my2kids

Unable to remove virtumonde.prx


Hi. I am having trouble removing the virtumonde.prx virus/trojan from my computer. I have tried to remove it with SpyBot Search & Destroy as well as with Malwarebytes'. It keeps coming back. Here is a copy of the Malwarebytes' log as well as the Hijackthis log:

Malwarebytes' log:

Malwarebytes' Anti-Malware 1.34

Database version: 1849

Windows 5.1.2600 Service Pack 3

3/14/2009 10:17:52 PM

mbam-log-2009-03-14 (22-17-52).txt

Scan type: Quick Scan

Objects scanned: 99753

Time elapsed: 12 minute(s), 3 second(s)

Memory Processes Infected: 0

Memory Modules Infected: 0

Registry Keys Infected: 0

Registry Values Infected: 3

Registry Data Items Infected: 0

Folders Infected: 0

Files Infected: 0

Memory Processes Infected:

(No malicious items detected)

Memory Modules Infected:

(No malicious items detected)

Registry Keys Infected:

(No malicious items detected)

Registry Values Infected:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\bilibokasi (Trojan.Vundo.H) -> Quarantined and deleted successfully.

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\cpm07c5a006 (Trojan.Vundo.H) -> Quarantined and deleted successfully.

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\ssodl (Trojan.BHO) -> Quarantined and deleted successfully.

Registry Data Items Infected:

(No malicious items detected)

Folders Infected:

(No malicious items detected)

Files Infected:

(No malicious items detected)

Hijackthis log:

Logfile of Trend Micro HijackThis v2.0.2

Scan saved at 10:21:49 PM, on 3/14/2009

Platform: Windows XP SP3 (WinNT 5.01.2600)

MSIE: Internet Explorer v7.00 (7.00.6000.16791)

Boot mode: Normal

Running processes:

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\system32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\system32\Ati2evxx.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe

C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe

C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe

C:\WINDOWS\system32\LEXBCES.EXE

C:\WINDOWS\system32\spoolsv.exe

C:\WINDOWS\system32\LEXPPS.EXE

C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe

C:\Program Files\Bonjour\mDNSResponder.exe

C:\Program Files\CinemaNow\CinemaNow Media Manager\CinemanowSvc.exe

C:\Program Files\Symantec AntiVirus\DefWatch.exe

C:\WINDOWS\eHome\ehRecvr.exe

C:\WINDOWS\eHome\ehSched.exe

C:\Program Files\Intel\Intel Matrix Storage Manager\iaantmon.exe

C:\Program Files\Java\jre6\bin\jqs.exe

C:\Program Files\CinemaNow\CinemaNow Media Manager\CinemaNowShell.exe

C:\WINDOWS\Explorer.EXE

C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE

C:\Program Files\Microsoft LifeCam\MSCamS32.exe

C:\Program Files\Dell Support Center\bin\sprtsvc.exe

C:\WINDOWS\system32\svchost.exe

C:\Program Files\Symantec AntiVirus\Rtvscan.exe

C:\Program Files\Canon\CAL\CALMAIN.exe

C:\WINDOWS\system32\dllhost.exe

C:\Program Files\CinemaNow\CinemaNow Media Manager\CNRpc.exe

C:\WINDOWS\ehome\ehtray.exe

C:\Program Files\Java\jre6\bin\jusched.exe

C:\WINDOWS\stsystra.exe

C:\Program Files\Intel\Intel Matrix Storage Manager\iaanotif.exe

C:\WINDOWS\eHome\ehmsas.exe

C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe

C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe

C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe

C:\Program Files\Lexmark X74-X75\lxbbbmgr.exe

C:\Program Files\Adobe\Acrobat 7.0\Distillr\Acrotray.exe

C:\Program Files\Lexmark X74-X75\lxbbbmon.exe

C:\Program Files\Common Files\Symantec Shared\ccApp.exe

C:\PROGRA~1\SYMANT~1\VPTray.exe

C:\PROGRA~1\Yahoo!\YOP\yop.exe

C:\Program Files\dvd43\dvd43_tray.exe

C:\PROGRA~1\Yahoo!\browser\ybrwicon.exe

C:\WINDOWS\system32\dla\tfswctrl.exe

C:\Program Files\HP\HP Software Update\HPWuSchd2.exe

C:\Program Files\Common Files\Real\Update_OB\realsched.exe

C:\PROGRA~1\Yahoo!\browser\ycommon.exe

C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe

C:\Program Files\iTunes\iTunesHelper.exe

C:\Program Files\Dell Support Center\bin\sprtcmd.exe

C:\WINDOWS\vVX6000.exe

C:\WINDOWS\system32\ctfmon.exe

C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe

C:\Program Files\DellSupport\DSAgnt.exe

C:\Program Files\The Weather Channel FW\Desktop\DesktopWeather.exe

C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe

C:\Program Files\iPod\bin\iPodService.exe

C:\Program Files\Digital Line Detect\DLG.exe

C:\Program Files\FinePixViewer\QuickDCF2.exe

C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe

C:\Program Files\Sony Corporation\Image Transfer\SonyTray.exe

C:\Documents and Settings\All Users\Application Data\U3\U3Launcher\LaunchU3.exe

C:\Program Files\HP\Digital Imaging\bin\hpqimzone.exe

C:\Program Files\HP\Digital Imaging\bin\hpqSTE08.exe

C:\Program Files\Malwarebytes' Anti-Malware\mbam.exe

C:\Program Files\Yahoo!\browser\ybrowser.exe

C:\PROGRA~1\Yahoo!\MESSEN~1\YAHOOM~1.EXE

C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

C:\WINDOWS\system32\NOTEPAD.EXE

C:\Program Files\Qualcomm\Eudora\Eudora.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://*.cinemanow.com

O16 - DPF: {0CCA191D-13A6-4E29-B746-314DEE697D83} (Facebook Photo Uploader 5 Control) - http://upload.facebook.com/controls/2008.1...toUploader5.cab

O16 - DPF: {193C772A-87BE-4B19-A7BB-445B226FE9A1} (ewidoOnlineScan Control) - http://download.ewido.net/ewidoOnlineScan.cab

O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (Installation Support) - C:\Program Files\Yahoo!\Common\Yinsthelper.dll

O16 - DPF: {406B5949-7190-4245-91A9-30A17DE16AD0} (Snapfish Activia) - http://www1.snapfish.com/SnapfishActivia.cab

O16 - DPF: {4871A87A-BFDD-4106-8153-FFDE2BAC2967} (DLM Control) - http://dlm.tools.akamai.com/dlmanager/vers...vex-2.2.4.1.cab

O16 - DPF: {5ED80217-570B-4DA9-BF44-BE107C0EC166} (Windows Live Safety Center Base Module) - http://cdn.scan.onecare.live.com/resource/...lscbase6662.cab

O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.microsoft.com/microsoftu...b?1179878299531

O16 - DPF: {75A6AEA3-F26E-4608-AE9B-8DA78C87576E} (Wizard101GameLauncher) - https://secure.footprint.net/kingsisle/stat...ameLauncher.CAB

O16 - DPF: {9600F64D-755F-11D4-A47F-0001023E6D5A} (Shutterfly Picture Upload Plugin) - http://web1.shutterfly.com/downloads/Uploader.cab

O16 - DPF: {A8683C98-5341-421B-B23C-8514C05354F1} (FujifilmUploader Class) - http://photo.walmart.com/photo/uploads/Fuj...ploadClient.cab

O20 - AppInit_DLLs: C:\PROGRA~1\Google\GOOGLE~1\GOEC62~1.DLL C:\WINDOWS\system32\mupafeve.dll c:\windows\system32\fukiroki.dll

O21 - SSODL: SSODL - {EC43E3FD-5C60-46a6-97D7-E0B85DBDD6C4} - (no file)

O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe

O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe

O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe

O23 - Service: Canon Camera Access Library 8 (CCALib8) - Canon Inc. - C:\Program Files\Canon\CAL\CALMAIN.exe

O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe

O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe

O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe

O23 - Service: CinemaNow Service - CinemaNow, Inc. - C:\Program Files\CinemaNow\CinemaNow Media Manager\CinemanowSvc.exe

O23 - Service: Symantec AntiVirus Definition Watcher (DefWatch) - Symantec Corporation - C:\Program Files\Symantec AntiVirus\DefWatch.exe

O23 - Service: DSBrokerService - Unknown owner - C:\Program Files\DellSupport\brkrsvc.exe

O23 - Service: GameConsoleService - WildTangent, Inc. - C:\Program Files\WildTangent\Apps\Dell Game Console\GameConsoleService.exe

O23 - Service: Google Desktop Manager 5.7.806.10245 (GoogleDesktopManager-061008-081103) - Google - C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe

O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe

O23 - Service: Intel® Matrix Storage Event Monitor (IAANTMon) - Intel Corporation - C:\Program Files\Intel\Intel Matrix Storage Manager\iaantmon.exe

O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe

O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe

O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe

O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE

O23 - Service: Intel NCS NetService (NetSvc) - Intel® Corporation - C:\Program Files\Intel\PROSetWired\NCS\Sync\NetSvc.exe

O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe

O23 - Service: SAVRoam (SavRoam) - symantec - C:\Program Files\Symantec AntiVirus\SavRoam.exe

O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe

O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe

O23 - Service: SupportSoft Sprocket Service (dellsupportcenter) (sprtsvc_dellsupportcenter) - SupportSoft, Inc. - C:\Program Files\Dell Support Center\bin\sprtsvc.exe

O23 - Service: Symantec AntiVirus - Symantec Corporation - C:\Program Files\Symantec AntiVirus\Rtvscan.exe

O23 - Service: YPCService - Yahoo! Inc. - C:\WINDOWS\system32\YPCSER~1.EXE

O24 - Desktop Component 0: Desktop Uninstall - C:\WINDOWS\warnhp.html

--

End of file - 19525 bytes

I appreciate any help you can give me!


Hi. :P

Download ComboFix from one of the locations below, and save it to your Desktop.

Double click combofix.exe and follow the prompts. Please, never rename Combofix unless instructed.

When finished, it shall produce a log for you. Post that log and a HijackThis log in your next reply.

Note: Do not mouse-click ComboFix's window while it's running. That may cause it to stall.


Hi Tigger93. Thank you for helping me with this! Here are my ComboFix and Hijackthis logs:

ComboFix log:

ComboFix 09-03-14.01 - Stacey Kuhar 2009-03-15 10:06:22.1 - NTFSx86

Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.1022.509 [GMT -4:00]

Running from: c:\documents and settings\Stacey Kuhar\Desktop\ComboFix.exe

AV: Symantec AntiVirus Corporate Edition *On-access scanning disabled* (Updated)

* Created a new restore point

.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))

.

c:\windows\jestertb.dll

c:\windows\Pt.dll

c:\windows\system32\bszip.dll

.

((((((((((((((((((((((((( Files Created from 2009-02-15 to 2009-03-15 )))))))))))))))))))))))))))))))

.

2009-08-05 16:58 . 2009-08-05 16:58 <DIR> d-------- c:\documents and settings\All Users\Application Data\SupportSoft

2009-08-05 16:57 . 2009-08-05 16:57 <DIR> d-------- c:\program files\Dell Support Center

2009-08-02 22:57 . 2009-08-02 22:57 <DIR> d-------- c:\program files\Apple Software Update

2009-08-02 22:54 . 2009-08-02 22:55 <DIR> d-------- c:\program files\iTunes

2009-08-02 22:52 . 2009-08-02 22:52 <DIR> d-------- c:\program files\Bonjour

2009-08-02 22:51 . 2009-08-02 22:52 <DIR> d-------- c:\program files\QuickTime

2009-03-14 21:34 . 2009-03-14 21:34 <DIR> d-------- c:\program files\Trend Micro

2009-03-14 20:25 . 2009-03-14 20:25 <DIR> d-------- c:\program files\Malwarebytes' Anti-Malware

2009-03-14 20:25 . 2009-02-11 10:19 38,496 --a------ c:\windows\system32\drivers\mbamswissarmy.sys

2009-03-14 20:25 . 2009-02-11 10:19 15,504 --a------ c:\windows\system32\drivers\mbam.sys

2009-03-14 18:40 . 2009-03-14 18:39 410,984 --a------ c:\windows\system32\deploytk.dll

2009-03-14 18:40 . 2009-03-14 18:39 73,728 --a------ c:\windows\system32\javacpl.cpl

2009-03-10 19:15 . 2009-03-10 19:15 <DIR> d-------- c:\documents and settings\All Users\Application Data\U3

2009-03-10 15:27 . 2009-03-13 09:12 <DIR> d-------- c:\windows\system32\NtmsData

2009-03-10 15:19 . 2009-03-14 15:30 <DIR> d-------- c:\documents and settings\Stacey Kuhar\Application Data\U3

2009-03-10 07:05 . 2009-03-10 07:05 0 --a------ c:\windows\PTWebCam.INI

2009-03-09 16:32 . 2009-03-09 16:32 <DIR> d-------- c:\documents and settings\Stacey Kuhar\Application Data\Malwarebytes

2009-03-09 16:32 . 2009-03-09 16:32 <DIR> d-------- c:\documents and settings\All Users\Application Data\Malwarebytes

2009-03-09 10:42 . 2009-03-09 10:42 <DIR> d-------- C:\VundoFix Backups

2009-03-07 11:24 . 2009-03-07 11:24 179 --a------ C:\handle.dat

2009-03-04 20:04 . 2009-03-04 20:05 <DIR> d-------- c:\documents and settings\All Users\Application Data\CinemaNow

2009-03-04 20:04 . 2005-09-28 15:46 1,184,984 --a------ c:\windows\system32\wvc1dmod.dll

2009-03-04 20:02 . 2009-03-04 20:02 <DIR> d-------- c:\program files\CinemaNow

2009-02-16 12:01 . 2009-02-16 12:09 6,488 --a------ c:\documents and settings\All Users\Application Data\ypinfo.bin

.

(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

.

2009-08-05 20:57 --------- d-----w c:\program files\Common Files\supportsoft

2009-08-03 02:54 --------- d-----w c:\program files\iPod

2009-03-15 14:12 --------- d-----w c:\program files\Symantec AntiVirus

2009-03-14 22:39 --------- d-----w c:\program files\Java

2009-03-14 21:39 --------- d-----w c:\program files\Spybot - Search & Destroy

2009-03-14 21:33 --------- d-----w c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy

2009-03-14 17:35 --------- d-----w c:\documents and settings\All Users\Application Data\McAfee

2009-03-10 12:31 --------- d-----w c:\program files\Google

2009-03-08 12:25 --------- d-----w c:\documents and settings\All Users\Application Data\Skype

2009-03-08 12:16 --------- d-----w c:\documents and settings\Stacey Kuhar\Application Data\skypePM

2009-03-02 14:27 --------- d-----w c:\program files\Microsoft Silverlight

2009-02-17 12:33 --------- d-----w c:\documents and settings\All Users\Application Data\DVD Shrink

2009-02-16 20:06 --------- d-----w c:\program files\ewido anti-malware

2009-02-16 16:16 --------- d-----w c:\documents and settings\Stacey Kuhar\Application Data\Yahoo!

2009-02-13 22:20 --------- d-----w c:\program files\Windows Live

2009-02-13 22:19 --------- d-----w c:\program files\Microsoft

2009-02-13 22:18 --------- d-----w c:\program files\Windows Live SkyDrive

2009-02-13 22:06 --------- d-----w c:\program files\Common Files\Windows Live

2009-02-13 22:03 --------- d-----w c:\program files\Microsoft LifeCam

2009-02-13 21:29 --------- d-----w c:\program files\MSBuild

2009-02-13 21:24 --------- d-----w c:\program files\Reference Assemblies

2009-01-16 19:03 --------- d-----w c:\documents and settings\Stacey Kuhar\Application Data\Move Networks

2007-08-09 22:18 251 ----a-w c:\program files\wt3d.ini

2006-02-09 19:51 389,120 ------w c:\documents and settings\Stacey Kuhar\remote.exe

2006-08-07 00:48 56 --sh--r c:\windows\system32\F15AD17906.sys

2006-08-07 00:48 3,350 --sha-w c:\windows\system32\KGyGaAvL.sys

2008-09-20 12:48 32,768 --sha-w c:\windows\system32\config\systemprofile\Local Settings\History\History.IE5\MSHist012008092020080921\index.dat

.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))

.

.

*Note* empty entries & legit default entries are not shown

REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-13 15360]

"Yahoo! Pager"="c:\progra~1\Yahoo!\MESSEN~1\YAHOOM~1.EXE" [2006-10-30 4662776]

"swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2007-06-18 68856]

"DellSupport"="c:\program files\DellSupport\DSAgnt.exe" [2007-03-15 460784]

"DW6"="c:\program files\The Weather Channel FW\Desktop\DesktopWeather.exe" [2008-06-10 785520]

"DellSupportCenter"="c:\program files\Dell Support Center\bin\sprtcmd.exe" [2008-08-13 206064]

"SpybotSD TeaTimer"="c:\program files\Spybot - Search & Destroy\TeaTimer.exe" [2009-03-05 2260480]

"msnmsgr"="c:\program files\Windows Live\Messenger\msnmsgr.exe" [2009-02-06 3885408]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"ehTray"="c:\windows\ehome\ehtray.exe" [2005-09-29 67584]

"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2009-03-14 136600]

"IAAnotif"="c:\program files\Intel\Intel Matrix Storage Manager\iaanotif.exe" [2005-06-17 139264]

"ATIPTA"="c:\program files\ATI Technologies\ATI Control Panel\atiptaxx.exe" [2005-08-05 344064]

"DVDLauncher"="c:\program files\CyberLink\PowerDVD\DVDLauncher.exe" [2005-02-23 53248]

"ISUSPM Startup"="c:\program files\Common Files\InstallShield\UpdateService\isuspm.exe" [2005-06-10 249856]

"ISUSScheduler"="c:\program files\Common Files\InstallShield\UpdateService\issch.exe" [2005-06-10 81920]

"Google Desktop Search"="c:\program files\Google\Google Desktop Search\GoogleDesktop.exe" [2008-09-04 29744]

"Lexmark X74-X75"="c:\program files\Lexmark X74-X75\lxbbbmgr.exe" [2002-06-24 57344]

"Acrobat Assistant 7.0"="c:\program files\Adobe\Acrobat 7.0\Distillr\Acrotray.exe" [2008-04-23 483328]

"MSKDetectorExe"="c:\program files\McAfee\SpamKiller\MSKDetct.exe" [2005-07-12 1117184]

"ccApp"="c:\program files\Common Files\Symantec Shared\ccApp.exe" [2005-12-21 48800]

"vptray"="c:\progra~1\SYMANT~1\VPTray.exe" [2005-12-21 85744]

"YOP"="c:\progra~1\Yahoo!\YOP\yop.exe" [2005-06-17 401408]

"dvd43"="c:\program files\dvd43\dvd43_tray.exe" [2005-12-05 691200]

"NeroFilterCheck"="c:\windows\system32\NeroCheck.exe" [2001-07-09 155648]

"YBrowser"="c:\progra~1\Yahoo!\browser\ybrwicon.exe" [2006-07-21 129536]

"dla"="c:\windows\system32\dla\tfswctrl.exe" [2005-05-31 122941]

"HPHUPD08"="c:\program files\HP\Digital Imaging\{33D6CC28-9F75-4d1b-A11D-98895B3A3729}\hphupd08.exe" [2005-06-01 49152]

"HP Software Update"="c:\program files\HP\HP Software Update\HPWuSchd2.exe" [2005-05-11 49152]

"TkBellExe"="c:\program files\Common Files\Real\Update_OB\realsched.exe" [2006-08-25 180269]

"AppleSyncNotifier"="c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleSyncNotifier.exe" [2008-07-22 116040]

"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2008-05-27 413696]

"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2008-07-30 289064]

"dscactivate"="c:\program files\Dell Support Center\gs_agent\custom\dsca.exe" [2007-11-15 16384]

"DellSupportCenter"="c:\program files\Dell Support Center\bin\sprtcmd.exe" [2008-08-13 206064]

"REGSHAVE"="c:\program files\REGSHAVE\REGSHAVE.EXE" [2002-02-04 53248]

"LifeCam"="c:\program files\Microsoft LifeCam\LifeExp.exe" [2008-08-04 160800]

"VX6000"="c:\windows\vVX6000.exe" [2008-08-04 713744]

"SigmatelSysTrayApp"="stsystra.exe" [2005-03-23 c:\windows\stsystra.exe]

c:\documents and settings\Stacey Kuhar\Start Menu\Programs\Startup\

LaunchU3.exe.lnk - c:\documents and settings\Stacey Kuhar\Application Data\Microsoft\Installer\{D8E363A7-88B7-446D-B2C0-E26CE4DC8E54}\_294823.exe [2009-03-10 22486]

c:\documents and settings\All Users\Start Menu\Programs\Startup\

Adobe Acrobat Speed Launcher.lnk - c:\windows\Installer\{AC76BA86-1033-0000-7760-100000000002}\SC_Acrobat.exe [2006-01-15 25214]

Adobe Gamma Loader.exe.lnk - c:\program files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe [2006-01-15 113664]

Digital Line Detect.lnk - c:\program files\Digital Line Detect\DLG.exe [2006-01-07 24576]

ExifLauncher2.lnk - c:\program files\FinePixViewer\QuickDCF2.exe [2008-09-20 303104]

HP Digital Imaging Monitor.lnk - c:\program files\HP\Digital Imaging\bin\hpqtra08.exe [2005-05-11 282624]

HP Image Zone Fast Start.lnk - c:\program files\HP\Digital Imaging\bin\hpqthb08.exe [2005-05-12 73728]

Image Transfer.lnk - c:\program files\Sony Corporation\Image Transfer\SonyTray.exe [2006-01-17 73728]

QuickBooks Update Agent.lnk - c:\program files\Common Files\Intuit\QuickBooks\QBUpdate\qbupdate.exe [2004-11-11 806912]

[HKEY_CURRENT_USER\software\microsoft\internet explorer\desktop\components\0]

Source= c:\windows\warnhp.html

FriendlyName= Desktop Uninstall

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]

"VIDC.JDCT"= jl_jdct.drv

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]

"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]

"%windir%\\system32\\sessmgr.exe"=

"c:\\Program Files\\Yahoo!\\Messenger\\YServer.exe"=

"c:\\PROGRA~1\\Yahoo!\\MESSEN~1\\Yserver.exe"= c:\\Program Files\\Yahoo!\\Messenger\\YServer.exe

"c:\\Program Files\\Messenger\\msmsgs.exe"=

"c:\\Program Files\\Yahoo!\\Yahoo! Music Engine\\YahooMusicEngine.exe"=

"c:\\Program Files\\HP\\HP Software Update\\HPWUCli.exe"=

"%windir%\\Network Diagnostic\\xpnetdiag.exe"=

"c:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe"=

"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=

"c:\\Program Files\\iTunes\\iTunes.exe"=

"c:\\Program Files\\Microsoft Games\\Age of Mythology\\aom.exe"=

"c:\\WINDOWS\\ehome\\ehrecvr.exe"=

"c:\\Program Files\\Common Files\\Symantec Shared\\ccSetMgr.exe"=

"c:\\Program Files\\Microsoft LifeCam\\LifeCam.exe"=

"c:\\Program Files\\Microsoft LifeCam\\LifeEnC2.exe"=

"c:\\Program Files\\Microsoft LifeCam\\LifeExp.exe"=

"c:\\Program Files\\Microsoft LifeCam\\LifeTray.exe"=

"c:\\Program Files\\Windows Live\\Messenger\\wlcsdk.exe"=

"c:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=

"c:\\Program Files\\CinemaNow\\CinemaNow Media Manager\\CinemaNowShell.exe"=

R1 ATMhelpr;ATMhelpr;c:\windows\system32\drivers\ATMHELPR.SYS [2006-01-16 4064]

R2 CinemaNow Service;CinemaNow Service;c:\program files\CinemaNow\CinemaNow Media Manager\CinemaNowSvc.exe [2009-01-30 125304]

R3 EraserUtilRebootDrv;EraserUtilRebootDrv;c:\program files\Common Files\Symantec Shared\EENGINE\EraserUtilRebootDrv.sys [2009-02-27 101936]

R3 VX6000;Microsoft LifeCam VX-6000;c:\windows\system32\drivers\VX6000Xp.sys [2009-02-13 2077840]

S3 GoogleDesktopManager-061008-081103;Google Desktop Manager 5.7.806.10245;c:\program files\Google\Google Desktop Search\GoogleDesktop.exe [2006-01-07 29744]

S3 SavRoam;SAVRoam;c:\program files\Symantec AntiVirus\SavRoam.exe [2005-12-21 169200]

.

Contents of the 'Scheduled Tasks' folder

2009-08-03 c:\windows\Tasks\AppleSoftwareUpdate.job

- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 12:34]

2009-02-13 c:\windows\Tasks\Microsoft_Hardware_Launch_vVX6000_exe.job

- c:\windows\vVX6000.exe [2008-08-04 17:22]

.

- - - - ORPHANS REMOVED - - - -

BHO-{897fd734-80cd-4836-b48d-f33c6f17ce93} - (no file)

WebBrowser-{604BC32A-9680-40D1-9AC6-E06B23A1BA4C} - (no file)

HKLM-Run-CinemaNowMediaManagerApp - c:\program files\CinemaNow\CinemaNowShell.exe

HKLM-Run-bilibokasi - c:\windows\system32\fimijeza.dll

HKLM-Run-CPM07c5a006 - c:\windows\system32\suluyeba.dll

SSODL-SSODL-{EC43E3FD-5C60-46a6-97D7-E0B85DBDD6C4} - (no file)

.

------- Supplementary Scan -------

.

uLocal Page = \blank.htm

uStart Page = hxxp://verizon.yahoo.com

uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8

mStart Page = hxxp://verizon.yahoo.com

mSearch Bar = hxxp://red.clientapps.yahoo.com/customize/ie/defaults/sb/verizon/*http://www.yahoo.com/search/ie.html

uInternet Connection Wizard,ShellNext = iexplore

uInternet Settings,ProxyOverride = *.local

uSearchURL,(Default) = hxxp://red.clientapps.yahoo.com/customize/ie/defaults/su/verizon/*http://www.yahoo.com

IE: Convert link target to Adobe PDF - c:\program files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html

IE: Convert link target to existing PDF - c:\program files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html

IE: Convert selected links to Adobe PDF - c:\program files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html

IE: Convert selected links to existing PDF - c:\program files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html

IE: Convert selection to Adobe PDF - c:\program files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html

IE: Convert selection to existing PDF - c:\program files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html

IE: Convert to Adobe PDF - c:\program files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html

IE: Convert to existing PDF - c:\program files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html

IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~4\OFFICE11\EXCEL.EXE/3000

Trusted Zone: cinemanow.com

DPF: {193C772A-87BE-4B19-A7BB-445B226FE9A1} - hxxp://download.ewido.net/ewidoOnlineScan.cab

DPF: {75A6AEA3-F26E-4608-AE9B-8DA78C87576E} - hxxps://secure.footprint.net/kingsisle/static/themes/wizard101A/activex/Wizard101GameLauncher.CAB

.

**************************************************************************

catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer

Hijackthis log:

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://*.cinemanow.com

O16 - DPF: {0CCA191D-13A6-4E29-B746-314DEE697D83} (Facebook Photo Uploader 5 Control) - http://upload.facebook.com/controls/2008.1...toUploader5.cab

O16 - DPF: {193C772A-87BE-4B19-A7BB-445B226FE9A1} (ewidoOnlineScan Control) - http://download.ewido.net/ewidoOnlineScan.cab

O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (Installation Support) - C:\Program Files\Yahoo!\Common\Yinsthelper.dll

O16 - DPF: {406B5949-7190-4245-91A9-30A17DE16AD0} (Snapfish Activia) - http://www1.snapfish.com/SnapfishActivia.cab

O16 - DPF: {4871A87A-BFDD-4106-8153-FFDE2BAC2967} (DLM Control) - http://dlm.tools.akamai.com/dlmanager/vers...vex-2.2.4.1.cab

O16 - DPF: {5ED80217-570B-4DA9-BF44-BE107C0EC166} (Windows Live Safety Center Base Module) - http://cdn.scan.onecare.live.com/resource/...lscbase6662.cab

O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.microsoft.com/microsoftu...b?1179878299531

O16 - DPF: {75A6AEA3-F26E-4608-AE9B-8DA78C87576E} (Wizard101GameLauncher) - https://secure.footprint.net/kingsisle/stat...ameLauncher.CAB

O16 - DPF: {9600F64D-755F-11D4-A47F-0001023E6D5A} (Shutterfly Picture Upload Plugin) - http://web1.shutterfly.com/downloads/Uploader.cab

O16 - DPF: {A8683C98-5341-421B-B23C-8514C05354F1} (FujifilmUploader Class) - http://photo.walmart.com/photo/uploads/Fuj...ploadClient.cab

O21 - SSODL: SSODL - {EC43E3FD-5C60-46a6-97D7-E0B85DBDD6C4} - (no file)

O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe

O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe

O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe

O23 - Service: Canon Camera Access Library 8 (CCALib8) - Canon Inc. - C:\Program Files\Canon\CAL\CALMAIN.exe

O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe

O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe

O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe

O23 - Service: CinemaNow Service - CinemaNow, Inc. - C:\Program Files\CinemaNow\CinemaNow Media Manager\CinemanowSvc.exe

O23 - Service: Symantec AntiVirus Definition Watcher (DefWatch) - Symantec Corporation - C:\Program Files\Symantec AntiVirus\DefWatch.exe

O23 - Service: DSBrokerService - Unknown owner - C:\Program Files\DellSupport\brkrsvc.exe

O23 - Service: GameConsoleService - WildTangent, Inc. - C:\Program Files\WildTangent\Apps\Dell Game Console\GameConsoleService.exe

O23 - Service: Google Desktop Manager 5.7.806.10245 (GoogleDesktopManager-061008-081103) - Google - C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe

O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe

O23 - Service: Intel® Matrix Storage Event Monitor (IAANTMon) - Intel Corporation - C:\Program Files\Intel\Intel Matrix Storage Manager\iaantmon.exe

O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe

O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe

O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe

O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE

O23 - Service: Intel NCS NetService (NetSvc) - Intel® Corporation - C:\Program Files\Intel\PROSetWired\NCS\Sync\NetSvc.exe

O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe

O23 - Service: SAVRoam (SavRoam) - symantec - C:\Program Files\Symantec AntiVirus\SavRoam.exe

O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe

O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe

O23 - Service: SupportSoft Sprocket Service (dellsupportcenter) (sprtsvc_dellsupportcenter) - SupportSoft, Inc. - C:\Program Files\Dell Support Center\bin\sprtsvc.exe

O23 - Service: Symantec AntiVirus - Symantec Corporation - C:\Program Files\Symantec AntiVirus\Rtvscan.exe

O23 - Service: YPCService - Yahoo! Inc. - C:\WINDOWS\system32\YPCSER~1.EXE

O24 - Desktop Component 0: Desktop Uninstall - C:\WINDOWS\warnhp.html

--

End of file - 18817 bytes
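The two logs above already show where this infection is anchored: HKLM Run values with generated-looking names (bilibokasi, cpm07c5a006) that ComboFix lists as orphans pointing at fimijeza.dll and suluyeba.dll, an AppInit_DLLs list carrying mupafeve.dll and fukiroki.dll alongside a legitimate Google DLL, an SSODL value whose file is already gone, and an Active Desktop component pointing at warnhp.html. The script below is an added example for this thread (not code from the poster, from HijackThis or from ComboFix) that triages such lines offline so the handful of suspicious entries stand out from the hundreds of benign ones. The sample lines are a constructed excerpt copied from the logs posted here; the "generated name" test (6 to 12 lowercase letters strictly alternating consonant and vowel) is an assumption drawn from the names in these logs, not a published Vundo signature, and the AppInit_DLLs parser assumes whitespace-separated 8.3 paths without spaces, as in this log.

```python
"""Offline triage of HijackThis / ComboFix autostart lines for Vundo-style persistence.

Added example for this thread; not code from the poster, from HijackThis or
from ComboFix.  SAMPLE_LOG is a constructed excerpt of the lines posted above.
"""
import re

VOWELS = set("aeiou")

# Constructed excerpt of the logs in this thread (a real log has hundreds of
# lines, nearly all benign, which is why a filter like this is useful).
SAMPLE_LOG = r"""
O20 - AppInit_DLLs: C:\PROGRA~1\Google\GOOGLE~1\GOEC62~1.DLL C:\WINDOWS\system32\mupafeve.dll c:\windows\system32\fukiroki.dll
O21 - SSODL: SSODL - {EC43E3FD-5C60-46a6-97D7-E0B85DBDD6C4} - (no file)
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O24 - Desktop Component 0: Desktop Uninstall - C:\WINDOWS\warnhp.html
HKLM-Run-bilibokasi - c:\windows\system32\fimijeza.dll
HKLM-Run-CPM07c5a006 - c:\windows\system32\suluyeba.dll
"""


def looks_generated(stem: str) -> bool:
    """Assumed heuristic (from the names in this thread, not a published
    signature): 6-12 lowercase letters strictly alternating consonant/vowel,
    e.g. mupafeve, fukiroki, fimijeza, suluyeba, bilibokasi."""
    if not re.fullmatch(r"[a-z]{6,12}", stem):
        return False
    kinds = [ch in VOWELS for ch in stem]
    return all(a != b for a, b in zip(kinds, kinds[1:]))


def file_stem(path: str) -> str:
    """'C:\\WINDOWS\\system32\\mupafeve.dll' -> 'mupafeve'."""
    name = path.strip().replace("/", "\\").rsplit("\\", 1)[-1]
    return name.rsplit(".", 1)[0].lower()


def triage_line(line: str) -> list:
    """Return (severity, location, target, reason) tuples for one log line."""
    line = line.strip()
    out = []
    if line.startswith("O20 - AppInit_DLLs:"):
        # Every DLL listed here is mapped into every process that loads
        # user32.dll.  Assumption: whitespace-separated 8.3 paths, as in this log.
        for path in line.split(":", 1)[1].split():
            if looks_generated(file_stem(path)):
                out.append(("high", "AppInit_DLLs", path,
                            "generated-looking DLL injected into every process"))
            else:
                out.append(("info", "AppInit_DLLs", path,
                            "AppInit_DLLs entry; confirm the vendor"))
    elif line.startswith("O21 - SSODL:"):
        target = line.rsplit(" - ", 1)[-1]
        if target == "(no file)":
            out.append(("info", "SSODL", target,
                        "orphaned ShellServiceObjectDelayLoad value; delete the registry value"))
        elif looks_generated(file_stem(target)):
            out.append(("high", "SSODL", target,
                        "generated-looking DLL loaded by Explorer at logon"))
    elif line.startswith("O24 - Desktop Component"):
        target = line.rsplit(" - ", 1)[-1]
        if re.search(r"\.html?$", target, re.IGNORECASE):
            out.append(("medium", "Active Desktop", target,
                        "desktop component points at a local HTML file"))
    else:
        # ComboFix 'ORPHANS REMOVED' style: HKLM-Run-<value name> - <target>
        m = re.match(r"HKLM-Run-(\S+) - (.+)$", line)
        if m:
            name, target = m.group(1), m.group(2).strip()
            if target.lower().endswith(".dll"):
                why = "Run value launches a DLL rather than a program"
                if looks_generated(name.lower()) or looks_generated(file_stem(target)):
                    why += " (generated-looking name)"
                out.append(("high", "HKLM Run", target, why))
    return out


def triage(log_text: str) -> list:
    """Triage every line of a pasted HijackThis/ComboFix log."""
    findings = []
    for line in log_text.splitlines():
        findings.extend(triage_line(line))
    return findings


if __name__ == "__main__":
    for severity, location, target, why in triage(SAMPLE_LOG):
        print(f"[{severity:6}] {location:14} {target}")
        print(f"         {why}")
```

Run it as-is to print the findings for the embedded sample, or pass a whole pasted log to triage(). Only AppInit_DLLs, SSODL, Active Desktop and ComboFix orphan Run lines are handled; O4 Run entries, BHOs and services are ignored, so an empty result is not a clean bill of health, and a flagged entry is a lead for the helper to confirm, not an automatic deletion list.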



1. Please open Notepad

  • Click Start, then Run
  • Type notepad.exe in the Run box.

2. Now copy/paste the entire content of the codebox below into the Notepad window:

File::

C:\handle.dat

c:\windows\warnhp.html

c:\windows\system32\F15AD17906.sys

Folder::

C:\VundoFix Backups

Collect::

c:\documents and settings\Stacey Kuhar\remote.exe

3. Save the above as CFScript.txt

4. Then drag the CFScript.txt into ComboFix.exe as depicted in the animation below. This will start ComboFix again.

CFScript.gif

5. After reboot, (in case it asks to reboot), please post the following reports/logs into your next reply:

  • Combofix.txt
  • A new HijackThis log.


Ok, I've done this. Should I be concerned that my computer wasn't rebooted this time? The last time I ran ComboFix, the computer automatically rebooted. Anyway, here are my logs. Again, thanks for your help.

ComboFix log:

ComboFix 09-03-14.01 - Stacey Kuhar 2009-03-15 13:50:44.2 - NTFSx86

Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.1022.373 [GMT -4:00]

Running from: c:\documents and settings\Stacey Kuhar\Desktop\ComboFix.exe

Command switches used :: c:\documents and settings\Stacey Kuhar\Desktop\CFScript.txt

AV: Symantec AntiVirus Corporate Edition *On-access scanning disabled* (Updated)

* Created a new restore point

FILE ::

C:\handle.dat

c:\windows\system32\F15AD17906.sys

c:\windows\warnhp.html

.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))

.

c:\documents and settings\Stacey Kuhar\remote.exe

C:\handle.dat

C:\VundoFix Backups

c:\windows\system32\F15AD17906.sys

.

((((((((((((((((((((((((( Files Created from 2009-02-15 to 2009-03-15 )))))))))))))))))))))))))))))))

.

2009-08-05 16:58 . 2009-08-05 16:58 <DIR> d-------- c:\documents and settings\All Users\Application Data\SupportSoft

2009-08-05 16:57 . 2009-08-05 16:57 <DIR> d-------- c:\program files\Dell Support Center

2009-08-02 22:57 . 2009-08-02 22:57 <DIR> d-------- c:\program files\Apple Software Update

2009-08-02 22:54 . 2009-08-02 22:55 <DIR> d-------- c:\program files\iTunes

2009-08-02 22:52 . 2009-08-02 22:52 <DIR> d-------- c:\program files\Bonjour

2009-08-02 22:51 . 2009-08-02 22:52 <DIR> d-------- c:\program files\QuickTime

2009-03-15 13:48 . 2009-03-15 13:49 <DIR> d-------- C:\32788R22FWJFW

2009-03-14 21:34 . 2009-03-14 21:34 <DIR> d-------- c:\program files\Trend Micro

2009-03-14 20:25 . 2009-03-14 20:25 <DIR> d-------- c:\program files\Malwarebytes' Anti-Malware

2009-03-14 20:25 . 2009-02-11 10:19 38,496 --a------ c:\windows\system32\drivers\mbamswissarmy.sys

2009-03-14 20:25 . 2009-02-11 10:19 15,504 --a------ c:\windows\system32\drivers\mbam.sys

2009-03-14 18:40 . 2009-03-14 18:39 410,984 --a------ c:\windows\system32\deploytk.dll

2009-03-14 18:40 . 2009-03-14 18:39 73,728 --a------ c:\windows\system32\javacpl.cpl

2009-03-10 19:15 . 2009-03-10 19:15 <DIR> d-------- c:\documents and settings\All Users\Application Data\U3

2009-03-10 15:27 . 2009-03-13 09:12 <DIR> d-------- c:\windows\system32\NtmsData

2009-03-10 15:19 . 2009-03-14 15:30 <DIR> d-------- c:\documents and settings\Stacey Kuhar\Application Data\U3

2009-03-10 07:05 . 2009-03-10 07:05 0 --a------ c:\windows\PTWebCam.INI

2009-03-09 16:32 . 2009-03-09 16:32 <DIR> d-------- c:\documents and settings\Stacey Kuhar\Application Data\Malwarebytes

2009-03-09 16:32 . 2009-03-09 16:32 <DIR> d-------- c:\documents and settings\All Users\Application Data\Malwarebytes

2009-03-04 20:04 . 2009-03-04 20:05 <DIR> d-------- c:\documents and settings\All Users\Application Data\CinemaNow

2009-03-04 20:04 . 2005-09-28 15:46 1,184,984 --a------ c:\windows\system32\wvc1dmod.dll

2009-03-04 20:02 . 2009-03-04 20:02 <DIR> d-------- c:\program files\CinemaNow

2009-02-16 12:01 . 2009-02-16 12:09 6,488 --a------ c:\documents and settings\All Users\Application Data\ypinfo.bin

.

(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

.

2009-08-05 20:57 --------- d-----w c:\program files\Common Files\supportsoft

2009-08-03 02:54 --------- d-----w c:\program files\iPod

2009-03-15 17:49 --------- d-----w c:\program files\Symantec AntiVirus

2009-03-14 22:39 --------- d-----w c:\program files\Java

2009-03-14 21:39 --------- d-----w c:\program files\Spybot - Search & Destroy

2009-03-14 21:33 --------- d-----w c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy

2009-03-14 17:35 --------- d-----w c:\documents and settings\All Users\Application Data\McAfee

2009-03-10 12:31 --------- d-----w c:\program files\Google

2009-03-08 12:25 --------- d-----w c:\documents and settings\All Users\Application Data\Skype

2009-03-08 12:16 --------- d-----w c:\documents and settings\Stacey Kuhar\Application Data\skypePM

2009-03-02 14:27 --------- d-----w c:\program files\Microsoft Silverlight

2009-02-17 12:33 --------- d-----w c:\documents and settings\All Users\Application Data\DVD Shrink

2009-02-16 20:06 --------- d-----w c:\program files\ewido anti-malware

2009-02-16 16:16 --------- d-----w c:\documents and settings\Stacey Kuhar\Application Data\Yahoo!

2009-02-13 22:20 --------- d-----w c:\program files\Windows Live

2009-02-13 22:19 --------- d-----w c:\program files\Microsoft

2009-02-13 22:18 --------- d-----w c:\program files\Windows Live SkyDrive

2009-02-13 22:06 --------- d-----w c:\program files\Common Files\Windows Live

2009-02-13 22:03 --------- d-----w c:\program files\Microsoft LifeCam

2009-02-13 21:29 --------- d-----w c:\program files\MSBuild

2009-02-13 21:24 --------- d-----w c:\program files\Reference Assemblies

2009-02-09 11:13 1,846,784 ----a-w c:\windows\system32\win32k.sys

2009-02-09 11:13 1,846,784 ------w c:\windows\system32\dllcache\win32k.sys

2009-02-06 23:52 49,504 ----a-w c:\windows\system32\sirenacm.dll

2009-01-17 02:35 3,594,752 ----a-w c:\windows\system32\dllcache\mshtml.dll

2009-01-16 19:03 --------- d-----w c:\documents and settings\Stacey Kuhar\Application Data\Move Networks

2008-12-19 09:10 70,656 ------w c:\windows\system32\dllcache\ie4uinit.exe

2008-12-19 09:10 13,824 ------w c:\windows\system32\dllcache\ieudinit.exe

2008-12-19 05:25 634,024 ------w c:\windows\system32\dllcache\iexplore.exe

2008-12-19 05:23 161,792 ------w c:\windows\system32\dllcache\ieakui.dll

2007-08-09 22:18 251 ----a-w c:\program files\wt3d.ini

2006-08-07 00:48 3,350 --sha-w c:\windows\system32\KGyGaAvL.sys

2008-09-20 12:48 32,768 --sha-w c:\windows\system32\config\systemprofile\Local Settings\History\History.IE5\MSHist012008092020080921\index.dat

.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))

.

.

*Note* empty entries & legit default entries are not shown

REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-13 15360]

"Yahoo! Pager"="c:\progra~1\Yahoo!\MESSEN~1\YAHOOM~1.EXE" [2006-10-30 4662776]

"swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2007-06-18 68856]

"DellSupport"="c:\program files\DellSupport\DSAgnt.exe" [2007-03-15 460784]

"DW6"="c:\program files\The Weather Channel FW\Desktop\DesktopWeather.exe" [2008-06-10 785520]

"DellSupportCenter"="c:\program files\Dell Support Center\bin\sprtcmd.exe" [2008-08-13 206064]

"SpybotSD TeaTimer"="c:\program files\Spybot - Search & Destroy\TeaTimer.exe" [2009-03-05 2260480]

"msnmsgr"="c:\program files\Windows Live\Messenger\msnmsgr.exe" [2009-02-06 3885408]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"ehTray"="c:\windows\ehome\ehtray.exe" [2005-09-29 67584]

"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2009-03-14 136600]

"IAAnotif"="c:\program files\Intel\Intel Matrix Storage Manager\iaanotif.exe" [2005-06-17 139264]

"ATIPTA"="c:\program files\ATI Technologies\ATI Control Panel\atiptaxx.exe" [2005-08-05 344064]

"DVDLauncher"="c:\program files\CyberLink\PowerDVD\DVDLauncher.exe" [2005-02-23 53248]

"ISUSPM Startup"="c:\program files\Common Files\InstallShield\UpdateService\isuspm.exe" [2005-06-10 249856]

"ISUSScheduler"="c:\program files\Common Files\InstallShield\UpdateService\issch.exe" [2005-06-10 81920]

"Google Desktop Search"="c:\program files\Google\Google Desktop Search\GoogleDesktop.exe" [2008-09-04 29744]

"Lexmark X74-X75"="c:\program files\Lexmark X74-X75\lxbbbmgr.exe" [2002-06-24 57344]

"Acrobat Assistant 7.0"="c:\program files\Adobe\Acrobat 7.0\Distillr\Acrotray.exe" [2008-04-23 483328]

"MSKDetectorExe"="c:\program files\McAfee\SpamKiller\MSKDetct.exe" [2005-07-12 1117184]

"ccApp"="c:\program files\Common Files\Symantec Shared\ccApp.exe" [2005-12-21 48800]

"vptray"="c:\progra~1\SYMANT~1\VPTray.exe" [2005-12-21 85744]

"YOP"="c:\progra~1\Yahoo!\YOP\yop.exe" [2005-06-17 401408]

"dvd43"="c:\program files\dvd43\dvd43_tray.exe" [2005-12-05 691200]

"NeroFilterCheck"="c:\windows\system32\NeroCheck.exe" [2001-07-09 155648]

"YBrowser"="c:\progra~1\Yahoo!\browser\ybrwicon.exe" [2006-07-21 129536]

"dla"="c:\windows\system32\dla\tfswctrl.exe" [2005-05-31 122941]

"HPHUPD08"="c:\program files\HP\Digital Imaging\{33D6CC28-9F75-4d1b-A11D-98895B3A3729}\hphupd08.exe" [2005-06-01 49152]

"HP Software Update"="c:\program files\HP\HP Software Update\HPWuSchd2.exe" [2005-05-11 49152]

"TkBellExe"="c:\program files\Common Files\Real\Update_OB\realsched.exe" [2006-08-25 180269]

"AppleSyncNotifier"="c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleSyncNotifier.exe" [2008-07-22 116040]

"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2008-05-27 413696]

"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2008-07-30 289064]

"dscactivate"="c:\program files\Dell Support Center\gs_agent\custom\dsca.exe" [2007-11-15 16384]

"DellSupportCenter"="c:\program files\Dell Support Center\bin\sprtcmd.exe" [2008-08-13 206064]

"REGSHAVE"="c:\program files\REGSHAVE\REGSHAVE.EXE" [2002-02-04 53248]

"LifeCam"="c:\program files\Microsoft LifeCam\LifeExp.exe" [2008-08-04 160800]

"VX6000"="c:\windows\vVX6000.exe" [2008-08-04 713744]

"bilibokasi"="c:\windows\system32\fimijeza.dll" [bU]

"CPM07c5a006"="c:\windows\system32\suluyeba.dll" [bU]

"SigmatelSysTrayApp"="stsystra.exe" [2005-03-23 c:\windows\stsystra.exe]

c:\documents and settings\Stacey Kuhar\Start Menu\Programs\Startup\

LaunchU3.exe.lnk - c:\documents and settings\Stacey Kuhar\Application Data\Microsoft\Installer\{D8E363A7-88B7-446D-B2C0-E26CE4DC8E54}\_294823.exe [2009-03-10 22486]

c:\documents and settings\All Users\Start Menu\Programs\Startup\

Adobe Acrobat Speed Launcher.lnk - c:\windows\Installer\{AC76BA86-1033-0000-7760-100000000002}\SC_Acrobat.exe [2006-01-15 25214]

Adobe Gamma Loader.exe.lnk - c:\program files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe [2006-01-15 113664]

Digital Line Detect.lnk - c:\program files\Digital Line Detect\DLG.exe [2006-01-07 24576]

ExifLauncher2.lnk - c:\program files\FinePixViewer\QuickDCF2.exe [2008-09-20 303104]

HP Digital Imaging Monitor.lnk - c:\program files\HP\Digital Imaging\bin\hpqtra08.exe [2005-05-11 282624]

HP Image Zone Fast Start.lnk - c:\program files\HP\Digital Imaging\bin\hpqthb08.exe [2005-05-12 73728]

Image Transfer.lnk - c:\program files\Sony Corporation\Image Transfer\SonyTray.exe [2006-01-17 73728]

QuickBooks Update Agent.lnk - c:\program files\Common Files\Intuit\QuickBooks\QBUpdate\qbupdate.exe [2004-11-11 806912]

[HKEY_CURRENT_USER\software\microsoft\internet explorer\desktop\components\0]

Source= c:\windows\warnhp.html

FriendlyName= Desktop Uninstall

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]

"VIDC.JDCT"= jl_jdct.drv

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]

"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]

"%windir%\\system32\\sessmgr.exe"=

"c:\\Program Files\\Yahoo!\\Messenger\\YServer.exe"=

"c:\\PROGRA~1\\Yahoo!\\MESSEN~1\\Yserver.exe"= c:\\Program Files\\Yahoo!\\Messenger\\YServer.exe

"c:\\Program Files\\Messenger\\msmsgs.exe"=

"c:\\Program Files\\Yahoo!\\Yahoo! Music Engine\\YahooMusicEngine.exe"=

"c:\\Program Files\\HP\\HP Software Update\\HPWUCli.exe"=

"%windir%\\Network Diagnostic\\xpnetdiag.exe"=

"c:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe"=

"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=

"c:\\Program Files\\iTunes\\iTunes.exe"=

"c:\\Program Files\\Microsoft Games\\Age of Mythology\\aom.exe"=

"c:\\WINDOWS\\ehome\\ehrecvr.exe"=

"c:\\Program Files\\Common Files\\Symantec Shared\\ccSetMgr.exe"=

"c:\\Program Files\\Microsoft LifeCam\\LifeCam.exe"=

"c:\\Program Files\\Microsoft LifeCam\\LifeEnC2.exe"=

"c:\\Program Files\\Microsoft LifeCam\\LifeExp.exe"=

"c:\\Program Files\\Microsoft LifeCam\\LifeTray.exe"=

"c:\\Program Files\\Windows Live\\Messenger\\wlcsdk.exe"=

"c:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=

"c:\\Program Files\\CinemaNow\\CinemaNow Media Manager\\CinemaNowShell.exe"=

R1 ATMhelpr;ATMhelpr;c:\windows\system32\drivers\ATMHELPR.SYS [2006-01-16 4064]

R2 CinemaNow Service;CinemaNow Service;c:\program files\CinemaNow\CinemaNow Media Manager\CinemaNowSvc.exe [2009-01-30 125304]

R3 EraserUtilRebootDrv;EraserUtilRebootDrv;c:\program files\Common Files\Symantec Shared\EENGINE\EraserUtilRebootDrv.sys [2009-02-27 101936]

R3 VX6000;Microsoft LifeCam VX-6000;c:\windows\system32\drivers\VX6000Xp.sys [2009-02-13 2077840]

S3 GoogleDesktopManager-061008-081103;Google Desktop Manager 5.7.806.10245;c:\program files\Google\Google Desktop Search\GoogleDesktop.exe [2006-01-07 29744]

S3 SavRoam;SAVRoam;c:\program files\Symantec AntiVirus\SavRoam.exe [2005-12-21 169200]

.

Contents of the 'Scheduled Tasks' folder

2009-08-03 c:\windows\Tasks\AppleSoftwareUpdate.job

- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 12:34]

2009-02-13 c:\windows\Tasks\Microsoft_Hardware_Launch_vVX6000_exe.job

- c:\windows\vVX6000.exe [2008-08-04 17:22]

.

- - - - ORPHANS REMOVED - - - -

WebBrowser-{604BC32A-9680-40D1-9AC6-E06B23A1BA4C} - (no file)

.

------- Supplementary Scan -------

.

uLocal Page = \blank.htm

uStart Page = hxxp://verizon.yahoo.com

uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8

mStart Page = hxxp://verizon.yahoo.com

mSearch Bar = hxxp://red.clientapps.yahoo.com/customize/ie/defaults/sb/verizon/*http://www.yahoo.com/search/ie.html

uInternet Connection Wizard,ShellNext = iexplore

uInternet Settings,ProxyOverride = *.local

uSearchURL,(Default) = hxxp://red.clientapps.yahoo.com/customize/ie/defaults/su/verizon/*http://www.yahoo.com

IE: Convert link target to Adobe PDF - c:\program files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html

IE: Convert link target to existing PDF - c:\program files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html

IE: Convert selected links to Adobe PDF - c:\program files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html

IE: Convert selected links to existing PDF - c:\program files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html

IE: Convert selection to Adobe PDF - c:\program files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html

IE: Convert selection to existing PDF - c:\program files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html

IE: Convert to Adobe PDF - c:\program files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html

IE: Convert to existing PDF - c:\program files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html

IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~4\OFFICE11\EXCEL.EXE/3000

Trusted Zone: cinemanow.com

DPF: {193C772A-87BE-4B19-A7BB-445B226FE9A1} - hxxp://download.ewido.net/ewidoOnlineScan.cab

DPF: {75A6AEA3-F26E-4608-AE9B-8DA78C87576E} - hxxps://secure.footprint.net/kingsisle/static/themes/wizard101A/activex/Wizard101GameLauncher.CAB

.

**************************************************************************

catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://*.cinemanow.com

O16 - DPF: {0CCA191D-13A6-4E29-B746-314DEE697D83} (Facebook Photo Uploader 5 Control) - http://upload.facebook.com/controls/2008.1...toUploader5.cab

O16 - DPF: {193C772A-87BE-4B19-A7BB-445B226FE9A1} (ewidoOnlineScan Control) - http://download.ewido.net/ewidoOnlineScan.cab

O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (Installation Support) - C:\Program Files\Yahoo!\Common\Yinsthelper.dll

O16 - DPF: {406B5949-7190-4245-91A9-30A17DE16AD0} (Snapfish Activia) - http://www1.snapfish.com/SnapfishActivia.cab

O16 - DPF: {4871A87A-BFDD-4106-8153-FFDE2BAC2967} (DLM Control) - http://dlm.tools.akamai.com/dlmanager/vers...vex-2.2.4.1.cab

O16 - DPF: {5ED80217-570B-4DA9-BF44-BE107C0EC166} (Windows Live Safety Center Base Module) - http://cdn.scan.onecare.live.com/resource/...lscbase6662.cab

O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.microsoft.com/microsoftu...b?1179878299531

O16 - DPF: {75A6AEA3-F26E-4608-AE9B-8DA78C87576E} (Wizard101GameLauncher) - https://secure.footprint.net/kingsisle/stat...ameLauncher.CAB

O16 - DPF: {9600F64D-755F-11D4-A47F-0001023E6D5A} (Shutterfly Picture Upload Plugin) - http://web1.shutterfly.com/downloads/Uploader.cab

O16 - DPF: {A8683C98-5341-421B-B23C-8514C05354F1} (FujifilmUploader Class) - http://photo.walmart.com/photo/uploads/Fuj...ploadClient.cab

O21 - SSODL: SSODL - {EC43E3FD-5C60-46a6-97D7-E0B85DBDD6C4} - (no file)

O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe

O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe

O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe

O23 - Service: Canon Camera Access Library 8 (CCALib8) - Canon Inc. - C:\Program Files\Canon\CAL\CALMAIN.exe

O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe

O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe

O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe

O23 - Service: CinemaNow Service - CinemaNow, Inc. - C:\Program Files\CinemaNow\CinemaNow Media Manager\CinemanowSvc.exe

O23 - Service: Symantec AntiVirus Definition Watcher (DefWatch) - Symantec Corporation - C:\Program Files\Symantec AntiVirus\DefWatch.exe

O23 - Service: DSBrokerService - Unknown owner - C:\Program Files\DellSupport\brkrsvc.exe

O23 - Service: GameConsoleService - WildTangent, Inc. - C:\Program Files\WildTangent\Apps\Dell Game Console\GameConsoleService.exe

O23 - Service: Google Desktop Manager 5.7.806.10245 (GoogleDesktopManager-061008-081103) - Google - C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe

O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe

O23 - Service: Intel® Matrix Storage Event Monitor (IAANTMon) - Intel Corporation - C:\Program Files\Intel\Intel Matrix Storage Manager\iaantmon.exe

O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe

O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe

O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe

O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE

O23 - Service: Intel NCS NetService (NetSvc) - Intel® Corporation - C:\Program Files\Intel\PROSetWired\NCS\Sync\NetSvc.exe

O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe

O23 - Service: SAVRoam (SavRoam) - symantec - C:\Program Files\Symantec AntiVirus\SavRoam.exe

O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe

O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe

O23 - Service: SupportSoft Sprocket Service (dellsupportcenter) (sprtsvc_dellsupportcenter) - SupportSoft, Inc. - C:\Program Files\Dell Support Center\bin\sprtsvc.exe

O23 - Service: Symantec AntiVirus - Symantec Corporation - C:\Program Files\Symantec AntiVirus\Rtvscan.exe

O23 - Service: YPCService - Yahoo! Inc. - C:\WINDOWS\system32\YPCSER~1.EXE

O24 - Desktop Component 0: Desktop Uninstall - C:\WINDOWS\warnhp.html

--

End of file - 18588 bytes


Nope, nothing to worry about.

Open HijackThis and put a check next to these:

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = \blank.htm

O2 - BHO: (no name) - {5C255C8A-E604-49b4-9D64-90988571CECB} - (no file)

O4 - HKLM\..\Run: [bilibokasi] Rundll32.exe "C:\WINDOWS\system32\fimijeza.dll",s

O4 - HKLM\..\Run: [CPM07c5a006] Rundll32.exe "c:\windows\system32\suluyeba.dll",a

O21 - SSODL: SSODL - {EC43E3FD-5C60-46a6-97D7-E0B85DBDD6C4} - (no file)

O24 - Desktop Component 0: Desktop Uninstall - C:\WINDOWS\warnhp.html

Click Fix Checked and close HJT.

You need to uninstall your current version of Adobe Reader and download & install the latest version (9.1) from here

Restart your computer and post a new HijackThis log please.


Ok, here's my new hijackthis log.

Logfile of Trend Micro HijackThis v2.0.2

Scan saved at 3:39:59 PM, on 3/15/2009

Platform: Windows XP SP3 (WinNT 5.01.2600)

MSIE: Internet Explorer v7.00 (7.00.6000.16791)

Boot mode: Normal

Running processes:

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\system32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\system32\Ati2evxx.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe

C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe

C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe

C:\WINDOWS\system32\LEXBCES.EXE

C:\WINDOWS\system32\spoolsv.exe

C:\WINDOWS\system32\LEXPPS.EXE

C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe

C:\Program Files\Bonjour\mDNSResponder.exe

C:\Program Files\CinemaNow\CinemaNow Media Manager\CinemanowSvc.exe

C:\Program Files\Symantec AntiVirus\DefWatch.exe

C:\WINDOWS\eHome\ehRecvr.exe

C:\WINDOWS\eHome\ehSched.exe

C:\Program Files\Intel\Intel Matrix Storage Manager\iaantmon.exe

C:\Program Files\Java\jre6\bin\jqs.exe

C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE

C:\Program Files\Microsoft LifeCam\MSCamS32.exe

C:\Program Files\Dell Support Center\bin\sprtsvc.exe

C:\WINDOWS\system32\svchost.exe

C:\Program Files\Symantec AntiVirus\Rtvscan.exe

C:\Program Files\Canon\CAL\CALMAIN.exe

C:\WINDOWS\system32\dllhost.exe

C:\WINDOWS\Explorer.EXE

C:\WINDOWS\ehome\ehtray.exe

C:\Program Files\Java\jre6\bin\jusched.exe

C:\WINDOWS\stsystra.exe

C:\Program Files\Intel\Intel Matrix Storage Manager\iaanotif.exe

C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe

C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe

C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe

C:\Program Files\Lexmark X74-X75\lxbbbmgr.exe

C:\Program Files\Adobe\Acrobat 7.0\Distillr\Acrotray.exe

C:\Program Files\Lexmark X74-X75\lxbbbmon.exe

C:\Program Files\Common Files\Symantec Shared\ccApp.exe

C:\PROGRA~1\SYMANT~1\VPTray.exe

C:\PROGRA~1\Yahoo!\YOP\yop.exe

C:\Program Files\dvd43\dvd43_tray.exe

C:\Program Files\Symantec AntiVirus\DoScan.exe

C:\PROGRA~1\Yahoo!\browser\ybrwicon.exe

C:\WINDOWS\system32\dla\tfswctrl.exe

C:\Program Files\HP\HP Software Update\HPWuSchd2.exe

C:\Program Files\Common Files\Real\Update_OB\realsched.exe

C:\PROGRA~1\Yahoo!\browser\ycommon.exe

C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe

C:\Program Files\iTunes\iTunesHelper.exe

C:\Program Files\Dell Support Center\bin\sprtcmd.exe

C:\WINDOWS\eHome\ehmsas.exe

C:\WINDOWS\vVX6000.exe

C:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe

C:\WINDOWS\system32\ctfmon.exe

C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe

C:\Program Files\DellSupport\DSAgnt.exe

C:\Program Files\The Weather Channel FW\Desktop\DesktopWeather.exe

C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe

C:\Program Files\Windows Live\Messenger\msnmsgr.exe

C:\Program Files\iPod\bin\iPodService.exe

C:\Program Files\Adobe\Acrobat 7.0\Acrobat\Acrobat_sl.exe

C:\Program Files\Digital Line Detect\DLG.exe

C:\Program Files\FinePixViewer\QuickDCF2.exe

C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe

C:\PROGRA~1\Yahoo!\MESSEN~1\ymsgr_tray.exe

C:\Program Files\Sony Corporation\Image Transfer\SonyTray.exe

C:\WINDOWS\system32\wscript.exe

C:\Documents and Settings\All Users\Application Data\U3\U3Launcher\LaunchU3.exe

C:\Program Files\HP\Digital Imaging\bin\hpqimzone.exe

C:\Program Files\HP\Digital Imaging\bin\hpqSTE08.exe

C:\Program Files\Windows Live\Contacts\wlcomm.exe

C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://*.cinemanow.com

O16 - DPF: {0CCA191D-13A6-4E29-B746-314DEE697D83} (Facebook Photo Uploader 5 Control) - http://upload.facebook.com/controls/2008.1...toUploader5.cab

O16 - DPF: {193C772A-87BE-4B19-A7BB-445B226FE9A1} (ewidoOnlineScan Control) - http://download.ewido.net/ewidoOnlineScan.cab

O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (Installation Support) - C:\Program Files\Yahoo!\Common\Yinsthelper.dll

O16 - DPF: {406B5949-7190-4245-91A9-30A17DE16AD0} (Snapfish Activia) - http://www1.snapfish.com/SnapfishActivia.cab

O16 - DPF: {4871A87A-BFDD-4106-8153-FFDE2BAC2967} (DLM Control) - http://dlm.tools.akamai.com/dlmanager/vers...vex-2.2.4.1.cab

O16 - DPF: {5ED80217-570B-4DA9-BF44-BE107C0EC166} (Windows Live Safety Center Base Module) - http://cdn.scan.onecare.live.com/resource/...lscbase6662.cab

O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.microsoft.com/microsoftu...b?1179878299531

O16 - DPF: {75A6AEA3-F26E-4608-AE9B-8DA78C87576E} (Wizard101GameLauncher) - https://secure.footprint.net/kingsisle/stat...ameLauncher.CAB

O16 - DPF: {9600F64D-755F-11D4-A47F-0001023E6D5A} (Shutterfly Picture Upload Plugin) - http://web1.shutterfly.com/downloads/Uploader.cab

O16 - DPF: {A8683C98-5341-421B-B23C-8514C05354F1} (FujifilmUploader Class) - http://photo.walmart.com/photo/uploads/Fuj...ploadClient.cab

O16 - DPF: {CF40ACC5-E1BB-4AFF-AC72-04C2F616BCA7} -

O21 - SSODL: SSODL - {EC43E3FD-5C60-46a6-97D7-E0B85DBDD6C4} - (no file)

O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe

O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe

O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe

O23 - Service: Canon Camera Access Library 8 (CCALib8) - Canon Inc. - C:\Program Files\Canon\CAL\CALMAIN.exe

O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe

O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe

O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe

O23 - Service: CinemaNow Service - CinemaNow, Inc. - C:\Program Files\CinemaNow\CinemaNow Media Manager\CinemanowSvc.exe

O23 - Service: Symantec AntiVirus Definition Watcher (DefWatch) - Symantec Corporation - C:\Program Files\Symantec AntiVirus\DefWatch.exe

O23 - Service: DSBrokerService - Unknown owner - C:\Program Files\DellSupport\brkrsvc.exe

O23 - Service: GameConsoleService - WildTangent, Inc. - C:\Program Files\WildTangent\Apps\Dell Game Console\GameConsoleService.exe

O23 - Service: Google Desktop Manager 5.7.806.10245 (GoogleDesktopManager-061008-081103) - Google - C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe

O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe

O23 - Service: Intel® Matrix Storage Event Monitor (IAANTMon) - Intel Corporation - C:\Program Files\Intel\Intel Matrix Storage Manager\iaantmon.exe

O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe

O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe

O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe

O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE

O23 - Service: Intel NCS NetService (NetSvc) - Intel® Corporation - C:\Program Files\Intel\PROSetWired\NCS\Sync\NetSvc.exe

O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe

O23 - Service: SAVRoam (SavRoam) - symantec - C:\Program Files\Symantec AntiVirus\SavRoam.exe

O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe

O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe

O23 - Service: SupportSoft Sprocket Service (dellsupportcenter) (sprtsvc_dellsupportcenter) - SupportSoft, Inc. - C:\Program Files\Dell Support Center\bin\sprtsvc.exe

O23 - Service: Symantec AntiVirus - Symantec Corporation - C:\Program Files\Symantec AntiVirus\Rtvscan.exe

O23 - Service: YPCService - Yahoo! Inc. - C:\WINDOWS\system32\YPCSER~1.EXE

--

End of file - 19073 bytes


While TeaTimer is an excellent tool for the prevention of spyware, it can sometimes prevent HijackThis from fixing certain things.

Please disable TeaTimer for now until you are clean. TeaTimer can be re-activated once your HijackThis log is clean.

  • Open Spybot Search & Destroy.
  • In the Mode menu click "Advanced mode" if not already selected.
  • Choose "Yes" at the Warning prompt.
  • Expand the "Tools" menu.
  • Click "Resident".
  • Uncheck the "Resident "TeaTimer" (Protection of overall system settings) active." box.
  • In the File menu click "Exit" to exit Spybot Search & Destroy.

Fix these with HijackThis:

O4 - HKLM\..\Run: [bilibokasi] Rundll32.exe "C:\WINDOWS\system32\fimijeza.dll",s

O4 - HKLM\..\Run: [CPM07c5a006] Rundll32.exe "c:\windows\system32\suluyeba.dll",a

O16 - DPF: {CF40ACC5-E1BB-4AFF-AC72-04C2F616BCA7} -

O21 - SSODL: SSODL - {EC43E3FD-5C60-46a6-97D7-E0B85DBDD6C4} - (no file)

Then post a new HJT log please.

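An added example, not part of this thread and not code from HijackThis, ComboFix or Malwarebytes: a small Python triage script that reads HijackThis-format lines and flags the kinds of entries the helper picked out in the two fix lists above (the Rundll32-launched system32 DLLs with generated-looking names, the "(no file)" BHO and SSODL CLSIDs, the Active Desktop component rendering C:\WINDOWS\warnhp.html, the O16 entry with no URL, and the relative Local Page). The rules are this example's own heuristics, not HijackThis's classification logic. The sample log is constructed from the entries quoted in the thread plus two benign Run lines modelled on the jusched.exe and VPTray.exe values in the ComboFix report, so the filter has something to leave alone.

```python
"""Triage a HijackThis-style log for the persistence tricks seen in this thread.
Added example: not part of the thread, HijackThis or ComboFix. The rules below
are this example's own heuristics (assumptions), not HijackThis's own logic."""
import ntpath
import re
from dataclasses import dataclass
from typing import Optional

# Constructed sample: the entries the helper asked to fix, plus two benign Run
# lines (Java updater, Symantec tray) modelled on values in the ComboFix report.
SAMPLE_LOG = r"""
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = \blank.htm
O2 - BHO: (no name) - {5C255C8A-E604-49b4-9D64-90988571CECB} - (no file)
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\VPTray.exe
O4 - HKLM\..\Run: [bilibokasi] Rundll32.exe "C:\WINDOWS\system32\fimijeza.dll",s
O4 - HKLM\..\Run: [CPM07c5a006] Rundll32.exe "c:\windows\system32\suluyeba.dll",a
O16 - DPF: {CF40ACC5-E1BB-4AFF-AC72-04C2F616BCA7} -
O16 - DPF: {193C772A-87BE-4B19-A7BB-445B226FE9A1} (ewidoOnlineScan Control) - http://download.ewido.net/ewidoOnlineScan.cab
O21 - SSODL: SSODL - {EC43E3FD-5C60-46a6-97D7-E0B85DBDD6C4} - (no file)
O24 - Desktop Component 0: Desktop Uninstall - C:\WINDOWS\warnhp.html
"""

RUN_RE = re.compile(r"^O4 - HK\w+\\\.\.\\Run: \[[^\]]+\] (?P<cmd>.+)$")
DLL_RE = re.compile(r'"?(?P<path>[^",]+?\.dll)"?', re.IGNORECASE)
NOFILE_RE = re.compile(r"^(?:O2 - BHO|O21 - SSODL): .*? - \{[0-9A-Fa-f-]+\} - (?P<target>.*)$")
DPF_RE = re.compile(r"^O16 - DPF: \{[0-9A-Fa-f-]+\}(?: \([^)]*\))? - ?(?P<url>.*)$")
DESKTOP_RE = re.compile(r"^O24 - Desktop Component \d+: .*? - (?P<path>.+)$")
LOCALPAGE_RE = re.compile(r"^R0 - HK\w+\\.*Main,Local Page = (?P<value>.*)$")


@dataclass(frozen=True)
class Finding:
    line_no: int
    kind: str      # HijackThis section prefix: R0, O2, O4, O16, O21, O24
    reason: str
    line: str


def looks_generated(stem: str) -> bool:
    """Vundo-style DLL names: 6-12 lowercase letters strictly alternating
    consonant/vowel (fimijeza, suluyeba, bilibokasi); vendor binaries rarely do."""
    if not (6 <= len(stem) <= 12 and stem.isalpha() and stem.islower()):
        return False
    is_vowel = [c in "aeiou" for c in stem]
    return all(a != b for a, b in zip(is_vowel, is_vowel[1:]))


def _check_run(cmd: str) -> Optional[str]:
    """Flag Rundll32 loading a generated-looking DLL out of system32."""
    if "rundll32" not in cmd.lower():
        return None
    hit = DLL_RE.search(cmd)
    if hit is None:
        return "Rundll32 started without a visible DLL path"
    path = hit.group("path").replace("/", "\\")
    stem = ntpath.splitext(ntpath.basename(path))[0]
    if ntpath.dirname(path).lower().endswith("\\system32") and looks_generated(stem):
        return f"Rundll32 loads {ntpath.basename(path)} from system32 under a generated-looking name"
    return None


def classify(line: str) -> Optional[str]:
    """Return a reason string if one HJT line matches a heuristic, else None."""
    if m := RUN_RE.match(line):
        return _check_run(m.group("cmd"))
    if m := NOFILE_RE.match(line):
        # CLSID still registered as a loader although its DLL is gone
        return "orphaned loader CLSID: target is (no file)" if m.group("target").strip() == "(no file)" else None
    if m := DPF_RE.match(line):
        return "Downloaded Program Files entry with no source URL" if not m.group("url").strip() else None
    if m := DESKTOP_RE.match(line):
        p = m.group("path").lower()
        if p.endswith((".htm", ".html")) and "\\windows\\" in p:
            return "Active Desktop component renders a local HTML page from the Windows directory"
        return None
    if m := LOCALPAGE_RE.match(line):
        if not re.match(r"^(?:[A-Za-z]:\\|%|about:)", m.group("value")):
            return "Local Page is a bare relative path, not the stock %SystemRoot%\\system32\\blank.htm"
        return None
    return None


def triage(log_text: str) -> list:
    """Run every heuristic over a HijackThis log; return Findings in file order."""
    findings = []
    for no, raw in enumerate(log_text.splitlines(), 1):
        line = raw.strip()
        if line and (reason := classify(line)):
            findings.append(Finding(no, line.split(" - ", 1)[0], reason, line))
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"line {f.line_no:>2} [{f.kind:<3}] {f.reason}\n         {f.line}")
```

Running it on a real log is a matter of `triage(open("hijackthis.log").read())`. The consonant/vowel rule is the piece worth keeping in mind: Vundo's DLL names are random but pronounceable, so a plain "is it a dictionary word" check misses them, while a check on the Run value itself (bilibokasi, CPM07c5a006) is not needed once the loaded DLL is inspected.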

Here is a current HJT log... look at me getting the lingo!!! :P Ok, I might be getting the lingo, but that's about all. I still need you to look at the log and fix whatever needs fixing. :P Thanks!

Logfile of Trend Micro HijackThis v2.0.2

Scan saved at 10:12:39 PM, on 3/15/2009

Platform: Windows XP SP3 (WinNT 5.01.2600)

MSIE: Internet Explorer v7.00 (7.00.6000.16791)

Boot mode: Normal

Running processes:

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\system32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\system32\Ati2evxx.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe

C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe

C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe

C:\WINDOWS\system32\LEXBCES.EXE

C:\WINDOWS\system32\spoolsv.exe

C:\WINDOWS\system32\LEXPPS.EXE

C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe

C:\Program Files\Bonjour\mDNSResponder.exe

C:\Program Files\CinemaNow\CinemaNow Media Manager\CinemanowSvc.exe

C:\Program Files\Symantec AntiVirus\DefWatch.exe

C:\WINDOWS\eHome\ehRecvr.exe

C:\WINDOWS\eHome\ehSched.exe

C:\Program Files\Intel\Intel Matrix Storage Manager\iaantmon.exe

C:\Program Files\Java\jre6\bin\jqs.exe

C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE

C:\Program Files\Microsoft LifeCam\MSCamS32.exe

C:\Program Files\Dell Support Center\bin\sprtsvc.exe

C:\WINDOWS\system32\svchost.exe

C:\Program Files\Symantec AntiVirus\Rtvscan.exe

C:\Program Files\Canon\CAL\CALMAIN.exe

C:\WINDOWS\system32\dllhost.exe

C:\WINDOWS\Explorer.EXE

C:\WINDOWS\ehome\ehtray.exe

C:\Program Files\Java\jre6\bin\jusched.exe

C:\WINDOWS\stsystra.exe

C:\Program Files\Intel\Intel Matrix Storage Manager\iaanotif.exe

C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe

C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe

C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe

C:\Program Files\Lexmark X74-X75\lxbbbmgr.exe

C:\Program Files\Adobe\Acrobat 7.0\Distillr\Acrotray.exe

C:\Program Files\Lexmark X74-X75\lxbbbmon.exe

C:\Program Files\Common Files\Symantec Shared\ccApp.exe

C:\PROGRA~1\SYMANT~1\VPTray.exe

C:\PROGRA~1\Yahoo!\YOP\yop.exe

C:\Program Files\dvd43\dvd43_tray.exe

C:\PROGRA~1\Yahoo!\browser\ybrwicon.exe

C:\WINDOWS\system32\dla\tfswctrl.exe

C:\Program Files\HP\HP Software Update\HPWuSchd2.exe

C:\Program Files\Common Files\Real\Update_OB\realsched.exe

C:\PROGRA~1\Yahoo!\browser\ycommon.exe

C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe

C:\Program Files\iTunes\iTunesHelper.exe

C:\Program Files\Dell Support Center\bin\sprtcmd.exe

C:\WINDOWS\eHome\ehmsas.exe

C:\WINDOWS\vVX6000.exe

C:\WINDOWS\system32\ctfmon.exe

C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe

C:\Program Files\DellSupport\DSAgnt.exe

C:\Program Files\The Weather Channel FW\Desktop\DesktopWeather.exe

C:\Program Files\Windows Live\Messenger\msnmsgr.exe

C:\Program Files\iPod\bin\iPodService.exe

C:\Program Files\Digital Line Detect\DLG.exe

C:\Program Files\FinePixViewer\QuickDCF2.exe

C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe

C:\PROGRA~1\Yahoo!\MESSEN~1\ymsgr_tray.exe

C:\Program Files\Sony Corporation\Image Transfer\SonyTray.exe

C:\Documents and Settings\All Users\Application Data\U3\U3Launcher\LaunchU3.exe

C:\Program Files\HP\Digital Imaging\bin\hpqimzone.exe

C:\Program Files\HP\Digital Imaging\bin\hpqSTE08.exe

C:\Program Files\Windows Live\Contacts\wlcomm.exe

C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://*.cinemanow.com

O16 - DPF: {0CCA191D-13A6-4E29-B746-314DEE697D83} (Facebook Photo Uploader 5 Control) - http://upload.facebook.com/controls/2008.1...toUploader5.cab

O16 - DPF: {193C772A-87BE-4B19-A7BB-445B226FE9A1} (ewidoOnlineScan Control) - http://download.ewido.net/ewidoOnlineScan.cab

O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (Installation Support) - C:\Program Files\Yahoo!\Common\Yinsthelper.dll

O16 - DPF: {406B5949-7190-4245-91A9-30A17DE16AD0} (Snapfish Activia) - http://www1.snapfish.com/SnapfishActivia.cab

O16 - DPF: {4871A87A-BFDD-4106-8153-FFDE2BAC2967} (DLM Control) - http://dlm.tools.akamai.com/dlmanager/vers...vex-2.2.4.1.cab

O16 - DPF: {5ED80217-570B-4DA9-BF44-BE107C0EC166} (Windows Live Safety Center Base Module) - http://cdn.scan.onecare.live.com/resource/...lscbase6662.cab

O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.microsoft.com/microsoftu...b?1179878299531

O16 - DPF: {75A6AEA3-F26E-4608-AE9B-8DA78C87576E} (Wizard101GameLauncher) - https://secure.footprint.net/kingsisle/stat...ameLauncher.CAB

O16 - DPF: {9600F64D-755F-11D4-A47F-0001023E6D5A} (Shutterfly Picture Upload Plugin) - http://web1.shutterfly.com/downloads/Uploader.cab

O16 - DPF: {A8683C98-5341-421B-B23C-8514C05354F1} (FujifilmUploader Class) - http://photo.walmart.com/photo/uploads/Fuj...ploadClient.cab

O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe

O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe

O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe

O23 - Service: Canon Camera Access Library 8 (CCALib8) - Canon Inc. - C:\Program Files\Canon\CAL\CALMAIN.exe

O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe

O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe

O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe

O23 - Service: CinemaNow Service - CinemaNow, Inc. - C:\Program Files\CinemaNow\CinemaNow Media Manager\CinemanowSvc.exe

O23 - Service: Symantec AntiVirus Definition Watcher (DefWatch) - Symantec Corporation - C:\Program Files\Symantec AntiVirus\DefWatch.exe

O23 - Service: DSBrokerService - Unknown owner - C:\Program Files\DellSupport\brkrsvc.exe

O23 - Service: GameConsoleService - WildTangent, Inc. - C:\Program Files\WildTangent\Apps\Dell Game Console\GameConsoleService.exe

O23 - Service: Google Desktop Manager 5.7.806.10245 (GoogleDesktopManager-061008-081103) - Google - C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe

O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe

O23 - Service: Intel® Matrix Storage Event Monitor (IAANTMon) - Intel Corporation - C:\Program Files\Intel\Intel Matrix Storage Manager\iaantmon.exe

O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe

O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe

O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe

O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE

O23 - Service: Intel NCS NetService (NetSvc) - Intel® Corporation - C:\Program Files\Intel\PROSetWired\NCS\Sync\NetSvc.exe

O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe

O23 - Service: SAVRoam (SavRoam) - symantec - C:\Program Files\Symantec AntiVirus\SavRoam.exe

O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe

O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe

O23 - Service: SupportSoft Sprocket Service (dellsupportcenter) (sprtsvc_dellsupportcenter) - SupportSoft, Inc. - C:\Program Files\Dell Support Center\bin\sprtsvc.exe

O23 - Service: Symantec AntiVirus - Symantec Corporation - C:\Program Files\Symantec AntiVirus\Rtvscan.exe

O23 - Service: YPCService - Yahoo! Inc. - C:\WINDOWS\system32\YPCSER~1.EXE

--

End of file - 18434 bytes


Everything looks good.

Go start > run and type in combofix /u and press OK to remove Combofix.

Are you still having any problems?


I think it's finally gone!!! Everything started up fine this morning. You are AWESOME! Thank you so much for your help...


Hi Tigger. I got a funny message a little while ago... It said, "The device driver for the 'Terminal Server Keyboard Driver' device is preventing the machine from entering standby...." Could this be from something that we've done? If so, is it an easy fix? I'm soooooo clueless!


Not sure on that error, but it's not malware related. Best to ask in the PC help forum.


Bad news... I ran a Malwarebytes' scan a few minutes ago and came up with the vundo virus again. I've listed the Malwarebytes' log and the HJT log below.

Malwarebytes' log:

Malwarebytes' Anti-Malware 1.34

Database version: 1849

Windows 5.1.2600 Service Pack 3

3/16/2009 5:26:35 PM

mbam-log-2009-03-16 (17-26-25).txt

Scan type: Quick Scan

Objects scanned: 79377

Time elapsed: 4 minute(s), 37 second(s)

Memory Processes Infected: 0

Memory Modules Infected: 0

Registry Keys Infected: 0

Registry Values Infected: 3

Registry Data Items Infected: 0

Folders Infected: 0

Files Infected: 0

Memory Processes Infected:

(No malicious items detected)

Memory Modules Infected:

(No malicious items detected)

Registry Keys Infected:

(No malicious items detected)

Registry Values Infected:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\bilibokasi (Trojan.Vundo.H) -> No action taken.

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\cpm07c5a006 (Trojan.Vundo.H) -> No action taken.

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\ssodl (Trojan.BHO) -> No action taken.

Registry Data Items Infected:

(No malicious items detected)

Folders Infected:

(No malicious items detected)

Files Infected:

(No malicious items detected)

HJT log:

Logfile of Trend Micro HijackThis v2.0.2

Scan saved at 5:29:56 PM, on 3/16/2009

Platform: Windows XP SP3 (WinNT 5.01.2600)

MSIE: Internet Explorer v7.00 (7.00.6000.16791)

Boot mode: Normal

Running processes:

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\system32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\system32\Ati2evxx.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe

C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe

C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe

C:\WINDOWS\system32\LEXBCES.EXE

C:\WINDOWS\system32\spoolsv.exe

C:\WINDOWS\system32\LEXPPS.EXE

C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe

C:\Program Files\Bonjour\mDNSResponder.exe

C:\Program Files\CinemaNow\CinemaNow Media Manager\CinemanowSvc.exe

C:\Program Files\Symantec AntiVirus\DefWatch.exe

C:\WINDOWS\eHome\ehRecvr.exe

C:\WINDOWS\eHome\ehSched.exe

C:\Program Files\Intel\Intel Matrix Storage Manager\iaantmon.exe

C:\Program Files\Java\jre6\bin\jqs.exe

C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE

C:\Program Files\Microsoft LifeCam\MSCamS32.exe

C:\WINDOWS\Explorer.EXE

C:\Program Files\Dell Support Center\bin\sprtsvc.exe

C:\WINDOWS\system32\svchost.exe

C:\Program Files\Symantec AntiVirus\Rtvscan.exe

C:\Program Files\Canon\CAL\CALMAIN.exe

C:\WINDOWS\system32\dllhost.exe

C:\WINDOWS\ehome\ehtray.exe

C:\Program Files\Java\jre6\bin\jusched.exe

C:\WINDOWS\stsystra.exe

C:\Program Files\Intel\Intel Matrix Storage Manager\iaanotif.exe

C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe

C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe

C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe

C:\Program Files\Lexmark X74-X75\lxbbbmgr.exe

C:\Program Files\Adobe\Acrobat 7.0\Distillr\Acrotray.exe

C:\Program Files\Lexmark X74-X75\lxbbbmon.exe

C:\Program Files\Common Files\Symantec Shared\ccApp.exe

C:\PROGRA~1\SYMANT~1\VPTray.exe

C:\WINDOWS\eHome\ehmsas.exe

C:\PROGRA~1\Yahoo!\YOP\yop.exe

C:\Program Files\dvd43\dvd43_tray.exe

C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe

C:\PROGRA~1\Yahoo!\browser\ybrwicon.exe

C:\WINDOWS\system32\dla\tfswctrl.exe

C:\Program Files\HP\HP Software Update\HPWuSchd2.exe

C:\Program Files\Common Files\Real\Update_OB\realsched.exe

C:\PROGRA~1\Yahoo!\browser\ycommon.exe

C:\Program Files\iTunes\iTunesHelper.exe

C:\Program Files\Dell Support Center\bin\sprtcmd.exe

C:\WINDOWS\system32\ctfmon.exe

C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe

C:\Program Files\DellSupport\DSAgnt.exe

C:\Program Files\Windows Live\Messenger\msnmsgr.exe

C:\Program Files\iPod\bin\iPodService.exe

C:\PROGRA~1\Yahoo!\MESSEN~1\ymsgr_tray.exe

C:\Program Files\Digital Line Detect\DLG.exe

C:\Program Files\FinePixViewer\QuickDCF2.exe

C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe

C:\Program Files\Sony Corporation\Image Transfer\SonyTray.exe

C:\Program Files\HP\Digital Imaging\bin\hpqimzone.exe

C:\Documents and Settings\All Users\Application Data\U3\U3Launcher\LaunchU3.exe

C:\Program Files\Windows Live\Contacts\wlcomm.exe

C:\Program Files\HP\Digital Imaging\bin\hpqSTE08.exe

C:\Program Files\Qualcomm\Eudora\Eudora.exe

C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe

C:\Program Files\Malwarebytes' Anti-Malware\mbam.exe

C:\PROGRA~1\Yahoo!\browser\ybrowser.exe

C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://*.cinemanow.com

O16 - DPF: {0CCA191D-13A6-4E29-B746-314DEE697D83} (Facebook Photo Uploader 5 Control) - http://upload.facebook.com/controls/2008.1...toUploader5.cab

O16 - DPF: {193C772A-87BE-4B19-A7BB-445B226FE9A1} (ewidoOnlineScan Control) - http://download.ewido.net/ewidoOnlineScan.cab

O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (Installation Support) - C:\Program Files\Yahoo!\Common\Yinsthelper.dll

O16 - DPF: {406B5949-7190-4245-91A9-30A17DE16AD0} (Snapfish Activia) - http://www1.snapfish.com/SnapfishActivia.cab

O16 - DPF: {4871A87A-BFDD-4106-8153-FFDE2BAC2967} (DLM Control) - http://dlm.tools.akamai.com/dlmanager/vers...vex-2.2.4.1.cab

O16 - DPF: {5ED80217-570B-4DA9-BF44-BE107C0EC166} (Windows Live Safety Center Base Module) - http://cdn.scan.onecare.live.com/resource/...lscbase6662.cab

O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.microsoft.com/microsoftu...b?1179878299531

O16 - DPF: {75A6AEA3-F26E-4608-AE9B-8DA78C87576E} (Wizard101GameLauncher) - https://secure.footprint.net/kingsisle/stat...ameLauncher.CAB

O16 - DPF: {9600F64D-755F-11D4-A47F-0001023E6D5A} (Shutterfly Picture Upload Plugin) - http://web1.shutterfly.com/downloads/Uploader.cab

O16 - DPF: {A8683C98-5341-421B-B23C-8514C05354F1} (FujifilmUploader Class) - http://photo.walmart.com/photo/uploads/Fuj...ploadClient.cab

O16 - DPF: {CF40ACC5-E1BB-4AFF-AC72-04C2F616BCA7} -

O21 - SSODL: SSODL - {EC43E3FD-5C60-46a6-97D7-E0B85DBDD6C4} - (no file)

O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe

O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe

O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe

O23 - Service: Canon Camera Access Library 8 (CCALib8) - Canon Inc. - C:\Program Files\Canon\CAL\CALMAIN.exe

O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe

O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe

O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe

O23 - Service: CinemaNow Service - CinemaNow, Inc. - C:\Program Files\CinemaNow\CinemaNow Media Manager\CinemanowSvc.exe

O23 - Service: Symantec AntiVirus Definition Watcher (DefWatch) - Symantec Corporation - C:\Program Files\Symantec AntiVirus\DefWatch.exe

O23 - Service: DSBrokerService - Unknown owner - C:\Program Files\DellSupport\brkrsvc.exe

O23 - Service: GameConsoleService - WildTangent, Inc. - C:\Program Files\WildTangent\Apps\Dell Game Console\GameConsoleService.exe

O23 - Service: Google Desktop Manager 5.7.806.10245 (GoogleDesktopManager-061008-081103) - Google - C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe

O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe

O23 - Service: Intel® Matrix Storage Event Monitor (IAANTMon) - Intel Corporation - C:\Program Files\Intel\Intel Matrix Storage Manager\iaantmon.exe

O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe

O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe

O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe

O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE

O23 - Service: Intel NCS NetService (NetSvc) - Intel® Corporation - C:\Program Files\Intel\PROSetWired\NCS\Sync\NetSvc.exe

O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe

O23 - Service: SAVRoam (SavRoam) - symantec - C:\Program Files\Symantec AntiVirus\SavRoam.exe

O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe

O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe

O23 - Service: SupportSoft Sprocket Service (dellsupportcenter) (sprtsvc_dellsupportcenter) - SupportSoft, Inc. - C:\Program Files\Dell Support Center\bin\sprtsvc.exe

O23 - Service: Symantec AntiVirus - Symantec Corporation - C:\Program Files\Symantec AntiVirus\Rtvscan.exe

O23 - Service: YPCService - Yahoo! Inc. - C:\WINDOWS\system32\YPCSER~1.EXE

--

End of file - 18925 bytes


While TeaTimer is an excellent tool for the prevention of spyware, it can sometimes prevent HijackThis from fixing certain things.

Please disable TeaTimer for now until you are clean. TeaTimer can be re-activated once your HijackThis log is clean.

  • Open Spybot Search & Destroy.
  • In the Mode menu click "Advanced mode" if not already selected.
  • Choose "Yes" at the Warning prompt.
  • Expand the "Tools" menu.
  • Click "Resident".
  • Uncheck the "Resident "TeaTimer" (Protection of overall system settings) active." box.
  • In the File menu click "Exit" to exit Spybot Search & Destroy.

Then delete your current copy of Combofix, download a fresh copy and post the new log it produces.


I'm sorry if I caused this. I thought the virus was gone and reactivated the TeaTimer this morning. Below is the log I got from ComboFix. Thank you for your additional help.

ComboFix 09-03-15.01 - Stacey Kuhar 2009-03-16 17:58:22.3 - NTFSx86

Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.1022.390 [GMT -4:00]

Running from: c:\documents and settings\Stacey Kuhar\Desktop\ComboFix.exe

AV: Symantec AntiVirus Corporate Edition *On-access scanning enabled* (Updated)

* Created a new restore point

.

((((((((((((((((((((((((( Files Created from 2009-02-16 to 2009-03-16 )))))))))))))))))))))))))))))))

.

2009-08-05 16:58 . 2009-08-05 16:58 <DIR> d-------- c:\documents and settings\All Users\Application Data\SupportSoft

2009-08-05 16:57 . 2009-08-05 16:57 <DIR> d-------- c:\program files\Dell Support Center

2009-08-05 16:57 . 2009-08-05 16:57 <DIR> d-------- c:\program files\Common Files\supportsoft

2009-08-02 22:57 . 2009-08-02 22:57 <DIR> d-------- c:\program files\Apple Software Update

2009-08-02 22:54 . 2009-08-02 22:55 <DIR> d-------- c:\program files\iTunes

2009-08-02 22:52 . 2009-08-02 22:52 <DIR> d-------- c:\program files\Bonjour

2009-08-02 22:51 . 2009-08-02 22:52 <DIR> d-------- c:\program files\QuickTime

2009-03-15 15:02 . 2009-03-15 15:02 <DIR> d-------- c:\program files\Common Files\Adobe AIR

2009-03-15 14:54 . 2009-03-15 15:07 <DIR> d-------- c:\program files\NOS

2009-03-15 14:54 . 2009-03-15 15:07 <DIR> d-------- c:\documents and settings\All Users\Application Data\NOS

2009-03-14 21:34 . 2009-03-14 21:34 <DIR> d-------- c:\program files\Trend Micro

2009-03-14 20:25 . 2009-03-14 20:25 <DIR> d-------- c:\program files\Malwarebytes' Anti-Malware

2009-03-14 20:25 . 2009-02-11 10:19 38,496 --a------ c:\windows\system32\drivers\mbamswissarmy.sys

2009-03-14 20:25 . 2009-02-11 10:19 15,504 --a------ c:\windows\system32\drivers\mbam.sys

2009-03-14 18:40 . 2009-03-14 18:39 410,984 --a------ c:\windows\system32\deploytk.dll

2009-03-14 18:40 . 2009-03-14 18:39 73,728 --a------ c:\windows\system32\javacpl.cpl

2009-03-10 19:15 . 2009-03-10 19:15 <DIR> d-------- c:\documents and settings\All Users\Application Data\U3

2009-03-10 15:27 . 2009-03-13 09:12 <DIR> d-------- c:\windows\system32\NtmsData

2009-03-10 15:19 . 2009-03-14 15:30 <DIR> d-------- c:\documents and settings\Stacey Kuhar\Application Data\U3

2009-03-10 07:05 . 2009-03-10 07:05 0 --a------ c:\windows\PTWebCam.INI

2009-03-09 16:32 . 2009-03-09 16:32 <DIR> d-------- c:\documents and settings\Stacey Kuhar\Application Data\Malwarebytes

2009-03-09 16:32 . 2009-03-09 16:32 <DIR> d-------- c:\documents and settings\All Users\Application Data\Malwarebytes

2009-03-04 20:04 . 2009-03-04 20:05 <DIR> d-------- c:\documents and settings\All Users\Application Data\CinemaNow

2009-03-04 20:04 . 2005-09-28 15:46 1,184,984 --a------ c:\windows\system32\wvc1dmod.dll

2009-03-04 20:02 . 2009-03-04 20:02 <DIR> d-------- c:\program files\CinemaNow

2009-02-16 12:01 . 2009-02-16 12:09 6,488 --a------ c:\documents and settings\All Users\Application Data\ypinfo.bin

.

(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

.

2009-08-03 02:54 --------- d-----w c:\program files\iPod

2009-03-16 22:01 --------- d-----w c:\program files\Symantec AntiVirus

2009-03-15 19:01 --------- d-----w c:\program files\Common Files\Adobe

2009-03-14 22:39 --------- d-----w c:\program files\Java

2009-03-14 21:39 --------- d-----w c:\program files\Spybot - Search & Destroy

2009-03-14 21:33 --------- d-----w c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy

2009-03-14 17:35 --------- d-----w c:\documents and settings\All Users\Application Data\McAfee

2009-03-10 12:31 --------- d-----w c:\program files\Google

2009-03-08 12:25 --------- d-----w c:\documents and settings\All Users\Application Data\Skype

2009-03-08 12:16 --------- d-----w c:\documents and settings\Stacey Kuhar\Application Data\skypePM

2009-03-02 14:27 --------- d-----w c:\program files\Microsoft Silverlight

2009-02-17 12:33 --------- d-----w c:\documents and settings\All Users\Application Data\DVD Shrink

2009-02-16 20:06 --------- d-----w c:\program files\ewido anti-malware

2009-02-16 16:16 --------- d-----w c:\documents and settings\Stacey Kuhar\Application Data\Yahoo!

2009-02-13 22:20 --------- d-----w c:\program files\Windows Live

2009-02-13 22:19 --------- d-----w c:\program files\Microsoft

2009-02-13 22:18 --------- d-----w c:\program files\Windows Live SkyDrive

2009-02-13 22:06 --------- d-----w c:\program files\Common Files\Windows Live

2009-02-13 22:03 --------- d-----w c:\program files\Microsoft LifeCam

2009-02-13 21:29 --------- d-----w c:\program files\MSBuild

2009-02-13 21:24 --------- d-----w c:\program files\Reference Assemblies

2009-01-16 19:03 --------- d-----w c:\documents and settings\Stacey Kuhar\Application Data\Move Networks

2007-08-09 22:18 251 ----a-w c:\program files\wt3d.ini

2006-08-07 00:48 3,350 --sha-w c:\windows\system32\KGyGaAvL.sys

2008-09-20 12:48 32,768 --sha-w c:\windows\system32\config\systemprofile\Local Settings\History\History.IE5\MSHist012008092020080921\index.dat

.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))

.

.

*Note* empty entries & legit default entries are not shown

REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-13 15360]

"Yahoo! Pager"="c:\progra~1\Yahoo!\MESSEN~1\YAHOOM~1.EXE" [2006-10-30 4662776]

"swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2007-06-18 68856]

"DellSupport"="c:\program files\DellSupport\DSAgnt.exe" [2007-03-15 460784]

"DW6"="c:\program files\The Weather Channel FW\Desktop\DesktopWeather.exe" [2008-06-10 785520]

"DellSupportCenter"="c:\program files\Dell Support Center\bin\sprtcmd.exe" [2008-08-13 206064]

"msnmsgr"="c:\program files\Windows Live\Messenger\msnmsgr.exe" [2009-02-06 3885408]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"ehTray"="c:\windows\ehome\ehtray.exe" [2005-09-29 67584]

"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2009-03-14 136600]

"IAAnotif"="c:\program files\Intel\Intel Matrix Storage Manager\iaanotif.exe" [2005-06-17 139264]

"ATIPTA"="c:\program files\ATI Technologies\ATI Control Panel\atiptaxx.exe" [2005-08-05 344064]

"DVDLauncher"="c:\program files\CyberLink\PowerDVD\DVDLauncher.exe" [2005-02-23 53248]

"ISUSPM Startup"="c:\program files\Common Files\InstallShield\UpdateService\isuspm.exe" [2005-06-10 249856]

"ISUSScheduler"="c:\program files\Common Files\InstallShield\UpdateService\issch.exe" [2005-06-10 81920]

"Google Desktop Search"="c:\program files\Google\Google Desktop Search\GoogleDesktop.exe" [2008-09-04 29744]

"Lexmark X74-X75"="c:\program files\Lexmark X74-X75\lxbbbmgr.exe" [2002-06-24 57344]

"Acrobat Assistant 7.0"="c:\program files\Adobe\Acrobat 7.0\Distillr\Acrotray.exe" [2008-04-23 483328]

"MSKDetectorExe"="c:\program files\McAfee\SpamKiller\MSKDetct.exe" [2005-07-12 1117184]

"ccApp"="c:\program files\Common Files\Symantec Shared\ccApp.exe" [2005-12-21 48800]

"vptray"="c:\progra~1\SYMANT~1\VPTray.exe" [2005-12-21 85744]

"YOP"="c:\progra~1\Yahoo!\YOP\yop.exe" [2005-06-17 401408]

"dvd43"="c:\program files\dvd43\dvd43_tray.exe" [2005-12-05 691200]

"NeroFilterCheck"="c:\windows\system32\NeroCheck.exe" [2001-07-09 155648]

"YBrowser"="c:\progra~1\Yahoo!\browser\ybrwicon.exe" [2006-07-21 129536]

"dla"="c:\windows\system32\dla\tfswctrl.exe" [2005-05-31 122941]

"HPHUPD08"="c:\program files\HP\Digital Imaging\{33D6CC28-9F75-4d1b-A11D-98895B3A3729}\hphupd08.exe" [2005-06-01 49152]

"HP Software Update"="c:\program files\HP\HP Software Update\HPWuSchd2.exe" [2005-05-11 49152]

"TkBellExe"="c:\program files\Common Files\Real\Update_OB\realsched.exe" [2006-08-25 180269]

"AppleSyncNotifier"="c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleSyncNotifier.exe" [2008-07-22 116040]

"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2008-05-27 413696]

"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2008-07-30 289064]

"dscactivate"="c:\program files\Dell Support Center\gs_agent\custom\dsca.exe" [2007-11-15 16384]

"DellSupportCenter"="c:\program files\Dell Support Center\bin\sprtcmd.exe" [2008-08-13 206064]

"REGSHAVE"="c:\program files\REGSHAVE\REGSHAVE.EXE" [2002-02-04 53248]

"LifeCam"="c:\program files\Microsoft LifeCam\LifeExp.exe" [2008-08-04 160800]

"VX6000"="c:\windows\vVX6000.exe" [2008-08-04 713744]

"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2009-02-27 35696]

"SigmatelSysTrayApp"="stsystra.exe" [2005-03-23 c:\windows\stsystra.exe]

c:\documents and settings\Stacey Kuhar\Start Menu\Programs\Startup\

LaunchU3.exe.lnk - c:\documents and settings\Stacey Kuhar\Application Data\Microsoft\Installer\{D8E363A7-88B7-446D-B2C0-E26CE4DC8E54}\_294823.exe [2009-03-10 22486]

c:\documents and settings\All Users\Start Menu\Programs\Startup\

Adobe Acrobat Speed Launcher.lnk - c:\windows\Installer\{AC76BA86-1033-0000-7760-100000000002}\SC_Acrobat.exe [2006-01-15 25214]

Adobe Gamma Loader.exe.lnk - c:\program files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe [2006-01-15 113664]

Digital Line Detect.lnk - c:\program files\Digital Line Detect\DLG.exe [2006-01-07 24576]

ExifLauncher2.lnk - c:\program files\FinePixViewer\QuickDCF2.exe [2008-09-20 303104]

HP Digital Imaging Monitor.lnk - c:\program files\HP\Digital Imaging\bin\hpqtra08.exe [2005-05-11 282624]

HP Image Zone Fast Start.lnk - c:\program files\HP\Digital Imaging\bin\hpqthb08.exe [2005-05-12 73728]

Image Transfer.lnk - c:\program files\Sony Corporation\Image Transfer\SonyTray.exe [2006-01-17 73728]

QuickBooks Update Agent.lnk - c:\program files\Common Files\Intuit\QuickBooks\QBUpdate\qbupdate.exe [2004-11-11 806912]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]

"VIDC.JDCT"= jl_jdct.drv

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]

"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]

"%windir%\\system32\\sessmgr.exe"=

"c:\\Program Files\\Yahoo!\\Messenger\\YServer.exe"=

"c:\\PROGRA~1\\Yahoo!\\MESSEN~1\\Yserver.exe"= c:\\Program Files\\Yahoo!\\Messenger\\YServer.exe

"c:\\Program Files\\Messenger\\msmsgs.exe"=

"c:\\Program Files\\Yahoo!\\Yahoo! Music Engine\\YahooMusicEngine.exe"=

"c:\\Program Files\\HP\\HP Software Update\\HPWUCli.exe"=

"%windir%\\Network Diagnostic\\xpnetdiag.exe"=

"c:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe"=

"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=

"c:\\Program Files\\iTunes\\iTunes.exe"=

"c:\\Program Files\\Microsoft Games\\Age of Mythology\\aom.exe"=

"c:\\WINDOWS\\ehome\\ehrecvr.exe"=

"c:\\Program Files\\Common Files\\Symantec Shared\\ccSetMgr.exe"=

"c:\\Program Files\\Microsoft LifeCam\\LifeCam.exe"=

"c:\\Program Files\\Microsoft LifeCam\\LifeEnC2.exe"=

"c:\\Program Files\\Microsoft LifeCam\\LifeExp.exe"=

"c:\\Program Files\\Microsoft LifeCam\\LifeTray.exe"=

"c:\\Program Files\\Windows Live\\Messenger\\wlcsdk.exe"=

"c:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=

"c:\\Program Files\\CinemaNow\\CinemaNow Media Manager\\CinemaNowShell.exe"=

R1 ATMhelpr;ATMhelpr;c:\windows\system32\drivers\ATMHELPR.SYS [2006-01-16 4064]

R2 CinemaNow Service;CinemaNow Service;c:\program files\CinemaNow\CinemaNow Media Manager\CinemaNowSvc.exe [2009-01-30 125304]

R3 EraserUtilRebootDrv;EraserUtilRebootDrv;c:\program files\Common Files\Symantec Shared\EENGINE\EraserUtilRebootDrv.sys [2009-02-27 101936]

R3 VX6000;Microsoft LifeCam VX-6000;c:\windows\system32\drivers\VX6000Xp.sys [2009-02-13 2077840]

S3 GoogleDesktopManager-061008-081103;Google Desktop Manager 5.7.806.10245;c:\program files\Google\Google Desktop Search\GoogleDesktop.exe [2006-01-07 29744]

S3 SavRoam;SAVRoam;c:\program files\Symantec AntiVirus\SavRoam.exe [2005-12-21 169200]

.

Contents of the 'Scheduled Tasks' folder

2009-08-03 c:\windows\Tasks\AppleSoftwareUpdate.job

- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 12:34]

2009-02-13 c:\windows\Tasks\Microsoft_Hardware_Launch_vVX6000_exe.job

- c:\windows\vVX6000.exe [2008-08-04 17:22]

.

- - - - ORPHANS REMOVED - - - -

HKLM-Run-bilibokasi - c:\windows\system32\fimijeza.dll

HKLM-Run-CPM07c5a006 - c:\windows\system32\suluyeba.dll

.

------- Supplementary Scan -------

.

uStart Page = hxxp://verizon.yahoo.com

uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8

mStart Page = hxxp://verizon.yahoo.com

mSearch Bar = hxxp://red.clientapps.yahoo.com/customize/ie/defaults/sb/verizon/*http://www.yahoo.com/search/ie.html

uInternet Connection Wizard,ShellNext = iexplore

uInternet Settings,ProxyOverride = *.local

uSearchURL,(Default) = hxxp://red.clientapps.yahoo.com/customize/ie/defaults/su/verizon/*http://www.yahoo.com

IE: Convert link target to Adobe PDF - c:\program files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html

IE: Convert link target to existing PDF - c:\program files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html

IE: Convert selected links to Adobe PDF - c:\program files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html

IE: Convert selected links to existing PDF - c:\program files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html

IE: Convert selection to Adobe PDF - c:\program files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html

IE: Convert selection to existing PDF - c:\program files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html

IE: Convert to Adobe PDF - c:\program files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html

IE: Convert to existing PDF - c:\program files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html

IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~4\OFFICE11\EXCEL.EXE/3000

Trusted Zone: cinemanow.com

DPF: {193C772A-87BE-4B19-A7BB-445B226FE9A1} - hxxp://download.ewido.net/ewidoOnlineScan.cab

DPF: {75A6AEA3-F26E-4608-AE9B-8DA78C87576E} - hxxps://secure.footprint.net/kingsisle/static/themes/wizard101A/activex/Wizard101GameLauncher.CAB

.

**************************************************************************

catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net

Rootkit scan 2009-03-16 18:02:56

Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully

hidden files: 0

**************************************************************************

.

Completion time: 2009-03-16 18:05:02

ComboFix-quarantined-files.txt 2009-03-16 22:04:59

ComboFix2.txt 2009-03-15 17:58:11

Pre-Run: 64,258,977,792 bytes free

Post-Run: 64,254,177,280 bytes free

Current=3 Default=3 Failed=1 LastKnownGood=4 Sets=1,2,3,4

200 --- E O F --- 2009-03-12 22:02:51

While TeaTimer is an excellent tool for the prevention of spyware, it can sometimes prevent HijackThis from fixing certain things.

Please disable TeaTimer for now until you are clean. TeaTimer can be re-activated once your HijackThis log is clean.

  • Open Spybot Search & Destroy.
  • In the Mode menu click "Advanced mode" if not already selected.
  • Choose "Yes" at the Warning prompt.
  • Expand the "Tools" menu.
  • Click "Resident".
  • Uncheck the "Resident "TeaTimer" (Protection of overall system settings) active." box.
  • In the File menu click "Exit" to exit Spybot Search & Destroy.

Then delete your current copy of Combofix, download a fresh copy and post the new log it produces.


Well I don't see anything. Let's run a quick rootkit scan to make sure there isn't one hiding.

Download GMER from here:

  1. Unzip it to the desktop.
  2. Open the program and click on the Rootkit tab.
  3. Make sure all the boxes on the right of the screen are checked, EXCEPT for Show All.
  4. Click on Scan.
  5. When the scan has run click Copy and paste the results (if any) into this thread.


Thanks Tigger. I also ran a scan on Spybot S&D last night and came up with the virtumonde.prx listing again. Here's a copy of the GMER log:

GMER 1.0.15.14939 - http://www.gmer.net

Rootkit scan 2009-03-17 10:13:18

Windows 5.1.2600 Service Pack 3

---- System - GMER 1.0.15 ----

SSDT 866A4450 ZwConnectPort

SSDT \??\C:\Program Files\Symantec\SYMEVENT.SYS (Symantec Event Library/Symantec Corporation) ZwDeleteValueKey [0xEEA04DC0]

SSDT 869E82B0 ZwDuplicateObject

SSDT 8682C008 ZwOpenProcess

SSDT 868E5078 ZwOpenThread

SSDT \??\C:\Program Files\Symantec\SYMEVENT.SYS (Symantec Event Library/Symantec Corporation) ZwSetValueKey [0xEEA05020]

---- User code sections - GMER 1.0.15 ----

.text C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe[2232] kernel32.dll!ExitProcess 7C81CAFA 5 Bytes JMP 05052422 C:\Program Files\Google\Google Desktop Search\GoogleServices.DLL (Google Desktop/Google)

.text C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe[2232] USER32.dll!MessageBoxA 7E4507EA 5 Bytes JMP 050523CC C:\Program Files\Google\Google Desktop Search\GoogleServices.DLL (Google Desktop/Google)

.text C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe[2232] USER32.dll!MessageBoxW 7E466534 5 Bytes JMP 050523F7 C:\Program Files\Google\Google Desktop Search\GoogleServices.DLL (Google Desktop/Google)

---- User IAT/EAT - GMER 1.0.15 ----

IAT C:\PROGRA~1\Yahoo!\YOP\yop.exe[2268] @ C:\WINDOWS\system32\USER32.dll [KERNEL32.dll!LoadLibraryExW] [63602B3E] C:\Program Files\Yahoo!\Shared\ybskin2.dll (Yahoo! Skinning Object/Yahoo! Inc.)

IAT C:\PROGRA~1\Yahoo!\YOP\yop.exe[2268] @ C:\WINDOWS\system32\USER32.dll [KERNEL32.dll!LoadLibraryA] [63602A5B] C:\Program Files\Yahoo!\Shared\ybskin2.dll (Yahoo! Skinning Object/Yahoo! Inc.)

IAT C:\PROGRA~1\Yahoo!\YOP\yop.exe[2268] @ C:\WINDOWS\system32\USER32.dll [KERNEL32.dll!GetProcAddress] [63602441] C:\Program Files\Yahoo!\Shared\ybskin2.dll (Yahoo! Skinning Object/Yahoo! Inc.)

IAT C:\PROGRA~1\Yahoo!\YOP\yop.exe[2268] @ C:\WINDOWS\system32\USER32.dll [KERNEL32.dll!LoadLibraryW] [63602AA2] C:\Program Files\Yahoo!\Shared\ybskin2.dll (Yahoo! Skinning Object/Yahoo! Inc.)

IAT C:\PROGRA~1\Yahoo!\YOP\yop.exe[2268] @ C:\WINDOWS\system32\GDI32.dll [KERNEL32.dll!LoadLibraryExW] [63602B3E] C:\Program Files\Yahoo!\Shared\ybskin2.dll (Yahoo! Skinning Object/Yahoo! Inc.)

IAT C:\PROGRA~1\Yahoo!\YOP\yop.exe[2268] @ C:\WINDOWS\system32\GDI32.dll [KERNEL32.dll!LoadLibraryA] [63602A5B] C:\Program Files\Yahoo!\Shared\ybskin2.dll (Yahoo! Skinning Object/Yahoo! Inc.)

IAT C:\PROGRA~1\Yahoo!\YOP\yop.exe[2268] @ C:\WINDOWS\system32\GDI32.dll [KERNEL32.dll!GetProcAddress] [63602441] C:\Program Files\Yahoo!\Shared\ybskin2.dll (Yahoo! Skinning Object/Yahoo! Inc.)

IAT C:\PROGRA~1\Yahoo!\YOP\yop.exe[2268] @ C:\WINDOWS\system32\GDI32.dll [KERNEL32.dll!LoadLibraryW] [63602AA2] C:\Program Files\Yahoo!\Shared\ybskin2.dll (Yahoo! Skinning Object/Yahoo! Inc.)

IAT C:\PROGRA~1\Yahoo!\YOP\yop.exe[2268] @ C:\WINDOWS\system32\SHELL32.dll [KERNEL32.dll!LoadLibraryA] [63602A5B] C:\Program Files\Yahoo!\Shared\ybskin2.dll (Yahoo! Skinning Object/Yahoo! Inc.)

IAT C:\PROGRA~1\Yahoo!\YOP\yop.exe[2268] @ C:\WINDOWS\system32\SHELL32.dll [KERNEL32.dll!LoadLibraryW] [63602AA2] C:\Program Files\Yahoo!\Shared\ybskin2.dll (Yahoo! Skinning Object/Yahoo! Inc.)

IAT C:\PROGRA~1\Yahoo!\YOP\yop.exe[2268] @ C:\WINDOWS\system32\SHELL32.dll [KERNEL32.dll!GetProcAddress] [63602441] C:\Program Files\Yahoo!\Shared\ybskin2.dll (Yahoo! Skinning Object/Yahoo! Inc.)

IAT C:\PROGRA~1\Yahoo!\YOP\yop.exe[2268] @ C:\WINDOWS\system32\SHELL32.dll [KERNEL32.dll!LoadLibraryExW] [63602B3E] C:\Program Files\Yahoo!\Shared\ybskin2.dll (Yahoo! Skinning Object/Yahoo! Inc.)

IAT C:\PROGRA~1\Yahoo!\YOP\yop.exe[2268] @ C:\WINDOWS\system32\SHELL32.dll [KERNEL32.dll!LoadLibraryExA] [63602AE9] C:\Program Files\Yahoo!\Shared\ybskin2.dll (Yahoo! Skinning Object/Yahoo! Inc.)

IAT C:\PROGRA~1\Yahoo!\YOP\yop.exe[2268] @ C:\WINDOWS\system32\SHELL32.dll [USER32.dll!AnimateWindow] [63601740] C:\Program Files\Yahoo!\Shared\ybskin2.dll (Yahoo! Skinning Object/Yahoo! Inc.)

IAT C:\PROGRA~1\Yahoo!\YOP\yop.exe[2268] @ C:\WINDOWS\system32\SHELL32.dll [USER32.dll!TrackPopupMenuEx] [636015EF] C:\Program Files\Yahoo!\Shared\ybskin2.dll (Yahoo! Skinning Object/Yahoo! Inc.)

IAT C:\PROGRA~1\Yahoo!\YOP\yop.exe[2268] @ C:\WINDOWS\system32\SHELL32.dll [USER32.dll!DefWindowProcA] [6360208F] C:\Program Files\Yahoo!\Shared\ybskin2.dll (Yahoo! Skinning Object/Yahoo! Inc.)

IAT C:\PROGRA~1\Yahoo!\YOP\yop.exe[2268] @ C:\WINDOWS\system32\SHELL32.dll [USER32.dll!GetSysColor] [63601FC4] C:\Program Files\Yahoo!\Shared\ybskin2.dll (Yahoo! Skinning Object/Yahoo! Inc.)

IAT C:\PROGRA~1\Yahoo!\YOP\yop.exe[2268] @ C:\WINDOWS\system32\SHELL32.dll [USER32.dll!DefWindowProcW] [63602065] C:\Program Files\Yahoo!\Shared\ybskin2.dll (Yahoo! Skinning Object/Yahoo! Inc.)

IAT C:\PROGRA~1\Yahoo!\YOP\yop.exe[2268] @ C:\WINDOWS\system32\SHELL32.dll [USER32.dll!TrackPopupMenu] [636015C8] C:\Program Files\Yahoo!\Shared\ybskin2.dll (Yahoo! Skinning Object/Yahoo! Inc.)

IAT C:\PROGRA~1\Yahoo!\YOP\yop.exe[2268] @ C:\WINDOWS\system32\SHLWAPI.dll [KERNEL32.dll!LoadLibraryExA] [63602AE9] C:\Program Files\Yahoo!\Shared\ybskin2.dll (Yahoo! Skinning Object/Yahoo! Inc.)

IAT C:\PROGRA~1\Yahoo!\YOP\yop.exe[2268] @ C:\WINDOWS\system32\SHLWAPI.dll [KERNEL32.dll!LoadLibraryExW] [63602B3E] C:\Program Files\Yahoo!\Shared\ybskin2.dll (Yahoo! Skinning Object/Yahoo! Inc.)

IAT C:\PROGRA~1\Yahoo!\YOP\yop.exe[2268] @ C:\WINDOWS\system32\SHLWAPI.dll [KERNEL32.dll!LoadLibraryW] [63602AA2] C:\Program Files\Yahoo!\Shared\ybskin2.dll (Yahoo! Skinning Object/Yahoo! Inc.)

IAT C:\PROGRA~1\Yahoo!\YOP\yop.exe[2268] @ C:\WINDOWS\system32\SHLWAPI.dll [KERNEL32.dll!LoadLibraryA] [63602A5B] C:\Program Files\Yahoo!\Shared\ybskin2.dll (Yahoo! Skinning Object/Yahoo! Inc.)

IAT C:\PROGRA~1\Yahoo!\YOP\yop.exe[2268] @ C:\WINDOWS\system32\SHLWAPI.dll [KERNEL32.dll!GetProcAddress] [63602441] C:\Program Files\Yahoo!\Shared\ybskin2.dll (Yahoo! Skinning Object/Yahoo! Inc.)

IAT C:\PROGRA~1\Yahoo!\YOP\yop.exe[2268] @ C:\WINDOWS\system32\SHLWAPI.dll [USER32.dll!DefWindowProcA] [6360208F] C:\Program Files\Yahoo!\Shared\ybskin2.dll (Yahoo! Skinning Object/Yahoo! Inc.)

IAT C:\PROGRA~1\Yahoo!\YOP\yop.exe[2268] @ C:\WINDOWS\system32\SHLWAPI.dll [USER32.dll!DefWindowProcW] [63602065] C:\Program Files\Yahoo!\Shared\ybskin2.dll (Yahoo! Skinning Object/Yahoo! Inc.)

IAT C:\PROGRA~1\Yahoo!\YOP\yop.exe[2268] @ C:\WINDOWS\system32\SHLWAPI.dll [USER32.dll!GetSysColor] [63601FC4] C:\Program Files\Yahoo!\Shared\ybskin2.dll (Yahoo! Skinning Object/Yahoo! Inc.)

IAT C:\PROGRA~1\Yahoo!\YOP\yop.exe[2268] @ C:\WINDOWS\system32\SHLWAPI.dll [USER32.dll!TrackPopupMenu] [636015C8] C:\Program Files\Yahoo!\Shared\ybskin2.dll (Yahoo! Skinning Object/Yahoo! Inc.)

IAT C:\PROGRA~1\Yahoo!\YOP\yop.exe[2268] @ C:\WINDOWS\system32\SHLWAPI.dll [USER32.dll!TrackPopupMenuEx] [636015EF] C:\Program Files\Yahoo!\Shared\ybskin2.dll (Yahoo! Skinning Object/Yahoo! Inc.)

IAT C:\PROGRA~1\Yahoo!\MESSEN~1\YAHOOM~1.EXE[5824] @ C:\WINDOWS\system32\GDI32.dll [KERNEL32.dll!LoadLibraryExW] [63602B3E] C:\Program Files\Yahoo!\Shared\ybskin2.dll (Yahoo! Skinning Object/Yahoo! Inc.)

IAT C:\PROGRA~1\Yahoo!\MESSEN~1\YAHOOM~1.EXE[5824] @ C:\WINDOWS\system32\GDI32.dll [KERNEL32.dll!LoadLibraryA] [63602A5B] C:\Program Files\Yahoo!\Shared\ybskin2.dll (Yahoo! Skinning Object/Yahoo! Inc.)

IAT C:\PROGRA~1\Yahoo!\MESSEN~1\YAHOOM~1.EXE[5824] @ C:\WINDOWS\system32\GDI32.dll [KERNEL32.dll!GetProcAddress] [63602441] C:\Program Files\Yahoo!\Shared\ybskin2.dll (Yahoo! Skinning Object/Yahoo! Inc.)

IAT C:\PROGRA~1\Yahoo!\MESSEN~1\YAHOOM~1.EXE[5824] @ C:\WINDOWS\system32\GDI32.dll [KERNEL32.dll!LoadLibraryW] [63602AA2] C:\Program Files\Yahoo!\Shared\ybskin2.dll (Yahoo! Skinning Object/Yahoo! Inc.)

IAT C:\PROGRA~1\Yahoo!\MESSEN~1\YAHOOM~1.EXE[5824] @ C:\WINDOWS\system32\USER32.dll [KERNEL32.dll!LoadLibraryExW] [63602B3E] C:\Program Files\Yahoo!\Shared\ybskin2.dll (Yahoo! Skinning Object/Yahoo! Inc.)

IAT C:\PROGRA~1\Yahoo!\MESSEN~1\YAHOOM~1.EXE[5824] @ C:\WINDOWS\system32\USER32.dll [KERNEL32.dll!LoadLibraryA] [63602A5B] C:\Program Files\Yahoo!\Shared\ybskin2.dll (Yahoo! Skinning Object/Yahoo! Inc.)

IAT C:\PROGRA~1\Yahoo!\MESSEN~1\YAHOOM~1.EXE[5824] @ C:\WINDOWS\system32\USER32.dll [KERNEL32.dll!GetProcAddress] [63602441] C:\Program Files\Yahoo!\Shared\ybskin2.dll (Yahoo! Skinning Object/Yahoo! Inc.)

IAT C:\PROGRA~1\Yahoo!\MESSEN~1\YAHOOM~1.EXE[5824] @ C:\WINDOWS\system32\USER32.dll [KERNEL32.dll!LoadLibraryW] [63602AA2] C:\Program Files\Yahoo!\Shared\ybskin2.dll (Yahoo! Skinning Object/Yahoo! Inc.)

IAT C:\PROGRA~1\Yahoo!\MESSEN~1\YAHOOM~1.EXE[5824] @ C:\WINDOWS\system32\SHLWAPI.dll [KERNEL32.dll!LoadLibraryExA] [63602AE9] C:\Program Files\Yahoo!\Shared\ybskin2.dll (Yahoo! Skinning Object/Yahoo! Inc.)

IAT C:\PROGRA~1\Yahoo!\MESSEN~1\YAHOOM~1.EXE[5824] @ C:\WINDOWS\system32\SHLWAPI.dll [KERNEL32.dll!LoadLibraryExW] [63602B3E] C:\Program Files\Yahoo!\Shared\ybskin2.dll (Yahoo! Skinning Object/Yahoo! Inc.)

IAT C:\PROGRA~1\Yahoo!\MESSEN~1\YAHOOM~1.EXE[5824] @ C:\WINDOWS\system32\SHLWAPI.dll [KERNEL32.dll!LoadLibraryW] [63602AA2] C:\Program Files\Yahoo!\Shared\ybskin2.dll (Yahoo! Skinning Object/Yahoo! Inc.)

IAT C:\PROGRA~1\Yahoo!\MESSEN~1\YAHOOM~1.EXE[5824] @ C:\WINDOWS\system32\SHLWAPI.dll [KERNEL32.dll!LoadLibraryA] [63602A5B] C:\Program Files\Yahoo!\Shared\ybskin2.dll (Yahoo! Skinning Object/Yahoo! Inc.)

IAT C:\PROGRA~1\Yahoo!\MESSEN~1\YAHOOM~1.EXE[5824] @ C:\WINDOWS\system32\SHLWAPI.dll [KERNEL32.dll!GetProcAddress] [63602441] C:\Program Files\Yahoo!\Shared\ybskin2.dll (Yahoo! Skinning Object/Yahoo! Inc.)

IAT C:\PROGRA~1\Yahoo!\MESSEN~1\YAHOOM~1.EXE[5824] @ C:\WINDOWS\system32\SHLWAPI.dll [USER32.dll!DefWindowProcA] [6360208F] C:\Program Files\Yahoo!\Shared\ybskin2.dll (Yahoo! Skinning Object/Yahoo! Inc.)

IAT C:\PROGRA~1\Yahoo!\MESSEN~1\YAHOOM~1.EXE[5824] @ C:\WINDOWS\system32\SHLWAPI.dll [USER32.dll!DefWindowProcW] [63602065] C:\Program Files\Yahoo!\Shared\ybskin2.dll (Yahoo! Skinning Object/Yahoo! Inc.)

IAT C:\PROGRA~1\Yahoo!\MESSEN~1\YAHOOM~1.EXE[5824] @ C:\WINDOWS\system32\SHLWAPI.dll [USER32.dll!GetSysColor] [63601FC4] C:\Program Files\Yahoo!\Shared\ybskin2.dll (Yahoo! Skinning Object/Yahoo! Inc.)

IAT C:\PROGRA~1\Yahoo!\MESSEN~1\YAHOOM~1.EXE[5824] @ C:\WINDOWS\system32\SHLWAPI.dll [USER32.dll!TrackPopupMenu] [636015C8] C:\Program Files\Yahoo!\Shared\ybskin2.dll (Yahoo! Skinning Object/Yahoo! Inc.)

IAT C:\PROGRA~1\Yahoo!\MESSEN~1\YAHOOM~1.EXE[5824] @ C:\WINDOWS\system32\SHLWAPI.dll [USER32.dll!TrackPopupMenuEx] [636015EF] C:\Program Files\Yahoo!\Shared\ybskin2.dll (Yahoo! Skinning Object/Yahoo! Inc.)

IAT C:\PROGRA~1\Yahoo!\MESSEN~1\YAHOOM~1.EXE[5824] @ C:\WINDOWS\system32\SHELL32.dll [KERNEL32.dll!LoadLibraryA] [63602A5B] C:\Program Files\Yahoo!\Shared\ybskin2.dll (Yahoo! Skinning Object/Yahoo! Inc.)

IAT C:\PROGRA~1\Yahoo!\MESSEN~1\YAHOOM~1.EXE[5824] @ C:\WINDOWS\system32\SHELL32.dll [KERNEL32.dll!LoadLibraryW] [63602AA2] C:\Program Files\Yahoo!\Shared\ybskin2.dll (Yahoo! Skinning Object/Yahoo! Inc.)

IAT C:\PROGRA~1\Yahoo!\MESSEN~1\YAHOOM~1.EXE[5824] @ C:\WINDOWS\system32\SHELL32.dll [KERNEL32.dll!GetProcAddress] [63602441] C:\Program Files\Yahoo!\Shared\ybskin2.dll (Yahoo! Skinning Object/Yahoo! Inc.)

IAT C:\PROGRA~1\Yahoo!\MESSEN~1\YAHOOM~1.EXE[5824] @ C:\WINDOWS\system32\SHELL32.dll [KERNEL32.dll!LoadLibraryExW] [63602B3E] C:\Program Files\Yahoo!\Shared\ybskin2.dll (Yahoo! Skinning Object/Yahoo! Inc.)

IAT C:\PROGRA~1\Yahoo!\MESSEN~1\YAHOOM~1.EXE[5824] @ C:\WINDOWS\system32\SHELL32.dll [KERNEL32.dll!LoadLibraryExA] [63602AE9] C:\Program Files\Yahoo!\Shared\ybskin2.dll (Yahoo! Skinning Object/Yahoo! Inc.)

IAT C:\PROGRA~1\Yahoo!\MESSEN~1\YAHOOM~1.EXE[5824] @ C:\WINDOWS\system32\SHELL32.dll [USER32.dll!AnimateWindow] [63601740] C:\Program Files\Yahoo!\Shared\ybskin2.dll (Yahoo! Skinning Object/Yahoo! Inc.)

IAT C:\PROGRA~1\Yahoo!\MESSEN~1\YAHOOM~1.EXE[5824] @ C:\WINDOWS\system32\SHELL32.dll [USER32.dll!TrackPopupMenuEx] [636015EF] C:\Program Files\Yahoo!\Shared\ybskin2.dll (Yahoo! Skinning Object/Yahoo! Inc.)

IAT C:\PROGRA~1\Yahoo!\MESSEN~1\YAHOOM~1.EXE[5824] @ C:\WINDOWS\system32\SHELL32.dll [USER32.dll!DefWindowProcA] [6360208F] C:\Program Files\Yahoo!\Shared\ybskin2.dll (Yahoo! Skinning Object/Yahoo! Inc.)

IAT C:\PROGRA~1\Yahoo!\MESSEN~1\YAHOOM~1.EXE[5824] @ C:\WINDOWS\system32\SHELL32.dll [USER32.dll!GetSysColor] [63601FC4] C:\Program Files\Yahoo!\Shared\ybskin2.dll (Yahoo! Skinning Object/Yahoo! Inc.)

IAT C:\PROGRA~1\Yahoo!\MESSEN~1\YAHOOM~1.EXE[5824] @ C:\WINDOWS\system32\SHELL32.dll [USER32.dll!DefWindowProcW] [63602065] C:\Program Files\Yahoo!\Shared\ybskin2.dll (Yahoo! Skinning Object/Yahoo! Inc.)

IAT C:\PROGRA~1\Yahoo!\MESSEN~1\YAHOOM~1.EXE[5824] @ C:\WINDOWS\system32\SHELL32.dll [USER32.dll!TrackPopupMenu] [636015C8] C:\Program Files\Yahoo!\Shared\ybskin2.dll (Yahoo! Skinning Object/Yahoo! Inc.)

IAT C:\Program Files\Yahoo!\browser\ybrowser.exe[6128] @ C:\WINDOWS\system32\GDI32.dll [KERNEL32.dll!LoadLibraryExW] [63602B3E] C:\Program Files\Yahoo!\Shared\ybskin2.dll (Yahoo! Skinning Object/Yahoo! Inc.)

IAT C:\Program Files\Yahoo!\browser\ybrowser.exe[6128] @ C:\WINDOWS\system32\GDI32.dll [KERNEL32.dll!LoadLibraryA] [63602A5B] C:\Program Files\Yahoo!\Shared\ybskin2.dll (Yahoo! Skinning Object/Yahoo! Inc.)

IAT C:\Program Files\Yahoo!\browser\ybrowser.exe[6128] @ C:\WINDOWS\system32\GDI32.dll [KERNEL32.dll!GetProcAddress] [63602441] C:\Program Files\Yahoo!\Shared\ybskin2.dll (Yahoo! Skinning Object/Yahoo! Inc.)

IAT C:\Program Files\Yahoo!\browser\ybrowser.exe[6128] @ C:\WINDOWS\system32\GDI32.dll [KERNEL32.dll!LoadLibraryW] [63602AA2] C:\Program Files\Yahoo!\Shared\ybskin2.dll (Yahoo! Skinning Object/Yahoo! Inc.)

IAT C:\Program Files\Yahoo!\browser\ybrowser.exe[6128] @ C:\WINDOWS\system32\USER32.dll [KERNEL32.dll!LoadLibraryExW] [63602B3E] C:\Program Files\Yahoo!\Shared\ybskin2.dll (Yahoo! Skinning Object/Yahoo! Inc.)

IAT C:\Program Files\Yahoo!\browser\ybrowser.exe[6128] @ C:\WINDOWS\system32\USER32.dll [KERNEL32.dll!LoadLibraryA] [63602A5B] C:\Program Files\Yahoo!\Shared\ybskin2.dll (Yahoo! Skinning Object/Yahoo! Inc.)

IAT C:\Program Files\Yahoo!\browser\ybrowser.exe[6128] @ C:\WINDOWS\system32\USER32.dll [KERNEL32.dll!GetProcAddress] [63602441] C:\Program Files\Yahoo!\Shared\ybskin2.dll (Yahoo! Skinning Object/Yahoo! Inc.)

IAT C:\Program Files\Yahoo!\browser\ybrowser.exe[6128] @ C:\WINDOWS\system32\USER32.dll [KERNEL32.dll!LoadLibraryW] [63602AA2] C:\Program Files\Yahoo!\Shared\ybskin2.dll (Yahoo! Skinning Object/Yahoo! Inc.)

IAT C:\Program Files\Yahoo!\browser\ybrowser.exe[6128] @ C:\WINDOWS\system32\SHLWAPI.dll [KERNEL32.dll!LoadLibraryExA] [63602AE9] C:\Program Files\Yahoo!\Shared\ybskin2.dll (Yahoo! Skinning Object/Yahoo! Inc.)

IAT C:\Program Files\Yahoo!\browser\ybrowser.exe[6128] @ C:\WINDOWS\system32\SHLWAPI.dll [KERNEL32.dll!LoadLibraryExW] [63602B3E] C:\Program Files\Yahoo!\Shared\ybskin2.dll (Yahoo! Skinning Object/Yahoo! Inc.)

IAT C:\Program Files\Yahoo!\browser\ybrowser.exe[6128] @ C:\WINDOWS\system32\SHLWAPI.dll [KERNEL32.dll!LoadLibraryW] [63602AA2] C:\Program Files\Yahoo!\Shared\ybskin2.dll (Yahoo! Skinning Object/Yahoo! Inc.)

IAT C:\Program Files\Yahoo!\browser\ybrowser.exe[6128] @ C:\WINDOWS\system32\SHLWAPI.dll [KERNEL32.dll!LoadLibraryA] [63602A5B] C:\Program Files\Yahoo!\Shared\ybskin2.dll (Yahoo! Skinning Object/Yahoo! Inc.)

IAT C:\Program Files\Yahoo!\browser\ybrowser.exe[6128] @ C:\WINDOWS\system32\SHLWAPI.dll [KERNEL32.dll!GetProcAddress] [63602441] C:\Program Files\Yahoo!\Shared\ybskin2.dll (Yahoo! Skinning Object/Yahoo! Inc.)

IAT C:\Program Files\Yahoo!\browser\ybrowser.exe[6128] @ C:\WINDOWS\system32\SHLWAPI.dll [USER32.dll!DefWindowProcA] [6360208F] C:\Program Files\Yahoo!\Shared\ybskin2.dll (Yahoo! Skinning Object/Yahoo! Inc.)

IAT C:\Program Files\Yahoo!\browser\ybrowser.exe[6128] @ C:\WINDOWS\system32\SHLWAPI.dll [USER32.dll!DefWindowProcW] [63602065] C:\Program Files\Yahoo!\Shared\ybskin2.dll (Yahoo! Skinning Object/Yahoo! Inc.)

IAT C:\Program Files\Yahoo!\browser\ybrowser.exe[6128] @ C:\WINDOWS\system32\SHLWAPI.dll [USER32.dll!GetSysColor] [63601FC4] C:\Program Files\Yahoo!\Shared\ybskin2.dll (Yahoo! Skinning Object/Yahoo! Inc.)

IAT C:\Program Files\Yahoo!\browser\ybrowser.exe[6128] @ C:\WINDOWS\system32\SHLWAPI.dll [USER32.dll!TrackPopupMenu] [636015C8] C:\Program Files\Yahoo!\Shared\ybskin2.dll (Yahoo! Skinning Object/Yahoo! Inc.)

IAT C:\Program Files\Yahoo!\browser\ybrowser.exe[6128] @ C:\WINDOWS\system32\SHLWAPI.dll [USER32.dll!TrackPopupMenuEx] [636015EF] C:\Program Files\Yahoo!\Shared\ybskin2.dll (Yahoo! Skinning Object/Yahoo! Inc.)

IAT C:\Program Files\Yahoo!\browser\ybrowser.exe[6128] @ C:\WINDOWS\system32\SHELL32.dll [KERNEL32.dll!LoadLibraryA] [63602A5B] C:\Program Files\Yahoo!\Shared\ybskin2.dll (Yahoo! Skinning Object/Yahoo! Inc.)

IAT C:\Program Files\Yahoo!\browser\ybrowser.exe[6128] @ C:\WINDOWS\system32\SHELL32.dll [KERNEL32.dll!LoadLibraryW] [63602AA2] C:\Program Files\Yahoo!\Shared\ybskin2.dll (Yahoo! Skinning Object/Yahoo! Inc.)

IAT C:\Program Files\Yahoo!\browser\ybrowser.exe[6128] @ C:\WINDOWS\system32\SHELL32.dll [KERNEL32.dll!GetProcAddress] [63602441] C:\Program Files\Yahoo!\Shared\ybskin2.dll (Yahoo! Skinning Object/Yahoo! Inc.)

IAT C:\Program Files\Yahoo!\browser\ybrowser.exe[6128] @ C:\WINDOWS\system32\SHELL32.dll [KERNEL32.dll!LoadLibraryExW] [63602B3E] C:\Program Files\Yahoo!\Shared\ybskin2.dll (Yahoo! Skinning Object/Yahoo! Inc.)

IAT C:\Program Files\Yahoo!\browser\ybrowser.exe[6128] @ C:\WINDOWS\system32\SHELL32.dll [KERNEL32.dll!LoadLibraryExA] [63602AE9] C:\Program Files\Yahoo!\Shared\ybskin2.dll (Yahoo! Skinning Object/Yahoo! Inc.)

IAT C:\Program Files\Yahoo!\browser\ybrowser.exe[6128] @ C:\WINDOWS\system32\SHELL32.dll [USER32.dll!AnimateWindow] [63601740] C:\Program Files\Yahoo!\Shared\ybskin2.dll (Yahoo! Skinning Object/Yahoo! Inc.)

IAT C:\Program Files\Yahoo!\browser\ybrowser.exe[6128] @ C:\WINDOWS\system32\SHELL32.dll [USER32.dll!TrackPopupMenuEx] [636015EF] C:\Program Files\Yahoo!\Shared\ybskin2.dll (Yahoo! Skinning Object/Yahoo! Inc.)

IAT C:\Program Files\Yahoo!\browser\ybrowser.exe[6128] @ C:\WINDOWS\system32\SHELL32.dll [USER32.dll!DefWindowProcA] [6360208F] C:\Program Files\Yahoo!\Shared\ybskin2.dll (Yahoo! Skinning Object/Yahoo! Inc.)

IAT C:\Program Files\Yahoo!\browser\ybrowser.exe[6128] @ C:\WINDOWS\system32\SHELL32.dll [USER32.dll!GetSysColor] [63601FC4] C:\Program Files\Yahoo!\Shared\ybskin2.dll (Yahoo! Skinning Object/Yahoo! Inc.)

IAT C:\Program Files\Yahoo!\browser\ybrowser.exe[6128] @ C:\WINDOWS\system32\SHELL32.dll [USER32.dll!DefWindowProcW] [63602065] C:\Program Files\Yahoo!\Shared\ybskin2.dll (Yahoo! Skinning Object/Yahoo! Inc.)

IAT C:\Program Files\Yahoo!\browser\ybrowser.exe[6128] @ C:\WINDOWS\system32\SHELL32.dll [USER32.dll!TrackPopupMenu] [636015C8] C:\Program Files\Yahoo!\Shared\ybskin2.dll (Yahoo! Skinning Object/Yahoo! Inc.)

---- Devices - GMER 1.0.15 ----

AttachedDevice \FileSystem\Ntfs \Ntfs SYMEVENT.SYS (Symantec Event Library/Symantec Corporation)

AttachedDevice \Driver\Tcpip \Device\Ip SYMTDI.SYS (Network Dispatch Driver/Symantec Corporation)

AttachedDevice \Driver\Kbdclass \Device\KeyboardClass0 ATMhelpr.SYS (Windows NT Font Driver Helper/Adobe Systems Incorporated)

AttachedDevice \Driver\Tcpip \Device\Tcp SYMTDI.SYS (Network Dispatch Driver/Symantec Corporation)

Device \Driver\atapi \Device\Ide\IdePort0 dvd43llh.sys (dvd43llh.sys/RIF)

Device \Driver\atapi \Device\Ide\IdeDeviceP0T0L0-4 dvd43llh.sys (dvd43llh.sys/RIF)

Device atapi.sys (IDE/ATAPI Port Driver/Microsoft Corporation)

Device dvd43llh.sys (dvd43llh.sys/RIF)

AttachedDevice \Driver\Tcpip \Device\Udp SYMTDI.SYS (Network Dispatch Driver/Symantec Corporation)

AttachedDevice \Driver\Tcpip \Device\RawIp SYMTDI.SYS (Network Dispatch Driver/Symantec Corporation)

Device mrxsmb.sys (Windows NT SMB Minirdr/Microsoft Corporation)

Device AE844D20

AttachedDevice fltmgr.sys (Microsoft Filesystem Filter Manager/Microsoft Corporation)

AttachedDevice SYMEVENT.SYS (Symantec Event Library/Symantec Corporation)

Device \FileSystem\Cdfs \Cdfs tfsnifs.sys (Drive Letter Access Component/Sonic Solutions)

---- Registry - GMER 1.0.15 ----

Reg HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Products\BAECDAC2AD5D6D445BCFD7EE78BAC3C0\Usage@Unload 980510261

---- EOF - GMER 1.0.15 ----

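A GMER log like the one above is long, and the question an analyst actually asks of it is short: which hooks did GMER tie to a known file and vendor, and which ones could it not attribute at all. The Python script below is an added example for this thread, not GMER's code and not something anyone in the thread posted. It parses the SSDT, .text, IAT and device lines of a GMER 1.0.15 log, counts hooks per attributed vendor, and lists the entries with no module behind them. The regular expressions are assumptions derived from the log format shown in this thread, not a published GMER specification, and the sample input is a constructed subset of lines copied from the log above.

```python
"""Triage a GMER rootkit-scan log: group hooks by attributed vendor and pull out
the entries GMER could not tie to any module (an address with no file behind it).

Added example for this thread, not GMER's code. The regexes are assumptions based
on the GMER 1.0.15 output format shown in the thread, not a GMER specification.
"""
import re
from collections import Counter, namedtuple

Hook = namedtuple("Hook", "kind target module vendor")

# Constructed sample input: a subset of lines copied from the GMER log posted above.
SAMPLE_GMER_LOG = r"""
GMER 1.0.15.14939 - http://www.gmer.net
Rootkit scan 2009-03-17 10:13:18
---- System - GMER 1.0.15 ----
SSDT 866A4450 ZwConnectPort
SSDT \??\C:\Program Files\Symantec\SYMEVENT.SYS (Symantec Event Library/Symantec Corporation) ZwDeleteValueKey [0xEEA04DC0]
SSDT 869E82B0 ZwDuplicateObject
SSDT 8682C008 ZwOpenProcess
SSDT 868E5078 ZwOpenThread
SSDT \??\C:\Program Files\Symantec\SYMEVENT.SYS (Symantec Event Library/Symantec Corporation) ZwSetValueKey [0xEEA05020]
---- User code sections - GMER 1.0.15 ----
.text C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe[2232] kernel32.dll!ExitProcess 7C81CAFA 5 Bytes JMP 05052422 C:\Program Files\Google\Google Desktop Search\GoogleServices.DLL (Google Desktop/Google)
---- User IAT/EAT - GMER 1.0.15 ----
IAT C:\PROGRA~1\Yahoo!\YOP\yop.exe[2268] @ C:\WINDOWS\system32\USER32.dll [KERNEL32.dll!LoadLibraryExW] [63602B3E] C:\Program Files\Yahoo!\Shared\ybskin2.dll (Yahoo! Skinning Object/Yahoo! Inc.)
---- Devices - GMER 1.0.15 ----
AttachedDevice \FileSystem\Ntfs \Ntfs SYMEVENT.SYS (Symantec Event Library/Symantec Corporation)
Device \Driver\atapi \Device\Ide\IdePort0 dvd43llh.sys (dvd43llh.sys/RIF)
Device AE844D20
---- EOF - GMER 1.0.15 ----
"""

# Trailing "(Description/Vendor)" that GMER appends when it identified the module.
_DESC = re.compile(r"^(?P<body>.*?)\s*\((?P<desc>[^()]*)\)\s*$")
# A module image: a full path (optionally \??\-prefixed) or a bare file name.
_MODULE = re.compile(
    r"((?:\\\?\?\\)?[A-Za-z]:\\.+?\.(?:dll|exe|sys)|\b[\w.-]+\.(?:dll|exe|sys))\s*$", re.I)
_SSDT = re.compile(r"^SSDT\s+(?P<module>.+?)\s+(?P<target>Zw\w+)(?:\s+\[0x[0-9A-Fa-f]+\])?\s*$")
_TEXT = re.compile(r"^\.text\s+(?P<proc>.+?\[\d+\])\s+(?P<target>\S+)\s+[0-9A-Fa-f]+\s+(?P<rest>.*)$")
_IAT = re.compile(r"^IAT\s+(?P<proc>.+?\[\d+\])\s+@\s+\S+\s+\[(?P<target>[^\]]+)\]"
                  r"\s+\[[0-9A-Fa-f]+\]\s+(?P<rest>.*)$")
_DEVICE = re.compile(r"^(?P<kind>AttachedDevice|Device)\s+(?P<rest>.*)$")


def _attribution(fragment):
    """Split '<stuff> <module> (Description/Vendor)' into (stuff, module, vendor).
    Pieces GMER did not print come back as None."""
    m = _DESC.match(fragment)
    body = m.group("body") if m else fragment
    vendor = m.group("desc").rsplit("/", 1)[-1].strip() if m else None
    mm = _MODULE.search(body)
    module = mm.group(1) if mm else None
    if mm:
        body = body[:mm.start(1)].strip()
    return body, module, vendor


def _short(proc_path):
    """'C:\\...\\yop.exe[2268]' -> 'yop.exe[2268]'."""
    return proc_path.rsplit("\\", 1)[-1]


def parse_gmer(text):
    """Return one Hook per SSDT/.text/IAT/device line; other lines are ignored."""
    hooks = []
    for raw in text.splitlines():
        line = raw.strip()
        if m := _SSDT.match(line):
            _, module, vendor = _attribution(m.group("module"))
            hooks.append(Hook("SSDT", m.group("target"), module, vendor))
        elif m := _TEXT.match(line):
            _, module, vendor = _attribution(m.group("rest"))
            hooks.append(Hook("inline", f"{_short(m.group('proc'))} {m.group('target')}", module, vendor))
        elif m := _IAT.match(line):
            _, module, vendor = _attribution(m.group("rest"))
            hooks.append(Hook("IAT", f"{_short(m.group('proc'))} {m.group('target')}", module, vendor))
        elif m := _DEVICE.match(line):
            target, module, vendor = _attribution(m.group("rest"))
            hooks.append(Hook(m.group("kind"), target, module, vendor))
    return hooks


def unattributed(hooks):
    """Hooks GMER could not tie to a module: an address or device object with no file."""
    return [h for h in hooks if h.module is None]


def by_vendor(hooks):
    """Count hooks per vendor; '<unattributed>' collects the ones with no module."""
    return Counter(h.vendor or "<unattributed>" for h in hooks)


if __name__ == "__main__":
    found = parse_gmer(SAMPLE_GMER_LOG)
    for vendor, n in by_vendor(found).most_common():
        print(f"{n:3d}  {vendor}")
    print("\nentries GMER could not attribute to a module:")
    for h in unattributed(found):
        print(f"  {h.kind:<15} {h.target}")
```

Run against the sample it reports five unattributed entries: the four SSDT hooks on ZwConnectPort, ZwDuplicateObject, ZwOpenProcess and ZwOpenThread, and the device object AE844D20. Those four address-only SSDT hooks sit right next to two hooks GMER did attribute to SYMEVENT.SYS, and the helper's reading of the log ("I don't see anything") is consistent with them belonging to the same Symantec product; the script deliberately makes no such assumption and only separates what GMER attributed from what it did not, which is the list you would take to the vendor, or to a second tool, before calling a log clean.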

Could you post what Spybot is detecting such as the filepath and name?


Ok, this is weird... I can't post anything because now Spybot is not detecting anything. I'm not really sure why because I didn't click on "Fix Selected Problems" (I didn't try to remove it with Malwarebytes' either). I wanted to wait until I heard back from you. I just ran a Spybot scan and got nothing so I ran a Malwarebytes' scan and came up with nothing there too. Does this make sense? I did turn the computer off last night, but I had also turned it off Sunday night.


Hi Tigger. I just ran a scan using Spybot as well as Malwarebytes' and came up clean again. I've posted a HJT log from this morning and the last report that I got from Spybot (Sunday evening). I purged all the entries in the recovery section of Spybot yesterday. I'm hoping that Sunday's report was just a residual (if that's even possible)? What do you think?

--- Report generated: 2009-03-16 17:46 ---

Virtumonde.prx: [SBI $9C9A1A85] Autorun settings (CPM07c5a006) (Registry value, nothing done)

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\CPM07c5a006

Right Media: Tracking cookie (Internet Explorer: Stacey Kuhar) (Cookie, nothing done)

Logfile of Trend Micro HijackThis v2.0.2

Scan saved at 9:50:32 AM, on 3/18/2009

Platform: Windows XP SP3 (WinNT 5.01.2600)

MSIE: Internet Explorer v7.00 (7.00.6000.16791)

Boot mode: Normal

Running processes:

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\system32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\system32\Ati2evxx.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe

C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe

C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe

C:\WINDOWS\system32\LEXBCES.EXE

C:\WINDOWS\system32\spoolsv.exe

C:\WINDOWS\system32\LEXPPS.EXE

C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe

C:\Program Files\Bonjour\mDNSResponder.exe

C:\Program Files\CinemaNow\CinemaNow Media Manager\CinemanowSvc.exe

C:\Program Files\Symantec AntiVirus\DefWatch.exe

C:\WINDOWS\eHome\ehRecvr.exe

C:\WINDOWS\eHome\ehSched.exe

C:\Program Files\Intel\Intel Matrix Storage Manager\iaantmon.exe

C:\Program Files\Java\jre6\bin\jqs.exe

C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE

C:\Program Files\Microsoft LifeCam\MSCamS32.exe

C:\Program Files\Dell Support Center\bin\sprtsvc.exe

C:\WINDOWS\system32\svchost.exe

C:\Program Files\Symantec AntiVirus\Rtvscan.exe

C:\WINDOWS\Explorer.EXE

C:\Program Files\Canon\CAL\CALMAIN.exe

C:\WINDOWS\system32\dllhost.exe

C:\WINDOWS\ehome\ehtray.exe

C:\Program Files\Java\jre6\bin\jusched.exe

C:\WINDOWS\stsystra.exe

C:\Program Files\Intel\Intel Matrix Storage Manager\iaanotif.exe

C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe

C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe

C:\WINDOWS\eHome\ehmsas.exe

C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe

C:\Program Files\Lexmark X74-X75\lxbbbmgr.exe

C:\Program Files\Lexmark X74-X75\lxbbbmon.exe

C:\Program Files\Adobe\Acrobat 7.0\Distillr\Acrotray.exe

C:\Program Files\Common Files\Symantec Shared\ccApp.exe

C:\PROGRA~1\SYMANT~1\VPTray.exe

C:\PROGRA~1\Yahoo!\YOP\yop.exe

C:\Program Files\dvd43\dvd43_tray.exe

C:\PROGRA~1\Yahoo!\browser\ybrwicon.exe

C:\WINDOWS\system32\dla\tfswctrl.exe

C:\Program Files\HP\HP Software Update\HPWuSchd2.exe

C:\Program Files\Common Files\Real\Update_OB\realsched.exe

C:\PROGRA~1\Yahoo!\browser\ycommon.exe

C:\Program Files\iTunes\iTunesHelper.exe

C:\Program Files\Dell Support Center\bin\sprtcmd.exe

C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe

C:\WINDOWS\vVX6000.exe

C:\WINDOWS\system32\ctfmon.exe

C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe

C:\Program Files\DellSupport\DSAgnt.exe

C:\Program Files\The Weather Channel FW\Desktop\DesktopWeather.exe

C:\Program Files\Windows Live\Messenger\msnmsgr.exe

C:\Program Files\iPod\bin\iPodService.exe

C:\Program Files\Digital Line Detect\DLG.exe

C:\PROGRA~1\Yahoo!\MESSEN~1\ymsgr_tray.exe

C:\Program Files\FinePixViewer\QuickDCF2.exe

C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe

C:\Program Files\Sony Corporation\Image Transfer\SonyTray.exe

C:\Program Files\HP\Digital Imaging\bin\hpqimzone.exe

C:\Documents and Settings\All Users\Application Data\U3\U3Launcher\LaunchU3.exe

C:\Program Files\HP\Digital Imaging\bin\hpqSTE08.exe

C:\Program Files\Windows Live\Contacts\wlcomm.exe

C:\PROGRA~1\Yahoo!\browser\ybrowser.exe

C:\WINDOWS\Microsoft.NET\Framework\v3.0\Windows Communication Foundation\infocard.exe

C:\Program Files\Microsoft Office\OFFICE11\WINWORD.EXE

C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://*.cinemanow.com

O16 - DPF: {0CCA191D-13A6-4E29-B746-314DEE697D83} (Facebook Photo Uploader 5 Control) - http://upload.facebook.com/controls/2008.1...toUploader5.cab

O16 - DPF: {193C772A-87BE-4B19-A7BB-445B226FE9A1} (ewidoOnlineScan Control) - http://download.ewido.net/ewidoOnlineScan.cab

O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (Installation Support) - C:\Program Files\Yahoo!\Common\Yinsthelper.dll

O16 - DPF: {406B5949-7190-4245-91A9-30A17DE16AD0} (Snapfish Activia) - http://www1.snapfish.com/SnapfishActivia.cab

O16 - DPF: {4871A87A-BFDD-4106-8153-FFDE2BAC2967} (DLM Control) - http://dlm.tools.akamai.com/dlmanager/vers...vex-2.2.4.1.cab

O16 - DPF: {5ED80217-570B-4DA9-BF44-BE107C0EC166} (Windows Live Safety Center Base Module) - http://cdn.scan.onecare.live.com/resource/...lscbase6662.cab

O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.microsoft.com/microsoftu...b?1179878299531

O16 - DPF: {75A6AEA3-F26E-4608-AE9B-8DA78C87576E} (Wizard101GameLauncher) - https://secure.footprint.net/kingsisle/stat...ameLauncher.CAB

O16 - DPF: {9600F64D-755F-11D4-A47F-0001023E6D5A} (Shutterfly Picture Upload Plugin) - http://web1.shutterfly.com/downloads/Uploader.cab

O16 - DPF: {A8683C98-5341-421B-B23C-8514C05354F1} (FujifilmUploader Class) - http://photo.walmart.com/photo/uploads/Fuj...ploadClient.cab

O16 - DPF: {CF40ACC5-E1BB-4AFF-AC72-04C2F616BCA7} -

O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe

O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe

O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe

O23 - Service: Canon Camera Access Library 8 (CCALib8) - Canon Inc. - C:\Program Files\Canon\CAL\CALMAIN.exe

O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe

O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe

O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe

O23 - Service: CinemaNow Service - CinemaNow, Inc. - C:\Program Files\CinemaNow\CinemaNow Media Manager\CinemanowSvc.exe

O23 - Service: Symantec AntiVirus Definition Watcher (DefWatch) - Symantec Corporation - C:\Program Files\Symantec AntiVirus\DefWatch.exe

O23 - Service: DSBrokerService - Unknown owner - C:\Program Files\DellSupport\brkrsvc.exe

O23 - Service: GameConsoleService - WildTangent, Inc. - C:\Program Files\WildTangent\Apps\Dell Game Console\GameConsoleService.exe

O23 - Service: Google Desktop Manager 5.7.806.10245 (GoogleDesktopManager-061008-081103) - Google - C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe

O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe

O23 - Service: Intel® Matrix Storage Event Monitor (IAANTMon) - Intel Corporation - C:\Program Files\Intel\Intel Matrix Storage Manager\iaantmon.exe

O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe

O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe

O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe

O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE

O23 - Service: Intel NCS NetService (NetSvc) - Intel® Corporation - C:\Program Files\Intel\PROSetWired\NCS\Sync\NetSvc.exe

O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe

O23 - Service: SAVRoam (SavRoam) - symantec - C:\Program Files\Symantec AntiVirus\SavRoam.exe

O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe

O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe

O23 - Service: SupportSoft Sprocket Service (dellsupportcenter) (sprtsvc_dellsupportcenter) - SupportSoft, Inc. - C:\Program Files\Dell Support Center\bin\sprtsvc.exe

O23 - Service: Symantec AntiVirus - Symantec Corporation - C:\Program Files\Symantec AntiVirus\Rtvscan.exe

O23 - Service: YPCService - Yahoo! Inc. - C:\WINDOWS\system32\YPCSER~1.EXE

--

End of file - 18671 bytes

Ok, this is weird... I can't post anything because now Spybot is not detecting anything. I'm not really sure why because I didn't click on "Fix Selected Problems" (I didn't try to remove it with Malwarebytes' either). I wanted to wait until I heard back from you. I just ran a Spybot scan and got nothing so I ran a Malwarebytes' scan and came up with nothing there too. Does this make sense? I did turn the computer off last night, but I had also turned it off Sunday night.


My mistake... the last log from Spybot that I posted in my last reply was from Monday evening not Sunday.

Hi Tigger. I just ran a scan using Spybot as well as Malwarebytes' and came up clean again. I've posted a HJT log from this morning and the last report that I got from Spybot (Sunday evening). I purged all the entries in the recovery section of Spybot yesterday. I'm hoping that Sunday's report was just a residual (if that's even possible)? What do you think?

--- Report generated: 2009-03-16 17:46 ---

Virtumonde.prx: [sBI $9C9A1A85] Autorun settings (CPM07c5a006) (Registry value, nothing done)

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\CPM07c5a006

Right Media: Tracking cookie (Internet Explorer: Stacey Kuhar) (Cookie, nothing done)

Logfile of Trend Micro HijackThis v2.0.2

Scan saved at 9:50:32 AM, on 3/18/2009

Platform: Windows XP SP3 (WinNT 5.01.2600)

MSIE: Internet Explorer v7.00 (7.00.6000.16791)

Boot mode: Normal

Running processes:

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\system32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\system32\Ati2evxx.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe

C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe

C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe

C:\WINDOWS\system32\LEXBCES.EXE

C:\WINDOWS\system32\spoolsv.exe

C:\WINDOWS\system32\LEXPPS.EXE

C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe

C:\Program Files\Bonjour\mDNSResponder.exe

C:\Program Files\CinemaNow\CinemaNow Media Manager\CinemanowSvc.exe

C:\Program Files\Symantec AntiVirus\DefWatch.exe

C:\WINDOWS\eHome\ehRecvr.exe

C:\WINDOWS\eHome\ehSched.exe

C:\Program Files\Intel\Intel Matrix Storage Manager\iaantmon.exe

C:\Program Files\Java\jre6\bin\jqs.exe

C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE

C:\Program Files\Microsoft LifeCam\MSCamS32.exe

C:\Program Files\Dell Support Center\bin\sprtsvc.exe

C:\WINDOWS\system32\svchost.exe

C:\Program Files\Symantec AntiVirus\Rtvscan.exe

C:\WINDOWS\Explorer.EXE

C:\Program Files\Canon\CAL\CALMAIN.exe

C:\WINDOWS\system32\dllhost.exe

C:\WINDOWS\ehome\ehtray.exe

C:\Program Files\Java\jre6\bin\jusched.exe

C:\WINDOWS\stsystra.exe

C:\Program Files\Intel\Intel Matrix Storage Manager\iaanotif.exe

C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe

C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe

C:\WINDOWS\eHome\ehmsas.exe

C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe

C:\Program Files\Lexmark X74-X75\lxbbbmgr.exe

C:\Program Files\Lexmark X74-X75\lxbbbmon.exe

C:\Program Files\Adobe\Acrobat 7.0\Distillr\Acrotray.exe

C:\Program Files\Common Files\Symantec Shared\ccApp.exe

C:\PROGRA~1\SYMANT~1\VPTray.exe

C:\PROGRA~1\Yahoo!\YOP\yop.exe

C:\Program Files\dvd43\dvd43_tray.exe

C:\PROGRA~1\Yahoo!\browser\ybrwicon.exe

C:\WINDOWS\system32\dla\tfswctrl.exe

C:\Program Files\HP\HP Software Update\HPWuSchd2.exe

C:\Program Files\Common Files\Real\Update_OB\realsched.exe

C:\PROGRA~1\Yahoo!\browser\ycommon.exe

C:\Program Files\iTunes\iTunesHelper.exe

C:\Program Files\Dell Support Center\bin\sprtcmd.exe

C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe

C:\WINDOWS\vVX6000.exe

C:\WINDOWS\system32\ctfmon.exe

C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe

C:\Program Files\DellSupport\DSAgnt.exe

C:\Program Files\The Weather Channel FW\Desktop\DesktopWeather.exe

C:\Program Files\Windows Live\Messenger\msnmsgr.exe

C:\Program Files\iPod\bin\iPodService.exe

C:\Program Files\Digital Line Detect\DLG.exe

C:\PROGRA~1\Yahoo!\MESSEN~1\ymsgr_tray.exe

C:\Program Files\FinePixViewer\QuickDCF2.exe

C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe

C:\Program Files\Sony Corporation\Image Transfer\SonyTray.exe

C:\Program Files\HP\Digital Imaging\bin\hpqimzone.exe

C:\Documents and Settings\All Users\Application Data\U3\U3Launcher\LaunchU3.exe

C:\Program Files\HP\Digital Imaging\bin\hpqSTE08.exe

C:\Program Files\Windows Live\Contacts\wlcomm.exe

C:\PROGRA~1\Yahoo!\browser\ybrowser.exe

C:\WINDOWS\Microsoft.NET\Framework\v3.0\Windows Communication Foundation\infocard.exe

C:\Program Files\Microsoft Office\OFFICE11\WINWORD.EXE

C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://*.cinemanow.com

O16 - DPF: {0CCA191D-13A6-4E29-B746-314DEE697D83} (Facebook Photo Uploader 5 Control) - http://upload.facebook.com/controls/2008.1...toUploader5.cab

O16 - DPF: {193C772A-87BE-4B19-A7BB-445B226FE9A1} (ewidoOnlineScan Control) - http://download.ewido.net/ewidoOnlineScan.cab

O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (Installation Support) - C:\Program Files\Yahoo!\Common\Yinsthelper.dll

O16 - DPF: {406B5949-7190-4245-91A9-30A17DE16AD0} (Snapfish Activia) - http://www1.snapfish.com/SnapfishActivia.cab

O16 - DPF: {4871A87A-BFDD-4106-8153-FFDE2BAC2967} (DLM Control) - http://dlm.tools.akamai.com/dlmanager/vers...vex-2.2.4.1.cab

O16 - DPF: {5ED80217-570B-4DA9-BF44-BE107C0EC166} (Windows Live Safety Center Base Module) - http://cdn.scan.onecare.live.com/resource/...lscbase6662.cab

O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.microsoft.com/microsoftu...b?1179878299531

O16 - DPF: {75A6AEA3-F26E-4608-AE9B-8DA78C87576E} (Wizard101GameLauncher) - https://secure.footprint.net/kingsisle/stat...ameLauncher.CAB

O16 - DPF: {9600F64D-755F-11D4-A47F-0001023E6D5A} (Shutterfly Picture Upload Plugin) - http://web1.shutterfly.com/downloads/Uploader.cab

O16 - DPF: {A8683C98-5341-421B-B23C-8514C05354F1} (FujifilmUploader Class) - http://photo.walmart.com/photo/uploads/Fuj...ploadClient.cab

O16 - DPF: {CF40ACC5-E1BB-4AFF-AC72-04C2F616BCA7} -

O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe

O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe

O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe

O23 - Service: Canon Camera Access Library 8 (CCALib8) - Canon Inc. - C:\Program Files\Canon\CAL\CALMAIN.exe

O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe

O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe

O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe

O23 - Service: CinemaNow Service - CinemaNow, Inc. - C:\Program Files\CinemaNow\CinemaNow Media Manager\CinemanowSvc.exe

O23 - Service: Symantec AntiVirus Definition Watcher (DefWatch) - Symantec Corporation - C:\Program Files\Symantec AntiVirus\DefWatch.exe

O23 - Service: DSBrokerService - Unknown owner - C:\Program Files\DellSupport\brkrsvc.exe

O23 - Service: GameConsoleService - WildTangent, Inc. - C:\Program Files\WildTangent\Apps\Dell Game Console\GameConsoleService.exe

O23 - Service: Google Desktop Manager 5.7.806.10245 (GoogleDesktopManager-061008-081103) - Google - C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe

O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe

O23 - Service: Intel


I don't see anything at all. I'd wait a few days and see if Malwarebytes or Spybot pop up with something again.


Ok, thanks! Should I reactivate Tea timer in Spybot or wait on that too? Thank you for all your help. I appreciate your time (and patience!). :0)
