Security Tool (followed by Rogue.Antivirus Plus) (In Progress)

CaseyFletcher (Junior Member, 8 posts; Join Date: Nov 2009; Experience: Intermediate)
13-Nov-2009, 11:02 AM #1
Security Tool (followed by Rogue.Antivirus Plus)
OK, a detailed description of the infection and the symptoms; here goes.

OS: Windows XP
Default Browser: IE 7

Wednesday Night:
I was browsing when my Norton Antivirus popped up a dialog stating that I had 2 threats. The hard drive was chugging hard and the 'Action Taken' in Norton just said 'Pending solution'.

When the hard drive quieted, the Security Tool dialog popped up, my mbam.exe from Malwarebytes had been deleted, and my desktop was displaying as a blank black screen. Google search results always redirected to searchclick8.com and Yahoo search was giving me a 999 security error (Yahoo security, I believe). Random IE popups kept appearing with random ads.

I used my laptop to search for solutions and with help, figured out how to get Malwarebytes installed without having the exe deleted (rescuing it, basically), and then booted up in safe mode and let Malwarebytes do its thing. I rebooted normally and the black desktop problem was gone along with the Security Tool app icon. However, my antivirus still popped up every time I rebooted with a 'Downloader' trojan linked to cmd.exe. I kept quarantining it but it always popped up. At this point the only problem remaining was the searchclick8 Google hijack. So I installed HijackThis and scanned while reading instructions on what is safe to delete and what is not via HijackThis.

I deleted the obvious bad entries but one kept coming back, sometimes within seconds... AppInit_DLLs: wuhomuro.dll

Needless to say the searchclick8 google thing was gone but now all my google searches popped up blank white screens, no results. And yahoo searches still came up 999 security error.

At this point I went to bed and didn't turn my computer back on until this morning...

Friday morning: As soon as I logged in, the antivirus popped up with 2 threats which it quarantined. Shortly after, Security Tool popped up again and my desktop went black again, but this time a SECOND malware app appeared as well, Antivirus Plus (Rogue). My Malwarebytes was not deleted this time so I ran it and removed the 19 threats and rebooted. This made all the Security Tool symptoms disappear (although, as you can see, the 'AppInit_DLLs: wuhomuro.dll' is still in my HijackThis scan) but did not touch Antivirus Plus. I had to get to work at this point so I shut down and left.

So basically my problem is this: I can disarm Security Tool MOSTLY, but it keeps coming back. And now I have this Antivirus Plus thing that is completely undetected by Malwarebytes. Oh, and the SearchClick8 Google hijack is back in full effect.

I desperately need your help TechGuys...

Hijack This Log (From Friday morning):

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 7:52:22 AM, on 11/13/2009
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16915)
Boot mode: Normal
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Ahead\InCD\InCDsrv.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Creative\Shared Files\CTAudSvc.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Creative\Shared Files\Module Loader\DLLML.exe
C:\PROGRA~1\SYMANT~1\VPTray.exe
C:\Program Files\Creative\Sound Blaster X-Fi\Volume Panel\VolPanel.exe
C:\WINDOWS\Logi_MwX.Exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\WINDOWS\system32\CTsvcCDA.exe
C:\Program Files\Logitech\SetPoint\SetPoint.exe
C:\Program Files\Symantec AntiVirus\DefWatch.exe
C:\WINDOWS\SYSTEM32\CTXFISPI.EXE
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Common Files\Logishrd\KHAL2\KHALMNPR.EXE
C:\Program Files\CyberLink\Shared files\RichVideo.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Symantec AntiVirus\Rtvscan.exe
C:\Program Files\Viewpoint\Common\ViewpointService.exe
C:\Program Files\Yahoo!\SoftwareUpdate\YahooAUService.exe
C:\Program Files\iPod\bin\iPodService.exe
E:\Malwarebytes' Anti-Malware\mbam.exe
E:\HijackThis.exe
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.yahoo.com/
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.creative.com/
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\userinit.exe
O2 - BHO: Antivirus Plus BHO - {C2B5AAB8-2183-4be7-81A6-F11493C45872} - C:\WINDOWS\system32\config\systemprofile\Application Data\AntiVirus Plus\AntiVirus Plus.70367201.dll
O4 - HKLM\..\Run: [AudioDrvEmulator] "C:\Program Files\Creative\Shared Files\Module Loader\DLLML.exe" -1 AudioDrvEmulator "C:\Program Files\Creative\Shared Files\Module Loader\Audio Emulator\AudDrvEm.dll"
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\VPTray.exe
O4 - HKLM\..\Run: [VolPanel] "C:\Program Files\Creative\Sound Blaster X-Fi\Volume Panel\VolPanel.exe" /r
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [Logitech Utility] Logi_MwX.Exe
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [AppleSyncNotifier] C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleSyncNotifier.exe
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"
O4 - HKLM\..\Run: [Malwarebytes Anti-Malware (reboot)] "E:\Malwarebytes' Anti-Malware\mbam.exe" /runcleanupscript
O4 - HKLM\..\Run: [AntiVirus Plus] "C:\WINDOWS\system32\rundll32.exe" "C:\WINDOWS\system32\config\systemprofile\Application Data\AntiVirus Plus\AntiVirus Plus.70367201.dll", start 70367201
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [AntiVirus Plus] "C:\WINDOWS\system32\rundll32.exe" "C:\WINDOWS\system32\config\systemprofile\Application Data\AntiVirus Plus\AntiVirus Plus.70367201.dll", start 70367201
O4 - HKUS\S-1-5-18\..\Run: [AntiVirus Plus] "C:\WINDOWS\system32\rundll32.exe" "C:\WINDOWS\system32\config\systemprofile\Application Data\AntiVirus Plus\AntiVirus Plus.70367201.dll", start 70367201 (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [AntiVirus Plus] "C:\WINDOWS\system32\rundll32.exe" "C:\WINDOWS\system32\config\systemprofile\Application Data\AntiVirus Plus\AntiVirus Plus.70367201.dll", start 70367201 (User 'Default user')
O4 - S-1-5-18 Startup: AntiVirus Plus.lnk = C:\WINDOWS\system32\rundll32.exe (User 'SYSTEM')
O4 - .DEFAULT Startup: AntiVirus Plus.lnk = C:\WINDOWS\system32\rundll32.exe (User 'Default user')
O4 - Global Startup: Logitech SetPoint.lnk = C:\Program Files\Logitech\SetPoint\SetPoint.exe
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {1E54D648-B804-468d-BC78-4AFFED8E262E} (System Requirements Lab) - http://www.nvidia.com/content/Driver...sysreqlab3.cab
O16 - DPF: {39B0684F-D7BF-4743-B050-FDC3F48F7E3B} (CDownloadCtrl Object) - http://www.fileplanet.com/fpdlmgr/ca..._2.3.8.110.cab
O16 - DPF: {5F8469B4-B055-49DD-83F7-62B522420ECC} (Facebook Photo Uploader Control) - http://upload.facebook.com/controls/...toUploader.cab
O16 - DPF: {6C269571-C6D7-4818-BCA4-32A035E8C884} (Creative Software AutoUpdate) - http://ccfiles.creative.com/Web/soft...01/CTSUEng.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/ge...sh/swflash.cab
O16 - DPF: {F6ACF75C-C32C-447B-9BEF-46B766368D29} (Creative Software AutoUpdate Support Package) - http://ccfiles.creative.com/Web/soft...5108/CTPID.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{2BA00FFA-4E7C-4359-A80A-91726228B78D}: NameServer = 77.74.48.113
O17 - HKLM\System\CS1\Services\Tcpip\..\{2BA00FFA-4E7C-4359-A80A-91726228B78D}: NameServer = 77.74.48.113
O20 - AppInit_DLLs: wuhomuro.dll
O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: Creative Audio Engine Licensing Service - Creative Labs - C:\Program Files\Common Files\Creative Labs Shared\Service\CTAELicensing.exe
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\system32\CTsvcCDA.exe
O23 - Service: Creative Audio Service (CTAudSvcService) - Creative Technology Ltd - C:\Program Files\Creative\Shared Files\CTAudSvc.exe
O23 - Service: Dragon Age: Origins - Content Updater (DAUpdaterSvc) - BioWare - C:\Program Files\Dragon Age\bin_ship\DAUpdaterSvc.Service.exe
O23 - Service: Symantec AntiVirus Definition Watcher (DefWatch) - Symantec Corporation - C:\Program Files\Symantec AntiVirus\DefWatch.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: InCD Helper (InCDsrv) - Nero AG - C:\Program Files\Ahead\InCD\InCDsrv.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: Logitech Bluetooth Service (LBTServ) - Logitech, Inc. - C:\Program Files\Common Files\Logitech\Bluetooth\LBTServ.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: Cyberlink RichVideo Service(CRVS) (RichVideo) - Unknown owner - C:\Program Files\CyberLink\Shared files\RichVideo.exe
O23 - Service: SAVRoam (SavRoam) - symantec - C:\Program Files\Symantec AntiVirus\SavRoam.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
O23 - Service: Symantec AntiVirus - Symantec Corporation - C:\Program Files\Symantec AntiVirus\Rtvscan.exe
O23 - Service: Viewpoint Manager Service - Viewpoint Corporation - C:\Program Files\Viewpoint\Common\ViewpointService.exe
O23 - Service: Yahoo! Updater (YahooAUService) - Yahoo! Inc. - C:\Program Files\Yahoo!\SoftwareUpdate\YahooAUService.exe

Malware Bytes Log (From Friday morning when both Security Tool and Antivirus Plus popped up):

Malwarebytes' Anti-Malware 1.41
Database version: 2775
Windows 5.1.2600 Service Pack 3
11/13/2009 7:45:47 AM
mbam-log-2009-11-13 (07-45-43).txt
Scan type: Quick Scan
Objects scanned: 100331
Time elapsed: 4 minute(s), 34 second(s)
Memory Processes Infected: 1
Memory Modules Infected: 1
Registry Keys Infected: 1
Registry Values Infected: 4
Registry Data Items Infected: 2
Folders Infected: 2
Files Infected: 8
Memory Processes Infected:
C:\Documents and Settings\All Users\Application Data\28903628\28903628.exe (Rogue.Multiple.H) -> No action taken.
Memory Modules Infected:
c:\WINDOWS\system32\dirupahu.dll (Trojan.Vundo.H) -> No action taken.
Registry Keys Infected:
HKEY_CLASSES_ROOT\CLSID\{285f680c-0536-4437-8382-1038bf8a8562} (Trojan.Vundo.H) -> No action taken.
Registry Values Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\bopuvofuj (Trojan.Vundo.H) -> No action taken.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\28903628 (Rogue.Multiple.H) -> No action taken.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SharedTaskScheduler\{285f680c-0536-4437-8382-1038bf8a8562} (Trojan.Vundo.H) -> No action taken.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\mivevubuf (Trojan.Vundo.H) -> No action taken.
Registry Data Items Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\AppInit_DLLs (Trojan.Vundo.H) -> Data: c:\windows\system32\dirupahu.dll -> No action taken.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\AppInit_DLLs (Trojan.Vundo.H) -> Data: system32\dirupahu.dll -> No action taken.
Folders Infected:
C:\Documents and Settings\All Users\Application Data\28903628 (Rogue.Multiple.H) -> No action taken.
C:\Documents and Settings\Owner\Start Menu\Programs\AntiVirus Plus (Rogue.AntiVirusPlus) -> No action taken.
Files Infected:
c:\WINDOWS\system32\dirupahu.dll (Trojan.Vundo.H) -> No action taken.
C:\Documents and Settings\All Users\Application Data\28903628\28903628.bat (Rogue.Multiple.H) -> No action taken.
C:\Documents and Settings\All Users\Application Data\28903628\28903628.exe (Rogue.Multiple.H) -> No action taken.
C:\Documents and Settings\Owner\Start Menu\Programs\AntiVirus Plus\AntiVirus Plus.lnk (Rogue.AntiVirusPlus) -> No action taken.
C:\Documents and Settings\Owner\Start Menu\Programs\AntiVirus Plus\EULA.url (Rogue.AntiVirusPlus) -> No action taken.
C:\Documents and Settings\Owner\Desktop\AntiVirus Plus.lnk (Rogue.AntiVirusPlus) -> No action taken.
C:\Documents and Settings\All Users\Start Menu\Programs\Startup\AntiVirus Plus.lnk (Rogue.AntiVirusPlus) -> No action taken.
C:\Documents and Settings\Owner\Start Menu\Programs\Startup\AntiVirus Plus.lnk (Rogue.AntiVirusPlus) -> No action taken.
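Added example for readers triaging a log like the one above; it is not part of this thread, not the poster's, and not a HijackThis feature. It runs a few sanity rules over lines copied from the HijackThis log (the O2, O4, O17 and O20 entries) and reports the ones a helper would look at first: a non-empty AppInit_DLLs entry, a NameServer that is not a resolver you recognise, and autostart entries that launch a DLL via rundll32.exe or live under a profile data directory. The TRUSTED_DNS set is a constructed placeholder, not a value from the log.

```python
import re
from typing import Iterable, List, NamedTuple, Set

# Constructed sample: a subset of the lines from the HijackThis log posted above.
SAMPLE_LOG = r"""
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.yahoo.com/
O2 - BHO: Antivirus Plus BHO - {C2B5AAB8-2183-4be7-81A6-F11493C45872} - C:\WINDOWS\system32\config\systemprofile\Application Data\AntiVirus Plus\AntiVirus Plus.70367201.dll
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\VPTray.exe
O4 - HKLM\..\Run: [AntiVirus Plus] "C:\WINDOWS\system32\rundll32.exe" "C:\WINDOWS\system32\config\systemprofile\Application Data\AntiVirus Plus\AntiVirus Plus.70367201.dll", start 70367201
O4 - Global Startup: Logitech SetPoint.lnk = C:\Program Files\Logitech\SetPoint\SetPoint.exe
O17 - HKLM\System\CCS\Services\Tcpip\..\{2BA00FFA-4E7C-4359-A80A-91726228B78D}: NameServer = 77.74.48.113
O20 - AppInit_DLLs: wuhomuro.dll
O23 - Service: Symantec AntiVirus - Symantec Corporation - C:\Program Files\Symantec AntiVirus\Rtvscan.exe
"""


class Finding(NamedTuple):
    section: str   # HijackThis section code, e.g. "O20"
    reason: str    # why the line deserves a closer look
    line: str      # the original log line


# Assumption (placeholder): the resolvers you expect on this machine, i.e. the
# router or ISP. Any other address in an O17 NameServer entry is flagged.
TRUSTED_DNS: Set[str] = {"192.168.1.1"}

# Autostart code under a user or SYSTEM profile data directory is unusual.
PROFILE_DIR = re.compile(r"\\(Application Data|Local Settings|systemprofile)\\", re.I)
# rundll32.exe being used to start a DLL from an autostart location.
RUNDLL_DLL = re.compile(r"rundll32\.exe.*\.dll", re.I)
IPV4 = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")
SECTION = re.compile(r"^(R\d|F\d|O\d+) - ")


def _section(line: str) -> str:
    """Return the HijackThis section code of a line, or '' for non-entry lines."""
    m = SECTION.match(line)
    return m.group(1) if m else ""


def triage(lines: Iterable[str], trusted_dns: Set[str] = TRUSTED_DNS) -> List[Finding]:
    """Return one Finding per (line, reason) for entries worth a second look."""
    findings: List[Finding] = []
    for raw in lines:
        line = raw.strip()
        sec = _section(line)
        if not sec:
            continue  # header, process-list and blank lines carry no entry
        if sec == "O20" and "AppInit_DLLs" in line:
            # HijackThis only prints this line when the value is non-empty; the
            # DLL named here is loaded into every process that links user32.dll.
            findings.append(Finding(sec, "non-empty AppInit_DLLs entry", line))
        elif sec == "O17":
            for ip in IPV4.findall(line):
                if ip not in trusted_dns:
                    findings.append(Finding(sec, f"NameServer {ip} is not a trusted resolver", line))
        elif sec in ("O2", "O4"):
            if PROFILE_DIR.search(line):
                findings.append(Finding(sec, "autostart code lives under a profile data directory", line))
            if RUNDLL_DLL.search(line):
                findings.append(Finding(sec, "rundll32.exe used to launch a DLL at startup", line))
    return findings


def triage_text(text: str, trusted_dns: Set[str] = TRUSTED_DNS) -> List[Finding]:
    """Convenience wrapper: triage a whole log pasted as one string."""
    return triage(text.splitlines(), trusted_dns)


if __name__ == "__main__":
    for f in triage_text(SAMPLE_LOG):
        print(f"[{f.section}] {f.reason}\n    {f.line}")
```

On the sample above this yields five findings: the O20 AppInit_DLLs line, the O17 resolver 77.74.48.113, the O2 BHO under the SYSTEM profile, and two for the O4 Run entry (rundll32.exe plus the profile-directory path), which matches the entries the poster's scanners later removed. Passing a different `trusted_dns` set is how you suppress the O17 rule for a resolver you know is legitimate.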
CaseyFletcher (Junior Member, 8 posts; Join Date: Nov 2009; Experience: Intermediate)
14-Nov-2009, 01:44 PM #2
I jumped the gun a bit and, based on your starting recommendations for most issues, I ran OTS and saved the log. OTS got rid of both the Vundo and the Rogue Antivirus Plus AND (unlike the other stuff like Ad-Aware and Spybot) kept it gone. The one remaining issue is my Google search.

The fake redirects to searchclick8 seem to be gone and now google just comes up with a blank window. Oh and Yahoo still returns a 999 security error when I try to search with it.

Can you help? I'll post the OTS log...

ComboFix 09-11-14.01 - Owner 11/13/2009 22:42..1 - FAT32x86
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.2047.1434 [GMT -5:00]
Running from: c:\documents and settings\Owner\Desktop\ComboFix.exe
Command switches used :: c:\documents and settings\Owner\Desktop\ComboFix.exe
AV: Symantec AntiVirus Corporate Edition *On-access scanning disabled* (Updated) {FB06448E-52B8-493A-90F3-E43226D3305C}
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
c:\documents and settings\Owner\Desktop\AntiVirus Plus.lnk
c:\documents and settings\Owner\Desktop\Security Tool.lnk
c:\documents and settings\Owner\Start Menu\Programs\AntiVirus Plus
c:\documents and settings\Owner\Start Menu\Programs\AntiVirus Plus\AntiVirus Plus.lnk
c:\documents and settings\Owner\Start Menu\Programs\AntiVirus Plus\EULA.url
c:\documents and settings\Owner\Start Menu\Programs\Security Tool.lnk
c:\windows\system32\config\systemprofile\Application Data\AntiVirus Plus\AnTIvirus plus.70367201.dll
c:\windows\system32\config\systemprofile\Start Menu\Programs\AntiVirus Plus
c:\windows\system32\config\systemprofile\Start Menu\Programs\AntiVirus Plus\AntiVirus Plus.lnk
c:\windows\system32\config\systemprofile\Start Menu\Programs\AntiVirus Plus\EULA.url
c:\windows\system32\heyehupi.dll
c:\windows\system32\lomofasi.dll
c:\windows\system32\mafaguzu.dll
c:\windows\system32\nehozipa.dll
c:\windows\system32\nijufuvu.exe
c:\windows\system32\novusina.exe
c:\windows\system32\rakujotu.dll
c:\windows\system32\resevine.dll
c:\windows\system32\yawigeyo.dll
c:\windows\system32\yupabuse.dll
c:\windows\Tasks\kvelbigm.job
c:\windows\system32\proquota.exe was missing
Restored copy from - c:\windows\ServicePackFiles\i386\proquota.exe
.
((((((((((((((((((((((((( Files Created from 2009-10-14 to 2009-11-14 )))))))))))))))))))))))))))))))
.
2009-11-14 03:45 . 2008-04-14 00:12 50176 -c--a-w- c:\windows\system32\dllcache\proquota.exe
2009-11-14 01:52 . 2009-11-14 03:47 46640 ----a-w- c:\windows\system32\msln.exe
2009-11-14 01:50 . 2009-11-14 01:50 -------- d-----w- c:\program files\NVT Malware Remover Tool
2009-11-14 00:56 . 2009-11-14 00:51 15880 ----a-w- c:\windows\system32\lsdelete.exe
2009-11-14 00:56 . 2009-11-14 03:38 136 ---ha-w- C:\aaw7boot.cmd
2009-11-14 00:50 . 2009-11-14 00:50 5908024 ----a-w- c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\Update\Resources.dll
2009-11-14 00:50 . 2009-11-14 00:50 327000 ----a-w- c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\Update\RPAPI.dll
2009-11-14 00:50 . 2009-11-14 00:50 87496 ----a-w- c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\Update\PrivacyClean.dll
2009-11-14 00:50 . 2009-11-14 00:50 933120 ----a-w- c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\Update\CEAPI.dll
2009-11-14 00:50 . 2009-11-14 00:50 640608 ----a-w- c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\Update\AutoLaunch.exe
2009-11-14 00:50 . 2009-11-14 00:50 815760 ----a-w- c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\Update\Ad-AwareCommand.exe
2009-11-14 00:50 . 2009-11-14 00:50 822904 ----a-w- c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\Update\Ad-AwareAdmin.exe
2009-11-14 00:50 . 2009-11-14 00:50 1638104 ----a-w- c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\Update\Ad-Aware.exe
2009-11-14 00:50 . 2009-11-14 00:50 788368 ----a-w- c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\Update\AAWTray.exe
2009-11-14 00:50 . 2009-11-14 00:50 1179232 ----a-w- c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\Update\AAWService.exe
2009-11-14 00:49 . 2009-11-14 00:49 -------- dc-h--w- c:\documents and settings\All Users\Application Data\{CFBD8779-FAAB-4357-84F2-1EC8619FADA6}
2009-11-14 00:49 . 2009-10-03 08:15 2924848 -c--a-w- c:\documents and settings\All Users\Application Data\{CFBD8779-FAAB-4357-84F2-1EC8619FADA6}\Ad-AwareInstallation.exe
2009-11-14 00:49 . 2009-11-14 00:51 -------- d-----w- c:\documents and settings\All Users\Application Data\Lavasoft
2009-11-14 00:49 . 2009-11-14 00:49 -------- d-----w- c:\program files\Lavasoft
2009-11-14 00:34 . 2009-11-14 00:34 39424 --sh--w- c:\windows\system32\biheseya.dll
2009-11-14 00:13 . 2009-11-14 01:07 -------- d-----w- c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
2009-11-14 00:13 . 2009-11-14 00:15 -------- d-----w- c:\program files\Spybot - Search & Destroy
2009-11-13 12:34 . 2009-11-13 12:34 1209915 --sh--w- c:\windows\system32\huhukuge.exe
2009-11-13 12:34 . 2009-11-13 12:34 39424 --sh--w- c:\windows\system32\vonowiya.dll
2009-11-12 02:01 . 2009-11-12 02:01 -------- d-----w- c:\documents and settings\Administrator\Local Settings\Application Data\Mozilla
2009-11-12 01:28 . 2009-11-12 01:28 -------- d-----w- c:\documents and settings\Administrator\Application Data\Malwarebytes
2009-11-12 01:28 . 2009-09-10 19:54 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2009-11-12 01:28 . 2009-09-10 19:53 19160 ----a-w- c:\windows\system32\drivers\mbam.sys
2009-11-12 00:59 . 2009-11-12 00:59 -------- d-----w- c:\documents and settings\Administrator\Local Settings\Application Data\Symantec
2009-11-12 00:22 . 2009-11-12 00:22 -------- d-----w- c:\documents and settings\Owner\Local Settings\Application Data\streamsp60
2009-11-11 05:42 . 2009-11-11 05:42 -------- d-----w- c:\documents and settings\Owner\Application Data\Ahead
2009-11-11 05:30 . 2009-11-11 05:30 -------- d-----w- C:\My Music
2009-11-07 17:21 . 2009-11-07 17:21 152576 ----a-w- c:\documents and settings\Owner\Application Data\Sun\Java\jre1.6.0_17\lzma.dll
2009-11-07 17:21 . 2009-11-07 17:21 79488 ----a-w- c:\documents and settings\Owner\Application Data\Sun\Java\jre1.6.0_17\gtapi.dll
2009-11-03 22:47 . 2009-11-03 22:47 -------- d-----w- c:\documents and settings\All Users\Application Data\BioWare
2009-11-03 22:23 . 2009-11-03 22:34 -------- d-----w- c:\program files\Dragon Age
2009-11-03 22:22 . 2009-11-03 22:42 -------- d-----w- c:\program files\Common Files\BioWare
2009-10-19 00:55 . 2009-10-20 03:44 -------- d-----w- c:\documents and settings\All Users\Application Data\Yahoo! Companion
2009-10-19 00:54 . 2009-05-26 23:50 607472 ----a-w- c:\documents and settings\All Users\Application Data\Yahoo!\YUpdater\yupdater.exe
2009-10-18 19:34 . 2009-10-18 19:34 -------- d-----w- c:\program files\MSECache
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-11-14 03:49 . 2007-06-16 23:42 -------- d-----w- c:\program files\Symantec AntiVirus
2009-11-12 01:27 . 2009-05-30 14:29 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2009-11-07 17:21 . 2009-10-01 23:08 -------- d-----w- c:\program files\Java
2009-11-05 21:59 . 2007-06-11 20:54 23104 ----a-w- c:\documents and settings\Owner\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2009-11-04 22:49 . 2009-06-15 01:11 -------- d-----w- c:\program files\Common Files\Blizzard Entertainment
2009-11-03 22:20 . 2007-06-11 18:21 -------- d--h--w- c:\program files\InstallShield Installation Information
2009-10-31 21:18 . 2009-07-23 22:01 -------- d-----w- c:\program files\Heroes of Newerth
2009-10-24 00:30 . 2009-07-06 12:16 -------- d-----w- c:\program files\Qnext
2009-10-19 00:55 . 2009-08-18 03:53 -------- d-----w- c:\documents and settings\All Users\Application Data\Yahoo!
2009-10-19 00:55 . 2009-08-18 03:53 -------- d-----w- c:\program files\Yahoo!
2009-10-18 21:05 . 2008-07-02 00:34 -------- d-----w- c:\program files\Steam
2009-10-18 21:05 . 2007-09-23 16:02 -------- d-----w- c:\program files\Windows Media Connect 2
2009-10-18 21:05 . 2008-04-17 01:15 -------- d-----w- c:\program files\DivX
2009-10-18 21:05 . 2007-06-11 18:38 -------- d-----w- c:\program files\AlienGUIse
2009-10-18 21:05 . 2008-10-09 03:44 -------- d-----w- c:\program files\AGEIA Technologies
2009-10-11 09:17 . 2009-10-01 23:09 411368 ----a-w- c:\windows\system32\deploytk.dll
2009-10-01 23:11 . 2008-10-09 03:41 -------- d-----w- c:\program files\SystemRequirementsLab
2009-10-01 23:10 . 2009-10-01 23:10 138240 ----a-w- c:\documents and settings\Owner\Application Data\SystemRequirementsLab\SRLProxy_srl_4_1_13_0_d.dll
2009-10-01 23:10 . 2009-10-01 23:10 138240 ----a-w- c:\documents and settings\Owner\Application Data\SystemRequirementsLab\SRLProxy_srl_4_1_13_0_c.dll
2009-10-01 23:10 . 2009-10-01 23:10 138240 ----a-w- c:\documents and settings\Owner\Application Data\SystemRequirementsLab\SRLProxy_srl_4_1_13_0_b.dll
2009-10-01 23:10 . 2009-10-01 23:10 138240 ----a-w- c:\documents and settings\Owner\Application Data\SystemRequirementsLab\SRLProxy_srl_4_1_13_0_a.dll
2009-10-01 23:10 . 2009-10-01 23:10 -------- d-----w- c:\documents and settings\Owner\Application Data\SystemRequirementsLab
2009-10-01 23:08 . 2009-10-01 23:08 152576 ----a-w- c:\documents and settings\Owner\Application Data\Sun\Java\jre1.6.0_16\lzma.dll
2009-09-27 15:58 . 2009-09-27 15:58 -------- d-----w- c:\program files\Support Tools
2009-09-23 12:55 . 2009-11-14 00:51 64288 ----a-w- c:\windows\system32\drivers\Lbd.sys
2009-09-11 14:18 . 2004-08-04 07:00 136192 ----a-w- c:\windows\system32\msv1_0.dll
2009-09-04 21:03 . 2004-08-04 07:00 58880 ----a-w- c:\windows\system32\msasn1.dll
2009-09-04 14:49 . 2009-06-07 16:17 78003 ----a-w- c:\windows\War3Unin.dat
2009-09-04 03:32 . 2008-09-18 01:50 488968 ----a-w- c:\documents and settings\Owner\Application Data\Real\Update\setup\setup.exe
2009-08-29 07:36 . 2004-08-04 07:00 832512 ----a-w- c:\windows\system32\wininet.dll
2009-08-29 07:36 . 2004-08-04 07:00 78336 ----a-w- c:\windows\system32\ieencode.dll
2009-08-29 07:36 . 2004-08-04 07:00 17408 ----a-w- c:\windows\system32\corpol.dll
2009-08-26 08:00 . 2004-08-04 07:00 247326 ----a-w- c:\windows\system32\strmdll.dll
2009-08-13 12:33 . 2009-08-13 12:33 31744 --sha-w- c:\windows\system32\fagometo.exe
2009-08-13 12:33 . 2009-08-13 12:33 45056 --sha-w- c:\windows\system32\fugedepi.dll
2009-08-14 00:40 . 2009-08-14 00:40 39424 --sha-w- c:\windows\system32\hinirole.dll
2009-08-14 00:34 . 2009-08-14 00:34 45056 --sha-w- c:\windows\system32\lowofoza.dll
2009-08-14 01:34 . 2009-08-14 01:34 39424 --sha-w- c:\windows\system32\selutanu.dll
2009-08-14 00:34 . 2009-08-14 00:34 60928 --sha-w- c:\windows\system32\sivotumo.dll
2009-08-14 00:40 . 2009-08-14 00:40 45056 --sha-w- c:\windows\system32\vuranune.dll
2009-08-14 01:34 . 2009-08-14 01:34 45056 --sha-w- c:\windows\system32\yopufuju.dll
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SpybotSD TeaTimer"="c:\program files\Spybot - Search & Destroy\TeaTimer.exe" [2009-03-05 2260480]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"AudioDrvEmulator"="c:\program files\Creative\Shared Files\Module Loader\DLLML.exe" [2005-06-17 49152]
"vptray"="c:\progra~1\SYMANT~1\VPTray.exe" [2006-05-27 124656]
"VolPanel"="c:\program files\Creative\Sound Blaster X-Fi\Volume Panel\VolPanel.exe" [2005-07-11 122880]
"NeroFilterCheck"="c:\windows\system32\NeroCheck.exe" [2001-07-09 155648]
"ccApp"="c:\program files\Common Files\Symantec Shared\ccApp.exe" [2006-03-07 53408]
"AppleSyncNotifier"="c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleSyncNotifier.exe" [2009-05-14 177472]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2007-10-11 39792]
"NvMediaCenter"="c:\windows\system32\NvMcTray.dll" [2009-05-01 86016]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2009-05-01 13750272]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2009-05-30 292136]
"TkBellExe"="c:\program files\Common Files\Real\Update_OB\realsched.exe" [2009-09-11 198160]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2009-10-11 149280]
"Malwarebytes Anti-Malware (reboot)"="e:\malwarebytes' anti-malware\mbam.exe" [2009-09-10 1312080]
"Logitech Utility"="Logi_MwX.Exe" - c:\windows\LOGI_MWX.EXE [2003-12-17 19968]
c:\documents and settings\All Users\Start Menu\Programs\Startup\
Logitech SetPoint.lnk - c:\program files\Logitech\SetPoint\SetPoint.exe [2008-9-29 805392]
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\LBTWlgn]
2008-05-02 06:42 72208 ----a-w- c:\program files\Common Files\Logitech\Bluetooth\LBTWLgn.dll
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\WB]
2001-12-21 06:34 24576 ----a-w- c:\program files\AlienGUIse\fastload.dll
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Lavasoft Ad-Aware Service]
@="Service"
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WdfLoadGroup]
@=""
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\uTorrent\\uTorrent.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\Steam\\steamapps\\common\\the last remnant\\Binaries\\TLR.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\\Program Files\\Curse\\CurseClient.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\wlcsdk.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=
"e:\\Warcraft III\\Warcraft III.exe"=
"e:\\Warcraft III\\Frozen Throne.exe"=
"c:\\Program Files\\Qnext\\qnext.exe"=
"c:\\Program Files\\Qnext\\qnextclient.exe"=
"c:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe"=
"c:\\Program Files\\Heroes of Newerth\\hon.exe"=
"c:\\Program Files\\Real\\RealPlayer\\realplay.exe"=
"c:\\Program Files\\Dragon Age\\bin_ship\\daorigins.exe"=
"c:\\Program Files\\Dragon Age\\DAOriginsLauncher.exe"=
"c:\\Program Files\\Dragon Age\\bin_ship\\daupdatersvc.service.exe"=
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"3724:TCP"= 3724:TCP:Blizzard Downloader: 3724
R0 Lbd;Lbd;c:\windows\system32\drivers\Lbd.sys [11/13/2009 7:51 PM 64288]
R2 Lavasoft Ad-Aware Service;Lavasoft Ad-Aware Service;c:\program files\Lavasoft\Ad-Aware\AAWService.exe [9/24/2009 6:17 AM 1179232]
R2 Viewpoint Manager Service;Viewpoint Manager Service;c:\program files\Viewpoint\Common\ViewpointService.exe [3/14/2008 7:27 PM 24652]
R3 CT20XUT.SYS;CT20XUT.SYS;c:\windows\system32\drivers\CT20XUT.sys [10/8/2008 12:21 AM 171032]
R3 CTEXFIFX.SYS;CTEXFIFX.SYS;c:\windows\system32\drivers\CTEXFIFX.sys [10/8/2008 12:21 AM 1324056]
R3 CTHWIUT.SYS;CTHWIUT.SYS;c:\windows\system32\drivers\CTHWIUT.sys [10/8/2008 12:21 AM 72728]
R3 EraserUtilRebootDrv;EraserUtilRebootDrv;c:\program files\Common Files\Symantec Shared\EENGINE\EraserUtilRebootDrv.sys [8/29/2009 7:24 AM 102448]
S0 ebcgl;ebcgl;c:\windows\system32\drivers\qmusoknf.sys --> c:\windows\system32\drivers\qmusoknf.sys [?]
S0 qqqlw;qqqlw;c:\windows\system32\drivers\jyofte.sys --> c:\windows\system32\drivers\jyofte.sys [?]
S3 Creative Audio Engine Licensing Service;Creative Audio Engine Licensing Service;c:\program files\Common Files\Creative Labs Shared\Service\CTAELicensing.exe [5/22/2009 11:30 PM 79360]
S3 CT20XUT;CT20XUT;c:\windows\system32\drivers\CT20XUT.sys [10/8/2008 12:21 AM 171032]
S3 CTEXFIFX;CTEXFIFX;c:\windows\system32\drivers\CTEXFIFX.sys [10/8/2008 12:21 AM 1324056]
S3 CTHWIUT;CTHWIUT;c:\windows\system32\drivers\CTHWIUT.sys [10/8/2008 12:21 AM 72728]
S3 DAUpdaterSvc;Dragon Age: Origins - Content Updater;c:\program files\Dragon Age\bin_ship\daupdatersvc.service.exe [11/3/2009 5:33 PM 25832]
S3 SavRoam;SAVRoam;c:\program files\Symantec AntiVirus\SavRoam.exe [5/26/2006 8:01 PM 115952]
--- Other Services/Drivers In Memory ---
*NewlyCreated* - MBR
*Deregistered* - mbr
.
Contents of the 'Scheduled Tasks' folder
2009-11-14 c:\windows\Tasks\Ad-Aware Update (Weekly).job
- c:\program files\Lavasoft\Ad-Aware\Ad-AwareAdmin.exe [2009-10-01 00:50]
2009-11-12 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-04-11 16:34]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.altavista.com/
uInternet Connection Wizard,ShellNext = hxxp://www.creative.com/
uInternet Settings,ProxyOverride = *.local
TCP: {2BA00FFA-4E7C-4359-A80A-91726228B78D} = 77.74.48.113
FF - ProfilePath - c:\documents and settings\Owner\Application Data\Mozilla\Firefox\Profiles\in5phoy2.default\
FF - prefs.js: browser.search.defaulturl - hxxp://search.yahoo.com/search?fr=ffsp1&p=
FF - prefs.js: browser.search.selectedEngine - Google
FF - prefs.js: browser.startup.homepage - hxxp://www.google.com/
FF - prefs.js: keyword.URL - hxxp://search.yahoo.com/search?fr=ffds1&p=
FF - plugin: c:\program files\Download Manager\npfpdlm.dll
FF - plugin: c:\program files\Viewpoint\Viewpoint Media Player\npViewpoint.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\
---- FIREFOX POLICIES ----
FF - user.js: yahoo.homepage.dontask - true.
- - - - ORPHANS REMOVED - - - -
BHO-{737e2787-6c4b-474c-b9f8-0aad7b32680a} - rakujotu.dll
HKLM-Run-bopuvofuj - c:\windows\system32\yawigeyo.dll
HKLM-Run-bikunobopi - lomofasi.dll
SharedTaskScheduler-{ecf8b13f-aae2-4d09-a8fe-4532aaebdfb6} - c:\windows\system32\yawigeyo.dll
SSODL-lakamanes-{ecf8b13f-aae2-4d09-a8fe-4532aaebdfb6} - c:\windows\system32\yawigeyo.dll
Notify-ckpNotify - (no file)

**************************************************************************
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-11-13 22:49
Windows 5.1.2600 Service Pack 3 NTFS
scanning hidden processes ...
scanning hidden autostart entries ...
scanning hidden files ...
scan completed successfully
hidden files: 0
**************************************************************************
Stealth MBR rootkit/Mebroot/Sinowal detector 0.3.7 by Gmer, http://www.gmer.net
device: opened successfully
user: MBR read successfully
called modules: ntkrnlpa.exe CLASSPNP.SYS disk.sys ACPI.sys hal.dll >>UNKNOWN [0x8A8D91F8]<<
kernel: MBR read successfully
user & kernel MBR OK
**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------
[HKEY_USERS\S-1-5-21-1659004503-329068152-725345543-1003\Software\SecuROM\!CAUTION! NEVER A OR CHANGE ANY KEY*]
"??"=hex:a7,27,29,e1,5d,6d,4d,13,b5,22,82,73,5c,f2,ff,37,e8,e5,1c,ee,22,d6,62,
33,a6,87,3c,c2,0b,a7,2d,85,98,53,33,20,1e,f7,0c,b0,e7,12,36,11,fe,f8,eb,6f, \
"??"=hex:8f,fb,4d,07,79,2d,29,62,e0,da,bd,0b,ed,d4,a9,f7
[HKEY_USERS\S-1-5-21-1659004503-329068152-725345543-1003\Software\SecuROM\License information*]
"datasecu"=hex:2e,44,2f,ad,07,aa,47,b2,30,8f,87,02,61,14,22,53,71,2e,54,12,00,
c9,e9,78,00,b7,6c,58,a5,7c,be,95,13,cf,82,16,35,7f,9d,ec,73,b9,c5,71,90,3d, \
"rkeysecu"=hex:82,c3,15,4f,bb,1d,3b,7f,84,f5,53,93,76,d6,d1,ff
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{107E6D21-54ED-32EA-89EBEFDD29F12B2C}\{B975045C-7EA8-ADE1-408732B9E3F99960}\{A296A331-83C2-2419-70104A7C6B45B24D}*]
"G2ODBCSUISDKL2GJMZO1MJ5AUG1"=hex:01,00,01,00,00,00,00,00,9d,07,c2,9d,25,58,3c,
a7,35,81,92,71,e8,29,5a,84,14,35,16,70,d8,6e,ff,61
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{20182402-24ED-DBEE-0C047CC941A92C12}\{18337038-91FA-1511-718667CAE01F35A0}\{7E9CBDE1-C583-B4C7-27A5326796C918BF}*]
"{3EE4C831-B7E0-4ed1-B9FC-EDC523C9612F}1"=hex:01,00,01,00,0c,00,00,00,3c,04,c0,
f2,a2,ec,91,54,6f,3e,87,2d,18,0b,3c,14,59,11,31,82,d5,4c,c8,38,18,39,7c,b4, \
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{286D4131-3821-6CBF-08770360589374C2}\{48BEB065-0DEC-1314-6E019AD5B66531AE}\{E2D4EA90-E228-BF00-D20DE2AD05099BA2}*]
"G2ODBCSUISDKL2GJMZO1MJ5AUG1"=hex:01,00,01,00,00,00,00,00,9d,07,c2,9d,25,58,3c,
a7,35,81,92,71,e8,29,5a,84,14,35,16,70,d8,6e,ff,61
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{2E59814C-B3DE-44FB-94965C0366D98DF0}\{ABEB2D87-DFA0-F53D-992658CC296F0BC9}\{4501FB50-D3D7-43DD-41A9BB47FD107040}*]
"L5OTYL4OSK54QTZWOGJWMONWTG1"=hex:01,00,01,00,00,00,00,00,4f,1a,34,b6,a9,51,c3,
92,35,81,92,71,e8,29,5a,84,14,35,16,70,d8,6e,ff,61
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{399560AD-16A1-1C42-B8ABCDA82BB95BD1}\{612A140D-0F00-4178-3873E27B58551793}\{AE627BFA-B567-4F9A-57DD34442A0D5150}*]
"AXBBEZDR5GG1RHH1SV4GCUI36H1"=hex:01,00,01,00,00,00,00,00,ea,70,b2,10,82,71,5d,
44,35,81,92,71,e8,29,5a,84,14,35,16,70,d8,6e,ff,61
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{42E6D7B2-B1C8-2837-2B153136718EFEB8}\{8E0BC5B0-8FBD-4DC6-72B4724501FBC409}\{8BABC9F6-A6DF-6175-8337ACE301A74A27}*]
"{3EE4C831-B7E0-4ed1-B9FC-EDC523C9612F}1"=hex:01,00,01,00,0c,00,00,00,3c,04,c0,
f2,a2,ec,91,54,6f,3e,87,2d,18,0b,3c,14,59,11,31,82,d5,4c,c8,38,18,39,7c,b4, \
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{44DDD7DB-C851-F5D8-43BBD1CB976AABCC}\{47326943-CE6C-E3D1-74FCCAE0772B4FAB}\{FA8F0E33-B888-6EFF-6240990870DDF055}*]
"L5OTYL4OSK54QTZWOGJWMONWTG1"=hex:01,00,01,00,00,00,00,00,4f,1a,34,b6,a9,51,c3,
92,35,81,92,71,e8,29,5a,84,14,35,16,70,d8,6e,ff,61
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{AD7DA6D0-C8A5-2AB7-AFAFBAF6CCA2EFA4}\{BFF22B84-84BD-C376-CF902D4CFF2D2B8A}\{C30500AE-8022-F8A1-791309212C4775E7}*]
"QR1ILJL5ACMYH2P3FXOAHPVAQE1"=hex:01,00,01,00,00,00,00,00,e3,c2,76,29,f1,92,b8,
65,35,81,92,71,e8,29,5a,84,14,35,16,70,d8,6e,ff,61
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{B7C188CC-C656-22D1-E21234AD513F53A3}\{781F7726-F470-BDBE-E3632254F9ABE08C}\{D5A0EB3A-C033-B7E9-DCA15AB75FD5AB8C}*]
"AXBBEZDR5GG1RHH1SV4GCUI36H1"=hex:01,00,01,00,00,00,00,00,ea,70,b2,10,82,71,5d,
44,35,81,92,71,e8,29,5a,84,14,35,16,70,d8,6e,ff,61
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{C19175F0-6343-C058-D551EA9B69721CA5}\{44B8D0A6-F0B8-27D0-3AB262946B96BF2A}\{D0951FF3-5F85-5129-204F105C4943049E}*]
"QR1ILJL5ACMYH2P3FXOAHPVAQE1"=hex:01,00,01,00,00,00,00,00,e3,c2,76,29,f1,92,b8,
65,35,81,92,71,e8,29,5a,84,14,35,16,70,d8,6e,ff,61
.
--------------------- DLLs Loaded Under Running Processes ---------------------
- - - - - - - > 'winlogon.exe'(700)
c:\program files\common files\logitech\bluetooth\LBTWlgn.dll
c:\program files\common files\logitech\bluetooth\LBTServ.dll
c:\program files\AlienGUIse\fastload.dll
- - - - - - - > 'explorer.exe'(1960)
c:\windows\system32\WININET.dll
c:\program files\Logitech\SetPoint\GameHook.dll
c:\program files\Logitech\SetPoint\lgscroll.dll
c:\windows\system32\ieframe.dll
.
------------------------ Other Running Processes ------------------------
.
c:\windows\system32\nvsvc32.exe
c:\program files\Ahead\InCD\InCDsrv.exe
c:\program files\Common Files\Symantec Shared\ccSetMgr.exe
c:\program files\Common Files\Symantec Shared\ccEvtMgr.exe
c:\program files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
c:\program files\Creative\Shared Files\CTAudSvc.exe
c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
c:\windows\system32\CTsvcCDA.exe
c:\program files\Symantec AntiVirus\DefWatch.exe
c:\program files\Java\jre6\bin\jqs.exe
c:\program files\CyberLink\Shared files\RichVideo.exe
c:\program files\Symantec AntiVirus\Rtvscan.exe
c:\program files\Windows Media Player\WMPNetwk.exe
c:\windows\system32\RUNDLL32.EXE
c:\program files\Yahoo!\SoftwareUpdate\YahooAUService.exe
c:\windows\SYSTEM32\CTXFISPI.EXE
c:\program files\Common Files\Logishrd\KHAL2\KHALMNPR.EXE
c:\windows\system32\wbem\unsecapp.exe
c:\program files\iPod\bin\iPodService.exe
c:\windows\system32\wscntfy.exe
c:\program files\Lavasoft\Ad-Aware\AAWTray.exe
.
**************************************************************************
.
Completion time: 2009-11-13 22:52 - machine was rebooted
ComboFix-quarantined-files.txt 2009-11-14 03:52
Pre-Run: 35,684,835,328 bytes free
Post-Run: 35,908,509,696 bytes free
WindowsXP-KB310994-SP2-Home-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Home Edition" /noexecute=optin /fastdetect
- - End Of File - - 718540D9FA06AA8A39A665CCAAFA3783
CaseyFletcher, 15-Nov-2009, 07:32 PM #3
bump
CaseyFletcher, 16-Nov-2009, 04:20 PM #4
Bump

PS: I really need help on this one guys, I need my Google search abilities restored badly.
CaseyFletcher, 17-Nov-2009, 09:41 AM #5
Bump

Still need help with the Google hijack (searchclick8).
cybertech (Malware Removal Specialist with 69,217 posts; Join Date: Apr 2002; Location: Washington State), 17-Nov-2009, 02:05 PM #6
Hi, Welcome to TSG!

If you still need help post a new hijackthis log.
CaseyFletcher, 17-Nov-2009, 08:23 PM #7
Hi Cybertech, it really is a pleasure to hear from you.

Most of the issue was resolved, but the remaining issue is the Google search hijack (searchclick8) and the Yahoo search 999 security error. Your help would be hugely appreciated.

Here is a fresh HJT log...

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 7:20:13 PM, on 11/17/2009
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16915)
Boot mode: Normal
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Ahead\InCD\InCDsrv.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
C:\Program Files\Lavasoft\Ad-Aware\AAWService.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Creative\Shared Files\CTAudSvc.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Creative\Shared Files\Module Loader\DLLML.exe
C:\PROGRA~1\SYMANT~1\VPTray.exe
C:\Program Files\Creative\Sound Blaster X-Fi\Volume Panel\VolPanel.exe
C:\WINDOWS\Logi_MwX.Exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\WINDOWS\system32\CTsvcCDA.exe
C:\Program Files\Logitech\SetPoint\SetPoint.exe
C:\Program Files\Symantec AntiVirus\DefWatch.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\CyberLink\Shared files\RichVideo.exe
C:\WINDOWS\SYSTEM32\CTXFISPI.EXE
C:\Program Files\Common Files\Logishrd\KHAL2\KHALMNPR.EXE
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Symantec AntiVirus\Rtvscan.exe
C:\Program Files\Viewpoint\Common\ViewpointService.exe
C:\Program Files\Yahoo!\SoftwareUpdate\YahooAUService.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Lavasoft\Ad-Aware\AAWTray.exe
C:\PROGRA~1\MICROS~2\OFFICE11\OUTLOOK.EXE
C:\Program Files\Microsoft Office\OFFICE11\WINWORD.EXE
C:\Program Files\Internet Explorer\iexplore.exe
E:\HijackThis.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.altavista.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.creative.com/
O4 - HKLM\..\Run: [AudioDrvEmulator] "C:\Program Files\Creative\Shared Files\Module Loader\DLLML.exe" -1 AudioDrvEmulator "C:\Program Files\Creative\Shared Files\Module Loader\Audio Emulator\AudDrvEm.dll"
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\VPTray.exe
O4 - HKLM\..\Run: [VolPanel] "C:\Program Files\Creative\Sound Blaster X-Fi\Volume Panel\VolPanel.exe" /r
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [Logitech Utility] Logi_MwX.Exe
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [AppleSyncNotifier] C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleSyncNotifier.exe
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"
O4 - HKLM\..\Run: [Malwarebytes Anti-Malware (reboot)] "E:\Malwarebytes' Anti-Malware\mbam.exe" /runcleanupscript
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - Global Startup: Logitech SetPoint.lnk = C:\Program Files\Logitech\SetPoint\SetPoint.exe
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search && Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O16 - DPF: {1E54D648-B804-468d-BC78-4AFFED8E262E} (System Requirements Lab) - http://www.nvidia.com/content/Driver...sysreqlab3.cab
O16 - DPF: {39B0684F-D7BF-4743-B050-FDC3F48F7E3B} (CDownloadCtrl Object) - http://www.fileplanet.com/fpdlmgr/ca..._2.3.8.110.cab
O16 - DPF: {5F8469B4-B055-49DD-83F7-62B522420ECC} (Facebook Photo Uploader Control) - http://upload.facebook.com/controls/...toUploader.cab
O16 - DPF: {6C269571-C6D7-4818-BCA4-32A035E8C884} (Creative Software AutoUpdate) - http://ccfiles.creative.com/Web/soft...01/CTSUEng.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/ge...sh/swflash.cab
O16 - DPF: {F6ACF75C-C32C-447B-9BEF-46B766368D29} (Creative Software AutoUpdate Support Package) - http://ccfiles.creative.com/Web/soft...5108/CTPID.cab
O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: Creative Audio Engine Licensing Service - Creative Labs - C:\Program Files\Common Files\Creative Labs Shared\Service\CTAELicensing.exe
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\system32\CTsvcCDA.exe
O23 - Service: Creative Audio Service (CTAudSvcService) - Creative Technology Ltd - C:\Program Files\Creative\Shared Files\CTAudSvc.exe
O23 - Service: Dragon Age: Origins - Content Updater (DAUpdaterSvc) - BioWare - C:\Program Files\Dragon Age\bin_ship\DAUpdaterSvc.Service.exe
O23 - Service: Symantec AntiVirus Definition Watcher (DefWatch) - Symantec Corporation - C:\Program Files\Symantec AntiVirus\DefWatch.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: InCD Helper (InCDsrv) - Nero AG - C:\Program Files\Ahead\InCD\InCDsrv.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: Lavasoft Ad-Aware Service - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware\AAWService.exe
O23 - Service: Logitech Bluetooth Service (LBTServ) - Logitech, Inc. - C:\Program Files\Common Files\Logitech\Bluetooth\LBTServ.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: Cyberlink RichVideo Service(CRVS) (RichVideo) - Unknown owner - C:\Program Files\CyberLink\Shared files\RichVideo.exe
O23 - Service: SAVRoam (SavRoam) - symantec - C:\Program Files\Symantec AntiVirus\SavRoam.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
O23 - Service: Symantec AntiVirus - Symantec Corporation - C:\Program Files\Symantec AntiVirus\Rtvscan.exe
O23 - Service: Viewpoint Manager Service - Viewpoint Corporation - C:\Program Files\Viewpoint\Common\ViewpointService.exe
O23 - Service: Yahoo! Updater (YahooAUService) - Yahoo! Inc. - C:\Program Files\Yahoo!\SoftwareUpdate\YahooAUService.exe
--
End of file - 8625 bytes
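As an added example (not code from this thread, and not part of HijackThis or ComboFix), the script below reads a handful of the line shapes that appear in the ComboFix log in the first post and in the HijackThis log above, and flags the entries a helper looks at first: a per-interface DNS server (the ComboFix "TCP:" line) that is not on an allowlist, a boot-start driver whose file is marked missing with "[?]", orphaned or Run entries whose file stems alternate consonant and vowel the way rakujotu.dll and yawigeyo.dll do, an O23 service with "Unknown owner", and a non-default start page. The consonant-vowel test and the DNS allowlist (192.168.1.1) are assumptions made for the demonstration; the sample lines are copied from the logs posted above.

```python
"""Triage heuristics for the HijackThis and ComboFix log lines posted in this thread.

Added example: this is not code from the thread, from HijackThis or from ComboFix.
It recognises a few of the line shapes visible in the logs above and flags the
entries a helper looks at first. The consonant-vowel name test and the DNS
allowlist are assumptions made for the demonstration, not facts from the logs.
"""
import ntpath
import re

# Line shapes as printed by the tools in the posted logs (HijackThis v2.0.2, ComboFix).
CF_DNS = re.compile(r"^TCP: \{[0-9A-Fa-f-]+\} = (?P<servers>.*)$")
CF_DRV = re.compile(r"^(?P<start>[RS][0-4]) (?P<svc>[^;]+);(?P<disp>[^;]+);(?P<rest>.*)$")
CF_ORPHAN = re.compile(r"^(?P<kind>BHO|HKLM-Run|HKCU-Run|SharedTaskScheduler|SSODL|Notify)-(?P<rest>.*)$")
HJT_URL = re.compile(r"^R[01] - (?P<key>[^,]*),(?P<value>[^=]*)= (?P<url>.*)$")
HJT_RUN = re.compile(r"^O4 - (?P<hive>HK\w+)\\\.\.\\Run: \[(?P<name>[^\]]*)\] (?P<cmd>.*)$")
HJT_SVC = re.compile(r"^O23 - Service: (?P<body>.*)$")
IMAGE_TOKEN = re.compile(r'[^"\s,]+\.(?:exe|dll|sys)', re.I)

CONS, VOW = "bcdfghjklmnpqrstvwxyz", "aeiou"
# Assumption: alternating consonant-vowel stems such as yawigeyo or rakujotu are
# generated names. A rough indicator only; read it together with the rest of the log.
CV_NAME = re.compile(rf"^(?:[{CONS}][{VOW}]){{3,5}}[{CONS}]?$")
TRUSTED_DNS = {"192.168.1.1"}  # constructed allowlist; use the machine's real resolvers
MS_DEFAULT = "http://go.microsoft.com/fwlink"


def looks_generated(path_or_name):
    """True when the file stem (yawigeyo.dll -> yawigeyo) matches CV_NAME."""
    stem = ntpath.splitext(ntpath.basename(path_or_name.strip().strip('"')))[0]
    return bool(CV_NAME.match(stem.lower()))


def triage(lines):
    """Return (severity, reason, line) tuples for the lines worth a second look."""
    findings = []
    for raw in lines:
        line = raw.strip()
        m = CF_DNS.match(line)
        if m:
            for srv in (s.strip() for s in m["servers"].split(",")):
                if srv and srv not in TRUSTED_DNS:
                    findings.append(("high", f"DNS server not on allowlist: {srv}", line))
            continue
        m = CF_DRV.match(line)
        if m:
            if m["rest"].endswith("[?]"):  # ComboFix marks a missing image with [?]
                findings.append(("high", f"{m['start']} driver {m['svc']} has no file on disk", line))
            if looks_generated(m["svc"]):
                findings.append(("medium", f"generated-looking service name {m['svc']}", line))
            continue
        m = CF_ORPHAN.match(line)
        if m:
            name, _, target = m["rest"].rpartition(" - ")
            if target == "(no file)":
                findings.append(("medium", f"{m['kind']} entry {name} points at a missing file", line))
            elif looks_generated(target) or looks_generated(name.split("-")[0]):
                findings.append(("high", f"{m['kind']} entry with generated-looking name", line))
            continue
        m = HJT_URL.match(line)
        if m:
            value = m["value"].strip()
            if "page" in value.lower() and not m["url"].startswith(MS_DEFAULT):
                findings.append(("info", f"{value} set to {m['url']}", line))
            continue
        m = HJT_RUN.match(line)
        if m:
            images = IMAGE_TOKEN.findall(m["cmd"])
            if looks_generated(m["name"]) or any(looks_generated(i) for i in images):
                findings.append(("high", f"Run entry [{m['name']}] with generated-looking name", line))
            continue
        m = HJT_SVC.match(line)
        if m:
            rest, _, path = m["body"].rpartition(" - ")
            service, _, owner = rest.rpartition(" - ")
            if owner.lower() == "unknown owner":
                findings.append(("low", f"service {service} carries no vendor string", line))
            if looks_generated(path):
                findings.append(("high", f"service {service} runs a generated-looking image", line))
    return findings


def severity_counts(findings):
    """Count findings per severity, e.g. {'high': 5, 'medium': 1, 'low': 1, 'info': 1}."""
    counts = {}
    for severity, _, _ in findings:
        counts[severity] = counts.get(severity, 0) + 1
    return counts


# Sample lines copied from the ComboFix and HijackThis logs posted in this thread.
SAMPLE_LOG = r"""
TCP: {2BA00FFA-4E7C-4359-A80A-91726228B78D} = 77.74.48.113
S0 ebcgl;ebcgl;c:\windows\system32\drivers\qmusoknf.sys --> c:\windows\system32\drivers\qmusoknf.sys [?]
R2 Lavasoft Ad-Aware Service;Lavasoft Ad-Aware Service;c:\program files\Lavasoft\Ad-Aware\AAWService.exe [9/24/2009 6:17 AM 1179232]
BHO-{737e2787-6c4b-474c-b9f8-0aad7b32680a} - rakujotu.dll
HKLM-Run-bopuvofuj - c:\windows\system32\yawigeyo.dll
SSODL-lakamanes-{ecf8b13f-aae2-4d09-a8fe-4532aaebdfb6} - c:\windows\system32\yawigeyo.dll
Notify-ckpNotify - (no file)
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.altavista.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\VPTray.exe
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O23 - Service: Cyberlink RichVideo Service(CRVS) (RichVideo) - Unknown owner - C:\Program Files\CyberLink\Shared files\RichVideo.exe
O23 - Service: Symantec AntiVirus - Symantec Corporation - C:\Program Files\Symantec AntiVirus\Rtvscan.exe
""".strip().splitlines()

if __name__ == "__main__":
    for severity, reason, line in triage(SAMPLE_LOG):
        print(f"[{severity:6}] {reason}\n         {line}")
    print(severity_counts(triage(SAMPLE_LOG)))
```

Run it directly to print the findings for the embedded sample, or pass the lines of a saved log to triage(). A hit from the name heuristic on its own is a prompt to look at the file, not a verdict; the missing-file and DNS checks are the ones that correspond most directly to what the logs above show.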
cybertech, 18-Nov-2009, 05:19 PM #8
Please delete your current version of ComboFix. Download it again and post the results after running a new scan.
CaseyFletcher, 18-Nov-2009, 11:10 PM #9
Hmm, it went through the 50 or so stages, deleted 3 DLLs from the system folder, deleted an Antivirus Plus folder, and then bluescreened briefly while attempting to reboot. It then rebooted on its own, but when it came up it did not continue like it usually does, and no log was saved.
CaseyFletcher, 18-Nov-2009, 11:10 PM #10
Should I try again, Cybertech?

(I had closed spybot and ad-aware, and disabled my antivirus before running the combofix.exe btw)
cybertech, 19-Nov-2009, 08:23 PM #11
Download OTS.exe to your Desktop and double-click on it to extract the files. It will create a folder named OTS on your desktop.
  1. Close any open browsers.
  2. If your real-time protection or antivirus intervenes with OTS, allow it to run.
  3. Open the OTS folder and double-click on OTS.exe to start the program.
  4. In Additional Scans section put a check in Disabled MS Config Items and EventViewer logs
  5. Now click the Run Scan button on the toolbar.
  6. The program will be scanning huge amounts of data so depending on your system it could take a long time to complete. Let it run unhindered until it finishes.
  7. When the scan is complete Notepad will open with the report file loaded in it.
  8. Save that notepad file
Use the Reply button, scroll down to the attachments section and attach the notepad file here.

NOTE: The only people who can see attachments in the HJT forum are: the thread starter, Admins & Mods, and HJT Helpers & Trainees.
Copyright © 1996 - 2011 TechGuy, Inc. All rights reserved.