There's no such thing as a stupid question, but they're the easiest to answer.
JoinTour
Login
Search
Virus & Other Malware Removal
Go to first new post Trojan: Win32/Alureon.FK - hijack this l ...
Go to first new post software will not update
Go to first new post Something is very wrong with pc it takes ...
Go to first new post slow computer, downloads over a few mb f ...
Go to first new post Black desktop, missing all shortcuts, fi ...
Go to first new post security sheild
Go to first new post We Got System Checked :-(
Go to first new post Trojan infection preventing boot (scvhos ...
Go to first new post "Congratulations, you won" &am ...
Go to first new post Extremely slow computer
Go to first new post This setup thing keeps popping up everyd ...
Go to first new post Google can't be found
Go to first new post Somethings Amiss....
Go to first new post need help regarding malware/spyware
Go to first new post Webpage Redirect Rootkit infection?
Tag Cloud
access acer asus batch bios bsod computer crash desktop driver drivers error ethernet excel freeze gaming hard drive hardware hdmi internet laptop lcd malware memory modem monitor motherboard network printer problem ram registry router slow software sound toshiba trojan usb video virus vista wifi windows windows 7 windows 7 32 bit windows 7 64 bit windows xp wireless xbox
Search
Search for:
Tech Support Guy Forums > Security & Malware Removal > Virus & Other Malware Removal >
Solved: It's Back :(

Reply  
Thread Tools
holkob01's Avatar
Member with 41 posts.
  
Join Date: Dec 2008
01-Jan-2009, 10:19 PM #1
It's Back :(



Well, we were in good shape until today. I have no idea what happened, but we do have multiple users on the computer. My kids and I have had no problems since the awesome help from JSntgRvr, but alas, the popups are back. It started just 1 hour ago to my husband, completely froze his user.

I have deleted his user, and would have no problem deleting the kids as well if necessary. They do not have administrator priveledges.

Here is the new HJT log:


Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 8:01:52 PM, on 1/1/2009
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16762)
Boot mode: Normal
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\PSIService.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\wentxp.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\SOUNDMAN.EXE
C:\Program Files\HP\hpcoretech\hpcmpmgr.exe
C:\WINDOWS\ALCWZRD.EXE
C:\WINDOWS\AGRSMMSG.exe
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\Program Files\Microsoft IntelliPoint\ipoint.exe
C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Microsoft IntelliPoint\dpupdchk.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\Program Files\Auslogics\AusLogics Disk Defrag\diskdefrag.exe
C:\Program Files\internet explorer\iexplore.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page =
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [HP Component Manager] "C:\Program Files\HP\hpcoretech\hpcmpmgr.exe"
O4 - HKLM\..\Run: [High Definition Audio Property Page Shortcut] HDAudPropShortcut.exe
O4 - HKLM\..\Run: [AlcWzrd] ALCWZRD.EXE
O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [AppleSyncNotifier] C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleSyncNotifier.exe
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [IntelliPoint] "C:\Program Files\Microsoft IntelliPoint\ipoint.exe"
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [prunnet] "C:\WINDOWS\system32\prunnet.exe"
O4 - HKLM\..\Run: [f8f44fca] rundll32.exe "C:\WINDOWS\system32\cqlbkseq.dll",b
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [prunnet] "C:\WINDOWS\system32\prunnet.exe"
O4 - HKUS\S-1-5-18\..\Run: [DWQueuedReporting] "C:\PROGRA~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" -t (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [DWQueuedReporting] "C:\PROGRA~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" -t (User 'Default user')
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra button: Web Snapshot - {954A224B-F501-4911-A8BF-6709A048FD77} - C:\Program Files\Gadwin Systems\WebSnapshot\WebSnapshot.dll (HKCU)
O9 - Extra 'Tools' menuitem: Web Snapshot - {954A224B-F501-4911-A8BF-6709A048FD77} - C:\Program Files\Gadwin Systems\WebSnapshot\WebSnapshot.dll (HKCU)
O15 - Trusted Zone: *.antimalwareguard.com (HKLM)
O15 - Trusted Zone: *.gomyhit.com (HKLM)
O16 - DPF: {01010E00-5E80-11D8-9E86-0007E96C65AE} (SupportSoft SmartIssue) - http://www.symantec.com/techsupp/asa/ctrl/tgctlsi.cab
O16 - DPF: {01012101-5E80-11D8-9E86-0007E96C65AE} (SupportSoft Script Runner Class) - http://www.symantec.com/techsupp/asa/ctrl/tgctlsr.cab
O16 - DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} (QuickTime Object) - http://a1540.g.akamai.net/7/1540/52/...x/qtplugin.cab
O16 - DPF: {1F2F4C9E-6F09-47BC-970D-3C54734667FE} - http://www.symantec.com/techsupp/asa/ctrl/LSSupCtl.cab
O16 - DPF: {3DCEC959-378A-4922-AD7E-FD5C925D927F} (Disney Online Games ActiveX Control) - http://disney.go.com/pirates/online/...nlineGames.cab
O16 - DPF: {406B5949-7190-4245-91A9-30A17DE16AD0} (Snapfish Activia) - http://photo.walgreens.com/WalgreensActivia.cab
O16 - DPF: {459E93B6-150E-45D5-8D4B-45C66FC035FE} (get_atlcom Class) - http://apps.corel.com/nos_dl_manager...EGetPlugin.ocx
O16 - DPF: {48DD0448-9209-4F81-9F6D-D83562940134} (MySpace Uploader Control) - http://lads.myspace.com/upload/MySpaceUploader1006.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsu...?1131719764015
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsof...?1138619361078
O16 - DPF: {77E32299-629F-43C6-AB77-6A1E6D7663F6} (Groove Control) - http://www.nick.com/common/groove/gx/GrooveAX28.cab
O16 - DPF: {87BE3784-6977-4E84-AA08-55A96B9CEAC5} (Bl_camera Control) - http://70.164.207.154:60008/bl_camera.cab
O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} (Java Runtime Environment 1.6.0) - http://sdlc-esd.sun.com/ESD5/JSCDL/j...ws-i586-jc.cab
O16 - DPF: {A8683C98-5341-421B-B23C-8514C05354F1} (FujifilmUploader Class) - http://www.samsphotoclub.com/upload/...loadClient.cab
O16 - DPF: {C4925E65-7A1E-11D2-8BB4-00A0C9CC72C3} (Virtools WebPlayer Class) - http://a532.g.akamai.net/f/532/6712/.../Installer.exe
O16 - DPF: {CE28D5D2-60CF-4C7D-9FE8-0F47A3308078} (ActiveDataInfo Class) - http://www.symantec.com/techsupp/asa/ctrl/SymAData.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/ge...sh/swflash.cab
O20 - AppInit_DLLs: xuxycd.dll
O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
O23 - Service: avast! Web Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1150\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: ProtexisLicensing - Unknown owner - C:\WINDOWS\system32\PSIService.exe
O23 - Service: WinEncrypt service (wencrservice) - WinEncrypt - C:\WINDOWS\SYSTEM32\wentxp.exe
--
End of file - 8850 bytes
Register for free to hide this ad!
JSntgRvr's Avatar
Moderator & Malware Removal Specialist with 16,279 posts.
  
Join Date: Jul 2003
Location: Puerto Rico
Experience: Advanced
01-Jan-2009, 11:22 PM #2
Hi, holkob01

Welcome back.

Please download Malwarebytes' Anti-Malware from Here or Here

Double Click mbam-setup.exe to install the application.
  • Make sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.
  • If an update is found, it will download and install the latest version.
  • Once the program has loaded, select "Perform Quick Scan", then click Scan.
  • The scan may take some time to finish,so please be patient.
  • When the scan is complete, click OK, then Show Results to view the results.
  • Make sure that everything is checked, and click Remove Selected.
  • When disinfection is completed, a log will open in Notepad and you may be prompted to Restart.(See Extra Note)
  • The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
  • Copy&Paste the entire report in your next reply.
Extra Note:

If MBAM encounters a file that is difficult to remove,you will be presented with 1 of 2 prompts,click OK to either and let MBAM proceed with the disinfection process. If asked to restart the computer, please do so immediatly.

Please download ComboFix from Here or Here to your Desktop.

**Note: In the event you already have Combofix, this is a new version that I need you to download. It is important that it is saved directly to your desktop**
  1. Please, never rename Combofix unless instructed.
  2. Close any open browsers.
  3. Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.
    -----------------------------------------------------------
    • Very Important! Temporarily disable your anti-virus, script blocking and any anti-malware real-time protection before performing a scan. They can interfere with ComboFix or remove some of its embedded files which may cause "unpredictable results".
    • Click on this link to see a list of programs that should be disabled. The list is not all inclusive. If yours is not listed and you don't know how to disable it, please ask.
      -----------------------------------------------------------
    • Close any open browsers.
    • WARNING: Combofix will disconnect your machine from the Internet as soon as it starts
    • Please do not attempt to re-connect your machine back to the Internet until Combofix has completely finished.
    • If there is no internet connection after running Combofix, then restart your computer to restore back your connection.
    -----------------------------------------------------------
  4. Double click on combofix.exe & follow the prompts.
  5. If you receive a message that Combofix has detected the presence of rootkit activity and needs to reboot, kindly write down on paper the list of files present in the message before continuing, and post it in your next reply.
  6. Install the Recovery Console upon request.
  7. When finished, it will produce a report for you.
  8. Please post the "C:\ComboFix.txt" along with a new HijackThis log for further review.
**Note: Do not mouseclick combofix's window while it's running. That may cause it to stall**
__________________
Unanswered threads for 5 days will no longer be part of my subscriptions.
holkob01's Avatar
Member with 41 posts.
  
Join Date: Dec 2008
02-Jan-2009, 12:45 PM #3
MBAM Log
Malwarebytes' Anti-Malware 1.31
Database version: 1596
Windows 5.1.2600 Service Pack 3
1/2/2009 10:23:15 AM
mbam-log-2009-01-02 (10-23-15).txt
Scan type: Quick Scan
Objects scanned: 70694
Time elapsed: 4 minute(s), 17 second(s)
Memory Processes Infected: 0
Memory Modules Infected: 3
Registry Keys Infected: 13
Registry Values Infected: 4
Registry Data Items Infected: 2
Folders Infected: 0
Files Infected: 14
Memory Processes Infected:
(No malicious items detected)
Memory Modules Infected:
C:\WINDOWS\system32\cqlbkseq.dll (Trojan.Vundo.H) -> Delete on reboot.
C:\WINDOWS\system32\xxyvwvsr.dll (Trojan.Vundo.H) -> Delete on reboot.
C:\WINDOWS\system32\xuxycd.dll (Trojan.Vundo) -> Delete on reboot.
Registry Keys Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Brows er Helper Objects\{5865447d-01f7-4928-89fd-a08066dc4b4b} (Trojan.Vundo.H) -> Delete on reboot.
HKEY_CLASSES_ROOT\CLSID\{5865447d-01f7-4928-89fd-a08066dc4b4b} (Trojan.Vundo.H) -> Delete on reboot.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{5865 447d-01f7-4928-89fd-a08066dc4b4b} (Trojan.Vundo.H) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{6d79 4cb4-c7cd-4c6f-bfdc-9b77afbdc02c} (Trojan.Vundo) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Brows er Helper Objects\{6d794cb4-c7cd-4c6f-bfdc-9b77afbdc02c} (Trojan.Vundo) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\prun net (Malware.Trace) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\xpreapp (Malware.Trace) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\MS Juan (Malware.Trace) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\contim (Trojan.Vundo) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\MS Track System (Trojan.Vundo) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\rdfa (Trojan.Vundo) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\FCOVM (Trojan.Vundo) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\RemoveRP (Trojan.Vundo) -> Quarantined and deleted successfully.
Registry Values Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\f8f44fca (Trojan.Vundo.H) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\prunnet (Trojan.Downloader) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\prunnet (Trojan.Downloader) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell ExecuteHooks\{6d794cb4-c7cd-4c6f-bfdc-9b77afbdc02c} (Trojan.Vundo) -> Quarantined and deleted successfully.
Registry Data Items Infected:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\LSA\Notification Packages (Trojan.Vundo.H) -> Data: c:\windows\system32\xxyvwvsr -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\LSA\Authentication Packages (Trojan.Vundo.H) -> Data: c:\windows\system32\xxyvwvsr -> Delete on reboot.
Folders Infected:
(No malicious items detected)
Files Infected:
C:\WINDOWS\system32\xxyvwvsr.dll (Trojan.Vundo.H) -> Delete on reboot.
C:\WINDOWS\system32\rsvwvyxx.ini (Trojan.Vundo.H) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\rsvwvyxx.ini2 (Trojan.Vundo.H) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\cqlbkseq.dll (Trojan.Vundo.H) -> Delete on reboot.
C:\WINDOWS\system32\qeskblqc.ini (Trojan.Vundo.H) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\xuxycd.dll (Trojan.Vundo) -> Delete on reboot.
C:\WINDOWS\system32\prunnet.exe (Trojan.Downloader) -> Quarantined and deleted successfully.
C:\Documents and Settings\Steve\Local Settings\temp\seneka6a03.tmp (Trojan.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\senekampsbpjye.dll (Trojan.Agent) -> Delete on reboot.
C:\WINDOWS\system32\senekavpppyhxe.dll (Trojan.Agent) -> Delete on reboot.
C:\WINDOWS\system32\senekadf.dat (Trojan.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\seneka.dat (Trojan.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\senekalog.dat (Trojan.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\drivers\senekajmhcdatj.sys (Trojan.Agent) -> Delete on reboot.
holkob01's Avatar
Member with 41 posts.
  
Join Date: Dec 2008
02-Jan-2009, 01:12 PM #4
ComboFix Log
ComboFix 09-01-01.02 - BridgetIrene 2009-01-02 10:57:24.8 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.2047.1618 [GMT -6:00]
Running from: c:\documents and settings\BridgetIrene\Desktop\ComboFix.exe
AV: avast! antivirus 4.8.1296 [VPS 090102-0] *On-access scanning disabled* (Updated)
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
---- Previous Run -------
.
c:\windows\system32\drivers\seneka.sys
.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.
-------\Service_seneka

((((((((((((((((((((((((( Files Created from 2008-12-02 to 2009-01-02 )))))))))))))))))))))))))))))))
.
2009-01-02 10:12 . 2009-01-02 10:22 <DIR> d-------- c:\program files\Malwarebytes' Anti-Malware
2009-01-02 10:12 . 2008-12-03 19:59 38,496 --a------ c:\windows\system32\drivers\mbamswissarmy.sys
2009-01-02 10:12 . 2008-12-03 19:59 15,504 --a------ c:\windows\system32\drivers\mbam.sys
2009-01-02 01:46 . 2009-01-02 01:46 33,832 --a------ c:\windows\system32\yptmjuyf.exe
2008-12-31 10:53 . 2008-10-07 13:33 201,157 --a------ c:\windows\system32\nvapps.nvb
2008-12-31 10:52 . 2008-12-31 10:52 <DIR> d-------- C:\NVIDIA
2008-12-31 10:10 . 2008-12-31 10:10 <DIR> d-------- c:\documents and settings\All Users\Application Data\HP Product Assistant
2008-12-31 10:09 . 2008-12-31 10:09 <DIR> d-------- c:\program files\Hewlett-Packard
2008-12-31 10:08 . 2007-11-06 20:10 271,704 -ra------ c:\windows\system32\hpzids01.dll
2008-12-31 10:08 . 2007-01-17 10:37 49,920 -ra------ c:\windows\system32\drivers\HPZid412.sys
2008-12-31 10:08 . 2007-01-17 10:37 16,496 -ra------ c:\windows\system32\drivers\HPZipr12.sys
2008-12-31 10:07 . 2007-10-31 04:35 729,088 -ra------ c:\windows\system32\hpwwiax4.dll
2008-12-31 10:07 . 2007-10-31 04:35 593,920 -ra------ c:\windows\system32\hpwtscl3.dll
2008-12-31 10:07 . 2007-01-17 10:37 364,544 -ra------ c:\windows\system32\hppldcoi.dll
2008-12-31 10:07 . 2007-01-17 10:37 309,760 -ra------ c:\windows\system32\difxapi.dll
2008-12-31 10:07 . 2007-01-17 10:31 294,912 -ra------ c:\windows\system32\hpovst11.dll
2008-12-31 09:59 . 2008-12-31 10:11 176,592 --a------ c:\windows\hpwins19.dat
2008-12-31 09:59 . 2008-01-07 08:08 997 -ra------ c:\windows\hpwmdl19.dat
2008-12-30 19:58 . 2008-12-30 20:04 <DIR> d-------- c:\windows\SxsCaPendDel
2008-12-23 15:14 . 2008-12-23 15:14 <DIR> d-------- c:\program files\Auslogics
2008-12-23 15:14 . 2008-12-23 15:14 <DIR> d-------- c:\documents and settings\BridgetIrene\Application Data\Auslogics
2008-12-23 13:17 . 2008-12-23 13:17 <DIR> d-------- c:\program files\CCleaner
2008-12-23 12:14 . 2008-12-23 12:14 <DIR> d-------- c:\documents and settings\BridgetIrene\Application Data\VSRevoGroup
2008-12-23 12:11 . 2008-12-23 12:11 <DIR> d-------- c:\program files\VS Revo Group
2008-12-23 10:40 . 2008-12-23 10:40 <DIR> d-------- c:\program files\CleanUp!
2008-12-21 23:47 . 2008-12-21 23:47 <DIR> d-------- c:\program files\Alwil Software
2008-12-21 23:24 . 2008-12-21 23:24 <DIR> d-------- c:\documents and settings\All Users\Application Data\NortonInstaller
2008-12-21 13:03 . 2008-12-21 13:03 410,984 --a------ c:\windows\system32\deploytk.dll
2008-12-21 13:03 . 2008-12-21 13:03 73,728 --a------ c:\windows\system32\javacpl.cpl
2008-12-18 23:04 . 2008-12-18 23:04 <DIR> d-------- c:\documents and settings\BridgetIrene\Application Data\Malwarebytes
2008-12-18 23:04 . 2008-12-18 23:04 <DIR> d-------- c:\documents and settings\All Users\Application Data\Malwarebytes
2008-12-15 22:06 . 2008-12-15 22:06 <DIR> d-------- c:\program files\Trend Micro
2008-12-05 11:20 . 2008-12-05 11:37 27,769 --a------ C:\tif2pdf.jpg.0
2008-12-05 11:19 . 2008-12-05 11:36 489 --a------ c:\windows\Image2PDF.INI
2008-12-05 11:19 . 2008-12-05 11:36 56 --ah----- C:\image2pdf.ini
2008-12-05 11:18 . 2008-12-05 11:37 <DIR> d-------- c:\program files\VeryPDF Image2PDF v3.2
2008-12-05 11:18 . 2008-12-05 11:35 1,024 --a------ c:\windows\system32\Image2PDF.dat
2008-12-03 16:30 . 2008-12-03 16:30 527,254 --a------ c:\windows\FontData.fdb
2008-12-03 15:50 . 2008-12-03 16:25 2,516 --ahs---- c:\documents and settings\All Users\Application Data\KGyGaAvL.sys
2008-12-03 15:50 . 2008-12-03 16:24 88 -r-hs---- c:\documents and settings\All Users\Application Data\2C41BFC2EC.sys
2008-12-03 15:40 . 2008-12-03 15:40 <DIR> d-------- c:\documents and settings\BridgetIrene\Application Data\InstallShield
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-12-31 16:11 --------- d-----w c:\program files\HP
2008-12-31 16:10 --------- d-----w c:\documents and settings\All Users\Application Data\HP
2008-12-31 02:38 --------- d-----w c:\program files\Common Files\HP
2008-12-21 19:03 --------- d-----w c:\program files\Java
2008-12-21 18:59 --------- d-----w c:\program files\Google
2008-12-21 18:50 --------- d-----w c:\program files\Common Files\Corel
2008-12-21 18:49 --------- d-----w c:\program files\Corel
2008-12-21 18:49 --------- d-----w c:\documents and settings\BridgetIrene\Application Data\Corel
2008-12-21 18:47 --------- d-----w c:\documents and settings\All Users\Application Data\Corel
2008-12-21 18:35 --------- d-----w c:\program files\Three Rings Design
2008-12-21 18:32 --------- d-----w c:\program files\LD Supreme
2008-12-19 05:36 --------- d-----w c:\documents and settings\BridgetIrene\Application Data\Twain
2008-12-15 18:41 --------- d-----w c:\program files\LucasArts
2008-12-15 18:27 --------- d--h--w c:\program files\InstallShield Installation Information
2008-12-15 18:24 --------- d-----w c:\program files\Steam
2008-12-15 18:24 --------- d-----w c:\program files\Common Files\Ahead
2008-12-15 18:24 --------- d-----w c:\program files\Ahead
2008-12-15 18:07 --------- d-----w c:\program files\Microsoft Games
2008-12-15 17:30 --------- d-----w c:\program files\GameSpy Arcade
2008-12-15 17:29 --------- d-----w c:\program files\DivX
2008-11-30 20:02 11,690 -csha-w c:\windows\system32\KGyGaAvL.sys
2008-11-30 19:17 --------- d-----w c:\documents and settings\BridgetIrene\Application Data\Yahoo!
2008-11-30 03:15 --------- d-----w c:\documents and settings\KIDS\Application Data\Yahoo!
2008-11-30 03:15 --------- d-----w c:\documents and settings\All Users\Application Data\Hewlett-Packard
2008-11-30 03:12 --------- d-----w c:\program files\Yahoo!
2008-11-24 02:09 --------- d-----w c:\program files\Viewpoint
2008-11-24 02:09 --------- d-----w c:\documents and settings\All Users\Application Data\Viewpoint
2008-10-23 12:36 286,720 ----a-w c:\windows\system32\gdi32.dll
2008-10-16 20:38 826,368 ----a-w c:\windows\system32\wininet.dll
2008-10-16 20:13 202,776 ----a-w c:\windows\system32\wuweb.dll
2008-10-16 20:13 1,809,944 ----a-w c:\windows\system32\wuaueng.dll
2008-10-16 20:12 561,688 ----a-w c:\windows\system32\wuapi.dll
2008-10-16 20:12 323,608 ----a-w c:\windows\system32\wucltui.dll
2008-10-16 20:09 92,696 ----a-w c:\windows\system32\cdm.dll
2008-10-16 20:09 51,224 ----a-w c:\windows\system32\wuauclt.exe
2008-10-16 20:09 43,544 ----a-w c:\windows\system32\wups2.dll
2008-10-16 20:08 34,328 ----a-w c:\windows\system32\wups.dll
2008-10-16 20:06 268,648 ----a-w c:\windows\system32\mucltui.dll
2008-10-16 20:06 208,744 ----a-w c:\windows\system32\muweb.dll
2008-10-03 10:02 247,326 ----a-w c:\windows\system32\strmdll.dll
2008-10-02 16:07 453,152 -c--a-w c:\windows\system32\NVUNINST.EXE
2008-07-13 16:39 32 -c--a-r c:\documents and settings\All Users\hash.dat
2008-09-02 12:08 32,768 -csha-w c:\windows\system32\config\systemprofile\Local Settings\History\History.IE5\MSHist012008090220080903\index.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-13 15360]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"HP Component Manager"="c:\program files\HP\hpcoretech\hpcmpmgr.exe" [2004-05-12 241664]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2008-01-11 39792]
"AppleSyncNotifier"="c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleSyncNotifier.exe" [2008-09-03 111936]
"avast!"="c:\progra~1\ALWILS~1\Avast4\ashDisp.exe" [2008-11-26 81000]
"IntelliPoint"="c:\program files\Microsoft IntelliPoint\ipoint.exe" [2007-08-31 1037736]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2008-10-07 13574144]
"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2008-09-06 413696]
"HP Software Update"="c:\program files\HP\HP Software Update\HPWuSchd2.exe" [2007-10-14 49152]
"NvMediaCenter"="c:\windows\system32\NvMcTray.dll" [2008-10-07 86016]
"SoundMan"="SOUNDMAN.EXE" [2004-07-01 c:\windows\SOUNDMAN.EXE]
"High Definition Audio Property Page Shortcut"="HDAudPropShortcut.exe" [2004-03-17 c:\windows\system32\Hdaudpropshortcut.exe]
"AlcWzrd"="ALCWZRD.EXE" [2004-07-05 c:\windows\ALCWZRD.EXE]
"AGRSMMSG"="AGRSMMSG.exe" [2004-06-29 c:\windows\AGRSMMSG.exe]
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"DWQueuedReporting"="c:\progra~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" [2007-02-26 437160]
[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusDisableNotify"=dword:00000001
"UpdatesDisableNotify"=dword:00000001
"AntiVirusOverride"=dword:00000001
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\Auth orizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\WINDOWS\\system32\\mshta.exe"=
"c:\\Program Files\\Messenger\\msmsgs.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqtra08.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqste08.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpofxm08.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hposfx08.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hposid01.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqkygrp.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpzwiz01.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpoews01.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\livecall.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\\Program Files\\HP\\HP Software Update\\hpwuSchd2.exe"=
"c:\\Program Files\\HP\\hpcoretech\\hpcmpmgr.exe"=
"c:\\Program Files\\Windows Defender\\MSASCui.exe"=
"c:\\Program Files\\Adobe\\Reader 8.0\\Reader\\reader_sl.exe"=
"c:\\Program Files\\Common Files\\Ulead Systems\\AutoDetector\\Monitor.exe"=
"c:\\Program Files\\PureEdge\\Viewer 6.5\\masqform.exe"=
"c:\\WINDOWS\\ALCMTR.EXE"=
R1 aswSP;avast! Self Protection;c:\windows\system32\drivers\aswSP.sys [2008-12-21 111184]
R2 aswFsBlk;aswFsBlk;c:\windows\system32\DRIVERS\aswFsBlk.sys [2008-12-21 20560]
R2 WENCRNT4;WENCRNT4;\??\c:\windows\system32\Drivers\WENCRNT4.SYS [2007-04-27 114944]
R2 WinDefend;Windows Defender;"c:\program files\Windows Defender\MsMpEng.exe" [2006-11-03 13592]
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
HPZ12 REG_MULTI_SZ Pml Driver HPZ12 Net Driver HPZ12
hpdevmgmt REG_MULTI_SZ hpqcxs08 hpqddsvc
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountp oints2\{905471f2-0c16-11dd-b6bc-0011d81a971d}]
\Shell\AutoRun\command - J:\LaunchU3.exe -a
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountp oints2\{d72454df-aeb9-11dc-b693-0011d81a971d}]
\Shell\Auto\command - J:\auto.exe
\Shell\AutoRun\command - c:\windows\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL auto.exe
\Shell\explore\Command - J:\RavMon.exe -e
\Shell\open\Command - J:\RavMon.exe
.
Contents of the 'Scheduled Tasks' folder
2008-12-27 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 11:34]
2009-01-02 c:\windows\Tasks\MP Scheduled Scan.job
- c:\program files\Windows Defender\MpCmdRun.exe [2006-11-03 18:20]
2009-01-02 c:\windows\Tasks\nojqluaz.job
- c:\windows\system32\rundll32.exe [2008-04-13 18:12]
.
- - - - ORPHANS REMOVED - - - -
Notify-hgGVpoLb - hgGVpoLb.dll

.
------- Supplementary Scan -------
.
uInternet Settings,ProxyOverride = *.local
Trusted Zone: *.antimalwareguard.com
Trusted Zone: *.gomyhit.com
Handler: ic32pp - {BBCA9F81-8F4F-11D2-90FF-0080C83D3571} - c:\windows\wc98pp.dll
O16 -: DirectAnimation Java Classes - file://c:\windows\Java\classes\dajava.cab
c:\windows\Downloaded Program Files\DirectAnimation Java Classes.osd
O16 -: Microsoft XML Parser for Java - file://c:\windows\Java\classes\xmldso.cab
c:\windows\Downloaded Program Files\Microsoft XML Parser for Java.osd
.
**************************************************************************
catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-01-02 10:59:06
Windows 5.1.2600 Service Pack 3 NTFS
scanning hidden processes ...
scanning hidden autostart entries ...
scanning hidden files ...
scan completed successfully
hidden files: 0
**************************************************************************
.
Completion time: 2009-01-02 11:01:04
ComboFix-quarantined-files.txt 2009-01-02 17:00:25
ComboFix2.txt 2008-12-23 00:22:37
Pre-Run: 203,841,458,176 bytes free
Post-Run: 203,827,019,776 bytes free
211 --- E O F --- 2009-01-01 20:29:43
holkob01's Avatar
Member with 41 posts.
  
Join Date: Dec 2008
02-Jan-2009, 01:16 PM #5
NEW HJT logfile
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 11:07:52 AM, on 1/2/2009
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16762)
Boot mode: Normal
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\PSIService.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\wentxp.exe
C:\Program Files\HP\hpcoretech\hpcmpmgr.exe
C:\WINDOWS\ALCWZRD.EXE
C:\WINDOWS\AGRSMMSG.exe
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\Program Files\Microsoft IntelliPoint\ipoint.exe
C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Microsoft IntelliPoint\dpupdchk.exe
C:\WINDOWS\explorer.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\Program Files\internet explorer\iexplore.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page =
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
O2 - BHO: (no name) - {02478D38-C3F9-4efb-9B51-7695ECA05670} - (no file)
O2 - BHO: Java(tm) Plug-In SSV Helper - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre6\bin\ssv.dll
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [HP Component Manager] "C:\Program Files\HP\hpcoretech\hpcmpmgr.exe"
O4 - HKLM\..\Run: [High Definition Audio Property Page Shortcut] HDAudPropShortcut.exe
O4 - HKLM\..\Run: [AlcWzrd] ALCWZRD.EXE
O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [AppleSyncNotifier] C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleSyncNotifier.exe
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [IntelliPoint] "C:\Program Files\Microsoft IntelliPoint\ipoint.exe"
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKUS\S-1-5-18\..\Run: [DWQueuedReporting] "C:\PROGRA~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" -t (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [DWQueuedReporting] "C:\PROGRA~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" -t (User 'Default user')
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra button: Web Snapshot - {954A224B-F501-4911-A8BF-6709A048FD77} - C:\Program Files\Gadwin Systems\WebSnapshot\WebSnapshot.dll (HKCU)
O9 - Extra 'Tools' menuitem: Web Snapshot - {954A224B-F501-4911-A8BF-6709A048FD77} - C:\Program Files\Gadwin Systems\WebSnapshot\WebSnapshot.dll (HKCU)
O15 - Trusted Zone: *.antimalwareguard.com (HKLM)
O15 - Trusted Zone: *.gomyhit.com (HKLM)
O16 - DPF: {01010E00-5E80-11D8-9E86-0007E96C65AE} (SupportSoft SmartIssue) - http://www.symantec.com/techsupp/asa/ctrl/tgctlsi.cab
O16 - DPF: {01012101-5E80-11D8-9E86-0007E96C65AE} (SupportSoft Script Runner Class) - http://www.symantec.com/techsupp/asa/ctrl/tgctlsr.cab
O16 - DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} (QuickTime Object) - http://a1540.g.akamai.net/7/1540/52/...x/qtplugin.cab
O16 - DPF: {1F2F4C9E-6F09-47BC-970D-3C54734667FE} - http://www.symantec.com/techsupp/asa/ctrl/LSSupCtl.cab
O16 - DPF: {3DCEC959-378A-4922-AD7E-FD5C925D927F} (Disney Online Games ActiveX Control) - http://disney.go.com/pirates/online/...nlineGames.cab
O16 - DPF: {406B5949-7190-4245-91A9-30A17DE16AD0} (Snapfish Activia) - http://photo.walgreens.com/WalgreensActivia.cab
O16 - DPF: {459E93B6-150E-45D5-8D4B-45C66FC035FE} (get_atlcom Class) - http://apps.corel.com/nos_dl_manager...EGetPlugin.ocx
O16 - DPF: {48DD0448-9209-4F81-9F6D-D83562940134} (MySpace Uploader Control) - http://lads.myspace.com/upload/MySpaceUploader1006.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsu...?1131719764015
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsof...?1138619361078
O16 - DPF: {77E32299-629F-43C6-AB77-6A1E6D7663F6} (Groove Control) - http://www.nick.com/common/groove/gx/GrooveAX28.cab
O16 - DPF: {87BE3784-6977-4E84-AA08-55A96B9CEAC5} (Bl_camera Control) - http://70.164.207.154:60008/bl_camera.cab
O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} (Java Runtime Environment 1.6.0) - http://sdlc-esd.sun.com/ESD5/JSCDL/j...ws-i586-jc.cab
O16 - DPF: {A8683C98-5341-421B-B23C-8514C05354F1} (FujifilmUploader Class) - http://www.samsphotoclub.com/upload/...loadClient.cab
O16 - DPF: {C4925E65-7A1E-11D2-8BB4-00A0C9CC72C3} (Virtools WebPlayer Class) - http://a532.g.akamai.net/f/532/6712/.../Installer.exe
O16 - DPF: {CE28D5D2-60CF-4C7D-9FE8-0F47A3308078} (ActiveDataInfo Class) - http://www.symantec.com/techsupp/asa/ctrl/SymAData.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/ge...sh/swflash.cab
O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
O23 - Service: avast! Web Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1150\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: ProtexisLicensing - Unknown owner - C:\WINDOWS\system32\PSIService.exe
O23 - Service: WinEncrypt service (wencrservice) - WinEncrypt - C:\WINDOWS\SYSTEM32\wentxp.exe
--
End of file - 8973 bytes
JSntgRvr's Avatar
Moderator & Malware Removal Specialist with 16,279 posts.
  
Join Date: Jul 2003
Location: Puerto Rico
Experience: Advanced
02-Jan-2009, 05:40 PM #6
  • Copy the entire contents of the Quote Box below to Notepad.
  • Name the file as CFScript.txt
  • Change the Save as Type to All Files
  • and Save it on the desktop
Code:
File::
c:\windows\system32\yptmjuyf.exe
c:\windows\Tasks\nojqluaz.job

Registry::
[-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{02478D38-C3F9-4efb-9B51-7695ECA05670}]
[-HKEY_CLASSES_ROOT\CLSID\{02478D38-C3F9-4efb-9B51-7695ECA05670}]


Once saved, referring to the picture above, drag CFScript.txt into ComboFix.exe, and post back the resulting report along with a Hijackthis log.

Please do an online scan with Kaspersky WebScanner

Kaspersky online scanner uses JAVA tecnology to perform the scan. If you do not have the latest JAVA version, follow the instrutions below under Upgrading Java, to download and install the latest vesion.
  1. Read through the requirements and privacy statement and click on Accept button.
  2. It will start downloading and installing the scanner and virus definitions. You will be prompted to install an application from Kaspersky. Click Run.
  3. When the downloads have finished, click on Settings.
  4. Make sure the following is checked.
    • Spyware, Adware, Dialers, and other potentially dangerous programs
      Archives
      Mail databases
  5. Click on My Computer under Scan.
  6. Once the scan is complete, it will display the results. Click on View Scan Report.
  7. You will see a list of infected items there. Click on Save Report As....
  8. Save this report to a convenient place. Change the Files of type to Text file (.txt) before clicking on the Save button.
  9. Please post this log in your next reply.
Upgrading Java:
  • Download the latest version of Java SE Runtime Environment (JRE) 6 Update 11.
  • Click the "Download" button to the right.
  • Select your Platform and check the box that says: "I agree to the Java SE Runtime Environment 6 License Agreement.".
  • Click on Continue.
  • Click on the link to download Windows Offline Installation (jre-6u11-windows-i586-p.exe) and save it to your desktop. Do NOT use the Sun Download Manager..
  • Close any programs you may have running - especially your web browser.
  • Go to Start > Control Panel, double-click on Add/Remove programs and remove all older versions of Java.
  • Check any item with Java Runtime Environment (JRE or J2SE) in the name.
  • Click the Remove or Change/Remove button.
  • Repeat as many times as necessary to remove each Java version.
  • Reboot your computer once all Java components are removed.
  • Then from your desktop double-click on the download to install the newest version.(Vista users, right click on the jre-6u11-windows-i586-p.exe) and select "Run as an Administrator.")
__________________
Unanswered threads for 5 days will no longer be part of my subscriptions.
holkob01's Avatar
Member with 41 posts.
  
Join Date: Dec 2008
02-Jan-2009, 06:56 PM #7
New ComboFix Log
ComboFix 09-01-01.02 - BridgetIrene 2009-01-02 16:43:19.9 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.2047.1525 [GMT -6:00]
Running from: c:\documents and settings\BridgetIrene\Desktop\ComboFix.exe
Command switches used :: c:\documents and settings\BridgetIrene\Desktop\CFScript.txt
AV: avast! antivirus 4.8.1296 [VPS 090102-0] *On-access scanning disabled* (Updated)
* Created a new restore point
FILE ::
c:\windows\system32\yptmjuyf.exe
c:\windows\Tasks\nojqluaz.job
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
c:\windows\system32\yptmjuyf.exe
c:\windows\Tasks\nojqluaz.job
.
((((((((((((((((((((((((( Files Created from 2008-12-02 to 2009-01-02 )))))))))))))))))))))))))))))))
.
2009-01-02 10:12 . 2009-01-02 10:22 <DIR> d-------- c:\program files\Malwarebytes' Anti-Malware
2009-01-02 10:12 . 2008-12-03 19:59 38,496 --a------ c:\windows\system32\drivers\mbamswissarmy.sys
2009-01-02 10:12 . 2008-12-03 19:59 15,504 --a------ c:\windows\system32\drivers\mbam.sys
2008-12-31 10:53 . 2008-10-07 13:33 201,157 --a------ c:\windows\system32\nvapps.nvb
2008-12-31 10:52 . 2008-12-31 10:52 <DIR> d-------- C:\NVIDIA
2008-12-31 10:10 . 2008-12-31 10:10 <DIR> d-------- c:\documents and settings\All Users\Application Data\HP Product Assistant
2008-12-31 10:09 . 2008-12-31 10:09 <DIR> d-------- c:\program files\Hewlett-Packard
2008-12-31 10:08 . 2007-11-06 20:10 271,704 -ra------ c:\windows\system32\hpzids01.dll
2008-12-31 10:08 . 2007-01-17 10:37 49,920 -ra------ c:\windows\system32\drivers\HPZid412.sys
2008-12-31 10:08 . 2007-01-17 10:37 16,496 -ra------ c:\windows\system32\drivers\HPZipr12.sys
2008-12-31 10:07 . 2007-10-31 04:35 729,088 -ra------ c:\windows\system32\hpwwiax4.dll
2008-12-31 10:07 . 2007-10-31 04:35 593,920 -ra------ c:\windows\system32\hpwtscl3.dll
2008-12-31 10:07 . 2007-01-17 10:37 364,544 -ra------ c:\windows\system32\hppldcoi.dll
2008-12-31 10:07 . 2007-01-17 10:37 309,760 -ra------ c:\windows\system32\difxapi.dll
2008-12-31 10:07 . 2007-01-17 10:31 294,912 -ra------ c:\windows\system32\hpovst11.dll
2008-12-31 09:59 . 2008-12-31 10:11 176,592 --a------ c:\windows\hpwins19.dat
2008-12-31 09:59 . 2008-01-07 08:08 997 -ra------ c:\windows\hpwmdl19.dat
2008-12-30 19:58 . 2008-12-30 20:04 <DIR> d-------- c:\windows\SxsCaPendDel
2008-12-23 15:14 . 2008-12-23 15:14 <DIR> d-------- c:\program files\Auslogics
2008-12-23 15:14 . 2008-12-23 15:14 <DIR> d-------- c:\documents and settings\BridgetIrene\Application Data\Auslogics
2008-12-23 13:17 . 2008-12-23 13:17 <DIR> d-------- c:\program files\CCleaner
2008-12-23 12:14 . 2008-12-23 12:14 <DIR> d-------- c:\documents and settings\BridgetIrene\Application Data\VSRevoGroup
2008-12-23 12:11 . 2008-12-23 12:11 <DIR> d-------- c:\program files\VS Revo Group
2008-12-23 10:40 . 2008-12-23 10:40 <DIR> d-------- c:\program files\CleanUp!
2008-12-21 23:47 . 2008-12-21 23:47 <DIR> d-------- c:\program files\Alwil Software
2008-12-21 23:24 . 2008-12-21 23:24 <DIR> d-------- c:\documents and settings\All Users\Application Data\NortonInstaller
2008-12-21 13:03 . 2008-12-21 13:03 410,984 --a------ c:\windows\system32\deploytk.dll
2008-12-21 13:03 . 2008-12-21 13:03 73,728 --a------ c:\windows\system32\javacpl.cpl
2008-12-18 23:04 . 2008-12-18 23:04 <DIR> d-------- c:\documents and settings\BridgetIrene\Application Data\Malwarebytes
2008-12-18 23:04 . 2008-12-18 23:04 <DIR> d-------- c:\documents and settings\All Users\Application Data\Malwarebytes
2008-12-15 22:06 . 2008-12-15 22:06 <DIR> d-------- c:\program files\Trend Micro
2008-12-05 11:20 . 2008-12-05 11:37 27,769 --a------ C:\tif2pdf.jpg.0
2008-12-05 11:19 . 2008-12-05 11:36 489 --a------ c:\windows\Image2PDF.INI
2008-12-05 11:19 . 2008-12-05 11:36 56 --ah----- C:\image2pdf.ini
2008-12-05 11:18 . 2008-12-05 11:37 <DIR> d-------- c:\program files\VeryPDF Image2PDF v3.2
2008-12-05 11:18 . 2008-12-05 11:35 1,024 --a------ c:\windows\system32\Image2PDF.dat
2008-12-03 16:30 . 2008-12-03 16:30 527,254 --a------ c:\windows\FontData.fdb
2008-12-03 15:50 . 2008-12-03 16:25 2,516 --ahs---- c:\documents and settings\All Users\Application Data\KGyGaAvL.sys
2008-12-03 15:50 . 2008-12-03 16:24 88 -r-hs---- c:\documents and settings\All Users\Application Data\2C41BFC2EC.sys
2008-12-03 15:40 . 2008-12-03 15:40 <DIR> d-------- c:\documents and settings\BridgetIrene\Application Data\InstallShield
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-12-31 16:11 --------- d-----w c:\program files\HP
2008-12-31 16:10 --------- d-----w c:\documents and settings\All Users\Application Data\HP
2008-12-31 02:38 --------- d-----w c:\program files\Common Files\HP
2008-12-21 19:03 --------- d-----w c:\program files\Java
2008-12-21 18:59 --------- d-----w c:\program files\Google
2008-12-21 18:50 --------- d-----w c:\program files\Common Files\Corel
2008-12-21 18:49 --------- d-----w c:\program files\Corel
2008-12-21 18:49 --------- d-----w c:\documents and settings\BridgetIrene\Application Data\Corel
2008-12-21 18:47 --------- d-----w c:\documents and settings\All Users\Application Data\Corel
2008-12-21 18:35 --------- d-----w c:\program files\Three Rings Design
2008-12-21 18:32 --------- d-----w c:\program files\LD Supreme
2008-12-19 05:36 --------- d-----w c:\documents and settings\BridgetIrene\Application Data\Twain
2008-12-15 18:41 --------- d-----w c:\program files\LucasArts
2008-12-15 18:27 --------- d--h--w c:\program files\InstallShield Installation Information
2008-12-15 18:24 --------- d-----w c:\program files\Steam
2008-12-15 18:24 --------- d-----w c:\program files\Common Files\Ahead
2008-12-15 18:24 --------- d-----w c:\program files\Ahead
2008-12-15 18:07 --------- d-----w c:\program files\Microsoft Games
2008-12-15 17:30 --------- d-----w c:\program files\GameSpy Arcade
2008-12-15 17:29 --------- d-----w c:\program files\DivX
2008-11-30 20:02 11,690 -csha-w c:\windows\system32\KGyGaAvL.sys
2008-11-30 19:17 --------- d-----w c:\documents and settings\BridgetIrene\Application Data\Yahoo!
2008-11-30 03:15 --------- d-----w c:\documents and settings\KIDS\Application Data\Yahoo!
2008-11-30 03:15 --------- d-----w c:\documents and settings\All Users\Application Data\Hewlett-Packard
2008-11-30 03:12 --------- d-----w c:\program files\Yahoo!
2008-11-24 02:09 --------- d-----w c:\program files\Viewpoint
2008-11-24 02:09 --------- d-----w c:\documents and settings\All Users\Application Data\Viewpoint
2008-10-23 12:36 286,720 ----a-w c:\windows\system32\gdi32.dll
2008-10-16 20:38 826,368 ----a-w c:\windows\system32\wininet.dll
2008-10-16 20:13 202,776 ----a-w c:\windows\system32\wuweb.dll
2008-10-16 20:13 1,809,944 ----a-w c:\windows\system32\wuaueng.dll
2008-10-16 20:12 561,688 ----a-w c:\windows\system32\wuapi.dll
2008-10-16 20:12 323,608 ----a-w c:\windows\system32\wucltui.dll
2008-10-16 20:09 92,696 ----a-w c:\windows\system32\cdm.dll
2008-10-16 20:09 51,224 ----a-w c:\windows\system32\wuauclt.exe
2008-10-16 20:09 43,544 ----a-w c:\windows\system32\wups2.dll
2008-10-16 20:08 34,328 ----a-w c:\windows\system32\wups.dll
2008-10-16 20:06 268,648 ----a-w c:\windows\system32\mucltui.dll
2008-10-16 20:06 208,744 ----a-w c:\windows\system32\muweb.dll
2008-10-03 10:02 247,326 ----a-w c:\windows\system32\strmdll.dll
2008-10-02 16:07 453,152 -c--a-w c:\windows\system32\NVUNINST.EXE
2008-07-13 16:39 32 -c--a-r c:\documents and settings\All Users\hash.dat
2008-09-02 12:08 32,768 -csha-w c:\windows\system32\config\systemprofile\Local Settings\History\History.IE5\MSHist012008090220080903\index.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-13 15360]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"HP Component Manager"="c:\program files\HP\hpcoretech\hpcmpmgr.exe" [2004-05-12 241664]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2008-01-11 39792]
"AppleSyncNotifier"="c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleSyncNotifier.exe" [2008-09-03 111936]
"avast!"="c:\progra~1\ALWILS~1\Avast4\ashDisp.exe" [2008-11-26 81000]
"IntelliPoint"="c:\program files\Microsoft IntelliPoint\ipoint.exe" [2007-08-31 1037736]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2008-10-07 13574144]
"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2008-09-06 413696]
"HP Software Update"="c:\program files\HP\HP Software Update\HPWuSchd2.exe" [2007-10-14 49152]
"NvMediaCenter"="c:\windows\system32\NvMcTray.dll" [2008-10-07 86016]
"SoundMan"="SOUNDMAN.EXE" [2004-07-01 c:\windows\SOUNDMAN.EXE]
"High Definition Audio Property Page Shortcut"="HDAudPropShortcut.exe" [2004-03-17 c:\windows\system32\Hdaudpropshortcut.exe]
"AlcWzrd"="ALCWZRD.EXE" [2004-07-05 c:\windows\ALCWZRD.EXE]
"AGRSMMSG"="AGRSMMSG.exe" [2004-06-29 c:\windows\AGRSMMSG.exe]
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"DWQueuedReporting"="c:\progra~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" [2007-02-26 437160]
[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusDisableNotify"=dword:00000001
"UpdatesDisableNotify"=dword:00000001
"AntiVirusOverride"=dword:00000001
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\Auth orizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\WINDOWS\\system32\\mshta.exe"=
"c:\\Program Files\\Messenger\\msmsgs.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqtra08.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqste08.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpofxm08.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hposfx08.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hposid01.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqkygrp.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpzwiz01.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpoews01.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\livecall.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\\Program Files\\HP\\HP Software Update\\hpwuSchd2.exe"=
"c:\\Program Files\\HP\\hpcoretech\\hpcmpmgr.exe"=
"c:\\Program Files\\Windows Defender\\MSASCui.exe"=
"c:\\Program Files\\Adobe\\Reader 8.0\\Reader\\reader_sl.exe"=
"c:\\Program Files\\Common Files\\Ulead Systems\\AutoDetector\\Monitor.exe"=
"c:\\Program Files\\PureEdge\\Viewer 6.5\\masqform.exe"=
"c:\\WINDOWS\\ALCMTR.EXE"=
R1 aswSP;avast! Self Protection;c:\windows\system32\drivers\aswSP.sys [2008-12-21 111184]
R2 aswFsBlk;aswFsBlk;c:\windows\system32\DRIVERS\aswFsBlk.sys [2008-12-21 20560]
R2 WENCRNT4;WENCRNT4;\??\c:\windows\system32\Drivers\WENCRNT4.SYS [2007-04-27 114944]
R2 WinDefend;Windows Defender;"c:\program files\Windows Defender\MsMpEng.exe" [2006-11-03 13592]
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
HPZ12 REG_MULTI_SZ Pml Driver HPZ12 Net Driver HPZ12
hpdevmgmt REG_MULTI_SZ hpqcxs08 hpqddsvc
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountp oints2\{905471f2-0c16-11dd-b6bc-0011d81a971d}]
\Shell\AutoRun\command - J:\LaunchU3.exe -a
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountp oints2\{d72454df-aeb9-11dc-b693-0011d81a971d}]
\Shell\Auto\command - J:\auto.exe
\Shell\AutoRun\command - c:\windows\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL auto.exe
\Shell\explore\Command - J:\RavMon.exe -e
\Shell\open\Command - J:\RavMon.exe
*Newly Created Service* - CATCHME
.
Contents of the 'Scheduled Tasks' folder
2008-12-27 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 11:34]
2009-01-02 c:\windows\Tasks\MP Scheduled Scan.job
- c:\program files\Windows Defender\MpCmdRun.exe [2006-11-03 18:20]
.
.
------- Supplementary Scan -------
.
uInternet Settings,ProxyOverride = *.local
Trusted Zone: *.antimalwareguard.com
Trusted Zone: *.gomyhit.com
Handler: ic32pp - {BBCA9F81-8F4F-11D2-90FF-0080C83D3571} - c:\windows\wc98pp.dll
O16 -: DirectAnimation Java Classes - file://c:\windows\Java\classes\dajava.cab
c:\windows\Downloaded Program Files\DirectAnimation Java Classes.osd
O16 -: Microsoft XML Parser for Java - file://c:\windows\Java\classes\xmldso.cab
c:\windows\Downloaded Program Files\Microsoft XML Parser for Java.osd
.
**************************************************************************
catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-01-02 16:44:18
Windows 5.1.2600 Service Pack 3 NTFS
scanning hidden processes ...
scanning hidden autostart entries ...
scanning hidden files ...
scan completed successfully
hidden files: 0
**************************************************************************
.
Completion time: 2009-01-02 16:45:56
ComboFix-quarantined-files.txt 2009-01-02 22:45:19
ComboFix2.txt 2009-01-02 17:01:06
ComboFix3.txt 2008-12-23 00:22:37
Pre-Run: 203,752,456,192 bytes free
Post-Run: 203,793,285,120 bytes free
208 --- E O F --- 2009-01-01 20:29:43
JSntgRvr's Avatar
Moderator & Malware Removal Specialist with 16,279 posts.
  
Join Date: Jul 2003
Location: Puerto Rico
Experience: Advanced
02-Jan-2009, 09:12 PM #8
Run Kaspersky and let me know how is it doing?
holkob01's Avatar
Member with 41 posts.
  
Join Date: Dec 2008
02-Jan-2009, 09:22 PM #9
Kaspersky didn't find anything, I messed up saving the report so I am re running it.

Can you tell if this was a new infection, or residual from the last one?

I am going to start running spybot daily, as well as the other programs you reccomended.

I'll post the txt from Kaspersky when it is done running again.

Thanks again for all of your help
JSntgRvr's Avatar
Moderator & Malware Removal Specialist with 16,279 posts.
  
Join Date: Jul 2003
Location: Puerto Rico
Experience: Advanced
02-Jan-2009, 09:28 PM #10
New infection. Trojan Vundo for most part. You need to observe better paractices while on the Internet. Anything you downloaded lately?
holkob01's Avatar
Member with 41 posts.
  
Join Date: Dec 2008
03-Jan-2009, 01:09 PM #11
I have multiple user accts on the computer. I believe it was my husband, he tried to download a game on Ebaums world. We deleted his user, because at first it seemed like he was the only one affected. Now there is my user and the kids.

We have NEVER had a virus before the one at the beginning of the month, so 2 in a row is crazy.


Kaspersky Report:

--------------------------------------------------------------------------------
KASPERSKY ONLINE SCANNER 7 REPORT
Saturday, January 3, 2009
Operating System: Microsoft Windows XP Professional Service Pack 3 (build 2600)
Kaspersky Online Scanner 7 version: 7.0.25.0
Program database last update: Friday, January 02, 2009 20:00:23
Records in database: 1549785
--------------------------------------------------------------------------------
Scan settings:
Scan using the following database: extended
Scan archives: yes
Scan mail databases: yes
Scan area - My Computer:
A:\
C:\
D:\
E:\
F:\
G:\
H:\
I:\
Scan statistics:
Files scanned: 88700
Threat name: 0
Infected objects: 0
Suspicious objects: 0
Duration of the scan: 01:04:24
No malware has been detected. The scan area is clean.
The selected area was scanned.
JSntgRvr's Avatar
Moderator & Malware Removal Specialist with 16,279 posts.
  
Join Date: Jul 2003
Location: Puerto Rico
Experience: Advanced
03-Jan-2009, 04:32 PM #12
All looks clear now. How is the computer doing?
holkob01's Avatar
Member with 41 posts.
  
Join Date: Dec 2008
03-Jan-2009, 06:19 PM #13
Seems to be fine.

Thanks again for all of your help. I'm going to download the tools you suggested last time and hopefully I won't be back to this section ever again
Email This Email  Print This Print  Tweet This Send to Facebook Send to MySpace Send to StumbleUpon Digg This | More Services More
Reply

THIS THREAD HAS EXPIRED.
Are you having the same problem? We have volunteers ready to answer your question, but first you'll have to join for free. Need help getting started? Check out our Welcome Guide.

Search Tech Support Guy

Find the solution to your
computer problem!

« Previous Thread | Virus & Other Malware Removal | Next Thread »

Currently Active Users Viewing This Thread: 1 (0 members and 1 guests)
 
WELCOME TO TECH SUPPORT GUY! Are you looking for the solution to your computer problem? Join our site today to ask your question -- for free! Our site is run completely by volunteers who want to help you solve your computer problems. See our Welcome Guide to get started.
Thread Tools



Facebook Facebook Twitter Twitter TechGuy.tv TechGuy.tv Mobile TSG Mobile
Contact Us - HelpOnThe.Net - Archive - Terms of Service - Top
You Are Using:
Server ID
Advertisements do not imply our endorsement of that product or service.
All times are GMT -4. The time now is 09:03 AM.
Copyright © 1996 - 2011 TechGuy, Inc. All rights reserved.

 Powered by Cermak Technologies, Inc.