My HijackThis Log - I'm infected


  • This topic is locked
7 replies to this topic

#1 Thormix

  • Members
  • 5 posts
  • Local time:04:30 AM

Posted 25 March 2009 - 11:53 PM

Hi, I'm new to all this so please LMK how I can help you to help me fix my PC.

First off, I was running F-PROT Anti-Virus with the latest defs and thought I was protected, but somehow I got infected with some malware/virus stuff. F-PROT didn't warn me about anything malicious and has since been removed because I don't trust it anymore. I installed AVG 8.5 (Free Edition) right away. When I installed AVG 8.5 Free it found a few Trojan-style viruses and reported that it removed them successfully, which it obviously hasn't.

The symptoms of my infection are that I have slower than normal page load times in Firefox, the whole internet seems to be running slower like it is doing stuff in the background, and most noticeably I am getting pop-up windows in both IE and Firefox mostly advertising Anti-Virus/Anti-Malware software (kinda ironic and infuriating). I get these pop-ups even when no browser is actively running.

I have run a full scan with AVG and Trend Micro's HouseCall, but so far I have been unable to eliminate these Firefox and IE pop-ups.
So far everything I have tried has not been successful, so I'm asking you (the expert) to help me get my PC running happily again.

Please help. Thanks

Here Are The Logs

1 - HijackThis Log

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 9:15:40 PM, on 3/25/2009
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16791)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
C:\Program Files\eBoostr\EBstrSvc.exe
C:\Program Files\FolderSize\FolderSizeSvc.exe
C:\WINDOWS\system32\inetsrv\inetinfo.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\PROGRA~1\AVG\AVG8\avgrsx.exe
C:\PROGRA~1\AVG\AVG8\avgnsx.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\Program Files\Synergy\synergys.exe
C:\PROGRA~1\AVG\AVG8\avgemc.exe
C:\Program Files\Alcohol Soft\Alcohol 120\Alcohol.exe
C:\Program Files\Microsoft IntelliPoint\ipoint.exe
C:\Program Files\Microsoft IntelliType Pro\itype.exe
C:\PROGRA~1\AVG\AVG8\avgtray.exe
C:\Program Files\AVG\AVG8\avgcsrvx.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\SlySoft\AnyDVD\_AnyDVDtray.exe
C:\Program Files\eBoostr\eBoostrCP.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Program Files\AVG\AVG8\avgssie.dll
O2 - BHO: {8ceb2e15-719d-bccb-bef4-7a0464a2f5c6} - {6c5f2a46-40a7-4feb-bccb-d91751e2bec8} - C:\WINDOWS\system32\placyw.dll
O2 - BHO: Java™ Plug-In SSV Helper - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre6\bin\ssv.dll
O2 - BHO: Adobe PDF Conversion Toolbar Helper - {AE7CD045-E861-484f-8273-0445EE161910} - C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll
O2 - BHO: (no name) - {b9201cca-7dc7-445e-86b1-e77ef4833771} - C:\WINDOWS\system32\zobuneto.dll (file missing)
O2 - BHO: Java™ Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [Alcohol.exe Autorun] C:\Program Files\Alcohol Soft\Alcohol 120\Alcohol.exe /startup
O4 - HKLM\..\Run: [IntelliPoint] "C:\Program Files\Microsoft IntelliPoint\ipoint.exe"
O4 - HKLM\..\Run: [itype] "C:\Program Files\Microsoft IntelliType Pro\itype.exe"
O4 - HKLM\..\Run: [AVG8_TRAY] C:\PROGRA~1\AVG\AVG8\avgtray.exe
O4 - HKLM\..\Run: [40b8cb5d] rundll32.exe "C:\WINDOWS\system32\wutekimo.dll",b
O4 - HKLM\..\Run: [CPM438bf8c1] Rundll32.exe "c:\windows\system32\hipufefu.dll",a
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKCU\..\Run: [AnyDVD] C:\Program Files\SlySoft\AnyDVD\AnyDVDtray.exe
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: eBoostr Control Panel.lnk = C:\Program Files\eBoostr\eBoostrCP.exe
O8 - Extra context menu item: Convert link target to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert link target to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert selected links to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
O8 - Extra context menu item: Convert selected links to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
O8 - Extra context menu item: Convert selection to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert selection to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {1E54D648-B804-468d-BC78-4AFFED8E262E} (System Requirements Lab) - http://www.nvidia.com/content/DriverDownlo.../sysreqlab3.cab
O16 - DPF: {215B8138-A3CF-44C5-803F-8226143CFC0A} (Trend Micro ActiveX Scan Agent 6.6) - http://housecall65.trendmicro.com/housecal...ivex/hcImpl.cab
O16 - DPF: {4871A87A-BFDD-4106-8153-FFDE2BAC2967} (DLM Control) - http://dlm.tools.akamai.com/dlmanager/vers...vex-2.2.4.2.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/windowsupd...b?1224829675237
O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files\AVG\AVG8\avgpp.dll
O20 - AppInit_DLLs: C:\WINDOWS\system32\lelujazo.dll placyw.dll c:\windows\system32\hipufefu.dll
O20 - Winlogon Notify: avgrsstarter - C:\WINDOWS\SYSTEM32\avgrsstx.dll
O21 - SSODL: SSODL - {EC43E3FD-5C60-46a6-97D7-E0B85DBDD6C4} - c:\windows\system32\hipufefu.dll
O22 - SharedTaskScheduler: STS - {EC43E3FD-5C60-46a6-97D7-E0B85DBDD6C4} - c:\windows\system32\hipufefu.dll
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: AVG Free8 E-mail Scanner (avg8emc) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgemc.exe
O23 - Service: AVG Free8 WatchDog (avg8wd) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
O23 - Service: eBoostr Service (EBOOSTRSVC) - Unknown owner - C:\Program Files\eBoostr\EBstrSvc.exe
O23 - Service: Folder Size (FolderSize) - Brio - C:\Program Files\FolderSize\FolderSizeSvc.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: Synergy Server - Unknown owner - C:\Program Files\Synergy\synergys.exe

--
End of file - 8104 bytes

2 - AVG Resident Shield Log

"Trojan horse SHeur2.WVR";"C:\System Volume Information\_restore{C19EC757-3C7F-430F-B225-3057306E76CA}\RP191\A0029072.dll";"Infected";"3/25/2009, 6:27:53 AM";"file";"C:\WINDOWS\system32\cidaemon.exe"
"Trojan horse Downloader.Swizzor.JVP";"C:\System Volume Information\_restore{C19EC757-3C7F-430F-B225-3057306E76CA}\RP191\A0029071.exe";"Infected";"3/25/2009, 6:08:59 AM";"file";"C:\WINDOWS\system32\cidaemon.exe"
"Trojan horse SHeur2.WVR";"C:\System Volume Information\_restore{C19EC757-3C7F-430F-B225-3057306E76CA}\RP191\A0029066.dll";"Moved to Virus Vault";"3/25/2009, 3:30:29 AM";"file";"C:\WINDOWS\system32\cidaemon.exe"
"Trojan horse SHeur2.WVR";"C:\System Volume Information\_restore{C19EC757-3C7F-430F-B225-3057306E76CA}\RP191\A0029049.dll";"Moved to Virus Vault";"3/25/2009, 3:21:36 AM";"file";"C:\WINDOWS\system32\cidaemon.exe"
"Trojan horse SHeur2.WVR";"C:\WINDOWS\system32\rihinopu.dll";"Infected";"3/25/2009, 2:22:17 AM";"file";"C:\WINDOWS\system32\rundll32.exe"
"Trojan horse SHeur2.WVR";"C:\WINDOWS\system32\lelujazo.dll";"Infected";"3/25/2009, 2:19:59 AM";"file";"C:\WINDOWS\system32\spoolsv.exe"
"Trojan horse SHeur2.WVR";"C:\WINDOWS\system32\lelujazo.dll";"Infected";"3/25/2009, 2:19:34 AM";"file";"C:\Program Files\Mozilla Firefox\firefox.exe"
"Trojan horse SHeur2.WVR";"C:\WINDOWS\system32\rihinopu.dll";"Infected";"3/25/2009, 2:19:27 AM";"file";"C:\Program Files\Mozilla Firefox\firefox.exe"
"Trojan horse SHeur2.WVR";"C:\WINDOWS\system32\lelujazo.dll";"Infected";"3/25/2009, 2:19:27 AM";"file";"C:\WINDOWS\system32\dumprep.exe"
"Trojan horse SHeur2.WVR";"C:\WINDOWS\system32\zobuneto.dll";"Infected";"3/25/2009, 2:19:21 AM";"file";"C:\Program Files\Mozilla Firefox\firefox.exe"
"Trojan horse SHeur2.WVR";"C:\WINDOWS\system32\zobuneto.dll";"Infected";"3/25/2009, 2:19:15 AM";"file";"C:\WINDOWS\system32\dumprep.exe"
"Trojan horse SHeur2.WVR";"C:\WINDOWS\system32\rihinopu.dll";"Infected";"3/25/2009, 2:19:07 AM";"file";"C:\WINDOWS\system32\dumprep.exe"
"Trojan horse SHeur2.WVR";"C:\WINDOWS\system32\rihinopu.dll";"Infected";"3/25/2009, 2:18:55 AM";"file";"C:\Program Files\Mozilla Firefox\firefox.exe"
"Trojan horse SHeur2.WVR";"C:\WINDOWS\system32\lelujazo.dll";"Infected";"3/25/2009, 2:18:55 AM";"file";"C:\WINDOWS\system32\dumprep.exe"
"Trojan horse SHeur2.WVR";"C:\WINDOWS\system32\zobuneto.dll";"Infected";"3/25/2009, 2:18:51 AM";"file";"C:\Program Files\Mozilla Firefox\firefox.exe"
"Trojan horse SHeur2.WVR";"C:\WINDOWS\system32\lelujazo.dll";"Infected";"3/25/2009, 2:18:42 AM";"file";"C:\Program Files\Mozilla Firefox\firefox.exe"
"Trojan horse SHeur2.WVR";"C:\WINDOWS\system32\zobuneto.dll";"Infected";"3/25/2009, 2:18:39 AM";"file";"C:\WINDOWS\system32\dumprep.exe"
"Trojan horse SHeur2.WVR";"C:\WINDOWS\system32\lelujazo.dll";"Infected";"3/25/2009, 2:18:36 AM";"file";"C:\WINDOWS\system32\logonui.exe"
"Trojan horse SHeur2.WVR";"C:\WINDOWS\system32\lelujazo.dll";"Infected";"3/25/2009, 2:18:31 AM";"file";"C:\PROGRA~1\AVG\AVG8\avgemc.exe"
"Trojan horse SHeur2.WVR";"C:\WINDOWS\system32\rihinopu.dll";"Infected";"3/25/2009, 2:18:29 AM";"file";"C:\WINDOWS\system32\dumprep.exe"
"Trojan horse SHeur2.WVR";"C:\WINDOWS\system32\rihinopu.dll";"Infected";"3/25/2009, 2:18:25 AM";"file";"C:\Program Files\Mozilla Firefox\firefox.exe"
"Trojan horse SHeur2.WVR";"C:\WINDOWS\system32\lelujazo.dll";"Infected";"3/25/2009, 2:18:14 AM";"file";"C:\WINDOWS\system32\dumprep.exe"
"Trojan horse SHeur2.WVR";"C:\WINDOWS\system32\lelujazo.dll";"Infected";"3/25/2009, 2:18:11 AM";"file";"C:\Program Files\Mozilla Firefox\firefox.exe"
"Trojan horse SHeur2.WVR";"C:\WINDOWS\system32\zobuneto.dll";"Infected";"3/25/2009, 2:17:48 AM";"file";"C:\Program Files\SlySoft\AnyDVD\_AnyDVDtray.exe"
"Trojan horse SHeur2.WVR";"C:\WINDOWS\system32\rihinopu.dll";"Infected";"3/25/2009, 2:17:44 AM";"file";"C:\Program Files\Mozilla Firefox\firefox.exe"
"Trojan horse SHeur2.WVR";"C:\WINDOWS\system32\zobuneto.dll";"Infected";"3/25/2009, 2:17:41 AM";"file";"C:\Program Files\Mozilla Firefox\firefox.exe"
"Trojan horse SHeur2.WVR";"C:\WINDOWS\system32\zobuneto.dll";"Infected";"3/25/2009, 2:17:35 AM";"file";"C:\WINDOWS\system32\dumprep.exe"
"Trojan horse SHeur2.WVR";"C:\WINDOWS\system32\rihinopu.dll";"Infected";"3/25/2009, 2:17:33 AM";"file";"C:\WINDOWS\system32\dumprep.exe"
"Trojan horse SHeur2.WVR";"C:\WINDOWS\system32\lelujazo.dll";"Infected";"3/25/2009, 2:17:27 AM";"file";"C:\WINDOWS\system32\dumprep.exe"
"Trojan horse SHeur2.WVR";"C:\WINDOWS\system32\rihinopu.dll";"Infected";"3/25/2009, 2:17:11 AM";"file";"C:\Program Files\Mozilla Firefox\firefox.exe"
"Trojan horse SHeur2.WVR";"C:\WINDOWS\system32\zobuneto.dll";"Infected";"3/25/2009, 2:17:10 AM";"file";"C:\Program Files\Mozilla Firefox\firefox.exe"
"Trojan horse SHeur2.WVR";"C:\WINDOWS\system32\lelujazo.dll";"Infected";"3/25/2009, 2:17:06 AM";"file";"C:\Program Files\Mozilla Firefox\firefox.exe"
"Trojan horse SHeur2.WVR";"C:\WINDOWS\system32\lelujazo.dll";"Infected";"3/25/2009, 2:17:03 AM";"file";"C:\WINDOWS\system32\msiexec.exe"
"Trojan horse SHeur2.WVR";"C:\WINDOWS\system32\zobuneto.dll";"Infected";"3/25/2009, 2:16:53 AM";"file";"C:\WINDOWS\system32\rundll32.exe"
"Trojan horse SHeur2.WVR";"C:\WINDOWS\system32\lelujazo.dll";"Infected";"3/25/2009, 2:16:25 AM";"file";"C:\Program Files\FRISK Software\F-PROT Antivirus for Windows\FPAVServer.exe"
"Trojan horse SHeur2.WVR";"C:\WINDOWS\system32\rihinopu.dll";"Infected";"3/25/2009, 2:16:22 AM";"file";"C:\WINDOWS\system32\taskmgr.exe"
"Trojan horse SHeur2.WVR";"C:\WINDOWS\system32\zobuneto.dll";"Infected";"3/25/2009, 2:16:22 AM";"file";"C:\WINDOWS\system32\rundll32.exe"
"Trojan horse SHeur2.WVR";"C:\WINDOWS\system32\zobuneto.dll";"Infected";"3/25/2009, 2:16:19 AM";"file";"C:\WINDOWS\system32\taskmgr.exe"
"Trojan horse SHeur2.WVR";"C:\WINDOWS\system32\lelujazo.dll";"Infected";"3/25/2009, 2:16:18 AM";"file";"C:\WINDOWS\system32\taskmgr.exe"
"Trojan horse SHeur2.WVR";"C:\WINDOWS\system32\zobuneto.dll";"Infected";"3/25/2009, 2:16:16 AM";"file";"C:\WINDOWS\system32\CtHelper.exe"
"Trojan horse SHeur2.WVR";"C:\WINDOWS\system32\lelujazo.dll";"Infected";"3/25/2009, 2:16:16 AM";"file";"C:\Program Files\FRISK Software\F-PROT Antivirus for Windows\fssf.exe"
"Trojan horse SHeur2.WVR";"C:\WINDOWS\system32\zobuneto.dll";"Infected";"3/25/2009, 2:16:11 AM";"file";"C:\Program Files\Synergy\synergys.exe"
"Trojan horse SHeur2.WVR";"C:\WINDOWS\system32\zobuneto.dll";"Infected";"3/25/2009, 2:16:06 AM";"file";"C:\Program Files\Microsoft IntelliPoint\ipoint.exe"
"Trojan horse SHeur2.WVR";"C:\WINDOWS\system32\zobuneto.dll";"Infected";"3/25/2009, 2:15:54 AM";"file";"C:\WINDOWS\explorer.exe"
"Trojan horse SHeur2.WVR";"C:\WINDOWS\system32\zobuneto.dll";"Infected";"3/25/2009, 2:15:45 AM";"file";"C:\WINDOWS\system32\CtHelper.exe"
"Trojan horse SHeur2.WVR";"C:\WINDOWS\system32\zobuneto.dll";"Infected";"3/25/2009, 2:15:43 AM";"file";"C:\Program Files\eBoostr\eBoostrCP.exe"
"Trojan horse SHeur2.WVR";"C:\WINDOWS\system32\lelujazo.dll";"Infected";"3/25/2009, 2:15:40 AM";"file";"C:\Program Files\AVG\AVG8\avgcmgr.exe"
"Trojan horse SHeur2.WVR";"C:\WINDOWS\system32\zobuneto.dll";"Infected";"3/25/2009, 2:15:14 AM";"file";"C:\WINDOWS\system32\CtHelper.exe"
"Trojan horse SHeur2.WVR";"C:\WINDOWS\system32\zobuneto.dll";"Infected";"3/25/2009, 2:15:03 AM";"file";"C:\Program Files\SlySoft\AnyDVD\_AnyDVDtray.exe"
"Trojan horse SHeur2.WVR";"C:\WINDOWS\system32\zobuneto.dll";"Infected";"3/25/2009, 2:14:32 AM";"file";"C:\Program Files\SlySoft\AnyDVD\_AnyDVDtray.exe"
"Trojan horse SHeur2.WVR";"C:\WINDOWS\system32\lelujazo.dll";"Moved to Virus Vault";"3/25/2009, 2:13:52 AM";"file";"C:\Program Files\AVG\AVG8\fixcfg.exe"
"Trojan horse SHeur2.WVR";"C:\WINDOWS\system32\lelujazo.dll";"Moved to Virus Vault";"3/25/2009, 2:13:39 AM";"file";"C:\PROGRA~1\AVG\AVG8\avgnsx.exe"

3 - AVG Web Shield Log

"Exploit Rogue spyware scanner";"promotion-offer.com/srm/etc/config.js";"";"3/25/2009, 2:56:15 PM";"file";"C:\Program Files\Internet Explorer\iexplore.exe"
"Exploit Rogue spyware scanner";"promotion-offer.com/srm/adv/142/?a=cspvm-sst-oats-sst&l=370&f=cs_13718320084&ex=1&ed=2&sub=csp&prodabbr=USRM";"";"3/25/2009, 2:56:14 PM";"file";"C:\Program Files\Internet Explorer\iexplore.exe"


Thank you Again for any help you can provide.


Attached you will find these files:
1 - HijackThis Log
2 - AVG Resident Shield Log
3 - AVG Web Shield Log

#2 teacup61

    Bleepin' Texan!

  • Malware Response Team
  • 17,075 posts
  • Gender:Female
  • Location:Wills Point, Texas
  • Local time:06:30 AM

Posted 26 March 2009 - 12:13 AM

Hello Thormix,


Your computer has a nasty case of Vundo. Let's make it happy again. :thumbup2:

This tool is not a toy. If used the wrong way you could trash your computer. Please use only under direction of a Helper. If you decide to do so anyway, please do not blame me or ComboFix.

1. Download this file - combofix.exe
http://download.bleepingcomputer.com/sUBs/ComboFix.exe
http://www.forospyware.com/sUBs/ComboFix.exe
http://subs.geekstogo.com/ComboFix.exe
2. Double click combofix.exe & follow the prompts.
3. When finished, it will produce a log for you. Post that log in your next reply please, along with a new HijackThis log.

Note:
Do not mouseclick combofix's window while it's running. That may cause it to stall.

Thanks,
tea
Please make a donation so I can keep helping people just like you.
Every little bit helps! :)
You can even use your credit card! Thank you!



Error reading poptart in Drive A: Delete kids y/n?
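To show how the "Vundo" call above can be read straight off the HijackThis log posted in the first message, here is an added triage script (not part of HijackThis, ComboFix or the thread); it runs over a subset of lines copied from that log and flags the load-point patterns that family is known for. The rule names and the "two or more load points" threshold are this example's own.

```python
"""Triage HijackThis v2 log lines for Vundo-style load points.

Added example for this thread; it is not part of HijackThis or ComboFix.
The rule names below are this example's own, not HijackThis terminology.
"""
import re
from collections import defaultdict

# Subset of lines copied from the HijackThis log posted in the first message.
# Legitimate AVG/NVIDIA entries are kept so the rules have benign lines to skip.
SAMPLE_LOG = r"""
O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Program Files\AVG\AVG8\avgssie.dll
O2 - BHO: {8ceb2e15-719d-bccb-bef4-7a0464a2f5c6} - {6c5f2a46-40a7-4feb-bccb-d91751e2bec8} - C:\WINDOWS\system32\placyw.dll
O2 - BHO: (no name) - {b9201cca-7dc7-445e-86b1-e77ef4833771} - C:\WINDOWS\system32\zobuneto.dll (file missing)
O4 - HKLM\..\Run: [AVG8_TRAY] C:\PROGRA~1\AVG\AVG8\avgtray.exe
O4 - HKLM\..\Run: [40b8cb5d] rundll32.exe "C:\WINDOWS\system32\wutekimo.dll",b
O4 - HKLM\..\Run: [CPM438bf8c1] Rundll32.exe "c:\windows\system32\hipufefu.dll",a
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O20 - AppInit_DLLs: C:\WINDOWS\system32\lelujazo.dll placyw.dll c:\windows\system32\hipufefu.dll
O20 - Winlogon Notify: avgrsstarter - C:\WINDOWS\SYSTEM32\avgrsstx.dll
O21 - SSODL: SSODL - {EC43E3FD-5C60-46a6-97D7-E0B85DBDD6C4} - c:\windows\system32\hipufefu.dll
O22 - SharedTaskScheduler: STS - {EC43E3FD-5C60-46a6-97D7-E0B85DBDD6C4} - c:\windows\system32\hipufefu.dll
"""

GUID_RE = re.compile(r"^\{[0-9a-f]{8}(-[0-9a-f]{4}){3}-[0-9a-f]{12}\}$", re.I)
DLL_RE = re.compile(r"([\w~-]+\.dll)\b", re.I)
# rundll32 "<dll>",<one letter>: the export being called is a single character
ONE_LETTER_EXPORT_RE = re.compile(r'\.dll"?,[A-Za-z]\s*$')


def dll_names(fragment):
    """Lower-cased DLL basenames mentioned in a log fragment."""
    return [m.lower() for m in DLL_RE.findall(fragment)]


def triage_line(line):
    """Return (reason, [dlls]) when a line matches a Vundo-style load point.

    Returns None for lines that look like ordinary product entries.
    """
    line = line.strip()
    if line.startswith("O2 - BHO:"):
        # A real product puts its name first; here it is missing or a GUID.
        name = line[len("O2 - BHO:"):].split(" - ")[0].strip()
        if name == "(no name)" or GUID_RE.match(name):
            return ("BHO without a product name", dll_names(line))
    elif line.startswith("O4 - ") and "rundll32" in line.lower():
        # Autostart through rundll32 with a one-letter export such as ",b".
        if ONE_LETTER_EXPORT_RE.search(line):
            return ("rundll32 autostart with single-letter export", dll_names(line))
    elif line.startswith("O20 - AppInit_DLLs:"):
        # Anything listed here is mapped into every process that loads user32.
        return ("AppInit_DLLs injection", dll_names(line))
    elif line.startswith(("O21 - SSODL:", "O22 - SharedTaskScheduler:")):
        # Shell load point named after its own registry key, not a product.
        name = line.split(": ", 1)[1].split(" - ")[0].strip()
        if name.upper() in ("SSODL", "STS"):
            return ("shell load point with placeholder name", dll_names(line))
    return None


def triage_log(log_text):
    """Map each flagged DLL basename to the list of reasons it was flagged."""
    hits = defaultdict(list)
    for line in log_text.splitlines():
        result = triage_line(line)
        if result:
            reason, dlls = result
            for dll in dlls:
                hits[dll].append(reason)
    return dict(hits)


def redundant_dlls(hits):
    """DLLs reachable from two or more load points.

    Redundant load points are one reason a single AV deletion (as AVG
    reported above) often does not stick: a surviving entry reloads the rest.
    """
    return {dll for dll, reasons in hits.items() if len(reasons) >= 2}


if __name__ == "__main__":
    hits = triage_log(SAMPLE_LOG)
    for dll in sorted(hits):
        print(f"{dll}: {', '.join(hits[dll])}")
    print("multiple load points:", ", ".join(sorted(redundant_dlls(hits))))
```

Every DLL the script flags is one ComboFix later lists under "Other Deletions" or "ORPHANS REMOVED" in the next reply, while the AVG, Adobe and NVIDIA entries pass untouched.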

#3 Thormix
  • Topic Starter
  • Members
  • 5 posts
  • Local time:04:30 AM

Posted 26 March 2009 - 12:36 AM

Thank you so, so much for your quick response, teacup61!

I followed your instructions to the "T" and everything seemed to go smoothly.

Here is Step #3, my reply data.

a)

ComboFix 09-03-25.02 - Daniel Tenenbaum 2009-03-25 22:20:43.1 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.1023.432 [GMT -7:00]
Running from: c:\downloads\ComboFix.exe
AV: AVG Anti-Virus Free *On-access scanning enabled* (Updated)
* Created a new restore point
.
ADS - WINDOWS: deleted 24 bytes in 1 streams.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\docume~1\DANIEL~1\LOCALS~1\Temp\tmp1.tmp
c:\docume~1\DANIEL~1\LOCALS~1\Temp\tmp2.tmp
c:\windows\system32\Cache
c:\windows\system32\helitemo.dll
c:\windows\system32\hipufefu.dll
c:\windows\system32\omiketuw.ini
c:\windows\system32\placyw.dll
c:\windows\system32\wutekimo.dll

.
((((((((((((((((((((((((( Files Created from 2009-02-26 to 2009-03-26 )))))))))))))))))))))))))))))))
.

2009-03-25 21:12 . 2009-03-25 21:12 <DIR> d-------- c:\program files\Trend Micro
2009-03-25 18:36 . 2007-12-24 17:37 138,384 --a------ c:\windows\system32\drivers\tmcomm.sys
2009-03-25 02:14 . 2009-03-25 15:58 <DIR> d--h----- C:\$AVG8.VAULT$
2009-03-25 02:11 . 2009-03-25 14:50 <DIR> d-------- c:\windows\system32\drivers\Avg
2009-03-25 02:11 . 2009-03-25 02:11 <DIR> d-------- c:\program files\AVG
2009-03-25 02:11 . 2009-03-25 02:23 <DIR> d-------- c:\documents and settings\All Users\Application Data\avg8
2009-03-25 02:11 . 2009-03-25 02:11 325,640 --a------ c:\windows\system32\drivers\avgldx86.sys
2009-03-25 02:11 . 2009-03-25 02:11 107,912 --a------ c:\windows\system32\drivers\avgtdix.sys
2009-03-25 02:11 . 2009-03-25 02:11 10,520 --a------ c:\windows\system32\avgrsstx.dll
2009-03-11 03:00 . 2008-04-13 17:12 221,184 --a------ c:\windows\system32\wmpns.dll
2009-03-04 15:52 . 2000-01-19 00:45 69,632 --a------ c:\windows\system32\CrcCtrl.ocx

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-03-26 04:21 --------- d-----w c:\program files\Mozilla Thunderbird
2009-03-26 04:01 --------- d-----w c:\documents and settings\All Users\Application Data\eboostr
2009-03-26 02:59 --------- d-----w c:\documents and settings\Daniel Tenenbaum\Application Data\HouseCall 6.6
2009-03-25 22:25 --------- d-----w c:\documents and settings\All Users\Application Data\FRISK Software
2009-03-21 22:38 --------- d-----w c:\documents and settings\Daniel Tenenbaum\Application Data\U3
2009-03-21 02:34 --------- d-----w c:\documents and settings\Daniel Tenenbaum\Application Data\Azureus
2009-03-08 11:54 --------- d-----w c:\program files\Azureus
2009-02-08 01:12 --------- d-----w c:\program files\eMule
2008-11-08 00:21 952 --sha-w c:\windows\system32\KGyGaAvL.sys
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"AnyDVD"="c:\program files\SlySoft\AnyDVD\AnyDVDtray.exe" [2008-12-08 8704]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"IntelliPoint"="c:\program files\Microsoft IntelliPoint\ipoint.exe" [2008-06-10 1406024]
"itype"="c:\program files\Microsoft IntelliType Pro\itype.exe" [2005-12-04 437008]
"AVG8_TRAY"="c:\progra~1\AVG\AVG8\avgtray.exe" [2009-03-25 1932568]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2008-09-17 13574144]
"nwiz"="nwiz.exe" [2008-09-17 c:\windows\system32\nwiz.exe]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
Adobe Gamma Loader.lnk - c:\program files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe [2008-10-30 113664]
eBoostr Control Panel.lnk - c:\program files\eBoostr\eBoostrCP.exe [2008-05-19 978552]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\avgrsstarter]
2009-03-25 02:11 10520 c:\windows\system32\avgrsstx.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"vidc.xvid"= xvid.dll

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Acrobat Assistant 7.0]
--a------ 2008-04-23 03:08 483328 c:\program files\Adobe\Acrobat 7.0\Distillr\acrotray.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Reader Speed Launcher]
--a------ 2008-06-12 02:38 34672 c:\program files\Adobe\Reader 9.0\Reader\reader_sl.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NeroFilterCheck]
--a------ 2005-09-25 20:11 155648 c:\windows\system32\NeroCheck.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NvCplDaemon]
--a------ 2008-09-17 23:55 13574144 c:\windows\system32\nvcpl.dll

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NvMediaCenter]
--a------ 2008-09-17 23:55 86016 c:\windows\system32\nvmctray.dll

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
--a------ 2008-10-29 20:21 136600 c:\program files\Java\jre6\bin\jusched.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\updateMgr]
-ra------ 2006-03-30 17:45 313472 c:\program files\Adobe\Acrobat 7.0\Acrobat\AdobeUpdateManager.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\CTHelper]
--a------ 2007-04-09 13:32 19456 c:\windows\system32\CtHelper.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\CTxfiHlp]
--a------ 2007-04-09 13:32 19968 c:\windows\system32\Ctxfihlp.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"iRacingService"=2 (0x2)

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"UpdatesDisableNotify"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Azureus\\Azureus.exe"=
"c:\\Program Files\\eMule\\emule.exe"=
"c:\\WINDOWS\\system32\\dpvsetup.exe"=
"c:\\Program Files\\AVG\\AVG8\\avgemc.exe"=
"c:\\Program Files\\AVG\\AVG8\\avgupd.exe"=
"c:\\Program Files\\AVG\\AVG8\\avgnsx.exe"=
"c:\\WINDOWS\\system32\\spoolsv.exe"=
"c:\\Program Files\\eBoostr\\EBstrSvc.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"3389:TCP"= 3389:TCP:@xpsp2res.dll,-22009

R0 eBoost;eBoostr caching filter driver;c:\windows\system32\drivers\EBoost.sys [2008-05-19 94840]
R1 AvgLdx86;AVG Free AVI Loader Driver x86;c:\windows\system32\drivers\avgldx86.sys [2009-03-25 325640]
R1 AvgTdiX;AVG Free8 Network Redirector;c:\windows\system32\drivers\avgtdix.sys [2009-03-25 107912]
R2 avg8emc;AVG Free8 E-mail Scanner;c:\progra~1\AVG\AVG8\avgemc.exe [2009-03-25 908056]
R2 avg8wd;AVG Free8 WatchDog;c:\progra~1\AVG\AVG8\avgwdsvc.exe [2009-03-25 298264]
R2 EBOOSTRSVC;eBoostr Service;c:\program files\eBoostr\EBstrSvc.exe [2008-05-19 340600]
R2 Synergy Server;Synergy Server;c:\program files\Synergy\synergys.exe [2006-04-02 733184]
S4 iRacingService;iRacing helper service;e:\iracing\iRacing\iRacingService.exe --> e:\iracing\iRacing\iRacingService.exe [?]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\M]
\Shell\AutoRun\command - M:\LaunchU3.exe -a

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\O]
\Shell\AutoRun\command - O:\LaunchU3.exe -a

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{200c075f-1524-11de-bf1e-00e018f6d944}]
\Shell\AutoRun\command - m:\system\viewer\FlipVideoforPC.exe
\Shell\Flip Video for PC\command - m:\system\viewer\FlipVideoforPC.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{b2ac8cc9-d07d-11dd-bef0-00e018f6d944}]
\Shell\AutoRun\command - M:\LaunchU3.exe -a
.
Contents of the 'Scheduled Tasks' folder

2008-11-02 c:\windows\Tasks\Microsoft_Hardware_Launch_IPoint_exe.job
- c:\program files\Microsoft IntelliPoint\ipoint.exe [2008-06-10 12:56]
.
- - - - ORPHANS REMOVED - - - -

BHO-{6c5f2a46-40a7-4feb-bccb-d91751e2bec8} - c:\windows\system32\placyw.dll
BHO-{b9201cca-7dc7-445e-86b1-e77ef4833771} - c:\windows\system32\zobuneto.dll
MSConfigStartUp-40b8cb5d - c:\windows\system32\wutekimo.dll
MSConfigStartUp-bilejawomi - c:\windows\system32\rihinopu.dll
MSConfigStartUp-CPM438bf8c1 - c:\windows\system32\hipufefu.dll


.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.com/
IE: Convert link target to Adobe PDF - c:\program files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: Convert link target to existing PDF - c:\program files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert selected links to Adobe PDF - c:\program files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
IE: Convert selected links to existing PDF - c:\program files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
IE: Convert selection to Adobe PDF - c:\program files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: Convert selection to existing PDF - c:\program files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert to Adobe PDF - c:\program files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: Convert to existing PDF - c:\program files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
FF - ProfilePath - c:\documents and settings\Daniel Tenenbaum\Application Data\Mozilla\Firefox\Profiles\qe1zfwxr.default\
FF - prefs.js: browser.startup.homepage - hxxp://www.google.com/
FF - component: c:\program files\AVG\AVG8\Firefox\components\avgssff.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npracplug.dll
.

**************************************************************************

catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-03-25 22:25:50
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
------------------------ Other Running Processes ------------------------
.
c:\program files\FolderSize\FolderSizeSvc.exe
c:\windows\system32\inetsrv\inetinfo.exe
c:\program files\Java\jre6\bin\jqs.exe
c:\program files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
c:\windows\system32\nvsvc32.exe
c:\program files\AVG\AVG8\avgrsx.exe
c:\progra~1\AVG\AVG8\avgnsx.exe
c:\program files\Alcohol Soft\Alcohol 120\Alcohol.exe
c:\program files\SlySoft\AnyDVD\_AnyDVDtray.exe
c:\program files\AVG\AVG8\avgcsrvx.exe
.
**************************************************************************
.
Completion time: 2009-03-25 22:27:49 - machine was rebooted
ComboFix-quarantined-files.txt 2009-03-26 05:27:39

Pre-Run: 105,024,540,672 bytes free
Post-Run: 105,382,354,944 bytes free

WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe
;
;Warning: Boot.ini is used on Windows XP and earlier operating systems.
;Warning: Use BCDEDIT.exe to modify Windows Vista boot options.
;
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Professional" /FASTDETECT /NOEXECUTE=OPTIN

186 --- E O F --- 2009-03-13 10:02:12



b) HijackThis Log

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 10:31:00 PM, on 3/25/2009
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16791)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
C:\Program Files\eBoostr\EBstrSvc.exe
C:\Program Files\FolderSize\FolderSizeSvc.exe
C:\WINDOWS\system32\inetsrv\inetinfo.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINDOWS\system32\nvsvc32.exe
C:\Program Files\Synergy\synergys.exe
C:\PROGRA~1\AVG\AVG8\avgrsx.exe
C:\PROGRA~1\AVG\AVG8\avgnsx.exe
C:\PROGRA~1\AVG\AVG8\avgemc.exe
C:\Program Files\Alcohol Soft\Alcohol 120\Alcohol.exe
C:\Program Files\Microsoft IntelliPoint\ipoint.exe
C:\Program Files\Microsoft IntelliType Pro\itype.exe
C:\PROGRA~1\AVG\AVG8\avgtray.exe
C:\Program Files\SlySoft\AnyDVD\_AnyDVDtray.exe
C:\Program Files\eBoostr\eBoostrCP.exe
C:\Program Files\AVG\AVG8\avgcsrvx.exe
C:\WINDOWS\explorer.exe
C:\WINDOWS\system32\notepad.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Program Files\AVG\AVG8\avgssie.dll
O2 - BHO: Java™ Plug-In SSV Helper - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre6\bin\ssv.dll
O2 - BHO: Adobe PDF Conversion Toolbar Helper - {AE7CD045-E861-484f-8273-0445EE161910} - C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll
O2 - BHO: Java™ Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [Alcohol.exe Autorun] C:\Program Files\Alcohol Soft\Alcohol 120\Alcohol.exe /startup
O4 - HKLM\..\Run: [IntelliPoint] "C:\Program Files\Microsoft IntelliPoint\ipoint.exe"
O4 - HKLM\..\Run: [itype] "C:\Program Files\Microsoft IntelliType Pro\itype.exe"
O4 - HKLM\..\Run: [AVG8_TRAY] C:\PROGRA~1\AVG\AVG8\avgtray.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKCU\..\Run: [AnyDVD] C:\Program Files\SlySoft\AnyDVD\AnyDVDtray.exe
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: eBoostr Control Panel.lnk = C:\Program Files\eBoostr\eBoostrCP.exe
O8 - Extra context menu item: Convert link target to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert link target to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert selected links to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
O8 - Extra context menu item: Convert selected links to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
O8 - Extra context menu item: Convert selection to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert selection to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {1E54D648-B804-468d-BC78-4AFFED8E262E} (System Requirements Lab) - http://www.nvidia.com/content/DriverDownlo.../sysreqlab3.cab
O16 - DPF: {215B8138-A3CF-44C5-803F-8226143CFC0A} (Trend Micro ActiveX Scan Agent 6.6) - http://housecall65.trendmicro.com/housecal...ivex/hcImpl.cab
O16 - DPF: {4871A87A-BFDD-4106-8153-FFDE2BAC2967} (DLM Control) - http://dlm.tools.akamai.com/dlmanager/vers...vex-2.2.4.2.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/windowsupd...b?1224829675237
O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files\AVG\AVG8\avgpp.dll
O20 - Winlogon Notify: avgrsstarter - C:\WINDOWS\SYSTEM32\avgrsstx.dll
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: AVG Free8 E-mail Scanner (avg8emc) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgemc.exe
O23 - Service: AVG Free8 WatchDog (avg8wd) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
O23 - Service: eBoostr Service (EBOOSTRSVC) - Unknown owner - C:\Program Files\eBoostr\EBstrSvc.exe
O23 - Service: Folder Size (FolderSize) - Brio - C:\Program Files\FolderSize\FolderSizeSvc.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: Synergy Server - Unknown owner - C:\Program Files\Synergy\synergys.exe

--
End of file - 7354 bytes

Thank you :thumbup2:

Edited by Thormix, 26 March 2009 - 12:39 AM.
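As an added example (not part of the original thread, and not HijackThis's own code), here is a small Python triage script that parses lines in the HijackThis v2 log format shown above and lists the entries a helper usually asks about first: O23 services with no recorded publisher and O4 autoruns that use a bare file name instead of a full path. The sample lines are constructed from the shape of the log above; the regexes and the two review rules are my assumptions, not HijackThis's logic.

```python
import re
from collections import Counter

# Constructed sample in HijackThis v2 log format: "<kind> - <body>", where the
# kind is an R/F/O code followed by a number, as in the log posted above.
SAMPLE_LOG = r"""
O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Program Files\AVG\AVG8\avgssie.dll
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [AVG8_TRAY] C:\PROGRA~1\AVG\AVG8\avgtray.exe
O23 - Service: eBoostr Service (EBOOSTRSVC) - Unknown owner - C:\Program Files\eBoostr\EBstrSvc.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: Synergy Server - Unknown owner - C:\Program Files\Synergy\synergys.exe
"""

ENTRY_RE = re.compile(r"^(?P<kind>[RFO]\d{1,2}) - (?P<body>.+)$")
# O4 entries look like "[name] command". A command given as a bare file name
# (no drive letter) depends on the PATH search order, so it deserves a look.
RUN_RE = re.compile(r"\[(?P<name>[^\]]+)\]\s+(?P<cmd>.*)")
FULL_PATH_RE = re.compile(r"^[A-Za-z]:\\")

def parse_hjt(text):
    """Yield (kind, body) tuples for every well-formed HijackThis entry."""
    for line in text.splitlines():
        m = ENTRY_RE.match(line.strip())
        if m:
            yield m.group("kind"), m.group("body")

def review_items(text):
    """Return (kind, reason, body) for entries worth a human look (assumed rules)."""
    flagged = []
    for kind, body in parse_hjt(text):
        if kind == "O23" and "Unknown owner" in body:
            flagged.append((kind, "service has no publisher recorded", body))
        elif kind == "O4":
            m = RUN_RE.search(body)
            cmd = m.group("cmd").strip().strip('"') if m else ""
            if cmd and not FULL_PATH_RE.match(cmd):
                flagged.append((kind, "autorun uses a bare file name, not a full path", body))
    return flagged

def count_by_kind(text):
    """Summary of how many entries of each kind the log contains."""
    return Counter(kind for kind, _ in parse_hjt(text))

if __name__ == "__main__":
    print(dict(count_by_kind(SAMPLE_LOG)))
    for kind, reason, body in review_items(SAMPLE_LOG):
        print(f"{kind}: {reason}\n    {body}")
```

A flagged entry is a prompt to verify the file and its publisher, not a verdict; the two "Unknown owner" services in the thread were judged fine by the helper.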


#4 teacup61

teacup61

    Bleepin' Texan!


  • Malware Response Team
  • 17,075 posts
  • OFFLINE
  • Gender:Female
  • Location:Wills Point, Texas
  • Local time:06:30 AM

Posted 26 March 2009 - 12:42 AM

You're welcome. :step4:

That looks 3.79 tons better. :thumbup2: :) How is it running please?

tea
Please make a donation so I can keep helping people just like you.
Every little bit helps! :)
You can even use your credit card! Thank you!

Error reading poptart in Drive A: Delete kids y/n?

#5 Thormix

Thormix
  • Topic Starter

  • Members
  • 5 posts
  • OFFLINE
  • Local time:04:30 AM

Posted 26 March 2009 - 12:55 AM

So far it seems much, much better. No pop ups as of writing this.
I would say that whatever ComboFix.exe program did, it did a great job!

Are there any other items that need to be removed/fixed via HijackThis?
Lastly, how can I prevent this from happening again in the future? I thought I was protected with a current Anti-Virus and up to date defs and I still got this "nasty case of Vundo" errr

Thank you big time for your help. Those pop ups can drive a person crazy. lol :thumbup2:

#6 teacup61

teacup61

    Bleepin' Texan!


  • Malware Response Team
  • 17,075 posts
  • OFFLINE
  • Gender:Female
  • Location:Wills Point, Texas
  • Local time:06:30 AM

Posted 26 March 2009 - 01:03 AM

Excellent. :thumbup2: You're most welcome for the help. :step1:

HijackThis looks good, and so does ComboFix. Please delete ComboFix and its accompanying folder C:\Qoobox. Empty your Recycle bin and reboot your computer.

Update your Adobe, and make sure ALL old versions of Java are uninstalled. Vundo exploits the old Java, and for whatever reason, Java does not uninstall the old versions when the new ones are put in. :) If you have several old versions you'll also be freeing up as much as a gig of space. :step4:

This is what I tell everyone:

If there are no further problems:

Below I have included a number of recommendations on how to protect your computer in order to prevent future malware infections. Please take these recommendations seriously! These few simple steps can stave off the vast majority of spyware problems.

Regularly go to http://windowsupdate.microsoft.com and download all the "critical updates" for Windows, including the latest version of Internet Explorer. This can patch many of the security holes through which attackers can gain access to your computer. You should also turn on the Windows automatic update feature.

You should definitely maintain a firewall. Some good free firewalls are Kerio or Outpost. I use Comodo on my own system and really like it. http://comodo.com
A tutorial on understanding and using firewalls may be found here.

In order to protect yourself against spyware, you should consider installing and running the following free programs:

SpywareBlaster
A tutorial on using SpywareBlaster to prevent spyware from ever installing on your computer may be found here.

SpywareGuard
A tutorial on using SpywareGuard for realtime protection against spyware and hijackers may be found here.

Spybot-Search & Destroy
A tutorial on using Spybot to remove spyware from your computer may be found here. Please also remember to enable Spybot's "Immunize" and "TeaTimer" features.

Make sure to keep these programs up-to-date and to run them regularly, as this can prevent a great deal of spyware hassle.

* Avoid illegal sites, because that's where most malware is present.
* Don't click on links inside popups.
* Don't click on links in spam messages claiming to offer anti-spyware software, because most of these so-called removers ARE spyware.
* Download free software only from sites you know and trust. A lot of free software can bundle other software, including spyware.

Please make sure to run your antivirus software regularly, and to keep it up-to-date.

Please also read Tony Klein's excellent article: How I got Infected in the First Place

Take care!
tea

#7 Thormix

Thormix
  • Topic Starter

  • Members
  • 5 posts
  • OFFLINE
  • Local time:04:30 AM

Posted 26 March 2009 - 02:19 AM

Thank you again. You are a life saver!!

#8 teacup61

teacup61

    Bleepin' Texan!


  • Malware Response Team
  • 17,075 posts
  • OFFLINE
  • Gender:Female
  • Location:Wills Point, Texas
  • Local time:06:30 AM

Posted 28 March 2009 - 12:02 PM

Since this issue appears resolved ... this Topic is closed.

If you need this topic reopened, please request this by sending the moderating team a PM with the address of the thread. This applies only to the original topic starter.

Everyone else please begin a New Topic.