02-20-2009   #1
Bronze Member
Join Date: Feb 2009
Posts: 6
PC Experience: Some Experience
Need help eliminating malware

I am having some problems with my HP Pavilion zd8000 laptop with Windows XP. I am unable to download Windows Update. I tried changing the settings under services.msc but the "Automatic Update" keeps changing back to Disabled. I downloaded HijackThis and this is the result:

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\LEXPPS.EXE
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\ehome\ehtray.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\HPQ\Quick Launch Buttons\EabServr.exe
C:\Program Files\HPQ\HP Wireless Assistant\HP Wireless Assistant.exe
C:\Program Files\RegistrySmart\RegistrySmart.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Lexmark 3100 Series\lxbrbmgr.exe
C:\Program Files\Common Files\AOL\1161726997\ee\aolsoftware.exe
C:\Program Files\BellSouth Accelerator Technology\propelac.exe
C:\Program Files\Lexmark 3100 Series\lxbrbmon.exe
C:\Program Files\Boingo\GoBoingo\GoBoingo.exe
C:\Program Files\Windows Live\Messenger\MsnMsgr.Exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BackWeb-8876480.exe
C:\Program Files\Logitech\Harmony Remote\EasyZapperMonitor.exe
C:\PROGRA~1\Yahoo!\MESSEN~1\ymsgr_tray.exe
C:\Program Files\Logitech\Harmony Remote\EasyZapperManagerExe.exe
C:\Program Files\Symantec\LiveUpdate\AluSchedulerSvc.exe
C:\WINDOWS\eHome\ehRecvr.exe
C:\WINDOWS\eHome\ehSched.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\Program Files\Norton AntiVirus\IWP\NPFMntor.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Viewpoint\Common\ViewpointService.exe
C:\WINDOWS\System32\wltrysvc.exe
C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\system32\dllhost.exe
C:\Program Files\HPQ\SHARED\HPQWMI.exe
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\eHome\ehmsas.exe
C:\WINDOWS\System32\bcmwltry.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Windows Live\Messenger\usnsvc.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = Live Search
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://att.my.yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = MSN.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = Live Search
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = Live Search
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = MSN.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = http=localhost:8080
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = localhost;<local>
O2 - BHO: Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: {0ebb697e-55ea-792a-d694-775e6a86d611} - {116d68a6-e577-496d-a297-ae55e796bbe0} - C:\WINDOWS\system32\ikywfn.dll
O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
O2 - BHO: Yahoo! IE Services Button - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O2 - BHO: IE_PopupBlocker Class - {656EC4B7-072B-4698-B504-2A414C1F0037} - C:\Program Files\BellSouth Accelerator Technology\prpl_IePopupBlocker.dll
O2 - BHO: Java(tm) Plug-In SSV Helper - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre6\bin\ssv.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: solution Class - {99C6D1BB-7555-474C-91DA-D8FB62A9CC75} - C:\WINDOWS\system32\yvR7wko0.dll
O2 - BHO: MSN Search Toolbar Helper - {BDBD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\MSN Toolbar Suite\TB\02.05.0001.1119\en-us\msntb.dll
O2 - BHO: CNavExtBho Class - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O2 - BHO: (no name) - {d358210c-5af3-45e9-836c-476eaf1f909c} - C:\WINDOWS\system32\juhumuyo.dll
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: MSN Search Toolbar - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\MSN Toolbar Suite\TB\02.05.0001.1119\en-us\msntb.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O4 - HKLM\..\Run: [ehTray] C:\WINDOWS\ehome\ehtray.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"
O4 - HKLM\..\Run: [UpdateManager] "C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" /r
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [SynTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [Cpqset] C:\Program Files\HPQ\Default Settings\cpqset.exe
O4 - HKLM\..\Run: [eabconfg.cpl] C:\Program Files\HPQ\Quick Launch Buttons\EabServr.exe /Start
O4 - HKLM\..\Run: [hpWirelessAssistant] "%ProgramFiles%\HPQ\HP Wireless Assistant\HP Wireless Assistant.exe"
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe /Consumer
O4 - HKLM\..\Run: [IPHSend] C:\Program Files\Common Files\AOL\IPHSend\IPHSend.exe
O4 - HKLM\..\Run: [RegistrySmart] "C:\Program Files\RegistrySmart\RegistrySmart.exe" -boot
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [Propel Accelerator] "C:\Program Files\BellSouth Accelerator Technology\trayctl.exe" /STARTUPLAUNCH
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [LXBRKsk] C:\PROGRA~1\LEXMAR~1\LXBRKsk.exe
O4 - HKLM\..\Run: [Lexmark 3100 Series] "C:\Program Files\Lexmark 3100 Series\lxbrbmgr.exe"
O4 - HKLM\..\Run: [GoBoingo] C:\Program Files\Boingo\GoBoingo\GoBoingo.lnk
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [mitodipodo] Rundll32.exe "C:\WINDOWS\system32\pojavihu.dll",s
O4 - HKLM\..\Run: [0de4c41f] rundll32.exe "C:\WINDOWS\system32\wirubifa.dll",b
O4 - HKLM\..\Run: [CPM0ed7f783] Rundll32.exe "c:\windows\system32\jodozome.dll",a
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\Windows Live\Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [Yahoo! Pager] "C:\PROGRA~1\Yahoo!\MESSEN~1\YAHOOM~1.EXE" -quiet
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [LDM] C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BackWeb-8876480.exe
O4 - HKUS\S-1-5-19\..\Run: [mitodipodo] Rundll32.exe "C:\WINDOWS\system32\pojavihu.dll",s (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [mitodipodo] Rundll32.exe "C:\WINDOWS\system32\pojavihu.dll",s (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\RunOnce: [FlashPlayerUpdate] C:\WINDOWS\system32\Macromed\Flash\FlashUtil9e.exe (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\RunOnce: [FlashPlayerUpdate] C:\WINDOWS\system32\Macromed\Flash\FlashUtil9e.exe (User 'Default user')
O4 - Global Startup: Harmony Monitor.lnk = C:\Program Files\Logitech\Harmony Remote\EasyZapperMonitor.exe
O4 - Global Startup: Logitech Desktop Messenger.lnk = C:\Program Files\Logitech\Desktop Messenger\8876480\Program\LDMConf.exe
O4 - Global Startup: Windows Desktop Search.lnk = C:\Program Files\MSN Toolbar Suite\DS\02.05.0001.1119\en-us\bin\WindowsSearch.exe
O8 - Extra context menu item: Refresh Pa&ge with Full Quality - C:\Program Files\BellSouth Accelerator Technology\pac-page.html
O8 - Extra context menu item: Refresh Pi&cture with Full Quality - C:\Program Files\BellSouth Accelerator Technology\pac-image.html
O9 - Extra button: Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~4\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O14 - IERESET.INF: START_PAGE_URL=http://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=EN_US&c=Q105&bd=pavilion&pf=laptop
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - C:\Program Files\Yahoo!\Common\yinsthelper.dll
O16 - DPF: {44990301-3C9D-426D-81DF-AAB636FA4345} (Symantec Script Runner Class) - https://www-secure.symantec.com/tech...bs/tgctlsr.cab
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://gfx1.hotmail.com/mail/w2/pr02...s/MSNPUpld.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsof...?1140141571439
O16 - DPF: {81449547-EB5D-422E-8730-932DC5E412C8} (UVUPlayer Control) - http://www.howardstern.com/install/uvuplayer.cab
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/download/Ms...Downloader.cab
O16 - DPF: {CF40ACC5-E1BB-4AFF-AC72-04C2F616BCA7} (get_atlcom Class) - http://wwwimages.adobe.com/www.adobe...bat/nos/gp.cab
O18 - Protocol: CDS300 - {AD43AA67-6860-4531-AC8A-0E68F9CF023E} - D:\CDS300\__CDS2.dll (file missing)
O20 - AppInit_DLLs: C:\WINDOWS\system32\wesofege.dll ikywfn.dll c:\windows\system32\jodozome.dll
O21 - SSODL: SSODL - {EC43E3FD-5C60-46a6-97D7-E0B85DBDD6C4} - c:\windows\system32\jodozome.dll
O22 - SharedTaskScheduler: STS - {EC43E3FD-5C60-46a6-97D7-E0B85DBDD6C4} - c:\windows\system32\jodozome.dll
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: Automatic LiveUpdate Scheduler - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\AluSchedulerSvc.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: getPlus(R) Helper - NOS Microsystems Ltd. - C:\Program Files\NOS\bin\getPlus_HelperSvc.exe
O23 - Service: HP WMI Interface (hpqwmi) - Hewlett-Packard Development Company, L.P. - C:\Program Files\HPQ\SHARED\HPQWMI.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: LiveUpdate - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\LuComServer_3_4.EXE
O23 - Service: Norton AntiVirus Auto-Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton AntiVirus\navapsvc.exe
O23 - Service: Norton AntiVirus Firewall Monitor Service (NPFMntor) - Symantec Corporation - C:\Program Files\Norton AntiVirus\IWP\NPFMntor.exe
O23 - Service: SAVScan - Symantec Corporation - C:\Program Files\Norton AntiVirus\SAVScan.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
O23 - Service: Viewpoint Manager Service - Viewpoint Corporation - C:\Program Files\Viewpoint\Common\ViewpointService.exe
O23 - Service: WLTRYSVC - Unknown owner - C:\WINDOWS\System32\wltrysvc.exe
--
End of file - 14763 bytes

I would appreciate it if someone can let me know which ones I should eliminate. Please let me know if you need more info. Thanks.
jagus61
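The kind of triage a helper does on the log above, as an added example for this thread (not code from HijackThis, Malwarebytes or the forum): it parses the O2, O4, O20, O21 and O22 lines, flags the autostart patterns this log shows (rundll32 Run values pointing at DLLs in system32, AppInit_DLLs, BHOs with no descriptive name, SSODL and SharedTaskScheduler entries) and checks the implicated DLL names against the Malwarebytes output jagus61 posts in reply #4. The sample lines are copied from those two posts; the heuristics are mine, not a rule set from either tool.

```python
"""Triage of the HijackThis log in post #1, cross-checked against the
Malwarebytes result in post #4. Added example for this thread, not code
from HijackThis, Malwarebytes or the forum. Flags the autostart patterns
read here as a Vundo-style loader (see the regexes and reasons below)."""
import re
from collections import namedtuple

# Lines copied from the logs in this thread (constructed excerpt).
HJT_SAMPLE = r"""
O2 - BHO: {0ebb697e-55ea-792a-d694-775e6a86d611} - {116d68a6-e577-496d-a297-ae55e796bbe0} - C:\WINDOWS\system32\ikywfn.dll
O2 - BHO: (no name) - {d358210c-5af3-45e9-836c-476eaf1f909c} - C:\WINDOWS\system32\juhumuyo.dll
O4 - HKLM\..\Run: [ehTray] C:\WINDOWS\ehome\ehtray.exe
O4 - HKLM\..\Run: [mitodipodo] Rundll32.exe "C:\WINDOWS\system32\pojavihu.dll",s
O4 - HKLM\..\Run: [0de4c41f] rundll32.exe "C:\WINDOWS\system32\wirubifa.dll",b
O4 - HKUS\S-1-5-19\..\Run: [mitodipodo] Rundll32.exe "C:\WINDOWS\system32\pojavihu.dll",s (User 'LOCAL SERVICE')
O20 - AppInit_DLLs: C:\WINDOWS\system32\wesofege.dll ikywfn.dll c:\windows\system32\jodozome.dll
O21 - SSODL: SSODL - {EC43E3FD-5C60-46a6-97D7-E0B85DBDD6C4} - c:\windows\system32\jodozome.dll
O22 - SharedTaskScheduler: STS - {EC43E3FD-5C60-46a6-97D7-E0B85DBDD6C4} - c:\windows\system32\jodozome.dll
"""
MBAM_SAMPLE = r"""
C:\Program Files\RegistrySmart\RegistrySmart.exe (Rogue.RegistrySmart) -> Unloaded process successfully.
C:\WINDOWS\system32\juhumuyo.dll (Trojan.Vundo.H) -> Delete on reboot.
C:\WINDOWS\system32\pojavihu.dll (Trojan.Vundo.H) -> Delete on reboot.
C:\WINDOWS\system32\wesofege.dll (Trojan.Vundo.H) -> Delete on reboot.
"""

SYS32_DLL = re.compile(r'(?i)[a-z]:\\windows\\system32\\([^\\"\s,]+\.dll)')
GUID = re.compile(r'^\{[0-9a-f-]{36}\}$', re.I)
BHO_RE = re.compile(r'^O2 - BHO: (.*?) - (\{[^}]+\}) - (.*)$')
RUN_RE = re.compile(r'^O4 - (.+?)\\\.\.\\Run\w*: \[(.*?)\] (.*)$')
SHELL_RE = re.compile(r'^O2[12] - \w+: (.*?) - (\{[^}]+\}) - (.*)$')
MBAM_RE = re.compile(r'^(.*?) \(([^)]+)\) -> (.*)$')

# dll is the lower-cased basename of the implicated DLL ('' if none).
Finding = namedtuple('Finding', 'section reason dll line')


def _sys32_dll(text):
    m = SYS32_DLL.search(text)
    return m.group(1).lower() if m else ''


def _check_bho(line):
    m = BHO_RE.match(line)
    if not m:
        return []
    name, _clsid, path = m.groups()
    dll = _sys32_dll(path)
    if dll and (name == '(no name)' or GUID.match(name)):
        return [Finding('O2', 'BHO with no descriptive name loading a DLL from system32', dll, line)]
    return []


def _check_run(line):
    m = RUN_RE.match(line)
    if not m or 'rundll32' not in m.group(3).lower():
        return []
    hive, _value, command = m.groups()
    dll = _sys32_dll(command)
    if not dll:
        return []
    reason = 'Run value starts rundll32 on a DLL in system32'
    if hive.startswith('HKUS\\S-1-5-'):
        reason += f' (also present under service-account hive {hive})'
    return [Finding('O4', reason, dll, line)]


def _check_appinit(line):
    # AppInit_DLLs are loaded into every process that maps user32.dll, so
    # a non-empty value always deserves a look; tokens may be bare names.
    tokens = line.partition('AppInit_DLLs:')[2].split()
    return [Finding('O20', 'AppInit_DLLs entry', t.split('\\')[-1].lower(), line)
            for t in tokens if t.lower().endswith('.dll')]


def _check_shell_load(section, line):
    m = SHELL_RE.match(line)
    dll = _sys32_dll(m.group(3)) if m else ''
    what = 'ShellServiceObjectDelayLoad' if section == 'O21' else 'SharedTaskScheduler'
    return [Finding(section, f'{what} entry loading a DLL from system32 into Explorer', dll, line)] if dll else []


def triage(hjt_text):
    """Findings for one HJT log, in log order."""
    handlers = {'O2': _check_bho, 'O4': _check_run, 'O20': _check_appinit}
    findings = []
    for line in hjt_text.strip().splitlines():
        section = line.split(' - ', 1)[0]
        if section in ('O21', 'O22'):
            findings.extend(_check_shell_load(section, line))
        elif section in handlers:
            findings.extend(handlers[section](line))
    return findings


def implicated_dlls(findings):
    return sorted({f.dll for f in findings if f.dll})


def cross_check(dlls, mbam_text):
    """DLL basename -> MBAM detection name, '' if the excerpt does not name it
    (check the Files Infected section before assuming it was cleaned)."""
    named = {}
    for line in mbam_text.strip().splitlines():
        m = MBAM_RE.match(line)
        if m:
            named[m.group(1).split('\\')[-1].lower()] = m.group(2)
    return {d: named.get(d, '') for d in dlls}
```

Running `triage(HJT_SAMPLE)` on the excerpt yields ten findings over six DLL names; `cross_check` then shows which of them the MBAM memory-module list names and which (wirubifa.dll, ikywfn.dll, jodozome.dll here) still need to be looked for in the rest of the report.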
02-21-2009   #2
Join Date: Feb 2008
Location: Swansea
Posts: 12,727
PC Experience: None.
Re: Need help eliminating malware

Hello and welcome to PCHelpForum.

Thank you for your results; we have an excellent Security Team who will check them and help you.

They are a little busy at the moment but please do not worry they will be along to help.

JB.
__________________
I'm trying my best.
Jelly Bean
02-21-2009   #3
Senior Security Analyst
Join Date: Jun 2006
Location: Victoria, Australia
Posts: 6,867
PC Experience: Elite PC Guru
Re: Need help eliminating malware

This should fix it...

Please download Malwarebytes' Anti-Malware from one of these places:
|MG| Malwarebytes Anti-Malware 1.34
http://www.besttechie.net/tools/mbam-setup.exe

Double Click mbam-setup.exe to install the application.
If it will not run, make a copy of MBAM.exe, rename the copy to xxx.exe and run that. Keep the genuine MBAM.exe as we may need to run that later as is.
* Make sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.
* If an update is found, it will download and install the latest version.

* Once the program has loaded, select "Perform Quick Scan", then click Scan.
* The scan may take some time to finish, so please be patient.
* When the scan is complete, click OK, then Show Results to view the results.
* Make sure that everything is checked, and click Remove Selected.
* When disinfection is completed, a log will open in Notepad and you may be prompted to Restart. (See Extra Note)
* The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
* Copy and paste the entire report in your next reply along with a fresh HijackThis log.
PLEASE NOTE:
If MBAM encounters a file that is difficult to remove, you may be asked to reboot your computer so it can proceed with the disinfection process. Whether or not you are prompted to restart the computer, please do so immediately. Failure to reboot normally (not into safe mode) will prevent MBAM from removing all the malware. MBAM may "make changes to your registry" as part of its disinfection routine. If using other security programs that detect registry changes (e.g. Spybot's TeaTimer), they may interfere or alert you after scanning with MBAM. Please temporarily disable such programs or permit them to allow the changes.

Once Malwarebytes' Anti-Malware is done removing the malware and you have rebooted the computer, browse around and see if you are still having that problem.
__________________
My real name is Eddy
Pancake
02-21-2009   #4
Bronze Member
Join Date: Feb 2009
Posts: 6
PC Experience: Some Experience
Re: Need help eliminating malware

Thanks Pancake, here is the info you requested.

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 6:39:49 PM, on 2/21/2009
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16735)
Boot mode: Normal
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\LEXPPS.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\ehome\ehtray.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\HPQ\Quick Launch Buttons\EabServr.exe
C:\Program Files\HPQ\HP Wireless Assistant\HP Wireless Assistant.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Lexmark 3100 Series\lxbrbmgr.exe
C:\Program Files\Common Files\AOL\1161726997\ee\aolsoftware.exe
C:\Program Files\Lexmark 3100 Series\lxbrbmon.exe
C:\Program Files\Boingo\GoBoingo\GoBoingo.exe
C:\Program Files\BellSouth Accelerator Technology\propelac.exe
C:\Program Files\Windows Live\Messenger\MsnMsgr.Exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BackWeb-8876480.exe
C:\Program Files\Logitech\Harmony Remote\EasyZapperMonitor.exe
C:\Program Files\Logitech\Harmony Remote\EasyZapperManagerExe.exe
C:\PROGRA~1\Yahoo!\MESSEN~1\ymsgr_tray.exe
C:\Program Files\Symantec\LiveUpdate\AluSchedulerSvc.exe
C:\WINDOWS\eHome\ehRecvr.exe
C:\WINDOWS\eHome\ehSched.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\Program Files\Norton AntiVirus\IWP\NPFMntor.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Viewpoint\Common\ViewpointService.exe
C:\WINDOWS\System32\wltrysvc.exe
C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\system32\dllhost.exe
C:\WINDOWS\eHome\ehmsas.exe
C:\WINDOWS\System32\bcmwltry.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Windows Live\Messenger\usnsvc.exe
C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLLoginProxy.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
C:\Program Files\Messenger\msmsgs.exe
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://att.my.yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = http=localhost:8080
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = localhost;<local>
O2 - BHO: Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
O2 - BHO: Yahoo! IE Services Button - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O2 - BHO: IE_PopupBlocker Class - {656EC4B7-072B-4698-B504-2A414C1F0037} - C:\Program Files\BellSouth Accelerator Technology\prpl_IePopupBlocker.dll
O2 - BHO: Java(tm) Plug-In SSV Helper - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre6\bin\ssv.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: MSN Search Toolbar Helper - {BDBD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\MSN Toolbar Suite\TB\02.05.0001.1119\en-us\msntb.dll
O2 - BHO: CNavExtBho Class - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: MSN Search Toolbar - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\MSN Toolbar Suite\TB\02.05.0001.1119\en-us\msntb.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O4 - HKLM\..\Run: [ehTray] C:\WINDOWS\ehome\ehtray.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"
O4 - HKLM\..\Run: [UpdateManager] "C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" /r
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [SynTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [Cpqset] C:\Program Files\HPQ\Default Settings\cpqset.exe
O4 - HKLM\..\Run: [eabconfg.cpl] C:\Program Files\HPQ\Quick Launch Buttons\EabServr.exe /Start
O4 - HKLM\..\Run: [hpWirelessAssistant] "%ProgramFiles%\HPQ\HP Wireless Assistant\HP Wireless Assistant.exe"
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe /Consumer
O4 - HKLM\..\Run: [IPHSend] C:\Program Files\Common Files\AOL\IPHSend\IPHSend.exe
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [Propel Accelerator] "C:\Program Files\BellSouth Accelerator Technology\trayctl.exe" /STARTUPLAUNCH
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [LXBRKsk] C:\PROGRA~1\LEXMAR~1\LXBRKsk.exe
O4 - HKLM\..\Run: [Lexmark 3100 Series] "C:\Program Files\Lexmark 3100 Series\lxbrbmgr.exe"
O4 - HKLM\..\Run: [GoBoingo] C:\Program Files\Boingo\GoBoingo\GoBoingo.lnk
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe"
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\Windows Live\Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [Yahoo! Pager] "C:\PROGRA~1\Yahoo!\MESSEN~1\YAHOOM~1.EXE" -quiet
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [LDM] C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BackWeb-8876480.exe
O4 - HKUS\S-1-5-19\..\Run: [mitodipodo] Rundll32.exe "C:\WINDOWS\system32\pojavihu.dll",s (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [mitodipodo] Rundll32.exe "C:\WINDOWS\system32\pojavihu.dll",s (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\RunOnce: [FlashPlayerUpdate] C:\WINDOWS\system32\Macromed\Flash\FlashUtil9e.exe (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\RunOnce: [FlashPlayerUpdate] C:\WINDOWS\system32\Macromed\Flash\FlashUtil9e.exe (User 'Default user')
O4 - Global Startup: Harmony Monitor.lnk = C:\Program Files\Logitech\Harmony Remote\EasyZapperMonitor.exe
O4 - Global Startup: Logitech Desktop Messenger.lnk = C:\Program Files\Logitech\Desktop Messenger\8876480\Program\LDMConf.exe
O4 - Global Startup: Windows Desktop Search.lnk = C:\Program Files\MSN Toolbar Suite\DS\02.05.0001.1119\en-us\bin\WindowsSearch.exe
O8 - Extra context menu item: Refresh Pa&ge with Full Quality - C:\Program Files\BellSouth Accelerator Technology\pac-page.html
O8 - Extra context menu item: Refresh Pi&cture with Full Quality - C:\Program Files\BellSouth Accelerator Technology\pac-image.html
O9 - Extra button: Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~4\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O14 - IERESET.INF: START_PAGE_URL=http://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=EN_US&c=Q105&bd=pavilion&pf=laptop
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - C:\Program Files\Yahoo!\Common\yinsthelper.dll
O16 - DPF: {44990301-3C9D-426D-81DF-AAB636FA4345} (Symantec Script Runner Class) - https://www-secure.symantec.com/techsupp/asa/ss/sa/sa_cabs/tgctlsr.cab
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://gfx1.hotmail.com/mail/w2/pr02/resources/MSNPUpld.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1140141571439
O16 - DPF: {81449547-EB5D-422E-8730-932DC5E412C8} (UVUPlayer Control) - http://www.howardstern.com/install/uvuplayer.cab
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/download/MsnMessengerSetupDownloader.cab
O16 - DPF: {CF40ACC5-E1BB-4AFF-AC72-04C2F616BCA7} (get_atlcom Class) - http://wwwimages.adobe.com/www.adobe.com/products/acrobat/nos/gp.cab
O18 - Protocol: CDS300 - {AD43AA67-6860-4531-AC8A-0E68F9CF023E} - D:\CDS300\__CDS2.dll (file missing)
O20 - AppInit_DLLs: lgkshk.dll
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: Automatic LiveUpdate Scheduler - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\AluSchedulerSvc.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: getPlus(R) Helper - NOS Microsystems Ltd. - C:\Program Files\NOS\bin\getPlus_HelperSvc.exe
O23 - Service: HP WMI Interface (hpqwmi) - Hewlett-Packard Development Company, L.P. - C:\Program Files\HPQ\SHARED\HPQWMI.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: LiveUpdate - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\LuComServer_3_4.EXE
O23 - Service: Norton AntiVirus Auto-Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton AntiVirus\navapsvc.exe
O23 - Service: Norton AntiVirus Firewall Monitor Service (NPFMntor) - Symantec Corporation - C:\Program Files\Norton AntiVirus\IWP\NPFMntor.exe
O23 - Service: SAVScan - Symantec Corporation - C:\Program Files\Norton AntiVirus\SAVScan.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
O23 - Service: Viewpoint Manager Service - Viewpoint Corporation - C:\Program Files\Viewpoint\Common\ViewpointService.exe
O23 - Service: WLTRYSVC - Unknown owner - C:\WINDOWS\System32\wltrysvc.exe
--
End of file - 13839 bytes


Malwarebytes' Anti-Malware 1.34
Database version: 1789
Windows 5.1.2600 Service Pack 3
2/21/2009 6:27:10 PM
mbam-log-2009-02-21 (18-27-10).txt
Scan type: Quick Scan
Objects scanned: 86247
Time elapsed: 12 minute(s), 7 second(s)
Memory Processes Infected: 1
Memory Modules Infected: 6
Registry Keys Infected: 21
Registry Values Infected: 6
Registry Data Items Infected: 6
Folders Infected: 8
Files Infected: 136
Memory Processes Infected:
C:\Program Files\RegistrySmart\RegistrySmart.exe (Rogue.RegistrySmart) -> Unloaded process successfully.
Memory Modules Infected:
C:\WINDOWS\system32\soluwale.dll (Trojan.Vundo.H) -> Delete on reboot.
C:\WINDOWS\system32\juhumuyo.dll (Trojan.Vundo.H) -> Delete on reboot.
C:\WINDOWS\system32\pojavihu.dll (Trojan.Vundo.H) -> Delete on reboot.
c:\WINDOWS\system32\tawagifi.dll (Trojan.Vundo.H) -> Delete on reboot.
C:\WINDOWS\system32\wesofege.dll (Trojan.Vundo.H) -> Delete on reboot.
C:\WINDOWS\system32\lgkshk.dll (Trojan.Vundo) -> Delete on reboot.
Registry Keys Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{9c8eab6a-47aa-40e2-9630-508a713e6219} (Trojan.Vundo.H) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{9c8eab6a-47aa-40e2-9630-508a713e6219} (Trojan.Vundo.H) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{d358210c-5af3-45e9-836c-476eaf1f909c} (Trojan.Vundo.H) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{d358210c-5af3-45e9-836c-476eaf1f909c} (Trojan.Vundo.H) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{d358210c-5af3-45e9-836c-476eaf1f909c} (Trojan.Vundo.H) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{ec43e3fd-5c60-46a6-97d7-e0b85dbdd6c4} (Trojan.Vundo.H) -> Delete on reboot.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{9c8eab6a-47aa-40e2-9630-508a713e6219} (Trojan.Vundo) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\solution.solution (Trojan.BHO) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\TypeLib\{00476c87-a276-49bf-86bc-ff005732430b} (Trojan.BHO) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Interface\{892b2785-b0d0-4aa2-ae6a-0ed60b00a979} (Trojan.BHO) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{99c6d1bb-7555-474c-91da-d8fb62a9cc75} (Trojan.BHO) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{99c6d1bb-7555-474c-91da-d8fb62a9cc75} (Trojan.BHO) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{99c6d1bb-7555-474c-91da-d8fb62a9cc75} (Trojan.BHO) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\solution.solution.1 (Trojan.BHO) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\AppID\{e81cf86b-f683-422a-b742-3f2427ea9d6a} (Trojan.BHO) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\RegistrySmart (Rogue.RegistrySmart) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\MS Juan (Malware.Trace) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\contim (Trojan.Vundo) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\dslcnnct (Trojan.Vundo) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\MS Track System (Trojan.Vundo) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\rdfa (Trojan.Vundo) -> Quarantined and deleted successfully.
Registry Values Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\0de4c41f (Trojan.Vundo.H) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\mitodipodo (Trojan.Vundo.H) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\cpm0ed7f783 (Trojan.Vundo.H) -> Delete on reboot.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SharedTaskScheduler\{ec43e3fd-5c60-46a6-97d7-e0b85dbdd6c4} (Trojan.Vundo.H) -> Delete on reboot.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\ssodl (Trojan.Vundo.H) -> Delete on reboot.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\registrysmart (Rogue.RegistrySmart) -> Quarantined and deleted successfully.
Registry Data Items Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\AppInit_DLLs (Trojan.Vundo.H) -> Data: c:\windows\system32\tawagifi.dll -> Delete on reboot.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\AppInit_DLLs (Trojan.Vundo.H) -> Data: system32\tawagifi.dll -> Delete on reboot.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\AppInit_DLLs (Trojan.Vundo.H) -> Data: c:\windows\system32\wesofege.dll -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\LSA\Notification Packages (Trojan.Vundo.H) -> Data: c:\windows\system32\wesofege.dll -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\AppInit_DLLs (Trojan.Vundo.H) -> Data: system32\wesofege.dll -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\StartMenuLogOff (Hijack.StartMenu) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.
Folders Infected:
C:\Program Files\RegistrySmart (Rogue.RegistrySmart) -> Quarantined and deleted successfully.
C:\Documents and Settings\All Users\Start Menu\Programs\RegistrySmart (Rogue.RegistrySmart) -> Quarantined and deleted successfully.
C:\Documents and Settings\Guest\Application Data\RegistrySmart (Rogue.RegistrySmart) -> Quarantined and deleted successfully.
C:\Documents and Settings\Guest\Application Data\RegistrySmart\Log (Rogue.RegistrySmart) -> Quarantined and deleted successfully.
C:\Documents and Settings\James Gustavson\Application Data\RegistrySmart (Rogue.RegistrySmart) -> Quarantined and deleted successfully.
C:\Documents and Settings\James Gustavson\Application Data\RegistrySmart\Log (Rogue.RegistrySmart) -> Quarantined and deleted successfully.
C:\Documents and Settings\James Gustavson\Application Data\RegistrySmart\Log (Rogue.RegistrySmart) -> Files: 359 -> Quarantined and deleted successfully.
C:\Documents and Settings\James Gustavson\Application Data\RegistrySmart\Registry Backups (Rogue.RegistrySmart) -> Quarantined and deleted successfully.
Files Infected:
C:\WINDOWS\system32\lgkshk.dll (Trojan.Vundo.H) -> Delete on reboot.
C:\WINDOWS\system32\bogerijo.dll (Trojan.Vundo.H) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\ojiregob.ini (Trojan.Vundo.H) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\dirilipa.dll (Trojan.Vundo.H) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\apilirid.ini (Trojan.Vundo.H) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\dorigome.dll (Trojan.Vundo.H) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\emogirod.ini (Trojan.Vundo.H) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\lelasuba.dll (Trojan.Vundo.H) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\abusalel.ini (Trojan.Vundo.H) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\nafihuka.dll (Trojan.Vundo.H) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\akuhifan.ini (Trojan.Vundo.H) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\nedekaje.dll (Trojan.Vundo.H) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\ejakeden.ini (Trojan.Vundo.H) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\ramokuvi.dll (Trojan.Vundo.H) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\ivukomar.ini (Trojan.Vundo.H) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\soluwale.dll (Trojan.Vundo.H) -> Delete on reboot.
C:\WINDOWS\system32\elawulos.ini (Trojan.Vundo.H) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\vemofogu.dll (Trojan.Vundo.H) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\ugofomev.ini (Trojan.Vundo.H) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\wegabalu.dll (Trojan.Vundo.H) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\ulabagew.ini (Trojan.Vundo.H) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\wejibeni.dll (Trojan.Vundo.H) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\inebijew.ini (Trojan.Vundo.H) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\womaduzo.dll (Trojan.Vundo.H) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\ozudamow.ini (Trojan.Vundo.H) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\worukehe.dll (Trojan.Vundo.H) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\ehekurow.ini (Trojan.Vundo.H) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\yolobohi.dll (Trojan.Vundo.H) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\ihoboloy.ini (Trojan.Vundo.H) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\zijigegu.dll (Trojan.Vundo.H) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\ugegijiz.ini (Trojan.Vundo.H) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\pojavihu.dll (Trojan.Vundo.H) -> Delete on reboot.
c:\WINDOWS\system32\tawagifi.dll (Trojan.Vundo.H) -> Delete on reboot.
C:\WINDOWS\system32\juhumuyo.dll (Trojan.Vundo.H) -> Delete on reboot.
C:\WINDOWS\system32\wesofege.dll (Trojan.Vundo.H) -> Delete on reboot.
C:\WINDOWS\system32\yvR7wko0.dll (Trojan.BHO) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\beyobusu.dll (Trojan.Vundo.H) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\dagamami.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\dojeseja.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\fopijunu.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\gatotafi.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\gelaginu.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\hiyubigi.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\huzisopo.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\hxbdht.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\ikywfn.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\kejimile.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\kujonage.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\kuweyohi.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\lafedidu.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\mesegahe.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\neowby.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\nulohonu.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\ofoorb.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\pivejehu.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\rejemufa.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\sigilawo.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\silulawo.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\tuhemoye.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\ubyach.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\uqolfx.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\vawakoto.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\wagitiru.dll.tmp (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\wezetugu.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\wezetugu.dll.tmp (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\wubajiro.dll.tmp (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\qtcvim.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\jobohuva.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\jodozome.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\liwuwuto.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\yemikome.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\yihigiyo.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\Documents and Settings\James Gustavson\Local Settings\Temp\0EH6dU2v.exe (Trojan.Adclicker) -> Quarantined and deleted successfully.
C:\Documents and Settings\James Gustavson\Local Settings\Temp\gm5201e3.exe (Trojan.Adclicker) -> Quarantined and deleted successfully.
C:\Documents and Settings\James Gustavson\Local Settings\Temp\c076UDO4.exe (Trojan.Swizzor) -> Quarantined and deleted successfully.
C:\Documents and Settings\James Gustavson\Local Settings\Temp\q0xAqk84.exe (Trojan.Downloader) -> Quarantined and deleted successfully.
C:\Documents and Settings\James Gustavson\Local Settings\Temp\6EVvn38P.exe (Trojan.Agent) -> Quarantined and deleted successfully.
C:\Documents and Settings\James Gustavson\Local Settings\Temp\IQ5i6827.exe (Trojan.Agent) -> Quarantined and deleted successfully.
C:\Documents and Settings\James Gustavson\Local Settings\Temp\B7JTF2Gc.exe (Trojan.Downloader) -> Quarantined and deleted successfully.
C:\Documents and Settings\James Gustavson\Local Settings\Temp\UG802534.exe (Trojan.Agent) -> Quarantined and deleted successfully.
C:\Documents and Settings\James Gustavson\Local Settings\Temp\tGdmwt15.exe (Trojan.Downloader) -> Quarantined and deleted successfully.
C:\Documents and Settings\James Gustavson\Local Settings\Temp\36K53cgo.exe (Trojan.Downloader) -> Quarantined and deleted successfully.
C:\Documents and Settings\James Gustavson\Local Settings\Temp\38EFvl7p.exe (Trojan.Adclicker) -> Quarantined and deleted successfully.
C:\Documents and Settings\James Gustavson\Local Settings\Temp\HWis5wjC.exe (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\Documents and Settings\James Gustavson\Local Settings\Temp\E8XxK56T.exe (Trojan.Clicker) -> Quarantined and deleted successfully.
C:\Documents and Settings\James Gustavson\Local Settings\Temp\XPMBkrSA.exe (Trojan.Swizzor) -> Quarantined and deleted successfully.
C:\Documents and Settings\James Gustavson\Local Settings\Temp\qwyf3u0S.exe (Trojan.Adclicker) -> Quarantined and deleted successfully.
C:\Documents and Settings\James Gustavson\Local Settings\Temp\R3IR2wKb.exe (Trojan.Adclicker) -> Quarantined and deleted successfully.
C:\Documents and Settings\James Gustavson\Local Settings\Temp\22b5fs6E.exe (Trojan.Downloader) -> Quarantined and deleted successfully.
C:\Documents and Settings\James Gustavson\Local Settings\Temp\gCH7DbvG.exe (Trojan.Downloader) -> Quarantined and deleted successfully.
C:\Documents and Settings\James Gustavson\Local Settings\Temp\L7FUa8Qj.exe (Trojan.Agent) -> Quarantined and deleted successfully.
C:\Documents and Settings\James Gustavson\Local Settings\Temp\Mirar_V75_876980_LOG_IESC_AFF_ATD_TID_noMDNS_RPT_AVM_FLX.exe (Adware.Mirar) -> Quarantined and deleted successfully.
C:\Documents and Settings\James Gustavson\Local Settings\Temp\F83Q8vXK.exe (Trojan.Adclicker) -> Quarantined and deleted successfully.
C:\Documents and Settings\James Gustavson\Local Settings\Temp\F8pVkJ24.exe (Trojan.Clicker) -> Quarantined and deleted successfully.
C:\Documents and Settings\James Gustavson\Local Settings\Temp\VHXhfaS5.exe (Trojan.Agent) -> Quarantined and deleted successfully.
C:\Documents and Settings\James Gustavson\Local Settings\Temp\N7iiJlFc.exe (Trojan.Swizzor) -> Quarantined and deleted successfully.
C:\Documents and Settings\James Gustavson\Local Settings\Temp\C76ePaYg.exe (Trojan.Swizzor) -> Quarantined and deleted successfully.
C:\Documents and Settings\James Gustavson\Local Settings\Temp\A74Cg3iq.exe (Trojan.Downloader) -> Quarantined and deleted successfully.
C:\Documents and Settings\James Gustavson\Local Settings\Temp\KBAh1abe.exe (Trojan.Adclicker) -> Quarantined and deleted successfully.
C:\Documents and Settings\James Gustavson\Local Settings\Temp\L3rKC35v.exe (Trojan.Adclicker) -> Quarantined and deleted successfully.
C:\Documents and Settings\James Gustavson\Local Settings\Temp\l52Ds1ID.exe (Trojan.Agent) -> Quarantined and deleted successfully.
C:\Documents and Settings\James Gustavson\Local Settings\Temp\0pS1KC0R.exe (Trojan.Adclicker) -> Quarantined and deleted successfully.
C:\Documents and Settings\James Gustavson\Local Settings\Temp\0UF2I1ka.exe (Trojan.Agent) -> Quarantined and deleted successfully.
C:\Documents and Settings\James Gustavson\Local Settings\Temp\52xSqmUt.exe (Trojan.Adclicker) -> Quarantined and deleted successfully.
C:\Documents and Settings\James Gustavson\Local Settings\Temp\53rP7C7n.exe (Trojan.Downloader) -> Quarantined and deleted successfully.
C:\Documents and Settings\James Gustavson\Local Settings\Temp\HjDAB38r.exe (Trojan.Agent) -> Quarantined and deleted successfully.
C:\Documents and Settings\James Gustavson\Local Settings\Temp\6p085i14.exe (Trojan.Adclicker) -> Quarantined and deleted successfully.
C:\Documents and Settings\James Gustavson\Local Settings\Temp\6YDFGwG6.exe (Trojan.Downloader) -> Quarantined and deleted successfully.
C:\Documents and Settings\James Gustavson\Local Settings\Temp\7mY45B6c.exe (Trojan.Downloader) -> Quarantined and deleted successfully.
C:\Documents and Settings\James Gustavson\Local Settings\Temp\JnmRIiQJ.exe (Trojan.Agent) -> Quarantined and deleted successfully.
C:\Program Files\RegistrySmart\Launcher.exe (Rogue.RegistrySmart) -> Quarantined and deleted successfully.
C:\Program Files\RegistrySmart\license.txt (Rogue.RegistrySmart) -> Quarantined and deleted successfully.
C:\Program Files\RegistrySmart\RegistrySmart.exe (Rogue.RegistrySmart) -> Quarantined and deleted successfully.
C:\Program Files\RegistrySmart\RegistrySmart.url (Rogue.RegistrySmart) -> Quarantined and deleted successfully.
C:\Program Files\RegistrySmart\Scheduler.exe (Rogue.RegistrySmart) -> Quarantined and deleted successfully.
C:\Program Files\RegistrySmart\unins000.dat (Rogue.RegistrySmart) -> Quarantined and deleted successfully.
C:\Program Files\RegistrySmart\unins000.exe (Rogue.RegistrySmart) -> Quarantined and deleted successfully.
C:\Documents and Settings\All Users\Start Menu\Programs\RegistrySmart\RegistrySmart on the Web.lnk (Rogue.RegistrySmart) -> Quarantined and deleted successfully.
C:\Documents and Settings\All Users\Start Menu\Programs\RegistrySmart\RegistrySmart.lnk (Rogue.RegistrySmart) -> Quarantined and deleted successfully.
C:\Documents and Settings\All Users\Start Menu\Programs\RegistrySmart\Uninstall RegistrySmart.lnk (Rogue.RegistrySmart) -> Quarantined and deleted successfully.
C:\Documents and Settings\Guest\Application Data\RegistrySmart\Log\log_2008_04_27_17_29_28.log (Rogue.RegistrySmart) -> Quarantined and deleted successfully.
C:\Documents and Settings\Guest\Application Data\RegistrySmart\Log\log_2008_05_03_20_09_57.log (Rogue.RegistrySmart) -> Quarantined and deleted successfully.
C:\Documents and Settings\Guest\Application Data\RegistrySmart\Log\log_2008_05_09_18_06_34.log (Rogue.RegistrySmart) -> Quarantined and deleted successfully.
C:\Documents and Settings\James Gustavson\Application Data\RegistrySmart\Errors.stg (Rogue.RegistrySmart) -> Quarantined and deleted successfully.
C:\Documents and Settings\James Gustavson\Application Data\RegistrySmart\Results.stg (Rogue.RegistrySmart) -> Quarantined and deleted successfully.
C:\Documents and Settings\James Gustavson\Application Data\RegistrySmart\Registry Backups\2007-03-10_17-17-11.reg (Rogue.RegistrySmart) -> Quarantined and deleted successfully.
C:\Documents and Settings\James Gustavson\Application Data\RegistrySmart\Registry Backups\2007-06-06_16-41-30.reg (Rogue.RegistrySmart) -> Quarantined and deleted successfully.
C:\Documents and Settings\James Gustavson\Application Data\RegistrySmart\Registry Backups\2008-05-28_14-52-20.reg (Rogue.RegistrySmart) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\0Sbskv54.exe.a_a (Trojan.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\wtP1uim3.exe.a_a (Trojan.Agent) -> Quarantined and deleted successfully.
C:\Documents and Settings\Guest\Local Settings\Temp\bng9.tmp (Trojan.Agent) -> Quarantined and deleted successfully.
C:\Documents and Settings\Guest\Local Settings\Temp\bngC.tmp (Trojan.Agent) -> Quarantined and deleted successfully.
C:\Documents and Settings\Guest\Local Settings\Temp\bngD.tmp (Trojan.Agent) -> Quarantined and deleted successfully.
C:\Documents and Settings\Guest\Local Settings\Temp\bngE.tmp (Trojan.Agent) -> Quarantined and deleted successfully.
C:\Documents and Settings\Guest\Local Settings\Temp\bngF.tmp (Trojan.Agent) -> Quarantined and deleted successfully.
C:\Documents and Settings\James Gustavson\Local Settings\Temp\bngA.tmp (Trojan.Agent) -> Quarantined and deleted successfully.
jagus61
Old 02-22-2009   #5
Senior Security Analyst
Join Date: Jun 2006
Location: Victoria, Australia
Posts: 6,867
PC Experience: Elite PC Guru
Default Re: Need help eliminating malware

That's quite an infection you had there. Better do one more check.

OK. Let's download ComboFix.exe. This will give me a better view of the files running and also hidden on your computer, and also those in the registry. Please download from one of these webpages.
http://download.bleepingcomputer.com/sUBs/ComboFix.exe
http://www.forospyware.com/sUBs/ComboFix.exe
http://subs.geekstogo.com/ComboFix.exe

* IMPORTANT !!! Save ComboFix.exe to your Desktop

Disable your AntiVirus and AntiSpyware applications, usually via a right-click on the System Tray icon. They may otherwise interfere with our tools.
Double-click on ComboFix.exe & follow the prompts.
If it will not run, rename ComboFix to xxx.exe and run that.
As part of its process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware. Recovery Console can be installed from your disc if you have Vista if you wish.
Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.
**Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue its malware removal procedures.

Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:

Click on Yes to continue scanning for malware.
When finished, it shall produce a log for you. Please include the C:\ComboFix.txt in your next reply.
__________________
My real name is Eddy
Pancake
Old 02-22-2009   #6
Bronze Member
 
Join Date: Feb 2009
Posts: 6
PC Experience: Some Experience
Default Re: Need help eliminating malware

OK, here it is:

ComboFix 09-02-21.01 - James Gustavson 2009-02-22 15:40:52.1 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.1022.599 [GMT -5:00]
Running from: c:\documents and settings\James Gustavson\My Documents\My Received Files\ComboFix.exe
AV: Norton AntiVirus 2005 *On-access scanning disabled* (Outdated)
FW: Norton Internet Worm Protection *enabled*
* Created a new restore point
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
C:\mimic.log
c:\windows\IE4 Error Log.txt
c:\windows\system32\afiburiw.ini
c:\windows\system32\birizofu.dll
c:\windows\system32\gomujude.dll
c:\windows\system32\jopibata.dll
c:\windows\system32\jumayiya.dll.tmp
c:\windows\system32\jusivefa.dll
c:\windows\system32\nevibuni.dll
c:\windows\system32\puwohuwu.dll.tmp
c:\windows\system32\tuvumuge.dll
c:\windows\system32\veyopiho.dll.tmp
c:\windows\system32\vugivodi.dll
c:\windows\system32\yutepuwa.dll
.
((((((((((((((((((((((((( Files Created from 2009-01-22 to 2009-02-22 )))))))))))))))))))))))))))))))
.
2009-02-21 18:12 . 2009-02-21 18:12 <DIR> d-------- c:\program files\Malwarebytes' Anti-Malware
2009-02-21 18:12 . 2009-02-21 18:12 <DIR> d-------- c:\documents and settings\James Gustavson\Application Data\Malwarebytes
2009-02-21 18:12 . 2009-02-21 18:12 <DIR> d-------- c:\documents and settings\All Users\Application Data\Malwarebytes
2009-02-21 18:12 . 2009-02-11 10:19 38,496 --a------ c:\windows\system32\drivers\mbamswissarmy.sys
2009-02-21 18:12 . 2009-02-11 10:19 15,504 --a------ c:\windows\system32\drivers\mbam.sys
2009-02-21 17:23 . 2009-02-21 17:23 2,713 ---hs---- c:\windows\system32\fosajugu.dll
2009-02-21 05:23 . 2009-02-21 05:23 2,713 ---hs---- c:\windows\system32\luhokazo.dll
2009-02-19 19:12 . 2009-02-19 19:12 <DIR> d-------- c:\program files\Microsoft Silverlight
2009-02-19 18:39 . 2009-02-19 18:39 2,713 ---hs---- c:\windows\system32\habodotu.dll
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-02-22 01:10 41,474 ----a-w c:\windows\system32\wtP1uim3.exe
2009-02-19 23:40 --------- d-----w c:\program files\Common Files\Symantec Shared
2009-01-17 02:35 3,594,752 ----a-w c:\windows\system32\dllcache\mshtml.dll
2008-12-22 00:22 410,984 ----a-w c:\windows\system32\deploytk.dll
2008-12-22 00:22 --------- d-----w c:\program files\Java
2008-12-19 09:10 70,656 ------w c:\windows\system32\dllcache\ie4uinit.exe
2008-12-19 09:10 13,824 ------w c:\windows\system32\dllcache\ieudinit.exe
2008-12-19 05:25 634,024 ------w c:\windows\system32\dllcache\iexplore.exe
2008-12-19 05:23 161,792 ------w c:\windows\system32\dllcache\ieakui.dll
2008-12-13 06:40 3,593,216 ------w c:\windows\system32\SET124.tmp
2008-12-11 10:57 333,952 ------w c:\windows\system32\dllcache\srv.sys
2008-01-04 02:10 1,755,136 --sha-w c:\program files\ehthumbs.db
2007-11-05 16:18 132 ----a-w c:\documents and settings\James Gustavson\Application Data\wklnhst.dat
2007-06-26 02:22 899,414 ----a-w c:\program files\SetupDVDDecrypter_3.5.4.0.exe
2006-07-15 19:50 251 ----a-w c:\program files\wt3d.ini
2005-07-17 19:45 7,769,912 -c--a-w c:\program files\DivXPlay.exe
2008-09-28 23:06 2,048 --sha-w c:\windows\system32\tuhuduta.dll
2008-06-15 09:35 32,768 --sha-w c:\windows\system32\config\systemprofile\Local Settings\History\History.IE5\MSHist012008061520080616\index.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"MsnMsgr"="c:\program files\Windows Live\Messenger\MsnMsgr.Exe" [2007-10-18 5724184]
"Yahoo! Pager"="c:\progra~1\Yahoo!\MESSEN~1\YAHOOM~1.EXE" [2006-10-24 4662776]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-14 15360]
"LDM"="c:\program files\Logitech\Desktop Messenger\8876480\Program\BackWeb-8876480.exe" [2006-12-25 20480]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ehTray"="c:\windows\ehome\ehtray.exe" [2005-08-05 64512]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2008-12-21 136600]
"UpdateManager"="c:\program files\Common Files\Sonic\Update Manager\sgtray.exe" [2003-08-19 110592]
"ATIPTA"="c:\program files\ATI Technologies\ATI Control Panel\atiptaxx.exe" [2004-12-22 344064]
"SynTPLpr"="c:\program files\Synaptics\SynTP\SynTPLpr.exe" [2004-11-04 98394]
"SynTPEnh"="c:\program files\Synaptics\SynTP\SynTPEnh.exe" [2004-11-04 688218]
"ccApp"="c:\program files\Common Files\Symantec Shared\ccApp.exe" [2008-01-17 58728]
"Cpqset"="c:\program files\HPQ\Default Settings\cpqset.exe" [2004-10-22 229438]
"eabconfg.cpl"="c:\program files\HPQ\Quick Launch Buttons\EabServr.exe" [2004-12-03 290816]
"hpWirelessAssistant"="c:\program files\HPQ\HP Wireless Assistant\HP Wireless Assistant.exe" [2004-12-08 790528]
"Symantec NetDriver Monitor"="c:\progra~1\SYMNET~1\SNDMon.exe" [2008-04-16 100056]
"IPHSend"="c:\program files\Common Files\AOL\IPHSend\IPHSend.exe" [2006-02-17 124520]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2007-03-14 257088]
"Propel Accelerator"="c:\program files\BellSouth Accelerator Technology\trayctl.exe" [2006-06-27 28672]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2007-12-11 286720]
"LXBRKsk"="c:\progra~1\LEXMAR~1\LXBRKsk.exe" [2003-06-13 294912]
"Lexmark 3100 Series"="c:\program files\Lexmark 3100 Series\lxbrbmgr.exe" [2003-07-28 106496]
"GoBoingo"="c:\program files\Boingo\GoBoingo\GoBoingo.lnk" [2009-02-22 2155]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2008-06-12 34672]
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce]
"FlashPlayerUpdate"="c:\windows\system32\Macromed\Flash\FlashUtil9e.exe" [2007-11-20 218496]
c:\documents and settings\All Users\Start Menu\Programs\Startup\
Harmony Monitor.lnk - c:\program files\Logitech\Harmony Remote\EasyZapperMonitor.exe [2004-01-20 81920]
Logitech Desktop Messenger.lnk - c:\program files\Logitech\Desktop Messenger\8876480\Program\LDMConf.exe [2006-12-25 450560]
Windows Desktop Search.lnk - c:\program files\MSN Toolbar Suite\DS\02.05.0001.1119\en-us\bin\WindowsSearch.exe [2005-09-20 18:10:04 238080]
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"= lgkshk.dll
[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusDisableNotify"=dword:00000001
"UpdatesDisableNotify"=dword:00000001
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000001
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Messenger\\msmsgs.exe"=
"c:\\Program Files\\eMule\\emule.exe"=
"c:\\Program Files\\Common Files\\AOL\\Loader\\aolload.exe"=
"c:\\Program Files\\Common Files\\AOL\\1161726997\\ee\\aolsoftware.exe"=
"c:\\Program Files\\Common Files\\AOL\\1161726997\\ee\\aim6.exe"=
"c:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe"=
"c:\\Program Files\\Yahoo!\\Messenger\\YServer.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\\Program Files\\uTorrent\\uTorrent.exe"=
"c:\\Program Files\\Online Services\\MSN90\\LaunchMsn.exe"=
"c:\\Program Files\\Online Services\\US_InstallAOL\\Dial-up\\InstallAol.exe"=
"c:\\Program Files\\Logitech\\Desktop Messenger\\8876480\\Program\\backWeb-8876480.exe"=
"c:\\Program Files\\Logitech\\Logitech Harmony Remote Software 7\\HarmonyRemote.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\livecall.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\usnsvc.exe"=
"c:\\WINDOWS\\system32\\wuauclt.exe"=
"c:\\WINDOWS\\system32\\wtP1uim3.exe"=
"c:\\WINDOWS\\system32\\BCMWLTRY.EXE"=
R2 Viewpoint Manager Service;Viewpoint Manager Service;c:\program files\Viewpoint\Common\ViewpointService.exe [2008-03-27 24652]
S3 AVC3310F;AVC-3310/AVC-3610 USB Loader;c:\windows\system32\drivers\avcuwfl2.sys [2005-02-04 17536]
S3 AvcUWil2;Adaptec AVC-3210/3310/3610 USB Device;c:\windows\system32\drivers\avcuwil2.sys [2005-02-04 1433920]
S3 getPlus(R) Helper;getPlus(R) Helper;c:\program files\NOS\bin\getPlus_HelperSvc.exe [2008-11-01 33752]
.
Contents of the 'Scheduled Tasks' folder
2009-02-21 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2007-08-29 14:57]
2009-02-22 c:\windows\Tasks\At1.job
- c:\windows\system32\0Sbskv54.exe [2008-10-19 19:44]
2009-02-21 c:\windows\Tasks\At10.job
- c:\windows\system32\0Sbskv54.exe [2008-10-19 19:44]
2009-02-21 c:\windows\Tasks\At11.job
- c:\windows\system32\0Sbskv54.exe [2008-10-19 19:44]
2009-02-21 c:\windows\Tasks\At12.job
- c:\windows\system32\0Sbskv54.exe [2008-10-19 19:44]
2009-02-21 c:\windows\Tasks\At13.job
- c:\windows\system32\0Sbskv54.exe [2008-10-19 19:44]
2009-02-21 c:\windows\Tasks\At14.job
- c:\windows\system32\0Sbskv54.exe [2008-10-19 19:44]
2009-02-21 c:\windows\Tasks\At15.job
- c:\windows\system32\0Sbskv54.exe [2008-10-19 19:44]
2009-02-21 c:\windows\Tasks\At16.job
- c:\windows\system32\0Sbskv54.exe [2008-10-19 19:44]
2009-02-21 c:\windows\Tasks\At17.job
- c:\windows\system32\0Sbskv54.exe [2008-10-19 19:44]
2009-02-21 c:\windows\Tasks\At18.job
- c:\windows\system32\0Sbskv54.exe [2008-10-19 19:44]
2009-02-20 c:\windows\Tasks\At19.job
- c:\windows\system32\0Sbskv54.exe [2008-10-19 19:44]
2009-02-22 c:\windows\Tasks\At2.job
- c:\windows\system32\0Sbskv54.exe [2008-10-19 19:44]
2009-02-21 c:\windows\Tasks\At20.job
- c:\windows\system32\0Sbskv54.exe [2008-10-19 19:44]
2009-02-22 c:\windows\Tasks\At21.job
- c:\windows\system32\0Sbskv54.exe [2008-10-19 19:44]
2009-02-22 c:\windows\Tasks\At22.job
- c:\windows\system32\0Sbskv54.exe [2008-10-19 19:44]
2009-02-22 c:\windows\Tasks\At23.job
- c:\windows\system32\0Sbskv54.exe [2008-10-19 19:44]
2009-02-22 c:\windows\Tasks\At24.job
- c:\windows\system32\0Sbskv54.exe [2008-10-19 19:44]
2009-02-22 c:\windows\Tasks\At25.job
- c:\windows\system32\wtP1uim3.exe [2009-02-21 20:10]
2009-02-22 c:\windows\Tasks\At26.job
- c:\windows\system32\wtP1uim3.exe [2009-02-21 20:10]
2009-02-22 c:\windows\Tasks\At27.job
- c:\windows\system32\wtP1uim3.exe [2009-02-21 20:10]
2009-02-22 c:\windows\Tasks\At28.job
- c:\windows\system32\wtP1uim3.exe [2009-02-21 20:10]
2009-02-22 c:\windows\Tasks\At29.job
- c:\windows\system32\wtP1uim3.exe [2009-02-21 20:10]
2009-02-22 c:\windows\Tasks\At3.job
- c:\windows\system32\0Sbskv54.exe [2008-10-19 19:44]
2009-02-22 c:\windows\Tasks\At30.job
- c:\windows\system32\wtP1uim3.exe [2009-02-21 20:10]
2009-02-21 c:\windows\Tasks\At31.job
- c:\windows\system32\wtP1uim3.exe [2009-02-21 20:10]
2009-02-21 c:\windows\Tasks\At32.job
- c:\windows\system32\wtP1uim3.exe [2009-02-21 20:10]
2009-02-21 c:\windows\Tasks\At33.job
- c:\windows\system32\wtP1uim3.exe [2009-02-21 20:10]
2009-02-21 c:\windows\Tasks\At34.job
- c:\windows\system32\wtP1uim3.exe [2009-02-21 20:10]
2009-02-21 c:\windows\Tasks\At35.job
- c:\windows\system32\wtP1uim3.exe [2009-02-21 20:10]
2009-02-21 c:\windows\Tasks\At36.job
- c:\windows\system32\wtP1uim3.exe [2009-02-21 20:10]
2009-02-21 c:\windows\Tasks\At37.job
- c:\windows\system32\wtP1uim3.exe [2009-02-21 20:10]
2009-02-21 c:\windows\Tasks\At38.job
- c:\windows\system32\wtP1uim3.exe [2009-02-21 20:10]
2009-02-21 c:\windows\Tasks\At39.job
- c:\windows\system32\wtP1uim3.exe [2009-02-21 20:10]
2009-02-22 c:\windows\Tasks\At4.job
- c:\windows\system32\0Sbskv54.exe [2008-10-19 19:44]
2009-02-21 c:\windows\Tasks\At40.job
- c:\windows\system32\wtP1uim3.exe [2009-02-21 20:10]
2009-02-21 c:\windows\Tasks\At41.job
- c:\windows\system32\wtP1uim3.exe [2009-02-21 20:10]
2009-02-21 c:\windows\Tasks\At42.job
- c:\windows\system32\wtP1uim3.exe [2009-02-21 20:10]
2009-02-20 c:\windows\Tasks\At43.job
- c:\windows\system32\wtP1uim3.exe [2009-02-21 20:10]
2009-02-21 c:\windows\Tasks\At44.job
- c:\windows\system32\wtP1uim3.exe [2009-02-21 20:10]
2009-02-22 c:\windows\Tasks\At45.job
- c:\windows\system32\wtP1uim3.exe [2009-02-21 20:10]
2009-02-22 c:\windows\Tasks\At46.job
- c:\windows\system32\wtP1uim3.exe [2009-02-21 20:10]
2009-02-22 c:\windows\Tasks\At47.job
- c:\windows\system32\wtP1uim3.exe [2009-02-21 20:10]
2009-02-22 c:\windows\Tasks\At48.job
- c:\windows\system32\wtP1uim3.exe [2009-02-21 20:10]
2009-02-22 c:\windows\Tasks\At5.job
- c:\windows\system32\0Sbskv54.exe [2008-10-19 19:44]
2009-02-22 c:\windows\Tasks\At6.job
- c:\windows\system32\0Sbskv54.exe [2008-10-19 19:44]
2009-02-21 c:\windows\Tasks\At7.job
- c:\windows\system32\0Sbskv54.exe [2008-10-19 19:44]
2009-02-21 c:\windows\Tasks\At8.job
- c:\windows\system32\0Sbskv54.exe [2008-10-19 19:44]
2009-02-21 c:\windows\Tasks\At9.job
- c:\windows\system32\0Sbskv54.exe [2008-10-19 19:44]
2009-02-21 c:\windows\Tasks\Norton AntiVirus - Scan my computer - James Gustavson.job
- c:\progra~1\NORTON~1\Navw32.exe [2005-01-10 11:20]
2009-02-22 c:\windows\Tasks\Symantec NetDetect.job
- c:\program files\Symantec\LiveUpdate\NDetect.exe []
.
- - - - ORPHANS REMOVED - - - -
HKCU-Run-Aim6 - (no file)

.
------- Supplementary Scan -------
.
uSearchMigratedDefaultURL = hxxp://search.yahoo.com/search?p={searchTerms}&ei=utf-8&fr=b1ie7
uStart Page = hxxp://att.my.yahoo.com/
uInternet Settings,ProxyOverride = localhost;<local>
uInternet Settings,ProxyServer = http=localhost:8080
IE: Refresh Pa&ge with Full Quality - c:\program files\BellSouth Accelerator Technology\pac-page.html
IE: Refresh Pi&cture with Full Quality - c:\program files\BellSouth Accelerator Technology\pac-image.html
LSP: c:\program files\BellSouth Accelerator Technology\prplsf.dll
Handler: CDS300 - {AD43AA67-6860-4531-AC8A-0E68F9CF023E} -
DPF: {81449547-EB5D-422E-8730-932DC5E412C8} - hxxp://www.howardstern.com/install/uvuplayer.cab
.
**************************************************************************
catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-02-22 15:43:37
Windows 5.1.2600 Service Pack 3 NTFS
scanning hidden processes ...
scanning hidden autostart entries ...
HKLM\Software\Microsoft\Windows\CurrentVersion\Run
Cpqset = c:\program files\HPQ\Default Settings\cpqset.exe????????6?8?2?3??`???? ???B?????????????H<C? ??????
scanning hidden files ...
scan completed successfully
hidden files: 0
**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------
[HKEY_USERS\S-1-5-21-2258498702-3265682384-1461423004-1005\Software\Microsoft\SystemCertificates\Address Book*]
@Allowed: (Read) (RestrictedCode)
@Allowed: (Read) (RestrictedCode)
.
--------------------- DLLs Loaded Under Running Processes ---------------------
- - - - - - - > 'winlogon.exe'(756)
c:\windows\system32\Ati2evxx.dll
c:\windows\System32\BCMLogon.dll
- - - - - - - > 'lsass.exe'(816)
c:\program files\BellSouth Accelerator Technology\prplsf.dll
.
Completion time: 2009-02-22 15:45:26
ComboFix-quarantined-files.txt 2009-02-22 20:45:21
Pre-Run: 36,167,294,976 bytes free
Post-Run: 36,570,898,432 bytes free
WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Windows XP Media Center Edition" /noexecute=optin /fastdetect
284 --- E O F --- 2009-02-21 23:58:44
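The ComboFix log above carries several persistence indicators that a responder would want pulled out mechanically rather than read by eye: Security Center notification and monitoring flags switched off, an AppInit_DLLs entry (a DLL loaded into every GUI process), randomly named executables in system32 that are both targets of dozens of At<N>.job tasks (the kind at.exe creates) and entries on the firewall's AuthorizedApplications list, and a ProxyServer setting pointing at localhost. The Python script below is an added example written for this page; it is not part of the thread and not ComboFix's own tooling. It parses a constructed excerpt modelled on the section layouts shown in the log (the excerpt is sample input, not the full log) and reports those indicators. The correlation rule (same system32 executable in both the At-job list and the firewall allow list) is my own triage heuristic, and the localhost proxy is reported as a review item only, because the log also shows a BellSouth Accelerator LSP, and local accelerators can set such a proxy legitimately.

```python
import re
from collections import Counter

# Constructed excerpt modelled on the ComboFix log posted above; sample input
# for this example only, not the complete log from the thread.
SAMPLE_LOG = r"""
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"= lgkshk.dll
[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusDisableNotify"=dword:00000001
"UpdatesDisableNotify"=dword:00000001
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\\WINDOWS\\system32\\wuauclt.exe"=
"c:\\WINDOWS\\system32\\wtP1uim3.exe"=
.
Contents of the 'Scheduled Tasks' folder
2009-02-21 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2007-08-29 14:57]
2009-02-22 c:\windows\Tasks\At1.job
- c:\windows\system32\0Sbskv54.exe [2008-10-19 19:44]
2009-02-22 c:\windows\Tasks\At25.job
- c:\windows\system32\wtP1uim3.exe [2009-02-21 20:10]
2009-02-22 c:\windows\Tasks\At26.job
- c:\windows\system32\wtP1uim3.exe [2009-02-21 20:10]
.
uInternet Settings,ProxyServer = http=localhost:8080
"""

KEY_RE = re.compile(r"^\[(.+)\]$")                      # [registry key]
VALUE_RE = re.compile(r'^"([^"]+)"\s*=\s*(.*)$')         # "name"=value
AT_JOB_RE = re.compile(r"^\d{4}-\d{2}-\d{2}\s+\S*\\Tasks\\At\d+\.job$", re.I)
TARGET_RE = re.compile(r"^-\s+(.+?\.exe)\b", re.I)       # "- <task target> [date]"
PROXY_RE = re.compile(r"ProxyServer\s*=\s*(\S+)")


def unescape(path):
    """ComboFix writes registry value names with doubled backslashes; collapse them."""
    return path.replace("\\\\", "\\")


def basename(path):
    return unescape(path).rsplit("\\", 1)[-1]


def in_system32(path):
    return "\\system32\\" in unescape(path).lower()


def triage(log_text):
    """Walk the log line by line and collect persistence indicators."""
    findings = {
        "security_center": [],    # Security Center warnings/monitoring switched off
        "appinit_dlls": [],       # DLLs injected into every user-mode GUI process
        "firewall_system32": [],  # firewall-allowed executables living in system32
        "at_jobs": Counter(),     # At<N>.job target basename -> number of jobs
        "proxy": [],              # ProxyServer settings; review if they point at localhost
    }
    current_key = ""
    in_at_job = False  # True between an At<N>.job header and its "- target" line
    for raw in log_text.splitlines():
        line = raw.strip()
        m = KEY_RE.match(line)
        if m:
            current_key = m.group(1).lower()
            continue
        if AT_JOB_RE.match(line):
            in_at_job = True
            continue
        m = TARGET_RE.match(line)
        if m:
            if in_at_job:
                findings["at_jobs"][basename(m.group(1))] += 1
            in_at_job = False
            continue
        m = PROXY_RE.search(line)
        if m:
            findings["proxy"].append(m.group(1))
            continue
        m = VALUE_RE.match(line)
        if not m:
            continue
        name, value = m.group(1), m.group(2).strip()
        if ("\\security center" in current_key
                and name.endswith(("DisableNotify", "DisableMonitoring"))
                and value == "dword:00000001"):
            findings["security_center"].append(name)
        elif name.lower() == "appinit_dlls" and value:
            findings["appinit_dlls"].append(value)
        elif current_key.endswith("\\authorizedapplications\\list") and in_system32(name):
            findings["firewall_system32"].append(basename(name))
    # Sharpest signal in this log (my heuristic): the same system32 executable is
    # both an at.exe-style scheduled-task target and on the firewall allow list.
    findings["correlated"] = sorted(
        exe for exe in findings["at_jobs"] if exe in findings["firewall_system32"]
    )
    return findings


if __name__ == "__main__":
    for key, value in triage(SAMPLE_LOG).items():
        print(f"{key}: {dict(value) if isinstance(value, Counter) else value}")
```

Run it as-is to see the findings for the excerpt; to triage a real ComboFix log, read the file and pass its text to triage(). The raw firewall_system32 list is deliberately not filtered against an allow list of Windows binaries (sessmgr.exe and wuauclt.exe are legitimate XP components), so treat it as a review list and the correlated list as the strong signal.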
Old 02-22-2009   #7
Senior Security Analyst
 
 
Join Date: Jun 2006
Location: Victoria, Australia
Posts: 6,867
PC Experience: Elite PC Guru
Default Re: Need help eliminating malware

Please copy this page to *Notepad* and save to your desktop for reference as you will not have any browsers open while you are carrying out portions of these instructions.
It's IMPORTANT to carry out the instructions in the sequence listed below.
1. Close any open browsers.
2. Close/disable all anti-virus and anti-malware programs so they do not interfere with the running of ComboFix.
Open *notepad* and copy/paste the text in the quotebox below into it:

File::
c:\windows\system32\fosajugu.dll
c:\windows\system32\luhokazo.dll
c:\windows\system32\habodotu.dll
c:\windows\system32\tuhuduta.dll
c:\windows\system32\0Sbskv54.exe
c:\windows\system32\wtP1uim3.exe
Registry::
Save this as CFScript.txt, in the same location as ComboFix.exe which is on the Desktop.


Referring to the picture above, drag CFScript.txt into ComboFix.exe

When finished, it shall produce a log for you at C:\ComboFix.txt
Please copy and paste the ComboFix.txt along with a fresh HijackThis log in your next reply.

*Note:
Do not mouse-click ComboFix's window whilst it's running. That may cause it to stall. Altering this script in any way could damage your computer*
__________________
My real name is Eddy