D9-4614-A68E-C18E1ADA4389} - http://bin.mcafee.com/molbin/shared/mcgdmg...,16/mcgdmgr.cab
O20 - AppInit_DLLs: xaxzfa.dll
O23 - Service: a-squared Anti-Malware Service (a2AntiMalware) - Emsi Software GmbH - C:\Program Files\a-squared Anti-Malware\a2service.exe
O23 - Service: a-squared Free Service (a2free) - Emsi Software GmbH - C:\Program Files\a-squared Free\a2service.exe
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: ASKService - Unknown owner - C:\Program Files\AskBarDis\bar\bin\AskService.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\System32\CTsvcCDA.EXE
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: McAfee Scanner (McODS) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcods.exe
O23 - Service: McAfee Proxy Service (McProxy) - McAfee, Inc. - c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
O23 - Service: McAfee Real-time Scanner (McShield) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe
O23 - Service: McAfee SystemGuards (McSysmon) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe
O23 - Service: Pml Driver HPH11 - HP - C:\WINDOWS\System32\HPHipm11.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\System32\HPZipm12.exe

--
End of file - 9621 bytes
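As an added illustration that is not part of this thread, of HijackThis or of a-squared, the script below parses the O4, O20 and O23 lines of a HijackThis v2.0.2 log laid out like the one above and flags the entries a responder reads first (AppInit_DLLs, Run entries that launch a DLL through rundll32, services with no recorded vendor); the sample lines are copied in form from the posted log and the flagging rules are my own assumptions, not the tool's.

```python
"""Triage helper for HijackThis log lines.

Added example for this thread, not code from HijackThis, a-squared or the
forum. It parses the O4 (Run keys), O20 (AppInit_DLLs) and O23 (services)
lines from a HijackThis v2.0.2 log and flags the entries a responder reads
first: DLLs registered in AppInit_DLLs, Run entries that launch a DLL through
rundll32 (above all under the service-account hives S-1-5-18/19/20), and
services with no recorded vendor. The rules are assumptions for illustration.
"""
import re
from dataclasses import dataclass

# Constructed sample: six lines copied in form from the log posted above.
SAMPLE_LOG = r"""
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKUS\S-1-5-19\..\Run: [yuparumasa] Rundll32.exe "C:\WINDOWS\system32\wuhomuro.dll",s (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [MSMSGS] "C:\Program Files\Messenger\MSMSGS.EXE" /background (User 'SYSTEM')
O20 - AppInit_DLLs: xaxzfa.dll
O23 - Service: ASKService - Unknown owner - C:\Program Files\AskBarDis\bar\bin\AskService.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
"""

O4_RE = re.compile(r"^O4 - (?P<hive>.+?)\\\.\.\\Run: \[(?P<name>[^\]]*)\] (?P<cmd>.*)$")
O20_RE = re.compile(r"^O20 - AppInit_DLLs: (?P<dlls>.*)$")
O23_RE = re.compile(r"^O23 - Service: (?P<name>.+?) - (?P<owner>.+?) - (?P<path>.+)$")
# rundll32 <dll>,<export>: the DLL may be quoted; stop at the comma or quote.
RUNDLL_RE = re.compile(r'rundll32(?:\.exe)?\s+"?(?P<dll>[^",]+\.dll)', re.IGNORECASE)
SERVICE_HIVES = ("HKUS\\S-1-5-18", "HKUS\\S-1-5-19", "HKUS\\S-1-5-20")


@dataclass
class Finding:
    section: str   # HijackThis section tag, e.g. "O20"
    severity: str  # "high" = look at this first, "review" = needs a vendor check
    item: str      # DLL path, DLL name or service name
    reason: str


def triage_line(line: str) -> list:
    """Return the findings for one HijackThis log line (usually zero or one)."""
    line = line.rstrip()
    m = O20_RE.match(line)
    if m:
        # AppInit_DLLs is space- or comma-separated; every listed DLL is loaded
        # into each process that maps user32.dll, so each one is reported.
        dlls = [d for d in re.split(r"[ ,]+", m.group("dlls")) if d]
        return [Finding("O20", "high", d, "loaded into every user32 process via AppInit_DLLs")
                for d in dlls]
    m = O4_RE.match(line)
    if m:
        r = RUNDLL_RE.search(m.group("cmd"))
        if not r:
            return []
        hive = m.group("hive")
        where = ("service-account hive " if hive.upper().startswith(SERVICE_HIVES) else "hive ") + hive
        return [Finding("O4", "high", r.group("dll"),
                        f"[{m.group('name')}] starts a DLL through rundll32 from {where}")]
    m = O23_RE.match(line)
    if m and m.group("owner") == "Unknown owner":
        return [Finding("O23", "review", m.group("name"),
                        f"service binary {m.group('path')} has no recorded vendor")]
    return []


def triage(log_text: str) -> list:
    """Run triage_line over a whole log, keeping the log's order."""
    findings = []
    for line in log_text.splitlines():
        findings.extend(triage_line(line))
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"{f.section} {f.severity:6} {f.item}: {f.reason}")
```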

#13 suebaby41
    W.A.M. (Women Against Malware)
  • Malware Response Team
  • 6,248 posts
  • Gender:Female
  • Location:South Carolina, USA

Posted 23 March 2009 - 05:35 PM

Step 1

Please download ComboFix.
Alternate Link 1
Alternate Link 2

* IMPORTANT !!! Save ComboFix.exe to your Desktop.
  • Double click on ComboFix and follow the prompts.
  • As part of its process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it is strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.
  • Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.
  • **Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue its malware removal procedures.
  • After the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:

    The Recovery Console was successfully installed. Click 'Yes' to continue scanning for malware.
    Click 'No' to exit.

  • Click Yes, to continue scanning for malware.
  • When finished, it will produce a log for you. Please include the C:\ComboFix.txt in your next reply.
  • Notes:
  • Do not mouse-click Combofix's window while it is running. That may cause it to stall.
  • ComboFix may reset a number of Internet Explorer's settings, including making IE the default browser.
  • ComboFix prevents autorun of ALL CD, floppy and USB devices to assist with malware removal and increase security. If this is an issue or makes it difficult for you -- please tell me.
  • ComboFix disconnects your machine from the Internet. The connection is automatically restored before ComboFix completes its run. If ComboFix runs into difficulty and terminates prematurely, the connection can be manually restored by restarting your machine.
Please post:
  • C:\ComboFix.txt (the log from ComboFix)
Step 2

You may want to print this page. Make sure to work through the fixes in the order they are mentioned below. If there's anything that you don't understand, ask your question(s) before proceeding with the fixes.

Step 3

Ensure that you have the latest version of Adobe® Reader®. If you do not have the latest version, you may want to download the latest version, Adobe® Reader® 9.

Step 4

Let’s run ATF-Cleaner to ensure no malware is hiding in temporary folders and for general computer cleanup to free space on your computer.
  • Please download the ATF-Cleaner by Atribune.
  • Double-click ATF-Cleaner.exe to run the program.
  • Check the boxes to the left of:
    • Windows Temp
    • Current User Temp
    • All Users Temp
    • Temporary Internet Files
    • Prefetch (Windows XP) only
    • Java Cache
  • The rest are optional - if you want to remove them all, check Select All.
  • Click the Empty Selected button.
  • When you get the Done Cleaning message, click OK.
  • Follow the same steps for Firefox or Opera. You have the option of checking No if you want to save your passwords.
  • Click Exit on the Main menu to close the program.
Step 5

In Normal Mode, run an online malware check from at least two and preferably three (one may catch something that another one may not) of the following sites:
BitDefender
Computer Associates Online Virus Scan
Kaspersky Online Virus Scanner
McAfee FreeScan
Panda's ActiveScan
Trend Micro™ HouseCall
Windows Live Safety Center Free Online Scan
WindowSecurity.com TrojanScan
When you have completed the scans, if you get a report of files that cannot be cleaned / deleted, make a note of the file location of anything that cannot be cleaned / deleted. Please edit the log(s) and remove:
  • items listed as "Object is locked skipped"
  • items reported that are in a quarantine folder
Please post the edited list in your next reply.

Step 6

Please download Spybot-S&D©® and install Spybot-S&D©®.
  • Be sure to UNCHECK TeaTimer when presented with the option to install. You can enable it after you are clean.
  • Run Spybot-S&D©®, go to the Menu Bar at the top, choose Mode and make certain that "Default mode" has a check mark beside it.
  • Click the button "Search for Updates".
  • If any updates are found, install them by placing a check mark next to each one and clicking "Download Updates".
  • If you encounter any error messages while downloading the updates, manually download them from here.
  • Click on "Immunize". When it detects what has or has not been blocked, block all remaining items by clicking the green plus sign next to immunize at the top.
  • Click the button "Check for Problems".
  • When Spybot-S&D©® is complete, it will be showing RED entries, bold BLACK entries and GREEN entries in the window.
  • Make certain there is a check mark beside all of the RED entries ONLY.
  • Choose "Fix Selected Problems" and allow Spybot-S&D©® to fix the RED entries.
  • REBOOT to complete the scan and clear memory.
Note: After Windows loads, Spybot-S&D©® may run again to clean some files that it could not clean during the prior session. Follow the same procedure.

Step 7
  • Please download Ad-Aware 2008 Free to your desktop. The Ad-Aware 2008 Free installation file will be aaw2008.msi or aaw2008.exe.
  • Double-click the file and follow the on-screen instructions in the Installation Wizard to install.
  • When the Please Enter Your License Information screen appears, click Cancel and Ad-Aware 2008 Free will be installed.
  • When the Ad-Aware 2008 Has Been Successfully Installed Screen appears, click Finish to complete the installation and to launch Ad-Aware 2008 Free.
  • The Status screen will appear. You will see four sections.
    • System Protection Status section where you will see Real Time Protection with a check in the Off dialog box and Automatic Updates with a check in the On dialog box.
    • Update Status section
    • System Scan section
    • License Status section where you will see that the Type: will be Free Edition and License Expires in: Never.
  • In the list on the left of the screen, click Scan. You will be given a choice of Smart Scan, Full Scan, and Custom Scan. (Scheduler on the right of the screen is only available in Ad-Aware 2008 Plus and Ad-Aware Pro.)
  • In the list on the left of the screen, click Settings > Scanning tab. Use the default settings unless you see some changes that you want to make.
  • In the list on the left of the screen, click Status. In the System Scan section, click Scan Now.
  • When the scan finishes, the Critical Objects tab window appears.
  • Under Scan Results, you will see the list of Critical Objects that Ad-Aware 2008 Free found. You are given three choices, Add to ignore, Quarantine, Remove, and System Restore. You may choose to create a System Restore Point prior to removing any objects that you are unsure of removing or after a scan when you know the system is clean. If Critical Objects are found, select all objects found (right click anywhere in the list of found objects and click "Select All Objects").
  • Click Remove.
  • If no Critical Objects are found, click the Privacy Objects tab.
  • If there are Privacy Objects listed, select all objects found (right click anywhere in the list of found objects and click "Select All Objects"). Select Add to ignore or Remove.
  • Click Remove.
  • If no Privacy Objects are found, click the Log File tab to see the statistics of the Ad-Aware 2008 Free scan.
  • Click Finish.
  • The next screen shows you the Scan Summary in the left panel and System Restore in the right panel.
    • You may choose to create a System Restore Point prior to removing any objects that you are unsure of removing or after a scan when you know the system is clean. If you choose to create a System Restore Point, click Set.
    • You may want to export the results Click Export and save the log on your computer .
    • Click Scan Again to repeat the scan.
  • You will be returned to the Status screen. Click on the X in the upper right corner to exit Ad-Aware 2008 Free.
Step 8

I recommend using Spyware Blaster.
  • Please download SpywareBlaster and save it to your desktop.
  • Double click on it to install the program.
  • Follow the prompts and choose the default locations when installing the program.
  • When the program is installed, it will place an icon on your desktop.
  • Double click on the SpywareBlaster icon and you will be presented with a brief tutorial. On the first page of this tutorial, you will see some of the SpywareBlaster features.
  • Click on the Next button to proceed to the second page of the tutorial.
  • If you want to purchase the software, then you should select Automatic Updating. If you do not plan on purchasing the software, then you should select the option for Manual Updating. Press the Next button.
  • At the next screen, click Finish.
  • At the next screen, Protection Status, click Enable All Protection.
  • Click Download Latest Protection Updates. This will ensure that SpywareBlaster has the latest definitions so that it can protect your browser more efficiently. You should update SpywareBlaster regularly, as much as every few days, in order to provide the best protection. Each time you update, be sure to click Enable All Protection.
Step 9
  • Please download SUPERAntiSpyware (SAS) - SUPERAntiSpyware Free Version For Home Users
  • Install it and double-click the icon on your desktop to run it.
  • It will ask if you want to update the program definitions, click Yes.
  • Under Configuration and Preferences, click the Preferences button.
  • Click the Scanning Control tab.
  • Under Scanner Options, make sure the following are checked:
    • Close browsers before scanning.
    • Scan for tracking cookies.
    • Terminate memory threats before quarantining.
    • Please leave the others unchecked.
  • Click the Close button to leave the control center screen.
  • On the main screen, under Scan for Harmful Software, click Scan your computer.
  • On the left, check C:\Fixed Drive.
  • On the right, under Complete Scan, choose Perform Complete Scan.
  • Click Next to start the scan. Please be patient while it scans your computer.
  • After the scan is complete, a summary box will appear. Click OK.
  • Make sure everything in the white box has a check next to it, then click Next.
  • It will quarantine what it found and if it asks if you want to reboot, click Yes.
  • To retrieve the removal information, please do the following:
    • After reboot, double-click the SUPERAntispyware icon on your desktop.
    • Click Preferences. Click the Statistics/Logs tab.
    • Under Scanner Logs, double-click SUPERAntiSpyware Scan Log.
    • It will open in your default text editor (such as Notepad/Wordpad).
    • Please highlight everything in the notepad, then right-click and choose Copy.
    • Click Close and Close again to exit the program.
  • Please post that information with a new HijackThis log.
Step 10

Check your computer with anti-rootkit applications. I recommend avast! antirootkit or Trend Micro RootkitBuster.

Step 11

Check to see if you have insecure applications with Secunia Software Inspector.

Step 12
  • According to your Internet connection, please disconnect from the Internet. Close ALL browser windows (including this one).
    • Physically remove the cable for your broadband Internet service “Always On” Connection from your computer.
    • Turn your modem off.
    • Disconnect your modem cable from your computer.
  • Turn the device off for Hand-held wireless connections.
  • Exit all processes and items in your System tray.
Step 13

During the process of removing malware from your computer, there are times you may need to use specialized fix tools. Certain embedded files that are part of these specialized fix tools may be detected by your antivirus or anti-malware scanner as a RiskTool, Hacking tool, Potentially unwanted tool, a virus or a Trojan when that is not the case.
These tools have been carefully created and tested by security experts so if your antivirus or anti-malware program flags them as malware, then it is a False Positive. Antivirus scanners cannot distinguish between good and malicious use of such programs; therefore, they may alert you or even automatically remove them. In these cases, the removal of these files can have unpredictable results and unintentional results.
To avoid any problems while using a specialized fix tool, it is very important that you temporarily disable your antivirus and/or anti-malware programs before using the specialized fix tool.
When your system has been cleaned, it is important that you enable your security programs to avoid reinfection.
Please disable the following program(s):

SUPERAntiSpyware

We need to disable SUPERAntiSpyware as it may interfere with the fixes that we need to make.
  • Right click on the icon in your System Tray.
  • Click Exit
  • Make sure that the program, SUPERAntiSpyware itself, is also closed/not running.
Step 14

askBar.dll (Ask Toolbar) process can be removed to free up resources without compromising system performance. http://vil.nai.com/vil/content/v_146646.htm

This software is not a virus or a Trojan. It is detected as a "potentially unwanted program" (PUP). PUPs are any piece of software that a reasonably security- or privacy-minded computer user may want to be informed of and, in some cases, remove. PUPs are often made by a legitimate corporate entity for some beneficial purpose, but they alter the security state of the computer on which they are installed, or the privacy posture of the user of the system, such that most users will want to be aware of them.

It is advised that you uninstall this program to protect your privacy and computer security and to free up necessary resources. To uninstall the Ask Toolbar:
  • Click Start > Control Panel.
  • In Control Panel, double-click Add or Remove Programs.
  • In Add or Remove Programs, highlight Ask Toolbar, click Remove.
  • Close the Add or Remove Programs and the Control Panel windows.
  • Using Windows Explorer (Windows key+e), search for the Ask Toolbar folder. If the program folder is still there, select/highlight the Ask Toolbar folder. DELETE it. (File > Delete.) If Windows is not installed on the C drive, replace C:\ with the appropriate drive letter.
  • Close Windows Explorer.
There is a Video showing how to uninstall a program (Grinler) detailing how to add or remove programs in Windows for those who find a visual aid appealing. Many users have reported this process slows their boot time. It may be worthwhile to fix it with HijackThis. Item(s) to fix in HijackThis:

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://toolbar.ask.com/toolbarv/askRedirec...amp;gc=1&q=
R1 - HKLM\Software\Microsoft\Internet Explorer\Search,Default_Search_URL = http://toolbar.ask.com/toolbarv/askRedirec...amp;gc=1&q=
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://toolbar.ask.com/toolbarv/askRedirec...p;gc=1&q=%s
R3 - URLSearchHook: DefaultSearchHook Class - {C94E154B-1459-4A47-966B-4B843BEFC7DB} - C:\Program Files\AskSearch\bin\DefaultSearch.dll
O2 - BHO: AskBar BHO - {201f27d4-3704-41d6-89c1-aa35e39143ed} - C:\Program Files\AskBarDis\bar\bin\askBar.dll
O3 - Toolbar: Ask Toolbar - {3041d03e-fd4b-44e0-b742-2d9b88305f98} - C:\Program Files\AskBarDis\bar\bin\askBar.dll
O23 - Service: ASKService - Unknown owner - C:\Program Files\AskBarDis\bar\bin\AskService.exe


Step 15

Boot into Safe Mode using instructions in previous post.

Step 16

NOTE: To avoid the risk of any of the files or folders not being found due to their having the Hidden attribute, go to My Computer (Windows key+e).
  • Click Tools > Folder Options > View.
  • Under Advanced Settings > Files and Folders > Hidden files and folders, first make sure that Show hidden files and folders has a dot in the circle before it which indicates that hidden files and folders are visible.
Step 17

Still in Safe Mode, please run HijackThis and click Scan. Place checks next to the following entries (make sure not to miss any):

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://red.clientapps.yahoo.com/customize/...rch/search.html
O2 - BHO: (no name) - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - (no file)
O4 - HKUS\S-1-5-19\..\Run: [yuparumasa] Rundll32.exe "C:\WINDOWS\system32\wuhomuro.dll",s (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [yuparumasa] Rundll32.exe "C:\WINDOWS\system32\wuhomuro.dll",s (User 'NETWORK SERVICE')
O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} -
O20 - AppInit_DLLs: xaxzfa.dll


Close all browsers and other windows except for HijackThis, and click Fix Checked to have HijackThis fix the entries you checked.

Step 18

Still in Safe Mode, use Windows Explorer (My Computer (Windows key+e)).
File/folder location is indicated by C (or the name of the drive you are using) C:\name of the folder\name of file. Search for the following files/folders and DELETE the following Folders indicated in BLUE. (Do not worry if they are not there):

C:\WINDOWS\system32\wuhomuro.dll

Step 19

Optional Fixes is the name that we use for fixes for unnecessary programs that load during startup and run in the background. These programs are not required to start automatically as you can start them manually if you need them. You would be removing the program from your startup but you would not be removing the program itself.

Your computer may be sluggish due to the many programs loading during startup and running in the background that are not necessary. Windows has a facility for starting programs at startup time. Some of these programs are required for your computer and the applications installed on it to run correctly. A good example of such a program is a virus-checking application that must always run, constantly checking for and isolating or removing files with viruses. Other such programs are not strictly required, or are optional. In some cases, you can gain significant performance enhancements by disabling the automatic startup of these programs. In many cases, the functionality offered by the programs is still available by starting the programs manually by, for example, starting the program from the Windows Start->Programs menu. Media players and instant messaging programs often fall into this category. In fact, it is common for many modern software applications, when installed, to add programs at startup that add items to the system tray or shortcut (context) menus in Windows Explorer to provide quick access to the features and functions of these applications. While they may be useful, they do increase boot time and consume system resources. It is advised that you disable these programs so that they do not take up necessary resources or slow the boot time.

Other than ScanRegistry, SystemTray, StateMgr, antivirus program entries, and firewall program entries, very few others need to load and run.

Read the articles below to see if they apply to your computer problem with being slow to respond.
Slow_Computer_Check_here_first_it_may_not_be_malware.
Help! My computer is slow!
50 Tips for a Super Fast PC
4 Ways to Speed Up Your Computer's Performance
It's not always malware: How to fix the top 10 Internet Explorer issues

If you decide that you want to stop the Optional Fixes in your startup, let me know and I will give you a list with instructions. You would be removing the program from your startup but you would not be removing the program itself.

Step 20

Please run HijackThis in Normal Mode and post:
  • the list of file names and locations for any files that cannot be cleaned / deleted that were reported after you completed the online scans.
  • the log from ComboFix
  • the log from SUPERAntiSpyware
  • a new HijackThis log
Please advise me of any problems you still have.
You don't stop laughing when you get old; you get old when you stop laughing.
A Member of U-N-I-T-E (Unified Network of Instructors and Trained Eliminators)
Malware Removal University Masters Graduate

Join The Fight Against Malware
No reply within 5 days will result in your topic being closed. If you need more time, please let me know by posting in this topic so that your topic will not be closed.
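The entries the post above tells the user to fix share a few structural tells (an orphaned BHO, Run entries under the service-account hives that load a system32 DLL through rundll32, a DPF entry with no source URL, a populated AppInit_DLLs value, a service with no known owner). As an added example that is not part of the original post or of HijackThis, here is a small Python triage pass over HijackThis-format lines; the heuristics are my own, and the sample log is constructed from the entries quoted in the post plus one benign line for contrast.

```python
import re
from dataclasses import dataclass

# Constructed sample: the HijackThis entries quoted in Steps 14 and 17 above,
# plus a benign O4 line (iTunesHelper, also present in the ComboFix log) for contrast.
SAMPLE_LOG = r"""
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://red.clientapps.yahoo.com/customize/...rch/search.html
O2 - BHO: (no name) - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - (no file)
O2 - BHO: AskBar BHO - {201f27d4-3704-41d6-89c1-aa35e39143ed} - C:\Program Files\AskBarDis\bar\bin\askBar.dll
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKUS\S-1-5-19\..\Run: [yuparumasa] Rundll32.exe "C:\WINDOWS\system32\wuhomuro.dll",s (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [yuparumasa] Rundll32.exe "C:\WINDOWS\system32\wuhomuro.dll",s (User 'NETWORK SERVICE')
O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} -
O20 - AppInit_DLLs: xaxzfa.dll
O23 - Service: ASKService - Unknown owner - C:\Program Files\AskBarDis\bar\bin\AskService.exe
"""

# "R1 - ...", "O4 - ..." etc.: section code, then the entry body.
ENTRY_RE = re.compile(r"^(?P<sec>[RFO]\d+) - (?P<body>.*)$")

# Well-known service SIDs; software that autostarts under these hives is unusual.
SERVICE_SIDS = {"S-1-5-18": "SYSTEM", "S-1-5-19": "LOCAL SERVICE", "S-1-5-20": "NETWORK SERVICE"}

# rundll32 loading a DLL out of system32 with a one- or two-character export name
# (the ",s" form seen in the entries above).
RUNDLL_RE = re.compile(
    r'rundll32(?:\.exe)?\s+"?([^"]+\\system32\\[^"\\]+\.dll)"?\s*,\s*\w{1,2}\b', re.I)


@dataclass
class Finding:
    section: str
    reason: str
    line: str


def triage(log_text):
    """Return the HijackThis entries a reviewer would want to look at, with a reason each."""
    findings = []
    for raw in log_text.splitlines():
        line = raw.strip()
        m = ENTRY_RE.match(line)
        if not m:
            continue
        sec, body = m.group("sec"), m.group("body")
        reason = None
        if sec == "O2" and body.endswith("(no file)"):
            reason = "BHO CLSID is registered but its DLL is missing (orphan of a removed component)"
        elif sec == "O4":
            sid = re.search(r"HKUS\\(S-1-5-\d+)", body)
            rd = RUNDLL_RE.search(body)
            if sid and sid.group(1) in SERVICE_SIDS:
                reason = (f"Run entry under the {SERVICE_SIDS[sid.group(1)]} hive; "
                          "legitimate software rarely autostarts there")
            if rd:
                reason = ((reason + "; ") if reason else "") + \
                    f"rundll32 loads {rd.group(1)} by a minimal export name (Vundo-style loader)"
        elif sec == "O16" and re.search(r"\{[0-9A-F-]{36}\}\s*-\s*$", body, re.I):
            reason = "Downloaded Program Files (ActiveX) entry with no source URL"
        elif sec == "O20" and body.startswith("AppInit_DLLs:") and body.split(":", 1)[1].strip():
            reason = "AppInit_DLLs is set; that DLL is injected into every process loading user32.dll"
        elif sec == "O23" and "Unknown owner" in body:
            reason = "service with no recognised publisher; verify the binary path"
        elif sec == "R1":
            reason = "browser search/start setting overridden; confirm the URL is one the user chose"
        if reason:
            findings.append(Finding(sec, reason, line))
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"{f.section}: {f.reason}\n    {f.line}")
```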

#14 APL23

APL23
  • Topic Starter

  • Members
  • 58 posts

Posted 24 March 2009 - 08:56 PM

Step 1 completed, here is the ComboFix log, I'll continue to step 2, 3, 4, etc. and post again as directed:

ComboFix 09-03-23.01 - Mikey 2009-03-24 20:45:04.1 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.510.249 [GMT -5:00]
Running from: c:\documents and settings\Mikey\Desktop\ComboFix.exe
* Created a new restore point
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\program files\INSTALL.LOG
c:\program files\SoftwareOnline
c:\program files\SoftwareOnline\soproc.exe
c:\windows\Downloaded Program Files\hotbar.inf
c:\windows\Downloaded Program Files\rave
c:\windows\Downloaded Program Files\rave\avirexe.vdm
c:\windows\Downloaded Program Files\rave\avirscr.vdm
c:\windows\Downloaded Program Files\rave\base.vdm
c:\windows\Downloaded Program Files\rave\daily.vdm
c:\windows\Downloaded Program Files\rave\daily.vdt
c:\windows\Downloaded Program Files\rave\filters.vdm
c:\windows\Downloaded Program Files\rave\kernel.vdk
c:\windows\Downloaded Program Files\rave\keyring.vdk
c:\windows\Downloaded Program Files\rave\mapi_vdm.vdm
c:\windows\Downloaded Program Files\rave\modules.vdk
c:\windows\Downloaded Program Files\rave\rav8def.vdm
c:\windows\Downloaded Program Files\rave\rufs.vdm
c:\windows\Downloaded Program Files\rave\rufsplg.vdm
c:\windows\Downloaded Program Files\rave\unarch.vdm
c:\windows\Downloaded Program Files\rave\unmail.vdm
c:\windows\Downloaded Program Files\rave\unpack.vdm
c:\windows\IE4 Error Log.txt
c:\windows\system32\drivers\fad.sys
c:\windows\system32\Sp3.dll

.
((((((((((((((((((((((((( Files Created from 2009-02-25 to 2009-03-25 )))))))))))))))))))))))))))))))
.

2009-03-23 12:25 . 2009-03-23 12:26 <DIR> d-------- c:\program files\a-squared Free
2009-03-23 12:11 . 2009-03-23 12:17 <DIR> d-------- c:\program files\a-squared Anti-Malware
2009-03-23 09:08 . 2009-03-23 09:08 <DIR> d-------- c:\program files\Malwarebytes' Anti-Malware
2009-03-23 09:08 . 2009-03-23 09:08 <DIR> d-------- c:\documents and settings\Mikey\Application Data\Malwarebytes
2009-03-23 09:08 . 2009-03-23 09:08 <DIR> d-------- c:\documents and settings\All Users\Application Data\Malwarebytes
2009-03-23 09:08 . 2009-02-11 10:19 38,496 --a------ c:\windows\SYSTEM32\DRIVERS\mbamswissarmy.sys
2009-03-23 09:08 . 2009-02-11 10:19 15,504 --a------ c:\windows\SYSTEM32\DRIVERS\mbam.sys
2009-03-21 15:27 . 2009-03-21 15:27 1,995 ---hs---- c:\windows\SYSTEM32\jobiwaje.exe
2009-03-19 13:34 . 2009-03-19 13:34 <DIR> d-------- c:\program files\Trend Micro
2009-03-18 20:15 . 2009-03-18 20:15 <DIR> d-------- C:\VundoFix Backups
2009-03-13 13:44 . 2009-03-13 13:44 1,995 ---hs---- c:\windows\SYSTEM32\mikolobe.exe
2009-03-05 14:04 . 2009-03-05 14:04 1,995 ---hs---- c:\windows\SYSTEM32\yujopona.exe
2009-03-04 19:11 . 2009-03-04 19:11 8,212 --a------ c:\windows\mfebcdata
2009-03-04 09:18 . 2009-03-04 09:19 <DIR> d-------- c:\program files\Cobian Backup 8
2009-03-04 09:14 . 2009-03-04 09:14 <DIR> d-------- c:\program files\Cobiansoft
2009-03-03 17:05 . 2009-03-03 17:05 <DIR> d-------- c:\documents and settings\All Users\Application Data\Citrix
2009-03-02 17:54 . 2009-03-02 17:55 <DIR> d-------- c:\documents and settings\Mikey\Application Data\Move Networks

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-03-19 03:20 --------- d-----w c:\documents and settings\Mikey\Application Data\Azureus
2009-03-05 13:01 --------- d-----w c:\documents and settings\All Users\Application Data\McAfee
2009-03-05 00:14 --------- d-----w c:\program files\Common Files\McAfee
2009-03-05 00:13 --------- d-----w c:\program files\McAfee
2009-03-04 03:19 --------- d-----w c:\documents and settings\LocalService\Application Data\SACore
2009-02-07 16:29 --------- d-----w c:\program files\Vuze
2009-01-22 05:52 129,784 ------w c:\windows\SYSTEM32\pxafs.dll
2009-01-22 05:52 118,520 ------w c:\windows\SYSTEM32\pxinsi64.exe
2009-01-22 05:52 116,472 ------w c:\windows\SYSTEM32\pxcpyi64.exe
2008-11-21 17:25 61,224 ----a-w c:\documents and settings\Mikey\GoToAssistDownloadHelper.exe
2008-09-02 21:50 3,932 ----a-w c:\documents and settings\Mikey\Application Data\LMLayout.dat
2008-09-02 21:50 268 ----a-w c:\documents and settings\Mikey\Application Data\LMCPaper.dat
2003-08-27 19:19 36,963 -c--a-r c:\program files\Common Files\SM1updtr.dll
2002-01-18 12:52 3,932 ------w c:\documents and settings\LocalService\Application Data\LMLayout.dat
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{201f27d4-3704-41d6-89c1-aa35e39143ed}]
2008-10-02 16:44 325000 --a------ c:\program files\AskBarDis\bar\bin\askBar.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
"{3041d03e-fd4b-44e0-b742-2d9b88305f98}"= "c:\program files\AskBarDis\bar\bin\askBar.dll" [2008-10-02 325000]

[HKEY_CLASSES_ROOT\clsid\{3041d03e-fd4b-44e0-b742-2d9b88305f98}]
[HKEY_CLASSES_ROOT\TypeLib\{4b1c1e16-6b34-430e-b074-5928eca4c150}]

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\Webbrowser]
"{3041D03E-FD4B-44E0-B742-2D9B88305F98}"= "c:\program files\AskBarDis\bar\bin\askBar.dll" [2008-10-02 325000]

[HKEY_CLASSES_ROOT\clsid\{3041d03e-fd4b-44e0-b742-2d9b88305f98}]
[HKEY_CLASSES_ROOT\TypeLib\{4b1c1e16-6b34-430e-b074-5928eca4c150}]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"H/PC Connection Agent"="c:\program files\Microsoft ActiveSync\WCESCOMM.EXE" [2002-01-07 401496]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"TkBellExe"="c:\program files\Common Files\Real\Update_OB\realsched.exe" [2005-01-05 180269]
"SM1BG"="c:\windows\SM1BG.EXE" [2003-08-27 94208]
"RoxioDragToDisc"="c:\program files\Roxio\Easy Media Creator 7\Drag to Disc\DrgToDsc.exe" [2005-02-02 1695744]
"Sunkist2k"="c:\program files\Multimedia Card Reader\shwicon2k.exe" [2005-02-22 131072]
"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2008-03-28 413696]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2008-03-30 267048]
"HP Software Update"="c:\program files\HP\HP Software Update\HPWuSchd2.exe" [2006-02-19 49152]
"MsgCenterExe"="c:\program files\Common Files\Real\Update_OB\RealOneMessageCenter.exe" [2005-01-05 69688]
"a-squared"="c:\program files\a-squared Anti-Malware\a2guard.exe" [2009-02-25 2799760]
"Logitech Utility"="Logi_MwX.Exe" [2003-12-17 c:\windows\LOGI_MWX.EXE]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"MSMSGS"="c:\program files\Messenger\MSMSGS.EXE" [2008-04-13 1695232]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
Adobe Reader Speed Launch.lnk - c:\program files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2008-04-23 29696]
Digital Line Detect.lnk - c:\program files\Digital Line Detect\DLG.exe [2003-06-30 24576]
HP Digital Imaging Monitor.lnk - c:\program files\HP\Digital Imaging\bin\hpqtra08.exe [2006-02-19 288472]
HP Photosmart Premier Fast Start.lnk - c:\program files\HP\Digital Imaging\bin\hpqthb08.exe [2006-02-10 73728]
Logitech SetPoint.lnk - c:\program files\Logitech\SetPoint\KEM.exe [2004-08-24 573440]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"= xaxzfa.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"MSACM.CEGSM"= mobilev.acm
"VIDC.ACDV"= ACDV.dll

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^AOL 7.0 Tray Icon.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\AOL 7.0 Tray Icon.lnk
backup=c:\windows\pss\AOL 7.0 Tray Icon.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Load]
??? [?]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Run]
??? [?]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DVDSentry]
-ra------ 2002-08-14 18:22 28672 c:\windows\SYSTEM32\DSentry.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\H/PC Connection Agent]
--a------ 2002-01-07 15:24 401496 c:\program files\Microsoft ActiveSync\wcescomm.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HotKeysCmds]
--a------ 2003-01-13 13:53 114688 c:\windows\SYSTEM32\hkcmd.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HP Software Update]
--a------ 2005-02-16 23:11 49152 c:\program files\Hewlett-Packard\HP Software Update\hpwuSchd2.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HPDJ Taskbar Utility]
--a--c--- 2003-07-25 09:14 188416 c:\windows\SYSTEM32\SPOOL\DRIVERS\W32X86\3\hpztsb09.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HPHmon04]
--a------ 2002-04-04 15:01 335872 c:\windows\SYSTEM32\hphmon04.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HPHUPD04]
--a--c--- 2002-04-04 15:04 49152 c:\program files\HP Photosmart 11\hphinstall\UniPatch\hphupd04.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\IgfxTray]
--a------ 2003-01-13 14:07 155648 c:\windows\SYSTEM32\igfxtray.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NewsUpd]
--a--c--- 2000-08-04 01:50 44032 c:\program files\Creative\News\NewsUpd.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
--a------ 2008-03-28 23:37 413696 c:\program files\QuickTime\QTTask.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
--a--c--- 2004-06-03 21:05 32881 c:\program files\Java\j2re1.4.2_05\bin\jusched.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TkBellExe]
--a------ 2005-01-05 19:48 180269 c:\program files\Common Files\Real\Update_OB\realsched.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Logitech Utility]
--------- 2003-12-17 08:50 19968 c:\windows\LOGI_MWX.EXE

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"UpdatesDisableNotify"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\Microsoft ActiveSync\\wcescomm.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqtra08.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqste08.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpofxm08.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hposfx08.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hposid01.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqscnvw.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqkygrp.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqCopy.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpfccopy.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpzwiz01.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\Unload\\HpqPhUnl.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\Unload\\HpqDIA.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpoews01.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqnrs08.exe"=
"c:\\Program Files\\Vuze\\Azureus.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\McAfee\\VirusScan\\mcvsmap.exe"=
"c:\\Program Files\\Common Files\\Apple\\Mobile Device Support\\bin\\AppleMobileDeviceService.exe"=
"c:\\Program Files\\iPod\\bin\\iPodService.exe"=

R2 ASKService;ASKService;c:\program files\AskBarDis\bar\bin\AskService.exe [2008-11-10 460168]
S3 WRVS4400N_Sp50;WRVS4400N_Sp50 NDIS Protocol Driver;c:\windows\SYSTEM32\DRIVERS\WRVS4400N_Sp50.sys [2006-11-28 27072]
.
Contents of the 'Scheduled Tasks' folder

2009-03-20 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-04-11 17:57]

2004-03-19 c:\windows\Tasks\HP DArC Task #Hewlett-Packard#7900#CN39A321N5EX.job
- c:\program files\HP\hpcoretech\comp\hpdarc.exe []

2003-07-03 c:\windows\Tasks\ISP signup reminder 3.job
- c:\windows\System32\OOBE\OOBEBALN.EXE [2008-04-13 19:12]

2009-03-25 c:\windows\Tasks\ParetoLogic Registration.job
- c:\program files\Common Files\ParetoLogic\UUS2\UUS.dll []
.
- - - - ORPHANS REMOVED - - - -

WebBrowser-{8FF5E180-ABDE-46EB-B09E-D2AAB95CABE3} - (no file)
HKLM-Run-Adobe Photo Downloader - c:\program files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe
MSConfigStartUp-AdaptecDirectCD - c:\program files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe
MSConfigStartUp-CMESys - c:\program files\Common Files\CMEII\CMESys.exe
MSConfigStartUp-EanthologyApp - c:\program files\Common Files\eAcceleration\eanthology.exe
MSConfigStartUp-HP Component Manager - c:\program files\HP\hpcoretech\hpcmpmgr.exe
MSConfigStartUp-LDM - c:\program files\Logitech\Desktop Messenger\8876480\Program\LogitechDesktopMessenger.exe
MSConfigStartUp-MCAgentExe - c:\progra~1\McAfee.com\Agent\McAgent.exe
MSConfigStartUp-MCUpdateExe - c:\progra~1\McAfee.com\Agent\McUpdate.exe
MSConfigStartUp-mmtask - c:\program files\MUSICMATCH\MUSICMATCH Jukebox\mmtask.exe
MSConfigStartUp-MMTray - c:\program files\MUSICMATCH\MUSICMATCH Jukebox\mm_tray.exe
MSConfigStartUp-Register MediaRing Talk - c:\program files\MediaRing Talk\register.exe
MSConfigStartUp-REGSHAVE - c:\program files\REGSHAVE\REGSHAVE.EXE
MSConfigStartUp-RHSI SHS - c:\program files\Rogers\SelfHealing\SHS.exe
MSConfigStartUp-Share-to-Web Namespace Daemon - c:\program files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe
MSConfigStartUp-StopSignStatus - c:\program files\Common Files\eAcceleration\Installer\stopsinfo.dll
MSConfigStartUp-Update Manager - c:\program files\Rogers\Update Manager\UpdateManager.exe
MSConfigStartUp-VirusScan Online - c:\progra~1\mcafee.com\vso\mcvsshld.exe
MSConfigStartUp-VSOCheckTask - c:\progra~1\mcafee.com\vso\mcmnhdlr.exe
MSConfigStartUp-webscan - c:\program files\Acceleration Software\Anti-Virus\stopsignav.exe
MSConfigStartUp-zBrowser Launcher - c:\program files\Logitech\iTouch\iTouch.exe
MSConfigStartUp-zzzHPSETUP - E:\Setup.exe


.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.theanimalrescuesite.com/clickToGive/home.faces?siteId=3&link=ctg_ars_home_from_ars_thankyou_sitenav
mSearch Bar = hxxp://red.clientapps.yahoo.com/customize/ie/defaults/sb/ymsgr/*http://www.yahoo.com/ext/search/search.html
uInternet Connection Wizard,ShellNext = hxxp://www.dellnet.com/
uInternet Settings,ProxyOverride = 127.0.0.1;hxxp://localhost;*.local
uSearchURL,(Default) = hxxp://toolbar.ask.com/toolbarv/askRedirect?o=10607&gct=&gc=1&q=%s
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
IE: Yahoo! &SMS - file:///c:\program files\Yahoo!\Common/ycsms.htm
Trusted Zone: internet
Trusted Zone: mcafee.com
Trusted Zone: microsoft.com\office
DPF: DirectAnimation Java Classes - file://c:\windows\Java\classes\dajava.cab
DPF: Microsoft XML Parser for Java - file://c:\windows\Java\classes\xmldso.cab
.

**************************************************************************

catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-03-24 20:47:23
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...


**************************************************************************
.
Completion time: 2009-03-24 20:50:50
ComboFix-quarantined-files.txt 2009-03-25 01:49:32

Pre-Run: 12,608,909,312 bytes free
Post-Run: 12,906,332,160 bytes free

WindowsXP-KB310994-SP2-Home-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(2)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
multi(0)disk(0)rdisk(0)partition(2)\WINDOWS="Microsoft Windows XP Home Edition" /fastdetect /NoExecute=OptIn

241 --- E O F --- 2009-02-26 05:16:39
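
Added example, not part of APL23's post and not ComboFix's own code: a small Python parser for the autostart lines ComboFix prints in the form `<source>-<name> - <path>` (the `HKLM-Run-…` and `MSConfigStartUp-…` lines above), followed by a simple triage of where each target points. Assumptions are that Windows lives on `C:`, that the sample lines are taken verbatim from the log above, and that the flag names (`dll-target`, `non-system-drive`, `unusual-extension`) are my own rather than anything ComboFix reports.

```python
import re
from dataclasses import dataclass, field
from pathlib import PureWindowsPath

# One autostart line as ComboFix prints it: "<source>-<name> - <path>".
# The name may contain spaces and dashes, so match non-greedily up to the
# first " - " that is followed by a drive letter and a backslash.
LINE_RE = re.compile(
    r"^(HKLM-Run|HKCU-Run|MSConfigStartUp)-(.+?) - ([A-Za-z]:\\.*)$"
)

SYSTEM_DRIVE = "C:"  # assumption: XP is installed on C:


@dataclass
class Autostart:
    source: str          # where ComboFix found the value (Run key or msconfig)
    name: str            # value / entry name
    path: str            # target exactly as logged (8.3 short names kept)
    flags: list = field(default_factory=list)


def parse_line(line: str):
    """Return an Autostart for a matching line, or None for any other line."""
    m = LINE_RE.match(line.strip())
    return Autostart(*m.groups()) if m else None


def triage(entry: Autostart) -> Autostart:
    """Attach flags describing where the target points (flag names are mine)."""
    p = PureWindowsPath(entry.path)
    ext = p.suffix.lower()
    flags = []
    if ext == ".dll":
        # A DLL cannot start by itself; an autostart naming one directly is
        # either a rundll32 host the log collapsed or a broken entry.
        flags.append("dll-target")
    if p.drive.upper() != SYSTEM_DRIVE:
        # Targets on other drives (removable media, recovery partitions)
        # deserve a look even when they turn out to be vendor leftovers.
        flags.append("non-system-drive")
    if ext not in (".exe", ".dll"):
        flags.append("unusual-extension")
    entry.flags = flags
    return entry


def triage_log(text: str):
    """Parse every autostart line in a log excerpt and triage each one."""
    return [triage(e) for e in map(parse_line, text.splitlines()) if e]


def flagged(text: str) -> dict:
    """Map entry name -> flags for entries that raised at least one flag."""
    return {e.name: e.flags for e in triage_log(text) if e.flags}


# Lines copied from the log posted above, plus one non-autostart line
# ("." as ComboFix uses for section breaks) to show the parser skips it.
SAMPLE_LOG = r"""
HKLM-Run-Adobe Photo Downloader - c:\program files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe
MSConfigStartUp-MCAgentExe - c:\progra~1\McAfee.com\Agent\McAgent.exe
MSConfigStartUp-Register MediaRing Talk - c:\program files\MediaRing Talk\register.exe
MSConfigStartUp-Share-to-Web Namespace Daemon - c:\program files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe
MSConfigStartUp-StopSignStatus - c:\program files\Common Files\eAcceleration\Installer\stopsinfo.dll
MSConfigStartUp-zzzHPSETUP - E:\Setup.exe
.
"""

if __name__ == "__main__":
    for e in triage_log(SAMPLE_LOG):
        print(f"{e.source:16} {e.name:32} {e.path}  {','.join(e.flags) or '-'}")
```

Run against the sample, only two entries raise flags: `StopSignStatus` because its target is a DLL, and `zzzHPSETUP` because it points at `E:\Setup.exe` rather than the system drive. Neither flag is a malware verdict on its own; they are the entries a helper would look at first when reading a log like this one.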

#15 suebaby41

suebaby41

    W.A.M. (Women Against Malware)


  • Malware Response Team
  • 6,248 posts
  • Gender:Female
  • Location:South Carolina, USA
  • Local time:02:56 PM

Posted 25 March 2009 - 10:00 AM

Thank you. Please continue with the steps. Let me know if you have any questions.
You don't stop laughing when you get old; you get old when you stop laughing.
A Member of U-N-I-T-E (Unified Network of Instructors and Trained Eliminators)
Malware Removal University Masters Graduate

Join The Fight Against Malware
No reply within 5 days will result in your topic being closed. If you need more time, please let me know by posting in this topic so that your topic will not be closed.



