
Nt_kernet Error 1256


I seem to be one of many people with the same error message appearing. I believe that your suggestion is to download HijackThis and send you the logs so that you can see what is happening. I have literally hundreds of those pos...tmp files in my documents folder. I hate when things go wrong with my computer. It makes me sick to the stomach to fix them. But it is my main computer that is suffering with the Vundo, I believe you called it. Please advise me on the next course of action. The computer hangs badly, and will not actually do much when you ask for Restart. All I get is the wallpaper picture, no icons or anything. Help!!

Comments

  • This is my HijackThis logfile

    Logfile of Trend Micro HijackThis v2.0.2
    Scan saved at 4:27:47 PM, on 06/02/2008
    Platform: Windows XP SP2 (WinNT 5.01.2600)
    MSIE: Internet Explorer v7.00 (7.00.6000.16414)
    Boot mode: Normal

    Running processes:
    C:\Windows\System32\smss.exe
    C:\Windows\system32\winlogon.exe
    C:\Windows\system32\services.exe
    C:\Windows\system32\lsass.exe
    C:\Windows\system32\svchost.exe
    C:\Windows\System32\svchost.exe
    C:\Windows\system32\spoolsv.exe
    C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
    C:\Program Files\Bonjour\mDNSResponder.exe
    C:\WINDOWS\System32\DVDRAMSV.exe
    C:\Program Files\Network Associates\Common Framework\FrameworkService.exe
    C:\Program Files\Network Associates\VirusScan\mcshield.exe
    C:\Program Files\Network Associates\VirusScan\vstskmgr.exe
    C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
    C:\PROGRA~1\NORTON~3\SPEEDD~1\nopdb.exe
    C:\Windows\System32\svchost.exe
    C:\Program Files\Viewpoint\Common\ViewpointService.exe
    C:\Program Files\Webroot\Washer\WasherSvc.exe
    C:\Windows\Explorer.EXE
    C:\Windows\system32\ctfmon.exe
    C:\Program Files\AIM6\aim6.exe
    C:\Program Files\MSN Messenger\msnmsgr.exe
    C:\WINDOWS\system32\RAMASST.exe
    C:\Program Files\TheWeatherNetwork\WeatherEye\WeatherEye.exe
    C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe
    C:\Windows\System32\svchost.exe
    C:\Program Files\AIM6\aolsoftware.exe
    C:\Program Files\AIM6\aolsoftware.exe
    C:\Program Files\Common Files\AOL\1135974044\ee\AOLHostManager.exe
    C:\Program Files\Common Files\AOL\1135974044\ee\AOLServiceHost.exe
    C:\Documents and Settings\Kathy's Funtime\Desktop\moon.exe

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\Program Files\Copernic Agent\CopernicAgentExt.dll/INTEGRATION_BAND_SEARCHBAR_HTML
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://ca.rd.yahoo.com/customize/ie/defaul...earch.yahoo.com
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://ca.yahoo.com
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://ca.yahoo.com
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://ca.rd.yahoo.com/customize/ie/defaul...earch.yahoo.com
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://ca.rd.yahoo.com/customize/ie/defaul...earch.yahoo.com
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://ca.yahoo.com
    R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://ca.rd.yahoo.com/customize/ie/defaul...earch.yahoo.com
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
    R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://g.msn.com/8SEENUS020100/FRWCompleteAddIns
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Windows Internet Explorer provided by Yahoo! Canada
    R3 - URLSearchHook: (no name) - {BE89472C-B803-4D1D-9A9A-0A63660E0FE3} - C:\PROGRA~1\COPERN~2\COPERN~1.DLL
    R3 - URLSearchHook: (no name) - {1CFFA392-0898-4b1c-89D1-6E98F9D8EF78} - (no file)
    R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn2\yt.dll
    O2 - BHO: Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn2\yt.dll
    O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
    O2 - BHO: {ce214d63-ff4d-4918-9dd4-b40715a022a1} - {1a220a51-704b-4dd9-8194-d4ff36d412ec} - C:\Windows\system32\snhioqwa.dll
    O2 - BHO: DgnWebIE - {2843DAC1-05EF-11D2-95BA-0060083493D6} - C:\Program Files\Dragon Systems\NaturallySpeaking\Program\web_ie.dll
    O2 - BHO: (no name) - {2860C741-8F63-45DA-B029-2B4B148AC499} - C:\Windows\system32\mljhedc.dll
    O2 - BHO: (no name) - {2F0A26C4-3E37-4868-8DB8-D52C1798ECF6} - C:\Windows\system32\ssqro.dll
    O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_10\bin\ssv.dll
    O2 - BHO: AOL Toolbar Launcher - {7C554162-8CB7-45A4-B8F4-8EA1C75885F9} - C:\Program Files\AOL\AOL Toolbar 4.0\aoltb.dll
    O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
    O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
    O2 - BHO: (no name) - {A95B2816-1D7E-4561-A202-68C0DE02353A} - C:\Windows\system32\andkkvls.dll
    O2 - BHO: MSN Search Toolbar Helper - {BDBD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\MSN Toolbar Suite\TB2.05.0001.1119\en-us\msntb.dll
    O3 - Toolbar: Copernic Desktop Search - {C5F7A735-70F1-477F-8C36-6FF3C736017B} - C:\Program Files\Copernic Desktop Search\CopernicDesktopSearchIntegration740.dll
    O3 - Toolbar: MSN Search Toolbar - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\MSN Toolbar Suite\TB2.05.0001.1119\en-us\msntb.dll
    O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn2\yt.dll
    O3 - Toolbar: AOL Toolbar - {DE9C389F-3316-41A7-809B-AA305ED9D922} - C:\Program Files\AOL\AOL Toolbar 4.0\aoltb.dll
    O4 - HKCU\..\Run: [ctfmon.exe] C:\Windows\system32\ctfmon.exe
    O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background
    O4 - HKCU\..\Run: [Yahoo! Pager] "C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe" -quiet
    O4 - HKCU\..\Run: [Aim6] "C:\Program Files\AIM6\aim6.exe" /d locale=en-US ee://aol/imApp
    O4 - HKLM\..\Policies\Explorer\Run: [updateManager] C:\Program Files\Common Files\Microsoft Shared\TextConv\wmupdate.exe
    O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'LOCAL SERVICE')
    O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'NETWORK SERVICE')
    O4 - Global Startup: AIM 6.0.lnk = C:\Program Files\AIM6\aim6.exe
    O4 - Global Startup: MSN Messenger 7.5.lnk = C:\Program Files\MSN Messenger\msnmsgr.exe
    O4 - Global Startup: RAMASST.lnk = C:\WINDOWS\system32\RAMASST.exe
    O4 - Global Startup: WeatherEye.lnk = ?
    O4 - Global Startup: Windows Desktop Search.lnk = C:\Program Files\MSN Toolbar Suite\DS2.05.0001.1119\en-us\bin\WindowsSearch.exe
    O4 - Global Startup: Yahoo! Messenger with Voice (2).lnk = C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe
    O8 - Extra context menu item: &AOL Toolbar Search - c:\program files\aol\aol toolbar 4.0\resources\en-US\local\search.html
    O8 - Extra context menu item: &MSN Search - res://C:\Program Files\MSN Toolbar Suite\TB2.05.0001.1119\en-us\msntb.dll/search.htm
    O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MI1933~1\OFFICE11\EXCEL.EXE/3000
    O8 - Extra context menu item: Search Using Copernic Agent - res://C:\Program Files\Copernic Agent\CopernicAgentExt.dll/INTEGRATION_MENU_SEARCHEXT
    O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_10\bin\ssv.dll
    O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_10\bin\ssv.dll
    O9 - Extra button: (no name) - {193B17B0-7C9F-4D5B-AEAB-8D3605EFC084} - C:\PROGRA~1\COPERN~2\COPERN~1.EXE
    O9 - Extra 'Tools' menuitem: Launch Copernic Agent - {193B17B0-7C9F-4D5B-AEAB-8D3605EFC084} - C:\PROGRA~1\COPERN~2\COPERN~1.EXE
    O9 - Extra button: Encarta Encyclopedia - {2FDEF853-0759-11D4-A92E-006097DBED37} - C:\Program Files\Common Files\Microsoft Shared\Reference 2001\A\ERS_ENC.HTM
    O9 - Extra 'Tools' menuitem: Encarta Encyclopedia - {2FDEF853-0759-11D4-A92E-006097DBED37} - C:\Program Files\Common Files\Microsoft Shared\Reference 2001\A\ERS_ENC.HTM
    O9 - Extra button: AOL Toolbar - {3369AF0D-62E9-4bda-8103-B4C75499B578} - C:\Program Files\AOL\AOL Toolbar 4.0\aoltb.dll
    O9 - Extra button: Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\PROGRA~1\Yahoo!\Common\yhexbmesca.dll
    O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\PROGRA~1\Yahoo!\Common\yhexbmesca.dll
    O9 - Extra button: Define - {5DA9DE80-097A-11D4-A92E-006097DBED37} - C:\Program Files\Common Files\Microsoft Shared\Reference 2001\A\ERS_DEF.HTM
    O9 - Extra 'Tools' menuitem: Define - {5DA9DE80-097A-11D4-A92E-006097DBED37} - C:\Program Files\Common Files\Microsoft Shared\Reference 2001\A\ERS_DEF.HTM
    O9 - Extra button: Copernic Agent - {688DC797-DC11-46A7-9F1B-445F4F58CE6E} - C:\PROGRA~1\COPERN~2\COPERN~1.EXE
    O9 - Extra button: Bonjour - {7F9DB11C-E358-4ca6-A83D-ACC663939424} - C:\Program Files\Bonjour\ExplorerPlugin.dll
    O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MI1933~1\OFFICE11\REFIEBAR.DLL
    O9 - Extra button: Researcher - {9455301C-CF6B-11D3-A266-00C04F689C50} - C:\Program Files\Common Files\Microsoft Shared\Reference 2001\EROProj.dll
    O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
    O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\Windows\Network Diagnostic\xpnetdiag.exe
    O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\Windows\Network Diagnostic\xpnetdiag.exe
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O9 - Extra button: Support - {6A029EAC-2A52-475F-B8FE-AF3186EA3D03} - C:\Program Files\Internet Explorer\SIGNUP\Presario.htm (HKCU)
    O14 - IERESET.INF: START_PAGE_URL=http://store.presario.net/scripts/redirectors/presario/storeredir2.dll?s=consumerfav&c=3c01&lc=1009
    O16 - DPF: {11260943-421B-11D0-8EAC-0000C07D88CF} (iPIX ActiveX Control) - http://www.ipix.com/viewers/ipixx.cab
    O16 - DPF: {30528230-99F7-4BB4-88D8-FA1D4F56A2AB} (YInstStarter Class) - C:\Program Files\Yahoo!\Common\yinsthelper.dll
    O16 - DPF: {49232000-16E4-426C-A231-62846947304B} - http://ipgweb.cce.hp.com/rdqcpc/downloads/sysinfo.cab
    O16 - DPF: {78AEEDE8-7345-4FB5-A8FE-4BFF16EF25FC} (McAfee Virtual Technician Control Class) - http://mvt.mcafee.com/mvt/bin/2,4,1,0/mvt.cab
    O16 - DPF: {88D969C0-F192-11D4-A65F-0040963251E5} (XML DOM Document 4.0) - http://ipgweb.cce.hp.com/rdqcpc/downloads/msxml4.cab
    O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (ZoneIntro Class) - http://cdn2.zone.msn.com/binFramework/v10/...ro.cab34246.cab
    O16 - DPF: {BE833F39-1E0C-468C-BA70-25AAEE55775E} (System Requirements Lab) - http://www.systemrequirementslab.com/sysreqlab.cab
    O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/flas...ent/swflash.cab
    O16 - DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} (PopCapLoader Object) - http://aolsvc.aol.com/onlinegames/chuzzled...aploader_v7.cab
    O20 - Winlogon Notify: andkkvls - C:\Windows\SYSTEM32\andkkvls.dll
    O20 - Winlogon Notify: mljhedc - C:\Windows\SYSTEM32\mljhedc.dll
    O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft AB - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
    O23 - Service: Bonjour Service - Apple Computer, Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
    O23 - Service: DVD-RAM_Service - Matsushita Electric Industrial Co., Ltd. - C:\WINDOWS\System32\DVDRAMSV.exe
    O23 - Service: lxbs_device - Lexmark International, Inc. - C:\WINDOWS\system32\lxbscoms.exe
    O23 - Service: McAfee Framework Service (McAfeeFramework) - Network Associates, Inc. - C:\Program Files\Network Associates\Common Framework\FrameworkService.exe
    O23 - Service: Network Associates McShield (McShield) - Network Associates, Inc. - C:\Program Files\Network Associates\VirusScan\mcshield.exe
    O23 - Service: Network Associates Task Manager (McTaskManager) - Network Associates, Inc. - C:\Program Files\Network Associates\VirusScan\vstskmgr.exe
    O23 - Service: Norton Unerase Protection (NProtectService) - Symantec Corporation - C:\Program Files\Norton SystemWorks\Norton Utilities\NPROTECT.EXE
    O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\Windows\system32\nvsvc32.exe
    O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
    O23 - Service: SoundMAX Agent Service (SoundMAX Agent Service (default)) - Analog Devices, Inc. - C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
    O23 - Service: Speed Disk service - Symantec Corporation - C:\PROGRA~1\NORTON~3\SPEEDD~1\nopdb.exe
    O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
    O23 - Service: Viewpoint Manager Service - Viewpoint Corporation - C:\Program Files\Viewpoint\Common\ViewpointService.exe
    O23 - Service: Window Washer Engine (wwEngineSvc) - Webroot Software, Inc. - C:\Program Files\Webroot\Washer\WasherSvc.exe

    --
    End of file - 13102 bytes

  • farbar
    edited February 2008

    Hi,

    You are obviously in a very difficult situation. Do you have a firewall? Please do the following.

    Step 1.

    Before removing anything please make a copy of these files (the virus researchers may want to look at those files):

    C:\Windows\system32\snhioqwa.dll
    C:\Windows\system32\mljhedc.dll
    C:\Windows\system32\ssqro.dll
    C:\Windows\system32\andkkvls.dll

    1. Archive them password-protected (rar, 7-Zip, etc.). Use infected as the password.
    2. Post it as an attachment (use Browse, give the path to the archive, press the green UPLOAD button).

    You may read more here about how to archive: Virus Submission

    Note: The files may be hidden. You have to unhide the files in order to make a copy.

    Step 2.

    Download VundoFix by Atribune to your desktop.

    • Double-click VundoFix.exe to run it.
    • When VundoFix opens, click the Scan for Vundo button.
    • Once it's done scanning, click the Remove Vundo button.
    • You will receive a prompt asking if you want to remove the files; click YES.
    • Once you click Yes, your desktop will go blank as it starts removing Vundo.
    • When completed, it will prompt that it will reboot your computer; click OK.

    Note: It is possible that VundoFix encountered a file it could not remove. In this case, VundoFix will run on reboot.

    Step 3.

    Remove old Java versions due to a serious security vulnerability (especially for Vundo family malware):

    Download the latest version of JRE (Java Runtime Environment (JRE) 6 Update 4) from here: http://java.sun.com/javase/downloads/index.jsp

    But don't install it yet.

    Go to Control Panel - Add/Remove Programs, uninstall/remove all the old versions of Java, or any item with Java (JRE or J2SE) in the name, and remove the folders from Program Files.

    Reboot once all Java components are removed.

    Step 4.

    Please download ATF Cleaner by Atribune.

    Double-click ATF-Cleaner.exe to run the program.
    Under Main choose: Select All
    Click the Empty Selected button.

    Step 5.

    Reboot and make a fresh HijackThis log and copy and paste the log along with the copy of the VundoFix log (C:\vundofix.txt).
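    The four DLLs farbar lists in Step 1 are exactly the ones the posted log shows as O2 BHO entries with no vendor name (or a bare CLSID as the name) living in System32, two of them also hooked in as O20 Winlogon Notify entries. The Python triage script below is an added example, not part of the thread and not HijackThis's own logic: it parses a handful of lines copied from the posted log and applies that pattern as a heuristic (anonymous System32 BHO, corroborated when a Winlogon Notify hook loads the same DLL). The rule set is an assumption for illustration; a real review still reads every line.

```python
import re
from dataclasses import dataclass

# Constructed sample: lines copied from the HijackThis v2.0.2 log posted above
# (one legitimate BHO, the four anonymous System32 DLLs, an orphan entry, the
# two Winlogon Notify hooks and an ordinary service line).
SAMPLE_LOG = r"""
Logfile of Trend Micro HijackThis v2.0.2
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: {ce214d63-ff4d-4918-9dd4-b40715a022a1} - {1a220a51-704b-4dd9-8194-d4ff36d412ec} - C:\Windows\system32\snhioqwa.dll
O2 - BHO: (no name) - {2860C741-8F63-45DA-B029-2B4B148AC499} - C:\Windows\system32\mljhedc.dll
O2 - BHO: (no name) - {2F0A26C4-3E37-4868-8DB8-D52C1798ECF6} - C:\Windows\system32\ssqro.dll
O2 - BHO: (no name) - {A95B2816-1D7E-4561-A202-68C0DE02353A} - C:\Windows\system32\andkkvls.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O20 - Winlogon Notify: andkkvls - C:\Windows\SYSTEM32\andkkvls.dll
O20 - Winlogon Notify: mljhedc - C:\Windows\SYSTEM32\mljhedc.dll
O23 - Service: Bonjour Service - Apple Computer, Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
"""

# HijackThis line shapes for the two sections this triage looks at.
O2_RE = re.compile(r"^O2 - BHO: (?P<name>.*?) - (?P<clsid>\{[0-9A-Fa-f-]{36}\}) - (?P<path>.*)$")
O20_RE = re.compile(r"^O20 - Winlogon Notify: (?P<name>\S+) - (?P<path>.*)$")
GUID_RE = re.compile(r"^\{[0-9A-Fa-f-]{36}\}$")
SYSTEM_DIR_RE = re.compile(r"\\(windows|winnt)\\system32\\", re.IGNORECASE)


@dataclass(frozen=True)
class Finding:
    kind: str   # heuristic that fired (assumed labels, see triage())
    dll: str    # lower-cased DLL basename, empty for orphan entries
    line: str   # the log line as written


def basename(path):
    return path.rsplit("\\", 1)[-1].strip().lower()


def triage(log_text):
    """Two passes over the log: first flag BHOs that have no name (or only a
    CLSID as name) and load from System32; then mark Winlogon Notify hooks
    that load one of those same DLLs as corroborated."""
    lines = [ln.strip() for ln in log_text.splitlines() if ln.strip()]
    findings, flagged = [], set()
    for line in lines:
        m = O2_RE.match(line)
        if not m:
            continue
        name, path = m.group("name"), m.group("path")
        if path == "(no file)":
            findings.append(Finding("orphan-bho", "", line))
        elif (name == "(no name)" or GUID_RE.match(name)) and SYSTEM_DIR_RE.search(path):
            dll = basename(path)
            flagged.add(dll)
            findings.append(Finding("anonymous-system32-bho", dll, line))
    for line in lines:
        m = O20_RE.match(line)
        if not m:
            continue
        dll = basename(m.group("path"))
        kind = "winlogon-notify-corroborated" if dll in flagged else "winlogon-notify"
        findings.append(Finding(kind, dll, line))
    return findings


def flagged_dlls(log_text):
    """Set of DLL basenames the anonymous-System32-BHO rule fired on."""
    return {f.dll for f in triage(log_text) if f.kind == "anonymous-system32-bho"}


def report(log_text):
    return "\n".join(f"[{f.kind}] {f.dll or '-'}: {f.line}" for f in triage(log_text))


if __name__ == "__main__":
    print(report(SAMPLE_LOG))
```

    Run against the sample it lists the same four DLLs farbar asked to be archived, and tags andkkvls.dll and mljhedc.dll as corroborated because the Winlogon Notify hooks load them; the Adobe BHO and the Bonjour service produce nothing. The orphan "(no file)" entry is reported separately, since a registry reference to a DLL that is no longer on disk is worth cleaning but is not evidence of an active module.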

  • Attachment: Infected.rar

  • Step 6.

    1. Go to the My Documents folder and remove the *.tmp files manually. To do that, highlight them all (select the first .tmp file, hold down Shift and scroll down to the last .tmp and highlight/select the last .tmp) and delete them using Shift+Del to bypass the Recycle Bin.

    2. Additional check:

    * Go to Start - Search - click All files and folders.
    * Click More advanced options and check: Search system folders, Search hidden files and folders and Search subfolders.
    * Type p*.tmp; if there are more of those files in other places, remove them manually.

  • Sorry, I sent the RAR file before answering your question about a firewall. Well, yes I do, which makes the situation even more perplexing for me. I also run McAfee Enterprise, which usually catches any and everything coming in. Nothing like computers to keep you busy!

  • What do I do if VundoFix can't remove a file? The computer is on its third reboot, with VundoFix saying that it cannot remove mljhedc.dll?

  • farbar
    edited February 2008

    Sorry, I sent the RAR file before answering your question about a firewall. Well, yes I do, which makes the situation even more perplexing for me. I also run McAfee Enterprise, which usually catches any and everything coming in. Nothing like computers to keep you busy!

    No problem.

    1. You may check the Internet traffic of the firewall and look for, note, report and remove allowed suspicious entries.

    2. After removal of Vundo go to Internet Options - Tools - and set your privacy setting to default. It is usually lowered by the malware.

    I edit this to answer your question. Let VundoFix run; it should stop after a few times running. But after, say, 5 times running, if it did not stop, you stop it and report back with both mentioned logs.

  • What do I do if VundoFix can't remove a file? The computer is on its third reboot, with VundoFix saying that it cannot remove mljhedc.dll?

    So VundoFix couldn't remove that file, so I tried to delete it manually. It wouldn't let me, so I renamed the extension .xxx and hid it in a series of folders. I performed the instructed tasks, and found 2500 .tmp files in My Documents. Then I found copies of the same files in My Computer, and deleted those as well, using Shift + Delete. I am including the VundoFix and the HijackThis files of the last scans. I also found some interesting files in My Computer. Their names are sqmdata01.sqm, and up in numbers, and sqmnoopt01.sqm. Do you have any idea what these are? I have never seen them before. To be safe, I isolated them in a folder, but would like advice on whether they are harmful or not. I suppose it is now safe to install the Java?

    HijackThis logs:

    Logfile of Trend Micro HijackThis v2.0.2
    Scan saved at 7:28:20 PM, on 06/02/2008
    Platform: Windows XP SP2 (WinNT 5.01.2600)
    MSIE: Internet Explorer v7.00 (7.00.6000.16414)
    Boot mode: Normal

    Running processes:
    C:\Windows\System32\smss.exe
    C:\Windows\system32\winlogon.exe
    C:\Windows\system32\services.exe
    C:\Windows\system32\lsass.exe
    C:\Windows\system32\svchost.exe
    C:\Windows\System32\svchost.exe
    C:\Windows\system32\spoolsv.exe
    C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
    C:\Program Files\Bonjour\mDNSResponder.exe
    C:\WINDOWS\System32\DVDRAMSV.exe
    C:\Program Files\Network Associates\Common Framework\FrameworkService.exe
    C:\Program Files\Network Associates\VirusScan\mcshield.exe
    C:\Program Files\Network Associates\VirusScan\vstskmgr.exe
    C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
    C:\PROGRA~1\NORTON~3\SPEEDD~1\nopdb.exe
    C:\Windows\System32\svchost.exe
    C:\Program Files\Viewpoint\Common\ViewpointService.exe
    C:\Program Files\Webroot\Washer\WasherSvc.exe
    C:\Windows\Explorer.EXE
    C:\Windows\system32\ctfmon.exe
    C:\Program Files\AIM6\aim6.exe
    C:\Windows\system32\wuauclt.exe
    C:\Program Files\MSN Messenger\msnmsgr.exe
    C:\WINDOWS\system32\RAMASST.exe
    C:\Program Files\TheWeatherNetwork\WeatherEye\WeatherEye.exe
    C:\Program Files\Yahoo!\Messenger\ymsgr_tray.exe
    C:\Program Files\AIM6\aolsoftware.exe
    C:\Windows\System32\svchost.exe
    C:\Documents and Settings\Kathy's Funtime\Desktop\moon.exe

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\Program Files\Copernic Agent\CopernicAgentExt.dll/INTEGRATION_BAND_SEARCHBAR_HTML
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://ca.rd.yahoo.com/customize/ie/defaul...earch.yahoo.com
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://ca.yahoo.com
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://ca.yahoo.com
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://ca.rd.yahoo.com/customize/ie/defaul...earch.yahoo.com
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://ca.rd.yahoo.com/customize/ie/defaul...earch.yahoo.com
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://ca.yahoo.com
    R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://ca.rd.yahoo.com/customize/ie/defaul...earch.yahoo.com
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
    R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://g.msn.com/8SEENUS020100/FRWCompleteAddIns
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Windows Internet Explorer provided by Yahoo! Canada
    R3 - URLSearchHook: (no name) - {BE89472C-B803-4D1D-9A9A-0A63660E0FE3} - C:\PROGRA~1\COPERN~2\COPERN~1.DLL
    R3 - URLSearchHook: (no name) - {1CFFA392-0898-4b1c-89D1-6E98F9D8EF78} - (no file)
    R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn2\yt.dll
    O2 - BHO: Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn2\yt.dll
    O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
    O2 - BHO: {ce214d63-ff4d-4918-9dd4-b40715a022a1} - {1a220a51-704b-4dd9-8194-d4ff36d412ec} - C:\Windows\system32\snhioqwa.dll
    O2 - BHO: DgnWebIE - {2843DAC1-05EF-11D2-95BA-0060083493D6} - C:\Program Files\Dragon Systems\NaturallySpeaking\Program\web_ie.dll
    O2 - BHO: (no name) - {2860C741-8F63-45DA-B029-2B4B148AC499} - C:\Windows\system32\mljhedc.dll (file missing)
    O2 - BHO: (no name) - {3BF2E79B-2613-4AB0-A4C3-0D2DD989E098} - C:\Windows\system32\ssqro.dll
    O2 - BHO: AOL Toolbar Launcher - {7C554162-8CB7-45A4-B8F4-8EA1C75885F9} - C:\Program Files\AOL\AOL Toolbar 4.0\aoltb.dll
    O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
    O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
    O2 - BHO: MSN Search Toolbar Helper - {BDBD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\MSN Toolbar Suite\TB2.05.0001.1119\en-us\msntb.dll
    O3 - Toolbar: Copernic Desktop Search - {C5F7A735-70F1-477F-8C36-6FF3C736017B} - C:\Program Files\Copernic Desktop Search\CopernicDesktopSearchIntegration740.dll
    O3 - Toolbar: MSN Search Toolbar - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\MSN Toolbar Suite\TB2.05.0001.1119\en-us\msntb.dll
    O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn2\yt.dll
    O3 - Toolbar: AOL Toolbar - {DE9C389F-3316-41A7-809B-AA305ED9D922} - C:\Program Files\AOL\AOL Toolbar 4.0\aoltb.dll
    O4 - HKCU\..\Run: [ctfmon.exe] C:\Windows\system32\ctfmon.exe
    O4 - HKCU\..\Run: [Yahoo! Pager] "C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe" -quiet
    O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background
    O4 - HKCU\..\Run: [Aim6] "C:\Program Files\AIM6\aim6.exe" /d locale=en-US ee://aol/imApp
    O4 - HKLM\..\Policies\Explorer\Run: [updateManager] C:\Program Files\Common Files\Microsoft Shared\TextConv\wmupdate.exe
    O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'LOCAL SERVICE')
    O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'NETWORK SERVICE')
    O4 - Global Startup: AIM 6.0.lnk = C:\Program Files\AIM6\aim6.exe
    O4 - Global Startup: MSN Messenger 7.5.lnk = C:\Program Files\MSN Messenger\msnmsgr.exe
    O4 - Global Startup: RAMASST.lnk = C:\WINDOWS\system32\RAMASST.exe
    O4 - Global Startup: WeatherEye.lnk = ?
    O4 - Global Startup: Windows Desktop Search.lnk = C:\Program Files\MSN Toolbar Suite\DS2.05.0001.1119\en-us\bin\WindowsSearch.exe
    O4 - Global Startup: Yahoo! Messenger with Voice (2).lnk = C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe
    O8 - Extra context menu item: &AOL Toolbar Search - c:\program files\aol\aol toolbar 4.0\resources\en-US\local\search.html
    O8 - Extra context menu item: &MSN Search - res://C:\Program Files\MSN Toolbar Suite\TB2.05.0001.1119\en-us\msntb.dll/search.htm
    O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MI1933~1\OFFICE11\EXCEL.EXE/3000
    O8 - Extra context menu item: Search Using Copernic Agent - res://C:\Program Files\Copernic Agent\CopernicAgentExt.dll/INTEGRATION_MENU_SEARCHEXT
    O9 - Extra button: (no name) - {193B17B0-7C9F-4D5B-AEAB-8D3605EFC084} - C:\PROGRA~1\COPERN~2\COPERN~1.EXE
    O9 - Extra 'Tools' menuitem: Launch Copernic Agent - {193B17B0-7C9F-4D5B-AEAB-8D3605EFC084} - C:\PROGRA~1\COPERN~2\COPERN~1.EXE
    O9 - Extra button: Encarta Encyclopedia - {2FDEF853-0759-11D4-A92E-006097DBED37} - C:\Program Files\Common Files\Microsoft Shared\Reference 2001\A\ERS_ENC.HTM
    O9 - Extra 'Tools' menuitem: Encarta Encyclopedia - {2FDEF853-0759-11D4-A92E-006097DBED37} - C:\Program Files\Common Files\Microsoft Shared\Reference 2001\A\ERS_ENC.HTM
    O9 - Extra button: AOL Toolbar - {3369AF0D-62E9-4bda-8103-B4C75499B578} - C:\Program Files\AOL\AOL Toolbar 4.0\aoltb.dll
    O9 - Extra button: Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\PROGRA~1\Yahoo!\Common\yhexbmesca.dll
    O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\PROGRA~1\Yahoo!\Common\yhexbmesca.dll
    O9 - Extra button: Define - {5DA9DE80-097A-11D4-A92E-006097DBED37} - C:\Program Files\Common Files\Microsoft Shared\Reference 2001\A\ERS_DEF.HTM
    O9 - Extra 'Tools' menuitem: Define - {5DA9DE80-097A-11D4-A92E-006097DBED37} - C:\Program Files\Common Files\Microsoft Shared\Reference 2001\A\ERS_DEF.HTM
    O9 - Extra button: Copernic Agent - {688DC797-DC11-46A7-9F1B-445F4F58CE6E} - C:\PROGRA~1\COPERN~2\COPERN~1.EXE
    O9 - Extra button: Bonjour - {7F9DB11C-E358-4ca6-A83D-ACC663939424} - C:\Program Files\Bonjour\ExplorerPlugin.dll
    O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MI1933~1\OFFICE11\REFIEBAR.DLL
    O9 - Extra button: Researcher - {9455301C-CF6B-11D3-A266-00C04F689C50} - C:\Program Files\Common Files\Microsoft Shared\Reference 2001\EROProj.dll
    O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
    O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\Windows\Network Diagnostic\xpnetdiag.exe
    O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\Windows\Network Diagnostic\xpnetdiag.exe
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O9 - Extra button: Support - {6A029EAC-2A52-475F-B8FE-AF3186EA3D03} - C:\Program Files\Internet Explorer\SIGNUP\Presario.htm (HKCU)
    O14 - IERESET.INF: START_PAGE_URL=http://store.presario.net/scripts/redirectors/presario/storeredir2.dll?s=consumerfav&c=3c01&lc=1009
    O16 - DPF: {11260943-421B-11D0-8EAC-0000C07D88CF} (iPIX ActiveX Control) - http://www.ipix.com/viewers/ipixx.cab
    O16 - DPF: {30528230-99F7-4BB4-88D8-FA1D4F56A2AB} (YInstStarter Class) - C:\Program Files\Yahoo!\Common\yinsthelper.dll
    O16 - DPF: {49232000-16E4-426C-A231-62846947304B} - http://ipgweb.cce.hp.com/rdqcpc/downloads/sysinfo.cab
    O16 - DPF: {78AEEDE8-7345-4FB5-A8FE-4BFF16EF25FC} (McAfee Virtual Technician Control Class) - http://mvt.mcafee.com/mvt/bin/2,4,1,0/mvt.cab
    O16 - DPF: {88D969C0-F192-11D4-A65F-0040963251E5} (XML DOM Document 4.0) - http://ipgweb.cce.hp.com/rdqcpc/downloads/msxml4.cab
    O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (ZoneIntro Class) - http://cdn2.zone.msn.com/binFramework/v10/...ro.cab34246.cab
    O16 - DPF: {BE833F39-1E0C-468C-BA70-25AAEE55775E} (System Requirements Lab) - http://www.systemrequirementslab.com/sysreqlab.cab
    O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/flas...ent/swflash.cab
    O16 - DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} (PopCapLoader Object) - http://aolsvc.aol.com/onlinegames/chuzzled...aploader_v7.cab
    O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft AB - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
    O23 - Service: Bonjour Service - Apple Computer, Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
    O23 - Service: DVD-RAM_Service - Matsushita Electric Industrial Co., Ltd. - C:\WINDOWS\System32\DVDRAMSV.exe
    O23 - Service: lxbs_device - Lexmark International, Inc. - C:\WINDOWS\system32\lxbscoms.exe
    O23 - Service: McAfee Framework Service (McAfeeFramework) - Network Associates, Inc. - C:\Program Files\Network Associates\Common Framework\FrameworkService.exe
    O23 - Service: Network Associates McShield (McShield) - Network Associates, Inc. - C:\Program Files\Network Associates\VirusScan\mcshield.exe
    O23 - Service: Network Associates Task Manager (McTaskManager) - Network Associates, Inc. - C:\Program Files\Network Associates\VirusScan\vstskmgr.exe
    O23 - Service: Norton Unerase Protection (NProtectService) - Symantec Corporation - C:\Program Files\Norton SystemWorks\Norton Utilities\NPROTECT.EXE


    O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\Windows\system32\nvsvc32.exe


    O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe


    O23 - Service: SoundMAX Agent Service (SoundMAX Agent Service (default)) - Analog Devices, Inc. - C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe


    O23 - Service: Speed Disk service - Symantec Corporation - C:\PROGRA~1\NORTON~3\SPEEDD~1\nopdb.exe


    O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe


    O23 - Service: Viewpoint Manager Service - Viewpoint Corporation - C:\Program Files\Viewpoint\Common\ViewpointService.exe


    O23 - Service: Window Washer Engine (wwEngineSvc) - Webroot Software, Inc. - C:\Program Files\Webroot\Washer\WasherSvc.exe


    --


    End of file - 12369 bytes


    VundoFix Logs:


    VundoFix V6.7.7


    Checking Java version...


    Java version is 1.5.0.10


    Scan started at 6:09:52 PM 06/02/2008


    Listing files found while scanning....


    C:\windows\system32\andkkvls.dll


    C:\windows\system32\andkkvls.dllbox


    C:\windows\system32\mljhedc.dll


    C:\windows\system32\mljhgdb.dll


    C:\windows\system32\wvustsr.dll


    Beginning removal...


    Attempting to delete C:\windows\system32\andkkvls.dll


    C:\windows\system32\andkkvls.dll Has been deleted!


    Attempting to delete C:\windows\system32\andkkvls.dllbox


    C:\windows\system32\andkkvls.dllbox Has been deleted!


    Attempting to delete C:\windows\system32\mljhedc.dll


    C:\windows\system32\mljhedc.dll Could not be deleted.


    Attempting to delete C:\windows\system32\mljhgdb.dll


    C:\windows\system32\mljhgdb.dll Has been deleted!


    Attempting to delete C:\windows\system32\wvustsr.dll


    C:\windows\system32\wvustsr.dll Has been deleted!


    Performing Repairs to the registry.


    Done!


    Beginning removal...


    Attempting to delete C:\windows\system32\mljhedc.dll


    C:\windows\system32\mljhedc.dll Could not be deleted.


    Performing Repairs to the registry.


    Done!


    VundoFix V6.7.7


    Checking Java version...


    Java version is 1.5.0.10


    Scan started at 6:36:03 PM 06/02/2008


    Listing files found while scanning....


    C:\windows\system32\mljhedc.dll


    Beginning removal...


    Attempting to delete C:\windows\system32\mljhedc.dll


    C:\windows\system32\mljhedc.dll Could not be deleted.


    Performing Repairs to the registry.


    Done!


    Beginning removal...


    Attempting to delete C:\windows\system32\mljhedc.dll


    C:\windows\system32\mljhedc.dll Could not be deleted.


    Performing Repairs to the registry.


    Done!


    Thank you for all your help. You are truly a tech god! How do you know all this stuff?? Anyway, everything seems to be working OK now. I was able to delete those Windows Update and Help and Support icons from the desktop, and the computer has its speed back. Let me know if there is more for me to do as a result of the log entries.

  • farbar
    edited February 2008

    I usually appreciate improvisation if it works; in this case I am not sure. So I want to ask you to delete that .xxx file. If you cannot delete it, rename it back to its original name, put it where it was, and go on with the following step:


    Please run VundoFix again:


    At the main window, right-click in the Open box and select Add More Files.

    A second window will open. Copy and paste the first 6 of the following lines into the first 6 lines, then select Add Files.

    Then close the window; back at the main window, right-click in the Open box again, select Add More Files and enter the rest.


    C:\Windows\system32\mljhedc.*


    C:\Windows\system32\cljhedm.*


    C:\Windows\SYSTEM32\andkkvls.*


    C:\Windows\SYSTEM32\slvkkdna.*


    C:\Windows\system32\orqss.*


    C:\Windows\system32\osqrs.*


    C:\Windows\system32\snhioqwa.*


    C:\Windows\system32\awqoihns*


    C:\Windows\system32\anhioqws.*


    C:\Windows\system32\cdehjlm.*


    C:\Windows\SYSTEM32\slvkkdna.*


    C:\Windows\system32\ssqro.*



    Select Add Files


    Then Close Window

    • Click the Remove Vundo button. Do not click the Scan for Vundo Button
    • You will receive a prompt asking if you want to remove the files, click YES
    • Once you click yes, your desktop will go blank as it starts removing Vundo.
    • When completed, it will prompt that it will reboot your computer, click OK.
    • Please post the contents of C:\vundofix.txt and a new HiJackThis log.
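    The file list above pairs each dropped name with its reversal (ssqro / orqss, snhioqwa / awqoihns, andkkvls / slvkkdna), which is the pattern the helper is working from. As an added example, not code from this thread or from the HijackThis or VundoFix authors, the Python script below pulls the O2 (BHO) entries out of a HijackThis log, flags the ones that match what the posted logs show for Vundo (a BHO whose display name is itself a GUID, or a "(no name)" BHO loading a DLL from system32), separates the orphaned "(no file)" entries, and emits the `<name>.*` / `<reversed name>.*` pairs that VundoFix's Add More Files box takes. The sample log lines are copied from the logs posted in this thread; the heuristics are assumptions drawn from those entries, not a complete Vundo signature.

```python
"""Triage O2 (BHO) lines from a HijackThis log and build the file-pattern
list that VundoFix's "Add More Files" dialog expects.

Added example, not code from the thread or from the HijackThis/VundoFix
authors. The heuristics (GUID-as-display-name, "(no name)" BHO in
system32, reversed-name twin files) are assumptions taken from the
entries in the posted logs, not a full Vundo signature.
"""
import ntpath
import re
from dataclasses import dataclass
from typing import Dict, List, Set

# Constructed sample: a few O2 lines copied from the log posted in the thread.
SAMPLE_HJT_LOG = """\
O2 - BHO: Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\\Program Files\\Yahoo!\\Companion\\Installs\\cpn2\\yt.dll
O2 - BHO: {ce214d63-ff4d-4918-9dd4-b40715a022a1} - {1a220a51-704b-4dd9-8194-d4ff36d412ec} - C:\\Windows\\system32\\snhioqwa.dll
O2 - BHO: (no name) - {2860C741-8F63-45DA-B029-2B4B148AC499} - (no file)
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\\Program Files\\Java\\jre1.6.0_04\\bin\\ssv.dll
O2 - BHO: (no name) - {A028B4C7-6665-47E0-BF42-936D8D212303} - C:\\Windows\\system32\\ssqro.dll
"""

GUID_RE = re.compile(r"^\{[0-9A-Fa-f]{8}(-[0-9A-Fa-f]{4}){3}-[0-9A-Fa-f]{12}\}$")
# name is non-greedy so a GUID used as the display name still parses
O2_RE = re.compile(r"^O2 - BHO: (?P<name>.*?) - (?P<clsid>\{[0-9A-Fa-f-]{36}\}) - (?P<path>.*)$")


@dataclass
class Bho:
    name: str
    clsid: str
    path: str

    @property
    def in_system32(self) -> bool:
        return "\\system32\\" in self.path.lower()

    @property
    def stem(self) -> str:
        # "C:\Windows\system32\ssqro.dll" -> "ssqro"
        return ntpath.splitext(ntpath.basename(self.path))[0]


def parse_o2(log_text: str) -> List[Bho]:
    """Return every O2 line as a Bho record; other HJT sections are ignored."""
    found = []
    for line in log_text.splitlines():
        m = O2_RE.match(line.strip())
        if m:
            found.append(Bho(m["name"], m["clsid"], m["path"]))
    return found


def triage(bhos: List[Bho]) -> Dict[str, List[Bho]]:
    """Split BHOs into 'suspicious', 'orphan' and 'ok' buckets."""
    buckets: Dict[str, List[Bho]] = {"suspicious": [], "orphan": [], "ok": []}
    for b in bhos:
        if b.path == "(no file)":
            buckets["orphan"].append(b)          # dead CLSID, harmless but worth removing
        elif b.in_system32 and (b.name == "(no name)" or GUID_RE.match(b.name)):
            buckets["suspicious"].append(b)      # unnamed or GUID-named DLL in system32
        else:
            buckets["ok"].append(b)
    return buckets


def suspect_stems(log_text: str) -> Set[str]:
    """Base file names (without extension) of the suspicious BHO DLLs."""
    return {b.stem for b in triage(parse_o2(log_text))["suspicious"]}


def vundofix_patterns(stems: Set[str], folder: str = "C:\\Windows\\system32") -> List[str]:
    """For each suspect stem emit <stem>.* and its reversed twin, the pairing
    used in the list above (ssqro <-> orqss, snhioqwa <-> awqoihns)."""
    patterns = set()
    for s in stems:
        patterns.add(f"{folder}\\{s}.*")
        patterns.add(f"{folder}\\{s[::-1]}.*")
    return sorted(patterns)


if __name__ == "__main__":
    for bucket, items in triage(parse_o2(SAMPLE_HJT_LOG)).items():
        for b in items:
            print(f"{bucket:10} {b.clsid} {b.path}")
    print("\nVundoFix 'Add More Files' list:")
    for p in vundofix_patterns(suspect_stems(SAMPLE_HJT_LOG)):
        print(p)
```

    Feed it the full log saved by HijackThis and paste the printed patterns into the Add More Files box; anything in the "ok" bucket still deserves a look, since the display-name and path checks only catch the crude cases seen in this thread.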
  • farbar
    edited February 2008
    ...So I want to ask you to delete dat .xxx file. If you could not delete it rename it to its original name put it where it was and go on with the following step:


    To be sure you don't get into trouble if you have not deleted the file, put it back and let VundoFix do the job and make the registry adjustment if needed. I'll see the result tomorrow.

  • I just wanted to remind you the following:


    No problem.


    1. You may check the Internet traffic in the firewall and look for, note, report and remove allowed suspicious entries.


    2. After removal of Vundo, go to Tools > Internet Options and set your privacy setting to default. It is usually lowered by the malware.


    I am editing this to answer your question. Let VundoFix run; it should stop after a few runs. But if after, say, 5 runs it has not stopped, stop it and report back with both of the mentioned logs.

  • garng2k
    edited February 2008
    I just wanted to remind you the following:


    I reset the Internet Options to default. You were right, the setting was at the lowest. It is now at default, which is medium. I did everything you suggested. Sorry it took so long, but I am in Canada, and we are hours apart!! I went to bed! Here are the logs of the last VundoFix and the HijackThis logs. I was able to delete the mljhedc.dll that I had renamed mljhedc.xxx. Once it was renamed, it allowed me to delete it. Anyway, here are the logs. And thank you again. I await your further instructions, if there are any more.


    VundoFix logs:


    Beginning removal...


    Performing Repairs to the registry.


    Done!


    Not very long!!


    HijackThis logs:


    Logfile of Trend Micro HijackThis v2.0.2


    Scan saved at 10:00:32 AM, on 07/02/2008


    Platform: Windows XP SP2 (WinNT 5.01.2600)


    MSIE: Internet Explorer v7.00 (7.00.6000.16414)


    Boot mode: Normal


    Running processes:


    C:\Windows\System32\smss.exe


    C:\Windows\system32\winlogon.exe


    C:\Windows\system32\services.exe


    C:\Windows\system32\lsass.exe


    C:\Windows\system32\svchost.exe


    C:\Windows\System32\svchost.exe


    C:\Windows\system32\spoolsv.exe


    C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe


    C:\Program Files\Bonjour\mDNSResponder.exe


    C:\WINDOWS\System32\DVDRAMSV.exe


    C:\Program Files\Network Associates\Common Framework\FrameworkService.exe


    C:\Program Files\Network Associates\VirusScan\mcshield.exe


    C:\Program Files\Network Associates\VirusScan\vstskmgr.exe


    C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe


    C:\PROGRA~1\NORTON~3\SPEEDD~1\nopdb.exe


    C:\Windows\System32\svchost.exe


    C:\Program Files\Viewpoint\Common\ViewpointService.exe


    C:\Program Files\Webroot\Washer\WasherSvc.exe


    C:\Windows\Explorer.EXE


    C:\Windows\system32\ctfmon.exe


    C:\Program Files\MSN Messenger\msnmsgr.exe


    C:\WINDOWS\system32\RAMASST.exe


    C:\Program Files\TheWeatherNetwork\WeatherEye\WeatherEye.exe


    C:\Windows\system32\wuauclt.exe


    C:\Program Files\Yahoo!\Messenger\ymsgr_tray.exe


    C:\Windows\System32\svchost.exe


    C:\Program Files\PcBugDoctor\PcBugDoctor.exe


    C:\Documents and Settings\Kathy's Funtime\Desktop\Desktop Stuff2\Computer Mess\moon.exe


    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\Program Files\Copernic Agent\CopernicAgentExt.dll/INTEGRATION_BAND_SEARCHBAR_HTML


    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://ca.rd.yahoo.com/customize/ie/defaul...earch.yahoo.com


    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://ca.yahoo.com


    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://ca.yahoo.com


    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://ca.rd.yahoo.com/customize/ie/defaul...earch.yahoo.com


    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://ca.rd.yahoo.com/customize/ie/defaul...earch.yahoo.com


    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://ca.yahoo.com


    R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://ca.rd.yahoo.com/customize/ie/defaul...earch.yahoo.com


    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =


    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =


    R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://g.msn.com/8SEENUS020100/FRWCompleteAddIns


    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Windows Internet Explorer provided by Yahoo! Canada


    R3 - URLSearchHook: (no name) - {BE89472C-B803-4D1D-9A9A-0A63660E0FE3} - C:\PROGRA~1\COPERN~2\COPERN~1.DLL


    R3 - URLSearchHook: (no name) - {1CFFA392-0898-4b1c-89D1-6E98F9D8EF78} - (no file)


    R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn2\yt.dll


    O2 - BHO: Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn2\yt.dll


    O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll


    O2 - BHO: {ce214d63-ff4d-4918-9dd4-b40715a022a1} - {1a220a51-704b-4dd9-8194-d4ff36d412ec} - C:\Windows\system32\snhioqwa.dll


    O2 - BHO: DgnWebIE - {2843DAC1-05EF-11D2-95BA-0060083493D6} - C:\Program Files\Dragon Systems\NaturallySpeaking\Program\web_ie.dll


    O2 - BHO: (no name) - {2860C741-8F63-45DA-B029-2B4B148AC499} - (no file)


    O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_04\bin\ssv.dll


    O2 - BHO: AOL Toolbar Launcher - {7C554162-8CB7-45A4-B8F4-8EA1C75885F9} - C:\Program Files\AOL\AOL Toolbar 4.0\aoltb.dll


    O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)


    O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll


    O2 - BHO: (no name) - {A028B4C7-6665-47E0-BF42-936D8D212303} - C:\Windows\system32\ssqro.dll


    O2 - BHO: MSN Search Toolbar Helper - {BDBD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\MSN Toolbar Suite\TB2.05.0001.1119\en-us\msntb.dll


    O3 - Toolbar: Copernic Desktop Search - {C5F7A735-70F1-477F-8C36-6FF3C736017B} - C:\Program Files\Copernic Desktop Search\CopernicDesktopSearchIntegration740.dll


    O3 - Toolbar: MSN Search Toolbar - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\MSN Toolbar Suite\TB2.05.0001.1119\en-us\msntb.dll


    O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn2\yt.dll


    O3 - Toolbar: AOL Toolbar - {DE9C389F-3316-41A7-809B-AA305ED9D922} - C:\Program Files\AOL\AOL Toolbar 4.0\aoltb.dll


    O4 - HKCU\..\Run: [ctfmon.exe] C:\Windows\system32\ctfmon.exe


    O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background


    O4 - HKCU\..\Run: [Yahoo! Pager] "C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe" -quiet


    O4 - HKLM\..\Policies\Explorer\Run: [updateManager] C:\Program Files\Common Files\Microsoft Shared\TextConv\wmupdate.exe


    O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'LOCAL SERVICE')


    O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'NETWORK SERVICE')


    O4 - Global Startup: AIM 6.0.lnk = C:\Program Files\AIM6\aim6.exe


    O4 - Global Startup: MSN Messenger 7.5.lnk = C:\Program Files\MSN Messenger\msnmsgr.exe


    O4 - Global Startup: RAMASST.lnk = C:\WINDOWS\system32\RAMASST.exe


    O4 - Global Startup: WeatherEye.lnk = ?


    O4 - Global Startup: Windows Desktop Search.lnk = C:\Program Files\MSN Toolbar Suite\DS2.05.0001.1119\en-us\bin\WindowsSearch.exe


    O4 - Global Startup: Yahoo! Messenger with Voice (2).lnk = C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe


    O8 - Extra context menu item: &AOL Toolbar Search - c:\program files\aol\aol toolbar 4.0\resources\en-US\local\search.html


    O8 - Extra context menu item: &MSN Search - res://C:\Program Files\MSN Toolbar Suite\TB2.05.0001.1119\en-us\msntb.dll/search.htm


    O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MI1933~1\OFFICE11\EXCEL.EXE/3000


    O8 - Extra context menu item: Search Using Copernic Agent - res://C:\Program Files\Copernic Agent\CopernicAgentExt.dll/INTEGRATION_MENU_SEARCHEXT


    O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_04\bin\ssv.dll


    O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_04\bin\ssv.dll


    O9 - Extra button: (no name) - {193B17B0-7C9F-4D5B-AEAB-8D3605EFC084} - C:\PROGRA~1\COPERN~2\COPERN~1.EXE


    O9 - Extra 'Tools' menuitem: Launch Copernic Agent - {193B17B0-7C9F-4D5B-AEAB-8D3605EFC084} - C:\PROGRA~1\COPERN~2\COPERN~1.EXE


    O9 - Extra button: Encarta Encyclopedia - {2FDEF853-0759-11D4-A92E-006097DBED37} - C:\Program Files\Common Files\Microsoft Shared\Reference 2001\A\ERS_ENC.HTM


    O9 - Extra 'Tools' menuitem: Encarta Encyclopedia - {2FDEF853-0759-11D4-A92E-006097DBED37} - C:\Program Files\Common Files\Microsoft Shared\Reference 2001\A\ERS_ENC.HTM


    O9 - Extra button: AOL Toolbar - {3369AF0D-62E9-4bda-8103-B4C75499B578} - C:\Program Files\AOL\AOL Toolbar 4.0\aoltb.dll


    O9 - Extra button: Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\PROGRA~1\Yahoo!\Common\yhexbmesca.dll


    O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\PROGRA~1\Yahoo!\Common\yhexbmesca.dll


    O9 - Extra button: Define - {5DA9DE80-097A-11D4-A92E-006097DBED37} - C:\Program Files\Common Files\Microsoft Shared\Reference 2001\A\ERS_DEF.HTM


    O9 - Extra 'Tools' menuitem: Define - {5DA9DE80-097A-11D4-A92E-006097DBED37} - C:\Program Files\Common Files\Microsoft Shared\Reference 2001\A\ERS_DEF.HTM


    O9 - Extra button: Copernic Agent - {688DC797-DC11-46A7-9F1B-445F4F58CE6E} - C:\PROGRA~1\COPERN~2\COPERN~1.EXE


    O9 - Extra button: Bonjour - {7F9DB11C-E358-4ca6-A83D-ACC663939424} - C:\Program Files\Bonjour\ExplorerPlugin.dll


    O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MI1933~1\OFFICE11\REFIEBAR.DLL


    O9 - Extra button: Researcher - {9455301C-CF6B-11D3-A266-00C04F689C50} - C:\Program Files\Common Files\Microsoft Shared\Reference 2001\EROProj.dll


    O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll


    O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\Windows\Network Diagnostic\xpnetdiag.exe


    O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\Windows\Network Diagnostic\xpnetdiag.exe


    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe


    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe


    O9 - Extra button: Support - {6A029EAC-2A52-475F-B8FE-AF3186EA3D03} - C:\Program Files\Internet Explorer\SIGNUP\Presario.htm (HKCU)


    O14 - IERESET.INF: START_PAGE_URL=http://store.presario.net/scripts/redirectors/presario/storeredir2.dll?s=consumerfav&c=3c01&lc=1009


    O16 - DPF: {11260943-421B-11D0-8EAC-0000C07D88CF} (iPIX ActiveX Control) - http://www.ipix.com/viewers/ipixx.cab


    O16 - DPF: {30528230-99F7-4BB4-88D8-FA1D4F56A2AB} (YInstStarter Class) - C:\Program Files\Yahoo!\Common\yinsthelper.dll


    O16 - DPF: {49232000-16E4-426C-A231-62846947304B} - http://ipgweb.cce.hp.com/rdqcpc/downloads/sysinfo.cab


    O16 - DPF: {78AEEDE8-7345-4FB5-A8FE-4BFF16EF25FC} (McAfee Virtual Technician Control Class) - http://mvt.mcafee.com/mvt/bin/2,4,1,0/mvt.cab


    O16 - DPF: {88D969C0-F192-11D4-A65F-0040963251E5} (XML DOM Document 4.0) - http://ipgweb.cce.hp.com/rdqcpc/downloads/msxml4.cab


    O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (ZoneIntro Class) - http://cdn2.zone.msn.com/binFramework/v10/...ro.cab34246.cab


    O16 - DPF: {BE833F39-1E0C-468C-BA70-25AAEE55775E} (System Requirements Lab) - http://www.systemrequirementslab.com/sysreqlab.cab


    O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/flas...ent/swflash.cab


    O16 - DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} (PopCapLoader Object) - http://aolsvc.aol.com/onlinegames/chuzzled...aploader_v7.cab


    O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft AB - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe


    O23 - Service: Bonjour Service - Apple Computer, Inc. - C:\Program Files\Bonjour\mDNSResponder.exe


    O23 - Service: DVD-RAM_Service - Matsushita Electric Industrial Co., Ltd. - C:\WINDOWS\System32\DVDRAMSV.exe


    O23 - Service: lxbs_device - Lexmark International, Inc. - C:\WINDOWS\system32\lxbscoms.exe


    O23 - Service: McAfee Framework Service (McAfeeFramework) - Network Associates, Inc. - C:\Program Files\Network Associates\Common Framework\FrameworkService.exe


    O23 - Service: Network Associates McShield (McShield) - Network Associates, Inc. - C:\Program Files\Network Associates\VirusScan\mcshield.exe


    O23 - Service: Network Associates Task Manager (McTaskManager) - Network Associates, Inc. - C:\Program Files\Network Associates\VirusScan\vstskmgr.exe


    O23 - Service: Norton Unerase Protection (NProtectService) - Symantec Corporation - C:\Program Files\Norton SystemWorks\Norton Utilities\NPROTECT.EXE


    O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\Windows\system32\nvsvc32.exe


    O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe


    O23 - Service: SoundMAX Agent Service (SoundMAX Agent Service (default)) - Analog Devices, Inc. - C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe


    O23 - Service: Speed Disk service - Symantec Corporation - C:\PROGRA~1\NORTON~3\SPEEDD~1\nopdb.exe


    O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe


    O23 - Service: Viewpoint Manager Service - Viewpoint Corporation - C:\Program Files\Viewpoint\Common\ViewpointService.exe


    O23 - Service: Window Washer Engine (wwEngineSvc) - Webroot Software, Inc. - C:\Program Files\Webroot\Washer\WasherSvc.exe


    --


    End of file - 12618 bytes


    Also, I am running only the Windows firewall. Obviously, this is not doing a good enough job. Are there any free firewalls that you could suggest instead of the Windows one?

  • The privacy setting is not the point now. Every time you reboot it is lowered again, as long as your computer is infected.


    The firewall was important, but we have to do it without it. You ask about a free firewall. You can google for that; what you need is a firewall with Internet traffic control.


    Obviously something is preventing VundoFix from doing its job. It may be the AV real-time protection or Ad-Aware; that is why I would like you to take it into account when using ComboFix.


    Step 1.


    Delete the VundoFix.exe file and the C:\VundoFix Backups folder and C:\vundofix.txt log that was created.



    Step 2.


    • Download ComboFix.exe to your desktop using this link:


      bleepingcomputer

    • Close any open browsers.
    • Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix. After Combofix is finished turn on/enable your anti virus again.
    • Double click on combofix.exe to run the programme & then follow the prompts.


      When finished, it will produce a report for you. Please post the content of this log ("C:\ComboFix.txt") into your next post.

    • ComboFix may need to reboot to finish its work. Let it.
    • Note: Do not mouse-click ComboFix's window while it's running. That may cause it to stall.


      ComboFix should not take more than 20 minutes if malware is detected. If it does, open Task Manager (press Ctrl+Alt+Del), select and end any processes of findstr.exe, find.exe, send.exe or swreg.exe, then ComboFix should continue.

    Step 3.


    Reboot and make a fresh HJT log and post it along with the combofix log.

    I did everything that you instructed. Here are the new logs.


    HijackThis log:


    Logfile of Trend Micro HijackThis v2.0.2


    Scan saved at 10:07:13 AM, on 08/02/2008


    Platform: Windows XP SP2 (WinNT 5.01.2600)


    MSIE: Internet Explorer v7.00 (7.00.6000.16414)


    Boot mode: Normal


    Running processes:


    C:\Windows\System32\smss.exe


    C:\Windows\system32\winlogon.exe


    C:\Windows\system32\services.exe


    C:\Windows\system32\lsass.exe


    C:\Windows\system32\svchost.exe


    C:\Windows\System32\svchost.exe


    C:\Windows\system32\spoolsv.exe


    C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe


    C:\Program Files\Bonjour\mDNSResponder.exe


    C:\WINDOWS\System32\DVDRAMSV.exe


    C:\Program Files\Network Associates\Common Framework\FrameworkService.exe


    C:\Program Files\Network Associates\VirusScan\mcshield.exe


    C:\Program Files\Network Associates\VirusScan\vstskmgr.exe


    C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe


    C:\PROGRA~1\NORTON~3\SPEEDD~1\nopdb.exe


    C:\Windows\System32\svchost.exe


    C:\Program Files\Viewpoint\Common\ViewpointService.exe


    C:\Program Files\Webroot\Washer\WasherSvc.exe


    C:\Windows\Explorer.EXE


    C:\Windows\system32\ctfmon.exe


    C:\Program Files\MSN Messenger\msnmsgr.exe


    C:\WINDOWS\system32\RAMASST.exe


    C:\Program Files\TheWeatherNetwork\WeatherEye\WeatherEye.exe


    C:\Windows\System32\svchost.exe


    C:\Windows\system32\wuauclt.exe


    C:\Program Files\Common Files\AOL\1135974044\ee\AOLHostManager.exe


    C:\Program Files\Common Files\AOL\1135974044\ee\AOLServiceHost.exe


    C:\Program Files\Common Files\AOL\1135974044\ee\AOLServiceHost.exe


    C:\Documents and Settings\Kathy's Funtime\Desktop\Desktop Stuff2\Computer Mess\moon.exe


    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://ca.yahoo.com


    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://ca.yahoo.com


    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://ca.rd.yahoo.com/customize/ie/defaul...earch.yahoo.com


    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://ca.rd.yahoo.com/customize/ie/defaul...earch.yahoo.com


    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://ca.yahoo.com


    R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://ca.rd.yahoo.com/customize/ie/defaul...earch.yahoo.com


    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =


    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =


    R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://g.msn.com/8SEENUS020100/FRWCompleteAddIns


    R3 - URLSearchHook: (no name) - {BE89472C-B803-4D1D-9A9A-0A63660E0FE3} - C:\PROGRA~1\COPERN~2\COPERN~1.DLL


    R3 - URLSearchHook: (no name) - {1CFFA392-0898-4b1c-89D1-6E98F9D8EF78} - (no file)


    R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn2\yt.dll


    O2 - BHO: Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn2\yt.dll


    O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll


    O2 - BHO: DgnWebIE - {2843DAC1-05EF-11D2-95BA-0060083493D6} - C:\Program Files\Dragon Systems\NaturallySpeaking\Program\web_ie.dll


    O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_04\bin\ssv.dll


    O2 - BHO: AOL Toolbar Launcher - {7C554162-8CB7-45A4-B8F4-8EA1C75885F9} - C:\Program Files\AOL\AOL Toolbar 4.0\aoltb.dll


    O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll


    O2 - BHO: MSN Search Toolbar Helper - {BDBD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\MSN Toolbar Suite\TB2.05.0001.1119\en-us\msntb.dll


    O3 - Toolbar: Copernic Desktop Search - {C5F7A735-70F1-477F-8C36-6FF3C736017B} - C:\Program Files\Copernic Desktop Search\CopernicDesktopSearchIntegration740.dll


    O3 - Toolbar: MSN Search Toolbar - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\MSN Toolbar Suite\TB2.05.0001.1119\en-us\msntb.dll


    O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn2\yt.dll


    O3 - Toolbar: AOL Toolbar - {DE9C389F-3316-41A7-809B-AA305ED9D922} - C:\Program Files\AOL\AOL Toolbar 4.0\aoltb.dll


    O4 - HKCU\..\Run: [ctfmon.exe] C:\Windows\system32\ctfmon.exe


    O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background


    O4 - HKCU\..\Run: [Yahoo! Pager] "C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe" -quiet


    O4 - HKLM\..\Policies\Explorer\Run: [updateManager] C:\Program Files\Common Files\Microsoft Shared\TextConv\wmupdate.exe


    O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'LOCAL SERVICE')


    O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'NETWORK SERVICE')


    O4 - Global Startup: MSN Messenger 7.5.lnk = C:\Program Files\MSN Messenger\msnmsgr.exe


    O4 - Global Startup: RAMASST.lnk = C:\WINDOWS\system32\RAMASST.exe


    O4 - Global Startup: WeatherEye.lnk = ?


    O4 - Global Startup: Windows Desktop Search.lnk = C:\Program Files\MSN Toolbar Suite\DS2.05.0001.1119\en-us\bin\WindowsSearch.exe


    O4 - Global Startup: Yahoo! Messenger with Voice (2).lnk = C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe


    O8 - Extra context menu item: &AOL Toolbar Search - c:\program files\aol\aol toolbar 4.0\resources\en-US\local\search.html


    O8 - Extra context menu item: &MSN Search - res://C:\Program Files\MSN Toolbar Suite\TB2.05.0001.1119\en-us\msntb.dll/search.htm


    O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MI1933~1\OFFICE11\EXCEL.EXE/3000


    O8 - Extra context menu item: Search Using Copernic Agent - res://C:\Program Files\Copernic Agent\CopernicAgentExt.dll/INTEGRATION_MENU_SEARCHEXT


    O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_04\bin\ssv.dll


    O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_04\bin\ssv.dll


    O9 - Extra button: (no name) - {193B17B0-7C9F-4D5B-AEAB-8D3605EFC084} - C:\PROGRA~1\COPERN~2\COPERN~1.EXE


    O9 - Extra 'Tools' menuitem: Launch Copernic Agent - {193B17B0-7C9F-4D5B-AEAB-8D3605EFC084} - C:\PROGRA~1\COPERN~2\COPERN~1.EXE


    O9 - Extra button: Encarta Encyclopedia - {2FDEF853-0759-11D4-A92E-006097DBED37} - C:\Program Files\Common Files\Microsoft Shared\Reference 2001\A\ERS_ENC.HTM


    O9 - Extra 'Tools' menuitem: Encarta Encyclopedia - {2FDEF853-0759-11D4-A92E-006097DBED37} - C:\Program Files\Common Files\Microsoft Shared\Reference 2001\A\ERS_ENC.HTM


    O9 - Extra button: AOL Toolbar - {3369AF0D-62E9-4bda-8103-B4C75499B578} - C:\Program Files\AOL\AOL Toolbar 4.0\aoltb.dll


    O9 - Extra button: Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\PROGRA~1\Yahoo!\Common\yhexbmesca.dll


    O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\PROGRA~1\Yahoo!\Common\yhexbmesca.dll


    O9 - Extra button: Define - {5DA9DE80-097A-11D4-A92E-006097DBED37} - C:\Program Files\Common Files\Microsoft Shared\Reference 2001\A\ERS_DEF.HTM


    O9 - Extra 'Tools' menuitem: Define - {5DA9DE80-097A-11D4-A92E-006097DBED37} - C:\Program Files\Common Files\Microsoft Shared\Reference 2001\A\ERS_DEF.HTM


    O9 - Extra button: Copernic Agent - {688DC797-DC11-46A7-9F1B-445F4F58CE6E} - C:\PROGRA~1\COPERN~2\COPERN~1.EXE


    O9 - Extra button: Bonjour - {7F9DB11C-E358-4ca6-A83D-ACC663939424} - C:\Program Files\Bonjour\ExplorerPlugin.dll


    O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MI1933~1\OFFICE11\REFIEBAR.DLL


    O9 - Extra button: Researcher - {9455301C-CF6B-11D3-A266-00C04F689C50} - C:\Program Files\Common Files\Microsoft Shared\Reference 2001\EROProj.dll


    O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll


    O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\Windows\Network Diagnostic\xpnetdiag.exe


    O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\Windows\Network Diagnostic\xpnetdiag.exe


    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe


    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe


    O9 - Extra button: Support - {6A029EAC-2A52-475F-B8FE-AF3186EA3D03} - C:\Program Files\Internet Explorer\SIGNUP\Presario.htm (HKCU)


    O14 - IERESET.INF: START_PAGE_URL=http://store.presario.net/scripts/redirectors/presario/storeredir2.dll?s=consumerfav&c=3c01&lc=1009


    O16 - DPF: {11260943-421B-11D0-8EAC-0000C07D88CF} (iPIX ActiveX Control) - http://www.ipix.com/viewers/ipixx.cab


    O16 - DPF: {30528230-99F7-4BB4-88D8-FA1D4F56A2AB} (YInstStarter Class) - C:\Program Files\Yahoo!\Common\yinsthelper.dll


    O16 - DPF: {49232000-16E4-426C-A231-62846947304B} - http://ipgweb.cce.hp.com/rdqcpc/downloads/sysinfo.cab


    O16 - DPF: {78AEEDE8-7345-4FB5-A8FE-4BFF16EF25FC} (McAfee Virtual Technician Control Class) - http://mvt.mcafee.com/mvt/bin/2,4,1,0/mvt.cab


    O16 - DPF: {88D969C0-F192-11D4-A65F-0040963251E5} (XML DOM Document 4.0) - http://ipgweb.cce.hp.com/rdqcpc/downloads/msxml4.cab


    O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (ZoneIntro Class) - http://cdn2.zone.msn.com/binFramework/v10/...ro.cab34246.cab


    O16 - DPF: {BE833F39-1E0C-468C-BA70-25AAEE55775E} (System Requirements Lab) - http://www.systemrequirementslab.com/sysreqlab.cab


    O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/flas...ent/swflash.cab


    O16 - DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} (PopCapLoader Object) - http://aolsvc.aol.com/onlinegames/chuzzled...aploader_v7.cab


    O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft AB - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe


    O23 - Service: Bonjour Service - Apple Computer, Inc. - C:\Program Files\Bonjour\mDNSResponder.exe


    O23 - Service: DVD-RAM_Service - Matsushita Electric Industrial Co., Ltd. - C:\WINDOWS\System32\DVDRAMSV.exe


    O23 - Service: lxbs_device - Lexmark International, Inc. - C:\WINDOWS\system32\lxbscoms.exe


    O23 - Service: McAfee Framework Service (McAfeeFramework) - Network Associates, Inc. - C:\Program Files\Network Associates\Common Framework\FrameworkService.exe


    O23 - Service: Network Associates McShield (McShield) - Network Associates, Inc. - C:\Program Files\Network Associates\VirusScan\mcshield.exe


    O23 - Service: Network Associates Task Manager (McTaskManager) - Network Associates, Inc. - C:\Program Files\Network Associates\VirusScan\vstskmgr.exe


    O23 - Service: Norton Unerase Protection (NProtectService) - Symantec Corporation - C:\Program Files\Norton SystemWorks\Norton Utilities\NPROTECT.EXE


    O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\Windows\system32\nvsvc32.exe


    O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe


    O23 - Service: SoundMAX Agent Service (SoundMAX Agent Service (default)) - Analog Devices, Inc. - C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe


    O23 - Service: Speed Disk service - Symantec Corporation - C:\PROGRA~1\NORTON~3\SPEEDD~1\nopdb.exe


    O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe


    O23 - Service: Viewpoint Manager Service - Viewpoint Corporation - C:\Program Files\Viewpoint\Common\ViewpointService.exe


    O23 - Service: Window Washer Engine (wwEngineSvc) - Webroot Software, Inc. - C:\Program Files\Webroot\Washer\WasherSvc.exe


    --


    End of file - 11865 bytes


    Here is the ComboFix log:


    ComboFix 08-02.05.3 - Kathy's Funtime 2008-02-08 9:43:51.1 - NTFSx86


    Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.617 [GMT -5:00]


    Running from: C:\Documents and Settings\Kathy's Funtime\Desktop\ComboFix.exe


    * Created a new restore point


    WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!


    .


    ((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))


    .


    C:\Windows\system32\ssqro.dll


    C:\Documents and Settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr0.dat


    C:\Documents and Settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr1.dat


    C:\Documents and Settings\Kathy's Funtime\Application Data\inst.exe


    C:\Windows\cookies.ini


    C:\Windows\system32\curtruye.dll


    C:\Windows\system32\dbejlgyr.dll


    C:\Windows\system32\gwwkpntj.dll


    C:\Windows\system32\ichukbdn.dll


    C:\Windows\system32\ommkhqkn.ini


    C:\WINDOWS\system32\orqss.ini


    C:\WINDOWS\system32\orqss.ini2


    C:\Windows\system32\pdrehpoo.dll


    C:\Windows\system32\saxgimah.ini


    C:\Windows\system32\sldhkasy.dll


    C:\Windows\system32\snhioqwa.dll


    C:\Windows\system32\sqywjkcv.ini


    C:\Windows\system32\ssqro.dll


    ----- BITS: Possible infected sites -----


    hxxp://msgr.dlservice.microsoft.com


    .


    ((((((((((((((((((((((((( Files Created from 2008-01-08 to 2008-02-08 )))))))))))))))))))))))))))))))


    .


    2008-02-07 11:06 . 2008-02-07 11:06 1,205,646 --ahs---- C:\WINDOWS\system32\tgnotefx.tmp


    2008-02-07 11:01 . 2008-02-07 11:01 <DIR> d-------- C:\Program Files\Common Files\Python


    2008-02-07 11:01 . 2001-10-19 12:18 708,696 --a------ C:\WINDOWS\system32\python21.dll


    2008-02-07 11:01 . 2001-10-19 12:18 290,919 --a------ C:\WINDOWS\system32\pythoncom21.dll


    2008-02-07 11:01 . 2001-10-19 12:19 57,344 --a------ C:\WINDOWS\system32\PyWinTypes21.dll


    2008-02-07 10:54 . 1999-06-15 11:31 96,768 --a------ C:\WINDOWS\SlantAdj.dll


    2008-02-07 10:54 . 1999-12-07 02:03 73,216 --a------ C:\WINDOWS\ADE.DLL


    2008-02-07 10:54 . 1999-04-27 00:17 3,136 --a------ C:\WINDOWS\Ade001.bin


    2008-02-07 10:54 . 1999-08-09 23:50 72 --a------ C:\WINDOWS\system32\epDPE.ini


    2008-02-07 10:52 . 2002-02-02 00:00 86,016 --a------ C:\WINDOWS\system32\Epfb5cpl.dll


    2008-02-06 21:25 . 2008-02-06 21:25 <DIR> d-------- C:\Program Files\Sun


    2008-02-06 21:25 . 2007-12-14 01:59 69,632 --a------ C:\WINDOWS\system32\javacpl.cpl


    2008-02-06 21:18 . 2008-02-06 21:25 <DIR> d-------- C:\Program Files\Java


    2008-02-06 21:18 . 2008-02-06 21:18 <DIR> d-------- C:\Program Files\Common Files\Java


    2008-02-06 19:41 . 2008-02-06 19:48 <DIR> d-------- C:\New Folder


    2008-02-06 15:19 . 2008-02-06 15:19 <DIR> d-------- C:\Program Files\Softwin


    2008-02-03 11:54 . 2008-02-04 11:42 <DIR> d-------- C:\Program Files\DVDFab Platinum


    2008-02-02 20:11 . 2008-02-02 20:11 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\vsosdk


    2008-02-02 18:42 . 2008-02-04 11:43 <DIR> d-------- C:\Program Files\DVDFab Platinum 4


    2008-02-02 18:42 . 2008-02-05 09:21 <DIR> d-------- C:\Documents and Settings\Kathy's Funtime\Application Data\Vso


    2008-02-02 18:42 . 2008-02-02 18:42 47,360 --a------ C:\Documents and Settings\Kathy's Funtime\Application Data\pcouffin.sys


    2008-02-01 21:23 . 2008-02-01 21:23 <DIR> d-------- C:\Documents and Settings\Kathy's Funtime\Application Data\dvdcss


    2008-01-22 10:40 . 2008-01-22 11:27 <DIR> d-------- C:\Program Files\Common Files\Wise Installation Wizard


    2008-01-21 11:21 . 2008-01-22 11:27 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Lavasoft


    2008-01-21 10:55 . 2008-01-21 10:55 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Webroot


    2008-01-10 11:58 . 2004-03-07 22:55 13,567 --a------ C:\WINDOWS\system32\drivers\cdrbsdrv.sys


    .


    (((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))


    .


    2008-02-07 16:05 --------- d-----w C:\Documents and Settings\Kathy's Funtime\Application Data\EPSON


    2008-02-07 16:01 --------- d--h--w C:\Program Files\InstallShield Installation Information


    2008-02-07 15:59 --------- d-----w C:\Program Files\EPSON


    2008-02-06 23:09 --------- d-----w C:\Documents and Settings\Kathy's Funtime\Application Data\U3


    2008-02-06 15:42 --------- d-----w C:\Program Files\PcBugDoctor


    2008-02-02 23:42 47,360 ----a-w C:\Windows\system32\drivers\pcouffin.sys


    2008-02-02 00:56 --------- d-----w C:\Documents and Settings\All Users\Application Data\DVD Shrink


    2008-01-23 16:06 --------- d-----w C:\Program Files\Mystery Case Files - Madame Fate


    2008-01-22 15:40 --------- d-----w C:\Program Files\Lavasoft


    2008-01-21 15:55 --------- d-----w C:\Program Files\Common Files\Webroot Shared


    2008-01-10 16:58 --------- d-----w C:\Program Files\B's Recorder GOLD5


    2007-11-26 19:47 194,888 ----a-w C:\Windows\Unwash6.exe


    2007-04-24 22:43 18 ----a-w C:\Program Files\XP Repair Pro 2007ERR_Item0-4-24-2007_18-38-14_8615630.dnp


    2007-04-24 22:43 18 ----a-w C:\Program Files\XP Repair Pro 2007ERR_Item0-4-24-2007_18-38-14_7377494.dnp


    2007-04-24 22:42 18 ----a-w C:\Program Files\XP Repair Pro 2007ERR_Item0-4-24-2007_18-38-14_6923050.dnp


    2007-04-24 22:40 18 ----a-w C:\Program Files\XP Repair Pro 2007ERR_Item0-4-24-2007_18-38-14_3663068.dnp


    2007-04-20 14:09 18 ----a-w C:\Program Files\XP Repair Pro 2007ERR_Item0-4-20-2007_10-3-14_9251028.dnp


    2007-04-20 14:09 18 ----a-w C:\Program Files\XP Repair Pro 2007ERR_Item0-4-20-2007_10-3-14_5939818.dnp


    2007-04-20 14:08 18 ----a-w C:\Program Files\XP Repair Pro 2007ERR_Item0-4-20-2007_10-3-14_7974634.dnp


    2007-04-20 14:05 18 ----a-w C:\Program Files\XP Repair Pro 2007ERR_Item0-4-20-2007_10-3-14_408619.dnp


    2002-04-02 00:28 1 -c--a-w C:\Documents and Settings\Kathy Garner\scrcfg.dat


    .


    ((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))


    .


    .


    *Note* empty entries & legit default entries are not shown


    REGEDIT4


    [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]


    "ctfmon.exe"="C:\Windows\system32\ctfmon.exe" [2004-08-04 02:56 15360]


    "msnmsgr"="C:\Program Files\MSN Messenger\msnmsgr.exe" [2007-01-19 11:54 5674352]


    "Yahoo! Pager"="C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe" [2006-11-30 21:49 4662776]


    C:\Documents and Settings\Kathy Garner\Start Menu\Programs\Startup\


    PowerReg Scheduler V3.exe [2004-03-18 08:13:14 225280]


    PowerReg SchedulerV2.exe [2002-07-22 16:53:20 225280]


    C:\Documents and Settings\All Users\Start Menu\Programs\Startup\


    MSN Messenger 7.5.lnk - C:\Program Files\MSN Messenger\msnmsgr.exe [2007-01-19 11:54:56 5674352]


    RAMASST.lnk - C:\WINDOWS\system32\RAMASST.exe [2004-01-30 20:02:15 155648]


    WeatherEye.lnk - C:\Program Files\TheWeatherNetwork\WeatherEye\WeatherEye.exe [2005-07-08 16:20:45 4484816]


    Windows Desktop Search.lnk - C:\Program Files\MSN Toolbar Suite\DS\02.05.0001.1119\en-us\bin\WindowsSearch.exe [2005-09-20 18:10:04 238080]


    Yahoo! Messenger with Voice (2).lnk - C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe [2006-07-15 12:32:25 4662776]


    [HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\system]


    "Ghp`amfUbrhLds"= 0 (0x0)


    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer\run]


    "UpdateManager"= C:\Program Files\Common Files\Microsoft Shared\TextConv\wmupdate.exe


    [HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]


    "Mn@iboddPubswLfov"= 0 (0x0)


    "Mn@mlrf"= 0 (0x0)


    "MnOndNeg"= 0 (0x0)


    "MnQtm"= 0 (0x0)


    [HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run-]


    "XPRepairPro2007"=C:\Program Files\XP Repair Pro 2007\XPRepairPro.exe /r


    R0 BsStor;B.H.A Storage Helper Driver;C:\Windows\system32\drivers\BsStor.sys [2002-06-06 01:07]


    R2 Viewpoint Manager Service;Viewpoint Manager Service;"C:\Program Files\Viewpoint\Common\ViewpointService.exe" [2007-01-04 16:38]


    R2 wwEngineSvc;Window Washer Engine;C:\Program Files\Webroot\Washer\WasherSvc.exe [2007-11-26 14:47]


    R3 LCcfltr;Logitech USB Filter Driver;C:\Windows\system32\Drivers\LCcFltr.Sys [2004-03-03 08:50]


    S1 EACMOS;EACMOS;C:\Windows\system32\drivers\EACMOS.SYS []


    S3 Gcr432;Gcr432;C:\Windows\system32\Drivers\gcr432.sys [2001-05-10 15:54]


    S3 NPDriver;Norton Unerase Protection Driver;C:\WINDOWS\System32\Drivers\NPDRIVER.SYS [2002-02-05 06:03]


    [HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{ec2f6254-2a48-11dc-8468-0002a5d77ac5}]


    \Shell\AutoRun\command - I:\LaunchU3.exe


    .


    Contents of the 'Scheduled Tasks' folder


    "2005-04-15 14:23:01 C:\Windows\Tasks\1 Copernic Intra-Daily ~NEWTMACHINE Kathy Garner.job"


    - C:\Program Files\Copernic Agent\CopernicAgent.exe


    "2007-11-08 15:59:31 C:\Windows\Tasks\1 Copernic Intra-Daily ~NEWTMACHINE Kathy's Funtime.job"


    - C:\Program Files\Copernic Agent\CopernicAgent.exe


    "2005-04-15 14:23:01 C:\Windows\Tasks\2 Copernic Daily ~NEWTMACHINE Kathy Garner.job"


    - C:\Program Files\Copernic Agent\CopernicAgent.exe


    "2007-11-08 15:59:31 C:\Windows\Tasks\2 Copernic Daily ~NEWTMACHINE Kathy's Funtime.job"


    - C:\Program Files\Copernic Agent\CopernicAgent.exe


    "2005-04-15 14:23:01 C:\Windows\Tasks\3 Copernic Weekly ~NEWTMACHINE Kathy Garner.job"


    - C:\Program Files\Copernic Agent\CopernicAgent.exe


    "2007-11-08 15:59:31 C:\Windows\Tasks\3 Copernic Weekly ~NEWTMACHINE Kathy's Funtime.job"


    - C:\Program Files\Copernic Agent\CopernicAgent.exe


    "2005-04-15 14:23:01 C:\Windows\Tasks\4 Copernic Monthly ~NEWTMACHINE Kathy Garner.job"


    - C:\Program Files\Copernic Agent\CopernicAgent.exe


    "2007-11-08 15:59:31 C:\Windows\Tasks\4 Copernic Monthly ~NEWTMACHINE Kathy's Funtime.job"


    - C:\Program Files\Copernic Agent\CopernicAgent.exe


    "2008-02-08 14:55:04 C:\Windows\Tasks\LiveUpdate - Norton AntiVirus.job"


    - C:\PROGRA~1\Symantec\LIVEUP~1\LUALL.EXE


    "2008-02-08 14:30:00 C:\Windows\Tasks\Norton SystemWorks One Button Checkup.job"


    - C:\Program Files\Common Files\Symantec Shared\NMain.exeK /dat:C:\Program Files\Norton SystemWorks\swplugin.nsi /NSWCMD:OBCSchedule


    "2008-02-08 15:00:24 C:\Windows\Tasks\PcbugDoctorKathy's Funtime.job"


    - C:\Program Files\PcBugDoctor\PcBugDoctor.exe


    "2005-10-16 22:23:56 C:\Windows\Tasks\Symantec NetDetect.job"


    - C:\Program Files\Symantec\LiveUpdate\NDETECT.EXE


    .


    **************************************************************************


    catchme 0.3.1344 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net


    Rootkit scan 2008-02-08 09:55:29


    Windows 5.1.2600 Service Pack 2 NTFS


    scanning hidden processes ...


    scanning hidden autostart entries ...


    scanning hidden files ...


    scan completed successfully


    hidden files: 0


    **************************************************************************


    .


    ------------------------ Other Running Processes ------------------------


    .


    C:\Windows\System32\SCardSvr.exe


    C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe


    C:\Program Files\Bonjour\mDNSResponder.exe


    C:\WINDOWS\System32\DVDRAMSV.exe


    C:\Program Files\Network Associates\Common Framework\FrameworkService.exe


    C:\Program Files\Network Associates\VirusScan\mcshield.exe


    C:\Program Files\Network Associates\VirusScan\vstskmgr.exe


    C:\PROGRA~1\NETWOR~1\COMMON~1\naPrdMgr.exe


    C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe


    C:\PROGRA~1\NORTON~3\SPEEDD~1\nopdb.exe


    C:\Windows\system32\wscntfy.exe


    .


    **************************************************************************


    .


    Completion time: 2008-02-08 10:03:54 - machine was rebooted


    ComboFix-quarantined-files.txt 2008-02-08 15:03:48


    I will await further instructions.
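The two parts of the ComboFix log above that matter most to a responder are the "Other Deletions" list and the "Reg Loading Points" block. As an added example (not code from the original post, and not part of ComboFix or HijackThis), the Python script below pulls the indicators out of a few lines copied from that log: it finds the DLL/INI pair whose names are each other reversed (ssqro.dll / orqss.ini), flags the eight-letter lowercase file stems in system32 (curtruye, dbejlgyr, ommkhqkn), lists what sits under Policies\Explorer\Run (the wmupdate.exe entry that also appears as an O4 line in the HijackThis log), and decodes the scrambled value names under the policies keys. The decoding key is an alternating XOR of 0x03 and 0x01, recovered here by lining the logged strings up against well-known restriction-policy names: "Ghp`amfUbrhLds" becomes DisableTaskMgr, "Mn@iboddPubswLfov" NoChangeStartMenu, "Mn@mlrf" NoClose, "MnOndNeg" NoLogOff and "MnQtm" NoRun. The page does not say whether the malware or the log tool applied that transform, so treat the decode as an observation about these strings rather than a statement about Vundo. The sample lines, the policy list and the eight-letter heuristic are assumptions constructed for this example.

```python
import re

# Constructed sample: a handful of lines copied from the "Other Deletions" and
# "Reg Loading Points" sections of the ComboFix log posted above, plus one
# benign file (python21.dll) as a control. This is not the full log.
SAMPLE_LOG = r"""
C:\Windows\system32\ssqro.dll
C:\Windows\system32\curtruye.dll
C:\Windows\system32\dbejlgyr.dll
C:\Windows\system32\ommkhqkn.ini
C:\WINDOWS\system32\orqss.ini
C:\WINDOWS\system32\orqss.ini2
C:\WINDOWS\system32\python21.dll
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\system]
"Ghp`amfUbrhLds"= 0 (0x0)
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer\run]
"UpdateManager"= C:\Program Files\Common Files\Microsoft Shared\TextConv\wmupdate.exe
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"Mn@iboddPubswLfov"= 0 (0x0)
"Mn@mlrf"= 0 (0x0)
"MnOndNeg"= 0 (0x0)
"MnQtm"= 0 (0x0)
"""

# Explorer/System restriction policies that malware commonly sets to lock the
# user out of Task Manager, the Run box, logoff and so on (assumed list for
# this example; extend as needed).
KNOWN_POLICIES = {
    "DisableTaskMgr", "DisableRegistryTools", "NoChangeStartMenu", "NoClose",
    "NoLogOff", "NoRun", "NoControlPanel", "NoFolderOptions", "NoDesktop",
}

FILE_RE = re.compile(r"system32\\([a-z0-9_-]+)\.(dll|ini|ini2)$", re.IGNORECASE)
KEY_RE = re.compile(r"^\[(HKEY_[^\]]+)\]$")
VALUE_RE = re.compile(r'^"([^"]+)"\s*=\s*(.*)$')
RANDOM_STEM_RE = re.compile(r"[a-z]{8}")  # eight lowercase letters, no digits (heuristic)


def decode_policy_name(name: str) -> str:
    """Undo the alternating XOR (0x03 on even positions, 0x01 on odd) that hides
    the policy value names in the posted log. The key was recovered by lining the
    logged strings up against well-known policy names; XOR is its own inverse."""
    return "".join(chr(ord(c) ^ (0x03 if i % 2 == 0 else 0x01)) for i, c in enumerate(name))


def triage(log_text: str) -> dict:
    """Pull the indicators a responder would want out of ComboFix-style log text."""
    report = {"decoded_policies": [], "policy_run": [], "reversed_pairs": [], "random_names": []}
    stems = set()
    current_key = ""
    for raw in log_text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = FILE_RE.search(line)
        if m:
            stem = m.group(1).lower()
            stems.add(stem)
            if RANDOM_STEM_RE.fullmatch(stem):
                report["random_names"].append(line)
            continue
        m = KEY_RE.match(line)
        if m:
            current_key = m.group(1).lower()
            continue
        m = VALUE_RE.match(line)
        if m and "\\policies\\" in current_key:
            name, data = m.group(1), m.group(2).strip()
            if current_key.endswith("\\policies\\explorer\\run"):
                # Policies\Explorer\Run is an autostart location most users never look at.
                report["policy_run"].append((name, data))
                continue
            decoded = name if name in KNOWN_POLICIES else decode_policy_name(name)
            if decoded in KNOWN_POLICIES:
                report["decoded_policies"].append((name, decoded, data))
    # Vundo-style pairing: a DLL plus an INI whose name is the DLL name reversed.
    for s in sorted(stems):
        r = s[::-1]
        if r != s and r in stems and s < r:
            report["reversed_pairs"].append((s, r))
    return report


if __name__ == "__main__":
    for section, items in triage(SAMPLE_LOG).items():
        print(section)
        for item in items:
            print("   ", item)
```

Run it as a script to print the report. The reversed-name pair is the strongest of these signals, the eight-letter rule is only a prompt to look closer, and a data value of 0 (0x0) for a restriction means that restriction is currently off.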

  • farbar
    edited February 2008

    Good work. Everything looks nice and your computer is clean.


    Thanks for attaching the files right at the beginning.


    I see you have already installed Java.


    You asked me about sqmnoopt01.sqm files; you might know by now that they seem to be log files associated with Windows Live Messenger. You can remove them.


    We are living on two different continents with a seven-hour time difference, yet we managed to work it out smoothly.


    You gave me some compliments; it felt good to hear that, I must admit, in spite of knowing that it is exaggerated.


    Please do the following last steps.


    1. Uninstall ComboFix. To do that, go to Start - Run..., type: Combofix /u and click OK. It also removes the (infected) ComboFix backups.


    2. Reset your privacy to default.


    3. Run ATFcleaner.


    4. Reboot and check if your computer is running fine. Then empty your System Volume Information to get rid of re-creation of the infection by Windows recovery. To do that: go to Start - Control Panel - System - System Restore and check "Turn off System Restore on all drives". Click Apply. By doing this you lose all your (often infected) restore points. Reboot and uncheck "Turn off System Restore on all drives" to create a clean restore point.


    Let me know if you need further assistance.

  • garng2k
    edited February 2008
    I am so happy to hear that the Vundo is (or are??) finally gone!!!! I tried to uninstall the Combofix, following your instructions. Windows said it couldn't find anything by that name. I went searching manually, and found the txt file, as well as the quarantined files. I deleted them using Shift + Delete, like you showed me. I am now doing a Search, and will delete all files that the computer finds using Shift + Delete. Is there something else I should be doing instead?? I tried the Run method three times and I got a Windows error stating that it could not find Combofix and to retype and try again. It suggested the Search, so that is what I did. If this does not work, do you know where the files hide, so that I can be sure to manually delete all of them before moving on to the Restore point? I don't want any infected files left behind after all this!!! And you deserve all the compliments I gave, and many more. I am extremely grateful for all your time and patience with me.

  • Could you tell me what you typed?


    Don't worry, it can be done manually also (since you are good at it; I know by now how fast you go to manual removal), but I am curious to know what you typed. Did you type combofix/u or combofix /u ?


    Anyway, use the search box to locate Qoobox and remove it. That is it; all the removed files are there. They would not go to restore points or anywhere, and they could not pose any threat any more.


    And you are most welcome.

  • I typed combofix /u all 3 times, as I did see the space between the x and the /, but got the same message each time. I will go do a search for the Qoobox, and delete the found files. And then I will continue with the remaining instructions. Many, many thanks.

  • I performed the remaining instructions after removing Qoobox. The computer seems to be working just fine again, but I could never have done it without you. I know where to go immediately if I ever have any more problems with malware. Thank you again, and take care for now.

  • I am glad everything is working fine, and come back any time if you need assistance with removing malware. I again advise you to install a firewall (BTW: Sygate Personal Firewall or ZoneLabs Zone Alarm have good free versions).


    You are welcome and you take care too.

  • I just wanted to let you know that I installed the Sygate Personal Firewall on the computer. And I am going to install it on my laptop too, just in case!!! Thanks so much for the recommendations on which ones to choose from. In these times of bad people wanting to do awful things to our computers over the internet, it is so heartwarming to know that there are good, knowledgeable, friendly, helpful people like yourself out there, more than willing to help out those of us who are not so capable. Thank you so much, and I will be in touch if I need more help. You've been just great!