Vundo.h Groundhog Day

#1
SuperCB

    New Member

  • Members
  • 15 posts
Hey guys, I have 4 instances of vundo.h that like to return. Attached is the latest Mbam scan followed by hijack log. As always, thanks for the expert help.


Malwarebytes' Anti-Malware 1.36
Database version: 2074
Windows 5.1.2600 Service Pack 3

5/4/2009 3:04:54 PM
mbam-log-2009-05-04 (15-04-54).txt

Scan type: Quick Scan
Objects scanned: 92256
Time elapsed: 2 minute(s), 23 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 3
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 1

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{b045f78e-4e59-40ae-8d3d-abfb7b2a6141} (Trojan.Vundo.H) -> Delete on reboot.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\dqjnwjye (Trojan.Vundo.H) -> Delete on reboot.
HKEY_CLASSES_ROOT\CLSID\{b045f78e-4e59-40ae-8d3d-abfb7b2a6141} (Trojan.Vundo.H) -> Delete on reboot.

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
c:\WINDOWS\system32\qcvzuib.dll (Trojan.Vundo.H) -> Delete on reboot.



--------------------------------------------
////////////////////////////////////////////
--------------------------------------------


Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 5:01:44 PM, on 5/4/2009
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16791)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Broadcom\ASFIPMon\AsfIpMon.exe
C:\Program Files\LANDesk\Shared Files\residentagent.exe
C:\WINDOWS\system32\CTsvcCDA.exe
C:\Program Files\Intel\Intel Matrix Storage Manager\Iaantmon.exe
C:\Program Files\LANDesk\LDClient\LocalSch.EXE
C:\WINDOWS\system32\CBA\pds.exe
C:\Program Files\LANDesk\LDClient\tmcsvc.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\LANDesk\LDClient\policy.client.invoker.exe
C:\Program Files\McAfee\Common Framework\FrameworkService.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\LANDesk\LDClient\softmon.exe
C:\PROGRA~1\LANDesk\LDClient\collector.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\CTHELPER.EXE
C:\WINDOWS\system32\CTXFIHLP.EXE
C:\Program Files\Intel\Intel Matrix Storage Manager\Iaanotif.exe
C:\Program Files\Analog Devices\Core\smax4pnp.exe
C:\Program Files\Creative\Sound Blaster X-Fi\DVDAudio\CTDVDDET.EXE
C:\WINDOWS\SYSTEM32\CTXFISPI.EXE
C:\Program Files\Creative\Sound Blaster X-Fi\Volume Panel\VolPanel.exe
C:\Program Files\Creative\Shared Files\Module Loader\DLLML.exe
C:\Program Files\CyberLink\PowerDVD DX\PDVDDXSrv.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\Program Files\McAfee\Common Framework\udaterui.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\McAfee\Common Framework\McTray.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = partnerpage.google.com/smallbiz.dell.com/en_us?hl=en&client=dell-usuk&channel=us-smb&ibd=2080229
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft....k/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft....k/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft....k/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft....k/?LinkId=69157
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,First Home Page = http://www.dell.com
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre6\bin\ssv.dll
O2 - BHO: (no name) - {B045F78E-4E59-40AE-8D3D-ABFB7B2A6141} - c:\windows\system32\qcvzuib.dll
O2 - BHO: MSN Toolbar Helper - {d2ce3e00-f94a-4740-988e-03dc2f38c34f} - C:\Program Files\MSN\Toolbar\3.0.0988.2\msneshellx.dll
O2 - BHO: Java™ Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O3 - Toolbar: MSN Toolbar - {1E61ED7C-7CB8-49d6-B9E9-AB4C880C8414} - C:\Program Files\MSN\Toolbar\3.0.0988.2\msneshellx.dll
O4 - HKLM\..\Run: [CTHelper] CTHELPER.EXE
O4 - HKLM\..\Run: [CTxfiHlp] CTXFIHLP.EXE
O4 - HKLM\..\Run: [IAAnotif] "C:\Program Files\Intel\Intel Matrix Storage Manager\Iaanotif.exe"
O4 - HKLM\..\Run: [SoundMAXPnP] C:\Program Files\Analog Devices\Core\smax4pnp.exe
O4 - HKLM\..\Run: [CTDVDDET] "C:\Program Files\Creative\Sound Blaster X-Fi\DVDAudio\CTDVDDET.EXE"
O4 - HKLM\..\Run: [VolPanel] "C:\Program Files\Creative\Sound Blaster X-Fi\Volume Panel\VolPanel.exe" /r
O4 - HKLM\..\Run: [AudioDrvEmulator] "C:\Program Files\Creative\Shared Files\Module Loader\DLLML.exe" -1 AudioDrvEmulator "C:\Program Files\Creative\Shared Files\Module Loader\Audio Emulator\AudDrvEm.dll"
O4 - HKLM\..\Run: [UpdReg] C:\WINDOWS\UpdReg.EXE
O4 - HKLM\..\Run: [PDVDDXSrv] "C:\Program Files\CyberLink\PowerDVD DX\PDVDDXSrv.exe"
O4 - HKLM\..\Run: [ECenter] C:\Dell\E-Center\EULALauncher.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [McAfeeUpdaterUI] "C:\Program Files\McAfee\Common Framework\udaterui.exe" /StartedFromRunKey
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre6\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre6\bin\ssv.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\Office12\REFIEBAR.DLL
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: @C:\Program Files\Messenger\Msgslang.dll,-61144 - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: @C:\Program Files\Messenger\Msgslang.dll,-61144 - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/windowsupd...b?1205158303703
(line omitted)
O20 - Winlogon Notify: dqjnwjye - C:\WINDOWS\SYSTEM32\qcvzuib.dll
O23 - Service: Broadcom ASF IP and SMBIOS Mailbox Monitor (ASFIPmon) - Broadcom Corporation - C:\Program Files\Broadcom\ASFIPMon\AsfIpMon.exe
O23 - Service: LANDesk® Management Agent (CBA8) - LANDesk Software, Ltd. - C:\Program Files\LANDesk\Shared Files\residentagent.exe
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\system32\CTsvcCDA.exe
O23 - Service: Intel® Matrix Storage Event Monitor (IAANTMON) - Intel Corporation - C:\Program Files\Intel\Intel Matrix Storage Manager\Iaantmon.exe
O23 - Service: Intel Local Scheduler Service - LANDesk Software, Ltd. - C:\Program Files\LANDesk\LDClient\LocalSch.EXE
O23 - Service: Intel PDS - LANDesk Software Ltd. - C:\WINDOWS\system32\CBA\pds.exe
O23 - Service: LANDesk Targeted Multicast (Intel Targeted Multicast) - LANDesk Software, Ltd. - C:\Program Files\LANDesk\LDClient\tmcsvc.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: LANDesk Policy Invoker - LANDesk Software, Ltd. - C:\Program Files\LANDesk\LDClient\policy.client.invoker.exe
O23 - Service: McAfee Framework Service (McAfeeFramework) - McAfee, Inc. - C:\Program Files\McAfee\Common Framework\FrameworkService.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: LANDesk® Software Monitoring Service (Softmon) - LANDesk Software, Ltd. - C:\Program Files\LANDesk\LDClient\softmon.exe

--
End of file - 8129 bytes

#2
miekiemoes

    Forum Deity

  • Administrators
  • 7,127 posts
  • Gender:Female
  • Location:Belgium
Hi,

* Please visit this webpage for instructions for downloading and running ComboFix:

http://www.bleepingc...to-use-combofix

Post the log from ComboFix in your next reply.

Please make sure you disable ALL of your Antivirus/Antispyware/Firewall before running ComboFix. This is because Security Software may see some components ComboFix uses (prep.com for example) as suspicious and block the tool, or even delete it. Please visit HERE if you don't know how.
Mieke Verburgh
Assistant Director of Research
#3
SuperCB

    New Member

  • Members
  • 15 posts
Here she is, thanks again!

ComboFix 09-05-03.4 - Administrator 05/05/2009 10:41.4 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.3326.2872 [GMT -5:00]
Running from: c:\documents and settings\Administrator\Desktop\ComboFix.exe
AV: Trend Micro OfficeScan Antivirus *On-access scanning disabled* (Outdated)

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.

((((((((((((((((((((((((( Files Created from 2009-04-05 to 2009-05-05 )))))))))))))))))))))))))))))))
.

2009-05-01 23:10 . 2009-05-01 23:10 -------- d-----w c:\windows\system32\ldevents
2009-05-01 22:39 . 2009-05-01 22:39 -------- d-----w c:\documents and settings\Administrator\Application Data\Malwarebytes
2009-05-01 22:39 . 2009-04-06 20:32 15504 ----a-w c:\windows\system32\drivers\mbam.sys
2009-05-01 22:39 . 2009-04-06 20:32 38496 ----a-w c:\windows\system32\drivers\mbamswissarmy.sys
2009-05-01 22:39 . 2009-05-01 22:39 -------- d-----w c:\documents and settings\All Users\Application Data\Malwarebytes
2009-05-01 22:39 . 2009-05-01 22:40 -------- d-----w c:\program files\Malwarebytes' Anti-Malware
2009-05-01 01:35 . 2009-05-01 01:35 -------- d-----w c:\documents and settings\NetworkService\Application Data\trsbxzae
2009-05-01 01:35 . 2009-05-01 01:35 -------- d-----w c:\documents and settings\NetworkService\Local Settings\Application Data\trsbxzae
2009-04-24 00:18 . 2009-04-24 00:38 -------- d-----w c:\documents and settings\(omitted)\Application Data\GetRightToGo
2009-04-13 21:03 . 2009-04-13 21:03 -------- d-----w c:\documents and settings\(omitted)\Local Settings\Application Data\Microsoft Help
2009-04-13 21:03 . 2009-04-15 16:55 -------- d-----w c:\documents and settings\All Users\Application Data\Microsoft Help
2009-04-13 21:02 . 2009-04-13 21:02 -------- d--h--r C:\MSOCache
2009-04-13 19:03 . 2009-04-13 19:03 -------- d-----w c:\documents and settings\All Users\Application Data\LANDesk
2009-04-13 18:36 . 2009-05-05 04:32 -------- d-----w c:\documents and settings\All Users\Application Data\vulScan
2009-04-13 18:34 . 2009-04-13 19:03 -------- d-----w c:\windows\$ldcba8$
2009-04-13 18:34 . 2009-04-13 19:03 -------- d-----w C:\$ldcfg$
2009-04-13 16:33 . 2009-04-28 22:02 -------- d-----w c:\documents and settings\(omitted)\Local Settings\Application Data\(omitted)
2009-04-09 16:27 . 2009-04-09 18:34 -------- d-----w c:\program files\GodsWar Online
2009-04-09 16:26 . 2009-04-09 16:26 149932189 ----a-w C:\gw_setup_1.0.203.exe

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-05-05 15:41 . 2004-08-11 23:20 6 ---ha-w c:\windows\Tasks\SA.DAT
2009-05-04 23:10 . 2009-05-01 20:46 434 ----a-w c:\windows\Tasks\At3.job
2009-05-04 22:01 . 2009-05-04 22:01 -------- d-----w c:\program files\Trend Micro
2009-05-04 19:51 . 2009-05-01 22:30 434 ----a-w c:\windows\Tasks\At5.job
2009-05-04 19:51 . 2009-05-01 21:15 434 ----a-w c:\windows\Tasks\At4.job
2009-05-04 19:51 . 2009-05-01 20:22 434 ----a-w c:\windows\Tasks\At2.job
2009-05-04 19:51 . 2009-04-30 02:59 434 ----a-w c:\windows\Tasks\At1.job
2009-05-04 13:17 . 2009-01-13 23:29 -------- d-----w c:\program files\McAfee
2009-05-04 12:47 . 2008-02-29 03:34 -------- d-----w c:\program files\Java
2009-05-01 21:20 . 2008-03-10 19:19 -------- d-----w c:\program files\(omitted)
2009-05-01 07:00 . 2008-11-05 15:48 -------- d-----w c:\program files\Trillian
2009-04-13 21:12 . 2008-02-29 03:40 68840 ----a-w c:\documents and settings\Administrator\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2009-04-13 21:09 . 2008-03-10 18:46 -------- d-----w c:\program files\Microsoft Works
2009-04-13 18:35 . 2009-04-13 18:35 -------- d-----w c:\program files\LANDesk
2009-04-09 20:39 . 2009-02-13 16:27 -------- d-----w c:\program files\MSECache
2009-03-09 10:19 . 2008-12-15 18:16 410984 ----a-w c:\windows\system32\deploytk.dll
2009-02-09 11:13 . 2004-08-11 23:00 1846784 ----a-w c:\windows\system32\win32k.sys
.

((((((((((((((((((((((((((((( SnapShot@2009-05-04_13.22.24 )))))))))))))))))))))))))))))))))))))))))
.
+ 2009-05-04 20:06 . 2009-05-04 20:06 16384 c:\windows\Temp\Perflib_Perfdata_77c.dat
+ 2004-08-11 23:00 . 2009-05-04 18:29 65044 c:\windows\system32\perfc009.dat
- 2004-08-11 23:00 . 2009-04-13 19:04 65044 c:\windows\system32\perfc009.dat
+ 2004-08-11 23:00 . 2009-05-04 18:29 410574 c:\windows\system32\perfh009.dat
- 2004-08-11 23:00 . 2009-04-13 19:04 410574 c:\windows\system32\perfh009.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{B045F78E-4E59-40AE-8D3D-ABFB7B2A6141}]
2004-08-04 11:00 102400 ----a-w c:\windows\system32\qcvzuib.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\P4EXPCheckoutOverlay]
@="{80E008A4-EAE7-4867-AEB0-1A245F070F25}"
[HKEY_CLASSES_ROOT\CLSID\{80E008A4-EAE7-4867-AEB0-1A245F070F25}]
2007-01-25 18:47 540672 ----a-w c:\program files\Perforce\p4exp.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\P4EXPSyncdOverlay]
@="{ADF262C1-E8FE-49BE-AD63-F77CD4A6CCD9}"
[HKEY_CLASSES_ROOT\CLSID\{ADF262C1-E8FE-49BE-AD63-F77CD4A6CCD9}]
2007-01-25 18:47 540672 ----a-w c:\program files\Perforce\p4exp.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\P4EXPUpdateOverlay]
@="{C550CDA2-37D7-4838-A9D7-65ECB1EB5AB2}"
[HKEY_CLASSES_ROOT\CLSID\{C550CDA2-37D7-4838-A9D7-65ECB1EB5AB2}]
2007-01-25 18:47 540672 ----a-w c:\program files\Perforce\p4exp.dll

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-14 15360]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"IAAnotif"="c:\program files\Intel\Intel Matrix Storage Manager\Iaanotif.exe" [2007-07-27 178712]
"SoundMAXPnP"="c:\program files\Analog Devices\Core\smax4pnp.exe" [2007-09-12 1015808]
"CTDVDDET"="c:\program files\Creative\Sound Blaster X-Fi\DVDAudio\CTDVDDET.EXE" [2003-06-18 45056]
"VolPanel"="c:\program files\Creative\Sound Blaster X-Fi\Volume Panel\VolPanel.exe" [2005-10-14 122880]
"AudioDrvEmulator"="c:\program files\Creative\Shared Files\Module Loader\DLLML.exe" [2005-11-05 49152]
"UpdReg"="c:\windows\UpdReg.EXE" [2000-05-11 90112]
"PDVDDXSrv"="c:\program files\CyberLink\PowerDVD DX\PDVDDXSrv.exe" [2006-10-20 118784]
"ECenter"="c:\dell\E-Center\EULALauncher.exe" [2007-05-24 17920]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2007-11-07 8523776]
"NvMediaCenter"="c:\windows\system32\NvMcTray.dll" [2007-11-07 81920]
"McAfeeUpdaterUI"="c:\program files\McAfee\Common Framework\udaterui.exe" [2009-03-10 136512]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2009-03-09 148888]
"CTHelper"="CTHELPER.EXE" - c:\windows\CTHELPER.EXE [2005-11-08 16384]
"CTxfiHlp"="CTXFIHLP.EXE" - c:\windows\system32\CTXFIHLP.EXE [2006-03-02 18944]
"nwiz"="nwiz.exe" - c:\windows\system32\nwiz.exe [2007-11-07 1626112]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
Adobe Reader Speed Launch.lnk - c:\program files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2005-9-23 29696]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer]
"NoWelcomeScreen"= 1 (0x1)

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\dqjnwjye]
2004-08-04 11:00 102400 ----a-w c:\windows\system32\qcvzuib.dll

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\LANDesk\\Shared Files\\residentagent.exe"=

R3 FSDelegator;FSDelegator;c:\windows\system32\DRIVERS\fsdelegator.sys [2008-02-28 35200]
S0 xzuqjzlw;xzuqjzlw;c:\windows\system32\drivers\xzuqjzlw.sys [2004-08-04 23424]
S2 ASFIPmon;Broadcom ASF IP and SMBIOS Mailbox Monitor;c:\program files\Broadcom\ASFIPMon\AsfIpMon.exe [2007-06-20 79168]
S2 CBA8;LANDesk® Management Agent;c:\program files\LANDesk\Shared Files\residentagent.exe [2008-06-02 155648]
S2 LANDesk Policy Invoker;LANDesk Policy Invoker;c:\program files\LANDesk\LDClient\policy.client.invoker.exe [2008-03-11 118784]
S2 Softmon;LANDesk® Software Monitoring Service;c:\program files\LANDesk\LDClient\softmon.exe [2008-05-30 331776]


[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
HPZ12 REG_MULTI_SZ Pml Driver HPZ12 Net Driver HPZ12

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Svchost - NetSvcs
jpzdswim
.
Contents of the 'Scheduled Tasks' folder

2009-05-04 c:\windows\Tasks\At1.job
- c:\windows\system32\qcvzuib.dll [2004-08-11 11:00]

2009-05-04 c:\windows\Tasks\At2.job
- c:\windows\system32\qcvzuib.dll [2004-08-11 11:00]

2009-05-04 c:\windows\Tasks\At3.job
- c:\windows\system32\qcvzuib.dll [2004-08-11 11:00]

2009-05-04 c:\windows\Tasks\At4.job
- c:\windows\system32\qcvzuib.dll [2004-08-11 11:00]

2009-05-04 c:\windows\Tasks\At5.job
- c:\windows\system32\qcvzuib.dll [2004-08-11 11:00]
.
.
------- Supplementary Scan -------
.
uStart Page = partnerpage.google.com/smallbiz.dell.com/en_us?hl=en&client=dell-usuk&channel=us-smb&ibd=2080229
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-05-05 10:42
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

HKLM\Software\Microsoft\Windows\CurrentVersion\Run
CTHelper = CTHELPER.EXE?
CTxfiHlp = CTXFIHLP.EXE?

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'explorer.exe'(3776)
c:\program files\Perforce\p4exp.dll
.
Completion time: 2009-05-05 10:43
ComboFix-quarantined-files.txt 2009-05-05 15:43
ComboFix2.txt 2009-05-04 23:10
ComboFix3.txt 2009-05-04 19:57
ComboFix4.txt 2009-05-04 13:23

Pre-Run: 151,890,984,960 bytes free
Post-Run: 151,875,416,064 bytes free

159 --- E O F --- 2009-04-15 16:55
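As an added example (not code from this thread, from Malwarebytes or from ComboFix): a small Python parser over the HijackThis and ComboFix lines posted above that groups every autostart entry by the file it loads. It shows why a quick scan that deletes only the BHO key does not end the infection: the same qcvzuib.dll is also wired into a Winlogon Notify entry and the At*.job scheduled tasks, and any one surviving loader puts it back. The sample lines are a subset copied from posts #1 and #3; the eight-letter-name heuristic is an assumption of this example, not a rule from the thread.

```python
"""Correlate autostart entries from HijackThis and ComboFix log lines.

Added example, not part of the thread: groups every autostart reference by
the file it loads, so a DLL that is wired into several persistence points
(BHO key, Winlogon Notify, scheduled At*.job tasks) stands out. That is the
pattern behind the "returning" Trojan.Vundo.H in this thread.
"""
import re
from collections import defaultdict

# Constructed sample: a subset of lines copied from the HijackThis log in
# post #1 and the ComboFix log in post #3 of this thread.
SAMPLE_LOG = r"""
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {B045F78E-4E59-40AE-8D3D-ABFB7B2A6141} - c:\windows\system32\qcvzuib.dll
O20 - Winlogon Notify: dqjnwjye - C:\WINDOWS\SYSTEM32\qcvzuib.dll
R3 FSDelegator;FSDelegator;c:\windows\system32\DRIVERS\fsdelegator.sys [2008-02-28 35200]
S0 xzuqjzlw;xzuqjzlw;c:\windows\system32\drivers\xzuqjzlw.sys [2004-08-04 23424]
2009-05-04 c:\windows\Tasks\At1.job
- c:\windows\system32\qcvzuib.dll [2004-08-11 11:00]
2009-05-04 c:\windows\Tasks\At2.job
- c:\windows\system32\qcvzuib.dll [2004-08-11 11:00]
"""

# HijackThis line formats (O2 = Browser Helper Object, O20 = Winlogon Notify).
HJT_BHO = re.compile(r"^O2 - BHO: (?P<name>.*?) - \{(?P<clsid>[0-9A-Fa-f-]+)\} - (?P<path>.+)$")
HJT_NOTIFY = re.compile(r"^O20 - Winlogon Notify: (?P<name>\S+) - (?P<path>.+)$")
# ComboFix formats: a scheduled-task header followed by its "- <target>" line,
# and "S0/S2/R3 name;display;path [date size]" service or driver lines.
CF_TASK = re.compile(r"^\d{4}-\d{2}-\d{2} (?P<job>.+\.job)$")
CF_TASK_TARGET = re.compile(r"^- (?P<path>.+?) \[")
CF_SERVICE = re.compile(r"^[RS]\d (?P<name>[^;]+);[^;]*;(?P<path>.+?) \[")


def norm(path):
    """Case-insensitive, slash-normalised path key for grouping."""
    return path.strip().lower().replace("/", "\\")


def parse_autostarts(text):
    """Return (mechanism, entry name, normalised target path) triples."""
    entries = []
    pending_job = None  # task header seen, waiting for its target line
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if (m := HJT_BHO.match(line)):
            entries.append(("BHO", m["name"], norm(m["path"])))
        elif (m := HJT_NOTIFY.match(line)):
            entries.append(("Winlogon Notify", m["name"], norm(m["path"])))
        elif (m := CF_TASK.match(line)):
            pending_job = m["job"]
        elif pending_job and (m := CF_TASK_TARGET.match(line)):
            entries.append(("Scheduled task", pending_job, norm(m["path"])))
            pending_job = None
        elif (m := CF_SERVICE.match(line)):
            kind = "Driver" if m["path"].lower().endswith(".sys") else "Service"
            entries.append((kind, m["name"], norm(m["path"])))
    return entries


def find_multi_persistence(entries, min_mechanisms=2):
    """Targets referenced by at least `min_mechanisms` distinct autostart mechanisms."""
    by_path = defaultdict(list)
    for mechanism, name, path in entries:
        by_path[path].append((mechanism, name))
    return {
        path: sorted(refs)
        for path, refs in by_path.items()
        if len({mech for mech, _ in refs}) >= min_mechanisms
    }


def unnamed_bhos(entries):
    """BHO paths registered without a display name, as the Vundo entry here was."""
    return [path for mech, name, path in entries if mech == "BHO" and name == "(no name)"]


def looks_generated(name):
    """Heuristic (an assumption of this example, not a rule from the thread):
    the infection's entry names (dqjnwjye, xzuqjzlw, jpzdswim, trsbxzae) are
    eight lowercase ASCII letters with at most two vowels. Expect false
    positives; use it to prioritise review, not to decide removal."""
    return (len(name) == 8 and name.isascii() and name.isalpha() and name.islower()
            and sum(c in "aeiou" for c in name) <= 2)


def report(text):
    """Human-readable findings for a log text, one finding per line."""
    entries = parse_autostarts(text)
    lines = []
    for path, refs in find_multi_persistence(entries).items():
        lines.append(f"{path}: loaded by {len(refs)} entries via "
                     + ", ".join(f"{mech} ({name})" for mech, name in refs))
    for path in unnamed_bhos(entries):
        lines.append(f"{path}: BHO with no display name")
    for mech, name, path in entries:
        if looks_generated(name):
            lines.append(f"{path}: {mech} name '{name}' looks machine-generated")
    return lines


if __name__ == "__main__":
    print("\n".join(report(SAMPLE_LOG)))
```

Run against the full logs rather than the sample to see all five At*.job tasks land on the same DLL.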

#4
miekiemoes

    Forum Deity

  • Administrators
  • 7,127 posts
  • Gender:Female
  • Location:Belgium
Hi,

* Open notepad - don't use any other text editor than notepad or the script will fail.
Copy/paste the text in the quotebox below into notepad:

Quote

File::
c:\windows\system32\qcvzuib.dll
c:\windows\system32\drivers\xzuqjzlw.sys
c:\windows\Tasks\At1.job
c:\windows\Tasks\At2.job
c:\windows\Tasks\At3.job
c:\windows\Tasks\At4.job
c:\windows\Tasks\At5.job
Folder::
c:\documents and settings\NetworkService\Application Data\trsbxzae
c:\documents and settings\NetworkService\Local Settings\Application Data\trsbxzae
NetSvc::
jpzdswim
Driver::
xzuqjzlw
Registry::
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{B045F78E-4E59-40AE-8D3D-ABFB7B2A6141}]
[-HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\dqjnwjye]

Save this as a text file, CFScript

Then drag the CFScript into ComboFix.exe as you see in the screenshot below.

Posted Image

This will start ComboFix again. After reboot (in case it asks to reboot), post the contents of ComboFix.txt in your next reply.
Mieke Verburgh
Assistant Director of Research
#5
SuperCB

    New Member

  • Members
  • 15 posts
One more time!

ComboFix 09-05-03.4 - Administrator 05/05/2009 11:40.5 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.3326.2843 [GMT -5:00]
Running from: c:\documents and settings\Administrator\Desktop\ComboFix.exe
Command switches used :: c:\documents and settings\Administrator\Desktop\CFScript.txt
AV: Trend Micro OfficeScan Antivirus *On-access scanning disabled* (Outdated)

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!

FILE ::
c:\windows\system32\drivers\xzuqjzlw.sys
c:\windows\system32\qcvzuib.dll
c:\windows\Tasks\At1.job
c:\windows\Tasks\At2.job
c:\windows\Tasks\At3.job
c:\windows\Tasks\At4.job
c:\windows\Tasks\At5.job
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\documents and settings\NetworkService\Application Data\trsbxzae
c:\documents and settings\NetworkService\Application Data\trsbxzae\profiles.ini
c:\documents and settings\NetworkService\Application Data\trsbxzae\Profiles\wscrxa0o.default\cert8.db
c:\documents and settings\NetworkService\Application Data\trsbxzae\Profiles\wscrxa0o.default\compatibility.ini
c:\documents and settings\NetworkService\Application Data\trsbxzae\Profiles\wscrxa0o.default\compreg.dat
c:\documents and settings\NetworkService\Application Data\trsbxzae\Profiles\wscrxa0o.default\cookies.sqlite
c:\documents and settings\NetworkService\Application Data\trsbxzae\Profiles\wscrxa0o.default\formhistory.sqlite
c:\documents and settings\NetworkService\Application Data\trsbxzae\Profiles\wscrxa0o.default\key3.db
c:\documents and settings\NetworkService\Application Data\trsbxzae\Profiles\wscrxa0o.default\localstore.rdf
c:\documents and settings\NetworkService\Application Data\trsbxzae\Profiles\wscrxa0o.default\permissions.sqlite
c:\documents and settings\NetworkService\Application Data\trsbxzae\Profiles\wscrxa0o.default\places.sqlite-journal
c:\documents and settings\NetworkService\Application Data\trsbxzae\Profiles\wscrxa0o.default\places.sqlite
c:\documents and settings\NetworkService\Application Data\trsbxzae\Profiles\wscrxa0o.default\pluginreg.dat
c:\documents and settings\NetworkService\Application Data\trsbxzae\Profiles\wscrxa0o.default\prefs.js
c:\documents and settings\NetworkService\Application Data\trsbxzae\Profiles\wscrxa0o.default\secmod.db
c:\documents and settings\NetworkService\Application Data\trsbxzae\Profiles\wscrxa0o.default\webappsstore.sqlite
c:\documents and settings\NetworkService\Application Data\trsbxzae\Profiles\wscrxa0o.default\xpti.dat
c:\documents and settings\NetworkService\Local Settings\Application Data\trsbxzae
c:\documents and settings\NetworkService\Local Settings\Application Data\trsbxzae\Profiles\wscrxa0o.default\urlclassifier3.sqlite
c:\documents and settings\NetworkService\Local Settings\Application Data\trsbxzae\Profiles\wscrxa0o.default\XPC.mfl
c:\windows\system32\drivers\xzuqjzlw.sys
c:\windows\system32\qcvzuib.dll
c:\windows\Tasks\At1.job
c:\windows\Tasks\At2.job
c:\windows\Tasks\At3.job
c:\windows\Tasks\At4.job
c:\windows\Tasks\At5.job

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Legacy_XZUQJZLW
-------\Service_xzuqjzlw


((((((((((((((((((((((((( Files Created from 2009-04-05 to 2009-05-05 )))))))))))))))))))))))))))))))
.

2009-05-04 22:01 . 2009-05-04 22:01 -------- d-----w c:\program files\Trend Micro
2009-05-01 23:10 . 2009-05-01 23:10 -------- d-----w c:\windows\system32\ldevents
2009-05-01 22:39 . 2009-05-01 22:39 -------- d-----w c:\documents and settings\Administrator\Application Data\Malwarebytes
2009-05-01 22:39 . 2009-04-06 20:32 15504 ----a-w c:\windows\system32\drivers\mbam.sys
2009-05-01 22:39 . 2009-04-06 20:32 38496 ----a-w c:\windows\system32\drivers\mbamswissarmy.sys
2009-05-01 22:39 . 2009-05-01 22:39 -------- d-----w c:\documents and settings\All Users\Application Data\Malwarebytes
2009-05-01 22:39 . 2009-05-01 22:40 -------- d-----w c:\program files\Malwarebytes' Anti-Malware
2009-04-24 00:18 . 2009-04-24 00:38 -------- d-----w c:\documents and settings\(omitted)\Application Data\GetRightToGo
2009-04-13 21:03 . 2009-04-13 21:03 -------- d-----w c:\documents and settings\(omitted)\Local Settings\Application Data\Microsoft Help
2009-04-13 21:03 . 2009-04-15 16:55 -------- d-----w c:\documents and settings\All Users\Application Data\Microsoft Help
2009-04-13 21:02 . 2009-04-13 21:02 -------- d--h--r C:\MSOCache
2009-04-13 19:03 . 2009-04-13 19:03 -------- d-----w c:\documents and settings\All Users\Application Data\LANDesk
2009-04-13 18:36 . 2009-05-05 04:32 -------- d-----w c:\documents and settings\All Users\Application Data\vulScan
2009-04-13 18:34 . 2009-04-13 19:03 -------- d-----w c:\windows\$ldcba8$
2009-04-13 18:34 . 2009-04-13 19:03 -------- d-----w C:\$ldcfg$
2009-04-13 16:33 . 2009-04-28 22:02 -------- d-----w c:\documents and settings\(omitted)\Local Settings\Application Data\(omitted)
2009-04-09 16:27 . 2009-04-09 18:34 -------- d-----w c:\program files\GodsWar Online
2009-04-09 16:26 . 2009-04-09 16:26 149932189 ----a-w C:\gw_setup_1.0.203.exe

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-05-05 16:42 . 2004-08-11 23:20 6 ---ha-w c:\windows\Tasks\SA.DAT
2009-05-04 13:17 . 2009-01-13 23:29 -------- d-----w c:\program files\McAfee
2009-05-04 12:47 . 2008-02-29 03:34 -------- d-----w c:\program files\Java
2009-05-01 21:20 . 2008-03-10 19:19 -------- d-----w c:\program files\(omitted)
2009-05-01 07:00 . 2008-11-05 15:48 -------- d-----w c:\program files\Trillian
2009-04-13 21:12 . 2008-02-29 03:40 68840 ----a-w c:\documents and settings\Administrator\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2009-04-13 21:09 . 2008-03-10 18:46 -------- d-----w c:\program files\Microsoft Works
2009-04-13 18:35 . 2009-04-13 18:35 -------- d-----w c:\program files\LANDesk
2009-04-09 20:39 . 2009-02-13 16:27 -------- d-----w c:\program files\MSECache
2009-03-09 10:19 . 2008-12-15 18:16 410984 ----a-w c:\windows\system32\deploytk.dll
2009-02-09 11:13 . 2004-08-11 23:00 1846784 ----a-w c:\windows\system32\win32k.sys
.

((((((((((((((((((((((((((((( SnapShot@2009-05-04_13.22.24 )))))))))))))))))))))))))))))))))))))))))
.
+ 2009-05-05 16:42 . 2009-05-05 16:42 16384 c:\windows\Temp\Perflib_Perfdata_78c.dat
+ 2004-08-11 23:00 . 2009-05-04 18:29 65044 c:\windows\system32\perfc009.dat
- 2004-08-11 23:00 . 2009-04-13 19:04 65044 c:\windows\system32\perfc009.dat
+ 2004-08-11 23:00 . 2009-05-04 18:29 410574 c:\windows\system32\perfh009.dat
- 2004-08-11 23:00 . 2009-04-13 19:04 410574 c:\windows\system32\perfh009.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\P4EXPCheckoutOverlay]
@="{80E008A4-EAE7-4867-AEB0-1A245F070F25}"
[HKEY_CLASSES_ROOT\CLSID\{80E008A4-EAE7-4867-AEB0-1A245F070F25}]
2007-01-25 18:47 540672 ----a-w c:\program files\Perforce\p4exp.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\P4EXPSyncdOverlay]
@="{ADF262C1-E8FE-49BE-AD63-F77CD4A6CCD9}"
[HKEY_CLASSES_ROOT\CLSID\{ADF262C1-E8FE-49BE-AD63-F77CD4A6CCD9}]
2007-01-25 18:47 540672 ----a-w c:\program files\Perforce\p4exp.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\P4EXPUpdateOverlay]
@="{C550CDA2-37D7-4838-A9D7-65ECB1EB5AB2}"
[HKEY_CLASSES_ROOT\CLSID\{C550CDA2-37D7-4838-A9D7-65ECB1EB5AB2}]
2007-01-25 18:47 540672 ----a-w c:\program files\Perforce\p4exp.dll

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-14 15360]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"IAAnotif"="c:\program files\Intel\Intel Matrix Storage Manager\Iaanotif.exe" [2007-07-27 178712]
"SoundMAXPnP"="c:\program files\Analog Devices\Core\smax4pnp.exe" [2007-09-12 1015808]
"CTDVDDET"="c:\program files\Creative\Sound Blaster X-Fi\DVDAudio\CTDVDDET.EXE" [2003-06-18 45056]
"VolPanel"="c:\program files\Creative\Sound Blaster X-Fi\Volume Panel\VolPanel.exe" [2005-10-14 122880]
"AudioDrvEmulator"="c:\program files\Creative\Shared Files\Module Loader\DLLML.exe" [2005-11-05 49152]
"UpdReg"="c:\windows\UpdReg.EXE" [2000-05-11 90112]
"PDVDDXSrv"="c:\program files\CyberLink\PowerDVD DX\PDVDDXSrv.exe" [2006-10-20 118784]
"ECenter"="c:\dell\E-Center\EULALauncher.exe" [2007-05-24 17920]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2007-11-07 8523776]
"NvMediaCenter"="c:\windows\system32\NvMcTray.dll" [2007-11-07 81920]
"McAfeeUpdaterUI"="c:\program files\McAfee\Common Framework\udaterui.exe" [2009-03-10 136512]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2009-03-09 148888]
"CTHelper"="CTHELPER.EXE" - c:\windows\CTHELPER.EXE [2005-11-08 16384]
"CTxfiHlp"="CTXFIHLP.EXE" - c:\windows\system32\CTXFIHLP.EXE [2006-03-02 18944]
"nwiz"="nwiz.exe" - c:\windows\system32\nwiz.exe [2007-11-07 1626112]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
Adobe Reader Speed Launch.lnk - c:\program files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2005-9-23 29696]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer]
"NoWelcomeScreen"= 1 (0x1)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\LANDesk\\Shared Files\\residentagent.exe"=

R3 FSDelegator;FSDelegator;c:\windows\system32\DRIVERS\fsdelegator.sys [2008-02-28 35200]
S2 ASFIPmon;Broadcom ASF IP and SMBIOS Mailbox Monitor;c:\program files\Broadcom\ASFIPMon\AsfIpMon.exe [2007-06-20 79168]
S2 CBA8;LANDesk® Management Agent;c:\program files\LANDesk\Shared Files\residentagent.exe [2008-06-02 155648]
S2 LANDesk Policy Invoker;LANDesk Policy Invoker;c:\program files\LANDesk\LDClient\policy.client.invoker.exe [2008-03-11 118784]
S2 Softmon;LANDesk® Software Monitoring Service;c:\program files\LANDesk\LDClient\softmon.exe [2008-05-30 331776]


--- Other Services/Drivers In Memory ---

*NewlyCreated* - XZUQJZLW

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
HPZ12 REG_MULTI_SZ Pml Driver HPZ12 Net Driver HPZ12
.
.
------- Supplementary Scan -------
.
uStart Page = partnerpage.google.com/smallbiz.dell.com/en_us?hl=en&client=dell-usuk&channel=us-smb&ibd=2080229
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-05-05 11:43
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

HKLM\Software\Microsoft\Windows\CurrentVersion\Run
CTHelper = CTHELPER.EXE?
CTxfiHlp = CTXFIHLP.EXE?

scanning hidden files ...


c:\docume~1\ADMINI~1\LOCALS~1\Temp\Perflib_Perfdata_268.dat 0 bytes

scan completed successfully
hidden files: 1

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'explorer.exe'(2596)
c:\program files\Perforce\p4exp.dll
c:\windows\system32\ctagent.dll
.
------------------------ Other Running Processes ------------------------
.
c:\windows\system32\CTSVCCDA.EXE
c:\program files\Intel\Intel Matrix Storage Manager\IAANTmon.exe
c:\program files\LANDesk\LDClient\LocalSch.EXE
c:\windows\system32\cba\pds.exe
c:\program files\LANDesk\LDClient\tmcsvc.exe
c:\program files\Java\jre6\bin\jqs.exe
c:\program files\McAfee\Common Framework\FrameworkService.exe
c:\program files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
c:\windows\system32\nvsvc32.exe
c:\windows\system32\wdfmgr.exe
c:\program files\McAfee\Common Framework\naPrdMgr.exe
c:\progra~1\LANDesk\LDClient\collector.exe
c:\windows\system32\CTXFISPI.EXE
c:\windows\system32\rundll32.exe
c:\program files\McAfee\Common Framework\McTray.exe
.
**************************************************************************
.
Completion time: 2009-05-05 11:44 - machine was rebooted
ComboFix-quarantined-files.txt 2009-05-05 16:44
ComboFix2.txt 2009-05-05 15:43
ComboFix3.txt 2009-05-04 23:10
ComboFix4.txt 2009-05-04 19:57
ComboFix5.txt 2009-05-05 16:40

Pre-Run: 151,887,790,080 bytes free
Post-Run: 151,798,276,096 bytes free

202 --- E O F --- 2009-04-15 16:55

#6
miekiemoes

    Forum Deity

  • Administrators
  • PipPipPipPipPipPip
  • 7,127 posts
  • Gender:Female
  • Location:Belgium
Hi,

This looks OK again.

* Go to start > run and copy and paste next command in the field:

ComboFix /u

Make sure there's a space between Combofix and /
Then hit enter.

This will uninstall Combofix, delete its related folders and files, reset your clock settings, hide file extensions, hide the system/hidden files and reset System Restore again.

Let me know in your next reply how things are now.
Mieke Verburgh
Assistant Director of Research


#7
SuperCB

    New Member

  • Members
  • Pip
  • 15 posts
-Uninstalled combofix, restarted the machine
-Machine wouldn't load into Windows, would stop at black Windows loading screen, tried a few times
-Loaded into safe mode, no problem
-Was then able to load into Windows normally after getting into safe mode once
-Upon getting in, Windows had an "Advanced INF install" and said it needed to reboot to take effect.
-Let McAfee reinstall and ran an updated Mbam scan
-While Mbam was running, McAfee started complaining about something called "Boaxxe", which I think was a Mbam quarantined file.
-Stopped the Mbam scan and deleted quarantined files
-Ran the Mbam scan again. No issues from either program.
-McAfee now yelling about "Boaxxe" again

#8
miekiemoes

Can you let me know where McAfee is finding this Boaxxe? Where is it located and what is the filename? Because we already deleted it though...

#9
SuperCB

McAfee is complaining about C:\windows\system32\qcvzuib.dll

#10
miekiemoes

Are you sure it's present in the System32 folder and not in the C:\Qoobox\Quarantine\C\Windows\System32 folder? Because we already deleted that file previously with Combofix.

Anyway, since MalwareBytes should detect and delete this one as well, please update MalwareBytes (Update Button) and then perform a full scan with it. Disable McAfee during the scans, because it will interfere otherwise.

Let MalwareBytes reboot after the scan and post the new Malwarebytes log in your next reply together with a new HijackThis log.

#11
SuperCB

I have a network e-mail alert set up with McAfee, and what I think may be happening is that it was saving up the e-mails when it wasn't connected to the network. Then, after cleaning the machine, I reconnected to the network, and McAfee sent all its saved-up alert e-mails from the original scans. When I navigate to the Windows directory listed, I don't "see" that mentioned file.

#12
miekiemoes

Hi,

Just run the MalwareBytes scan, it should detect and delete if present. :mellow:

#13
SuperCB

McAfee alerts seem to have stopped. I'm sure they were just saved up from before. Anyway, Mbam scan only came up with one thing. Here's the log.

Malwarebytes' Anti-Malware 1.36
Database version: 2083
Windows 5.1.2600 Service Pack 3

5/6/2009 1:36:31 PM
mbam-log-2009-05-06 (13-36-31).txt

Scan type: Quick Scan
Objects scanned: 99164
Time elapsed: 2 minute(s), 48 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 1
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\NoDispScrSavPage (Hijack.DisplayProperties) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)
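Reading the Malwarebytes logs in this thread by hand works for a handful of entries, but the same layout can be parsed mechanically. The script below is an added example, not part of this thread and not Malwarebytes' own tooling: it parses the MBAM 1.x text layout seen in the logs above, extracts each detection with its family and action, checks the summary counts against the itemised entries, and lists the items marked "Delete on reboot", which MBAM only schedules for removal at the next reboot rather than removing immediately (so they are still present until that reboot has completed, which is one way a second scanner can alert on a file the first one has already handled). The sample log embedded in the script is constructed from the detection lines posted in this thread, with summary counts adjusted to the entries it includes.

```python
"""Parse a Malwarebytes' Anti-Malware 1.x text log in the layout posted in this
thread and cross-check it.  Added example, not Malwarebytes' own code."""
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional

# Constructed sample in the MBAM 1.36 layout, assembled from detection lines
# posted in this thread (summary counts adjusted to the entries included).
SAMPLE_LOG = r"""Malwarebytes' Anti-Malware 1.36
Database version: 2083

Scan type: Quick Scan
Objects scanned: 99164
Time elapsed: 2 minute(s), 48 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 1
Registry Values Infected: 0
Registry Data Items Infected: 1
Folders Infected: 0
Files Infected: 1

Memory Processes Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_CLASSES_ROOT\CLSID\{b045f78e-4e59-40ae-8d3d-abfb7b2a6141} (Trojan.Vundo.H) -> Delete on reboot.

Registry Data Items Infected:
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\NoDispScrSavPage (Hijack.DisplayProperties) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.

Files Infected:
c:\WINDOWS\system32\qcvzuib.dll (Trojan.Vundo.H) -> Delete on reboot.
"""

# Summary line ("Files Infected: 1") or detail header ("Files Infected:").
SECTION_RE = re.compile(r"^(?P<name>[A-Za-z ]+ Infected):(?: (?P<count>\d+))?$")
# One detection: item (Family) [-> Bad: (x) Good: (y)] -> action.
DETECTION_RE = re.compile(
    r"^(?P<item>.+?) \((?P<family>[^()]+)\)"
    r"(?: -> Bad: \((?P<bad>[^)]*)\) Good: \((?P<good>[^)]*)\))?"
    r" -> (?P<action>.+?)\.?$")


@dataclass
class Detection:
    section: str
    item: str
    family: str
    action: str
    bad: Optional[str] = None    # only "Registry Data Items" carry Bad/Good
    good: Optional[str] = None


@dataclass
class MbamLog:
    version: str = ""
    database: str = ""
    objects_scanned: int = 0
    summary: Dict[str, int] = field(default_factory=dict)
    detections: List[Detection] = field(default_factory=list)


def parse_mbam_log(text: str) -> MbamLog:
    log, section = MbamLog(), None
    for line in (raw.strip() for raw in text.splitlines()):
        if not line or line == "(No malicious items detected)":
            continue
        if line.startswith("Malwarebytes' Anti-Malware "):
            log.version = line.rsplit(" ", 1)[1]
        elif line.startswith("Database version: "):
            log.database = line.partition(": ")[2]
        elif line.startswith("Objects scanned: "):
            log.objects_scanned = int(line.partition(": ")[2])
        elif (m := SECTION_RE.match(line)):
            if m["count"] is None:              # detail header: entries follow
                section = m["name"]
            else:                               # summary line with a count
                log.summary[m["name"]] = int(m["count"])
        elif section is not None:              # a detection line inside a section
            d = DETECTION_RE.match(line)
            if d is None:
                raise ValueError(f"unparsed line in {section!r}: {line}")
            log.detections.append(Detection(section, d["item"], d["family"],
                                            d["action"], d["bad"], d["good"]))
    return log


def check_counts(log: MbamLog) -> List[str]:
    """Sections whose summary count disagrees with the itemised entries."""
    seen: Dict[str, int] = {}
    for d in log.detections:
        seen[d.section] = seen.get(d.section, 0) + 1
    return sorted(n for n, c in log.summary.items() if seen.get(n, 0) != c)


def pending_reboot_items(log: MbamLog) -> List[str]:
    """Items MBAM could only schedule for removal at the next reboot; they are
    still present until that reboot completes, so a rescan belongs after it."""
    return [d.item for d in log.detections
            if d.action.lower().startswith("delete on reboot")]
```

The count check is the useful part when comparing several logs from one machine: a summary that says "Files Infected: 0" while the itemised section still lists a path, or a "Delete on reboot" entry that reappears in a post-reboot scan, is the signal that the removal did not complete, which is what a helper reading a thread like this one is looking for.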

#14
miekiemoes

Yes, as you say, that makes sense from McAfee.
If the malware was still present, then mbam should find it again - because it did in the first log you posted.
Also, as you see in the Combofix log, it was deleted. :mellow:

Anyway, how are things now?

#15
SuperCB

Everything looks good, thanks so much for the help!

#16
miekiemoes

Glad I could help. :mellow:

Please read my Prevention page with lots of info and tips on how to prevent this in the future.
And if you want to improve speed/system performance after malware removal, take a look here.
Extra note: Make sure your programs are up to date - because older versions may contain Security Leaks. To find out what programs need to be updated, please run the Secunia Software Inspector Scan.

Happy Surfing again!

#17
miekiemoes

Since this issue appears resolved ... this Topic is closed.
If you need this topic reopened for continuations of existing problems, please request this by sending me a PM with the address of the thread. This applies only to the original topic starter.

Everyone else please begin a New Topic.