How to UNINSTALL the Windows Anti-Virus 2009?

Discussion in 'Windows - Virus and spyware problems' started by team59, Nov 14, 2008.

  1. team59

    team59 Member

    My friend's computer is infected with some viruses. I downloaded AVG and installed it on his computer, and I think it works fine.

    But there is another anti-virus program that pops up all the time asking him to register to buy. I think it's the "Windows Security Center", which is officially from Windows and came with his computer when he bought it. It says your computer is infected with a virus: Anti-Virus 2009, ABC Anti-virus needs an update, get real/full protection now (something like this), and asks him to register.

    I tried going to Control Panel and Add/Remove Programs. I saw it there, but it does not let me uninstall it (once I click on the install/uninstall button, it says "the program has already been installed", and at the same time does not give me a choice to uninstall it).

    Please suggest a way to turn this off or uninstall it. It pops up all the time, almost every time he turns on the Internet. Any advice is greatly appreciated. Thank you so much.
     
  2. LOCOENG

    LOCOENG Moderator Staff Member

  3. cdavfrew

    cdavfrew Regular member

    Hi team59

    Here are the instructions for downloading and scanning with Malwarebytes:

    Please download Malwarebytes Anti-Malware and install it. Follow the prompts and reboot if required.

    Launch Malwarebytes either by running C:\Program Files\Malwarebytes' Anti-Malware\mbam.exe or double-click the Malwarebytes' Anti-Malware shortcut on your Desktop.

    Configuring Malwarebytes

    • Click on the tab Settings.
    • Make sure only these boxes are checked:
    Code:
    Terminate Internet Explorer
    Automatically save and display logfile after removal
    Always scan memory objects
    Always scan registry objects
    Always scan filesystem
    Always scan extra and heuristics objects
    Updating Malwarebytes

    • Click on the tab Update.
    • Press the button Check for Updates
    • Wait for Malwarebytes to be fully updated.

    Scanning Time

    • Click on the tab Scanner.
    • Check Perform full scan and click on Scan
    • Wait for the scan to complete, and then click on Show Results.
    • Make sure all items are checked, then click on Remove Selected.
    **If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts. Click OK to either and let MBAM proceed with the disinfection process. If you are asked to restart the computer, please do so immediately.

    Post A Log

    • A text box will pop up after the removal process is over. Post the contents of the text here.
    • If no text box pops up, launch Malwarebytes, and click on the tab Logs.
    • The logs will appear as mbam-log-*date-*time.txt. Select the latest one, and then click on Open.
    Post the log here.

    Best Regards :D
     
  4. jostaxqi

    jostaxqi Guest

    Post the log here.

    Malwarebytes' Anti-Malware 1.30
    Database version: 1399
    Windows 5.1.2600 Service Pack 2

    15/11/2008 07:28:57 a.m.
    mbam-log-2008-11-15 (07-28-57).txt

    Scan type: Full Scan (C:\|D:\|E:\|F:\|H:\|)
    Objects scanned: 107654
    Time elapsed: 23 minute(s), 32 second(s)

    Memory Processes Infected: 1
    Memory Modules Infected: 1
    Registry Keys Infected: 3
    Registry Values Infected: 2
    Registry Data Items Infected: 0
    Folders Infected: 2
    Files Infected: 10

    Memory Processes Infected:
    C:\Archivos de programa\Antivirus 2009\av2009.exe (Rogue.Antivirus 2009) -> Unloaded process successfully.

    Memory Modules Infected:
    C:\WINDOWS\system32\winsrc.dll (Adware.Search Toolbar) -> Delete on reboot.

    Registry Keys Infected:
    HKEY_CLASSES_ROOT\CLSID\{037c7b8a-151a-49e6-baed-cc05fcb50328} (Trojan.BHO) -> Quarantined and deleted successfully.
    HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{037c7b8a-151a-49e6-baed-cc05fcb50328} (Trojan.BHO) -> Quarantined and deleted successfully.
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{037c7b8a-151a-49e6-baed-cc05fcb50328} (Trojan.BHO) -> Quarantined and deleted successfully.

    Registry Values Infected:
    HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\74227451837380140119866898139275 (Rogue.Antivirus 2009) -> Quarantined and deleted successfully.
    HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\IEUpdate (Trojan.Agent) -> Quarantined and deleted successfully.

    Registry Data Items Infected:
    (No malicious items detected)

    Folders Infected:
    C:\Archivos de programa\Antivirus 2009 (Rogue.Antivirus 2009) -> Quarantined and deleted successfully.
    C:\Documents and Settings\PC\Menú Inicio\Antivirus 2009 (Rogue.Antivirus2008) -> Quarantined and deleted successfully.

    Files Infected:
    C:\WINDOWS\system32\winsrc.dll (Trojan.BHO) -> Delete on reboot.
    C:\Archivos de programa\Antivirus 2009\av2009.exe (Rogue.Antivirus 2009) -> Quarantined and deleted successfully.
    C:\Documents and Settings\PC\Menú Inicio\Antivirus 2009\Antivirus 2009.lnk (Rogue.Antivirus2008) -> Quarantined and deleted successfully.
    C:\Documents and Settings\PC\Menú Inicio\Antivirus 2009\Uninstall Antivirus 2009.lnk (Rogue.Antivirus2008) -> Quarantined and deleted successfully.
    C:\Documents and Settings\PC\Datos de programa\Microsoft\Internet Explorer\Quick Launch\Antivirus 2009.lnk (Rogue.Antivirus2008) -> Quarantined and deleted successfully.
    C:\WINDOWS\system32\explorer32.exe (Trojan.Agent) -> Quarantined and deleted successfully.
    C:\WINDOWS\system32\ieupdates.exe (Trojan.Agent) -> Quarantined and deleted successfully.
    C:\WINDOWS\system32\serauth1.dll (Trojan.Agent) -> Quarantined and deleted successfully.
    C:\WINDOWS\system32\serauth2.dll (Trojan.Agent) -> Quarantined and deleted successfully.
    C:\Documents and Settings\PC\Escritorio\Antivirus 2009.lnk (Rogue.Antivirus) -> Quarantined and deleted successfully.
     
  5. cdavfrew

    cdavfrew Regular member

    Oops... wrong advice given. jostaxqi, please open a new thread.
     
    Last edited: Nov 16, 2008
  6. team59

    team59 Member

    Hi...cdavfrew,

    Thank you so much for your kind response. Actually the earlier log (from jostaxqi) was not mine. Maybe the guy had the same problem :d.

    Here is the log from my friend's computer. Should I also do the same thing (run the combofix) that you recommended?

    Again, really appreciate your help. This is such a great site with lots of kind people....


    Malwarebytes' Anti-Malware 1.30
    Database version: 1401
    Windows 5.1.2600 Service Pack 3

    11/15/2008 7:05:23 PM
    mbam-log-2008-11-15 (19-05-23).txt

    Scan type: Full Scan (C:\|)
    Objects scanned: 215875
    Time elapsed: 2 hour(s), 1 minute(s), 51 second(s)

    Memory Processes Infected: 0
    Memory Modules Infected: 0
    Registry Keys Infected: 5
    Registry Values Infected: 4
    Registry Data Items Infected: 0
    Folders Infected: 8
    Files Infected: 31

    Memory Processes Infected:
    (No malicious items detected)

    Memory Modules Infected:
    (No malicious items detected)

    Registry Keys Infected:
    HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{3ba4271e-5c1e-48e2-b432-d8bf420dd31d} (Rogue.DeusCleaner) -> Quarantined and deleted successfully.
    HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{1a26f07f-0d60-4835-91cf-1e1766a0ec56} (Trojan.Agent) -> Quarantined and deleted successfully.
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\xp_antispyware (Rogue.XPAntiSpyware) -> Quarantined and deleted successfully.
    HKEY_LOCAL_MACHINE\SOFTWARE\XP_Antispyware (Rogue.XPAntiSpyware) -> Quarantined and deleted successfully.
    HKEY_CLASSES_ROOT\videoPl.chl (Trojan.Zlob) -> Quarantined and deleted successfully.

    Registry Values Infected:
    HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\URLSearchHooks\{4d25f926-b9fe-4682-bf72-8ab8210d6d75} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
    HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\25339984827873171405486202040556 (Rogue.Antivirus 2009) -> Quarantined and deleted successfully.
    HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\brastk (Trojan.FakeAlert) -> Quarantined and deleted successfully.
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\brastk (Trojan.FakeAlert) -> Quarantined and deleted successfully.

    Registry Data Items Infected:
    (No malicious items detected)

    Folders Infected:
    C:\Program Files\Antivirus 2009 (Rogue.Antivirus 2009) -> Quarantined and deleted successfully.
    C:\Program Files\XP_Antispyware (Rogue.XPAntiSpyware) -> Quarantined and deleted successfully.
    C:\Program Files\XP_Antispyware\data (Rogue.XPAntiSpyware) -> Quarantined and deleted successfully.
    C:\Program Files\XP_Antispyware\Microsoft.VC80.CRT (Rogue.XPAntiSpyware) -> Quarantined and deleted successfully.
    C:\Documents and Settings\Somdej.old\Application Data\ultra (Rogue.Multiple) -> Quarantined and deleted successfully.
    C:\Documents and Settings\Sam\Start Menu\Antivirus 2009 (Rogue.Antivirus2008) -> Quarantined and deleted successfully.
    C:\Documents and Settings\sandy1_2\Start Menu\Programs\XP_Antispyware (Rogue.XPAntiSpyware) -> Quarantined and deleted successfully.
    C:\Documents and Settings\Sam\Start Menu\Programs\XP_Antispyware (Rogue.XPAntiSpyware) -> Quarantined and deleted successfully.

    Files Infected:
    C:\Program Files\XP_Antispyware\htmlayout.dll (Rogue.AntivirusPro2009) -> Quarantined and deleted successfully.
    C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP1048\A0155647.dll (Rogue.AntivirusPro2009) -> Quarantined and deleted successfully.
    C:\Program Files\Antivirus 2009\av2009.exe (Rogue.Antivirus 2009) -> Quarantined and deleted successfully.
    C:\Program Files\XP_Antispyware\pthreadVC2.dll (Rogue.XPAntiSpyware) -> Quarantined and deleted successfully.
    C:\Program Files\XP_Antispyware\XP_Antispyware.cfg (Rogue.XPAntiSpyware) -> Quarantined and deleted successfully.
    C:\Program Files\XP_Antispyware\data\daily.cvd (Rogue.XPAntiSpyware) -> Quarantined and deleted successfully.
    C:\Program Files\XP_Antispyware\Microsoft.VC80.CRT\Microsoft.VC80.CRT.manifest (Rogue.XPAntiSpyware) -> Quarantined and deleted successfully.
    C:\Program Files\XP_Antispyware\Microsoft.VC80.CRT\msvcm80.dll (Rogue.XPAntiSpyware) -> Quarantined and deleted successfully.
    C:\Program Files\XP_Antispyware\Microsoft.VC80.CRT\msvcp80.dll (Rogue.XPAntiSpyware) -> Quarantined and deleted successfully.
    C:\Program Files\XP_Antispyware\Microsoft.VC80.CRT\msvcr80.dll (Rogue.XPAntiSpyware) -> Quarantined and deleted successfully.
    C:\Documents and Settings\Somdej.old\Application Data\ultra\ultra.inf (Rogue.Multiple) -> Quarantined and deleted successfully.
    C:\Documents and Settings\Somdej.old\Application Data\ultra\uninstall.bat (Rogue.Multiple) -> Quarantined and deleted successfully.
    C:\Documents and Settings\Sam\Start Menu\Antivirus 2009\Antivirus 2009.lnk (Rogue.Antivirus2008) -> Quarantined and deleted successfully.
    C:\Documents and Settings\Sam\Start Menu\Antivirus 2009\Uninstall Antivirus 2009.lnk (Rogue.Antivirus2008) -> Quarantined and deleted successfully.
    C:\Documents and Settings\sandy1_2\Start Menu\Programs\XP_Antispyware\Uninstall.lnk (Rogue.XPAntiSpyware) -> Quarantined and deleted successfully.
    C:\Documents and Settings\sandy1_2\Start Menu\Programs\XP_Antispyware\XP_Antispyware.lnk (Rogue.XPAntiSpyware) -> Quarantined and deleted successfully.
    C:\Documents and Settings\Sam\Start Menu\Programs\XP_Antispyware\Uninstall.lnk (Rogue.XPAntiSpyware) -> Quarantined and deleted successfully.
    C:\Documents and Settings\Sam\Start Menu\Programs\XP_Antispyware\XP_Antispyware.lnk (Rogue.XPAntiSpyware) -> Quarantined and deleted successfully.
    C:\WINDOWS\hosts (Trojan.Agent) -> Quarantined and deleted successfully.
    C:\WINDOWS\inf\ultra.inf (Malware.Trace) -> Quarantined and deleted successfully.
    C:\WINDOWS\inf\ultra.PNF (Malware.Trace) -> Quarantined and deleted successfully.
    C:\Documents and Settings\sandy1_2\Desktop\XP_Antispyware.lnk (Rogue.XPAntiSpyware) -> Quarantined and deleted successfully.
    C:\Documents and Settings\Sam\Desktop\XP_Antispyware.lnk (Rogue.XPAntiSpyware) -> Quarantined and deleted successfully.
    C:\Documents and Settings\sandy1_2\Application Data\Microsoft\Internet Explorer\Quick Launch\XP_Antispyware.lnk (Rogue.XPAntiSpyware) -> Quarantined and deleted successfully.
    C:\Documents and Settings\Sam\Application Data\Microsoft\Internet Explorer\Quick Launch\XP_Antispyware.lnk (Rogue.XPAntiSpyware) -> Quarantined and deleted successfully.
    C:\Documents and Settings\Sam\Desktop\Antivirus 2009.lnk (Rogue.Antivirus) -> Quarantined and deleted successfully.
    C:\Documents and Settings\Sam\Application Data\Microsoft\Internet Explorer\Quick Launch\Antivirus 2009.lnk (Rogue.Antivirus2008) -> Quarantined and deleted successfully.
    C:\Documents and Settings\sandy1_2\Application Data\ejejujej.dll (Trojan.Agent) -> Quarantined and deleted successfully.
    C:\Documents and Settings\Sam\Local Settings\Temp\wrdwn4 (Trojan.FakeAlert) -> Quarantined and deleted successfully.
    C:\Documents and Settings\Sam\Local Settings\Temp\wrdwn5 (Trojan.FakeAlert) -> Quarantined and deleted successfully.
    C:\Documents and Settings\Sam\Local Settings\Temp\wrdwn7 (Trojan.FakeAlert) -> Quarantined and deleted successfully
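
The two Malwarebytes logs posted in this thread (jostaxqi's and team59's) share one layout: a summary block of per-section counts, then one detail line per item in the form "location (Family) -> action". When a helper asks for "the log" (the "Post A Log" step in cdavfrew's instructions), the first things worth checking are whether the pasted detail lines actually add up to the declared counts (a mismatch means the paste was cut short), which items are still waiting on a reboot, and which detections sit in autostart locations. The parser below is an added example, not code from the thread or from Malwarebytes; the embedded log is constructed from the kinds of entries seen above, with made-up counts, and the section names and line format it expects are those of the 1.x logs shown here.

```python
import re
from collections import Counter

# Constructed sample in the Malwarebytes' Anti-Malware 1.x log layout seen in the
# thread. Entries are modelled on the ones posted there, but the counts and the
# selection of lines are made up so the example stays short.
SAMPLE_LOG = r"""Malwarebytes' Anti-Malware 1.30
Database version: 1401
Windows 5.1.2600 Service Pack 3

11/15/2008 7:05:23 PM
mbam-log-2008-11-15 (19-05-23).txt

Scan type: Full Scan (C:\|)
Objects scanned: 215875
Time elapsed: 2 hour(s), 1 minute(s), 51 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 1
Registry Keys Infected: 1
Registry Values Infected: 2
Registry Data Items Infected: 0
Folders Infected: 1
Files Infected: 2

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
C:\WINDOWS\system32\winsrc.dll (Adware.Search Toolbar) -> Delete on reboot.

Registry Keys Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\XP_Antispyware (Rogue.XPAntiSpyware) -> Quarantined and deleted successfully.

Registry Values Infected:
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\brastk (Trojan.FakeAlert) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\brastk (Trojan.FakeAlert) -> Quarantined and deleted successfully.

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
C:\Program Files\Antivirus 2009 (Rogue.Antivirus 2009) -> Quarantined and deleted successfully.

Files Infected:
C:\Program Files\Antivirus 2009\av2009.exe (Rogue.Antivirus 2009) -> Quarantined and deleted successfully.
C:\WINDOWS\hosts (Trojan.Agent) -> Quarantined and deleted successfully.
"""

# The same log with its last detail line dropped, the way a paste cut short would look.
TRUNCATED_LOG = SAMPLE_LOG.replace(
    "C:\\WINDOWS\\hosts (Trojan.Agent) -> Quarantined and deleted successfully.\n", "")

COUNT_RE = re.compile(r"^(?P<section>[A-Za-z ]+ Infected): (?P<count>\d+)$")
SECTION_RE = re.compile(r"^(?P<section>[A-Za-z ]+ Infected):$")
ITEM_RE = re.compile(r"^(?P<location>.+?) \((?P<family>[^()]+)\) -> (?P<action>.+?)\.?$")
# Locations that relaunch code at logon or inside the browser (Run values, BHO/CLSID keys).
PERSISTENCE_RE = re.compile(
    r"\\CurrentVersion\\Run\\|\\Browser Helper Objects\\|^HKEY_CLASSES_ROOT\\CLSID\\", re.IGNORECASE)


def parse_mbam_log(text):
    """Return (summary_counts, items): declared per-section counts and one dict per detail line."""
    counts, items, section = {}, [], None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = COUNT_RE.match(line)
        if m:                      # summary block: "Files Infected: 31"
            counts[m.group("section")] = int(m.group("count"))
            continue
        m = SECTION_RE.match(line)
        if m:                      # detail header: "Files Infected:"
            section = m.group("section")
            continue
        if section is None or line.startswith("(No malicious items"):
            continue
        m = ITEM_RE.match(line)
        if m:
            items.append({"section": section, "location": m.group("location"),
                          "family": m.group("family"), "action": m.group("action")})
    return counts, items


def check_counts(counts, items):
    """Sections whose declared count differs from the detail lines present: {section: (declared, seen)}."""
    seen = Counter(item["section"] for item in items)
    return {s: (n, seen.get(s, 0)) for s, n in counts.items() if n != seen.get(s, 0)}


def pending_reboot(items):
    """Locations MBAM could only schedule for deletion; they stay on disk until the restart happens."""
    return [item["location"] for item in items if item["action"].lower().startswith("delete on reboot")]


def persistence_entries(items):
    """Autostart and browser-extension locations among the detections."""
    return [item for item in items if PERSISTENCE_RE.search(item["location"])]


def families(items):
    """How many detections each threat family accounts for."""
    return Counter(item["family"] for item in items)


if __name__ == "__main__":
    counts, items = parse_mbam_log(SAMPLE_LOG)
    print("count mismatches:", check_counts(counts, items))
    print("pending reboot:", pending_reboot(items))
    print("persistence:", [i["location"] for i in persistence_entries(items)])
    print("families:", dict(families(items)))
    t_counts, t_items = parse_mbam_log(TRUNCATED_LOG)
    print("truncated log mismatches:", check_counts(t_counts, t_items))
```

Run it against a real mbam-log-*.txt by reading the file into parse_mbam_log. A non-empty result from check_counts is the cue to ask for the log again before acting on it; a non-empty pending_reboot list means the machine has not actually been cleaned until it has restarted, which is why the instructions above insist on rebooting when prompted.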
     
  7. cdavfrew

    cdavfrew Regular member

    Oops... sorry team59. I thought that was your log :) Here are your instructions:

    1.
    Now, please download ComboFix.
    With ComboFix, at the download window, please rename it to Combo-Fix(.exe) before downloading it. Save it to your Desktop.

    Please disable all security programs, such as antiviruses, antispywares, and firewalls.

    • Run Combo-Fix.exe and follow the prompts.
    • Accept the End-User License Agreement.
    • Allow the Recovery Console to be installed.
    • When you see the window below, click on Yes.
    • When the Recovery Console has been installed, click on Yes to start the scan.

    **Understand that things like your system clock changing and your desktop disappearing might happen. Do not worry, because all will be restored later.
    • Wait for the scan to be fully completed.
    • If it requires a reboot, please do so.
    • After the scan has completed entirely, please post the log here. The log will be located at C:\ComboFix(.txt)

    Do not click on the ComboFix window, as it may cause it to stall.


    2.
    Please download the HijackThis zip file. Save it onto a convenient place in your computer, and then unzip the file.

    Rename HijackThis(.exe) to scanner(.exe).

    Next, run scanner(.exe). A window will pop up.

    • Click on the button which says Main Menu, then Do a system scan and save a logfile.
    • Please wait for the scan to be completed.
    • After the scan has completed, a text window will pop up. Please post the contents of this window here.

    This will also be located at hijackthis(.txt) in the same folder that HijackThis was originally saved.

    NOTE: Do not fix anything using HijackThis, as this may also damage legitimate components of your computer.


    Things I'll need in your next post:
    1. ComboFix log
    2. HijackThis log
    3. What problems you have left

    Best Regards :D
     
    Last edited: Nov 16, 2008
  8. team59

    team59 Member

    Hi cdavfrew... Thank you again for your help. Like I said, this is my friend's computer, and I won't see him again till next weekend. I will let you know if he still has any problem. But everything seems to be good now. We really appreciate this. Here are the logs:

    Combofix

    ComboFix 08-11-16.02 - Sam 2008-11-16 16:41:55.1 - NTFSx86
    Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.508 [GMT -6:00]
    Running from: c:\documents and settings\Sam\Combo-Fix.exe
    .
    ((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
    .
    c:\documents and settings\Guest.SUGAR1\Local Settings\Application Data\Microsoft\Windows Media\10.0\WMSDKNSD.XML
    c:\documents and settings\Guest.SUGAR1\ravmonlog
    c:\documents and settings\Nina\ravmonlog
    c:\documents and settings\Sam\Application Data\inst.exe
    c:\documents and settings\Sam\ravmonlog
    c:\documents and settings\Sandy1.old\ravmonlog
    c:\documents and settings\sandy1_2\Cookies\nomiso.scr
    c:\documents and settings\sandy1_2\Cookies\ykeryr.dl
    c:\documents and settings\sandy1_2\Local Settings\Temporary Internet Files\fofi.sys
    c:\documents and settings\sandy1_2\Local Settings\Temporary Internet Files\tozixezaq._sy
    c:\documents and settings\sandy1_2\ravmonlog
    c:\documents and settings\Somdej.old\ravmonlog
    c:\documents and settings\Somdej1\ravmonlog
    C:\UWA7P
    c:\windows\IE4 Error Log.txt
    c:\windows\system32\_003590_.tmp.dll
    c:\windows\system32\_003591_.tmp.dll
    c:\windows\system32\_003592_.tmp.dll
    c:\windows\system32\_003593_.tmp.dll
    c:\windows\system32\_003600_.tmp.dll
    c:\windows\system32\_003601_.tmp.dll
    c:\windows\system32\_003602_.tmp.dll
    c:\windows\system32\_003603_.tmp.dll
    c:\windows\system32\_003605_.tmp.dll
    c:\windows\system32\_003606_.tmp.dll
    c:\windows\system32\_003609_.tmp.dll
    c:\windows\system32\_003610_.tmp.dll
    c:\windows\system32\_003612_.tmp.dll
    c:\windows\system32\_003613_.tmp.dll
    c:\windows\system32\_003614_.tmp.dll
    c:\windows\system32\_003616_.tmp.dll
    c:\windows\system32\_003619_.tmp.dll
    c:\windows\system32\_003620_.tmp.dll
    c:\windows\system32\_003624_.tmp.dll
    c:\windows\system32\_003625_.tmp.dll
    c:\windows\system32\_003627_.tmp.dll
    c:\windows\system32\_003630_.tmp.dll
    c:\windows\system32\_003632_.tmp.dll
    c:\windows\system32\_003633_.tmp.dll
    c:\windows\system32\_003634_.tmp.dll
    c:\windows\system32\_003635_.tmp.dll
    c:\windows\system32\_003636_.tmp.dll
    c:\windows\system32\_003639_.tmp.dll
    c:\windows\system32\_003640_.tmp.dll
    c:\windows\system32\_003641_.tmp.dll
    c:\windows\system32\_003642_.tmp.dll
    c:\windows\system32\_003643_.tmp.dll
    c:\windows\system32\_003648_.tmp.dll
    c:\windows\system32\_003650_.tmp.dll
    c:\windows\system32\_003651_.tmp.dll
    c:\windows\system32\AutoRun.inf
    c:\windows\system32\bszip.dll
    .
    ((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
    .
    -------\Legacy_BOONTY_GAMES
    -------\Service_Boonty Games
    .
    ((((((((((((((((((((((((( Files Created from 2008-10-16 to 2008-11-16 )))))))))))))))))))))))))))))))
    .
    2008-11-16 16:34 . 2008-11-16 16:35 <DIR> d-------- C:\ComboFix
    2008-11-16 16:34 . 2008-11-16 16:35 3,047,373 -ra------ c:\documents and settings\Sam\Combo-Fix.exe
    2008-11-15 15:37 . 2008-11-15 15:37 <DIR> d-------- c:\program files\Malwarebytes' Anti-Malware
    2008-11-15 15:37 . 2008-11-15 15:37 <DIR> d-------- c:\documents and settings\Sam\Application Data\Malwarebytes
    2008-11-15 15:37 . 2008-11-15 15:37 <DIR> d-------- c:\documents and settings\All Users\Application Data\Malwarebytes
    2008-11-15 15:37 . 2008-10-22 16:10 38,496 --a------ c:\windows\system32\drivers\mbamswissarmy.sys
    2008-11-15 15:37 . 2008-10-22 16:10 15,504 --a------ c:\windows\system32\drivers\mbam.sys
    2008-11-12 13:51 . 2008-10-24 05:21 455,296 --------- c:\windows\system32\dllcache\mrxsmb.sys
    2008-11-12 13:50 . 2008-09-04 11:15 1,106,944 --------- c:\windows\system32\dllcache\msxml3.dll
    2008-11-01 22:53 . 2008-11-15 17:20 <DIR> d--h----- C:\$AVG8.VAULT$
    2008-11-01 22:49 . 2008-11-16 16:51 <DIR> d-------- c:\windows\system32\drivers\Avg
    2008-11-01 22:49 . 2008-11-01 22:49 97,928 --a------ c:\windows\system32\drivers\avgldx86.sys
    2008-11-01 22:49 . 2008-11-01 22:49 76,040 --a------ c:\windows\system32\drivers\avgtdix.sys
    2008-11-01 22:49 . 2008-11-01 22:49 10,520 --a------ c:\windows\system32\avgrsstx.dll
    2008-11-01 22:48 . 2008-11-01 22:48 <DIR> d-------- c:\program files\AVG
    2008-11-01 22:48 . 2008-11-01 22:48 <DIR> d-------- c:\documents and settings\All Users\Application Data\avg8
    2008-11-01 22:40 . 2008-11-01 22:40 <DIR> d-------- c:\documents and settings\Sam\Application Data\Windows Live Writer
    2008-11-01 00:33 . 2008-11-01 00:33 18,627 --a------ c:\windows\system32\peser.pif
    2008-11-01 00:33 . 2008-11-01 00:33 18,374 --a------ c:\documents and settings\All Users\Application Data\oluduboni.bin
    2008-11-01 00:33 . 2008-11-01 00:33 17,850 --a------ c:\documents and settings\sandy1_2\Application Data\upocake.pif
    2008-11-01 00:33 . 2008-11-01 00:33 16,888 --a------ c:\windows\system32\ujyp.com
    2008-11-01 00:33 . 2008-11-01 00:33 16,792 --a------ c:\documents and settings\sandy1_2\Application Data\alojynoxa.bin
    2008-11-01 00:33 . 2008-11-01 00:33 14,053 --a------ c:\program files\Common Files\rewa.dll
    2008-11-01 00:33 . 2008-11-01 00:33 13,250 --a------ c:\windows\mefop.lib
    2008-11-01 00:33 . 2008-11-01 00:33 11,714 --a------ c:\windows\system32\ytipomec._dl
    2008-10-24 07:45 . 2008-10-15 10:34 337,408 --------- c:\windows\system32\dllcache\netapi32.dll
    .
    (((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    2008-11-02 04:57 --------- d-----w c:\documents and settings\All Users\Application Data\GTek
    2008-11-02 04:14 --------- d---a-w c:\documents and settings\All Users\Application Data\TEMP
    2008-11-01 06:33 18,350 ----a-w c:\program files\Common Files\esih.ban
    2008-11-01 06:33 12,065 ----a-w c:\program files\Common Files\xihu.ban
    2008-10-24 11:21 455,296 ----a-w c:\windows\system32\drivers\mrxsmb.sys
    2008-10-14 22:52 --------- d-----w c:\documents and settings\Sam\Application Data\Vso
    2008-10-13 00:54 --------- d-----w c:\documents and settings\All Users\Application Data\vsosdk
    2008-10-12 00:22 47,360 ----a-w c:\documents and settings\Sam\Application Data\pcouffin.sys
    2008-10-10 04:08 72,368 ----a-w c:\documents and settings\Sam\Application Data\GDIPFONTCACHEV1.DAT
    2008-10-08 04:55 --------- d-----w c:\documents and settings\Sam\Application Data\Viewpoint
    2008-10-05 05:29 --------- d-----w c:\program files\Common Files\Sonic Shared
    2008-10-05 05:27 --------- d-----w c:\program files\Picture It! Premium 10
    2008-10-05 05:24 --------- d-----w c:\program files\MSN Games
    2008-10-05 01:27 --------- d-----w c:\documents and settings\Somdej1\Application Data\Ahead
    2008-10-05 00:38 --------- d-----w c:\documents and settings\All Users\Application Data\DVD Shrink
    2008-09-29 02:10 --------- d-----w c:\documents and settings\Sam\Application Data\Ahead
    2008-09-28 21:17 --------- d-----w c:\documents and settings\All Users\Application Data\LightScribe
    2008-09-28 21:13 --------- d-----w c:\program files\Common Files\LightScribe
    2008-09-28 21:11 --------- d-----w c:\documents and settings\All Users\Application Data\Ahead
    2008-09-28 21:10 --------- d-----w c:\program files\Common Files\Ahead
    2008-09-28 21:06 --------- d-----w c:\program files\Nero
    2008-09-28 21:06 --------- d-----w c:\documents and settings\All Users\Application Data\Nero
    2008-09-16 06:23 --------- d-----w c:\program files\EA GAMES
    2008-09-16 04:31 --------- d-----w c:\program files\Windows Live
    2008-09-16 04:20 0 ----a-w c:\documents and settings\Somdej1\Application Data\wklnhst.dat
    2008-04-28 04:48 352 -c--a-w c:\documents and settings\Sam\Application Data\wklnhst.dat
    2008-04-07 05:08 668 -c--a-w c:\documents and settings\Nina\Application Data\wklnhst.dat
    2008-04-07 03:53 71,984 ----a-w c:\documents and settings\Nina\Application Data\GDIPFONTCACHEV1.DAT
    .
    ((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    *Note* empty entries & legit default entries are not shown
    REGEDIT4

    [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "LDM"="c:\program files\Logitech\Desktop Messenger\8876480\Program\LogitechDesktopMessenger.exe" [2007-11-16 67128]
    "MSMSGS"="c:\program files\Messenger\msmsgs.exe" [2008-04-13 1695232]
    "swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2008-09-10 68856]
    "ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-13 15360]
    "MsnMsgr"="c:\program files\Windows Live\Messenger\MsnMsgr.Exe" [2007-10-18 5724184]
    "LightScribe Control Panel"="c:\program files\Common Files\LightScribe\LightScribeControlPanel.exe" [2007-07-18 451872]
    "BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}"="c:\program files\Common Files\Ahead\Lib\NMBgMonitor.exe" [2007-06-01 153136]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "SoundMAXPnP"="c:\program files\Analog Devices\Core\smax4pnp.exe" [2004-10-14 1404928]
    "igfxtray"="c:\windows\system32\igfxtray.exe" [2005-09-20 94208]
    "igfxhkcmd"="c:\windows\system32\hkcmd.exe" [2005-09-20 77824]
    "igfxpers"="c:\windows\system32\igfxpers.exe" [2005-09-20 114688]
    "PRISMSVR.EXE"="c:\windows\system32\PRISMSVR.EXE" [2004-04-13 290905]
    "LogitechCommunicationsManager"="c:\program files\Common Files\Logitech\LComMgr\Communications_Helper.exe" [2006-10-31 284184]
    "LVCOMSX"="c:\program files\Common Files\Logitech\LComMgr\LVComSX.exe" [2006-11-15 244512]
    "ISUSScheduler"="c:\program files\Common Files\InstallShield\UpdateService\issch.exe" [2004-07-27 81920]
    "HP Software Update"="c:\program files\HP\HP Software Update\HPWuSchd2.exe" [2007-03-11 49152]
    "QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2005-08-04 98304]
    "Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2008-06-12 34672]
    "NeroFilterCheck"="c:\program files\Common Files\Ahead\Lib\NeroCheck.exe" [2007-03-01 153136]
    "AVG8_TRAY"="c:\progra~1\AVG\AVG8\avgtray.exe" [2008-11-01 1234712]

    c:\documents and settings\Sam\Start Menu\Programs\Startup\
    Yahoo! Widgets.lnk - c:\program files\Yahoo!\Widgets\YahooWidgets.exe [2007-12-11 3746856]

    c:\documents and settings\All Users\Start Menu\Programs\Startup\
    2Wire Wireless Client.lnk - c:\program files\2Wire 802.11g Wireless\PRISMCFG.EXE [2007-05-02 335979]

    [HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
    "ForceClassicControlPanel"= 1 (0x1)

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DVDLauncher]
    --------- 2005-02-23 15:19 53248 c:\program files\CyberLink\PowerDVD\DVDLauncher.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\LDM]
    --a------ 2007-11-16 16:50 67128 c:\program files\Logitech\Desktop Messenger\8876480\Program\LogitechDesktopMessenger.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\LogitechQuickCamRibbon]
    --a------ 2006-11-15 20:58 746520 c:\program files\Logitech\QuickCam10\QuickCam10.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS]
    --a------ 2008-04-13 18:12 1695232 c:\program files\Messenger\msmsgs.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
    --a------ 2005-08-04 16:08 98304 c:\program files\QuickTime\qttask.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
    --a------ 2003-11-19 16:48 32881 c:\program files\Java\j2re1.4.2_03\bin\jusched.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\security center]
    "AntiVirusDisableNotify"=dword:00000001
    "UpdatesDisableNotify"=dword:00000001

    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
    "EnableFirewall"= 0 (0x0)

    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
    "%windir%\\Network Diagnostic\\xpnetdiag.exe"=
    "c:\\Program Files\\Logitech\\Desktop Messenger\\8876480\\Program\\LogitechDesktopMessenger.exe"=
    "c:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=
    "%windir%\\system32\\sessmgr.exe"=

    R1 AvgLdx86;AVG Free AVI Loader Driver x86;c:\windows\system32\Drivers\avgldx86.sys [2008-11-01 97928]
    R2 avg8emc;AVG Free8 E-mail Scanner;c:\progra~1\AVG\AVG8\avgemc.exe [2008-11-01 875288]
    R2 avg8wd;AVG Free8 WatchDog;c:\progra~1\AVG\AVG8\avgwdsvc.exe [2008-11-01 231704]
    R2 AvgTdiX;AVG Free8 Network Redirector;c:\windows\system32\Drivers\avgtdix.sys [2008-11-01 76040]
    R3 WlanUIG;2Wire 802.11g USB Driver;c:\windows\system32\DRIVERS\WlanUIG.sys [2007-05-02 347648]

    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
    HPZ12 REG_MULTI_SZ Pml Driver HPZ12 Net Driver HPZ12
    hpdevmgmt REG_MULTI_SZ hpqcxs08 hpqddsvc

    [HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{10880D85-AAD9-4558-ABDC-2AB1552D831F}]
    "c:\program files\Common Files\LightScribe\LSRunOnce.exe"
    .
    Contents of the 'Scheduled Tasks' folder

    2008-11-16 c:\windows\Tasks\Check Updates for Windows Live Toolbar.job
    - c:\program files\Windows Live Toolbar\MSNTBUP.EXE [2007-10-19 11:20]

    2008-11-14 c:\windows\Tasks\Norton Security Scan.job
    - c:\program files\Norton Security Scan\Nss.exe [2007-09-18 23:42]

    2007-09-06 c:\windows\Tasks\Registry First Aid autoscan.job
    - c:\program files\RFA\reg1aid.exe []

    2007-09-06 c:\windows\Tasks\Registry First Aid autoscan.job
    - c:\program files\RFA []
    .
    - - - - ORPHANS REMOVED - - - -

    MSConfigStartUp-ISUSPM Startup - c:\progra~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe

    **************************************************************************

    catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
    Rootkit scan 2008-11-16 16:49:29
    Windows 5.1.2600 Service Pack 3 NTFS

    scanning hidden processes ...
    scanning hidden autostart entries ...
    scanning hidden files ...

    scan completed successfully
    hidden files: 0

    **************************************************************************
    .
    ------------------------ Other Running Processes ------------------------
    .
    c:\program files\Common Files\Logitech\LVMVFM\LVPrcSrv.exe
    c:\windows\system32\drivers\KodakCCS.exe
    c:\program files\Common Files\LightScribe\LSSrvc.exe
    c:\windows\system32\ScsiAccess.EXE
    c:\program files\AVG\AVG8\avgrsx.exe
    c:\windows\system32\wscntfy.exe
    c:\program files\Common Files\Ahead\Lib\NMIndexingService.exe
    c:\program files\Common Files\Ahead\Lib\NMIndexStoreSvr.exe
    .
    **************************************************************************
    .
    Completion time: 2008-11-16 16:58:51 - machine was rebooted [Sam]
    ComboFix-quarantined-files.txt 2008-11-16 22:58:45

    Pre-Run: 12,665,335,808 bytes free
    Post-Run: 13,974,777,856 bytes free

    229 --- E O F --- 2008-11-13 06:00:28


    Hijack


    Logfile of Trend Micro HijackThis v2.0.2
    Scan saved at 5:13:44 PM, on 11/16/2008
    Platform: Windows XP SP3 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP3 (6.00.2900.5512)
    Boot mode: Normal

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\spoolsv.exe
    c:\program files\common files\logitech\lvmvfm\LVPrcSrv.exe
    C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\system32\drivers\KodakCCS.exe
    C:\Program Files\Common Files\LightScribe\LSSrvc.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\ScsiAccess.EXE
    C:\WINDOWS\system32\svchost.exe
    C:\PROGRA~1\AVG\AVG8\avgrsx.exe
    C:\PROGRA~1\AVG\AVG8\avgemc.exe
    C:\Program Files\Analog Devices\Core\smax4pnp.exe
    C:\WINDOWS\system32\hkcmd.exe
    C:\WINDOWS\system32\igfxpers.exe
    C:\WINDOWS\system32\PRISMSVR.EXE
    C:\Program Files\Common Files\Logitech\LComMgr\Communications_Helper.exe
    C:\Program Files\Common Files\Logitech\LComMgr\LVComSX.exe
    C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe
    C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
    C:\PROGRA~1\AVG\AVG8\avgtray.exe
    C:\Program Files\Logitech\Desktop Messenger\8876480\Program\LogitechDesktopMessenger.exe
    C:\Program Files\Messenger\msmsgs.exe
    C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
    C:\WINDOWS\system32\ctfmon.exe
    C:\Program Files\Windows Live\Messenger\MsnMsgr.Exe
    C:\WINDOWS\system32\wscntfy.exe
    C:\Program Files\Common Files\LightScribe\LightScribeControlPanel.exe
    C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe
    C:\Program Files\2Wire 802.11g Wireless\PRISMCFG.EXE
    C:\Program Files\Yahoo!\Widgets\YahooWidgets.exe
    C:\Program Files\Common Files\Ahead\Lib\NMIndexingService.exe
    C:\Program Files\Common Files\Ahead\Lib\NMIndexStoreSvr.exe
    C:\Program Files\Yahoo!\Widgets\YahooWidgets.exe
    C:\WINDOWS\explorer.exe
    C:\Program Files\Internet Explorer\IEXPLORE.EXE
    C:\DOCUME~1\Sam\LOCALS~1\Temp\Temporary Directory 3 for scanner.zip\HijackThis.exe
    C:\DOCUME~1\Sam\LOCALS~1\Temp\Temporary Directory 1 for scanner.zip\HijackThis.exe

    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
    R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = localhost
    O2 - BHO: (no name) - {02478D38-C3F9-4efb-9B51-7695ECA05670} - (no file)
    O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Program Files\AVG\AVG8\avgssie.dll
    O2 - BHO: Windows Live Toolbar Helper - {BDBD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\Windows Live Toolbar\msntb.dll
    O3 - Toolbar: Windows Live Toolbar - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\Windows Live Toolbar\msntb.dll
    O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
    O4 - HKLM\..\Run: [SoundMAXPnP] "C:\Program Files\Analog Devices\Core\smax4pnp.exe"
    O4 - HKLM\..\Run: [igfxtray] C:\WINDOWS\system32\igfxtray.exe
    O4 - HKLM\..\Run: [igfxhkcmd] C:\WINDOWS\system32\hkcmd.exe
    O4 - HKLM\..\Run: [igfxpers] C:\WINDOWS\system32\igfxpers.exe
    O4 - HKLM\..\Run: [PRISMSVR.EXE] "C:\WINDOWS\system32\PRISMSVR.EXE" /APPLY
    O4 - HKLM\..\Run: [LogitechCommunicationsManager] "C:\Program Files\Common Files\Logitech\LComMgr\Communications_Helper.exe"
    O4 - HKLM\..\Run: [LVCOMSX] "C:\Program Files\Common Files\Logitech\LComMgr\LVComSX.exe"
    O4 - HKLM\..\Run: [ISUSScheduler] "C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start
    O4 - HKLM\..\Run: [HP Software Update] "C:\Program Files\HP\HP Software Update\HPWuSchd2.exe"
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
    O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe"
    O4 - HKLM\..\Run: [NeroFilterCheck] C:\Program Files\Common Files\Ahead\Lib\NeroCheck.exe
    O4 - HKLM\..\Run: [AVG8_TRAY] C:\PROGRA~1\AVG\AVG8\avgtray.exe
    O4 - HKCU\..\Run: [LDM] "C:\Program Files\Logitech\Desktop Messenger\8876480\Program\LogitechDesktopMessenger.exe"
    O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
    O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
    O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
    O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\Windows Live\Messenger\MsnMsgr.Exe" /background
    O4 - HKCU\..\Run: [LightScribe Control Panel] C:\Program Files\Common Files\LightScribe\LightScribeControlPanel.exe -hidden
    O4 - HKCU\..\Run: [BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] "C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe"
    O4 - Startup: Yahoo! Widgets.lnk = C:\Program Files\Yahoo!\Widgets\YahooWidgets.exe
    O4 - Global Startup: 2Wire Wireless Client.lnk = ?
    O8 - Extra context menu item: &Windows Live Search - res://C:\Program Files\Windows Live Toolbar\msntb.dll/search.htm
    O8 - Extra context menu item: Add to Windows &Live Favorites - http://favorites.live.com/quickadd.aspx
    O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_03\bin\npjpi142_03.dll
    O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_03\bin\npjpi142_03.dll
    O9 - Extra button: Blog This - {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - C:\Program Files\Windows Live\Writer\WriterBrowserExtension.dll
    O9 - Extra 'Tools' menuitem: &Blog This in Windows Live Writer - {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - C:\Program Files\Windows Live\Writer\WriterBrowserExtension.dll
    O9 - Extra button: HP Clipbook - {58ECB495-38F0-49cb-A538-10282ABF65E7} - C:\Program Files\HP\Smart Web Printing\hpswp_extensions.dll
    O9 - Extra button: HP Smart Select - {700259D7-1666-479a-93B1-3250410481E8} - C:\Program Files\HP\Smart Web Printing\hpswp_extensions.dll
    O9 - Extra button: (no name) - {B205A35E-1FC4-4CE3-818B-899DBBB3388C} - C:\Program Files\Common Files\Microsoft Shared\Encarta Search Bar\ENCSBAR.DLL
    O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
    O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (Installation Support) - C:\Program Files\Yahoo!\Common\Yinsthelper.dll
    O18 - Protocol: bwfile-8876480 - {9462A756-7B47-47BC-8C80-C34B9B80B32B} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\GAPlugProtocol-8876480.dll
    O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files\AVG\AVG8\avgpp.dll
    O23 - Service: AVG Free8 E-mail Scanner (avg8emc) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgemc.exe
    O23 - Service: AVG Free8 WatchDog (avg8wd) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
    O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
    O23 - Service: Kodak Camera Connection Software (KodakCCS) - Eastman Kodak Company - C:\WINDOWS\system32\drivers\KodakCCS.exe
    O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - C:\Program Files\Common Files\LightScribe\LSSrvc.exe
    O23 - Service: Process Monitor (LVPrcSrv) - Logitech Inc. - c:\program files\common files\logitech\lvmvfm\LVPrcSrv.exe
    O23 - Service: LVSrvLauncher - Logitech Inc. - C:\Program Files\Common Files\Logitech\SrvLnch\SrvLnch.exe
    O23 - Service: NBService - Nero AG - C:\Program Files\Nero\Nero 7\Nero BackItUp\NBService.exe
    O23 - Service: Intel NCS NetService (NetSvc) - Intel(R) Corporation - C:\Program Files\Intel\PROSetWired\NCS\Sync\NetSvc.exe
    O23 - Service: NMIndexingService - Nero AG - C:\Program Files\Common Files\Ahead\Lib\NMIndexingService.exe
    O23 - Service: ScsiAccess - Unknown owner - C:\WINDOWS\system32\ScsiAccess.EXE

    --
    End of file - 8661 bytes
     
  9. cdavfrew

    cdavfrew Regular member

    Joined:
    May 19, 2008
    Messages:
    1,183
    Likes Received:
    0
    Trophy Points:
    46
    Hey team59

    Just looks like your friend's computer got infected with one of the nasties going around... easy to remove, but leaves lots of traces. Next time you get the computer back, you can follow these instructions:

    1.
    Please disable all security programs, such as antiviruses, antispywares, and firewalls.
    Also disable your internet connection.


    Open Notepad and copy/paste the text in the code box below into it:

    Code:
    File::
    c:\windows\system32\peser.pif 
    c:\documents and settings\All Users\Application Data\oluduboni.bin 
    c:\documents and settings\sandy1_2\Application Data\upocake.pif 
    c:\windows\system32\ujyp.com 
    c:\documents and settings\sandy1_2\Application Data\alojynoxa.bin 
    c:\program files\Common Files\rewa.dll 
    c:\windows\mefop.lib 
    c:\windows\system32\ytipomec._dl 
    c:\program files\Common Files\xihu.ban 
    c:\program files\Common Files\esih.ban 
    c:\documents and settings\Somdej1\Application Data\wklnhst.dat 
    c:\documents and settings\Sam\Application Data\wklnhst.dat 
    c:\documents and settings\Nina\Application Data\wklnhst.dat
    • Save this as CFScript.txt in the same folder as ComboFix.
    • Then drag the CFScript.txt into Combo-Fix.exe.
    • This will start ComboFix again. After reboot, (in case it asks to reboot), post the ComboFix log here. The log will be located at C:\ComboFix(.txt).

    Do not click on the ComboFix window, as it may cause it to stall.


    2.
    Please run HijackThis.

    • Click on the button which says Main Menu, then Do a system scan only.
    • Please wait for the scan to be completed.
    • After the scan has completed, check the following entries.

    Code:
    R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = localhost 
    O2 - BHO: (no name) - {02478D38-C3F9-4efb-9B51-7695ECA05670} - (no file) 
    O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)
    Click on the button Fix checked

    NOTE:: Close all browsers before fixing anything.


    3.
    Find C:\Qoobox and zip it up. Upload the zip file to http://www.uploadmalware.com/

    Things I'll need in your next post:
    1. ComboFix log

    Best Regards :D
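As an added example (not code from the thread, from cdavfrew, or from the HijackThis project), here is a small Python triage script that applies the kind of rules a helper uses when picking HijackThis entries to fix: an entry whose target is "(no file)" is an orphaned registry reference left behind after a removal and is safe to fix, while a ProxyOverride setting and a service with no recognised owner get a second look rather than an automatic fix. The sample log is a constructed subset of the HijackThis log posted earlier in the thread, with legitimate entries kept in so that the script is seen to pass them through unflagged.

```python
import re

# Constructed sample in HijackThis v2 format, assembled from entries quoted
# earlier in this thread. Legitimate entries (AVG, Windows Live, Java) are
# included on purpose so the triage rules can be seen to leave them alone.
SAMPLE_HJT_LOG = r"""
Running processes:
C:\WINDOWS\explorer.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = localhost
O2 - BHO: (no name) - {02478D38-C3F9-4efb-9B51-7695ECA05670} - (no file)
O2 - BHO: Windows Live Toolbar Helper - {BDBD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\Windows Live Toolbar\msntb.dll
O4 - HKLM\..\Run: [AVG8_TRAY] C:\PROGRA~1\AVG\AVG8\avgtray.exe
O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_03\bin\npjpi142_03.dll
O23 - Service: ScsiAccess - Unknown owner - C:\WINDOWS\system32\ScsiAccess.EXE
"""

# A HijackThis entry starts with a section code (R1, O2, O23, ...) and " - ".
# Header lines and the running-process list do not match and are skipped.
_ENTRY_RE = re.compile(r'^(?P<section>[A-Z]\d+) - (?P<body>.*)$')


def triage_hijackthis(log_text):
    """Return a list of (section, verdict, reason, line) tuples for entries
    that deserve attention. verdict is 'fix' for entries that are safe to
    let HijackThis remove, 'review' for ones a human should confirm first."""
    findings = []
    for raw in log_text.splitlines():
        line = raw.strip()
        m = _ENTRY_RE.match(line)
        if not m:
            continue
        section, body = m.group('section'), m.group('body')
        if body.endswith('(no file)'):
            # Registry still references a BHO / button whose DLL is gone:
            # a leftover of whatever was removed, nothing to lose by fixing.
            findings.append((section, 'fix',
                             'orphaned entry: referenced file no longer exists', line))
        elif section == 'R1' and 'ProxyOverride' in body:
            # Proxy settings are a favourite place for malware to redirect
            # traffic; confirm the value was set deliberately.
            findings.append((section, 'review',
                             'proxy override configured; confirm it is intended', line))
        elif section == 'O23' and 'Unknown owner' in body:
            # A service with no recognised publisher is not necessarily bad
            # (hardware vendors are often unsigned) but should be identified.
            findings.append((section, 'review',
                             'service has no recognised publisher; verify its origin', line))
    return findings


if __name__ == '__main__':
    for section, verdict, reason, line in triage_hijackthis(SAMPLE_HJT_LOG):
        print(f'[{verdict:6}] {section}: {reason}\n          {line}')
```

Run on the sample it reports four entries: the two "(no file)" orphans that cdavfrew asked to be fixed are marked `fix`, while the ProxyOverride line and the unknown-owner service come back as `review`. The rules are deliberately conservative; an unnamed add-on that still has a file on disk, like the Java console entry above, is not flagged on name alone.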
     
  10. team59

    team59 Member

    Joined:
    Jun 11, 2007
    Messages:
    32
    Likes Received:
    0
    Trophy Points:
    16
    Hello cdavfrew, I will try to get those logs to you this weekend. In between, this might be a stupid question (I am embarrassed): how do I zip and unzip the file, and what is the purpose of doing it? I have heard many people talk about this, but haven't had a chance to lay my hands on it. Thank you so much.
     
  11. 2xaron

    2xaron Member

    Joined:
    Feb 1, 2006
    Messages:
    73
    Likes Received:
    0
    Trophy Points:
    16
    Try this if you are having problems; my friend figured it out. (If anyone still needs help out there.)

    Put this file on your thumb drive: http://download.bleepingcomputer.com/malwarebytes/mbam-setup.exe

    Next computer you have with a stubborn av2009, try these steps:

    1. If you haven't already, or are having troubles even booting into Windows, still go into safe mode and use msconfig to disable the "brastk, av2009, antiviruspro2009, etc." start up entries

    2. Restart the computer and let Windows load normally.

    3. AV2009 may or may not start, I don't think it matters either way. Plug in your thumb drive and navigate to wherever you stored the file

    4. Try running the setup normally, it may work, it may not. If it works, skip to step 6.

    5. If it doesn't work, right click the setup file and click copy. Then just paste it right back into that folder (keep it named "copy of..."). Now try running it, this part is where my idea either lives or dies, for all 3 of the computers I tried it on tonight, this worked (if it didn't before).

    6. Go through the setup process, don't change any options, unless it is unable to update (hasn't happened to me yet).

    7. Navigate to where the program installed (C:/Program Files/Malwarebytes' Anti-Malware/) and try running mbam.exe. Odds are, it won't work.

    8. Right click mbam.exe and click copy. Then paste it right back into that folder (keep it named "Copy of...").

    9. Now try running it, if my idea is still living, it should work okay. Do a quick scan.

    10. Hopefully, the program should catch a good number of entries, including the av2009 program files folder, and label them as "rogue.antivirus2008" or "fraud...", etc. Remove it and restart.
     
  12. cdavfrew

    cdavfrew Regular member

    Joined:
    May 19, 2008
    Messages:
    1,183
    Likes Received:
    0
    Trophy Points:
    46
  13. 2xaron

    2xaron Member

    Joined:
    Feb 1, 2006
    Messages:
    73
    Likes Received:
    0
    Trophy Points:
    16
    Ya not sure how long ago other people got this but it just hit my school from a website called juicycampus.com
     
  14. cdavfrew

    cdavfrew Regular member

    Joined:
    May 19, 2008
    Messages:
    1,183
    Likes Received:
    0
    Trophy Points:
    46
    Hey 2xaron

    Hmm... that's odd. JuicyCampus.com, even though it pushes the limits of free speech, is not one to break the limits of secure computing. But then again, malware can infect sites. Safe surfing is the only way.

    Read here for some information on software to get to secure your browser:
    http://www.geekstogo.com/forum/index.php?autocom=custom&page=How_did_I

    Best Regards :D
     
  15. team59

    team59 Member

    Joined:
    Jun 11, 2007
    Messages:
    32
    Likes Received:
    0
    Trophy Points:
    16
    Hi cdavfrew, Thank you so much for all your help. I learned a lot from you. I wasn't able to get the computer from my friend this past weekend, and it won't be until one week after Thanksgiving. I will try to post then. Have a nice holiday & Happy Thanksgiving ! ! !
     
  16. cdavfrew

    cdavfrew Regular member

    Joined:
    May 19, 2008
    Messages:
    1,183
    Likes Received:
    0
    Trophy Points:
    46
    Happy Thanksgiving to you too, team59!!! :)
     
  17. damndamn

    damndamn Member

    Joined:
    Nov 26, 2008
    Messages:
    7
    Likes Received:
    0
    Trophy Points:
    11
    Hi cdavfrew,

    I was hit with this bugger too! :( I downloaded the malware & am currently running the scan. I'm embarrassed to say I don't know how to ensure all of the security measures are turned off before I embark on the next part, but I will post the log here when it's finished. Thank you in advance for any further help you may be able to supply. This site is amazing.
     
  18. damndamn

    damndamn Member

    Joined:
    Nov 26, 2008
    Messages:
    7
    Likes Received:
    0
    Trophy Points:
    11
    Hi again,

    Here's the Malware Log:

    Malwarebytes' Anti-Malware 1.30
    Database version: 1424
    Windows 5.1.2600 Service Pack 3

    11/26/2008 7:01:16 AM
    mbam-log-2008-11-26 (07-01-16).txt

    Scan type: Full Scan (C:\|D:\|E:\|)
    Objects scanned: 114041
    Time elapsed: 39 minute(s), 21 second(s)

    Memory Processes Infected: 0
    Memory Modules Infected: 5
    Registry Keys Infected: 6
    Registry Values Infected: 5
    Registry Data Items Infected: 5
    Folders Infected: 0
    Files Infected: 9

    Memory Processes Infected:
    (No malicious items detected)

    Memory Modules Infected:
    C:\WINDOWS\system32\yunudido.dll (Trojan.Vundo) -> Delete on reboot.
    C:\WINDOWS\system32\roguhono.dll (Trojan.Vundo) -> Delete on reboot.
    C:\WINDOWS\system32\balozufe.dll (Trojan.Vundo) -> Delete on reboot.
    c:\WINDOWS\system32\dijuvazi.dll (Trojan.Vundo) -> Delete on reboot.
    C:\WINDOWS\system32\bepanoto.dll (Trojan.Vundo) -> Delete on reboot.

    Registry Keys Infected:
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{5df7890c-9294-4e7b-b961-29cc4906d185} (Trojan.BHO.H) -> Quarantined and deleted successfully.
    HKEY_CLASSES_ROOT\CLSID\{5df7890c-9294-4e7b-b961-29cc4906d185} (Trojan.BHO.H) -> Quarantined and deleted successfully.
    HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{5df7890c-9294-4e7b-b961-29cc4906d185} (Trojan.Vundo) -> Quarantined and deleted successfully.
    HKEY_CLASSES_ROOT\CLSID\{ec43e3fd-5c60-46a6-97d7-e0b85dbdd6c4} (Trojan.Vundo) -> Delete on reboot.
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\contim (Trojan.Vundo) -> Quarantined and deleted successfully.
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\rdfa (Trojan.Vundo) -> Quarantined and deleted successfully.

    Registry Values Infected:
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\320d18a1 (Trojan.Vundo.H) -> Quarantined and deleted successfully.
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\rirawapola (Trojan.Vundo) -> Quarantined and deleted successfully.
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SharedTaskScheduler\{ec43e3fd-5c60-46a6-97d7-e0b85dbdd6c4} (Trojan.Vundo) -> Quarantined and deleted successfully.
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\ssodl (Trojan.Vundo) -> Quarantined and deleted successfully.
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\cpm313e2b3d (Trojan.Vundo) -> Quarantined and deleted successfully.

    Registry Data Items Infected:
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\AppInit_DLLs (Trojan.Vundo) -> Data: c:\windows\system32\dijuvazi.dll -> Quarantined and deleted successfully.
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\AppInit_DLLs (Trojan.Vundo) -> Data: system32\dijuvazi.dll -> Quarantined and deleted successfully.
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\AppInit_DLLs (Trojan.Vundo) -> Data: c:\windows\system32\bepanoto.dll -> Quarantined and deleted successfully.
    HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\LSA\Notification Packages (Trojan.Vundo) -> Data: c:\windows\system32\bepanoto.dll -> Quarantined and deleted successfully.
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\AppInit_DLLs (Trojan.Vundo) -> Data: system32\bepanoto.dll -> Quarantined and deleted successfully.

    Folders Infected:
    (No malicious items detected)

    Files Infected:
    C:\WINDOWS\system32\yunudido.dll (Trojan.Vundo.H) -> Quarantined and deleted successfully.
    C:\WINDOWS\system32\odidunuy.ini (Trojan.Vundo.H) -> Quarantined and deleted successfully.
    C:\WINDOWS\system32\balozufe.dll (Trojan.BHO.H) -> Delete on reboot.
    C:\WINDOWS\system32\roguhono.dll (Trojan.Vundo) -> Delete on reboot.
    c:\WINDOWS\system32\dijuvazi.dll (Trojan.Vundo) -> Delete on reboot.
    C:\WINDOWS\system32\bepanoto.dll (Trojan.Vundo) -> Delete on reboot.
    C:\WINDOWS\system32\~.exe (Trojan.Vundo) -> Quarantined and deleted successfully.
    c:\WINDOWS\system32\dosoyahe.dll (Trojan.Agent) -> Delete on reboot.
    C:\WINDOWS\system32\nukiyofi.dll (Trojan.Vundo) -> Delete on reboot.

    I was prompted to reboot & after doing so received 2 error messages saying roguhono & dosoyahe (I think those were the two) were not found. Was that supposed to happen?

    Thanks again for any help!
     
  19. cdavfrew

    cdavfrew Regular member

    Joined:
    May 19, 2008
    Messages:
    1,183
    Likes Received:
    0
    Trophy Points:
    46
    Hi damndamn
    This is perfectly normal.

    Now, please download ComboFix.
    With ComboFix, at the download window, please rename it to Combo-Fix(.exe) before downloading it. Save it to your Desktop.

    Please disable all security programs, such as antiviruses, antispywares, and firewalls.

    • Run Combo-Fix.exe and follow the prompts.
    • Accept the End-User License Agreement.
    • Allow the Recovery Console to be installed.
    • When you see the window below, click on Yes.
    • When the Recovery Console has been installed, click on Yes to start the scan.

    **Understand that things like your system clock changing and your desktop disappearing might happen. Do not worry, because all will be restored later.
    • Wait for the scan to be fully completed.
    • If it requires a reboot, please do so.
    • After the scan has completed entirely, please post the log here. The log will be located at C:\ComboFix(.txt)

    Do not click on the ComboFix window, as it may cause it to stall.

    Haha... why would you think this site is amazing?

    Best Regards :D
     
  20. damndamn

    damndamn Member

    Joined:
    Nov 26, 2008
    Messages:
    7
    Likes Received:
    0
    Trophy Points:
    11
    Good Morning cdavfrew!

    This site is amazing because I'm techno challenged & there's just SO much info & wonderful people such as yourself who take the time to help those of us who are ready to pull our hair out :) So thanks!

    Here's the Combo-Fix log:

    ComboFix 08-11-26.03 - Laura 2008-11-26 11:01:19.1 - FAT32x86
    Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.1036 [GMT -5:00]
    Running from: c:\documents and settings\Laura\Desktop\Combo-Fix.exe
    * Created a new restore point
    .

    ((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
    .

    c:\docume~1\Laura\LOCALS~1\Temp\tmp1.tmp
    c:\docume~1\Laura\LOCALS~1\Temp\tmp2.tmp
    c:\windows\IE4 Error Log.txt
    c:\windows\system32\autorun.ini
    c:\windows\system32\ifoyikun.ini

    .
    ((((((((((((((((((((((((( Files Created from 2008-10-26 to 2008-11-26 )))))))))))))))))))))))))))))))
    .

    2008-11-26 07:09 . 2008-11-26 07:09 <DIR> d--hs---- C:\FOUND.029
    2008-11-26 06:15 . 2008-11-26 06:15 <DIR> d-------- c:\program files\Malwarebytes' Anti-Malware
    2008-11-26 06:15 . 2008-11-26 06:15 <DIR> d-------- c:\documents and settings\Laura\Application Data\Malwarebytes
    2008-11-26 06:15 . 2008-11-26 06:15 <DIR> d-------- c:\documents and settings\All Users\Application Data\Malwarebytes
    2008-11-26 06:15 . 2008-10-22 16:10 38,496 --a------ c:\windows\system32\drivers\mbamswissarmy.sys
    2008-11-26 06:15 . 2008-10-22 16:10 15,504 --a------ c:\windows\system32\drivers\mbam.sys
    2008-11-25 23:03 . 2008-11-25 23:03 <DIR> d--hs---- C:\FOUND.028
    2008-11-17 21:45 . 2008-11-17 21:45 <DIR> d--hs---- C:\FOUND.027
    2008-11-11 14:58 . 2008-10-24 06:21 455,296 --------- c:\windows\system32\dllcache\mrxsmb.sys
    2008-11-11 14:57 . 2008-09-04 12:15 1,106,944 --------- c:\windows\system32\dllcache\msxml3.dll
    2008-10-27 21:48 . 2008-08-14 06:11 2,189,184 --------- c:\windows\system32\dllcache\ntoskrnl.exe
    2008-10-27 21:48 . 2008-08-14 06:09 2,145,280 --------- c:\windows\system32\dllcache\ntkrnlmp.exe
    2008-10-27 21:48 . 2008-08-14 05:33 2,066,048 --------- c:\windows\system32\dllcache\ntkrnlpa.exe
    2008-10-27 21:48 . 2008-08-14 05:33 2,023,936 --------- c:\windows\system32\dllcache\ntkrpamp.exe
    2008-10-27 21:48 . 2008-09-15 08:12 1,846,400 --------- c:\windows\system32\dllcache\win32k.sys
    2008-10-27 21:48 . 2008-10-15 12:34 337,408 --------- c:\windows\system32\dllcache\netapi32.dll
    2008-10-27 21:48 . 2008-09-08 06:41 333,824 --------- c:\windows\system32\dllcache\srv.sys

    .
    (((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    2008-11-24 06:52 2,828 --sha-w c:\windows\system32\KGyGaAvL.sys
    2008-10-24 11:21 455,296 ----a-w c:\windows\system32\drivers\mrxsmb.sys
    2008-10-03 18:41 6,066,176 ------w c:\windows\system32\dllcache\ieframe.dll
    2008-09-30 21:43 1,286,152 ----a-w c:\windows\system32\msxml4.dll
    2008-09-15 13:12 1,846,400 ----a-w c:\windows\system32\win32k.sys
    2008-09-10 01:14 1,307,648 ------w c:\windows\system32\msxml6.dll
    2008-09-10 01:14 1,307,648 ------w c:\windows\system32\dllcache\msxml6.dll
    2008-09-04 17:15 1,106,944 ----a-w c:\windows\system32\msxml3.dll
    2008-08-27 09:24 3,593,216 ----a-w c:\windows\system32\dllcache\mshtml.dll
    2008-02-13 20:02 4,947 ----a-w c:\program files\BBVReadme.txt
    2008-02-13 19:50 212,992 ----a-w c:\program files\BBViewer.exe
    .

    ((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    *Note* empty entries & legit default entries are not shown
    REGEDIT4

    [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "Skype"="c:\program files\Skype\Phone\Skype.exe" [2006-10-13 20058152]
    "Yahoo! Pager"="c:\progra~1\Yahoo!\MESSEN~1\YAHOOM~1.EXE" [2006-11-30 4662776]
    "ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-13 15360]
    "YSearchProtection"="c:\program files\Yahoo!\Search Protection\SearchProtection.exe" [2008-10-07 111856]
    "Search Protection"="c:\program files\Yahoo!\Search Protection\SearchProtection.exe" [2008-10-07 111856]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "LaunchApp"="Alaunch" [X]
    "SynTPLpr"="c:\program files\Synaptics\SynTP\SynTPLpr.exe" [2004-10-07 98394]
    "SynTPEnh"="c:\program files\Synaptics\SynTP\SynTPEnh.exe" [2004-10-07 688218]
    "SiS Windows KeyHook"="c:\windows\system32\keyhook.exe" [2005-03-04 32768]
    "IMJPMIG8.1"="c:\windows\IME\imjp8_1\IMJPMIG.EXE" [2004-08-04 208952]
    "MSPY2002"="c:\windows\system32\IME\PINTLGNT\ImScInst.exe" [2004-08-04 59392]
    "PHIME2002ASync"="c:\windows\system32\IME\TINTLGNT\TINTSETP.EXE" [2004-08-04 455168]
    "PHIME2002A"="c:\windows\system32\IME\TINTLGNT\TINTSETP.EXE" [2004-08-04 455168]
    "PCMService"="c:\program files\Arcade\PCMService.exe" [2005-03-09 49152]
    "LManager"="c:\program files\Launch Manager\QtZgAcer.EXE" [2005-03-28 315392]
    "eRecoveryService"="c:\windows\System32\Check.exe" [2005-03-23 245760]
    "SunJavaUpdateSched"="c:\program files\Java\jre1.6.0_05\bin\jusched.exe" [2008-02-22 144784]
    "CTSysVol"="c:\program files\Creative\SBLive 24-Bit External\Surround Mixer\CTSysVol.exe" [2003-09-17 57344]
    "YSearchProtection"="c:\program files\Yahoo!\Search Protection\SearchProtection.exe" [2008-10-07 111856]
    "Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2008-01-11 39792]
    "ccApp"="c:\program files\Common Files\Symantec Shared\ccApp.exe" [2008-01-25 51048]
    "osCheck"="c:\program files\Norton Internet Security\osCheck.exe" [2008-02-07 718704]
    "ddoctorv2"="c:\program files\Comcast\Desktop Doctor\bin\sprtcmd.exe" [2008-04-24 202560]
    "EPSON Stylus CX3800 Series"="c:\windows\System32\spool\DRIVERS\W32X86\3\E_FATIACA.EXE" [2005-02-07 98304]
    "Corel Photo Downloader"="c:\program files\CVS\CVS Photo Editor Plus\Corel Photo Downloader.exe" [2007-02-06 478800]
    "SoundMan"="SOUNDMAN.EXE" [2005-02-23 c:\windows\SOUNDMAN.EXE]
    "AGRSMMSG"="AGRSMMSG.exe" [2004-10-07 c:\windows\AGRSMMSG.exe]
    "SiSPower"="SiSPower.dll" [2005-02-25 c:\windows\system32\SiSPower.dll]
    "SbUsb AudCtrl"="sbusbdll.dll" [2004-07-08 c:\windows\system32\sbusbdll.dll]

    c:\documents and settings\All Users\Start Menu\Programs\Startup\
    Utility Tray.lnk - c:\windows\system32\sistray.exe [2005-03-07 331776]

    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
    "AppInit_DLLs"= c:\windows\system32\dosoyahe.dll

    [HKEY_LOCAL_MACHINE\software\microsoft\security center]
    "AntiVirusDisableNotify"=dword:00000001
    "UpdatesDisableNotify"=dword:00000001

    [HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]
    "DisableMonitoring"=dword:00000001

    [HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
    "DisableMonitoring"=dword:00000001

    [HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
    "DisableMonitoring"=dword:00000001

    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
    "EnableFirewall"= 0 (0x0)

    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
    "%windir%\\system32\\sessmgr.exe"=
    "c:\\Program Files\\Yahoo!\\Messenger\\YServer.exe"=
    "c:\\Program Files\\Messenger\\MSMSGS.EXE"=
    "c:\\Program Files\\MSN Messenger\\msnmsgr.exe"=
    "c:\\Program Files\\MSN Messenger\\msncall.exe"=
    "%windir%\\Network Diagnostic\\xpnetdiag.exe"=
    "c:\\Program Files\\Skype\\Phone\\Skype.exe"=

    R2 LiveUpdate Notice;LiveUpdate Notice;"c:\program files\Common Files\Symantec Shared\ccSvcHst.exe" /h ccCommon [2008-01-25 149864]
    R3 int15.sys;int15.sys;\??\c:\program files\acer\eRecovery\int15.sys [2006-03-19 69632]
    R3 SISNICXP;SiS PCI Fast Ethernet Adapter Driver for NDIS51;c:\windows\system32\DRIVERS\sisnicxp.sys [1980-01-01 32768]
    S3 COH_Mon;COH_Mon;\??\c:\windows\system32\Drivers\COH_Mon.sys [2008-01-12 23888]
    S3 sbusb;Sound Blaster USB Audio Driver;c:\windows\system32\DRIVERS\sbusb.sys [2006-11-22 1643648]

    *Newly Created Service* - COMHOST
    *Newly Created Service* - PROCEXP90
    .
    Contents of the 'Scheduled Tasks' folder

    2008-11-25 c:\windows\Tasks\Norton Internet Security - Run Full System Scan - Laura.job
    - c:\program files\Norton Internet Security\Norton AntiVirus\Navw32.exe [2008-02-07 09:05]
    .
    - - - - ORPHANS REMOVED - - - -

    HKCU-Run-updateMgr - c:\program files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe
    HKLM-Run-NapsterShell - c:\program files\Napster\napster.exe


    .
    ------- Supplementary Scan -------
    .
    FireFox -: Profile - c:\documents and settings\Laura\Application Data\Mozilla\Firefox\Profiles\0sm864cn.default\
    FireFox -: prefs.js - STARTUP.HOMEPAGE - hxxp://www.yahoo.com/
    .

    **************************************************************************

    catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
    Rootkit scan 2008-11-26 11:02:16
    Windows 5.1.2600 Service Pack 3 FAT NTAPI

    scanning hidden processes ...

    scanning hidden autostart entries ...

    scanning hidden files ...

    scan completed successfully
    hidden files: 0

    **************************************************************************
    .
    Completion time: 2008-11-26 11:02:39
    ComboFix-quarantined-files.txt 2008-11-26 16:02:38

    Pre-Run: 27,494,875,136 bytes free
    Post-Run: 29,070,229,504 bytes free

    WindowsXP-KB310994-SP2-Home-BootDisk-ENU.exe
    [boot loader]
    timeout=2
    default=multi(0)disk(0)rdisk(0)partition(2)\WINDOWS
    [operating systems]
    c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
    multi(0)disk(0)rdisk(0)partition(2)\WINDOWS="Microsoft Windows XP Home Edition" /noexecute=optin /fastdetect

    149 --- E O F --- 2008-11-12 06:31:44

    Also, that "Fat 32" has been causing me problems for a while (computer shuts down whenever it damn well feels like it; typically when I'm watching a tv show or clip of something online), do you think this was related? Just curious.

    Best,
    Laura
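The "Reg Loading Points" section of Laura's ComboFix log above is the part a responder reads first: the Security Center notification switches are set to 1, monitoring is disabled, the standard-profile firewall is off, and AppInit_DLLs still names a DLL that Malwarebytes had flagged as Trojan.Vundo. As an added example (not code from the thread or from ComboFix), here is a Python parser for that REGEDIT4-style section that surfaces exactly those tampering indicators. The sample input is a constructed subset of the log above; the parsing, the list of indicators and the severity labels are this example's own assumptions about what a first-pass review should flag.

```python
import re
from dataclasses import dataclass

# Constructed sample: a subset of the "Reg Loading Points" section from the
# ComboFix log posted above, in the REGEDIT4 layout ComboFix prints.
SAMPLE_REG_SECTION = r"""REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Skype"="c:\program files\Skype\Phone\Skype.exe" [2006-10-13 20058152]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-13 15360]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"= c:\windows\system32\dosoyahe.dll

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusDisableNotify"=dword:00000001
"UpdatesDisableNotify"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)
"""


@dataclass
class Finding:
    key: str
    name: str
    value: str
    severity: str   # 'high' = classic tampering sign, 'info' = verify
    reason: str


_SECTION_RE = re.compile(r'^\[(.+)\]\s*$')
_VALUE_RE = re.compile(r'^"([^"]+)"\s*=\s*(.*?)\s*$')


def _as_int(value):
    """Parse ComboFix value renderings such as 'dword:00000001' or '0 (0x0)'.
    Returns None for non-numeric values (paths, quoted strings)."""
    parts = value.split()
    if not parts:
        return None
    token = parts[0]
    if token.lower().startswith('dword:'):
        return int(token[6:], 16)
    try:
        return int(token, 0)
    except ValueError:
        return None


def parse_reg_loading_points(text):
    """Yield (key, name, value) for every value line under a [key] header."""
    key = None
    for raw in text.splitlines():
        line = raw.strip()
        m = _SECTION_RE.match(line)
        if m:
            key = m.group(1)
            continue
        m = _VALUE_RE.match(line)
        if m and key is not None:
            yield key, m.group(1), m.group(2)


def find_tampering(text):
    """Flag registry settings that commonly show a host's defences were
    switched off: Security Center alerts and monitoring disabled, the
    firewall profile off, and AppInit_DLLs pointing at a DLL."""
    findings = []
    for key, name, value in parse_reg_loading_points(text):
        k = key.lower().replace('hklm', 'hkey_local_machine')
        n = name.lower()
        if 'security center' in k and n.endswith('disablenotify') and _as_int(value) == 1:
            findings.append(Finding(key, name, value, 'high',
                                    'Security Center alert for this component is suppressed'))
        elif 'security center\\monitoring' in k and n == 'disablemonitoring' and _as_int(value) == 1:
            # The bare Monitoring key switches monitoring off for everything;
            # a vendor subkey is often written by that vendor's own installer.
            if k.endswith('security center\\monitoring'):
                findings.append(Finding(key, name, value, 'high',
                                        'Security Center monitoring disabled globally'))
            else:
                findings.append(Finding(key, name, value, 'info',
                                        'vendor-scoped monitoring switch; verify it matches installed software'))
        elif 'firewallpolicy' in k and n == 'enablefirewall' and _as_int(value) == 0:
            findings.append(Finding(key, name, value, 'high',
                                    'Windows Firewall disabled for this profile'))
        elif n == 'appinit_dlls' and value:
            findings.append(Finding(key, name, value, 'high',
                                    'AppInit_DLLs loads this DLL into every process that uses user32.dll'))
    return findings


if __name__ == '__main__':
    for f in find_tampering(SAMPLE_REG_SECTION):
        print(f'[{f.severity:4}] {f.name} = {f.value}\n       {f.key}\n       {f.reason}')
```

On the sample this returns six findings, five of them `high`: the AppInit_DLLs entry, both DisableNotify values, the global DisableMonitoring and the firewall profile. The SymantecAntiVirus subkey comes back as `info` only, because security suites register their own products under Monitoring and that value by itself says nothing about an infection; the log above shows Norton Internet Security installed, which is consistent with it.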
     
