
Malwarebytes

Vundo.IH invasion


12 replies to this topic

#1
brit

    New Member

  • Members
  • 7 posts
Picked up the Vundo.IH virus, which blocked my copy of malwarebytes. When I tried to load it, the computer said it couldn't find the exe file. Windows Defender is blocked, I have to restart manually. It deleted the Symantec virus program, nasty piece of work it is. I downloaded AVG virus protection and it keeps finding Window\system32\zurufalo.dll and window\system2\lsass.exe as infected. It locks them in the vault, and after rebooting they're back to be locked up. I also get a pop-up window rundll stating it can't find window\system32\goyujumu.dll.

Hijack log is:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 10:41:55 PM, on 10/31/2009
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16915)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\AVG\AVG9\avgchsvx.exe
C:\Program Files\AVG\AVG9\avgrsx.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\AVG\AVG9\avgcsrvx.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Symantec\SEA\snac.exe
C:\Program Files\Symantec\SEA\smc.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\AVG\AVG9\avgtray.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\AVG\AVG9\avgwdsvc.exe
C:\Program Files\NavNT\defwatch.exe
C:\Program Files\Common Files\Authentium\AntiVirus\dvpapi.exe
C:\WINDOWS\system32\HPConfig.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\HPQ\Notebook Utilities\HPWirelessMgr.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\AVG\AVG9\avgnsx.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\NavNT\rtvscan.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\AVG\AVG9\avgemc.exe
C:\Program Files\AVG\AVG9\avgcsrvx.exe
C:\Program Files\Symantec\SEA\SmcGui.exe
C:\WINDOWS\system32\MsgSys.EXE
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\Smart Web Printing\hpswp_clipbook.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.mfire.com
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://srch-us4nb.hpwis.com/
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.verizon.net/central/vzc.portal?...eLabel=customer
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft....k/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft....k/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://srch-us4nb.hpwis.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft....k/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft....k/?LinkId=69157
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = http://srch-us4nb.hpwis.com/
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = mFire
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll
R3 - URLSearchHook: AVG Security Toolbar BHO - {A3BC75A2-1F87-4686-AA43-5347D756017C} - C:\Program Files\AVG\AVG9\Toolbar\IEToolbar.dll
O2 - BHO: &Yahoo! Toolbar Helper - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll
O2 - BHO: HP Print Enhancer - {0347C33E-8762-4905-BF09-768834316C61} - C:\Program Files\Hewlett-Packard\Digital Imaging\Smart Web Printing\hpswp_printenhancer.dll
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Program Files\AVG\AVG9\avgssie.dll
O2 - BHO: AVG Security Toolbar BHO - {A3BC75A2-1F87-4686-AA43-5347D756017C} - C:\Program Files\AVG\AVG9\Toolbar\IEToolbar.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - C:\Program Files\Google\Google Toolbar\GoogleToolbar_32.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\5.3.4501.1418\swg.dll
O2 - BHO: Google Dictionary Compression sdch - {C84D72FE-E17D-4195-BB24-76C02E2E7C4E} - C:\Program Files\Google\Google Toolbar\Component\fastsearch_B7C5AC242193BB3E.dll
O2 - BHO: Java™ Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O2 - BHO: SingleInstance Class - {FDAD4DA1-61A2-4FD8-9C17-86F7AC245081} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\YTSingleInstance.dll
O2 - BHO: HP Smart BHO Class - {FFFFFFFF-CF4E-4F2B-BDC2-0E72E116A856} - C:\Program Files\Hewlett-Packard\Digital Imaging\Smart Web Printing\hpswp_BHO.dll
O3 - Toolbar: Google Toolbar - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - C:\Program Files\Google\Google Toolbar\GoogleToolbar_32.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll
O3 - Toolbar: AVG Security Toolbar - {CCC7A320-B3CA-4199-B1A6-9F516DD69829} - C:\Program Files\AVG\AVG9\Toolbar\IEToolbar.dll
O4 - HKLM\..\Run: [AVG9_TRAY] C:\PROGRA~1\AVG\AVG9\avgtray.exe
O4 - HKLM\..\RunOnce: [Malwarebytes' Anti-Malware] C:\Program Files\Malwarebytes' Anti-Malware\mbamgui.exe /install /silent
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [swg] "C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe"
O4 - HKUS\S-1-5-18\..\Run: [DWQueuedReporting] "C:\PROGRA~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" -t (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [DWQueuedReporting] "C:\PROGRA~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" -t (User 'Default user')
O9 - Extra button: Show or hide HP Smart Web Printing - {DDE87865-83C5-48c4-8357-2F5B1AA84522} - C:\Program Files\Hewlett-Packard\Digital Imaging\Smart Web Printing\hpswp_BHO.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O10 - Unknown file in Winsock LSP: c:\windows\system32\nwprovau.dll
O16 - DPF: vzTCPConfig - http://www2.verizon.net/help/fios_settings...vzTCPConfig.CAB
O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.symantec.com/sscv6/SharedC...bin/AvSniff.cab
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/SharedC...n/bin/cabsa.cab
O16 - DPF: {6F15128C-E66A-490C-B848-5000B5ABEEAC} (HP Download Manager) - https://h20436.www2....re/HPDEXAXO.cab
O16 - DPF: {819F8533-D935-4183-B692-587F8D56AC3C} (iolo.AV.OnlineVirusScanner) - http://www.iolo.com/...x/AVCheckUp.ocx
O16 - DPF: {8BE5651C-D60B-4B59-B5B2-F0EB93733D17} (IOBIVMUtil.VMDecoder) - https://www36.verizo.../IOBIVMUtil.CAB
O16 - DPF: {A90A5822-F108-45AD-8482-9BC8B12DD539} (Crucial cpcScan) - http://www.crucial.c.../cpcScanner.cab
O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files\AVG\AVG9\avgpp.dll
O20 - AppInit_DLLs: nevorefa.dll
O20 - Winlogon Notify: avgrsstarter - C:\WINDOWS\SYSTEM32\avgrsstx.dll
O21 - SSODL: yasikalut - {a759abb6-6194-429e-a63f-43cbc5ed8bb9} - (no file)
O21 - SSODL: nogiyesuw - {d3b6fa4b-7fe6-4e8c-b2ac-2d50b1752dcb} - (no file)
O21 - SSODL: negiligij - {86d99253-558e-4181-9523-c9ceb802d9fd} - (no file)
O22 - SharedTaskScheduler: tokatiluy - {a759abb6-6194-429e-a63f-43cbc5ed8bb9} - (no file)
O22 - SharedTaskScheduler: jugezatag - {d3b6fa4b-7fe6-4e8c-b2ac-2d50b1752dcb} - (no file)
O22 - SharedTaskScheduler: mujuzedij - {86d99253-558e-4181-9523-c9ceb802d9fd} - (no file)
O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: AVG Free E-mail Scanner (avg9emc) - AVG Technologies CZ, s.r.o. - C:\Program Files\AVG\AVG9\avgemc.exe
O23 - Service: AVG Free WatchDog (avg9wd) - AVG Technologies CZ, s.r.o. - C:\Program Files\AVG\AVG9\avgwdsvc.exe
O23 - Service: DefWatch - Symantec Corporation - C:\Program Files\NavNT\defwatch.exe
O23 - Service: DvpApi (dvpapi) - Authentium, Inc. - C:\Program Files\Common Files\Authentium\AntiVirus\dvpapi.exe
O23 - Service: Google Software Updater (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: HP Configuration Interface Service (HPConfig) - Hewlett-Packard - C:\WINDOWS\system32\HPConfig.exe
O23 - Service: HPWirelessMgr - Hewlett-Packard Co. - C:\Program Files\HPQ\Notebook Utilities\HPWirelessMgr.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: Norton AntiVirus Client (Norton AntiVirus Server) - Symantec Corporation - C:\Program Files\NavNT\rtvscan.exe
O23 - Service: Symantec Enforcement Agent 5.1 (SmcService) - Symantec Corporation - C:\Program Files\Symantec\SEA\smc.exe
O23 - Service: Symantec NAC Service (SNAC) - Symantec Corporation - C:\Program Files\Symantec\SEA\snac.exe

--
End of file - 10271 bytes

#2
LDTate

    Forum Deity

  • Moderators
  • 15,503 posts
  • Gender:Male
  • Location:Missouri, USA
Hello and welcome to the forums.

Stay with this topic until I give you the final 'All clean' post.


Vista users:
1. These tools MUST be run from the executable. (.exe)
2. With Admin Rights (Right click, choose "Run as Administrator") every time you run them



1) exeHelper
Please download exeHelper to your desktop.
Double-click on exeHelper.com to run the fix.
A black window should pop up, press any key to close once the fix is completed.
Post the contents of log.txt (Will be created in the directory where you ran exeHelper.com)
Note: If the window shows a message that says "Error deleting file", please re-run the program before posting a log - and post the two logs together (they will both be in the one file).

You can also try running MBAM now.
Larry Tate
Consumer Support Specialist


Follow us: Twitter, Become a fan: Facebook

#3
brit

    New Member

  • Members
  • 7 posts
Things are tougher than I thought, can't download from your link, comes back as broken link.



LDTate, on Nov 1 2009, 09:39 AM, said:

Hello and welcome to the forums.

Stay with this topic until I give you the final 'All clean' post.


Vista users:
1. These tools MUST be run from the executable. (.exe)
2. With Admin Rights (Right click, choose "Run as Administrator") every time you run them



1) exeHelper
Please download exeHelper to your desktop.
Double-click on exeHelper.com to run the fix.
A black window should pop up, press any key to close once the fix is completed.
Post the contents of log.txt (Will be created in the directory where you ran exeHelper.com)
Note: If the window shows a message that says "Error deleting file", please re-run the program before posting a log - and post the two logs together (they will both be in the one file).

You can also try running MBAM now.


#4
brit

    New Member

  • Members
  • 7 posts
Also tried exehelper.com, got some link page with links to various "sites" to help you fix your problem, but I think they're the ones that put the garbage on that causes the problems.


LDTate, on Nov 1 2009, 09:39 AM, said:

Hello and welcome to the forums.

Stay with this topic until I give you the final 'All clean' post.


Vista users:
1. These tools MUST be run from the executable. (.exe)
2. With Admin Rights (Right click, choose "Run as Administrator") every time you run them



1) exeHelper
Please download exeHelper to your desktop.
Double-click on exeHelper.com to run the fix.
A black window should pop up, press any key to close once the fix is completed.
Post the contents of log.txt (Will be created in the directory where you ran exeHelper.com)
Note: If the window shows a message that says "Error deleting file", please re-run the program before posting a log - and post the two logs together (they will both be in the one file).

You can also try running MBAM now.


#5
LDTate

    Forum Deity

  • Moderators
  • 15,503 posts
  • Gender:Male
  • Location:Missouri, USA
You might want to print these instructions out.

I suggest you do this:

Double-click My Computer.
Click the Tools menu, and then click Folder Options.
Click the View tab.
Uncheck "Hide file extensions for known file types."
Under the "Hidden files" folder, select "Show hidden files and folders."
Uncheck "Hide protected operating system files."
Click Apply, and then click OK.


Please do not delete anything unless instructed to.


1. Launch Notepad (Start>All Programs>Accessories), and copy/paste all the quoted REGEDIT text below into it. Don't forget to include REGEDIT4.
Save in: Desktop
File Name: fixme.reg
Save as Type: All files
Click: Save

Quote

REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]
"AppInit_DLLs"=""


2. Save this text as fixme.reg. Make sure the "Save as type:" is "All Files (*.*)" and save it to your desktop. Include the word REGEDIT4

3. Double-click on fixme.reg. When it asks you to merge the information to the registry click Yes.



Run hijackthis. Hit None of the above, Click Do a System Scan Only. Put a checkmark/tick in the box on the left side on these:

O20 - AppInit_DLLs: nevorefa.dll
O21 - SSODL: yasikalut - {a759abb6-6194-429e-a63f-43cbc5ed8bb9} - (no file)
O21 - SSODL: nogiyesuw - {d3b6fa4b-7fe6-4e8c-b2ac-2d50b1752dcb} - (no file)
O21 - SSODL: negiligij - {86d99253-558e-4181-9523-c9ceb802d9fd} - (no file)
O22 - SharedTaskScheduler: tokatiluy - {a759abb6-6194-429e-a63f-43cbc5ed8bb9} - (no file)
O22 - SharedTaskScheduler: jugezatag - {d3b6fa4b-7fe6-4e8c-b2ac-2d50b1752dcb} - (no file)
O22 - SharedTaskScheduler: mujuzedij - {86d99253-558e-4181-9523-c9ceb802d9fd} - (no file)

Close ALL windows and browsers except HijackThis and click "Fix checked"


Reboot and "copy/paste" a new HijackThis log file into this thread.

Also please describe how your computer behaves at the moment.
Larry Tate
Consumer Support Specialist

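Added example, not part of the thread and not code from Malwarebytes or Trend Micro: a small Python script that parses the O20, O21 and O22 lines of a HijackThis v2 log and reproduces the reasoning behind the fix list in the post above. The flagging rules it applies (a non-empty AppInit_DLLs value, a CLSID whose server resolves to "(no file)", and one CLSID registered under both ShellServiceObjectDelayLoad and SharedTaskScheduler, the pairing visible in this log) are this example's own assumptions about what makes those lines worth a second look; the sample lines are copied from the first HijackThis log posted in the thread, with one benign AVG line left in to show it is not flagged.

```python
"""Triage the O20/O21/O22 autostart lines of a HijackThis v2 log.

Added example for this thread (assumed rules, not HijackThis logic):
  * O20 AppInit_DLLs: any value is flagged, because the listed DLL is
    loaded into every process that links user32.dll.
  * O21 SSODL / O22 SharedTaskScheduler: flagged when the CLSID's server
    is "(no file)", and when the same CLSID appears in both sections.
"""
import re
from collections import defaultdict

# Lines copied from the first HijackThis log in the thread (the O4 and
# Winlogon Notify lines are legitimate and should not be flagged).
SAMPLE_LOG = r"""
O4 - HKLM\..\Run: [AVG9_TRAY] C:\PROGRA~1\AVG\AVG9\avgtray.exe
O20 - AppInit_DLLs: nevorefa.dll
O20 - Winlogon Notify: avgrsstarter - C:\WINDOWS\SYSTEM32\avgrsstx.dll
O21 - SSODL: yasikalut - {a759abb6-6194-429e-a63f-43cbc5ed8bb9} - (no file)
O21 - SSODL: nogiyesuw - {d3b6fa4b-7fe6-4e8c-b2ac-2d50b1752dcb} - (no file)
O21 - SSODL: negiligij - {86d99253-558e-4181-9523-c9ceb802d9fd} - (no file)
O22 - SharedTaskScheduler: tokatiluy - {a759abb6-6194-429e-a63f-43cbc5ed8bb9} - (no file)
O22 - SharedTaskScheduler: jugezatag - {d3b6fa4b-7fe6-4e8c-b2ac-2d50b1752dcb} - (no file)
O22 - SharedTaskScheduler: mujuzedij - {86d99253-558e-4181-9523-c9ceb802d9fd} - (no file)
"""

APPINIT_RE = re.compile(r"^O20 - AppInit_DLLs: (?P<value>\S.*)$")
CLSID_RE = re.compile(
    r"^(?P<section>O2[12]) - (?P<kind>SSODL|SharedTaskScheduler): "
    r"(?P<name>.+?) - (?P<clsid>\{[0-9A-Fa-f-]{36}\}) - (?P<path>.+)$"
)


def parse_entries(log_text):
    """Return one dict per O20 AppInit_DLLs / O21 / O22 line; other lines are ignored."""
    entries = []
    for raw in log_text.splitlines():
        line = raw.strip()
        m = APPINIT_RE.match(line)
        if m:
            entries.append({"line": line, "section": "O20", "kind": "AppInit_DLLs",
                            "name": None, "clsid": None, "path": m["value"]})
            continue
        m = CLSID_RE.match(line)
        if m:
            entries.append({"line": line, "section": m["section"], "kind": m["kind"],
                            "name": m["name"], "clsid": m["clsid"].lower(),
                            "path": m["path"]})
    return entries


def paired_clsids(entries):
    """CLSIDs registered under both O21 (SSODL) and O22 (SharedTaskScheduler)."""
    seen = defaultdict(set)
    for e in entries:
        if e["clsid"]:
            seen[e["clsid"]].add(e["section"])
    return sorted(c for c, sections in seen.items() if {"O21", "O22"} <= sections)


def triage(log_text):
    """Return [(line, reason), ...] for every entry a reviewer should examine, in log order."""
    entries = parse_entries(log_text)
    paired = set(paired_clsids(entries))
    findings = []
    for e in entries:
        reasons = []
        if e["section"] == "O20":
            reasons.append("AppInit_DLLs is set; it injects into every user32 process")
        if e["path"] == "(no file)":
            reasons.append("CLSID server resolves to a missing file")
        if e["clsid"] in paired:
            reasons.append("same CLSID registered as both SSODL and SharedTaskScheduler")
        if reasons:
            findings.append((e["line"], "; ".join(reasons)))
    return findings


def fix_list(log_text):
    """The lines to tick in HijackThis: exactly those triage() flagged."""
    return [line for line, _ in triage(log_text)]


if __name__ == "__main__":
    for line, reason in triage(SAMPLE_LOG):
        print(f"{line}\n    -> {reason}")
```

Run it against the contents of any saved HijackThis log by passing the text to triage(); on the sample it returns the same seven lines the post tells the user to tick, and leaves the AVG Winlogon Notify entry alone because that one has a DLL on disk and is not an AppInit_DLLs value.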

#6
brit

    New Member

  • Members
  • 7 posts
Looks as if things were running fine. I was able to get malware.exe to run (attached log). The AVG virus scan found only tracking cookies (locked away in the vault). Then the AVG resident shield alert popped up with a threat.

C:\System Volume Information\_restore{68DCCD3E-2073-4915-A5DC-A445A55876AD}\RP1109\A2078675.dll

Trojan horse Vundo.II
Detected on open
Process name: C:\Windows\System32\svchost.exe
Process ID: 1992

Malware log:
Malwarebytes' Anti-Malware 1.41
Database version: 3092
Windows 5.1.2600 Service Pack 3

11/3/2009 10:40:39 AM
mbam-log-2009-11-03 (10-40-39).txt

Scan type: Full Scan (C:\|)
Objects scanned: 66698
Time elapsed: 1 hour(s), 40 minute(s), 46 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)

HIJACK log:
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 10:50:24 AM, on 11/3/2009
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16915)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Symantec\SEA\snac.exe
C:\Program Files\Symantec\SEA\smc.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\AVG\AVG9\avgwdsvc.exe
C:\Program Files\NavNT\defwatch.exe
C:\Program Files\Common Files\Authentium\AntiVirus\dvpapi.exe
C:\WINDOWS\system32\HPConfig.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\HPQ\Notebook Utilities\HPWirelessMgr.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\NavNT\rtvscan.exe
C:\Program Files\AVG\AVG9\avgnsx.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\AVG\AVG9\avgemc.exe
C:\Program Files\AVG\AVG9\avgchsvx.exe
C:\Program Files\AVG\AVG9\avgrsx.exe
C:\Program Files\AVG\AVG9\avgcsrvx.exe
C:\Program Files\AVG\AVG9\avgcsrvx.exe
C:\Program Files\Symantec\SEA\SmcGui.exe
C:\WINDOWS\system32\MsgSys.EXE
C:\PROGRA~1\AVG\AVG9\avgtray.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\Smart Web Printing\hpswp_clipbook.exe
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\system32\NOTEPAD.EXE
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.mfire.com
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://srch-us4nb.hpwis.com/
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.verizon.net/central/vzc.portal?...eLabel=customer
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft....k/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft....k/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://srch-us4nb.hpwis.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft....k/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft....k/?LinkId=69157
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = http://srch-us4nb.hpwis.com/
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = mFire
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll
R3 - URLSearchHook: AVG Security Toolbar BHO - {A3BC75A2-1F87-4686-AA43-5347D756017C} - C:\Program Files\AVG\AVG9\Toolbar\IEToolbar.dll
O2 - BHO: &Yahoo! Toolbar Helper - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll
O2 - BHO: HP Print Enhancer - {0347C33E-8762-4905-BF09-768834316C61} - C:\Program Files\Hewlett-Packard\Digital Imaging\Smart Web Printing\hpswp_printenhancer.dll
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Program Files\AVG\AVG9\avgssie.dll
O2 - BHO: AVG Security Toolbar BHO - {A3BC75A2-1F87-4686-AA43-5347D756017C} - C:\Program Files\AVG\AVG9\Toolbar\IEToolbar.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - C:\Program Files\Google\Google Toolbar\GoogleToolbar_32.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\5.3.4501.1418\swg.dll
O2 - BHO: Google Dictionary Compression sdch - {C84D72FE-E17D-4195-BB24-76C02E2E7C4E} - C:\Program Files\Google\Google Toolbar\Component\fastsearch_B7C5AC242193BB3E.dll
O2 - BHO: Java™ Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O2 - BHO: SingleInstance Class - {FDAD4DA1-61A2-4FD8-9C17-86F7AC245081} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\YTSingleInstance.dll
O2 - BHO: HP Smart BHO Class - {FFFFFFFF-CF4E-4F2B-BDC2-0E72E116A856} - C:\Program Files\Hewlett-Packard\Digital Imaging\Smart Web Printing\hpswp_BHO.dll
O3 - Toolbar: Google Toolbar - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - C:\Program Files\Google\Google Toolbar\GoogleToolbar_32.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll
O3 - Toolbar: AVG Security Toolbar - {CCC7A320-B3CA-4199-B1A6-9F516DD69829} - C:\Program Files\AVG\AVG9\Toolbar\IEToolbar.dll
O4 - HKLM\..\Run: [AVG9_TRAY] C:\PROGRA~1\AVG\AVG9\avgtray.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\RunOnce: [Malwarebytes' Anti-Malware] C:\Program Files\Malwarebytes' Anti-Malware\mbamgui.exe /install /silent
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [swg] "C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe"
O4 - HKUS\S-1-5-18\..\Run: [DWQueuedReporting] "C:\PROGRA~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" -t (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [DWQueuedReporting] "C:\PROGRA~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" -t (User 'Default user')
O9 - Extra button: Show or hide HP Smart Web Printing - {DDE87865-83C5-48c4-8357-2F5B1AA84522} - C:\Program Files\Hewlett-Packard\Digital Imaging\Smart Web Printing\hpswp_BHO.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O10 - Unknown file in Winsock LSP: c:\windows\system32\nwprovau.dll
O16 - DPF: vzTCPConfig - http://www2.verizon.net/help/fios_settings...vzTCPConfig.CAB
O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.symantec.com/sscv6/SharedC...bin/AvSniff.cab
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/SharedC...n/bin/cabsa.cab
O16 - DPF: {6F15128C-E66A-490C-B848-5000B5ABEEAC} (HP Download Manager) - https://h20436.www2....re/HPDEXAXO.cab
O16 - DPF: {819F8533-D935-4183-B692-587F8D56AC3C} (iolo.AV.OnlineVirusScanner) - http://www.iolo.com/...x/AVCheckUp.ocx
O16 - DPF: {8BE5651C-D60B-4B59-B5B2-F0EB93733D17} (IOBIVMUtil.VMDecoder) - https://www36.verizo.../IOBIVMUtil.CAB
O16 - DPF: {A90A5822-F108-45AD-8482-9BC8B12DD539} (Crucial cpcScan) - http://www.crucial.c.../cpcScanner.cab
O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files\AVG\AVG9\avgpp.dll
O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: AVG Free E-mail Scanner (avg9emc) - AVG Technologies CZ, s.r.o. - C:\Program Files\AVG\AVG9\avgemc.exe
O23 - Service: AVG Free WatchDog (avg9wd) - AVG Technologies CZ, s.r.o. - C:\Program Files\AVG\AVG9\avgwdsvc.exe
O23 - Service: DefWatch - Symantec Corporation - C:\Program Files\NavNT\defwatch.exe
O23 - Service: DvpApi (dvpapi) - Authentium, Inc. - C:\Program Files\Common Files\Authentium\AntiVirus\dvpapi.exe
O23 - Service: Google Software Updater (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: HP Configuration Interface Service (HPConfig) - Hewlett-Packard - C:\WINDOWS\system32\HPConfig.exe
O23 - Service: HPWirelessMgr - Hewlett-Packard Co. - C:\Program Files\HPQ\Notebook Utilities\HPWirelessMgr.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: Norton AntiVirus Client (Norton AntiVirus Server) - Symantec Corporation - C:\Program Files\NavNT\rtvscan.exe
O23 - Service: Symantec Enforcement Agent 5.1 (SmcService) - Symantec Corporation - C:\Program Files\Symantec\SEA\smc.exe
O23 - Service: Symantec NAC Service (SNAC) - Symantec Corporation - C:\Program Files\Symantec\SEA\snac.exe

--
End of file - 9815 bytes


Really appreciate your help with this. Except for the AVG shield alert, the system seems fine, faster than it used to run.

LDTate, on Nov 2 2009, 09:12 PM, said:

You might want to print these instructions out.

I suggest you do this:

Double-click My Computer.
Click the Tools menu, and then click Folder Options.
Click the View tab.
Uncheck "Hide file extensions for known file types."
Under the "Hidden files" folder, select "Show hidden files and folders."
Uncheck "Hide protected operating system files."
Click Apply, and then click OK.


Please do not delete anything unless instructed to.


1. Launch Notepad (Start>All Programs>Accessories), and copy/paste all the quoted REGEDIT text below into it. Don't forget to include REGEDIT4.
Save in: Desktop
File Name: fixme.reg
Save as Type: All files
Click: Save




2. Save this text as fixme.reg. Make sure the "Save as type:" is "All Files (*.*)" and save it to your desktop. Include the word REGEDIT4

3. Double-click on fixme.reg. When it asks you to merge the information to the registry click Yes.



Run hijackthis. Hit None of the above, Click Do a System Scan Only. Put a checkmark/tick in the box on the left side on these:

O20 - AppInit_DLLs: nevorefa.dll
O21 - SSODL: yasikalut - {a759abb6-6194-429e-a63f-43cbc5ed8bb9} - (no file)
O21 - SSODL: nogiyesuw - {d3b6fa4b-7fe6-4e8c-b2ac-2d50b1752dcb} - (no file)
O21 - SSODL: negiligij - {86d99253-558e-4181-9523-c9ceb802d9fd} - (no file)
O22 - SharedTaskScheduler: tokatiluy - {a759abb6-6194-429e-a63f-43cbc5ed8bb9} - (no file)
O22 - SharedTaskScheduler: jugezatag - {d3b6fa4b-7fe6-4e8c-b2ac-2d50b1752dcb} - (no file)
O22 - SharedTaskScheduler: mujuzedij - {86d99253-558e-4181-9523-c9ceb802d9fd} - (no file)

Close ALL windows and browsers except HijackThis and click "Fix checked"


Reboot and "copy/paste" a new HijackThis log file into this thread.

Also please describe how your computer behaves at the moment.


#7
LDTate

    Forum Deity

  • Moderators
  • 15,503 posts
  • Gender:Male
  • Location:Missouri, USA
Great. Let's keep going.

Download ComboFix from one of these locations:

Link 1
Link 2


* IMPORTANT !!! Save ComboFix.exe to your Desktop


  • Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools. Note: If you are having difficulty properly disabling your protective programs, or are unsure as to what programs need to be disabled, please refer to the information available through this link : Protective Programs


  • Double click on ComboFix.exe & follow the prompts.

    Note: Combofix will run without the Recovery Console installed.


  • As part of its process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.


  • Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.

**Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue its malware removal procedures.


[screenshot not preserved]



Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:

[screenshot not preserved]


Click on Yes, to continue scanning for malware.

When finished, it shall produce a log for you. Please include the C:\ComboFix.txt in your next reply.
"copy/paste" a new HijackThis log file into this thread as well.

Notes:

1. Do not mouse-click Combofix's window while it is running. That may cause it to stall.
2. ComboFix may reset a number of Internet Explorer's settings, including making I-E the default browser.
3. Combofix prevents autorun of ALL CD, floppy and USB devices to assist with malware removal & increase security. If this is an issue or makes it difficult for you -- please tell your helper.
4. CF disconnects your machine from the internet. The connection is automatically restored before CF completes its run. If CF runs into difficulty and terminates prematurely, the connection can be manually restored by restarting your machine.

Give it at least 20-30 minutes to finish if needed.


Also please describe how your computer behaves at the moment.
Larry Tate
Consumer Support Specialist


#8
brit

    New Member

  • Members
  • 7 posts
Went smoothly, so far no threat warnings yet.

Hijack log:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 10:12:41 AM, on 11/4/2009
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16915)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Symantec\SEA\snac.exe
C:\Program Files\Symantec\SEA\smc.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\AVG\AVG9\avgwdsvc.exe
C:\Program Files\NavNT\defwatch.exe
C:\Program Files\Common Files\Authentium\AntiVirus\dvpapi.exe
C:\WINDOWS\system32\HPConfig.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\HPQ\Notebook Utilities\HPWirelessMgr.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\NavNT\rtvscan.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\AVG\AVG9\avgemc.exe
C:\Program Files\AVG\AVG9\avgnsx.exe
C:\PROGRA~1\AVG\AVG9\avgtray.exe
C:\Program Files\AVG\AVG9\avgcsrvx.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\Program Files\AVG\AVG9\avgchsvx.exe
C:\Program Files\AVG\AVG9\avgrsx.exe
C:\Program Files\AVG\AVG9\avgcsrvx.exe
C:\WINDOWS\system32\MsgSys.EXE
C:\Program Files\Symantec\SEA\SmcGui.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\explorer.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\Smart Web Printing\hpswp_clipbook.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://srch-us4nb.hpwis.com/
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.verizon.net/central/vzc.portal?...eLabel=customer
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft....k/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft....k/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://srch-us4nb.hpwis.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft....k/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft....k/?LinkId=69157
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll
R3 - URLSearchHook: AVG Security Toolbar BHO - {A3BC75A2-1F87-4686-AA43-5347D756017C} - C:\Program Files\AVG\AVG9\Toolbar\IEToolbar.dll
O2 - BHO: &Yahoo! Toolbar Helper - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll
O2 - BHO: HP Print Enhancer - {0347C33E-8762-4905-BF09-768834316C61} - C:\Program Files\Hewlett-Packard\Digital Imaging\Smart Web Printing\hpswp_printenhancer.dll
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Program Files\AVG\AVG9\avgssie.dll
O2 - BHO: AVG Security Toolbar BHO - {A3BC75A2-1F87-4686-AA43-5347D756017C} - C:\Program Files\AVG\AVG9\Toolbar\IEToolbar.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - C:\Program Files\Google\Google Toolbar\GoogleToolbar_32.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\5.3.4501.1418\swg.dll
O2 - BHO: Google Dictionary Compression sdch - {C84D72FE-E17D-4195-BB24-76C02E2E7C4E} - C:\Program Files\Google\Google Toolbar\Component\fastsearch_B7C5AC242193BB3E.dll
O2 - BHO: Java™ Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O2 - BHO: SingleInstance Class - {FDAD4DA1-61A2-4FD8-9C17-86F7AC245081} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\YTSingleInstance.dll
O2 - BHO: HP Smart BHO Class - {FFFFFFFF-CF4E-4F2B-BDC2-0E72E116A856} - C:\Program Files\Hewlett-Packard\Digital Imaging\Smart Web Printing\hpswp_BHO.dll
O3 - Toolbar: Google Toolbar - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - C:\Program Files\Google\Google Toolbar\GoogleToolbar_32.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll
O3 - Toolbar: AVG Security Toolbar - {CCC7A320-B3CA-4199-B1A6-9F516DD69829} - C:\Program Files\AVG\AVG9\Toolbar\IEToolbar.dll
O4 - HKLM\..\Run: [AVG9_TRAY] C:\PROGRA~1\AVG\AVG9\avgtray.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKCU\..\Run: [swg] "C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKUS\S-1-5-18\..\Run: [DWQueuedReporting] "C:\PROGRA~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" -t (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [DWQueuedReporting] "C:\PROGRA~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" -t (User 'Default user')
O9 - Extra button: Show or hide HP Smart Web Printing - {DDE87865-83C5-48c4-8357-2F5B1AA84522} - C:\Program Files\Hewlett-Packard\Digital Imaging\Smart Web Printing\hpswp_BHO.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O10 - Unknown file in Winsock LSP: c:\windows\system32\nwprovau.dll
O16 - DPF: vzTCPConfig - http://www2.verizon.net/help/fios_settings...vzTCPConfig.CAB
O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.symantec.com/sscv6/SharedC...bin/AvSniff.cab
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/SharedC...n/bin/cabsa.cab
O16 - DPF: {6F15128C-E66A-490C-B848-5000B5ABEEAC} (HP Download Manager) - https://h20436.www2....re/HPDEXAXO.cab
O16 - DPF: {819F8533-D935-4183-B692-587F8D56AC3C} (iolo.AV.OnlineVirusScanner) - http://www.iolo.com/...x/AVCheckUp.ocx
O16 - DPF: {8BE5651C-D60B-4B59-B5B2-F0EB93733D17} (IOBIVMUtil.VMDecoder) - https://www36.verizo.../IOBIVMUtil.CAB
O16 - DPF: {A90A5822-F108-45AD-8482-9BC8B12DD539} (Crucial cpcScan) - http://www.crucial.c.../cpcScanner.cab
O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files\AVG\AVG9\avgpp.dll
O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: AVG Free E-mail Scanner (avg9emc) - AVG Technologies CZ, s.r.o. - C:\Program Files\AVG\AVG9\avgemc.exe
O23 - Service: AVG Free WatchDog (avg9wd) - AVG Technologies CZ, s.r.o. - C:\Program Files\AVG\AVG9\avgwdsvc.exe
O23 - Service: DefWatch - Symantec Corporation - C:\Program Files\NavNT\defwatch.exe
O23 - Service: DvpApi (dvpapi) - Authentium, Inc. - C:\Program Files\Common Files\Authentium\AntiVirus\dvpapi.exe
O23 - Service: Google Software Updater (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: HP Configuration Interface Service (HPConfig) - Hewlett-Packard - C:\WINDOWS\system32\HPConfig.exe
O23 - Service: HPWirelessMgr - Hewlett-Packard Co. - C:\Program Files\HPQ\Notebook Utilities\HPWirelessMgr.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: Norton AntiVirus Client (Norton AntiVirus Server) - Symantec Corporation - C:\Program Files\NavNT\rtvscan.exe
O23 - Service: Symantec Enforcement Agent 5.1 (SmcService) - Symantec Corporation - C:\Program Files\Symantec\SEA\smc.exe
O23 - Service: Symantec NAC Service (SNAC) - Symantec Corporation - C:\Program Files\Symantec\SEA\snac.exe

--
End of file - 9347 bytes

Combo log:

ComboFix 09-11-03.03 - Owner 11/04/2009 8:35.1.1 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.958.457 [GMT -5:00]
Running from: c:\documents and settings\Owner\Desktop\ComboFix.exe
AV: AVG Anti-Virus Free *On-access scanning disabled* (Updated) {17DDD097-36FF-435F-9E1B-52D74245D6BF}
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\documents and settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr0.dat
c:\documents and settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr1.dat
c:\recycler\S-1-5-21-2477159928-99394301-3556794077-1003
c:\recycler\S-1-5-21-507921405-1563985344-854245398-1003
c:\windows\MailSwitch.ocx
c:\windows\system32\abafojok.ini
c:\windows\system32\denufudu.dll
c:\windows\system32\gokuteho.dll
c:\windows\system32\kedawubo.dll
c:\windows\system32\kenahozi.dll
c:\windows\system32\lewuseze.dll
c:\windows\system32\piyiliwa.dll
c:\windows\system32\umoguzis.ini
c:\windows\system32\unagumov.ini
c:\windows\Tasks\zgvvqsbh.job

----- BITS: Possible infected sites -----

hxxp://82.98.231.99
.
((((((((((((((((((((((((( Files Created from 2009-10-04 to 2009-11-04 )))))))))))))))))))))))))))))))
.

2009-11-01 12:30 . 2009-11-01 12:33 -------- d-----w- c:\windows\system32\config\systemprofile\Application Data\HPAppData
2009-11-01 02:40 . 2009-11-01 02:40 -------- d-----w- c:\program files\Trend Micro
2009-11-01 02:30 . 2009-09-10 19:54 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2009-11-01 02:30 . 2009-09-10 19:53 19160 ----a-w- c:\windows\system32\drivers\mbam.sys
2009-11-01 02:30 . 2009-11-03 13:58 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2009-10-31 20:56 . 2009-10-31 21:09 -------- d-----w- C:\$AVG
2009-10-31 20:56 . 2009-10-31 20:56 12464 ----a-w- c:\windows\system32\avgrsstx.dll
2009-10-31 20:56 . 2009-10-31 20:56 360584 ----a-w- c:\windows\system32\drivers\avgtdix.sys
2009-10-31 20:55 . 2009-10-31 20:55 333192 ----a-w- c:\windows\system32\drivers\avgldx86.sys
2009-10-31 20:55 . 2009-10-31 20:55 28424 ----a-w- c:\windows\system32\drivers\avgmfx86.sys
2009-10-31 20:55 . 2009-11-03 23:31 -------- d-----w- c:\windows\system32\drivers\Avg
2009-10-31 20:55 . 2009-11-01 01:36 -------- d-----w- c:\documents and settings\All Users\Application Data\AVG Security Toolbar
2009-10-31 20:54 . 2009-10-31 20:54 -------- d-----w- c:\program files\AVG
2009-10-31 20:54 . 2009-11-01 12:29 -------- d-----w- c:\documents and settings\All Users\Application Data\avg9
2009-10-31 20:03 . 2009-10-31 20:03 -------- d-----w- c:\documents and settings\Administrator\Application Data\Malwarebytes
2009-10-31 17:07 . 2009-10-31 17:07 -------- d-----w- c:\documents and settings\Administrator\Local Settings\Application Data\Symantec
2009-10-31 17:05 . 2009-10-31 20:31 -------- d-----w- c:\documents and settings\Administrator\Local Settings\Application Data\Microsoft
2009-10-31 17:05 . 2009-10-31 20:56 -------- d-----w- c:\documents and settings\Administrator
2009-10-29 21:00 . 2009-10-29 21:00 -------- d-----w- c:\documents and settings\All Users\Application Data\XoftSpySE
2009-10-29 21:00 . 2009-10-31 19:51 -------- d-----w- c:\program files\XoftSpySE6
2009-10-29 20:59 . 2009-10-31 20:04 -------- d-----w- c:\program files\trash
2009-10-29 20:56 . 2009-10-30 13:02 -------- d-----w- c:\program files\junk
2009-10-28 13:31 . 2009-10-28 13:31 -------- d-----w- c:\documents and settings\All Users\Application Data\WEBREG
2009-10-28 13:28 . 2009-10-28 13:33 -------- d-----w- c:\documents and settings\Owner\Application Data\HP
2009-10-28 13:23 . 2009-04-16 18:08 123904 ----a-w- c:\windows\system32\hpf3l70v.dll
2009-10-20 23:00 . 2009-10-20 23:00 -------- d-----w- c:\program files\MSXML 4.0
2009-10-19 21:06 . 2009-11-04 13:24 -------- d-----w- c:\documents and settings\Owner\Application Data\HPAppData
2009-10-19 17:55 . 2009-10-19 21:08 -------- d-----w- c:\documents and settings\All Users\Application Data\Yahoo! Companion
2009-10-19 17:51 . 2009-10-19 17:51 -------- d-----w- c:\documents and settings\All Users\Application Data\HP Product Assistant
2009-10-19 17:50 . 2009-10-19 17:50 -------- d-----w- c:\program files\Common Files\HP
2009-10-19 17:48 . 2009-10-28 13:28 -------- d-----w- c:\documents and settings\All Users\Application Data\HP
2009-10-19 17:47 . 2009-02-11 11:03 966656 ----a-w- c:\windows\system32\hpost_p02c.dll
2009-10-19 17:47 . 2009-02-11 11:03 712704 ----a-w- c:\windows\system32\hposwia_p02c.dll
2009-10-19 17:47 . 2009-02-11 11:03 315392 ----a-w- c:\windows\system32\hposc_p02a.dll
2009-10-19 17:47 . 2008-10-29 00:27 372736 ----a-w- c:\windows\system32\hppldcoi.dll
2009-10-19 17:47 . 2008-10-29 00:27 309760 ----a-w- c:\windows\system32\difxapi.dll
2009-10-19 17:46 . 2009-04-16 11:53 452408 ----a-w- c:\windows\system32\hpzids01.dll
2009-10-19 17:44 . 2009-10-19 17:51 -------- d-----w- c:\program files\HP
2009-10-19 17:42 . 2009-10-28 13:33 195384 ----a-w- c:\windows\hpoins43.dat
2009-10-19 17:42 . 2009-06-12 00:34 675 ------w- c:\windows\hpomdl43.dat
2009-10-18 21:50 . 2009-10-18 21:50 -------- d-----w- c:\documents and settings\Owner\Application Data\Hewlett-Packard

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-10-31 19:51 . 2009-10-31 19:51 -------- d-----w- c:\documents and settings\Administrator\Application Data\InterTrust
2009-10-31 19:51 . 2009-10-31 19:51 -------- d-----w- c:\program files\Common Files\XoftSpySE
2009-10-31 19:51 . 2009-10-31 19:51 -------- d-----w- c:\program files\Common Files\ParetoLogic
2009-10-31 19:51 . 2009-10-31 19:51 -------- d-----w- c:\documents and settings\All Users\Application Data\ParetoLogic
2009-10-31 19:51 . 2003-08-11 05:51 -------- d-----w- c:\program files\NavNT
2009-10-31 19:49 . 2003-08-11 05:51 -------- d-----w- c:\program files\Symantec
2009-10-19 20:56 . 2004-08-26 23:28 63632 -c--a-w- c:\documents and settings\Owner\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2009-10-19 17:55 . 2008-08-31 12:27 -------- d-----w- c:\documents and settings\Owner\Application Data\Yahoo!
2009-10-19 17:53 . 2002-12-17 22:36 -------- d-----w- c:\program files\Hewlett-Packard
2009-10-18 21:57 . 2002-12-17 22:09 -------- d--h--w- c:\program files\InstallShield Installation Information
2009-10-18 16:34 . 2004-06-30 00:25 -------- d-----w- c:\program files\OpenOffice.org1.1.2
2009-10-02 17:37 . 2006-04-24 18:26 -------- d-----w- c:\program files\Nortel Networks
2009-10-01 14:29 . 2009-10-02 22:01 195440 ------w- c:\windows\system32\MpSigStub.exe
2009-09-11 14:18 . 2002-08-29 02:00 136192 ----a-w- c:\windows\system32\msv1_0.dll
2009-09-04 21:03 . 2002-08-29 02:00 58880 ----a-w- c:\windows\system32\msasn1.dll
2009-08-29 07:36 . 2004-08-24 00:32 832512 ----a-w- c:\windows\system32\wininet.dll
2009-08-29 07:36 . 2004-08-04 07:56 78336 ----a-w- c:\windows\system32\ieencode.dll
2009-08-29 07:36 . 2002-08-29 02:00 17408 ------w- c:\windows\system32\corpol.dll
2009-08-26 08:00 . 2002-08-29 02:00 247326 ----a-w- c:\windows\system32\strmdll.dll
2009-08-06 23:24 . 2004-08-16 20:40 327896 ----a-w- c:\windows\system32\wucltui.dll
2009-08-06 23:24 . 2004-08-16 20:40 209632 ----a-w- c:\windows\system32\wuweb.dll
2009-08-06 23:24 . 2005-05-26 08:16 44768 ----a-w- c:\windows\system32\wups2.dll
2009-08-06 23:24 . 2004-08-16 20:40 35552 ----a-w- c:\windows\system32\wups.dll
2009-08-06 23:24 . 2002-08-29 02:00 53472 ----a-w- c:\windows\system32\wuauclt.exe
2009-08-06 23:24 . 2002-08-29 02:00 96480 ----a-w- c:\windows\system32\cdm.dll
2009-08-06 23:23 . 2004-08-16 20:40 575704 ----a-w- c:\windows\system32\wuapi.dll
2009-08-06 23:23 . 2002-08-29 02:00 1929952 ----a-w- c:\windows\system32\wuaueng.dll
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\URLSearchHooks]
"{A3BC75A2-1F87-4686-AA43-5347D756017C}"= "c:\program files\AVG\AVG9\Toolbar\IEToolbar.dll" [2009-10-16 1119488]

[HKEY_CLASSES_ROOT\clsid\{a3bc75a2-1f87-4686-aa43-5347d756017c}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{A3BC75A2-1F87-4686-AA43-5347D756017C}]
2009-10-16 16:12 1119488 ----a-w- c:\program files\AVG\AVG9\Toolbar\IEToolbar.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
"{CCC7A320-B3CA-4199-B1A6-9F516DD69829}"= "c:\program files\AVG\AVG9\Toolbar\IEToolbar.dll" [2009-10-16 1119488]

[HKEY_CLASSES_ROOT\clsid\{ccc7a320-b3ca-4199-b1a6-9f516dd69829}]

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\Webbrowser]
"{CCC7A320-B3CA-4199-B1A6-9F516DD69829}"= "c:\program files\AVG\AVG9\Toolbar\IEToolbar.dll" [2009-10-16 1119488]

[HKEY_CLASSES_ROOT\clsid\{ccc7a320-b3ca-4199-b1a6-9f516dd69829}]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2007-05-22 68856]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"AVG9_TRAY"="c:\progra~1\AVG\AVG9\avgtray.exe" [2009-10-31 2010904]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2009-01-05 413696]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"DWQueuedReporting"="c:\progra~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" [2007-03-13 39264]

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\session manager]
BootExecute REG_MULTI_SZ autocheck autochk *\0smrgdf c:\program files\iolo\System Mechanic Professional 6\

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WinDefend]
@="Service"

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusOverride"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\WINDOWS\\system32\\spool\\drivers\\w32x86\\3\\CMPDPSRV.EXE"=
"c:\\Program Files\\Nortel Networks\\Extranet.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Google\\GoogleToolbarNotifier\\GoogleToolbarNotifier.exe"=
"c:\\Program Files\\Yahoo!\\browser\\ycommon.exe"=
"c:\\Program Files\\NavNT\\vptray.exe"=
"c:\\Program Files\\Java\\jre6\\bin\\javaw.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\\Program Files\\Hewlett-Packard\\Digital Imaging\\bin\\hpqtra08.exe"=
"c:\\Program Files\\Hewlett-Packard\\Digital Imaging\\bin\\hpqste08.exe"=
"c:\\Program Files\\Hewlett-Packard\\Digital Imaging\\bin\\hposid01.exe"=
"c:\\Program Files\\Hewlett-Packard\\Digital Imaging\\bin\\hpqscnvw.exe"=
"c:\\Program Files\\Hewlett-Packard\\Digital Imaging\\bin\\hpqkygrp.exe"=
"c:\\Program Files\\Hewlett-Packard\\Digital Imaging\\bin\\hpfcCopy.exe"=
"c:\\Program Files\\Hewlett-Packard\\Digital Imaging\\bin\\hpoews01.exe"=
"c:\\Program Files\\Hewlett-Packard\\Digital Imaging\\bin\\hpiscnapp.exe"=
"c:\\Program Files\\Common Files\\HP\\Digital Imaging\\Bin\\hpqPhotoCrm.exe"=
"c:\\Program Files\\Hewlett-Packard\\Digital Imaging\\bin\\hpqgplgtupl.exe"=
"c:\\Program Files\\Hewlett-Packard\\Digital Imaging\\bin\\hpqgpc01.exe"=
"c:\\Program Files\\Hewlett-Packard\\Digital Imaging\\bin\\hpqusgm.exe"=
"c:\\Program Files\\Hewlett-Packard\\Digital Imaging\\bin\\hpqusgh.exe"=
"c:\\Program Files\\Hewlett-Packard\\HP Software Update\\HPWUCli.exe"=
"c:\\Program Files\\Hewlett-Packard\\Digital Imaging\\smart web printing\\SmartWebPrintExe.exe"=
"c:\\Program Files\\Windows Defender\\MsMpEng.exe"=
"c:\\Program Files\\AVG\\AVG9\\avgemc.exe"=
"c:\\Program Files\\AVG\\AVG9\\avgupd.exe"=
"c:\\Program Files\\AVG\\AVG9\\avgnsx.exe"=

R1 AvgLdx86;AVG Free AVI Loader Driver x86;c:\windows\system32\drivers\avgldx86.sys [10/31/2009 3:55 PM 333192]
R1 AvgTdiX;AVG Free Network Redirector;c:\windows\system32\drivers\avgtdix.sys [10/31/2009 3:56 PM 360584]
R2 avg9emc;AVG Free E-mail Scanner;c:\program files\AVG\AVG9\avgemc.exe [10/31/2009 3:54 PM 906520]
R2 avg9wd;AVG Free WatchDog;c:\program files\AVG\AVG9\avgwdsvc.exe [10/31/2009 3:54 PM 285392]
R3 actccid;ActivCard USB Reader V2;c:\windows\system32\drivers\actccid.sys [8/2/2002 2:41 PM 47660]
R3 CALIAUD;Conexant AMC 3D ENVIRONMENTAL AUDIO;c:\windows\system32\drivers\caliaud.sys [2/17/2004 4:58 PM 291328]
R3 CALIHALA;CALIHALA;c:\windows\system32\drivers\calihal.sys [2/17/2004 4:59 PM 244608]
R3 Eacfilt;Eacfilt Miniport;c:\windows\system32\drivers\eacfilt.sys [4/24/2006 1:26 PM 9049]
R3 LEX_NIC_SERVICE;IEEE 802.11 Wireless NIC Win2000 Driver;c:\windows\system32\drivers\Express.sys [10/16/2002 8:00 PM 57344]
S0 eijxnq;eijxnq;c:\windows\system32\drivers\dvsm.sys --> c:\windows\system32\drivers\dvsm.sys [?]
S0 qcskmkt;qcskmkt;c:\windows\system32\drivers\jldntns.sys --> c:\windows\system32\drivers\jldntns.sys [?]
S2 IPSECEXT;Nortel Extranet Access Protocol;c:\windows\system32\drivers\ipsecw2k.sys [4/24/2006 1:26 PM 115008]
S2 WinDefend;Windows Defender;c:\program files\Windows Defender\MsMpEng.exe [11/3/2006 7:19 PM 13592]
S3 DP83815;National Semiconductor Corp. DP83815/816 NDIS 5.0 Miniport Driver;c:\windows\system32\drivers\DP83815.sys [8/28/2002 7:00 PM 16512]

--- Other Services/Drivers In Memory ---

*NewlyCreated* - MBR
*Deregistered* - mbr

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
HPZ12 REG_MULTI_SZ Pml Driver HPZ12 Net Driver HPZ12
HPService REG_MULTI_SZ HPSLPSVC
hpdevmgmt REG_MULTI_SZ hpqcxs08 hpqddsvc
.
Contents of the 'Scheduled Tasks' folder

2009-10-02 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 16:34]

2009-11-04 c:\windows\Tasks\Disk Cleanup.job
- c:\windows\system32\cleanmgr.exe [2002-08-29 00:12]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.verizon.net/central/vzc.portal?_nfpb=true&_pageLabel=customer
uDefault_Search_URL = hxxp://srch-us4nb.hpwis.com/
uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8
mSearch Bar = hxxp://srch-us4nb.hpwis.com/
mWindow Title = mFire
uInternet Settings,ProxyOverride = 127.0.0.1
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
DPF: DirectAnimation Java Classes
DPF: Microsoft XML Parser for Java
DPF: vzTCPConfig - hxxp://www2.verizon.net/help/fios_settings/include/vzTCPConfig.CAB
DPF: {8BE5651C-D60B-4B59-B5B2-F0EB93733D17} - hxxps://www36.verizon.com/voip/downloads/IOBIVMUtil.CAB
.
.
------- File Associations -------
.
JSEFile=NOTEPAD.EXE %1
.
- - - - ORPHANS REMOVED - - - -

AddRemove-SimAntv1.0 - c:\maxis\SimAnt\DeIsL1.isu
AddRemove-SimParkv1.0 - c:\maxis\SimPark\DeIsL1.isu



**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-11-04 08:54
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...


**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(1156)
c:\program files\Symantec\SEA\SnacNp.dll
c:\windows\System32\NavLogon.dll

- - - - - - - > 'explorer.exe'(3076)
c:\windows\system32\WININET.dll
c:\windows\system32\IEFRAME.dll
c:\windows\system32\WPDShServiceObj.dll
c:\program files\Symantec\SEA\SnacNp.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
------------------------ Other Running Processes ------------------------
.
c:\windows\system32\Ati2evxx.exe
c:\program files\Symantec\SEA\snac.exe
c:\program files\Symantec\SEA\smc.exe
c:\windows\System32\SCardSvr.exe
c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
c:\program files\NavNT\defwatch.exe
c:\program files\Common Files\Authentium\AntiVirus\dvpapi.exe
c:\windows\system32\HPConfig.exe
c:\program files\HPQ\Notebook Utilities\HPWirelessMgr.exe
c:\program files\Java\jre6\bin\jqs.exe
c:\program files\NavNT\rtvscan.exe
c:\program files\AVG\AVG9\avgnsx.exe
c:\program files\AVG\AVG9\avgcsrvx.exe
c:\program files\AVG\AVG9\avgchsvx.exe
c:\program files\AVG\AVG9\avgrsx.exe
c:\program files\AVG\AVG9\avgcsrvx.exe
c:\windows\system32\MsgSys.EXE
c:\program files\Symantec\SEA\SmcGui.exe
.
**************************************************************************
.
Completion time: 2009-11-04 9:08 - machine was rebooted
ComboFix-quarantined-files.txt 2009-11-04 14:07

Pre-Run: 17,868,881,920 bytes free
Post-Run: 18,005,569,536 bytes free

WindowsXP-KB310994-SP2-Home-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Home Edition" /fastdetect /NoExecute=OptIn

Thanks again.








LDTate, on Nov 4 2009, 07:28 AM, said:

Great. Lets keep going. [...]


#9
LDTate

    Forum Deity

  • Moderators
  • PipPipPipPipPipPip
  • 15,503 posts
  • Gender:Male
  • Location:Missouri, USA
There are a couple drivers I can't find much information on. We need to check them out.

Please go to http://virusscan.jotti.org, click on Browse, and upload the following file for analysis:

c:\windows\system32\drivers\dvsm.sys


Then click Submit. Allow the file to be scanned, and then please copy and paste the results here for me to see.


Do the same for:

c:\windows\system32\drivers\jldntns.sys


If virscan.org is too busy you can try these.

http://virscan.org/

http://www.kaspersky...anforvirus.html


http://www.virustota.../en/indexf.html
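The two drivers LDTate singles out above can be picked out of the ComboFix listing mechanically, which is useful when a helper has to read many such logs. The following Python is an added example by the editor, not code from this thread, from ComboFix or from Malwarebytes. It parses the `R1/S0 ...` services/drivers lines (the sample lines are copied from the ComboFix log posted in this thread), reads `[?]` as ComboFix having found no date or size for the image file (an assumption about the log format, noted in the code), and flags for manual lookup any entry with that marker or with a bare, undescribed boot/system-start name.

```python
import re
from dataclasses import dataclass, field
from typing import List

# Lines copied from the ComboFix services/drivers listing earlier in this thread.
# Everything else in this block is an added illustration, not ComboFix code.
SAMPLE_LOG = r"""
R1 AvgLdx86;AVG Free AVI Loader Driver x86;c:\windows\system32\drivers\avgldx86.sys [10/31/2009 3:55 PM 333192]
R3 Eacfilt;Eacfilt Miniport;c:\windows\system32\drivers\eacfilt.sys [4/24/2006 1:26 PM 9049]
S0 eijxnq;eijxnq;c:\windows\system32\drivers\dvsm.sys --> c:\windows\system32\drivers\dvsm.sys [?]
S0 qcskmkt;qcskmkt;c:\windows\system32\drivers\jldntns.sys --> c:\windows\system32\drivers\jldntns.sys [?]
S2 WinDefend;Windows Defender;c:\program files\Windows Defender\MsMpEng.exe [11/3/2006 7:19 PM 13592]
"""

# Line shape: <R|S><start type> <service name>;<display name>;<image path> [<details>]
# R = running, S = stopped; start type 0 = boot, 1 = system, 2 = auto, 3 = demand.
LINE_RE = re.compile(
    r"^(?P<state>[RS])(?P<start>\d)\s+"
    r"(?P<name>[^;]+);(?P<display>[^;]*);"
    r"(?P<path>.+?)\s+\[(?P<details>[^\]]*)\]\s*$"
)


@dataclass
class Entry:
    state: str
    start: int
    name: str
    display: str
    path: str
    details: str   # "date time size", or "?" when ComboFix recorded nothing

    def image(self) -> str:
        """Path after the last '-->' (ComboFix's arrow form), else the path itself."""
        return self.path.split("-->")[-1].strip()


@dataclass
class Finding:
    name: str
    image: str
    reasons: List[str] = field(default_factory=list)


def parse(log: str) -> List[Entry]:
    """Return one Entry per well-formed services/drivers line; other lines are skipped."""
    entries = []
    for raw in log.splitlines():
        m = LINE_RE.match(raw.strip())
        if m:
            entries.append(Entry(m["state"], int(m["start"]), m["name"],
                                 m["display"], m["path"], m["details"].strip()))
    return entries


def triage(entries: List[Entry]) -> List[Finding]:
    """Flag entries worth a second look, using the cues a helper reads off the log by eye.

    Assumed reading of ComboFix's output: '[?]' means no date/size could be read
    for the image, i.e. the file was missing or unreadable when the log was made.
    """
    findings = []
    for e in entries:
        reasons = []
        if e.details == "?":
            reasons.append("no file details recorded (image missing or unreadable)")
        if e.display == e.name:
            reasons.append("display name is just the service name (no vendor description)")
        if e.start == 0:
            reasons.append("boot-start driver (loads before security software)")
        # A missing image, or an undescribed boot/system-start driver, is enough to report.
        if e.details == "?" or (e.display == e.name and e.start <= 1):
            findings.append(Finding(e.name, e.image(), reasons))
    return findings


if __name__ == "__main__":
    for f in triage(parse(SAMPLE_LOG)):
        print(f"{f.name}: {f.image}")
        for r in f.reasons:
            print(f"   - {r}")
```

Run against the sample, only `eijxnq` and `qcskmkt` are reported, each with all three reasons; the AVG, Eacfilt and Windows Defender entries have a vendor description and a recorded date and size, so they pass. The heuristics are deliberately simple: they reproduce what a helper notices by eye and are meant to shortlist entries for a multi-engine scan, not to pronounce a verdict.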

#10
brit

    New Member

  • Members
  • Pip
  • 7 posts
Both of those files came back as being empty. I haven't rec'd any threat alerts (1st time in over a week); however, it takes a long time for a browser page to initially open to my Verizon homepage. Once opened, new pages load quickly. Not sure what that means, could be the server for Verizon is busy?




LDTate, on Nov 4 2009, 12:01 PM, said:

There are a couple drivers I can't find much information on. We need to check them out. [...]


#11
LDTate

    Forum Deity

  • Moderators
  • PipPipPipPipPipPip
  • 15,503 posts
  • Gender:Male
  • Location:Missouri, USA
Copy/paste the text in the Codebox below into notepad:

Here's how to do that:
Click Start > Run type Notepad click OK.
This will open an empty notepad file:

Take your mouse, and place your cursor at the beginning of the text in the box below, then click and hold the left mouse button, while pulling your mouse over the text. This should highlight the text. Now release the left mouse button. Now, with the cursor over the highlighted text, right click the mouse for options, and select 'copy'. Now over the empty Notepad box, right click your mouse again, and select 'paste' and you will have copied and pasted the text.

File::
c:\windows\system32\drivers\dvsm.sys 
c:\windows\system32\drivers\jldntns.sys

Driver::
eijxnq
qcskmkt

Save this file to your desktop, Save this as "CFScript"

Here's how to do that:
1. Click File;
2. Click Save As... Change the directory to your desktop;
3. Change the Save as type to "All Files";
4. Type in the file name: CFScript
5. Click Save ...



Drag CFScript.txt into ComboFix.exe

Then post the results log and a new HijackThis log.


Also please describe how your computer behaves at the moment.

#12
brit

    New Member

  • Members
  • Pip
  • 7 posts
Like to do that, but..............Now when my computer boots it states there is no operating system! I tried pressing f8 for safe mode, nothing, tried pressing escape to boot from hard drive, nothing. I'm not sure if this was a result of the virus, or the hard drive gave up the ghost. The computer is almost 6 yrs old.

Any suggestions?


LDTate, on Nov 5 2009, 04:34 PM, said:

Copy/paste the text in the Codebox below into notepad: [...]


#13
LDTate

    Forum Deity

  • Moderators
  • PipPipPipPipPipPip
  • 15,503 posts
  • Gender:Male
  • Location:Missouri, USA
http://www.michaelst...pairinstall.htm




