
Trojans: Vundo, BHO, Agent, Vundo.H HTLog Included! new thread

Discussion in 'Virus & Other Malware Removal' started by taponay, May 3, 2009.

  1. taponay

    taponay Thread Starter

    Joined:
    Apr 28, 2009
    Messages:
    6
    Hello.

    I have started a new thread as my problems have changed. My previous thread was called "Bad Image Messages & Spybot Change Requests" of which I did not receive any response.

    Problems: I was running anti-virus software Ad-Aware, Spybot, Malwarebytes, and F-Secure. I was continuously having Spybot popup and ask about registry changes which seemed suspicious. I uninstalled Ad-Aware and Spybot and am now only running Malwarebytes and F-Secure. I am working with Windows XP professional operating system.

    I have run malwarebytes many times to remove trojans and after it finishes its scan, it will detect between 12-18 trojans. After using the program to remove them and restart the computer, an additional scan reveals they are still there. Additionally, after "removing" the trojans with Malwarebytes, my F-Secure pops up saying there is a "FakeAlert" and asks to quarantine it.

    My main complaints are popups (in both firefox and internet explorer) and the computer is running VERY slow. The bad image messages at startup have only reappeared once.

    Trojans: (found by Malwarebytes) Vundo, Agent, BHO, Vundo.H

    HijackThis Log:

    Logfile of Trend Micro HijackThis v2.0.2
    Scan saved at 12:21:03 PM, on 5/3/2009
    Platform: Windows XP SP3 (WinNT 5.01.2600)
    MSIE: Internet Explorer v7.00 (7.00.6000.16827)
    Boot mode: Normal

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\ibmpmsvc.exe
    C:\WINDOWS\system32\Ati2evxx.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
    C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
    C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\Program Files\Common Files\LogiShrd\LVMVFM\LVPrcSrv.exe
    C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
    C:\Program Files\Bonjour\mDNSResponder.exe
    C:\Program Files\Cisco Systems\VPN Client\cvpnd.exe
    C:\Program Files\Executive Software\Diskeeper\DkService.exe
    C:\Program Files\F-Secure\Anti-Virus\fsgk32st.exe
    C:\Program Files\F-Secure\Anti-Virus\FSGK32.EXE
    C:\Program Files\F-Secure\Common\FSMA32.EXE
    C:\WINDOWS\System32\GEARSec.exe
    C:\Program Files\F-Secure\Common\FSMB32.EXE
    C:\WINDOWS\system32\Hummingbird\Connectivity\8.00\Inetd\inetd32.exe
    C:\Program Files\F-Secure\Common\FCH32.EXE
    C:\WINDOWS\system32\svchost.exe
    C:\Program Files\Java\jre6\bin\jqs.exe
    C:\Program Files\Common Files\LogiShrd\LVCOMSER\LVComSer.exe
    C:\Program Files\F-Secure\Common\FAMEH32.EXE
    C:\Program Files\F-Secure\Anti-Virus\fsqh.exe
    C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
    C:\Program Files\Norton Ghost\Agent\VProSvc.exe
    C:\WINDOWS\System32\QCONSVC.EXE
    C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
    C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
    C:\Program Files\CheckPoint\SecuRemote\bin\SR_Service.exe
    C:\Program Files\CheckPoint\SecuRemote\bin\SR_WatchDog.exe
    C:\WINDOWS\System32\svchost.exe
    C:\Program Files\Rainbow Technologies\SPN Combo Installer\1.0.5\Server\WinNT\spnsrvnt.exe
    C:\WINDOWS\System32\TPHDEXLG.EXE
    C:\WINDOWS\system32\TpKmpSVC.exe
    C:\WINDOWS\system32\WFXSVC.EXE
    C:\Program Files\WinFax\WFXMOD32.EXE
    C:\WINDOWS\system32\CCM\CcmExec.exe
    c:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
    C:\Program Files\F-Secure\Common\FNRB32.EXE
    C:\Program Files\F-Secure\Anti-Virus\fssm32.exe
    C:\Program Files\F-Secure\Common\FIH32.EXE
    C:\Program Files\F-Secure\FSAUA\program\fsaua.exe
    C:\Program Files\F-Secure\Anti-Virus\fsav32.exe
    C:\WINDOWS\system32\Ati2evxx.exe
    C:\Program Files\Common Files\LogiShrd\LVCOMSER\LVComSer.exe
    C:\WINDOWS\Explorer.EXE
    C:\Program Files\CheckPoint\SecuRemote\bin\SR_GUI.Exe
    C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
    C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
    C:\WINDOWS\system32\TpShocks.exe
    C:\PROGRA~1\ThinkPad\PkgMgr\HOTKEY\TPHKMGR.exe
    C:\Program Files\ThinkPad\PkgMgr\HOTKEY\TPONSCR.exe
    C:\Program Files\ThinkPad\PkgMgr\HOTKEY_1\TpScrex.exe
    C:\PROGRA~1\ThinkPad\UTILIT~1\EzEjMnAp.Exe
    C:\WINDOWS\system32\dla\tfswctrl.exe
    C:\Program Files\IBM\Messages By IBM\ibmmessages.exe
    C:\WINDOWS\system32\RunDll32.exe
    C:\WINDOWS\system32\rundll32.exe
    C:\Program Files\ThinkPad\ConnectUtilities\QCWLICON.EXE
    C:\Program Files\Analog Devices\SoundMAX\SMax4PNP.exe
    C:\WINDOWS\system32\rundll32.exe
    C:\WINDOWS\system32\TpScrLk.exe
    C:\Program Files\ScanSoft\OmniPageSE4.0\OpwareSE4.exe
    C:\Program Files\Common Files\Symantec Shared\ccApp.exe
    C:\PROGRA~1\WinFax\WFXSWTCH.exe
    C:\WINDOWS\system32\wfxsnt40.exe
    C:\Program Files\Norton Ghost\Agent\GhostTray.exe
    C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
    C:\Program Files\F-Secure\Common\FSM32.EXE
    C:\Program Files\Java\jre6\bin\jusched.exe
    C:\Program Files\iTunes\iTunesHelper.exe
    C:\WINDOWS\system32\ctfmon.exe
    C:\Program Files\MSN Messenger\MsnMsgr.Exe
    C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
    C:\Program Files\DNA\btdna.exe
    C:\Program Files\F-Secure\FSGUI\fsguidll.exe
    C:\Program Files\Adobe\Acrobat 6.0\Distillr\acrotray.exe
    C:\Program Files\iPod\bin\iPodService.exe
    C:\Program Files\Digital Line Detect\DLG.exe
    C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
    C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
    C:\Program Files\Print Manager Plus - Client\CheckPages.exe
    C:\Program Files\WinZip\WZQKPICK.EXE
    C:\Program Files\HP\Digital Imaging\bin\hpqSTE08.exe
    C:\WINDOWS\system32\rundll32.exe
    C:\Program Files\Malwarebytes' Anti-Malware\mbam.exe
    C:\Program Files\Mozilla Firefox\firefox.exe
    C:\WINDOWS\system32\rundll32.exe
    C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by The RETEC Group, Inc.
    R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
    O2 - BHO: HP Print Enhancer - {0347C33E-8762-4905-BF09-768834316C61} - C:\Program Files\HP\Smart Web Printing\hpswp_printenhancer.dll
    O2 - BHO: HP Print Clips - {053F9267-DC04-4294-A72C-58F732D338C0} - C:\Program Files\HP\Smart Web Printing\hpswp_framework.dll
    O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\ActiveX\AcroIEHelper.dll
    O2 - BHO: (no name) - {17d7c9e6-abd4-4d00-9c7d-2a9094eaf44d} - C:\WINDOWS\system32\vavanoho.dll (file missing)
    O2 - BHO: Skype add-on (mastermind) - {22BF413B-C6D2-4d91-82A9-A0F997BA588C} - C:\Program Files\Skype\Toolbars\Internet Explorer\SkypeIEPlugin.dll
    O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\system32\dla\tfswshx.dll
    O2 - BHO: Java(tm) Plug-In SSV Helper - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre6\bin\ssv.dll
    O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
    O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
    O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - C:\Program Files\Google\Google Toolbar\GoogleToolbar.dll
    O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\5.1.1309.3572\swg.dll
    O2 - BHO: Google Dictionary Compression sdch - {C84D72FE-E17D-4195-BB24-76C02E2E7C4E} - C:\Program Files\Google\Google Toolbar\Component\fastsearch_A8904FB862BD9564.dll
    O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
    O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
    O3 - Toolbar: Google Toolbar - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - C:\Program Files\Google\Google Toolbar\GoogleToolbar.dll
    O4 - HKLM\..\Run: [S3TRAY2] S3Tray2.exe
    O4 - HKLM\..\Run: [SynTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
    O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
    O4 - HKLM\..\Run: [TPKMAPHELPER] C:\Program Files\ThinkPad\Utilities\TpKmapAp.exe -helper
    O4 - HKLM\..\Run: [TpShocks] TpShocks.exe
    O4 - HKLM\..\Run: [TPHOTKEY] C:\PROGRA~1\ThinkPad\PkgMgr\HOTKEY\TPHKMGR.exe
    O4 - HKLM\..\Run: [TP4EX] tp4ex.exe
    O4 - HKLM\..\Run: [EZEJMNAP] C:\PROGRA~1\ThinkPad\UTILIT~1\EzEjMnAp.Exe
    O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
    O4 - HKLM\..\Run: [UC_Start] C:\Program Files\IBM\Updater\\ucstartup.exe
    O4 - HKLM\..\Run: [UpdateManager] "C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" /r
    O4 - HKLM\..\Run: [dla] C:\WINDOWS\system32\dla\tfswctrl.exe
    O4 - HKLM\..\Run: [ibmmessages] C:\Program Files\IBM\Messages By IBM\\ibmmessages.exe
    O4 - HKLM\..\Run: [SSC_UserPrompt] c:\Program Files\Common Files\Symantec Shared\Security Center\UsrPrmpt.exe
    O4 - HKLM\..\Run: [BMMGAG] RunDll32 C:\PROGRA~1\ThinkPad\UTILIT~1\pwrmonit.dll,StartPwrMonitor
    O4 - HKLM\..\Run: [BMMLREF] C:\Program Files\ThinkPad\Utilities\BMMLREF.EXE
    O4 - HKLM\..\Run: [BMMMONWND] rundll32.exe C:\PROGRA~1\ThinkPad\UTILIT~1\BatInfEx.dll,BMMAutonomicMonitor
    O4 - HKLM\..\Run: [BLOG] rundll32.exe C:\PROGRA~1\ThinkPad\UTILIT~1\BatLogEx.DLL,StartBattLog
    O4 - HKLM\..\Run: [QCWLICON] C:\Program Files\ThinkPad\ConnectUtilities\QCWLICON.EXE
    O4 - HKLM\..\Run: [SoundMAXPnP] C:\Program Files\Analog Devices\SoundMAX\SMax4PNP.exe
    O4 - HKLM\..\Run: [SoundMAX] "C:\Program Files\Analog Devices\SoundMAX\Smax4.exe" /tray
    O4 - HKLM\..\Run: [PRONoMgrWired] C:\Program Files\Intel\PROSetWired\NCS\PROSet\PRONoMgr.exe
    O4 - HKLM\..\Run: [BluetoothAuthenticationAgent] rundll32.exe bthprops.cpl,,BluetoothAuthenticationAgent
    O4 - HKLM\..\Run: [TPKBDLED] C:\WINDOWS\system32\TpScrLk.exe
    O4 - HKLM\..\Run: [SSBkgdUpdate] "C:\Program Files\Common Files\Scansoft Shared\SSBkgdUpdate\SSBkgdupdate.exe" -Embedding -boot
    O4 - HKLM\..\Run: [OpwareSE4] "C:\Program Files\ScanSoft\OmniPageSE4.0\OpwareSE4.exe"
    O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
    O4 - HKLM\..\Run: [WFXSwtch] C:\PROGRA~1\WinFax\WFXSWTCH.exe
    O4 - HKLM\..\Run: [WinFaxAppPortStarter] wfxsnt40.exe
    O4 - HKLM\..\Run: [Norton Ghost 10.0] "C:\Program Files\Norton Ghost\Agent\GhostTray.exe"
    O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
    O4 - HKLM\..\Run: [F-Secure Manager] "C:\Program Files\F-Secure\Common\FSM32.EXE" /splash
    O4 - HKLM\..\Run: [F-Secure TNB] "C:\Program Files\F-Secure\FSGUI\TNBUtil.exe" /CHECKALL /WAITFORSW
    O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"
    O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
    O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
    O4 - HKLM\..\Run: [dabujidefe] Rundll32.exe "C:\WINDOWS\system32\gekininu.dll",s
    O4 - HKLM\..\Run: [CPMa3d77fda] Rundll32.exe "c:\windows\system32\devuwuku.dll",a
    O4 - HKLM\..\Run: [a0e44c46] rundll32.exe "C:\WINDOWS\system32\levewani.dll",b
    O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
    O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
    O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
    O4 - HKCU\..\Run: [BitTorrent DNA] "C:\Program Files\DNA\btdna.exe"
    O4 - HKCU\..\Run: [ibmmessages] C:\Program Files\IBM\Messages By IBM\ibmmessages.exe
    O4 - HKUS\S-1-5-18\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe (User 'SYSTEM')
    O4 - HKUS\.DEFAULT\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe (User 'Default user')
    O4 - Global Startup: Acrobat Assistant.lnk = C:\Program Files\Adobe\Acrobat 6.0\Distillr\acrotray.exe
    O4 - Global Startup: AutoCAD Startup Accelerator.lnk = C:\Program Files\Common Files\Autodesk Shared\acstart16.exe
    O4 - Global Startup: Cisco Systems VPN Client.lnk = C:\Program Files\Cisco Systems\VPN Client\vpngui.exe
    O4 - Global Startup: Digital Line Detect.lnk = ?
    O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
    O4 - Global Startup: Logitech Desktop Messenger.lnk = C:\Program Files\Logitech\Desktop Messenger\8876480\Program\LogitechDesktopMessenger.exe
    O4 - Global Startup: Print Manager Plus - Client Module.lnk = C:\Program Files\Print Manager Plus - Client\CheckPages.exe
    O4 - Global Startup: WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.EXE
    O8 - Extra context menu item: Add to Google Photos Screensa&ver - res://C:\WINDOWS\system32\GPhotos.scr/200
    O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
    O9 - Extra button: HP Clipbook - {58ECB495-38F0-49cb-A538-10282ABF65E7} - C:\Program Files\HP\Smart Web Printing\hpswp_extensions.dll
    O9 - Extra button: HP Smart Select - {700259D7-1666-479a-93B1-3250410481E8} - C:\Program Files\HP\Smart Web Printing\hpswp_extensions.dll
    O9 - Extra button: Skype - {77BF5300-1474-4EC7-9980-D32B190E9B07} - C:\Program Files\Skype\Toolbars\Internet Explorer\SkypeIEPlugin.dll
    O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
    O9 - Extra button: Software Installer - {D1A4DEBD-C2EE-449f-B9FB-E8409F9A0BC5} - C:\Program Files\ThinkPad\PkgMgr\\PkgMgr.exe
    O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
    O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O11 - Options group: [JAVA_IBM] Java (IBM)
    O15 - Trusted Zone: ftp.woolpert.com
    O16 - DPF: {05D44720-58E3-49E6-BDF6-D00330E511D3} (StagingUI Object) - http://zone.msn.com/binFrameWork/v10/StagingUI.cab55579.cab
    O16 - DPF: {0CCA191D-13A6-4E29-B746-314DEE697D83} (Facebook Photo Uploader 5) - http://upload.facebook.com/controls/FacebookPhotoUploader5.cab
    O16 - DPF: {149E45D8-163E-4189-86FC-45022AB2B6C9} (SpinTop DRM Control) - file:///C:/Program%20Files/Laura%20Jones%20and%20the%20Gates%20of%20Good%20and%20Evil/Images/stg_drm.ocx
    O16 - DPF: {200B3EE9-7242-4EFD-B1E4-D97EE825BA53} (VerifyGMN Class) - http://h20270.www2.hp.com/ediags/gmn/install/hpobjinstaller_gmn.cab
    O16 - DPF: {2019DC25-D1C0-11D6-97B3-0008A124F542} - http://www.streamplug.com/StreamPlug/beta/SP.cab
    O16 - DPF: {3BB54395-5982-4788-8AF4-B5388FFDD0D8} (MSN Games – Buddy Invite) - http://zone.msn.com/BinFrameWork/v10/ZBuddy.cab55579.cab
    O16 - DPF: {48DD0448-9209-4F81-9F6D-D83562940134} (MySpace Uploader Control) - http://lads.myspace.com/upload/MySpaceUploader1006.cab
    O16 - DPF: {493ACF15-5CD9-4474-82A6-91670C3DD66E} (LinkedIn ContactFinderControl) - http://www.linkedin.com/cab/LinkedInContactFinderControl.cab
    O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://gfx2.hotmail.com/mail/w2/pr02/resources/MSNPUpld.cab
    O16 - DPF: {5736C456-EA94-4AAC-BB08-917ABDD035B3} (ZonePAChat Object) - http://zone.msn.com/binframework/v10/ZPAChat.cab55579.cab
    O16 - DPF: {5C6698D9-7BE4-4122-8EC5-291D84DBD4A0} (Facebook Photo Uploader 4 Control) - http://upload.facebook.com/controls/FacebookPhotoUploader3.cab
    O16 - DPF: {5F8469B4-B055-49DD-83F7-62B522420ECC} (Facebook Photo Uploader Control) - http://upload.facebook.com/controls/FacebookPhotoUploader.cab
    O16 - DPF: {67DABFBF-D0AB-41FA-9C46-CC0F21721616} (DivXBrowserPlugin Object) - http://go.divx.com/plugin/DivXBrowserPlugin.cab
    O16 - DPF: {74FFE28D-2378-11D5-990C-006094235084} (IBM Access Support) - http://www-307.ibm.com/pc/support/IbmEgath.cab
    O16 - DPF: {80B626D6-BC34-4BCF-B5A1-7149E4FD9CFA} (UnoCtrl Class) - http://zone.msn.com/bingame/zpagames/GAME_UNO1.cab60096.cab
    O16 - DPF: {9AA73F41-EC64-489E-9A73-9CD52E528BC4} (ZoneAxRcMgr Class) - http://cdn2.zone.msn.com/binframework/v10/ZAxRcMgr.cab31267.cab
    O16 - DPF: {9B17FE0E-51F2-4692-8B32-8EFB805FC0E7} (HPObjectInstaller Class) - http://h20264.www2.hp.com/ediags/dd/install/guidedsolutions.cab
    O16 - DPF: {9BDF4724-10AA-43D5-BD15-AEA0D2287303} (MSN Games – Texas Holdem Poker) - http://zone.msn.com/bingame/zpagames/zpa_txhe.cab72909.cab
    O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (MSN Games - Installer) - http://cdn2.zone.msn.com/binFramework/v10/ZIntro.cab56649.cab
    O16 - DPF: {C86FF4B0-AA1D-46D4-8612-025FB86583C7} (AstoundLauncher Control) - http://zone.msn.com/bingame/jobo/default/AstoundLauncher.cab#version=1,0,0,10
    O16 - DPF: {CC450D71-CC90-424C-8638-1F2DBAC87A54} (ArmHelper Control) - file:///C:/Program%20Files/Doggie%20Dash/Images/armhelper.ocx
    O16 - DPF: {D0C0F75C-683A-4390-A791-1ACFD5599AB8} (Oberon Flash Game Host) - http://iplay.oberon-media.com/Gameshell/GameHost/1.0/OberonGameHost.cab
    O16 - DPF: {D54160C3-DB7B-4534-9B65-190EE4A9C7F7} (SproutLauncherCtrl Class) - http://zone.msn.com/bingame/feed/default/SproutLauncher.cab
    O16 - DPF: {D6E7CFB5-C074-4D1C-B647-663D1A8D96BF} (Facebook Photo Uploader 4) - http://upload.facebook.com/controls/FacebookPhotoUploader4_5.cab
    O16 - DPF: {DA2AA6CF-5C7A-4B71-BC3B-C771BB369937} (MSN Games – Game Communicator) - http://zone.msn.com/binframework/v10/StProxy.cab55579.cab
    O16 - DPF: {E06E2E99-0AA1-11D4-ABA6-0060082AA75C} (GpcContainer Class) - https://ensr.webex.com/client/T25L/webex/ieatgpc.cab
    O16 - DPF: {E5D419D6-A846-4514-9FAD-97E826C84822} (HeartbeatCtl Class) - http://fdl.msn.com/zone/datafiles/heartbeat.cab
    O16 - DPF: {EA6246B4-F380-443F-8727-9AEA3371146C} (CPlayFirstWeddingDashControl Object) - http://www.shockwave.com/content/weddingdash/sis/WeddingDash.1.0.0.47.cab
    O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = retec.retecnet.com
    O17 - HKLM\Software\..\Telephony: DomainName = retec.retecnet.com
    O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = retec.retecnet.com
    O18 - Protocol: bwfile-8876480 - {9462A756-7B47-47BC-8C80-C34B9B80B32B} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\GAPlugProtocol-8876480.dll
    O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
    O18 - Filter: x-sdch - {B1759355-3EEC-4C1E-B0F1-B719FE26E377} - C:\Program Files\Google\Google Toolbar\Component\fastsearch_A8904FB862BD9564.dll
    O20 - AppInit_DLLs: windows\ C:\WINDOWS\system32\ C:\WINDOWS\system32\raraporo.dll C:\WINDOWS\system32\ c:\windows\system32\ c:\windows\system32\niwuyoti.dll c:\windows\system32\rihuhavu.dll C:\WINDOWS\system32\fiyobubi.dll c:\windows\system32\ c:\windows\system32\vopeside.dll c:\windows\system32\jebikono.dll c:\windows\system32\devuwuku.dll
    O21 - SSODL: SSODL - {EC43E3FD-5C60-46a6-97D7-E0B85DBDD6C4} - c:\windows\system32\devuwuku.dll
    O22 - SharedTaskScheduler: STS - {EC43E3FD-5C60-46a6-97D7-E0B85DBDD6C4} - c:\windows\system32\devuwuku.dll
    O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
    O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
    O23 - Service: Autodesk Licensing Service - Autodesk - C:\Program Files\Common Files\Autodesk Shared\Service\AdskScSrv.exe
    O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
    O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
    O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
    O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
    O23 - Service: Cisco Systems, Inc. VPN Service (CVPND) - Cisco Systems, Inc. - C:\Program Files\Cisco Systems\VPN Client\cvpnd.exe
    O23 - Service: Diskeeper - Executive Software International, Inc. - C:\Program Files\Executive Software\Diskeeper\DkService.exe
    O23 - Service: EvtEng - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
    O23 - Service: FSGKHS (F-Secure Gatekeeper Handler Starter) - F-Secure Corporation - C:\Program Files\F-Secure\Anti-Virus\fsgk32st.exe
    O23 - Service: F-Secure Network Request Broker - F-Secure Corporation - C:\Program Files\F-Secure\Common\FNRB32.EXE
    O23 - Service: F-Secure Automatic Update Agent (FSAUA) - F-Secure Corporation - C:\Program Files\F-Secure\FSAUA\program\fsaua.exe
    O23 - Service: F-Secure Management Agent (FSMA) - F-Secure Corporation - C:\Program Files\F-Secure\Common\FSMA32.EXE
    O23 - Service: GEARSecurity - GEAR Software - C:\WINDOWS\System32\GEARSec.exe
    O23 - Service: Google Software Updater (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
    O23 - Service: Hummingbird Inetd (HCLInetd) - Hummingbird Ltd. - C:\WINDOWS\system32\Hummingbird\Connectivity\8.00\Inetd\inetd32.exe
    O23 - Service: ThinkPad PM Service (IBMPMSVC) - Unknown owner - C:\WINDOWS\system32\ibmpmsvc.exe
    O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
    O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
    O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
    O23 - Service: LVCOMSer - Logitech Inc. - C:\Program Files\Common Files\LogiShrd\LVCOMSER\LVComSer.exe
    O23 - Service: Process Monitor (LVPrcSrv) - Logitech Inc. - C:\Program Files\Common Files\LogiShrd\LVMVFM\LVPrcSrv.exe
    O23 - Service: LVSrvLauncher - Logitech Inc. - C:\Program Files\Common Files\LogiShrd\SrvLnch\SrvLnch.exe
    O23 - Service: MATLAB Server (matlabserver) - Unknown owner - C:\Program Files\MATLAB71\webserver\bin\win32\matlabserver.exe
    O23 - Service: Intel NCS NetService (NetSvc) - Intel(R) Corporation - C:\Program Files\Intel\PROSetWired\NCS\Sync\NetSvc.exe
    O23 - Service: Norton Ghost - Symantec Corporation - C:\Program Files\Norton Ghost\Agent\VProSvc.exe
    O23 - Service: Hummingbird Proxy Server (ProxyEngine) - Hummingbird Ltd. - C:\Program Files\Hummingbird\Connectivity\8.00\Accessories\ProxyEngine.exe
    O23 - Service: QCONSVC - IBM Corp. - C:\WINDOWS\System32\QCONSVC.EXE
    O23 - Service: RegSrvc - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
    O23 - Service: Spectrum24 Event Monitor (S24EventMonitor) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
    O23 - Service: SoundMAX Agent Service (SoundMAX Agent Service (default)) - Analog Devices, Inc. - C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
    O23 - Service: Check Point SecuRemote Service (SR_Service) - Check Point Software Technologies - C:\Program Files\CheckPoint\SecuRemote\bin\SR_Service.exe
    O23 - Service: Check Point SecuRemote WatchDog (SR_WatchDog) - Check Point Software Technologies - C:\Program Files\CheckPoint\SecuRemote\bin\SR_WatchDog.exe
    O23 - Service: SuperProServer - Unknown owner - C:\Program Files\Rainbow Technologies\SPN Combo Installer\1.0.5\Server\WinNT\spnsrvnt.exe
    O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
    O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - c:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
    O23 - Service: ThinkPad HDD APS Logging Service (TPHDEXLGSVC) - Lenovo. - C:\WINDOWS\System32\TPHDEXLG.EXE
    O23 - Service: IBM KCU Service (TpKmpSVC) - Unknown owner - C:\WINDOWS\system32\TpKmpSVC.exe
    O23 - Service: WinFax PRO (wfxsvc) - Symantec Corporation - C:\WINDOWS\system32\WFXSVC.EXE

    --
    End of file - 23355 bytes
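The entries worth a second look in a log like the one above are the O4 Run keys that start rundll32 on an eight-letter DLL in system32 with a single-letter export, the O20 AppInit_DLLs list, the O21/O22 shell hooks, the O2 BHOs whose file is already gone, and any one DLL that turns up in several of those sections at once. The following triage script is an added example, not part of the post and not part of HijackThis; it only reads the log text and flags lines for a person to verify. The sample log is a constructed excerpt of entries in the shape of the ones posted, and the heuristics (eight lowercase letters, one-letter export name) are assumptions drawn from the naming seen in this particular log rather than a general rule.

```python
"""Triage helper for HijackThis (HJT) logs.

Added example (not from the forum post or from HijackThis). It flags entries a
reviewer should inspect first and never modifies the registry or the filesystem.
"""
import re
from collections import defaultdict, namedtuple

Finding = namedtuple("Finding", "section reason line")

# Constructed sample: entries in the shape of the posted log (legit lines included
# as negative controls, e.g. the ThinkPad power-monitor rundll32 entry).
SAMPLE_LOG = r"""
O2 - BHO: Java(tm) Plug-In SSV Helper - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre6\bin\ssv.dll
O2 - BHO: (no name) - {17d7c9e6-abd4-4d00-9c7d-2a9094eaf44d} - C:\WINDOWS\system32\vavanoho.dll (file missing)
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [BMMGAG] RunDll32 C:\PROGRA~1\ThinkPad\UTILIT~1\pwrmonit.dll,StartPwrMonitor
O4 - HKLM\..\Run: [dabujidefe] Rundll32.exe "C:\WINDOWS\system32\gekininu.dll",s
O4 - HKLM\..\Run: [CPMa3d77fda] Rundll32.exe "c:\windows\system32\devuwuku.dll",a
O4 - HKLM\..\Run: [a0e44c46] rundll32.exe "C:\WINDOWS\system32\levewani.dll",b
O20 - AppInit_DLLs: windows\ C:\WINDOWS\system32\ C:\WINDOWS\system32\raraporo.dll c:\windows\system32\niwuyoti.dll c:\windows\system32\devuwuku.dll
O21 - SSODL: SSODL - {EC43E3FD-5C60-46a6-97D7-E0B85DBDD6C4} - c:\windows\system32\devuwuku.dll
O22 - SharedTaskScheduler: STS - {EC43E3FD-5C60-46a6-97D7-E0B85DBDD6C4} - c:\windows\system32\devuwuku.dll
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
"""

# Every HJT entry starts with a section code: "O4 - HKLM\..\Run: [name] command"
ENTRY = re.compile(r"^(R\d|O\d+) - (.*)$")
# A DLL path; it may contain spaces (C:\Program Files\...), hence the lazy match.
DLL_PATH = re.compile(r"(?i)[a-z]:\\.*?\.dll\b")
# rundll32 <dll>,<export>  (export name is the token after the comma)
RUNDLL = re.compile(r'(?i)rundll32(?:\.exe)?\s+"?(.+?\.dll)"?\s*,\s*(\w+)')
# Assumed heuristic: eight lowercase letters directly under system32, as in this log.
SYS32_RANDOM = re.compile(r"(?i)\\windows\\system32\\[a-z]{8}\.dll$")


def dll_paths(section, body):
    """DLL paths referenced by one entry body.

    O20 (AppInit_DLLs) is a whitespace-separated list, so it is split on spaces;
    other sections hold at most one path, which itself may contain spaces.
    """
    if section == "O20":
        return [tok for tok in body.split() if tok.lower().endswith(".dll")]
    return DLL_PATH.findall(body)


def triage(log_text):
    """Return Finding tuples for the entries a reviewer should look at first."""
    findings = []
    for raw in log_text.splitlines():
        line = raw.strip()
        m = ENTRY.match(line)
        if not m:
            continue
        section, body = m.groups()
        if section == "O2" and ("(file missing)" in body or "(no file)" in body):
            findings.append(Finding(section, "BHO registered but its DLL is gone (orphan)", line))
        elif section == "O4":
            rm = RUNDLL.search(body)
            if rm and SYS32_RANDOM.search(rm.group(1)) and len(rm.group(2)) == 1:
                findings.append(Finding(section, "rundll32 loads random-named system32 DLL via one-letter export", line))
        elif section == "O20":
            for dll in dll_paths(section, body):
                findings.append(Finding(section, f"AppInit_DLLs injects {dll} into every process", line))
        elif section in ("O21", "O22"):
            findings.append(Finding(section, "shell startup hook (SSODL / SharedTaskScheduler)", line))
    return findings


def cross_references(log_text):
    """DLL basename -> sorted sections referencing it, for DLLs seen in two or more sections."""
    refs = defaultdict(set)
    for raw in log_text.splitlines():
        m = ENTRY.match(raw.strip())
        if not m:
            continue
        section, body = m.groups()
        for path in dll_paths(section, body):
            refs[path.rsplit("\\", 1)[-1].lower()].add(section)
    return {name: sorted(secs) for name, secs in refs.items() if len(secs) > 1}


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"[{f.section}] {f.reason}\n    {f.line}")
    for name, secs in cross_references(SAMPLE_LOG).items():
        print(f"{name} is referenced from sections {', '.join(secs)}")
```

Run against the sample, the script flags the three one-letter rundll32 Run entries, the three AppInit DLLs, both shell hooks and the two orphaned BHOs, and the cross-reference pass shows devuwuku.dll wired into O4, O20, O21 and O22 at once, which is why a single autostart line is rarely the whole picture. The ThinkPad pwrmonit.dll entry, which also goes through rundll32, is left alone because it lives outside system32 and calls a named export.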
     
  2. taponay

    taponay Thread Starter

    Joined:
    Apr 28, 2009
    Messages:
    6
    bump

    Please help. I know that each computer and case are different and the programs you use (combofix) can cause serious problems if not run correctly, so I don't want to just follow the instructions given to someone else for these trojans (however, if this is your advice, I'll do it).
     
  3. cybertech

    cybertech Retired Moderator

    Joined:
    Apr 16, 2002
    Messages:
    72,115
    Hi, welcome to TSG!!

    Download ComboFix from one of these locations:

    Link 1
    Link 2
    Link 3

    **Note: It is important that it is saved directly to your desktop**

    --------------------------------------------------------------------

    With malware infections being as they are today, it's strongly recommended to have the Windows Recovery Console pre-installed on your machine before doing any malware removal.

    The Windows Recovery Console will allow you to boot up into a special recovery (repair) mode. This allows us to more easily help you should your computer have a problem after an attempted removal of malware. It is a simple procedure that will only take a few moments of your time.


    Go to Microsoft's website => http://support.microsoft.com/kb/310994

    Select the download that's appropriate for your Operating System



    Download the file & save it as it's originally named.


    Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools.

    Please note once you start ComboFix you should not click anywhere on the ComboFix window as it can cause the program to stall.



    • Drag the setup package onto ComboFix.exe and drop it.
    • Follow the prompts to start ComboFix and when prompted, agree to the End-User License Agreement to install the Microsoft Recovery Console.



    • At the next prompt, click 'Yes' to run the full ComboFix scan.
    • When the tool is finished, it will produce a report for you.
    Please post the C:\ComboFix.txt in your next reply.
     
  4. taponay

    taponay Thread Starter

    Joined:
    Apr 28, 2009
    Messages:
    6
    Hello and thanks for helping.

    I ran the combofix as asked:
    1st try: stalled
    2nd try: ran program, rebooted, sat with blue screen saying it was writing a log for over an hour but it never finished.
    3rd try: assumed programs stalled, reran combo fix, same thing occurred

    I have two recurring "errors" during my startup that I exit out of. This may be the reason for the long run times or stalls. These are a 'Solution Center' which looks for a disk (I believe it is related to my printer) and a 'Runner Error' which says "Runner file name (LogitechDesktopMessenger.exe) lacks a '-' (the app id separator)". If you could help me get rid of these errors as well, I would be grateful.

    I've posted the first combofix.txt file (from '2nd try') below even though it didn't finish. The file from the 3rd try was the same. If I need to wait longer than an hour, please let me know as I am also writing my thesis and cannot wait that long on this computer without running a program.

    *NOTE: I had to erase some of the log as it didn't fit within the 30000 character maximum. I erased the deleted files associated with a game called DinerDash and another called TriJinx (though I don't know this second one and did not know of it being on my computer). I left spaces below these deletions so you would know where it was deleted. My nephew downloaded the DinerDash game months ago and I had thought I removed it all from my system. I am surprised to see it was still on there.

    Combofix.txt

    ComboFix 09-05-08.03 - mboshek 05/09/2009 10:44:19.1 - NTFSx86
    Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.2047.1408 [GMT 2:00]
    Running from: C:\Documents and Settings\mboshek\Desktop\ComboFix.exe
    Command switches used :: C:\Documents and Settings\mboshek\Desktop\WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe
    AV: F-Secure Anti-Virus for Workstations 7.10 *On-access scanning disabled* (Updated)
    .

    ((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
    .

    C:\Documents and Settings\mboshek\Application Data\pidle
    C:\Documents and Settings\mboshek\Local Settings\Temporary Internet Files\fbk.sts
    C:\WINDOWS\Downloaded Program Files\DinerDash.1.0.0.89

    C:\WINDOWS\Downloaded Program Files\DinerDash2.1.0.0.55

    C:\WINDOWS\Downloaded Program Files\TriJinx.1.0.0.67

    C:\WINDOWS\IE4 Error Log.txt
    C:\WINDOWS\system32\abokazuw.ini
    C:\WINDOWS\system32\aluwaget.ini
    C:\WINDOWS\system32\aramenud.ini
    C:\WINDOWS\system32\AutoRun.inf
    C:\WINDOWS\system32\azugokib.ini
    C:\WINDOWS\system32\bikoguza.dll
    C:\WINDOWS\system32\dajufiwe.exe
    C:\WINDOWS\system32\donusesu.dll
    C:\WINDOWS\system32\drivers\npf.sys
    C:\WINDOWS\system32\gizisuyo.dll
    C:\WINDOWS\system32\heniloza.dll
    C:\WINDOWS\system32\hugeloko.exe
    C:\WINDOWS\system32\leheziti.exe
    C:\WINDOWS\system32\luyehije.exe
    C:\WINDOWS\system32\oterarav.ini
    C:\WINDOWS\system32\Packet.dll
    C:\WINDOWS\system32\peliziru.dll
    C:\WINDOWS\system32\regsvr32.dll
    C:\WINDOWS\system32\rosotuse.dll
    C:\WINDOWS\system32\sadujoka.dll
    C:\WINDOWS\system32\sibofuda.exe
    C:\WINDOWS\system32\tegawula.dll
    C:\WINDOWS\system32\tehepepa.exe
    C:\WINDOWS\system32\tohedida.dll
    C:\WINDOWS\system32\varareto.dll
    C:\WINDOWS\system32\vudaviyi.dll
    C:\WINDOWS\system32\wpcap.dll
    C:\WINDOWS\system32\wuzakoba.dll
    C:\WINDOWS\system32\zawawije.dll
    C:\WINDOWS\system32\zusijowa.dll

    .
    ((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
    .

    -------\Service_NPF


    ((((((((((((((((((((((((( Files Created from 2009-04-09 to 2009-05-09 )))))))))))))))))))))))))))))))
    .

    2009-04-30 08:39:03 . 2009-04-30 08:39:03 0 d-----w C:\WINDOWS\system32\config\systemprofile\Application Data\HPAppData
    2009-04-30 08:33:06 . 2009-04-30 08:33:06 0 d-----w C:\Documents and Settings\LocalService\Application Data\HPAppData
    2009-04-28 13:46:43 . 2009-04-28 13:46:43 0 d-----w C:\Program Files\Trend Micro
    2009-04-27 20:45:52 . 2009-05-01 08:51:53 0 dc-h--w C:\Documents and Settings\All Users\Application Data\~0
    2009-04-27 20:45:35 . 2009-05-01 08:51:57 0 d-----w C:\Documents and Settings\All Users\Application Data\Lavasoft
    2009-04-27 20:27:26 . 2009-04-27 20:27:26 0 d-----w C:\Documents and Settings\mboshek\Application Data\Lavasoft
    2009-04-20 16:59:02 . 2009-04-20 16:59:02 0 d-----w C:\Program Files\iPod
    2009-04-20 16:58:55 . 2009-04-20 16:59:32 0 d-----w C:\Documents and Settings\All Users\Application Data\{8CD7F5AF-ECFA-4793-BF40-D8F42DBFF906}
    2009-04-20 16:58:55 . 2009-04-20 16:59:32 0 d-----w C:\Program Files\iTunes
    2009-04-16 06:42:34 . 2009-03-06 14:22:18 284160 ------w C:\WINDOWS\system32\dllcache\pdh.dll
    2009-04-16 06:42:33 . 2009-02-06 10:39:08 35328 ------w C:\WINDOWS\system32\dllcache\sc.exe
    2009-04-16 06:42:33 . 2009-02-09 12:10:48 401408 ------w C:\WINDOWS\system32\dllcache\rpcss.dll
    2009-04-16 06:42:33 . 2009-02-06 11:11:05 110592 ------w C:\WINDOWS\system32\dllcache\services.exe
    2009-04-16 06:42:33 . 2009-02-09 12:10:48 473600 ------w C:\WINDOWS\system32\dllcache\fastprox.dll
    2009-04-16 06:42:32 . 2009-02-06 10:10:02 227840 ------w C:\WINDOWS\system32\dllcache\wmiprvse.exe
    2009-04-16 06:42:32 . 2009-02-09 12:10:48 453120 ------w C:\WINDOWS\system32\dllcache\wmiprvsd.dll
    2009-04-16 06:42:31 . 2009-02-09 12:10:49 729088 ------w C:\WINDOWS\system32\dllcache\lsasrv.dll
    2009-04-16 06:42:31 . 2009-02-09 12:10:48 617472 ------w C:\WINDOWS\system32\dllcache\advapi32.dll
    2009-04-16 06:42:31 . 2009-02-09 12:10:48 714752 ------w C:\WINDOWS\system32\dllcache\ntdll.dll
    2009-04-16 06:41:35 . 2008-05-03 11:55:36 2560 ------w C:\WINDOWS\system32\xpsp4res.dll
    2009-04-16 06:41:34 . 2008-04-21 12:08:15 215552 ------w C:\WINDOWS\system32\dllcache\wordpad.exe

    .
    (((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    2009-05-09 08:58:41 . 2008-03-12 20:31:59 0 d-----w C:\Program Files\DNA
    2009-05-09 08:52:49 . 2007-12-03 08:54:05 0 ----a-w C:\WINDOWS\system32\drivers\lvuvc.hs
    2009-05-09 08:52:45 . 2008-02-05 20:58:54 0 ----a-w C:\WINDOWS\system32\drivers\logiflt.iad
    2009-05-09 08:50:38 . 2005-11-16 19:06:45 12 ----a-w C:\WINDOWS\bthservsdp.dat
    2009-05-07 19:05:59 . 2009-02-07 19:05:28 48128 --sha-w C:\WINDOWS\system32\nusayuku.dll
    2009-05-07 08:24:50 . 2009-05-07 08:24:50 104 ----a-w C:\Program Files\phroqlu.txt
    2009-05-05 09:33:28 . 2009-02-05 09:33:25 79872 ----a-w C:\WINDOWS\system32\mabovamo.dll
    2009-05-04 20:16:07 . 2009-05-04 20:16:07 172 ----a-w C:\Program Files\mequmv.txt
    2009-05-03 11:29:23 . 2007-08-06 17:45:57 0 d-----w C:\Program Files\DivX
    2009-05-03 11:15:56 . 2009-05-03 11:15:56 240 ----a-w C:\Program Files\whpu.txt
    2009-05-03 09:58:49 . 2005-03-21 15:34:27 0 d-----w C:\Program Files\Viewpoint
    2009-04-27 19:18:57 . 2009-04-27 19:18:57 376 ----a-w C:\Program Files\cifgcgm.txt
    2009-04-20 16:58:59 . 2007-08-05 21:59:15 0 d-----w C:\Program Files\Common Files\Apple
    2009-04-07 09:09:58 . 2008-05-22 21:10:59 0 d-----w C:\Program Files\AutoCAD LT 2004
    2009-04-06 18:43:09 . 2008-03-16 15:53:48 0 d-----w C:\Program Files\Delft-Chess
    2009-03-28 20:18:06 . 2008-03-01 20:35:14 137607 ----a-w C:\WINDOWS\HPHins15.dat
    2009-03-23 23:01:00 . 2009-03-23 23:07:44 410984 ----a-w C:\WINDOWS\system32\deploytk.dll
    2009-03-23 23:00:48 . 2008-08-21 15:44:58 0 d-----w C:\Program Files\Java
    2009-03-20 13:52:49 . 2008-12-16 22:26:09 0 d-----w C:\Program Files\Carr Software
    2009-03-20 08:23:34 . 2009-03-20 08:23:34 0 d-----w C:\Program Files\Bonjour
    2009-03-20 08:22:33 . 2009-03-20 08:21:37 0 d-----w C:\Program Files\QuickTime
    2009-03-19 14:32:48 . 2008-01-29 10:01:28 23400 ----a-w C:\WINDOWS\system32\drivers\GEARAspiWDM.sys
    2009-03-06 14:22:18 . 1980-01-01 08:00:00 284160 ----a-w C:\WINDOWS\system32\pdh.dll
    2009-03-04 21:22:55 . 2005-01-27 15:50:55 101112 ----a-w C:\Documents and Settings\Administrator\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
    2009-03-04 16:29:25 . 2009-03-04 16:29:25 5607 ----a-w C:\WINDOWS\~GLH0001.TMP
    2009-03-04 16:29:25 . 2009-03-04 16:29:24 137504 ----a-w C:\WINDOWS\~GLC0001.TMP
    2009-03-04 15:44:02 . 2009-03-04 15:44:02 6656 ----a-w C:\WINDOWS\system32\haspvdd.dll
    2009-03-04 15:44:02 . 2009-03-04 15:44:02 47616 ----a-w C:\WINDOWS\system32\drivers\Haspnt.sys
    2009-03-04 15:44:02 . 2009-03-04 15:44:02 383 ----a-w C:\WINDOWS\system32\haspdos.sys
    2009-03-04 15:30:54 . 2009-03-04 15:30:54 5607 ----a-w C:\WINDOWS\~GLH0000.TMP
    2009-03-04 15:30:54 . 2009-03-04 15:30:54 137504 ----a-w C:\WINDOWS\~GLC0000.TMP
    2009-03-03 00:18:25 . 1980-01-01 08:00:00 826368 ----a-w C:\WINDOWS\system32\wininet.dll
    2009-02-20 18:09:38 . 2005-01-27 15:43:08 78336 ----a-w C:\WINDOWS\system32\ieencode.dll
    2009-02-09 12:10:49 . 1980-01-01 08:00:00 729088 ----a-w C:\WINDOWS\system32\lsasrv.dll
    2009-02-09 12:10:48 . 1980-01-01 08:00:00 714752 ----a-w C:\WINDOWS\system32\ntdll.dll
    2009-02-09 12:10:48 . 1980-01-01 08:00:00 617472 ----a-w C:\WINDOWS\system32\advapi32.dll
    2009-02-09 12:10:48 . 1980-01-01 08:00:00 401408 ----a-w C:\WINDOWS\system32\rpcss.dll
    2009-02-09 11:13:27 . 1980-01-01 08:00:00 1846784 ----a-w C:\WINDOWS\system32\win32k.sys
    2008-05-24 20:42:31 . 2008-05-24 20:42:31 0 ----a-w C:\Program Files\temp01
    2009-01-28 08:07:46 . 2009-01-28 08:07:46 50176 --sha-w C:\WINDOWS\system32\fiyobubi.dll.tmp
    2009-02-07 19:07:00 . 2009-02-07 19:07:00 48128 --sha-w C:\WINDOWS\system32\godudona.dll
    2009-02-07 19:07:00 . 2009-02-07 19:07:00 48128 --sha-w C:\WINDOWS\system32\nuwolili.dll
    2009-02-07 19:07:00 . 2009-02-07 19:07:00 48128 --sha-w C:\WINDOWS\system32\voripuwi.dll
    .

    ((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    *Note* empty entries & legit default entries are not shown
    REGEDIT4

    [HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{17d7c9e6-abd4-4d00-9c7d-2a9094eaf44d}]
    2009-02-07 19:07:00 48128 --sha-w C:\WINDOWS\system32\godudona.dll

    [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2008-04-14 00:12:16 15360]
    "MsnMsgr"="C:\Program Files\MSN Messenger\MsnMsgr.Exe" [2007-01-19 10:54:56 5674352]
    "swg"="C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2007-10-09 17:17:07 68856]
    "BitTorrent DNA"="C:\Program Files\DNA\btdna.exe" [2008-12-19 22:49:33 342848]
    "ibmmessages"="C:\Program Files\IBM\Messages By IBM\ibmmessages.exe" [2004-07-22 10:01:00 442368]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "SynTPLpr"="C:\Program Files\Synaptics\SynTP\SynTPLpr.exe" [2006-02-14 21:17:28 110592]
    "SynTPEnh"="C:\Program Files\Synaptics\SynTP\SynTPEnh.exe" [2006-02-14 21:16:28 512000]
    "TPKMAPHELPER"="C:\Program Files\ThinkPad\Utilities\TpKmapAp.exe" [2005-10-29 02:04:44 864256]
    "TPHOTKEY"="C:\PROGRA~1\ThinkPad\PkgMgr\HOTKEY\TPHKMGR.exe" [2006-05-10 22:03:44 94208]
    "EZEJMNAP"="C:\PROGRA~1\ThinkPad\UTILIT~1\EzEjMnAp.Exe" [2006-02-24 09:22:00 237568]
    "ATIPTA"="C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe" [2005-05-26 04:00:00 344064]
    "UC_Start"="C:\Program Files\IBM\Updater\\ucstartup.exe" [2004-07-15 00:34:18 36864]
    "UpdateManager"="C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" [2003-08-19 09:01:00 110592]
    "dla"="C:\WINDOWS\system32\dla\tfswctrl.exe" [2004-09-02 09:05:00 127035]
    "ibmmessages"="C:\Program Files\IBM\Messages By IBM\\ibmmessages.exe" [2004-07-22 10:01:00 442368]
    "SSC_UserPrompt"="c:\Program Files\Common Files\Symantec Shared\Security Center\UsrPrmpt.exe" [2004-08-06 01:23:14 218240]
    "BMMGAG"="C:\PROGRA~1\ThinkPad\UTILIT~1\pwrmonit.dll" [2005-04-20 07:38:00 110592]
    "BMMLREF"="C:\Program Files\ThinkPad\Utilities\BMMLREF.EXE" [2005-04-20 07:38:00 20480]
    "BMMMONWND"="C:\PROGRA~1\ThinkPad\UTILIT~1\BatInfEx.dll" [2005-04-20 07:38:00 396288]
    "BLOG"="C:\PROGRA~1\ThinkPad\UTILIT~1\BatLogEx.DLL" [2005-04-20 07:38:00 208896]
    "QCWLICON"="C:\Program Files\ThinkPad\ConnectUtilities\QCWLICON.EXE" [2005-03-18 09:07:00 86016]
    "SoundMAXPnP"="C:\Program Files\Analog Devices\SoundMAX\SMax4PNP.exe" [2004-10-14 16:11:10 1388544]
    "PRONoMgrWired"="C:\Program Files\Intel\PROSetWired\NCS\PROSet\PRONoMgr.exe" [2003-08-06 22:08:00 86016]
    "TPKBDLED"="C:\WINDOWS\system32\TpScrLk.exe" [2002-10-09 05:28:42 40960]
    "SSBkgdUpdate"="C:\Program Files\Common Files\Scansoft Shared\SSBkgdUpdate\SSBkgdupdate.exe" [2003-09-30 08:14:58 155648]
    "OpwareSE4"="C:\Program Files\ScanSoft\OmniPageSE4.0\OpwareSE4.exe" [2006-03-21 21:19:40 69632]
    "ccApp"="C:\Program Files\Common Files\Symantec Shared\ccApp.exe" [2006-07-20 03:26:04 52896]
    "WFXSwtch"="C:\PROGRA~1\WinFax\WFXSWTCH.exe" [2001-09-10 20:03:56 27648]
    "Norton Ghost 10.0"="C:\Program Files\Norton Ghost\Agent\GhostTray.exe" [2005-09-10 02:09:24 1537648]
    "HP Software Update"="C:\Program Files\HP\HP Software Update\HPWuSchd2.exe" [2007-03-11 20:34:40 49152]
    "F-Secure Manager"="C:\Program Files\F-Secure\Common\FSM32.EXE" [2007-10-05 09:35:10 182952]
    "F-Secure TNB"="C:\Program Files\F-Secure\FSGUI\TNBUtil.exe" [2007-10-05 09:35:02 895600]
    "iTunesHelper"="C:\Program Files\iTunes\iTunesHelper.exe" [2009-04-02 14:11:02 342312]
    "SunJavaUpdateSched"="C:\Program Files\Java\jre6\bin\jusched.exe" [2009-03-23 23:01:12 136600]
    "dabujidefe"="C:\WINDOWS\system32\nuwolili.dll" [2009-02-07 19:07:00 48128]
    "S3TRAY2"="S3Tray2.exe" - C:\WINDOWS\system32\S3Tray2.exe [2001-10-12 07:32:36 69632]
    "TpShocks"="TpShocks.exe" - C:\WINDOWS\system32\TpShocks.exe [2005-11-07 18:14:16 106496]
    "TP4EX"="tp4ex.exe" - C:\WINDOWS\system32\TP4EX.exe [2005-10-17 08:11:00 65536]
    "BluetoothAuthenticationAgent"="bthprops.cpl" - C:\WINDOWS\system32\bthprops.cpl [2008-04-14 00:12:41 110592]
    "WinFaxAppPortStarter"="wfxsnt40.exe" - C:\WINDOWS\system32\WFXSNT40.EXE [2001-09-10 20:03:55 45568]

    [HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
    "ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2008-04-14 00:12:16 15360]

    C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
    Acrobat Assistant.lnk - C:\Program Files\Adobe\Acrobat 6.0\Distillr\acrotray.exe [2003-10-24 217194]
    AutoCAD Startup Accelerator.lnk - C:\Program Files\Common Files\Autodesk Shared\acstart16.exe [2005-3-5 10872]
    Cisco Systems VPN Client.lnk - C:\Program Files\Cisco Systems\VPN Client\vpngui.exe [2009-2-9 1544984]
    Digital Line Detect.lnk - C:\Program Files\Digital Line Detect\DLG.exe [2006-6-29 24576]
    HP Digital Imaging Monitor.lnk - C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe [2007-3-11 210520]
    Logitech Desktop Messenger.lnk - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\LogitechDesktopMessenger.exe [2007-12-3 67128]
    Print Manager Plus - Client Module.lnk - C:\Program Files\Print Manager Plus - Client\CheckPages.exe [2006-4-17 258048]
    WinZip Quick Pick.lnk - C:\Program Files\WinZip\WZQKPICK.EXE [2005-3-21 106560]

    [hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
    "{A213B520-C6C2-11d0-AF9D-008029E1027E}"= "C:\Program Files\WinFax\WfxSeh32.Dll" [1998-07-27 11:54:06 38400]

    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\ckpNotify]
    2004-07-14 05:14:08 24673 ------w C:\WINDOWS\system32\ckpNotify.dll

    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\QConGina]
    2005-03-18 09:07:00 262144 ------w C:\WINDOWS\system32\QConGina.dll

    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\tpfnf2]
    2005-07-06 06:45:08 28672 ------w C:\WINDOWS\system32\notifyf2.dll

    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\tphotkey]
    2005-12-01 03:16:02 24576 ------w C:\WINDOWS\system32\tphklock.dll

    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
    "AppInit_DLLs"=C:\WINDOWS\system32\voripuwi.dll c:\windows\system32\vudaviyi.dll

    [HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
    Notification Packages REG_MULTI_SZ scecli C:\WINDOWS\system32\voripuwi.dll

    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\Machine\Scripts\Startup\0\0]
    "Script"=AddDesktopSupport.vbs

    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-448539723-823518204-1417001333-4780\Scripts\Logon\0\0]
    "Script"=RETEC master r2.0a.vbs

    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-448539723-823518204-1417001333-500\Scripts\Logon\0\0]
    "Script"=RETEC master r2.0a.vbs

    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-448539723-823518204-1417001333-81111\Scripts\Logon\0\0]
    "Script"=RETEC master r2.0a.vbs

    [HKEY_LOCAL_MACHINE\software\microsoft\security center]
    "UpdatesDisableNotify"=dword:00000001

    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
    "EnableFirewall"= 0 (0x0)

    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
    "%windir%\\system32\\sessmgr.exe"=
    "C:\\Program Files\\Messenger\\msmsgs.exe"=
    "C:\\Program Files\\Print Manager Plus - Client\\CheckPages.exe"=
    "C:\\Program Files\\BitTorrent_DNA\\dna.exe"=
    "C:\\Program Files\\BitTorrent\\bittorrent.exe"=
    "%windir%\\Network Diagnostic\\xpnetdiag.exe"=
    "C:\\Program Files\\MSN Messenger\\msnmsgr.exe"=
    "C:\\Program Files\\MSN Messenger\\livecall.exe"=
    "C:\\Program Files\\Mozilla Firefox\\firefox.exe"=
    "C:\\Program Files\\IBM\\Updater\\ucsmb.exe"=
    "C:\\Program Files\\IBM\\Updater\\jre\\bin\\javaw.exe"=
    "C:\\Program Files\\IBM\\Updater\\jre\\bin\\java.exe"=
    "C:\\Program Files\\Logitech\\Desktop Messenger\\8876480\\Program\\LogitechDesktopMessenger.exe"=
    "C:\\Program Files\\CheckPoint\\SecuRemote\\bin\\SR_GUI.exe"=
    "C:\\Program Files\\NetMeeting\\conf.exe"=
    "C:\\Program Files\\DNA\\btdna.exe"=
    "C:\\Program Files\\Hummingbird\\Connectivity\\8.00\\Exceed\\exceed.exe"=
    "C:\\Program Files\\Bonjour\\mDNSResponder.exe"=
    "C:\\Program Files\\Java\\jre6\\bin\\java.exe"=
    "C:\\Program Files\\iTunes\\iTunes.exe"=
    "C:\\WINDOWS\\system32\\WgaTray.exe"=
    "C:\\Program Files\\F-Secure\\Anti-Virus\\fsav32.exe"=
    "C:\\Program Files\\Skype\\Phone\\Skype.exe"=
    "C:\\WINDOWS\\system32\\winlogon.exe"=

    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
    "3389:TCP"= 3389:TCP:*:Disabled:@xpsp2res.dll,-22009

    R0 Shockprf;Shockprf;C:\WINDOWS\system32\drivers\shockprf.sys [1/27/2005 5:56:01 PM 85760]
    R1 ShockMgr;ShockMgr;C:\WINDOWS\system32\drivers\ShockMgr.sys [1/27/2005 5:56:01 PM 4736]
    R1 TPPWR;TPPWR;C:\WINDOWS\system32\drivers\TPPWR.SYS [1/27/2005 6:20:49 PM 16384]
    R2 Scap;SecureClient Application Policy Module;C:\WINDOWS\system32\drivers\scap.sys [5/13/2006 12:52:36 AM 17456]
    R2 VPN-1;VPN-1 Module;C:\WINDOWS\system32\drivers\vpn.sys [5/13/2006 12:52:36 AM 670128]
    R3 F-Secure Gatekeeper;F-Secure Gatekeeper;C:\Program Files\F-Secure\Anti-Virus\minifilter\fsgk.sys [5/6/2008 9:07:19 PM 62064]
    R3 FW1;SecuRemote Miniport;C:\WINDOWS\system32\drivers\fw.sys [5/13/2006 12:52:58 AM 2041904]
    R3 RMSPPPOE;WAN Miniport (PPP over Ethernet Protocol);C:\WINDOWS\system32\drivers\RMSPPPOE.SYS [10/3/2002 1:09:08 AM 31424]
    S0 fjetlrmn;fjetlrmn;C:\WINDOWS\system32\drivers\ctxpb.sys --> C:\WINDOWS\system32\drivers\ctxpb.sys [?]
    S0 hogxk;hogxk;C:\WINDOWS\system32\drivers\rezuhi.sys --> C:\WINDOWS\system32\drivers\rezuhi.sys [?]
    S0 hxfarrmf;hxfarrmf;C:\WINDOWS\system32\drivers\nbwcwiv.sys --> C:\WINDOWS\system32\drivers\nbwcwiv.sys [?]
    S0 Iklaf;Iklaf;C:\WINDOWS\system32\drivers\yqeu.sys --> C:\WINDOWS\system32\drivers\yqeu.sys [?]
    S0 lpqbw;lpqbw;C:\WINDOWS\system32\drivers\mzgfvehz.sys --> C:\WINDOWS\system32\drivers\mzgfvehz.sys [?]
    S0 noasqmm;noasqmm;C:\WINDOWS\system32\drivers\qpbb.sys --> C:\WINDOWS\system32\drivers\qpbb.sys [?]
    S0 ntcdrdrv;ntcdrdrv;C:\WINDOWS\system32\DRIVERS\ntcdrdrv.sys --> C:\WINDOWS\system32\DRIVERS\ntcdrdrv.sys [?]
    S0 nynwh;nynwh;C:\WINDOWS\system32\drivers\upuxgig.sys --> C:\WINDOWS\system32\drivers\upuxgig.sys [?]
    S0 oynvw;oynvw;C:\WINDOWS\system32\drivers\wpixdk.sys --> C:\WINDOWS\system32\drivers\wpixdk.sys [?]
    S0 pugudet;pugudet;C:\WINDOWS\system32\drivers\gldliae.sys --> C:\WINDOWS\system32\drivers\gldliae.sys [?]
    S0 qlnpqium;qlnpqium;C:\WINDOWS\system32\drivers\lqprnd.sys --> C:\WINDOWS\system32\drivers\lqprnd.sys [?]
    S0 rycf;rycf;C:\WINDOWS\system32\drivers\ojbn.sys --> C:\WINDOWS\system32\drivers\ojbn.sys [?]
    S0 wjgpahz;wjgpahz;C:\WINDOWS\system32\drivers\ihfyunfg.sys --> C:\WINDOWS\system32\drivers\ihfyunfg.sys [?]
    S3 MovRVDrv32;MovRVDrv32;C:\WINDOWS\system32\drivers\MovRVDrv32.sys [11/13/2007 3:50:53 PM 2688]
    S3 MusCDriverV32;MusCDriverV32;C:\WINDOWS\system32\drivers\MusCDriverV32.sys [11/13/2007 3:05:38 PM 513152]
    S3 MusCVideo32;MusCVideo32;C:\WINDOWS\system32\drivers\MusCVideo32.sys [11/13/2007 3:05:38 PM 2688]
    S3 Ndisprot;ArcNet NDIS Protocol Driver;C:\WINDOWS\system32\drivers\ndisprot.sys [11/14/2008 2:09:42 PM 27904]
    S3 OMVA;VPN-1 SecureClient Adapter;C:\WINDOWS\system32\drivers\OMVA.sys [5/13/2006 12:52:58 AM 14924]
    S3 ProxyEngine;Hummingbird Proxy Server;C:\Program Files\Hummingbird\Connectivity\8.00\Accessories\ProxyEngine.exe [3/4/2009 3:46:32 PM 118784]
    S3 QCNDISIF;QCNDISIF;C:\WINDOWS\system32\drivers\qcndisif.sys [1/27/2005 6:18:36 PM 12288]
    S3 Rockey_USB;Feitian ROCKEY4 USB Service;C:\WINDOWS\system32\drivers\Rockey4USB.sys [2/13/2004 10:41:58 PM 12928]
    S4 F-Secure Filter;F-Secure File System Filter;C:\Program Files\F-Secure\Anti-Virus\win2k\fsfilter.sys [5/6/2008 9:07:19 PM 39792]
    S4 F-Secure Recognizer;F-Secure File System Recognizer;C:\Program Files\F-Secure\Anti-Virus\win2k\fsrec.sys [5/6/2008 9:07:19 PM 25200]

    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
    hpdevmgmt REG_MULTI_SZ hpqcxs08 hpqddsvc

    [HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{01e2aeea-a69e-11dd-9af4-0012f0b75460}]
    \Shell\AutoRun\command - qquq.bat
    \Shell\explore\Command - qquq.bat
    \Shell\open\Command - qquq.bat

    [HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{1c04a08f-614b-11dc-9a8a-0012f0b75460}]
    \Shell\AutoRun\command - b.com
    \Shell\explore\Command - b.com
    \Shell\open\Command - b.com

    [HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{2dc17cd0-98fb-11dd-9aee-0012f0b75460}]
    \Shell\AutoRun\command - C:\WINDOWS\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL Toy.exe

    [HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{2e643564-9204-11dc-9a9a-0012f0b75460}]
    \Shell\AutoRun\command - D:\loader.exe
    .
    Contents of the 'Scheduled Tasks' folder

    2009-05-04 C:\WINDOWS\Tasks\AppleSoftwareUpdate.job
    - C:\Program Files\Apple Software Update\SoftwareUpdate.exe [2008-04-11 15:57:18 . 2008-07-30 10:34:12]
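One way to triage the "Reg Loading Points" section above is to parse it and flag the load points that Vundo-style infections abuse. This is an added example, not part of the thread or of ComboFix itself; the sample text is a cut-down copy of the entries posted above, and the set of "default" LSA notification packages is an assumption.

```python
"""Triage helper for the 'Reg Loading Points' section of a ComboFix log.

Added example, not part of the thread or of ComboFix. It parses the
key/value layout shown above and flags the load points that Vundo-style
infections abuse: AppInit_DLLs, extra LSA Notification Packages, Run values
that point straight at a DLL, BHOs backed by hidden+system DLLs, and
mountpoints2 AutoRun commands on mounted volumes.
"""
import re
from typing import Dict, List, Tuple

# Constructed sample: a cut-down copy of the loading points posted above.
SAMPLE_LOG = r"""
[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{17d7c9e6-abd4-4d00-9c7d-2a9094eaf44d}]
2009-02-07 19:07:00 48128 --sha-w C:\WINDOWS\system32\godudona.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2008-04-14 00:12:16 15360]
"dabujidefe"="C:\WINDOWS\system32\nuwolili.dll" [2009-02-07 19:07:00 48128]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=C:\WINDOWS\system32\voripuwi.dll c:\windows\system32\vudaviyi.dll

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
Notification Packages REG_MULTI_SZ scecli C:\WINDOWS\system32\voripuwi.dll

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{2e643564-9204-11dc-9a9a-0012f0b75460}]
\Shell\AutoRun\command - D:\loader.exe
"""

KEY_RE = re.compile(r"^\[(?P<key>[^\]]+)\]$")
# "name"=data, optionally followed by ComboFix's "[date time size]" suffix.
VALUE_RE = re.compile(r'^"(?P<name>[^"]+)"=(?P<data>.*?)(?:\s+\[[^\]]*\])?$')
# "date time size attrs path" lines under BHO keys.
FILE_RE = re.compile(r"^\S+ \S+ \d+ (?P<attrs>\S+) (?P<path>.+)$")
# Assumption: packages Windows registers by default; anything else gets flagged.
DEFAULT_LSA_PACKAGES = {"scecli"}


def parse_loading_points(text: str) -> Dict[str, List[str]]:
    """Group the section's raw lines under the registry key that precedes them."""
    sections: Dict[str, List[str]] = {}
    current = None
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        m = KEY_RE.match(line)
        if m:
            current = m.group("key")
            sections.setdefault(current, [])
        elif current is not None:
            sections[current].append(line)
    return sections


def triage(text: str) -> List[Tuple[str, str]]:
    """Return (reason, detail) pairs for every load point that deserves review."""
    findings: List[Tuple[str, str]] = []
    for key, lines in parse_loading_points(text).items():
        lkey = key.lower()
        for line in lines:
            if "browser helper objects" in lkey:
                m = FILE_RE.match(line)
                # ComboFix shows hidden and system attributes as 'h' and 's'.
                if m and {"s", "h"} <= set(m.group("attrs")):
                    findings.append(("BHO backed by hidden+system DLL", m.group("path")))
                continue
            if lkey.startswith("hkey_current_user") and "mountpoints2" in lkey:
                if line.lower().startswith(r"\shell\autorun\command"):
                    findings.append(("AutoRun command on mounted volume",
                                     line.split(" - ", 1)[1]))
                continue
            if lkey.endswith(r"\control\lsa") and line.startswith("Notification Packages"):
                packages = line.split()[3:]  # skip 'Notification Packages REG_MULTI_SZ'
                for pkg in packages:
                    if pkg.lower() not in DEFAULT_LSA_PACKAGES:
                        findings.append(("Non-default LSA notification package", pkg))
                continue
            m = VALUE_RE.match(line)
            if not m:
                continue
            name, data = m.group("name"), m.group("data").strip('"')
            if name.lower() == "appinit_dlls" and data:
                for dll in data.split():
                    findings.append(("AppInit_DLLs entry", dll))
            elif lkey.endswith(r"\currentversion\run") and data.lower().endswith(".dll"):
                findings.append(("Run value points at a DLL", f"{name} -> {data}"))
    return findings


if __name__ == "__main__":
    for reason, detail in triage(SAMPLE_LOG):
        print(f"{reason}: {detail}")
```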
     
  5. cybertech

    cybertech Retired Moderator

    Joined:
    Apr 16, 2002
    Messages:
    72,115
    Please download ATF Cleaner by Atribune.

    • Double-click ATF-Cleaner.exe to run the program.
    • Under Main choose: Select All
    • Click the Empty Selected button.

    Click Exit on the Main menu to close the program.




    Please download Malwarebytes Anti-Malware and save it to your desktop. alternate link 1 alternate link 2
    • Make sure you are connected to the Internet.
    • Double-click on Download_mbam-setup.exe to install the application.
    • When the installation begins, follow the prompts and do not make any changes to default settings.
    • When installation has finished, make sure you leave both of these checked:
      • Update Malwarebytes' Anti-Malware
      • Launch Malwarebytes' Anti-Malware
    • Then click Finish.
    • MBAM will automatically start and you will be asked to update the program before performing a scan. If an update is found, the program will automatically update itself. Press the OK button to close that box and continue. If you encounter any problems while downloading the updates, manually download them from here and just double-click on mbam-rules.exe to install.
    • On the Scanner tab:
      • Make sure the "Perform Quick Scan" option is selected.
      • Then click on the Scan button.
    • If asked to select the drives to scan, leave all the drives selected and click on the Start Scan button.
    • The scan will begin and "Scan in progress" will show at the top. It may take some time to complete so please be patient.
    • When the scan is finished, a message box will say "The scan completed successfully. Click 'Show Results' to display all objects found".
    • Click OK to close the message box and continue with the removal process.
    • Back at the main Scanner screen, click on the Show Results button to see a list of any malware that was found.
    • Make sure that everything is checked, and click Remove Selected.
    • When removal is completed, a log report will open in Notepad and you may be prompted to restart your computer. (see Note below)
    • The log is automatically saved and can be viewed by clicking the Logs tab in MBAM.
    • Copy and paste the contents of that report in your next reply with a new hijackthis log.
    Note: If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts. Click OK to either and let MBAM proceed with the disinfection process. If asked to restart the computer, please do so immediately. Failure to reboot will prevent MBAM from removing all the malware.



    Please do an online scan with Kaspersky WebScanner

    Kaspersky online scanner uses JAVA technology to perform the scan. If you do not have the latest JAVA version, follow the instructions below under Upgrading Java to download and install the latest version.

    • Read through the requirements and privacy statement and click on Accept button.
    • It will start downloading and installing the scanner and virus definitions. You will be prompted to install an application from Kaspersky. Click Run.
    • When the downloads have finished, click on Settings.
    • Make sure the following is checked.
      • Spyware, Adware, Dialers, and other potentially dangerous programs
      • Archives
      • Mail databases
    • Click on My Computer under Scan.
    • Once the scan is complete, it will display the results. Click on View Scan Report.
    • You will see a list of infected items there. Click on Save Report As....
    • Save this report to a convenient place. Change the Files of type to Text file (.txt) before clicking on the Save button.
    • Please post this log in your next reply.


    Upgrading Java:
    • Download the latest version of Java Runtime Environment (JRE) 6 Update 13.
    • Click the "Download" button to the right.
    • Select your Platform and check the box that says: "I agree to the Java SE Runtime Environment 6 License Agreement.".
    • Click on Continue.
    • Click on the link to download Windows Offline Installation (jre-6u13-windows-i586-p.exe) and save it to your desktop. Do NOT use the Sun Download Manager.
    • Close any programs you may have running - especially your web browser.
    • Go to Start > Control Panel, double-click on Add/Remove programs and remove all older versions of Java.
    • Check any item with Java Runtime Environment (JRE or J2SE) in the name.
    • Click the Remove or Change/Remove button.
    • Repeat as many times as necessary to remove each Java version.
    • Reboot your computer once all Java components are removed.
    • Then from your desktop double-click on the download to install the newest version. (Vista users, right click on the jre-6u13-windows-i586-p.exe and select "Run as an Administrator".)
     
  6. taponay

    taponay Thread Starter

    Joined:
    Apr 28, 2009
    Messages:
    6
    Malwarebytes' Anti-Malware 1.36
    Database version: 2105
    Windows 5.1.2600 Service Pack 3

    5/10/2009 10:40:15 PM
    mbam-log-2009-05-10 (22-40-15).txt

    Scan type: Quick Scan
    Objects scanned: 112834
    Time elapsed: 11 minute(s), 9 second(s)

    Memory Processes Infected: 0
    Memory Modules Infected: 5
    Registry Keys Infected: 5
    Registry Values Infected: 2
    Registry Data Items Infected: 3
    Folders Infected: 0
    Files Infected: 8

    Memory Processes Infected:
    (No malicious items detected)

    Memory Modules Infected:
    C:\WINDOWS\system32\nipusesi.dll (Trojan.Vundo.H) -> Delete on reboot.
    C:\WINDOWS\system32\lukonoke.dll (Trojan.Vundo.H) -> Delete on reboot.
    C:\WINDOWS\system32\nuwolili.dll (Trojan.Vundo.H) -> Delete on reboot.
    C:\WINDOWS\system32\godudona.dll (Trojan.Vundo.H) -> Delete on reboot.
    C:\WINDOWS\system32\voripuwi.dll (Trojan.Vundo.H) -> Delete on reboot.

    Registry Keys Infected:
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{17d7c9e6-abd4-4d00-9c7d-2a9094eaf44d} (Trojan.Vundo.H) -> Quarantined and deleted successfully.
    HKEY_CLASSES_ROOT\CLSID\{17d7c9e6-abd4-4d00-9c7d-2a9094eaf44d} (Trojan.Vundo.H) -> Quarantined and deleted successfully.
    HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{17d7c9e6-abd4-4d00-9c7d-2a9094eaf44d} (Trojan.Vundo.H) -> Quarantined and deleted successfully.
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\dslcnnct (Trojan.Vundo) -> Quarantined and deleted successfully.
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\rdfa (Trojan.Vundo) -> Quarantined and deleted successfully.

    Registry Values Infected:
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\a0e44c46 (Trojan.Vundo.H) -> Quarantined and deleted successfully.
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\dabujidefe (Trojan.Vundo.H) -> Quarantined and deleted successfully.

    Registry Data Items Infected:
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\AppInit_DLLs (Trojan.Vundo.H) -> Data: c:\windows\system32\voripuwi.dll -> Quarantined and deleted successfully.
    HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\LSA\Notification Packages (Trojan.Vundo.H) -> Data: c:\windows\system32\voripuwi.dll -> Quarantined and deleted successfully.
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\UpdatesDisableNotify (Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.

    Folders Infected:
    (No malicious items detected)

    Files Infected:
    C:\WINDOWS\system32\lukonoke.dll (Trojan.Vundo.H) -> Delete on reboot.
    C:\WINDOWS\system32\ekonokul.ini (Trojan.Vundo.H) -> Quarantined and deleted successfully.
    C:\WINDOWS\system32\nipusesi.dll (Trojan.Vundo.H) -> Delete on reboot.
    C:\WINDOWS\system32\isesupin.ini (Trojan.Vundo.H) -> Quarantined and deleted successfully.
    C:\WINDOWS\system32\nuwolili.dll (Trojan.Vundo.H) -> Delete on reboot.
    C:\WINDOWS\system32\godudona.dll (Trojan.Vundo.H) -> Delete on reboot.
    C:\WINDOWS\system32\voripuwi.dll (Trojan.Vundo.H) -> Delete on reboot.
    C:\WINDOWS\system32\nusayuku.dll (Trojan.Vundo.H) -> Quarantined and deleted successfully.


    Logfile of Trend Micro HijackThis v2.0.2
    Scan saved at 8:44:53 AM, on 5/11/2009
    Platform: Windows XP SP3 (WinNT 5.01.2600)
    MSIE: Internet Explorer v7.00 (7.00.6000.16827)
    Boot mode: Normal

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\ibmpmsvc.exe
    C:\WINDOWS\system32\Ati2evxx.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
    C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
    C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\Program Files\Common Files\LogiShrd\LVMVFM\LVPrcSrv.exe
    C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
    C:\Program Files\Bonjour\mDNSResponder.exe
    C:\Program Files\Cisco Systems\VPN Client\cvpnd.exe
    C:\Program Files\Executive Software\Diskeeper\DkService.exe
    C:\Program Files\F-Secure\Anti-Virus\fsgk32st.exe
    C:\Program Files\F-Secure\Anti-Virus\FSGK32.EXE
    C:\Program Files\F-Secure\Common\FSMA32.EXE
    C:\WINDOWS\System32\GEARSec.exe
    C:\Program Files\F-Secure\Common\FSMB32.EXE
    C:\WINDOWS\system32\Hummingbird\Connectivity\8.00\Inetd\inetd32.exe
    C:\Program Files\F-Secure\Common\FCH32.EXE
    C:\WINDOWS\system32\svchost.exe
    C:\Program Files\Common Files\LogiShrd\LVCOMSER\LVComSer.exe
    C:\Program Files\F-Secure\Common\FAMEH32.EXE
    C:\Program Files\F-Secure\Anti-Virus\fsqh.exe
    C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
    C:\Program Files\Norton Ghost\Agent\VProSvc.exe
    C:\WINDOWS\System32\QCONSVC.EXE
    C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
    C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
    C:\Program Files\CheckPoint\SecuRemote\bin\SR_Service.exe
    C:\Program Files\CheckPoint\SecuRemote\bin\SR_WatchDog.exe
    C:\WINDOWS\System32\svchost.exe
    C:\Program Files\Rainbow Technologies\SPN Combo Installer\1.0.5\Server\WinNT\spnsrvnt.exe
    C:\WINDOWS\System32\TPHDEXLG.EXE
    C:\WINDOWS\system32\TpKmpSVC.exe
    C:\WINDOWS\system32\WFXSVC.EXE
    C:\Program Files\WinFax\WFXMOD32.EXE
    C:\WINDOWS\system32\CCM\CcmExec.exe
    c:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
    C:\Program Files\F-Secure\Common\FNRB32.EXE
    C:\Program Files\F-Secure\Anti-Virus\fssm32.exe
    C:\Program Files\F-Secure\FSAUA\program\fsaua.exe
    C:\Program Files\F-Secure\Common\FIH32.EXE
    C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
    C:\WINDOWS\system32\Ati2evxx.exe
    C:\WINDOWS\Explorer.EXE
    C:\Program Files\CheckPoint\SecuRemote\bin\SR_GUI.Exe
    C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
    C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
    C:\WINDOWS\system32\TpShocks.exe
    C:\PROGRA~1\ThinkPad\PkgMgr\HOTKEY\TPHKMGR.exe
    C:\PROGRA~1\ThinkPad\UTILIT~1\EzEjMnAp.Exe
    C:\Program Files\ThinkPad\PkgMgr\HOTKEY\TPONSCR.exe
    C:\Program Files\ThinkPad\PkgMgr\HOTKEY_1\TpScrex.exe
    C:\WINDOWS\system32\dla\tfswctrl.exe
    C:\Program Files\IBM\Messages By IBM\ibmmessages.exe
    C:\Program Files\F-Secure\Anti-Virus\fsav32.exe
    C:\Program Files\ThinkPad\UltraNav Wizard\UNavTray.EXE
    C:\WINDOWS\system32\RunDll32.exe
    C:\WINDOWS\system32\rundll32.exe
    C:\Program Files\ThinkPad\ConnectUtilities\QCWLICON.EXE
    C:\Program Files\Analog Devices\SoundMAX\SMax4PNP.exe
    C:\WINDOWS\system32\rundll32.exe
    C:\WINDOWS\system32\TpScrLk.exe
    C:\Program Files\ScanSoft\OmniPageSE4.0\OpwareSE4.exe
    C:\Program Files\Common Files\Symantec Shared\ccApp.exe
    C:\PROGRA~1\WinFax\WFXSWTCH.exe
    C:\WINDOWS\system32\wfxsnt40.exe
    C:\Program Files\Norton Ghost\Agent\GhostTray.exe
    C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
    C:\Program Files\F-Secure\Common\FSM32.EXE
    C:\Program Files\iTunes\iTunesHelper.exe
    C:\WINDOWS\system32\ctfmon.exe
    C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
    C:\Program Files\DNA\btdna.exe
    C:\Program Files\Adobe\Acrobat 6.0\Distillr\acrotray.exe
    C:\Program Files\F-Secure\FSGUI\fsguidll.exe
    C:\Program Files\Digital Line Detect\DLG.exe
    C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
    C:\Program Files\iPod\bin\iPodService.exe
    C:\Program Files\Print Manager Plus - Client\CheckPages.exe
    C:\Program Files\WinZip\WZQKPICK.EXE
    C:\Program Files\HP\Digital Imaging\bin\hpqSTE08.exe
    C:\Program Files\Java\jre6\bin\jqs.exe
    C:\Program Files\Mozilla Firefox\firefox.exe
    C:\Program Files\Java\jre6\bin\java.exe
    C:\Program Files\Skype\Phone\Skype.exe
    C:\Program Files\Skype\Plugin Manager\skypePM.exe
    C:\Program Files\Logitech\QuickCam\Quickcam.exe
    C:\Program Files\Common Files\LogiShrd\LComMgr\Communications_Helper.exe
    C:\Program Files\Common Files\Logishrd\LQCVFX\COCIManager.exe
    C:\WINDOWS\system32\NOTEPAD.EXE
    C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
    R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
    O2 - BHO: HP Print Enhancer - {0347C33E-8762-4905-BF09-768834316C61} - C:\Program Files\HP\Smart Web Printing\hpswp_printenhancer.dll
    O2 - BHO: HP Print Clips - {053F9267-DC04-4294-A72C-58F732D338C0} - C:\Program Files\HP\Smart Web Printing\hpswp_framework.dll
    O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\ActiveX\AcroIEHelper.dll
    O2 - BHO: Skype add-on (mastermind) - {22BF413B-C6D2-4d91-82A9-A0F997BA588C} - C:\Program Files\Skype\Toolbars\Internet Explorer\SkypeIEPlugin.dll
    O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\system32\dla\tfswshx.dll
    O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
    O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
    O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - C:\Program Files\Google\Google Toolbar\GoogleToolbar.dll
    O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\5.1.1309.3572\swg.dll
    O2 - BHO: Google Dictionary Compression sdch - {C84D72FE-E17D-4195-BB24-76C02E2E7C4E} - C:\Program Files\Google\Google Toolbar\Component\fastsearch_A8904FB862BD9564.dll
    O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
    O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
    O3 - Toolbar: Google Toolbar - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - C:\Program Files\Google\Google Toolbar\GoogleToolbar.dll
    O4 - HKLM\..\Run: [S3TRAY2] S3Tray2.exe
    O4 - HKLM\..\Run: [SynTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
    O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
    O4 - HKLM\..\Run: [TPKMAPHELPER] C:\Program Files\ThinkPad\Utilities\TpKmapAp.exe -helper
    O4 - HKLM\..\Run: [TpShocks] TpShocks.exe
    O4 - HKLM\..\Run: [TPHOTKEY] C:\PROGRA~1\ThinkPad\PkgMgr\HOTKEY\TPHKMGR.exe
    O4 - HKLM\..\Run: [TP4EX] tp4ex.exe
    O4 - HKLM\..\Run: [EZEJMNAP] C:\PROGRA~1\ThinkPad\UTILIT~1\EzEjMnAp.Exe
    O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
    O4 - HKLM\..\Run: [UC_Start] C:\Program Files\IBM\Updater\\ucstartup.exe
    O4 - HKLM\..\Run: [UpdateManager] "C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" /r
    O4 - HKLM\..\Run: [dla] C:\WINDOWS\system32\dla\tfswctrl.exe
    O4 - HKLM\..\Run: [ibmmessages] C:\Program Files\IBM\Messages By IBM\\ibmmessages.exe
    O4 - HKLM\..\Run: [SSC_UserPrompt] c:\Program Files\Common Files\Symantec Shared\Security Center\UsrPrmpt.exe
    O4 - HKLM\..\Run: [BMMGAG] RunDll32 C:\PROGRA~1\ThinkPad\UTILIT~1\pwrmonit.dll,StartPwrMonitor
    O4 - HKLM\..\Run: [BMMLREF] C:\Program Files\ThinkPad\Utilities\BMMLREF.EXE
    O4 - HKLM\..\Run: [BMMMONWND] rundll32.exe C:\PROGRA~1\ThinkPad\UTILIT~1\BatInfEx.dll,BMMAutonomicMonitor
    O4 - HKLM\..\Run: [BLOG] rundll32.exe C:\PROGRA~1\ThinkPad\UTILIT~1\BatLogEx.DLL,StartBattLog
    O4 - HKLM\..\Run: [QCWLICON] C:\Program Files\ThinkPad\ConnectUtilities\QCWLICON.EXE
    O4 - HKLM\..\Run: [SoundMAXPnP] C:\Program Files\Analog Devices\SoundMAX\SMax4PNP.exe
    O4 - HKLM\..\Run: [PRONoMgrWired] C:\Program Files\Intel\PROSetWired\NCS\PROSet\PRONoMgr.exe
    O4 - HKLM\..\Run: [BluetoothAuthenticationAgent] rundll32.exe bthprops.cpl,,BluetoothAuthenticationAgent
    O4 - HKLM\..\Run: [TPKBDLED] C:\WINDOWS\system32\TpScrLk.exe
    O4 - HKLM\..\Run: [SSBkgdUpdate] "C:\Program Files\Common Files\Scansoft Shared\SSBkgdUpdate\SSBkgdupdate.exe" -Embedding -boot
    O4 - HKLM\..\Run: [OpwareSE4] "C:\Program Files\ScanSoft\OmniPageSE4.0\OpwareSE4.exe"
    O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
    O4 - HKLM\..\Run: [WFXSwtch] C:\PROGRA~1\WinFax\WFXSWTCH.exe
    O4 - HKLM\..\Run: [WinFaxAppPortStarter] wfxsnt40.exe
    O4 - HKLM\..\Run: [Norton Ghost 10.0] "C:\Program Files\Norton Ghost\Agent\GhostTray.exe"
    O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
    O4 - HKLM\..\Run: [F-Secure Manager] "C:\Program Files\F-Secure\Common\FSM32.EXE" /splash
    O4 - HKLM\..\Run: [F-Secure TNB] "C:\Program Files\F-Secure\FSGUI\TNBUtil.exe" /CHECKALL /WAITFORSW
    O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
    O4 - HKLM\..\Run: [CPMa3d77fda] Rundll32.exe "c:\windows\system32\hupahofe.dll",a
    O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"
    O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
    O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
    O4 - HKCU\..\Run: [BitTorrent DNA] "C:\Program Files\DNA\btdna.exe"
    O4 - HKCU\..\Run: [ibmmessages] C:\Program Files\IBM\Messages By IBM\ibmmessages.exe
    O4 - HKUS\S-1-5-18\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe (User 'SYSTEM')
    O4 - HKUS\.DEFAULT\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe (User 'Default user')
    O4 - Global Startup: Acrobat Assistant.lnk = C:\Program Files\Adobe\Acrobat 6.0\Distillr\acrotray.exe
    O4 - Global Startup: AutoCAD Startup Accelerator.lnk = C:\Program Files\Common Files\Autodesk Shared\acstart16.exe
    O4 - Global Startup: Cisco Systems VPN Client.lnk = C:\Program Files\Cisco Systems\VPN Client\vpngui.exe
    O4 - Global Startup: Digital Line Detect.lnk = ?
    O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
    O4 - Global Startup: Logitech Desktop Messenger.lnk = C:\Program Files\Logitech\Desktop Messenger\8876480\Program\LogitechDesktopMessenger.exe
    O4 - Global Startup: Print Manager Plus - Client Module.lnk = C:\Program Files\Print Manager Plus - Client\CheckPages.exe
    O4 - Global Startup: WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.EXE
    O8 - Extra context menu item: Add to Google Photos Screensa&ver - res://C:\WINDOWS\system32\GPhotos.scr/200
    O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
    O9 - Extra button: HP Clipbook - {58ECB495-38F0-49cb-A538-10282ABF65E7} - C:\Program Files\HP\Smart Web Printing\hpswp_extensions.dll
    O9 - Extra button: HP Smart Select - {700259D7-1666-479a-93B1-3250410481E8} - C:\Program Files\HP\Smart Web Printing\hpswp_extensions.dll
    O9 - Extra button: Skype - {77BF5300-1474-4EC7-9980-D32B190E9B07} - C:\Program Files\Skype\Toolbars\Internet Explorer\SkypeIEPlugin.dll
    O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
    O9 - Extra button: Software Installer - {D1A4DEBD-C2EE-449f-B9FB-E8409F9A0BC5} - C:\Program Files\ThinkPad\PkgMgr\\PkgMgr.exe
    O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
    O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O11 - Options group: [JAVA_IBM] Java (IBM)
    O15 - Trusted Zone: ftp.woolpert.com
    O16 - DPF: {05D44720-58E3-49E6-BDF6-D00330E511D3} (StagingUI Object) - http://zone.msn.com/binFrameWork/v10/StagingUI.cab55579.cab
    O16 - DPF: {0CCA191D-13A6-4E29-B746-314DEE697D83} (Facebook Photo Uploader 5) - http://upload.facebook.com/controls/FacebookPhotoUploader5.cab
    O16 - DPF: {149E45D8-163E-4189-86FC-45022AB2B6C9} (SpinTop DRM Control) - file:///C:/Program%20Files/Laura%20Jones%20and%20the%20Gates%20of%20Good%20and%20Evil/Images/stg_drm.ocx
    O16 - DPF: {200B3EE9-7242-4EFD-B1E4-D97EE825BA53} (VerifyGMN Class) - http://h20270.www2.hp.com/ediags/gmn/install/hpobjinstaller_gmn.cab
    O16 - DPF: {2019DC25-D1C0-11D6-97B3-0008A124F542} - http://www.streamplug.com/StreamPlug/beta/SP.cab
    O16 - DPF: {3BB54395-5982-4788-8AF4-B5388FFDD0D8} (MSN Games – Buddy Invite) - http://zone.msn.com/BinFrameWork/v10/ZBuddy.cab55579.cab
    O16 - DPF: {48DD0448-9209-4F81-9F6D-D83562940134} (MySpace Uploader Control) - http://lads.myspace.com/upload/MySpaceUploader1006.cab
    O16 - DPF: {493ACF15-5CD9-4474-82A6-91670C3DD66E} (LinkedIn ContactFinderControl) - http://www.linkedin.com/cab/LinkedInContactFinderControl.cab
    O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://gfx2.hotmail.com/mail/w2/pr02/resources/MSNPUpld.cab
    O16 - DPF: {5736C456-EA94-4AAC-BB08-917ABDD035B3} (ZonePAChat Object) - http://zone.msn.com/binframework/v10/ZPAChat.cab55579.cab
    O16 - DPF: {5C6698D9-7BE4-4122-8EC5-291D84DBD4A0} (Facebook Photo Uploader 4 Control) - http://upload.facebook.com/controls/FacebookPhotoUploader3.cab
    O16 - DPF: {5F8469B4-B055-49DD-83F7-62B522420ECC} (Facebook Photo Uploader Control) - http://upload.facebook.com/controls/FacebookPhotoUploader.cab
    O16 - DPF: {67DABFBF-D0AB-41FA-9C46-CC0F21721616} - http://go.divx.com/plugin/DivXBrowserPlugin.cab
    O16 - DPF: {74FFE28D-2378-11D5-990C-006094235084} (IBM Access Support) - http://www-307.ibm.com/pc/support/IbmEgath.cab
    O16 - DPF: {80B626D6-BC34-4BCF-B5A1-7149E4FD9CFA} (UnoCtrl Class) - http://zone.msn.com/bingame/zpagames/GAME_UNO1.cab60096.cab
    O16 - DPF: {9AA73F41-EC64-489E-9A73-9CD52E528BC4} (ZoneAxRcMgr Class) - http://cdn2.zone.msn.com/binframework/v10/ZAxRcMgr.cab31267.cab
    O16 - DPF: {9BDF4724-10AA-43D5-BD15-AEA0D2287303} (MSN Games – Texas Holdem Poker) - http://zone.msn.com/bingame/zpagames/zpa_txhe.cab72909.cab
    O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (MSN Games - Installer) - http://cdn2.zone.msn.com/binFramework/v10/ZIntro.cab56649.cab
    O16 - DPF: {C86FF4B0-AA1D-46D4-8612-025FB86583C7} (AstoundLauncher Control) - http://zone.msn.com/bingame/jobo/default/AstoundLauncher.cab#version=1,0,0,10
    O16 - DPF: {CC450D71-CC90-424C-8638-1F2DBAC87A54} (ArmHelper Control) - file:///C:/Program%20Files/Doggie%20Dash/Images/armhelper.ocx
    O16 - DPF: {D0C0F75C-683A-4390-A791-1ACFD5599AB8} (Oberon Flash Game Host) - http://iplay.oberon-media.com/Gameshell/GameHost/1.0/OberonGameHost.cab
    O16 - DPF: {D54160C3-DB7B-4534-9B65-190EE4A9C7F7} (SproutLauncherCtrl Class) - http://zone.msn.com/bingame/feed/default/SproutLauncher.cab
    O16 - DPF: {D6E7CFB5-C074-4D1C-B647-663D1A8D96BF} (Facebook Photo Uploader 4) - http://upload.facebook.com/controls/FacebookPhotoUploader4_5.cab
    O16 - DPF: {DA2AA6CF-5C7A-4B71-BC3B-C771BB369937} (MSN Games – Game Communicator) - http://zone.msn.com/binframework/v10/StProxy.cab55579.cab
    O16 - DPF: {E06E2E99-0AA1-11D4-ABA6-0060082AA75C} (GpcContainer Class) - https://ensr.webex.com/client/T25L/webex/ieatgpc.cab
    O16 - DPF: {E5D419D6-A846-4514-9FAD-97E826C84822} (HeartbeatCtl Class) - http://fdl.msn.com/zone/datafiles/heartbeat.cab
    O16 - DPF: {EA6246B4-F380-443F-8727-9AEA3371146C} (CPlayFirstWeddingDashControl Object) - http://www.shockwave.com/content/weddingdash/sis/WeddingDash.1.0.0.47.cab
    O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = retec.retecnet.com
    O17 - HKLM\Software\..\Telephony: DomainName = retec.retecnet.com
    O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = retec.retecnet.com
    O18 - Protocol: bwfile-8876480 - {9462A756-7B47-47BC-8C80-C34B9B80B32B} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\GAPlugProtocol-8876480.dll
    O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
    O18 - Filter: x-sdch - {B1759355-3EEC-4C1E-B0F1-B719FE26E377} - C:\Program Files\Google\Google Toolbar\Component\fastsearch_A8904FB862BD9564.dll
    O20 - AppInit_DLLs: c:\windows\system32\hupahofe.dll
    O21 - SSODL: SSODL - {EC43E3FD-5C60-46a6-97D7-E0B85DBDD6C4} - c:\windows\system32\hupahofe.dll
    O22 - SharedTaskScheduler: STS - {EC43E3FD-5C60-46a6-97D7-E0B85DBDD6C4} - c:\windows\system32\hupahofe.dll
    O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
    O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
    O23 - Service: Autodesk Licensing Service - Autodesk - C:\Program Files\Common Files\Autodesk Shared\Service\AdskScSrv.exe
    O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
    O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
    O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
    O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
    O23 - Service: Cisco Systems, Inc. VPN Service (CVPND) - Cisco Systems, Inc. - C:\Program Files\Cisco Systems\VPN Client\cvpnd.exe
    O23 - Service: Diskeeper - Executive Software International, Inc. - C:\Program Files\Executive Software\Diskeeper\DkService.exe
    O23 - Service: EvtEng - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
    O23 - Service: FSGKHS (F-Secure Gatekeeper Handler Starter) - F-Secure Corporation - C:\Program Files\F-Secure\Anti-Virus\fsgk32st.exe
    O23 - Service: F-Secure Network Request Broker - F-Secure Corporation - C:\Program Files\F-Secure\Common\FNRB32.EXE
    O23 - Service: F-Secure Automatic Update Agent (FSAUA) - F-Secure Corporation - C:\Program Files\F-Secure\FSAUA\program\fsaua.exe
    O23 - Service: F-Secure Management Agent (FSMA) - F-Secure Corporation - C:\Program Files\F-Secure\Common\FSMA32.EXE
    O23 - Service: GEARSecurity - GEAR Software - C:\WINDOWS\System32\GEARSec.exe
    O23 - Service: Google Software Updater (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
    O23 - Service: Hummingbird Inetd (HCLInetd) - Hummingbird Ltd. - C:\WINDOWS\system32\Hummingbird\Connectivity\8.00\Inetd\inetd32.exe
    O23 - Service: ThinkPad PM Service (IBMPMSVC) - Unknown owner - C:\WINDOWS\system32\ibmpmsvc.exe
    O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
    O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
    O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
    O23 - Service: LVCOMSer - Logitech Inc. - C:\Program Files\Common Files\LogiShrd\LVCOMSER\LVComSer.exe
    O23 - Service: Process Monitor (LVPrcSrv) - Logitech Inc. - C:\Program Files\Common Files\LogiShrd\LVMVFM\LVPrcSrv.exe
    O23 - Service: LVSrvLauncher - Logitech Inc. - C:\Program Files\Common Files\LogiShrd\SrvLnch\SrvLnch.exe
    O23 - Service: MATLAB Server (matlabserver) - Unknown owner - C:\Program Files\MATLAB71\webserver\bin\win32\matlabserver.exe
    O23 - Service: Intel NCS NetService (NetSvc) - Intel(R) Corporation - C:\Program Files\Intel\PROSetWired\NCS\Sync\NetSvc.exe
    O23 - Service: Norton Ghost - Symantec Corporation - C:\Program Files\Norton Ghost\Agent\VProSvc.exe
    O23 - Service: Hummingbird Proxy Server (ProxyEngine) - Hummingbird Ltd. - C:\Program Files\Hummingbird\Connectivity\8.00\Accessories\ProxyEngine.exe
    O23 - Service: QCONSVC - IBM Corp. - C:\WINDOWS\System32\QCONSVC.EXE
    O23 - Service: RegSrvc - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
    O23 - Service: Spectrum24 Event Monitor (S24EventMonitor) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
    O23 - Service: SoundMAX Agent Service (SoundMAX Agent Service (default)) - Analog Devices, Inc. - C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
    O23 - Service: Check Point SecuRemote Service (SR_Service) - Check Point Software Technologies - C:\Program Files\CheckPoint\SecuRemote\bin\SR_Service.exe
    O23 - Service: Check Point SecuRemote WatchDog (SR_WatchDog) - Check Point Software Technologies - C:\Program Files\CheckPoint\SecuRemote\bin\SR_WatchDog.exe
    O23 - Service: SuperProServer - Unknown owner - C:\Program Files\Rainbow Technologies\SPN Combo Installer\1.0.5\Server\WinNT\spnsrvnt.exe
    O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
    O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - c:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
    O23 - Service: ThinkPad HDD APS Logging Service (TPHDEXLGSVC) - Lenovo. - C:\WINDOWS\System32\TPHDEXLG.EXE
    O23 - Service: IBM KCU Service (TpKmpSVC) - Unknown owner - C:\WINDOWS\system32\TpKmpSVC.exe
    O23 - Service: WinFax PRO (wfxsvc) - Symantec Corporation - C:\WINDOWS\system32\WFXSVC.EXE

    --
    End of file - 22257 bytes


    --------------------------------------------------------------------------------
    KASPERSKY ONLINE SCANNER 7.0 REPORT
    Monday, May 11, 2009
    Operating System: Microsoft Windows XP Professional Service Pack 3 (build 2600)
    Kaspersky Online Scanner version: 7.0.26.13
    Program database last update: Sunday, May 10, 2009 23:13:16
    Records in database: 2156538
    --------------------------------------------------------------------------------

    Scan settings:
    Scan using the following database: extended
    Scan archives: yes
    Scan mail databases: yes

    Scan area - My Computer:
    C:\
    D:\
    F:\
    Z:\

    Scan statistics:
    Files scanned: 240356
    Threat name: 3
    Infected objects: 3
    Suspicious objects: 0
    Duration of the scan: 08:20:57


    File name / Threat name / Threats count
    F:\autorun.0nf Infected: Worm.Win32.AutoRun.sks 1
    F:\ij.0at Infected: Trojan.Win32.Agent.aqvz 1
    F:\qquq.bat Infected: Packed.Win32.Krap.b 1

    The selected area was scanned.
     
  7. cybertech

    cybertech Retired Moderator

    Joined:
    Apr 16, 2002
    Messages:
    72,115
    Open Notepad and copy and paste the text in the code box below into it:
    Code:
    File::
    F:\autorun.0nf
    F:\ij.0at
    F:\qquq.bat
    c:\windows\system32\hupahofe.dll
    
    

    Save this as CFScript.txt, in the same location as ComboFix.exe


    Referring to the picture above, drag CFScript into ComboFix.exe

    This will start ComboFix again. It may ask to reboot. Post the contents of c:\Combofix.txt in your next reply.
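The HijackThis entries above and the CFScript in this reply make the same point from two directions: one DLL (hupahofe.dll) is registered under several load points at once (O4 Run, O20 AppInit_DLLs, O21 SSODL, O22 SharedTaskScheduler), and the fix is to hand ComboFix a File:: block naming it. As an added example that is not part of this thread and not code from HijackThis or ComboFix, the Python below parses HijackThis-style lines, flags any file referenced from two or more persistence entries where at least one is a system-wide hook (O20 AppInit_DLLs is loaded into every process that maps user32.dll; O21 ShellServiceObjectDelayLoad and O22 SharedTaskScheduler are loaded into Explorer at logon), and renders the hits in the File:: format used above. The sample lines are excerpted from the log above with two benign entries kept for contrast; the correlation threshold, the regexes and the function names are my own assumptions, not anything HijackThis computes.

```python
import re
from collections import defaultdict

# Sample input: HijackThis lines excerpted from the log in this thread, plus two
# benign entries (iTunes, Bonjour) so the filter has something to ignore.
SAMPLE_LOG = r"""
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [CPMa3d77fda] Rundll32.exe "c:\windows\system32\hupahofe.dll",a
O20 - AppInit_DLLs: c:\windows\system32\hupahofe.dll
O21 - SSODL: SSODL - {EC43E3FD-5C60-46a6-97D7-E0B85DBDD6C4} - c:\windows\system32\hupahofe.dll
O22 - SharedTaskScheduler: STS - {EC43E3FD-5C60-46a6-97D7-E0B85DBDD6C4} - c:\windows\system32\hupahofe.dll
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
"""

# HijackThis sections that load a DLL into every process (O20) or into Explorer
# at logon (O21, O22). One unsigned DLL sitting in several of these at once is
# the footprint the thread is chasing. (Assumed heuristic, not an HJT feature.)
SYSTEM_WIDE_SECTIONS = {"O20", "O21", "O22"}

# Drive-letter path ending in a loadable extension; lazy so paths with spaces
# ("C:\Program Files\...") are captured up to the first matching extension.
PATH_RE = re.compile(r'[a-z]:\\[^",]+?\.(?:dll|exe|ocx)\b', re.IGNORECASE)
SECTION_RE = re.compile(r'^(O\d+|R\d|F\d)\s+-')


def parse_hjt(text):
    """Yield (section, lower-cased path) for each HJT line that names a file."""
    for line in text.splitlines():
        line = line.strip()
        m = SECTION_RE.match(line)
        if not m:
            continue
        for path in PATH_RE.findall(line):
            yield m.group(1), path.lower()


def find_multi_hook_dlls(text, min_hits=2):
    """Return {path: sorted sections} for files referenced from at least
    min_hits persistence entries, at least one of which is system-wide."""
    hits = defaultdict(set)
    for section, path in parse_hjt(text):
        hits[path].add(section)
    return {p: sorted(s) for p, s in hits.items()
            if len(s) >= min_hits and s & SYSTEM_WIDE_SECTIONS}


def cfscript(paths):
    """Render a ComboFix CFScript 'File::' block in the format used above."""
    return "File::\n" + "\n".join(paths) + "\n"


if __name__ == "__main__":
    suspects = find_multi_hook_dlls(SAMPLE_LOG)
    for path, sections in suspects.items():
        print(f"{path}  <- {', '.join(sections)}")
    print(cfscript(sorted(suspects)))
```

Running it prints the single hit, hupahofe.dll with its four load points, followed by a File:: block ready to save as CFScript.txt. Files that never appear in the HijackThis log, such as the three on F:\ from the Kaspersky report, are outside what this can see and have to be added to the block by hand, as was done above.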
     
  8. taponay

    taponay Thread Starter

    Joined:
    Apr 28, 2009
    Messages:
    6
    Hello again,

    The F:\ drive is actually a thumb drive, so when I saw that some viruses were on there, I erased the entire drive, rescanned it with Kaspersky, and it came up clean, so I ignored that part of the ComboFix script.

    Upon restarting the computer, I did receive an error message that my startup was missing the file you asked me to delete (hupahofe.dll). Not sure this is normal.

    The log is presented below again with the game deletions reduced so that the post can fit.


    ComboFix 09-05-08.03 - mboshek 05/12/2009 22:06.3 - NTFSx86
    Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.2047.1470 [GMT 2:00]
    Running from: c:\documents and settings\mboshek\Desktop\ComboFix.exe
    Command switches used :: c:\documents and settings\mboshek\Desktop\CFScript.txt
    AV: F-Secure Anti-Virus for Workstations 7.10 *On-access scanning disabled* (Updated)

    FILE ::
    c:\windows\system32\hupahofe.dll
    .

    ((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
    .

    c:\windows\system32\dakulilo.dll
    c:\windows\system32\fekabaku.dll
    c:\windows\system32\fuzoyalu.dll
    c:\windows\system32\hupahofe.dll
    c:\windows\system32\olilukad.ini
    .
    ---- Previous Run -------
    .
    c:\documents and settings\mboshek\Application Data\pidle
    c:\documents and settings\mboshek\Local Settings\Temporary Internet Files\fbk.sts
    c:\windows\Downloaded Program Files\DinerDash.1.0.0.89

    c:\windows\Downloaded Program Files\DinerDash2.1.0.0.55

    c:\windows\Downloaded Program Files\TriJinx.1.0.0.67

    c:\windows\IE4 Error Log.txt
    c:\windows\system32\abokazuw.ini
    c:\windows\system32\aluwaget.ini
    c:\windows\system32\aramenud.ini
    c:\windows\system32\AutoRun.inf
    c:\windows\system32\azugokib.ini
    c:\windows\system32\bikoguza.dll
    c:\windows\system32\dajufiwe.exe
    c:\windows\system32\donusesu.dll
    c:\windows\system32\drivers\npf.sys
    c:\windows\system32\gizisuyo.dll
    c:\windows\system32\heniloza.dll
    c:\windows\system32\hugeloko.exe
    c:\windows\system32\leheziti.exe
    c:\windows\system32\luyehije.exe
    c:\windows\system32\oterarav.ini
    c:\windows\system32\Packet.dll
    c:\windows\system32\peliziru.dll
    c:\windows\system32\regsvr32.dll
    c:\windows\system32\rosotuse.dll
    c:\windows\system32\sadujoka.dll
    c:\windows\system32\sibofuda.exe
    c:\windows\system32\tegawula.dll
    c:\windows\system32\tehepepa.exe
    c:\windows\system32\tohedida.dll
    c:\windows\system32\varareto.dll
    c:\windows\system32\vudaviyi.dll
    c:\windows\system32\wpcap.dll
    c:\windows\system32\wuzakoba.dll
    c:\windows\system32\zawawije.dll
    c:\windows\system32\zusijowa.dll

    .
    ((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
    .

    -------\Service_NPF


    ((((((((((((((((((((((((( Files Created from 2009-04-12 to 2009-05-12 )))))))))))))))))))))))))))))))
    .

    2009-04-30 08:39 . 2009-04-30 08:39 -------- d-----w c:\windows\system32\config\systemprofile\Application Data\HPAppData
    2009-04-30 08:33 . 2009-04-30 08:33 -------- d-----w c:\documents and settings\LocalService\Application Data\HPAppData
    2009-04-28 13:46 . 2009-04-28 13:46 -------- d-----w c:\program files\Trend Micro
    2009-04-27 20:45 . 2009-05-01 08:51 -------- dc-h--w c:\documents and settings\All Users\Application Data\~0
    2009-04-27 20:45 . 2009-05-01 08:51 -------- d-----w c:\documents and settings\All Users\Application Data\Lavasoft
    2009-04-27 20:27 . 2009-04-27 20:27 -------- d-----w c:\documents and settings\mboshek\Application Data\Lavasoft
    2009-04-20 16:59 . 2009-04-20 16:59 -------- d-----w c:\program files\iPod
    2009-04-20 16:58 . 2009-04-20 16:59 -------- d-----w c:\documents and settings\All Users\Application Data\{8CD7F5AF-ECFA-4793-BF40-D8F42DBFF906}
    2009-04-20 16:58 . 2009-04-20 16:59 -------- d-----w c:\program files\iTunes
    2009-04-16 06:42 . 2009-03-06 14:22 284160 ------w c:\windows\system32\dllcache\pdh.dll
    2009-04-16 06:42 . 2009-02-06 10:39 35328 ------w c:\windows\system32\dllcache\sc.exe
    2009-04-16 06:42 . 2009-02-09 12:10 401408 ------w c:\windows\system32\dllcache\rpcss.dll
    2009-04-16 06:42 . 2009-02-06 11:11 110592 ------w c:\windows\system32\dllcache\services.exe
    2009-04-16 06:42 . 2009-02-09 12:10 473600 ------w c:\windows\system32\dllcache\fastprox.dll
    2009-04-16 06:42 . 2009-02-06 10:10 227840 ------w c:\windows\system32\dllcache\wmiprvse.exe
    2009-04-16 06:42 . 2009-02-09 12:10 453120 ------w c:\windows\system32\dllcache\wmiprvsd.dll
    2009-04-16 06:42 . 2009-02-09 12:10 729088 ------w c:\windows\system32\dllcache\lsasrv.dll
    2009-04-16 06:42 . 2009-02-09 12:10 617472 ------w c:\windows\system32\dllcache\advapi32.dll
    2009-04-16 06:42 . 2009-02-09 12:10 714752 ------w c:\windows\system32\dllcache\ntdll.dll
    2009-04-16 06:41 . 2008-05-03 11:55 2560 ------w c:\windows\system32\xpsp4res.dll
    2009-04-16 06:41 . 2008-04-21 12:08 215552 ------w c:\windows\system32\dllcache\wordpad.exe

    .
    (((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    2009-05-12 20:14 . 2007-12-03 08:54 0 ----a-w c:\windows\system32\drivers\lvuvc.hs
    2009-05-12 20:14 . 2008-02-05 20:58 0 ----a-w c:\windows\system32\drivers\logiflt.iad
    2009-05-12 20:12 . 2005-11-16 19:06 12 ----a-w c:\windows\bthservsdp.dat
    2009-05-12 20:02 . 2008-03-12 20:31 -------- d-----w c:\program files\DNA
    2009-05-10 21:01 . 2009-03-23 23:07 410984 ----a-w c:\windows\system32\deploytk.dll
    2009-05-10 20:25 . 2008-11-14 12:48 -------- d-----w c:\program files\Malwarebytes' Anti-Malware
    2009-05-07 08:24 . 2009-05-07 08:24 104 ----a-w c:\program files\phroqlu.txt
    2009-05-05 09:33 . 2009-02-05 09:33 79872 ----a-w c:\windows\system32\mabovamo.dll
    2009-05-04 20:16 . 2009-05-04 20:16 172 ----a-w c:\program files\mequmv.txt
    2009-05-03 11:29 . 2007-08-06 17:45 -------- d-----w c:\program files\DivX
    2009-05-03 11:15 . 2009-05-03 11:15 240 ----a-w c:\program files\whpu.txt
    2009-05-03 09:58 . 2005-03-21 15:34 -------- d-----w c:\program files\Viewpoint
    2009-04-27 19:18 . 2009-04-27 19:18 376 ----a-w c:\program files\cifgcgm.txt
    2009-04-20 16:58 . 2007-08-05 21:59 -------- d-----w c:\program files\Common Files\Apple
    2009-04-07 09:09 . 2008-05-22 21:10 -------- d-----w c:\program files\AutoCAD LT 2004
    2009-04-06 18:43 . 2008-03-16 15:53 -------- d-----w c:\program files\Delft-Chess
    2009-04-06 13:32 . 2008-11-14 12:48 38496 ----a-w c:\windows\system32\drivers\mbamswissarmy.sys
    2009-04-06 13:32 . 2008-11-14 12:48 15504 ----a-w c:\windows\system32\drivers\mbam.sys
    2009-03-28 20:18 . 2008-03-01 20:35 137607 ----a-w c:\windows\HPHins15.dat
    2009-03-23 23:00 . 2008-08-21 15:44 -------- d-----w c:\program files\Java
    2009-03-20 13:52 . 2008-12-16 22:26 -------- d-----w c:\program files\Carr Software
    2009-03-20 08:23 . 2009-03-20 08:23 -------- d-----w c:\program files\Bonjour
    2009-03-20 08:22 . 2009-03-20 08:21 -------- d-----w c:\program files\QuickTime
    2009-03-19 14:32 . 2008-01-29 10:01 23400 ----a-w c:\windows\system32\drivers\GEARAspiWDM.sys
    2009-03-06 14:22 . 1980-01-01 08:00 284160 ----a-w c:\windows\system32\pdh.dll
    2009-03-04 21:22 . 2005-01-27 15:50 101112 ----a-w c:\documents and settings\Administrator\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
    2009-03-04 16:29 . 2009-03-04 16:29 5607 ----a-w c:\windows\~GLH0001.TMP
    2009-03-04 16:29 . 2009-03-04 16:29 137504 ----a-w c:\windows\~GLC0001.TMP
    2009-03-04 15:44 . 2009-03-04 15:44 6656 ----a-w c:\windows\system32\haspvdd.dll
    2009-03-04 15:44 . 2009-03-04 15:44 47616 ----a-w c:\windows\system32\drivers\Haspnt.sys
    2009-03-04 15:44 . 2009-03-04 15:44 383 ----a-w c:\windows\system32\haspdos.sys
    2009-03-04 15:30 . 2009-03-04 15:30 5607 ----a-w c:\windows\~GLH0000.TMP
    2009-03-04 15:30 . 2009-03-04 15:30 137504 ----a-w c:\windows\~GLC0000.TMP
    2009-03-03 00:18 . 1980-01-01 08:00 826368 ----a-w c:\windows\system32\wininet.dll
    2009-02-20 18:09 . 2005-01-27 15:43 78336 ----a-w c:\windows\system32\ieencode.dll
    2008-05-24 20:42 . 2008-05-24 20:42 0 ----a-w c:\program files\temp01
    2009-01-28 08:07 . 2009-01-28 08:07 50176 --sha-w c:\windows\system32\fiyobubi.dll.tmp
    .

    ((((((((((((((((((((((((((((( [email protected]_08.57.31 )))))))))))))))))))))))))))))))))))))))))
    .
    + 2009-05-12 20:15 . 2009-05-12 20:15 16384 c:\windows\Temp\Perflib_Perfdata_5a4.dat
    + 2009-05-12 20:15 . 2009-05-12 20:15 16384 c:\windows\Temp\Perflib_Perfdata_580.dat
    - 2009-05-03 11:31 . 2009-03-23 23:01 148888 c:\windows\system32\javaws.exe
    + 2009-05-10 21:02 . 2009-05-10 21:01 148888 c:\windows\system32\javaws.exe
    + 2009-05-10 21:02 . 2009-05-10 21:01 144792 c:\windows\system32\javaw.exe
    - 2009-05-03 11:31 . 2009-03-23 23:01 144792 c:\windows\system32\javaw.exe
    + 2009-05-10 21:02 . 2009-05-10 21:01 144792 c:\windows\system32\java.exe
    - 2009-05-03 11:31 . 2009-03-23 23:01 144792 c:\windows\system32\java.exe
    .
    ((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    *Note* empty entries & legit default entries are not shown
    REGEDIT4

    [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-14 15360]
    "swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2007-10-09 68856]
    "BitTorrent DNA"="c:\program files\DNA\btdna.exe" [2008-12-19 342848]
    "ibmmessages"="c:\program files\IBM\Messages By IBM\ibmmessages.exe" [2004-07-22 442368]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "SynTPLpr"="c:\program files\Synaptics\SynTP\SynTPLpr.exe" [2006-02-14 110592]
    "SynTPEnh"="c:\program files\Synaptics\SynTP\SynTPEnh.exe" [2006-02-14 512000]
    "TPKMAPHELPER"="c:\program files\ThinkPad\Utilities\TpKmapAp.exe" [2005-10-29 864256]
    "TPHOTKEY"="c:\progra~1\ThinkPad\PkgMgr\HOTKEY\TPHKMGR.exe" [2006-05-10 94208]
    "EZEJMNAP"="c:\progra~1\ThinkPad\UTILIT~1\EzEjMnAp.Exe" [2006-02-24 237568]
    "ATIPTA"="c:\program files\ATI Technologies\ATI Control Panel\atiptaxx.exe" [2005-05-26 344064]
    "UC_Start"="c:\program files\IBM\Updater\\ucstartup.exe" [2004-07-15 36864]
    "UpdateManager"="c:\program files\Common Files\Sonic\Update Manager\sgtray.exe" [2003-08-19 110592]
    "dla"="c:\windows\system32\dla\tfswctrl.exe" [2004-09-02 127035]
    "ibmmessages"="c:\program files\IBM\Messages By IBM\\ibmmessages.exe" [2004-07-22 442368]
    "SSC_UserPrompt"="c:\program files\Common Files\Symantec Shared\Security Center\UsrPrmpt.exe" [2004-08-06 218240]
    "BMMGAG"="c:\progra~1\ThinkPad\UTILIT~1\pwrmonit.dll" [2005-04-20 110592]
    "BMMLREF"="c:\program files\ThinkPad\Utilities\BMMLREF.EXE" [2005-04-20 20480]
    "BMMMONWND"="c:\progra~1\ThinkPad\UTILIT~1\BatInfEx.dll" [2005-04-20 396288]
    "BLOG"="c:\progra~1\ThinkPad\UTILIT~1\BatLogEx.DLL" [2005-04-20 208896]
    "QCWLICON"="c:\program files\ThinkPad\ConnectUtilities\QCWLICON.EXE" [2005-03-18 86016]
    "SoundMAXPnP"="c:\program files\Analog Devices\SoundMAX\SMax4PNP.exe" [2004-10-14 1388544]
    "PRONoMgrWired"="c:\program files\Intel\PROSetWired\NCS\PROSet\PRONoMgr.exe" [2003-08-06 86016]
    "TPKBDLED"="c:\windows\system32\TpScrLk.exe" [2002-10-09 40960]
    "SSBkgdUpdate"="c:\program files\Common Files\Scansoft Shared\SSBkgdUpdate\SSBkgdupdate.exe" [2003-09-30 155648]
    "OpwareSE4"="c:\program files\ScanSoft\OmniPageSE4.0\OpwareSE4.exe" [2006-03-21 69632]
    "ccApp"="c:\program files\Common Files\Symantec Shared\ccApp.exe" [2006-07-20 52896]
    "WFXSwtch"="c:\progra~1\WinFax\WFXSWTCH.exe" [2001-09-10 27648]
    "Norton Ghost 10.0"="c:\program files\Norton Ghost\Agent\GhostTray.exe" [2005-09-10 1537648]
    "HP Software Update"="c:\program files\HP\HP Software Update\HPWuSchd2.exe" [2007-03-11 49152]
    "F-Secure Manager"="c:\program files\F-Secure\Common\FSM32.EXE" [2007-10-05 182952]
    "F-Secure TNB"="c:\program files\F-Secure\FSGUI\TNBUtil.exe" [2007-10-05 895600]
    "iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2009-04-02 342312]
    "SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2009-05-10 148888]
    "S3TRAY2"="S3Tray2.exe" - c:\windows\system32\S3Tray2.exe [2001-10-12 69632]
    "TpShocks"="TpShocks.exe" - c:\windows\system32\TpShocks.exe [2005-11-07 106496]
    "TP4EX"="tp4ex.exe" - c:\windows\system32\TP4EX.exe [2005-10-17 65536]
    "UC_SMB"="" [BU]
    "BluetoothAuthenticationAgent"="bthprops.cpl" - c:\windows\system32\bthprops.cpl [2008-04-14 110592]
    "WinFaxAppPortStarter"="wfxsnt40.exe" - c:\windows\system32\WFXSNT40.EXE [2001-09-10 45568]

    [HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
    "ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-14 15360]

    c:\documents and settings\All Users\Start Menu\Programs\Startup\
    Acrobat Assistant.lnk - c:\program files\Adobe\Acrobat 6.0\Distillr\acrotray.exe [2003-10-24 217194]
    AutoCAD Startup Accelerator.lnk - c:\program files\Common Files\Autodesk Shared\acstart16.exe [2005-3-5 10872]
    Cisco Systems VPN Client.lnk - c:\program files\Cisco Systems\VPN Client\vpngui.exe [2009-2-9 1544984]
    Digital Line Detect.lnk - c:\program files\Digital Line Detect\DLG.exe [2006-6-29 24576]
    HP Digital Imaging Monitor.lnk - c:\program files\HP\Digital Imaging\bin\hpqtra08.exe [2007-3-11 210520]
    Logitech Desktop Messenger.lnk - c:\program files\Logitech\Desktop Messenger\8876480\Program\LogitechDesktopMessenger.exe [2007-12-3 67128]
    Print Manager Plus - Client Module.lnk - c:\program files\Print Manager Plus - Client\CheckPages.exe [2006-4-17 258048]
    WinZip Quick Pick.lnk - c:\program files\WinZip\WZQKPICK.EXE [2005-3-21 106560]

    [hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
    "{A213B520-C6C2-11d0-AF9D-008029E1027E}"= "c:\program files\WinFax\WfxSeh32.Dll" [1998-07-27 38400]

    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\ckpNotify]
    2004-07-14 05:14 24673 ------w c:\windows\system32\ckpNotify.dll

    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\NavLogon]
    [BU]

    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\QConGina]
    2005-03-18 09:07 262144 ------w c:\windows\system32\QConGina.dll

    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\tpfnf2]
    2005-07-06 06:45 28672 ------w c:\windows\system32\notifyf2.dll

    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\tphotkey]
    2005-12-01 03:16 24576 ------w c:\windows\system32\tphklock.dll

    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
    "AppInit_DLLs"=c:\windows\system32\hupahofe.dll

    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\Machine\Scripts\Startup\0\0]
    "Script"=AddDesktopSupport.vbs

    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-448539723-823518204-1417001333-4780\Scripts\Logon\0\0]
    "Script"=RETEC master r2.0a.vbs

    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-448539723-823518204-1417001333-500\Scripts\Logon\0\0]
    "Script"=RETEC master r2.0a.vbs

    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-448539723-823518204-1417001333-81111\Scripts\Logon\0\0]
    "Script"=RETEC master r2.0a.vbs

    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
    "EnableFirewall"= 0 (0x0)

    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
    "%windir%\\system32\\sessmgr.exe"=
    "c:\\Program Files\\Messenger\\msmsgs.exe"=
    "c:\\Program Files\\Print Manager Plus - Client\\CheckPages.exe"=
    "c:\\Program Files\\BitTorrent_DNA\\dna.exe"=
    "c:\\Program Files\\BitTorrent\\bittorrent.exe"=
    "%windir%\\Network Diagnostic\\xpnetdiag.exe"=
    "c:\\Program Files\\MSN Messenger\\msnmsgr.exe"=
    "c:\\Program Files\\MSN Messenger\\livecall.exe"=
    "c:\\Program Files\\Mozilla Firefox\\firefox.exe"=
    "c:\\Program Files\\IBM\\Updater\\ucsmb.exe"=
    "c:\\Program Files\\IBM\\Updater\\jre\\bin\\javaw.exe"=
    "c:\\Program Files\\IBM\\Updater\\jre\\bin\\java.exe"=
    "c:\\Program Files\\Logitech\\Desktop Messenger\\8876480\\Program\\LogitechDesktopMessenger.exe"=
    "c:\\Program Files\\CheckPoint\\SecuRemote\\bin\\SR_GUI.exe"=
    "c:\\Program Files\\NetMeeting\\conf.exe"=
    "c:\\Program Files\\DNA\\btdna.exe"=
    "c:\\Program Files\\Hummingbird\\Connectivity\\8.00\\Exceed\\exceed.exe"=
    "c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
    "c:\\Program Files\\Java\\jre6\\bin\\java.exe"=
    "c:\\Program Files\\iTunes\\iTunes.exe"=
    "c:\\WINDOWS\\system32\\WgaTray.exe"=
    "c:\\Program Files\\F-Secure\\Anti-Virus\\fsav32.exe"=
    "c:\\Program Files\\Skype\\Phone\\Skype.exe"=

    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
    "3389:TCP"= 3389:TCP:*:Disabled:@xpsp2res.dll,-22009

    R0 Shockprf;Shockprf;c:\windows\system32\drivers\shockprf.sys [1/27/2005 5:56 PM 85760]
    R1 ShockMgr;ShockMgr;c:\windows\system32\drivers\ShockMgr.sys [1/27/2005 5:56 PM 4736]
    R1 TPPWR;TPPWR;c:\windows\system32\drivers\TPPWR.SYS [1/27/2005 6:20 PM 16384]
    R2 Scap;SecureClient Application Policy Module;c:\windows\system32\drivers\scap.sys [5/13/2006 12:52 AM 17456]
    R2 VPN-1;VPN-1 Module;c:\windows\system32\drivers\vpn.sys [5/13/2006 12:52 AM 670128]
    R3 F-Secure Gatekeeper;F-Secure Gatekeeper;c:\program files\F-Secure\Anti-Virus\minifilter\fsgk.sys [5/6/2008 9:07 PM 62064]
    R3 FW1;SecuRemote Miniport;c:\windows\system32\drivers\fw.sys [5/13/2006 12:52 AM 2041904]
    R3 RMSPPPOE;WAN Miniport (PPP over Ethernet Protocol);c:\windows\system32\drivers\RMSPPPOE.SYS [10/3/2002 1:09 AM 31424]
    S0 fjetlrmn;fjetlrmn;c:\windows\system32\drivers\ctxpb.sys --> c:\windows\system32\drivers\ctxpb.sys [?]
    S0 hogxk;hogxk;c:\windows\system32\drivers\rezuhi.sys --> c:\windows\system32\drivers\rezuhi.sys [?]
    S0 hxfarrmf;hxfarrmf;c:\windows\system32\drivers\nbwcwiv.sys --> c:\windows\system32\drivers\nbwcwiv.sys [?]
    S0 Iklaf;Iklaf;c:\windows\system32\drivers\yqeu.sys --> c:\windows\system32\drivers\yqeu.sys [?]
    S0 lpqbw;lpqbw;c:\windows\system32\drivers\mzgfvehz.sys --> c:\windows\system32\drivers\mzgfvehz.sys [?]
    S0 noasqmm;noasqmm;c:\windows\system32\drivers\qpbb.sys --> c:\windows\system32\drivers\qpbb.sys [?]
    S0 ntcdrdrv;ntcdrdrv;c:\windows\system32\DRIVERS\ntcdrdrv.sys --> c:\windows\system32\DRIVERS\ntcdrdrv.sys [?]
    S0 nynwh;nynwh;c:\windows\system32\drivers\upuxgig.sys --> c:\windows\system32\drivers\upuxgig.sys [?]
    S0 oynvw;oynvw;c:\windows\system32\drivers\wpixdk.sys --> c:\windows\system32\drivers\wpixdk.sys [?]
    S0 pugudet;pugudet;c:\windows\system32\drivers\gldliae.sys --> c:\windows\system32\drivers\gldliae.sys [?]
    S0 qlnpqium;qlnpqium;c:\windows\system32\drivers\lqprnd.sys --> c:\windows\system32\drivers\lqprnd.sys [?]
    S0 rycf;rycf;c:\windows\system32\drivers\ojbn.sys --> c:\windows\system32\drivers\ojbn.sys [?]
    S0 wjgpahz;wjgpahz;c:\windows\system32\drivers\ihfyunfg.sys --> c:\windows\system32\drivers\ihfyunfg.sys [?]
    S3 MovRVDrv32;MovRVDrv32;c:\windows\system32\drivers\MovRVDrv32.sys [11/13/2007 3:50 PM 2688]
    S3 MusCDriverV32;MusCDriverV32;c:\windows\system32\drivers\MusCDriverV32.sys [11/13/2007 3:05 PM 513152]
    S3 MusCVideo32;MusCVideo32;c:\windows\system32\drivers\MusCVideo32.sys [11/13/2007 3:05 PM 2688]
    S3 Ndisprot;ArcNet NDIS Protocol Driver;c:\windows\system32\drivers\ndisprot.sys [11/14/2008 2:09 PM 27904]
    S3 OMVA;VPN-1 SecureClient Adapter;c:\windows\system32\drivers\OMVA.sys [5/13/2006 12:52 AM 14924]
    S3 ProxyEngine;Hummingbird Proxy Server;c:\program files\Hummingbird\Connectivity\8.00\Accessories\ProxyEngine.exe [3/4/2009 3:46 PM 118784]
    S3 QCNDISIF;QCNDISIF;c:\windows\system32\drivers\qcndisif.sys [1/27/2005 6:18 PM 12288]
    S3 Rockey_USB;Feitian ROCKEY4 USB Service;c:\windows\system32\drivers\Rockey4USB.sys [2/13/2004 10:41 PM 12928]
    S4 F-Secure Filter;F-Secure File System Filter;c:\program files\F-Secure\Anti-Virus\win2k\fsfilter.sys [5/6/2008 9:07 PM 39792]
    S4 F-Secure Recognizer;F-Secure File System Recognizer;c:\program files\F-Secure\Anti-Virus\win2k\fsrec.sys [5/6/2008 9:07 PM 25200]

    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
    hpdevmgmt REG_MULTI_SZ hpqcxs08 hpqddsvc

    [HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{01e2aeea-a69e-11dd-9af4-0012f0b75460}]
    \Shell\AutoRun\command - qquq.bat
    \Shell\explore\Command - qquq.bat
    \Shell\open\Command - qquq.bat

    [HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{1c04a08f-614b-11dc-9a8a-0012f0b75460}]
    \Shell\AutoRun\command - b.com
    \Shell\explore\Command - b.com
    \Shell\open\Command - b.com

    [HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{2dc17cd0-98fb-11dd-9aee-0012f0b75460}]
    \Shell\AutoRun\command - c:\windows\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL Toy.exe

    [HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{2e643564-9204-11dc-9a9a-0012f0b75460}]
    \Shell\AutoRun\command - D:\loader.exe
    .
    Contents of the 'Scheduled Tasks' folder

    2009-05-11 c:\windows\Tasks\AppleSoftwareUpdate.job
    - c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-04-11 10:34]

    2005-05-04 c:\windows\Tasks\BMMTask.job
    - c:\progra~1\ThinkPad\UTILIT~1\BMMTASK.EXE [2005-01-27 07:38]

    2009-05-12 c:\windows\Tasks\Google Software Updater.job
    - c:\program files\Google\Common\Google Updater\GoogleUpdaterService.exe [2007-09-30 00:03]
    .
    - - - - ORPHANS REMOVED - - - -

    HKLM-Run-CPMa3d77fda - c:\windows\system32\hupahofe.dll


    .
    ------- Supplementary Scan -------
    .
    uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8
    uInternet Settings,ProxyOverride = *.local
    uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
    IE: Add to Google Photos Screensa&ver - c:\windows\system32\GPhotos.scr/200
    IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
    Trusted Zone: woolpert.com\ftp
    Filter: x-sdch - {B1759355-3EEC-4C1E-B0F1-B719FE26E377} - c:\program files\Google\Google Toolbar\Component\fastsearch_A8904FB862BD9564.dll
    Handler: bwfile-8876480 - {9462A756-7B47-47BC-8C80-C34B9B80B32B} - c:\program files\Logitech\Desktop Messenger\8876480\Program\GAPlugProtocol-8876480.dll
    FF - ProfilePath - c:\documents and settings\mboshek\Application Data\Mozilla\Firefox\Profiles\2t3wxl6s.default\
    FF - prefs.js: browser.startup.homepage - hxxp://www.msn.com/
    FF - plugin: c:\documents and settings\mboshek\Application Data\Mozilla\Firefox\Profiles\2t3wxl6s.default\extensions\[email protected]\platform\WINNT_x86-msvc\plugins\npmnqmp071303000004.dll
    FF - plugin: c:\program files\Google\Google Updater\2.4.1536.6592\npCIDetect13.dll
    FF - plugin: c:\program files\Google\Picasa3\npPicasa2.dll
    FF - plugin: c:\program files\Google\Picasa3\npPicasa3.dll
    FF - plugin: c:\program files\Mozilla Firefox\plugins\npbittorrent.dll
    FF - plugin: c:\program files\Viewpoint\Viewpoint Media Player\npViewpoint.dll
    .

    **************************************************************************

    catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
    Rootkit scan 2009-05-12 22:19
    Windows 5.1.2600 Service Pack 3 NTFS

    scanning hidden processes ...

    scanning hidden autostart entries ...

    scanning hidden files ...

    scan completed successfully
    hidden files: 0

    **************************************************************************
    .
    --------------------- LOCKED REGISTRY KEYS ---------------------

    [HKEY_USERS\S-1-5-21-448539723-823518204-1417001333-81111\Software\Microsoft\SystemCertificates\AddressBook*]
    @Allowed: (Read) (RestrictedCode)
    @Allowed: (Read) (RestrictedCode)

    [HKEY_USERS\S-1-5-21-448539723-823518204-1417001333-81111\Software\SecuROM\!CAUTION! NEVER A OR CHANGE ANY KEY*]
    "??"=hex:fe,4b,59,14,6f,94,da,0e,b8,8a,0a,58,a4,f3,fd,44,43,24,f8,9f,95,6e,f7,
    5e,aa,e1,6a,bf,fc,df,31,71,80,6e,cb,84,0b,ca,05,74,d7,29,22,cb,2e,9a,21,33,\
    "??"=hex:a6,2f,5a,b7,71,7e,9a,b2,96,16,fd,3e,0d,9d,e9,3f
    .
    --------------------- DLLs Loaded Under Running Processes ---------------------

    - - - - - - - > 'winlogon.exe'(1760)
    c:\windows\system32\Ati2evxx.dll
    c:\windows\system32\tphklock.dll

    - - - - - - - > 'explorer.exe'(9172)
    c:\program files\Common Files\Logishrd\LVMVFM\LVPrcInj.dll
    c:\program files\ScanSoft\OmniPageSE4.0\OpHookSE4.dll
    c:\progra~1\ThinkPad\UTILIT~1\pwrmonit.dll
    .
    ------------------------ Other Running Processes ------------------------
    .
    c:\windows\system32\ibmpmsvc.exe
    c:\windows\system32\ati2evxx.exe
    c:\program files\Intel\Wireless\Bin\EvtEng.exe
    c:\program files\Intel\Wireless\Bin\S24EvMon.exe
    c:\program files\Common Files\Symantec Shared\ccSetMgr.exe
    c:\program files\Common Files\logishrd\LVMVFM\LVPrcSrv.exe
    c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
    c:\program files\Bonjour\mDNSResponder.exe
    c:\program files\Cisco Systems\VPN Client\cvpnd.exe
    c:\program files\Executive Software\Diskeeper\DkService.exe
    c:\program files\F-Secure\Anti-Virus\fsgk32st.exe
    c:\program files\F-Secure\common\FSMA32.EXE
    c:\program files\F-Secure\Anti-Virus\fsgk32.exe
    c:\windows\system32\gearsec.exe
    c:\windows\system32\Hummingbird\Connectivity\8.00\Inetd\inetd32.exe
    c:\program files\F-Secure\common\FSMB32.EXE
    c:\program files\Java\jre6\bin\jqs.exe
    c:\program files\Common Files\logishrd\LVCOMSER\LVComSer.exe
    c:\program files\F-Secure\common\FCH32.EXE
    c:\program files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
    c:\program files\Norton Ghost\Agent\VProSvc.exe
    c:\program files\F-Secure\common\FAMEH32.EXE
    c:\program files\F-Secure\Anti-Virus\fsqh.exe
    c:\windows\system32\QCONSVC.EXE
    c:\program files\Intel\Wireless\Bin\RegSrvc.exe
    c:\program files\Analog Devices\SoundMAX\SMAgent.exe
    c:\program files\CheckPoint\SecuRemote\bin\SR_Service.exe
    c:\program files\CheckPoint\SecuRemote\bin\SR_Watchdog.exe
    c:\program files\Rainbow Technologies\SPN Combo Installer\1.0.5\Server\WinNT\spnsrvnt.exe
    c:\windows\system32\TPHDEXLG.exe
    c:\windows\system32\TpKmpSvc.exe
    c:\windows\system32\WFXSVC.EXE
    c:\program files\WinFax\WFXMOD32.EXE
    c:\windows\system32\CCM\CcmExec.exe
    c:\program files\Common Files\Symantec Shared\Security Center\SymWSC.exe
    c:\program files\F-Secure\common\FNRB32.exe
    c:\program files\F-Secure\Anti-Virus\fssm32.exe
    c:\program files\F-Secure\FSAUA\program\fsaua.exe
    c:\program files\F-Secure\common\FIH32.exe
    c:\windows\system32\ati2evxx.exe
    c:\program files\Common Files\logishrd\LVCOMSER\LVComSer.exe
    c:\program files\CheckPoint\SecuRemote\bin\SR_GUI.exe
    c:\program files\Executive Software\Diskeeper\DfrgNTFS.exe
    c:\program files\F-Secure\Anti-Virus\fsav32.exe
    c:\program files\ThinkPad\UltraNav Wizard\UNavTray.exe
    c:\program files\ThinkPad\PkgMgr\HOTKEY\TPONSCR.exe
    c:\program files\ThinkPad\PkgMgr\HOTKEY_1\TpScrex.exe
    c:\windows\system32\rundll32.exe
    c:\windows\system32\rundll32.exe
    c:\windows\system32\rundll32.exe
    c:\program files\F-Secure\FSGUI\fsguidll.exe
    c:\program files\iPod\bin\iPodService.exe
    c:\program files\HP\Digital Imaging\bin\hpqste08.exe
    .
    **************************************************************************
    .
    Completion time: 2009-05-12 22:34 - machine was rebooted
    ComboFix-quarantined-files.txt 2009-05-12 20:34

    Pre-Run: 9,158,443,008 bytes free
    Post-Run: 9,203,683,328 bytes free

    1258 --- E O F --- 2009-04-24 11:00
     
  9. cybertech

    cybertech Retired Moderator

    Joined:
    Apr 16, 2002
    Messages:
    72,115
    How is the machine running now?
     
  10. taponay

    taponay Thread Starter

    Joined:
    Apr 28, 2009
    Messages:
    6
    Computer seems to be much better, thank you. I ran another Malwarebytes check and it came up clean. Beyond one or two virus notifications from F-Secure, the computer seems to run much faster and I don't have those annoying popups. Many thanks.
     
  11. cybertech

    cybertech Retired Moderator

    Joined:
    Apr 16, 2002
    Messages:
    72,115
    Follow these steps to uninstall Combofix and the tools used in the removal of malware:
    • Click START then RUN
    • Now type Combofix /u in the runbox and click OK. Note the space between the X and the U; it needs to be there.

    Now you should clean up your PC.


    If you have no other problems I can help you with feel free to use the Mark Solved button at the top of the page.
     
Short URL to this thread: https://techguy.org/823878