Javascript Disabled Detected

You currently have javascript disabled. Several functions may not work. Please re-enable javascript to access full functionality.

Trojan.Vundo.H, Trojan.BHO can't be removed [Solved]

Started by shuh08 , Dec 02 2008 09:02 PM

This topic is locked

#1
shuh08

Posted 02 December 2008 - 09:02 PM

New Member

Member
8 posts

This forum is amazing thank you so much for taking your time to do this.

I get dll errors popping up everytime I restart my computer. As soon as I open IE explorer the Antivirus 2009 page keeps coming back. I have used Malwarebytes but unsuccessful. I've followed your prepatory steps before posting and have attached a hijackthis log and malwarebytes log.

Thank you for your help, greatly appreciated.

Attached Files

mbam_log_2008_12_02__21_50_43_.txt 2.48KB 434 downloads
hijackthis.txt 9.94KB 504 downloads

Edited by shuh08, 02 December 2008 - 09:10 PM.

#2
emeraldnzl

Posted 05 December 2008 - 01:21 PM

GeekU Instructor

GeekU Moderator
20,051 posts

I am posting these in the thread. Easier to read.

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 9:56:57 PM, on 12/2/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16414)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\WINDOWS\system32\HPZipm12.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Pure Networks\Network Magic\nmsrvc.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\ATI Technologies\ATI.ACE\cli.exe
C:\Program Files\Java\jre1.5.0_11\bin\jusched.exe
C:\WINDOWS\system32\CTHELPER.EXE
C:\Program Files\iTunes\iTunesHelper.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\devldr32.exe
C:\Program Files\Pure Networks\Network Magic\nmapp.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\Samsung\PanelMgr\SSMMgr.exe
C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe
C:\Program Files\Microsoft ActiveSync\wcescomm.exe
C:\Program Files\Veoh Networks\Veoh\VeohClient.exe
C:\PROGRA~1\MICROS~4\rapimgr.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\ATI Technologies\ATI.ACE\cli.exe
C:\Program Files\ATI Technologies\ATI.ACE\cli.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.ca/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft....k/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft....k/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft....k/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft....k/?LinkId=69157
R3 - URLSearchHook: &Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - (no file)
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: ShopGuide Class - {3CB0CF42-DA54-47d2-8999-23928A2DEA42} - c:\program files\ShopGuide\shpguide9e_C.dll
O2 - BHO: (no name) - {54889ac2-0503-4649-86df-d76cb429e256} - C:\WINDOWS\system32\wejiwulo.dll (file missing)
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_11\bin\ssv.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O2 - BHO: WebGuide Class - {F90BB714-01B6-438B-8993-F6E46ACBFA24} - C:\Program Files\WebGuide\webguide7b_C.dll
O3 - Toolbar: Veoh Browser Plug-in - {D0943516-5076-4020-A3B5-AEFAF26AB263} - C:\Program Files\Veoh Networks\Veoh\Plugins\reg\VeohToolbar.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O4 - HKLM\..\Run: [ATICCC] "C:\Program Files\ATI Technologies\ATI.ACE\cli.exe" runtime -Delay
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.5.0_11\bin\jusched.exe"
O4 - HKLM\..\Run: [WINDVDPatch] CTHELPER.EXE
O4 - HKLM\..\Run: [UpdReg] C:\WINDOWS\UpdReg.EXE
O4 - HKLM\..\Run: [Jet Detection] "C:\Program Files\Creative\SBLive\PROGRAM\ADGJDet.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [DAEMON Tools] "C:\Program Files\DAEMON Tools\daemon.exe" -lang 1033
O4 - HKLM\..\Run: [NeroFilterCheck] C:\Program Files\Common Files\Ahead\Lib\NeroCheck.exe
O4 - HKLM\..\Run: [nmapp] "C:\Program Files\Pure Networks\Network Magic\nmapp.exe" -autorun -nosplash
O4 - HKLM\..\Run: [IMJPMIG8.1] "C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32
O4 - HKLM\..\Run: [MSPY2002] C:\WINDOWS\system32\IME\PINTLGNT\ImScInst.exe /SYNC
O4 - HKLM\..\Run: [PHIME2002ASync] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /SYNC
O4 - HKLM\..\Run: [PHIME2002A] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /IMEName
O4 - HKLM\..\Run: [Samsung PanelMgr] C:\WINDOWS\Samsung\PanelMgr\SSMMgr.exe /autorun
O4 - HKLM\..\Run: [ferefuroma] Rundll32.exe "C:\WINDOWS\system32\rodudaya.dll",s
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] "C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe"
O4 - HKCU\..\Run: [H/PC Connection Agent] "C:\Program Files\Microsoft ActiveSync\wcescomm.exe"
O4 - HKCU\..\Run: [Veoh] "C:\Program Files\Veoh Networks\Veoh\VeohClient.exe" /VeohHide
O4 - HKCU\..\Run: [RegistryMechanic] C:\Program Files\Registry Mechanic\RegMech.exe /H
O4 - Startup: Adobe Gamma.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_11\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_11\bin\ssv.dll
O9 - Extra button: Create Mobile Favorite - {2EAF5BB1-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MICROS~4\INetRepl.dll
O9 - Extra button: (no name) - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MICROS~4\INetRepl.dll
O9 - Extra 'Tools' menuitem: Create Mobile Favorite... - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MICROS~4\INetRepl.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: ¼¥°¡ÀÌµå - {EC9679F6-42B7-4593-9E1C-AF421066C123} - http://www.shop-guide.co.kr (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O10 - Unknown file in Winsock LSP: c:\windows\system32\nwprovau.dll
O16 - DPF: {04E7BADF-F3B9-420D-B82D-8D8CADEFE4F9} (CyImage2Ctl Class) - http://cyimg7.cyworl...mageUpload2.cab
O16 - DPF: {05D96F71-87C6-11D3-9BE4-00902742D6E0} (QuickPlace Class) - http://quartz.atkins...orku.ca/qp2.cab
O16 - DPF: {1239CC52-59EF-4DFA-8C61-90FFA846DF7E} (Musicnotes Viewer) - http://www.musicnote...ad/mnviewer.cab
O16 - DPF: {4871A87A-BFDD-4106-8153-FFDE2BAC2967} (DLM Control) - http://dlm.tools.aka...vex-2.2.4.1.cab
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://by125fd.bay12...es/MsnPUpld.cab
O16 - DPF: {5F8469B4-B055-49DD-83F7-62B522420ECC} (Facebook Photo Uploader Control) - http://upload.facebo...otoUploader.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.mi...b?1228272956890
O16 - DPF: {92D0D610-A6FA-48D8-94CB-BD47FDF68655} (Launcher Class) - http://app.tubemusic...aver/naverx.cab
O16 - DPF: {A671DC03-71D0-4CF0-895C-7D4A248FC1F1} (skcbgmset Class) - http://cyimg7.cyworl...e/skcbgmset.cab
O16 - DPF: {A8F2B9BD-A6A0-486A-9744-18920D898429} (ScorchPlugin Class) - http://www.sibelius....tiveXPlugin.cab
O16 - DPF: {CEAF43B1-E8C1-426D-A63C-92C71212E6E5} (PlayerCue Control) - http://touch.imbc.co...lineService.cab
O16 - DPF: {F4A1D5E2-AF49-47A7-A945-23038106F3A4} (Pandora_SetUp Control) - http://imgcdn.pandor...ora_SetUpAX.cab
O20 - AppInit_DLLs: C:\WINDOWS\system32\dararudi.dll
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Pure Networks Net2Go Service (nmraapache) - Pure Networks, Inc. - C:\Program Files\Pure Networks\Network Magic\WebServer\bin\nmraapache.exe
O23 - Service: Pure Networks Network Magic Service (nmservice) - Pure Networks, Inc. - C:\Program Files\Pure Networks\Network Magic\nmsrvc.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: Ulead Burning Helper (UleadBurningHelper) - Unknown owner - C:\Program Files\Common Files\Ulead Systems\DVD\ULCDRSvr.exe (file missing)
O24 - Desktop Component 0: (no name) - (no file)
O24 - Desktop Component 1: (no name) - (no file)
O24 - Desktop Component 10: (no name) - (no file)
O24 - Desktop Component 11: (no name) - (no file)
O24 - Desktop Component 12: (no name) - C:\Documents and Settings\Charles\Desktop\more photos\DSC03299_-_Copy.JPG
O24 - Desktop Component 2: (no name) - (no file)
O24 - Desktop Component 3: (no name) - (no file)
O24 - Desktop Component 4: (no name) - (no file)
O24 - Desktop Component 5: (no name) - (no file)
O24 - Desktop Component 6: (no name) - (no file)
O24 - Desktop Component 7: (no name) - (no file)
O24 - Desktop Component 8: (no name) - (no file)
O24 - Desktop Component 9: (no name) - (no file)

--
End of file - 10172 bytes

#3
emeraldnzl

Posted 05 December 2008 - 01:22 PM

GeekU Instructor

GeekU Moderator
20,051 posts

Malwarebytes' Anti-Malware 1.30
Database version: 1423
Windows 5.1.2600 Service Pack 2

12/2/2008 9:50:43 PM
mbam-log-2008-12-02 (21-50-43).txt

Scan type: Quick Scan
Objects scanned: 53054
Time elapsed: 6 minute(s), 32 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 1
Registry Keys Infected: 5
Registry Values Infected: 4
Registry Data Items Infected: 2
Folders Infected: 0
Files Infected: 3

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
c:\WINDOWS\system32\bulawasi.dll (Trojan.Agent) -> Delete on reboot.

Registry Keys Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{54889ac2-0503-4649-86df-d76cb429e256} (Trojan.BHO.H) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{54889ac2-0503-4649-86df-d76cb429e256} (Trojan.BHO.H) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{ec43e3fd-5c60-46a6-97d7-e0b85dbdd6c4} (Trojan.BHO) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\contim (Trojan.Vundo) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\rdfa (Trojan.Vundo) -> Quarantined and deleted successfully.

Registry Values Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SharedTaskScheduler\{ec43e3fd-5c60-46a6-97d7-e0b85dbdd6c4} (Trojan.BHO) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\ssodl (Trojan.BHO) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\cpm23c5db3a (Trojan.Agent) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ferefuroma (Trojan.Agent) -> Quarantined and deleted successfully.

Registry Data Items Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\AppInit_DLLs (Trojan.BHO) -> Data: c:\windows\system32\bulawasi.dll -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\AppInit_DLLs (Trojan.BHO) -> Data: system32\bulawasi.dll -> Quarantined and deleted successfully.

Folders Infected:
(No malicious items detected)

Files Infected:
C:\WINDOWS\system32\wejiwulo.dll (Trojan.BHO.H) -> Delete on reboot.
c:\WINDOWS\system32\bulawasi.dll (Trojan.BHO) -> Delete on reboot.
C:\WINDOWS\system32\rodudaya.dll (Trojan.Agent) -> Delete on reboot.

#4
emeraldnzl

Posted 05 December 2008 - 01:29 PM

GeekU Instructor

GeekU Moderator
20,051 posts

Hello shuh08,

Welcome to Geekstogo.

Sorry about the delay.

One thing; unless otherwise instructed please post in the forum rather than use an attachment. Makes it easier for us to analyse.

Now turning to your problem.

Please download ATF Cleaner by Atribune.
Double-click ATF-Cleaner.exe to run the program.
Under Main choose: Select All
Click the Empty Selected button.
If you use Firefox browserClick Firefox at the top and choose: Select All
Click the Empty Selected button.
NOTE: If you would like to keep your saved passwords, please click No at the prompt.
If you use Opera browserClick Opera at the top and choose: Select All
Click the Empty Selected button.
NOTE: If you would like to keep your saved passwords, please click No at the prompt.
Click Exit on the Main menu to close the program.
For Technical Support, double-click the e-mail address located at the bottom of each menu.

Next

Please download ComboFix from one of these locations:

Link 1
Link 2
Link 3

* IMPORTANT !!! Save ComboFix.exe to your Desktop

Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools
Double click on ComboFix.exe & follow the prompts.
As part of it's process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.
Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.

**Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue it's malware removal procedures.

Posted Image

Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:

Posted Image

Click on Yes, to continue scanning for malware.

When finished, it will produce a log for you. Please include the C:\ComboFix.txt together with a new HijackThis log in your next reply.

#5
shuh08

Posted 05 December 2008 - 04:55 PM

New Member

Topic Starter
Member
8 posts

Thank you for your response in the matter

here are the logs.

ComboFix 08-12-05.02 - Charles 2008-12-05 17:39:24.1 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.600 [GMT -5:00]
Running from: c:\documents and settings\Charles\Desktop\ComboFix.exe
* Created a new restore point
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\documents and settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr0.dat
c:\documents and settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr1.dat
c:\windows\Downloaded Program Files\setup.inf
c:\windows\system32\bahabona.dll
c:\windows\system32\bahezido.dll
c:\windows\system32\bekozije.dll
c:\windows\system32\boriraka.dll
c:\windows\system32\butazaji.dll
c:\windows\system32\ezalujaj.ini
c:\windows\system32\jajulaze.dll
c:\windows\system32\jilosuka.dll
c:\windows\system32\jowudosu.dll
c:\windows\system32\kodesalo.dll
c:\windows\system32\liwuwuto.dll
c:\windows\system32\rahupeke.dll
c:\windows\system32\roboketu.dll
c:\windows\system32\rosukezo.dll
c:\windows\system32\sujuwido.dll
c:\windows\system32\suteniro.dll
c:\windows\system32\tumaveko.dll
c:\windows\system32\veregofu.dll

----- BITS: Possible infected sites -----

hxxp://download.linksys.com
.
((((((((((((((((((((((((( Files Created from 2008-11-05 to 2008-12-05 )))))))))))))))))))))))))))))))
.

2008-12-05 13:50 . 2008-12-05 13:50 <DIR> d-------- c:\program files\ERUNT
2008-12-03 15:08 . 2008-12-03 15:08 <DIR> d-------- C:\FormOver
2008-12-02 21:56 . 2008-10-16 14:09 31,768 --a------ c:\windows\system32\wucltui.dll.mui
2008-12-02 21:56 . 2008-10-16 14:07 23,576 --a------ c:\windows\system32\wuaucpl.cpl.mui
2008-12-02 21:56 . 2008-10-16 14:07 23,576 --a------ c:\windows\system32\wuapi.dll.mui
2008-12-02 21:56 . 2008-10-16 14:07 18,456 --a------ c:\windows\system32\wuaueng.dll.mui
2008-12-02 21:42 . 2008-12-02 21:42 <DIR> d-------- c:\program files\Trend Micro
2008-12-01 02:50 . 2008-12-01 02:50 <DIR> d-------- C:\VundoFix Backups
2008-11-25 18:36 . 2008-11-25 18:36 <DIR> d-------- c:\documents and settings\Charles\Application Data\Malwarebytes
2008-11-25 18:35 . 2008-11-25 18:36 <DIR> d-------- c:\program files\Malwarebytes' Anti-Malware
2008-11-25 18:35 . 2008-11-25 18:35 <DIR> d-------- c:\documents and settings\All Users\Application Data\Malwarebytes
2008-11-25 18:35 . 2008-10-22 16:27 38,496 --a------ c:\windows\system32\drivers\mbamswissarmy.sys
2008-11-25 18:35 . 2008-10-22 16:27 15,504 --a------ c:\windows\system32\drivers\mbam.sys
2008-11-25 18:05 . 2008-12-05 17:44 <DIR> d-a------ c:\documents and settings\All Users\Application Data\TEMP
2008-11-17 18:27 . 2008-11-17 18:27 <DIR> d-------- c:\program files\BitPim
2008-11-13 01:13 . 2008-11-13 01:13 <DIR> d-------- c:\program files\Audacity
2008-11-13 00:48 . 2008-11-13 01:10 <DIR> d-------- c:\documents and settings\Charles\Application Data\Download Manager
2008-11-09 16:00 . 2008-11-09 16:00 <DIR> d-------- c:\program files\MSECache

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-11-26 21:11 --------- d--h--w c:\program files\InstallShield Installation Information
2008-11-26 21:09 --------- d-----w c:\program files\DivX
2008-11-26 21:07 --------- d-----w c:\program files\Common Files\Real
2008-11-25 23:58 --------- d-----w c:\documents and settings\Charles\Application Data\Lavasoft
2008-11-09 21:01 58,896 ----a-w c:\documents and settings\Charles\Application Data\GDIPFONTCACHEV1.DAT
2008-10-27 19:33 --------- d-----w c:\program files\QuickInvoice
2008-10-27 19:32 --------- d-----w c:\program files\PeerGuardian2
2008-10-27 19:32 --------- d-----w c:\program files\BitTorrent
2008-10-16 19:13 1,809,944 ----a-w c:\windows\system32\wuaueng.dll
2008-10-16 19:12 561,688 ----a-w c:\windows\system32\wuapi.dll
2008-10-16 19:12 323,608 ----a-w c:\windows\system32\wucltui.dll
2008-10-16 19:09 92,696 ----a-w c:\windows\system32\cdm.dll
2008-10-16 19:09 51,224 ----a-w c:\windows\system32\wuauclt.exe
2008-10-16 19:09 43,544 ----a-w c:\windows\system32\wups2.dll
2008-10-16 19:08 34,328 ----a-w c:\windows\system32\wups.dll
2008-10-14 04:27 --------- d-----w c:\program files\quincy
2008-10-08 02:32 --------- d-----w c:\program files\Common Files\TI Shared
2008-10-08 02:31 --------- d-----w c:\program files\Common Files\Vernier Software
2008-10-08 02:29 --------- d-----w c:\program files\Vernier Software
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2004-08-03 15360]
"BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}"="c:\program files\Common Files\Ahead\Lib\NMBgMonitor.exe" [2006-04-21 94208]
"H/PC Connection Agent"="c:\program files\Microsoft ActiveSync\wcescomm.exe" [2006-11-13 1289000]
"Veoh"="c:\program files\Veoh Networks\Veoh\VeohClient.exe" [2007-12-21 3481600]
"RegistryMechanic"="c:\program files\Registry Mechanic\RegMech.exe" [2008-07-08 2828184]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ATICCC"="c:\program files\ATI Technologies\ATI.ACE\cli.exe" [2005-08-12 45056]
"SunJavaUpdateSched"="c:\program files\Java\jre1.5.0_11\bin\jusched.exe" [2006-12-15 75520]
"UpdReg"="c:\windows\UpdReg.EXE" [2000-05-11 90112]
"Jet Detection"="c:\program files\Creative\SBLive\PROGRAM\ADGJDet.exe" [2001-11-29 28672]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2007-02-16 282624]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2007-03-14 257088]
"NeroFilterCheck"="c:\program files\Common Files\Ahead\Lib\NeroCheck.exe" [2006-01-12 155648]
"nmapp"="c:\program files\Pure Networks\Network Magic\nmapp.exe" [2007-03-14 321088]
"IMJPMIG8.1"="c:\windows\IME\imjp8_1\IMJPMIG.EXE" [2004-08-04 208952]
"MSPY2002"="c:\windows\system32\IME\PINTLGNT\ImScInst.exe" [2004-08-04 59392]
"PHIME2002ASync"="c:\windows\system32\IME\TINTLGNT\TINTSETP.EXE" [2004-08-04 455168]
"PHIME2002A"="c:\windows\system32\IME\TINTLGNT\TINTSETP.EXE" [2004-08-04 455168]
"Samsung PanelMgr"="c:\windows\Samsung\PanelMgr\SSMMgr.exe" [2008-02-04 536576]
"WINDVDPatch"="CTHELPER.EXE" [2002-07-02 c:\windows\system32\CTHELPER.EXE]

c:\documents and settings\Charles\Start Menu\Programs\Startup\
Adobe Gamma.lnk - c:\program files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe [2006-01-07 113664]
ERUNT AutoBackup.lnk - c:\program files\ERUNT\AUTOBACK.EXE [2005-10-20 38912]

[HKEY_CURRENT_USER\software\microsoft\internet explorer\desktop\components\12]
Source= c:\documents and settings\Charles\Desktop\more photos\DSC03299_-_Copy.JPG
FriendlyName=

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"msacm.l3acm"= l3codecp.acm
"aux"= ctwdm32.dll
"vidc.ffds"= ffdshow.ax
"aux4"= ctwdm32.dll

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusDisableNotify"=dword:00000001
"UpdatesDisableNotify"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Sony\\Station\\Launchpad\\LaunchPad.exe"=
"c:\\Program Files\\Messenger\\msmsgs.exe"=
"c:\\Program Files\\LimeWire\\LimeWire.exe"=
"c:\\Program Files\\World of Warcraft\\WoW-2.0.3-enUS-downloader.exe"=
"c:\\WINDOWS\\system32\\pdrtvsvr.exe"=
"c:\\WINDOWS\\system32\\skcbgm.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\\Program Files\\InterVideo\\DVD7\\WinDVD.exe"=
"c:\\Program Files\\MSN Messenger\\msnmsgr.exe"=
"c:\\Program Files\\MSN Messenger\\livecall.exe"=
"c:\program files\Microsoft ActiveSync\rapimgr.exe"= c:\program files\Microsoft ActiveSync\rapimgr.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync RAPI Manager
"c:\program files\Microsoft ActiveSync\wcescomm.exe"= c:\program files\Microsoft ActiveSync\wcescomm.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync Connection Manager
"c:\program files\Microsoft ActiveSync\WCESMgr.exe"= c:\program files\Microsoft ActiveSync\WCESMgr.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync Application
"c:\\Program Files\\ATI Technologies\\ATI.ACE\\CLI.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"52000:TCP"= 52000:TCP:Monkey3
"52000:UDP"= 52000:UDP:Monkey3
"26675:TCP"= 26675:TCP:169.254.2.0/255.255.255.0:Enabled:ActiveSync Service
"67:UDP"= 67:UDP:DHCP Discovery Service

R3 AON325;AOpen AON-325 10/100M Fast Ethernet PCI Adapter Driver;c:\windows\system32\DRIVERS\AON325.SYS [2003-01-22 46976]
S2 shpsv;Shop-Guide Updater Service;c:\windows\system32\svchost.exe -k rewardnet [2004-08-03 14336]
S2 SSPORT;SSPORT;\??\c:\windows\system32\Drivers\SSPORT.sys []
S3 f_kp;f_kp;\??\c:\windows\system32\drivers\f_kp.sys [2007-10-25 4598]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
WebGuide REG_MULTI_SZ websv
.
Contents of the 'Scheduled Tasks' folder

2008-12-02 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2007-01-10 14:42]
.
- - - - ORPHANS REMOVED - - - -

BHO-{54889ac2-0503-4649-86df-d76cb429e256} - c:\windows\system32\veregofu.dll

.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.ca/
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office10\EXCEL.EXE/3000
IE: {EC9679F6-42B7-4593-9E1C-AF421066C123} - http://www.shop-guide.co.kr
IE: {EC9679F6-42B7-4593-9E1C-AF421066C123} - http://www.shop-guide.co.kr -

c:\windows\system32\unicows.dll - c:\windows\Downloaded Program Files\CyImage2.dll
O16 -: {04E7BADF-F3B9-420D-B82D-8D8CADEFE4F9}
hxxp://cyimg7.cyworld.nate.com/ImageUpload/CyImageUpload2.cab
c:\windows\Downloaded Program Files\CyImage2.inf

c:\windows\Downloaded Program Files\Manager.exe - c:\windows\Downloaded Program Files\DownloadManagerV2.ocx
O16 -: {4871A87A-BFDD-4106-8153-FFDE2BAC2967}
hxxp://dlm.tools.akamai.com/dlmanager/versions/activex/dlm-activex-2.2.4.1.cab
c:\windows\Downloaded Program Files\DownloadManagerV2.inf

c:\windows\Downloaded Program Files\ipopx.dll - O16 -: {92D0D610-A6FA-48D8-94CB-BD47FDF68655}
hxxp://app.tubemusic.com/naver/naverx.cab
c:\windows\Downloaded Program Files\naverx.inf

c:\windows\system32\atl.dll - c:\windows\system32\skcbgmset.dll
O16 -: {A671DC03-71D0-4CF0-895C-7D4A248FC1F1}
hxxp://cyimg7.cyworld.nate.com/cymusic/package/skcbgmset.cab
c:\windows\Downloaded Program Files\skcbgmset.inf

c:\windows\Downloaded Program Files\touchbrowser.ocx - c:\windows\system32\TouchWeb.dll
c:\windows\Downloaded Program Files\Touch.ocx
c:\windows\Downloaded Program Files\PlayerCue.ocx
c:\windows\Downloaded Program Files\iMBCTree.ocx
c:\windows\Downloaded Program Files\iMBCSWF.ocx
c:\windows\Downloaded Program Files\iMBCPopup.ocx
c:\windows\Downloaded Program Files\iMBCImageView.ocx
c:\windows\Downloaded Program Files\iMBCGraph.ocx
c:\windows\Downloaded Program Files\iMBCDownload.ocx
c:\windows\Downloaded Program Files\iMBCControl.ocx
c:\windows\Downloaded Program Files\iMBCContents.ocx
O16 -: {CEAF43B1-E8C1-426D-A63C-92C71212E6E5}
hxxp://touch.imbc.com/ActiveX/iMBCOnlineService.cab
c:\windows\Downloaded Program Files\touchbrowser.inf

c:\windows\system32\Pandora_SetUpAX.ocx - O16 -: {F4A1D5E2-AF49-47A7-A945-23038106F3A4}
hxxp://imgcdn.pandora.tv/pan_img/launcher/codebase/Pandora_SetUpAX.cab
c:\windows\Downloaded Program Files\Pandora_SetUpAX.inf
FireFox -: Profile - c:\documents and settings\Charles\Application Data\Mozilla\Firefox\Profiles\08edqprk.default\
.

**************************************************************************

catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-12-05 17:42:44
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(584)
c:\windows\system32\Ati2evxx.dll
.
------------------------ Other Running Processes ------------------------
.
c:\windows\system32\ati2evxx.exe
c:\program files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
c:\windows\system32\HPZipm12.exe
c:\windows\system32\wdfmgr.exe
c:\windows\system32\ati2evxx.exe
c:\program files\Pure Networks\Network Magic\nmsrvc.exe
c:\windows\system32\devldr32.exe
c:\program files\iPod\bin\iPodService.exe
c:\progra~1\MICROS~4\rapimgr.exe
c:\windows\system32\wscntfy.exe
.
**************************************************************************
.
Completion time: 2008-12-05 17:48:36 - machine was rebooted [Charles]
ComboFix-quarantined-files.txt 2008-12-05 22:48:16

Pre-Run: 4,691,304,448 bytes free
Post-Run: 7,374,929,920 bytes free

WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Professional" /noexecute=optin /fastdetect

233

#6
shuh08

Posted 05 December 2008 - 04:59 PM

New Member

Topic Starter
Member
8 posts

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 5:54:04 PM, on 12/5/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16414)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\WINDOWS\system32\HPZipm12.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\Program Files\Pure Networks\Network Magic\nmsrvc.exe
C:\Program Files\ATI Technologies\ATI.ACE\cli.exe
C:\Program Files\Java\jre1.5.0_11\bin\jusched.exe
C:\WINDOWS\system32\CTHELPER.EXE
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Pure Networks\Network Magic\nmapp.exe
C:\WINDOWS\Samsung\PanelMgr\SSMMgr.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe
C:\Program Files\Microsoft ActiveSync\wcescomm.exe
C:\WINDOWS\system32\devldr32.exe
C:\Program Files\Veoh Networks\Veoh\VeohClient.exe
C:\Program Files\Registry Mechanic\RegMech.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\PROGRA~1\MICROS~4\rapimgr.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\ATI Technologies\ATI.ACE\cli.exe
C:\Program Files\ATI Technologies\ATI.ACE\cli.exe
C:\WINDOWS\explorer.exe
C:\WINDOWS\system32\notepad.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.ca/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft....k/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft....k/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft....k/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft....k/?LinkId=69157
R3 - URLSearchHook: &Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - (no file)
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_11\bin\ssv.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O3 - Toolbar: Veoh Browser Plug-in - {D0943516-5076-4020-A3B5-AEFAF26AB263} - C:\Program Files\Veoh Networks\Veoh\Plugins\reg\VeohToolbar.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O4 - HKLM\..\Run: [ATICCC] "C:\Program Files\ATI Technologies\ATI.ACE\cli.exe" runtime -Delay
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.5.0_11\bin\jusched.exe"
O4 - HKLM\..\Run: [WINDVDPatch] CTHELPER.EXE
O4 - HKLM\..\Run: [UpdReg] C:\WINDOWS\UpdReg.EXE
O4 - HKLM\..\Run: [Jet Detection] "C:\Program Files\Creative\SBLive\PROGRAM\ADGJDet.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [NeroFilterCheck] C:\Program Files\Common Files\Ahead\Lib\NeroCheck.exe
O4 - HKLM\..\Run: [nmapp] "C:\Program Files\Pure Networks\Network Magic\nmapp.exe" -autorun -nosplash
O4 - HKLM\..\Run: [IMJPMIG8.1] "C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32
O4 - HKLM\..\Run: [MSPY2002] C:\WINDOWS\system32\IME\PINTLGNT\ImScInst.exe /SYNC
O4 - HKLM\..\Run: [PHIME2002ASync] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /SYNC
O4 - HKLM\..\Run: [PHIME2002A] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /IMEName
O4 - HKLM\..\Run: [Samsung PanelMgr] C:\WINDOWS\Samsung\PanelMgr\SSMMgr.exe /autorun
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] "C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe"
O4 - HKCU\..\Run: [H/PC Connection Agent] "C:\Program Files\Microsoft ActiveSync\wcescomm.exe"
O4 - HKCU\..\Run: [Veoh] "C:\Program Files\Veoh Networks\Veoh\VeohClient.exe" /VeohHide
O4 - HKCU\..\Run: [RegistryMechanic] C:\Program Files\Registry Mechanic\RegMech.exe /H
O4 - Startup: Adobe Gamma.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Startup: ERUNT AutoBackup.lnk = C:\Program Files\ERUNT\AUTOBACK.EXE
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_11\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_11\bin\ssv.dll
O9 - Extra button: Create Mobile Favorite - {2EAF5BB1-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MICROS~4\INetRepl.dll
O9 - Extra button: (no name) - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MICROS~4\INetRepl.dll
O9 - Extra 'Tools' menuitem: Create Mobile Favorite... - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MICROS~4\INetRepl.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: ¼¥°¡ÀÌµå - {EC9679F6-42B7-4593-9E1C-AF421066C123} - http://www.shop-guide.co.kr (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O10 - Unknown file in Winsock LSP: c:\windows\system32\nwprovau.dll
O16 - DPF: {04E7BADF-F3B9-420D-B82D-8D8CADEFE4F9} (CyImage2Ctl Class) - http://cyimg7.cyworl...mageUpload2.cab
O16 - DPF: {05D96F71-87C6-11D3-9BE4-00902742D6E0} (QuickPlace Class) - http://quartz.atkins...orku.ca/qp2.cab
O16 - DPF: {1239CC52-59EF-4DFA-8C61-90FFA846DF7E} (Musicnotes Viewer) - http://www.musicnote...ad/mnviewer.cab
O16 - DPF: {4871A87A-BFDD-4106-8153-FFDE2BAC2967} (DLM Control) - http://dlm.tools.aka...vex-2.2.4.1.cab
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://by125fd.bay12...es/MsnPUpld.cab
O16 - DPF: {5F8469B4-B055-49DD-83F7-62B522420ECC} (Facebook Photo Uploader Control) - http://upload.facebo...otoUploader.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.mi...b?1228272956890
O16 - DPF: {92D0D610-A6FA-48D8-94CB-BD47FDF68655} (Launcher Class) - http://app.tubemusic...aver/naverx.cab
O16 - DPF: {A671DC03-71D0-4CF0-895C-7D4A248FC1F1} (skcbgmset Class) - http://cyimg7.cyworl...e/skcbgmset.cab
O16 - DPF: {A8F2B9BD-A6A0-486A-9744-18920D898429} (ScorchPlugin Class) - http://www.sibelius....tiveXPlugin.cab
O16 - DPF: {CEAF43B1-E8C1-426D-A63C-92C71212E6E5} (PlayerCue Control) - http://touch.imbc.co...lineService.cab
O16 - DPF: {F4A1D5E2-AF49-47A7-A945-23038106F3A4} (Pandora_SetUp Control) - http://imgcdn.pandor...ora_SetUpAX.cab
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Pure Networks Net2Go Service (nmraapache) - Pure Networks, Inc. - C:\Program Files\Pure Networks\Network Magic\WebServer\bin\nmraapache.exe
O23 - Service: Pure Networks Network Magic Service (nmservice) - Pure Networks, Inc. - C:\Program Files\Pure Networks\Network Magic\nmsrvc.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: Ulead Burning Helper (UleadBurningHelper) - Unknown owner - C:\Program Files\Common Files\Ulead Systems\DVD\ULCDRSvr.exe (file missing)
O24 - Desktop Component 0: (no name) - (no file)
O24 - Desktop Component 1: (no name) - (no file)
O24 - Desktop Component 10: (no name) - (no file)
O24 - Desktop Component 11: (no name) - (no file)
O24 - Desktop Component 12: (no name) - C:\Documents and Settings\Charles\Desktop\more photos\DSC03299_-_Copy.JPG
O24 - Desktop Component 2: (no name) - (no file)
O24 - Desktop Component 3: (no name) - (no file)
O24 - Desktop Component 4: (no name) - (no file)
O24 - Desktop Component 5: (no name) - (no file)
O24 - Desktop Component 6: (no name) - (no file)
O24 - Desktop Component 7: (no name) - (no file)
O24 - Desktop Component 8: (no name) - (no file)
O24 - Desktop Component 9: (no name) - (no file)

--
End of file - 9835 bytes

#7
emeraldnzl

Posted 05 December 2008 - 05:56 PM

GeekU Instructor

GeekU Moderator
20,051 posts

Hi shuh08,

I take it the photos on your desktop are of your choosing. Sometimes malware will put things there. I will remove the entries with no files but leave the current one.

Please re-open HiJackThis and scan. Check the boxes next to all the entries listed below.

R3 - URLSearchHook: &Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - (no file)
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O9 - Extra button: ¼¥°¡ÀÌµå - {EC9679F6-42B7-4593-9E1C-AF421066C123} - http://www.shop-guide.co.kr (file missing)
O23 - Service: Ulead Burning Helper (UleadBurningHelper) - Unknown owner - C:\Program Files\Common Files\Ulead Systems\DVD\ULCDRSvr.exe (file missing)
O24 - Desktop Component 0: (no name) - (no file)
O24 - Desktop Component 1: (no name) - (no file)
O24 - Desktop Component 10: (no name) - (no file)
O24 - Desktop Component 11: (no name) - (no file)
O24 - Desktop Component 2: (no name) - (no file)
O24 - Desktop Component 3: (no name) - (no file)
O24 - Desktop Component 4: (no name) - (no file)
O24 - Desktop Component 5: (no name) - (no file)
O24 - Desktop Component 6: (no name) - (no file)
O24 - Desktop Component 7: (no name) - (no file)
O24 - Desktop Component 8: (no name) - (no file)
O24 - Desktop Component 9: (no name) - (no file)

Now close all windows other than HiJackThis, then click Fix Checked. Close HiJackThis.

Now

Your Java is out of date, older versions are vunerable to attack.

Please download JavaRa to your desktop and unzip it to its own folder

Run JavaRa.exe, pick the language of your choice and click Select. Then click Remove Older Versions.
Accept any prompts.
Open JavaRa.exe again and select Search For Updates.
Select Update Using Sun Java's Website then click Search and click on the Open Webpage button. Download and install the latest Java Runtime Environment (JRE) version for your computer.

Next

1. Close any open browsers.

2. Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.

3. Open notepad and copy/paste the text in the quotebox below into it:

FCopy::
Firefox::
FireFox -: Profile - C:\Documents and Settings\Administrator\Application Data\Mozilla\Firefox\Profiles\test\
FireFox -: prefs.js - SEARCH.DEFAULTURL - hxxp://www.google.com/search?lr=&ie=UTF-8&oe=UTF-8&q=
Folder::

Save this as CFScript.txt, in the same location as ComboFix.exe

Posted Image

Refering to the picture above, drag CFScript into ComboFix.exe

When finished, it will produce a log for you at C:\ComboFix.txt together with a fresh HijackThis log which I will require in your next reply.

#8
shuh08

Posted 05 December 2008 - 06:21 PM

New Member

Topic Starter
Member
8 posts

Did everything according to your instructions, here are the logs:

ComboFix 08-12-05.02 - Charles 2008-12-05 19:16:02.2 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.595 [GMT -5:00]
Running from: c:\documents and settings\Charles\Desktop\ComboFix.exe
Command switches used :: c:\documents and settings\Charles\Desktop\CFScript.txt
* Created a new restore point
.

((((((((((((((((((((((((( Files Created from 2008-11-06 to 2008-12-06 )))))))))))))))))))))))))))))))
.

2008-12-05 19:13 . 2008-12-05 19:13 410,984 --a------ c:\windows\system32\deploytk.dll
2008-12-05 19:13 . 2008-12-05 19:13 73,728 --a------ c:\windows\system32\javacpl.cpl
2008-12-05 13:50 . 2008-12-05 13:50 <DIR> d-------- c:\program files\ERUNT
2008-12-03 15:08 . 2008-12-03 15:08 <DIR> d-------- C:\FormOver
2008-12-02 21:56 . 2008-10-16 14:09 31,768 --a------ c:\windows\system32\wucltui.dll.mui
2008-12-02 21:56 . 2008-10-16 14:07 23,576 --a------ c:\windows\system32\wuaucpl.cpl.mui
2008-12-02 21:56 . 2008-10-16 14:07 23,576 --a------ c:\windows\system32\wuapi.dll.mui
2008-12-02 21:56 . 2008-10-16 14:07 18,456 --a------ c:\windows\system32\wuaueng.dll.mui
2008-12-02 21:42 . 2008-12-02 21:42 <DIR> d-------- c:\program files\Trend Micro
2008-12-01 02:50 . 2008-12-01 02:50 <DIR> d-------- C:\VundoFix Backups
2008-11-25 18:36 . 2008-11-25 18:36 <DIR> d-------- c:\documents and settings\Charles\Application Data\Malwarebytes
2008-11-25 18:35 . 2008-11-25 18:36 <DIR> d-------- c:\program files\Malwarebytes' Anti-Malware
2008-11-25 18:35 . 2008-11-25 18:35 <DIR> d-------- c:\documents and settings\All Users\Application Data\Malwarebytes
2008-11-25 18:35 . 2008-10-22 16:27 38,496 --a------ c:\windows\system32\drivers\mbamswissarmy.sys
2008-11-25 18:35 . 2008-10-22 16:27 15,504 --a------ c:\windows\system32\drivers\mbam.sys
2008-11-25 18:05 . 2008-12-05 17:44 <DIR> d-a------ c:\documents and settings\All Users\Application Data\TEMP
2008-11-17 18:27 . 2008-11-17 18:27 <DIR> d-------- c:\program files\BitPim
2008-11-13 01:13 . 2008-11-13 01:13 <DIR> d-------- c:\program files\Audacity
2008-11-13 00:48 . 2008-11-13 01:10 <DIR> d-------- c:\documents and settings\Charles\Application Data\Download Manager
2008-11-09 16:00 . 2008-11-09 16:00 <DIR> d-------- c:\program files\MSECache

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-12-06 00:13 --------- d-----w c:\program files\Java
2008-11-26 21:11 --------- d--h--w c:\program files\InstallShield Installation Information
2008-11-26 21:09 --------- d-----w c:\program files\DivX
2008-11-26 21:07 --------- d-----w c:\program files\Common Files\Real
2008-11-25 23:58 --------- d-----w c:\documents and settings\Charles\Application Data\Lavasoft
2008-11-09 21:01 58,896 ----a-w c:\documents and settings\Charles\Application Data\GDIPFONTCACHEV1.DAT
2008-10-27 19:33 --------- d-----w c:\program files\QuickInvoice
2008-10-27 19:32 --------- d-----w c:\program files\PeerGuardian2
2008-10-27 19:32 --------- d-----w c:\program files\BitTorrent
2008-10-16 19:13 1,809,944 ----a-w c:\windows\system32\wuaueng.dll
2008-10-16 19:12 561,688 ----a-w c:\windows\system32\wuapi.dll
2008-10-16 19:12 323,608 ----a-w c:\windows\system32\wucltui.dll
2008-10-16 19:09 92,696 ----a-w c:\windows\system32\cdm.dll
2008-10-16 19:09 51,224 ----a-w c:\windows\system32\wuauclt.exe
2008-10-16 19:09 43,544 ----a-w c:\windows\system32\wups2.dll
2008-10-16 19:08 34,328 ----a-w c:\windows\system32\wups.dll
2008-10-14 04:27 --------- d-----w c:\program files\quincy
2008-10-08 02:32 --------- d-----w c:\program files\Common Files\TI Shared
2008-10-08 02:31 --------- d-----w c:\program files\Common Files\Vernier Software
2008-10-08 02:29 --------- d-----w c:\program files\Vernier Software
.

((((((((((((((((((((((((((((( snapshot@2008-12-05_17.47.36.20 )))))))))))))))))))))))))))))))))))))))))
.
+ 2005-10-20 17:02:28 163,328 ----a-w c:\windows\ERDNT\AutoBackup\2008-12-05\ERDNT.EXE
+ 2008-12-05 22:44:20 6,287,360 ----a-w c:\windows\ERDNT\AutoBackup\2008-12-05\Users\00000001\NTUSER.DAT
+ 2008-12-05 22:44:21 110,592 ----a-w c:\windows\ERDNT\AutoBackup\2008-12-05\Users\00000002\UsrClass.dat
- 2006-12-15 06:30:58 49,248 ----a-w c:\windows\system32\java.exe
+ 2008-12-06 00:13:23 144,792 ----a-w c:\windows\system32\java.exe
- 2006-12-15 06:31:06 53,346 ----a-w c:\windows\system32\javaw.exe
+ 2008-12-06 00:13:23 144,792 ----a-w c:\windows\system32\javaw.exe
- 2006-12-15 08:09:14 127,078 ----a-w c:\windows\system32\javaws.exe
+ 2008-12-06 00:13:23 148,888 ----a-w c:\windows\system32\javaws.exe
+ 2008-12-06 00:13:40 16,384 ----atw c:\windows\temp\Perflib_Perfdata_8cc.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2004-08-03 15360]
"BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}"="c:\program files\Common Files\Ahead\Lib\NMBgMonitor.exe" [2006-04-21 94208]
"H/PC Connection Agent"="c:\program files\Microsoft ActiveSync\wcescomm.exe" [2006-11-13 1289000]
"Veoh"="c:\program files\Veoh Networks\Veoh\VeohClient.exe" [2007-12-21 3481600]
"RegistryMechanic"="c:\program files\Registry Mechanic\RegMech.exe" [2008-07-08 2828184]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ATICCC"="c:\program files\ATI Technologies\ATI.ACE\cli.exe" [2005-08-12 45056]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2008-12-05 136600]
"UpdReg"="c:\windows\UpdReg.EXE" [2000-05-11 90112]
"Jet Detection"="c:\program files\Creative\SBLive\PROGRAM\ADGJDet.exe" [2001-11-29 28672]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2007-02-16 282624]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2007-03-14 257088]
"NeroFilterCheck"="c:\program files\Common Files\Ahead\Lib\NeroCheck.exe" [2006-01-12 155648]
"nmapp"="c:\program files\Pure Networks\Network Magic\nmapp.exe" [2007-03-14 321088]
"IMJPMIG8.1"="c:\windows\IME\imjp8_1\IMJPMIG.EXE" [2004-08-04 208952]
"MSPY2002"="c:\windows\system32\IME\PINTLGNT\ImScInst.exe" [2004-08-04 59392]
"PHIME2002ASync"="c:\windows\system32\IME\TINTLGNT\TINTSETP.EXE" [2004-08-04 455168]
"PHIME2002A"="c:\windows\system32\IME\TINTLGNT\TINTSETP.EXE" [2004-08-04 455168]
"Samsung PanelMgr"="c:\windows\Samsung\PanelMgr\SSMMgr.exe" [2008-02-04 536576]
"WINDVDPatch"="CTHELPER.EXE" [2002-07-02 c:\windows\system32\CTHELPER.EXE]

c:\documents and settings\Charles\Start Menu\Programs\Startup\
Adobe Gamma.lnk - c:\program files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe [2006-01-07 113664]
ERUNT AutoBackup.lnk - c:\program files\ERUNT\AUTOBACK.EXE [2005-10-20 38912]

[HKEY_CURRENT_USER\software\microsoft\internet explorer\desktop\components\12]
Source= c:\documents and settings\Charles\Desktop\more photos\DSC03299_-_Copy.JPG
FriendlyName=

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"msacm.l3acm"= l3codecp.acm
"aux"= ctwdm32.dll
"vidc.ffds"= ffdshow.ax
"aux4"= ctwdm32.dll

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusDisableNotify"=dword:00000001
"UpdatesDisableNotify"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Sony\\Station\\Launchpad\\LaunchPad.exe"=
"c:\\Program Files\\Messenger\\msmsgs.exe"=
"c:\\Program Files\\LimeWire\\LimeWire.exe"=
"c:\\Program Files\\World of Warcraft\\WoW-2.0.3-enUS-downloader.exe"=
"c:\\WINDOWS\\system32\\pdrtvsvr.exe"=
"c:\\WINDOWS\\system32\\skcbgm.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\\Program Files\\InterVideo\\DVD7\\WinDVD.exe"=
"c:\\Program Files\\MSN Messenger\\msnmsgr.exe"=
"c:\\Program Files\\MSN Messenger\\livecall.exe"=
"c:\program files\Microsoft ActiveSync\rapimgr.exe"= c:\program files\Microsoft ActiveSync\rapimgr.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync RAPI Manager
"c:\program files\Microsoft ActiveSync\wcescomm.exe"= c:\program files\Microsoft ActiveSync\wcescomm.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync Connection Manager
"c:\program files\Microsoft ActiveSync\WCESMgr.exe"= c:\program files\Microsoft ActiveSync\WCESMgr.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync Application
"c:\\Program Files\\ATI Technologies\\ATI.ACE\\CLI.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"52000:TCP"= 52000:TCP:Monkey3
"52000:UDP"= 52000:UDP:Monkey3
"26675:TCP"= 26675:TCP:169.254.2.0/255.255.255.0:Enabled:ActiveSync Service
"67:UDP"= 67:UDP:DHCP Discovery Service

R3 AON325;AOpen AON-325 10/100M Fast Ethernet PCI Adapter Driver;c:\windows\system32\DRIVERS\AON325.SYS [2003-01-22 46976]
S2 shpsv;Shop-Guide Updater Service;c:\windows\system32\svchost.exe -k rewardnet [2004-08-03 14336]
S2 SSPORT;SSPORT;\??\c:\windows\system32\Drivers\SSPORT.sys []
S3 f_kp;f_kp;\??\c:\windows\system32\drivers\f_kp.sys [2007-10-25 4598]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
WebGuide REG_MULTI_SZ websv

*Newly Created Service* - JAVAQUICKSTARTERSERVICE
.
Contents of the 'Scheduled Tasks' folder

2008-12-02 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2007-01-10 14:42]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.ca/
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office10\EXCEL.EXE/3000

c:\windows\system32\unicows.dll - c:\windows\Downloaded Program Files\CyImage2.dll
O16 -: {04E7BADF-F3B9-420D-B82D-8D8CADEFE4F9}
hxxp://cyimg7.cyworld.nate.com/ImageUpload/CyImageUpload2.cab
c:\windows\Downloaded Program Files\CyImage2.inf

c:\windows\Downloaded Program Files\Manager.exe - c:\windows\Downloaded Program Files\DownloadManagerV2.ocx
O16 -: {4871A87A-BFDD-4106-8153-FFDE2BAC2967}
hxxp://dlm.tools.akamai.com/dlmanager/versions/activex/dlm-activex-2.2.4.1.cab
c:\windows\Downloaded Program Files\DownloadManagerV2.inf

c:\windows\Downloaded Program Files\ipopx.dll - O16 -: {92D0D610-A6FA-48D8-94CB-BD47FDF68655}
hxxp://app.tubemusic.com/naver/naverx.cab
c:\windows\Downloaded Program Files\naverx.inf

c:\windows\system32\atl.dll - c:\windows\system32\skcbgmset.dll
O16 -: {A671DC03-71D0-4CF0-895C-7D4A248FC1F1}
hxxp://cyimg7.cyworld.nate.com/cymusic/package/skcbgmset.cab
c:\windows\Downloaded Program Files\skcbgmset.inf

c:\windows\Downloaded Program Files\touchbrowser.ocx - c:\windows\system32\TouchWeb.dll
c:\windows\Downloaded Program Files\Touch.ocx
c:\windows\Downloaded Program Files\PlayerCue.ocx
c:\windows\Downloaded Program Files\iMBCTree.ocx
c:\windows\Downloaded Program Files\iMBCSWF.ocx
c:\windows\Downloaded Program Files\iMBCPopup.ocx
c:\windows\Downloaded Program Files\iMBCImageView.ocx
c:\windows\Downloaded Program Files\iMBCGraph.ocx
c:\windows\Downloaded Program Files\iMBCDownload.ocx
c:\windows\Downloaded Program Files\iMBCControl.ocx
c:\windows\Downloaded Program Files\iMBCContents.ocx
O16 -: {CEAF43B1-E8C1-426D-A63C-92C71212E6E5}
hxxp://touch.imbc.com/ActiveX/iMBCOnlineService.cab
c:\windows\Downloaded Program Files\touchbrowser.inf

c:\windows\system32\Pandora_SetUpAX.ocx - O16 -: {F4A1D5E2-AF49-47A7-A945-23038106F3A4}
hxxp://imgcdn.pandora.tv/pan_img/launcher/codebase/Pandora_SetUpAX.cab
c:\windows\Downloaded Program Files\Pandora_SetUpAX.inf
FireFox -: Profile - c:\documents and settings\Charles\Application Data\Mozilla\Firefox\Profiles\08edqprk.default\
.

**************************************************************************

catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-12-05 19:17:31
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(584)
c:\windows\system32\Ati2evxx.dll
.
Completion time: 2008-12-05 19:19:09
ComboFix-quarantined-files.txt 2008-12-06 00:18:13
ComboFix2.txt 2008-12-05 22:48:38

Pre-Run: 7,249,813,504 bytes free
Post-Run: 7,255,142,400 bytes free

200

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 7:20:05 PM, on 12/5/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16414)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\WINDOWS\system32\HPZipm12.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\Program Files\Pure Networks\Network Magic\nmsrvc.exe
C:\Program Files\ATI Technologies\ATI.ACE\cli.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Pure Networks\Network Magic\nmapp.exe
C:\WINDOWS\Samsung\PanelMgr\SSMMgr.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe
C:\Program Files\Microsoft ActiveSync\wcescomm.exe
C:\WINDOWS\system32\devldr32.exe
C:\Program Files\Veoh Networks\Veoh\VeohClient.exe
C:\Program Files\Registry Mechanic\RegMech.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\PROGRA~1\MICROS~4\rapimgr.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\ATI Technologies\ATI.ACE\cli.exe
C:\Program Files\ATI Technologies\ATI.ACE\cli.exe
C:\Program Files\Winamp\winamp.exe
C:\WINDOWS\system32\msiexec.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\WINDOWS\system32\notepad.exe
C:\WINDOWS\explorer.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.ca/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft....k/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft....k/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft....k/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft....k/?LinkId=69157
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: Java™ Plug-In SSV Helper - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre6\bin\ssv.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O2 - BHO: Java™ Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O3 - Toolbar: Veoh Browser Plug-in - {D0943516-5076-4020-A3B5-AEFAF26AB263} - C:\Program Files\Veoh Networks\Veoh\Plugins\reg\VeohToolbar.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O4 - HKLM\..\Run: [ATICCC] "C:\Program Files\ATI Technologies\ATI.ACE\cli.exe" runtime -Delay
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"
O4 - HKLM\..\Run: [WINDVDPatch] CTHELPER.EXE
O4 - HKLM\..\Run: [UpdReg] C:\WINDOWS\UpdReg.EXE
O4 - HKLM\..\Run: [Jet Detection] "C:\Program Files\Creative\SBLive\PROGRAM\ADGJDet.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [NeroFilterCheck] C:\Program Files\Common Files\Ahead\Lib\NeroCheck.exe
O4 - HKLM\..\Run: [nmapp] "C:\Program Files\Pure Networks\Network Magic\nmapp.exe" -autorun -nosplash
O4 - HKLM\..\Run: [IMJPMIG8.1] "C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32
O4 - HKLM\..\Run: [MSPY2002] C:\WINDOWS\system32\IME\PINTLGNT\ImScInst.exe /SYNC
O4 - HKLM\..\Run: [PHIME2002ASync] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /SYNC
O4 - HKLM\..\Run: [PHIME2002A] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /IMEName
O4 - HKLM\..\Run: [Samsung PanelMgr] C:\WINDOWS\Samsung\PanelMgr\SSMMgr.exe /autorun
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] "C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe"
O4 - HKCU\..\Run: [H/PC Connection Agent] "C:\Program Files\Microsoft ActiveSync\wcescomm.exe"
O4 - HKCU\..\Run: [Veoh] "C:\Program Files\Veoh Networks\Veoh\VeohClient.exe" /VeohHide
O4 - HKCU\..\Run: [RegistryMechanic] C:\Program Files\Registry Mechanic\RegMech.exe /H
O4 - Startup: Adobe Gamma.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Startup: ERUNT AutoBackup.lnk = C:\Program Files\ERUNT\AUTOBACK.EXE
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: Create Mobile Favorite - {2EAF5BB1-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MICROS~4\INetRepl.dll
O9 - Extra button: (no name) - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MICROS~4\INetRepl.dll
O9 - Extra 'Tools' menuitem: Create Mobile Favorite... - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MICROS~4\INetRepl.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O10 - Unknown file in Winsock LSP: c:\windows\system32\nwprovau.dll
O16 - DPF: {04E7BADF-F3B9-420D-B82D-8D8CADEFE4F9} (CyImage2Ctl Class) - http://cyimg7.cyworl...mageUpload2.cab
O16 - DPF: {05D96F71-87C6-11D3-9BE4-00902742D6E0} (QuickPlace Class) - http://quartz.atkins...orku.ca/qp2.cab
O16 - DPF: {1239CC52-59EF-4DFA-8C61-90FFA846DF7E} (Musicnotes Viewer) - http://www.musicnote...ad/mnviewer.cab
O16 - DPF: {4871A87A-BFDD-4106-8153-FFDE2BAC2967} (DLM Control) - http://dlm.tools.aka...vex-2.2.4.1.cab
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://by125fd.bay12...es/MsnPUpld.cab
O16 - DPF: {5F8469B4-B055-49DD-83F7-62B522420ECC} (Facebook Photo Uploader Control) - http://upload.facebo...otoUploader.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.mi...b?1228272956890
O16 - DPF: {92D0D610-A6FA-48D8-94CB-BD47FDF68655} (Launcher Class) - http://app.tubemusic...aver/naverx.cab
O16 - DPF: {A671DC03-71D0-4CF0-895C-7D4A248FC1F1} (skcbgmset Class) - http://cyimg7.cyworl...e/skcbgmset.cab
O16 - DPF: {A8F2B9BD-A6A0-486A-9744-18920D898429} (ScorchPlugin Class) - http://www.sibelius....tiveXPlugin.cab
O16 - DPF: {CEAF43B1-E8C1-426D-A63C-92C71212E6E5} (PlayerCue Control) - http://touch.imbc.co...lineService.cab
O16 - DPF: {F4A1D5E2-AF49-47A7-A945-23038106F3A4} (Pandora_SetUp Control) - http://imgcdn.pandor...ora_SetUpAX.cab
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: Pure Networks Net2Go Service (nmraapache) - Pure Networks, Inc. - C:\Program Files\Pure Networks\Network Magic\WebServer\bin\nmraapache.exe
O23 - Service: Pure Networks Network Magic Service (nmservice) - Pure Networks, Inc. - C:\Program Files\Pure Networks\Network Magic\nmsrvc.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: Ulead Burning Helper (UleadBurningHelper) - Unknown owner - C:\Program Files\Common Files\Ulead Systems\DVD\ULCDRSvr.exe (file missing)
O24 - Desktop Component 0: (no name) - (no file)
O24 - Desktop Component 1: (no name) - (no file)
O24 - Desktop Component 10: (no name) - (no file)
O24 - Desktop Component 11: (no name) - (no file)
O24 - Desktop Component 12: (no name) - C:\Documents and Settings\Charles\Desktop\more photos\DSC03299_-_Copy.JPG
O24 - Desktop Component 2: (no name) - (no file)
O24 - Desktop Component 3: (no name) - (no file)
O24 - Desktop Component 4: (no name) - (no file)
O24 - Desktop Component 5: (no name) - (no file)
O24 - Desktop Component 6: (no name) - (no file)
O24 - Desktop Component 7: (no name) - (no file)
O24 - Desktop Component 8: (no name) - (no file)
O24 - Desktop Component 9: (no name) - (no file)

--
End of file - 9713 bytes

#9
emeraldnzl

Posted 05 December 2008 - 08:42 PM

GeekU Instructor

GeekU Moderator
20,051 posts

Please read this post completely, it may make it easier if you copy and paste this post to a new text document or print it for reference later. This will especially help you when your computer is off line.

Download SDFix and save it to your Desktop.

Double click SDFix.exe and it will extract the files to %systemdrive%
(Drive that contains the Windows Directory, typically C:\SDFix)

Please then reboot your computer in Safe Mode by doing the following :

Restart your computer
After hearing your computer beep once during startup, but before the Windows icon appears, tap the F8 key continually;
Instead of Windows loading as normal, the Advanced Options Menu should appear;
Select the first option, to run Windows in Safe Mode, then press Enter.
Choose your usual account.

Open the extracted SDFix folder and double click RunThis.bat to start the script.
Type Y to begin the cleanup process.
It will remove any Trojan Services and Registry Entries that it finds then prompt you to press any key to Reboot.
Press any Key and it will restart the PC.
When the PC restarts the Fixtool will run again and complete the removal process then display Finished, press any key to end the script and load your desktop icons.
Once the desktop icons load the SDFix report will open on screen and also save into the SDFix folder as Report.txt
(Report.txt will also be copied to Clipboard ready for posting back on the forum).
Finally paste the contents of the Report.txt back on the forum.

#10
shuh08

Posted 05 December 2008 - 10:54 PM

New Member

Topic Starter
Member
8 posts

Hopefully this fixed everything? I want to thank you guys very much for your voluntary hard work. I was reading up on the GeekU page and I am very interested in trying to get an education from you guys, I would definitely want to give back to the community.

here's the log:

SDFix: Version 1.240
Run by Administrator on Fri 12/05/2008 at 11:34 PM

Microsoft Windows XP [Version 5.1.2600]
Running From: C:\SDFix

Checking Services :

Restoring Default Security Values
Restoring Default Hosts File

Rebooting

Checking Files :

No Trojan Files Found

Removing Temp Files

ADS Check :

Final Check :

catchme 0.3.1361.2 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-12-05 23:39:42
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden services & system hive ...

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\sptd\Cfg]
"s1"=dword:0fe50db9
"s2"=dword:3f58ecbc
"h0"=dword:00000001

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4]
"h0"=dword:00000000
"khjeh"=hex:da,53,34,8e,a6,6f,c6,e1,4b,f5,b5,d3,34,29,3a,3d,77,db,8d,5f,b0,..
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4]
"h0"=dword:00000000
"khjeh"=hex:da,53,34,8e,a6,6f,c6,e1,4b,f5,b5,d3,34,29,3a,3d,77,db,8d,5f,b0,..

scanning hidden registry entries ...

scanning hidden files ...

scan completed successfully
hidden processes: 0
hidden services: 0
hidden files: 0

Remaining Services :

Authorized Application Key Export:

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\standardprofile\authorizedapplications\list]
"%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"C:\\Program Files\\Sony\\Station\\Launchpad\\LaunchPad.exe"="C:\\Program Files\\Sony\\Station\\Launchpad\\LaunchPad.exe:*:Enabled:LaunchPad"
"C:\\Program Files\\Messenger\\msmsgs.exe"="C:\\Program Files\\Messenger\\msmsgs.exe:*:Enabled:Windows Messenger"
"C:\\Program Files\\LimeWire\\LimeWire.exe"="C:\\Program Files\\LimeWire\\LimeWire.exe:*:Enabled:LimeWire"
"C:\\Program Files\\World of Warcraft\\WoW-2.0.3-enUS-downloader.exe"="C:\\Program Files\\World of Warcraft\\WoW-2.0.3-enUS-downloader.exe:*:Enabled:Blizzard Downloader"
"C:\\WINDOWS\\system32\\pdrtvsvr.exe"="C:\\WINDOWS\\system32\\pdrtvsvr.exe:*:Enabled:PandoraTV VoD Control"
"C:\\WINDOWS\\system32\\skcbgm.exe"="C:\\WINDOWS\\system32\\skcbgm.exe:*:Enabled:SK Communications Cyworld BGM Player"
"%windir%\\Network Diagnostic\\xpnetdiag.exe"="%windir%\\Network Diagnostic\\xpnetdiag.exe:*:Enabled:@xpsp3res.dll,-20000"
"C:\\Program Files\\iTunes\\iTunes.exe"="C:\\Program Files\\iTunes\\iTunes.exe:*:Enabled:iTunes"
"C:\\Program Files\\InterVideo\\DVD7\\WinDVD.exe"="C:\\Program Files\\InterVideo\\DVD7\\WinDVD.exe:*:Enabled:WinDVD"
"C:\\Program Files\\MSN Messenger\\msnmsgr.exe"="C:\\Program Files\\MSN Messenger\\msnmsgr.exe:*:Enabled:Windows Live Messenger 8.1"
"C:\\Program Files\\MSN Messenger\\livecall.exe"="C:\\Program Files\\MSN Messenger\\livecall.exe:*:Enabled:Windows Live Messenger 8.1 (Phone)"
"C:\\Program Files\\Microsoft ActiveSync\\rapimgr.exe"="C:\\Program Files\\Microsoft ActiveSync\\rapimgr.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync RAPI Manager"
"C:\\Program Files\\Microsoft ActiveSync\\wcescomm.exe"="C:\\Program Files\\Microsoft ActiveSync\\wcescomm.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync Connection Manager"
"C:\\Program Files\\Microsoft ActiveSync\\WCESMgr.exe"="C:\\Program Files\\Microsoft ActiveSync\\WCESMgr.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync Application"
"C:\\Program Files\\ATI Technologies\\ATI.ACE\\CLI.exe"="C:\\Program Files\\ATI Technologies\\ATI.ACE\\CLI.exe:*:Enabled:cli"
"C:\\Program Files\\Pure Networks\\Network Magic\\nmsrvc.exe"="C:\\Program Files\\Pure Networks\\Network Magic\\nmsrvc.exe:LocalSubNet:Enabled:Pure Networks Network Magic Service"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\domainprofile\authorizedapplications\list]
"%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"%windir%\\Network Diagnostic\\xpnetdiag.exe"="%windir%\\Network Diagnostic\\xpnetdiag.exe:*:Enabled:@xpsp3res.dll,-20000"
"C:\\Program Files\\MSN Messenger\\msnmsgr.exe"="C:\\Program Files\\MSN Messenger\\msnmsgr.exe:*:Enabled:Windows Live Messenger 8.1"
"C:\\Program Files\\MSN Messenger\\livecall.exe"="C:\\Program Files\\MSN Messenger\\livecall.exe:*:Enabled:Windows Live Messenger 8.1 (Phone)"
"C:\\Program Files\\Microsoft ActiveSync\\rapimgr.exe"="C:\\Program Files\\Microsoft ActiveSync\\rapimgr.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync RAPI Manager"
"C:\\Program Files\\Microsoft ActiveSync\\wcescomm.exe"="C:\\Program Files\\Microsoft ActiveSync\\wcescomm.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync Connection Manager"
"C:\\Program Files\\Microsoft ActiveSync\\WCESMgr.exe"="C:\\Program Files\\Microsoft ActiveSync\\WCESMgr.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync Application"

Remaining Files :

Files with Hidden Attributes :

Mon 1 Sep 2008 65,588 A.SH. --- "C:\WINDOWS\system32\dararudi.dll.tmp"
Thu 4 Sep 2008 64,053 A.SH. --- "C:\WINDOWS\system32\jalopeya.dll.tmp"
Thu 4 Sep 2008 64,053 A.SH. --- "C:\WINDOWS\system32\jawegafa.dll.tmp"
Thu 4 Sep 2008 64,053 A.SH. --- "C:\WINDOWS\system32\kawenola.dll.tmp"
Thu 4 Sep 2008 64,565 A.SH. --- "C:\WINDOWS\system32\wopebulu.dll.tmp"
Mon 25 Aug 2008 60,416 A.SH. --- "C:\WINDOWS\system32\wuniferi.dll.tmp"
Tue 22 Aug 2006 4,348 A.SH. --- "C:\Documents and Settings\All Users\DRM\DRMv1.bak"
Mon 15 Oct 2007 50,688 ...H. --- "C:\Documents and Settings\Charles\My Documents\~WRL2143.tmp"
Tue 7 Oct 2008 65,536 A..H. --- "C:\Documents and Settings\Charles\Desktop\PHYSICS\LP342i for PC\~WRL1232.tmp"

Finished!

#11
emeraldnzl

Posted 05 December 2008 - 11:54 PM

GeekU Instructor

GeekU Moderator
20,051 posts

Unless I am missing something I don't see and anti-virus program or firewall on your computer.

Before we do anything else please download and install one of these good antivirus programs (these are free for personal use):

You should also have a good firewall. Choose one from these that are free for personal use:

Comodo Note:Comodo Firewall is no longer available as a stand-alone download and you should choose firewall only during installation.
PC Tools Firewall Plus

It is critical to have both a firewall and anti virus to protect your system.

Download all updates for your antivirus and then run a full scan of your computer. Save the results of the scan and then let the program fix all problems it finds. Post results of the scan back here.

#12
shuh08

Posted 08 December 2008 - 01:27 AM

New Member

Topic Starter
Member
8 posts

ok installed avira and comodo, ran a scan with avira, it actually found over 90 different trojans....

here's the log:
***I wasn't sure what to do when it prompted me to take action, so i just arbitrarily deleted some, and let the rest be quarantined, I'm not too sure what is best to do?

Avira AntiVir Personal
Report file date: Sunday, December 07, 2008 18:15

Scanning for 1076607 virus strains and unwanted programs.

Licensed to: Avira AntiVir PersonalEdition Classic
Serial number: 0000149996-ADJIE-0001
Platform: Windows XP
Windows version: (Service Pack 2) [5.1.2600]
Boot mode: Normally booted
Username: SYSTEM
Computer name: SHYN

Version information:
BUILD.DAT : 8.2.0.337 16934 Bytes 11/18/2008 13:05:00
AVSCAN.EXE : 8.1.4.10 315649 Bytes 11/18/2008 14:21:26
AVSCAN.DLL : 8.1.4.0 40705 Bytes 5/26/2008 13:56:40
LUKE.DLL : 8.1.4.5 164097 Bytes 6/12/2008 18:44:19
LUKERES.DLL : 8.1.4.0 12033 Bytes 5/26/2008 13:58:52
ANTIVIR0.VDF : 7.1.0.0 15603712 Bytes 10/27/2008 17:30:36
ANTIVIR1.VDF : 7.1.0.197 1170432 Bytes 12/7/2008 23:03:12
ANTIVIR2.VDF : 7.1.0.198 2048 Bytes 12/7/2008 23:03:13
ANTIVIR3.VDF : 7.1.0.199 2048 Bytes 12/7/2008 23:03:13
Engineversion : 8.2.0.42
AEVDF.DLL : 8.1.0.6 102772 Bytes 10/14/2008 16:05:56
AESCRIPT.DLL : 8.1.1.17 336251 Bytes 12/7/2008 23:03:21
AESCN.DLL : 8.1.1.5 123251 Bytes 11/7/2008 21:06:41
AERDL.DLL : 8.1.1.3 438645 Bytes 11/4/2008 19:58:38
AEPACK.DLL : 8.1.3.4 393591 Bytes 11/11/2008 15:41:39
AEOFFICE.DLL : 8.1.0.32 196987 Bytes 12/7/2008 23:03:20
AEHEUR.DLL : 8.1.0.74 1519990 Bytes 12/7/2008 23:03:19
AEHELP.DLL : 8.1.2.0 119159 Bytes 12/7/2008 23:03:16
AEGEN.DLL : 8.1.1.6 323955 Bytes 12/7/2008 23:03:15
AEEMU.DLL : 8.1.0.9 393588 Bytes 10/14/2008 16:05:56
AECORE.DLL : 8.1.5.2 172405 Bytes 12/7/2008 23:03:14
AEBB.DLL : 8.1.0.3 53618 Bytes 10/14/2008 16:05:56
AVWINLL.DLL : 1.0.0.12 15105 Bytes 7/9/2008 14:40:05
AVPREF.DLL : 8.0.2.0 38657 Bytes 5/16/2008 15:28:01
AVREP.DLL : 8.0.0.2 98344 Bytes 7/31/2008 18:02:15
AVREG.DLL : 8.0.0.1 33537 Bytes 5/9/2008 17:26:40
AVARKT.DLL : 1.0.0.23 307457 Bytes 2/12/2008 14:29:23
AVEVTLOG.DLL : 8.0.0.16 119041 Bytes 6/12/2008 18:27:49
SQLITE3.DLL : 3.3.17.1 339968 Bytes 1/22/2008 23:28:02
SMTPLIB.DLL : 1.2.0.23 28929 Bytes 6/12/2008 18:49:40
NETNT.DLL : 8.0.0.1 7937 Bytes 1/25/2008 18:05:10
RCIMAGE.DLL : 8.0.0.51 2371841 Bytes 6/12/2008 19:48:07
RCTEXT.DLL : 8.0.52.0 86273 Bytes 6/27/2008 19:34:37

Configuration settings for the scan:
Jobname..........................: Complete system scan
Configuration file...............: c:\program files\avira\antivir personaledition classic\sysscan.avp
Logging..........................: low
Primary action...................: interactive
Secondary action.................: ignore
Scan master boot sector..........: on
Scan boot sector.................: on
Boot sectors.....................: C:, D:,
Process scan.....................: on
Scan registry....................: on
Search for rootkits..............: off
Scan all files...................: Intelligent file selection
Scan archives....................: on
Recursion depth..................: 20
Smart extensions.................: on
Macro heuristic..................: on
File heuristic...................: medium

Start of the scan: Sunday, December 07, 2008 18:15

The scan of running processes will be started
Scan process 'avscan.exe' - '1' Module(s) have been scanned
Scan process 'avcenter.exe' - '1' Module(s) have been scanned
Scan process 'CLI.exe' - '1' Module(s) have been scanned
Scan process 'CLI.exe' - '1' Module(s) have been scanned
Scan process 'svchost.exe' - '1' Module(s) have been scanned
Scan process 'iPodService.exe' - '1' Module(s) have been scanned
Scan process 'rapimgr.exe' - '1' Module(s) have been scanned
Scan process 'alg.exe' - '1' Module(s) have been scanned
Scan process 'RegMech.exe' - '1' Module(s) have been scanned
Scan process 'VeohClient.exe' - '1' Module(s) have been scanned
Scan process 'wuauclt.exe' - '1' Module(s) have been scanned
Scan process 'wmiprvse.exe' - '1' Module(s) have been scanned
Scan process 'wcescomm.exe' - '1' Module(s) have been scanned
Scan process 'NMBgMonitor.exe' - '1' Module(s) have been scanned
Scan process 'ctfmon.exe' - '1' Module(s) have been scanned
Scan process 'cfp.exe' - '1' Module(s) have been scanned
Scan process 'avgnt.exe' - '1' Module(s) have been scanned
Scan process 'SSMMgr.exe' - '1' Module(s) have been scanned
Scan process 'wmiprvse.exe' - '1' Module(s) have been scanned
Scan process 'devldr32.exe' - '1' Module(s) have been scanned
Scan process 'nmapp.exe' - '1' Module(s) have been scanned
Scan process 'iTunesHelper.exe' - '1' Module(s) have been scanned
Scan process 'qttask.exe' - '1' Module(s) have been scanned
Scan process 'CTHELPER.EXE' - '1' Module(s) have been scanned
Scan process 'jusched.exe' - '1' Module(s) have been scanned
Scan process 'CLI.exe' - '1' Module(s) have been scanned
Scan process 'nmsrvc.exe' - '1' Module(s) have been scanned
Scan process 'wdfmgr.exe' - '1' Module(s) have been scanned
Scan process 'svchost.exe' - '1' Module(s) have been scanned
Scan process 'explorer.exe' - '1' Module(s) have been scanned
Scan process 'ati2evxx.exe' - '1' Module(s) have been scanned
Scan process 'HPZipm12.exe' - '1' Module(s) have been scanned
Scan process 'mdm.exe' - '1' Module(s) have been scanned
Scan process 'jqs.exe' - '1' Module(s) have been scanned
Scan process 'cmdagent.exe' - '1' Module(s) have been scanned
Scan process 'avguard.exe' - '1' Module(s) have been scanned
Scan process 'sched.exe' - '1' Module(s) have been scanned
Scan process 'spoolsv.exe' - '1' Module(s) have been scanned
Scan process 'svchost.exe' - '1' Module(s) have been scanned
Scan process 'svchost.exe' - '1' Module(s) have been scanned
Scan process 'svchost.exe' - '1' Module(s) have been scanned
Scan process 'svchost.exe' - '1' Module(s) have been scanned
Scan process 'svchost.exe' - '1' Module(s) have been scanned
Scan process 'ati2evxx.exe' - '1' Module(s) have been scanned
Scan process 'lsass.exe' - '1' Module(s) have been scanned
Scan process 'services.exe' - '1' Module(s) have been scanned
Scan process 'winlogon.exe' - '1' Module(s) have been scanned
Scan process 'csrss.exe' - '1' Module(s) have been scanned
Scan process 'smss.exe' - '1' Module(s) have been scanned
49 processes with 49 modules were scanned

Starting master boot sector scan:
Master boot sector HD0
[INFO] No virus was found!
Master boot sector HD1
[INFO] No virus was found!

Start scanning boot sectors:
Boot sector 'C:\'
[INFO] No virus was found!
Boot sector 'D:\'
[INFO] No virus was found!

Starting to scan the registry.
The registry was scanned ( '60' files ).

Starting the file scan:

Begin scan in 'C:\'
C:\hiberfil.sys
[WARNING] The file could not be opened!
C:\pagefile.sys
[WARNING] The file could not be opened!
C:\Documents and Settings\Charles\Desktop\New Downloaded Music\Chris Lake - Carry me away (Original Club Mix).mp3
[DETECTION] Contains recognition pattern of the EXP/ASF.GetCodec.Gen exploit
[NOTE] The file was deleted!
C:\Program Files\Mozilla Firefox\dz69dv.exe
[DETECTION] Is the TR/Vundo.MY Trojan
[NOTE] The file was moved to '497260a9.qua'!
C:\Program Files\Mozilla Firefox\y6crot.exe
[DETECTION] Contains recognition pattern of the WORM/Mytob.get worm
[NOTE] The file was moved to '499f606b.qua'!
C:\Qoobox\Quarantine\C\WINDOWS\system32\bahabona.dll.vir
[DETECTION] Is the TR/Vundo.GBB Trojan
[NOTE] The file was moved to '49a4728c.qua'!
C:\Qoobox\Quarantine\C\WINDOWS\system32\bekozije.dll.vir
[DETECTION] Is the TR/Vundo.Gen Trojan
[NOTE] The file was moved to '49a77296.qua'!
C:\Qoobox\Quarantine\C\WINDOWS\system32\boriraka.dll.vir
[DETECTION] Is the TR/Vundo.NF Trojan
[NOTE] The file was moved to '49ae72a4.qua'!
C:\Qoobox\Quarantine\C\WINDOWS\system32\jowudosu.dll.vir
[DETECTION] Is the TR/PSW.Magania.alwj Trojan
[NOTE] The file was moved to '49b372a8.qua'!
C:\Qoobox\Quarantine\C\WINDOWS\system32\kodesalo.dll.vir
[DETECTION] Is the TR/Vundo.Gen Trojan
[NOTE] The file was deleted!
C:\Qoobox\Quarantine\C\WINDOWS\system32\liwuwuto.dll.vir
[DETECTION] Is the TR/Vundo.GBB Trojan
[NOTE] The file was deleted!
C:\Qoobox\Quarantine\C\WINDOWS\system32\rahupeke.dll.vir
[DETECTION] Is the TR/Crypt.FKM.Gen Trojan
[NOTE] The file was deleted!
C:\Qoobox\Quarantine\C\WINDOWS\system32\rosukezo.dll.vir
[DETECTION] Is the TR/Vundo.NH Trojan
[NOTE] The file was moved to '49af72b7.qua'!
C:\Qoobox\Quarantine\C\WINDOWS\system32\sujuwido.dll.vir
[DETECTION] Is the TR/Vundo.GBB Trojan
[NOTE] The file was deleted!
C:\Qoobox\Quarantine\C\WINDOWS\system32\suteniro.dll.vir
[DETECTION] Is the TR/Vundo.Gen Trojan
[NOTE] The file was deleted!
C:\System Volume Information\_restore{3F9619DC-BC82-4CEF-943D-9A166FCA6697}\RP797\A0200106.dll
[DETECTION] Is the TR/Trash.Gen Trojan
[NOTE] The file was deleted!
C:\System Volume Information\_restore{3F9619DC-BC82-4CEF-943D-9A166FCA6697}\RP797\A0200107.dll
[DETECTION] Is the TR/Trash.Gen Trojan
[NOTE] The file was deleted!
C:\System Volume Information\_restore{3F9619DC-BC82-4CEF-943D-9A166FCA6697}\RP797\A0200108.exe
[DETECTION] Is the TR/Trash.Gen Trojan
[NOTE] The file was deleted!
C:\System Volume Information\_restore{3F9619DC-BC82-4CEF-943D-9A166FCA6697}\RP797\A0200109.exe
[DETECTION] Is the TR/Trash.Gen Trojan
[NOTE] The file was deleted!
C:\System Volume Information\_restore{3F9619DC-BC82-4CEF-943D-9A166FCA6697}\RP797\A0200110.exe
[DETECTION] Is the TR/Trash.Gen Trojan
[NOTE] The file was deleted!
C:\System Volume Information\_restore{3F9619DC-BC82-4CEF-943D-9A166FCA6697}\RP797\A0200111.exe
[DETECTION] Is the TR/Trash.Gen Trojan
[NOTE] The file was deleted!
C:\System Volume Information\_restore{3F9619DC-BC82-4CEF-943D-9A166FCA6697}\RP797\A0200112.dll
[DETECTION] Is the TR/Trash.Gen Trojan
[NOTE] The file was deleted!
C:\System Volume Information\_restore{3F9619DC-BC82-4CEF-943D-9A166FCA6697}\RP797\A0200113.dll
[DETECTION] Is the TR/Trash.Gen Trojan
[NOTE] The file was deleted!
C:\System Volume Information\_restore{3F9619DC-BC82-4CEF-943D-9A166FCA6697}\RP797\A0200114.dll
[DETECTION] Is the TR/Trash.Gen Trojan
[NOTE] The file was deleted!
C:\System Volume Information\_restore{3F9619DC-BC82-4CEF-943D-9A166FCA6697}\RP797\A0200115.dll
[DETECTION] Is the TR/Trash.Gen Trojan
[NOTE] The file was deleted!
C:\System Volume Information\_restore{3F9619DC-BC82-4CEF-943D-9A166FCA6697}\RP797\A0200116.dll
[DETECTION] Is the TR/Trash.Gen Trojan
[NOTE] The file was deleted!
C:\System Volume Information\_restore{3F9619DC-BC82-4CEF-943D-9A166FCA6697}\RP797\A0200117.dll
[DETECTION] Is the TR/Trash.Gen Trojan
[NOTE] The file was moved to '496e72c2.qua'!
C:\System Volume Information\_restore{3F9619DC-BC82-4CEF-943D-9A166FCA6697}\RP797\A0200118.dll
[DETECTION] Is the TR/Trash.Gen Trojan
[NOTE] The file was moved to '496e72c4.qua'!
C:\System Volume Information\_restore{3F9619DC-BC82-4CEF-943D-9A166FCA6697}\RP797\A0200119.dll
[DETECTION] Is the TR/Trash.Gen Trojan
[NOTE] The file was moved to '496e72c6.qua'!
C:\System Volume Information\_restore{3F9619DC-BC82-4CEF-943D-9A166FCA6697}\RP797\A0200120.dll
[DETECTION] Is the TR/Trash.Gen Trojan
[NOTE] The file was moved to '496e72c8.qua'!
C:\System Volume Information\_restore{3F9619DC-BC82-4CEF-943D-9A166FCA6697}\RP797\A0200122.dll
[DETECTION] Is the TR/Trash.Gen Trojan
[NOTE] The file was moved to '496e72cb.qua'!
C:\System Volume Information\_restore{3F9619DC-BC82-4CEF-943D-9A166FCA6697}\RP797\A0200123.dll
[DETECTION] Is the TR/Killav.28714 Trojan
[NOTE] The file was moved to '496e72cd.qua'!
C:\System Volume Information\_restore{3F9619DC-BC82-4CEF-943D-9A166FCA6697}\RP797\A0200124.ocx
[DETECTION] Is the TR/Trash.Gen Trojan
[NOTE] The file was moved to '496e72cf.qua'!
C:\System Volume Information\_restore{3F9619DC-BC82-4CEF-943D-9A166FCA6697}\RP797\A0200125.ocx
[DETECTION] Is the TR/Trash.Gen Trojan
[NOTE] The file was moved to '496e72d1.qua'!
C:\System Volume Information\_restore{3F9619DC-BC82-4CEF-943D-9A166FCA6697}\RP797\A0200126.dll
[DETECTION] Is the TR/Trash.Gen Trojan
[NOTE] The file was moved to '496e72d3.qua'!
C:\System Volume Information\_restore{3F9619DC-BC82-4CEF-943D-9A166FCA6697}\RP797\A0200127.dll
[DETECTION] Is the TR/Trash.Gen Trojan
[NOTE] The file was moved to '496e72d7.qua'!
C:\System Volume Information\_restore{3F9619DC-BC82-4CEF-943D-9A166FCA6697}\RP797\A0200128.dll
[DETECTION] Is the TR/Trash.Gen Trojan
[NOTE] The file was moved to '496e72d8.qua'!
C:\System Volume Information\_restore{3F9619DC-BC82-4CEF-943D-9A166FCA6697}\RP797\A0200137.dll
[DETECTION] Is the TR/Vundo.NA Trojan
[NOTE] The file was moved to '4dcedfa1.qua'!
C:\System Volume Information\_restore{3F9619DC-BC82-4CEF-943D-9A166FCA6697}\RP797\A0200138.dll
[DETECTION] Is the TR/Vundo.MY Trojan
[NOTE] The file was moved to '496e72da.qua'!
C:\System Volume Information\_restore{3F9619DC-BC82-4CEF-943D-9A166FCA6697}\RP797\A0200139.dll
[DETECTION] Is the TR/Trash.Gen Trojan
[NOTE] The file was moved to '4dcedfa3.qua'!
C:\System Volume Information\_restore{3F9619DC-BC82-4CEF-943D-9A166FCA6697}\RP797\A0200140.dll
[DETECTION] Is the TR/Vundo.MY Trojan
[NOTE] The file was moved to '496e72d9.qua'!
C:\System Volume Information\_restore{3F9619DC-BC82-4CEF-943D-9A166FCA6697}\RP797\A0200141.dll
[DETECTION] Is the TR/Vundo.MZ Trojan
[NOTE] The file was moved to '4dcedfa2.qua'!
C:\System Volume Information\_restore{3F9619DC-BC82-4CEF-943D-9A166FCA6697}\RP797\A0200142.dll
[DETECTION] Is the TR/Vundo.NA Trojan
[NOTE] The file was moved to '496e72db.qua'!
C:\System Volume Information\_restore{3F9619DC-BC82-4CEF-943D-9A166FCA6697}\RP798\A0201148.dll
[DETECTION] Is the TR/Vundo.NA Trojan
[NOTE] The file was moved to '496e72de.qua'!
C:\System Volume Information\_restore{3F9619DC-BC82-4CEF-943D-9A166FCA6697}\RP798\A0201149.dll
[DETECTION] Is the TR/Vundo.MZ Trojan
[NOTE] The file was moved to '4dcedfa7.qua'!
C:\System Volume Information\_restore{3F9619DC-BC82-4CEF-943D-9A166FCA6697}\RP798\A0201164.dll
[DETECTION] Is the TR/Killav.28714 Trojan
[NOTE] The file was moved to '496e72df.qua'!
C:\System Volume Information\_restore{3F9619DC-BC82-4CEF-943D-9A166FCA6697}\RP798\A0201165.dll
[DETECTION] Is the TR/Killav.28714 Trojan
[NOTE] The file was moved to '4dcedf98.qua'!
C:\System Volume Information\_restore{3F9619DC-BC82-4CEF-943D-9A166FCA6697}\RP802\A0201933.dll
[DETECTION] Is the TR/Killav.28714 Trojan
[NOTE] The file was moved to '496e72f9.qua'!
C:\System Volume Information\_restore{3F9619DC-BC82-4CEF-943D-9A166FCA6697}\RP802\A0201934.dll
[DETECTION] Is the TR/Killav.28714 Trojan
[NOTE] The file was moved to '4dcedf82.qua'!
C:\System Volume Information\_restore{3F9619DC-BC82-4CEF-943D-9A166FCA6697}\RP802\A0201935.dll
[DETECTION] Is the TR/Killav.28714 Trojan
[NOTE] The file was moved to '496e72fa.qua'!
C:\System Volume Information\_restore{3F9619DC-BC82-4CEF-943D-9A166FCA6697}\RP803\A0202946.dll
[DETECTION] Is the TR/Killav.28714 Trojan
[NOTE] The file was moved to '496e72fb.qua'!
C:\System Volume Information\_restore{3F9619DC-BC82-4CEF-943D-9A166FCA6697}\RP803\A0202947.dll
[DETECTION] Is the TR/Killav.28714 Trojan
[NOTE] The file was moved to '4dcedf84.qua'!
C:\System Volume Information\_restore{3F9619DC-BC82-4CEF-943D-9A166FCA6697}\RP804\A0202959.dll
[DETECTION] Is the TR/Killav.28714 Trojan
[NOTE] The file was moved to '496e72fd.qua'!
C:\System Volume Information\_restore{3F9619DC-BC82-4CEF-943D-9A166FCA6697}\RP804\A0202970.dll
[DETECTION] Is the TR/Killav.28714 Trojan
[NOTE] The file was moved to '4dcedf86.qua'!
C:\System Volume Information\_restore{3F9619DC-BC82-4CEF-943D-9A166FCA6697}\RP804\A0202971.dll
[DETECTION] Is the TR/Killav.28714 Trojan
[NOTE] The file was moved to '496e72ff.qua'!
C:\System Volume Information\_restore{3F9619DC-BC82-4CEF-943D-9A166FCA6697}\RP804\A0202972.dll
[DETECTION] Is the TR/Killav.28714 Trojan
[NOTE] The file was moved to '496e72fe.qua'!
C:\System Volume Information\_restore{3F9619DC-BC82-4CEF-943D-9A166FCA6697}\RP804\A0202980.dll
[DETECTION] Is the TR/Killav.28714 Trojan
[NOTE] The file was moved to '4dcedf87.qua'!
C:\System Volume Information\_restore{3F9619DC-BC82-4CEF-943D-9A166FCA6697}\RP804\A0202981.dll
[DETECTION] Is the TR/Killav.28714 Trojan
[NOTE] The file was moved to '496e72f0.qua'!
C:\System Volume Information\_restore{3F9619DC-BC82-4CEF-943D-9A166FCA6697}\RP805\A0203994.dll
[DETECTION] Is the TR/Killav.28714 Trojan
[NOTE] The file was moved to '4dcede78.qua'!
C:\System Volume Information\_restore{3F9619DC-BC82-4CEF-943D-9A166FCA6697}\RP806\A0204003.dll
[DETECTION] Is the TR/Trash.Gen Trojan
[NOTE] The file was moved to '496e7301.qua'!
C:\System Volume Information\_restore{3F9619DC-BC82-4CEF-943D-9A166FCA6697}\RP806\A0204004.dll
[DETECTION] Is the TR/Trash.Gen Trojan
[NOTE] The file was moved to '4dcede7a.qua'!
C:\System Volume Information\_restore{3F9619DC-BC82-4CEF-943D-9A166FCA6697}\RP806\A0204015.dll
[DETECTION] Is the TR/Vundo.MY Trojan
[NOTE] The file was moved to '496e7303.qua'!
C:\System Volume Information\_restore{3F9619DC-BC82-4CEF-943D-9A166FCA6697}\RP806\A0204022.dll
[DETECTION] Is the TR/Killav.28714 Trojan
[NOTE] The file was moved to '496e7302.qua'!
C:\System Volume Information\_restore{3F9619DC-BC82-4CEF-943D-9A166FCA6697}\RP806\A0204031.dll
[DETECTION] Is the TR/Killav.28714 Trojan
[NOTE] The file was moved to '4dcede7b.qua'!
C:\System Volume Information\_restore{3F9619DC-BC82-4CEF-943D-9A166FCA6697}\RP806\A0204032.dll
[DETECTION] Is the TR/Killav.28714 Trojan
[NOTE] The file was moved to '496e7304.qua'!
C:\System Volume Information\_restore{3F9619DC-BC82-4CEF-943D-9A166FCA6697}\RP806\A0204033.dll
[DETECTION] Is the TR/Killav.28714 Trojan
[NOTE] The file was moved to '4dcede7c.qua'!
C:\System Volume Information\_restore{3F9619DC-BC82-4CEF-943D-9A166FCA6697}\RP806\A0204034.dll
[DETECTION] Is the TR/Killav.28714 Trojan
[NOTE] The file was moved to '496e7305.qua'!
C:\System Volume Information\_restore{3F9619DC-BC82-4CEF-943D-9A166FCA6697}\RP807\A0204142.dll
[DETECTION] Is the TR/Vundo.Gen Trojan
[NOTE] The file was moved to '496e7308.qua'!
C:\System Volume Information\_restore{3F9619DC-BC82-4CEF-943D-9A166FCA6697}\RP807\A0205058.dll
[DETECTION] Is the TR/Killav.28714 Trojan
[NOTE] The file was moved to '496e7309.qua'!
C:\System Volume Information\_restore{3F9619DC-BC82-4CEF-943D-9A166FCA6697}\RP807\A0205060.dll
[DETECTION] Is the TR/Killav.28714 Trojan
[NOTE] The file was moved to '4dcede72.qua'!
C:\System Volume Information\_restore{3F9619DC-BC82-4CEF-943D-9A166FCA6697}\RP807\A0205064.dll
[DETECTION] Is the TR/Vundo.NF Trojan
[NOTE] The file was moved to '496e730b.qua'!
C:\System Volume Information\_restore{3F9619DC-BC82-4CEF-943D-9A166FCA6697}\RP807\A0205065.dll
[DETECTION] Is the TR/Vundo.NF Trojan
[NOTE] The file was moved to '496e730a.qua'!
C:\System Volume Information\_restore{3F9619DC-BC82-4CEF-943D-9A166FCA6697}\RP807\A0205066.dll
[DETECTION] Is the TR/Vundo.NF Trojan
[NOTE] The file was moved to '4dcede73.qua'!
C:\System Volume Information\_restore{3F9619DC-BC82-4CEF-943D-9A166FCA6697}\RP808\A0205071.dll
[DETECTION] Is the TR/Killav.28714 Trojan
[NOTE] The file was moved to '4dcede74.qua'!
C:\System Volume Information\_restore{3F9619DC-BC82-4CEF-943D-9A166FCA6697}\RP808\A0205075.dll
[DETECTION] Is the TR/Killav.28714 Trojan
[NOTE] The file was moved to '496e730c.qua'!
C:\System Volume Information\_restore{3F9619DC-BC82-4CEF-943D-9A166FCA6697}\RP808\A0205083.dll
[DETECTION] Is the TR/Killav.28714 Trojan
[NOTE] The file was moved to '4dcede75.qua'!
C:\System Volume Information\_restore{3F9619DC-BC82-4CEF-943D-9A166FCA6697}\RP808\A0205084.dll
[DETECTION] Is the TR/Killav.28714 Trojan
[NOTE] The file was moved to '496e730e.qua'!
C:\System Volume Information\_restore{3F9619DC-BC82-4CEF-943D-9A166FCA6697}\RP808\A0205085.dll
[DETECTION] Is the TR/Killav.28714 Trojan
[NOTE] The file was moved to '4dcede77.qua'!
C:\System Volume Information\_restore{3F9619DC-BC82-4CEF-943D-9A166FCA6697}\RP808\A0205086.dll
[DETECTION] Is the TR/Killav.28714 Trojan
[NOTE] The file was moved to '496e730d.qua'!
C:\System Volume Information\_restore{3F9619DC-BC82-4CEF-943D-9A166FCA6697}\RP809\A0205088.dll
[DETECTION] Is the TR/Crypt.FKM.Gen Trojan
[NOTE] The file was moved to '496e7300.qua'!
C:\System Volume Information\_restore{3F9619DC-BC82-4CEF-943D-9A166FCA6697}\RP810\A0205126.dll
[DETECTION] Is the TR/Vundo.GBB Trojan
[NOTE] The file was moved to '496e730f.qua'!
C:\System Volume Information\_restore{3F9619DC-BC82-4CEF-943D-9A166FCA6697}\RP810\A0205128.dll
[DETECTION] Is the TR/Vundo.Gen Trojan
[NOTE] The file was moved to '496e7310.qua'!
C:\System Volume Information\_restore{3F9619DC-BC82-4CEF-943D-9A166FCA6697}\RP810\A0205129.dll
[DETECTION] Is the TR/Vundo.NF Trojan
[NOTE] The file was moved to '4dcede69.qua'!
C:\System Volume Information\_restore{3F9619DC-BC82-4CEF-943D-9A166FCA6697}\RP810\A0205134.dll
[DETECTION] Is the TR/PSW.Magania.alwj Trojan
[NOTE] The file was moved to '496e7312.qua'!
C:\System Volume Information\_restore{3F9619DC-BC82-4CEF-943D-9A166FCA6697}\RP810\A0205135.dll
[DETECTION] Is the TR/Vundo.Gen Trojan
[NOTE] The file was moved to '496e7311.qua'!
C:\System Volume Information\_restore{3F9619DC-BC82-4CEF-943D-9A166FCA6697}\RP810\A0205136.dll
[DETECTION] Is the TR/Vundo.GBB Trojan
[NOTE] The file was moved to '4dcede6a.qua'!
C:\System Volume Information\_restore{3F9619DC-BC82-4CEF-943D-9A166FCA6697}\RP810\A0205137.dll
[DETECTION] Is the TR/Crypt.FKM.Gen Trojan
[NOTE] The file was moved to '496e7313.qua'!
C:\System Volume Information\_restore{3F9619DC-BC82-4CEF-943D-9A166FCA6697}\RP810\A0205139.dll
[DETECTION] Is the TR/Vundo.NH Trojan
[NOTE] The file was moved to '4dcede6c.qua'!
C:\System Volume Information\_restore{3F9619DC-BC82-4CEF-943D-9A166FCA6697}\RP810\A0205140.dll
[DETECTION] Is the TR/Vundo.GBB Trojan
[NOTE] The file was moved to '4dcede6b.qua'!
C:\System Volume Information\_restore{3F9619DC-BC82-4CEF-943D-9A166FCA6697}\RP810\A0205141.dll
[DETECTION] Is the TR/Vundo.Gen Trojan
[NOTE] The file was moved to '496e7314.qua'!
C:\System Volume Information\_restore{3F9619DC-BC82-4CEF-943D-9A166FCA6697}\RP815\A0206719.exe
[DETECTION] Is the TR/Vundo.MY Trojan
[NOTE] The file was moved to '496e732a.qua'!
C:\System Volume Information\_restore{3F9619DC-BC82-4CEF-943D-9A166FCA6697}\RP815\A0206720.exe
[DETECTION] Contains recognition pattern of the WORM/Mytob.get worm
[NOTE] The file was moved to '4dcede53.qua'!
C:\WINDOWS\system32\dararudi.dll.tmp
[DETECTION] Is the TR/Vundo.Gen Trojan
[NOTE] The file was moved to '49ae7574.qua'!
C:\WINDOWS\system32\jalopeya.dll.tmp
[DETECTION] Is the TR/Vundo.NF Trojan
[NOTE] The file was moved to '49a8758a.qua'!
C:\WINDOWS\system32\jawegafa.dll.tmp
[DETECTION] Is the TR/Vundo.NF Trojan
[NOTE] The file was moved to '49b3758a.qua'!
C:\WINDOWS\system32\kawenola.dll.tmp
[DETECTION] Is the TR/Vundo.NF Trojan
[NOTE] The file was moved to '49b3758b.qua'!
C:\WINDOWS\system32\wopebulu.dll.tmp
[DETECTION] Is the TR/Crypt.FKM.Gen Trojan
[NOTE] The file was moved to '49ac75cb.qua'!
C:\WINDOWS\system32\wuniferi.dll.tmp
[DETECTION] Is the TR/Vundo.MY Trojan
[NOTE] The file was moved to '49aa75d3.qua'!
C:\WINDOWS\system32\drivers\sptd.sys
[WARNING] The file could not be opened!
Begin scan in 'D:\'
D:\Charles' Old Computer\CW Athlon Documents\Archives\Win DVD et al\WinDVD6\windvd6keygen.exe
[DETECTION] Is the TR/Tibs.28063 Trojan
[NOTE] The file was moved to '49aa7899.qua'!
D:\Charles' Old Computer\CW Athlon Documents\Archives\Win DVD et al\WinDVD6\WinDVDKeygen.zip
[0] Archive type: ZIP
--> windvd6keygen.exe
[DETECTION] Is the TR/Tibs.28063 Trojan
[NOTE] The file was moved to '49aa789a.qua'!
D:\MUSIC\Charles' Work Music\01 Track 1.wma
[DETECTION] Is the TR/Wimad.A.Gen Trojan
[NOTE] The file was moved to '495c7a9c.qua'!
D:\System Volume Information\_restore{3F9619DC-BC82-4CEF-943D-9A166FCA6697}\RP815\A0206721.exe
[DETECTION] Is the TR/Tibs.28063 Trojan
[NOTE] The file was moved to '496e7ac9.qua'!

End of the scan: Sunday, December 07, 2008 20:38
Used time: 2:22:58 Hour(s)

The scan has been done completely.

8561 Scanning directories
295462 Files were scanned
100 viruses and/or unwanted programs were found
0 Files were classified as suspicious:
17 files were deleted
0 files were repaired
83 files were moved to quarantine
0 files were renamed
3 Files cannot be scanned
295359 Files not concerned
2793 Archives were scanned
3 Warnings
100 Notes

#13
emeraldnzl

Posted 08 December 2008 - 12:21 PM

GeekU Instructor

GeekU Moderator
20,051 posts

Hi shuh08,

I'm not too sure what is best to do?

Probably quarantining them is the best. Once they are quarantined they can't harm your computer but they can, if necessary, be restored.

A lot of those that Avira found were ones our tools had already quarantined or were in System Restore. It did well though and found others.

I was reading up on the GeekU page and I am very interested in trying to get an education from you guys, I would definitely want to give back to the community.

You might have already found the link below. It is a good place to start. The education here is demanding but probably the best you will get anywhere. You need to read the link and apply. If you are accepted you will be joining Geek Uninversity. Look forward to lots of reading and research. Hope to see you there.

http://www.geekstogo...ware-t4817.html

Now turning to your current problem

You have used Malwarebytes before. If you still have it on your machine please update and run. Post the scan report back here.

If you no-longer have Malwarebytes please download from Here or Here

Double Click mbam-setup.exe to install the application.

Make sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.
If an update is found, it will download and install the latest version.
Once the program has loaded, select "Perform Quick Scan", then click Scan.
The scan may take some time to finish,so please be patient.
When the scan is complete, click OK, then Show Results to view the results.
Make sure that everything is checked, and click Remove Selected.
When disinfection is completed, a log will open in Notepad and you may be prompted to Restart.(See Extra Note)
The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
Copy&Paste the entire report in your next reply.

Extra Note:
If MBAM encounters a file that is difficult to remove,you will be presented with 1 of 2 prompts,click OK to either and let MBAM proceed with the disinfection process,if asked to restart the computer,please do so immediatly.

So when you come back please post
MBAM report
a new HijackThis log
and tell me how your computer is performing now

#14
shuh08

Posted 08 December 2008 - 08:18 PM

New Member

Topic Starter
Member
8 posts

Thank you again for your time and efforts it has been greatly appreciated. My computer is running very well now but I was wondering if you had any tips on ways to optimize the performance of my computer. I'm not sure if this can easily be answered based on the information given to you and if all you got is "buy a new computer", then such is life! i'd understand

anyway here are the logs:

Malwarebytes' Anti-Malware 1.31
Database version: 1475
Windows 5.1.2600 Service Pack 2

12/8/2008 9:12:55 PM
mbam-log-2008-12-08 (21-12-55).txt

Scan type: Quick Scan
Objects scanned: 54716
Time elapsed: 6 minute(s), 23 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 9:13:27 PM, on 12/8/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16735)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Avira\AntiVir PersonalEdition Classic\sched.exe
C:\Program Files\Avira\AntiVir PersonalEdition Classic\avguard.exe
C:\Program Files\COMODO\COMODO Internet Security\cmdagent.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\WINDOWS\system32\HPZipm12.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Pure Networks\Network Magic\nmsrvc.exe
C:\Program Files\ATI Technologies\ATI.ACE\cli.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\WINDOWS\system32\CTHELPER.EXE
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Pure Networks\Network Magic\nmapp.exe
C:\WINDOWS\system32\devldr32.exe
C:\WINDOWS\Samsung\PanelMgr\SSMMgr.exe
C:\Program Files\Avira\AntiVir PersonalEdition Classic\avgnt.exe
C:\Program Files\COMODO\COMODO Internet Security\cfp.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe
C:\Program Files\Microsoft ActiveSync\wcescomm.exe
C:\Program Files\Registry Mechanic\RegMech.exe
C:\PROGRA~1\MICROS~4\rapimgr.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\ATI Technologies\ATI.ACE\cli.exe
C:\Program Files\ATI Technologies\ATI.ACE\cli.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Adobe\Acrobat 5.0\Reader\AcroRd32.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\Malwarebytes' Anti-Malware\mbam.exe
C:\WINDOWS\system32\NOTEPAD.EXE
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.ca/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft....k/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft....k/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft....k/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft....k/?LinkId=69157
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: Java™ Plug-In SSV Helper - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre6\bin\ssv.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O2 - BHO: Java™ Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O3 - Toolbar: Veoh Browser Plug-in - {D0943516-5076-4020-A3B5-AEFAF26AB263} - C:\Program Files\Veoh Networks\Veoh\Plugins\reg\VeohToolbar.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O4 - HKLM\..\Run: [ATICCC] "C:\Program Files\ATI Technologies\ATI.ACE\cli.exe" runtime -Delay
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"
O4 - HKLM\..\Run: [WINDVDPatch] CTHELPER.EXE
O4 - HKLM\..\Run: [UpdReg] C:\WINDOWS\UpdReg.EXE
O4 - HKLM\..\Run: [Jet Detection] "C:\Program Files\Creative\SBLive\PROGRAM\ADGJDet.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [NeroFilterCheck] C:\Program Files\Common Files\Ahead\Lib\NeroCheck.exe
O4 - HKLM\..\Run: [nmapp] "C:\Program Files\Pure Networks\Network Magic\nmapp.exe" -autorun -nosplash
O4 - HKLM\..\Run: [IMJPMIG8.1] "C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32
O4 - HKLM\..\Run: [MSPY2002] C:\WINDOWS\system32\IME\PINTLGNT\ImScInst.exe /SYNC
O4 - HKLM\..\Run: [PHIME2002ASync] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /SYNC
O4 - HKLM\..\Run: [PHIME2002A] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /IMEName
O4 - HKLM\..\Run: [Samsung PanelMgr] C:\WINDOWS\Samsung\PanelMgr\SSMMgr.exe /autorun
O4 - HKLM\..\Run: [avgnt] "C:\Program Files\Avira\AntiVir PersonalEdition Classic\avgnt.exe" /min
O4 - HKLM\..\Run: [COMODO Internet Security] "C:\Program Files\COMODO\COMODO Internet Security\cfp.exe" -h
O4 - HKLM\..\RunOnce: [Malwarebytes' Anti-Malware] C:\Program Files\Malwarebytes' Anti-Malware\mbamgui.exe /install /silent
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] "C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe"
O4 - HKCU\..\Run: [H/PC Connection Agent] "C:\Program Files\Microsoft ActiveSync\wcescomm.exe"
O4 - HKCU\..\Run: [Veoh] "C:\Program Files\Veoh Networks\Veoh\VeohClient.exe" /VeohHide
O4 - HKCU\..\Run: [RegistryMechanic] C:\Program Files\Registry Mechanic\RegMech.exe /H
O4 - HKUS\S-1-5-21-606747145-507921405-725345543-500\..\RunOnce: [NeroHomeFirstStart] C:\Program Files\Common Files\Ahead\Lib\NMFirstStart.exe (User 'Administrator')
O4 - Startup: Adobe Gamma.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Startup: ERUNT AutoBackup.lnk = C:\Program Files\ERUNT\AUTOBACK.EXE
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: Create Mobile Favorite - {2EAF5BB1-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MICROS~4\INetRepl.dll
O9 - Extra button: (no name) - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MICROS~4\INetRepl.dll
O9 - Extra 'Tools' menuitem: Create Mobile Favorite... - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MICROS~4\INetRepl.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O10 - Unknown file in Winsock LSP: c:\windows\system32\nwprovau.dll
O16 - DPF: {04E7BADF-F3B9-420D-B82D-8D8CADEFE4F9} (CyImage2Ctl Class) - http://cyimg7.cyworl...mageUpload2.cab
O16 - DPF: {05D96F71-87C6-11D3-9BE4-00902742D6E0} (QuickPlace Class) - http://quartz.atkins...orku.ca/qp2.cab
O16 - DPF: {1239CC52-59EF-4DFA-8C61-90FFA846DF7E} (Musicnotes Viewer) - http://www.musicnote...ad/mnviewer.cab
O16 - DPF: {4871A87A-BFDD-4106-8153-FFDE2BAC2967} (DLM Control) - http://dlm.tools.aka...vex-2.2.4.1.cab
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://by125fd.bay12...es/MsnPUpld.cab
O16 - DPF: {5F8469B4-B055-49DD-83F7-62B522420ECC} (Facebook Photo Uploader Control) - http://upload.facebo...otoUploader.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.mi...b?1228272956890
O16 - DPF: {92D0D610-A6FA-48D8-94CB-BD47FDF68655} (Launcher Class) - http://app.tubemusic...aver/naverx.cab
O16 - DPF: {A671DC03-71D0-4CF0-895C-7D4A248FC1F1} (skcbgmset Class) - http://cyimg7.cyworl...e/skcbgmset.cab
O16 - DPF: {A8F2B9BD-A6A0-486A-9744-18920D898429} (ScorchPlugin Class) - http://www.sibelius....tiveXPlugin.cab
O16 - DPF: {CEAF43B1-E8C1-426D-A63C-92C71212E6E5} (PlayerCue Control) - http://touch.imbc.co...lineService.cab
O16 - DPF: {F4A1D5E2-AF49-47A7-A945-23038106F3A4} (Pandora_SetUp Control) - http://imgcdn.pandor...ora_SetUpAX.cab
O20 - AppInit_DLLs: C:\WINDOWS\system32\guard32.dll
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Avira AntiVir Personal - Free Antivirus Scheduler (AntiVirScheduler) - Avira GmbH - C:\Program Files\Avira\AntiVir PersonalEdition Classic\sched.exe
O23 - Service: Avira AntiVir Personal - Free Antivirus Guard (AntiVirService) - Avira GmbH - C:\Program Files\Avira\AntiVir PersonalEdition Classic\avguard.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: COMODO Internet Security Helper Service (cmdAgent) - Unknown owner - C:\Program Files\COMODO\COMODO Internet Security\cmdagent.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: Pure Networks Net2Go Service (nmraapache) - Pure Networks, Inc. - C:\Program Files\Pure Networks\Network Magic\WebServer\bin\nmraapache.exe
O23 - Service: Pure Networks Network Magic Service (nmservice) - Pure Networks, Inc. - C:\Program Files\Pure Networks\Network Magic\nmsrvc.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: Ulead Burning Helper (UleadBurningHelper) - Unknown owner - C:\Program Files\Common Files\Ulead Systems\DVD\ULCDRSvr.exe (file missing)

--
End of file - 10469 bytes

Edited by shuh08, 08 December 2008 - 08:19 PM.

#15
emeraldnzl

Posted 08 December 2008 - 09:48 PM

GeekU Instructor

GeekU Moderator
20,051 posts

Hi shuh08,

My computer is running very well now but I was wondering if you had any tips on ways to optimize the performance of my computer.

You could try the tech people on this site. They may have some ideas. If you do go, make sure you tell them that you have been here and got a clean bill of health from the malware point of view. You could also try Startuplite that I meantion below.

You might check out this site:

miekiemoes has a blog with some information about slow computing.

Just scroll down until you find it, might be helpful. Link below.

http://miekiemoes.bl...l/Slow computer

Now I think your machine is clean.

We have a couple of last steps to perform and then you're all set.

Follow these steps to uninstall Combofix and tools used in the removal of malware

Click START then RUN
Now type Combofix /u in the runbox and click OK. Note the space between the X and the U, it needs to be there.

MBAM can be uninstalled via control panel add/remove but it may be a useful tool to keep. The AFT Cleaner folder can be deleted although I would recomend you keep this too and run it every now and then to clean up your temp files and cache.

-------------------------------------------------------------------------------------------------------------------

A reminder now: Remember to turn back on any anti-malware programs you may have turned off during the cleaning process.

-------------------------------------------------------------------------------------------------------------------

Now that you are clean here are some things I think are worth having a look at:

-------------------------------------------------------------------------------------------------------------------

A great way to check that your Microsoft and Java have the latest updates is to go to Software Inspector at Secunia.

I do this weekly. Not only do they tell you which programs need updating but they give you the link to follow.

To bolster your security go to Secunia.com to ensure essential programs are up to date.

---------------------------------------------------------------------------------------------------------------------

Make Internet Explorer more secure

Click Start > Run
Type Inetcpl.cpl & click OK
Click on the Security tab
Click Reset all zones to default level
Make sure the Internet Zone is selected & Click Custom level
In the ActiveX section, set the first two options ("Download signed and unsigned ActiveX controls) to "Prompt", and ("Initialize and Script ActiveX controls not marked as safe") to "Disable".a
Next Click OK, then Apply button and then OK to exit the Internet Properties page.

* MVPS Hosts file replaces your current HOSTS file with one containing well known ad sites and other bad sites. Basically, this prevents your computer from connecting to those sites by redirecting them to 127.0.0.1 which is your local computer, meaning it will be difficult to infect yourself in the future.

* Consider using an alternate browser. Mozilla's Firefox browser is excellant; it is much more secure than Internet Explorer, immune to almost all known browser hijackers, and also has the best built-in pop up blocker (Note: this as an added benefit!) that I have seen. Firefox is my default browser but I retain Internet Explorer as well so that I can access the very few sites that require it.

Firefox may be downloaded from Here

-----------------------------------------------------------------------------------------------------------------------

Startuplite is a tool to help you stop some programs not needed when you start your computer from loading. They will begin automatically only when needed.

------------------------------------------------------------------------------------------------------------------------

To help protect your computer in the future here are some free programs you can look at:

Before you do though remember that running two or more real-time (some of these are not real-time) anti-virus, anti-spyware and firewall monitors at the same time can cause a conflict. That conflict can result in slow computer performance, error messages, crashes of the programs or other types of failure. You will very likely end up with little or no protection.

SUPERAntiSpyware Free for Home Users to detect and remove spyware.
IESpy-Ad to block access to malicious websites so you cannot be redirected to them from an infected site or email.

If your Microsoft Update is not working automatically. Keep your operating system up to date by visiting
Microsoft Windows Update

monthly. And to keep your system clean run these free malware scanners

weekly, and be aware of what emails you open and websites you visit.

To learn more about how to protect yourself while on the internet read this article by Tony Klein: So how did I get infected in the first place?

Have a safe and happy computing day!