Spyware Guard 2008 appears to be on my computer and won't go away with any basic scan it would seem. Other things appear to be hidden as well which forces me to run in safe mode otherwise my computer slows down so much that it eventually freezes up. Performing quick scans with Malwarebytes' shows an infected registry key or something that can't be deleted, and 2 other infections that say they are successfully deleted but always reappear directly afterward.
Malwarebytes' Anti-Malware 1.31
Database version: 1550
Windows 5.1.2600 Service Pack 2
12/27/2008 4:19:48 AM
mbam-log-2008-12-27 (04-19-48).txt
Scan type: Full Scan (C:\|)
Objects scanned: 163718
Time elapsed: 41 minute(s), 48 second(s)
Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 1
Registry Values Infected: 0
Registry Data Items Infected: 2
Folders Infected: 0
Files Infected: 61
Memory Processes Infected:
(No malicious items detected)
Memory Modules Infected:
(No malicious items detected)
Registry Keys Infected:
HKEY_CLASSES_ROOT\CLSID\{ec43e3fd-5c60-46a6-97d7-e0b85dbdd6c4} (Trojan.BHO) -> Delete on reboot.
Registry Values Infected:
(No malicious items detected)
Registry Data Items Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit (Trojan.Agent) -> Data: c:\windows\system32\userinit.exe -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit (Trojan.Agent) -> Data: system32\userinit.exe -> Quarantined and deleted successfully.
Folders Infected:
(No malicious items detected)
Files Infected:
C:\System Volume Information\_restore{54C86084-7FFC-4B91-8490-871C8454285F}\RP837\A0179156.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{54C86084-7FFC-4B91-8490-871C8454285F}\RP840\A0179317.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{54C86084-7FFC-4B91-8490-871C8454285F}\RP842\A0179462.exe (Trojan.Downloader) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{54C86084-7FFC-4B91-8490-871C8454285F}\RP846\A0181704.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{54C86084-7FFC-4B91-8490-871C8454285F}\RP846\A0181706.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{54C86084-7FFC-4B91-8490-871C8454285F}\RP846\A0181708.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{54C86084-7FFC-4B91-8490-871C8454285F}\RP846\A0181710.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{54C86084-7FFC-4B91-8490-871C8454285F}\RP846\A0181712.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{54C86084-7FFC-4B91-8490-871C8454285F}\RP846\A0181721.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{54C86084-7FFC-4B91-8490-871C8454285F}\RP846\A0181804.exe (Rogue.Spyguard) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{54C86084-7FFC-4B91-8490-871C8454285F}\RP846\A0181821.exe (Rogue.Spyguard) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{54C86084-7FFC-4B91-8490-871C8454285F}\RP846\A0181850.exe (Rogue.Spyguard) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{54C86084-7FFC-4B91-8490-871C8454285F}\RP847\A0181877.dll (Trojan.FakeAlert) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{54C86084-7FFC-4B91-8490-871C8454285F}\RP847\A0181878.exe (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{54C86084-7FFC-4B91-8490-871C8454285F}\RP847\A0183860.exe (Rogue.Spyguard) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{54C86084-7FFC-4B91-8490-871C8454285F}\RP847\A0184860.exe (Rogue.Spyguard) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{54C86084-7FFC-4B91-8490-871C8454285F}\RP847\A0184883.exe (Rogue.Spyguard) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{54C86084-7FFC-4B91-8490-871C8454285F}\RP848\A0184911.exe (Trojan.FakeAlert) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{54C86084-7FFC-4B91-8490-871C8454285F}\RP848\A0184915.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{54C86084-7FFC-4B91-8490-871C8454285F}\RP848\A0184916.exe (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{54C86084-7FFC-4B91-8490-871C8454285F}\RP848\A0184917.dll (Trojan.FakeAlert) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{54C86084-7FFC-4B91-8490-871C8454285F}\RP848\A0185000.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{54C86084-7FFC-4B91-8490-871C8454285F}\RP848\A0185018.exe (Rogue.Spyguard) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{54C86084-7FFC-4B91-8490-871C8454285F}\RP848\A0185060.exe (Rogue.Spyguard) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{54C86084-7FFC-4B91-8490-871C8454285F}\RP848\A0185148.exe (Rogue.Spyguard) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{54C86084-7FFC-4B91-8490-871C8454285F}\RP848\A0185192.exe (Backdoor.Hupigon) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{54C86084-7FFC-4B91-8490-871C8454285F}\RP848\A0185193.exe (Trojan.Downloader) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{54C86084-7FFC-4B91-8490-871C8454285F}\RP848\A0185194.exe (Backdoor.Hupigon) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{54C86084-7FFC-4B91-8490-871C8454285F}\RP848\A0185195.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{54C86084-7FFC-4B91-8490-871C8454285F}\RP848\A0185311.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{54C86084-7FFC-4B91-8490-871C8454285F}\RP848\A0185315.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{54C86084-7FFC-4B91-8490-871C8454285F}\RP848\A0185320.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{54C86084-7FFC-4B91-8490-871C8454285F}\RP848\A0185481.exe (Rogue.Spyguard) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{54C86084-7FFC-4B91-8490-871C8454285F}\RP848\A0186503.exe (Rogue.Spyguard) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{54C86084-7FFC-4B91-8490-871C8454285F}\RP848\A0188524.exe (Rogue.Spyguard) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{54C86084-7FFC-4B91-8490-871C8454285F}\RP848\A0191524.exe (Rogue.Spyguard) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{54C86084-7FFC-4B91-8490-871C8454285F}\RP848\A0193524.exe (Rogue.Spyguard) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{54C86084-7FFC-4B91-8490-871C8454285F}\RP848\A0194538.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{54C86084-7FFC-4B91-8490-871C8454285F}\RP848\A0194540.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{54C86084-7FFC-4B91-8490-871C8454285F}\RP848\A0194544.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{54C86084-7FFC-4B91-8490-871C8454285F}\RP848\A0194548.exe (Trojan.FakeAlert) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{54C86084-7FFC-4B91-8490-871C8454285F}\RP848\A0194556.exe (Backdoor.Hupigon) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{54C86084-7FFC-4B91-8490-871C8454285F}\RP848\A0195566.exe (Rogue.Spyguard) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{54C86084-7FFC-4B91-8490-871C8454285F}\RP848\A0196586.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{54C86084-7FFC-4B91-8490-871C8454285F}\RP848\A0196587.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{54C86084-7FFC-4B91-8490-871C8454285F}\RP848\A0196588.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{54C86084-7FFC-4B91-8490-871C8454285F}\RP848\A0196589.dll (Trojan.FakeAlert) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{54C86084-7FFC-4B91-8490-871C8454285F}\RP848\A0196590.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{54C86084-7FFC-4B91-8490-871C8454285F}\RP848\A0196591.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{54C86084-7FFC-4B91-8490-871C8454285F}\RP848\A0196592.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{54C86084-7FFC-4B91-8490-871C8454285F}\RP848\A0196593.exe (Trojan.FakeAlert) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{54C86084-7FFC-4B91-8490-871C8454285F}\RP848\A0196594.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{54C86084-7FFC-4B91-8490-871C8454285F}\RP848\A0196595.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{54C86084-7FFC-4B91-8490-871C8454285F}\RP848\A0196596.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{54C86084-7FFC-4B91-8490-871C8454285F}\RP848\A0196597.sys (Rootkit.Agent) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{54C86084-7FFC-4B91-8490-871C8454285F}\RP848\A0196598.sys (Rootkit.Agent) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{54C86084-7FFC-4B91-8490-871C8454285F}\RP848\A0196599.exe (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{54C86084-7FFC-4B91-8490-871C8454285F}\RP848\A0196600.exe (Backdoor.Hupigon) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{54C86084-7FFC-4B91-8490-871C8454285F}\RP848\A0196601.exe (Trojan.Downloader) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{54C86084-7FFC-4B91-8490-871C8454285F}\RP848\A0196614.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{54C86084-7FFC-4B91-8490-871C8454285F}\RP848\A0196615.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
;****************************************************************************
ANALYSIS: 2008-12-27 05:38:21
PROTECTIONS: 2
MALWARE: 18
SUSPECTS: 0
;****************************************************************************
PROTECTIONS
Description Version Active Updated
;===========================================================
Panda Antivirus WebAdmin 3.01.00 No No
Windows Defender 1.1.4104.0 No No
;===========================================================
MALWARE
Id Description Type Active Severity Disinfectable Disinfected Location
;=========================================================== HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main\Search Bar
00046160 adware/searchexe Adware No 0 Yes No HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main\Search Bar
00046160 adware/searchexe Adware No 0 Yes No HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main\Search Bar
00048327 adware/startpage.na Adware No 0 Yes No HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main\Default_Search_URL
00048327 adware/startpage.na Adware No 0 Yes No HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main\Search Bar
00048327 adware/startpage.na Adware No 0 Yes No HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main\Search Page
00139061 Cookie/Doubleclick TrackingCookie No 0 Yes No C:\Documents and Settings\Alex\Application Data\Mozilla\Firefox\Profiles\na684jwb.default\cookies.txt[.doubleclick.net/]
00139064 Cookie/Atlas DMT TrackingCookie No 0 Yes No C:\Documents and Settings\Alex\Application Data\Mozilla\Firefox\Profiles\na684jwb.default\cookies.txt[.atdmt.com/]
00141390 adware/cws.008k Adware No 0 Yes No HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main\Search Bar
00141390 adware/cws.008k Adware No 0 Yes No HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main\Search Page
00141390 adware/cws.008k Adware No 0 Yes No HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main\Search Page
00145731 Cookie/Tribalfusion TrackingCookie No 0 Yes No C:\Documents and Settings\Alex\Application Data\Mozilla\Firefox\Profiles\na684jwb.default\cookies.txt[.tribalfusion.com/]
00167642 Cookie/Com.com TrackingCookie No 0 Yes No C:\Documents and Settings\Alex\Application Data\Mozilla\Firefox\Profiles\na684jwb.default\cookies.txt[.com.com/]
00168090 Cookie/Serving-sys TrackingCookie No 0 Yes No C:\Documents and Settings\Alex\Application Data\Mozilla\Firefox\Profiles\na684jwb.default\cookies.txt[.serving-sys.com/]
00168090 Cookie/Serving-sys TrackingCookie No 0 Yes No C:\Documents and Settings\Alex\Application Data\Mozilla\Firefox\Profiles\na684jwb.default\cookies.txt[.serving-sys.com/]
00168090 Cookie/Serving-sys TrackingCookie No 0 Yes No C:\Documents and Settings\Alex\Application Data\Mozilla\Firefox\Profiles\na684jwb.default\cookies.txt[.serving-sys.com/]
00168090 Cookie/Serving-sys TrackingCookie No 0 Yes No C:\Documents and Settings\Alex\Application Data\Mozilla\Firefox\Profiles\na684jwb.default\cookies.txt[.serving-sys.com/]
00168090 Cookie/Serving-sys TrackingCookie No 0 Yes No C:\Documents and Settings\Alex\Application Data\Mozilla\Firefox\Profiles\na684jwb.default\cookies.txt[.serving-sys.com/]
00168090 Cookie/Serving-sys TrackingCookie No 0 Yes No C:\Documents and Settings\Alex\Application Data\Mozilla\Firefox\Profiles\na684jwb.default\cookies.txt[.serving-sys.com/]
00168093 Cookie/Serving-sys TrackingCookie No 0 Yes No C:\Documents and Settings\Alex\Application Data\Mozilla\Firefox\Profiles\na684jwb.default\cookies.txt[.bs.serving-sys.com/]
00169190 Cookie/Advertising TrackingCookie No 0 Yes No C:\Documents and Settings\Alex\Application Data\Mozilla\Firefox\Profiles\na684jwb.default\cookies.txt[.advertising.com/]
00169190 Cookie/Advertising TrackingCookie No 0 Yes No C:\Documents and Settings\Alex\Application Data\Mozilla\Firefox\Profiles\na684jwb.default\cookies.txt[.advertising.com/]
00172221 Cookie/Zedo TrackingCookie No 0 Yes No C:\Documents and Settings\Alex\Application Data\Mozilla\Firefox\Profiles\na684jwb.default\cookies.txt[.zedo.com/]
00172221 Cookie/Zedo TrackingCookie No 0 Yes No C:\Documents and Settings\Alex\Application Data\Mozilla\Firefox\Profiles\na684jwb.default\cookies.txt[.zedo.com/]
00172221 Cookie/Zedo TrackingCookie No 0 Yes No C:\Documents and Settings\Alex\Application Data\Mozilla\Firefox\Profiles\na684jwb.default\cookies.txt[.zedo.com/]
00172221 Cookie/Zedo TrackingCookie No 0 Yes No C:\Documents and Settings\Alex\Application Data\Mozilla\Firefox\Profiles\na684jwb.default\cookies.txt[.zedo.com/]
00172221 Cookie/Zedo TrackingCookie No 0 Yes No C:\Documents and Settings\Alex\Application Data\Mozilla\Firefox\Profiles\na684jwb.default\cookies.txt[.zedo.com/]
00172221 Cookie/Zedo TrackingCookie No 0 Yes No C:\Documents and Settings\Alex\Application Data\Mozilla\Firefox\Profiles\na684jwb.default\cookies.txt[.zedo.com/]
00172221 Cookie/Zedo TrackingCookie No 0 Yes No C:\Documents and Settings\Alex\Application Data\Mozilla\Firefox\Profiles\na684jwb.default\cookies.txt[.zedo.com/]
00185663 HackTool/NetCat.A HackTools No 0 No No C:\Documents and Settings\Alex\Desktop\CryptLoad_1.1.5.rar[router\FRITZ!Box\nc.exe]
00185663 HackTool/NetCat.A HackTools No 0 Yes No C:\Documents and Settings\Alex\Desktop\CryptLoad_1.1.5\router\FRITZ!Box\nc.exe
00191644 Cookie/adultfriendfinder TrackingCookie No 0 Yes No C:\Documents and Settings\Alex\Application Data\Mozilla\Firefox\Profiles\na684jwb.default\cookies.txt[.adultfriendfinder.com/]
00191644 Cookie/adultfriendfinder TrackingCookie No 0 Yes No C:\Documents and Settings\Alex\Application Data\Mozilla\Firefox\Profiles\na684jwb.default\cookies.txt[.adultfriendfinder.com/]
00191644 Cookie/adultfriendfinder TrackingCookie No 0 Yes No C:\Documents and Settings\Alex\Application Data\Mozilla\Firefox\Profiles\na684jwb.default\cookies.txt[.adultfriendfinder.com/]
00191644 Cookie/adultfriendfinder TrackingCookie No 0 Yes No C:\Documents and Settings\Alex\Application Data\Mozilla\Firefox\Profiles\na684jwb.default\cookies.txt[.adultfriendfinder.com/]
00207338 Cookie/Target TrackingCookie No 0 Yes No C:\Documents and Settings\Alex\Application Data\Mozilla\Firefox\Profiles\na684jwb.default\cookies.txt[.target.com/]
03074964 Trj/CI.A Virus/Trojan No 0 Yes No C:\WINDOWS\system32\userinit.exe
03074964 Trj/CI.A Virus/Trojan No 0 Yes No C:\WINDOWS\system32\dllcache\userinit.exe
03738741 Generic Malware Virus/Trojan No 0 No No C:\Documents and Settings\Alex\Desktop\CryptLoad_1.1.5.rar[ocr\netload.in\asmCaptcha\test.exe]
03738741 Generic Malware Virus/Trojan No 0 Yes No C:\Documents and Settings\Alex\Desktop\CryptLoad_1.1.5\ocr\netload.in\asmCaptcha\test.exe
04472478 Adware/WebSearch Adware No 0 Yes No C:\System Volume Information\_restore{54C86084-7FFC-4B91-8490-871C8454285F}\RP848\A0196585.dll
04472478 Adware/WebSearch Adware No 0 Yes No C:\System Volume Information\_restore{54C86084-7FFC-4B91-8490-871C8454285F}\RP848\A0185323.dll
;===========================================================
SUSPECTS
Sent Location 9
;===========================================================
;===========================================================
VULNERABILITIES
Id Severity Description 9
;===========================================================
108742 MEDIUM MS06-006 9
;===========================================================
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 4:44:30 AM, on 12/27/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Safe mode with network support
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\PROGRA~1\Mozilla Firefox\firefox.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = www.msn.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.pcclub.com
R3 - URLSearchHook: AIM Toolbar Search Class - {03402f96-3dc7-4285-bc50-9e81fefafe43} - C:\Program Files\AIM Toolbar\aimtb.dll
R3 - URLSearchHook: (no name) - {54EB34EA-E6BE-4CFD-9F4F-C4A0C2EAFA22} - (no file)
O3 - Toolbar: AIM Toolbar - {61539ecd-cc67-4437-a03c-9aaccbd14326} - C:\Program Files\AIM Toolbar\aimtb.dll
O4 - HKLM\..\Run: [ehTray] C:\WINDOWS\ehome\ehtray.exe
O4 - HKLM\..\Run: [SigmatelSysTrayApp] sttray.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [PWRISOVM.EXE] C:\Program Files\PowerISO\PWRISOVM.EXE
O4 - HKLM\..\Run: [Windows Defender] "C:\Program Files\Windows Defender\MSASCui.exe" -hide
O4 - HKLM\..\Run: [spywareguard] C:\Program Files\Spyware Guard 2008\spywareguard.exe
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKLM\..\RunOnce: [Malwarebytes Anti-Malware (reboot)] "C:\Program Files\Malwarebytes' Anti-Malware\mbam.exe" /runcleanupscript
O4 - HKLM\..\RunOnce: [SpybotDeletingA2149] command /c del "C:\WINDOWS\system32\bb1.dat"
O4 - HKLM\..\RunOnce: [SpybotDeletingC2531] cmd /c del "C:\WINDOWS\system32\bb1.dat"
O4 - HKLM\..\RunOnce: [SpybotDeletingA2276] command /c del "C:\WINDOWS\system32\cookie1.dat"
O4 - HKLM\..\RunOnce: [SpybotDeletingC6526] cmd /c del "C:\WINDOWS\system32\cookie1.dat"
O4 - HKLM\..\RunOnce: [SpybotDeletingA2192] command /c del "C:\WINDOWS\system32\uniq.tll"
O4 - HKLM\..\RunOnce: [SpybotDeletingC9226] cmd /c del "C:\WINDOWS\system32\uniq.tll"
O4 - HKCU\..\Run: [Steam] "c:\program files\steam\steam.exe" -silent
O4 - HKCU\..\Run: [Aim6] "C:\Program Files\AIM6\aim6.exe" /d locale=en-US ee://aol/imApp
O4 - HKCU\..\Run: [DAEMON Tools Lite] "C:\Program Files\DAEMON Tools Lite\daemon.exe" -autorun
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
O4 - HKCU\..\RunOnce: [SpybotDeletingB826] command /c del "C:\WINDOWS\system32\bb1.dat"
O4 - HKCU\..\RunOnce: [SpybotDeletingD1014] cmd /c del "C:\WINDOWS\system32\bb1.dat"
O4 - HKCU\..\RunOnce: [SpybotDeletingB6524] command /c del "C:\WINDOWS\system32\cookie1.dat"
O4 - HKCU\..\RunOnce: [SpybotDeletingD9500] cmd /c del "C:\WINDOWS\system32\cookie1.dat"
O4 - HKCU\..\RunOnce: [SpybotDeletingB6780] command /c del "C:\WINDOWS\system32\uniq.tll"
O4 - HKCU\..\RunOnce: [SpybotDeletingD328] cmd /c del "C:\WINDOWS\system32\uniq.tll"
O4 - HKUS\S-1-5-18\..\Run: [DWQueuedReporting] "C:\PROGRA~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" -t (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [DWQueuedReporting] "C:\PROGRA~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" -t (User 'Default user')
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: Photags AutoDetect.lnk = C:\Program Files\PhoTags Express\Photags AutoDetect.exe
O8 - Extra context menu item: &AIM Toolbar Search - C:\Documents and Settings\All Users\Application Data\AIM Toolbar\ieToolbar\resources\en-US\local\search.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O9 - Extra button: AIM Toolbar - {0b83c99c-1efa-4259-858f-bcb33e007a5b} - C:\Program Files\AIM Toolbar\aimtb.dll
O9 - Extra button: Skype - {77BF5300-1474-4EC7-9980-D32B190E9B07} - C:\Program Files\Skype\Toolbars\Internet Explorer\SkypeIEPlugin.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O10 - Broken Internet access because of LSP provider 'c:\docume~1\alex\locals~1\temp\ntdll64.dll' missing
O14 - IERESET.INF: START_PAGE_URL=http://www.pcclub.com
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft....k/?linkid=39204
O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.symantec.com/sscv6/SharedC...bin/AvSniff.cab
O16 - DPF: {2d8ed06d-3c30-438b-96ae-4d110fdc1fb8} (ActiveScan 2.0 Installer Class) - http://acs.pandasoft...s/as2stubie.cab
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/SharedC...n/bin/cabsa.cab
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O20 - AppInit_DLLs: C:\WINDOWS\system32\mozuzolo.dll
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O23 - Service: Intel® Quick Resume technology (ELService) - Intel Corporation - C:\Program Files\Intel\IntelDH\Intel® Quick Resume Technology Drivers\Elservice.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: Panda anti-virus driver (PAVDRV) - Unknown owner - C:\WINDOWS\system32\Drivers\pavdrv51.sys (file missing)
O23 - Service: Panda anti-virus service (PAVSRV) - Panda Software - C:\Program Files\Sr\Compnts\Vr\pavsrv51.exe
O23 - Service: PnkBstrA - Unknown owner - C:\WINDOWS\system32\PnkBstrA.exe
O23 - Service: Cyberlink RichVideo Service(CRVS) (RichVideo) - Unknown owner - C:\Program Files\CyberLink\Shared files\RichVideo.exe
O23 - Service: PC Tools Auxiliary Service (sdauxservice) - PC Tools - C:\Program Files\Spyware Doctor\pctsAuxs.exe
O23 - Service: PC Tools Security Service (sdcoreservice) - PC Tools - C:\Program Files\Spyware Doctor\pctsSvc.exe
O23 - Service: Sony SCSI Helper Service - Sony Corporation - C:\Program Files\Common Files\Sony Shared\Fsk\SonySCSIHelperService.exe
O23 - Service: Viewpoint Manager Service - Viewpoint Corporation - C:\Program Files\Viewpoint\Common\ViewpointService.exe
--
End of file - 7217 bytes
Thanks in advance for any help anyone could give me.
#1
Posted 27 December 2008 - 01:46 PM
#2
Posted 29 December 2008 - 08:36 AM
Howdy there Slashatme
Download LSPFix from here
1. Disconnect from the Internet, go to the LSPfix file and extract/unzip LSP-Fix into its own folder [C:\lspfix].
2. Open the lspfix folder and double-click on LSPFix.exe to start the program.
3. Check the "I know what I am doing" checkbox.
4. Select (highlight) all instances of ntdll64.dll in the left column under "Keep".
5. Click the arrow >> so it goes over to the right column under "Remove".
6. Click "Finish" and LSPfix will remove references to the file and restore the chain numbers.
7. Restart your computer into normal operating mode.
Once done....
Please scan with ComboFix.exe. Please visit this webpage for download links, and instructions for running the tool:
http://www.bleepingc...to-use-combofix
* Ensure you have disabled all anti virus and anti malware programs so they do not interfere with the running of ComboFix.
Please include the C:\ComboFix.txt in your next reply for further review.
Patience is a Virtue
Member of ASAP & UNITE
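
The reply above targets the ntdll64.dll reference that HijackThis reports on its O10 line. As an added example (not part of the thread, and not code from HijackThis or LSPFix), this Python script pulls broken LSP providers and other dangling references out of a HijackThis log; the function names are hypothetical and the sample lines are copied from the log in the first post.

```python
import ntpath
import re
from collections import namedtuple

# A subset of lines copied from the HijackThis log in the first post,
# embedded here so the script runs offline.
SAMPLE_LOG = r"""Logfile of Trend Micro HijackThis v2.0.2
Boot mode: Safe mode with network support
Running processes:
C:\WINDOWS\system32\winlogon.exe
R3 - URLSearchHook: (no name) - {54EB34EA-E6BE-4CFD-9F4F-C4A0C2EAFA22} - (no file)
O4 - HKLM\..\Run: [spywareguard] C:\Program Files\Spyware Guard 2008\spywareguard.exe
O10 - Broken Internet access because of LSP provider 'c:\docume~1\alex\locals~1\temp\ntdll64.dll' missing
O20 - AppInit_DLLs: C:\WINDOWS\system32\mozuzolo.dll
O23 - Service: Panda anti-virus driver (PAVDRV) - Unknown owner - C:\WINDOWS\system32\Drivers\pavdrv51.sys (file missing)
"""

Entry = namedtuple("Entry", "code body")

# HijackThis entry lines look like "<section code> - <details>", e.g. "O10 - ...".
ENTRY_RE = re.compile(r"^([A-Z]\d{1,2}) - (.*)$")
# Wording HijackThis uses on O10 when a Winsock LSP file is gone but still in the chain.
BROKEN_LSP_RE = re.compile(r"LSP provider '([^']+)' missing", re.IGNORECASE)
# Markers HijackThis appends when the referenced file does not exist on disk.
DANGLING_RE = re.compile(r"\((?:no file|file missing)\)\s*$")


def parse_entries(log_text):
    """Return the section entries of a log, skipping the header and process list."""
    entries = []
    for line in log_text.splitlines():
        match = ENTRY_RE.match(line.strip())
        if match:
            entries.append(Entry(match.group(1), match.group(2)))
    return entries


def broken_lsp_providers(entries):
    """Return (full_path, file_name) for each O10 entry reporting a missing LSP."""
    found = []
    for entry in entries:
        if entry.code != "O10":
            continue
        match = BROKEN_LSP_RE.search(entry.body)
        if match:
            path = match.group(1)
            # ntpath parses Windows paths correctly on any host OS.
            found.append((path, ntpath.basename(path)))
    return found


def dangling_entries(entries):
    """Return entries whose target file HijackThis reported as absent."""
    return [entry for entry in entries if DANGLING_RE.search(entry.body)]


if __name__ == "__main__":
    parsed = parse_entries(SAMPLE_LOG)
    for path, name in broken_lsp_providers(parsed):
        print(f"Broken LSP chain entry: {name} ({path})")
    for entry in dangling_entries(parsed):
        print(f"Dangling reference in {entry.code}: {entry.body}")
```

The file name returned by `broken_lsp_providers` is the one to look for in the LSPFix "Keep" column in step 4.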