
Vundo!grb Trojan removal help.


  • This topic is locked
10 replies to this topic

#1 jetsetred

jetsetred

  • Members
  • 6 posts
  • OFFLINE
  • Local time:02:13 AM

Posted 04 April 2009 - 08:55 PM

Hello
Every time I restart my computer McAfee says it has blocked the Vundo!grb trojan. But I still get a ton of random pop-ups and don't know how to remove the malware. Here are the DDS files.

DDS (Ver_09-03-16.01) - NTFSx86
Run by Ryan Bornhoft at 19:42:25.29 on Sat 04/04/2009
Internet Explorer: 8.0.6001.18372
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.1022.206 [GMT -6:00]

AV: McAfee VirusScan *On-access scanning enabled* (Updated)
FW: McAfee Personal Firewall *enabled*

============== Running Processes ===============

C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
svchost.exe
svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\WINDOWS\eHome\ehRecvr.exe
C:\WINDOWS\eHome\ehSched.exe
C:\Program Files\Intel\Intel Matrix Storage Manager\iaantmon.exe
C:\Program Files\McAfee\MBK\MBackMonitor.exe
C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
c:\PROGRA~1\COMMON~1\mcafee\mna\mcnasvc.exe
c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe
C:\Program Files\McAfee\MPF\MPFSrv.exe
svchost.exe
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\WINDOWS\system32\SearchIndexer.exe
C:\WINDOWS\system32\dllhost.exe
C:\WINDOWS\System32\svchost.exe -k HTTPFilter
C:\WINDOWS\system32\dlcccoms.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe
c:\PROGRA~1\mcafee.com\agent\mcagent.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\ehome\ehtray.exe
C:\WINDOWS\stsystra.exe
C:\Program Files\Intel\Intel Matrix Storage Manager\iaanotif.exe
C:\Program Files\Dell\Media Experience\DMXLauncher.exe
C:\Program Files\Real\RealPlayer\RealPlay.exe
C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe
C:\WINDOWS\System32\DLA\DLACTRLW.EXE
C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe
C:\Program Files\Google\Google Desktop Search\GoogleDesktopIndex.exe
C:\Program Files\Dell Photo AIO Printer 924\dlccmon.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\McAfee\MBK\McAfeeDataBackup.exe
C:\Documents and Settings\Ryan Bornhoft\Local Settings\Application Data\Google\Update\GoogleUpdate.exe
C:\WINDOWS\eHome\ehmsas.exe
C:\Program Files\Digital Line Detect\DLG.exe
C:\Program Files\Windows Desktop Search\WindowsSearch.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\system32\SearchProtocolHost.exe
C:\Documents and Settings\Ryan Bornhoft\Desktop\dds.scr

============== Pseudo HJT Report ===============

uStart Page = hxxp://www.google.com/
uSearch Page = hxxp://www.google.com/hws/sb/dell/en/side.html?hl=en&client=dell
uSearch Bar = hxxp://www.google.com/hws/sb/dell/en/side.html?hl=en&client=dell
uDefault_Page_URL = hxxp://www.google.com/ig/dell?hl=en&client=dell
uInternet Settings,ProxyOverride = *.local
mSearchAssistant = hxxp://www.google.com/hws/sb/dell/en/side.html?hl=en&client=dell
BHO: AcroIEHlprObj Class: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\adobe\acrobat 6.0\reader\activex\AcroIEHelper.dll
BHO: DriveLetterAccess: {5ca3d70e-1895-11cf-8e15-001234567890} - c:\windows\system32\dla\DLASHX_W.DLL
BHO: {66195ea2-2af8-4853-a8a0-f0485bf39815} - c:\windows\system32\pogepehe.dll
BHO: scriptproxy: {7db2d5a0-7241-4e79-b68d-6309f01c5231} - c:\program files\mcafee\virusscan\scriptsn.dll
BHO: Google Toolbar Helper: {aa58ed58-01dd-4d91-8333-cf10577473f7} - c:\program files\google\googletoolbar1.dll
BHO: CBrowserHelperObject Object: {ca6319c0-31b7-401e-a518-a07c3db8f777} - c:\program files\googleafe\GoogleAE.dll
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
TB: &Google: {2318c2b1-4965-11d4-9b18-009027a5cd4f} - c:\program files\google\googletoolbar1.dll
EB: Real.com: {fe54fa40-d68c-11d2-98fa-00c0f0318afe} - c:\windows\system32\Shdocvw.dll
uRun: [Google Update] "c:\documents and settings\ryan bornhoft\local settings\application data\google\update\GoogleUpdate.exe" /c
mRun: [ehTray] c:\windows\ehome\ehtray.exe
mRun: [SigmatelSysTrayApp] stsystra.exe
mRun: [IAAnotif] c:\program files\intel\intel matrix storage manager\iaanotif.exe
mRun: [ATIPTA] "c:\program files\ati technologies\ati control panel\atiptaxx.exe"
mRun: [DMXLauncher] c:\program files\dell\media experience\DMXLauncher.exe
mRun: [RealTray] c:\program files\real\realplayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER
mRun: [QuickTime Task] "c:\program files\quicktime\QTTask.exe" -atboottime
mRun: [ISUSPM Startup] "c:\program files\common files\installshield\updateservice\isuspm.exe" -startup
mRun: [ISUSScheduler] "c:\program files\common files\installshield\updateservice\issch.exe" -start
mRun: [DLA] c:\windows\system32\dla\DLACTRLW.EXE
mRun: [Google Desktop Search] "c:\program files\google\google desktop search\GoogleDesktop.exe" /startup
mRun: [mcagent_exe] c:\program files\mcafee.com\agent\mcagent.exe /runkey
mRun: [DLCCCATS] rundll32 c:\windows\system32\spool\drivers\w32x86\3\DLCCtime.dll,_RunDLLEntry@16
mRun: [dlccmon.exe] "c:\program files\dell photo aio printer 924\dlccmon.exe"
mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe"
mRun: [wekahemoyi] Rundll32.exe "c:\windows\system32\jetebusu.dll",s
mRun: [64cc4ad8] rundll32.exe "c:\windows\system32\nijufuvu.dll",b
mRun: [CPM67ff7944] Rundll32.exe "c:\windows\system32\sekisahi.dll",a
mRun: [McAfee Backup] c:\program files\mcafee\mbk\McAfeeDataBackup.exe
mRun: [MBkLogOnHook] c:\program files\mcafee\mbk\LogOnHook.exe
mRun: [SunJavaUpdateSched] "c:\program files\java\jre6\bin\jusched.exe"
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\digita~1.lnk - c:\program files\digital line detect\DLG.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\window~1.lnk - c:\program files\windows desktop search\WindowsSearch.exe
IE: &Google Search - c:\program files\google\GoogleToolbar1.dll/cmsearch.html
IE: &Translate English Word - c:\program files\google\GoogleToolbar1.dll/cmwordtrans.html
IE: Backward Links - c:\program files\google\GoogleToolbar1.dll/cmbacklinks.html
IE: Cached Snapshot of Page - c:\program files\google\GoogleToolbar1.dll/cmcache.html
IE: Similar Pages - c:\program files\google\GoogleToolbar1.dll/cmsimilar.html
IE: Translate Page into English - c:\program files\google\GoogleToolbar1.dll/cmtrans.html
IE: {3AD14F0C-ED16-4e43-B6D8-661B03F6A1EF} - c:\program files\pokerstars\PokerStarsUpdate.exe
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - {FE54FA40-D68C-11d2-98FA-00C0F0318AFE} - c:\windows\system32\Shdocvw.dll
DPF: {5ED80217-570B-4DA9-BF44-BE107C0EC166} - hxxp://cdn.scan.onecare.live.com/resource/download/scanner/wlscbase5483.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_13-windows-i586.cab
DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} - hxxp://fpdownload.macromedia.com/get/flashplayer/current/polarbear/ultrashim.cab
DPF: {CAFEEFAC-0014-0002-0003-ABCDEFFEDCBA} - hxxp://java.sun.com/products/plugin/autodl/jinstall-142-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0013-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_13-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_13-windows-i586.cab
AppInit_DLLs: c:\progra~1\google\google~1\goec62~1.dll c:\windows\system32\juletetu.dll c:\windows\system32\kabahigo.dll c:\windows\system32\sekisahi.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
SSODL: SSODL - {EC43E3FD-5C60-46a6-97D7-E0B85DBDD6C4} - c:\windows\system32\sekisahi.dll
STS: STS: {ec43e3fd-5c60-46a6-97d7-e0b85dbdd6c4} - c:\windows\system32\sekisahi.dll
SEH: Windows Desktop Search Namespace Manager: {56f9679e-7826-4c84-81f3-532071a8bcc5} - c:\program files\windows desktop search\MSNLNamespaceMgr.dll
LSA: Notification Packages = scecli c:\windows\system32\kabahigo.dll

============= SERVICES / DRIVERS ===============

R1 mfehidk;McAfee Inc. mfehidk;c:\windows\system32\drivers\mfehidk.sys [2009-3-8 201320]
R2 McProxy;McAfee Proxy Service;c:\progra~1\common~1\mcafee\mcproxy\mcproxy.exe [2009-3-8 359248]
R2 McrdSvc;Media Center Extender Service;c:\windows\ehome\mcrdsvc.exe [2005-8-5 99328]
R2 McShield;McAfee Real-time Scanner;c:\progra~1\mcafee\viruss~1\mcshield.exe [2009-3-8 144704]
R3 McSysmon;McAfee SystemGuards;c:\progra~1\mcafee\viruss~1\mcsysmon.exe [2009-3-8 695624]
R3 mfeavfk;McAfee Inc. mfeavfk;c:\windows\system32\drivers\mfeavfk.sys [2009-3-8 79304]
R3 mfebopk;McAfee Inc. mfebopk;c:\windows\system32\drivers\mfebopk.sys [2009-3-8 35240]
R3 mfesmfk;McAfee Inc. mfesmfk;c:\windows\system32\drivers\mfesmfk.sys [2009-3-8 40488]
S3 mferkdk;McAfee Inc. mferkdk;c:\windows\system32\drivers\mferkdk.sys [2009-3-8 33832]

=============== Created Last 30 ================

2009-04-04 16:59 <DIR> --d----- C:\VundoFix Backups
2009-04-03 17:11 1,890 a--sh--- c:\windows\system32\KGyGaAvL.sys
2009-04-03 17:11 56 ---shr-- c:\windows\system32\CE68745019.sys
2009-04-03 12:15 <DIR> --d----- c:\docume~1\ryanbo~1\applic~1\McAfee
2009-03-15 10:19 <DIR> --d----- c:\program files\PokerStars
2009-03-14 08:24 <DIR> --d----- c:\program files\iPod
2009-03-14 08:24 <DIR> --d----- c:\program files\iTunes
2009-03-14 08:24 <DIR> --d----- c:\docume~1\alluse~1\applic~1\{00D89592-F643-4D8D-8F0F-AFAE0F14D4C3}
2009-03-13 16:11 <DIR> --d----- c:\docume~1\alluse~1\applic~1\Knowledge Adventure
2009-03-13 16:10 101 a------- c:\windows\ka.ini
2009-03-13 16:09 <DIR> --d----- c:\program files\JumpStart World
2009-03-13 16:09 <DIR> --d----- c:\program files\common files\Knowledge Adventure
2009-03-13 12:34 <DIR> --d----- c:\program files\Abbyy FineReader 6.0 Sprint
2009-03-13 12:34 10,235 a------- c:\windows\system32\LexFiles.ulf
2009-03-13 12:34 <DIR> --d----- c:\program files\Dl_cats
2009-03-13 12:33 25,856 a------- c:\windows\system32\drivers\usbprint.sys
2009-03-13 12:33 25,856 a------- c:\windows\system32\dllcache\usbprint.sys
2009-03-13 12:33 <DIR> --d----- c:\program files\Dell Photo AIO Printer 924
2009-03-13 12:33 15,104 a------- c:\windows\system32\drivers\usbscan.sys
2009-03-13 12:33 15,104 a------- c:\windows\system32\dllcache\usbscan.sys
2009-03-13 12:33 87,040 a------- c:\windows\system32\wiafbdrv.dll
2009-03-13 12:33 87,040 a------- c:\windows\system32\dllcache\wiafbdrv.dll
2009-03-13 12:33 32,128 a------- c:\windows\system32\drivers\usbccgp.sys
2009-03-13 12:33 32,128 a------- c:\windows\system32\dllcache\usbccgp.sys
2009-03-13 12:31 410,984 a------- c:\windows\system32\deploytk.dll
2009-03-13 12:31 73,728 a------- c:\windows\system32\javacpl.cpl
2009-03-11 09:16 <DIR> --d----- c:\program files\Bonjour
2009-03-08 21:27 1,089,593 -------- c:\windows\system32\dllcache\ntprint.cat
2009-03-08 18:14 12,389 a------- c:\windows\system32\Config.MPF
2009-03-08 18:14 143,360 a------- c:\windows\system32\dunzip32.dll
2009-03-08 18:11 33,832 a------- c:\windows\system32\drivers\mferkdk.sys
2009-03-08 18:11 201,320 a------- c:\windows\system32\drivers\mfehidk.sys
2009-03-08 18:11 79,304 a------- c:\windows\system32\drivers\mfeavfk.sys
2009-03-08 18:11 40,488 a------- c:\windows\system32\drivers\mfesmfk.sys
2009-03-08 18:11 35,240 a------- c:\windows\system32\drivers\mfebopk.sys
2009-03-08 18:11 113,952 a------- c:\windows\system32\drivers\Mpfp.sys
2009-03-08 18:11 <DIR> --d----- c:\program files\McAfee.com
2009-03-08 18:11 <DIR> --d----- c:\program files\common files\McAfee
2009-03-08 18:11 <DIR> --d----- c:\program files\McAfee
2009-03-08 17:15 <DIR> --d----- c:\program files\Marvell
2009-03-07 23:18 664 a------- c:\windows\system32\d3d9caps.dat
2009-03-07 22:52 4,128 a------- C:\INFCACHE.1
2009-03-07 22:40 <DIR> --d----- c:\program files\Audacity
2009-03-07 22:28 <DIR> --d----- c:\windows\system32\XPSViewer
2009-03-07 22:28 <DIR> --d----- C:\cc7fb08fd029f4cb4408e2a994
2009-03-07 22:28 1,676,288 -------- c:\windows\system32\xpssvcs.dll
2009-03-07 22:28 1,676,288 -------- c:\windows\system32\dllcache\xpssvcs.dll
2009-03-07 22:28 597,504 -------- c:\windows\system32\dllcache\printfilterpipelinesvc.exe
2009-03-07 22:28 575,488 -------- c:\windows\system32\xpsshhdr.dll
2009-03-07 22:28 575,488 -------- c:\windows\system32\dllcache\xpsshhdr.dll
2009-03-07 22:28 117,760 -------- c:\windows\system32\prntvpt.dll
2009-03-07 22:28 89,088 -------- c:\windows\system32\dllcache\filterpipelineprintproc.dll
2009-03-07 22:25 <DIR> --d----- c:\docume~1\ryanbo~1\applic~1\Windows Search
2009-03-07 22:25 <DIR> --d----- c:\docume~1\ryanbo~1\applic~1\Windows Desktop Search
2009-03-07 22:25 <DIR> --d----- c:\windows\system32\GroupPolicy
2009-03-07 22:25 <DIR> --d----- c:\program files\Windows Desktop Search
2009-03-07 22:24 <DIR> --d----- c:\program files\Windows Media Connect 2
2009-03-07 22:23 <DIR> --d----- C:\8d3f72bfe10a3a1fea526421a918
2009-03-07 22:23 <DIR> --d----- C:\0d22e18e1b562e6ae63984b288f5
2009-03-07 22:02 107,368 a------- c:\windows\system32\GEARAspi.dll
2009-03-07 22:02 23,848 a------- c:\windows\system32\drivers\GEARAspiWDM.sys
2009-03-07 21:54 <DIR> --d----- c:\program files\MSXML 4.0
2009-03-07 21:43 <DIR> --dsh--- c:\documents and settings\ryan bornhoft\IECompatCache
2009-03-07 21:43 <DIR> --dsh--- c:\documents and settings\ryan bornhoft\PrivacIE
2009-03-07 21:43 <DIR> --dsh--- c:\documents and settings\ryan bornhoft\IETldCache
2009-03-07 21:40 <DIR> --d----- c:\windows\system32\LogFiles
2009-03-07 21:38 <DIR> --d----- c:\windows\ie8updates
2009-03-07 21:37 <DIR> -cd-h--- c:\windows\ie8
2009-03-07 21:36 272,128 -------- c:\windows\system32\dllcache\bthport.sys
2009-03-07 21:35 1,846,784 -------- c:\windows\system32\dllcache\win32k.sys
2009-03-07 21:35 79,360 -------- c:\windows\system32\dllcache\iecompat.dll
2009-03-07 21:35 2,145,280 -------- c:\windows\system32\dllcache\ntkrnlmp.exe
2009-03-07 21:35 2,189,184 -------- c:\windows\system32\dllcache\ntoskrnl.exe
2009-03-07 21:35 2,023,936 -------- c:\windows\system32\dllcache\ntkrpamp.exe
2009-03-07 21:35 2,066,048 -------- c:\windows\system32\dllcache\ntkrnlpa.exe
2009-03-07 21:33 203,136 -------- c:\windows\system32\dllcache\rmcast.sys
2009-03-07 21:33 455,296 -------- c:\windows\system32\dllcache\mrxsmb.sys
2009-03-07 21:33 333,952 -------- c:\windows\system32\dllcache\srv.sys
2009-03-07 21:33 331,776 -------- c:\windows\system32\dllcache\msadce.dll
2009-03-07 21:33 691,712 -------- c:\windows\system32\dllcache\inetcomm.dll
2009-03-07 21:33 247,326 -------- c:\windows\system32\dllcache\strmdll.dll
2009-03-07 21:33 337,408 -------- c:\windows\system32\dllcache\netapi32.dll
2009-03-07 21:33 1,106,944 -------- c:\windows\system32\dllcache\msxml3.dll
2009-03-07 21:26 <DIR> --d----- c:\windows\system32\scripting
2009-03-07 21:26 <DIR> --d----- c:\windows\system32\en
2009-03-07 21:26 <DIR> --d----- c:\windows\system32\bits
2009-03-07 21:26 <DIR> --d----- c:\windows\l2schemas
2009-03-07 21:25 <DIR> --d----- c:\windows\ServicePackFiles
2009-03-07 21:24 <DIR> --d----- c:\windows\network diagnostic
2009-03-07 21:13 <DIR> --d----- c:\windows\system32\PreInstall
2009-03-07 21:12 <DIR> --dsh--- c:\documents and settings\ryan bornhoft\UserData
2009-03-07 21:10 <DIR> --d----- c:\windows\system32\SoftwareDistribution
2009-03-07 19:55 <DIR> --d----- c:\windows\system32\appmgmt
2009-03-07 19:53 2 a------- c:\windows\msoffice.ini
2009-03-07 19:50 <DIR> --d----- c:\documents and settings\Ryan Bornhoft
2009-03-07 19:46 8,192 a------- c:\windows\REGLOCS.OLD
2009-03-07 19:46 14,592 a------- c:\windows\system32\drivers\kbdhid.sys
2009-03-07 19:46 12,160 a------- c:\windows\system32\drivers\mouhid.sys
2009-03-07 19:46 10,368 a------- c:\windows\system32\drivers\hidusb.sys

==================== Find3M ====================

2009-04-04 19:16 61,440 a--sh--- c:\windows\system32\bulikuyi.exe
2009-04-04 07:16 61,440 a--sh--- c:\windows\system32\yozuzejo.exe
2009-04-03 19:16 61,440 a--sh--- c:\windows\system32\guyewijo.exe
2009-04-03 07:16 87,552 a--sh--- c:\windows\system32\sekisahi.dll
2009-04-03 07:16 79,872 a--sh--- c:\windows\system32\nijufuvu.dll
2009-04-03 07:16 61,440 a--sh--- c:\windows\system32\wuvotifa.exe
2009-04-02 09:13 49,152 a--sh--- c:\windows\system32\herutoho.dll
2009-03-31 08:08 50,688 a--sh--- c:\windows\system32\vonibusa.dll
2009-03-08 17:12 265,984 a------- c:\windows\system32\drivers\MRV8335XP.sys
2009-03-07 21:28 88,983 a------- c:\windows\pchealth\helpctr\offlinecache\index.dat
2009-02-09 05:13 1,846,784 a------- c:\windows\system32\win32k.sys
2009-01-15 03:17 636,264 -------- c:\windows\system32\dllcache\iexplore.exe
2009-01-15 03:17 392,040 -------- c:\windows\system32\dllcache\iedkcs32.dll
2009-01-15 03:13 5,888,512 -------- c:\windows\system32\dllcache\mshtml.dll
2009-01-15 03:06 1,182,720 -------- c:\windows\system32\dllcache\urlmon.dll
2009-01-15 03:06 236,544 -------- c:\windows\system32\dllcache\webcheck.dll
2009-01-15 03:06 105,984 -------- c:\windows\system32\dllcache\url.dll
2009-01-15 03:05 911,872 a------- c:\windows\system32\wininet.dll
2009-01-15 03:05 911,872 -------- c:\windows\system32\dllcache\wininet.dll
2009-01-15 03:05 43,008 a------- c:\windows\system32\licmgr10.dll
2009-01-15 03:05 193,536 -------- c:\windows\system32\dllcache\msrating.dll
2009-01-15 03:05 109,056 -------- c:\windows\system32\dllcache\occache.dll
2009-01-15 03:05 43,008 -------- c:\windows\system32\dllcache\licmgr10.dll
2009-01-15 03:04 755,200 -------- c:\windows\system32\dllcache\VGX.dll
2009-01-15 03:04 18,944 a------- c:\windows\system32\corpol.dll
2009-01-15 03:04 18,944 -------- c:\windows\system32\dllcache\corpol.dll
2009-01-15 03:04 25,600 -------- c:\windows\system32\dllcache\jsproxy.dll
2009-01-15 03:02 611,840 -------- c:\windows\system32\dllcache\mstime.dll
2009-01-15 03:01 183,808 -------- c:\windows\system32\dllcache\iepeers.dll
2009-01-15 03:01 34,304 a------- c:\windows\system32\imgutil.dll
2009-01-15 03:01 34,304 -------- c:\windows\system32\dllcache\imgutil.dll
2009-01-15 03:01 348,160 -------- c:\windows\system32\dllcache\dxtmsft.dll
2009-01-15 03:01 46,592 -------- c:\windows\system32\dllcache\pngfilt.dll
2009-01-15 03:01 216,064 -------- c:\windows\system32\dllcache\dxtrans.dll
2009-01-15 03:01 66,560 -------- c:\windows\system32\dllcache\mshtmled.dll
2009-01-15 03:00 48,128 a------- c:\windows\system32\mshtmler.dll
2009-01-15 03:00 48,128 -------- c:\windows\system32\dllcache\mshtmler.dll
2009-01-15 03:00 45,568 a------- c:\windows\system32\mshta.exe
2009-01-15 03:00 45,568 -------- c:\windows\system32\dllcache\mshta.exe
2009-01-15 02:53 68,608 -------- c:\windows\system32\dllcache\hmmapi.dll
2009-01-15 02:50 156,160 a------- c:\windows\system32\msls31.dll
2009-01-15 02:50 156,160 -------- c:\windows\system32\dllcache\msls31.dll
2009-01-02 21:46 61,440 a--sh--- c:\windows\system32\hebazike.exe
2009-01-02 21:46 87,552 a--sh--- c:\windows\system32\hokowoya.dll
2009-01-02 09:13 49,152 a--sh--- c:\windows\system32\jetebusu.dll
2009-01-02 09:13 49,152 a--sh--- c:\windows\system32\kabahigo.dll
2009-01-02 21:46 76,800 a--sh--- c:\windows\system32\lotakine.dll
2009-01-02 09:13 49,152 a--sh--- c:\windows\system32\pogepehe.dll

============= FINISH: 19:43:20.71 ===============

#2 jetsetred

jetsetred
  • Topic Starter

  • Members
  • 6 posts
  • OFFLINE
  • Local time:02:13 AM

Posted 04 April 2009 - 09:31 PM

After reading and searching other posts I have also run Malwarebytes' Anti-Malware and have run a report. Here is that report.

Malwarebytes' Anti-Malware 1.35
Database version: 1940
Windows 5.1.2600 Service Pack 3

4/4/2009 8:24:31 PM
mbam-log-2009-04-04 (20-24-31).txt

Scan type: Quick Scan
Objects scanned: 83713
Time elapsed: 5 minute(s), 39 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 5
Registry Keys Infected: 7
Registry Values Infected: 5
Registry Data Items Infected: 8
Folders Infected: 0
Files Infected: 13

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
C:\WINDOWS\system32\nijufuvu.dll (Trojan.Vundo.H) -> Delete on reboot.
C:\WINDOWS\system32\pogepehe.dll (Trojan.Vundo.H) -> Delete on reboot.
C:\WINDOWS\system32\jetebusu.dll (Trojan.Vundo.H) -> Delete on reboot.
C:\WINDOWS\system32\kabahigo.dll (Trojan.Vundo.H) -> Delete on reboot.
c:\WINDOWS\system32\sekisahi.dll (Trojan.Vundo.H) -> Delete on reboot.

Registry Keys Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{66195ea2-2af8-4853-a8a0-f0485bf39815} (Trojan.Vundo.H) -> Delete on reboot.
HKEY_CLASSES_ROOT\CLSID\{66195ea2-2af8-4853-a8a0-f0485bf39815} (Trojan.Vundo.H) -> Delete on reboot.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{66195ea2-2af8-4853-a8a0-f0485bf39815} (Trojan.Vundo.H) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{ec43e3fd-5c60-46a6-97d7-e0b85dbdd6c4} (Trojan.Vundo.H) -> Delete on reboot.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\contim (Trojan.Vundo) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\dslcnnct (Trojan.Vundo) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\rdfa (Trojan.Vundo) -> Quarantined and deleted successfully.

Registry Values Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\wekahemoyi (Trojan.Vundo.H) -> Delete on reboot.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\64cc4ad8 (Trojan.Vundo.H) -> Delete on reboot.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\cpm67ff7944 (Trojan.Vundo.H) -> Delete on reboot.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SharedTaskScheduler\{ec43e3fd-5c60-46a6-97d7-e0b85dbdd6c4} (Trojan.Vundo.H) -> Delete on reboot.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\ssodl (Trojan.Vundo.H) -> Delete on reboot.

Registry Data Items Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\AppInit_DLLs (Trojan.Vundo.H) -> Data: c:\windows\system32\kabahigo.dll -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\LSA\Notification Packages (Trojan.Vundo.H) -> Data: c:\windows\system32\kabahigo.dll -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\AppInit_DLLs (Trojan.Vundo.H) -> Data: system32\kabahigo.dll -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\AppInit_DLLs (Trojan.Vundo.H) -> Data: c:\windows\system32\sekisahi.dll -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\AppInit_DLLs (Trojan.Vundo.H) -> Data: system32\sekisahi.dll -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\AntiVirusDisableNotify (Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\FirewallDisableNotify (Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\UpdatesDisableNotify (Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.

Folders Infected:
(No malicious items detected)

Files Infected:
C:\WINDOWS\system32\jetebusu.dll (Trojan.Vundo.H) -> Delete on reboot.
C:\WINDOWS\system32\nijufuvu.dll (Trojan.Vundo.H) -> Delete on reboot.
c:\WINDOWS\system32\sekisahi.dll (Trojan.Vundo.H) -> Delete on reboot.
C:\WINDOWS\system32\pogepehe.dll (Trojan.Vundo.H) -> Delete on reboot.
C:\WINDOWS\system32\kabahigo.dll (Trojan.Vundo.H) -> Delete on reboot.
C:\WINDOWS\system32\hebazike.exe (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\herutoho.dll (Trojan.Vundo.H) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\hokowoya.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\lotakine.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\bulikuyi.exe (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\wuvotifa.exe (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\yozuzejo.exe (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\guyewijo.exe (Trojan.Vundo) -> Quarantined and deleted successfully.

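The two logs above point at the same thing from different angles: the DDS Pseudo HJT section in post #1 shows autostart points (a BHO, Run keys driven through rundll32, AppInit_DLLs, SSODL and the LSA Notification Packages) that load eight-letter-named DLLs from system32, the Find3M section lists those same files with hidden and system attributes, and the MBAM log in post #2 names five of them as Trojan.Vundo.H. As an added example that is not part of this thread and not code from DDS, Malwarebytes or ComboFix, the following Python script runs that triage over lines copied from the DDS log. The eight-letter-name heuristic and the hidden+system check are assumptions chosen to fit this log, not a general malware detector.

```python
"""Triage helper for the DDS 'Pseudo HJT Report' and 'Find3M' sections.

Added example: not part of the forum thread and not code from DDS,
Malwarebytes or ComboFix. The eight-letter-name heuristic and the
hidden+system attribute check are assumptions that match how the Vundo
files in the logs above stand out; they are not a general detector.
"""
import re

# Sample lines copied from the DDS log in post #1 (constructed test input).
SAMPLE_HJT = r"""
BHO: AcroIEHlprObj Class: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\adobe\acrobat 6.0\reader\activex\AcroIEHelper.dll
BHO: {66195ea2-2af8-4853-a8a0-f0485bf39815} - c:\windows\system32\pogepehe.dll
mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe"
mRun: [wekahemoyi] Rundll32.exe "c:\windows\system32\jetebusu.dll",s
mRun: [64cc4ad8] rundll32.exe "c:\windows\system32\nijufuvu.dll",b
AppInit_DLLs: c:\progra~1\google\google~1\goec62~1.dll c:\windows\system32\juletetu.dll c:\windows\system32\kabahigo.dll c:\windows\system32\sekisahi.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
SSODL: SSODL - {EC43E3FD-5C60-46a6-97D7-E0B85DBDD6C4} - c:\windows\system32\sekisahi.dll
LSA: Notification Packages = scecli c:\windows\system32\kabahigo.dll
"""

SAMPLE_FIND3M = r"""
2009-04-03 07:16 87,552 a--sh--- c:\windows\system32\sekisahi.dll
2009-04-03 07:16 79,872 a--sh--- c:\windows\system32\nijufuvu.dll
2009-03-08 17:12 265,984 a------- c:\windows\system32\drivers\MRV8335XP.sys
2009-01-02 09:13 49,152 a--sh--- c:\windows\system32\jetebusu.dll
2009-01-02 09:13 49,152 a--sh--- c:\windows\system32\kabahigo.dll
2009-01-02 09:13 49,152 a--sh--- c:\windows\system32\pogepehe.dll
"""

# A DLL or EXE loaded straight from system32; paths in the log are lower-cased,
# so match case-insensitively.
SYS32_MODULE_RE = re.compile(r"c:\\windows\\system32\\([\w.~-]+\.(?:dll|exe))", re.I)
# Assumed heuristic: the Vundo files in this log are exactly eight lowercase letters.
RANDOM_NAME_RE = re.compile(r"^[a-z]{8}\.(?:dll|exe)$")
# Find3M line layout: date time size attributes path
FIND3M_RE = re.compile(r"^\S+ \S+ [\d,]+ (\S{8}) (.+)$")


def parse_find3m(text):
    """Map each file name (lower-cased) to its DDS attribute string."""
    attrs = {}
    for line in text.splitlines():
        m = FIND3M_RE.match(line.strip())
        if m:
            attrs[m.group(2).rsplit("\\", 1)[-1].lower()] = m.group(1)
    return attrs


def triage(hjt_text, find3m_text):
    """Return (entry_type, file_name, reasons) for each suspicious autostart entry."""
    file_attrs = parse_find3m(find3m_text)
    findings = []
    for line in hjt_text.splitlines():
        line = line.strip()
        if ":" not in line:
            continue
        entry_type = line.split(":", 1)[0]  # BHO, mRun, AppInit_DLLs, SSODL, LSA ...
        for name in SYS32_MODULE_RE.findall(line):
            name = name.lower()
            reasons = []
            if RANDOM_NAME_RE.match(name):
                reasons.append("eight-letter random-looking name")
            attr = file_attrs.get(name, "")
            if "h" in attr and "s" in attr:
                reasons.append("hidden+system attributes in Find3M")
            if not reasons:
                continue  # ordinary entry, e.g. WPDShServiceObj.dll
            if "rundll32" in line.lower():
                reasons.append("loaded through rundll32")  # supporting detail only
            findings.append((entry_type, name, tuple(reasons)))
    return findings


def report(findings):
    """One line per file, listing every autostart location that references it."""
    by_file = {}
    for entry_type, name, reasons in findings:
        slot = by_file.setdefault(name, {"where": [], "reasons": set()})
        slot["where"].append(entry_type)
        slot["reasons"].update(reasons)
    lines = []
    for name in sorted(by_file):
        slot = by_file[name]
        lines.append(f"{name}: {', '.join(slot['where'])} ({'; '.join(sorted(slot['reasons']))})")
    return lines


if __name__ == "__main__":
    for line in report(triage(SAMPLE_HJT, SAMPLE_FIND3M)):
        print(line)
```

Run as-is it prints one line per flagged file with the autostart locations that reference it. The six files it flags are the five DLLs the MBAM log reports as Trojan.Vundo.H plus juletetu.dll, which only the AppInit_DLLs line references and which the Find3M listing does not contain, so that one is flagged on the name heuristic alone; grouping by file also makes visible that kabahigo.dll and sekisahi.dll are each hooked in two places, which is why MBAM has to defer their deletion to a reboot.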
#3 teacup61

teacup61

    Bleepin' Texan!


  • Malware Response Team
  • 17,075 posts
  • OFFLINE
  • Gender:Female
  • Location:Wills Point, Texas
  • Local time:03:13 AM

Posted 04 April 2009 - 09:54 PM

Hello jetsetred,


Please don't run anything else unless I ask you to.

Disable McAfee so this tool will run, please.

This tool is not a toy. If used the wrong way you could trash your computer. Please use only under direction of a Helper. If you decide to do so anyway, please do not blame me or ComboFix.

1. Download this file - combofix.exe
http://download.bleepingcomputer.com/sUBs/ComboFix.exe
http://www.forospyware.com/sUBs/ComboFix.exe
http://subs.geekstogo.com/ComboFix.exe
2. Double click combofix.exe & follow the prompts.
3. When finished, it will produce a log for you. Post that log in your next reply please, along with a new HijackThis log.

Note:
Do not mouseclick combofix's window while it's running. That may cause it to stall.

Please do this:
1. Download HijackThis™ here:
http://www.trendsecure.com/portal/en-US/th.../hijackthis.php

2. Click 'Do a System Scan and Save log'.
The HJT log will open in notepad.

Thanks,
tea
Please make a donation so I can keep helping people just like you.
Every little bit helps! :)
You can even use your credit card! Thank you!



Error reading poptart in Drive A: Delete kids y/n?

#4 jetsetred

jetsetred
  • Topic Starter

  • Members
  • 6 posts
  • OFFLINE
  • Local time:02:13 AM

Posted 05 April 2009 - 11:28 AM

Thank you tea. Here are the ComboFix "log" file and the HijackThis file.

ComboFix 09-04-04.01 - Ryan Bornhoft 2009-04-05 10:19:32.1 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.1022.654 [GMT -6:00]
Running from: c:\documents and settings\Ryan Bornhoft\My Documents\Downloads\ComboFix.exe
* Created a new restore point
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\windows\system32\harerugo.dll.tmp
c:\windows\system32\majumeja.dll.tmp
c:\windows\system32\mofawege.dll.tmp
c:\windows\system32\retivadi.dll.tmp
c:\windows\system32\sivosari.dll.tmp
c:\windows\system32\vonibusa.dll
c:\windows\system32\yesinize.dll.tmp

.
((((((((((((((((((((((((( Files Created from 2009-03-05 to 2009-04-05 )))))))))))))))))))))))))))))))
.

2009-04-04 20:13 . 2009-04-04 20:13 <DIR> d-------- c:\program files\Malwarebytes' Anti-Malware
2009-04-04 20:13 . 2009-04-04 20:13 <DIR> d-------- c:\documents and settings\Ryan Bornhoft\Application Data\Malwarebytes
2009-04-04 20:13 . 2009-04-04 20:13 <DIR> d-------- c:\documents and settings\All Users\Application Data\Malwarebytes
2009-04-04 20:13 . 2009-03-26 16:49 38,496 --a------ c:\windows\system32\drivers\mbamswissarmy.sys
2009-04-04 20:13 . 2009-03-26 16:49 15,504 --a------ c:\windows\system32\drivers\mbam.sys
2009-04-04 16:59 . 2009-04-04 16:59 <DIR> d-------- C:\VundoFix Backups
2009-04-03 17:11 . 2009-04-03 17:11 1,890 --ahs---- c:\windows\system32\KGyGaAvL.sys
2009-04-03 17:11 . 2009-04-03 17:11 56 -r-hs---- c:\windows\system32\CE68745019.sys
2009-04-03 12:30 . 2009-04-03 12:30 <DIR> d-------- c:\documents and settings\LocalService\Application Data\McAfee
2009-04-03 12:15 . 2009-04-05 10:14 <DIR> d-------- c:\documents and settings\Ryan Bornhoft\Application Data\McAfee
2009-03-31 08:50 . 2009-04-03 08:01 <DIR> d-------- c:\program files\Windows Live Safety Center
2009-03-25 19:45 . 2009-03-25 19:45 <DIR> d-------- c:\program files\Microsoft Silverlight
2009-03-15 10:19 . 2009-03-30 11:14 <DIR> d-------- c:\program files\PokerStars
2009-03-15 08:00 . 2009-03-15 08:00 <DIR> d--hs---- c:\documents and settings\Laura Massey\PrivacIE
2009-03-15 08:00 . 2009-03-15 08:00 <DIR> d--hs---- c:\documents and settings\Laura Massey\IETldCache
2009-03-15 07:49 . 2009-03-15 07:49 <DIR> d-------- c:\documents and settings\Laura Massey\Application Data\Windows Desktop Search
2009-03-15 07:49 . 2009-03-07 19:57 <DIR> d-------- c:\documents and settings\Laura Massey\Application Data\Gtek
2009-03-15 07:49 . 2006-03-09 18:00 <DIR> d-------- c:\documents and settings\Laura Massey\Application Data\Corel
2009-03-15 07:49 . 2009-03-18 06:57 <DIR> d-------- c:\documents and settings\Laura Massey
2009-03-14 09:00 . 2009-03-14 09:00 <DIR> d-------- c:\documents and settings\Victor Bornhoft\Application Data\Windows Desktop Search
2009-03-14 08:58 . 2009-03-07 19:57 <DIR> d-------- c:\documents and settings\Victor Bornhoft\Application Data\Gtek
2009-03-14 08:58 . 2006-03-09 18:00 <DIR> d-------- c:\documents and settings\Victor Bornhoft\Application Data\Corel
2009-03-14 08:58 . 2009-03-14 09:35 <DIR> d-------- c:\documents and settings\Victor Bornhoft
2009-03-14 08:24 . 2009-03-14 08:24 <DIR> d-------- c:\program files\iTunes
2009-03-14 08:24 . 2009-03-14 08:24 <DIR> d-------- c:\program files\iPod
2009-03-14 08:24 . 2009-03-14 08:24 <DIR> d-------- c:\documents and settings\All Users\Application Data\{00D89592-F643-4D8D-8F0F-AFAE0F14D4C3}
2009-03-13 16:11 . 2009-03-13 16:11 <DIR> d-------- c:\documents and settings\All Users\Application Data\Knowledge Adventure
2009-03-13 16:10 . 2009-03-13 16:10 101 --a------ c:\windows\ka.ini
2009-03-13 16:09 . 2009-03-13 16:09 <DIR> d-------- c:\program files\JumpStart World
2009-03-13 16:09 . 2009-03-13 16:09 <DIR> d-------- c:\program files\Common Files\Knowledge Adventure
2009-03-13 12:34 . 2009-04-04 16:57 <DIR> d-------- c:\program files\Dl_cats
2009-03-13 12:34 . 2009-03-13 12:34 <DIR> d-------- c:\program files\Abbyy FineReader 6.0 Sprint
2009-03-13 12:34 . 2009-03-13 12:35 10,235 --a------ c:\windows\system32\LexFiles.ulf
2009-03-13 12:33 . 2009-03-14 08:13 <DIR> d-------- c:\program files\Dell Photo AIO Printer 924
2009-03-13 12:33 . 2001-08-17 22:36 87,040 --a------ c:\windows\system32\wiafbdrv.dll
2009-03-13 12:33 . 2001-08-17 22:36 87,040 --a------ c:\windows\system32\dllcache\wiafbdrv.dll
2009-03-13 12:33 . 2008-04-13 11:45 32,128 --a------ c:\windows\system32\drivers\usbccgp.sys
2009-03-13 12:33 . 2008-04-13 11:45 32,128 --a------ c:\windows\system32\dllcache\usbccgp.sys
2009-03-13 12:33 . 2008-04-13 11:47 25,856 --a------ c:\windows\system32\drivers\usbprint.sys
2009-03-13 12:33 . 2008-04-13 11:47 25,856 --a------ c:\windows\system32\dllcache\usbprint.sys
2009-03-13 12:33 . 2008-04-13 11:45 15,104 --a------ c:\windows\system32\drivers\usbscan.sys
2009-03-13 12:33 . 2008-04-13 11:45 15,104 --a------ c:\windows\system32\dllcache\usbscan.sys
2009-03-13 12:32 . 2009-03-13 12:32 <DIR> d-------- c:\windows\Sun
2009-03-13 12:31 . 2009-03-09 05:19 410,984 --a------ c:\windows\system32\deploytk.dll
2009-03-13 12:31 . 2009-03-09 02:53 73,728 --a------ c:\windows\system32\javacpl.cpl
2009-03-11 09:16 . 2009-03-11 09:16 <DIR> d-------- c:\program files\Bonjour
2009-03-08 21:27 . 2009-01-09 13:19 1,089,593 --------- c:\windows\system32\dllcache\ntprint.cat
2009-03-08 18:11 . 2009-03-08 18:11 <DIR> d-------- c:\program files\McAfee.com
2009-03-08 18:11 . 2009-03-11 06:26 <DIR> d-------- c:\program files\McAfee
2009-03-08 18:11 . 2009-03-08 18:11 <DIR> d-------- c:\program files\Common Files\McAfee
2009-03-08 18:06 . 2009-04-05 10:14 <DIR> d-------- c:\documents and settings\All Users\Application Data\McAfee
2009-03-08 17:15 . 2009-03-08 22:23 <DIR> d-------- c:\program files\Marvell
2009-03-08 00:48 . 2009-03-24 11:31 <DIR> d-------- c:\documents and settings\Ryan Bornhoft\Application Data\AdobeUM
2009-03-08 00:47 . 2009-03-08 00:47 <DIR> d-------- c:\program files\Common Files\Adobe
2009-03-07 23:18 . 2009-04-04 11:44 664 --a------ c:\windows\system32\d3d9caps.dat
2009-03-07 22:52 . 2009-03-07 22:52 4,128 --a------ C:\INFCACHE.1
2009-03-07 22:40 . 2009-03-07 22:40 <DIR> d-------- c:\program files\Audacity
2009-03-07 22:28 . 2009-03-07 22:28 <DIR> d-------- c:\windows\system32\XPSViewer
2009-03-07 22:28 . 2009-03-07 22:28 <DIR> d-------- c:\program files\Reference Assemblies
2009-03-07 22:28 . 2009-03-07 22:28 <DIR> d-------- c:\program files\MSBuild
2009-03-07 22:28 . 2009-03-07 22:28 <DIR> d-------- C:\cc7fb08fd029f4cb4408e2a994
2009-03-07 22:28 . 2008-07-06 06:06 1,676,288 --------- c:\windows\system32\xpssvcs.dll
2009-03-07 22:28 . 2008-07-06 06:06 1,676,288 --------- c:\windows\system32\dllcache\xpssvcs.dll
2009-03-07 22:28 . 2008-07-06 04:50 597,504 --------- c:\windows\system32\dllcache\printfilterpipelinesvc.exe
2009-03-07 22:28 . 2008-07-06 06:06 575,488 --------- c:\windows\system32\xpsshhdr.dll
2009-03-07 22:28 . 2008-07-06 06:06 575,488 --------- c:\windows\system32\dllcache\xpsshhdr.dll
2009-03-07 22:28 . 2008-07-06 06:06 117,760 --------- c:\windows\system32\prntvpt.dll
2009-03-07 22:28 . 2008-07-06 06:06 89,088 --------- c:\windows\system32\dllcache\filterpipelineprintproc.dll
2009-03-07 22:25 . 2009-03-07 22:25 <DIR> d-------- c:\windows\system32\GroupPolicy
2009-03-07 22:25 . 2009-03-07 22:25 <DIR> d-------- c:\program files\Windows Desktop Search
2009-03-07 22:25 . 2009-03-07 22:25 <DIR> d-------- c:\documents and settings\Ryan Bornhoft\Application Data\Windows Search
2009-03-07 22:25 . 2009-03-07 22:25 <DIR> d-------- c:\documents and settings\Ryan Bornhoft\Application Data\Windows Desktop Search
2009-03-07 22:24 . 2009-03-07 22:24 <DIR> d-------- c:\program files\Windows Media Connect 2
2009-03-07 22:24 . 2008-03-07 11:02 192,000 --------- c:\windows\system32\dllcache\offfilt.dll
2009-03-07 22:24 . 2008-03-07 11:02 98,304 --------- c:\windows\system32\dllcache\nlhtml.dll
2009-03-07 22:24 . 2008-03-07 11:02 29,696 --------- c:\windows\system32\dllcache\mimefilt.dll
2009-03-07 22:23 . 2009-03-07 22:23 <DIR> d-------- c:\windows\system32\drivers\UMDF
2009-03-07 22:23 . 2009-03-07 22:23 <DIR> d-------- C:\8d3f72bfe10a3a1fea526421a918
2009-03-07 22:23 . 2009-03-07 22:23 <DIR> d-------- C:\0d22e18e1b562e6ae63984b288f5
2009-03-07 22:02 . 2009-03-07 22:02 <DIR> d-------- c:\documents and settings\Ryan Bornhoft\Application Data\Apple Computer
2009-03-07 22:02 . 2008-04-17 12:12 107,368 --a------ c:\windows\system32\GEARAspi.dll
2009-03-07 22:02 . 2009-01-15 12:19 23,848 --a------ c:\windows\system32\drivers\GEARAspiWDM.sys
2009-03-07 22:01 . 2009-03-14 08:24 <DIR> d----c--- c:\windows\system32\DRVSTORE
2009-03-07 22:01 . 2009-03-07 22:02 <DIR> d-------- c:\program files\QuickTime
2009-03-07 22:01 . 2009-03-14 08:24 <DIR> d-------- c:\program files\Common Files\Apple
2009-03-07 22:01 . 2009-03-07 22:01 <DIR> d-------- c:\program files\Apple Software Update
2009-03-07 22:01 . 2009-03-07 22:02 <DIR> d-------- c:\documents and settings\All Users\Application Data\Apple Computer
2009-03-07 22:01 . 2009-03-07 22:01 <DIR> d-------- c:\documents and settings\All Users\Application Data\Apple
2009-03-07 21:54 . 2009-03-07 21:54 <DIR> d-------- c:\program files\MSXML 4.0
2009-03-07 21:43 . 2009-03-07 21:43 <DIR> d--hs---- c:\documents and settings\Ryan Bornhoft\PrivacIE
2009-03-07 21:43 . 2009-03-07 21:43 <DIR> d--hs---- c:\documents and settings\Ryan Bornhoft\IETldCache
2009-03-07 21:43 . 2009-03-07 21:43 <DIR> d--hs---- c:\documents and settings\Ryan Bornhoft\IECompatCache
2009-03-07 21:40 . 2009-03-07 22:23 <DIR> d-------- c:\windows\system32\LogFiles
2009-03-07 21:38 . 2009-03-07 21:38 <DIR> d-------- c:\windows\ie8updates
2009-03-07 21:37 . 2009-03-07 21:37 <DIR> d--h-c--- c:\windows\ie8
2009-03-07 21:36 . 2008-06-13 05:05 272,128 --------- c:\windows\system32\dllcache\bthport.sys
2009-03-07 21:35 . 2008-08-14 04:11 2,189,184 --------- c:\windows\system32\dllcache\ntoskrnl.exe
2009-03-07 21:35 . 2008-08-14 04:09 2,145,280 --------- c:\windows\system32\dllcache\ntkrnlmp.exe
2009-03-07 21:35 . 2008-08-14 03:33 2,066,048 --------- c:\windows\system32\dllcache\ntkrnlpa.exe
2009-03-07 21:35 . 2008-08-14 03:33 2,023,936 --------- c:\windows\system32\dllcache\ntkrpamp.exe
2009-03-07 21:35 . 2009-02-09 05:13 1,846,784 --------- c:\windows\system32\dllcache\win32k.sys
2009-03-07 21:35 . 2009-01-10 23:00 79,360 --------- c:\windows\system32\dllcache\iecompat.dll
2009-03-07 21:33 . 2008-09-04 11:15 1,106,944 --------- c:\windows\system32\dllcache\msxml3.dll
2009-03-07 21:33 . 2008-04-11 13:04 691,712 --------- c:\windows\system32\dllcache\inetcomm.dll
2009-03-07 21:33 . 2008-10-24 05:21 455,296 --------- c:\windows\system32\dllcache\mrxsmb.sys
2009-03-07 21:33 . 2008-10-15 10:34 337,408 --------- c:\windows\system32\dllcache\netapi32.dll
2009-03-07 21:33 . 2008-12-11 04:57 333,952 --------- c:\windows\system32\dllcache\srv.sys
2009-03-07 21:33 . 2008-05-01 08:33 331,776 --------- c:\windows\system32\dllcache\msadce.dll
2009-03-07 21:33 . 2008-10-03 04:02 247,326 --------- c:\windows\system32\dllcache\strmdll.dll
2009-03-07 21:33 . 2008-05-08 08:02 203,136 --------- c:\windows\system32\dllcache\rmcast.sys
2009-03-07 21:26 . 2009-03-07 21:26 <DIR> d-------- c:\windows\system32\scripting
2009-03-07 21:26 . 2009-03-07 21:26 <DIR> d-------- c:\windows\system32\en
2009-03-07 21:26 . 2009-03-07 21:26 <DIR> d-------- c:\windows\system32\bits
2009-03-07 21:26 . 2009-03-07 21:26 <DIR> d-------- c:\windows\l2schemas
2009-03-07 21:25 . 2009-03-07 21:25 <DIR> d-------- c:\windows\ServicePackFiles
2009-03-07 21:12 . 2009-03-07 21:12 <DIR> d--hs---- c:\documents and settings\Ryan Bornhoft\UserData
2009-03-07 19:53 . 2009-03-07 19:53 2 --a------ c:\windows\msoffice.ini
2009-03-07 19:50 . 2006-03-09 17:56 <DIR> d-------- c:\windows\system32\config\systemprofile\Application Data\Gtek
2009-03-07 19:50 . 2006-03-09 18:00 <DIR> d-------- c:\windows\system32\config\systemprofile\Application Data\Corel
2009-03-07 19:50 . 2009-03-07 19:57 <DIR> d--h----- c:\documents and settings\Ryan Bornhoft\Application Data\Gtek
2009-03-07 19:50 . 2009-04-03 17:11 <DIR> d-------- c:\documents and settings\Ryan Bornhoft\Application Data\Corel
2009-03-07 19:50 . 2009-04-05 10:08 <DIR> d-------- c:\documents and settings\Ryan Bornhoft
2009-03-07 19:46 . 2008-04-13 12:39 14,592 --a------ c:\windows\system32\drivers\kbdhid.sys
2009-03-07 19:46 . 2001-08-17 13:48 12,160 --a------ c:\windows\system32\drivers\mouhid.sys
2009-03-07 19:46 . 2008-04-13 12:45 10,368 --a------ c:\windows\system32\drivers\hidusb.sys

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-04-04 22:53 --------- d-----w c:\program files\Java
2009-03-13 22:09 --------- d--h--w c:\program files\InstallShield Installation Information
2009-03-08 23:12 265,984 ----a-w c:\windows\system32\drivers\MRV8335XP.sys
2009-03-08 01:57 --------- d-----w c:\documents and settings\All Users\Application Data\GTek
2009-03-08 01:57 --------- d-----w c:\documents and settings\Administrator\Application Data\Gtek
2009-03-08 01:55 --------- d-----w c:\program files\MUSICMATCH
2009-03-08 01:54 --------- d-----w c:\program files\GemMaster
2009-03-08 01:53 --------- d-----w c:\program files\Common Files\AOL
2009-03-08 01:53 --------- d-----w c:\documents and settings\All Users\Application Data\AOL
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Google Update"="c:\documents and settings\Ryan Bornhoft\Local Settings\Application Data\Google\Update\GoogleUpdate.exe" [2009-03-07 133104]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ehTray"="c:\windows\ehome\ehtray.exe" [2005-09-29 67584]
"IAAnotif"="c:\program files\Intel\Intel Matrix Storage Manager\iaanotif.exe" [2005-06-17 139264]
"ATIPTA"="c:\program files\ATI Technologies\ATI Control Panel\atiptaxx.exe" [2005-08-05 344064]
"DMXLauncher"="c:\program files\Dell\Media Experience\DMXLauncher.exe" [2005-10-05 94208]
"RealTray"="c:\program files\Real\RealPlayer\RealPlay.exe" [2006-03-09 26112]
"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2009-01-05 413696]
"ISUSPM Startup"="c:\program files\Common Files\InstallShield\UpdateService\isuspm.exe" [2005-06-10 249856]
"ISUSScheduler"="c:\program files\Common Files\InstallShield\UpdateService\issch.exe" [2005-06-10 81920]
"DLA"="c:\windows\System32\DLA\DLACTRLW.EXE" [2005-09-08 122940]
"Google Desktop Search"="c:\program files\Google\Google Desktop Search\GoogleDesktop.exe" [2006-03-09 169472]
"DLCCCATS"="c:\windows\System32\spool\DRIVERS\W32X86\3\DLCCtime.dll" [2005-09-14 73728]
"dlccmon.exe"="c:\program files\Dell Photo AIO Printer 924\dlccmon.exe" [2005-10-21 430080]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2009-03-12 342312]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2009-03-09 148888]
"MSConfig"="c:\windows\PCHealth\HelpCtr\Binaries\MSConfig.exe" [2008-04-13 169984]
"SigmatelSysTrayApp"="stsystra.exe" [2005-03-22 c:\windows\stsystra.exe]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
Digital Line Detect.lnk - c:\program files\Digital Line Detect\DLG.exe [2006-03-09 24576]
Windows Search.lnk - c:\program files\Windows Desktop Search\WindowsSearch.exe [2008-05-26 123904]

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{56F9679E-7826-4C84-81F3-532071A8BCC5}"= "c:\program files\Windows Desktop Search\MSNLNamespaceMgr.dll" [2008-05-26 304128]

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\\WINDOWS\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\WINDOWS\\system32\\sessmgr.exe"=
"c:\\WINDOWS\\system32\\wbem\\wmiprvse.exe"=

S2 0180181238948028mcinstcleanup;McAfee Application Installer Cleanup (0180181238948028);c:\docume~1\RYANBO~1\LOCALS~1\Temp\018018~1.EXE c:\progra~1\COMMON~1\McAfee\INSTAL~1\cleanup.ini -cleanup -nolog -service --> c:\docume~1\RYANBO~1\LOCALS~1\Temp\018018~1.EXE c:\progra~1\COMMON~1\McAfee\INSTAL~1\cleanup.ini -cleanup -nolog -service [?]

--- Other Services/Drivers In Memory ---

*NewlyCreated* - 0180181238948028MCINSTCLEANUP

[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\>{60B49E34-C7CC-11D0-8953-00A0C90347FF}]
"c:\windows\system32\rundll32.exe" "c:\windows\system32\iedkcs32.dll",BrandIEActiveSetup SIGNUP
.
Contents of the 'Scheduled Tasks' folder

2009-04-01 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 13:34]

2009-04-05 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-3655297045-4186852121-3271357521-1005.job
- c:\documents and settings\Ryan Bornhoft\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2009-03-07 21:48]
.
- - - - ORPHANS REMOVED - - - -

MSConfigStartUp-MBkLogOnHook - c:\program files\McAfee\MBK\LogOnHook.exe
MSConfigStartUp-McAfee Backup - c:\program files\McAfee\MBK\McAfeeDataBackup.exe
MSConfigStartUp-mcagent_exe - c:\program files\McAfee.com\Agent\mcagent.exe


.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.com/
uInternet Settings,ProxyOverride = *.local
IE: &Google Search - c:\program files\Google\GoogleToolbar1.dll/cmsearch.html
IE: &Translate English Word - c:\program files\Google\GoogleToolbar1.dll/cmwordtrans.html
IE: Backward Links - c:\program files\Google\GoogleToolbar1.dll/cmbacklinks.html
IE: Cached Snapshot of Page - c:\program files\Google\GoogleToolbar1.dll/cmcache.html
IE: Similar Pages - c:\program files\Google\GoogleToolbar1.dll/cmsimilar.html
IE: Translate Page into English - c:\program files\Google\GoogleToolbar1.dll/cmtrans.html
.

**************************************************************************

catchme 0.3.1375 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-04-05 10:21:59
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

HKLM\Software\Microsoft\Windows\CurrentVersion\Run
DLCCCATS = rundll32 c:\windows\System32\spool\DRIVERS\W32X86\3\DLCCtime.dll,_RunDLLEntry@16???????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
------------------------ Other Running Processes ------------------------
.
c:\windows\system32\ati2evxx.exe
c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
c:\program files\Bonjour\mDNSResponder.exe
c:\windows\ehome\ehrecvr.exe
c:\windows\ehome\ehSched.exe
c:\program files\Intel\Intel Matrix Storage Manager\IAANTMon.exe
c:\program files\Java\jre6\bin\jqs.exe
c:\program files\Google\Google Desktop Search\GoogleDesktopIndex.exe
c:\windows\ehome\mcrdsvc.exe
c:\windows\system32\searchindexer.exe
c:\windows\system32\wscntfy.exe
c:\windows\ehome\ehmsas.exe
c:\windows\system32\dllhost.exe
c:\windows\system32\dlcccoms.exe
c:\program files\iPod\bin\iPodService.exe
c:\windows\system32\searchprotocolhost.exe
c:\windows\system32\searchfilterhost.exe
.
**************************************************************************
.
Completion time: 2009-04-05 10:23:31 - machine was rebooted
ComboFix-quarantined-files.txt 2009-04-05 16:23:28

Pre-Run: 118,153,670,656 bytes free
Post-Run: 118,180,417,536 bytes free

WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(2)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
multi(0)disk(0)rdisk(0)partition(2)\WINDOWS="Windows XP Media Center Edition" /noexecute=optin /fastdetect

264 --- E O F --- 2009-03-13 22:06:53

Here is HijackThis
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 10:26:00 AM, on 4/5/2009
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v8.00 (8.00.6001.18372)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\WINDOWS\eHome\ehRecvr.exe
C:\WINDOWS\ehome\ehtray.exe
C:\WINDOWS\eHome\ehSched.exe
C:\WINDOWS\stsystra.exe
C:\Program Files\Intel\Intel Matrix Storage Manager\iaanotif.exe
C:\Program Files\Intel\Intel Matrix Storage Manager\iaantmon.exe
C:\Program Files\Dell\Media Experience\DMXLauncher.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Real\RealPlayer\RealPlay.exe
C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe
C:\WINDOWS\System32\DLA\DLACTRLW.EXE
C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe
C:\Program Files\Dell Photo AIO Printer 924\dlccmon.exe
C:\Program Files\Google\Google Desktop Search\GoogleDesktopIndex.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\Documents and Settings\Ryan Bornhoft\Local Settings\Application Data\Google\Update\GoogleUpdate.exe
C:\Program Files\Digital Line Detect\DLG.exe
C:\Program Files\Windows Desktop Search\WindowsSearch.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\SearchIndexer.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\eHome\ehmsas.exe
C:\WINDOWS\system32\dllhost.exe
C:\WINDOWS\system32\dlcccoms.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\explorer.exe
C:\WINDOWS\system32\notepad.exe
C:\Documents and Settings\Ryan Bornhoft\Local Settings\Application Data\Google\Chrome\Application\chrome.exe
C:\Documents and Settings\Ryan Bornhoft\Local Settings\Application Data\Google\Chrome\Application\chrome.exe
C:\WINDOWS\system32\SearchProtocolHost.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\System32\DLA\DLASHX_W.DLL
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O2 - BHO: GoogleAFE - {CA6319C0-31B7-401E-A518-A07C3DB8F777} - c:\Program Files\GoogleAFE\GoogleAE.dll
O2 - BHO: Java™ Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O4 - HKLM\..\Run: [ehTray] C:\WINDOWS\ehome\ehtray.exe
O4 - HKLM\..\Run: [SigmatelSysTrayApp] stsystra.exe
O4 - HKLM\..\Run: [IAAnotif] C:\Program Files\Intel\Intel Matrix Storage Manager\iaanotif.exe
O4 - HKLM\..\Run: [ATIPTA] "C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe"
O4 - HKLM\..\Run: [DMXLauncher] C:\Program Files\Dell\Media Experience\DMXLauncher.exe
O4 - HKLM\..\Run: [RealTray] C:\Program Files\Real\RealPlayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [ISUSPM Startup] "C:\Program Files\Common Files\InstallShield\UpdateService\isuspm.exe" -startup
O4 - HKLM\..\Run: [ISUSScheduler] "C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start
O4 - HKLM\..\Run: [DLA] C:\WINDOWS\System32\DLA\DLACTRLW.EXE
O4 - HKLM\..\Run: [Google Desktop Search] "C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe" /startup
O4 - HKLM\..\Run: [DLCCCATS] rundll32 C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\DLCCtime.dll,_RunDLLEntry@16
O4 - HKLM\..\Run: [dlccmon.exe] "C:\Program Files\Dell Photo AIO Printer 924\dlccmon.exe"
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"
O4 - HKLM\..\Run: [MSConfig] C:\WINDOWS\PCHealth\HelpCtr\Binaries\MSConfig.exe /auto
O4 - HKCU\..\Run: [Google Update] "C:\Documents and Settings\Ryan Bornhoft\Local Settings\Application Data\Google\Update\GoogleUpdate.exe" /c
O4 - Global Startup: Digital Line Detect.lnk = ?
O4 - Global Startup: Windows Search.lnk = C:\Program Files\Windows Desktop Search\WindowsSearch.exe
O8 - Extra context menu item: &Google Search - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsearch.html
O8 - Extra context menu item: &Translate English Word - res://C:\Program Files\Google\GoogleToolbar1.dll/cmwordtrans.html
O8 - Extra context menu item: Backward Links - res://C:\Program Files\Google\GoogleToolbar1.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://C:\Program Files\Google\GoogleToolbar1.dll/cmcache.html
O8 - Extra context menu item: Similar Pages - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsimilar.html
O8 - Extra context menu item: Translate Page into English - res://C:\Program Files\Google\GoogleToolbar1.dll/cmtrans.html
O9 - Extra button: PokerStars - {3AD14F0C-ED16-4e43-B6D8-661B03F6A1EF} - C:\Program Files\PokerStars\PokerStarsUpdate.exe
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {5ED80217-570B-4DA9-BF44-BE107C0EC166} (Windows Live Safety Center Base Module) - http://cdn.scan.onecare.live.com/resource/...lscbase5483.cab
O23 - Service: McAfee Application Installer Cleanup (0180181238948028) (0180181238948028mcinstcleanup) - Unknown owner - C:\DOCUME~1\RYANBO~1\LOCALS~1\Temp\018018~1.EXE (file missing)
O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: dlcc_device - - C:\WINDOWS\system32\dlcccoms.exe
O23 - Service: Intel® Quick Resume Technology Drivers (ELService) - Intel Corporation - C:\Program Files\Intel\IntelDH\Intel® Quick Resume Technology\ELService.exe
O23 - Service: Intel® Matrix Storage Event Monitor (IAANTMon) - Intel Corporation - C:\Program Files\Intel\Intel Matrix Storage Manager\iaantmon.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: Intel NCS NetService (NetSvc) - Intel® Corporation - C:\Program Files\Intel\PROSetWired\NCS\Sync\NetSvc.exe

--
End of file - 8236 bytes

#5 teacup61 (Bleepin' Texan! - Malware Response Team - 17,075 posts - Wills Point, Texas)

Posted 05 April 2009 - 09:25 PM

Hello,

You're welcome. :thumbup2:

Those look pretty good now. :) Looks like ComboFix took out the rest of it. How is it running please?

tea
Please make a donation so I can keep helping people just like you.
Every little bit helps! :)
You can even use your credit card! Thank you!



Error reading poptart in Drive A: Delete kids y/n?

#6 jetsetred (Topic Starter - Members - 6 posts)

Posted 05 April 2009 - 10:08 PM

It's running well now, thank you. Are there any good programs you could recommend to keep this from happening again? And should I delete all of the programs that I have downloaded for the fix?
-Jet-

#7 teacup61 (Bleepin' Texan! - Malware Response Team - 17,075 posts - Wills Point, Texas)

Posted 05 April 2009 - 10:12 PM

Hello,

Good to know. :thumbup2:

Yes, please delete ComboFix and its accompanying folder C:\Qoobox. Empty your Recycle bin and reboot your computer. Keep MBAM. Are you going to stay with McAfee?

#8 jetsetred (Topic Starter - Members - 6 posts)

Posted 05 April 2009 - 10:29 PM

I get McAfee free with Comcast, but if there is a better alternative or a great cheap alternative please let me know. Once again thank you and keep up the good work. ;)
-Jet-

#9 teacup61 (Bleepin' Texan! - Malware Response Team - 17,075 posts - Wills Point, Texas)

Posted 05 April 2009 - 10:49 PM

Hello,

You're welcome. :step4:

I don't think there's anything cheaper than free? :) You don't have to pay through the nose to have great protection on your computer. I use Avira on my own system.....it's one of the best out there, as good as or better than most of the paid programs. :thumbup2: AVG, Avira OR Avast are good FREE antivirus programs.

For the rest, this is what I tell everyone.........

Below I have included a number of recommendations on how to protect your computer in order to prevent future malware infections. Please take these recommendations seriously! These few simple steps can stave off the vast majority of spyware problems.

Regularly go to http://windowsupdate.microsoft.com and download all the "critical updates" for Windows, including the latest version of Internet Explorer. This can patch many of the security holes through which attackers can gain access to your computer. You should also turn on the Windows automatic update feature.

You should definitely maintain a firewall. Some good free firewalls are Kerio or Outpost. I use Comodo on my own system and really like it. ONLY use the firewall though!! http://comodo.com
A tutorial on understanding and using firewalls may be found here.

In order to protect yourself against spyware, you should consider installing and running the following free programs:

SpywareBlaster
A tutorial on using SpywareBlaster to prevent spyware from ever installing on your computer may be found here.

SpywareGuard
A tutorial on using SpywareGuard for realtime protection against spyware and hijackers may be found here.

Spybot-Search & Destroy
A tutorial on using Spybot to remove spyware from your computer may be found here. Please also remember to enable Spybot's "Immunize" and "TeaTimer" features.

Make sure to keep these programs up-to-date and to run them regularly, as this can prevent a great deal of spyware hassle.

* Avoid illegal sites, because that's where most malware is present.
* Don't click on links inside popups.
* Don't click on links in spam messages claiming to offer anti-spyware software, because most of these so-called removers ARE spyware.
* Download free software only from sites you know and trust. A lot of free software can bundle other software, including spyware.

Please consider using an alternate browser. Mozilla's Firefox browser is fantastic; it is much more secure than Internet Explorer, and also has the best built-in popup blocker (as an added benefit!) that I have ever seen. If you are interested, Firefox may be downloaded from here:
http://www.mozilla.org/products/firefox/

Please make sure to run your antivirus software regularly, and to keep it up-to-date.

Please also read Tony Klein's excellent article: How I got Infected in the First Place

tea

#10 jetsetred (Topic Starter - Members - 6 posts)

Posted 06 April 2009 - 03:00 PM

Thank you very much. I have taken your advice on Avira and will learn how to better use a firewall.
-Jet-

#11 teacup61 (Bleepin' Texan! - Malware Response Team - 17,075 posts - Wills Point, Texas)

Posted 08 April 2009 - 07:33 AM

You're welcome. :thumbup2:

Since this issue appears resolved ... this Topic is closed.

If you need this topic reopened, please request this by sending the moderating team a PM with the address of the thread. This applies only to the original topic starter.

Everyone else please begin a New Topic.
