
Vundo.gen!am


  • This topic is locked
10 replies to this topic

#1 Skyydream

Skyydream

  • Members
  • 12 posts
  • OFFLINE
  • Local time:09:25 AM

Posted 28 April 2009 - 06:43 PM

Trojan: Win32/Vundo.gen!AM

and

Worm: Win32/Vundo.A


These two things were both found during my latest scan by Windows Live OneCare... can you help me completely get rid of them?
I don't notice anything strange going on, but I understand that although OneCare has found then, that does not mean they are gone.

I appreciate the help!

- WW


DDS log:


DDS (Ver_09-03-16.01) - NTFSx86
Run by Owner at 16:36:37.40 on Tue 04/28/2009
Internet Explorer: 7.0.5730.13 BrowserJavaVersion: 1.6.0_13
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.3007.2064 [GMT -7:00]

AV: Windows Live OneCare *On-access scanning enabled* (Updated)
FW: Windows Live OneCare Firewall *enabled*

============== Running Processes ===============

H:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
H:\Program Files\Microsoft Windows OneCare Live\Antivirus\MsMpEng.exe
H:\WINDOWS\System32\svchost.exe -k netsvcs
H:\WINDOWS\system32\svchost.exe -k WudfServiceGroup
svchost.exe
svchost.exe
H:\WINDOWS\system32\spoolsv.exe
H:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
H:\Program Files\Bonjour\mDNSResponder.exe
svchost.exe
H:\WINDOWS\system32\svchost.exe -k hpdevmgmt
H:\WINDOWS\Explorer.EXE
H:\Program Files\Java\jre6\bin\jqs.exe
H:\Program Files\Common Files\LightScribe\LSSrvc.exe
H:\WINDOWS\System32\svchost.exe -k HPZ12
H:\WINDOWS\system32\nvsvc32.exe
H:\Program Files\Microsoft Windows OneCare Live\OcHealthMon.exe
H:\WINDOWS\System32\svchost.exe -k HPZ12
H:\WINDOWS\system32\svchost.exe -k imgsvc
H:\Program Files\Microsoft Windows OneCare Live\Firewall\msfwsvc.exe
H:\Program Files\Microsoft Windows OneCare Live\winss.exe
H:\Program Files\Canon\CAL\CALMAIN.exe
H:\WINDOWS\system32\RUNDLL32.EXE
H:\Program Files\ASUS\AASP\1.00.23\aaCenter.exe
H:\Program Files\ASUS\Ai Suite\AiNap\AiNap.exe
H:\WINDOWS\system32\rundll32.exe
H:\Program Files\Microsoft Windows OneCare Live\winssnotify.exe
H:\Program Files\Analog Devices\Core\smax4pnp.exe
H:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe
H:\Program Files\SlySoft\AnyDVD\AnyDVDtray.exe
H:\Program Files\Microsoft Money Plus\MNYCoreFiles\mnybbsvc.exe
H:\Program Files\Simplify Media\SimplifyMedia.exe
H:\Program Files\IObit\Advanced SystemCare 3\AWC.exe
H:\WINDOWS\system32\ctfmon.exe
H:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
H:\Program Files\Nike+ Utility\Nike+ Utility.exe
H:\Program Files\Dropbox\Dropbox.exe
H:\Program Files\palmOne\Hotsync.exe
H:\Program Files\2BrightSparks\SyncBack\SyncBack.exe
H:\Program Files\iPod\bin\iPodService.exe
H:\Program Files\HP\Digital Imaging\bin\hpqSTE08.exe
H:\WINDOWS\System32\svchost.exe -k HTTPFilter
H:\Program Files\Microsoft Money Plus\MNYCoreFiles\msmoney.exe
H:\Program Files\Mozilla Firefox\firefox.exe
H:\Documents and Settings\Owner\Desktop\dds.scr

============== Pseudo HJT Report ===============

uStart Page = hxxp://www.google.com/
uInternet Settings,ProxyOverride = *.local
uSearchURL,(Default) = hxxp://www.google.com/search/?q=%s
BHO: HP Print Enhancer: {0347c33e-8762-4905-bf09-768834316c61} - h:\program files\hp\smart web printing\hpswp_printenhancer.dll
BHO: HP Print Clips: {053f9267-dc04-4294-a72c-58f732d338c0} - h:\program files\hp\smart web printing\hpswp_framework.dll
BHO: Adobe PDF Reader Link Helper: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - h:\program files\common files\adobe\acrobat\activex\AcroIEHelper.dll
{68462ee0-dc65-407b-911a-5a0a201619a2}
BHO: Groove GFS Browser Helper: {72853161-30c5-4d22-b7f9-0bbc1d38a37e} - h:\program files\microsoft office\office12\GrooveShellExtensions.dll
BHO: Adobe PDF Conversion Toolbar Helper: {ae7cd045-e861-484f-8273-0445ee161910} - h:\program files\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - h:\program files\java\jre6\bin\jp2ssv.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - h:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
TB: Adobe PDF: {47833539-d0c5-4125-9fa8-0819e2eaac93} - h:\program files\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll
EB: Adobe PDF: {182ec0be-5110-49c8-a062-beb1d02a220b} - h:\program files\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll
uRun: [AnyDVD] h:\program files\slysoft\anydvd\AnyDVDtray.exe
uRun: [MoneyBackgoundBanking] "h:\program files\microsoft money plus\mnycorefiles\mnybbsvc.exe"
uRun: [Simplify Media] "h:\program files\simplify media\SimplifyMedia.exe"
uRun: [Advanced SystemCare 3] "h:\program files\iobit\advanced systemcare 3\AWC.exe" /startup
uRun: [ctfmon.exe] h:\windows\system32\ctfmon.exe
mRun: [NvMediaCenter] RUNDLL32.EXE h:\windows\system32\NvMcTray.dll,NvTaskbarInit
mRun: [JMB36X IDE Setup] h:\windows\jm\JMInsIDE.exe
mRun: [JMB36X Configure] h:\windows\system32\JMRaidSetup.exe boot
mRun: [AsusServiceProvider] h:\program files\asus\aasp\1.00.23\aaCenter.exe
mRun: [Ai Nap] "h:\program files\asus\ai suite\ainap\AiNap.exe"
mRun: [BluetoothAuthenticationAgent] rundll32.exe bthprops.cpl,,BluetoothAuthenticationAgent
mRun: [OneCareUI] "h:\program files\microsoft windows onecare live\winssnotify.exe"
mRun: [AppleSyncNotifier] h:\program files\common files\apple\mobile device support\bin\AppleSyncNotifier.exe
mRun: [SoundMAXPnP] h:\program files\analog devices\core\smax4pnp.exe
mRun: [Google Desktop Search] "h:\program files\google\google desktop search\GoogleDesktop.exe" /startup
mRun: [GrooveMonitor] "h:\program files\microsoft office\office12\GrooveMonitor.exe"
mRun: [NvCplDaemon] RUNDLL32.EXE h:\windows\system32\NvCpl.dll,NvStartup
mRun: [iTunesHelper] "h:\program files\itunes\iTunesHelper.exe"
mRun: [fuzeyebaja] Rundll32.exe "h:\windows\system32\faloyita.dll",s
StartupFolder: h:\docume~1\owner\startm~1\programs\startup\dropbox.lnk - h:\program files\dropbox\Dropbox.exe
StartupFolder: h:\docume~1\owner\startm~1\programs\startup\hotsyn~1.lnk - h:\program files\palmone\Hotsync.exe
StartupFolder: h:\docume~1\owner\startm~1\programs\startup\syncback.lnk - h:\program files\2brightsparks\syncback\SyncBack.exe
StartupFolder: h:\docume~1\alluse~1\startm~1\programs\startup\hpdigi~1.lnk - h:\program files\hp\digital imaging\bin\hpqtra08.exe
StartupFolder: h:\docume~1\alluse~1\startm~1\programs\startup\nike_u~1.lnk - h:\program files\nike+ utility\Nike+ Utility.exe
IE: Append to existing PDF - h:\program files\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert link target to Adobe PDF - h:\program files\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: Convert link target to existing PDF - h:\program files\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert selected links to Adobe PDF - h:\program files\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
IE: Convert selected links to existing PDF - h:\program files\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
IE: Convert selection to Adobe PDF - h:\program files\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: Convert selection to existing PDF - h:\program files\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert to Adobe PDF - h:\program files\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: E&xport to Microsoft Excel - h:\progra~1\micros~2\office12\EXCEL.EXE/3000
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - h:\program files\messenger\msmsgs.exe
IE: {2670000A-7350-4f3c-8081-5663EE0C6C49} - {48E73304-E1D6-4330-914C-F5F514E3486C} - h:\progra~1\micros~2\office12\ONBttnIE.dll
IE: {58ECB495-38F0-49cb-A538-10282ABF65E7} - {E763472E-A716-4CD9-89BD-DBDA6122F741} - h:\program files\hp\smart web printing\hpswp_extensions.dll
IE: {700259D7-1666-479a-93B1-3250410481E8} - {A93C41D8-01F8-4F8B-B14C-DE20B117E636} - h:\program files\hp\smart web printing\hpswp_extensions.dll
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - h:\progra~1\micros~2\office12\REFIEBAR.DLL
DPF: {05CA9FB0-3E3E-4B36-BF41-0E3A5CAA8CD8} - hxxp://download.microsoft.com/download/e/4/9/e494c802-dd90-4c6b-a074-469358f075a6/OGAControl.cab
DPF: {10E0E75E-6701-4134-9D95-C0942ED1F1C8} - hxxp://www2.snapfish.com/SnapfishOutlookImport.cab
DPF: {406B5949-7190-4245-91A9-30A17DE16AD0} - hxxp://www2.snapfish.com/SnapfishActivia.cab
DPF: {56762DEC-6B0D-4AB4-A8AD-989993B5D08B} - hxxp://www.eset.eu/buxus/docs/OnlineScanner.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_13-windows-i586.cab
DPF: {A30FBBDC-FA29-4606-8565-14AADCCA6708} - hxxps://photos.riteaid.com/control/RiteAidOneHourPhotoOnline.cab
DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} - hxxp://cdn2.zone.msn.com/binFramework/v10/ZIntro.cab56649.cab
DPF: {C7DB51B4-BCF7-4923-8874-7F1A0DC92277} - hxxp://office.microsoft.com/officeupdate/content/opuc4.cab
DPF: {CAFEEFAC-0016-0000-0002-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_02-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0003-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_03-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0005-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_05-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_07-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0013-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_13-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_13-windows-i586.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
Handler: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - h:\program files\microsoft office\office12\GrooveSystemServices.dll
AppInit_DLLs: h:\windows\system32\rudadiza.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - h:\windows\system32\WPDShServiceObj.dll
STS: {EC43E3FD-5C60-46a6-97D7-E0B85DBDD6C4} - No File
SEH: Groove GFS Stub Execution Hook: {b5a7f190-dda6-4420-b3ba-52453494e6cd} - h:\program files\microsoft office\office12\GrooveShellExtensions.dll
LSA: Notification Packages = scecli h:\windows\system32\rudadiza.dll

================= FIREFOX ===================

FF - ProfilePath - h:\docume~1\owner\applic~1\mozilla\firefox\profiles\rpwawf9d.default\
FF - prefs.js: browser.startup.homepage - hxxp://www.google.com/
FF - component: h:\documents and settings\owner\application data\mozilla\firefox\profiles\rpwawf9d.default\extensions\{463f6ca5-ee3c-4be1-b7e6-7fee11953374}\platform\winnt\components\FoxyTunes.dll
FF - component: h:\program files\mozilla firefox\components\GoogleDesktopMozilla.dll
FF - plugin: h:\program files\mozilla firefox\plugins\npGoogleGadgetPluginFirefoxWin.dll
FF - plugin: h:\program files\mozilla firefox\plugins\npitunes.dll
FF - plugin: h:\program files\photosynth\npPhotosynthMozilla.dll

---- FIREFOX POLICIES ----
FF - user.js: dom.disable_open_during_load - true // Popupblocker control handled by McAfee Privacy Service

============= SERVICES / DRIVERS ===============

R2 OcHealthMon;Windows Live OneCare Health Monitor;h:\program files\microsoft windows onecare live\OcHealthMon.exe [2009-3-22 24936]
R3 AtcL001;NDIS Miniport Driver for Attansic L1 Gigabit Ethernet Controller;h:\windows\system32\drivers\atl01_xp.sys [2007-7-12 35840]
S1 abncrqaq;abncrqaq;\??\h:\windows\system32\drivers\abncrqaq.sys --> h:\windows\system32\drivers\abncrqaq.sys [?]
S1 axcqkspn;axcqkspn;\??\h:\windows\system32\drivers\axcqkspn.sys --> h:\windows\system32\drivers\axcqkspn.sys [?]
S1 lxtruksz;lxtruksz;\??\h:\windows\system32\drivers\lxtruksz.sys --> h:\windows\system32\drivers\lxtruksz.sys [?]
S1 tkkikmnl;tkkikmnl;\??\h:\windows\system32\drivers\tkkikmnl.sys --> h:\windows\system32\drivers\tkkikmnl.sys [?]
S3 GoogleDesktopManager-092308-165331;Google Desktop Manager 5.8.809.23506;h:\program files\google\google desktop search\GoogleDesktop.exe [2008-12-26 30192]

=============== Created Last 30 ================

2009-04-24 18:39 1,409,386 ---sh--- h:\windows\system32\ipitodut.ini
2009-04-24 06:39 121 ---sh--- h:\windows\system32\ugagadat.ini
2009-04-22 20:44 <DIR> --d----- h:\program files\iPod
2009-04-22 20:44 <DIR> --d----- h:\program files\iTunes
2009-04-22 20:44 <DIR> --d----- h:\docume~1\alluse~1\applic~1\{8CD7F5AF-ECFA-4793-BF40-D8F42DBFF906}
2009-04-22 17:50 1,409,119 ---sh--- h:\windows\system32\akosugat.ini
2009-04-21 19:59 1,409,819 ---sh--- h:\windows\system32\uzajafoy.ini
2009-04-21 07:58 1,409,832 ---sh--- h:\windows\system32\ojivebun.ini
2009-04-20 19:58 1,409,558 ---sh--- h:\windows\system32\adupuhow.ini
2009-04-12 13:44 <DIR> --d----- h:\docume~1\owner\applic~1\IObit
2009-04-12 13:44 <DIR> --d----- h:\program files\IObit
2009-04-09 17:40 103,744 a------- h:\windows\system32\drivers\AnyDVD.sys
2009-04-05 16:40 <DIR> a-dshr-- H:\cmdcons
2009-04-05 00:28 <DIR> --d----- h:\docume~1\owner\applic~1\ESTsoft
2009-04-05 00:28 <DIR> --d----- h:\docume~1\alluse~1\applic~1\ESTsoft
2009-04-05 00:28 <DIR> --d----- h:\program files\ESTsoft
2009-04-04 14:24 <DIR> --d----- h:\docume~1\alluse~1\applic~1\PIXELA

==================== Find3M ====================

2009-03-19 16:32 23,400 a------- h:\windows\system32\drivers\GEARAspiWDM.sys
2009-03-09 05:19 410,984 a------- h:\windows\system32\deploytk.dll
2009-02-17 06:33 89,256 a------- h:\windows\system32\ElbyCDIO.dll
2009-02-09 04:13 1,846,784 a------- h:\windows\system32\win32k.sys
2006-06-22 23:48 32,768 a----r-- h:\windows\inf\UpdateUSB.exe
2008-05-25 23:11 16,384 a--sh--- h:\windows\system32\config\systemprofile\cookies\index.dat
2008-05-25 23:11 32,768 a--sh--- h:\windows\system32\config\systemprofile\local settings\history\history.ie5\index.dat
2008-05-25 23:11 32,768 a--sh--- h:\windows\system32\config\systemprofile\local settings\history\history.ie5\mshist012008052520080526\index.dat
2008-05-25 23:11 32,768 a--sh--- h:\windows\system32\config\systemprofile\local settings\temporary internet files\content.ie5\index.dat

============= FINISH: 16:36:49.53 ===============
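The DDS log above carries the classic Vundo footprint: an mRun entry that loads a DLL through rundll32, an AppInit_DLLs value, an LSA Notification Packages entry, four S1 (system-start) drivers whose image files are missing, and a run of hidden+system .ini files, all with randomly generated eight-letter names under system32. The following is an added triage example, not part of the thread and not code from DDS, ComboFix or HijackThis; it reads DDS-style lines and flags persistence points that reference such names. The "eight lowercase letters" heuristic is an assumption modelled on the names in this particular log (real triage would also check signatures, hashes and file dates), and the sample lines are a subset copied from the log above.

```python
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Sample lines copied from the DDS log posted above (a constructed subset for the demo).
SAMPLE_DDS_LINES = [
    'mRun: [NvCplDaemon] RUNDLL32.EXE h:\\windows\\system32\\NvCpl.dll,NvStartup',
    'mRun: [fuzeyebaja] Rundll32.exe "h:\\windows\\system32\\faloyita.dll",s',
    'AppInit_DLLs: h:\\windows\\system32\\rudadiza.dll',
    'LSA: Notification Packages = scecli h:\\windows\\system32\\rudadiza.dll',
    'SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - h:\\windows\\system32\\WPDShServiceObj.dll',
    'S1 abncrqaq;abncrqaq;\\??\\h:\\windows\\system32\\drivers\\abncrqaq.sys --> h:\\windows\\system32\\drivers\\abncrqaq.sys [?]',
    'R3 AtcL001;NDIS Miniport Driver for Attansic L1 Gigabit Ethernet Controller;h:\\windows\\system32\\drivers\\atl01_xp.sys [2007-7-12 35840]',
    '2009-04-24 18:39 1,409,386 ---sh--- h:\\windows\\system32\\ipitodut.ini',
    '2009-04-09 17:40 103,744 a------- h:\\windows\\system32\\drivers\\AnyDVD.sys',
]

# Assumed heuristic: a file name made of exactly eight lowercase letters, with a
# dll/sys/ini extension, living under system32. Legitimate vendor files in this
# log (NvCpl.dll, atl01_xp.sys, AnyDVD.sys) use mixed case, digits or other lengths.
RANDOM_NAME = re.compile(r'\\([a-z]{8})\.(dll|sys|ini)\b')
SYSTEM32 = re.compile(r'\\windows\\system32\\', re.I)


@dataclass
class Finding:
    kind: str       # which persistence mechanism the line represents
    filename: str   # the suspicious file referenced on that line
    line: str       # the original log line, for the analyst's report


def random_system32_file(line: str) -> Optional[Tuple[str, str]]:
    """Return (name, ext) when the line references a random-looking file under system32."""
    if not SYSTEM32.search(line):
        return None
    m = RANDOM_NAME.search(line)
    return (m.group(1), m.group(2)) if m else None


def analyze(lines: List[str]) -> List[Finding]:
    """Walk DDS-style lines and flag persistence points that load random-named files."""
    findings: List[Finding] = []
    for line in lines:
        hit = random_system32_file(line)
        if hit is None:
            continue
        name, ext = hit
        fname = f"{name}.{ext}"
        if line.startswith("AppInit_DLLs:"):
            # Loaded into every process that links user32.dll.
            findings.append(Finding("appinit_dll", fname, line))
        elif line.startswith("LSA:"):
            # Loaded by lsass.exe at boot; survives most user-mode cleanup.
            findings.append(Finding("lsa_notification_package", fname, line))
        elif re.match(r'[um]Run:', line) and 'rundll32' in line.lower():
            # Run key that launches a DLL export via rundll32 rather than an EXE.
            findings.append(Finding("run_key_rundll32", fname, line))
        elif line.startswith("S1 ") and line.rstrip().endswith("[?]"):
            # System-start driver service whose image file is not on disk.
            findings.append(Finding("system_start_driver_missing_file", fname, line))
        elif ext == "ini" and re.search(r'\s-{3}sh-{3}\s', line):
            # Hidden+system .ini files in system32 are the data files Vundo drops.
            findings.append(Finding("hidden_system_ini", fname, line))
    return findings


def persistence_files(findings: List[Finding]) -> List[str]:
    """Distinct file names an analyst would submit for removal, sorted."""
    return sorted({f.filename for f in findings})


if __name__ == "__main__":
    for f in analyze(SAMPLE_DDS_LINES):
        print(f"{f.kind:34} {f.filename:14} <- {f.line}")
    print("files to quarantine:", persistence_files(analyze(SAMPLE_DDS_LINES)))
```

Run over the sample, the script reports the same five entries an experienced helper would ask about first, and the one DLL that appears twice (rudadiza.dll, in both AppInit_DLLs and the LSA notification list) stands out as the component most likely to reload the infection after a partial cleanup; that is why the reply below asks for ComboFix rather than manual deletion.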


 


#2 fenzodahl512

fenzodahl512

  • Members
  • 6,738 posts
  • OFFLINE
  • Local time:12:25 AM

Posted 29 April 2009 - 04:04 AM

Please make sure you disable ALL of your Antivirus/Antispyware/Firewall before running ComboFix.. Please visit HERE if you don't know how.. Please re-enable them after performing all steps given..

Please download ComboFix by sUBs from one of the locations below, and save it to your Desktop.
Link 1
Link 2
Link 3
Double click combofix.exe and follow the prompts. Please, never rename ComboFix unless instructed.

If ComboFix asks you to install the Recovery Console, please do so.. It will be in your best interest..

When finished, it shall produce a log for you. Post that log and a fresh HijackThis log in your next reply..

Note: DON'T do anything with your computer while ComboFix is running.. Let ComboFix finish its job..

Keep calm, make it simple, use your brain, don't freak out, and you'll be just fine..
Awesomeness: When I get sad, I stop being sad and be awesome instead.. True story - Barney Stinson
Its gonna be legen.. wait for it.. dary! Cherish the pain, it means you're still alive


#3 Skyydream

Skyydream
  • Topic Starter

  • Members
  • 12 posts
  • OFFLINE
  • Local time:09:25 AM

Posted 30 April 2009 - 11:54 PM

Thank you so much for your help.

I have posted (and attached) both the combofix and HijackThis logs.

ComboFix LOG


ComboFix 09-04-30.05 - Owner 04/30/2009 20:56.3 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.3007.2135 [GMT -7:00]
Running from: h:\documents and settings\Owner\Desktop\ComboFix.exe
AV: Windows Live OneCare *On-access scanning disabled* (Updated)
FW: Windows Live OneCare Firewall *disabled*
.
ADS - WINDOWS: deleted 24 bytes in 1 streams.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

h:\windows\system32\adupuhow.ini
h:\windows\system32\akosugat.ini
h:\windows\system32\ipitodut.ini
h:\windows\system32\ojivebun.ini
h:\windows\system32\ugagadat.ini
h:\windows\system32\uzajafoy.ini

.
((((((((((((((((((((((((( Files Created from 2009-04-01 to 2009-05-01 )))))))))))))))))))))))))))))))
.

2009-04-30 01:33 . 2009-04-30 01:33 -------- d-----w h:\program files\Simplify Media
2009-04-23 03:44 . 2009-04-23 03:45 -------- d-----w h:\documents and settings\All Users\Application Data\{8CD7F5AF-ECFA-4793-BF40-D8F42DBFF906}
2009-04-17 03:35 . 2009-04-17 03:35 -------- d-----w h:\documents and settings\Owner\Application Data\dvdcss
2009-04-13 00:20 . 2009-04-13 00:20 -------- d--h--r H:\MSOCache
2009-04-12 20:44 . 2009-04-13 00:11 -------- d-----w h:\documents and settings\Owner\Application Data\IObit
2009-04-12 20:44 . 2009-04-12 21:29 -------- d-----w h:\program files\IObit
2009-04-10 00:40 . 2009-04-10 00:40 103744 ----a-w h:\windows\system32\drivers\AnyDVD.sys
2009-04-05 07:28 . 2009-04-05 07:28 -------- d-----w h:\documents and settings\Owner\Application Data\ESTsoft
2009-04-05 07:28 . 2009-04-05 07:28 -------- d-----w h:\documents and settings\All Users\Application Data\ESTsoft
2009-04-05 07:28 . 2009-04-05 07:28 -------- d-----w h:\program files\ESTsoft
2009-04-04 21:24 . 2009-04-04 21:24 -------- d-----w h:\documents and settings\All Users\Application Data\PIXELA

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-05-01 03:55 . 2007-07-18 03:23 -------- d-----w h:\program files\Common Files\Apple
2009-05-01 00:39 . 2008-05-25 23:24 -------- d-----w h:\program files\Microsoft Windows OneCare Live
2009-04-12 21:08 . 2008-06-02 01:13 -------- d-----w h:\program files\Common Files\Remote Control Software Common
2009-04-12 21:08 . 2008-05-28 00:34 -------- d-----w h:\program files\DupFiles
2009-04-12 21:08 . 2007-11-18 15:52 -------- d-----w h:\program files\Free Hide Folder
2009-04-12 21:08 . 2007-07-26 01:01 -------- d-----w h:\program files\Common Files\DataViz
2009-04-12 21:08 . 2007-07-26 01:01 -------- d-----w h:\program files\Documents To Go
2009-04-12 21:07 . 2008-02-15 05:24 -------- d-----w h:\program files\PIXresizer
2009-04-12 21:07 . 2007-07-26 00:26 -------- d-----w h:\program files\palmOne
2009-04-12 21:07 . 2007-07-25 13:03 -------- d-----w h:\program files\Windows Media Connect 2
2009-04-08 05:11 . 2007-09-08 22:12 -------- d-----w h:\program files\Java
2009-03-20 03:25 . 2009-03-20 03:25 -------- d-----w h:\program files\Free iPod Video Converter
2009-03-20 03:17 . 2008-02-01 06:15 -------- d-----w h:\program files\Red Kawa
2009-03-19 23:32 . 2008-01-29 19:01 23400 ----a-w h:\windows\system32\drivers\GEARAspiWDM.sys
2009-03-09 12:19 . 2008-12-27 18:37 410984 ----a-w h:\windows\system32\deploytk.dll
2009-02-17 17:11 . 2009-02-17 17:11 24232 ----a-w h:\windows\system32\drivers\ElbyCDIO.sys
2009-02-17 13:33 . 2009-02-17 13:33 89256 ----a-w h:\windows\system32\ElbyCDIO.dll
2009-02-09 11:13 . 2004-08-04 06:17 1846784 ----a-w h:\windows\system32\win32k.sys
2009-02-09 04:32 . 2007-07-13 06:19 71232 ----a-w h:\documents and settings\Owner\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2008-12-27 03:26 . 2008-12-27 03:26 122880 ----a-w h:\program files\mozilla firefox\components\GoogleDesktopMozilla.dll
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\Webbrowser]
"{F2CF5485-4E02-4F68-819C-B92DE9277049}"= "h:\windows\system32\ieframe.dll" [2008-12-20 6066688]

[HKEY_CLASSES_ROOT\clsid\{f2cf5485-4e02-4f68-819c-b92de9277049}]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\DropboxExt1]
@="{FB314ED9-A251-47B7-93E1-CDD82E34AF8B}"
[HKEY_CLASSES_ROOT\CLSID\{FB314ED9-A251-47B7-93E1-CDD82E34AF8B}]
2008-09-07 07:20 143360 ----a-w h:\program files\Dropbox\DropboxExt.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\DropboxExt2]
@="{FB314EDA-A251-47B7-93E1-CDD82E34AF8B}"
[HKEY_CLASSES_ROOT\CLSID\{FB314EDA-A251-47B7-93E1-CDD82E34AF8B}]
2008-09-07 07:20 143360 ----a-w h:\program files\Dropbox\DropboxExt.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\DropboxExt3]
@="{FB314EDB-A251-47B7-93E1-CDD82E34AF8B}"
[HKEY_CLASSES_ROOT\CLSID\{FB314EDB-A251-47B7-93E1-CDD82E34AF8B}]
2008-09-07 07:20 143360 ----a-w h:\program files\Dropbox\DropboxExt.dll

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"AnyDVD"="h:\program files\SlySoft\AnyDVD\AnyDVDtray.exe" [2009-04-10 5827520]
"MoneyBackgoundBanking"="h:\program files\Microsoft Money Plus\MNYCoreFiles\mnybbsvc.exe" [2008-02-19 53264]
"Advanced SystemCare 3"="h:\program files\IObit\Advanced SystemCare 3\AWC.exe" [2009-02-22 2272592]
"ctfmon.exe"="h:\windows\system32\ctfmon.exe" [2008-04-14 15360]
"Simplify Media"="h:\program files\Simplify Media\SimplifyMedia.exe" [2009-04-21 8563208]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NvMediaCenter"="h:\windows\system32\NvMcTray.dll" [2007-03-07 81920]
"JMB36X IDE Setup"="h:\windows\JM\JMInsIDE.exe" [2006-10-30 36864]
"JMB36X Configure"="h:\windows\system32\JMRaidSetup.exe" [2006-10-30 1953792]
"AsusServiceProvider"="h:\program files\ASUS\AASP\1.00.23\aaCenter.exe" [2007-01-05 597504]
"Ai Nap"="h:\program files\ASUS\Ai Suite\AiNap\AiNap.exe" [2007-01-12 1423360]
"OneCareUI"="h:\program files\Microsoft Windows OneCare Live\winssnotify.exe" [2009-03-22 63864]
"AppleSyncNotifier"="h:\program files\Common Files\Apple\Mobile Device Support\bin\AppleSyncNotifier.exe" [2009-02-07 177472]
"SoundMAXPnP"="h:\program files\Analog Devices\Core\smax4pnp.exe" [2006-12-18 868352]
"Google Desktop Search"="h:\program files\Google\Google Desktop Search\GoogleDesktop.exe" [2008-12-27 30192]
"GrooveMonitor"="h:\program files\Microsoft Office\Office12\GrooveMonitor.exe" [2007-08-24 33648]
"NvCplDaemon"="h:\windows\system32\NvCpl.dll" [2007-03-07 8425472]
"BluetoothAuthenticationAgent"="bthprops.cpl" - h:\windows\system32\bthprops.cpl [2008-04-14 110592]

h:\documents and settings\Owner\Start Menu\Programs\Startup\
Dropbox.lnk - h:\program files\Dropbox\Dropbox.exe [2008-9-26 24096981]
HotSync Manager.LNK - h:\program files\palmOne\Hotsync.exe [2004-6-9 471040]
SyncBack.lnk - h:\program files\2BrightSparks\SyncBack\SyncBack.exe [2008-12-21 2936064]

h:\documents and settings\All Users\Start Menu\Programs\Startup\
HP Digital Imaging Monitor.lnk - h:\program files\HP\Digital Imaging\bin\hpqtra08.exe [2007-3-11 210520]
Nike+ Utility.lnk - h:\program files\Nike+ Utility\Nike+ Utility.exe [2008-4-30 1228800]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\OneCareMP]
@="Service"
HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HP Software Update
HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NvCplDaemon
HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\nwiz
HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task
HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"UpdatesDisableNotify"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"h:\\Program Files\\HP\\Digital Imaging\\bin\\hpqtra08.exe"=
"h:\\Program Files\\HP\\Digital Imaging\\bin\\hpqste08.exe"=
"h:\\Program Files\\HP\\Digital Imaging\\bin\\hpofxm08.exe"=
"h:\\Program Files\\HP\\Digital Imaging\\bin\\hposfx08.exe"=
"h:\\Program Files\\HP\\Digital Imaging\\bin\\hposid01.exe"=
"h:\\Program Files\\HP\\Digital Imaging\\bin\\hpqscnvw.exe"=
"h:\\Program Files\\HP\\Digital Imaging\\bin\\hpqkygrp.exe"=
"h:\\Program Files\\HP\\Digital Imaging\\bin\\hpzwiz01.exe"=
"h:\\Program Files\\HP\\Digital Imaging\\bin\\hpoews01.exe"=
"h:\\Program Files\\HP\\Digital Imaging\\bin\\hpqnrs08.exe"=
"h:\\Program Files\\uTorrent\\uTorrent.exe"=
"h:\\Program Files\\Logitech\\Logitech Harmony Remote Software 7\\HarmonyRemote.exe"=
"h:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.EXE"=
"h:\\Program Files\\Microsoft Office\\Office12\\GROOVE.EXE"=
"h:\\Program Files\\Microsoft Office\\Office12\\ONENOTE.EXE"=
"h:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"h:\\WINDOWS\\system32\\taskmgr.exe"=
"h:\\Program Files\\Messenger\\msmsgs.exe"=

R1 abncrqaq;abncrqaq; [x]
R1 axcqkspn;axcqkspn; [x]
R1 lxtruksz;lxtruksz; [x]
R1 tkkikmnl;tkkikmnl; [x]
R3 GoogleDesktopManager-092308-165331;Google Desktop Manager 5.8.809.23506;h:\program files\Google\Google Desktop Search\GoogleDesktop.exe [2008-12-27 30192]
S2 OcHealthMon;Windows Live OneCare Health Monitor;h:\program files\Microsoft Windows OneCare Live\OcHealthMon.exe [2009-03-22 24936]
S3 AtcL001;NDIS Miniport Driver for Attansic L1 Gigabit Ethernet Controller;h:\windows\system32\DRIVERS\atl01_xp.sys [2006-10-31 35840]


[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
HPZ12 REG_MULTI_SZ Pml Driver HPZ12 Net Driver HPZ12
hpdevmgmt REG_MULTI_SZ hpqcxs08 hpqddsvc

[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{10880D85-AAD9-4558-ABDC-2AB1552D831F}]
"h:\program files\Common Files\LightScribe\LSRunOnce.exe"
.
Contents of the 'Scheduled Tasks' folder

2009-04-30 h:\windows\Tasks\AppleSoftwareUpdate.job
- h:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 19:34]

2009-04-12 h:\windows\Tasks\SmartDefrag.job
- h:\program files\IObit\IObit SmartDefrag\IObit SmartDefrag.exe [2009-04-12 01:15]

2009-04-28 h:\windows\Tasks\SyncBack BackUp Master Profile.job
- h:\program files\2BrightSparks\SyncBack\SyncBack.exe [2008-12-21 19:19]

2009-04-28 h:\windows\Tasks\SyncBack My Documents.job
- h:\program files\2BrightSparks\SyncBack\SyncBack.exe [2008-12-21 19:19]

2009-04-28 h:\windows\Tasks\SyncBack My Music.job
- h:\program files\2BrightSparks\SyncBack\SyncBack.exe [2008-12-21 19:19]

2009-04-28 h:\windows\Tasks\SyncBack My Videos.job
- h:\program files\2BrightSparks\SyncBack\SyncBack.exe [2008-12-21 19:19]

2009-04-28 h:\windows\Tasks\SyncBack New Music.job
- h:\program files\2BrightSparks\SyncBack\SyncBack.exe [2008-12-21 19:19]

2009-04-27 h:\windows\Tasks\SyncToy.job
- h:\documents and settings\Owner\Start Menu\Programs\SyncToy.lnk [2007-12-24 03:32]
.
- - - - ORPHANS REMOVED - - - -

BHO-{68462ee0-dc65-407b-911a-5a0a201619a2} - (no file)
HKLM-Run-fuzeyebaja - h:\windows\system32\faloyita.dll
SSODL-CDBurn-{fbeb8a05-beee-4442-804e-409d6c4515e9} - %SystemRoot%\system32\SHELL32.dll
MSConfigStartUp-CTFMON - (no file)


.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.com/
uInternet Settings,ProxyOverride = *.local
uSearchURL,(Default) = hxxp://www.google.com/search/?q=%s
IE: Append to existing PDF - h:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert link target to Adobe PDF - h:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: Convert link target to existing PDF - h:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert selected links to Adobe PDF - h:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
IE: Convert selected links to existing PDF - h:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
IE: Convert selection to Adobe PDF - h:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: Convert selection to existing PDF - h:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert to Adobe PDF - h:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: E&xport to Microsoft Excel - h:\progra~1\MICROS~2\Office12\EXCEL.EXE/3000
IE: {{FB5F1910-F110-11d2-BB9E-00C04F795683} - h:\program files\Messenger\msmsgs.exe
FF - ProfilePath - h:\documents and settings\Owner\Application Data\Mozilla\Firefox\Profiles\rpwawf9d.default\
FF - prefs.js: browser.startup.homepage - hxxp://www.google.com/
FF - component: h:\documents and settings\Owner\Application Data\Mozilla\Firefox\Profiles\rpwawf9d.default\extensions\{463F6CA5-EE3C-4be1-B7E6-7FEE11953374}\platform\WINNT\components\FoxyTunes.dll
FF - component: h:\program files\Mozilla Firefox\components\GoogleDesktopMozilla.dll
FF - plugin: h:\program files\Mozilla Firefox\plugins\npGoogleGadgetPluginFirefoxWin.dll
FF - plugin: h:\program files\Mozilla Firefox\plugins\npitunes.dll
FF - plugin: h:\program files\Photosynth\npPhotosynthMozilla.dll

---- FIREFOX POLICIES ----
FF - user.js: dom.disable_open_during_load - true // Popupblocker control handled by McAfee Privacy Service
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-04-30 21:03
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_USERS\S-1-5-21-796845957-1085031214-682003330-1004\Software\Microsoft\SystemCertificates\AddressBook*]
@Allowed: (Read) (RestrictedCode)
@Allowed: (Read) (RestrictedCode)
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'explorer.exe'(3240)
h:\program files\SlySoft\AnyDVD\ADvdDiscHlp.dll
h:\program files\Dropbox\DropboxExt.dll
h:\windows\system32\WPDShServiceObj.dll
h:\windows\system32\PortableDeviceTypes.dll
h:\windows\system32\PortableDeviceApi.dll
.
------------------------ Other Running Processes ------------------------
.
h:\program files\Microsoft Windows OneCare Live\Antivirus\MsMpEng.exe
h:\program files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
h:\program files\Bonjour\mDNSResponder.exe
h:\program files\Java\jre6\bin\jqs.exe
h:\program files\Common Files\LightScribe\LSSrvc.exe
h:\windows\system32\nvsvc32.exe
h:\program files\Microsoft Windows OneCare Live\Firewall\msfwsvc.exe
h:\program files\Microsoft Windows OneCare Live\winss.exe
h:\program files\Canon\CAL\CALMAIN.exe
h:\windows\system32\wscntfy.exe
h:\windows\system32\rundll32.exe
h:\windows\system32\rundll32.exe
h:\program files\HP\Digital Imaging\bin\hpqste08.exe
.
**************************************************************************
.
Completion time: 2009-05-01 21:06 - machine was rebooted
ComboFix-quarantined-files.txt 2009-05-01 04:05

Pre-Run: 391,748,411,392 bytes free
Post-Run: 391,808,466,944 bytes free

239 --- E O F --- 2009-03-15 03:02






HIJACK THIS LOG:


Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 9:50:17 PM, on 4/30/2009
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16791)
Boot mode: Normal

Running processes:
H:\WINDOWS\System32\smss.exe
H:\WINDOWS\system32\winlogon.exe
H:\WINDOWS\system32\services.exe
H:\WINDOWS\system32\lsass.exe
H:\WINDOWS\system32\svchost.exe
H:\Program Files\Microsoft Windows OneCare Live\Antivirus\MsMpEng.exe
H:\WINDOWS\System32\svchost.exe
H:\WINDOWS\system32\svchost.exe
H:\WINDOWS\system32\spoolsv.exe
H:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
H:\Program Files\Bonjour\mDNSResponder.exe
H:\WINDOWS\system32\svchost.exe
H:\Program Files\Java\jre6\bin\jqs.exe
H:\Program Files\Common Files\LightScribe\LSSrvc.exe
H:\WINDOWS\System32\svchost.exe
H:\WINDOWS\system32\nvsvc32.exe
H:\Program Files\Microsoft Windows OneCare Live\OcHealthMon.exe
H:\WINDOWS\System32\svchost.exe
H:\WINDOWS\system32\svchost.exe
H:\Program Files\Microsoft Windows OneCare Live\Firewall\msfwsvc.exe
H:\Program Files\Microsoft Windows OneCare Live\winss.exe
H:\Program Files\Canon\CAL\CALMAIN.exe
H:\WINDOWS\system32\wscntfy.exe
H:\WINDOWS\system32\RUNDLL32.EXE
H:\Program Files\ASUS\AASP\1.00.23\aaCenter.exe
H:\Program Files\ASUS\Ai Suite\AiNap\AiNap.exe
H:\WINDOWS\system32\rundll32.exe
H:\Program Files\Microsoft Windows OneCare Live\winssnotify.exe
H:\Program Files\Analog Devices\Core\smax4pnp.exe
H:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe
H:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe
H:\Program Files\SlySoft\AnyDVD\AnyDVDtray.exe
H:\Program Files\Microsoft Money Plus\MNYCoreFiles\mnybbsvc.exe
H:\Program Files\IObit\Advanced SystemCare 3\AWC.exe
H:\WINDOWS\system32\ctfmon.exe
H:\Program Files\Simplify Media\SimplifyMedia.exe
H:\WINDOWS\System32\svchost.exe
H:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
H:\Program Files\Nike+ Utility\Nike+ Utility.exe
H:\Program Files\Dropbox\Dropbox.exe
H:\Program Files\palmOne\Hotsync.exe
H:\Program Files\2BrightSparks\SyncBack\SyncBack.exe
H:\Program Files\HP\Digital Imaging\bin\hpqSTE08.exe
H:\WINDOWS\explorer.exe
H:\WINDOWS\system32\rundll32.exe
H:\Program Files\Mozilla Firefox\firefox.exe
H:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
O2 - BHO: HP Print Enhancer - {0347C33E-8762-4905-BF09-768834316C61} - H:\Program Files\HP\Smart Web Printing\hpswp_printenhancer.dll
O2 - BHO: HP Print Clips - {053F9267-DC04-4294-A72C-58F732D338C0} - H:\Program Files\HP\Smart Web Printing\hpswp_framework.dll
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - H:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: Groove GFS Browser Helper - {72853161-30C5-4D22-B7F9-0BBC1D38A37E} - H:\Program Files\Microsoft Office\Office12\GrooveShellExtensions.dll
O2 - BHO: Adobe PDF Conversion Toolbar Helper - {AE7CD045-E861-484f-8273-0445EE161910} - H:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll
O2 - BHO: Java™ Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - H:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - H:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - H:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE H:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [JMB36X IDE Setup] H:\WINDOWS\JM\JMInsIDE.exe
O4 - HKLM\..\Run: [JMB36X Configure] H:\WINDOWS\system32\JMRaidSetup.exe boot
O4 - HKLM\..\Run: [AsusServiceProvider] H:\Program Files\ASUS\AASP\1.00.23\aaCenter.exe
O4 - HKLM\..\Run: [Ai Nap] "H:\Program Files\ASUS\Ai Suite\AiNap\AiNap.exe"
O4 - HKLM\..\Run: [BluetoothAuthenticationAgent] rundll32.exe bthprops.cpl,,BluetoothAuthenticationAgent
O4 - HKLM\..\Run: [OneCareUI] "H:\Program Files\Microsoft Windows OneCare Live\winssnotify.exe"
O4 - HKLM\..\Run: [AppleSyncNotifier] H:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleSyncNotifier.exe
O4 - HKLM\..\Run: [SoundMAXPnP] H:\Program Files\Analog Devices\Core\smax4pnp.exe
O4 - HKLM\..\Run: [Google Desktop Search] "H:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe" /startup
O4 - HKLM\..\Run: [GrooveMonitor] "H:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe"
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE H:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKCU\..\Run: [AnyDVD] H:\Program Files\SlySoft\AnyDVD\AnyDVDtray.exe
O4 - HKCU\..\Run: [MoneyBackgoundBanking] "H:\Program Files\Microsoft Money Plus\MNYCoreFiles\mnybbsvc.exe"
O4 - HKCU\..\Run: [Advanced SystemCare 3] "H:\Program Files\IObit\Advanced SystemCare 3\AWC.exe" /startup
O4 - HKCU\..\Run: [ctfmon.exe] H:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [Simplify Media] "H:\Program Files\Simplify Media\SimplifyMedia.exe"
O4 - Startup: Dropbox.lnk = H:\Program Files\Dropbox\Dropbox.exe
O4 - Startup: HotSync Manager.LNK = H:\Program Files\palmOne\Hotsync.exe
O4 - Startup: SyncBack.lnk = H:\Program Files\2BrightSparks\SyncBack\SyncBack.exe
O4 - Global Startup: HP Digital Imaging Monitor.lnk = H:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
O4 - Global Startup: Nike+ Utility.lnk = H:\Program Files\Nike+ Utility\Nike+ Utility.exe
O8 - Extra context menu item: Append to existing PDF - res://H:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert link target to Adobe PDF - res://H:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert link target to existing PDF - res://H:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert selected links to Adobe PDF - res://H:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
O8 - Extra context menu item: Convert selected links to existing PDF - res://H:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
O8 - Extra context menu item: Convert selection to Adobe PDF - res://H:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert selection to existing PDF - res://H:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert to Adobe PDF - res://H:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://H:\PROGRA~1\MICROS~2\Office12\EXCEL.EXE/3000
O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - H:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - H:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra button: HP Clipbook - {58ECB495-38F0-49cb-A538-10282ABF65E7} - H:\Program Files\HP\Smart Web Printing\hpswp_extensions.dll
O9 - Extra button: HP Smart Select - {700259D7-1666-479a-93B1-3250410481E8} - H:\Program Files\HP\Smart Web Printing\hpswp_extensions.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - H:\PROGRA~1\MICROS~2\Office12\REFIEBAR.DLL
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - H:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - H:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - H:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - H:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {10E0E75E-6701-4134-9D95-C0942ED1F1C8} (Snapfish Outlook Import ActiveX Control) - http://www2.snapfish.com/SnapfishOutlookImport.cab
O16 - DPF: {406B5949-7190-4245-91A9-30A17DE16AD0} (Snapfish Activia) - http://www2.snapfish.com/SnapfishActivia.cab
O16 - DPF: {56762DEC-6B0D-4AB4-A8AD-989993B5D08B} - http://www.eset.eu/buxus/docs/OnlineScanner.cab
O16 - DPF: {A30FBBDC-FA29-4606-8565-14AADCCA6708} (Rite Aid One Hour Photo Online Control) - https://photos.riteaid.com/control/RiteAidO...PhotoOnline.cab
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (MSN Games - Installer) - http://cdn2.zone.msn.com/binFramework/v10/...ro.cab56649.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/shoc...ash/swflash.cab
O18 - Protocol: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - H:\Program Files\Microsoft Office\Office12\GrooveSystemServices.dll
O23 - Service: Apple Mobile Device - Apple Inc. - H:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Bonjour Service - Apple Inc. - H:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: Canon Camera Access Library 8 (CCALib8) - Canon Inc. - H:\Program Files\Canon\CAL\CALMAIN.exe
O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - H:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
O23 - Service: Google Desktop Manager 5.8.809.23506 (GoogleDesktopManager-092308-165331) - Google - H:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - H:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - H:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - H:\Program Files\Common Files\LightScribe\LSSrvc.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - H:\WINDOWS\system32\nvsvc32.exe
O23 - Service: stllssvr - MicroVision Development, Inc. - H:\Program Files\Common Files\SureThing Shared\stllssvr.exe

--
End of file - 10813 bytes


#4 fenzodahl512
  • Members
  • 6,738 posts

Posted 01 May 2009 - 03:00 AM

1. Please open Notepad
  • If you don't know how, just go to Start >> Run >> copy/paste notepad.exe >> Enter
2. Now copy/paste the entire content of the codebox below into the Notepad window:

KillAll::

Driver::
abncrqaq
axcqkspn
lxtruksz
tkkikmnl

3. Save the above as CFScript.txt

4. Then drag the CFScript.txt into ComboFix.exe as depicted in the animation below. This will start ComboFix again.

[animation: dragging CFScript.txt onto ComboFix.exe]


5. After reboot, (in case it asks to reboot), please post the following reports/logs into your next reply:
  • Combofix.txt
  • A new HijackThis log.

Keep calm, make it simple, use your brain, don't freak out, and you'll be just fine..
Awesomeness: When I get sad, I stop being sad and be awesome instead.. True story - Barney Stinson
Its gonna be legen.. wait for it.. dary! Cherish the pain, it means you're still alive


#5 Skyydream
  • Topic Starter
  • Members
  • 12 posts

Posted 01 May 2009 - 07:26 PM

Thank you - here are the two logs (also attached):



ComboFIX text

ComboFix 09-04-30.05 - Owner 05/01/2009 16:44.4 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.3007.2227 [GMT -7:00]
Running from: h:\documents and settings\Owner\Desktop\ComboFix.exe
Command switches used :: h:\documents and settings\Owner\Desktop\CFScript.txt
AV: Windows Live OneCare *On-access scanning disabled* (Updated)
FW: Windows Live OneCare Firewall *enabled*
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Service_abncrqaq
-------\Service_axcqkspn
-------\Service_lxtruksz
-------\Service_tkkikmnl


((((((((((((((((((((((((( Files Created from 2009-04-01 to 2009-05-01 )))))))))))))))))))))))))))))))
.

2009-04-30 01:33 . 2009-04-30 01:33 -------- d-----w h:\program files\Simplify Media
2009-04-23 03:44 . 2009-04-23 03:45 -------- d-----w h:\documents and settings\All Users\Application Data\{8CD7F5AF-ECFA-4793-BF40-D8F42DBFF906}
2009-04-17 03:35 . 2009-04-17 03:35 -------- d-----w h:\documents and settings\Owner\Application Data\dvdcss
2009-04-13 00:20 . 2009-04-13 00:20 -------- d--h--r H:\MSOCache
2009-04-12 20:44 . 2009-04-13 00:11 -------- d-----w h:\documents and settings\Owner\Application Data\IObit
2009-04-12 20:44 . 2009-04-12 21:29 -------- d-----w h:\program files\IObit
2009-04-10 00:40 . 2009-04-10 00:40 103744 ----a-w h:\windows\system32\drivers\AnyDVD.sys
2009-04-05 07:28 . 2009-04-05 07:28 -------- d-----w h:\documents and settings\Owner\Application Data\ESTsoft
2009-04-05 07:28 . 2009-04-05 07:28 -------- d-----w h:\documents and settings\All Users\Application Data\ESTsoft
2009-04-05 07:28 . 2009-04-05 07:28 -------- d-----w h:\program files\ESTsoft
2009-04-04 21:24 . 2009-04-04 21:24 -------- d-----w h:\documents and settings\All Users\Application Data\PIXELA

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-05-01 23:37 . 2008-05-25 23:24 -------- d-----w h:\program files\Microsoft Windows OneCare Live
2009-05-01 03:55 . 2007-07-18 03:23 -------- d-----w h:\program files\Common Files\Apple
2009-04-12 21:08 . 2008-06-02 01:13 -------- d-----w h:\program files\Common Files\Remote Control Software Common
2009-04-12 21:08 . 2008-05-28 00:34 -------- d-----w h:\program files\DupFiles
2009-04-12 21:08 . 2007-11-18 15:52 -------- d-----w h:\program files\Free Hide Folder
2009-04-12 21:08 . 2007-07-26 01:01 -------- d-----w h:\program files\Common Files\DataViz
2009-04-12 21:08 . 2007-07-26 01:01 -------- d-----w h:\program files\Documents To Go
2009-04-12 21:07 . 2008-02-15 05:24 -------- d-----w h:\program files\PIXresizer
2009-04-12 21:07 . 2007-07-26 00:26 -------- d-----w h:\program files\palmOne
2009-04-12 21:07 . 2007-07-25 13:03 -------- d-----w h:\program files\Windows Media Connect 2
2009-04-08 05:11 . 2007-09-08 22:12 -------- d-----w h:\program files\Java
2009-03-20 03:25 . 2009-03-20 03:25 -------- d-----w h:\program files\Free iPod Video Converter
2009-03-20 03:17 . 2008-02-01 06:15 -------- d-----w h:\program files\Red Kawa
2009-03-19 23:32 . 2008-01-29 19:01 23400 ----a-w h:\windows\system32\drivers\GEARAspiWDM.sys
2009-03-09 12:19 . 2008-12-27 18:37 410984 ----a-w h:\windows\system32\deploytk.dll
2009-02-17 17:11 . 2009-02-17 17:11 24232 ----a-w h:\windows\system32\drivers\ElbyCDIO.sys
2009-02-17 13:33 . 2009-02-17 13:33 89256 ----a-w h:\windows\system32\ElbyCDIO.dll
2009-02-09 11:13 . 2004-08-04 06:17 1846784 ----a-w h:\windows\system32\win32k.sys
2009-02-09 04:32 . 2007-07-13 06:19 71232 ----a-w h:\documents and settings\Owner\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2008-12-27 03:26 . 2008-12-27 03:26 122880 ----a-w h:\program files\mozilla firefox\components\GoogleDesktopMozilla.dll
.

((((((((((((((((((((((((((((( SnapShot@2009-05-01_04.03.19 )))))))))))))))))))))))))))))))))))))))))
.
+ 2009-05-01 23:46 . 2009-05-01 23:46 16384 h:\windows\temp\Perflib_Perfdata_84.dat
+ 2009-05-01 23:47 . 2009-05-01 23:47 16384 h:\windows\temp\Perflib_Perfdata_710.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\DropboxExt1]
@="{FB314ED9-A251-47B7-93E1-CDD82E34AF8B}"
[HKEY_CLASSES_ROOT\CLSID\{FB314ED9-A251-47B7-93E1-CDD82E34AF8B}]
2008-09-07 07:20 143360 ----a-w h:\program files\Dropbox\DropboxExt.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\DropboxExt2]
@="{FB314EDA-A251-47B7-93E1-CDD82E34AF8B}"
[HKEY_CLASSES_ROOT\CLSID\{FB314EDA-A251-47B7-93E1-CDD82E34AF8B}]
2008-09-07 07:20 143360 ----a-w h:\program files\Dropbox\DropboxExt.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\DropboxExt3]
@="{FB314EDB-A251-47B7-93E1-CDD82E34AF8B}"
[HKEY_CLASSES_ROOT\CLSID\{FB314EDB-A251-47B7-93E1-CDD82E34AF8B}]
2008-09-07 07:20 143360 ----a-w h:\program files\Dropbox\DropboxExt.dll

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"AnyDVD"="h:\program files\SlySoft\AnyDVD\AnyDVDtray.exe" [2009-04-10 5827520]
"MoneyBackgoundBanking"="h:\program files\Microsoft Money Plus\MNYCoreFiles\mnybbsvc.exe" [2008-02-19 53264]
"Advanced SystemCare 3"="h:\program files\IObit\Advanced SystemCare 3\AWC.exe" [2009-02-22 2272592]
"ctfmon.exe"="h:\windows\system32\ctfmon.exe" [2008-04-14 15360]
"Simplify Media"="h:\program files\Simplify Media\SimplifyMedia.exe" [2009-04-21 8563208]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NvMediaCenter"="h:\windows\system32\NvMcTray.dll" [2007-03-07 81920]
"JMB36X IDE Setup"="h:\windows\JM\JMInsIDE.exe" [2006-10-30 36864]
"JMB36X Configure"="h:\windows\system32\JMRaidSetup.exe" [2006-10-30 1953792]
"AsusServiceProvider"="h:\program files\ASUS\AASP\1.00.23\aaCenter.exe" [2007-01-05 597504]
"Ai Nap"="h:\program files\ASUS\Ai Suite\AiNap\AiNap.exe" [2007-01-12 1423360]
"OneCareUI"="h:\program files\Microsoft Windows OneCare Live\winssnotify.exe" [2009-03-22 63864]
"AppleSyncNotifier"="h:\program files\Common Files\Apple\Mobile Device Support\bin\AppleSyncNotifier.exe" [2009-02-07 177472]
"SoundMAXPnP"="h:\program files\Analog Devices\Core\smax4pnp.exe" [2006-12-18 868352]
"Google Desktop Search"="h:\program files\Google\Google Desktop Search\GoogleDesktop.exe" [2008-12-27 30192]
"GrooveMonitor"="h:\program files\Microsoft Office\Office12\GrooveMonitor.exe" [2007-08-24 33648]
"NvCplDaemon"="h:\windows\system32\NvCpl.dll" [2007-03-07 8425472]
"BluetoothAuthenticationAgent"="bthprops.cpl" - h:\windows\system32\bthprops.cpl [2008-04-14 110592]

h:\documents and settings\Owner\Start Menu\Programs\Startup\
Dropbox.lnk - h:\program files\Dropbox\Dropbox.exe [2008-9-26 24096981]
HotSync Manager.LNK - h:\program files\palmOne\Hotsync.exe [2004-6-9 471040]
SyncBack.lnk - h:\program files\2BrightSparks\SyncBack\SyncBack.exe [2008-12-21 2936064]

h:\documents and settings\All Users\Start Menu\Programs\Startup\
HP Digital Imaging Monitor.lnk - h:\program files\HP\Digital Imaging\bin\hpqtra08.exe [2007-3-11 210520]
Nike+ Utility.lnk - h:\program files\Nike+ Utility\Nike+ Utility.exe [2008-4-30 1228800]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\OneCareMP]
@="Service"

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"UpdatesDisableNotify"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"h:\\Program Files\\HP\\Digital Imaging\\bin\\hpqtra08.exe"=
"h:\\Program Files\\HP\\Digital Imaging\\bin\\hpqste08.exe"=
"h:\\Program Files\\HP\\Digital Imaging\\bin\\hpofxm08.exe"=
"h:\\Program Files\\HP\\Digital Imaging\\bin\\hposfx08.exe"=
"h:\\Program Files\\HP\\Digital Imaging\\bin\\hposid01.exe"=
"h:\\Program Files\\HP\\Digital Imaging\\bin\\hpqscnvw.exe"=
"h:\\Program Files\\HP\\Digital Imaging\\bin\\hpqkygrp.exe"=
"h:\\Program Files\\HP\\Digital Imaging\\bin\\hpzwiz01.exe"=
"h:\\Program Files\\HP\\Digital Imaging\\bin\\hpoews01.exe"=
"h:\\Program Files\\HP\\Digital Imaging\\bin\\hpqnrs08.exe"=
"h:\\Program Files\\uTorrent\\uTorrent.exe"=
"h:\\Program Files\\Logitech\\Logitech Harmony Remote Software 7\\HarmonyRemote.exe"=
"h:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.EXE"=
"h:\\Program Files\\Microsoft Office\\Office12\\GROOVE.EXE"=
"h:\\Program Files\\Microsoft Office\\Office12\\ONENOTE.EXE"=
"h:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"h:\\WINDOWS\\system32\\taskmgr.exe"=
"h:\\Program Files\\Messenger\\msmsgs.exe"=

R3 GoogleDesktopManager-092308-165331;Google Desktop Manager 5.8.809.23506;h:\program files\Google\Google Desktop Search\GoogleDesktop.exe [2008-12-27 30192]
S2 OcHealthMon;Windows Live OneCare Health Monitor;h:\program files\Microsoft Windows OneCare Live\OcHealthMon.exe [2009-03-22 24936]
S3 AtcL001;NDIS Miniport Driver for Attansic L1 Gigabit Ethernet Controller;h:\windows\system32\DRIVERS\atl01_xp.sys [2006-10-31 35840]


[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
HPZ12 REG_MULTI_SZ Pml Driver HPZ12 Net Driver HPZ12
hpdevmgmt REG_MULTI_SZ hpqcxs08 hpqddsvc

[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{10880D85-AAD9-4558-ABDC-2AB1552D831F}]
"h:\program files\Common Files\LightScribe\LSRunOnce.exe"
.
Contents of the 'Scheduled Tasks' folder

2009-04-30 h:\windows\Tasks\AppleSoftwareUpdate.job
- h:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 19:34]

2009-04-12 h:\windows\Tasks\SmartDefrag.job
- h:\program files\IObit\IObit SmartDefrag\IObit SmartDefrag.exe [2009-04-12 01:15]

2009-04-28 h:\windows\Tasks\SyncBack BackUp Master Profile.job
- h:\program files\2BrightSparks\SyncBack\SyncBack.exe [2008-12-21 19:19]

2009-04-28 h:\windows\Tasks\SyncBack My Documents.job
- h:\program files\2BrightSparks\SyncBack\SyncBack.exe [2008-12-21 19:19]

2009-04-28 h:\windows\Tasks\SyncBack My Music.job
- h:\program files\2BrightSparks\SyncBack\SyncBack.exe [2008-12-21 19:19]

2009-04-28 h:\windows\Tasks\SyncBack My Videos.job
- h:\program files\2BrightSparks\SyncBack\SyncBack.exe [2008-12-21 19:19]

2009-04-28 h:\windows\Tasks\SyncBack New Music.job
- h:\program files\2BrightSparks\SyncBack\SyncBack.exe [2008-12-21 19:19]

2009-04-27 h:\windows\Tasks\SyncToy.job
- h:\documents and settings\Owner\Start Menu\Programs\SyncToy.lnk [2007-12-24 03:32]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.com/
uInternet Settings,ProxyOverride = *.local
uSearchURL,(Default) = hxxp://www.google.com/search/?q=%s
IE: Append to existing PDF - h:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert link target to Adobe PDF - h:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: Convert link target to existing PDF - h:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert selected links to Adobe PDF - h:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
IE: Convert selected links to existing PDF - h:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
IE: Convert selection to Adobe PDF - h:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: Convert selection to existing PDF - h:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert to Adobe PDF - h:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: E&xport to Microsoft Excel - h:\progra~1\MICROS~2\Office12\EXCEL.EXE/3000
FF - ProfilePath - h:\documents and settings\Owner\Application Data\Mozilla\Firefox\Profiles\rpwawf9d.default\
FF - prefs.js: browser.startup.homepage - hxxp://www.google.com/
FF - component: h:\documents and settings\Owner\Application Data\Mozilla\Firefox\Profiles\rpwawf9d.default\extensions\{463F6CA5-EE3C-4be1-B7E6-7FEE11953374}\platform\WINNT\components\FoxyTunes.dll
FF - component: h:\program files\Mozilla Firefox\components\GoogleDesktopMozilla.dll
FF - plugin: h:\program files\Mozilla Firefox\plugins\npGoogleGadgetPluginFirefoxWin.dll
FF - plugin: h:\program files\Mozilla Firefox\plugins\npitunes.dll
FF - plugin: h:\program files\Photosynth\npPhotosynthMozilla.dll

---- FIREFOX POLICIES ----
FF - user.js: dom.disable_open_during_load - true // Popupblocker control handled by McAfee Privacy Service
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-05-01 16:47
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_USERS\S-1-5-21-796845957-1085031214-682003330-1004\Software\Microsoft\SystemCertificates\AddressBook*]
@Allowed: (Read) (RestrictedCode)
@Allowed: (Read) (RestrictedCode)
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'explorer.exe'(1988)
h:\program files\SlySoft\AnyDVD\ADvdDiscHlp.dll
h:\program files\Dropbox\DropboxExt.dll
h:\windows\system32\WPDShServiceObj.dll
h:\windows\system32\PortableDeviceTypes.dll
h:\windows\system32\PortableDeviceApi.dll
.
------------------------ Other Running Processes ------------------------
.
h:\program files\Microsoft Windows OneCare Live\Antivirus\MsMpEng.exe
h:\program files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
h:\program files\Bonjour\mDNSResponder.exe
h:\program files\Java\jre6\bin\jqs.exe
h:\program files\Common Files\LightScribe\LSSrvc.exe
h:\windows\system32\nvsvc32.exe
h:\program files\Microsoft Windows OneCare Live\Firewall\msfwsvc.exe
h:\program files\Microsoft Windows OneCare Live\winss.exe
h:\program files\Canon\CAL\CALMAIN.exe
h:\windows\system32\wscntfy.exe
h:\windows\system32\rundll32.exe
h:\windows\system32\rundll32.exe
h:\program files\HP\Digital Imaging\bin\hpqste08.exe
.
**************************************************************************
.
Completion time: 2009-05-01 16:50 - machine was rebooted
ComboFix-quarantined-files.txt 2009-05-01 23:50
ComboFix2.txt 2009-05-01 04:06

Pre-Run: 391,705,194,496 bytes free
Post-Run: 391,701,483,520 bytes free

227 --- E O F --- 2009-03-15 03:02





hijackThis Log:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 5:22:28 PM, on 5/1/2009
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16791)
Boot mode: Normal

Running processes:
H:\WINDOWS\System32\smss.exe
H:\WINDOWS\system32\winlogon.exe
H:\WINDOWS\system32\services.exe
H:\WINDOWS\system32\lsass.exe
H:\WINDOWS\system32\svchost.exe
H:\Program Files\Microsoft Windows OneCare Live\Antivirus\MsMpEng.exe
H:\WINDOWS\System32\svchost.exe
H:\WINDOWS\system32\svchost.exe
H:\WINDOWS\system32\spoolsv.exe
H:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
H:\Program Files\Bonjour\mDNSResponder.exe
H:\WINDOWS\system32\svchost.exe
H:\Program Files\Java\jre6\bin\jqs.exe
H:\Program Files\Common Files\LightScribe\LSSrvc.exe
H:\WINDOWS\System32\svchost.exe
H:\WINDOWS\system32\nvsvc32.exe
H:\Program Files\Microsoft Windows OneCare Live\OcHealthMon.exe
H:\WINDOWS\System32\svchost.exe
H:\WINDOWS\system32\svchost.exe
H:\Program Files\Microsoft Windows OneCare Live\Firewall\msfwsvc.exe
H:\Program Files\Microsoft Windows OneCare Live\winss.exe
H:\Program Files\Canon\CAL\CALMAIN.exe
H:\WINDOWS\system32\wscntfy.exe
H:\WINDOWS\System32\svchost.exe
H:\Program Files\Microsoft Windows OneCare Live\winssnotify.exe
H:\WINDOWS\system32\RUNDLL32.EXE
H:\Program Files\ASUS\AASP\1.00.23\aaCenter.exe
H:\Program Files\ASUS\Ai Suite\AiNap\AiNap.exe
H:\WINDOWS\system32\rundll32.exe
H:\Program Files\Analog Devices\Core\smax4pnp.exe
H:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe
H:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe
H:\Program Files\SlySoft\AnyDVD\AnyDVDtray.exe
H:\Program Files\Microsoft Money Plus\MNYCoreFiles\mnybbsvc.exe
H:\Program Files\IObit\Advanced SystemCare 3\AWC.exe
H:\WINDOWS\system32\ctfmon.exe
H:\Program Files\Simplify Media\SimplifyMedia.exe
H:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
H:\Program Files\Nike+ Utility\Nike+ Utility.exe
H:\Program Files\Dropbox\Dropbox.exe
H:\Program Files\palmOne\Hotsync.exe
H:\Program Files\2BrightSparks\SyncBack\SyncBack.exe
H:\Program Files\HP\Digital Imaging\bin\hpqSTE08.exe
H:\WINDOWS\explorer.exe
H:\WINDOWS\system32\notepad.exe
H:\WINDOWS\system32\rundll32.exe
H:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
O2 - BHO: HP Print Enhancer - {0347C33E-8762-4905-BF09-768834316C61} - H:\Program Files\HP\Smart Web Printing\hpswp_printenhancer.dll
O2 - BHO: HP Print Clips - {053F9267-DC04-4294-A72C-58F732D338C0} - H:\Program Files\HP\Smart Web Printing\hpswp_framework.dll
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - H:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: Groove GFS Browser Helper - {72853161-30C5-4D22-B7F9-0BBC1D38A37E} - H:\Program Files\Microsoft Office\Office12\GrooveShellExtensions.dll
O2 - BHO: Adobe PDF Conversion Toolbar Helper - {AE7CD045-E861-484f-8273-0445EE161910} - H:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll
O2 - BHO: Java™ Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - H:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - H:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - H:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE H:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [JMB36X IDE Setup] H:\WINDOWS\JM\JMInsIDE.exe
O4 - HKLM\..\Run: [JMB36X Configure] H:\WINDOWS\system32\JMRaidSetup.exe boot
O4 - HKLM\..\Run: [AsusServiceProvider] H:\Program Files\ASUS\AASP\1.00.23\aaCenter.exe
O4 - HKLM\..\Run: [Ai Nap] "H:\Program Files\ASUS\Ai Suite\AiNap\AiNap.exe"
O4 - HKLM\..\Run: [BluetoothAuthenticationAgent] rundll32.exe bthprops.cpl,,BluetoothAuthenticationAgent
O4 - HKLM\..\Run: [OneCareUI] "H:\Program Files\Microsoft Windows OneCare Live\winssnotify.exe"
O4 - HKLM\..\Run: [AppleSyncNotifier] H:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleSyncNotifier.exe
O4 - HKLM\..\Run: [SoundMAXPnP] H:\Program Files\Analog Devices\Core\smax4pnp.exe
O4 - HKLM\..\Run: [Google Desktop Search] "H:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe" /startup
O4 - HKLM\..\Run: [GrooveMonitor] "H:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe"
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE H:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKCU\..\Run: [AnyDVD] H:\Program Files\SlySoft\AnyDVD\AnyDVDtray.exe
O4 - HKCU\..\Run: [MoneyBackgoundBanking] "H:\Program Files\Microsoft Money Plus\MNYCoreFiles\mnybbsvc.exe"
O4 - HKCU\..\Run: [Advanced SystemCare 3] "H:\Program Files\IObit\Advanced SystemCare 3\AWC.exe" /startup
O4 - HKCU\..\Run: [ctfmon.exe] H:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [Simplify Media] "H:\Program Files\Simplify Media\SimplifyMedia.exe"
O4 - Startup: Dropbox.lnk = H:\Program Files\Dropbox\Dropbox.exe
O4 - Startup: HotSync Manager.LNK = H:\Program Files\palmOne\Hotsync.exe
O4 - Startup: SyncBack.lnk = H:\Program Files\2BrightSparks\SyncBack\SyncBack.exe
O4 - Global Startup: HP Digital Imaging Monitor.lnk = H:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
O4 - Global Startup: Nike+ Utility.lnk = H:\Program Files\Nike+ Utility\Nike+ Utility.exe
O8 - Extra context menu item: Append to existing PDF - res://H:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert link target to Adobe PDF - res://H:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert link target to existing PDF - res://H:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert selected links to Adobe PDF - res://H:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
O8 - Extra context menu item: Convert selected links to existing PDF - res://H:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
O8 - Extra context menu item: Convert selection to Adobe PDF - res://H:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert selection to existing PDF - res://H:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert to Adobe PDF - res://H:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://H:\PROGRA~1\MICROS~2\Office12\EXCEL.EXE/3000
O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - H:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - H:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra button: HP Clipbook - {58ECB495-38F0-49cb-A538-10282ABF65E7} - H:\Program Files\HP\Smart Web Printing\hpswp_extensions.dll
O9 - Extra button: HP Smart Select - {700259D7-1666-479a-93B1-3250410481E8} - H:\Program Files\HP\Smart Web Printing\hpswp_extensions.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - H:\PROGRA~1\MICROS~2\Office12\REFIEBAR.DLL
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - H:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - H:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - H:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - H:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {10E0E75E-6701-4134-9D95-C0942ED1F1C8} (Snapfish Outlook Import ActiveX Control) - http://www2.snapfish.com/SnapfishOutlookImport.cab
O16 - DPF: {406B5949-7190-4245-91A9-30A17DE16AD0} (Snapfish Activia) - http://www2.snapfish.com/SnapfishActivia.cab
O16 - DPF: {56762DEC-6B0D-4AB4-A8AD-989993B5D08B} - http://www.eset.eu/buxus/docs/OnlineScanner.cab
O16 - DPF: {A30FBBDC-FA29-4606-8565-14AADCCA6708} (Rite Aid One Hour Photo Online Control) - https://photos.riteaid.com/control/RiteAidO...PhotoOnline.cab
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (MSN Games - Installer) - http://cdn2.zone.msn.com/binFramework/v10/...ro.cab56649.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/shoc...ash/swflash.cab
O18 - Protocol: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - H:\Program Files\Microsoft Office\Office12\GrooveSystemServices.dll
O23 - Service: Apple Mobile Device - Apple Inc. - H:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Bonjour Service - Apple Inc. - H:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: Canon Camera Access Library 8 (CCALib8) - Canon Inc. - H:\Program Files\Canon\CAL\CALMAIN.exe
O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - H:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
O23 - Service: Google Desktop Manager 5.8.809.23506 (GoogleDesktopManager-092308-165331) - Google - H:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - H:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - H:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - H:\Program Files\Common Files\LightScribe\LSSrvc.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - H:\WINDOWS\system32\nvsvc32.exe
O23 - Service: stllssvr - MicroVision Development, Inc. - H:\Program Files\Common Files\SureThing Shared\stllssvr.exe

--
End of file - 10799 bytes


#6 fenzodahl512

  • Members
  • 6,738 posts
  • Local time:12:25 AM

Posted 02 May 2009 - 05:47 AM

Please download Malwarebytes' Anti-Malware from HERE or HERE

Note: If you already have Malwarebytes' Anti-Malware, just run and update it.. Then do a "Perform Full Scan"

Double Click mbam-setup.exe to install the application.
  • Make sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.
  • If an update is found, it will download and install the latest version.
  • Once the program has loaded, select "Perform Full Scan", then click Scan.
  • The scan may take some time to finish, so please be patient.
  • When the scan is complete, click OK, then Show Results to view the results.
  • Make sure that everything is checked, and click Remove Selected.
  • When disinfection is completed, a log will open in Notepad and you may be prompted to Restart. (See Extra Note)
  • The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
  • Copy&Paste the entire report in your next reply.
Extra Note:
If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts. Click OK to either and let MBAM proceed with the disinfection process. If asked to restart the computer, please do so immediately.



Please run a free online scan with the ESET Online Scanner
Note: You will need to use Internet Explorer for this scan.
  • Tick the box next to YES, I accept the Terms of Use.
  • Click Start
  • When asked, allow the ActiveX control to install
  • Click Start
  • Make sure that the options Remove found threats and the option Scan unwanted applications is checked
  • Click Scan
    Wait for the scan to finish
  • Use Notepad to open the logfile located at C:\Program Files\EsetOnlineScanner\log.txt
  • Copy and paste that log as a reply to this topic


Post me these logs in your next reply..
1. Malwarebytes'
2. ESET Online
3. How's the computer now? :thumbup2:

Keep calm, make it simple, use your brain, don't freak out, and you'll be just fine..
Awesomeness: When I get sad, I stop being sad and be awesome instead.. True story - Barney Stinson
Its gonna be legen.. wait for it.. dary! Cherish the pain, it means you're still alive


#7 Skyydream
  • Topic Starter
  • Members
  • 12 posts
  • Local time:09:25 AM

Posted 02 May 2009 - 04:24 PM

Everything seems to be working awe - wait for it - some.
(How I Met Your Mother is one of my favs).

Thank you so much - I really appreciate all your help!!

I have a question for you - my Microsoft OneCare subscription is going to expire (it was free - they are a customer), and ESET has given me a 1 year license for NOD32 antivirus.
What are your thoughts on this product? Is there a different AV software program you would recommend? Or perhaps something like Symantec, Trend or McAfee that also includes a firewall? I appreciate your feedback.


MBAM LOG:


Malwarebytes' Anti-Malware 1.36
Database version: 2067
Windows 5.1.2600 Service Pack 3

5/2/2009 9:43:06 AM
mbam-log-2009-05-02 (09-43-06).txt

Scan type: Full Scan (H:\|I:\|J:\|)
Objects scanned: 278783
Time elapsed: 1 hour(s), 2 minute(s), 36 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 1
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\UpdatesDisableNotify (Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)




ESET LOG

# version=4
# OnlineScanner.ocx=1.0.0.635
# OnlineScannerDLLA.dll=1, 0, 0, 79
# OnlineScannerDLLW.dll=1, 0, 0, 78
# OnlineScannerUninstaller.exe=1, 0, 0, 49
# vers_standard_module=4049 (20090501)
# vers_arch_module=1.064 (20080214)
# vers_adv_heur_module=1.066 (20070917)
# EOSSerial=7b25547eeafc1644a43c413e6a123f27
# end=finished
# remove_checked=true
# unwanted_checked=true
# utc_time=2009-05-02 09:13:43
# local_time=2009-05-02 02:13:43 (-0800, Pacific Daylight Time)
# country="United States"
# osver=5.1.2600 NT Service Pack 3
# scanned=494587
# found=14
# scan_time=5818
H:\Qoobox\Quarantine\H\WINDOWS\system32\adupuhow.ini.vir Win32/Adware.Virtumonde.NEO~datafile application (unable to clean - deleted) 00000000000000000000000000000000
H:\Qoobox\Quarantine\H\WINDOWS\system32\akosugat.ini.vir Win32/Adware.Virtumonde.NEO~datafile application (unable to clean - deleted) 00000000000000000000000000000000
H:\Qoobox\Quarantine\H\WINDOWS\system32\ipitodut.ini.vir Win32/Adware.Virtumonde.NEO~datafile application (unable to clean - deleted) 00000000000000000000000000000000
H:\Qoobox\Quarantine\H\WINDOWS\system32\ojivebun.ini.vir Win32/Adware.Virtumonde.NEO~datafile application (unable to clean - deleted) 00000000000000000000000000000000
H:\Qoobox\Quarantine\H\WINDOWS\system32\ugagadat.ini.vir Win32/Adware.Virtumonde.NEO~datafile application (unable to clean - deleted) 00000000000000000000000000000000
H:\Qoobox\Quarantine\H\WINDOWS\system32\uzajafoy.ini.vir Win32/Adware.Virtumonde.NEO~datafile application (unable to clean - deleted) 00000000000000000000000000000000
H:\System Volume Information\_restore{406F7247-47CC-422D-8686-648AE03766E3}\RP13\A0001909.ini Win32/Adware.Virtumonde.NEO~datafile application (unable to clean - deleted) 00000000000000000000000000000000
H:\System Volume Information\_restore{406F7247-47CC-422D-8686-648AE03766E3}\RP15\A0001922.ini Win32/Adware.Virtumonde.NEO~datafile application (unable to clean - deleted) 00000000000000000000000000000000
H:\System Volume Information\_restore{406F7247-47CC-422D-8686-648AE03766E3}\RP27\A0003710.ini Win32/Adware.Virtumonde.NEO~datafile application (unable to clean - deleted) 00000000000000000000000000000000
H:\System Volume Information\_restore{406F7247-47CC-422D-8686-648AE03766E3}\RP27\A0003711.ini Win32/Adware.Virtumonde.NEO~datafile application (unable to clean - deleted) 00000000000000000000000000000000
H:\System Volume Information\_restore{406F7247-47CC-422D-8686-648AE03766E3}\RP27\A0003712.ini Win32/Adware.Virtumonde.NEO~datafile application (unable to clean - deleted) 00000000000000000000000000000000
H:\System Volume Information\_restore{406F7247-47CC-422D-8686-648AE03766E3}\RP27\A0003713.ini Win32/Adware.Virtumonde.NEO~datafile application (unable to clean - deleted) 00000000000000000000000000000000
H:\System Volume Information\_restore{406F7247-47CC-422D-8686-648AE03766E3}\RP27\A0003714.ini Win32/Adware.Virtumonde.NEO~datafile application (unable to clean - deleted) 00000000000000000000000000000000
H:\System Volume Information\_restore{406F7247-47CC-422D-8686-648AE03766E3}\RP27\A0003715.ini Win32/Adware.Virtumonde.NEO~datafile application (unable to clean - deleted) 00000000000000000000000000000000
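To make sense of an ESET Online Scanner log like the one above, here is an added example (not code from the thread or from ESET) that parses the posted format and sorts each finding by where the file sat: in ComboFix's Qoobox quarantine, in a System Restore snapshot, or in a live location. The sample log inside it is constructed in the same format, and its third result line is hypothetical, added only to show what a live-location hit would look like.

```python
# Added example: parse an ESET Online Scanner log (the '# key=value' header
# plus one result line per finding) and classify findings by location.
import re
from collections import Counter

# Constructed excerpt in the posted format.  The third result line is
# hypothetical, to show how a hit outside quarantine/restore points looks.
SAMPLE_LOG = r"""# version=4
# found=3
# scan_time=5818
H:\Qoobox\Quarantine\H\WINDOWS\system32\adupuhow.ini.vir Win32/Adware.Virtumonde.NEO~datafile application (unable to clean - deleted) 00000000000000000000000000000000
H:\System Volume Information\_restore{406F7247-47CC-422D-8686-648AE03766E3}\RP13\A0001909.ini Win32/Adware.Virtumonde.NEO~datafile application (unable to clean - deleted) 00000000000000000000000000000000
H:\WINDOWS\system32\example.dll Win32/Adware.Virtumonde.NEO application (cleaned by deleting) 00000000000000000000000000000000
"""

# One result line: <path> <threat> <kind> (<action>) <32-hex hash>.  The path
# may contain spaces, so the pattern is anchored on the trailing fields.
RESULT_RE = re.compile(
    r"^(?P<path>.+?) (?P<threat>\S+) (?P<kind>\S+) \((?P<action>[^)]*)\) "
    r"(?P<hash>[0-9a-fA-F]{32})$"
)

def classify(path: str) -> str:
    """Where the file lived; only 'active' points at a live infection."""
    p = path.lower()
    if "\\qoobox\\quarantine\\" in p:
        return "combofix_quarantine"  # copy already neutralised by ComboFix
    if "\\system volume information\\_restore" in p:
        return "restore_point"  # System Restore snapshot; inert unless restored
    return "active"

def parse_log(text: str):
    """Return (header dict, list of finding dicts) from the raw log text."""
    header, findings = {}, []
    for line in filter(None, map(str.strip, text.splitlines())):
        if line.startswith("#"):
            key, _, value = line[1:].partition("=")
            header[key.strip()] = value.strip()
            continue
        m = RESULT_RE.match(line)
        if not m:
            raise ValueError(f"unrecognised result line: {line!r}")
        finding = m.groupdict()
        finding["location"] = classify(finding["path"])
        findings.append(finding)
    return header, findings

def summarize(text: str) -> dict:
    """Counts by location plus the paths that still need attention."""
    header, findings = parse_log(text)
    declared = int(header.get("found", len(findings)))
    return {
        "complete": declared == len(findings),  # header count matches lines seen
        "by_location": dict(Counter(f["location"] for f in findings)),
        "active_paths": [f["path"] for f in findings if f["location"] == "active"],
    }
```

Run against the full log posted above, every finding lands in the quarantine or restore-point buckets, which is why the scan result is consistent with the machine already being clean.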

#8 fenzodahl512

  • Members
  • 6,738 posts
  • Local time:12:25 AM

Posted 02 May 2009 - 07:30 PM

I have a question for you - my Microsoft OneCare subscription is going to expire (it was free - they are a customer), and ESET has given me a 1 year license for NOD32 antivirus.


Go for ESET.. It's one of the best antivirus programs I know.. If you can get the ESET Smart Security 4 it would be better.. :thumbup2:

Well, I asked you to run ESET Online Scanner before :)

Let's do some cleanup...


Please download OTCleanIt and save it to Desktop.
  • Make sure you have internet connection..
  • Double-click OTCleanIt.exe
  • Click the CleanUp! button.
  • Select Yes when the "Begin cleanup Process?" prompt appears.
  • If you are prompted to Reboot during the cleanup, select Yes


Please read these excellent articles written by my friends:
Preventing Malware and Safe Computing by Rorschach112
What makes your machine slow? by Artellos


Also, please read these excellent articles by miekiemoes :
Help! My computer is slow!
How to prevent Malware


Read this great info about safe internet surfing..

http://www.pcpitstop.com/spycheck/safesurfing.asp
http://bluefive.pair.com/practice_safe_surfing.htm




Please reply to this thread once more and tell us about the computer behaviour before we can close this thread :step4:



Have a safe and happy computing day!


Regards
fenzodahl512



#9 Skyydream
  • Topic Starter
  • Members
  • 12 posts
  • Local time:09:25 AM

Posted 03 May 2009 - 12:50 PM

Thank you - everything seems to be working well - and I appreciate the information links.
One strange thing -

I cannot seem to turn on Automatic Updates (OneCare shows it as not on.. and I cannot do it through either their interface or using Control Panel). It will be ON for a few minutes, then turn back off.
Any suggestions?

#10 fenzodahl512

  • Members
  • 6,738 posts
  • Local time:12:25 AM

Posted 03 May 2009 - 01:39 PM

Go to Start >> Run >> Copy/paste below (once for each line) >> Enter

regsvr32 wuapi.dll
regsvr32 wuaueng.dll
regsvr32 atl.dll
regsvr32 wucltui.dll
regsvr32 wups.dll


Reboot your computer.. Can you run Windows Update now?

Edited by fenzodahl512, 03 May 2009 - 01:40 PM.



#11 Skyydream
  • Topic Starter
  • Members
  • 12 posts
  • Local time:09:25 AM

Posted 03 May 2009 - 04:15 PM

Great! Thank you! Everything seems to be working great! I am very thankful for all your help!!!



- WW



