All I want for Christmas is my PC back. I've picked up a little pest and can't seem to shake it. Any assistance would be greatly appreciated!! I keep getting an alert regarding the addition of c:\WINDOWS\system32\dewudogi.dll I may have something else going on, but I know that since I started getting this alert warning I've had issues with several apps. I've posted my HJT log below. Best regards, laynegray Logfile of Trend Micro HijackThis v2.0.0 (BETA) Scan saved at 16:21, on 2008-12-21 Platform: Windows XP SP3 (WinNT 5.01.2600) Boot mode: Normal Running processes: C:\WINDOWS\System32\smss.exe C:\WINDOWS\system32\winlogon.exe C:\WINDOWS\system32\services.exe C:\WINDOWS\system32\lsass.exe C:\WINDOWS\system32\svchost.exe C:\WINDOWS\System32\svchost.exe C:\Program Files\WIDCOMM\Bluetooth Software\bin\btwdins.exe C:\WINDOWS\system32\ZoneLabs\vsmon.exe C:\WINDOWS\system32\spoolsv.exe C:\Program Files\Avira\AntiVir PersonalEdition Classic\sched.exe C:\Program Files\Avira\AntiVir PersonalEdition Classic\avguard.exe C:\Program Files\APC\APC PowerChute Personal Edition\mainserv.exe C:\Program Files\Seagate\Basics\Service\SyncServicesBasics.exe C:\Program Files\Comodo\CBOClean\BOCORE.exe C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE C:\WINDOWS\System32\svchost.exe C:\Program Files\Linksys Wireless-G PCI Network Adapter with SpeedBooster\WLService.exe C:\Program Files\Linksys Wireless-G PCI Network Adapter with SpeedBooster\WMP54GSv1_1.exe C:\WINDOWS\Explorer.EXE C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe C:\windows\system\hpsysdrv.exe C:\Program Files\HP\hpcoretech\hpcmpmgr.exe C:\WINDOWS\System32\hphmon05.exe C:\WINDOWS\system32\VTTimer.exe C:\WINDOWS\AGRSMMSG.exe C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb08.exe C:\Program Files\Network Associates\VirusScan\SHSTAT.EXE C:\Program Files\Network Associates\Common Framework\UpdaterUI.exe C:\Program Files\Common Files\Network Associates\TalkBack\TBMon.exe C:\Program Files\HP\HP Software Update\HPWuSchd2.exe C:\Program Files\2Wire\2PortalMon.exe C:\HP\KBD\KBD.EXE C:\Program Files\Seagate\Basics\Basics Status\MaxMenuMgrBasics.exe C:\PROGRA~1\Comodo\CBOClean\BOC427.exe C:\Program Files\Avira\AntiVir PersonalEdition Classic\avgnt.exe C:\Program Files\BillP Studios\WinPatrol\winpatrol.exe C:\Program Files\QuickTime\QTTask.exe C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe C:\WINDOWS\system32\ctfmon.exe C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe C:\Program Files\Java\jre1.6.0_07\bin\jucheck.exe C:\Documents and Settings\Owner\Desktop\HiJackThis_v2.exe C:\PROGRA~1\Comodo\CBOClean\BOC4UPD.EXE R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157 R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896 R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896 R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157 R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://red.clientapps.yahoo.com/customize/ie/defaults/su/sbcydsl/*http://www.yahoo.com R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = "C:\Program Files\Outlook Express\msimn.exe" R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = localhost;*.local O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll O2 - BHO: VMN Toolbar - {4E7BD74F-2B8D-469E-8DA9-FD60BB9AAE33} - C:\PROGRA~1\VMNTOO~1\VMNTOO~1.DLL O2 - BHO: (no name) - {5fde5a01-d91c-439a-ba36-9d955b2b0ca0} - (no file) O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll O2 - BHO: ZoneAlarm Spy Blocker BHO - {F0D4B231-DA4B-4daf-81E4-DFEE4931A4AA} - C:\Program Files\ZoneAlarmSB\bar\1.bin\SPYBLOCK.DLL O2 - BHO: SidebarAutoLaunch Class - {F2AA9440-6328-4933-B7C9-A6CCDF9CBF6D} - C:\Program Files\Yahoo!\browser\YSidebarIEBHO.dll O3 - Toolbar: VMN Toolbar - {4E7BD74F-2B8D-469E-8DA9-FD60BB9AAE33} - C:\PROGRA~1\VMNTOO~1\VMNTOO~1.DLL O3 - Toolbar: ZoneAlarm Spy Blocker - {F0D4B239-DA4B-4daf-81E4-DFEE4931A4AA} - C:\Program Files\ZoneAlarmSB\bar\1.bin\SPYBLOCK.DLL O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe" O4 - HKLM\..\Run: [hpsysdrv] c:\windows\system\hpsysdrv.exe O4 - HKLM\..\Run: [HP Component Manager] "C:\Program Files\HP\hpcoretech\hpcmpmgr.exe" O4 - HKLM\..\Run: [HPHmon05] C:\WINDOWS\System32\hphmon05.exe O4 - HKLM\..\Run: [Recguard] C:\WINDOWS\SMINST\RECGUARD.EXE O4 - HKLM\..\Run: [VTTimer] VTTimer.exe O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb08.exe O4 - HKLM\..\Run: [ShStatEXE] "C:\Program Files\Network Associates\VirusScan\SHSTAT.EXE" /STANDALONE O4 - HKLM\..\Run: [McAfeeUpdaterUI] "C:\Program Files\Network Associates\Common Framework\UpdaterUI.exe" /StartedFromRunKey O4 - HKLM\..\Run: [Network Associates Error Reporting Service] "C:\Program Files\Common Files\Network Associates\TalkBack\TBMon.exe" O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\HP\HP Software Update\HPWuSchd2.exe O4 - HKLM\..\Run: [2wSysTray] C:\Program Files\2Wire\2PortalMon.exe O4 - HKLM\..\Run: [KBD] C:\HP\KBD\KBD.EXE O4 - HKLM\..\Run: [basicsmssmenu] "C:\Program Files\Seagate\Basics\Basics Status\MaxMenuMgrBasics.exe" O4 - HKLM\..\Run: [BOC-427] C:\PROGRA~1\Comodo\CBOClean\BOC427.exe O4 - HKLM\..\Run: [avgnt] "C:\Program Files\Avira\AntiVir PersonalEdition Classic\avgnt.exe" /min O4 - HKLM\..\Run: [WinPatrol] C:\Program Files\BillP Studios\WinPatrol\winpatrol.exe -expressboot O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime O4 - HKLM\..\Run: [ZoneAlarm Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe" O4 - HKLM\..\Run: [CPM4373b8cf] Rundll32.exe "c:\windows\system32\setevari.dll",a O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe O4 - HKCU\..\Run: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe O4 - Global Startup: AutorunsDisabled O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll O9 - Extra button: AT&T Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\PROGRA~1\Yahoo!\Common\yiesrvc.dll O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MI1933~1\OFFICE11\REFIEBAR.DLL O9 - Extra button: @btrez.dll,-4015 - {CCA281CA-C863-46ef-9331-5C8D4460577F} - C:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie.htm O9 - Extra 'Tools' menuitem: @btrez.dll,-12650 - {CCA281CA-C863-46ef-9331-5C8D4460577F} - C:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie.htm O16 - DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} (QuickTime Object) - http://a1540.g.akamai.net/7/1540/52/20061205/qtinstall.info.apple.com/qtactivex/qtplugin.cab O16 - DPF: {0CCA191D-13A6-4E29-B746-314DEE697D83} (Facebook Photo Uploader 5 Control) - http://upload.facebook.com/controls/2008.10.10_v5.5.8/FacebookPhotoUploader5.cab O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (Installation Support) - C:\Program Files\Yahoo!\Common\Yinsthelper20073151.dll O16 - DPF: {406B5949-7190-4245-91A9-30A17DE16AD0} (Snapfish Activia) - http://photos.walmart.com/WalmartActivia.cab O16 - DPF: {5C6698D9-7BE4-4122-8EC5-291D84DBD4A0} (Facebook Photo Uploader 4 Control) - http://upload.facebook.com/controls/FacebookPhotoUploader3.cab O16 - DPF: {5F8469B4-B055-49DD-83F7-62B522420ECC} (Facebook Photo Uploader Control) - http://upload.facebook.com/controls/FacebookPhotoUploader.cab O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1173294070000 O16 - DPF: {8714912E-380D-11D5-B8AA-00D0B78F3D48} (Yahoo! Webcam Upload Wrapper) - http://chat.yahoo.com/cab/yuplapp.cab O16 - DPF: {AB86CE53-AC9F-449F-9399-D8ABCA09EC09} (Get_ActiveX Control) - https://h17000.www1.hp.com/ewfrf-JAVA/Secure/HPGetDownloadManager.ocx O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - https://fpdownload.macromedia.com/get/shockwave/cabs/flash/swflash.cab O16 - DPF: {D6E7CFB5-C074-4D1C-B647-663D1A8D96BF} (Facebook Photo Uploader 4) - http://upload.facebook.com/controls/FacebookPhotoUploader4_5.cab O20 - AppInit_DLLs: C:\WINDOWS\system32\poruveyo.dll c:\windows\system32\setevari.dll O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll O21 - SSODL: SSODL - {EC43E3FD-5C60-46a6-97D7-E0B85DBDD6C4} - c:\windows\system32\setevari.dll O22 - SharedTaskScheduler: Browseui preloader - {438755C2-A8BA-11D1-B96B-00A0C90312E1} - C:\WINDOWS\System32\browseui.dll O22 - SharedTaskScheduler: Component Categories cache daemon - {8C7461EF-2B13-11d2-BE35-3078302C2030} - C:\WINDOWS\System32\browseui.dll O22 - SharedTaskScheduler: STS - {EC43E3FD-5C60-46a6-97D7-E0B85DBDD6C4} - c:\windows\system32\setevari.dll O23 - Service: Avira AntiVir Personal - Free Antivirus Scheduler (AntiVirScheduler) - Avira GmbH - C:\Program Files\Avira\AntiVir PersonalEdition Classic\sched.exe O23 - Service: Avira AntiVir Personal - Free Antivirus Guard (AntiVirService) - Avira GmbH - C:\Program Files\Avira\AntiVir PersonalEdition Classic\avguard.exe O23 - Service: APC UPS Service - American Power Conversion Corporation - C:\Program Files\APC\APC PowerChute Personal Edition\mainserv.exe O23 - Service: Basics Service - Seagate Technology LLC - C:\Program Files\Seagate\Basics\Service\SyncServicesBasics.exe O23 - Service: BOCore - COMODO - C:\Program Files\Comodo\CBOClean\BOCORE.exe O23 - Service: Bluetooth Service (btwdins) - Broadcom Corporation. - C:\Program Files\WIDCOMM\Bluetooth Software\bin\btwdins.exe O23 - Service: MySql - Unknown owner - C:/xampp/mysql/bin/mysqld-nt.exe O23 - Service: TrueVector Internet Monitor (vsmon) - Check Point Software Technologies LTD - C:\WINDOWS\system32\ZoneLabs\vsmon.exe O23 - Service: WMP54GSSVC - GEMTEKS - C:\Program Files\Linksys Wireless-G PCI Network Adapter with SpeedBooster\WLService.exe -- End of file - 10161 bytes
Hi laynegray, I see some unknowns in your Log but nothing I can lay a finger on…. Do this to start with: Reboot your computer in "Safe Mode" using the F8 method. To do this, restart your computer and after hearing your computer beep once during startup (but before the Windows icon appears) press the F8 key repeatedly. A menu will appear with several options. Use the arrow keys to navigate and select the option to run Windows in "Safe Mode with Networking". Download Malwarebytes' Anti-Malware to your desktop. Double-click mbam-setup.exe and follow the prompts to install the program. • At the end, be sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish. • If an update is found, it will download and install the latest version. • Once the program has loaded, select Perform full scan, then click Scan. • When the scan is complete, click OK, then Show Results to view the results. • Make sure that everything is checked, and click Remove Selected. <-- Don't forget this. • When completed, a log will open in Notepad. Please save it to a convenient location. The log can also be found here: C:\Documents and Settings\Username\Application Data\Malwarebytes\Malwarebytes' Anti-Malware\Logs\log-date.txt • Please post the MBAM Log and a fresh HJT log in your next reply. 2OG
Here's the Malware log: Malwarebytes' Anti-Malware 1.31 Database version: 1456 Windows 5.1.2600 Service Pack 3 2008-12-22 20:23:00 mbam-log-2008-12-22 (20-23-00).txt Scan type: Full Scan (C:\|) Objects scanned: 189328 Time elapsed: 38 minute(s), 8 second(s) Memory Processes Infected: 0 Memory Modules Infected: 2 Registry Keys Infected: 9 Registry Values Infected: 8 Registry Data Items Infected: 6 Folders Infected: 0 Files Infected: 19 Memory Processes Infected: (No malicious items detected) Memory Modules Infected: C:\WINDOWS\system32\poruveyo.dll (Trojan.Vundo.H) -> Delete on reboot. c:\WINDOWS\system32\tekijuze.dll (Trojan.Vundo.H) -> Delete on reboot. Registry Keys Infected: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{5fde5a01-d91c-439a-ba36-9d955b2b0ca0} (Trojan.Vundo.H) -> Quarantined and deleted successfully. HKEY_CLASSES_ROOT\CLSID\{5fde5a01-d91c-439a-ba36-9d955b2b0ca0} (Trojan.Vundo.H) -> Quarantined and deleted successfully. HKEY_CLASSES_ROOT\CLSID\{ec43e3fd-5c60-46a6-97d7-e0b85dbdd6c4} (Trojan.Vundo.H) -> Delete on reboot. HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{37b85a21-692b-4205-9cad-2626e4993404} (Adware.MyWebSearch) -> Quarantined and deleted successfully. HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{37b85a29-692b-4205-9cad-2626e4993404} (Adware.MyWebSearch) -> Quarantined and deleted successfully. HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{5fde5a01-d91c-439a-ba36-9d955b2b0ca0} (Trojan.Vundo.H) -> Quarantined and deleted successfully. HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\contim (Trojan.Vundo) -> Quarantined and deleted successfully. HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\dslcnnct (Trojan.Vundo) -> Quarantined and deleted successfully. HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\rdfa (Trojan.Vundo) -> Quarantined and deleted successfully. Registry Values Infected: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\40408b53 (Trojan.Vundo.H) -> Quarantined and deleted successfully. HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\fopugakeli (Trojan.Vundo.H) -> Quarantined and deleted successfully. HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\cpm4373b8cf (Trojan.Vundo.H) -> Delete on reboot. HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SharedTaskScheduler\{ec43e3fd-5c60-46a6-97d7-e0b85dbdd6c4} (Trojan.Vundo.H) -> Delete on reboot. HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\ssodl (Trojan.Vundo.H) -> Delete on reboot. HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\Toolbar\WebBrowser\{37b85a29-692b-4205-9cad-2626e4993404} (Adware.MyWebSearch) -> Quarantined and deleted successfully. HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\Toolbar\ShellBrowser\{37b85a29-692b-4205-9cad-2626e4993404} (Adware.MyWebSearch) -> Quarantined and deleted successfully. HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\rhcvw6j0e151 (Rogue.AntivirusXP2008) -> Quarantined and deleted successfully. Registry Data Items Infected: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SecurityProviders (Broken.SecurityProviders) -> Bad: (msapsspc.dllschannel.dlldigest.dllmsnsspc.dll) Good: (msapsspc.dll, schannel.dll, digest.dll, msnsspc.dll) -> Quarantined and deleted successfully. HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\AppInit_DLLs (Trojan.Vundo.H) -> Data: c:\windows\system32\poruveyo.dll -> Quarantined and deleted successfully. HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\LSA\Notification Packages (Trojan.Vundo.H) -> Data: c:\windows\system32\poruveyo.dll -> Quarantined and deleted successfully. HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\AppInit_DLLs (Trojan.Vundo.H) -> Data: system32\poruveyo.dll -> Quarantined and deleted successfully. HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\AppInit_DLLs (Trojan.Vundo.H) -> Data: c:\windows\system32\tekijuze.dll -> Delete on reboot. HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\AppInit_DLLs (Trojan.Vundo.H) -> Data: system32\tekijuze.dll -> Delete on reboot. Folders Infected: (No malicious items detected) Files Infected: C:\WINDOWS\system32\jureviji.dll (Trojan.Vundo.H) -> Quarantined and deleted successfully. C:\WINDOWS\system32\ijiveruj.ini (Trojan.Vundo.H) -> Quarantined and deleted successfully. C:\WINDOWS\system32\renuvepu.dll (Trojan.Vundo.H) -> Quarantined and deleted successfully. C:\WINDOWS\system32\upevuner.ini (Trojan.Vundo.H) -> Quarantined and deleted successfully. C:\WINDOWS\system32\solumuki.dll (Trojan.Vundo.H) -> Quarantined and deleted successfully. C:\WINDOWS\system32\ikumulos.ini (Trojan.Vundo.H) -> Quarantined and deleted successfully. C:\WINDOWS\system32\vomebufi.dll (Trojan.Vundo.H) -> Quarantined and deleted successfully. C:\WINDOWS\system32\ifubemov.ini (Trojan.Vundo.H) -> Quarantined and deleted successfully. c:\WINDOWS\system32\tekijuze.dll (Trojan.Vundo.H) -> Delete on reboot. C:\WINDOWS\system32\bewudogi.dll (Trojan.Vundo.H) -> Quarantined and deleted successfully. C:\WINDOWS\system32\poruveyo.dll (Trojan.Vundo.H) -> Delete on reboot. C:\Documents and Settings\Owner\Desktop\backups\backup-20081221-160214-988.dll (Trojan.Vundo.H) -> Quarantined and deleted successfully. C:\Documents and Settings\Owner\Desktop\backups\backup-20081221-160230-474.dll (Trojan.Vundo.H) -> Quarantined and deleted successfully. C:\Documents and Settings\Owner\Desktop\backups\backup-20081221-161405-839.dll (Trojan.Vundo.H) -> Quarantined and deleted successfully. C:\Documents and Settings\Owner\Desktop\backups\backup-20081221-161513-680.dll (Trojan.Vundo.H) -> Quarantined and deleted successfully. C:\Documents and Settings\Owner\Desktop\backups\backup-20081221-162114-868.dll (Trojan.Vundo.H) -> Quarantined and deleted successfully. C:\System Volume Information\_restore{70304573-AB33-4072-AA96-4495C42D15E3}\RP93\A0011992.dll (Trojan.Vundo.H) -> Quarantined and deleted successfully. C:\WINDOWS\system32\bowuridi.dll (Trojan.Vundo.H) -> Quarantined and deleted successfully. C:\WINDOWS\system32\ririwefu.dll (Trojan.Vundo.H) -> Quarantined and deleted successfully. Here's the HJT log: Logfile of Trend Micro HijackThis v2.0.0 (BETA) Scan saved at 20:31, on 2008-12-22 Platform: Windows XP SP3 (WinNT 5.01.2600) Boot mode: Normal Running processes: C:\WINDOWS\System32\smss.exe C:\WINDOWS\system32\winlogon.exe C:\WINDOWS\system32\services.exe C:\WINDOWS\system32\lsass.exe C:\WINDOWS\system32\svchost.exe C:\WINDOWS\System32\svchost.exe C:\Program Files\WIDCOMM\Bluetooth Software\bin\btwdins.exe C:\WINDOWS\system32\ZoneLabs\vsmon.exe C:\WINDOWS\system32\spoolsv.exe C:\Program Files\Avira\AntiVir PersonalEdition Classic\sched.exe C:\Program Files\Avira\AntiVir PersonalEdition Classic\avguard.exe C:\Program Files\APC\APC PowerChute Personal Edition\mainserv.exe C:\Program Files\Seagate\Basics\Service\SyncServicesBasics.exe C:\Program Files\Comodo\CBOClean\BOCORE.exe C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE C:\WINDOWS\System32\svchost.exe C:\Program Files\Linksys Wireless-G PCI Network Adapter with SpeedBooster\WLService.exe C:\Program Files\Linksys Wireless-G PCI Network Adapter with SpeedBooster\WMP54GSv1_1.exe C:\WINDOWS\Explorer.EXE C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe C:\windows\system\hpsysdrv.exe C:\Program Files\HP\hpcoretech\hpcmpmgr.exe C:\WINDOWS\System32\hphmon05.exe C:\WINDOWS\system32\VTTimer.exe C:\WINDOWS\AGRSMMSG.exe C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb08.exe C:\Program Files\Network Associates\VirusScan\SHSTAT.EXE C:\Program Files\Network Associates\Common Framework\UpdaterUI.exe C:\Program Files\Common Files\Network Associates\TalkBack\TBMon.exe C:\Program Files\HP\HP Software Update\HPWuSchd2.exe C:\Program Files\2Wire\2PortalMon.exe C:\HP\KBD\KBD.EXE C:\Program Files\Seagate\Basics\Basics Status\MaxMenuMgrBasics.exe C:\PROGRA~1\Comodo\CBOClean\BOC427.exe C:\Program Files\Avira\AntiVir PersonalEdition Classic\avgnt.exe C:\Program Files\BillP Studios\WinPatrol\winpatrol.exe C:\Program Files\QuickTime\QTTask.exe C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe C:\WINDOWS\system32\ctfmon.exe C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe C:\Program Files\Internet Explorer\IEXPLORE.EXE C:\Documents and Settings\Owner\Desktop\HiJackThis_v2.exe C:\Program Files\Java\jre1.6.0_07\bin\jucheck.exe R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157 R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896 R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896 R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157 R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://red.clientapps.yahoo.com/customize/ie/defaults/su/sbcydsl/*http://www.yahoo.com R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = "C:\Program Files\Outlook Express\msimn.exe" R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = localhost;*.local O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll O2 - BHO: VMN Toolbar - {4E7BD74F-2B8D-469E-8DA9-FD60BB9AAE33} - C:\PROGRA~1\VMNTOO~1\VMNTOO~1.DLL O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll O2 - BHO: ZoneAlarm Spy Blocker BHO - {F0D4B231-DA4B-4daf-81E4-DFEE4931A4AA} - C:\Program Files\ZoneAlarmSB\bar\1.bin\SPYBLOCK.DLL O2 - BHO: SidebarAutoLaunch Class - {F2AA9440-6328-4933-B7C9-A6CCDF9CBF6D} - C:\Program Files\Yahoo!\browser\YSidebarIEBHO.dll O3 - Toolbar: VMN Toolbar - {4E7BD74F-2B8D-469E-8DA9-FD60BB9AAE33} - C:\PROGRA~1\VMNTOO~1\VMNTOO~1.DLL O3 - Toolbar: ZoneAlarm Spy Blocker - {F0D4B239-DA4B-4daf-81E4-DFEE4931A4AA} - C:\Program Files\ZoneAlarmSB\bar\1.bin\SPYBLOCK.DLL O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe" O4 - HKLM\..\Run: [hpsysdrv] c:\windows\system\hpsysdrv.exe O4 - HKLM\..\Run: [HP Component Manager] "C:\Program Files\HP\hpcoretech\hpcmpmgr.exe" O4 - HKLM\..\Run: [HPHmon05] C:\WINDOWS\System32\hphmon05.exe O4 - HKLM\..\Run: [Recguard] C:\WINDOWS\SMINST\RECGUARD.EXE O4 - HKLM\..\Run: [VTTimer] VTTimer.exe O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb08.exe O4 - HKLM\..\Run: [ShStatEXE] "C:\Program Files\Network Associates\VirusScan\SHSTAT.EXE" /STANDALONE O4 - HKLM\..\Run: [McAfeeUpdaterUI] "C:\Program Files\Network Associates\Common Framework\UpdaterUI.exe" /StartedFromRunKey O4 - HKLM\..\Run: [Network Associates Error Reporting Service] "C:\Program Files\Common Files\Network Associates\TalkBack\TBMon.exe" O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\HP\HP Software Update\HPWuSchd2.exe O4 - HKLM\..\Run: [2wSysTray] C:\Program Files\2Wire\2PortalMon.exe O4 - HKLM\..\Run: [KBD] C:\HP\KBD\KBD.EXE O4 - HKLM\..\Run: [basicsmssmenu] "C:\Program Files\Seagate\Basics\Basics Status\MaxMenuMgrBasics.exe" O4 - HKLM\..\Run: [BOC-427] C:\PROGRA~1\Comodo\CBOClean\BOC427.exe O4 - HKLM\..\Run: [avgnt] "C:\Program Files\Avira\AntiVir PersonalEdition Classic\avgnt.exe" /min O4 - HKLM\..\Run: [WinPatrol] C:\Program Files\BillP Studios\WinPatrol\winpatrol.exe -expressboot O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime O4 - HKLM\..\Run: [ZoneAlarm Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe" O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe O4 - HKCU\..\Run: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe O4 - HKUS\S-1-5-19\..\Run: [fopugakeli] Rundll32.exe "C:\WINDOWS\system32\boyedoha.dll",s (User 'LOCAL SERVICE') O4 - HKUS\S-1-5-20\..\Run: [fopugakeli] Rundll32.exe "C:\WINDOWS\system32\boyedoha.dll",s (User 'NETWORK SERVICE') O4 - Global Startup: AutorunsDisabled O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll O9 - Extra button: AT&T Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\PROGRA~1\Yahoo!\Common\yiesrvc.dll O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MI1933~1\OFFICE11\REFIEBAR.DLL O9 - Extra button: @btrez.dll,-4015 - {CCA281CA-C863-46ef-9331-5C8D4460577F} - C:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie.htm O9 - Extra 'Tools' menuitem: @btrez.dll,-12650 - {CCA281CA-C863-46ef-9331-5C8D4460577F} - C:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie.htm O16 - DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} (QuickTime Object) - http://a1540.g.akamai.net/7/1540/52/20061205/qtinstall.info.apple.com/qtactivex/qtplugin.cab O16 - DPF: {0CCA191D-13A6-4E29-B746-314DEE697D83} (Facebook Photo Uploader 5 Control) - http://upload.facebook.com/controls/2008.10.10_v5.5.8/FacebookPhotoUploader5.cab O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (Installation Support) - C:\Program Files\Yahoo!\Common\Yinsthelper20073151.dll O16 - DPF: {406B5949-7190-4245-91A9-30A17DE16AD0} (Snapfish Activia) - http://photos.walmart.com/WalmartActivia.cab O16 - DPF: {5C6698D9-7BE4-4122-8EC5-291D84DBD4A0} (Facebook Photo Uploader 4 Control) - http://upload.facebook.com/controls/FacebookPhotoUploader3.cab O16 - DPF: {5F8469B4-B055-49DD-83F7-62B522420ECC} (Facebook Photo Uploader Control) - http://upload.facebook.com/controls/FacebookPhotoUploader.cab O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1173294070000 O16 - DPF: {8714912E-380D-11D5-B8AA-00D0B78F3D48} (Yahoo! Webcam Upload Wrapper) - http://chat.yahoo.com/cab/yuplapp.cab O16 - DPF: {AB86CE53-AC9F-449F-9399-D8ABCA09EC09} (Get_ActiveX Control) - https://h17000.www1.hp.com/ewfrf-JAVA/Secure/HPGetDownloadManager.ocx O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - https://fpdownload.macromedia.com/get/shockwave/cabs/flash/swflash.cab O16 - DPF: {D6E7CFB5-C074-4D1C-B647-663D1A8D96BF} (Facebook Photo Uploader 4) - http://upload.facebook.com/controls/FacebookPhotoUploader4_5.cab O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll O22 - SharedTaskScheduler: Browseui preloader - {438755C2-A8BA-11D1-B96B-00A0C90312E1} - C:\WINDOWS\System32\browseui.dll O22 - SharedTaskScheduler: Component Categories cache daemon - {8C7461EF-2B13-11d2-BE35-3078302C2030} - C:\WINDOWS\System32\browseui.dll O23 - Service: Avira AntiVir Personal - Free Antivirus Scheduler (AntiVirScheduler) - Avira GmbH - C:\Program Files\Avira\AntiVir PersonalEdition Classic\sched.exe O23 - Service: Avira AntiVir Personal - Free Antivirus Guard (AntiVirService) - Avira GmbH - C:\Program Files\Avira\AntiVir PersonalEdition Classic\avguard.exe O23 - Service: APC UPS Service - American Power Conversion Corporation - C:\Program Files\APC\APC PowerChute Personal Edition\mainserv.exe O23 - Service: Basics Service - Seagate Technology LLC - C:\Program Files\Seagate\Basics\Service\SyncServicesBasics.exe O23 - Service: BOCore - COMODO - C:\Program Files\Comodo\CBOClean\BOCORE.exe O23 - Service: Bluetooth Service (btwdins) - Broadcom Corporation. - C:\Program Files\WIDCOMM\Bluetooth Software\bin\btwdins.exe O23 - Service: MySql - Unknown owner - C:/xampp/mysql/bin/mysqld-nt.exe O23 - Service: TrueVector Internet Monitor (vsmon) - Check Point Software Technologies LTD - C:\WINDOWS\system32\ZoneLabs\vsmon.exe O23 - Service: WMP54GSSVC - GEMTEKS - C:\Program Files\Linksys Wireless-G PCI Network Adapter with SpeedBooster\WLService.exe -- End of file - 9951 bytes
OG- I'm still getting the following 2 alerts from WinPatrol in this order (they pop up every 10-15 minutes it seems for no particular reason that I can determine): I'm also getting several alerts from AntiVir when I boot or leave my PC alone for a while. When I started a new IE session I was able to capture the following alert message: I went ahead and ran HJT again, because I noticed I'd get the message above when I opened the last HJT log. One thing I noticed in the log was a reference to C:\WINDOWS\system32\boyedoha.dll which was listed in one of the original alerts that I remember. I've posting my latest HJT log below: Logfile of Trend Micro HijackThis v2.0.0 (BETA) Scan saved at 06:56, on 2008-12-23 Platform: Windows XP SP3 (WinNT 5.01.2600) Boot mode: Normal Running processes: C:\WINDOWS\System32\smss.exe C:\WINDOWS\system32\winlogon.exe C:\WINDOWS\system32\services.exe C:\WINDOWS\system32\lsass.exe C:\WINDOWS\system32\svchost.exe C:\WINDOWS\System32\svchost.exe C:\Program Files\WIDCOMM\Bluetooth Software\bin\btwdins.exe C:\WINDOWS\system32\ZoneLabs\vsmon.exe C:\WINDOWS\system32\spoolsv.exe C:\Program Files\Avira\AntiVir PersonalEdition Classic\sched.exe C:\Program Files\Avira\AntiVir PersonalEdition Classic\avguard.exe C:\Program Files\APC\APC PowerChute Personal Edition\mainserv.exe C:\Program Files\Seagate\Basics\Service\SyncServicesBasics.exe C:\Program Files\Comodo\CBOClean\BOCORE.exe C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE C:\WINDOWS\System32\svchost.exe C:\Program Files\Linksys Wireless-G PCI Network Adapter with SpeedBooster\WLService.exe C:\Program Files\Linksys Wireless-G PCI Network Adapter with SpeedBooster\WMP54GSv1_1.exe C:\WINDOWS\Explorer.EXE C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe C:\windows\system\hpsysdrv.exe C:\Program Files\HP\hpcoretech\hpcmpmgr.exe C:\WINDOWS\System32\hphmon05.exe C:\WINDOWS\system32\VTTimer.exe C:\WINDOWS\AGRSMMSG.exe C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb08.exe C:\Program Files\Network Associates\VirusScan\SHSTAT.EXE C:\Program Files\Network Associates\Common Framework\UpdaterUI.exe C:\Program Files\Common Files\Network Associates\TalkBack\TBMon.exe C:\Program Files\HP\HP Software Update\HPWuSchd2.exe C:\Program Files\2Wire\2PortalMon.exe C:\HP\KBD\KBD.EXE C:\Program Files\Seagate\Basics\Basics Status\MaxMenuMgrBasics.exe C:\PROGRA~1\Comodo\CBOClean\BOC427.exe C:\Program Files\Avira\AntiVir PersonalEdition Classic\avgnt.exe C:\Program Files\BillP Studios\WinPatrol\winpatrol.exe C:\Program Files\QuickTime\QTTask.exe C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe C:\WINDOWS\system32\ctfmon.exe C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe C:\Program Files\Java\jre1.6.0_07\bin\jucheck.exe C:\WINDOWS\system32\taskmgr.exe C:\Program Files\Internet Explorer\IEXPLORE.EXE C:\Documents and Settings\Owner\Desktop\HiJackThis_v2.exe R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157 R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896 R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896 R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157 R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://red.clientapps.yahoo.com/customize/ie/defaults/su/sbcydsl/*http://www.yahoo.com R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = "C:\Program Files\Outlook Express\msimn.exe" R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = localhost;*.local O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll O2 - BHO: VMN Toolbar - {4E7BD74F-2B8D-469E-8DA9-FD60BB9AAE33} - C:\PROGRA~1\VMNTOO~1\VMNTOO~1.DLL O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll O2 - BHO: ZoneAlarm Spy Blocker BHO - {F0D4B231-DA4B-4daf-81E4-DFEE4931A4AA} - C:\Program Files\ZoneAlarmSB\bar\1.bin\SPYBLOCK.DLL O2 - BHO: SidebarAutoLaunch Class - {F2AA9440-6328-4933-B7C9-A6CCDF9CBF6D} - C:\Program Files\Yahoo!\browser\YSidebarIEBHO.dll O3 - Toolbar: VMN Toolbar - {4E7BD74F-2B8D-469E-8DA9-FD60BB9AAE33} - C:\PROGRA~1\VMNTOO~1\VMNTOO~1.DLL O3 - Toolbar: ZoneAlarm Spy Blocker - {F0D4B239-DA4B-4daf-81E4-DFEE4931A4AA} - C:\Program Files\ZoneAlarmSB\bar\1.bin\SPYBLOCK.DLL O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe" O4 - HKLM\..\Run: [hpsysdrv] c:\windows\system\hpsysdrv.exe O4 - HKLM\..\Run: [HP Component Manager] "C:\Program Files\HP\hpcoretech\hpcmpmgr.exe" O4 - HKLM\..\Run: [HPHmon05] C:\WINDOWS\System32\hphmon05.exe O4 - HKLM\..\Run: [Recguard] C:\WINDOWS\SMINST\RECGUARD.EXE O4 - HKLM\..\Run: [VTTimer] VTTimer.exe O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb08.exe O4 - HKLM\..\Run: [ShStatEXE] "C:\Program Files\Network Associates\VirusScan\SHSTAT.EXE" /STANDALONE O4 - HKLM\..\Run: [McAfeeUpdaterUI] "C:\Program Files\Network Associates\Common Framework\UpdaterUI.exe" /StartedFromRunKey O4 - HKLM\..\Run: [Network Associates Error Reporting Service] "C:\Program Files\Common Files\Network Associates\TalkBack\TBMon.exe" O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\HP\HP Software Update\HPWuSchd2.exe O4 - HKLM\..\Run: [2wSysTray] C:\Program Files\2Wire\2PortalMon.exe O4 - HKLM\..\Run: [KBD] C:\HP\KBD\KBD.EXE O4 - HKLM\..\Run: [basicsmssmenu] "C:\Program Files\Seagate\Basics\Basics Status\MaxMenuMgrBasics.exe" O4 - HKLM\..\Run: [BOC-427] C:\PROGRA~1\Comodo\CBOClean\BOC427.exe O4 - HKLM\..\Run: [avgnt] "C:\Program Files\Avira\AntiVir PersonalEdition Classic\avgnt.exe" /min O4 - HKLM\..\Run: [WinPatrol] C:\Program Files\BillP Studios\WinPatrol\winpatrol.exe -expressboot O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime O4 - HKLM\..\Run: [ZoneAlarm Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe" O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe O4 - HKCU\..\Run: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe O4 - HKUS\S-1-5-19\..\Run: [fopugakeli] Rundll32.exe "C:\WINDOWS\system32\boyedoha.dll",s (User 'LOCAL SERVICE') O4 - HKUS\S-1-5-20\..\Run: [fopugakeli] Rundll32.exe "C:\WINDOWS\system32\boyedoha.dll",s (User 'NETWORK SERVICE') O4 - Global Startup: AutorunsDisabled O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll O9 - Extra button: AT&T Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\PROGRA~1\Yahoo!\Common\yiesrvc.dll O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MI1933~1\OFFICE11\REFIEBAR.DLL O9 - Extra button: @btrez.dll,-4015 - {CCA281CA-C863-46ef-9331-5C8D4460577F} - C:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie.htm O9 - Extra 'Tools' menuitem: @btrez.dll,-12650 - {CCA281CA-C863-46ef-9331-5C8D4460577F} - C:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie.htm O16 - DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} (QuickTime Object) - http://a1540.g.akamai.net/7/1540/52/20061205/qtinstall.info.apple.com/qtactivex/qtplugin.cab O16 - DPF: {0CCA191D-13A6-4E29-B746-314DEE697D83} (Facebook Photo Uploader 5 Control) - http://upload.facebook.com/controls/2008.10.10_v5.5.8/FacebookPhotoUploader5.cab O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (Installation Support) - C:\Program Files\Yahoo!\Common\Yinsthelper20073151.dll O16 - DPF: {406B5949-7190-4245-91A9-30A17DE16AD0} (Snapfish Activia) - http://photos.walmart.com/WalmartActivia.cab O16 - DPF: {5C6698D9-7BE4-4122-8EC5-291D84DBD4A0} (Facebook Photo Uploader 4 Control) - http://upload.facebook.com/controls/FacebookPhotoUploader3.cab O16 - DPF: {5F8469B4-B055-49DD-83F7-62B522420ECC} (Facebook Photo Uploader Control) - http://upload.facebook.com/controls/FacebookPhotoUploader.cab O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1173294070000 O16 - DPF: {8714912E-380D-11D5-B8AA-00D0B78F3D48} (Yahoo! Webcam Upload Wrapper) - http://chat.yahoo.com/cab/yuplapp.cab O16 - DPF: {AB86CE53-AC9F-449F-9399-D8ABCA09EC09} (Get_ActiveX Control) - https://h17000.www1.hp.com/ewfrf-JAVA/Secure/HPGetDownloadManager.ocx O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - https://fpdownload.macromedia.com/get/shockwave/cabs/flash/swflash.cab O16 - DPF: {D6E7CFB5-C074-4D1C-B647-663D1A8D96BF} (Facebook Photo Uploader 4) - http://upload.facebook.com/controls/FacebookPhotoUploader4_5.cab O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll O22 - SharedTaskScheduler: Browseui preloader - {438755C2-A8BA-11D1-B96B-00A0C90312E1} - C:\WINDOWS\System32\browseui.dll O22 - SharedTaskScheduler: Component Categories cache daemon - {8C7461EF-2B13-11d2-BE35-3078302C2030} - C:\WINDOWS\System32\browseui.dll O23 - Service: Avira AntiVir Personal - Free Antivirus Scheduler (AntiVirScheduler) - Avira GmbH - C:\Program Files\Avira\AntiVir PersonalEdition Classic\sched.exe O23 - Service: Avira AntiVir Personal - Free Antivirus Guard (AntiVirService) - Avira GmbH - C:\Program Files\Avira\AntiVir PersonalEdition Classic\avguard.exe O23 - Service: APC UPS Service - American Power Conversion Corporation - C:\Program Files\APC\APC PowerChute Personal Edition\mainserv.exe O23 - Service: Basics Service - Seagate Technology LLC - C:\Program Files\Seagate\Basics\Service\SyncServicesBasics.exe O23 - Service: BOCore - COMODO - C:\Program Files\Comodo\CBOClean\BOCORE.exe O23 - Service: Bluetooth Service (btwdins) - Broadcom Corporation. - C:\Program Files\WIDCOMM\Bluetooth Software\bin\btwdins.exe O23 - Service: MySql - Unknown owner - C:/xampp/mysql/bin/mysqld-nt.exe O23 - Service: TrueVector Internet Monitor (vsmon) - Check Point Software Technologies LTD - C:\WINDOWS\system32\ZoneLabs\vsmon.exe O23 - Service: WMP54GSSVC - GEMTEKS - C:\Program Files\Linksys Wireless-G PCI Network Adapter with SpeedBooster\WLService.exe -- End of file - 9984 bytes
@laynegray, 1. Download Combo fix from one of these locations. * IMPORTANT !!! Place combofix.exe on your Desktop http://download.bleepingcomputer.com/sUBs/ComboFix.exe http://subs.geekstogo.com/ComboFix.exe 2. Click start > run and Copy and Paste this in exactly, using the picture below for reference, then click OK. 3. Combo will begin to run DO NOTHING while this is happening. • It will kill a few processes and disconnect you from the internet. • If by chance it stops prematurely you can re-establish your internet connection by restarting your computer. • This needs to be done so the program can work most efficiently for you. Do not attempt to use the internet or anything else while it's doing its job for you. **Understand that things like your system clock changing and your desktop disappearing might happen. Do not worry, because all will be restored later. If when it's completed you can not get on the internet just reboot the computer Post the log from comboFix for me located in c:\comboFix.txt and a fresh HJT Log. 2OG
OG Here is ComboFix Log: ComboFix 08-12-23.01 - Owner 2008-12-23 14:04:10.6 - NTFSx86 Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.447.182 [GMT -6:00] Running from: c:\documents and settings\Owner\desktop\combofix.exe Command switches used :: /killall * Created a new restore point . ((((((((((((((((((((((((((((((((((((((( Other Deletions ))))))))))))))))))))))))))))))))))))))))))))))))) . c:\documents and settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr0.dat c:\documents and settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr1.dat c:\documents and settings\Owner\Application Data\inst.exe c:\program files\Mozilla Firefox\plugins\NPMyGlSh.dll c:\windows\emMON.exe c:\windows\IE4 Error Log.txt c:\windows\system32\diyohobe.dll c:\windows\system32\ewipomog.ini c:\windows\system32\heripihe.dll c:\windows\system32\hetepovo.dll c:\windows\system32\iniyiyiv.ini c:\windows\system32\libodame.dll c:\windows\system32\mafuyiha.dll c:\windows\system32\ojosajub.ini c:\windows\system32\towomosa.dll ----- BITS: Possible infected sites ----- hxxp://77.74.48.101 . ((((((((((((((((((((((((( Files Created from 2008-11-23 to 2008-12-23 ))))))))))))))))))))))))))))))) . 2008-12-13 16:33 . 2008-12-13 16:34 <DIR> d-------- c:\documents and settings\Guest\Application Data\VMNTOOLBAR 2008-12-13 16:30 . 2004-04-01 03:03 <DIR> d-------- c:\documents and settings\Guest\WINDOWS 2008-12-13 16:30 . 2004-04-02 17:04 <DIR> d-------- c:\documents and settings\Guest\Application Data\Symantec 2008-12-13 16:30 . 2004-04-01 15:49 <DIR> d-------- c:\documents and settings\Guest\Application Data\SampleView 2008-12-13 16:30 . 2008-12-13 16:31 <DIR> d-------- c:\documents and settings\Guest 2008-12-13 15:01 . 2008-12-13 15:01 2,713 ---hs---- c:\windows\system32\mebasugu.exe 2008-12-07 16:40 . 2008-12-07 16:40 0 --ah----- c:\windows\system32\drivers\MsftWdf_Kernel_01005_Coinstaller_Critical.Wdf 2008-12-07 16:40 . 2008-12-07 16:40 0 --ah----- c:\windows\system32\drivers\Msft_Kernel_motmodem_01005.Wdf 2008-12-07 13:54 . 2008-11-13 15:18 1,221,008 --a------ c:\windows\system32\zpeng25.dll 2008-12-07 13:54 . 2008-11-13 15:18 110,480 --a------ c:\windows\system32\~GLH0022.TMP 2008-12-03 06:22 . 2008-12-03 07:44 <DIR> d-------- c:\program files\DVDFab 5 2008-12-02 22:17 . 2008-12-03 06:21 <DIR> d-------- c:\documents and settings\All Users\Application Data\1Click DVD Copy Pro 2008-12-02 22:16 . 2008-12-02 22:16 <DIR> d-------- c:\program files\LG Software Innovations 2008-12-02 22:16 . 2008-12-03 06:22 <DIR> d-------- c:\documents and settings\Owner\Application Data\Vso 2008-12-02 22:16 . 2008-12-02 22:16 47,360 --a------ c:\windows\system32\drivers\pcouffin.sys 2008-12-02 22:16 . 2008-12-02 22:16 47,360 --a------ c:\documents and settings\Owner\Application Data\pcouffin.sys 2008-12-02 19:09 . 2008-12-02 19:09 <DIR> d-------- c:\documents and settings\All Users\Application Data\HP Product Assistant 2008-11-28 10:27 . 2008-11-28 10:27 674,816 --a------ c:\windows\system32\nse277.dll 2008-11-26 23:59 . 2008-11-26 23:59 <DIR> d-------- c:\documents and settings\Owner\Application Data\Amazon 2008-11-26 23:56 . 2008-11-26 23:56 <DIR> d-------- c:\program files\Amazon . (((((((((((((((((((((((((((((((((((((((( Find3M Report )))))))))))))))))))))))))))))))))))))))))))))))))))) . 2008-12-23 01:38 --------- d-----w c:\program files\Malwarebytes' Anti-Malware 2008-12-21 22:07 84,020 ----a-w c:\windows\Internet Logs\vsmon_2nd_2008_12_21_16_06_10_small.dmp.zip 2008-12-15 02:33 --------- d-----w c:\documents and settings\Owner\Application Data\vmntoolbar 2008-12-07 21:35 85,510 ----a-w c:\windows\Internet Logs\vsmon_2nd_2008_12_07_15_34_07_small.dmp.zip 2008-12-07 21:18 3,764,035 ----a-w c:\windows\Internet Logs\tvDebug.zip 2008-12-07 21:17 8,704,032 --sha-w c:\windows\system32\drivers\fidbox.dat 2008-12-07 21:17 104,120 --sha-w c:\windows\system32\drivers\fidbox.idx 2008-12-05 12:41 --------- d-----w c:\documents and settings\Owner\Application Data\uTorrent 2008-12-04 01:59 38,496 ----a-w c:\windows\system32\drivers\mbamswissarmy.sys 2008-12-04 01:59 15,504 ----a-w c:\windows\system32\drivers\mbam.sys 2008-11-14 18:57 1,487,872 ----a-w c:\windows\Internet Logs\xDB8.tmp 2008-11-12 03:08 --------- d-----w c:\program files\BitComet 2008-11-11 13:40 --------- d-----w c:\program files\uTorrent 2008-11-11 12:27 --------- d-----w c:\documents and settings\Owner\Application Data\BitTorrent 2008-11-11 01:23 --------- d-----w c:\program files\DNA 2008-11-11 01:23 --------- d-----w c:\program files\BitTorrent 2008-11-11 01:23 --------- d-----w c:\documents and settings\Owner\Application Data\DNA 2008-11-10 14:09 2,846,208 ----a-w c:\windows\Internet Logs\xDB7.tmp 2008-11-07 14:50 2,978,816 ----a-w c:\windows\Internet Logs\xDB5.tmp 2008-11-07 14:50 1,474,560 ----a-w c:\windows\Internet Logs\xDB6.tmp 2008-11-05 14:49 1,471,488 ----a-w c:\windows\Internet Logs\xDB4.tmp 2008-11-04 00:50 --------- d-----w c:\program files\Apple Software Update 2008-11-04 00:24 --------- d-----w c:\program files\iTunes 2008-11-04 00:24 --------- d-----w c:\documents and settings\All Users\Application Data\{3276BE95_AF08_429F_A64F_CA64CB79BCF6} 2008-11-04 00:23 --------- d-----w c:\program files\iPod 2008-11-04 00:23 --------- d-----w c:\program files\Bonjour 2008-11-04 00:23 --------- d-----w c:\documents and settings\All Users\Application Data\Apple Computer 2008-11-04 00:21 --------- d-----w c:\program files\Common Files\Apple 2008-11-03 23:58 --------- d-----w c:\program files\QuickTime 2008-10-31 18:22 1,463,808 ----a-w c:\windows\Internet Logs\xDB3.tmp 2008-10-29 14:29 1,467,392 ----a-w c:\windows\Internet Logs\xDB2.tmp 2008-10-24 11:21 455,296 ----a-w c:\windows\system32\drivers\mrxsmb.sys 2008-10-11 18:16 1,431,040 ----a-w c:\windows\Internet Logs\xDB1.tmp 2008-07-15 13:04 322,560 ----a-w c:\program files\mozilla firefox\components\nsBrowserDc.dll 2008-11-28 16:28 640,512 ----a-w c:\program files\mozilla firefox\components\nsdcads.dll 2008-08-04 14:21 32,768 --sha-w c:\windows\system32\config\systemprofile\Local Settings\History\History.IE5\MSHist012008080420080805\index.dat . ((((((((((((((((((((((((((((((((((((( Reg Loading Points )))))))))))))))))))))))))))))))))))))))))))))))))) . . *Note* empty entries & legit default entries are not shown REGEDIT4 [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run] "ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-13 15360] "SUPERAntiSpyware"="c:\program files\SUPERAntiSpyware\SUPERAntiSpyware.exe" [2008-08-19 1576176] [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run] "SunJavaUpdateSched"="c:\program files\Java\jre1.6.0_07\bin\jusched.exe" [2008-06-10 144784] "hpsysdrv"="c:\windows\system\hpsysdrv.exe" [1998-05-07 52736] "HP Component Manager"="c:\program files\HP\hpcoretech\hpcmpmgr.exe" [2005-01-12 241664] "HPHmon05"="c:\windows\System32\hphmon05.exe" [2003-08-21 483328] "Recguard"="c:\windows\SMINST\RECGUARD.EXE" [2004-04-14 233472] "HPDJ Taskbar Utility"="c:\windows\System32\spool\drivers\w32x86\3\hpztsb08.exe" [2003-03-27 172032] "ShStatEXE"="c:\program files\Network Associates\VirusScan\SHSTAT.EXE" [2004-09-22 94208] "McAfeeUpdaterUI"="c:\program files\Network Associates\Common Framework\UpdaterUI.exe" [2004-08-06 139320] "Network Associates Error Reporting Service"="c:\program files\Common Files\Network Associates\TalkBack\TBMon.exe" [2003-10-07 147514] "HP Software Update"="c:\program files\HP\HP Software Update\HPWuSchd2.exe" [2005-02-16 49152] "2wSysTray"="c:\program files\2Wire\2PortalMon.exe" [2004-09-15 393216] "KBD"="c:\hp\KBD\KBD.EXE" [2005-02-02 61440] "basicsmssmenu"="c:\program files\Seagate\Basics\Basics Status\MaxMenuMgrBasics.exe" [2007-10-09 169328] "BOC-427"="c:\progra~1\Comodo\CBOClean\BOC427.exe" [2008-07-14 351480] "avgnt"="c:\program files\Avira\AntiVir PersonalEdition Classic\avgnt.exe" [2008-06-12 266497] "WinPatrol"="c:\program files\BillP Studios\WinPatrol\winpatrol.exe" [2008-07-04 333120] "QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2008-09-06 413696] "ZoneAlarm Client"="c:\program files\Zone Labs\ZoneAlarm\zlclient.exe" [2008-11-13 981904] "VTTimer"="VTTimer.exe" [2004-01-16 c:\windows\system32\VTTimer.exe] "AGRSMMSG"="AGRSMMSG.exe" [2005-03-04 c:\windows\AGRSMMSG.exe] c:\documents and settings\All Users\Start Menu\Programs\Startup\AutorunsDisabled Adobe Reader Speed Launch.lnk - c:\program files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2008-04-23 29696] Bluetooth.lnk - c:\program files\WIDCOMM\Bluetooth Software\BTTray.exe [2007-04-01 568176] InterVideo WinCinema Manager.lnk - c:\program files\InterVideo\Common\Bin\WinCinemaMgr.exe [2007-01-30 200704] Kodak EasyShare software.lnk - c:\program files\Kodak\Kodak EasyShare software\bin\EasyShare.exe [2008-05-10 282624] [hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks] "{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "c:\program files\SUPERAntiSpyware\SASSEH.DLL" [2008-05-13 77824] [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon] 2008-07-23 15:28 352256 c:\program files\SUPERAntiSpyware\SASWINLO.dll [HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Billminder.lnk] path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Billminder.lnk backup=c:\windows\pss\Billminder.lnkCommon Startup [HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^HotSync Manager.lnk] path=c:\documents and settings\All Users\Start Menu\Programs\Startup\HotSync Manager.lnk backup=c:\windows\pss\HotSync Manager.lnkCommon Startup [HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Kodak software updater.lnk] path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Kodak software updater.lnk backup=c:\windows\pss\Kodak software updater.lnkCommon Startup [HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Quicken Scheduled Updates.lnk] path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Quicken Scheduled Updates.lnk backup=c:\windows\pss\Quicken Scheduled Updates.lnkCommon Startup [HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Updates from HP.lnk] path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Updates from HP.lnk backup=c:\windows\pss\Updates from HP.lnkCommon Startup [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\2wSysTray] --a------ 2004-09-15 02:52 393216 c:\program files\2Wire\2PortalMon.exe [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HP Software Update] --a------ 2005-02-16 22:11 49152 c:\program files\HP\HP Software Update\hpwuSchd2.exe [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\IPInSightMonitor 01] --a------ 2003-07-14 13:30 98304 c:\program files\SBC Yahoo!\Connection Manager\IP Insight\ipmon32.exe [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task] --a------ 2008-09-06 15:09 413696 c:\program files\QuickTime\QTTask.exe [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Reminder] --a------ 2003-12-18 01:31 118784 c:\windows\CREATOR\Remind_XP.exe [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Share-to-Web Namespace Daemon] --a------ 2002-04-17 10:42 69632 c:\program files\HP\HP Share-to-Web\hpgs2wnd.exe [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\UpdateManager] --a------ 2003-08-19 00:01 110592 c:\program files\Common Files\Sonic\Update Manager\sgtray.exe [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\YBrowser] --a------ 2006-07-21 16:19 129536 c:\program files\Yahoo!\browser\ybrwicon.exe [HKEY_LOCAL_MACHINE\software\microsoft\security center] "UpdatesDisableNotify"=dword:00000001 [HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\ZoneLabsFirewall] "DisableMonitoring"=dword:00000001 [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile] "EnableFirewall"= 0 (0x0) [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List] "%windir%\\system32\\sessmgr.exe"= "c:\\Program Files\\Updates from HP\\137903\\Program\\BackWeb-137903.exe"= "c:\\Program Files\\Yahoo!\\Messenger\\yserver.exe"= c:\\Program Files\\Yahoo!\\Messenger\\yserver.exe "c:\\WINDOWS\\system32\\mshta.exe"= "c:\\Program Files\\HP\\HP Software Update\\HPWUCli.exe"= "c:\\WINDOWS\\system32\\fxsclnt.exe"= "c:\\Program Files\\Real\\RealOne Player\\realplay.exe"= "c:\\Program Files\\Mozilla Firefox\\firefox.exe"= "c:\\WINDOWS\\system32\\ftp.exe"= "c:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe"= "%windir%\\Network Diagnostic\\xpnetdiag.exe"= "c:\\Program Files\\Kodak\\Kodak EasyShare software\\bin\\EasyShare.exe"= "c:\\WINDOWS\\system32\\spool\\drivers\\w32x86\\3\\SAGENT4.EXE"= "c:\\Program Files\\Motorola\\Software Update\\msu.exe"= "c:\\Program Files\\Bonjour\\mDNSResponder.exe"= "c:\\Program Files\\iTunes\\iTunes.exe"= "c:\\Program Files\\DNA\\btdna.exe"= "c:\\Program Files\\BitTorrent\\bittorrent.exe"= "c:\\Program Files\\uTorrent\\uTorrent.exe"= "c:\\Program Files\\Linksys Wireless-G PCI Network Adapter with SpeedBooster\\WMP54GSv1_1.exe"= "c:\\Program Files\\QuickTime\\QTTask.exe"= [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List] "3150:UDP"= 3150:UDP:Windows Media Format SDK (IEXPLORE.EXE) "3151:UDP"= 3151:UDP:Windows Media Format SDK (IEXPLORE.EXE) "3152:UDP"= 3152:UDP:Windows Media Format SDK (IEXPLORE.EXE) "7016:TCP"= 7016:TCP:BitComet 7016 TCP "7016:UDP"= 7016:UDP:BitComet 7016 UDP "60069:TCP"= 60069:TCP:BitComet 60069 TCP "60069:UDP"= 60069:UDP:BitComet 60069 UDP R1 NaiAvTdi1;NaiAvTdi1;c:\windows\system32\drivers\mvstdi5x.sys [2005-01-25 58048] R1 SASDIFSV;SASDIFSV;\??\c:\program files\SUPERAntiSpyware\SASDIFSV.SYS [2008-08-19 8944] R1 SASKUTIL;SASKUTIL;\??\c:\program files\SUPERAntiSpyware\SASKUTIL.sys [2008-08-19 55024] R3 SASENUM;SASENUM;\??\c:\program files\SUPERAntiSpyware\SASENUM.SYS [2008-08-19 7408] . Contents of the 'Scheduled Tasks' folder 2008-11-22 c:\windows\Tasks\AppleSoftwareUpdate.job - c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 12:34] 2008-12-18 c:\windows\Tasks\EasyShare Registration Task.job - c:\windows\system32\rundll32.exe [2008-04-13 18:12] 2008-12-23 c:\windows\Tasks\Symantec NetDetect.job - c:\program files\Symantec\LiveUpdate\NDETECT.EXE [2004-07-19 16:26] . . ------- Supplementary Scan ------- . uSearchMigratedDefaultURL = hxxp://search.yahoo.com/search?p={searchTerms}&ei=utf-8&fr=b1ie7 uStart Page = hxxp://www.google.com/ uInternet Connection Wizard,ShellNext = "c:\program files\Outlook Express\msimn.exe" uInternet Settings,ProxyOverride = localhost;*.local uSearchURL,(Default) = hxxp://red.clientapps.yahoo.com/customize/ie/defaults/su/sbcydsl/*http://www.yahoo.com IE: &Search FF - ProfilePath - c:\documents and settings\Owner\Application Data\Mozilla\Firefox\Profiles\vtpphjho.Default User2\ FF - prefs.js: browser.search.defaulturl - hxxp://search.yahoo.com/search?fr=ffsp1&p= FF - prefs.js: browser.search.selectedEngine - Yoog Search FF - prefs.js: browser.startup.homepage - hxxp://www.google.com/ FF - prefs.js: keyword.URL - hxxp://www2.yoog.com/search.php?q= FF - component: c:\program files\Mozilla Firefox\components\nsBrowserDc.dll FF - component: c:\program files\Mozilla Firefox\components\nsdcads.dll FF - plugin: c:\program files\Mozilla Firefox\plugins\npbittorrent.dll FF - plugin: c:\program files\Mozilla Firefox\plugins\NPMyGlSh.dll FF - plugin: c:\program files\Mozilla Firefox\plugins\npsnapfish.dll FF - plugin: c:\program files\Mozilla Firefox\plugins\NPZoneSB.dll FF - plugin: c:\program files\Real\RealOne Player\Netscape6\nppl3260.dll FF - plugin: c:\program files\Real\RealOne Player\Netscape6\nprjplug.dll FF - plugin: c:\program files\Real\RealOne Player\Netscape6\nprpjplug.dll FF - plugin: c:\program files\Yahoo!\Shared\npYState.dll ATTENTION: FIREFOX POLICES IS IN FORCE FF - user.js: browser.search.selectedEngine - Yoog Search FF - user.js: keyword.URL - hxxp://www2.yoog.com/search.php?q= FF - user.js: keyword.enabled - true . ************************************************************************** catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net Rootkit scan 2008-12-23 14:17:45 Windows 5.1.2600 Service Pack 3 NTFS scanning hidden processes ... scanning hidden autostart entries ... scanning hidden files ... scan completed successfully hidden files: 0 ************************************************************************** [HKEY_LOCAL_MACHINE\System\ControlSet003\Services\MySql] "ImagePath"="C:/xampp/mysql/bin/mysqld-nt.exe" [HKEY_LOCAL_MACHINE\System\ControlSet003\Services\MySql] "ImagePath"="C:/xampp/mysql/bin/mysqld-nt.exe" . --------------------- DLLs Loaded Under Running Processes --------------------- - - - - - - - > 'winlogon.exe'(852) c:\program files\SUPERAntiSpyware\SASWINLO.dll . ------------------------ Other Running Processes ------------------------ . c:\program files\WIDCOMM\Bluetooth Software\bin\btwdins.exe c:\windows\system32\ZoneLabs\vsmon.exe c:\program files\Avira\AntiVir PersonalEdition Classic\sched.exe c:\program files\Avira\AntiVir PersonalEdition Classic\avguard.exe c:\program files\APC\APC PowerChute Personal Edition\mainserv.exe c:\program files\Seagate\Basics\Service\SyncServicesBasics.exe c:\program files\Comodo\CBOClean\BOCore.exe c:\program files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE c:\program files\Linksys Wireless-G PCI Network Adapter with SpeedBooster\WLService.exe c:\program files\Linksys Wireless-G PCI Network Adapter with SpeedBooster\WMP54GSv1_1.exe c:\program files\Java\jre1.6.0_07\bin\jucheck.exe . ************************************************************************** . Completion time: 2008-12-23 14:34:14 - machine was rebooted ComboFix-quarantined-files.txt 2008-12-23 20:34:05 Pre-Run: 76,694,327,296 bytes free Post-Run: 78,442,287,104 bytes free 274 --- E O F --- 2008-11-13 09:11:00 Here is latest HJT log: Logfile of Trend Micro HijackThis v2.0.0 (BETA) Scan saved at 14:54, on 2008-12-23 Platform: Windows XP SP3 (WinNT 5.01.2600) Boot mode: Normal Running processes: C:\WINDOWS\System32\smss.exe C:\WINDOWS\system32\winlogon.exe C:\WINDOWS\system32\services.exe C:\WINDOWS\system32\lsass.exe C:\WINDOWS\system32\svchost.exe C:\WINDOWS\System32\svchost.exe C:\Program Files\WIDCOMM\Bluetooth Software\bin\btwdins.exe C:\WINDOWS\system32\ZoneLabs\vsmon.exe C:\WINDOWS\system32\spoolsv.exe C:\Program Files\Avira\AntiVir PersonalEdition Classic\sched.exe C:\Program Files\Avira\AntiVir PersonalEdition Classic\avguard.exe C:\Program Files\APC\APC PowerChute Personal Edition\mainserv.exe C:\Program Files\Seagate\Basics\Service\SyncServicesBasics.exe C:\Program Files\Comodo\CBOClean\BOCORE.exe C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE C:\WINDOWS\System32\svchost.exe C:\Program Files\Linksys Wireless-G PCI Network Adapter with SpeedBooster\WLService.exe C:\Program Files\Linksys Wireless-G PCI Network Adapter with SpeedBooster\WMP54GSv1_1.exe C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe C:\windows\system\hpsysdrv.exe C:\Program Files\HP\hpcoretech\hpcmpmgr.exe C:\WINDOWS\System32\hphmon05.exe C:\WINDOWS\system32\VTTimer.exe C:\WINDOWS\AGRSMMSG.exe C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb08.exe C:\Program Files\Network Associates\VirusScan\SHSTAT.EXE C:\Program Files\Network Associates\Common Framework\UpdaterUI.exe C:\Program Files\Common Files\Network Associates\TalkBack\TBMon.exe C:\Program Files\HP\HP Software Update\HPWuSchd2.exe C:\Program Files\2Wire\2PortalMon.exe C:\HP\KBD\KBD.EXE C:\Program Files\Seagate\Basics\Basics Status\MaxMenuMgrBasics.exe C:\Program Files\Avira\AntiVir PersonalEdition Classic\avgnt.exe C:\Program Files\BillP Studios\WinPatrol\winpatrol.exe C:\Program Files\QuickTime\QTTask.exe C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe C:\WINDOWS\system32\ctfmon.exe C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe C:\Program Files\Java\jre1.6.0_07\bin\jucheck.exe C:\WINDOWS\explorer.exe C:\WINDOWS\system32\notepad.exe C:\Program Files\Internet Explorer\IEXPLORE.EXE C:\WINDOWS\system32\wuauclt.exe C:\Documents and Settings\Owner\Desktop\HiJackThis_v2.exe R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157 R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896 R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896 R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157 R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://red.clientapps.yahoo.com/customize/ie/defaults/su/sbcydsl/*http://www.yahoo.com R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = "C:\Program Files\Outlook Express\msimn.exe" R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = localhost;*.local O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll O2 - BHO: VMN Toolbar - {4E7BD74F-2B8D-469E-8DA9-FD60BB9AAE33} - C:\PROGRA~1\VMNTOO~1\VMNTOO~1.DLL O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll O2 - BHO: ZoneAlarm Spy Blocker BHO - {F0D4B231-DA4B-4daf-81E4-DFEE4931A4AA} - C:\Program Files\ZoneAlarmSB\bar\1.bin\SPYBLOCK.DLL O2 - BHO: SidebarAutoLaunch Class - {F2AA9440-6328-4933-B7C9-A6CCDF9CBF6D} - C:\Program Files\Yahoo!\browser\YSidebarIEBHO.dll O3 - Toolbar: VMN Toolbar - {4E7BD74F-2B8D-469E-8DA9-FD60BB9AAE33} - C:\PROGRA~1\VMNTOO~1\VMNTOO~1.DLL O3 - Toolbar: ZoneAlarm Spy Blocker - {F0D4B239-DA4B-4daf-81E4-DFEE4931A4AA} - C:\Program Files\ZoneAlarmSB\bar\1.bin\SPYBLOCK.DLL O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe" O4 - HKLM\..\Run: [hpsysdrv] c:\windows\system\hpsysdrv.exe O4 - HKLM\..\Run: [HP Component Manager] "C:\Program Files\HP\hpcoretech\hpcmpmgr.exe" O4 - HKLM\..\Run: [HPHmon05] C:\WINDOWS\System32\hphmon05.exe O4 - HKLM\..\Run: [Recguard] C:\WINDOWS\SMINST\RECGUARD.EXE O4 - HKLM\..\Run: [VTTimer] VTTimer.exe O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb08.exe O4 - HKLM\..\Run: [ShStatEXE] "C:\Program Files\Network Associates\VirusScan\SHSTAT.EXE" /STANDALONE O4 - HKLM\..\Run: [McAfeeUpdaterUI] "C:\Program Files\Network Associates\Common Framework\UpdaterUI.exe" /StartedFromRunKey O4 - HKLM\..\Run: [Network Associates Error Reporting Service] "C:\Program Files\Common Files\Network Associates\TalkBack\TBMon.exe" O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\HP\HP Software Update\HPWuSchd2.exe O4 - HKLM\..\Run: [2wSysTray] C:\Program Files\2Wire\2PortalMon.exe O4 - HKLM\..\Run: [KBD] C:\HP\KBD\KBD.EXE O4 - HKLM\..\Run: [basicsmssmenu] "C:\Program Files\Seagate\Basics\Basics Status\MaxMenuMgrBasics.exe" O4 - HKLM\..\Run: [BOC-427] C:\PROGRA~1\Comodo\CBOClean\BOC427.exe O4 - HKLM\..\Run: [avgnt] "C:\Program Files\Avira\AntiVir PersonalEdition Classic\avgnt.exe" /min O4 - HKLM\..\Run: [WinPatrol] C:\Program Files\BillP Studios\WinPatrol\winpatrol.exe -expressboot O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime O4 - HKLM\..\Run: [ZoneAlarm Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe" O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe O4 - HKCU\..\Run: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe O4 - Global Startup: AutorunsDisabled O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll O9 - Extra button: AT&T Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\PROGRA~1\Yahoo!\Common\yiesrvc.dll O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MI1933~1\OFFICE11\REFIEBAR.DLL O9 - Extra button: @btrez.dll,-4015 - {CCA281CA-C863-46ef-9331-5C8D4460577F} - C:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie.htm O9 - Extra 'Tools' menuitem: @btrez.dll,-12650 - {CCA281CA-C863-46ef-9331-5C8D4460577F} - C:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie.htm O16 - DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} (QuickTime Object) - http://a1540.g.akamai.net/7/1540/52/20061205/qtinstall.info.apple.com/qtactivex/qtplugin.cab O16 - DPF: {0CCA191D-13A6-4E29-B746-314DEE697D83} (Facebook Photo Uploader 5 Control) - http://upload.facebook.com/controls/2008.10.10_v5.5.8/FacebookPhotoUploader5.cab O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (Installation Support) - C:\Program Files\Yahoo!\Common\Yinsthelper20073151.dll O16 - DPF: {406B5949-7190-4245-91A9-30A17DE16AD0} (Snapfish Activia) - http://photos.walmart.com/WalmartActivia.cab O16 - DPF: {5C6698D9-7BE4-4122-8EC5-291D84DBD4A0} (Facebook Photo Uploader 4 Control) - http://upload.facebook.com/controls/FacebookPhotoUploader3.cab O16 - DPF: {5F8469B4-B055-49DD-83F7-62B522420ECC} (Facebook Photo Uploader Control) - http://upload.facebook.com/controls/FacebookPhotoUploader.cab O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1173294070000 O16 - DPF: {8714912E-380D-11D5-B8AA-00D0B78F3D48} (Yahoo! Webcam Upload Wrapper) - http://chat.yahoo.com/cab/yuplapp.cab O16 - DPF: {AB86CE53-AC9F-449F-9399-D8ABCA09EC09} (Get_ActiveX Control) - https://h17000.www1.hp.com/ewfrf-JAVA/Secure/HPGetDownloadManager.ocx O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - https://fpdownload.macromedia.com/get/shockwave/cabs/flash/swflash.cab O16 - DPF: {D6E7CFB5-C074-4D1C-B647-663D1A8D96BF} (Facebook Photo Uploader 4) - http://upload.facebook.com/controls/FacebookPhotoUploader4_5.cab O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll O22 - SharedTaskScheduler: Browseui preloader - {438755C2-A8BA-11D1-B96B-00A0C90312E1} - C:\WINDOWS\System32\browseui.dll O22 - SharedTaskScheduler: Component Categories cache daemon - {8C7461EF-2B13-11d2-BE35-3078302C2030} - C:\WINDOWS\System32\browseui.dll O23 - Service: Avira AntiVir Personal - Free Antivirus Scheduler (AntiVirScheduler) - Avira GmbH - C:\Program Files\Avira\AntiVir PersonalEdition Classic\sched.exe O23 - Service: Avira AntiVir Personal - Free Antivirus Guard (AntiVirService) - Avira GmbH - C:\Program Files\Avira\AntiVir PersonalEdition Classic\avguard.exe O23 - Service: APC UPS Service - American Power Conversion Corporation - C:\Program Files\APC\APC PowerChute Personal Edition\mainserv.exe O23 - Service: Basics Service - Seagate Technology LLC - C:\Program Files\Seagate\Basics\Service\SyncServicesBasics.exe O23 - Service: BOCore - COMODO - C:\Program Files\Comodo\CBOClean\BOCORE.exe O23 - Service: Bluetooth Service (btwdins) - Broadcom Corporation. - C:\Program Files\WIDCOMM\Bluetooth Software\bin\btwdins.exe O23 - Service: MySql - Unknown owner - C:/xampp/mysql/bin/mysqld-nt.exe O23 - Service: TrueVector Internet Monitor (vsmon) - Check Point Software Technologies LTD - C:\WINDOWS\system32\ZoneLabs\vsmon.exe O23 - Service: WMP54GSSVC - GEMTEKS - C:\Program Files\Linksys Wireless-G PCI Network Adapter with SpeedBooster\WLService.exe -- End of file - 9747 bytes
Looks like it picked up some stuff... It will take me a little time to go through it so, in the meantime let me know how your pc is acting i.e. any problems? 2OG
@laynegray, Are you still getting flags from WinPatrol? It also looks like Yoog Search has taken over for your Google search engine. This is one that I’m not familiar with. From the looks of my searches it may be a bear to get rid of and very well may be what is changing your .REG and .SCR file type associations. There are Trojans that have used .SCR to do their dirty work. Please let me know what is going on with your pc now, so that I can have a target to shoot at. 2OG
OG- I hope you had a Merry Christmas!! I am still getting flags from WinPatrol. I'm also getting the warning windows from AntiVir, similar to what I've previously posted. laynegray
Setvari.dll is a leftover from a Trojan that MBAM removed, your HJT Log doesn’t show it as a starter anymore. Allow Antivir to delete it or search and delete using Windows Explorer. c:\windows\system32\setevari.dll As to the changes to .REG and .SCR that Win Patrol disapproves of, it very well could be a legitimate program making those changes. I would suggest Allow the changes by clicking yes in WinPatrol and then later, if you have problems, you can reverse the situation by running SpyBot S&D and correct them back to original status until you discover what is making the change. 2OG
2OG, As you have graciusly helped me in the past I was wondering if you could have a look at my HJT logfile. The computer freezes intermitintly and I am unable to update adobe, Windows or java. If you could help I would greatly apreciate it. Thanks Fire2701
Hi fire2701, I checked your HJT Log in the other thread and it’s as clean as an Old Maid’s Parlor.. How much RAM do you have? Is your Page File (virtual memory) turned on and set for about 1 ½ times RAM? How much space do you have left on your Hard Drive? Sounds like you may be trying to put 10lbs of stuff in a 5lb bag….. 2OG
@2OG- Thank you again for all of your help!! I've allowed WinPatrol to make changes and have noted no ill effects. I was able to delete the lingering objects that AntiVir was detecting as well. Everything is running smoothly again and just in time for the new year! I hope you had a Merry Christmas and happiest of New Years!! laynegray
