Good morning and thank you so much in advance! I have worked on getting rid of Security Tools for over a week now. Downloaded and purchased Spyware Doctor because it advertised that it could fix Security Tools, but didn't. Found MalwareBytes through some message boards and finally got it installed by renaming the executable and sneaking it in. Each time I run a scan, it says everything is fixed. I have done this over and over and last night got an "all clear". The computer was not turned off during the night, and when I woke up this morning, Security Tools was back! Grrrrrr
I rebooted and very quickly ran MalwareBytes again (it is the only thing that seems to fix this thing! THANK YOU!!) Log is attached. Then I downloaded the latest ComboFix and ran it. I stopped everything (per instructions) that I could on AVG 8, but ComboFix said part of it was still running. I could not stop it, not even through Task Manager. ComboFix log is attached.
Then I downloaded and ran HijackThis. Log is attached. Thank you SO much! A POX on the head of the scum-sucking trash that is putting this stuff out!
Malwarebytes' Anti-Malware 1.41
Database version: 2948
Windows 5.1.2600 Service Pack 3
10/13/2009 5:39:26 AM
mbam-log-2009-10-13 (05-39-26).txt
Scan type: Quick Scan
Objects scanned: 102759
Time elapsed: 7 minute(s), 39 second(s)
Memory Processes Infected: 1
Memory Modules Infected: 1
Registry Keys Infected: 1
Registry Values Infected: 4
Registry Data Items Infected: 3
Folders Infected: 1
Files Infected: 5
Memory Processes Infected:
C:\Documents and Settings\All Users\Application Data\62047928\62047928.exe (Rogue.SecurityTool) -> Unloaded process successfully.
Memory Modules Infected:
c:\WINDOWS\system32\tubiwewa.dll (Trojan.Vundo.H) -> Delete on reboot.
Registry Keys Infected:
HKEY_CLASSES_ROOT\CLSID\{15da66b2-772b-47a0-8f36-18abd1338d1e} (Trojan.Vundo.H) -> Quarantined and deleted successfully.
Registry Values Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\vawalamow (Trojan.Vundo.H) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\62047928 (Trojan.FakeAlert.H) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SharedTaskScheduler\{15da66b2-772b-47a0-8f36-18abd1338d1e} (Trojan.Vundo.H) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\biletimuz (Trojan.Vundo.H) -> Quarantined and deleted successfully.
Registry Data Items Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\AppInit_DLLs (Trojan.Vundo.H) -> Data: c:\windows\system32\tubiwewa.dll -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\AppInit_DLLs (Trojan.Vundo.H) -> Data: system32\tubiwewa.dll -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\UpdatesDisableNotify (Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.
Folders Infected:
C:\Documents and Settings\All Users\Application Data\62047928 (Rogue.Multiple) -> Quarantined and deleted successfully.
Files Infected:
c:\WINDOWS\system32\tubiwewa.dll (Trojan.Vundo.H) -> Delete on reboot.
C:\Documents and Settings\All Users\Application Data\62047928\62047928.exe (Trojan.FakeAlert.H) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\gehiraso.exe (Trojan.Dropper) -> Quarantined and deleted successfully.
C:\Documents and Settings\Eric\Desktop\Security Tool.LNK (Rogue.SecurityTool) -> Quarantined and deleted successfully.
C:\Documents and Settings\Eric\Start Menu\Programs\Security Tool.LNK (Rogue.SecurityTool) -> Quarantined and deleted successfully.
ComboFix Log:
ComboFix 09-10-12.03 - Eric 10/13/2009 5:56.2.2 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.1014.561 [GMT -5:00]
Running from: c:\documents and settings\Eric\Desktop\Combo-Fix.exe
AV: AVG Anti-Virus Free *On-access scanning enabled* (Updated) {17DDD097-36FF-435F-9E1B-52D74245D6BF}
FW: McAfee Personal Firewall Plus *enabled* {94894B63-8C7F-4050-BDA4-813CA00DA3E8}
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
c:\windows\system32\kegezadu.dll
c:\windows\system32\kelesopu.dll
c:\windows\system32\layejuso.dll
c:\windows\system32\pisefire.dll
c:\windows\system32\sobipore.dll
c:\windows\system32\sutojude.dll
.
((((((((((((((((((((((((( Files Created from 2009-09-13 to 2009-10-13 )))))))))))))))))))))))))))))))
.
2009-10-09 19:01 . 2009-10-09 19:01 -------- d-----w- c:\documents and settings\Eric\Application Data\Malwarebytes
2009-10-09 12:49 . 2009-10-09 12:49 -------- d-----w- c:\documents and settings\Eric\Local Settings\Application Data\WMTools Downloaded Files
2009-10-08 22:43 . 2009-09-10 19:54 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2009-10-08 22:43 . 2009-10-11 19:43 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2009-10-08 22:43 . 2009-09-10 19:53 19160 ----a-w- c:\windows\system32\drivers\mbam.sys
2009-10-08 00:57 . 2008-12-11 13:38 159600 ----a-w- c:\windows\system32\drivers\pctgntdi.sys
2009-10-08 00:57 . 2009-08-24 19:05 206256 ----a-w- c:\windows\system32\drivers\PCTCore.sys
2009-10-08 00:57 . 2009-08-19 16:01 86888 ----a-w- c:\windows\system32\drivers\PCTAppEvent.sys
2009-10-08 00:56 . 2009-10-08 00:58 -------- d-----w- c:\program files\Common Files\PC Tools
2009-10-08 00:56 . 2008-12-10 16:36 64392 ----a-w- c:\windows\system32\drivers\pctplsg.sys
2009-10-08 00:56 . 2009-10-12 16:09 -------- d-----w- c:\program files\Spyware Doctor
2009-10-08 00:02 . 2006-05-20 17:02 -------- d-----w- c:\documents and settings\Administrator\Application Data\Symantec
2009-10-03 22:02 . 2009-10-03 22:02 -------- d-----w- c:\program files\Microsoft Silverlight
2009-09-27 03:26 . 2009-09-27 03:26 -------- d-sh--w- c:\windows\ftpcache
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-10-12 20:20 . 2009-05-26 16:13 34800 ----a-w- c:\documents and settings\Eric\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2009-10-12 20:16 . 2006-05-20 17:02 -------- d-----w- c:\program files\Common Files\Symantec Shared
2009-10-12 20:13 . 2006-05-20 17:02 -------- d-----w- c:\documents and settings\All Users\Application Data\Symantec
2009-10-12 20:10 . 2006-05-20 17:00 -------- d-----w- c:\program files\Common Files\Corel
2009-10-12 17:55 . 2009-10-08 00:56 -------- d---a-w- c:\documents and settings\All Users\Application Data\TEMP
2009-10-08 00:56 . 2009-10-08 00:56 -------- d-----w- c:\documents and settings\All Users\Application Data\PC Tools
2009-10-08 00:56 . 2009-10-08 00:56 -------- d-----w- c:\documents and settings\Administrator\Application Data\PC Tools
2009-10-08 00:43 . 2009-10-08 00:22 -------- d-----w- c:\program files\winlogon
2009-10-08 00:22 . 2009-10-08 00:22 -------- d-----w- c:\documents and settings\Administrator\Application Data\Malwarebytes
2009-10-08 00:22 . 2009-10-08 00:22 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
2009-09-27 03:24 . 2009-05-26 21:01 -------- d-----w- c:\program files\Yahoo! Games
2009-09-12 17:58 . 2009-05-29 22:20 3350 --sha-w- c:\windows\system32\KGyGaAvL.sys
2009-09-12 17:58 . 2009-05-29 22:20 88 --sh--r- c:\windows\system32\3EF6841A13.sys
2009-08-27 00:13 . 2009-05-26 16:42 -------- d-----w- c:\documents and settings\Eric\Application Data\AdobeUM
2009-08-23 13:18 . 2009-05-26 20:24 11952 ----a-w- c:\windows\system32\avgrsstx.dll
2009-08-23 13:18 . 2009-05-26 20:24 335240 ----a-w- c:\windows\system32\drivers\avgldx86.sys
2009-08-23 13:18 . 2009-05-26 20:24 27784 ----a-w- c:\windows\system32\drivers\avgmfx86.sys
2009-08-19 15:34 . 2009-08-19 15:33 -------- d-----w- c:\program files\iTunes
2009-08-19 15:33 . 2009-08-19 15:33 -------- d-----w- c:\program files\iPod
2009-08-19 15:33 . 2009-05-27 16:07 -------- d-----w- c:\program files\Common Files\Apple
2009-08-14 11:58 . 2009-10-08 00:57 7396 ----a-w- c:\windows\system32\drivers\pctcore.cat
2009-08-07 00:24 . 2004-08-10 18:02 327896 ----a-w- c:\windows\system32\wucltui.dll
2009-08-07 00:24 . 2004-08-10 18:02 209632 ----a-w- c:\windows\system32\wuweb.dll
2009-08-07 00:24 . 2008-10-16 19:09 44768 ----a-w- c:\windows\system32\wups2.dll
2009-08-07 00:24 . 2004-08-10 18:02 35552 ----a-w- c:\windows\system32\wups.dll
2009-08-07 00:24 . 2004-08-10 18:02 53472 ------w- c:\windows\system32\wuauclt.exe
2009-08-07 00:24 . 2004-08-10 17:50 96480 ----a-w- c:\windows\system32\cdm.dll
2009-08-07 00:23 . 2004-08-10 18:02 575704 ----a-w- c:\windows\system32\wuapi.dll
2009-08-07 00:23 . 2009-05-27 14:36 274288 ----a-w- c:\windows\system32\mucltui.dll
2009-08-07 00:23 . 2008-10-16 19:07 215920 ----a-w- c:\windows\system32\muweb.dll
2009-08-07 00:23 . 2004-08-10 18:02 1929952 ----a-w- c:\windows\system32\wuaueng.dll
2009-08-05 09:01 . 2004-08-10 17:51 204800 ----a-w- c:\windows\system32\mswebdvd.dll
2009-07-17 19:01 . 2004-08-10 17:50 58880 ----a-w- c:\windows\system32\atl.dll
2009-07-09 21:45 . 2009-07-09 21:45 50688 --sha-w- c:\windows\system32\dehaseha.dll.tmp
2009-07-08 09:44 . 2009-07-08 09:44 38400 --sha-w- c:\windows\system32\godanihe.dll
2009-07-09 09:44 . 2009-07-09 09:44 38912 --sha-w- c:\windows\system32\hawajifi.dll
2009-07-09 21:44 . 2009-07-09 21:44 50688 --sha-w- c:\windows\system32\hojahuge.dll
2009-07-07 14:31 . 2009-07-07 14:31 37376 --sha-w- c:\windows\system32\meruyuva.dll
2009-07-09 21:44 . 2009-07-09 21:44 38400 --sha-w- c:\windows\system32\tuwefake.dll
2009-07-12 15:44 . 2009-07-12 15:44 51712 --sha-w- c:\windows\system32\vetahadu.dll
2009-07-08 21:43 . 2009-07-08 21:43 37888 --sha-w- c:\windows\system32\yuterahi.dll
2009-07-12 15:43 . 2009-07-12 15:43 51712 --sha-w- c:\windows\system32\zufajudi.dll
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\URLSearchHooks]
"{A3BC75A2-1F87-4686-AA43-5347D756017C}"= "c:\program files\AVG\AVG8\Toolbar\IEToolbar.dll" [2009-09-02 1107200]
[HKEY_CLASSES_ROOT\clsid\{a3bc75a2-1f87-4686-aa43-5347d756017c}]
[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{49abb7e8-dda5-4080-9a46-37fc2e15c28d}]
2009-07-12 15:44 51712 --sha-w- c:\windows\system32\vetahadu.dll
[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{A3BC75A2-1F87-4686-AA43-5347D756017C}]
2009-09-02 16:58 1107200 ----a-w- c:\program files\AVG\AVG8\Toolbar\IEToolbar.dll
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
"{CCC7A320-B3CA-4199-B1A6-9F516DD69829}"= "c:\program files\AVG\AVG8\Toolbar\IEToolbar.dll" [2009-09-02 1107200]
[HKEY_CLASSES_ROOT\clsid\{ccc7a320-b3ca-4199-b1a6-9f516dd69829}]
[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\Webbrowser]
"{CCC7A320-B3CA-4199-B1A6-9F516DD69829}"= "c:\program files\AVG\AVG8\Toolbar\IEToolbar.dll" [2009-09-02 1107200]
[HKEY_CLASSES_ROOT\clsid\{ccc7a320-b3ca-4199-b1a6-9f516dd69829}]
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"DellSupport"="c:\program files\DellSupport\DSAgnt.exe" [2007-03-15 460784]
"MSMSGS"="c:\program files\Messenger\msmsgs.exe" [2008-04-14 1695232]
"DellTransferAgent"="c:\documents and settings\All Users\Application Data\Dell\TransferAgent\TransferAgent.exe" [2007-11-13 135168]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"igfxtray"="c:\windows\system32\igfxtray.exe" [2005-10-15 94208]
"igfxhkcmd"="c:\windows\system32\hkcmd.exe" [2005-10-15 77824]
"igfxpers"="c:\windows\system32\igfxpers.exe" [2005-10-15 114688]
"SunJavaUpdateSched"="c:\program files\Java\j2re1.4.2_03\bin\jusched.exe" [2003-11-19 32881]
"DMXLauncher"="c:\program files\Dell\Media Experience\DMXLauncher.exe" [2005-10-05 94208]
"MimBoot"="c:\progra~1\MUSICM~1\MUSICM~3\mimboot.exe" [2005-09-09 8192]
"MMTray"="c:\program files\Musicmatch\Musicmatch Jukebox\mm_tray.exe" [2005-09-09 110592]
"ISUSPM Startup"="c:\program files\Common Files\InstallShield\UpdateService\isuspm.exe" [2005-06-10 249856]
"ISUSScheduler"="c:\program files\Common Files\InstallShield\UpdateService\issch.exe" [2005-06-10 81920]
"VSOCheckTask"="c:\progra~1\McAfee.com\VSO\mcmnhdlr.exe" [2005-07-08 151552]
"OASClnt"="c:\program files\McAfee.com\VSO\oasclnt.exe" [2005-08-12 53248]
"DLA"="c:\windows\System32\DLA\DLACTRLW.EXE" [2005-09-08 122940]
"Corel Photo Downloader"="c:\program files\Corel\Corel Photo Album 6\MediaDetect.exe" [2006-02-09 106496]
"VirusScan Online"="c:\progra~1\mcafee.com\vso\mcvsshld.exe" [2005-08-10 163840]
"MPFExe"="c:\progra~1\McAfee.com\PERSON~1\MpfTray.exe" [2005-08-18 999424]
"AVG8_TRAY"="c:\progra~1\AVG\AVG8\avgtray.exe" [2009-10-03 2023704]
"CanonMyPrinter"="c:\program files\Canon\MyPrinter\BJMyPrt.exe" [2006-10-17 1197648]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2009-05-26 413696]
"Malwarebytes Anti-Malware (reboot)"="c:\program files\Malwarebytes' Anti-Malware\mbam.exe" [2009-09-10 1312080]
"RealTray"="c:\program files\Real\RealPlayer\RealPlay.exe" [2006-05-20 26112]
"MSKDetectorExe"="c:\progra~1\McAfee\SPAMKI~1\MSKDetct.exe" [2005-07-13 1117184]
"MSKAGENTEXE"="c:\progra~1\McAfee\SPAMKI~1\MskAgent.exe" [2005-07-12 110592]
"MCUpdateExe"="c:\progra~1\mcafee.com\agent\mcupdate.exe" [2005-08-26 212992]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2009-07-13 292128]
c:\documents and settings\All Users\Start Menu\Programs\Startup\
America Online 9.0 Tray Icon.lnk - c:\program files\America Online 9.0\aoltray.exe [2006-5-20 156784]
Digital Line Detect.lnk - c:\program files\Digital Line Detect\DLG.exe [2006-5-20 24576]
QuickBooks Update Agent.lnk - c:\program files\Common Files\Intuit\QuickBooks\QBUpdate\qbupdate.exe [2004-11-11 806912]
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\avgrsstarter]
2009-08-23 13:18 11952 ----a-w- c:\windows\system32\avgrsstx.dll
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\sdauxservice]
@=""
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\sdcoreservice]
@=""
[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"UpdatesDisableNotify"=dword:00000001
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeFirewall]
"DisableMonitoring"=dword:00000001
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Common Files\\AOL\\ACS\\AOLDial.exe"=
"c:\\Program Files\\Common Files\\AOL\\ACS\\AOLacsd.exe"=
"c:\\Program Files\\America Online 9.0\\waol.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\AVG\\AVG8\\avgemc.exe"=
"c:\\Program Files\\AVG\\AVG8\\avgupd.exe"=
"c:\\Program Files\\AVG\\AVG8\\avgnsx.exe"=
"c:\\Program Files\\Microsoft Office\\Office12\\ONENOTE.EXE"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\\Program Files\\Symantec\\LiveUpdate\\LuComServer_2_6.EXE"=
"c:\\Program Files\\McAfee\\SpamKiller\\MSKDetct.exe"=
"c:\\WINDOWS\\system32\\DLA\\DLACTRLW.EXE"=
"c:\\Program Files\\MUSICMATCH\\Musicmatch Jukebox\\mimboot.exe"=
"c:\\Program Files\\America Online 9.0\\aoltray.exe"=
R0 PCTCore;PCTools KDS;c:\windows\system32\drivers\PCTCore.sys [10/7/2009 7:57 PM 206256]
R1 AvgLdx86;AVG Free AVI Loader Driver x86;c:\windows\system32\drivers\avgldx86.sys [5/26/2009 3:24 PM 335240]
R1 AvgTdiX;AVG Free8 Network Redirector;c:\windows\system32\drivers\avgtdix.sys [5/26/2009 3:24 PM 108552]
R2 avg8emc;AVG Free8 E-mail Scanner;c:\progra~1\AVG\AVG8\avgemc.exe [5/26/2009 3:24 PM 908056]
R2 avg8wd;AVG Free8 WatchDog;c:\progra~1\AVG\AVG8\avgwdsvc.exe [5/26/2009 3:24 PM 297752]
S3 sdAuxService;PC Tools Auxiliary Service;c:\program files\Spyware Doctor\pctsAuxs.exe [10/7/2009 7:56 PM 348824]
.
Contents of the 'Scheduled Tasks' folder
2009-10-06 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 17:34]
2009-10-13 c:\windows\Tasks\McAfee.com Scan for Viruses - My Computer (D6YGJ0B1-Eric).job
- c:\program files\mcafee.com\vso\mcmnhdlr.exe [2006-05-20 23:18]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://my.yahoo.com/
uInternet Settings,ProxyOverride = *.local
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~4\Office12\EXCEL.EXE/3000
Trusted Zone: internet
Trusted Zone: musicmatch.com\online
.
- - - - ORPHANS REMOVED - - - -
HKLM-Run-dabuluzipi - niwaluyu.dll
**************************************************************************
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-10-13 06:03
Windows 5.1.2600 Service Pack 3 NTFS
scanning hidden processes ...
scanning hidden autostart entries ...
scanning hidden files ...
scan completed successfully
hidden files: 0
**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------
- - - - - - - > 'explorer.exe'(416)
c:\windows\system32\WININET.dll
c:\windows\system32\ieframe.dll
.
------------------------ Other Running Processes ------------------------
.
c:\progra~1\COMMON~1\AOL\ACS\AOLacsd.exe
c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
c:\program files\Bonjour\mDNSResponder.exe
c:\program files\McAfee.com\Agent\Mcdetect.exe
c:\progra~1\McAfee.com\VSO\McShield.exe
c:\progra~1\McAfee.com\Agent\McTskshd.exe
c:\progra~1\McAfee.com\PERSON~1\MpfService.exe
c:\program files\AVG\AVG8\avgrsx.exe
c:\progra~1\AVG\AVG8\avgnsx.exe
c:\progra~1\McAfee\SPAMKI~1\MSKSrvr.exe
c:\windows\system32\wdfmgr.exe
c:\program files\MUSICMATCH\Musicmatch Jukebox\mim.exe
c:\progra~1\MUSICM~1\MUSICM~3\MMDiag.exe
c:\program files\AVG\AVG8\avgcsrvx.exe
c:\program files\iPod\bin\iPodService.exe
.
**************************************************************************
.
Completion time: 2009-10-13 6:09 - machine was rebooted
ComboFix-quarantined-files.txt 2009-10-13 11:09
Pre-Run: 40,611,393,536 bytes free
Post-Run: 40,530,321,408 bytes free
221 --- E O F --- 2009-10-13 11:08
HijackThis Log:
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 6:15:16 AM, on 10/13/2009
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16876)
Boot mode: Normal
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\COMMON~1\AOL\ACS\AOLacsd.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
C:\Program Files\Bonjour\mDNSResponder.exe
c:\program files\mcafee.com\agent\mcdetect.exe
c:\PROGRA~1\mcafee.com\vso\mcshield.exe
c:\PROGRA~1\mcafee.com\agent\mctskshd.exe
C:\PROGRA~1\McAfee.com\PERSON~1\MpfService.exe
C:\PROGRA~1\AVG\AVG8\avgrsx.exe
C:\PROGRA~1\AVG\AVG8\avgnsx.exe
C:\PROGRA~1\McAfee\SPAMKI~1\MSKSrvr.exe
C:\WINDOWS\system32\hkcmd.exe
C:\WINDOWS\system32\igfxpers.exe
C:\Program Files\Java\j2re1.4.2_03\bin\jusched.exe
C:\Program Files\Musicmatch\Musicmatch Jukebox\mm_tray.exe
C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe
C:\WINDOWS\System32\DLA\DLACTRLW.EXE
C:\Program Files\Corel\Corel Photo Album 6\MediaDetect.exe
C:\PROGRA~1\McAfee.com\PERSON~1\MpfTray.exe
C:\PROGRA~1\AVG\AVG8\avgtray.exe
C:\Program Files\Canon\MyPrinter\BJMyPrt.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Real\RealPlayer\RealPlay.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\DellSupport\DSAgnt.exe
C:\Program Files\MUSICMATCH\Musicmatch Jukebox\mim.exe
C:\PROGRA~1\AVG\AVG8\avgemc.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Documents and Settings\All Users\Application Data\Dell\TransferAgent\TransferAgent.exe
C:\Program Files\MUSICMATCH\Musicmatch Jukebox\MMDiag.exe
C:\Program Files\America Online 9.0\aoltray.exe
C:\Program Files\Digital Line Detect\DLG.exe
C:\Program Files\AVG\AVG8\avgcsrvx.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\explorer.exe
C:\Program Files\internet explorer\iexplore.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Documents and Settings\Eric\Desktop\HijackThis.exe
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft....k/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft....k/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft....k/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft....k/?LinkId=69157
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
R3 - URLSearchHook: (no name) - *{CFBFAE00-17A6-11D0-99CB-00C04FD64497} - (no file)
R3 - URLSearchHook: AVG Security Toolbar BHO - {A3BC75A2-1F87-4686-AA43-5347D756017C} - C:\Program Files\AVG\AVG8\Toolbar\IEToolbar.dll
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Program Files\AVG\AVG8\avgssie.dll
O2 - BHO: (no name) - {41D68ED8-4CFF-4115-88A6-6EBB8AF19000} - (no file)
O2 - BHO: (no name) - {49abb7e8-dda5-4080-9a46-37fc2e15c28d} - vetahadu.dll (file missing)
O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\System32\DLA\DLASHX_W.DLL
O2 - BHO: AVG Security Toolbar BHO - {A3BC75A2-1F87-4686-AA43-5347D756017C} - C:\Program Files\AVG\AVG8\Toolbar\IEToolbar.dll
O3 - Toolbar: (no name) - {BA52B914-B692-46c4-B683-905236F6F655} - (no file)
O3 - Toolbar: AVG Security Toolbar - {CCC7A320-B3CA-4199-B1A6-9F516DD69829} - C:\Program Files\AVG\AVG8\Toolbar\IEToolbar.dll
O4 - HKLM\..\Run: [igfxtray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [igfxhkcmd] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [igfxpers] C:\WINDOWS\system32\igfxpers.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\j2re1.4.2_03\bin\jusched.exe
O4 - HKLM\..\Run: [DMXLauncher] C:\Program Files\Dell\Media Experience\DMXLauncher.exe
O4 - HKLM\..\Run: [MimBoot] C:\PROGRA~1\MUSICM~1\MUSICM~3\mimboot.exe
O4 - HKLM\..\Run: [MMTray] "C:\Program Files\Musicmatch\Musicmatch Jukebox\mm_tray.exe"
O4 - HKLM\..\Run: [ISUSPM Startup] "C:\Program Files\Common Files\InstallShield\UpdateService\isuspm.exe" -startup
O4 - HKLM\..\Run: [ISUSScheduler] "C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start
O4 - HKLM\..\Run: [VSOCheckTask] "C:\PROGRA~1\McAfee.com\VSO\mcmnhdlr.exe" /checktask
O4 - HKLM\..\Run: [OASClnt] C:\Program Files\McAfee.com\VSO\oasclnt.exe
O4 - HKLM\..\Run: [DLA] C:\WINDOWS\System32\DLA\DLACTRLW.EXE
O4 - HKLM\..\Run: [Corel Photo Downloader] C:\Program Files\Corel\Corel Photo Album 6\MediaDetect.exe
O4 - HKLM\..\Run: [VirusScan Online] c:\PROGRA~1\mcafee.com\vso\mcvsshld.exe
O4 - HKLM\..\Run: [MPFExe] C:\PROGRA~1\McAfee.com\PERSON~1\MpfTray.exe
O4 - HKLM\..\Run: [AVG8_TRAY] C:\PROGRA~1\AVG\AVG8\avgtray.exe
O4 - HKLM\..\Run: [CanonMyPrinter] C:\Program Files\Canon\MyPrinter\BJMyPrt.exe /logon
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [Malwarebytes Anti-Malware (reboot)] "C:\Program Files\Malwarebytes' Anti-Malware\mbam.exe" /runcleanupscript
O4 - HKLM\..\Run: [RealTray] C:\Program Files\Real\RealPlayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER
O4 - HKLM\..\Run: [MSKDetectorExe] C:\PROGRA~1\McAfee\SPAMKI~1\MSKDetct.exe /startup
O4 - HKLM\..\Run: [MSKAGENTEXE] C:\PROGRA~1\McAfee\SPAMKI~1\MskAgent.exe
O4 - HKLM\..\Run: [MCUpdateExe] C:\PROGRA~1\mcafee.com\agent\mcupdate.exe
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKCU\..\Run: [DellSupport] "C:\Program Files\DellSupport\DSAgnt.exe" /startup
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [DellTransferAgent] "C:\Documents and Settings\All Users\Application Data\Dell\TransferAgent\TransferAgent.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - Global Startup: America Online 9.0 Tray Icon.lnk = C:\Program Files\America Online 9.0\aoltray.exe
O4 - Global Startup: Digital Line Detect.lnk = ?
O4 - Global Startup: QuickBooks Update Agent.lnk = C:\Program Files\Common Files\Intuit\QuickBooks\QBUpdate\qbupdate.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\Office12\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_03\bin\npjpi142_03.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_03\bin\npjpi142_03.dll
O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~4\Office12\ONBttnIE.dll
O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~4\Office12\ONBttnIE.dll
O9 - Extra button: (no name) - {39FD89BF-D3F1-45b6-BB56-3582CCF489E1} - C:\WINDOWS\system32\shdocvw.dll
O9 - Extra 'Tools' menuitem: McAfee Anti-Phishing Filter - {39FD89BF-D3F1-45b6-BB56-3582CCF489E1} - C:\WINDOWS\system32\shdocvw.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~4\Office12\REFIEBAR.DLL
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdat...b?1243419416828
O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files\AVG\AVG8\avgpp.dll
O20 - AppInit_DLLs: wehebopa.dll
O20 - Winlogon Notify: avgrsstarter - C:\WINDOWS\SYSTEM32\avgrsstx.dll
O23 - Service: AOL Connectivity Service (AOL ACS) - America Online, Inc. - C:\PROGRA~1\COMMON~1\AOL\ACS\AOLacsd.exe
O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: AVG Free8 E-mail Scanner (avg8emc) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgemc.exe
O23 - Service: AVG Free8 WatchDog (avg8wd) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: DSBrokerService - Unknown owner - C:\Program Files\DellSupport\brkrsvc.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: McAfee WSC Integration (McDetect.exe) - McAfee, Inc - c:\program files\mcafee.com\agent\mcdetect.exe
O23 - Service: McAfee.com McShield (McShield) - McAfee Inc. - c:\PROGRA~1\mcafee.com\vso\mcshield.exe
O23 - Service: McAfee Task Scheduler (McTskshd.exe) - McAfee, Inc - c:\PROGRA~1\mcafee.com\agent\mctskshd.exe
O23 - Service: McAfee SecurityCenter Update Manager (mcupdmgr.exe) - McAfee, Inc - C:\PROGRA~1\McAfee.com\Agent\mcupdmgr.exe
O23 - Service: McAfee Personal Firewall Service (MpfService) - McAfee Corporation - C:\PROGRA~1\McAfee.com\PERSON~1\MpfService.exe
O23 - Service: McAfee SpamKiller Server (MskService) - McAfee Inc. - C:\PROGRA~1\McAfee\SPAMKI~1\MSKSrvr.exe
O23 - Service: Intel NCS NetService (NetSvc) - Intel® Corporation - C:\Program Files\Intel\PROSetWired\NCS\Sync\NetSvc.exe
O23 - Service: PC Tools Auxiliary Service (sdAuxService) - PC Tools - C:\Program Files\Spyware Doctor\pctsAuxs.exe
O23 - Service: PC Tools Security Service (sdCoreService) - PC Tools - C:\Program Files\Spyware Doctor\pctsSvc.exe
--
End of file - 10310 bytes
#1
Posted 13 October 2009 - 11:33 AM
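As an added example (not code from this thread or from any of the tools it mentions), a small Python triage script that applies the checks a helper makes on logs like the ones posted above: it scans HijackThis-style lines and the ComboFix registry excerpt for AppInit_DLLs entries naming pseudo-random eight-letter DLLs, orphaned BHO/toolbar entries, autoruns from numeric folders under All Users\Application Data, and the Security Center and firewall settings that were switched off. The sample lines are copied from the logs above; the O4 line for 62047928 is constructed from the Malwarebytes detections, and the eight-letter-name rule is a heuristic, not a signature.

```python
import re

# Sample lines copied from the HijackThis and ComboFix logs posted above. The O4
# line for 62047928 is constructed from the Malwarebytes detections (the HijackThis
# scan ran after that Run value had already been removed).
SAMPLE_LINES = [
    "O2 - BHO: AVG Security Toolbar BHO - {A3BC75A2-1F87-4686-AA43-5347D756017C} - C:\\Program Files\\AVG\\AVG8\\Toolbar\\IEToolbar.dll",
    "O2 - BHO: (no name) - {49abb7e8-dda5-4080-9a46-37fc2e15c28d} - vetahadu.dll (file missing)",
    "O3 - Toolbar: (no name) - {BA52B914-B692-46c4-B683-905236F6F655} - (no file)",
    "O4 - HKLM\\..\\Run: [igfxtray] C:\\WINDOWS\\system32\\igfxtray.exe",
    "O4 - HKLM\\..\\Run: [62047928] C:\\Documents and Settings\\All Users\\Application Data\\62047928\\62047928.exe",
    "O20 - AppInit_DLLs: wehebopa.dll",
    "O20 - Winlogon Notify: avgrsstarter - C:\\WINDOWS\\SYSTEM32\\avgrsstx.dll",
    '"UpdatesDisableNotify"=dword:00000001',
    '"EnableFirewall"= 0 (0x0)',
]

# The Vundo DLLs in these logs all carry pseudo-random eight-letter names
# (tubiwewa, vetahadu, wehebopa, ...). This is a heuristic, not a signature:
# legitimate files such as avgrsstx.dll also match, so it is only applied where
# the entry is already suspicious (AppInit_DLLs, or a browser hook whose file is gone).
RANDOM_DLL = re.compile(r"\b[a-z]{8}\.dll\b")

# The rogue "security" product in this thread ran from a folder named only with
# digits under All Users\Application Data (62047928, later 85760430).
NUMERIC_DATA_DIR = re.compile(r"\\Application Data\\\d{6,}\\", re.IGNORECASE)

ORPHAN_MARKERS = ("(file missing)", "(no file)")


def triage_line(line):
    """Return (severity, reason) for one log line, or None if nothing stands out."""
    line = line.strip()
    if line.startswith("O20 - AppInit_DLLs:"):
        value = line.split(":", 1)[1].strip()
        if RANDOM_DLL.search(value):
            return ("high", "AppInit_DLLs loads a pseudo-random eight-letter DLL into every process")
        return ("review", "AppInit_DLLs is set; confirm the DLL belongs to installed software")
    if line.startswith(("O2 - BHO:", "O3 - Toolbar:", "R3 - URLSearchHook:")):
        if any(marker in line for marker in ORPHAN_MARKERS):
            if RANDOM_DLL.search(line):
                return ("medium", "orphaned browser hook still points at a random-named DLL")
            return ("low", "orphaned browser extension entry; harmless but should be cleaned up")
        return None
    if line.startswith("O4 -") and NUMERIC_DATA_DIR.search(line):
        return ("high", "autorun from a numeric folder under All Users\\Application Data (rogue AV pattern)")
    if line.startswith('"UpdatesDisableNotify"') and line.endswith("dword:00000001"):
        return ("medium", "Security Center update notifications have been switched off")
    if line.startswith('"EnableFirewall"') and re.search(r"=\s*0\b", line):
        return ("medium", "Windows Firewall standard profile is disabled")
    return None


def triage(lines):
    """Run triage_line over a whole log; returns [(severity, reason, line), ...]."""
    findings = []
    for line in lines:
        hit = triage_line(line)
        if hit is not None:
            findings.append((hit[0], hit[1], line.strip()))
    return findings


if __name__ == "__main__":
    for severity, reason, line in triage(SAMPLE_LINES):
        print(f"[{severity:6}] {reason}\n         {line}")
```

Feed it a saved HijackThis log line by line to get the same shortlist a helper would draw up by hand; anything rated high is what the rogue uses to come back after a reboot.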
#2
Posted 15 October 2009 - 06:29 PM
Quote
Downloaded and purchased xxx scanner because it advertised that it could fix Security Tools, but didn't
------------
Delete any existing copy of ComboFix.exe and then visit this webpage for instructions for downloading a fresh one:
http://www.bleepingc...to-use-combofix
Post the log from ComboFix when you've accomplished that.
#3
Posted 15 October 2009 - 11:04 PM
You can bet I'm gonna do that - and guess which one I'm going to buy 
Here is the newest ComboFix log. THANK YOU THANK YOU THANK YOU!
ComboFix 09-10-15.01 - Eric 10/15/2009 17:46.1.2 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.1014.487 [GMT -5:00]
Running from: c:\documents and settings\Eric\Desktop\ComboFix.exe
AV: AVG Anti-Virus Free *On-access scanning disabled* (Updated) {17DDD097-36FF-435F-9E1B-52D74245D6BF}
FW: McAfee Personal Firewall Plus *disabled* {94894B63-8C7F-4050-BDA4-813CA00DA3E8}
* Resident AV is active
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
c:\documents and settings\All Users\Application Data\85760430
c:\documents and settings\All Users\Application Data\85760430\85760430.bat
c:\documents and settings\All Users\Application Data\85760430\85760430.exe
c:\windows\system32\dehaseha.dll.tmp
c:\windows\system32\fujewipe.dll
c:\windows\system32\gerogije.dll
c:\windows\system32\godanihe.dll
c:\windows\system32\hawajifi.dll
c:\windows\system32\hojahuge.dll
c:\windows\system32\husugudi.dll
c:\windows\system32\meruyuva.dll
c:\windows\system32\mirikiri.dll
c:\windows\system32\punehomi.dll
c:\windows\system32\tuwefake.dll
c:\windows\system32\vajoneyo.dll
c:\windows\system32\vetahadu.dll.tmp
c:\windows\system32\wamejawe.dll
c:\windows\system32\yubiwojo.dll
c:\windows\system32\yuterahi.dll
c:\windows\system32\zufajudi.dll
.
((((((((((((((((((((((((( Files Created from 2009-09-15 to 2009-10-15 )))))))))))))))))))))))))))))))
.
2009-10-15 22:40 . 2009-10-15 22:41 -------- d-----w- C:\Combo-Fix
2009-10-15 02:12 . 2009-10-15 02:14 -------- d-----w- c:\program files\Windows Live Safety Center
2009-10-09 19:01 . 2009-10-09 19:01 -------- d-----w- c:\documents and settings\Eric\Application Data\Malwarebytes
2009-10-09 12:49 . 2009-10-09 12:49 -------- d-----w- c:\documents and settings\Eric\Local Settings\Application Data\WMTools Downloaded Files
2009-10-08 22:43 . 2009-09-10 19:54 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2009-10-08 22:43 . 2009-10-11 19:43 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2009-10-08 22:43 . 2009-09-10 19:53 19160 ----a-w- c:\windows\system32\drivers\mbam.sys
2009-10-08 00:57 . 2008-12-11 13:38 159600 ----a-w- c:\windows\system32\drivers\pctgntdi.sys
2009-10-08 00:57 . 2009-08-24 19:05 206256 ----a-w- c:\windows\system32\drivers\PCTCore.sys
2009-10-08 00:57 . 2009-08-19 16:01 86888 ----a-w- c:\windows\system32\drivers\PCTAppEvent.sys
2009-10-08 00:56 . 2009-10-08 00:58 -------- d-----w- c:\program files\Common Files\PC Tools
2009-10-08 00:56 . 2008-12-10 16:36 64392 ----a-w- c:\windows\system32\drivers\pctplsg.sys
2009-10-08 00:56 . 2009-10-14 23:38 -------- d-----w- c:\program files\Spyware Doctor
2009-10-08 00:02 . 2006-05-20 17:02 -------- d-----w- c:\documents and settings\Administrator\Application Data\Symantec
2009-10-03 22:02 . 2009-10-03 22:02 -------- d-----w- c:\program files\Microsoft Silverlight
2009-09-27 03:26 . 2009-09-27 03:26 -------- d-sh--w- c:\windows\ftpcache
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-10-15 22:27 . 2009-10-08 00:56 -------- d---a-w- c:\documents and settings\All Users\Application Data\TEMP
2009-10-14 23:17 . 2009-05-26 21:36 -------- d-----w- c:\documents and settings\All Users\Application Data\Microsoft Help
2009-10-12 20:20 . 2009-05-26 16:13 34800 ----a-w- c:\documents and settings\Eric\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2009-10-12 20:16 . 2006-05-20 17:02 -------- d-----w- c:\program files\Common Files\Symantec Shared
2009-10-12 20:13 . 2006-05-20 17:02 -------- d-----w- c:\documents and settings\All Users\Application Data\Symantec
2009-10-12 20:10 . 2006-05-20 17:00 -------- d-----w- c:\program files\Common Files\Corel
2009-10-08 00:56 . 2009-10-08 00:56 -------- d-----w- c:\documents and settings\All Users\Application Data\PC Tools
2009-10-08 00:56 . 2009-10-08 00:56 -------- d-----w- c:\documents and settings\Administrator\Application Data\PC Tools
2009-10-08 00:43 . 2009-10-08 00:22 -------- d-----w- c:\program files\winlogon
2009-10-08 00:22 . 2009-10-08 00:22 -------- d-----w- c:\documents and settings\Administrator\Application Data\Malwarebytes
2009-10-08 00:22 . 2009-10-08 00:22 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
2009-09-27 03:24 . 2009-05-26 21:01 -------- d-----w- c:\program files\Yahoo! Games
2009-09-12 17:58 . 2009-05-29 22:20 3350 --sha-w- c:\windows\system32\KGyGaAvL.sys
2009-09-12 17:58 . 2009-05-29 22:20 88 --sh--r- c:\windows\system32\3EF6841A13.sys
2009-09-11 14:18 . 2004-08-10 17:51 136192 ----a-w- c:\windows\system32\msv1_0.dll
2009-09-04 21:03 . 2004-08-10 17:51 58880 ----a-w- c:\windows\system32\msasn1.dll
2009-08-29 07:36 . 2004-08-10 17:51 832512 ----a-w- c:\windows\system32\wininet.dll
2009-08-29 07:36 . 2004-08-10 17:51 78336 ----a-w- c:\windows\system32\ieencode.dll
2009-08-29 07:36 . 2004-08-10 17:50 17408 ----a-w- c:\windows\system32\corpol.dll
2009-08-27 00:13 . 2009-05-26 16:42 -------- d-----w- c:\documents and settings\Eric\Application Data\AdobeUM
2009-08-26 08:00 . 2004-08-10 17:51 247326 ----a-w- c:\windows\system32\strmdll.dll
2009-08-23 13:18 . 2009-05-26 20:24 11952 ----a-w- c:\windows\system32\avgrsstx.dll
2009-08-23 13:18 . 2009-05-26 20:24 335240 ----a-w- c:\windows\system32\drivers\avgldx86.sys
2009-08-23 13:18 . 2009-05-26 20:24 27784 ----a-w- c:\windows\system32\drivers\avgmfx86.sys
2009-08-19 15:34 . 2009-08-19 15:33 -------- d-----w- c:\program files\iTunes
2009-08-19 15:33 . 2009-08-19 15:33 -------- d-----w- c:\program files\iPod
2009-08-19 15:33 . 2009-05-27 16:07 -------- d-----w- c:\program files\Common Files\Apple
2009-08-07 00:24 . 2004-08-10 18:02 327896 ----a-w- c:\windows\system32\wucltui.dll
2009-08-07 00:24 . 2004-08-10 18:02 209632 ----a-w- c:\windows\system32\wuweb.dll
2009-08-07 00:24 . 2008-10-16 19:09 44768 ----a-w- c:\windows\system32\wups2.dll
2009-08-07 00:24 . 2004-08-10 18:02 35552 ----a-w- c:\windows\system32\wups.dll
2009-08-07 00:24 . 2004-08-10 18:02 53472 ------w- c:\windows\system32\wuauclt.exe
2009-08-07 00:24 . 2004-08-10 17:50 96480 ----a-w- c:\windows\system32\cdm.dll
2009-08-07 00:23 . 2004-08-10 18:02 575704 ----a-w- c:\windows\system32\wuapi.dll
2009-08-07 00:23 . 2009-05-27 14:36 274288 ----a-w- c:\windows\system32\mucltui.dll
2009-08-07 00:23 . 2008-10-16 19:07 215920 ----a-w- c:\windows\system32\muweb.dll
2009-08-07 00:23 . 2004-08-10 18:02 1929952 ----a-w- c:\windows\system32\wuaueng.dll
2009-08-05 09:01 . 2004-08-10 17:51 204800 ----a-w- c:\windows\system32\mswebdvd.dll
2009-08-04 15:13 . 2004-08-10 17:51 2145280 ------w- c:\windows\system32\ntoskrnl.exe
2009-08-04 14:20 . 2004-08-04 03:59 2023936 ------w- c:\windows\system32\ntkrnlpa.exe
2009-07-15 22:40 . 2009-07-15 22:40 1090082 --sha-w- c:\windows\system32\roloropo.exe
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\URLSearchHooks]
"{A3BC75A2-1F87-4686-AA43-5347D756017C}"= "c:\program files\AVG\AVG8\Toolbar\IEToolbar.dll" [2009-09-02 1107200]
[HKEY_CLASSES_ROOT\clsid\{a3bc75a2-1f87-4686-aa43-5347d756017c}]
[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{A3BC75A2-1F87-4686-AA43-5347D756017C}]
2009-09-02 16:58 1107200 ----a-w- c:\program files\AVG\AVG8\Toolbar\IEToolbar.dll
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
"{CCC7A320-B3CA-4199-B1A6-9F516DD69829}"= "c:\program files\AVG\AVG8\Toolbar\IEToolbar.dll" [2009-09-02 1107200]
[HKEY_CLASSES_ROOT\clsid\{ccc7a320-b3ca-4199-b1a6-9f516dd69829}]
[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\Webbrowser]
"{CCC7A320-B3CA-4199-B1A6-9F516DD69829}"= "c:\program files\AVG\AVG8\Toolbar\IEToolbar.dll" [2009-09-02 1107200]
[HKEY_CLASSES_ROOT\clsid\{ccc7a320-b3ca-4199-b1a6-9f516dd69829}]
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"DellSupport"="c:\program files\DellSupport\DSAgnt.exe" [2007-03-15 460784]
"MSMSGS"="c:\program files\Messenger\msmsgs.exe" [2008-04-14 1695232]
"DellTransferAgent"="c:\documents and settings\All Users\Application Data\Dell\TransferAgent\TransferAgent.exe" [2007-11-13 135168]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"igfxtray"="c:\windows\system32\igfxtray.exe" [2005-10-15 94208]
"igfxhkcmd"="c:\windows\system32\hkcmd.exe" [2005-10-15 77824]
"igfxpers"="c:\windows\system32\igfxpers.exe" [2005-10-15 114688]
"SunJavaUpdateSched"="c:\program files\Java\j2re1.4.2_03\bin\jusched.exe" [2003-11-19 32881]
"DMXLauncher"="c:\program files\Dell\Media Experience\DMXLauncher.exe" [2005-10-05 94208]
"MimBoot"="c:\progra~1\MUSICM~1\MUSICM~3\mimboot.exe" [2005-09-09 8192]
"MMTray"="c:\program files\Musicmatch\Musicmatch Jukebox\mm_tray.exe" [2005-09-09 110592]
"ISUSPM Startup"="c:\program files\Common Files\InstallShield\UpdateService\isuspm.exe" [2005-06-10 249856]
"ISUSScheduler"="c:\program files\Common Files\InstallShield\UpdateService\issch.exe" [2005-06-10 81920]
"VSOCheckTask"="c:\progra~1\McAfee.com\VSO\mcmnhdlr.exe" [2005-07-08 151552]
"OASClnt"="c:\program files\McAfee.com\VSO\oasclnt.exe" [2005-08-12 53248]
"DLA"="c:\windows\System32\DLA\DLACTRLW.EXE" [2005-09-08 122940]
"Corel Photo Downloader"="c:\program files\Corel\Corel Photo Album 6\MediaDetect.exe" [2006-02-09 106496]
"VirusScan Online"="c:\progra~1\mcafee.com\vso\mcvsshld.exe" [2005-08-10 163840]
"MPFExe"="c:\progra~1\McAfee.com\PERSON~1\MpfTray.exe" [2005-08-18 999424]
"AVG8_TRAY"="c:\progra~1\AVG\AVG8\avgtray.exe" [2009-10-03 2023704]
"CanonMyPrinter"="c:\program files\Canon\MyPrinter\BJMyPrt.exe" [2006-10-17 1197648]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2009-05-26 413696]
"Malwarebytes Anti-Malware (reboot)"="c:\program files\Malwarebytes' Anti-Malware\mbam.exe" [2009-09-10 1312080]
"RealTray"="c:\program files\Real\RealPlayer\RealPlay.exe" [2006-05-20 26112]
"MSKDetectorExe"="c:\progra~1\McAfee\SPAMKI~1\MSKDetct.exe" [2005-07-13 1117184]
"MSKAGENTEXE"="c:\progra~1\McAfee\SPAMKI~1\MskAgent.exe" [2005-07-12 110592]
"MCUpdateExe"="c:\progra~1\mcafee.com\agent\mcupdate.exe" [2005-08-26 212992]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2009-07-13 292128]
c:\documents and settings\All Users\Start Menu\Programs\Startup\
America Online 9.0 Tray Icon.lnk - c:\program files\America Online 9.0\aoltray.exe [2006-5-20 156784]
Digital Line Detect.lnk - c:\program files\Digital Line Detect\DLG.exe [2006-5-20 24576]
QuickBooks Update Agent.lnk - c:\program files\Common Files\Intuit\QuickBooks\QBUpdate\qbupdate.exe [2004-11-11 806912]
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\avgrsstarter]
2009-08-23 13:18 11952 ----a-w- c:\windows\system32\avgrsstx.dll
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\sdauxservice]
@=""
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\sdcoreservice]
@=""
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeFirewall]
"DisableMonitoring"=dword:00000001
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Common Files\\AOL\\ACS\\AOLDial.exe"=
"c:\\Program Files\\Common Files\\AOL\\ACS\\AOLacsd.exe"=
"c:\\Program Files\\America Online 9.0\\waol.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\AVG\\AVG8\\avgemc.exe"=
"c:\\Program Files\\AVG\\AVG8\\avgupd.exe"=
"c:\\Program Files\\AVG\\AVG8\\avgnsx.exe"=
"c:\\Program Files\\Microsoft Office\\Office12\\ONENOTE.EXE"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\\Program Files\\Symantec\\LiveUpdate\\LuComServer_2_6.EXE"=
"c:\\Program Files\\McAfee\\SpamKiller\\MSKDetct.exe"=
"c:\\WINDOWS\\system32\\DLA\\DLACTRLW.EXE"=
"c:\\Program Files\\MUSICMATCH\\Musicmatch Jukebox\\mimboot.exe"=
"c:\\Program Files\\America Online 9.0\\aoltray.exe"=
"c:\\Program Files\\Canon\\MyPrinter\\BJMYPRT.EXE"=
R0 PCTCore;PCTools KDS;c:\windows\system32\drivers\PCTCore.sys [10/7/2009 7:57 PM 206256]
R1 AvgLdx86;AVG Free AVI Loader Driver x86;c:\windows\system32\drivers\avgldx86.sys [5/26/2009 3:24 PM 335240]
R1 AvgTdiX;AVG Free8 Network Redirector;c:\windows\system32\drivers\avgtdix.sys [5/26/2009 3:24 PM 108552]
R2 avg8emc;AVG Free8 E-mail Scanner;c:\progra~1\AVG\AVG8\avgemc.exe [5/26/2009 3:24 PM 908056]
R2 avg8wd;AVG Free8 WatchDog;c:\progra~1\AVG\AVG8\avgwdsvc.exe [5/26/2009 3:24 PM 297752]
S3 sdAuxService;PC Tools Auxiliary Service;c:\program files\Spyware Doctor\pctsAuxs.exe [10/7/2009 7:56 PM 348824]
.
Contents of the 'Scheduled Tasks' folder
2009-10-06 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 17:34]
2009-10-15 c:\windows\Tasks\McAfee.com Scan for Viruses - My Computer (D6YGJ0B1-Eric).job
- c:\program files\mcafee.com\vso\mcmnhdlr.exe [2006-05-20 23:18]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://my.yahoo.com/
uInternet Settings,ProxyOverride = *.local
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~4\Office12\EXCEL.EXE/3000
Trusted Zone: internet
Trusted Zone: musicmatch.com\online
.
- - - - ORPHANS REMOVED - - - -
BHO-{49abb7e8-dda5-4080-9a46-37fc2e15c28d} - gerogije.dll
HKLM-Run-85760430 - c:\documents and settings\All Users\Application Data\85760430\85760430.exe
HKLM-Run-vawalamow - c:\windows\system32\yubiwojo.dll
HKLM-Run-dabuluzipi - husugudi.dll
SharedTaskScheduler-{4caf3005-e5f3-41c5-a68e-f35e7acbe290} - c:\windows\system32\yubiwojo.dll
SSODL-jatumamey-{4caf3005-e5f3-41c5-a68e-f35e7acbe290} - c:\windows\system32\yubiwojo.dll
**************************************************************************
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-10-15 17:53
Windows 5.1.2600 Service Pack 3 NTFS
scanning hidden processes ...
scanning hidden autostart entries ...
scanning hidden files ...
scan completed successfully
hidden files: 0
**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------
- - - - - - - > 'explorer.exe'(2792)
c:\windows\system32\WININET.dll
c:\windows\system32\ieframe.dll
.
------------------------ Other Running Processes ------------------------
.
c:\progra~1\COMMON~1\AOL\ACS\AOLacsd.exe
c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
c:\program files\Bonjour\mDNSResponder.exe
c:\program files\McAfee.com\Agent\Mcdetect.exe
c:\progra~1\McAfee.com\VSO\McShield.exe
c:\progra~1\McAfee.com\Agent\McTskshd.exe
c:\program files\AVG\AVG8\avgrsx.exe
c:\progra~1\AVG\AVG8\avgnsx.exe
c:\program files\MUSICMATCH\Musicmatch Jukebox\mim.exe
c:\progra~1\McAfee.com\PERSON~1\MpfService.exe
c:\progra~1\McAfee\SPAMKI~1\MSKSrvr.exe
c:\progra~1\MUSICM~1\MUSICM~3\MMDiag.exe
c:\windows\system32\wdfmgr.exe
c:\program files\AVG\AVG8\avgcsrvx.exe
c:\windows\system32\wscntfy.exe
c:\program files\iPod\bin\iPodService.exe
.
**************************************************************************
.
Completion time: 2009-10-15 17:58 - machine was rebooted
ComboFix-quarantined-files.txt 2009-10-15 22:58
ComboFix2.txt 2009-10-13 11:09
Pre-Run: 43,614,420,992 bytes free
Post-Run: 43,568,259,072 bytes free
241 --- E O F --- 2009-10-15 22:24
Here is the newest ComboFix log. THANK YOU THANK YOU THANK YOU!
#4
Posted 15 October 2009 - 11:19 PM
c:\program files\winlogon -- this appears to be something you created. I'm going to ignore that.
c:\windows\system32\roloropo.exe - this one can be manually deleted. It won't resist deletion. Just be careful not to double click on it.
----------
ESET Online Scanner
- Please go to the following link ESET Online Scanner Link
- Tick the box YES, I accept the Terms Of Use
- Click the Start button
- Now click the Install button
- Click Start
The scanner engine will initialise and update
- Do Not tick the box Remove found threats
- Click the Scan button
The scan will now run, please be patient
- When the scan finishes click the Details tab
- Copy and paste the contents of the C:\Program Files\EsetOnlineScanner\log.txt back here.
#5
Posted 16 October 2009 - 01:30 AM
You are right! Winlogon was Malwarebytes renamed when I was trying to sneak it in. I deleted it, and also deleted c:\windows\system32\roloropo.exe.
Here are the results of the ESET scan:
C:\Qoobox\Quarantine\C\Documents and Settings\All Users\Application Data\85760430\85760430.exe.vir a variant of Win32/Kryptik.AVG trojan
C:\Qoobox\Quarantine\C\WINDOWS\system32\dehaseha.dll.tmp.vir a variant of Win32/Adware.SuperJuan.F application
C:\Qoobox\Quarantine\C\WINDOWS\system32\gerogije.dll.vir a variant of Win32/Adware.SuperJuan.H application
C:\Qoobox\Quarantine\C\WINDOWS\system32\godanihe.dll.vir a variant of Win32/Adware.Virtumonde.NFR application
C:\Qoobox\Quarantine\C\WINDOWS\system32\hawajifi.dll.vir a variant of Win32/Adware.Virtumonde.NFR application
C:\Qoobox\Quarantine\C\WINDOWS\system32\hojahuge.dll.vir a variant of Win32/Adware.SuperJuan.F application
C:\Qoobox\Quarantine\C\WINDOWS\system32\husugudi.dll.vir a variant of Win32/Adware.SuperJuan.H application
C:\Qoobox\Quarantine\C\WINDOWS\system32\meruyuva.dll.vir a variant of Win32/Adware.Virtumonde.NFR application
C:\Qoobox\Quarantine\C\WINDOWS\system32\mirikiri.dll.vir a variant of Win32/Adware.SuperJuan.H application
C:\Qoobox\Quarantine\C\WINDOWS\system32\punehomi.dll.vir a variant of Win32/Adware.SuperJuan.H application
C:\Qoobox\Quarantine\C\WINDOWS\system32\tuwefake.dll.vir a variant of Win32/Adware.Virtumonde.NFR application
C:\Qoobox\Quarantine\C\WINDOWS\system32\vajoneyo.dll.vir Win32/Adware.Virtumonde.NFT application
C:\Qoobox\Quarantine\C\WINDOWS\system32\vetahadu.dll.tmp.vir a variant of Win32/Adware.SuperJuan.F application
C:\Qoobox\Quarantine\C\WINDOWS\system32\wamejawe.dll.vir a variant of Win32/AntiAV.NCZ trojan
C:\Qoobox\Quarantine\C\WINDOWS\system32\yuterahi.dll.vir a variant of Win32/Adware.Virtumonde.NFR application
C:\Qoobox\Quarantine\C\WINDOWS\system32\zufajudi.dll.vir a variant of Win32/Adware.SuperJuan.F application
C:\RECYCLER\S-1-5-21-518518524-701283741-3043286967-1006\Dc2.exe a variant of Win32/Kryptik.AVG trojan
Thank you again!
#6
Posted 16 October 2009 - 01:34 AM
Of the stuff found,
C:\RECYCLER\S-1-5-21-518518524-701283741-3043286967-1006\Dc2.exe is that roloropo.exe you just deleted.
C:\QooBox is ComboFix's quarantine folder. We'll take care of it when we uninstall ComboFix
I don't think Security Tool is coming back
Now that your system is clean, kindly follow these simple steps in order to keep your computer clean and secure:
- Uninstall ComboFix ... do not skip this step
This process will perform some post cleanup measures.
Do this by going to Start > Run & typing in ComboFix /u
- ANTIVIRUS SOFTWARE
It is imperative that you update your Antivirus software at least once a week (Even more if you wish). If you do not update your antivirus software then it will not be able to catch any of the new variants that may come out.
- Microsoft Windows Update → http://www.windowsupdate.com
Visit regularly. This will ensure your computer always has the latest security updates. If there are new updates to install, install them immediately, reboot your computer, and revisit the site until there are no more critical updates.
- http://www.mozilla.o...oducts/firefox/ - Firefox - Use this alternate browser. Whilst Internet Explorer is not a bad browser, almost every exploit crafted is targeted to take advantage of an IE weakness.
- http://java.com/en/index.jsp - Sun's Java - It's much more secure than Microsoft's Java Virtual Machine.
- http://www.aumha.org...erunt-setup.exe - ERUNT - A useful freeware utility for users of Windows 2000/XP. It's made up of two parts - ERUNT & NTREGOPT.
ERUNT will create daily complete backups of your computer's Registry. Whilst System Restore does the same thing, a corrupt registry file may prevent Windows from booting & this effectively disables System Restore. With ERUNT, you're able to restore the damaged Registry.
NTREGOPT works by recreating each registry hive "from scratch", thus removing any slack space that may be left from previously modified or deleted keys. In other words, it compacts the Registry to a small size which allows Windows to load & perform faster.
To find out more information about how you got infected in the first place and some great guidelines to follow to prevent future infections you can read this article by Tony Klein - http://www.spywarein...showtopic=60955
After doing all these, your system will be optimised against future threats.
Have a safe & happy computing day.

Kindly respond to this thread once more so we can mark this thread as resolved.
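The triage the helper does by hand in post #6 (everything under C:\Qoobox is already in ComboFix's quarantine, so the one live hit is the RECYCLER file) can be scripted over the ESET log format quoted earlier in the thread. The Python below is an added example, not code from the thread, from ESET or from ComboFix; the sample lines are constructed in that log format, and treating any path under C:\Qoobox\Quarantine as already contained is an assumption taken from this thread.

```python
import re
from collections import Counter

# Constructed sample in the ESET online scanner log format seen in this thread:
# <path> [a variant of ]<Win32/Detection.Name> <category>
SAMPLE_LOG = r"""
C:\Qoobox\Quarantine\C\Documents and Settings\All Users\Application Data\85760430\85760430.exe.vir a variant of Win32/Kryptik.AVG trojan
C:\Qoobox\Quarantine\C\WINDOWS\system32\hawajifi.dll.vir a variant of Win32/Adware.Virtumonde.NFR application
C:\Qoobox\Quarantine\C\WINDOWS\system32\vajoneyo.dll.vir Win32/Adware.Virtumonde.NFT application
C:\Qoobox\Quarantine\C\WINDOWS\system32\wamejawe.dll.vir a variant of Win32/AntiAV.NCZ trojan
C:\RECYCLER\S-1-5-21-518518524-701283741-3043286967-1006\Dc2.exe a variant of Win32/Kryptik.AVG trojan
"""

# Non-greedy path so that paths containing spaces ("Documents and Settings")
# still parse; the detection name anchors the split.
LINE_RE = re.compile(
    r"^(?P<path>.+?)\s+(?:a variant of\s+)?(?P<name>Win32/\S+)\s+(?P<kind>\w+)$"
)

# Assumption: ComboFix's quarantine folder, as named in this thread.
QUARANTINE_PREFIXES = ("c:\\qoobox\\quarantine\\",)


def parse_eset_line(line):
    """Return a dict for one detection line, or None if it is not one."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["variant"] = "a variant of" in line
    rec["quarantined"] = rec["path"].lower().startswith(QUARANTINE_PREFIXES)
    # Family = detection name without platform prefix and variant suffix,
    # e.g. Win32/Adware.Virtumonde.NFR -> Adware.Virtumonde
    rec["family"] = rec["name"].split("/", 1)[1].rsplit(".", 1)[0]
    return rec


def triage(log_text):
    """Split detections into already-quarantined vs live, and count families."""
    live, quarantined, families = [], [], Counter()
    for line in log_text.splitlines():
        rec = parse_eset_line(line)
        if rec is None:
            continue
        families[rec["family"]] += 1
        (quarantined if rec["quarantined"] else live).append(rec)
    return {"live": live, "quarantined": quarantined, "families": families}


if __name__ == "__main__":
    result = triage(SAMPLE_LOG)
    for rec in result["live"]:
        print("LIVE:", rec["path"], rec["name"])
    print("families:", dict(result["families"]))
```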
#7
Posted 16 October 2009 - 02:19 AM
I don't know what else to say but offer you my humble thanks. We will, for sure, follow your tips for safer surfing. In fact, I'm going right now to set his default browser to Firefox. I've already taken care of some of your other suggestions.
Once again...thank you. You RAWK!