10 replies to this topic

[adoman28]

Hi. I managed to get infected with AntiVirus 2008, and have been able to remove most of it on my own. However, there are 3 items of malware which reappear every time I remove them. I did some research and it sounds as though it's a common problem. The 3 malware items are...

Trojan.Metajuan
Malware.Trace
Trojan.Agent

However, just recently MalwareBytes stopped finding Trojan.Metajuan and Malware.Trace. I didn't do anything to remove them, they just seem to have disappeared. They were replaced by Trojan.Agent which I hadn't been infected with before.

Here are my logs.



Malwarebytes' Anti-Malware 1.30
Database version: 1416
Windows 5.1.2600 Service Pack 2

11/22/2008 7:55:37 PM
mbam-log-2008-11-22 (19-55-37).txt

Scan type: Quick Scan
Objects scanned: 49274
Time elapsed: 1 minute(s), 14 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 1
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\wuliwotoga (Trojan.Agent) -> Quarantined and deleted successfully.

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)




;*******************************************************************************
********************************************************************************
*
*******************
ANALYSIS: 2008-11-23 00:46:53
PROTECTIONS: 0
MALWARE: 7
SUSPECTS: 0
;*******************************************************************************
********************************************************************************
*
*******************
PROTECTIONS
Description Version Active Updated
;===============================================================================
================================================================================
=
===================
;===============================================================================
================================================================================
=
===================
MALWARE
Id Description Type Active Severity Disinfectable Disinfected Location
;===============================================================================
================================================================================
=
===================
00139061 Cookie/Doubleclick TrackingCookie No 0 Yes No C:\Documents and Settings\Alex Doman\Cookies\alex doman@doubleclick[1].txt
00147824 Cookie/Clickbank TrackingCookie No 0 Yes No C:\Documents and Settings\Alex Doman\Application Data\Mozilla\Firefox\Profiles\4nyyb2vu.default\cookies.txt[.clickbank.net/]
00168061 Cookie/Apmebf TrackingCookie No 0 Yes No C:\Documents and Settings\Alex Doman\Application Data\Mozilla\Firefox\Profiles\4nyyb2vu.default\cookies.txt[.apmebf.com/]
00169190 Cookie/Advertising TrackingCookie No 0 Yes No C:\Documents and Settings\Alex Doman\Application Data\Mozilla\Firefox\Profiles\4nyyb2vu.default\cookies.txt[.advertising.com/]
00169190 Cookie/Advertising TrackingCookie No 0 Yes No C:\Documents and Settings\Alex Doman\Cookies\alex doman@advertising[1].txt
00169190 Cookie/Advertising TrackingCookie No 0 Yes No C:\Documents and Settings\Alex Doman\Application Data\Mozilla\Firefox\Profiles\4nyyb2vu.default\cookies.txt[.advertising.com/]
00169190 Cookie/Advertising TrackingCookie No 0 Yes No C:\Documents and Settings\Alex Doman\Application Data\Mozilla\Firefox\Profiles\4nyyb2vu.default\cookies.txt[.advertising.com/]
00207338 Cookie/Target TrackingCookie No 0 Yes No C:\Documents and Settings\Alex Doman\Cookies\alex doman@target[1].txt
00262020 Cookie/Atwola TrackingCookie No 0 Yes No C:\Documents and Settings\Alex Doman\Cookies\alex doman@atwola[1].txt
01048936 Generic Malware Virus/Trojan No 0 Yes No C:\Program Files\GameSpy Arcade\Services\_common\PortraitLoader.dll
;===============================================================================
================================================================================
=
===================
SUSPECTS
Sent Location 
;===============================================================================
================================================================================
=
===================
;===============================================================================
================================================================================
=
===================
VULNERABILITIES
Id Severity Description 
;===============================================================================
================================================================================
=
===================
;===============================================================================
================================================================================
=
===================





Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 1:28:32 AM, on 11/23/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\WIDCOMM\Bluetooth Software\bin\btwdins.exe
C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Adobe\Photoshop Elements 6.0\PhotoshopElementsFileAgent.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
C:\Program Files\Sony\Wireless Switch Setting Utility\Switcher.exe
C:\Program Files\Common Files\LightScribe\LSSrvc.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\PnkBstrA.exe
C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\Program Files\Adobe\Photoshop Elements 6.0\apdproxy.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Apoint\Apoint.exe
C:\Program Files\AIM\aim.exe
C:\Program Files\Apoint\Apntex.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\America's Army Deploy Client\AADeployClient.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Mozilla Thunderbird\thunderbird.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
O2 - BHO: (no name) - {0658162D-5D22-4D14-AC7A-7C9117F7E7E3} - (no file)
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O2 - BHO: (no name) - {85E42802-0731-4B3A-8463-1CEF26739D35} - (no file)
O2 - BHO: (no name) - {92978f32-d9df-4444-97ad-3c52473d0faa} - (no file)
O2 - BHO: (no name) - {9B61D337-2B6B-49FE-BD23-2F812029B8E4} - (no file)
O2 - BHO: (no name) - {A152B8B9-EE56-413D-A0A4-DBE5B8CB2DA6} - (no file)
O2 - BHO: (no name) - {B164E929-A1B6-4A06-B104-2CD0E90A88FF} - (no file)
O2 - BHO: (no name) - {d2a7209a-f098-4054-bd47-e67f5a15afae} - C:\WINDOWS\system32\pamukuhu.dll (file missing)
O2 - BHO: (no name) - {d34be5ba-393e-4d99-860e-726f16ee669c} - (no file)
O3 - Toolbar: (no name) - {5DEF05FD-97CC-4EAE-A4E9-000062CB0C25} - (no file)
O4 - HKLM\..\Run: [Switcher.exe] "C:\Program Files\Sony\Wireless Switch Setting Utility\Switcher.exe"
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe"
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [Adobe Photo Downloader] "C:\Program Files\Adobe\Photoshop Elements 6.0\apdproxy.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [Apoint] C:\Program Files\Apoint\Apoint.exe
O4 - HKLM\..\Run: [wuliwotoga] Rundll32.exe "C:\WINDOWS\system32\humerago.dll",s
O4 - HKCU\..\Run: [AIM] C:\Program Files\AIM\aim.exe -cnetwait.odl
O4 - HKCU\..\Run: [McAfee Update] C:\DOCUME~1\ALEXDO~1\LOCALS~1\Temp\mcupdate_1221902523.exe /insfin C:\DOCUME~1\ALEXDO~1\LOCALS~1\Temp\mcupdate_1221902523.ini
O4 - HKUS\S-1-5-19\..\Run: [wuliwotoga] Rundll32.exe "C:\WINDOWS\system32\humerago.dll",s (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [wuliwotoga] Rundll32.exe "C:\WINDOWS\system32\humerago.dll",s (User 'NETWORK SERVICE')
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O8 - Extra context menu item: Send to &Bluetooth Device... - C:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie_ctx.htm
O8 - Extra context menu item: Send To Bluetooth - C:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: @btrez.dll,-4015 - {CCA281CA-C863-46ef-9331-5C8D4460577F} - C:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie.htm
O9 - Extra 'Tools' menuitem: @btrez.dll,-12650 - {CCA281CA-C863-46ef-9331-5C8D4460577F} - C:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie.htm
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\WINDOWS\system32\shdocvw.dll
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\WINDOWS\system32\shdocvw.dll
O20 - AppInit_DLLs: imqrcf.dll bagipo.dll C:\WINDOWS\system32\nobiwuna.dll
O20 - Winlogon Notify: hgGyyxyY - C:\WINDOWS\
O23 - Service: McAfee Application Installer Cleanup (0272921221902489) (0272921221902489mcinstcleanup) - Unknown owner - C:\DOCUME~1\ALEXDO~1\LOCALS~1\Temp\027292~1.EXE (file missing)
O23 - Service: Adobe Active File Monitor V6 (AdobeActiveFileMonitor6.0) - Unknown owner - C:\Program Files\Adobe\Photoshop Elements 6.0\PhotoshopElementsFileAgent.exe
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Automatic LiveUpdate Scheduler - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\AluSchedulerSvc.exe
O23 - Service: Bluetooth Service (btwdins) - Broadcom Corporation. - C:\Program Files\WIDCOMM\Bluetooth Software\bin\btwdins.exe
O23 - Service: Intel® PROSet/Wireless Event Log (EvtEng) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - C:\Program Files\Common Files\LightScribe\LSSrvc.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\LuComServer_3_4.EXE
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: PnkBstrA - Unknown owner - C:\WINDOWS\system32\PnkBstrA.exe
O23 - Service: Intel® PROSet/Wireless Registry Service (RegSrvc) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
O23 - Service: Intel® PROSet/Wireless Service (S24EventMonitor) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
O24 - Desktop Component 0: Privacy Protection - (no file)

--
End of file - 7327 bytes




Any help is appreciated.

Thanks!!

[Maurice Naggar]

Hello adoman28 .

You will want to print out or copy these instructions to Notepad for Safe Mode/offline reference!
These steps are for member adoman28 only. If you are a lurker, do NOT try this on your system!
If you are not adoman28 and have a similar problem, do NOT post here; start your own topic

Do not run or start any other programs while these utilities and tools are in use!
Do NOT run any other tools on your own or do any fixes other than what is listed here.
If you have questions, please ask before you do something on your own.
But it is important that you get going on these following steps.
=
I do not see an antivirus program running on your system. Do you have one? If yes, make sure it is active. If not, get an antivirus program installed as your first priority.
If cost is an issue, you may get Avira AntiVir free edition (for personal non-commercial use)
http://www.free-av.com

=
Start HijackThis. Look for these lines and place a checkmark against each of the following, if still present

Quote

O2 - BHO: (no name) - {d2a7209a-f098-4054-bd47-e67f5a15afae} - C:\WINDOWS\system32\pamukuhu.dll (file missing)

O4 - HKLM\..\Run: [wuliwotoga] Rundll32.exe "C:\WINDOWS\system32\humerago.dll",s

O4 - HKUS\S-1-5-19\..\Run: [wuliwotoga] Rundll32.exe "C:\WINDOWS\system32\humerago.dll",s (User 'LOCAL SERVICE')

O4 - HKUS\S-1-5-20\..\Run: [wuliwotoga] Rundll32.exe "C:\WINDOWS\system32\humerago.dll",s (User 'NETWORK SERVICE')

O20 - Winlogon Notify: hgGyyxyY - C:\WINDOWS\

O24 - Desktop Component 0: Privacy Protection - (no file)

Click on Fix Checked when finished and exit HijackThis.
Make sure your Internet Explorer (& or any other window) is closed when you click Fix Checked!

=
Next, we're going to use OTMoveIt3 to remove files.
Please download the OTMoveIt3 by OldTimer.

• Save it to your desktop.
  
• Please double-click OTMoveIt3.exe to run it. (Note: If you are running on Vista, right-click on the file and choose Run As Administrator).
  
• Copy the lines in the codebox below to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose Copy):
  
  

  :files
  C:\WINDOWS\system32\humerago.dll
  C:\WINDOWS\system32\pamukuhu.dll 
  
  :services
  wuliwotoga
  
  :commands
  [EmptyTemp]
  [start explorer]

  
  
• Return to OTMoveIt3, right click in the "Paste List of Files/Folders to Move" window (under the yellow bar) and choose Paste.
  
  
• Click the red Moveit! button.
  
• Copy everything in the Results window (under the green bar) to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose copy), and paste it in your next reply.
  
• Close OTMoveIt3

Note: If a file or folder cannot be moved immediately you may be asked to reboot the machine to finish the move process. If you are asked to reboot the machine choose Yes.
In this case, after the reboot, open Notepad (Start->All Programs->Accessories->Notepad), click File->Open, in the File Name box enter *.log and press the Enter key, navigate to the C:\_OTMoveIt\MovedFiles folder, and open the newest .log file present, and copy/paste the contents of that document back here in your next post.

=
Important! :arrow: Open Notepad > Click on Format > Uncheck Word wrap, if checked. Exit Notepad.
=
Next, Close all applications and windows.
If you have an older copy of SDFix, delete it now.
Download SDFix and save it to your Desktop.

Double click SDFix.exe and it will extract the files to %systemdrive%
(Drive that contains the Windows Directory, typically C:\SDFix)

Please then reboot your computer in Safe Mode by doing the following :

• Restart your computer
  
• After hearing your computer beep once during startup, but before the Windows icon appears, tap the F8 key continually;
  
• Instead of Windows loading as normal, the Advanced Options Menu should appear;
  
• Select the first option, to run Windows in Safe Mode, then press Enter.
  
• Choose your usual user account.

• Open the extracted SDFix folder and double click RunThis.bat to start the script.
  
• Type Y to begin the cleanup process.
  
• It will remove any Trojan Services and Registry Entries that it finds then prompt you to press any key to Reboot.
  
• Press any Key and it will restart the PC.
  
• When the PC restarts the Fixtool will run again and complete the removal process then display Finished, press any key to end the script and load your desktop icons.
  
• Once the desktop icons load the SDFix report will open on screen and also save into the SDFix folder as Report.txt
  (Report.txt will also be copied to Clipboard ready for posting back on the forum).
  
• Finally paste the contents of the Report.txt back in a Reply here.

=
Next: If you have a prior copy of SmitFraudFix, delete it now :!:
Please download SmitfraudFix (by S!Ri)

Don't download SmitfraudFix until you're ready to run/use it. It's very important that you be using the most recent version (v2.378 as of this post).

Extract the contents of the zip file (a folder named SmitfraudFix) to your Desktop.

Please then reboot your computer in Safe Mode by doing the following :

• Restart your computer
  
• After hearing your computer beep once during startup, but before the Windows icon appears, tap the F8 key continually;
  
• Instead of Windows loading as normal, the Advanced Options Menu should appear;
  
• Select the first option, to run Windows in Safe Mode, then press Enter.
  
• Choose your usual user account.

1. Once in Safe Mode, open the SmitfraudFix folder and double-click smitfraudfix.cmd

2. Select option #2 - Clean by typing 2 and pressing Enter to delete infected files.

3. You will be prompted: "Registry cleaning - Do you want to clean the registry ?" Answer "Yes" by typing Y and pressing Enter in order to remove the desktop background and clean registry keys associated with the infection.

4. The tool will then check if wininet.dll is infected. If prompted to replace the infected file (if found), answer "Yes" by typing Y and pressing Enter.

5. The tool may need to restart your computer to finish the cleaning process; if it doesn't, please restart it into Normal Windows.

6. A text file will appear onscreen with results from the cleaning process. Please copy/paste the content of that report into your next reply along with the Report.txt from above.

The report also may be found at the root of the system drive, usually at C:\rapport.txt

Notes:

• process.exe is detected by some antivirus programs (AntiVir, Dr.Web, Kaspersky) as a "RiskTool"; it is not a virus, but a program used to stop system processes. Antivirus programs cannot distinguish between "good" and "malicious" use of such programs, therefore they may alert the user. More on this at http://www.beyondlogic.org/consulting/proc...processutil.htm
  
  
• Running option #2 on a non-infected computer will remove your Desktop background. No need to worry, you're infected :twisted:

=
If you have a prior copy of Combofix, delete it now :!:

Download ComboFix from one of these locations:

Link 1
Link 2
Link 3

* IMPORTANT !!! Save ComboFix.exe to your Desktop

• Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools
  
  
  
• Double click on ComboFix.exe & follow the prompts.
  
  
  
• As part of it's process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.
  
  
  
• Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.

**Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue it's malware removal procedures.





Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:




Click on Yes, to continue scanning for malware.

When finished, it shall produce a log for you. Please include the C:\ComboFix.txt in your next reply.
-------------------------------------------------------

A caution - Do not run Combofix more than once.
Do not touch your mouse/keyboard until the scan has completed, as this may cause the process to stall or your computer to lock.
The scan will temporarily disable your desktop, and if interrupted may leave your desktop disabled.
If this occurs, please reboot to restore the desktop.
Even when ComboFix appears to be doing nothing, look at your Drive light.
If it is flashing, Combofix is still at work.

=
Reply back with copy of

• the Report.txt from above,
  
• the MBAM report,
  
• C:\rapport.txt from SmitFraudFix run,
  
• C:\Combofix.txt
  
• and a new Hijackthis log {after running a new HJT Scan And Save}
  
• and, Tell me, How is your system now :?:

Be sure to do a Preview prior to pressing Submit because all reports may not fit into 1 single reply. You'll likely have to do more than 1 reply.

[adoman28]

Thanks for your reply Maurice Naggar. Sorry it's taken me a few days to reply, I was out of town.

Anyway, I downloaded and installed the free antivirus program you linked to, I was able to use HJT to fix the items you suggested, and I successfully ran OTMoveIt3, all without difficulty. The OTMoveIt3 log follows.


========== FILES ==========
File/Folder C:\WINDOWS\system32\humerago.dll not found.
File/Folder C:\WINDOWS\system32\pamukuhu.dll not found.
========== SERVICES/DRIVERS ==========
Unable to stop service wuliwotoga .
========== COMMANDS ==========
User's Temp folder emptied.
User's Temporary Internet Files folder emptied.
User's Internet Explorer cache folder emptied.
Local Service Temp folder emptied.
File delete failed. C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\index.dat scheduled to be deleted on reboot.
Local Service Temporary Internet Files folder emptied.
Windows Temp folder emptied.
Java cache emptied.
FireFox cache emptied.
Temp folders emptied.
Explorer started successfully

OTMoveIt3 by OldTimer - Version 1.0.7.1 log created on 11302008_152701

Files moved on Reboot...
File move failed. C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\index.dat scheduled to be moved on reboot.




However, that's as far as I got before I ran into problems. I downloaded SDFix.exe, extracted it, and restarted in safe mode. When I run it, it says...


Starting Repairs
Checking Running Processes and Services


After that, the program stalls. My HD light stops blinking, and progress stops.

I decided not to go through any of the other steps you suggested until I okay it with you.


Again, thanks for the help!!

[Maurice Naggar]

Have plenty ( a lot) of patience with the tools I have you use, most especially with SDFix, SmitfraudFix and Combofix.
Even if you do not see any hard drive light activity, the utilities are running.
I would have given at least 30 minutes before thinking SDFix "might" have been stuck.

Please try again running SDFIX in Safe mode (as per prior directions) ---with patience.
If and only if it may get stuck, proceed with the next steps to SmitFraudfix & the next for Combofix.
It is important to keep going forward.

[adoman28]

Alright. I completed all the steps that you suggested and everything appears to be gone. ComboFix did the trick. SDFix was getting stuck. I let it run for a good 4 hours and nothing happened. It was the same situation with SmitfraudFix, which I let run overnight, and again, nothing happened.

I already posted the the log for OTMoveIt3 above. Here's a new MBAM log.



Malwarebytes' Anti-Malware 1.30
Database version: 1416
Windows 5.1.2600 Service Pack 2

12/3/2008 1:04:08 AM
mbam-log-2008-12-03 (01-04-08).txt

Scan type: Quick Scan
Objects scanned: 46508
Time elapsed: 33 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)


Here's the ComboFix log.



ComboFix 08-12-01.03 - Alex Doman 2008-12-03 0:44:54.1 - NTFSx86
Running from: c:\documents and settings\Alex Doman\Desktop\ComboFix.exe
* Created a new restore point
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\program files\INSTALL.LOG
c:\windows\IE4 Error Log.txt
c:\windows\system32\daharubo.dll
c:\windows\system32\drfpsowc.ini
c:\windows\system32\elopaban.ini
c:\windows\system32\gebojele.dll
c:\windows\system32\hmdspebv.ini
c:\windows\system32\javinete.dll
c:\windows\system32\jowofebi.dll
c:\windows\system32\kadageko.dll
c:\windows\system32\nabapole.dll
c:\windows\system32\odamobis.ini
c:\windows\system32\okegadak.ini
c:\windows\system32\patowvfx.ini
c:\windows\system32\pusupuro.dll
c:\windows\system32\result.txt
c:\windows\system32\rprklkyk.ini
c:\windows\system32\sndpqnod.ini
c:\windows\system32\tokivafa.dll
c:\windows\system32\tolataga.dll
c:\windows\system32\tomuzipu.dll
c:\windows\system32\tudopupa.dll
c:\windows\system32\vigalefe.dll
c:\windows\system32\widinole.dll
c:\windows\system32\wurubawu.dll
c:\windows\system32\yipiwopa.dll
c:\windows\system32\yosimanu.dll

.
((((((((((((((((((((((((( Files Created from 2008-11-03 to 2008-12-03 )))))))))))))))))))))))))))))))
.

2008-12-02 02:34 . 2007-09-05 23:22 289,144 --a--c--- c:\windows\system32\VCCLSID.exe
2008-12-02 02:34 . 2006-04-27 16:49 288,417 --a--c--- c:\windows\system32\SrchSTS.exe
2008-12-02 02:34 . 2008-10-01 14:51 87,552 --a--c--- c:\windows\system32\VACFix.exe
2008-12-02 02:34 . 2008-11-29 17:58 82,944 --a--c--- c:\windows\system32\o4Patch.exe
2008-12-02 02:34 . 2008-05-18 20:40 82,944 --a--c--- c:\windows\system32\IEDFix.exe
2008-12-02 02:34 . 2008-11-29 17:58 82,944 --a--c--- c:\windows\system32\IEDFix.C.exe
2008-12-02 02:34 . 2008-08-18 11:19 82,432 --a--c--- c:\windows\system32\404Fix.exe
2008-12-02 02:34 . 2003-06-05 20:13 53,248 --a--c--- c:\windows\system32\Process.exe
2008-12-02 02:34 . 2004-07-31 17:50 51,200 --a--c--- c:\windows\system32\dumphive.exe
2008-12-02 02:34 . 2007-10-03 23:36 25,600 --a--c--- c:\windows\system32\WS2Fix.exe
2008-11-30 22:21 . 2008-11-30 22:21 <DIR> d----c--- c:\documents and settings\Administrator
2008-11-30 22:18 . 2008-12-01 17:48 <DIR> d----c--- C:\SDFix
2008-11-30 15:37 . 2008-11-30 15:37 <DIR> d----c--- c:\windows\ERUNT
2008-11-30 15:23 . 2008-11-30 15:23 <DIR> d----c--- C:\_OTMoveIt
2008-11-30 15:07 . 2008-11-30 15:07 <DIR> d----c--- c:\program files\Avira
2008-11-30 15:07 . 2008-11-30 15:07 <DIR> d----c--- c:\documents and settings\All Users\Application Data\Avira
2008-11-20 16:44 . 2008-11-20 16:44 <DIR> d----c--- c:\program files\Trend Micro
2008-11-20 16:40 . 2008-11-20 16:43 <DIR> d----c--- c:\program files\Spybot - Search & Destroy
2008-11-20 16:34 . 2008-11-20 16:34 <DIR> d----c--- c:\program files\Panda Security
2008-11-20 16:34 . 2008-06-19 17:24 28,544 --a--c--- c:\windows\system32\drivers\pavboot.sys
2008-11-18 02:12 . 2008-11-18 23:52 <DIR> d----c--- c:\program files\America's Army Deploy Client
2008-11-18 02:12 . 2008-11-18 02:17 <DIR> d----c--- c:\documents and settings\All Users\Application Data\America's Army Deploy Client
2008-11-05 23:19 . 2008-03-05 15:56 3,786,760 --a--c--- c:\windows\system32\d3dx9_37.dll
2008-11-05 23:16 . 2008-11-05 23:27 <DIR> d--h-c--- c:\windows\msdownld.tmp
2008-11-05 23:16 . 2008-11-05 23:16 <DIR> d----c--- c:\windows\Logs
2008-11-05 18:45 . 2008-11-05 18:55 682,280 --a--c--- c:\windows\system32\pbsvc.exe

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-12-03 07:40 --------- dc----w c:\program files\Mozilla Thunderbird
2008-12-03 07:15 --------- dc----w c:\documents and settings\Alex Doman\Application Data\FrostWire
2008-12-02 03:40 --------- dc----w c:\program files\PeerGuardian2
2008-12-02 03:40 --------- dc----w c:\documents and settings\Alex Doman\Application Data\uTorrent
2008-11-30 21:30 240 -c--a-w c:\program files\oxvool.txt
2008-11-25 10:43 186 -c--a-w c:\program files\opqhnyth.txt
2008-11-23 02:30 --------- dc----w c:\program files\Malwarebytes' Anti-Malware
2008-11-23 02:06 --------- dc--a-w c:\documents and settings\All Users\Application Data\TEMP
2008-11-23 02:04 --------- dc----w c:\documents and settings\All Users\Application Data\Norton
2008-11-20 23:41 --------- dc----w c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
2008-11-18 09:09 22,328 -c--a-w c:\windows\system32\drivers\PnkBstrK.sys
2008-11-18 09:09 107,832 -c--a-w c:\windows\system32\PnkBstrB.exe
2008-11-06 01:55 66,872 ----a-w c:\windows\system32\PnkBstrA.exe
2008-11-06 01:55 22,328 -c--a-w c:\documents and settings\Alex Doman\Application Data\PnkBstrK.sys
2008-11-06 01:55 --------- dc-h--w c:\program files\InstallShield Installation Information
2008-11-06 01:52 --------- dc----w c:\program files\Activision
2008-11-03 11:32 --------- dc----w c:\program files\Symantec
2008-11-03 11:32 --------- dc----w c:\program files\Common Files\Symantec Shared
2008-10-27 17:04 70,992 -c--a-w c:\windows\system32\XAPOFX1_2.dll
2008-10-27 17:04 514,384 -c--a-w c:\windows\system32\XAudio2_3.dll
2008-10-27 17:04 235,856 -c--a-w c:\windows\system32\xactengine3_3.dll
2008-10-27 17:04 23,376 -c--a-w c:\windows\system32\X3DAudio1_5.dll
2008-10-25 05:45 --------- dc----w c:\program files\AbiSuite2
2008-10-22 23:10 38,496 -c--a-w c:\windows\system32\drivers\mbamswissarmy.sys
2008-10-22 23:10 15,504 -c--a-w c:\windows\system32\drivers\mbam.sys
2008-10-18 05:35 --------- dc----w c:\documents and settings\LocalService\Application Data\SACore
2008-10-17 20:05 --------- dc----w c:\documents and settings\All Users\Application Data\SiteAdvisor
2008-10-17 20:01 --------- dc----w c:\program files\Common Files\McAfee
2008-10-17 20:00 --------- dc----w c:\program files\McAfee.com
2008-10-16 09:08 --------- dc----w c:\documents and settings\All Users\Application Data\Symantec
2008-10-16 09:05 --------- dc----w c:\documents and settings\All Users\Application Data\PCSettings
2008-10-16 09:05 --------- dc----w c:\documents and settings\All Users\Application Data\NortonInstaller
2008-10-16 08:45 --------- dc----w c:\program files\GameSpy Arcade
2008-10-16 08:45 --------- dc----w c:\program files\AIM
2008-10-16 08:45 --------- dc----w c:\documents and settings\Alex Doman\Application Data\Symantec
2008-10-16 08:43 --------- dc----w c:\documents and settings\All Users\Application Data\NortonSystemWorks
2008-10-16 08:33 --------- dc----w c:\documents and settings\All Users\Application Data\BVRP Software
2008-10-14 09:51 --------- dc----w c:\documents and settings\All Users\Application Data\Malwarebytes
2008-10-14 09:51 --------- dc----w c:\documents and settings\Alex Doman\Application Data\Malwarebytes
2008-10-14 09:24 90,112 ----a-w c:\windows\DUMP2ad8.tmp
2008-10-14 08:49 --------- dc----w c:\documents and settings\All Users\Application Data\{3276BE95_AF08_429F_A64F_CA64CB79BCF6}
2008-10-14 07:23 --------- dc----w c:\program files\Java
2008-10-10 11:52 452,440 -c--a-w c:\windows\system32\d3dx10_40.dll
2008-10-10 11:52 4,379,984 -c--a-w c:\windows\system32\D3DX9_40.dll
2008-10-10 11:52 2,036,576 -c--a-w c:\windows\system32\D3DCompiler_40.dll
2008-10-08 06:38 --------- dc----w c:\program files\DivX
2008-09-20 09:41 787 -c----w C:\DelUS.bat
2008-09-16 00:12 200,704 -c--a-w c:\windows\system32\ssldivx.dll
2008-09-16 00:12 1,044,480 -c--a-w c:\windows\system32\libdivx.dll
2008-08-24 03:21 24,192 -c----w c:\documents and settings\Alex Doman\usbsermptxp.sys
2008-08-24 03:21 22,768 -c----w c:\documents and settings\Alex Doman\usbsermpt.sys
2002-07-26 22:02 153,088 -c--a-w c:\program files\UNWISE.EXE
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"AIM"="c:\program files\AIM\aim.exe" [2006-08-01 67112]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Switcher.exe"="c:\program files\Sony\Wireless Switch Setting Utility\Switcher.exe" [2007-08-31 503808]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2007-12-03 8466432]
"SunJavaUpdateSched"="c:\program files\Java\jre1.6.0_07\bin\jusched.exe" [2008-06-10 144784]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2008-01-11 39792]
"NeroFilterCheck"="c:\windows\system32\NeroCheck.exe" [2001-07-09 155648]
"NvMediaCenter"="c:\windows\system32\NvMcTray.dll" [2007-12-03 81920]
"Adobe Photo Downloader"="c:\program files\Adobe\Photoshop Elements 6.0\apdproxy.exe" [2007-09-10 67488]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2008-05-27 413696]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2008-06-02 267048]
"Apoint"="c:\program files\Apoint\Apoint.exe" [2007-11-02 118784]
"avgnt"="c:\program files\Avira\AntiVir PersonalEdition Classic\avgnt.exe" [2008-06-12 266497]
"nwiz"="nwiz.exe" [2007-12-03 c:\windows\system32\nwiz.exe]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"VIDC.XFR1"= xfcodec.dll

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"UpdatesDisableNotify"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\uTorrent\\uTorrent.exe"=
"c:\\Program Files\\AIM\\aim.exe"=
"c:\\WINDOWS\\system32\\dpnsvr.exe"=
"c:\\Program Files\\FrostWire\\FrostWire.exe"=
"c:\\Program Files\\Sierra\\FEARCombat\\fpupdate.exe"=
"c:\\Program Files\\Sierra\\FEARCombat\\FEARMP.exe"=
"c:\\Program Files\\Ubisoft\\Tom Clancy's Rainbow Six Vegas\\Binaries\\R6Vegas_Game.exe"=
"c:\\Program Files\\Ubisoft\\Tom Clancy's Rainbow Six Vegas\\Binaries\\R6Vegas_Launcher.exe"=
"c:\\Program Files\\Ubisoft\\Tom Clancy's Rainbow Six Vegas\\Binaries\\R6VegasServer.exe"=
"c:\\Program Files\\Microsoft Games\\Halo\\halo.exe"=
"c:\\WINDOWS\\system32\\PnkBstrA.exe"=
"c:\\WINDOWS\\system32\\PnkBstrB.exe"=
"c:\\Program Files\\Xfire\\xfire.exe"=
"c:\\Program Files\\EA GAMES\\Need for Speed Most Wanted\\speed.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\\Program Files\\Activision\\Call of Duty 4 - Modern Warfare\\iw3mp.exe"=
"c:\\Program Files\\America's Army\\System\\ArmyOps.exe"=
"c:\\Program Files\\Activision\\Call of Duty - World at War Beta\\CoDWaWbeta.exe"=
"c:\\Program Files\\America's Army Deploy Client\\AADeployClient.exe"=

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\Z]
\Shell\AutoRun\command - Z:\Autorun.exe
.
- - - - ORPHANS REMOVED - - - -

BHO-{0658162D-5D22-4D14-AC7A-7C9117F7E7E3} - (no file)
BHO-{85E42802-0731-4B3A-8463-1CEF26739D35} - (no file)
BHO-{92978f32-d9df-4444-97ad-3c52473d0faa} - (no file)
BHO-{9B61D337-2B6B-49FE-BD23-2F812029B8E4} - (no file)
BHO-{A152B8B9-EE56-413D-A0A4-DBE5B8CB2DA6} - (no file)
BHO-{d2a7209a-f098-4054-bd47-e67f5a15afae} - c:\windows\system32\gebojele.dll
BHO-{d34be5ba-393e-4d99-860e-726f16ee669c} - (no file)


.
------- Supplementary Scan -------
.
FireFox -: Profile - c:\documents and settings\Alex Doman\Application Data\Mozilla\Firefox\Profiles\4nyyb2vu.default\
FF -: plugin - c:\program files\iTunes\Mozilla Plugins\npitunes.dll
FF -: plugin - c:\program files\Microsoft Silverlight\2.0.30523.8\npctrl.dll
.

**************************************************************************

catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-12-03 00:47:30
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
------------------------ Other Running Processes ------------------------
.
c:\program files\WIDCOMM\Bluetooth Software\bin\btwdins.exe
c:\program files\Intel\Wireless\Bin\S24EvMon.exe
c:\program files\Avira\AntiVir PersonalEdition Classic\sched.exe
c:\program files\Adobe\Photoshop Elements 6.0\PhotoshopElementsFileAgent.exe
c:\program files\Avira\AntiVir PersonalEdition Classic\avguard.exe
c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
c:\program files\Intel\Wireless\Bin\EvtEng.exe
c:\program files\Common Files\LightScribe\LSSrvc.exe
c:\windows\system32\nvsvc32.exe
c:\windows\system32\PnkBstrA.exe
c:\program files\Intel\Wireless\Bin\RegSrvc.exe
c:\windows\system32\rundll32.exe
c:\program files\Apoint\ApntEx.exe
c:\program files\iPod\bin\iPodService.exe
.
**************************************************************************
.
Completion time: 2008-12-03 0:49:52 - machine was rebooted
ComboFix-quarantined-files.txt 2008-12-03 07:49:50

Pre-Run: 70,832,365,568 bytes free
Post-Run: 70,773,448,704 bytes free

WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe
;
;Warning: Boot.ini is used on Windows XP and earlier operating systems.
;Warning: Use BCDEDIT.exe to modify Windows Vista boot options.
;
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Professional" /NOEXECUTE=OPTIN /FASTDETECT

232 --- E O F --- 2008-09-21 06:54:22





Here's a new HJT log.



Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 1:01:43 AM, on 12/3/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\WIDCOMM\Bluetooth Software\bin\btwdins.exe
C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Avira\AntiVir PersonalEdition Classic\sched.exe
C:\Program Files\Adobe\Photoshop Elements 6.0\PhotoshopElementsFileAgent.exe
C:\Program Files\Avira\AntiVir PersonalEdition Classic\avguard.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
C:\Program Files\Common Files\LightScribe\LSSrvc.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\PnkBstrA.exe
C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Sony\Wireless Switch Setting Utility\Switcher.exe
C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\Program Files\Adobe\Photoshop Elements 6.0\apdproxy.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Apoint\Apoint.exe
C:\Program Files\Avira\AntiVir PersonalEdition Classic\avgnt.exe
C:\Program Files\Apoint\Apntex.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\explorer.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft....k/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft....k/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft....k/?LinkId=54896
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O2 - BHO: (no name) - {B164E929-A1B6-4A06-B104-2CD0E90A88FF} - (no file)
O4 - HKLM\..\Run: [Switcher.exe] "C:\Program Files\Sony\Wireless Switch Setting Utility\Switcher.exe"
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe"
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [Adobe Photo Downloader] "C:\Program Files\Adobe\Photoshop Elements 6.0\apdproxy.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [Apoint] C:\Program Files\Apoint\Apoint.exe
O4 - HKLM\..\Run: [avgnt] "C:\Program Files\Avira\AntiVir PersonalEdition Classic\avgnt.exe" /min
O4 - HKCU\..\Run: [AIM] C:\Program Files\AIM\aim.exe -cnetwait.odl
O8 - Extra context menu item: Send to &Bluetooth Device... - C:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie_ctx.htm
O8 - Extra context menu item: Send To Bluetooth - C:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: @btrez.dll,-4015 - {CCA281CA-C863-46ef-9331-5C8D4460577F} - C:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie.htm
O9 - Extra 'Tools' menuitem: @btrez.dll,-12650 - {CCA281CA-C863-46ef-9331-5C8D4460577F} - C:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie.htm
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\WINDOWS\system32\shdocvw.dll
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\WINDOWS\system32\shdocvw.dll
O23 - Service: McAfee Application Installer Cleanup (0272921221902489) (0272921221902489mcinstcleanup) - Unknown owner - C:\DOCUME~1\ALEXDO~1\LOCALS~1\Temp\027292~1.EXE (file missing)
O23 - Service: Adobe Active File Monitor V6 (AdobeActiveFileMonitor6.0) - Unknown owner - C:\Program Files\Adobe\Photoshop Elements 6.0\PhotoshopElementsFileAgent.exe
O23 - Service: Avira AntiVir Personal - Free Antivirus Scheduler (AntiVirScheduler) - Avira GmbH - C:\Program Files\Avira\AntiVir PersonalEdition Classic\sched.exe
O23 - Service: Avira AntiVir Personal - Free Antivirus Guard (AntiVirService) - Avira GmbH - C:\Program Files\Avira\AntiVir PersonalEdition Classic\avguard.exe
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Automatic LiveUpdate Scheduler - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\AluSchedulerSvc.exe
O23 - Service: Bluetooth Service (btwdins) - Broadcom Corporation. - C:\Program Files\WIDCOMM\Bluetooth Software\bin\btwdins.exe
O23 - Service: Intel® PROSet/Wireless Event Log (EvtEng) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - C:\Program Files\Common Files\LightScribe\LSSrvc.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\LuComServer_3_4.EXE
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: PnkBstrA - Unknown owner - C:\WINDOWS\system32\PnkBstrA.exe
O23 - Service: Intel® PROSet/Wireless Registry Service (RegSrvc) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
O23 - Service: Intel® PROSet/Wireless Service (S24EventMonitor) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
O24 - Desktop Component 0: Privacy Protection - (no file)

--
End of file - 6825 bytes




My machine is running significantly faster, the desktop icons that originally disappeared when I got the virus reappeared, and there are no more popup windows when I use my browser. Everything appears to be back to normal.

Thanks you SOOOOOO much for your help Maurice Naggar! You helped me out a ton!

[Maurice Naggar]

There is a bit more to do.

Download to your Desktop FixPolicies.exe, by Bill Castner, MS-MVP, a self-extracting ZIP archive from here:
http://cid-6aaab341ce47c5c2.skydrive.live....FixPolicies.exe

• Double-click FixPolicies.exe.
  
• Click the "Install" button on the bottom toolbar of the box that will open.
  
• The program will create a new Folder called FixPolicies.
  
• Double-click to Open the new Folder, and then double-click the file within: Fix_Policies.cmd.
  
• A black box will briefly appear and then close.
  
• This fix may prove temporary. Active malware may revert these changes at your next startup. You can safely run the utility again.

There's one file that needs to be checked out, and if it is tagged as a trojan or other malware, then delete it.
Use your browser to go here at Virustotal website
Click the Browse button and then navigate to C:\Program Files\GameSpy Arcade\Services\_common\PortraitLoader.dll, then click the Submit button.
The various virus scanners will identify the file and if it is not identified, the AV vendors will then have a copy of it for analysis. Save the results, and post back here in a reply.

==
Use your browser to go here at Viruscan.org website
Click the Browse button and then navigate to C:\Program Files\GameSpy Arcade\Services\_common\PortraitLoader.dll, then click the Submit button.

Save the results, and post back here in a reply.
=
Start HijackThis. Look for these lines and place a checkmark against each of the following, if still present

Quote

O24 - Desktop Component 0: Privacy Protection - (no file)

Click on Fix Checked when finished and exit HijackThis.
Make sure your Internet Explorer (& or any other window) is closed when you click Fix Checked!
=
De-install your Adobe Reader: Use Control Panel's Add-Remove programs, Remove Adobe Reader. Get the latest version from http://www.adobe.com.../readstep2.html

Download -- to your Desktop -- JavaRa.Zip from either of these two sites:

http://prm753.bchea..../click.php?id=9
http://www.majorgeek...vaRa_d5967.html

• Unzip the download. This will create a new Folder, JavaRa on your Desktop.
  
• Double click this new Folder to open it, and double click the file within: JavaRa to execute the program.
  
• Click the button: Remove Older Versions.
  
• Agree to the cleanup operation by clicking Yes. After a moment, a notice will appear that a log file has been produced. Click OK. Close the Notepad view that opens.
  
• Click the button: Other Tasks. Choose these options:
  Remove Useless JRE Files
  Remove Startup Entry
  Remove JavaRa Logfile
  
• Click Go. When it finishes, click OK to close the panel, and then Exit the program.
  
• Delete the download, and the unzipped folder and all contents.

This system has an old version of Java Run-time.

Uninstall jre1.6 (or any earlier) + any other (JRE Runtime Environment ) Sun Java package via Add/Remove Programs.
If you see any other Java versions there,
such as
J2SE Runtime Environment 5.0
Java SE Runtime Environment
Java 6

uninstall all of them. After uninstalling, reboot if directed to do so.

In Windows Explorer, navigate to and delete C:\Program Files\Java <=this folder, if found.

Do NOT delete C:\Program Files\JavaVM <=this folder, if found!

Open an IE window and go to http://java.sun.com/...loads/index.jsp
> In top of the page (first in the list), click on the Download button to the right of Java Runtime Environment (JRE) 6 Update 11
> Accept the license agreement
> Click on Windows Offline Installation, Multi-language and Save the file to your desktop; do not Run it.

When the download is complete, close all browser windows and double-click on the saved file to install the update.

• Tip: You do not have to accept the MSN toolbar. If you do not want it, uncheck the box for MSN toolbar.

Delete the downloaded installation file after completing the above procedure and reboot if prompted to do so.

If you were /not/ prompted to reboot, please do so now.
=
Take out the trash (temporary files & temporary internet files)
Please download ATF Cleaner by Atribune, saving it to your desktop. It is used to cleanout temporary files & temp areas used by internet browsers.
Start ATF-Cleaner.exe to run the program.

Under Main choose: Select All

Click the Empty Selected button.

If you use Firefox browser, do this also:
Click Firefox at the top and choose: Select All

Click the Empty Selected button.

NOTE: If you would like to keep your saved passwords, please click No at the prompt.

If you use Opera browser, do this also:
Click Opera at the top and choose: Select All

Click the Empty Selected button.

NOTE: If you would like to keep your saved passwords, please click No at the prompt.

Click Exit on the Main menu to close the program.
ATF-Cleaner should be run per the above in every user-login account {User Profile}
=
The MBAM definitions on your system were not the latest. The latest definitions (database) version is 1454.
Start MBAM. Press the Update tab.
Press the "Check for Updates" button.
After it is updated, press the Scanner tab and do a FULL scan.
Reply with the new MBAM log.

[adoman28]

Alright.

VirusTotal.com Results

VirusScan.org Results


New MBAM Log


Malwarebytes' Anti-Malware 1.30
Database version: 1455
Windows 5.1.2600 Service Pack 2

12/3/2008 3:58:58 PM
mbam-log-2008-12-03 (15-58-58).txt

Scan type: Full Scan (C:\|D:\|)
Objects scanned: 92103
Time elapsed: 29 minute(s), 13 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 3

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
C:\System Volume Information\_restore{9BA698BB-C650-4CBF-839B-2C68B88A25C6}\RP2\A0000149.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{9BA698BB-C650-4CBF-839B-2C68B88A25C6}\RP2\A0000150.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\nobiwuna.dll.tmp (Trojan.Vundo) -> Quarantined and deleted successfully.


Still infected .

Thanks as always!

[Maurice Naggar]

You will want to print out or copy these instructions to Notepad for Safe Mode/offline reference! Perhaps also save the file on your pc.

• Please double-click OTMoveIt3.exe to run it. (Note: If you are running on Vista, right-click on the file and choose Run As Administrator).
  
• Copy the lines in the codebox below to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose Copy):
  
  

  :files
  c:\windows\msdownld.tmp

  
  
• Return to OTMoveIt3, right click in the "Paste List of Files/Folders to Move" window (under the yellow bar) and choose Paste.
  
  
• Click the red Moveit! button.
  
• Copy everything in the Results window (under the green bar) to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose copy), and paste it in your next reply.
  
• Close OTMoveIt3

Note: If a file or folder cannot be moved immediately you may be asked to reboot the machine to finish the move process. If you are asked to reboot the machine choose Yes. In this case, after the reboot, open Notepad (Start->All Programs->Accessories->Notepad), click File->Open, in the File Name box enter *.log and press the Enter key, navigate to the C:\_OTMoveIt\MovedFiles folder, and open the newest .log file present, and copy/paste the contents of that document back here in your next post.
=
The last 3 files tagged were not active. 2 were in restore points, which will be cleared later, and 1 was already renamed.
I'd like for you to do an online scan at ESET.
Using Internet Explorer browser only, go to ESET Online Scanner website:

• Accept the Terms of Use and press Start button;
  
  
• Approve the install of the required ActiveX Control, then follow on-screen instructions;
  
  
• Enable (check) the Remove found threats option, and run the scan.
  
  
• After the scan completes, the Details tab in the Results window will display what was found and removed.
  • A logfile is created and located at C:\Program Files\EsetOnlineScanner\log.txt.
  Look at contents of this file using Notepad or Wordpad.
  
  The Frequently Asked Questions for ESET Online Scanner can be viewed here
  http://www.eset.com/...c4.php?page=faq
  
  
  • From ESET Tech Support: If you have ESET NOD32 installed, you should disable it prior to running this scanner.
    Otherwise the scan will take twice as long to do:
    everytime the ESET online scanner opens a file on your computer to scan it, NOD32 on your machine will rescan the file as a result.
    
  • It is emphasized to temporarily disable any pc-resident {active} antivirus program prior to any on-line scan by any on-line scanner.
    (And the prompt re-enabling when finished.)
    
  • If you use Firefox, you have to install IETab, an add-on. This is to enable ActiveX support.

=
Delete the prior copy of SmitFraudFix.exe and get a new (latest) version.

Close all browsers and all open windows & programs.

1. Please download SmitfraudFix (by S!Ri) and SAVE it to your Desktop.
It's very important that you be using the most recent version (v2.381 as of this post).


2. Reboot into Safe Mode (Restart your computer, then continually tap F8 until a menu appears. Use your up arrow key to highlight Safe Mode, then hit enter. More at http://service1.symantec.com/SUPPORT/tsgen...001052409420406.)

3. Once in Safe Mode:
Double click the SmitFraudfix.exe file. It will create a folder named SmitfraudFix on your Desktop.

Open the SmitfraudFix folder and double-click smitfraudfix.cmd
Have plenty of patience as a Command prompt window opens. You'll eventually see a message and a "press any key to continue".
Press the space bar or any other key on the keyboard.

4. Select option #2 - Clean by typing 2 and pressing Enter to delete infected files.

5. You will be prompted: "Registry cleaning - Do you want to clean the registry ?" Answer "Yes" by typing Y and pressing Enter in order to remove the desktop background and clean registry keys associated with the infection.

6. The tool will then check if wininet.dll is infected. If prompted to replace the infected file (if found), answer "Yes" by typing Y and pressing Enter.

7. The tool may need to restart your computer to finish the cleaning process; if it doesn't, please restart it into Normal Windows.

8. A text file will appear onscreen with results from the cleaning process.

The report also may be found at the root of the system drive, usually at C:\rapport.txt

Notes:

• process.exe is detected by some antivirus programs (AntiVir, Dr.Web, Kaspersky) as a "RiskTool"; it is not a virus, but a program used to stop system processes. Antivirus programs cannot distinguish between "good" and "malicious" use of such programs, therefore they may alert the user. More on this at http://www.beyondlogic.org/consulting/proc...processutil.htm
  
  
• Running option #2 on a non-infected computer will remove your Desktop background. No need to worry, had been infected

- - -
Please reply with copy of the Eset scan log, the content of C:\rapport.txt into your next reply along with a fresh HJT log. And tell me, How is your system now?

[adoman28]

OTMoveIt3 Log

========== FILES ==========
c:\windows\msdownld.tmp moved successfully.

OTMoveIt3 by OldTimer - Version 1.0.7.2 log created on 12052008_001207



Eset Scan Log

# version=4
# OnlineScanner.ocx=1.0.0.635
# OnlineScannerDLLA.dll=1, 0, 0, 79
# OnlineScannerDLLW.dll=1, 0, 0, 78
# OnlineScannerUninstaller.exe=1, 0, 0, 49
# vers_standard_module=3665 (20081204)
# vers_arch_module=1.064 (20080214)
# vers_adv_heur_module=1.064 (20070717)
# EOSSerial=5d74632a84d08b4d9d70f49abcc332dd
# end=finished
# remove_checked=true
# unwanted_checked=true
# utc_time=2008-12-05 07:51:40
# local_time=2008-12-05 12:51:40 (-0700, Mountain Standard Time)
# country="United States"
# osver=5.1.2600 NT Service Pack 2
# scanned=246455
# found=2
# scan_time=1545
C:\System Volume Information\_restore{9BA698BB-C650-4CBF-839B-2C68B88A25C6}\RP2\A0000157.dll Win32/Adware.Virtumonde application (unable to clean - deleted) 00000000000000000000000000000000
C:\System Volume Information\_restore{9BA698BB-C650-4CBF-839B-2C68B88A25C6}\RP2\A0000159.dll Win32/Adware.Virtumonde application (unable to clean - deleted) 00000000000000000000000000000000



rapport.txt

SmitFraudFix v2.381

Scan done at 0:57:02.46, Fri 12/05/2008
Run from C:\Documents and Settings\Alex Doman\Desktop\SmitfraudFix
OS: Microsoft Windows XP [Version 5.1.2600] - Windows_NT
The filesystem type is NTFS
Fix run in safe mode

»»»»»»»»»»»»»»»»»»»»»»»» SharedTaskScheduler Before SmitFraudFix
!!!Attention, following keys are not inevitably infected!!!

SrchSTS.exe by S!Ri
Search SharedTaskScheduler's .dll

»»»»»»»»»»»»»»»»»»»»»»»» Killing process


»»»»»»»»»»»»»»»»»»»»»»»» hosts

127.0.0.1 localhost

»»»»»»»»»»»»»»»»»»»»»»»» VACFix

VACFix
Credits: Malware Analysis & Diagnostic
Code: S!Ri


»»»»»»»»»»»»»»»»»»»»»»»» Winsock2 Fix

S!Ri's WS2Fix: LSP not Found.


»»»»»»»»»»»»»»»»»»»»»»»» Generic Renos Fix

GenericRenosFix by S!Ri


»»»»»»»»»»»»»»»»»»»»»»»» Deleting infected files


»»»»»»»»»»»»»»»»»»»»»»»» IEDFix

IEDFix
Credits: Malware Analysis & Diagnostic
Code: S!Ri



»»»»»»»»»»»»»»»»»»»»»»»» 404Fix

404Fix
Credits: Malware Analysis & Diagnostic
Code: S!Ri


»»»»»»»»»»»»»»»»»»»»»»»» RK


»»»»»»»»»»»»»»»»»»»»»»»» DNS



»»»»»»»»»»»»»»»»»»»»»»»» Deleting Temp Files


»»»»»»»»»»»»»»»»»»»»»»»» Winlogon.System
!!!Attention, following keys are not inevitably infected!!!

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
"System"=""


»»»»»»»»»»»»»»»»»»»»»»»» Registry Cleaning

Registry Cleaning done.

»»»»»»»»»»»»»»»»»»»»»»»» SharedTaskScheduler After SmitFraudFix
!!!Attention, following keys are not inevitably infected!!!

SrchSTS.exe by S!Ri
Search SharedTaskScheduler's .dll


»»»»»»»»»»»»»»»»»»»»»»»» End



Fresh HJT Log

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 01:01:08, on 12/5/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\WIDCOMM\Bluetooth Software\bin\btwdins.exe
C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Avira\AntiVir PersonalEdition Classic\sched.exe
C:\Program Files\Adobe\Photoshop Elements 6.0\PhotoshopElementsFileAgent.exe
C:\Program Files\Avira\AntiVir PersonalEdition Classic\avguard.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
C:\Program Files\Sony\Wireless Switch Setting Utility\Switcher.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\Program Files\Adobe\Photoshop Elements 6.0\apdproxy.exe
C:\Program Files\Common Files\LightScribe\LSSrvc.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Apoint\Apoint.exe
C:\Program Files\Avira\AntiVir PersonalEdition Classic\avgnt.exe
C:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\WINDOWS\system32\PnkBstrA.exe
C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Apoint\Apntex.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
O2 - BHO: Java™ Plug-In SSV Helper - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre6\bin\ssv.dll
O2 - BHO: (no name) - {B164E929-A1B6-4A06-B104-2CD0E90A88FF} - (no file)
O2 - BHO: Java™ Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O4 - HKLM\..\Run: [Switcher.exe] "C:\Program Files\Sony\Wireless Switch Setting Utility\Switcher.exe"
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [Adobe Photo Downloader] "C:\Program Files\Adobe\Photoshop Elements 6.0\apdproxy.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [Apoint] C:\Program Files\Apoint\Apoint.exe
O4 - HKLM\..\Run: [avgnt] "C:\Program Files\Avira\AntiVir PersonalEdition Classic\avgnt.exe" /min
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"
O8 - Extra context menu item: Send to &Bluetooth Device... - C:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie_ctx.htm
O8 - Extra context menu item: Send To Bluetooth - C:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie.htm
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: @btrez.dll,-4015 - {CCA281CA-C863-46ef-9331-5C8D4460577F} - C:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie.htm
O9 - Extra 'Tools' menuitem: @btrez.dll,-12650 - {CCA281CA-C863-46ef-9331-5C8D4460577F} - C:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie.htm
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\WINDOWS\system32\shdocvw.dll
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\WINDOWS\system32\shdocvw.dll
O16 - DPF: {56762DEC-6B0D-4AB4-A8AD-989993B5D08B} (OnlineScanner Control) - http://www.eset.eu/b...lineScanner.cab
O23 - Service: McAfee Application Installer Cleanup (0272921221902489) (0272921221902489mcinstcleanup) - Unknown owner - C:\DOCUME~1\ALEXDO~1\LOCALS~1\Temp\027292~1.EXE (file missing)
O23 - Service: Adobe Active File Monitor V6 (AdobeActiveFileMonitor6.0) - Unknown owner - C:\Program Files\Adobe\Photoshop Elements 6.0\PhotoshopElementsFileAgent.exe
O23 - Service: Avira AntiVir Personal - Free Antivirus Scheduler (AntiVirScheduler) - Avira GmbH - C:\Program Files\Avira\AntiVir PersonalEdition Classic\sched.exe
O23 - Service: Avira AntiVir Personal - Free Antivirus Guard (AntiVirService) - Avira GmbH - C:\Program Files\Avira\AntiVir PersonalEdition Classic\avguard.exe
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Automatic LiveUpdate Scheduler - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\AluSchedulerSvc.exe
O23 - Service: Bluetooth Service (btwdins) - Broadcom Corporation. - C:\Program Files\WIDCOMM\Bluetooth Software\bin\btwdins.exe
O23 - Service: Intel® PROSet/Wireless Event Log (EvtEng) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
O23 - Service: getPlus® Helper - NOS Microsystems Ltd. - C:\Program Files\NOS\bin\getPlus_HelperSvc.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - C:\Program Files\Common Files\LightScribe\LSSrvc.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\LuComServer_3_4.EXE
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: PnkBstrA - Unknown owner - C:\WINDOWS\system32\PnkBstrA.exe
O23 - Service: Intel® PROSet/Wireless Registry Service (RegSrvc) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
O23 - Service: Intel® PROSet/Wireless Service (S24EventMonitor) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe

--
End of file - 6845 bytes





Thanks!

[Maurice Naggar]

One small adjustment and then we are finsihed.
Start HijackThis. Look for these lines and place a checkmark against each of the following, if still present

Quote

O2 - BHO: (no name) - {B164E929-A1B6-4A06-B104-2CD0E90A88FF} - (no file)
O23 - Service: McAfee Application Installer Cleanup (0272921221902489) (0272921221902489mcinstcleanup) - Unknown owner - C:\DOCUME~1\ALEXDO~1\LOCALS~1\Temp\027292~1.EXE (file missing)

Click on Fix Checked when finished and exit HijackThis.
Make sure your Internet Explorer (& or any other window) is closed when you click Fix Checked!

The following few steps will remove tools we used; followed by advice on staying safer.

We have to remove Combofix and all its associated folders. By whichever name you named it, (either Combofix or Combo-fix), put that name in the RUN box stated just below. The "/u" in the Run line below is to start Combofix for it's cleanup & removal function.
The utility must be removed to prevent any un-intentional or accidental usage, PLUS, to free up much space on your hard disk.

• Click Start, then click Run.
  
  In the command box that opens, type or copy/paste combofix /u and then click OK.
  
  

• Please download OTMoveIt3 by OldTimer: http://oldtimer.geek...m/OTMoveIt3.exe
  • Save it to your desktop.
    
  • Please double-click OTMoveIt3.exe to run it.
    
  • Click on the CleanUp! button. When you do this a text file named cleanup.txt will be downloaded from the internet. If you get a warning from your firewall or other security programs regarding OTMoveIt attempting to contact the internet you should allow it to do so. After the list has been download you'll be asked if you want to Begin cleanup process? Select Yes.
    
  • This step removes the files, folders, and shortcuts created by the tools I had you download and run.

• Run ATF Cleaner, and checkmark "Empty Recycle Bin", click "Empty Selected" and exit the program. You can delete or keep this utility as you wish.
  
  
• Configure your Antivirus software to check for updates daily, at a time in which you are sure the computer will be on.
  
  
• Check in at Windows Update and install any Critical Updates offered.
  
  
• Download and Install Windows Defender by Microsoft (free) if you do not already have it:
  http://www.microsoft.com/downloads/details...A4-F7F14E605A0D
  
  
• Make certain that Automatic Updates is enabled.
  How to configure and use Automatic Updates in WinXP:
  http://support.microsoft.com/kb/306525
• Download and install Comodo BOClean (free): http://www.comodo.co...O_download.html
  
  
• Download, install, and keep updated Spyware Blaster (free): http://www.javacools...areblaster.html (all Protections should be enabled at all times)
  
  
• I'd recommend that you get and use MVP Mike Burgess' custom hosts file http://mvps.org/winhelp2002/hosts.htm
  See the FAQ page http://mvps.org/winh...02/hostsfaq.htm
  That would help to keep your browser away from known spyware/malware sites.
  
  
• Make regular backups of your system to removable media: DVD, USB external hard drive, etc.
  
  On some regular schedule, it is a good idea to do an online scan for viruses and malware. Here is a very short list of sites where this may be done:
  Kaspersky Webscan Online Virus Scanner
  
  ESET Online Scanner
  
  Panda ActiveScan?
  
  Trend Micro Housecall
  
  F-Secure Online Scanner
  
  
• Read Tony Klein's article How Did I Get Infected In The First Place
  
  
• Never, ever download free games, free tools, smileys, or anything free unless you can be absolutely sure the source is safe !
  
  Finally, spend some time reading about how to keep your computer safe on the Internet: http://www.bleepingc...tutorial82.html

We are finished. All the best.

[Raid]

[indent]

I will close the thread to prevent others from posting into it. If you need assistance please start your own topic and someone will be happy to assist you.

The fixes and advice in this thread are for this machine only. Do not apply to your machine unless you Fully Understand how these programs work and what you're doing. Please start a thread of your own and someone will be happy to help you, just follow the Pre-Hijackthis instructions found here before posting Pre- HJT Post Instructions
[/indent]