Infected with Virtumonde?? Popups and slow perf


14 replies to this topic

#1 penelopet

penelopet

  • Members
  • 7 posts
  • OFFLINE
  • Local time:05:27 PM

Posted 15 November 2009 - 12:24 AM

Hello, recently I've had terribly slow performance, popups & freezing while browsing the web; and now Windows takes forever to load when I turn the system on. As you can probably tell by my logs I've tried every anti-spyware, anti-malware, anti-trojan program I can think of, and every time I run them (which takes forever) they find something, usually Virtumonde...but they can never clean it out. Some programs just hang while on the cleaning phase (e.g. AVG) and others tell me to restart the system to finish cleaning...but once I do the problems persist. Thanks so much in advance for any help.


DDS (Ver_09-10-26.01) - NTFSx86
Run by Owner at 0:01:45.46 on Sun 11/15/2009
Internet Explorer: 7.0.5730.13 BrowserJavaVersion: 1.6.0_13
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.510.61 [GMT -5:00]

AV: AVG Anti-Virus Free *On-access scanning enabled* (Updated) {17DDD097-36FF-435F-9E1B-52D74245D6BF}
AV: Symantec AntiVirus Corporate Edition *On-access scanning enabled* (Updated) {FB06448E-52B8-493A-90F3-E43226D3305C}

============== Running Processes ===============

C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
C:\WINDOWS\system32\svchost.exe -k WudfServiceGroup
C:\Program Files\AVG\AVG9\avgchsvx.exe
C:\Program Files\AVG\AVG9\avgrsx.exe
svchost.exe
C:\Program Files\AVG\AVG9\avgcsrvx.exe
svchost.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\Program Files\Lavasoft\Ad-Aware\AAWService.exe
C:\WINDOWS\system32\spoolsv.exe
svchost.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\AVG\AVG9\avgwdsvc.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Symantec AntiVirus\DefWatch.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Common Files\New Boundary\PrismXL\PRISMXL.SYS
C:\Program Files\CyberLink\Shared Files\RichVideo.exe
C:\Program Files\AVG\AVG9\avgnsx.exe
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\Program Files\Symantec AntiVirus\Rtvscan.exe
C:\Program Files\Viewpoint\Common\ViewpointService.exe
C:\PROGRA~1\COMMON~1\AOL\AOLSPY~1\AOLSP Scheduler.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\Program Files\Musicmatch\Musicmatch Jukebox\mm_tray.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\PROGRA~1\SYMANT~1\VPTray.exe
C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
C:\Program Files\CyberLink\PCM4Everio\EverioService.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\PROGRA~1\AVG\AVG9\avgtray.exe
C:\Program Files\Musicmatch\Musicmatch Jukebox\mim.exe
C:\Program Files\Musicmatch\Musicmatch Jukebox\MMDiag.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Skype\Phone\Skype.exe
C:\Program Files\BigFix\BigFix.exe
C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Skype\Plugin Manager\skypePM.exe
C:\Program Files\Lavasoft\Ad-Aware\AAWTray.exe
C:\Documents and Settings\Owner\Local Settings\Application Data\Google\Chrome\Application\chrome.exe
C:\Documents and Settings\Owner\Local Settings\Application Data\Google\Chrome\Application\chrome.exe
C:\Documents and Settings\Owner\Desktop\dds.scr

============== Pseudo HJT Report ===============

uStart Page = hxxp://www.yahoo.com/
uInternet Connection Wizard,ShellNext = hxxp://www.gateway.com/
uURLSearchHooks: H - No File
mURLSearchHooks: H - No File
BHO: AcroIEHlprObj Class: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\adobe\acrobat 7.0\activex\AcroIEHelper.dll
BHO: AVG Safe Search: {3ca2f312-6f6e-4b53-a66e-4e65e497c8c0} - c:\program files\avg\avg9\avgssie.dll
BHO: {53707962-6f74-2d53-2644-206d7942484f} - c:\program files\spybot - search & destroy\SDHelper.dll
BHO: Google Toolbar Helper: {aa58ed58-01dd-4d91-8333-cf10577473f7} - c:\program files\google\googletoolbar1.dll
BHO: Google Toolbar Notifier BHO: {af69de43-7d58-4638-b6fa-ce66b5ad205d} - c:\program files\google\googletoolbarnotifier\5.1.1309.3572\swg.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
TB: &Google: {2318c2b1-4965-11d4-9b18-009027a5cd4f} - c:\program files\google\googletoolbar1.dll
TB: AIM Toolbar: {de9c389f-3316-41a7-809b-aa305ed9d922} - c:\program files\aol\aim toolbar 5.0\aoltb.dll
TB: {0B53EAC3-8D69-4B9E-9B19-A37C9A5676A7} - No File
TB: Yahoo! Toolbar: {ef99bd32-c1fb-11d2-892f-0090271d4f88} -
TB: {4982D40A-C53B-4615-B15B-B5B5E98D167C} - No File
EB: Real.com: {fe54fa40-d68c-11d2-98fa-00c0f0318afe} - c:\windows\system32\Shdocvw.dll
uRun: [MSMSGS] "c:\program files\messenger\msmsgs.exe" /background
uRun: [Aim6]
uRun: [SpybotSD TeaTimer] c:\program files\spybot - search & destroy\TeaTimer.exe
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRun: [Google Update] "c:\documents and settings\owner\local settings\application data\google\update\GoogleUpdate.exe" /c
uRun: [Skype] "c:\program files\skype\phone\Skype.exe" /nosplash /minimized
uRunOnce: [Shockwave Updater] c:\windows\system32\adobe\shockwave 11\SwHelper_1150596.exe -Update -1150596 -"Mozilla/5.0_(Windows;_U;_Windows_NT_5.1;_en-US)_AppleWebKit/530.5_(KHTML,_like_Gecko)_Chrome/2.0.172.43_Safari/530.5" -"http://woz.commtechlab.msu.edu/courses/447sp04/oregontrail/play.htm"
mRun: [AOL Spyware Protection] "c:\progra~1\common~1\aol\aolspy~1\AOLSP Scheduler.exe"
mRun: [NeroFilterCheck] c:\windows\system32\NeroCheck.exe
mRun: [SynTPLpr] c:\program files\synaptics\syntp\SynTPLpr.exe
mRun: [SynTPEnh] c:\program files\synaptics\syntp\SynTPEnh.exe
mRun: [RemoteControl] "c:\program files\cyberlink\powerdvd\PDVDServ.exe"
mRun: [Recguard] %WINDIR%\SMINST\RECGUARD.EXE
mRun: [ATIPTA] c:\program files\ati technologies\ati control panel\atiptaxx.exe
mRun: [IMJPMIG8.1] "c:\windows\ime\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32
mRun: [MSPY2002] c:\windows\system32\ime\pintlgnt\ImScInst.exe /SYNC
mRun: [PHIME2002ASync] c:\windows\system32\ime\tintlgnt\TINTSETP.EXE /SYNC
mRun: [PHIME2002A] c:\windows\system32\ime\tintlgnt\TINTSETP.EXE /IMEName
mRun: [MimBoot] c:\progra~1\musicm~1\musicm~2\mimboot.exe
mRun: [MMTray] "c:\program files\musicmatch\musicmatch jukebox\mm_tray.exe"
mRun: [ccApp] "c:\program files\common files\symantec shared\ccApp.exe"
mRun: [vptray] c:\progra~1\symant~1\VPTray.exe
mRun: [HP Software Update] "c:\program files\hp\hp software update\HPWuSchd2.exe"
mRun: [EverioService] "c:\program files\cyberlink\pcm4everio\EverioService.exe"
mRun: [CloneDVDElbyDelay] "c:\program files\elaborate bytes\clonedvd\ElbyCheck.exe" /L ElbyDelay
mRun: [ElbyCheckAnyDVD] "c:\program files\slysoft\anydvd\ElbyCheck.exe" /L AnyDVD
mRun: [QuickTime Task] "c:\program files\quicktime\qttask.exe" -atboottime
mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe"
mRun: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
mRun: [AVG9_TRAY] c:\progra~1\avg\avg9\avgtray.exe
mRun: [Malwarebytes Anti-Malware (reboot)] "c:\program files\malwarebytes' anti-malware\MBh2TkmCX.exe" /runcleanupscript
mRun: [TrojanScanner] c:\program files\trojan remover\Trjscan.exe /boot
mRun: [lihesagup] Rundll32.exe "c:\windows\system32\zugovela.dll",a
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\bigfix.lnk - c:\program files\bigfix\BigFix.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\hpdigi~1.lnk - c:\program files\hp\digital imaging\bin\hpqtra08.exe
uPolicies-system: RunStartupScriptSync = 1 (0x1)
mPolicies-system: RunStartupScriptSync = 1 (0x1)
IE: &AOL Toolbar Search - c:\program files\aol\aim toolbar 5.0\resources\en-us\local\search.html
IE: E&xport to Microsoft Excel - c:\progra~1\micros~3\office11\EXCEL.EXE/3000
IE: {3AD14F0C-ED16-4e43-B6D8-661B03F6A1EF} - c:\program files\pokerstars\PokerStarsUpdate.exe
IE: {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - c:\program files\aim\aim.exe
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {3369AF0D-62E9-4bda-8103-B4C75499B578} - {DE9C389F-3316-41A7-809B-AA305ED9D922} - c:\program files\aol\aim toolbar 5.0\aoltb.dll
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~3\office12\REFIEBAR.DLL
IE: {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - {FE54FA40-D68C-11d2-98FA-00C0F0318AFE} - c:\windows\system32\Shdocvw.dll
Trusted Zone: musicmatch.com\online
DPF: {05CA9FB0-3E3E-4B36-BF41-0E3A5CAA8CD8} - hxxp://go.microsoft.com/fwlink/?linkid=58813
DPF: {25365FF3-2746-4230-9DA7-163CCA318309} - hxxp://inst.c-wss.com/117p/html/gtdownlr.cab
DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} - hxxp://download.mcafee.com/molbin/shared/mcinsctl/4,0,0,101/mcinsctl.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_13-windows-i586.cab
DPF: {BB21F850-63F4-4EC9-BF9D-565BD30C9AE9} - hxxp://ax.emsisoft.com/asquared.cab
DPF: {BCC0FF27-31D9-4614-A68E-C18E1ADA4389} - hxxp://download.mcafee.com/molbin/shared/mcgdmgr/1,0,0,26/mcgdmgr.cab
DPF: {C68F9105-04FD-4B48-B6CC-2A076F711C35} - file://e:\memdisc\album_a\view\plugin\HPODPCFC.CAB
DPF: {CAFEEFAC-0016-0000-0006-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_06-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_07-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0013-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_13-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_13-windows-i586.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
Handler: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - c:\program files\avg\avg9\avgpp.dll
Handler: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - c:\progra~1\common~1\skype\SKYPE4~1.DLL
Notify: AtiExtEvent - Ati2evxx.dll
Notify: avgrsstarter - avgrsstx.dll
Notify: NavLogon - c:\windows\system32\NavLogon.dll
AppInit_DLLs: c:\windows\system32\zugovela.dll,relereni.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
SSODL: peluteham - {0fc2d4b0-c56d-465f-8eeb-9d5228176889} - No File
SSODL: sayuzezem - {2f552620-c165-4caa-a49e-0e9da2396a18} - c:\windows\system32\zugovela.dll
STS: {1075ad05-38b6-429e-8dfa-fba71091806c} - No File
STS: {2c728fb3-df59-4ab6-b2fa-f8dd9d049b24} - No File
STS: {1b08d499-0606-4b01-b5ee-6afa2c55dbca} - No File
STS: {c4e36ca0-b6b8-4b89-b565-a3a0da5b8bf5} - No File
STS: tokatiluy: {2f552620-c165-4caa-a49e-0e9da2396a18} - c:\windows\system32\zugovela.dll
LSA: Notification Packages = scecli loganoye.dll gapedalu.dll

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\owner\applic~1\mozilla\firefox\profiles\kicmwawa.default\
FF - prefs.js: browser.startup.homepage - hxxp://my.yahoo.com/
FF - prefs.js: keyword.URL - hxxp://www.ask.com/web?o=101447&l=dis&q=
FF - component: c:\program files\avg\avg9\firefox\components\avgssff.dll
FF - plugin: c:\documents and settings\owner\application data\mozilla\firefox\profiles\kicmwawa.default\extensions\moveplayer@movenetworks.com\platform\winnt_x86-msvc\plugins\npmnqmp071101000055.dll
FF - plugin: c:\program files\google\google updater\2.4.1536.6592\npCIDetect13.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npJoostPlugin.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npViewpoint.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npvirtools.dll
FF - plugin: c:\program files\picasa2\npPicasa2.dll
FF - plugin: c:\program files\viewpoint\viewpoint media player\npViewpoint.dll
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0006-ABCDEFFEDCBA}
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA}

---- FIREFOX POLICIES ----
FF - user.js: yahoo.homepage.dontask - true
============= SERVICES / DRIVERS ===============

R0 Lbd;Lbd;c:\windows\system32\drivers\Lbd.sys [2009-11-11 64288]
R1 AvgLdx86;AVG Free AVI Loader Driver x86;c:\windows\system32\drivers\avgldx86.sys [2009-11-8 333192]
R1 AvgTdiX;AVG Free Network Redirector;c:\windows\system32\drivers\avgtdix.sys [2009-11-8 360584]
R2 avg9wd;AVG Free WatchDog;c:\program files\avg\avg9\avgwdsvc.exe [2009-11-8 285392]
R2 Lavasoft Ad-Aware Service;Lavasoft Ad-Aware Service;c:\program files\lavasoft\ad-aware\AAWService.exe [2009-9-24 1179232]
R2 Viewpoint Manager Service;Viewpoint Manager Service;c:\program files\viewpoint\common\ViewpointService.exe [2008-11-20 24652]
S3 ICAM3NT5;Intel USB Video Camera III;c:\windows\system32\drivers\Icam3.sys [2006-8-6 141056]
S3 MBAMCatchMe;MBAMCatchMe;\??\c:\windows\system32\drivers\mbamcatchme.sys --> c:\windows\system32\drivers\mbamcatchme.sys [?]
S3 MotDev;Motorola Inc. USB Device;c:\windows\system32\drivers\motodrv.sys [2007-5-4 40832]
S3 SavRoam;SAVRoam;c:\program files\symantec antivirus\SavRoam.exe [2004-8-2 173392]
S3 SMSIVZAM5;SMSIVZAM5 NDIS Protocol Driver;c:\progra~1\verizo~1\vzacce~1\SMSIVZAM5.SYS [2009-3-20 32408]
S3 UCharger;Energizer Usb Charger Driver;c:\windows\system32\drivers\UCharger.sys [2007-5-15 13765]

=============== Created Last 30 ================

2009-11-13 02:52:12 77312 ----a-w- c:\windows\system32\ztvunace26.dll
2009-11-13 02:52:12 75264 ----a-w- c:\windows\system32\unacev2.dll
2009-11-13 02:52:12 69632 ----a-w- c:\windows\system32\ztvcabinet.dll
2009-11-13 02:52:12 162304 ----a-w- c:\windows\system32\ztvunrar36.dll
2009-11-13 02:52:12 153088 ----a-w- c:\windows\system32\UNRAR3.dll
2009-11-13 02:52:00 0 d-----w- c:\program files\Trojan Remover
2009-11-13 02:52:00 0 d-----w- c:\docume~1\owner\applic~1\Simply Super Software
2009-11-13 02:52:00 0 d-----w- c:\docume~1\alluse~1\applic~1\Simply Super Software
2009-11-12 13:14:53 0 d-----w- C:\VundoFix Backups
2009-11-12 13:14:11 78336 ----a-w- c:\windows\system32\Agent.OMZ.Fix.exe
2009-11-12 13:14:08 80384 ----a-w- c:\windows\system32\o4Patch.exe
2009-11-12 13:14:06 82944 ----a-w- c:\windows\system32\IEDFix.C.exe
2009-11-12 13:14:04 82432 ----a-w- c:\windows\system32\404Fix.exe
2009-11-12 13:14:01 82944 ----a-w- c:\windows\system32\IEDFix.exe
2009-11-12 13:13:58 79360 ----a-w- c:\windows\system32\swxcacls.exe
2009-11-12 13:13:56 53248 ----a-w- c:\windows\system32\Process.exe
2009-11-12 13:13:56 135168 ----a-w- c:\windows\system32\swreg.exe
2009-11-11 17:46:35 15880 ----a-w- c:\windows\system32\lsdelete.exe
2009-11-11 16:56:33 64288 ----a-w- c:\windows\system32\drivers\Lbd.sys
2009-11-11 16:56:06 93360 ----a-w- c:\windows\system32\drivers\SBREDrv.sys
2009-11-11 16:51:25 0 dc-h--w- c:\docume~1\alluse~1\applic~1\{CFBD8779-FAAB-4357-84F2-1EC8619FADA6}
2009-11-11 16:50:11 0 d-----w- c:\program files\Lavasoft
2009-11-10 20:02:51 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2009-11-10 20:02:49 19160 ----a-w- c:\windows\system32\drivers\mbam.sys
2009-11-10 20:02:49 0 d-----w- c:\program files\Malwarebytes' Anti-Malware
2009-11-09 02:04:20 48 ---ha-w- c:\windows\system32\ezsidmv.dat
2009-11-09 02:00:25 0 d-----r- c:\program files\Skype
2009-11-08 17:17:33 0 d--h--w- C:\$AVG
2009-11-08 17:17:06 12464 ----a-w- c:\windows\system32\avgrsstx.dll
2009-11-08 17:17:05 360584 ----a-w- c:\windows\system32\drivers\avgtdix.sys
2009-11-08 17:16:59 333192 ----a-w- c:\windows\system32\drivers\avgldx86.sys
2009-11-08 17:16:47 0 d-----w- c:\windows\system32\drivers\Avg
2009-11-08 17:16:21 0 d-----w- c:\program files\AVG
2009-11-08 17:16:18 0 d-----w- c:\docume~1\alluse~1\applic~1\avg9
2009-10-27 03:32:46 0 d-----w- c:\docume~1\owner\applic~1\Verizon Wireless
2009-10-27 03:30:37 0 d-----w- c:\docume~1\alluse~1\applic~1\Verizon Wireless
2009-10-27 03:30:31 0 d-----w- c:\program files\Verizon Wireless
2009-10-27 03:28:31 24832 ----a-w- c:\windows\system32\drivers\lgusbmodem.sys
2009-10-27 03:28:30 19968 ----a-w- c:\windows\system32\drivers\lgusbdiag.sys
2009-10-27 03:28:30 13056 ----a-w- c:\windows\system32\drivers\lgusbbus.sys
2009-10-27 03:28:24 0 d-----w- c:\program files\LG Electronics

==================== Find3M ====================

2009-11-12 13:24:41 5500 ----a-w- c:\windows\system32\tmp.reg
2009-09-11 14:18:39 136192 ----a-w- c:\windows\system32\msv1_0.dll
2009-09-04 21:03:36 58880 ----a-w- c:\windows\system32\msasn1.dll
2009-08-29 07:36:27 832512 ----a-w- c:\windows\system32\wininet.dll
2009-08-29 07:36:24 78336 ----a-w- c:\windows\system32\ieencode.dll
2009-08-29 07:36:24 17408 ----a-w- c:\windows\system32\corpol.dll
2009-08-26 08:00:21 247326 ----a-w- c:\windows\system32\strmdll.dll
2009-08-15 02:21:39 38912 --sha-w- c:\windows\system32\bebufizu.dll
2009-08-15 02:21:39 51712 --sha-w- c:\windows\system32\dupefomu.dll
2009-08-15 02:22:47 51712 --sha-w- c:\windows\system32\gapedalu.dll
2009-08-13 07:03:04 89600 --sha-w- c:\windows\system32\luvoneme.dll
2009-08-13 07:03:04 39424 --sha-w- c:\windows\system32\poliwape.dll
2009-08-15 02:22:47 51712 --sha-w- c:\windows\system32\relereni.dll
2009-08-15 02:22:47 51712 --sha-w- c:\windows\system32\vohejido.dll
2009-08-10 19:01:55 51712 --sha-w- c:\windows\system32\yigupowo.dll
2009-08-15 02:21:39 61440 --sha-w- c:\windows\system32\yikotoya.dll
2009-08-12 19:02:55 38912 --sha-w- c:\windows\system32\zehekilo.dll
2009-08-15 02:21:39 89600 --sha-w- c:\windows\system32\zugovela.dll
2009-05-22 13:31:08 32768 --sha-w- c:\windows\system32\config\systemprofile\local settings\history\history.ie5\mshist012009052220090523\index.dat

============= FINISH: 0:03:20.96 ===============
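As an added illustration (not code from this thread, DDS or MBAM), a small Python triage script that walks "Pseudo HJT Report" lines like those above and flags the persistence entries a responder reads first: AppInit_DLLs, SSODL, STS (SharedTaskScheduler), LSA notification packages and Run keys that load DLLs with the Vundo-style alternating consonant/vowel names seen in this log (zugovela, peluteham, lihesagup). The function names and the alternating-letters heuristic are my own assumptions; the sample lines are copied from the log posted here with a few benign entries for contrast.

```python
import re

VOWELS = set("aeiou")
# LSA notification packages legitimately present on a stock Windows XP install.
KNOWN_LSA_PACKAGES = {"scecli"}

# Constructed sample: entries copied from the DDS log in this thread plus
# benign lines (ctfmon, ccApp, NavLogon, WPDShServiceObj) for contrast.
SAMPLE_REPORT = r"""
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
mRun: [ccApp] "c:\program files\common files\symantec shared\ccApp.exe"
mRun: [lihesagup] Rundll32.exe "c:\windows\system32\zugovela.dll",a
Notify: NavLogon - c:\windows\system32\NavLogon.dll
AppInit_DLLs: c:\windows\system32\zugovela.dll,relereni.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
SSODL: peluteham - {0fc2d4b0-c56d-465f-8eeb-9d5228176889} - No File
SSODL: sayuzezem - {2f552620-c165-4caa-a49e-0e9da2396a18} - c:\windows\system32\zugovela.dll
STS: {1075ad05-38b6-429e-8dfa-fba71091806c} - No File
STS: tokatiluy: {2f552620-c165-4caa-a49e-0e9da2396a18} - c:\windows\system32\zugovela.dll
LSA: Notification Packages = scecli loganoye.dll gapedalu.dll
"""


def looks_autogenerated(name):
    """Heuristic (assumption): the Vundo-style names in this log (zugovela,
    peluteham, lihesagup, ...) are lowercase, at least 7 letters, and strictly
    alternate consonant and vowel ('y' counted as a consonant).  A naming
    pattern only, not a verdict."""
    if len(name) < 7 or not name.isalpha() or not name.islower():
        return False
    return all((a in VOWELS) != (b in VOWELS) for a, b in zip(name, name[1:]))


def stem(path):
    """'c:\\windows\\system32\\zugovela.dll' -> 'zugovela'."""
    base = path.strip('"').replace("/", "\\").rsplit("\\", 1)[-1]
    return base.rsplit(".", 1)[0]


def triage_dds(report):
    """Return (tag, subject, reason) triples for entries worth a closer look.
    AppInit_DLLs and LSA packages are lists, so they yield one finding per DLL."""
    findings = []
    for raw in report.splitlines():
        tag, sep, rest = raw.strip().partition(": ")
        if not sep:
            continue
        if tag == "AppInit_DLLs":
            # Every DLL listed here is loaded into each process that maps user32.
            for dll in filter(None, (d.strip() for d in rest.split(","))):
                findings.append((tag, dll, "injected into every user32 process"))
        elif tag == "LSA":
            _, _, pkgs = rest.partition("=")
            for pkg in pkgs.split():
                if stem(pkg) not in KNOWN_LSA_PACKAGES:
                    findings.append((tag, pkg, "unknown LSA notification package (sees password changes)"))
        elif tag in ("SSODL", "STS"):
            parts = [p.strip() for p in rest.split(" - ")]
            if len(parts) < 2:
                continue
            name, target = parts[0].split(":")[0].strip(), parts[-1]
            if target == "No File" and looks_autogenerated(name):
                findings.append((tag, name, "orphaned entry with autogenerated name"))
            elif looks_autogenerated(stem(target)) or looks_autogenerated(name):
                findings.append((tag, name, "loads autogenerated DLL " + target))
        elif tag == "Notify":
            name, _, dll = rest.partition(" - ")
            if looks_autogenerated(stem(dll)):
                findings.append((tag, name, "winlogon notify loads autogenerated DLL " + dll))
        elif tag.endswith("Run") or tag.endswith("RunOnce"):
            m = re.match(r"\[(.*?)\]\s*(.*)", rest)
            if not m:
                continue
            name, cmd = m.group(1), m.group(2)
            dlls = re.findall(r'[^\s",]+\.dll', cmd, flags=re.I)
            if "rundll32" in cmd.lower() and any(looks_autogenerated(stem(d)) for d in dlls):
                findings.append((tag, name, "rundll32 loads autogenerated DLL " + ", ".join(dlls)))
            elif looks_autogenerated(name):
                findings.append((tag, name, "autogenerated value name"))
    return findings


def suspect_dlls(report):
    """Unique DLL file names referenced by the findings: the list to look up
    next (in this log they all appear as --sha-w- files under Find3M)."""
    names = set()
    for _tag, subject, reason in triage_dds(report):
        for d in re.findall(r'[^\s\\",]+\.dll', subject + " " + reason, flags=re.I):
            names.add(d.lower())
    return sorted(names)


if __name__ == "__main__":
    for tag, subject, reason in triage_dds(SAMPLE_REPORT):
        print(f"{tag:<13} {subject:<40} {reason}")
    print("DLLs to look up:", ", ".join(suspect_dlls(SAMPLE_REPORT)))
```

The heuristic is tuned to the naming pattern in this particular log; a real review still confirms each hit against the file's timestamp, attributes and the MBAM detection name before anything is removed.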



#2 SifuMike

SifuMike

    malware expert


  • Staff Emeritus
  • 15,385 posts
  • OFFLINE
  • Gender:Male
  • Location:Vancouver (not BC) WA (Not DC) USA
  • Local time:03:27 PM

Posted 22 November 2009 - 05:54 PM

Hello penelopet,

I (as well as Microsoft, McAfee and Symantec) recommend that you DO NOT have more than one antivirus product installed and running on your computer at a time.

The reason for this is that if both products have their automatic (Real-Time) protection switched on, then those products which do not encrypt the virus strings within them can cause other anti virus products to cause "false alarms".

It can also lead to a clash as both products fight for access to files which are opened; again, this is the resident/automatic protection.

In general terms, the two programs may conflict and cause:

1) False Alarms: When the anti virus software tells you that your PC has a virus when it actually doesn't.
2) System Performance Problems: Your system may lock up due to both products attempting to access the same file at the same time.

Therefore please go to add/remove in the control panel and remove one of these.
AVG Anti-Virus or Symantec AntiVirus Corporate Edition.

**********************

Download Security Check by screen317 from here or here.
Save it to your Desktop.
Double click SecurityCheck.exe and follow the onscreen instructions inside of the black box.
A Notepad document should open automatically called checkup.txt.
Please post the contents of that document.

**********************

Note: If you already have Malwarebytes' Anti-Malware, then update, run it, then do a "Perform Full Scan"

Please download Malwarebytes' Anti-Malware from one of these places:
http://download.cnet.com/Malwarebytes-Anti...&tag=button
http://www.majorgeeks.com/Malwarebytes_Ant...ware_d5756.html
http://www.besttechie.net/mbam/mbam-setup.exe

Double Click mbam-setup.exe to install the application.

* Make sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.
* If an update is found, it will download and install the latest version.
* Once the program has loaded, select "Perform Full Scan", then click Scan.
* The scan may take some time to finish, so please be patient.
* When the scan is complete, click OK, then Show Results to view the results.
* Make sure that everything is checked, and click Remove Selected.
* When disinfection is completed, a log will open in Notepad and you may be prompted to Restart. (See Extra Note)
* The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
* Copy&Paste the entire MBAM report (even if it does not find anything) in your next reply along with a fresh HijackThis log.

Extra Note:
If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts; click OK to either and let MBAM proceed with the disinfection process. If asked to restart the computer, please do so immediately.
If I've saved you time & money,
please make a donation so I can keep helping people just like you! You can donate using a credit card and PayPal. Thank you!




Asking for help via Private Message or Mail will be ignored - So If you need help, post your problem in the forum.

#3 penelopet

penelopet
  • Topic Starter

  • Members
  • 7 posts
  • OFFLINE
  • Local time:05:27 PM

Posted 23 November 2009 - 01:23 AM

Hi SifuMike, thank you so much for the help. I went ahead and uninstalled AVG, then ran the scans. MBAM found a bunch of "Vundo" infections (again) and said it cleaned them although I am still seeing a lot of slowness/hard drive usage even when I'm doing nothing. Here are the logs you requested, in order:

Results of screen317's Security Check version 0.99.0
Windows XP Service Pack 3
``````````````````````````````
Antivirus/Firewall Check:

Windows Firewall Enabled!
Symantec AntiVirus
``````````````````````````````
Anti-malware/Other Utilities Check:

Out of date Spybot installed!
Ad-Aware
AOL Spyware Protection
Spybot - Search & Destroy 1.4
Spybot - Search & Destroy
Trojan Remover 6.8.1
HijackThis 2.0.2
Java™ 6 Update 13
Java™ 6 Update 6
Java™ 6 Update 7
Out of date Java installed!
Adobe Flash Player 10
Adobe Reader 7.0
Out of date Adobe Reader installed!
``````````````````````````````
Process Check:
objlist.exe by Laurent

Ad-Aware AAWService.exe
Ad-Aware AAWTray.exe is disabled!
``````````````````````````````
DNS Vulnerability Check:

Unknown. This method cannot test your vulnerability to DNS cache poisoning.

`````````End of Log```````````

*******

Malwarebytes' Anti-Malware 1.41
Database version: 3215
Windows 5.1.2600 Service Pack 3

11/23/2009 12:41:22 AM
mbam-log-2009-11-23 (00-41-21).txt

Scan type: Full Scan (C:\|D:\|)
Objects scanned: 238774
Time elapsed: 1 hour(s), 31 minute(s), 10 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 1
Registry Keys Infected: 1
Registry Values Infected: 3
Registry Data Items Infected: 3
Folders Infected: 0
Files Infected: 15

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
c:\WINDOWS\system32\vuhihumo.dll (Trojan.Vundo.H) -> Delete on reboot.

Registry Keys Infected:
HKEY_CLASSES_ROOT\CLSID\{84d3b2f3-c7ea-4b47-9509-b63a26e130e1} (Trojan.Vundo.H) -> Delete on reboot.

Registry Values Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\lihesagup (Trojan.Vundo.H) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SharedTaskScheduler\{84d3b2f3-c7ea-4b47-9509-b63a26e130e1} (Trojan.Vundo.H) -> Delete on reboot.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\sogihesas (Trojan.Vundo.H) -> Delete on reboot.

Registry Data Items Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\AppInit_DLLs (Trojan.Vundo.H) -> Data: c:\windows\system32\vuhihumo.dll -> Delete on reboot.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\AppInit_DLLs (Trojan.Vundo.H) -> Data: system32\vuhihumo.dll -> Delete on reboot.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\UpdatesDisableNotify (Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.

Folders Infected:
(No malicious items detected)

Files Infected:
c:\WINDOWS\system32\vuhihumo.dll (Trojan.Vundo.H) -> Delete on reboot.
C:\System Volume Information\_restore{D23EFF2A-BFEF-46A5-8364-D064E372DF2B}\RP321\A0098566.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{D23EFF2A-BFEF-46A5-8364-D064E372DF2B}\RP321\A0104536.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{D23EFF2A-BFEF-46A5-8364-D064E372DF2B}\RP322\A0105572.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{D23EFF2A-BFEF-46A5-8364-D064E372DF2B}\RP322\A0105571.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{D23EFF2A-BFEF-46A5-8364-D064E372DF2B}\RP323\A0108632.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{D23EFF2A-BFEF-46A5-8364-D064E372DF2B}\RP324\A0109621.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{D23EFF2A-BFEF-46A5-8364-D064E372DF2B}\RP324\A0109646.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{D23EFF2A-BFEF-46A5-8364-D064E372DF2B}\RP324\A0109649.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{D23EFF2A-BFEF-46A5-8364-D064E372DF2B}\RP324\A0109685.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{D23EFF2A-BFEF-46A5-8364-D064E372DF2B}\RP325\A0109767.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{D23EFF2A-BFEF-46A5-8364-D064E372DF2B}\RP325\A0109772.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{D23EFF2A-BFEF-46A5-8364-D064E372DF2B}\RP331\A0110105.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{D23EFF2A-BFEF-46A5-8364-D064E372DF2B}\RP331\A0110106.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\vohejido.dll (Trojan.Vundo) -> Quarantined and deleted successfully.


********


DDS (Ver_09-10-26.01) - NTFSx86
Run by Owner at 1:06:35.87 on Mon 11/23/2009
Internet Explorer: 7.0.5730.13 BrowserJavaVersion: 1.6.0_13
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.510.83 [GMT -5:00]

AV: Symantec AntiVirus Corporate Edition *On-access scanning enabled* (Updated) {FB06448E-52B8-493A-90F3-E43226D3305C}

============== Running Processes ===============

C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
C:\WINDOWS\system32\svchost.exe -k WudfServiceGroup
svchost.exe
svchost.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\Program Files\Lavasoft\Ad-Aware\AAWService.exe
C:\WINDOWS\system32\spoolsv.exe
svchost.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Symantec AntiVirus\DefWatch.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Common Files\New Boundary\PrismXL\PRISMXL.SYS
C:\Program Files\CyberLink\Shared Files\RichVideo.exe
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\Program Files\Symantec AntiVirus\Rtvscan.exe
C:\PROGRA~1\COMMON~1\AOL\AOLSPY~1\AOLSP Scheduler.exe
C:\Program Files\Viewpoint\Common\ViewpointService.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\Program Files\Musicmatch\Musicmatch Jukebox\mm_tray.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\PROGRA~1\SYMANT~1\VPTray.exe
C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
C:\Program Files\CyberLink\PCM4Everio\EverioService.exe
C:\PROGRA~1\MUSICM~1\MUSICM~2\MMDiag.exe
C:\Program Files\Musicmatch\Musicmatch Jukebox\mim.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Skype\Phone\Skype.exe
C:\Program Files\BigFix\BigFix.exe
C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\Skype\Plugin Manager\skypePM.exe
C:\Program Files\Lavasoft\Ad-Aware\AAWTray.exe
C:\Documents and Settings\Owner\Local Settings\Application Data\Google\Chrome\Application\chrome.exe
C:\WINDOWS\system32\rundll32.exe
C:\Documents and Settings\Owner\Local Settings\Application Data\Google\Chrome\Application\chrome.exe
C:\Documents and Settings\Owner\Desktop\SecurityCheck.exe
C:\WINDOWS\system32\notepad.exe
C:\Program Files\Malwarebytes' Anti-Malware\MBh2TkmCX.exe
C:\WINDOWS\system32\NOTEPAD.EXE
C:\Documents and Settings\Owner\Desktop\dds.scr

============== Pseudo HJT Report ===============

uStart Page = hxxp://www.yahoo.com/
uInternet Connection Wizard,ShellNext = hxxp://www.gateway.com/
uURLSearchHooks: H - No File
mURLSearchHooks: H - No File
BHO: AcroIEHlprObj Class: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\adobe\acrobat 7.0\activex\AcroIEHelper.dll
BHO: {53707962-6f74-2d53-2644-206d7942484f} - c:\program files\spybot - search & destroy\SDHelper.dll
BHO: Google Toolbar Helper: {aa58ed58-01dd-4d91-8333-cf10577473f7} - c:\program files\google\googletoolbar1.dll
BHO: Google Toolbar Notifier BHO: {af69de43-7d58-4638-b6fa-ce66b5ad205d} - c:\program files\google\googletoolbarnotifier\5.1.1309.3572\swg.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
TB: &Google: {2318c2b1-4965-11d4-9b18-009027a5cd4f} - c:\program files\google\googletoolbar1.dll
TB: AIM Toolbar: {de9c389f-3316-41a7-809b-aa305ed9d922} - c:\program files\aol\aim toolbar 5.0\aoltb.dll
TB: {0B53EAC3-8D69-4B9E-9B19-A37C9A5676A7} - No File
TB: Yahoo! Toolbar: {ef99bd32-c1fb-11d2-892f-0090271d4f88} -
TB: {4982D40A-C53B-4615-B15B-B5B5E98D167C} - No File
EB: Real.com: {fe54fa40-d68c-11d2-98fa-00c0f0318afe} - c:\windows\system32\Shdocvw.dll
uRun: [MSMSGS] "c:\program files\messenger\msmsgs.exe" /background
uRun: [Aim6]
uRun: [SpybotSD TeaTimer] c:\program files\spybot - search & destroy\TeaTimer.exe
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRun: [Google Update] "c:\documents and settings\owner\local settings\application data\google\update\GoogleUpdate.exe" /c
uRun: [Skype] "c:\program files\skype\phone\Skype.exe" /nosplash /minimized
uRunOnce: [Shockwave Updater] c:\windows\system32\adobe\shockwave 11\SwHelper_1150596.exe -Update -1150596 -"Mozilla/5.0_(Windows;_U;_Windows_NT_5.1;_en-US)_AppleWebKit/530.5_(KHTML,_like_Gecko)_Chrome/2.0.172.43_Safari/530.5" -"http://woz.commtechlab.msu.edu/courses/447sp04/oregontrail/play.htm"
mRun: [AOL Spyware Protection] "c:\progra~1\common~1\aol\aolspy~1\AOLSP Scheduler.exe"
mRun: [NeroFilterCheck] c:\windows\system32\NeroCheck.exe
mRun: [SynTPLpr] c:\program files\synaptics\syntp\SynTPLpr.exe
mRun: [SynTPEnh] c:\program files\synaptics\syntp\SynTPEnh.exe
mRun: [RemoteControl] "c:\program files\cyberlink\powerdvd\PDVDServ.exe"
mRun: [Recguard] %WINDIR%\SMINST\RECGUARD.EXE
mRun: [ATIPTA] c:\program files\ati technologies\ati control panel\atiptaxx.exe
mRun: [IMJPMIG8.1] "c:\windows\ime\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32
mRun: [MSPY2002] c:\windows\system32\ime\pintlgnt\ImScInst.exe /SYNC
mRun: [PHIME2002ASync] c:\windows\system32\ime\tintlgnt\TINTSETP.EXE /SYNC
mRun: [PHIME2002A] c:\windows\system32\ime\tintlgnt\TINTSETP.EXE /IMEName
mRun: [MimBoot] c:\progra~1\musicm~1\musicm~2\mimboot.exe
mRun: [MMTray] "c:\program files\musicmatch\musicmatch jukebox\mm_tray.exe"
mRun: [ccApp] "c:\program files\common files\symantec shared\ccApp.exe"
mRun: [vptray] c:\progra~1\symant~1\VPTray.exe
mRun: [HP Software Update] "c:\program files\hp\hp software update\HPWuSchd2.exe"
mRun: [EverioService] "c:\program files\cyberlink\pcm4everio\EverioService.exe"
mRun: [CloneDVDElbyDelay] "c:\program files\elaborate bytes\clonedvd\ElbyCheck.exe" /L ElbyDelay
mRun: [ElbyCheckAnyDVD] "c:\program files\slysoft\anydvd\ElbyCheck.exe" /L AnyDVD
mRun: [QuickTime Task] "c:\program files\quicktime\qttask.exe" -atboottime
mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe"
mRun: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
mRun: [Malwarebytes Anti-Malware (reboot)] "c:\program files\malwarebytes' anti-malware\MBh2TkmCX.exe" /runcleanupscript
mRun: [TrojanScanner] c:\program files\trojan remover\Trjscan.exe /boot
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\bigfix.lnk - c:\program files\bigfix\BigFix.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\hpdigi~1.lnk - c:\program files\hp\digital imaging\bin\hpqtra08.exe
uPolicies-system: RunStartupScriptSync = 1 (0x1)
mPolicies-system: RunStartupScriptSync = 1 (0x1)
IE: &AOL Toolbar Search - c:\program files\aol\aim toolbar 5.0\resources\en-us\local\search.html
IE: Add to Google Photos Screensa&ver - c:\windows\system32\GPhotos.scr/200
IE: E&xport to Microsoft Excel - c:\progra~1\micros~3\office11\EXCEL.EXE/3000
IE: {3AD14F0C-ED16-4e43-B6D8-661B03F6A1EF} - c:\program files\pokerstars\PokerStarsUpdate.exe
IE: {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - c:\program files\aim\aim.exe
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {3369AF0D-62E9-4bda-8103-B4C75499B578} - {DE9C389F-3316-41A7-809B-AA305ED9D922} - c:\program files\aol\aim toolbar 5.0\aoltb.dll
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~3\office12\REFIEBAR.DLL
IE: {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - {FE54FA40-D68C-11d2-98FA-00C0F0318AFE} - c:\windows\system32\Shdocvw.dll
Trusted Zone: musicmatch.com\online
DPF: {05CA9FB0-3E3E-4B36-BF41-0E3A5CAA8CD8} - hxxp://go.microsoft.com/fwlink/?linkid=58813
DPF: {25365FF3-2746-4230-9DA7-163CCA318309} - hxxp://inst.c-wss.com/117p/html/gtdownlr.cab
DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} - hxxp://download.mcafee.com/molbin/shared/mcinsctl/4,0,0,101/mcinsctl.cab
DPF: {6F15128C-E66A-490C-B848-5000B5ABEEAC} - hxxps://h20436.www2.hp.com/ediags/dex/secure/HPDEXAXO.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_13-windows-i586.cab
DPF: {BB21F850-63F4-4EC9-BF9D-565BD30C9AE9} - hxxp://ax.emsisoft.com/asquared.cab
DPF: {BCC0FF27-31D9-4614-A68E-C18E1ADA4389} - hxxp://download.mcafee.com/molbin/shared/mcgdmgr/1,0,0,26/mcgdmgr.cab
DPF: {C68F9105-04FD-4B48-B6CC-2A076F711C35} - file://e:\memdisc\album_a\view\plugin\HPODPCFC.CAB
DPF: {CAFEEFAC-0016-0000-0006-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_06-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_07-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0013-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_13-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_13-windows-i586.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
Handler: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - c:\progra~1\common~1\skype\SKYPE4~1.DLL
Notify: AtiExtEvent - Ati2evxx.dll
Notify: NavLogon - c:\windows\system32\NavLogon.dll
AppInit_DLLs: relereni.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
SSODL: peluteham - {0fc2d4b0-c56d-465f-8eeb-9d5228176889} - No File
STS: {1075ad05-38b6-429e-8dfa-fba71091806c} - No File
STS: {2c728fb3-df59-4ab6-b2fa-f8dd9d049b24} - No File
STS: {1b08d499-0606-4b01-b5ee-6afa2c55dbca} - No File
STS: {c4e36ca0-b6b8-4b89-b565-a3a0da5b8bf5} - No File
LSA: Notification Packages = scecli loganoye.dll gapedalu.dll

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\owner\applic~1\mozilla\firefox\profiles\kicmwawa.default\
FF - prefs.js: browser.startup.homepage - hxxp://my.yahoo.com/
FF - prefs.js: keyword.URL - hxxp://www.ask.com/web?o=101447&l=dis&q=
FF - plugin: c:\documents and settings\owner\application data\mozilla\firefox\profiles\kicmwawa.default\extensions\moveplayer@movenetworks.com\platform\winnt_x86-msvc\plugins\npmnqmp071101000055.dll
FF - plugin: c:\program files\google\google updater\2.4.1536.6592\npCIDetect13.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npJoostPlugin.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npViewpoint.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npvirtools.dll
FF - plugin: c:\program files\picasa2\npPicasa2.dll
FF - plugin: c:\program files\viewpoint\viewpoint media player\npViewpoint.dll
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0006-ABCDEFFEDCBA}
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA}

---- FIREFOX POLICIES ----
FF - user.js: yahoo.homepage.dontask - true
============= SERVICES / DRIVERS ===============

R0 Lbd;Lbd;c:\windows\system32\drivers\Lbd.sys [2009-11-11 64288]
R2 Lavasoft Ad-Aware Service;Lavasoft Ad-Aware Service;c:\program files\lavasoft\ad-aware\AAWService.exe [2009-9-24 1179232]
R2 Viewpoint Manager Service;Viewpoint Manager Service;c:\program files\viewpoint\common\ViewpointService.exe [2008-11-20 24652]
S3 ICAM3NT5;Intel USB Video Camera III;c:\windows\system32\drivers\Icam3.sys [2006-8-6 141056]
S3 MBAMCatchMe;MBAMCatchMe;\??\c:\windows\system32\drivers\mbamcatchme.sys --> c:\windows\system32\drivers\mbamcatchme.sys [?]
S3 MotDev;Motorola Inc. USB Device;c:\windows\system32\drivers\motodrv.sys [2007-5-4 40832]
S3 SavRoam;SAVRoam;c:\program files\symantec antivirus\SavRoam.exe [2004-8-2 173392]
S3 SMSIVZAM5;SMSIVZAM5 NDIS Protocol Driver;c:\progra~1\verizo~1\vzacce~1\SMSIVZAM5.SYS [2009-3-20 32408]
S3 UCharger;Energizer Usb Charger Driver;c:\windows\system32\drivers\UCharger.sys [2007-5-15 13765]

=============== Created Last 30 ================

2009-11-17 22:45:10 102262 ----a-w- c:\windows\hpoins05.dat
2009-11-17 22:34:31 17505 ------w- c:\windows\hpomdl07.dat.temp
2009-11-17 21:27:07 69359 ------w- c:\windows\hpoins05.dat.temp
2009-11-17 21:27:07 17505 ------w- c:\windows\hpomdl07.dat
2009-11-17 21:25:48 98304 ----a-w- c:\windows\system32\hpzjsn01.dll
2009-11-17 21:25:31 606208 ----a-w- c:\windows\system32\hpotscl.dll
2009-11-17 21:24:18 180315 ----a-w- c:\windows\system32\hpzsnt12.dll
2009-11-13 02:52:12 77312 ----a-w- c:\windows\system32\ztvunace26.dll
2009-11-13 02:52:12 75264 ----a-w- c:\windows\system32\unacev2.dll
2009-11-13 02:52:12 69632 ----a-w- c:\windows\system32\ztvcabinet.dll
2009-11-13 02:52:12 162304 ----a-w- c:\windows\system32\ztvunrar36.dll
2009-11-13 02:52:12 153088 ----a-w- c:\windows\system32\UNRAR3.dll
2009-11-13 02:52:00 0 d-----w- c:\program files\Trojan Remover
2009-11-13 02:52:00 0 d-----w- c:\docume~1\owner\applic~1\Simply Super Software
2009-11-13 02:52:00 0 d-----w- c:\docume~1\alluse~1\applic~1\Simply Super Software
2009-11-12 13:14:53 0 d-----w- C:\VundoFix Backups
2009-11-12 13:14:11 78336 ----a-w- c:\windows\system32\Agent.OMZ.Fix.exe
2009-11-12 13:14:08 80384 ----a-w- c:\windows\system32\o4Patch.exe
2009-11-12 13:14:06 82944 ----a-w- c:\windows\system32\IEDFix.C.exe
2009-11-12 13:14:04 82432 ----a-w- c:\windows\system32\404Fix.exe
2009-11-12 13:14:01 82944 ----a-w- c:\windows\system32\IEDFix.exe
2009-11-12 13:13:58 79360 ----a-w- c:\windows\system32\swxcacls.exe
2009-11-12 13:13:56 53248 ----a-w- c:\windows\system32\Process.exe
2009-11-12 13:13:56 135168 ----a-w- c:\windows\system32\swreg.exe
2009-11-11 17:46:35 15880 ----a-w- c:\windows\system32\lsdelete.exe
2009-11-11 16:56:33 64288 ----a-w- c:\windows\system32\drivers\Lbd.sys
2009-11-11 16:56:06 93360 ----a-w- c:\windows\system32\drivers\SBREDrv.sys
2009-11-11 16:51:25 0 dc-h--w- c:\docume~1\alluse~1\applic~1\{CFBD8779-FAAB-4357-84F2-1EC8619FADA6}
2009-11-11 16:50:11 0 d-----w- c:\program files\Lavasoft
2009-11-10 20:02:51 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2009-11-10 20:02:49 19160 ----a-w- c:\windows\system32\drivers\mbam.sys
2009-11-10 20:02:49 0 d-----w- c:\program files\Malwarebytes' Anti-Malware
2009-11-09 02:04:20 48 ---ha-w- c:\windows\system32\ezsidmv.dat
2009-11-09 02:00:25 0 d-----r- c:\program files\Skype
2009-11-08 17:17:33 0 d--h--w- C:\$AVG
2009-11-08 17:16:21 0 d-----w- c:\program files\AVG
2009-10-27 03:32:46 0 d-----w- c:\docume~1\owner\applic~1\Verizon Wireless
2009-10-27 03:30:37 0 d-----w- c:\docume~1\alluse~1\applic~1\Verizon Wireless
2009-10-27 03:30:31 0 d-----w- c:\program files\Verizon Wireless
2009-10-27 03:28:31 24832 ----a-w- c:\windows\system32\drivers\lgusbmodem.sys
2009-10-27 03:28:30 19968 ----a-w- c:\windows\system32\drivers\lgusbdiag.sys
2009-10-27 03:28:30 13056 ----a-w- c:\windows\system32\drivers\lgusbbus.sys
2009-10-27 03:28:24 0 d-----w- c:\program files\LG Electronics

==================== Find3M ====================

2009-11-12 13:24:41 5500 ----a-w- c:\windows\system32\tmp.reg
2009-09-11 14:18:39 136192 ----a-w- c:\windows\system32\msv1_0.dll
2009-09-04 21:03:36 58880 ----a-w- c:\windows\system32\msasn1.dll
2009-08-29 07:36:27 832512 ----a-w- c:\windows\system32\wininet.dll
2009-08-29 07:36:24 78336 ----a-w- c:\windows\system32\ieencode.dll
2009-08-29 07:36:24 17408 ----a-w- c:\windows\system32\corpol.dll
2009-08-26 08:00:21 247326 ----a-w- c:\windows\system32\strmdll.dll
2009-05-22 13:31:08 32768 --sha-w- c:\windows\system32\config\systemprofile\local settings\history\history.ie5\mshist012009052220090523\index.dat

============= FINISH: 1:08:03.00 ===============

Thanks again!

#4 SifuMike

    malware expert

  • Staff Emeritus
  • 15,385 posts
  • Gender:Male
  • Location:Vancouver (not BC) WA (Not DC) USA

Posted 23 November 2009 - 03:53 PM

Hi penelopet,

You are using an outdated version of Adobe Reader. Adobe Reader has since been updated, and the update closes many security holes and provides new features.

First, uninstall earlier versions of Adobe Reader.
  • Go to Start > Settings > Control Panel, double-click on Add/Remove Programs and remove all older versions of Adobe Reader.
  • Check (highlight) any item with Adobe Reader in the name.
    Adobe Reader 7.0
  • Click the Remove or Change/Remove button.
  • Repeat as many times as necessary to remove each Adobe Reader version.
Please download the latest version from:
http://get.adobe.com/reader/

And install it. Once installed, launch it, select Help --> Check for Updates and install any updates.

You may also try the free Foxit PDF reader if you prefer:
http://www.foxitsoftware.com/pdf/reader/



Uninstall Spybot - Search & Destroy 1.4, as that is an old version.


Your Java is out of date. Older versions have vulnerabilities that malware can use to infect your system. Please follow these steps to remove older-version Java components and update.
  • Please download Java Version 6 Update 17
  • Click the "Free Java Download" button.
  • Click "Free Java Download" again
  • Save the file jxpiinstall.exe to your desktop
  • Close any programs you may have running - especially your web browser.
  • Go to Start > Control Panel double-click on Add/Remove programs and remove all older versions of Java.
    Examples of older versions in Add or Remove Programs:
    Java™ 6 Update 13
    Java™ 6 Update 6
    Java™ 6 Update 7

  • Check any item with Java Runtime Environment (JRE or J2SE) in the name.
  • Click the Remove or Change/Remove button.
  • Repeat as many times as necessary to remove each Java version.
  • Reboot your computer once all Java components are removed.
  • Then from your desktop double-click on jxpiinstall.exe to install the newest version.

Please make sure you turn on the Java Automatic Update Feature
http://java.com/en/download/help/java_update.xml#howto

Note: This feature is available only on Windows XP, 2003, 2000 (SP2 or higher) and set by default for these operating systems.
Then you will not have to remember to update it when Java introduces a new version.
Java is updated very frequently, and the old versions are malware magnets.




We will run ComboFix.

You should NOT use Combofix unless you have been instructed to do so by a Malware Removal Expert.
It is intended by its creator to be used under the guidance and supervision of a Malware Removal Expert, not for private use.

Using this tool incorrectly could lead to disastrous problems with your operating system such as preventing it from ever starting again.
Please read Combofix's Disclaimer.
Further, ComboFix logs are not permitted outside the HijackThis forums and then only when requested by a HJT Team member.

You need to disable your Symantec AntiVirus Corporate Edition and Spybot TeaTimer before running ComboFix, as they will prevent it from running.

Please disable TeaTimer for now until you are clean. TeaTimer can be re-activated once your log is clean.

* Open Spybot Search & Destroy.
* In the Mode menu click "Advanced mode" if not already selected.
* Choose "Yes" at the Warning prompt.
* Expand the "Tools" menu.
* Click "Resident".
* Uncheck the "Resident "TeaTimer" (Protection of overall system settings) active." box.
* In the File menu click "Exit" to exit Spybot Search & Destroy.


Note: If you already have a copy of ComboFix on your system it is essential that you delete it before downloading this copy.

Please visit this webpage for instructions for downloading and running ComboFix:
http://www.bleepingcomputer.com/combofix/how-to-use-combofix

To work properly, you must install ComboFix on the Desktop. <== IMPORTANT

A caution -
Have no other programs running. Your Task Bar should be clear of any program entries including your Browser.
Do not run Combofix more than once.
Do not touch your mouse/keyboard until the scan has completed, as this may cause the process to stall or your computer to lock. The scan will temporarily disable your desktop, and if interrupted may leave your desktop disabled. If this occurs, please reboot to restore the desktop. Even when ComboFix appears to be doing nothing, look at your Drive light. If it is flashing, Combofix is still at work.

Post the ComboFix log.
If I've saved you time & money,
please make a donation so I can keep helping people just like you! You can donate using a credit card and PayPal. Thank you!


Asking for help via Private Message or Mail will be ignored - So If you need help, post your problem in the forum.
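The load points that matter in the DDS report above are the ones the helper never has to spell out: a non-empty AppInit_DLLs value (relereni.dll), two extra LSA notification packages (loganoye.dll, gapedalu.dll) sitting next to the Windows XP default scecli, a handful of orphaned BHO/toolbar/SSODL/STS entries, and three different Java 6 update levels still registered as ActiveX installers, which is exactly why the reply asks for the old JREs to be removed. The following Python script is an added example written for this page, not part of the thread or of the DDS or ComboFix tools. It triages a "Pseudo HJT Report" the same way a reader of this thread would by hand. The sample lines are constructed by copying entries from the log above; the LSA baseline of only scecli is an assumption for a stand-alone XP workstation (domain controllers and RAS servers legitimately register other packages).

```python
"""Triage of DDS 'Pseudo HJT Report' lines for Vundo-style persistence.

Added example for this page; assumes a stand-alone Windows XP box.
"""
import re

# Constructed sample input: a subset of the "Pseudo HJT Report" lines from the
# DDS log in this thread ("hxxp" is how DDS defangs URLs).
SAMPLE_DDS = """\
uURLSearchHooks: H - No File
BHO: Google Toolbar Helper: {aa58ed58-01dd-4d91-8333-cf10577473f7} - c:\\program files\\google\\googletoolbar1.dll
TB: {0B53EAC3-8D69-4B9E-9B19-A37C9A5676A7} - No File
DPF: {CAFEEFAC-0016-0000-0006-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_06-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_07-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0013-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_13-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_13-windows-i586.cab
AppInit_DLLs: relereni.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\\windows\\system32\\WPDShServiceObj.dll
SSODL: peluteham - {0fc2d4b0-c56d-465f-8eeb-9d5228176889} - No File
STS: {1075ad05-38b6-429e-8dfa-fba71091806c} - No File
LSA: Notification Packages = scecli loganoye.dll gapedalu.dll
"""

# Assumption: packages LSA loads by default on a stand-alone XP workstation.
# Domain controllers / RAS servers add others (rassfm, kdcsvc, wdigest).
LSA_BASELINE = {"scecli"}

# Load-point types whose "No File" entries are worth cleaning up.
ORPHAN_TYPES = {"BHO", "TB", "SSODL", "STS", "uURLSearchHooks", "mURLSearchHooks"}

# Version embedded in Sun's ActiveX installer name, e.g. jinstall-1_6_0_13.
JINSTALL_RE = re.compile(r"jinstall-(\d+)_(\d+)_(\d+)_(\d+)", re.IGNORECASE)


def parse_dds(text):
    """Yield (type, value) for every 'TYPE: value' line; unknown types are
    simply never acted on by the checks below."""
    for raw in text.splitlines():
        line = raw.strip()
        if ":" not in line:
            continue
        kind, _, value = line.partition(":")
        yield kind.strip(), value.strip()


def _basename(pkg):
    pkg = pkg.lower()
    return pkg[:-4] if pkg.endswith(".dll") else pkg


def appinit_dlls(text):
    """DLLs injected into every user32-linked process via AppInit_DLLs."""
    dlls = []
    for kind, value in parse_dds(text):
        if kind == "AppInit_DLLs":
            dlls.extend(value.replace(",", " ").split())
    return dlls


def lsa_extras(text):
    """LSA notification packages beyond the baseline. These load into
    lsass.exe and are handed every local password change in clear text."""
    extras = []
    for kind, value in parse_dds(text):
        if kind == "LSA" and value.startswith("Notification Packages"):
            _, _, pkgs = value.partition("=")
            extras.extend(p for p in pkgs.split() if _basename(p) not in LSA_BASELINE)
    return extras


def orphan_loadpoints(text):
    """Registered BHO/toolbar/shell objects whose file no longer exists."""
    return [(k, v) for k, v in parse_dds(text)
            if k in ORPHAN_TYPES and v.endswith("No File")]


def java_versions(text):
    """Distinct JRE versions still registered as DPF installers, oldest first.
    More than one means old, exploitable JREs are still installed."""
    found = set()
    for kind, value in parse_dds(text):
        if kind == "DPF":
            m = JINSTALL_RE.search(value)
            if m:
                found.add(tuple(int(x) for x in m.groups()))
    return sorted(found)


def triage(text):
    """Human-readable findings, one per suspicious load point."""
    findings = []
    for dll in appinit_dlls(text):
        findings.append(f"AppInit_DLLs loads {dll} into every GUI process")
    for pkg in lsa_extras(text):
        findings.append(f"non-default LSA notification package {pkg} (runs inside lsass.exe)")
    for kind, value in orphan_loadpoints(text):
        findings.append(f"orphaned {kind} entry: {value}")
    versions = java_versions(text)
    if len(versions) > 1:
        stale = ", ".join(f"{a}.{b}.{c}_{d:02d}" for a, b, c, d in versions[:-1])
        findings.append(f"multiple JREs registered; remove stale {stale}")
    return findings


if __name__ == "__main__":
    for finding in triage(SAMPLE_DDS):
        print("-", finding)
```

Run against the sample it prints eight findings; the AppInit_DLLs and LSA ones are the reason the adware keeps coming back after every scanner reboot (both DLLs are loaded before any user-mode cleaner runs), while the orphaned entries and stale JREs are the clean-up the reply above asks for.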

#5 penelopet

  • Topic Starter
  • Members
  • 7 posts

Posted 23 November 2009 - 10:06 PM

OK, I deleted & updated Adobe Reader & Java and deleted the old Spybot. I disabled Symantec before running ComboFix, but it looks like ComboFix said it was still running. Anyway here's the ComboFix log:

ComboFix 09-11-23.02 - Owner 11/23/2009 21:06.10.1 - x86
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.510.249 [GMT -5:00]
Running from: c:\documents and settings\Owner\Desktop\ComboFix.exe
AV: Symantec AntiVirus Corporate Edition *On-access scanning enabled* (Updated) {FB06448E-52B8-493A-90F3-E43226D3305C}
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\documents and settings\All Users\Application Data\96406866.ini
c:\documents and settings\Owner\Application Data\inst.exe
c:\documents and settings\Owner\My Documents\cc_20081021_152338.reg
c:\program files\system\smss.exe.assembly
c:\windows\system32\404Fix.exe
c:\windows\system32\Agent.OMZ.Fix.exe
c:\windows\system32\dumphive.exe
c:\windows\system32\IEDFix.C.exe
c:\windows\system32\IEDFix.exe
c:\windows\system32\nslapi16.dll
c:\windows\system32\o4Patch.exe
c:\windows\system32\Process.exe
c:\windows\system32\SrchSTS.exe
c:\windows\system32\tmp.reg
c:\windows\system32\VACFix.exe
c:\windows\system32\VCCLSID.exe
c:\windows\system32\WS2Fix.exe
c:\windows\Tasks\memcavri.job

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Legacy_LOGICAL_DISK_MANAGER_(NDIS)


((((((((((((((((((((((((( Files Created from 2009-10-24 to 2009-11-24 )))))))))))))))))))))))))))))))
.

2009-11-24 01:09 . 2009-11-24 01:13 152576 ----a-w- c:\documents and settings\Owner\Application Data\Sun\Java\jre1.6.0_17\lzma.dll
2009-11-24 01:07 . 2009-11-24 01:11 79488 ----a-w- c:\documents and settings\Owner\Application Data\Sun\Java\jre1.6.0_17\gtapi.dll
2009-11-24 00:49 . 2009-11-24 00:51 -------- d-----w- c:\program files\Common Files\Adobe
2009-11-17 22:45 . 2009-11-17 23:11 102262 ----a-w- c:\windows\hpoins05.dat
2009-11-17 21:27 . 2005-06-22 14:03 17505 ------w- c:\windows\hpomdl07.dat
2009-11-17 21:25 . 2005-02-05 02:58 98304 ----a-w- c:\windows\system32\hpzjsn01.dll
2009-11-17 21:25 . 2005-04-08 15:51 606208 ----a-w- c:\windows\system32\hpotscl.dll
2009-11-17 21:24 . 2005-03-18 18:32 180315 ----a-w- c:\windows\system32\hpzsnt12.dll
2009-11-14 22:07 . 2009-09-21 20:59 3101560 ----a-w- c:\documents and settings\Owner\Application Data\Simply Super Software\Trojan Remover\jmn1.exe
2009-11-13 02:52 . 2006-06-19 18:01 69632 ----a-w- c:\windows\system32\ztvcabinet.dll
2009-11-13 02:52 . 2006-05-25 20:52 162304 ----a-w- c:\windows\system32\ztvunrar36.dll
2009-11-13 02:52 . 2005-08-26 06:50 77312 ----a-w- c:\windows\system32\ztvunace26.dll
2009-11-13 02:52 . 2003-02-03 01:06 153088 ----a-w- c:\windows\system32\UNRAR3.dll
2009-11-13 02:52 . 2002-03-06 06:00 75264 ----a-w- c:\windows\system32\unacev2.dll
2009-11-13 02:52 . 2009-11-13 02:52 -------- d-----w- c:\program files\Trojan Remover
2009-11-13 02:52 . 2009-11-13 02:52 -------- d-----w- c:\documents and settings\Owner\Application Data\Simply Super Software
2009-11-13 02:52 . 2009-11-13 02:52 -------- d-----w- c:\documents and settings\All Users\Application Data\Simply Super Software
2009-11-12 13:14 . 2009-11-12 13:14 -------- d-----w- C:\VundoFix Backups
2009-11-11 19:03 . 2009-11-19 06:04 -------- d-----w- c:\documents and settings\LocalService\Local Settings\Application Data\Google
2009-11-11 17:46 . 2009-11-11 16:55 15880 ----a-w- c:\windows\system32\lsdelete.exe
2009-11-11 16:56 . 2009-09-23 12:55 64288 ----a-w- c:\windows\system32\drivers\Lbd.sys
2009-11-11 16:56 . 2009-11-11 16:55 93360 ----a-w- c:\windows\system32\drivers\SBREDrv.sys
2009-11-11 16:54 . 2009-11-11 16:54 5908024 ----a-w- c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\Update\Resources.dll
2009-11-11 16:54 . 2009-11-11 16:54 327000 ----a-w- c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\Update\RPAPI.dll
2009-11-11 16:54 . 2009-11-11 16:54 87496 ----a-w- c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\Update\PrivacyClean.dll
2009-11-11 16:54 . 2009-11-11 16:54 933120 ----a-w- c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\Update\CEAPI.dll
2009-11-11 16:53 . 2009-11-11 16:54 640608 ----a-w- c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\Update\AutoLaunch.exe
2009-11-11 16:53 . 2009-11-11 16:53 815760 ----a-w- c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\Update\Ad-AwareCommand.exe
2009-11-11 16:53 . 2009-11-11 16:53 822904 ----a-w- c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\Update\Ad-AwareAdmin.exe
2009-11-11 16:53 . 2009-11-11 16:53 1638104 ----a-w- c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\Update\Ad-Aware.exe
2009-11-11 16:53 . 2009-11-11 16:53 788368 ----a-w- c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\Update\AAWTray.exe
2009-11-11 16:52 . 2009-11-11 16:53 1179232 ----a-w- c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\Update\AAWService.exe
2009-11-11 16:51 . 2009-11-11 16:51 -------- dc-h--w- c:\documents and settings\All Users\Application Data\{CFBD8779-FAAB-4357-84F2-1EC8619FADA6}
2009-11-11 16:51 . 2009-10-03 08:15 2924848 -c--a-w- c:\documents and settings\All Users\Application Data\{CFBD8779-FAAB-4357-84F2-1EC8619FADA6}\Ad-AwareInstallation.exe
2009-11-11 16:50 . 2009-11-11 16:50 -------- d-----w- c:\program files\Lavasoft
2009-11-10 20:02 . 2009-09-10 19:54 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2009-11-10 20:02 . 2009-11-10 20:03 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2009-11-10 20:02 . 2009-09-10 19:53 19160 ----a-w- c:\windows\system32\drivers\mbam.sys
2009-11-09 02:04 . 2009-11-09 02:04 48 ---ha-w- c:\windows\system32\ezsidmv.dat
2009-11-09 02:04 . 2009-11-24 00:00 -------- d-----w- c:\documents and settings\Owner\Application Data\skypePM
2009-11-09 02:02 . 2009-11-24 01:53 -------- d-----w- c:\documents and settings\Owner\Application Data\Skype
2009-11-09 02:00 . 2009-11-09 02:00 -------- d-----w- c:\program files\Common Files\Skype
2009-11-09 02:00 . 2009-11-09 02:01 -------- d-----r- c:\program files\Skype
2009-11-09 01:59 . 2009-11-09 02:00 -------- d-----w- c:\documents and settings\All Users\Application Data\Skype
2009-11-08 17:17 . 2009-11-08 17:39 -------- d-----w- C:\$AVG
2009-11-08 17:16 . 2009-11-08 17:16 -------- d-----w- c:\program files\AVG
2009-10-27 03:32 . 2009-10-27 03:32 -------- d-----w- c:\documents and settings\Owner\Application Data\Verizon Wireless
2009-10-27 03:30 . 2009-10-27 03:30 -------- d-----w- c:\documents and settings\All Users\Application Data\Verizon Wireless
2009-10-27 03:30 . 2009-10-27 03:30 -------- d-----w- c:\program files\Verizon Wireless
2009-10-27 03:28 . 2008-11-11 17:42 24832 ----a-w- c:\windows\system32\drivers\lgusbmodem.sys
2009-10-27 03:28 . 2008-11-11 17:41 19968 ----a-w- c:\windows\system32\drivers\lgusbdiag.sys
2009-10-27 03:28 . 2008-11-11 17:41 13056 ----a-w- c:\windows\system32\drivers\lgusbbus.sys
2009-10-27 03:28 . 2009-10-27 03:28 -------- d-----w- c:\program files\LG Electronics
2009-10-27 03:27 . 2009-10-27 03:27 -------- d-----w- c:\documents and settings\Owner\Application Data\InstallShield

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-11-24 02:29 . 2006-03-27 21:02 -------- d-----w- c:\program files\Symantec AntiVirus
2009-11-24 02:18 . 2009-02-10 16:54 -------- d-----w- c:\program files\system
2009-11-24 01:10 . 2009-06-05 23:32 411368 ----a-w- c:\windows\system32\deploytk.dll
2009-11-24 01:06 . 2005-03-27 06:01 -------- d-----w- c:\program files\Java
2009-11-23 17:30 . 2008-06-07 18:19 -------- d-----w- c:\documents and settings\All Users\Application Data\Google Updater
2009-11-19 06:05 . 2007-12-08 23:53 -------- d-----w- c:\program files\Picasa2
2009-11-14 22:08 . 2007-04-06 22:50 -------- d---a-w- c:\documents and settings\All Users\Application Data\TEMP
2009-11-11 16:50 . 2008-05-12 01:14 -------- d-----w- c:\documents and settings\All Users\Application Data\Lavasoft
2009-11-11 15:57 . 2005-10-12 00:49 -------- d-----w- c:\program files\Spybot - Search & Destroy
2009-10-28 04:31 . 2008-04-20 18:49 -------- d-----w- c:\documents and settings\Owner\Application Data\uTorrent
2009-10-27 03:28 . 2005-06-26 04:12 -------- d--h--w- c:\program files\InstallShield Installation Information
2009-10-24 19:07 . 2005-10-10 17:06 -------- d-----w- c:\program files\mIRC
2009-10-12 18:16 . 2007-12-18 18:45 -------- d-----w- c:\documents and settings\Owner\Application Data\Move Networks
2009-10-07 01:43 . 2009-10-07 01:43 126970 ----a-w- c:\documents and settings\Owner\Application Data\Move Networks\uninstall.exe
2009-10-07 01:43 . 2009-08-03 21:48 4187512 ----a-w- c:\documents and settings\Owner\Application Data\Move Networks\plugins\npqmp071505000010.dll
2009-10-07 01:43 . 2009-10-07 01:42 1407680 ----a-w- c:\documents and settings\Owner\Application Data\Move Networks\MoveMediaPlayerWin_071505000010.exe
2009-09-30 04:10 . 2009-09-30 04:05 -------- d-----w- c:\documents and settings\Owner\Application Data\Moyea
2009-09-30 04:04 . 2006-09-23 01:23 -------- d-----w- c:\documents and settings\Owner\Application Data\GetRightToGo
2009-09-28 04:34 . 2009-09-28 03:56 -------- d-----w- c:\program files\drhyre
2009-09-27 17:40 . 2009-09-27 17:40 -------- d-----w- c:\documents and settings\Owner\Application Data\StreamTorrent
2009-09-27 00:40 . 2009-09-27 00:40 -------- d-----w- c:\program files\Games
2009-09-18 02:41 . 2009-09-18 02:41 79144 ----a-w- c:\documents and settings\All Users\Application Data\Apple Computer\Installer Cache\iTunes 9.0.0.70\SetupAdmin.exe
2009-09-11 14:18 . 2005-03-23 16:52 136192 ----a-w- c:\windows\system32\msv1_0.dll
2009-09-04 21:03 . 2005-03-23 16:52 58880 ----a-w- c:\windows\system32\msasn1.dll
2009-09-04 11:21 . 2009-05-26 12:37 1924440 ----a-w- c:\documents and settings\Owner\Application Data\Macromedia\Flash Player\www.macromedia.com\bin\fpupdatepl\fpupdatepl.exe
2009-08-29 07:36 . 2005-03-23 16:53 832512 ----a-w- c:\windows\system32\wininet.dll
2009-08-29 07:36 . 2005-03-23 16:52 78336 ----a-w- c:\windows\system32\ieencode.dll
2009-08-29 07:36 . 2005-03-23 16:52 17408 ----a-w- c:\windows\system32\corpol.dll
2009-08-26 08:00 . 2005-03-23 16:53 247326 ----a-w- c:\windows\system32\strmdll.dll
2008-12-17 21:59 . 2009-05-06 05:37 67688 ----a-w- c:\program files\mozilla firefox\components\jar50.dll
2008-12-17 21:59 . 2009-05-06 05:37 54368 ----a-w- c:\program files\mozilla firefox\components\jsd3250.dll
2008-12-17 21:59 . 2009-05-06 05:37 34944 ----a-w- c:\program files\mozilla firefox\components\myspell.dll
2008-12-17 21:59 . 2009-05-06 05:37 46712 ----a-w- c:\program files\mozilla firefox\components\spellchk.dll
2008-12-17 21:59 . 2009-05-06 05:37 172136 ----a-w- c:\program files\mozilla firefox\components\xpinstal.dll
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"MSMSGS"="c:\program files\Messenger\msmsgs.exe" [2008-04-14 1695232]
"SpybotSD TeaTimer"="c:\program files\Spybot - Search & Destroy\TeaTimer.exe" [2009-03-05 2260480]
"Google Update"="c:\documents and settings\Owner\Local Settings\Application Data\Google\Update\GoogleUpdate.exe" [2009-05-26 133104]
"Skype"="c:\program files\Skype\Phone\Skype.exe" [2009-10-09 25623336]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce]
"Shockwave Updater"="c:\windows\system32\Adobe\Shockwave 11\SwHelper_1150596.exe" [2009-04-29 468408]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"AOL Spyware Protection"="c:\progra~1\COMMON~1\AOL\AOLSPY~1\AOLSP Scheduler.exe" [2004-03-19 78960]
"NeroFilterCheck"="c:\windows\system32\NeroCheck.exe" [2001-07-09 155648]
"SynTPLpr"="c:\program files\Synaptics\SynTP\SynTPLpr.exe" [2006-05-19 86105]
"SynTPEnh"="c:\program files\Synaptics\SynTP\SynTPEnh.exe" [2006-05-19 774233]
"RemoteControl"="c:\program files\CyberLink\PowerDVD\PDVDServ.exe" [2004-11-03 32768]
"Recguard"="c:\windows\SMINST\RECGUARD.EXE" [2002-09-14 212992]
"ATIPTA"="c:\program files\ATI Technologies\ATI Control Panel\atiptaxx.exe" [2005-02-02 339968]
"IMJPMIG8.1"="c:\windows\IME\imjp8_1\IMJPMIG.EXE" [2004-08-04 208952]
"MSPY2002"="c:\windows\system32\IME\PINTLGNT\ImScInst.exe" [2004-08-04 59392]
"PHIME2002ASync"="c:\windows\system32\IME\TINTLGNT\TINTSETP.EXE" [2004-08-04 455168]
"PHIME2002A"="c:\windows\system32\IME\TINTLGNT\TINTSETP.EXE" [2004-08-04 455168]
"MimBoot"="c:\progra~1\MUSICM~1\MUSICM~2\mimboot.exe" [2006-01-19 11776]
"MMTray"="c:\program files\Musicmatch\Musicmatch Jukebox\mm_tray.exe" [2006-01-19 110592]
"ccApp"="c:\program files\Common Files\Symantec Shared\ccApp.exe" [2004-06-10 66680]
"vptray"="c:\progra~1\SYMANT~1\VPTray.exe" [2004-08-03 124232]
"HP Software Update"="c:\program files\HP\HP Software Update\HPWuSchd2.exe" [2004-09-13 49152]
"EverioService"="c:\program files\CyberLink\PCM4Everio\EverioService.exe" [2006-11-23 151552]
"CloneDVDElbyDelay"="c:\program files\Elaborate Bytes\CloneDVD\ElbyCheck.exe" [2002-11-02 45056]
"ElbyCheckAnyDVD"="c:\program files\SlySoft\AnyDVD\ElbyCheck.exe" [2003-09-20 45056]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2009-09-05 417792]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2009-09-09 305440]
"Malwarebytes Anti-Malware (reboot)"="c:\program files\Malwarebytes' Anti-Malware\MBh2TkmCX.exe" [2009-11-10 1312080]
"TrojanScanner"="c:\program files\Trojan Remover\Trjscan.exe" [2009-10-18 1070984]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2009-10-03 35696]
"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2009-09-04 935288]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2009-11-24 149280]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
BigFix.lnk - c:\program files\BigFix\BigFix.exe [2005-6-25 1742384]
HP Digital Imaging Monitor.lnk - c:\program files\HP\Digital Imaging\bin\hpqtra08.exe [2004-11-4 258048]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Lavasoft Ad-Aware Service]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\sdauxservice]
@=""

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\sdcoreservice]
@=""

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\America Online 9.0\\waol.exe"=
"c:\\Program Files\\AIM\\aim.exe"=
"c:\\Program Files\\Real\\RealPlayer\\realplay.exe"=
"c:\\Program Files\\Yahoo!\\Messenger\\YPager.exe"=
"c:\\Program Files\\Yahoo!\\Messenger\\YServer.exe"=
"c:\\Program Files\\BitTornado\\btdownloadgui.exe"=
"c:\\Program Files\\mIRC\\mirc.exe"=
"c:\\Program Files\\Common Files\\AOL\\Loader\\aolload.exe"=
"c:\\Program Files\\CyberLink\\PCM4Everio\\PCM4Everio.exe"=
"c:\\Program Files\\CyberLink\\PCM4Everio\\EverioService.exe"=
"c:\\Program Files\\Mozilla Firefox\\firefox.exe"=
"c:\\Program Files\\Joost\\xulrunner\\tvprunner.exe"=
"c:\\Program Files\\SopCast\\adv\\SopAdver.exe"=
"c:\\Program Files\\SopCast\\SopCast.exe"=
"c:\\Program Files\\uTorrent\\uTorrent.exe"=
"c:\\Program Files\\AIM6\\aim6.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\Messenger\\msmsgs.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\\WINDOWS\\system32\\dpvsetup.exe"=
"c:\\Program Files\\Skype\\Plugin Manager\\skypePM.exe"=
"c:\\Program Files\\iPod\\bin\\iPodService.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqtra08.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpofxm08.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hposfx08.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hposid01.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqscnvw.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqkygrp.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpfccopy.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpzwiz01.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\Unload\\HpqPhUnl.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpoews01.exe"=
"c:\\Program Files\\Skype\\Phone\\Skype.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"6881:TCP"= 6881:TCP:BT outgoing 1
"6882:TCP"= 6882:TCP:bt outgoing 2
"6883:TCP"= 6883:TCP:bt outgoing 3
"6884:TCP"= 6884:TCP:bt outgoing 4
"6885:TCP"= 6885:TCP:bt outgoing 5
"6886:TCP"= 6886:TCP:bt outgoing 6
"6887:TCP"= 6887:TCP:bt outgoing 7
"6888:TCP"= 6888:TCP:bt outgoing 8
"6889:TCP"= 6889:TCP:bt outgoing 9

R0 Lbd;Lbd;c:\windows\system32\drivers\Lbd.sys [11/11/2009 11:56 AM 64288]
R2 Lavasoft Ad-Aware Service;Lavasoft Ad-Aware Service;c:\program files\Lavasoft\Ad-Aware\AAWService.exe [9/24/2009 6:17 AM 1179232]
S3 MBAMCatchMe;MBAMCatchMe;\??\c:\windows\system32\drivers\mbamcatchme.sys --> c:\windows\system32\drivers\mbamcatchme.sys [?]
S3 MotDev;Motorola Inc. USB Device;c:\windows\system32\drivers\motodrv.sys [5/4/2007 11:14 PM 40832]
S3 SMSIVZAM5;SMSIVZAM5 NDIS Protocol Driver;c:\progra~1\VERIZO~1\VZACCE~1\SMSIVZAM5.SYS [3/20/2009 6:03 PM 32408]
S3 UCharger;Energizer Usb Charger Driver;c:\windows\system32\drivers\UCharger.sys [5/15/2007 7:43 AM 13765]
.
Contents of the 'Scheduled Tasks' folder

2009-11-24 c:\windows\Tasks\Ad-Aware Update (Weekly).job
- c:\program files\Lavasoft\Ad-Aware\Ad-AwareAdmin.exe [2009-10-01 16:53]

2009-11-21 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2007-08-29 16:34]

2009-11-24 c:\windows\Tasks\Google Software Updater.job
- c:\program files\Google\Common\Google Updater\GoogleUpdaterService.exe [2007-12-08 03:21]

2009-11-23 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-4132101281-799650721-856353698-1003Core.job
- c:\documents and settings\Owner\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2009-05-26 01:52]

2009-11-24 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-4132101281-799650721-856353698-1003UA.job
- c:\documents and settings\Owner\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2009-05-26 01:52]

2005-08-28 c:\windows\Tasks\ISP signup reminder 1.job
- c:\windows\system32\OOBE\oobebaln.exe [2005-03-23 00:12]

2009-11-24 c:\windows\Tasks\Symantec NetDetect.job
- c:\program files\Symantec\LiveUpdate\NDetect.exe [2006-03-27 19:20]

2007-07-13 c:\windows\Tasks\{760C114A-5D0E-43FD-A79C-E469B3E49B5E}_PLATOUF_Owner.job
- c:\windows\system32\mobsync.exe [2005-03-23 00:12]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.yahoo.com/
uInternet Connection Wizard,ShellNext = hxxp://www.gateway.com/
IE: &AOL Toolbar Search - c:\program files\aol\aim toolbar 5.0\resources\en-US\local\search.html
IE: Add to Google Photos Screensa&ver - c:\windows\system32\GPhotos.scr/200
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~3\OFFICE11\EXCEL.EXE/3000
Trusted Zone: musicmatch.com\online
DPF: {C68F9105-04FD-4B48-B6CC-2A076F711C35} - file://e:\memdisc\ALBUM_A\VIEW\PLUGIN\HPODPCFC.CAB
FF - ProfilePath - c:\documents and settings\Owner\Application Data\Mozilla\Firefox\Profiles\kicmwawa.default\
FF - prefs.js: browser.startup.homepage - hxxp://my.yahoo.com/
FF - prefs.js: keyword.URL - hxxp://www.ask.com/web?o=101447&l=dis&q=
FF - component: c:\progra~1\MOZILL~1\extensions\{B13721C7-F507-4982-B2E5-502A71474FED}\components\NPComponent.dll
FF - component: c:\program files\Mozilla Firefox\components\xpinstal.dll
FF - plugin: c:\program files\Google\Google Updater\2.4.1536.6592\npCIDetect13.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npJoostPlugin.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npViewpoint.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npvirtools.dll
FF - plugin: c:\program files\Picasa2\npPicasa2.dll
FF - plugin: c:\program files\Viewpoint\Viewpoint Media Player\npViewpoint.dll

---- FIREFOX POLICIES ----
FF - user.js: yahoo.homepage.dontask - true.
- - - - ORPHANS REMOVED - - - -

HKCU-Run-Aim6 - (no file)
SharedTaskScheduler-{1075ad05-38b6-429e-8dfa-fba71091806c} - (no file)
SharedTaskScheduler-{2c728fb3-df59-4ab6-b2fa-f8dd9d049b24} - (no file)
SharedTaskScheduler-{1b08d499-0606-4b01-b5ee-6afa2c55dbca} - (no file)
SharedTaskScheduler-{c4e36ca0-b6b8-4b89-b565-a3a0da5b8bf5} - (no file)
SSODL-peluteham-{0fc2d4b0-c56d-465f-8eeb-9d5228176889} - (no file)
SafeBoot-AVG Anti-Spyware Driver
SafeBoot-aawservice
SafeBoot-AVG Anti-Spyware Guard
AddRemove-Ad-Aware - c:\documents and settings\All Users\Application Data\{CFBD8779-FAAB-4357-84F2-1EC8619FADA6}\Ad-AwareInstallation.exe REMOVE=TRUE MODIFY=FALSE
AddRemove-PictureItPrem_v10 - c:\program files\Common Files\Microsoft Shared\Picture It!\RmvSuite.exe ADDREMOVE=1 SKU=PREM
AddRemove-RealJukebox 1.0 - c:\program files\Common Files\Real\Update_OB\r1puninst.exe RealNetworks|RealPlayer|6.0
AddRemove-RealPlayer 6.0 - c:\program files\Common Files\Real\Update_OB\r1puninst.exe RealNetworks|RealPlayer|6.0
AddRemove-Sam and Max - The Mole, The Mob, and the Meatball - c:\program files\Telltale Games\Sam and Max - The Mole



**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-11-23 21:28
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_USERS\S-1-5-21-4132101281-799650721-856353698-1003\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\{0FBC729A-2D77-4FE6-B744-523C006014A3}*]
@Allowed: (Read) (RestrictedCode)
@Allowed: (Read) (RestrictedCode)
"iaodkedgadobafeggf"=hex:64,61,62,6f,6e,63,69,6a,00,70
"iacdklbpcihhfjlmaa"=hex:6a,61,6f,6e,68,63,69,68,6e,66,70,63,6c,64,6e,61,65,70,
6f,6b,00,fd
"haidalmggcalamfn"=hex:6a,61,6f,6e,68,63,69,68,6d,65,61,64,65,6b,6d,6f,6c,6e,
63,6f,00,fd

[HKEY_USERS\S-1-5-21-4132101281-799650721-856353698-1003\Software\SecuROM\!CAUTION! NEVER A OR CHANGE ANY KEY*]
"??"=hex:43,bb,7c,29,ae,95,80,23,87,f2,86,5e,df,9f,44,21,2e,c1,d9,70,0d,71,eb,
40,8f,85,8e,35,70,e0,af,7e,45,32,c5,11,e1,2b,b0,02,45,81,e3,36,90,7e,35,ae,\
"??"=hex:e7,b1,81,b8,8a,65,d4,b5,f9,28,9c,6e,dd,91,60,5d

[HKEY_USERS\S-1-5-21-4132101281-799650721-856353698-1003\Software\SecuROM\License information*]
"datasecu"=hex:c8,cc,46,30,03,a8,ed,f8,0c,35,c7,03,48,2c,57,fc,68,b3,23,63,e7,
1d,60,3a,68,3e,c9,90,ea,2e,5e,dd,37,78,12,a5,97,d5,f6,73,42,ab,f9,7c,6c,df,\
"rkeysecu"=hex:4e,8a,d4,2b,f4,de,42,e0,15,f5,c8,2c,dd,df,87,b7
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(872)
c:\windows\system32\Ati2evxx.dll

- - - - - - - > 'explorer.exe'(2284)
c:\windows\system32\WININET.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
------------------------ Other Running Processes ------------------------
.
c:\windows\system32\Ati2evxx.exe
c:\windows\system32\Ati2evxx.exe
c:\program files\Common Files\Symantec Shared\ccSetMgr.exe
c:\program files\Common Files\Symantec Shared\ccEvtMgr.exe
c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
c:\program files\Bonjour\mDNSResponder.exe
c:\program files\Symantec AntiVirus\DefWatch.exe
c:\program files\Java\jre6\bin\jqs.exe
c:\program files\Common Files\New Boundary\PrismXL\PRISMXL.SYS
c:\program files\CyberLink\Shared Files\RichVideo.exe
c:\program files\Symantec AntiVirus\Rtvscan.exe
c:\progra~1\MUSICM~1\MUSICM~2\MMDiag.exe
c:\program files\Viewpoint\Common\ViewpointService.exe
c:\program files\Musicmatch\Musicmatch Jukebox\mim.exe
c:\windows\system32\wbem\unsecapp.exe
c:\program files\iPod\bin\iPodService.exe
c:\program files\Skype\Plugin Manager\skypePM.exe
c:\program files\Lavasoft\Ad-Aware\AAWTray.exe
.
**************************************************************************
.
Completion time: 2009-11-23 21:59 - machine was rebooted
ComboFix-quarantined-files.txt 2009-11-24 02:59

Pre-Run: 35,057,233,920 bytes free
Post-Run: 34,708,533,248 bytes free

- - End Of File - - 2D73BA4B77E267AA940D7092D485DD8B

Thanks again -

Edited by penelopet, 23 November 2009 - 10:08 PM.


#6 SifuMike

SifuMike

    malware expert


  • Staff Emeritus
  • 15,385 posts
  • Gender:Male
  • Location:Vancouver (not BC) WA (Not DC) USA
  • Local time:03:27 PM

Posted 23 November 2009 - 10:25 PM

Hi penelopet,

I see Viewpoint installed.
Viewpoint Manager is considered foistware rather than malware, since it is installed without the user's approval but doesn't spy or do anything "bad".

This will change from what we know in 2006; read this article: http://www.clickz.com/news/article.php/3561546

I suggest you remove the program now, if you did not install it.

Go to Start > Settings > Control Panel > Add/Remove Programs and remove the following programs if present.

Viewpoint
Viewpoint Manager
Viewpoint Media Player


If you uninstalled, please navigate to and delete the following folder:
C:\Program Files\Viewpoint

**********************

Please do an online scan with Kaspersky WebScanner

Attention!
Kaspersky Online Scanner 7.0 may fail to start if another anti-virus program is already installed and running on your computer. Please deactivate the anti-virus software installed on your computer prior to starting Kaspersky Online Scanner 7.0.
If you cannot disable it, then uninstall it. You can reinstall it when the scan is finished.



Please note: Kaspersky requires Java Runtime Environment (JRE) to be installed before scanning for malware, as ActiveX is no longer being used.
  • Read through the requirements and privacy statement and click on Accept button.
  • It will start downloading and installing the scanner and virus definitions. You will be prompted to install an application from Kaspersky. Click Run.
  • When the downloads have finished, click on Settings.
  • Make sure the following are checked:
    • Spyware, Adware, Dialers, and other potentially dangerous programs
    • Archives
    • Mail databases
  • Click on My Computer under Scan.
  • Once the scan is complete, it will display the results. Click on View Scan Report.
  • You will see a list of infected items there. Click on Save Report As....
  • Save this report to a convenient place. Change the Files of type to Text file (.txt) before clicking on the Save button.
  • Please post this log in your next reply.

You can refer to this animation by sundavis if needed.
If I've saved you time & money,
please make a donation so I can keep helping people just like you! You can donate using a credit card and PayPal. Thank you!




Asking for help via Private Message or Mail will be ignored - So If you need help, post your problem in the forum.

#7 penelopet

penelopet
  • Topic Starter

  • Members
  • 7 posts
  • Local time:05:27 PM

Posted 24 November 2009 - 04:38 PM

OK, I uninstalled Viewpoint Media Player. Here is the Kaspersky report:

--------------------------------------------------------------------------------
KASPERSKY ONLINE SCANNER 7.0: scan report
Tuesday, November 24, 2009
Operating system: Microsoft Windows XP Home Edition Service Pack 3 (build 2600)
Kaspersky Online Scanner version: 7.0.26.13
Last database update: Tuesday, November 24, 2009 11:32:41
Records in database: 3284305
--------------------------------------------------------------------------------

Scan settings:
scan using the following database: extended
Scan archives: yes
Scan e-mail databases: yes

Scan area - My Computer:
C:\
D:\
E:\

Scan statistics:
Objects scanned: 114512
Threats found: 19
Infected objects found: 31
Suspicious objects found: 0
Scan duration: 03:12:28


File name / Threat / Threats count
C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\01840000.VBN Infected: Exploit.JS.Pdfka.dh 1
C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\02080000.VBN Infected: Trojan-Spy.Win32.Agent.eoi 1
C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\051C0001.VBN Infected: Exploit.HTML.IESlice.d 1
C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\064C0000.VBN Infected: Trojan.Win32.Monderb.bgqo 1
C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\06C80000.VBN Infected: Trojan-Downloader.Win32.ConHook.aa 1
C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\08A80000.VBN Infected: Trojan-Downloader.Win32.ConHook.aa 1
C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\08B00000.VBN Infected: Exploit.JS.Pdfka.jr 1
C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\091C0000.VBN Infected: Trojan-Clicker.Win32.Agent.tg 1
C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\091C0001.VBN Infected: Trojan-Downloader.Win32.VB.ehl 1
C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\091C0002.VBN Infected: not-a-virus:AdWare.Win32.BHO.awz 1
C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\091C0003.VBN Infected: not-a-virus:AdWare.Win32.PurityScan.hk 1
C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\091C0004.VBN Infected: not-a-virus:AdWare.Win32.ZenoSearch.ad 1
C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\091C0005.VBN Infected: Worm.Win32.Socks.agm 1
C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\0A0C0000.VBN Infected: Trojan-Downloader.Win32.ConHook.ab 1
C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\0A0C0001.VBN Infected: Trojan-Downloader.Win32.ConHook.ab 1
C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\0A0C0002.VBN Infected: Trojan-Downloader.Win32.ConHook.ab 1
C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\0A0C0003.VBN Infected: Trojan-Downloader.Win32.ConHook.ab 1
C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\0AB00000.VBN Infected: Packed.Win32.Krap.ah 1
C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\0B340000.VBN Infected: Exploit.Win32.IMG-WMF.u 1
C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\0B340001.VBN Infected: Exploit.Win32.IMG-WMF.u 1
C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\0CD40009.VBN Infected: Trojan-Spy.Win32.Agent.bbqv 1
C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\0CD4000F.VBN Infected: Trojan.Win32.Monder.cvau 1
C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\0CE80000.VBN Infected: Exploit.HTML.IESlice.d 1
C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\0DA80000.VBN Infected: Exploit.JS.Pdfka.jr 1
C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\0DA80001.VBN Infected: Exploit.JS.Pdfka.jr 1
C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\0DE80000.VBN Infected: Trojan-Downloader.Win32.ConHook.aa 1
C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\0E200000.VBN Infected: Trojan-Downloader.Win32.ConHook.aa 1
C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\0E540001.VBN Infected: Exploit.HTML.IESlice.d 1
C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\0E740000.VBN Infected: Exploit.JS.Pdfka.mi 1
C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\0E780000.VBN Infected: Exploit.HTML.IESlice.d 1
C:\Program Files\mIRC\mirc.exe Infected: not-a-virus:Client-IRC.Win32.mIRC.616 1

Selected area has been scanned.

#8 SifuMike

SifuMike

    malware expert


  • Staff Emeritus
  • 15,385 posts
  • Gender:Male
  • Location:Vancouver (not BC) WA (Not DC) USA
  • Local time:03:27 PM

Posted 24 November 2009 - 05:46 PM

Hi penelopet,

Looks good. :(
The Kaspersky scan found files previously quarantined by your antivirus, and mIRC.exe, which is not a virus.

I think we have you clean.
Please tell me how the computer is running.

If everything is OK, then we still have to do some program clean up.

Edited by SifuMike, 24 November 2009 - 05:47 PM.

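SifuMike's reading of that report is the triage step worth doing first on any long scan log: every hit except mirc.exe sits inside the Symantec quarantine store (the .VBN containers under \Quarantine\), so they are already-neutralised copies rather than running malware, and mirc.exe itself carries a "not-a-virus:" prefix. The script below is an added example for this thread, not part of the original posts and not Kaspersky's or BleepingComputer's tooling. It parses the "File name / Threat / Threats count" lines, treats anything under a \Quarantine\ folder or in a .VBN container as quarantined, tags "not-a-virus:" detections as riskware, and reports only the remainder as live. The sample lines are copied from the report posted above, plus one constructed Temp path (marked in the code) so the live branch is exercised; the quarantine markers are an assumption drawn from the Symantec paths visible in the report.

```python
import re
from collections import Counter
from dataclasses import dataclass

# Lines copied from the Kaspersky Online Scanner 7.0 report posted in this thread, plus
# one CONSTRUCTED line (the Temp path) that is not from the page and only exercises
# the "live" branch of the classifier.
SAMPLE_REPORT = r"""
File name / Threat / Threats count
C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\01840000.VBN Infected: Exploit.JS.Pdfka.dh 1
C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\064C0000.VBN Infected: Trojan.Win32.Monderb.bgqo 1
C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\091C0002.VBN Infected: not-a-virus:AdWare.Win32.BHO.awz 1
C:\Program Files\mIRC\mirc.exe Infected: not-a-virus:Client-IRC.Win32.mIRC.616 1
C:\Documents and Settings\Owner\Local Settings\Temp\CONSTRUCTED_EXAMPLE.dll Infected: Trojan.Win32.Monder.cvau 1

Selected area has been scanned.
"""

# One detection per line: "<path> Infected: <threat name> <count>".
# The path may contain spaces, so it is matched lazily up to the " Infected: " marker.
HIT_RE = re.compile(r"^(?P<path>.+?) Infected: (?P<threat>\S+) (?P<count>\d+)\s*$")

# Assumption: another product's quarantine store. Symantec keeps neutralised copies as
# .VBN containers under a \Quarantine\ folder, as the posted paths show.
QUARANTINE_DIRS = ("\\quarantine\\",)
QUARANTINE_EXTS = (".vbn",)


@dataclass
class Hit:
    path: str
    threat: str
    count: int
    category: str  # "quarantined", "riskware" or "live"


def classify(path: str, threat: str) -> str:
    """Decide whether a detection needs action or is already dealt with."""
    p = path.lower()
    if any(d in p for d in QUARANTINE_DIRS) or p.endswith(QUARANTINE_EXTS):
        return "quarantined"  # already isolated by the resident AV; nothing is running
    if threat.startswith("not-a-virus:"):
        return "riskware"  # legitimate tool or adware flagged as potentially unwanted
    return "live"  # a real on-disk hit outside any quarantine: needs follow-up


def parse_report(text: str) -> list[Hit]:
    """Extract the detection lines; headers, blanks and the trailer are skipped."""
    hits = []
    for line in text.splitlines():
        m = HIT_RE.match(line.strip())
        if not m:
            continue
        hits.append(Hit(m["path"], m["threat"], int(m["count"]),
                        classify(m["path"], m["threat"])))
    return hits


def triage(text: str) -> dict:
    """Summarise a report the way a helper reads it: what is live, what is noise."""
    hits = parse_report(text)
    by_cat = Counter(h.category for h in hits)
    return {
        "total": len(hits),
        "quarantined": by_cat["quarantined"],
        "riskware": by_cat["riskware"],
        "live": by_cat["live"],
        "live_paths": [h.path for h in hits if h.category == "live"],
        "riskware_paths": [h.path for h in hits if h.category == "riskware"],
    }


if __name__ == "__main__":
    result = triage(SAMPLE_REPORT)
    print(f"{result['total']} detections: {result['quarantined']} already quarantined, "
          f"{result['riskware']} riskware, {result['live']} live")
    for p in result["live_paths"]:
        print("  LIVE:", p)
```

Run against the full report from the thread, the live bucket is empty and the riskware bucket holds only mirc.exe, which is exactly the conclusion drawn in the post above; the quarantine check deliberately runs before the not-a-virus check, so a quarantined adware sample is counted as quarantined, not as riskware needing review.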

#9 penelopet

penelopet
  • Topic Starter

  • Members
  • 7 posts
  • Local time:05:27 PM

Posted 24 November 2009 - 05:57 PM

Things seem to be running much better. I had a popup/redirect last night, but nothing since then. I also had so many anti-adware programs downloaded & set to run on startup that it was taking forever to boot up but this is better since I removed AVG and temporarily disabled TeaTimer... Thank you!

#10 SifuMike

SifuMike

    malware expert


  • Staff Emeritus
  • 15,385 posts
  • Gender:Male
  • Location:Vancouver (not BC) WA (Not DC) USA
  • Local time:03:27 PM

Posted 24 November 2009 - 06:06 PM

Hi penelopet,

You're very welcome. :(

Since everything is OK, let's do the program clean-up.

Delete Security Check from your desktop.

Remove Combofix now that we're done with it.
  • Click on your Start Menu, then Run....
  • Now type combofix /u in the runbox and click OK. Notice the space between the "x" and "/".
  • When shown the disclaimer, Select "2"
This will remove files/folders associated with ComboFix and uninstall it.


Please read and follow
How did I get infected?, With steps so it does not happen again!
as well as
How to prevent Malware by miekiemoes

If you want to improve speed/system performance after malware removal, take a look here.


Now you're good to go. :(

#11 penelopet

penelopet
  • Topic Starter

  • Members
  • 7 posts
  • Local time:05:27 PM

Posted 24 November 2009 - 08:54 PM

Hmm, when I type "ComboFix /u", ComboFix opens and starts scanning. Am I doing something wrong or is there another way to uninstall it?

#12 SifuMike

SifuMike

    malware expert


  • Staff Emeritus
  • 15,385 posts
  • Gender:Male
  • Location:Vancouver (not BC) WA (Not DC) USA
  • Local time:03:27 PM

Posted 24 November 2009 - 09:55 PM

Uninstall Combofix
  • Press the Windows Key + R on your keyboard.
  • Now copy & paste the green bolded text in the run-box and click OK.

    ComboFix /Uninstall

    <Notice the space between the "x" and "/".>


  • The following will implement some very important cleanup procedures as well as reset System Restore points.

Edited by SifuMike, 24 November 2009 - 10:20 PM.


#13 penelopet

penelopet
  • Topic Starter

  • Members
  • 7 posts
  • Local time:05:27 PM

Posted 24 November 2009 - 10:52 PM

That did it, thanks!

#14 SifuMike

SifuMike

    malware expert


  • Staff Emeritus
  • 15,385 posts
  • Gender:Male
  • Location:Vancouver (not BC) WA (Not DC) USA
  • Local time:03:27 PM

Posted 24 November 2009 - 10:56 PM

You're very welcome. :(

#15 SifuMike

SifuMike

    malware expert


  • Staff Emeritus
  • 15,385 posts
  • Gender:Male
  • Location:Vancouver (not BC) WA (Not DC) USA
  • Local time:03:27 PM

Posted 10 December 2009 - 07:25 PM

Since your problem appears to be resolved, this thread will now be closed.