Jump to content

Welcome to Geeks to Go - Register now for FREE

Geeks To Go is a helpful hub, where thousands of volunteer geeks quickly serve friendly answers and support. Check out the forums and get free advice from the experts. Register now to gain access to all of our features, it's FREE and only takes one minute. Once registered and logged in, you will be able to create topics, post replies to existing threads, give reputation to your fellow members, get your own private messenger, post status updates, manage your profile and so much more.

Create Account How it Works
Photo

Vundo Variant and Virtumonde [RESOLVED]


  • This topic is locked This topic is locked

#1
Brideshead

Brideshead

    New Member

  • Member
  • Pip
  • 7 posts
Hi there,

I'd appreciate any help with this. I appear to have Vundo Variant and Virtumonde. I've tried a number of fixes, including the usual recommended anti-spyware programs and VundoFix, for a few days now to absolutely no avail. Here is my HijackThis log:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 11:51:35 AM, on 3/24/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16608)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\WINDOWS\system32\HPZipm12.exe
C:\Program Files\Common Files\New Boundary\PrismXL\PRISMXL.SYS
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\Digital Media Reader\shwiconem.exe
C:\WINDOWS\system32\igfxtray.exe
C:\WINDOWS\system32\hkcmd.exe
C:\WINDOWS\zHotkey.exe
C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe
C:\Program Files\HP\hpcoretech\hpcmpmgr.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\WINDOWS\ALCWZRD.EXE
C:\Program Files\Musicmatch\Musicmatch Jukebox\mmtask.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Microsoft ActiveSync\wcescomm.exe
C:\Program Files\The Weather Channel FW\Desktop Weather\DesktopWeather.exe
C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
C:\PROGRA~1\MI3AA1~1\rapimgr.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
C:\Program Files\BigFix\BigFix.exe
C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
C:\Program Files\HP\Digital Imaging\bin\hpqgalry.exe
C:\WINDOWS\system32\HPZinw12.exe
C:\Program Files\HP\hpcoretech\comp\hpdarc.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.nutrisyst.../ny05/index.cfm
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft....k/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft....k/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft....k/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft....k/?LinkId=69157
O4 - HKLM\..\Run: [Recguard] C:\WINDOWS\SMINST\RECGUARD.EXE
O4 - HKLM\..\Run: [SunKistEM] C:\Program Files\Digital Media Reader\shwiconem.exe
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [CHotkey] zHotkey.exe
O4 - HKLM\..\Run: [ShowWnd] ShowWnd.exe
O4 - HKLM\..\Run: [RemoteControl] "C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe"
O4 - HKLM\..\Run: [High Definition Audio Property Page Shortcut] HDAShCut.exe
O4 - HKLM\..\Run: [Mixersel] C:\Program Files\Realtek\InstallShield\mixersel.exe
O4 - HKLM\..\Run: [HP Component Manager] "C:\Program Files\HP\hpcoretech\hpcmpmgr.exe"
O4 - HKLM\..\Run: [AlcFDMonitor] C:\WINDOWS\ALCFDRTM.EXE
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [AlcWzrd] ALCWZRD.EXE
O4 - HKLM\..\Run: [Alcmtr] ALCMTR.EXE
O4 - HKLM\..\Run: [ISUSPM Startup] C:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe -startup
O4 - HKLM\..\Run: [mmtask] "C:\Program Files\Musicmatch\Musicmatch Jukebox\mmtask.exe"
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [5859e32a] rundll32.exe "C:\WINDOWS\system32\decvrivh.dll",b
O4 - HKLM\..\RunOnce: [SpybotDeletingA6870] command /c del "C:\WINDOWS\system32\sstst.dll_tobedeleted"
O4 - HKLM\..\RunOnce: [SpybotDeletingC4033] cmd /c del "C:\WINDOWS\system32\sstst.dll_tobedeleted"
O4 - HKLM\..\RunOnce: [SpybotSnD] "C:\Program Files\Spybot - Search & Destroy\SpybotSD.exe" /autocheck
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [H/PC Connection Agent] "C:\Program Files\Microsoft ActiveSync\wcescomm.exe"
O4 - HKCU\..\Run: [DW4] "C:\Program Files\The Weather Channel FW\Desktop Weather\DesktopWeather.exe"
O4 - HKCU\..\Run: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: BigFix.lnk = C:\Program Files\BigFix\BigFix.exe
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
O4 - Global Startup: HP Image Zone Fast Start.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqthb08.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: Create Mobile Favorite - {2EAF5BB1-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MI3AA1~1\INetRepl.dll
O9 - Extra button: (no name) - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MI3AA1~1\INetRepl.dll
O9 - Extra 'Tools' menuitem: Create Mobile Favorite... - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MI3AA1~1\INetRepl.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O15 - Trusted Zone: *.avsystemcare.com
O15 - Trusted Zone: *.gomyhit.com
O15 - Trusted Zone: *.imageservr.com
O15 - Trusted Zone: *.onerateld.com
O15 - Trusted Zone: *.safetydownload.com
O15 - Trusted Zone: *.storageguardsoft.com
O15 - Trusted Zone: *.trustedantivirus.com
O15 - Trusted Zone: *.virusschlacht.com
O15 - Trusted Zone: *.avsystemcare.com (HKLM)
O15 - Trusted Zone: *.gomyhit.com (HKLM)
O15 - Trusted Zone: *.imageservr.com (HKLM)
O15 - Trusted Zone: *.onerateld.com (HKLM)
O15 - Trusted Zone: *.safetydownload.com (HKLM)
O15 - Trusted Zone: *.storageguardsoft.com (HKLM)
O15 - Trusted Zone: *.trustedantivirus.com (HKLM)
O15 - Trusted Zone: *.virusschlacht.com (HKLM)
O16 - DPF: {74C861A1-D548-4916-BC8A-FDE92EDFF62C} - http://mediaplayer.w...ler/install.cab
O16 - DPF: {9522B3FB-7A2B-4646-8AF6-36E7F593073C} - http://a19.g.akamai....302/Coupons.cab
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: PrismXL - New Boundary Technologies, Inc. - C:\Program Files\Common Files\New Boundary\PrismXL\PRISMXL.SYS

--
End of file - 8225 bytes
  • 0

Advertisements


#2
miekiemoes

miekiemoes

    Malware Expert

  • Member
  • PipPipPipPipPipPipPipPip
  • 5,503 posts
  • MVP
Hi,

I understand that you need help in order to get rid of the malware that is present on your system - But you need to help us first..
I notice that you never scanned with an Antivirus previously before starting this thread - because you don't even have an Antivirus installed!
This is somewhat suicidal in today's digital world.
That's why I want you to install one first!!

* Please install Avira Antivirus: http://www.free-av.com/
This is a free Antivirus.

Perform a full scan with Avira and let it delete everything it is finding.
Then reboot.
After reboot, open your Avira and select "reports".
There doubleclick the report from the Full scan you have done. Click the "Report File" button and copy and paste this report in your next reply together with a new HijackThislog.
Then we'll start from there, because it really makes no sense otherwise that we clean this up manually if an Antivirusscan is not present which should be able to deal with most and prevent further reinfection.
  • 0

#3
Brideshead

Brideshead

    New Member

  • Topic Starter
  • Member
  • Pip
  • 7 posts
Yes, I do feel like an idiot for that. I've always felt pretty safe using Firefox and have never had anything happen before. Then I use Internet Explorer for the first time in months and this happens. I've learned my lesson, though.

I ran Avira, but I think I still have something, because I'm still getting some of the "symptoms."

Thanks for your help. Here are the logs:

AntiVir PersonalEdition Classic
Report file date: Tuesday, March 25, 2008 20:46

Scanning for 1165923 virus strains and unwanted programs.

Licensed to: Avira AntiVir PersonalEdition Classic
Serial number: 0000149996-ADJIE-0001
Platform: Windows XP
Windows version: (Service Pack 2) [5.1.2600]
Username: SYSTEM
Computer name: JONES

Version information:
BUILD.DAT : 270 15603 Bytes 9/19/2007 13:32:00
AVSCAN.EXE : 7.0.6.1 290856 Bytes 8/23/2007 18:16:29
AVSCAN.DLL : 7.0.6.0 49192 Bytes 8/16/2007 17:23:51
LUKE.DLL : 7.0.5.3 147496 Bytes 8/14/2007 20:32:47
LUKERES.DLL : 7.0.6.1 10280 Bytes 8/21/2007 17:35:20
ANTIVIR0.VDF : 6.40.0.0 11030528 Bytes 7/18/2007 19:27:15
ANTIVIR1.VDF : 7.0.3.2 5447168 Bytes 3/7/2008 00:46:02
ANTIVIR2.VDF : 7.0.3.62 337408 Bytes 3/21/2008 00:46:02
ANTIVIR3.VDF : 7.0.3.73 70656 Bytes 3/25/2008 00:46:02
AVEWIN32.DLL : 7.6.0.75 3334656 Bytes 3/26/2008 00:46:03
AVWINLL.DLL : 1.0.0.7 14376 Bytes 2/26/2007 15:36:26
AVPREF.DLL : 7.0.2.2 25640 Bytes 7/18/2007 12:39:17
AVREP.DLL : 7.0.0.1 155688 Bytes 4/16/2007 18:16:24
AVPACK32.DLL : 7.6.0.3 360488 Bytes 3/26/2008 00:46:03
AVREG.DLL : 7.0.1.6 30760 Bytes 7/18/2007 12:17:06
AVARKT.DLL : 1.0.0.20 278568 Bytes 8/28/2007 17:26:33
AVEVTLOG.DLL : 7.0.0.20 86056 Bytes 7/18/2007 12:10:18
NETNT.DLL : 7.0.0.0 7720 Bytes 3/8/2007 16:09:42
RCIMAGE.DLL : 7.0.1.30 2342952 Bytes 8/7/2007 17:38:13
RCTEXT.DLL : 7.0.62.0 86056 Bytes 8/21/2007 17:50:37
SQLITE3.DLL : 3.3.17.1 339968 Bytes 7/23/2007 14:37:21

Configuration settings for the scan:
Jobname..........................: Complete system scan
Configuration file...............: c:\program files\avira\antivir personaledition classic\sysscan.avp
Logging..........................: low
Primary action...................: interactive
Secondary action.................: ignore
Scan master boot sector..........: off
Scan boot sector.................: on
Boot sectors.....................: D:,
Scan memory......................: on
Process scan.....................: on
Scan registry....................: on
Search for rootkits..............: off
Scan all files...................: Intelligent file selection
Scan archives....................: on
Recursion depth..................: 20
Smart extensions.................: on
Macro heuristic..................: on
File heuristic...................: medium

Start of the scan: Tuesday, March 25, 2008 20:46

The scan of running processes will be started
Scan process 'avscan.exe' - '1' Module(s) have been scanned
Scan process 'avcenter.exe' - '1' Module(s) have been scanned
Scan process 'sched.exe' - '1' Module(s) have been scanned
Scan process 'avgnt.exe' - '1' Module(s) have been scanned
Scan process 'avguard.exe' - '1' Module(s) have been scanned
Scan process 'notepad.exe' - '1' Module(s) have been scanned
Scan process 'hpqgalry.exe' - '1' Module(s) have been scanned
Scan process 'hpqtra08.exe' - '1' Module(s) have been scanned
Scan process 'BigFix.exe' - '1' Module(s) have been scanned
Scan process 'svchost.exe' - '1' Module(s) have been scanned
Scan process 'alg.exe' - '1' Module(s) have been scanned
Scan process 'iPodService.exe' - '1' Module(s) have been scanned
Scan process 'rapimgr.exe' - '1' Module(s) have been scanned
Scan process 'TeaTimer.exe' - '1' Module(s) have been scanned
Scan process 'SUPERAntiSpyware.exe' - '1' Module(s) have been scanned
Scan process 'DesktopWeather.exe' - '1' Module(s) have been scanned
Scan process 'wcescomm.exe' - '1' Module(s) have been scanned
Scan process 'ctfmon.exe' - '1' Module(s) have been scanned
Scan process 'iTunesHelper.exe' - '1' Module(s) have been scanned
Scan process 'svchost.exe' - '1' Module(s) have been scanned
Scan process 'PRISMXL.SYS' - '1' Module(s) have been scanned
Scan process 'HPZipm12.exe' - '1' Module(s) have been scanned
Scan process 'hpwuSchd2.exe' - '1' Module(s) have been scanned
Scan process 'AppleMobileDeviceService.exe' - '1' Module(s) have been scanned
Scan process 'realsched.exe' - '1' Module(s) have been scanned
Scan process 'mmtask.exe' - '1' Module(s) have been scanned
Scan process 'ALCWZRD.EXE' - '1' Module(s) have been scanned
Scan process 'SoundMan.exe' - '1' Module(s) have been scanned
Scan process 'hpcmpmgr.exe' - '1' Module(s) have been scanned
Scan process 'PDVDServ.exe' - '1' Module(s) have been scanned
Scan process 'zHotkey.exe' - '1' Module(s) have been scanned
Scan process 'hkcmd.exe' - '1' Module(s) have been scanned
Scan process 'igfxtray.exe' - '1' Module(s) have been scanned
Scan process 'shwiconEM.exe' - '1' Module(s) have been scanned
Scan process 'explorer.exe' - '1' Module(s) have been scanned
Scan process 'spoolsv.exe' - '1' Module(s) have been scanned
Scan process 'aawservice.exe' - '1' Module(s) have been scanned
Scan process 'svchost.exe' - '1' Module(s) have been scanned
Scan process 'svchost.exe' - '1' Module(s) have been scanned
Scan process 'svchost.exe' - '1' Module(s) have been scanned
Scan process 'svchost.exe' - '1' Module(s) have been scanned
Scan process 'svchost.exe' - '1' Module(s) have been scanned
Scan process 'lsass.exe' - '1' Module(s) have been scanned
Scan process 'services.exe' - '1' Module(s) have been scanned
Scan process 'winlogon.exe' - '1' Module(s) have been scanned
Scan process 'csrss.exe' - '1' Module(s) have been scanned
Scan process 'smss.exe' - '1' Module(s) have been scanned
47 processes with 47 modules were scanned

Start scanning boot sectors:
Boot sector 'C:\'
[NOTE] No virus was found!
Boot sector 'D:\'
[NOTE] No virus was found!

Starting to scan the registry.
The registry was scanned ( '43' files ).


Starting the file scan:

Begin scan in 'C:\'
C:\hiberfil.sys
[WARNING] The file could not be opened!
C:\pagefile.sys
[WARNING] The file could not be opened!
C:\Documents and Settings\Owner\Local Settings\Temp\uninst.tmp
[DETECTION] Is the Trojan horse TR/PSW.Perf.1.0.0
[INFO] The file was moved to '4852ac29.qua'!
C:\Documents and Settings\Owner\Local Settings\Temp\RarSFX0\basic\setup.exe
[WARNING] The file could not be opened!
C:\Documents and Settings\Owner\Local Settings\Temporary Internet Files\Content.IE5\21WMF2K4\css4[1]
[DETECTION] Is the Trojan horse TR/Vundo.AG
[INFO] The file was moved to '485cadc7.qua'!
C:\Documents and Settings\Owner\Local Settings\Temporary Internet Files\Content.IE5\21WMF2K4\css4[2]
[DETECTION] Is the Trojan horse TR/Vundo.AG
[INFO] The file was moved to '485cadc8.qua'!
C:\Documents and Settings\Owner\Local Settings\Temporary Internet Files\Content.IE5\5Z4EP020\ptch[1]
[DETECTION] Is the Trojan horse TR/Vundo.Gen
[INFO] The file was moved to '484caddc.qua'!
C:\Documents and Settings\Owner\Local Settings\Temporary Internet Files\Content.IE5\8C60HS04\css4[1]
[DETECTION] Is the Trojan horse TR/Vundo.AG
[INFO] The file was moved to '485cadf3.qua'!
C:\Documents and Settings\Owner\Local Settings\Temporary Internet Files\Content.IE5\C25GZG9J\css4[1]
[DETECTION] Is the Trojan horse TR/Vundo.AG
[INFO] The file was moved to '485cadfb.qua'!
C:\Documents and Settings\Owner\Local Settings\Temporary Internet Files\Content.IE5\GGPZYU5X\css4[1]
[DETECTION] Is the Trojan horse TR/Vundo.AG
[INFO] The file was moved to '485cae15.qua'!
C:\Documents and Settings\Owner\Local Settings\Temporary Internet Files\Content.IE5\GGPZYU5X\css4[2]
[DETECTION] Is the Trojan horse TR/Vundo.AG
[INFO] The file was moved to '485cae16.qua'!
C:\Documents and Settings\Owner\Local Settings\Temporary Internet Files\Content.IE5\IA8YIME7\css4[1]
[DETECTION] Is the Trojan horse TR/Vundo.AG
[INFO] The file was moved to '485cae1f.qua'!
C:\Documents and Settings\Owner\Local Settings\Temporary Internet Files\Content.IE5\IA8YIME7\css4[2]
[DETECTION] Is the Trojan horse TR/Vundo.AG
[INFO] The file was moved to '49dc1140.qua'!
C:\Documents and Settings\Owner\Local Settings\Temporary Internet Files\Content.IE5\L5TJ4GGA\css4[1]
[DETECTION] Is the Trojan horse TR/Vundo.AG
[INFO] The file was moved to '485cae27.qua'!
C:\Documents and Settings\Owner\Local Settings\Temporary Internet Files\Content.IE5\OXG41KWX\css4[1]
[DETECTION] Is the Trojan horse TR/Vundo.AG
[INFO] The file was moved to '485cae5c.qua'!
C:\Documents and Settings\Owner\Local Settings\Temporary Internet Files\Content.IE5\P4TJAWL8\css4[1]
[DETECTION] Is the Trojan horse TR/Vundo.AG
[INFO] The file was moved to '485cae63.qua'!
C:\Documents and Settings\Owner\Local Settings\Temporary Internet Files\Content.IE5\Y47HFYZ6\css4[1]
[DETECTION] Is the Trojan horse TR/Vundo.AG
[INFO] The file was moved to '485cae86.qua'!
C:\Documents and Settings\Owner\Local Settings\Temporary Internet Files\Content.IE5\ZA4E6RY1\css4[1]
[DETECTION] Is the Trojan horse TR/Vundo.AG
[INFO] The file was moved to '485cae8d.qua'!
C:\System Volume Information\_restore{F845E3DB-F751-4BE4-A620-64F2CA1BFB5F}\RP813\A0037260.exe
[DETECTION] Is the Trojan horse TR/Dldr.PurityScan.FJ
[INFO] The file was moved to '4819b23a.qua'!
C:\System Volume Information\_restore{F845E3DB-F751-4BE4-A620-64F2CA1BFB5F}\RP813\A0037266.exe
[DETECTION] Contains detection pattern of the dropper DR/PurityScan.GP
[INFO] The file was moved to '49641cf3.qua'!
C:\System Volume Information\_restore{F845E3DB-F751-4BE4-A620-64F2CA1BFB5F}\RP813\A0037267.exe
[DETECTION] Is the Trojan horse TR/Dldr.Purity.BV.7
[INFO] The file was moved to '4819b23b.qua'!
C:\System Volume Information\_restore{F845E3DB-F751-4BE4-A620-64F2CA1BFB5F}\RP814\A0037273.vbs
[DETECTION] Is the Trojan horse TR/Small.WY
[INFO] The file was moved to '4819b23c.qua'!
C:\System Volume Information\_restore{F845E3DB-F751-4BE4-A620-64F2CA1BFB5F}\RP814\A0037276.exe
[DETECTION] Is the Trojan horse TR/Crypt.ULPM.Gen
[INFO] The file was moved to '49641cf5.qua'!
C:\System Volume Information\_restore{F845E3DB-F751-4BE4-A620-64F2CA1BFB5F}\RP814\A0037277.exe
[DETECTION] Is the Trojan horse TR/Crypt.ULPM.Gen
[INFO] The file was moved to '4819b23e.qua'!
C:\System Volume Information\_restore{F845E3DB-F751-4BE4-A620-64F2CA1BFB5F}\RP814\A0037280.dll
[DETECTION] Is the Trojan horse TR/Vundo.AG
[INFO] The file was moved to '49641cf7.qua'!
C:\System Volume Information\_restore{F845E3DB-F751-4BE4-A620-64F2CA1BFB5F}\RP814\A0037281.dll
[DETECTION] Is the Trojan horse TR/Vundo.Gen
[INFO] The file was moved to '4819b23d.qua'!
C:\System Volume Information\_restore{F845E3DB-F751-4BE4-A620-64F2CA1BFB5F}\RP814\A0037327.dll
[DETECTION] Is the Trojan horse TR/Vundo.AG
[INFO] The file was moved to '4819b230.qua'!
C:\System Volume Information\_restore{F845E3DB-F751-4BE4-A620-64F2CA1BFB5F}\RP814\A0037328.dll
[DETECTION] Is the Trojan horse TR/Vundo.Gen
[INFO] The file was moved to '49641cf9.qua'!
C:\System Volume Information\_restore{F845E3DB-F751-4BE4-A620-64F2CA1BFB5F}\RP814\A0037341.dll
[DETECTION] Is the Trojan horse TR/Vundo.Gen
[INFO] The file was moved to '4819b232.qua'!
C:\System Volume Information\_restore{F845E3DB-F751-4BE4-A620-64F2CA1BFB5F}\RP814\A0037342.dll
[DETECTION] Is the Trojan horse TR/Vundo.AG
[INFO] The file was moved to '49641cfb.qua'!
C:\System Volume Information\_restore{F845E3DB-F751-4BE4-A620-64F2CA1BFB5F}\RP814\A0037377.dll
[DETECTION] Is the Trojan horse TR/Vundo.AG
[INFO] The file was moved to '4819b23f.qua'!
C:\System Volume Information\_restore{F845E3DB-F751-4BE4-A620-64F2CA1BFB5F}\RP814\A0037378.dll
[DETECTION] Is the Trojan horse TR/Vundo.Gen
[INFO] The file was moved to '49641c88.qua'!
C:\System Volume Information\_restore{F845E3DB-F751-4BE4-A620-64F2CA1BFB5F}\RP814\A0037379.dll
[DETECTION] Is the Trojan horse TR/Vundo.Gen
[INFO] The file was moved to '4819b240.qua'!
C:\System Volume Information\_restore{F845E3DB-F751-4BE4-A620-64F2CA1BFB5F}\RP814\A0037392.dll
[DETECTION] Is the Trojan horse TR/Vundo.AG
[INFO] The file was moved to '49641c89.qua'!
C:\System Volume Information\_restore{F845E3DB-F751-4BE4-A620-64F2CA1BFB5F}\RP814\A0037393.dll
[DETECTION] Is the Trojan horse TR/Vundo.Gen
[INFO] The file was moved to '4819b242.qua'!
C:\System Volume Information\_restore{F845E3DB-F751-4BE4-A620-64F2CA1BFB5F}\RP814\A0037405.dll
[DETECTION] Is the Trojan horse TR/Vundo.Gen
[INFO] The file was moved to '4819b241.qua'!
C:\System Volume Information\_restore{F845E3DB-F751-4BE4-A620-64F2CA1BFB5F}\RP814\A0037406.dll
[DETECTION] Is the Trojan horse TR/Vundo.AG
[INFO] The file was moved to '49641c8a.qua'!
C:\System Volume Information\_restore{F845E3DB-F751-4BE4-A620-64F2CA1BFB5F}\RP814\A0037420.dll
[DETECTION] Is the Trojan horse TR/Vundo.Gen
[INFO] The file was moved to '4819b243.qua'!
C:\System Volume Information\_restore{F845E3DB-F751-4BE4-A620-64F2CA1BFB5F}\RP814\A0037421.dll
[DETECTION] Is the Trojan horse TR/Vundo.Gen
[INFO] The file was moved to '49641c8b.qua'!
C:\System Volume Information\_restore{F845E3DB-F751-4BE4-A620-64F2CA1BFB5F}\RP814\A0037422.dll
[DETECTION] Is the Trojan horse TR/Vundo.AG
[INFO] The file was moved to '4819b244.qua'!
C:\System Volume Information\_restore{F845E3DB-F751-4BE4-A620-64F2CA1BFB5F}\RP815\A0037435.dll
[DETECTION] Is the Trojan horse TR/Vundo.Gen
[INFO] The file was moved to '49641c8c.qua'!
C:\System Volume Information\_restore{F845E3DB-F751-4BE4-A620-64F2CA1BFB5F}\RP815\A0037438.dll
[DETECTION] Is the Trojan horse TR/Vundo.AG
[INFO] The file was moved to '4819b245.qua'!
C:\System Volume Information\_restore{F845E3DB-F751-4BE4-A620-64F2CA1BFB5F}\RP815\A0037439.dll
[DETECTION] Is the Trojan horse TR/Vundo.Gen
[INFO] The file was moved to '49641c8d.qua'!
C:\System Volume Information\_restore{F845E3DB-F751-4BE4-A620-64F2CA1BFB5F}\RP815\A0037453.dll
[DETECTION] Is the Trojan horse TR/Vundo.Gen
[INFO] The file was moved to '4819b246.qua'!
C:\System Volume Information\_restore{F845E3DB-F751-4BE4-A620-64F2CA1BFB5F}\RP815\A0037454.dll
[DETECTION] Is the Trojan horse TR/Vundo.Gen
[INFO] The file was moved to '49641c8f.qua'!
C:\System Volume Information\_restore{F845E3DB-F751-4BE4-A620-64F2CA1BFB5F}\RP815\A0037455.dll
[DETECTION] Is the Trojan horse TR/Vundo.AG
[INFO] The file was moved to '49641c8e.qua'!
C:\System Volume Information\_restore{F845E3DB-F751-4BE4-A620-64F2CA1BFB5F}\RP815\A0037477.dll
[DETECTION] Is the Trojan horse TR/Vundo.AG
[INFO] The file was moved to '4819b247.qua'!
C:\System Volume Information\_restore{F845E3DB-F751-4BE4-A620-64F2CA1BFB5F}\RP815\A0037478.dll
[DETECTION] Is the Trojan horse TR/Vundo.Gen
[INFO] The file was moved to '49641c80.qua'!
C:\System Volume Information\_restore{F845E3DB-F751-4BE4-A620-64F2CA1BFB5F}\RP815\A0037503.dll
[DETECTION] Is the Trojan horse TR/Vundo.AG
[INFO] The file was moved to '4819b258.qua'!
C:\System Volume Information\_restore{F845E3DB-F751-4BE4-A620-64F2CA1BFB5F}\RP815\A0037504.dll
[DETECTION] Is the Trojan horse TR/Vundo.Gen
[INFO] The file was moved to '49641c91.qua'!
C:\System Volume Information\_restore{F845E3DB-F751-4BE4-A620-64F2CA1BFB5F}\RP815\A0037521.dll
[DETECTION] Is the Trojan horse TR/Vundo.AG
[INFO] The file was moved to '4819b25a.qua'!
C:\System Volume Information\_restore{F845E3DB-F751-4BE4-A620-64F2CA1BFB5F}\RP815\A0037522.dll
[DETECTION] Is the Trojan horse TR/Vundo.Gen
[INFO] The file was moved to '4819b249.qua'!
C:\System Volume Information\_restore{F845E3DB-F751-4BE4-A620-64F2CA1BFB5F}\RP815\A0037536.dll
[DETECTION] Is the Trojan horse TR/Vundo.AG
[INFO] The file was moved to '49641c82.qua'!
C:\System Volume Information\_restore{F845E3DB-F751-4BE4-A620-64F2CA1BFB5F}\RP815\A0037537.dll
[DETECTION] Is the Trojan horse TR/Vundo.Gen
[INFO] The file was moved to '4819b24b.qua'!
C:\System Volume Information\_restore{F845E3DB-F751-4BE4-A620-64F2CA1BFB5F}\RP816\A0037567.dll
[DETECTION] Is the Trojan horse TR/Vundo.Gen
[INFO] The file was moved to '49641c84.qua'!
C:\System Volume Information\_restore{F845E3DB-F751-4BE4-A620-64F2CA1BFB5F}\RP816\A0037570.dll
[DETECTION] Is the Trojan horse TR/Vundo.AG
[INFO] The file was moved to '4819b24d.qua'!
C:\System Volume Information\_restore{F845E3DB-F751-4BE4-A620-64F2CA1BFB5F}\RP816\A0037571.dll
[DETECTION] Is the Trojan horse TR/Vundo.Gen
[INFO] The file was moved to '49641c86.qua'!
C:\WINDOWS\system32\biz3\pnglift22.exe
[DETECTION] Is the Trojan horse TR/Crypt.ULPM.Gen
[INFO] The file was moved to '4850b47c.qua'!
Begin scan in 'D:\'


End of the scan: Tuesday, March 25, 2008 22:28
Used time: 1:41:28 min

The scan has been done completely.

6190 Scanning directories
327845 Files were scanned
55 viruses and/or unwanted programs were found
0 Files were classified as suspicious:
0 files were deleted
0 files were repaired
55 files were moved to quarantine
0 files were renamed
3 Files cannot be scanned
327790 Files not concerned
7457 Archives were scanned
3 Warnings
20 Notes


***

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 10:34:07 PM, on 3/25/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16608)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Avira\AntiVir PersonalEdition Classic\avguard.exe
C:\Program Files\Avira\AntiVir PersonalEdition Classic\sched.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\WINDOWS\system32\HPZipm12.exe
C:\Program Files\Common Files\New Boundary\PrismXL\PRISMXL.SYS
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Digital Media Reader\shwiconem.exe
C:\WINDOWS\system32\igfxtray.exe
C:\WINDOWS\system32\hkcmd.exe
C:\WINDOWS\zHotkey.exe
C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe
C:\Program Files\HP\hpcoretech\hpcmpmgr.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\WINDOWS\ALCWZRD.EXE
C:\Program Files\Musicmatch\Musicmatch Jukebox\mmtask.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Avira\AntiVir PersonalEdition Classic\avgnt.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Microsoft ActiveSync\wcescomm.exe
C:\Program Files\The Weather Channel FW\Desktop Weather\DesktopWeather.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\PROGRA~1\MI3AA1~1\rapimgr.exe
C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\BigFix\BigFix.exe
C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\HP\Digital Imaging\bin\hpqgalry.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\WINDOWS\system32\HPZinw12.exe
C:\Program Files\Avira\AntiVir PersonalEdition Classic\avcenter.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.nutrisyst.../ny05/index.cfm
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft....k/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft....k/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft....k/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft....k/?LinkId=69157
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: testCPV6 - {15421B84-3488-49A7-AD18-CBF84A3EFAF6} - C:\Program Files\CPV\CPV7.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: (no name) - {58C84256-85D6-4FCE-B569-9FA00E355E04} - (no file)
O2 - BHO: (no name) - {6D34C491-5401-5DF3-0210-5B00B6B7DB9C} - C:\WINDOWS\system32\efpex.dll (file missing)
O2 - BHO: (no name) - {73AC7ABE-756B-479F-9D7B-C71B7117FF85} - C:\WINDOWS\system32\iiiff.dll (file missing)
O2 - BHO: (no name) - {8E77EE64-E748-43DE-8DAF-CE113FD4C6C3} - C:\WINDOWS\system32\byvwx.dll (file missing)
O2 - BHO: (no name) - {A858806D-2080-433E-9457-4285388677B9} - C:\WINDOWS\system32\efccc.dll (file missing)
O2 - BHO: (no name) - {C7E5E08C-2606-424D-9A0C-F67639BE47EC} - C:\WINDOWS\system32\ljhfg.dll (file missing)
O2 - BHO: (no name) - {E105BAB1-71FF-4F58-AF46-9F4997BAD1F1} - C:\WINDOWS\system32\efecd.dll (file missing)
O2 - BHO: (no name) - {E28DC1DE-DD5B-4901-BE96-65DAE849FA93} - C:\WINDOWS\system32\khffd.dll (file missing)
O2 - BHO: (no name) - {F40CFFDC-74DC-440C-8A5D-9CCE590568FD} - C:\WINDOWS\system32\mlllk.dll (file missing)
O4 - HKLM\..\Run: [Recguard] C:\WINDOWS\SMINST\RECGUARD.EXE
O4 - HKLM\..\Run: [SunKistEM] C:\Program Files\Digital Media Reader\shwiconem.exe
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [CHotkey] zHotkey.exe
O4 - HKLM\..\Run: [ShowWnd] ShowWnd.exe
O4 - HKLM\..\Run: [RemoteControl] "C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe"
O4 - HKLM\..\Run: [High Definition Audio Property Page Shortcut] HDAShCut.exe
O4 - HKLM\..\Run: [Mixersel] C:\Program Files\Realtek\InstallShield\mixersel.exe
O4 - HKLM\..\Run: [HP Component Manager] "C:\Program Files\HP\hpcoretech\hpcmpmgr.exe"
O4 - HKLM\..\Run: [AlcFDMonitor] C:\WINDOWS\ALCFDRTM.EXE
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [AlcWzrd] ALCWZRD.EXE
O4 - HKLM\..\Run: [Alcmtr] ALCMTR.EXE
O4 - HKLM\..\Run: [ISUSPM Startup] C:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe -startup
O4 - HKLM\..\Run: [mmtask] "C:\Program Files\Musicmatch\Musicmatch Jukebox\mmtask.exe"
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [5859e32a] rundll32.exe "C:\WINDOWS\system32\eomgjlgf.dll",b
O4 - HKLM\..\Run: [avgnt] "C:\Program Files\Avira\AntiVir PersonalEdition Classic\avgnt.exe" /min
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [H/PC Connection Agent] "C:\Program Files\Microsoft ActiveSync\wcescomm.exe"
O4 - HKCU\..\Run: [DW4] "C:\Program Files\The Weather Channel FW\Desktop Weather\DesktopWeather.exe"
O4 - HKCU\..\Run: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: BigFix.lnk = C:\Program Files\BigFix\BigFix.exe
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
O4 - Global Startup: HP Image Zone Fast Start.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqthb08.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: Create Mobile Favorite - {2EAF5BB1-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MI3AA1~1\INetRepl.dll
O9 - Extra button: (no name) - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MI3AA1~1\INetRepl.dll
O9 - Extra 'Tools' menuitem: Create Mobile Favorite... - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MI3AA1~1\INetRepl.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O15 - Trusted Zone: *.avsystemcare.com
O15 - Trusted Zone: *.gomyhit.com
O15 - Trusted Zone: *.imageservr.com
O15 - Trusted Zone: *.onerateld.com
O15 - Trusted Zone: *.safetydownload.com
O15 - Trusted Zone: *.storageguardsoft.com
O15 - Trusted Zone: *.trustedantivirus.com
O15 - Trusted Zone: *.virusschlacht.com
O15 - Trusted Zone: *.avsystemcare.com (HKLM)
O15 - Trusted Zone: *.gomyhit.com (HKLM)
O15 - Trusted Zone: *.imageservr.com (HKLM)
O15 - Trusted Zone: *.onerateld.com (HKLM)
O15 - Trusted Zone: *.safetydownload.com (HKLM)
O15 - Trusted Zone: *.storageguardsoft.com (HKLM)
O15 - Trusted Zone: *.trustedantivirus.com (HKLM)
O15 - Trusted Zone: *.virusschlacht.com (HKLM)
O16 - DPF: {74C861A1-D548-4916-BC8A-FDE92EDFF62C} - http://mediaplayer.w...ler/install.cab
O16 - DPF: {9522B3FB-7A2B-4646-8AF6-36E7F593073C} - http://a19.g.akamai....302/Coupons.cab
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: AntiVir PersonalEdition Classic Scheduler (AntiVirScheduler) - Avira GmbH - C:\Program Files\Avira\AntiVir PersonalEdition Classic\sched.exe
O23 - Service: AntiVir PersonalEdition Classic Guard (AntiVirService) - Avira GmbH - C:\Program Files\Avira\AntiVir PersonalEdition Classic\avguard.exe
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: PrismXL - New Boundary Technologies, Inc. - C:\Program Files\Common Files\New Boundary\PrismXL\PRISMXL.SYS

--
End of file - 9916 bytes
  • 0

#4
miekiemoes

miekiemoes

    Malware Expert

  • Member
  • PipPipPipPipPipPipPipPip
  • 5,503 posts
  • MVP
Hi,

I see you are running Teatimer.
I suggest you to disable it because it can interfere with the changes you'll make on your system.
When everything is done and your log is clean again, you can enable it again.
If teatimer gives you a warning afterwards that some changes were made, allow this instead of blocking it.
How to disable TeaTimer <== click me for instructions.
After you disabled Teatimer, download ResetTeaTimer.bat to your desktop. (In case you use Firefox, rightclick the link and choose "save as").
Doubleclick ResetTeaTimer.bat and let it run.
This will only take a few seconds.

Then,
* Start HijackThis, close all open windows leaving only HijackThis running. Place a check against each of the following:

O2 - BHO: testCPV6 - {15421B84-3488-49A7-AD18-CBF84A3EFAF6} - C:\Program Files\CPV\CPV7.dll
O2 - BHO: (no name) - {58C84256-85D6-4FCE-B569-9FA00E355E04} - (no file)
O2 - BHO: (no name) - {6D34C491-5401-5DF3-0210-5B00B6B7DB9C} - C:\WINDOWS\system32\efpex.dll (file missing)
O2 - BHO: (no name) - {73AC7ABE-756B-479F-9D7B-C71B7117FF85} - C:\WINDOWS\system32\iiiff.dll (file missing)
O2 - BHO: (no name) - {8E77EE64-E748-43DE-8DAF-CE113FD4C6C3} - C:\WINDOWS\system32\byvwx.dll (file missing)
O2 - BHO: (no name) - {A858806D-2080-433E-9457-4285388677B9} - C:\WINDOWS\system32\efccc.dll (file missing)
O2 - BHO: (no name) - {C7E5E08C-2606-424D-9A0C-F67639BE47EC} - C:\WINDOWS\system32\ljhfg.dll (file missing)
O2 - BHO: (no name) - {E105BAB1-71FF-4F58-AF46-9F4997BAD1F1} - C:\WINDOWS\system32\efecd.dll (file missing)
O2 - BHO: (no name) - {E28DC1DE-DD5B-4901-BE96-65DAE849FA93} - C:\WINDOWS\system32\khffd.dll (file missing)
O2 - BHO: (no name) - {F40CFFDC-74DC-440C-8A5D-9CCE590568FD} - C:\WINDOWS\system32\mlllk.dll (file missing)
O4 - HKLM\..\Run: [Alcmtr] ALCMTR.EXE
O4 - HKLM\..\Run: [5859e32a] rundll32.exe "C:\WINDOWS\system32\eomgjlgf.dll",b
O15 - Trusted Zone: *.avsystemcare.com
O15 - Trusted Zone: *.gomyhit.com
O15 - Trusted Zone: *.imageservr.com
O15 - Trusted Zone: *.onerateld.com
O15 - Trusted Zone: *.safetydownload.com
O15 - Trusted Zone: *.storageguardsoft.com
O15 - Trusted Zone: *.trustedantivirus.com
O15 - Trusted Zone: *.virusschlacht.com
O15 - Trusted Zone: *.avsystemcare.com (HKLM)
O15 - Trusted Zone: *.gomyhit.com (HKLM)
O15 - Trusted Zone: *.imageservr.com (HKLM)
O15 - Trusted Zone: *.onerateld.com (HKLM)
O15 - Trusted Zone: *.safetydownload.com (HKLM)
O15 - Trusted Zone: *.storageguardsoft.com (HKLM)
O15 - Trusted Zone: *.trustedantivirus.com (HKLM)
O15 - Trusted Zone: *.virusschlacht.com (HKLM)


* Click on Fix Checked when finished and exit HijackThis.
Make sure your Internet Explorer is closed when you click Fix Checked!

Then, * Please visit this webpage for instructions for downloading and running ComboFix:

http://www.bleepingc...to-use-combofix

This includes installing the Windows XP Recovery Console in case you have not installed it yet.

Post the log from ComboFix when you've accomplished that, along with a new HijackThis log.
  • 0

#5
Brideshead

Brideshead

    New Member

  • Topic Starter
  • Member
  • Pip
  • 7 posts
Thanks yet again! Here are the logs:

ComboFix 08-03-25.4 - Owner 2008-03-26 8:58:41.1 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.597 [GMT -4:00]
Running from: C:\Documents and Settings\Owner\Desktop\ComboFix.exe
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\Documents and Settings\Owner\Application Data\ECURIT~1
C:\Program Files\Temporary
C:\Temp\1cb
C:\Temp\1cb\syscheck.log
C:\Temp\gbRve12
C:\Temp\gbRve12\csLioes.log
C:\WINDOWS\cookies.ini
C:\WINDOWS\system32\cbefe.ini
C:\WINDOWS\system32\cbefe.ini2
C:\WINDOWS\system32\cccfe.ini
C:\WINDOWS\system32\cccfe.ini2
C:\WINDOWS\system32\cfhjl.ini
C:\WINDOWS\system32\cfhjl.ini2
C:\WINDOWS\system32\dcefe.ini
C:\WINDOWS\system32\dcefe.ini2
C:\WINDOWS\system32\dffhk.ini
C:\WINDOWS\system32\dffhk.ini2
C:\WINDOWS\system32\ffiii.ini
C:\WINDOWS\system32\ffiii.ini2
C:\WINDOWS\system32\gfhjl.ini
C:\WINDOWS\system32\gfhjl.ini2
C:\WINDOWS\system32\kkjjl.ini
C:\WINDOWS\system32\kkjjl.ini2
C:\WINDOWS\system32\klllm.ini
C:\WINDOWS\system32\klllm.ini2
C:\WINDOWS\system32\lkkmp.ini
C:\WINDOWS\system32\lkkmp.ini2
C:\WINDOWS\system32\oonpo.ini
C:\WINDOWS\system32\oonpo.ini2
C:\WINDOWS\system32\pac.txt
C:\WINDOWS\system32\tstss.ini
C:\WINDOWS\system32\tstss.ini2
C:\WINDOWS\system32\ttvut.ini
C:\WINDOWS\system32\ttvut.ini2
C:\WINDOWS\system32\xwvyb.ini
C:\WINDOWS\system32\xwvyb.ini2
D:\Autorun.inf

.
((((((((((((((((((((((((( Files Created from 2008-02-26 to 2008-03-26 )))))))))))))))))))))))))))))))
.

2008-03-25 20:44 . 2008-03-25 20:44 <DIR> d-------- C:\Program Files\Avira
2008-03-25 20:44 . 2008-03-25 20:44 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Avira
2008-03-24 11:52 . 2008-03-24 23:00 1,578,150 ---hs---- C:\WINDOWS\system32\fgljgmoe.ini
2008-03-24 11:51 . 2008-03-24 11:51 <DIR> d-------- C:\Program Files\Trend Micro
2008-03-24 01:04 . 2008-03-24 01:04 1,544,042 ---hs---- C:\WINDOWS\system32\poprfgrl.ini
2008-03-23 20:39 . 2008-03-24 11:47 226 --a------ C:\WINDOWS\wininit.ini
2008-03-23 18:52 . 2008-03-23 20:39 1,543,159 ---hs---- C:\WINDOWS\system32\hvirvced.ini
2008-03-23 17:45 . 2008-03-23 17:45 1,543,159 ---hs---- C:\WINDOWS\system32\maahcgys.ini
2008-03-23 14:33 . 2008-03-23 14:33 1,543,159 ---hs---- C:\WINDOWS\system32\lhriuclh.ini
2008-03-23 14:26 . 2008-03-23 14:26 <DIR> d-------- C:\VundoFix Backups
2008-03-23 13:31 . 2008-03-23 14:14 1,543,168 ---hs---- C:\WINDOWS\system32\ajvtspch.ini
2008-03-23 12:28 . 2008-03-23 12:28 1,543,159 ---hs---- C:\WINDOWS\system32\awwkymbp.ini
2008-03-23 11:24 . 2008-03-23 11:24 1,543,159 ---hs---- C:\WINDOWS\system32\pausekco.ini
2008-03-23 00:43 . 2008-03-23 00:44 1,543,159 ---hs---- C:\WINDOWS\system32\bkattxjg.ini
2008-03-22 22:22 . 2008-03-22 22:22 1,543,159 ---hs---- C:\WINDOWS\system32\adwmnink.ini
2008-03-22 16:15 . 2008-03-22 16:15 1,543,279 ---hs---- C:\WINDOWS\system32\yjgjloto.ini
2008-03-22 15:38 . 2008-03-22 16:14 1,543,219 ---hs---- C:\WINDOWS\system32\gfnxgifp.ini
2008-03-22 13:43 . 2008-03-22 13:43 1,543,159 ---hs---- C:\WINDOWS\system32\vchtcxme.ini
2008-03-22 12:41 . 2008-03-22 12:41 1,543,159 ---hs---- C:\WINDOWS\system32\dykrhrdn.ini
2008-03-22 11:37 . 2008-03-22 11:37 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\SUPERAntiSpyware.com
2008-03-22 11:36 . 2008-03-22 12:35 <DIR> d-------- C:\Program Files\SUPERAntiSpyware
2008-03-22 11:36 . 2008-03-22 11:36 <DIR> d-------- C:\Documents and Settings\Owner\Application Data\SUPERAntiSpyware.com
2008-03-22 09:59 . 2008-03-22 11:34 1,543,228 ---hs---- C:\WINDOWS\system32\csuwgaly.ini
2008-03-22 00:21 . 2008-03-22 00:21 9,662 --a------ C:\WINDOWS\system32\ZoneAlarmIconUS.ico
2008-03-21 22:21 . 2008-03-21 22:22 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Lavasoft
2008-03-21 22:20 . 2008-03-22 11:36 <DIR> d-------- C:\Program Files\Common Files\Wise Installation Wizard
2008-03-21 21:47 . 2008-03-21 23:24 <DIR> d-------- C:\Program Files\nvcoi
2008-03-21 21:47 . 2008-03-26 08:16 <DIR> d-------- C:\Program Files\CPV
2008-03-21 21:43 . 2008-03-22 12:31 <DIR> d--hs---- C:\WINDOWS\Um9tYW4gU3Rvcnplcg
2008-03-21 21:43 . 2008-03-21 23:24 <DIR> d-------- C:\WINDOWS\system32\usnv
2008-03-21 21:43 . 2008-03-21 21:43 <DIR> d-------- C:\WINDOWS\system32\idme
2008-03-21 21:43 . 2008-03-21 23:24 <DIR> d-------- C:\WINDOWS\system32\FxTmp
2008-03-21 21:43 . 2008-03-25 22:25 <DIR> d-------- C:\WINDOWS\system32\biz3
2008-03-21 21:43 . 2008-03-21 21:43 <DIR> d-------- C:\WINDOWS\system32\aqVreo01
2008-03-21 21:43 . 2008-03-21 21:43 44,032 --a------ C:\WINDOWS\system32\nnnmnkl.dll.vir
2008-03-15 08:43 . 2008-03-15 08:43 32,768 --a------ C:\WINDOWS\system32\aqVreo01\aqVreo011065.exe

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-03-24 05:02 --------- d-----w C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2008-03-23 22:59 --------- d-----w C:\Program Files\Spybot - Search & Destroy
2008-03-22 15:13 --------- d-----w C:\Program Files\Google
2008-03-22 02:21 --------- d-----w C:\Program Files\Lavasoft
2008-03-22 02:21 --------- d-----w C:\Documents and Settings\Owner\Application Data\Lavasoft
2008-02-27 03:12 --------- d-----w C:\Program Files\The Weather Channel FW
2008-02-23 02:23 --------- d-----w C:\Program Files\iTunes
2008-02-23 02:22 --------- d-----w C:\Program Files\iPod
2008-02-23 02:13 --------- d-----w C:\Program Files\QuickTime
2005-01-21 03:23 45,056 ------r C:\Program Files\SetAttrib.exe
2004-11-30 09:53 40,960 ------r C:\Program Files\delete.exe
2005-06-19 04:47 0 --sha-w C:\WINDOWS\SMINST\HPCD.sys
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 15:00 15360]
"H/PC Connection Agent"="C:\Program Files\Microsoft ActiveSync\wcescomm.exe" [2006-06-26 16:13 1207080]
"DW4"="C:\Program Files\The Weather Channel FW\Desktop Weather\DesktopWeather.exe" [2007-03-16 07:51 715888]
"SUPERAntiSpyware"="C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe" [2008-02-29 16:03 1481968]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Recguard"="C:\WINDOWS\SMINST\RECGUARD.EXE" [2002-09-13 16:42 212992]
"SunKistEM"="C:\Program Files\Digital Media Reader\shwiconem.exe" [2004-11-15 19:04 135168]
"NeroFilterCheck"="C:\WINDOWS\system32\NeroCheck.exe" [2001-07-09 15:50 155648]
"IgfxTray"="C:\WINDOWS\system32\igfxtray.exe" [2004-08-20 19:55 155648]
"HotKeysCmds"="C:\WINDOWS\system32\hkcmd.exe" [2004-08-20 19:51 118784]
"CHotkey"="zHotkey.exe" [2004-05-17 22:30 543232 C:\WINDOWS\zHotkey.exe]
"ShowWnd"="ShowWnd.exe" [2003-09-19 13:09 36864 C:\WINDOWS\ShowWnd.exe]
"RemoteControl"="C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe" [2003-10-31 23:42 32768]
"High Definition Audio Property Page Shortcut"="HDAShCut.exe" [2005-01-07 17:07 61952 C:\WINDOWS\system32\HdAShCut.exe]
"Mixersel"="C:\Program Files\Realtek\InstallShield\mixersel.exe" [ ]
"HP Component Manager"="C:\Program Files\HP\hpcoretech\hpcmpmgr.exe" [2005-01-12 14:54 241664]
"AlcFDMonitor"="C:\WINDOWS\ALCFDRTM.EXE" [ ]
"SoundMan"="SOUNDMAN.EXE" [2005-05-12 14:00 90112 C:\WINDOWS\SoundMan.exe]
"AlcWzrd"="ALCWZRD.EXE" [2005-05-12 14:00 2805248 C:\WINDOWS\ALCWZRD.EXE]
"ISUSPM Startup"="C:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe" [2005-02-16 16:15 221184]
"mmtask"="C:\Program Files\Musicmatch\Musicmatch Jukebox\mmtask.exe" [2005-03-15 09:58 53248]
"TkBellExe"="C:\Program Files\Common Files\Real\Update_OB\realsched.exe" [2007-08-18 13:04 185632]
"HP Software Update"="C:\Program Files\HP\HP Software Update\HPWuSchd2.exe" [2007-05-08 16:24 54840]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [2008-02-01 00:13 385024]
"iTunesHelper"="C:\Program Files\iTunes\iTunesHelper.exe" [2008-02-19 14:10 267048]
"avgnt"="C:\Program Files\Avira\AntiVir PersonalEdition Classic\avgnt.exe" [2008-03-25 20:46 249896]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Adobe Reader Speed Launch.lnk - C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2005-09-23 22:05:26 29696]
BigFix.lnk - C:\Program Files\BigFix\BigFix.exe [2005-03-22 19:10:15 1742384]
HP Digital Imaging Monitor.lnk - C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe [2004-05-28 22:31:38 241664]
HP Image Zone Fast Start.lnk - C:\Program Files\HP\Digital Imaging\bin\hpqthb08.exe [2004-05-28 23:06:36 53248]

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\shellexecutehooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= C:\Program Files\SUPERAntiSpyware\SASSEH.DLL [2006-12-20 12:55 77824]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
C:\Program Files\SUPERAntiSpyware\SASWINLO.dll 2007-04-19 12:41 294912 C:\Program Files\SUPERAntiSpyware\SASWINLO.dll

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"C:\\Program Files\\HP\\Digital Imaging\\bin\\hpqtra08.exe"=
"C:\\Program Files\\HP\\Digital Imaging\\bin\\hpqkygrp.exe"=
"C:\\Program Files\\HP\\HP Software Update\\HPWUCli.exe"=
"C:\\Documents and Settings\\Owner\\Local Settings\\Temp\\hp_gr_scan_update\\Setup\\DeviceCheck.exe"=
"C:\\Program Files\\Real\\RealPlayer\\realplay.exe"=
"C:\\StubInstaller.exe"=
"C:\\WINDOWS\\system32\\spoolsv.exe"=
"C:\\Program Files\\HP\\Digital Imaging\\bin\\hpofxm08.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"C:\Program Files\Microsoft ActiveSync\rapimgr.exe"= C:\Program Files\Microsoft ActiveSync\rapimgr.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync RAPI Manager
"C:\Program Files\Microsoft ActiveSync\wcescomm.exe"= C:\Program Files\Microsoft ActiveSync\wcescomm.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync Connection Manager
"C:\Program Files\Microsoft ActiveSync\WCESMgr.exe"= C:\Program Files\Microsoft ActiveSync\WCESMgr.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync Application
"C:\\Program Files\\Internet Explorer\\iexplore.exe"=
"C:\\Program Files\\Messenger\\msmsgs.exe"=
"C:\\Program Files\\icuii\\ICUII5.exe"=
"C:\\Program Files\\iTunes\\iTunes.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"26675:TCP"= 26675:TCP:169.254.2.0/255.255.255.0:Enabled:ActiveSync Service

R3 XIRLINK;Veo PC Camera;C:\WINDOWS\system32\DRIVERS\ucdnt.sys [2002-04-08 10:57]

.
Contents of the 'Scheduled Tasks' folder
"2008-03-22 00:40:04 C:\WINDOWS\Tasks\AppleSoftwareUpdate.job"
- C:\Program Files\Apple Software Update\SoftwareUpdate.exe
.
**************************************************************************

catchme 0.3.1344 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-03-26 09:03:23
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
------------------------ Other Running Processes ------------------------
.
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\Program Files\Avira\AntiVir PersonalEdition Classic\avguard.exe
C:\Program Files\Avira\AntiVir PersonalEdition Classic\sched.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\WINDOWS\system32\HPZipm12.exe
C:\Program Files\Common Files\New Boundary\PrismXL\PRISMXL.SYS
C:\PROGRA~1\MI3AA1~1\rapimgr.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\HP\Digital Imaging\bin\hpqgalry.exe
C:\WINDOWS\system32\HPZinw12.exe
C:\Program Files\HP\hpcoretech\comp\hpdarc.exe
.
**************************************************************************
.
Completion time: 2008-03-26 9:07:32 - machine was rebooted
ComboFix-quarantined-files.txt 2008-03-26 13:07:29
.
2008-03-20 04:32:45 --- E O F ---

***

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 9:09:40 AM, on 3/26/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16608)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Avira\AntiVir PersonalEdition Classic\avguard.exe
C:\Program Files\Avira\AntiVir PersonalEdition Classic\sched.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\WINDOWS\system32\HPZipm12.exe
C:\Program Files\Common Files\New Boundary\PrismXL\PRISMXL.SYS
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Digital Media Reader\shwiconem.exe
C:\WINDOWS\system32\igfxtray.exe
C:\WINDOWS\system32\hkcmd.exe
C:\WINDOWS\zHotkey.exe
C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe
C:\Program Files\HP\hpcoretech\hpcmpmgr.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\WINDOWS\ALCWZRD.EXE
C:\Program Files\Musicmatch\Musicmatch Jukebox\mmtask.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Avira\AntiVir PersonalEdition Classic\avgnt.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Microsoft ActiveSync\wcescomm.exe
C:\Program Files\The Weather Channel FW\Desktop Weather\DesktopWeather.exe
C:\Program Files\BigFix\BigFix.exe
C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
C:\PROGRA~1\MI3AA1~1\rapimgr.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\HP\Digital Imaging\bin\hpqgalry.exe
C:\WINDOWS\explorer.exe
C:\WINDOWS\system32\HPZinw12.exe
C:\Program Files\HP\hpcoretech\comp\hpdarc.exe
C:\WINDOWS\system32\notepad.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.nutrisyst.../ny05/index.cfm
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft....k/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft....k/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft....k/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft....k/?LinkId=69157
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O4 - HKLM\..\Run: [Recguard] C:\WINDOWS\SMINST\RECGUARD.EXE
O4 - HKLM\..\Run: [SunKistEM] C:\Program Files\Digital Media Reader\shwiconem.exe
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [CHotkey] zHotkey.exe
O4 - HKLM\..\Run: [ShowWnd] ShowWnd.exe
O4 - HKLM\..\Run: [RemoteControl] "C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe"
O4 - HKLM\..\Run: [High Definition Audio Property Page Shortcut] HDAShCut.exe
O4 - HKLM\..\Run: [Mixersel] C:\Program Files\Realtek\InstallShield\mixersel.exe
O4 - HKLM\..\Run: [HP Component Manager] "C:\Program Files\HP\hpcoretech\hpcmpmgr.exe"
O4 - HKLM\..\Run: [AlcFDMonitor] C:\WINDOWS\ALCFDRTM.EXE
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [AlcWzrd] ALCWZRD.EXE
O4 - HKLM\..\Run: [ISUSPM Startup] C:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe -startup
O4 - HKLM\..\Run: [mmtask] "C:\Program Files\Musicmatch\Musicmatch Jukebox\mmtask.exe"
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [avgnt] "C:\Program Files\Avira\AntiVir PersonalEdition Classic\avgnt.exe" /min
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [H/PC Connection Agent] "C:\Program Files\Microsoft ActiveSync\wcescomm.exe"
O4 - HKCU\..\Run: [DW4] "C:\Program Files\The Weather Channel FW\Desktop Weather\DesktopWeather.exe"
O4 - HKCU\..\Run: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: BigFix.lnk = C:\Program Files\BigFix\BigFix.exe
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
O4 - Global Startup: HP Image Zone Fast Start.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqthb08.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: Create Mobile Favorite - {2EAF5BB1-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MI3AA1~1\INetRepl.dll
O9 - Extra button: (no name) - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MI3AA1~1\INetRepl.dll
O9 - Extra 'Tools' menuitem: Create Mobile Favorite... - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MI3AA1~1\INetRepl.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {74C861A1-D548-4916-BC8A-FDE92EDFF62C} - http://mediaplayer.w...ler/install.cab
O16 - DPF: {9522B3FB-7A2B-4646-8AF6-36E7F593073C} - http://a19.g.akamai....302/Coupons.cab
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: AntiVir PersonalEdition Classic Scheduler (AntiVirScheduler) - Avira GmbH - C:\Program Files\Avira\AntiVir PersonalEdition Classic\sched.exe
O23 - Service: AntiVir PersonalEdition Classic Guard (AntiVirService) - Avira GmbH - C:\Program Files\Avira\AntiVir PersonalEdition Classic\avguard.exe
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: PrismXL - New Boundary Technologies, Inc. - C:\Program Files\Common Files\New Boundary\PrismXL\PRISMXL.SYS

--
End of file - 7637 bytes
  • 0

#6
miekiemoes

miekiemoes

    Malware Expert

  • Member
  • PipPipPipPipPipPipPipPip
  • 5,503 posts
  • MVP
Hi,

I see you have your Windows Firewall disabled. Please enable it again.

* Open notepad - don't use any other texteditor than notepad or the script will fail.
Copy/paste the text in the quotebox below into notepad:

File::
C:\WINDOWS\system32\fgljgmoe.ini
C:\WINDOWS\wininit.ini
C:\WINDOWS\system32\hvirvced.ini
C:\WINDOWS\system32\maahcgys.ini
C:\WINDOWS\system32\lhriuclh.ini
C:\WINDOWS\system32\ajvtspch.ini
C:\WINDOWS\system32\awwkymbp.ini
C:\WINDOWS\system32\pausekco.ini
C:\WINDOWS\system32\bkattxjg.ini
C:\WINDOWS\system32\adwmnink.ini
C:\WINDOWS\system32\yjgjloto.ini
C:\WINDOWS\system32\gfnxgifp.ini
C:\WINDOWS\system32\vchtcxme.ini
C:\WINDOWS\system32\dykrhrdn.ini
C:\WINDOWS\system32\csuwgaly.ini
C:\WINDOWS\system32\nnnmnkl.dll.vir
Folder::
C:\VundoFix Backups
C:\Program Files\nvcoi
C:\Program Files\CPV
C:\WINDOWS\Um9tYW4gU3Rvcnplcg
C:\WINDOWS\system32\usnv
C:\WINDOWS\system32\idme
C:\WINDOWS\system32\FxTmp
C:\WINDOWS\system32\biz3
C:\WINDOWS\system32\aqVreo01


Save this as txtfile CFScript

Then drag the CFScript into ComboFix.exe as you see in the screenshot below.

Posted Image

This will start ComboFix again. After reboot, (in case it asks to reboot), post the contents of Combofix.txt in your next reply together with a new HijackThislog.
  • 0

#7
Brideshead

Brideshead

    New Member

  • Topic Starter
  • Member
  • Pip
  • 7 posts
Thanks, here are the logs:

ComboFix 08-03-25.4 - Owner 2008-03-26 9:23:53.2 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.566 [GMT -4:00]
Running from: C:\Documents and Settings\Owner\Desktop\ComboFix.exe
Command switches used :: C:\Documents and Settings\Owner\Desktop\CFScript.txt
* Created a new restore point

FILE ::
C:\WINDOWS\system32\adwmnink.ini
C:\WINDOWS\system32\ajvtspch.ini
C:\WINDOWS\system32\awwkymbp.ini
C:\WINDOWS\system32\bkattxjg.ini
C:\WINDOWS\system32\csuwgaly.ini
C:\WINDOWS\system32\dykrhrdn.ini
C:\WINDOWS\system32\fgljgmoe.ini
C:\WINDOWS\system32\gfnxgifp.ini
C:\WINDOWS\system32\hvirvced.ini
C:\WINDOWS\system32\lhriuclh.ini
C:\WINDOWS\system32\maahcgys.ini
C:\WINDOWS\system32\nnnmnkl.dll.vir
C:\WINDOWS\system32\pausekco.ini
C:\WINDOWS\system32\vchtcxme.ini
C:\WINDOWS\system32\yjgjloto.ini
C:\WINDOWS\wininit.ini
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\Program Files\CPV
C:\Program Files\nvcoi
C:\Program Files\nvcoi\mst.stt
C:\VundoFix Backups
C:\WINDOWS\system32\adwmnink.ini
C:\WINDOWS\system32\ajvtspch.ini
C:\WINDOWS\system32\aqVreo01
C:\WINDOWS\system32\aqVreo01\aqVreo011065.exe
C:\WINDOWS\system32\awwkymbp.ini
C:\WINDOWS\system32\biz3
C:\WINDOWS\system32\bkattxjg.ini
C:\WINDOWS\system32\csuwgaly.ini
C:\WINDOWS\system32\dykrhrdn.ini
C:\WINDOWS\system32\fgljgmoe.ini
C:\WINDOWS\system32\FxTmp
C:\WINDOWS\system32\gfnxgifp.ini
C:\WINDOWS\system32\hvirvced.ini
C:\WINDOWS\system32\idme
C:\WINDOWS\system32\idme\TGbn1dll.exe
C:\WINDOWS\system32\lhriuclh.ini
C:\WINDOWS\system32\maahcgys.ini
C:\WINDOWS\system32\nnnmnkl.dll.vir
C:\WINDOWS\system32\pausekco.ini
C:\WINDOWS\system32\usnv
C:\WINDOWS\system32\vchtcxme.ini
C:\WINDOWS\system32\yjgjloto.ini
C:\WINDOWS\Um9tYW4gU3Rvcnplcg
C:\WINDOWS\wininit.ini

.
((((((((((((((((((((((((( Files Created from 2008-02-26 to 2008-03-26 )))))))))))))))))))))))))))))))
.

2008-03-25 20:44 . 2008-03-25 20:44 <DIR> d-------- C:\Program Files\Avira
2008-03-25 20:44 . 2008-03-25 20:44 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Avira
2008-03-24 11:51 . 2008-03-24 11:51 <DIR> d-------- C:\Program Files\Trend Micro
2008-03-24 01:04 . 2008-03-24 01:04 1,544,042 ---hs---- C:\WINDOWS\system32\poprfgrl.ini
2008-03-22 11:37 . 2008-03-22 11:37 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\SUPERAntiSpyware.com
2008-03-22 11:36 . 2008-03-22 12:35 <DIR> d-------- C:\Program Files\SUPERAntiSpyware
2008-03-22 11:36 . 2008-03-22 11:36 <DIR> d-------- C:\Documents and Settings\Owner\Application Data\SUPERAntiSpyware.com
2008-03-22 00:21 . 2008-03-22 00:21 9,662 --a------ C:\WINDOWS\system32\ZoneAlarmIconUS.ico
2008-03-21 22:21 . 2008-03-21 22:22 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Lavasoft
2008-03-21 22:20 . 2008-03-22 11:36 <DIR> d-------- C:\Program Files\Common Files\Wise Installation Wizard

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-03-24 05:02 --------- d-----w C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2008-03-23 22:59 --------- d-----w C:\Program Files\Spybot - Search & Destroy
2008-03-22 15:13 --------- d-----w C:\Program Files\Google
2008-03-22 02:21 --------- d-----w C:\Program Files\Lavasoft
2008-03-22 02:21 --------- d-----w C:\Documents and Settings\Owner\Application Data\Lavasoft
2008-02-27 03:12 --------- d-----w C:\Program Files\The Weather Channel FW
2008-02-23 02:23 --------- d-----w C:\Program Files\iTunes
2008-02-23 02:22 --------- d-----w C:\Program Files\iPod
2008-02-23 02:13 --------- d-----w C:\Program Files\QuickTime
2005-01-21 03:23 45,056 ------r C:\Program Files\SetAttrib.exe
2004-11-30 09:53 40,960 ------r C:\Program Files\delete.exe
2005-06-19 04:47 0 --sha-w C:\WINDOWS\SMINST\HPCD.sys
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 15:00 15360]
"H/PC Connection Agent"="C:\Program Files\Microsoft ActiveSync\wcescomm.exe" [2006-06-26 16:13 1207080]
"DW4"="C:\Program Files\The Weather Channel FW\Desktop Weather\DesktopWeather.exe" [2007-03-16 07:51 715888]
"SUPERAntiSpyware"="C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe" [2008-02-29 16:03 1481968]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Recguard"="C:\WINDOWS\SMINST\RECGUARD.EXE" [2002-09-13 16:42 212992]
"SunKistEM"="C:\Program Files\Digital Media Reader\shwiconem.exe" [2004-11-15 19:04 135168]
"NeroFilterCheck"="C:\WINDOWS\system32\NeroCheck.exe" [2001-07-09 15:50 155648]
"IgfxTray"="C:\WINDOWS\system32\igfxtray.exe" [2004-08-20 19:55 155648]
"HotKeysCmds"="C:\WINDOWS\system32\hkcmd.exe" [2004-08-20 19:51 118784]
"CHotkey"="zHotkey.exe" [2004-05-17 22:30 543232 C:\WINDOWS\zHotkey.exe]
"ShowWnd"="ShowWnd.exe" [2003-09-19 13:09 36864 C:\WINDOWS\ShowWnd.exe]
"RemoteControl"="C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe" [2003-10-31 23:42 32768]
"High Definition Audio Property Page Shortcut"="HDAShCut.exe" [2005-01-07 17:07 61952 C:\WINDOWS\system32\HdAShCut.exe]
"Mixersel"="C:\Program Files\Realtek\InstallShield\mixersel.exe" [ ]
"HP Component Manager"="C:\Program Files\HP\hpcoretech\hpcmpmgr.exe" [2005-01-12 14:54 241664]
"AlcFDMonitor"="C:\WINDOWS\ALCFDRTM.EXE" [ ]
"SoundMan"="SOUNDMAN.EXE" [2005-05-12 14:00 90112 C:\WINDOWS\SoundMan.exe]
"AlcWzrd"="ALCWZRD.EXE" [2005-05-12 14:00 2805248 C:\WINDOWS\ALCWZRD.EXE]
"ISUSPM Startup"="C:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe" [2005-02-16 16:15 221184]
"mmtask"="C:\Program Files\Musicmatch\Musicmatch Jukebox\mmtask.exe" [2005-03-15 09:58 53248]
"TkBellExe"="C:\Program Files\Common Files\Real\Update_OB\realsched.exe" [2007-08-18 13:04 185632]
"HP Software Update"="C:\Program Files\HP\HP Software Update\HPWuSchd2.exe" [2007-05-08 16:24 54840]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [2008-02-01 00:13 385024]
"iTunesHelper"="C:\Program Files\iTunes\iTunesHelper.exe" [2008-02-19 14:10 267048]
"avgnt"="C:\Program Files\Avira\AntiVir PersonalEdition Classic\avgnt.exe" [2008-03-25 20:46 249896]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Adobe Reader Speed Launch.lnk - C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2005-09-23 22:05:26 29696]
BigFix.lnk - C:\Program Files\BigFix\BigFix.exe [2005-03-22 19:10:15 1742384]
HP Digital Imaging Monitor.lnk - C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe [2004-05-28 22:31:38 241664]
HP Image Zone Fast Start.lnk - C:\Program Files\HP\Digital Imaging\bin\hpqthb08.exe [2004-05-28 23:06:36 53248]

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\shellexecutehooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= C:\Program Files\SUPERAntiSpyware\SASSEH.DLL [2006-12-20 12:55 77824]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
C:\Program Files\SUPERAntiSpyware\SASWINLO.dll 2007-04-19 12:41 294912 C:\Program Files\SUPERAntiSpyware\SASWINLO.dll

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"C:\\Program Files\\HP\\Digital Imaging\\bin\\hpqtra08.exe"=
"C:\\Program Files\\HP\\Digital Imaging\\bin\\hpqkygrp.exe"=
"C:\\Program Files\\HP\\HP Software Update\\HPWUCli.exe"=
"C:\\Program Files\\Real\\RealPlayer\\realplay.exe"=
"C:\\StubInstaller.exe"=
"C:\\WINDOWS\\system32\\spoolsv.exe"=
"C:\\Program Files\\HP\\Digital Imaging\\bin\\hpofxm08.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"C:\Program Files\Microsoft ActiveSync\rapimgr.exe"= C:\Program Files\Microsoft ActiveSync\rapimgr.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync RAPI Manager
"C:\Program Files\Microsoft ActiveSync\wcescomm.exe"= C:\Program Files\Microsoft ActiveSync\wcescomm.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync Connection Manager
"C:\Program Files\Microsoft ActiveSync\WCESMgr.exe"= C:\Program Files\Microsoft ActiveSync\WCESMgr.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync Application
"C:\\Program Files\\Internet Explorer\\iexplore.exe"=
"C:\\Program Files\\Messenger\\msmsgs.exe"=
"C:\\Program Files\\icuii\\ICUII5.exe"=
"C:\\Program Files\\iTunes\\iTunes.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"26675:TCP"= 26675:TCP:169.254.2.0/255.255.255.0:Enabled:ActiveSync Service

R3 XIRLINK;Veo PC Camera;C:\WINDOWS\system32\DRIVERS\ucdnt.sys [2002-04-08 10:57]

.
Contents of the 'Scheduled Tasks' folder
"2008-03-22 00:40:04 C:\WINDOWS\Tasks\AppleSoftwareUpdate.job"
- C:\Program Files\Apple Software Update\SoftwareUpdate.exe
.
**************************************************************************

catchme 0.3.1344 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-03-26 09:24:48
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
Completion time: 2008-03-26 9:25:19
ComboFix-quarantined-files.txt 2008-03-26 13:25:03
ComboFix2.txt 2008-03-26 13:07:32
.
2008-03-20 04:32:45 --- E O F ---


***

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 9:26:11 AM, on 3/26/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16608)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Avira\AntiVir PersonalEdition Classic\avguard.exe
C:\Program Files\Avira\AntiVir PersonalEdition Classic\sched.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\WINDOWS\system32\HPZipm12.exe
C:\Program Files\Common Files\New Boundary\PrismXL\PRISMXL.SYS
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Digital Media Reader\shwiconem.exe
C:\WINDOWS\system32\igfxtray.exe
C:\WINDOWS\system32\hkcmd.exe
C:\WINDOWS\zHotkey.exe
C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe
C:\Program Files\HP\hpcoretech\hpcmpmgr.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\WINDOWS\ALCWZRD.EXE
C:\Program Files\Musicmatch\Musicmatch Jukebox\mmtask.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Avira\AntiVir PersonalEdition Classic\avgnt.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Microsoft ActiveSync\wcescomm.exe
C:\Program Files\The Weather Channel FW\Desktop Weather\DesktopWeather.exe
C:\Program Files\BigFix\BigFix.exe
C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
C:\PROGRA~1\MI3AA1~1\rapimgr.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\HP\Digital Imaging\bin\hpqgalry.exe
C:\WINDOWS\explorer.exe
C:\WINDOWS\system32\notepad.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.nutrisyst.../ny05/index.cfm
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft....k/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft....k/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft....k/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft....k/?LinkId=69157
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O4 - HKLM\..\Run: [Recguard] C:\WINDOWS\SMINST\RECGUARD.EXE
O4 - HKLM\..\Run: [SunKistEM] C:\Program Files\Digital Media Reader\shwiconem.exe
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [CHotkey] zHotkey.exe
O4 - HKLM\..\Run: [ShowWnd] ShowWnd.exe
O4 - HKLM\..\Run: [RemoteControl] "C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe"
O4 - HKLM\..\Run: [High Definition Audio Property Page Shortcut] HDAShCut.exe
O4 - HKLM\..\Run: [Mixersel] C:\Program Files\Realtek\InstallShield\mixersel.exe
O4 - HKLM\..\Run: [HP Component Manager] "C:\Program Files\HP\hpcoretech\hpcmpmgr.exe"
O4 - HKLM\..\Run: [AlcFDMonitor] C:\WINDOWS\ALCFDRTM.EXE
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [AlcWzrd] ALCWZRD.EXE
O4 - HKLM\..\Run: [ISUSPM Startup] C:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe -startup
O4 - HKLM\..\Run: [mmtask] "C:\Program Files\Musicmatch\Musicmatch Jukebox\mmtask.exe"
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [avgnt] "C:\Program Files\Avira\AntiVir PersonalEdition Classic\avgnt.exe" /min
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [H/PC Connection Agent] "C:\Program Files\Microsoft ActiveSync\wcescomm.exe"
O4 - HKCU\..\Run: [DW4] "C:\Program Files\The Weather Channel FW\Desktop Weather\DesktopWeather.exe"
O4 - HKCU\..\Run: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: BigFix.lnk = C:\Program Files\BigFix\BigFix.exe
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
O4 - Global Startup: HP Image Zone Fast Start.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqthb08.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: Create Mobile Favorite - {2EAF5BB1-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MI3AA1~1\INetRepl.dll
O9 - Extra button: (no name) - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MI3AA1~1\INetRepl.dll
O9 - Extra 'Tools' menuitem: Create Mobile Favorite... - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MI3AA1~1\INetRepl.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {74C861A1-D548-4916-BC8A-FDE92EDFF62C} - http://mediaplayer.w...ler/install.cab
O16 - DPF: {9522B3FB-7A2B-4646-8AF6-36E7F593073C} - http://a19.g.akamai....302/Coupons.cab
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: AntiVir PersonalEdition Classic Scheduler (AntiVirScheduler) - Avira GmbH - C:\Program Files\Avira\AntiVir PersonalEdition Classic\sched.exe
O23 - Service: AntiVir PersonalEdition Classic Guard (AntiVirService) - Avira GmbH - C:\Program Files\Avira\AntiVir PersonalEdition Classic\avguard.exe
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: PrismXL - New Boundary Technologies, Inc. - C:\Program Files\Common Files\New Boundary\PrismXL\PRISMXL.SYS

--
End of file - 7522 bytes
  • 0

#8
miekiemoes

miekiemoes

    Malware Expert

  • Member
  • PipPipPipPipPipPipPipPip
  • 5,503 posts
  • MVP
Hi,

This looks OK again.

* Go to start > run and copy and paste next command in the field:

ComboFix /u

Make sure there's a space between Combofix and /
Then hit enter.

This will uninstall Combofix, delete its related folders and files, reset your clock settings, hide file extensions, hide the system/hidden files and resets System Restore again.

Let me know in your next reply how things are now.
  • 0

#9
Brideshead

Brideshead

    New Member

  • Topic Starter
  • Member
  • Pip
  • 7 posts
Thanks so much for your help! Things appear to be running well. I'm not getting the pop-up windows when I run the browser anymore. And when it boots up, it doesn't seem to give me the DLL errors. I ran a quick scan using SuperAntiSpyware (will run full scans tonight, but I have to leave for work now) and the only thing it found was tracking cookies.

THANK YOU!
  • 0

#10
Brideshead

Brideshead

    New Member

  • Topic Starter
  • Member
  • Pip
  • 7 posts
Thanks so much for your help! Things appear to be running well. I'm not getting the pop-up windows when I run the browser anymore. And when it boots up, it doesn't seem to give me the DLL errors. I ran a quick scan using SuperAntiSpyware (will run full scans tonight, but I have to leave for work now) and the only thing it found was tracking cookies.

THANK YOU!

Edited by Brideshead, 26 March 2008 - 07:58 AM.

  • 0

#11
miekiemoes

miekiemoes

    Malware Expert

  • Member
  • PipPipPipPipPipPipPipPip
  • 5,503 posts
  • MVP
Glad I could help. :)

Please read my Prevention page with lots of info and tips how to prevent this in the future.
And if you want to improve speed/system performance after malware removal, take a look here.
Extra note: Make sure your programs are up to date - because older versions may contain Security Leaks. To find out what programs need to be updated, please run the Secunia Software Inspector Scan.

Happy Surfing again!
  • 0

#12
Brideshead

Brideshead

    New Member

  • Topic Starter
  • Member
  • Pip
  • 7 posts
Thanks again, that's all very helpful. I ran some scans and everything seems to be clean. Oddly, the anti-virus program found a trojan when I wasn't doing anything but scanning. Other than that, I appear to be safe again! Thanks again.
  • 0

#13
miekiemoes

miekiemoes

    Malware Expert

  • Member
  • PipPipPipPipPipPipPipPip
  • 5,503 posts
  • MVP
You're most welcome :)
  • 0

#14
miekiemoes

miekiemoes

    Malware Expert

  • Member
  • PipPipPipPipPipPipPipPip
  • 5,503 posts
  • MVP
Since this issue appears to be resolved ... this Topic has been closed. Glad we could help. :)

If you're the topic starter, and need this topic reopened, please contact a staff member with the address of the thread.

Everyone else please begin a New Topic.
  • 0






Similar Topics

0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users

As Featured On:

Microsoft Yahoo BBC MSN PC Magazine Washington Post HP