Infected by vundo.gen.k (trojan) and pop ups abound

ericgarcb · 11-02-2008, 12:27 PM

Hello, my computer has been infected by trojans such as vundo.gen.k and various pop-ups abound. I have run, several times, malware programs such as ad-ware (lavasoft) and spy-bot to no avail. I also have Mcaffe virus-scan, which seems now not to be running correctly. I have attached and pasted the logs and info requested by your forum. I greatly appreciate any help that I might receive.

Logfile of HijackThis v1.99.1
Scan saved at 2:52:13 PM, on 11/2/2008
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16735)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\WINDOWS\ehome\ehtray.exe
C:\windows\system\hpsysdrv.exe
C:\Program Files\USB Storage RW\shwicon.exe
C:\Program Files\Cisco Systems\VPN Client\cvpnd.exe
C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\Unload\hpqcmon.exe
C:\HP\KBD\KBD.EXE
C:\WINDOWS\ehome\ehSched.exe
C:\Program Files\Network Associates\Common Framework\FrameworkService.exe
C:\Program Files\Common Files\Nokia\Services\ServiceLayer.exe
C:\Program Files\Common Files\Nokia\NCLTools\NclTray.exe
C:\Program Files\Hewlett-Packard\HP Software Update\HPWuSchd2.exe
C:\Program Files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe
C:\Program Files\HP DVD\Umbrella\DVDTray.exe
C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe
C:\Program Files\Network Associates\VirusScan\VsTskMgr.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Network Associates\Common Framework\UpdaterUI.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\Program Files\Common Files\Network Associates\TalkBack\TBMon.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\WINDOWS\system32\brastk.exe
C:\Program Files\Messenger\msmsgs.exe
c:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnf.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\ehome\ehmsas.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpqgalry.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\system32\NOTEPAD.EXE
C:\WINDOWS\system32\NOTEPAD.EXE
C:\WINDOWS\explorer.exe
C:\Program Files\HijackThis\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
O3 - Toolbar: hp toolkit - {B2847E28-5D7D-4DEB-8B67-05D28BCF79F5} - C:\HP\EXPLOREBAR\HPTOOLKT.DLL
O4 - HKLM\..\Run: [ehTray] C:\WINDOWS\ehome\ehtray.exe
O4 - HKLM\..\Run: [hpsysdrv] c:\windows\system\hpsysdrv.exe
O4 - HKLM\..\Run: [KYE_Showicon] "C:\Program Files\USB Storage RW\shwicon.exe" -t"KYE\USB Storage RW"
O4 - HKLM\..\Run: [Share-to-Web Namespace Daemon] c:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe
O4 - HKLM\..\Run: [CamMonitor] c:\Program Files\Hewlett-Packard\Digital Imaging\Unload\hpqcmon.exe
O4 - HKLM\..\Run: [KBD] C:\HP\KBD\KBD.EXE
O4 - HKLM\..\Run: [StorageGuard] "C:\Program Files\VERITAS Software\Update Manager\sgtray.exe" /r
O4 - HKLM\..\Run: [AutoTBar] C:\hp\bin\autotbar.exe
O4 - HKLM\..\Run: [WCOLOREAL] "C:\Program Files\Coloreal\coloreal.exe"
O4 - HKLM\..\Run: [Recguard] C:\WINDOWS\SMINST\RECGUARD.EXE
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /installquiet /keeploaded /nodetect
O4 - HKLM\..\Run: [PS2] C:\WINDOWS\system32\ps2.exe
O4 - HKLM\..\Run: [ServiceLayer] C:\Program Files\Common Files\Nokia\Services\ServiceLayer.exe
O4 - HKLM\..\Run: [Nokia Tray Application] C:\Program Files\Common Files\Nokia\NCLTools\NclTray.exe
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\Hewlett-Packard\HP Software Update\HPWuSchd2.exe
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [Adobe Photo Downloader] "C:\Program Files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe"
O4 - HKLM\..\Run: [DVDTray] "C:\Program Files\HP DVD\Umbrella\DVDTray.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [ABBYY Community Agent] C:\Program Files\ABBYY FineReader 5.0 Sprint\CAgent.exe
O4 - HKLM\..\Run: [ShStatEXE] "C:\Program Files\Network Associates\VirusScan\SHSTAT.EXE" /STANDALONE
O4 - HKLM\..\Run: [McAfeeUpdaterUI] "C:\Program Files\Network Associates\Common Framework\UpdaterUI.exe" /StartedFromRunKey
O4 - HKLM\..\Run: [Network Associates Error Reporting Service] "C:\Program Files\Common Files\Network Associates\TalkBack\TBMon.exe"
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [ZoneAlarm Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKLM\..\Run: [brastk] C:\WINDOWS\system32\brastk.exe
O4 - HKLM\..\Run: [keocrolkmdtikea] C:\WINDOWS\System32\regsvr32.exe /s "C:\WINDOWS\system32\tljcdpkpffbgtpt.dll"
O4 - HKLM\..\Run: [Antivirus Pro 2009] "C:\Program Files\AntivirusPro2009\AntivirusPro2009.exe" /hide
O4 - HKLM\..\Run: [b844aba0] rundll32.exe "C:\WINDOWS\system32\yowubage.dll",b
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [NVIEW] rundll32.exe nview.dll,nViewLoadHook
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [MSFox] C:\DOCUME~1\EDLAZE~1\LOCALS~1\Temp\xxx1757.exe
O4 - HKCU\..\Run: [brastk] C:\WINDOWS\system32\brastk.exe
O4 - HKCU\..\Run: [Facegame] "C:\Documents and Settings\Edlaze500\Application Data\Facegame\Facegame.exe" 61A847B5BBF72815308B2B27128065E9C084320161C4661227A755E9C2933154389A
O4 - Global Startup: hp center.lnk = C:\Program Files\hp center\137903\Program\BackWeb-137903.exe
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpqtra08.exe
O4 - Global Startup: HP Image Zone Fast Start.lnk = C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpqthb08.exe
O4 - Global Startup: Quicken Scheduled Updates.lnk = C:\Program Files\Quicken\bagent.exe
O4 - Global Startup: VPN Client.lnk = ?
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra button: (no name) - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
O9 - Extra 'Tools' menuitem: Uninstall BitDefender Online Scanner v8 - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~3\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O11 - Options group: [INTERNATIONAL] International*
O16 - DPF: bdsripcab - https://media.bdsrealtime.com/components/bdsripcab.cab
O16 - DPF: {200B3EE9-7242-4EFD-B1E4-D97EE825BA53} (VerifyGMN Class) - http://h20270.www2.hp.com/ediags/gmn...taller_gmn.cab
O16 - DPF: {2D8ED06D-3C30-438B-96AE-4D110FDC1FB8} (ActiveScan 2.0 Installer Class) - http://acs.pandasoftware.com/actives.../as2stubie.cab
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (Installation Support) - C:\Program Files\Yahoo!\Common\Yinsthelper.dll
O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} (BDSCANONLINE Control) - http://download.bitdefender.com/reso...an8/oscan8.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsof...?1174409189328
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} -
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/actives...ree/asinst.cab
O16 - DPF: {AB86CE53-AC9F-449F-9399-D8ABCA09EC09} (Get_ActiveX Control) - https://h17000.www1.hp.com/ewfrf-JAV...oadManager.ocx
O16 - DPF: {C4847596-972C-11D0-9567-00A0C9273C2A} (Crystal Report Viewer Control) - http://reports.kochb2b.com/viewer/ac...ivexviewer.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/ge...sh/swflash.cab
O16 - DPF: {FFBB3F3B-0A5A-4106-BE53-DFE1E2340CB1} (DownloadManager Control) - http://dlm.tools.akamai.com/dlmanage...ex-2.2.1.6.cab
O20 - AppInit_DLLs: zxfmwu.dll ljbbfj.dll
O21 - SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINDOWS\system32\WPDShServiceObj.dll
O23 - Service: Lavasoft Ad-Aware Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Cisco Systems, Inc. VPN Service (CVPND) - Cisco Systems, Inc. - C:\Program Files\Cisco Systems\VPN Client\cvpnd.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: McAfee Framework Service (McAfeeFramework) - Network Associates, Inc. - C:\Program Files\Network Associates\Common Framework\FrameworkService.exe
O23 - Service: Network Associates McShield (McShield) - Network Associates, Inc. - C:\Program Files\Network Associates\VirusScan\Mcshield.exe
O23 - Service: Network Associates Task Manager (McTaskManager) - Network Associates, Inc. - C:\Program Files\Network Associates\VirusScan\VsTskMgr.exe
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe

Logfile of random's system information tool 1.04 (written by random/random)
Run by Edlaze500 at 2008-11-02 13:56:50
Microsoft Windows XP Professional Service Pack 3
System drive C: has 10 GB (9%) free of 110 GB
Total RAM: 511 MB (29% free)

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 1:57:54 PM, on 11/2/2008
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16735)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\WINDOWS\ehome\ehtray.exe
C:\windows\system\hpsysdrv.exe
C:\Program Files\USB Storage RW\shwicon.exe
C:\Program Files\Cisco Systems\VPN Client\cvpnd.exe
C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\Unload\hpqcmon.exe
C:\HP\KBD\KBD.EXE
C:\WINDOWS\ehome\ehSched.exe
C:\Program Files\Network Associates\Common Framework\FrameworkService.exe
C:\Program Files\Common Files\Nokia\Services\ServiceLayer.exe
C:\Program Files\Common Files\Nokia\NCLTools\NclTray.exe
C:\Program Files\Hewlett-Packard\HP Software Update\HPWuSchd2.exe
C:\Program Files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe
C:\Program Files\HP DVD\Umbrella\DVDTray.exe
C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe
C:\Program Files\Network Associates\VirusScan\VsTskMgr.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Network Associates\Common Framework\UpdaterUI.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\Program Files\Common Files\Network Associates\TalkBack\TBMon.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\WINDOWS\system32\brastk.exe
C:\Program Files\Messenger\msmsgs.exe
c:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnf.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\ehome\ehmsas.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpqgalry.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\system32\rundll32.exe
C:\Documents and Settings\Edlaze500\Desktop\RSIT.exe
C:\Program Files\trend micro\Edlaze500.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
O2 - BHO: (no name) - {02478D38-C3F9-4efb-9B51-7695ECA05670} - (no file)
O2 - BHO: (no name) - {11CB1BA7-E3C4-4E3E-9A9D-BCC8BEF704F7} - C:\WINDOWS\system32\jkkHYsQg.dll
O2 - BHO: (no name) - {299B5FAC-2168-4A5D-A67D-AA4C8F8055DA} - C:\WINDOWS\system32\jkkHBUMF.dll
O2 - BHO: {535b0dba-868d-f538-4244-750c8800ccca} - {accc0088-c057-4424-835f-d868abd0b535} - C:\WINDOWS\system32\ljbbfj.dll
O2 - BHO: offersfortoday browser enhancer - {BBEF9CDB-E1F7-8D3A-2682-9B6FBD0B9127} - C:\WINDOWS\system32\tljcdpkpffbgtpt.dll
O3 - Toolbar: hp toolkit - {B2847E28-5D7D-4DEB-8B67-05D28BCF79F5} - C:\HP\EXPLOREBAR\HPTOOLKT.DLL
O4 - HKLM\..\Run: [ehTray] C:\WINDOWS\ehome\ehtray.exe
O4 - HKLM\..\Run: [hpsysdrv] c:\windows\system\hpsysdrv.exe
O4 - HKLM\..\Run: [KYE_Showicon] "C:\Program Files\USB Storage RW\shwicon.exe" -t"KYE\USB Storage RW"
O4 - HKLM\..\Run: [Share-to-Web Namespace Daemon] c:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe
O4 - HKLM\..\Run: [CamMonitor] c:\Program Files\Hewlett-Packard\Digital Imaging\Unload\hpqcmon.exe
O4 - HKLM\..\Run: [KBD] C:\HP\KBD\KBD.EXE
O4 - HKLM\..\Run: [StorageGuard] "C:\Program Files\VERITAS Software\Update Manager\sgtray.exe" /r
O4 - HKLM\..\Run: [AutoTBar] C:\hp\bin\autotbar.exe
O4 - HKLM\..\Run: [WCOLOREAL] "C:\Program Files\Coloreal\coloreal.exe"
O4 - HKLM\..\Run: [Recguard] C:\WINDOWS\SMINST\RECGUARD.EXE
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /installquiet /keeploaded /nodetect
O4 - HKLM\..\Run: [PS2] C:\WINDOWS\system32\ps2.exe
O4 - HKLM\..\Run: [ServiceLayer] C:\Program Files\Common Files\Nokia\Services\ServiceLayer.exe
O4 - HKLM\..\Run: [Nokia Tray Application] C:\Program Files\Common Files\Nokia\NCLTools\NclTray.exe
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\Hewlett-Packard\HP Software Update\HPWuSchd2.exe
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [Adobe Photo Downloader] "C:\Program Files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe"
O4 - HKLM\..\Run: [DVDTray] "C:\Program Files\HP DVD\Umbrella\DVDTray.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [ABBYY Community Agent] C:\Program Files\ABBYY FineReader 5.0 Sprint\CAgent.exe
O4 - HKLM\..\Run: [ShStatEXE] "C:\Program Files\Network Associates\VirusScan\SHSTAT.EXE" /STANDALONE
O4 - HKLM\..\Run: [McAfeeUpdaterUI] "C:\Program Files\Network Associates\Common Framework\UpdaterUI.exe" /StartedFromRunKey
O4 - HKLM\..\Run: [Network Associates Error Reporting Service] "C:\Program Files\Common Files\Network Associates\TalkBack\TBMon.exe"
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [ZoneAlarm Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKLM\..\Run: [brastk] C:\WINDOWS\system32\brastk.exe
O4 - HKLM\..\Run: [keocrolkmdtikea] C:\WINDOWS\System32\regsvr32.exe /s "C:\WINDOWS\system32\tljcdpkpffbgtpt.dll"
O4 - HKLM\..\Run: [Antivirus Pro 2009] "C:\Program Files\AntivirusPro2009\AntivirusPro2009.exe" /hide
O4 - HKLM\..\Run: [b844aba0] rundll32.exe "C:\WINDOWS\system32\yowubage.dll",b
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [NVIEW] rundll32.exe nview.dll,nViewLoadHook
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [MSFox] C:\DOCUME~1\EDLAZE~1\LOCALS~1\Temp\xxx1757.exe
O4 - HKCU\..\Run: [brastk] C:\WINDOWS\system32\brastk.exe
O4 - HKCU\..\Run: [Facegame] "C:\Documents and Settings\Edlaze500\Application Data\Facegame\Facegame.exe" 61A847B5BBF72815308B2B27128065E9C084320161C4661227A755E9C2933154389A
O4 - Global Startup: hp center.lnk = C:\Program Files\hp center\137903\Program\BackWeb-137903.exe
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpqtra08.exe
O4 - Global Startup: HP Image Zone Fast Start.lnk = C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpqthb08.exe
O4 - Global Startup: Quicken Scheduled Updates.lnk = C:\Program Files\Quicken\bagent.exe
O4 - Global Startup: VPN Client.lnk = ?
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra button: (no name) - {85d1f590-48f4-11d9-9669-0800200c9a66} - C:\WINDOWS\bdoscandel.exe
O9 - Extra 'Tools' menuitem: Uninstall BitDefender Online Scanner v8 - {85d1f590-48f4-11d9-9669-0800200c9a66} - C:\WINDOWS\bdoscandel.exe
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~3\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: bdsripcab - https://media.bdsrealtime.com/components/bdsripcab.cab
O16 - DPF: {200B3EE9-7242-4EFD-B1E4-D97EE825BA53} (VerifyGMN Class) - http://h20270.www2.hp.com/ediags/gmn...taller_gmn.cab
O16 - DPF: {2D8ED06D-3C30-438B-96AE-4D110FDC1FB8} (ActiveScan 2.0 Installer Class) - http://acs.pandasoftware.com/actives.../as2stubie.cab
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (Installation Support) - C:\Program Files\Yahoo!\Common\Yinsthelper.dll
O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} (BDSCANONLINE Control) - http://download.bitdefender.com/reso...an8/oscan8.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsof...?1174409189328
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} -
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/actives...ree/asinst.cab
O16 - DPF: {AB86CE53-AC9F-449F-9399-D8ABCA09EC09} (Get_ActiveX Control) - https://h17000.www1.hp.com/ewfrf-JAV...oadManager.ocx
O16 - DPF: {C4847596-972C-11D0-9567-00A0C9273C2A} (Crystal Report Viewer Control) - http://reports.kochb2b.com/viewer/ac...ivexviewer.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/ge...sh/swflash.cab
O16 - DPF: {FFBB3F3B-0A5A-4106-BE53-DFE1E2340CB1} (DownloadManager Control) - http://dlm.tools.akamai.com/dlmanage...ex-2.2.1.6.cab
O20 - AppInit_DLLs: zxfmwu.dll ljbbfj.dll
O20 - Winlogon Notify: jkkHBUMF - C:\WINDOWS\SYSTEM32\jkkHBUMF.dll
O23 - Service: Lavasoft Ad-Aware Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Cisco Systems, Inc. VPN Service (CVPND) - Cisco Systems, Inc. - C:\Program Files\Cisco Systems\VPN Client\cvpnd.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: McAfee Framework Service (McAfeeFramework) - Network Associates, Inc. - C:\Program Files\Network Associates\Common Framework\FrameworkService.exe
O23 - Service: Network Associates McShield (McShield) - Network Associates, Inc. - C:\Program Files\Network Associates\VirusScan\Mcshield.exe
O23 - Service: Network Associates Task Manager (McTaskManager) - Network Associates, Inc. - C:\Program Files\Network Associates\VirusScan\VsTskMgr.exe
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe

--
End of file - 11234 bytes

======Scheduled tasks folder======

C:\WINDOWS\tasks\AppleSoftwareUpdate.job
C:\WINDOWS\tasks\At1.job
C:\WINDOWS\tasks\At10.job
C:\WINDOWS\tasks\At11.job
C:\WINDOWS\tasks\At12.job
C:\WINDOWS\tasks\At13.job
C:\WINDOWS\tasks\At14.job
C:\WINDOWS\tasks\At15.job
C:\WINDOWS\tasks\At16.job
C:\WINDOWS\tasks\At17.job
C:\WINDOWS\tasks\At18.job
C:\WINDOWS\tasks\At19.job
C:\WINDOWS\tasks\At2.job
C:\WINDOWS\tasks\At20.job
C:\WINDOWS\tasks\At21.job
C:\WINDOWS\tasks\At22.job
C:\WINDOWS\tasks\At23.job
C:\WINDOWS\tasks\At24.job
C:\WINDOWS\tasks\At3.job
C:\WINDOWS\tasks\At4.job
C:\WINDOWS\tasks\At5.job
C:\WINDOWS\tasks\At6.job
C:\WINDOWS\tasks\At7.job
C:\WINDOWS\tasks\At8.job
C:\WINDOWS\tasks\At9.job

======Registry dump======

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{02478D38-C3F9-4efb-9B51-7695ECA05670}]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{11CB1BA7-E3C4-4E3E-9A9D-BCC8BEF704F7}]
C:\WINDOWS\system32\jkkHYsQg.dll [2008-11-02 243712]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{299B5FAC-2168-4A5D-A67D-AA4C8F8055DA}]
C:\WINDOWS\system32\jkkHBUMF.dll [2008-11-01 34304]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{accc0088-c057-4424-835f-d868abd0b535}]
C:\WINDOWS\system32\ljbbfj.dll [2008-11-02 102400]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{BBEF9CDB-E1F7-8D3A-2682-9B6FBD0B9127}]
offersfortoday browser enhancer - C:\WINDOWS\system32\tljcdpkpffbgtpt.dll [2008-11-01 178176]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
{B2847E28-5D7D-4DEB-8B67-05D28BCF79F5} - hp toolkit - C:\HP\EXPLOREBAR\HPTOOLKT.DLL [2002-08-15 90112]

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]
"ehTray"=C:\WINDOWS\ehome\ehtray.exe [2008-04-13 50176]
"hpsysdrv"=c:\windows\system\hpsysdrv.exe [1998-05-07 52736]
"KYE_Showicon"=C:\Program Files\USB Storage RW\shwicon.exe [2002-10-25 69632]
"Share-to-Web Namespace Daemon"=c:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe [2002-04-17 69632]
"CamMonitor"=c:\Program Files\Hewlett-Packard\Digital Imaging\Unload\hpqcmon.exe [2002-06-18 69632]
"KBD"=C:\HP\KBD\KBD.EXE [2003-02-11 61440]
"StorageGuard"=C:\Program Files\VERITAS Software\Update Manager\sgtray.exe [2002-06-18 155648]
"AutoTBar"=C:\hp\bin\autotbar.exe []
"WCOLOREAL"=C:\Program Files\Coloreal\coloreal.exe [2002-11-26 131072]
"Recguard"=C:\WINDOWS\SMINST\RECGUARD.EXE [2002-09-13 212992]
"NvCplDaemon"=C:\WINDOWS\System32\NvCpl.dll [2003-07-28 4841472]
"nwiz"=nwiz.exe /installquiet /keeploaded /nodetect []
"PS2"=C:\WINDOWS\system32\ps2.exe []
"ServiceLayer"=C:\Program Files\Common Files\Nokia\Services\ServiceLayer.exe [2002-10-16 69632]
"Nokia Tray Application"=C:\Program Files\Common Files\Nokia\NCLTools\NclTray.exe [2002-10-22 598016]
"NvMediaCenter"=C:\WINDOWS\system32\NvMcTray.dll [2003-07-28 49152]
"HP Software Update"=C:\Program Files\Hewlett-Packard\HP Software Update\HPWuSchd2.exe [2005-02-16 49152]
"NeroFilterCheck"=C:\WINDOWS\system32\NeroCheck.exe [2001-07-09 155648]
"Adobe Photo Downloader"=C:\Program Files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe [2005-06-06 57344]
"DVDTray"=C:\Program Files\HP DVD\Umbrella\DVDTray.exe [2003-07-23 65536]
"SunJavaUpdateSched"=C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe [2008-06-10 144784]
"QuickTime Task"=C:\Program Files\QuickTime\qttask.exe [2008-01-31 385024]
"iTunesHelper"=C:\Program Files\iTunes\iTunesHelper.exe [2008-02-19 267048]
"ABBYY Community Agent"=C:\Program Files\ABBYY FineReader 5.0 Sprint\CAgent.exe [2002-03-20 253952]
"ShStatEXE"=C:\Program Files\Network Associates\VirusScan\SHSTAT.EXE [2004-08-18 94208]
"McAfeeUpdaterUI"=C:\Program Files\Network Associates\Common Framework\UpdaterUI.exe [2004-08-06 139320]
"Network Associates Error Reporting Service"=C:\Program Files\Common Files\Network Associates\TalkBack\TBMon.exe [2003-10-07 147514]
"Adobe Reader Speed Launcher"=C:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe [2008-06-12 34672]
"ZoneAlarm Client"=C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe [2008-07-09 919016]
"brastk"=C:\WINDOWS\system32\brastk.exe [2008-11-01 10240]
"keocrolkmdtikea"=C:\WINDOWS\System32\regsvr32.exe [2008-04-13 11776]
"Antivirus Pro 2009"=C:\Program Files\AntivirusPro2009\AntivirusPro2009.exe [2008-11-02 596811]
"b844aba0"=C:\WINDOWS\system32\yowubage.dll [2008-11-02 68608]

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"MSMSGS"=C:\Program Files\Messenger\msmsgs.exe [2008-04-13 1695232]
"NVIEW"=C:\WINDOWS\system32\nview.dll [2003-07-28 852038]
"ctfmon.exe"=C:\WINDOWS\system32\ctfmon.exe [2008-04-13 15360]
"MSFox"=C:\DOCUME~1\EDLAZE~1\LOCALS~1\Temp\xxx1757.exe []
"brastk"=C:\WINDOWS\system32\brastk.exe [2008-11-01 10240]
"Facegame"=C:\Documents and Settings\Edlaze500\Application Data\Facegame\Facegame.exe 61A847B5BBF72815308B2B27128065E9C084320161C4661227A755E9C2933154389A []

C:\Documents and Settings\All Users\Start Menu\Programs\Startup
hp center.lnk - C:\Program Files\hp center\137903\Program\BackWeb-137903.exe
HP Digital Imaging Monitor.lnk - C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpqtra08.exe
HP Image Zone Fast Start.lnk - C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpqthb08.exe
Quicken Scheduled Updates.lnk - C:\Program Files\Quicken\bagent.exe
VPN Client.lnk - C:\WINDOWS\Installer\{2D448D0B-20D5-4CD6-84F7-DB9868CB5F6C}\Icon3E5562ED7.ico

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]
"AppInit_DLLS"="zxfmwu.dll ljbbfj.dll"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\jkkHBUMF]
C:\WINDOWS\system32\jkkHBUMF.dll [2008-11-01 34304]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\WgaLogon]
C:\WINDOWS\system32\WgaLogon.dll [2007-02-15 236928]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\WRNotifier]
WRLogonNTF.dll []

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad]
WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINDOWS\system32\WPDShServiceObj.dll [2006-10-18 133632]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks]
"{299B5FAC-2168-4A5D-A67D-AA4C8F8055DA}"=C:\WINDOWS\system32\jkkHBUMF.dll [2008-11-01 34304]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa]
"authentication packages"=msv1_0
C:\WINDOWS\system32\jkkHYsQg

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\securityproviders]
"SecurityProviders"=msapsspc.dll, schannel.dll, digest.dll, msnsspc.dll, msansspc.dll

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\aawservice]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\network\aawservice]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\network\UploadMgr]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\network\vsmon]

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System]
"dontdisplaylastusername"=0
"legalnoticecaption"=
"legalnoticetext"=
"shutdownwithoutlogon"=1
"undockwithoutlogon"=1

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\explorer]
"NoDriveTypeAutoRun"=145
"ForceClassicControlPanel"=1

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\explorer]
""=
"NoDriveTypeAutoRun"=

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\standardprofile\authorizedapplications\list]
"%windir%\system32\sessmgr.exe"="%windir%\system32\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"C:\Program Files\hp center\137903\Program\BackWeb-137903.exe"="C:\Program Files\hp center\137903\Program\BackWeb-137903.exe:*:Enabled:BackWeb-137903"
"C:\Program Files\Call of Duty\CoDMP.exe"="C:\Program Files\Call of Duty\CoDMP.exe:*:Enabled:CoDMP"
"C:\Program Files\Yahoo!\Messenger\YPager.exe"="C:\Program Files\Yahoo!\Messenger\YPager.exe:*:Enabled:Yahoo! Messenger"
"C:\Program Files\Yahoo!\Messenger\YServer.exe"="C:\Program Files\Yahoo!\Messenger\YServer.exe:*:Enabled:Yahoo! FT Server"
"C:\Program Files\Intuwave\Shared\mRouterRunTime\mRouterRuntime.exe"="C:\Program Files\Intuwave\Shared\mRouterRunTime\mRouterRuntime.exe:*:Disabled:mRouterRuntime"
"C:\Program Files\Kerio\Personal Firewall 4\kpf4gui.exe"="C:\Program Files\Kerio\Personal Firewall 4\kpf4gui.exe:*:Enabled:Kerio Personal Firewall 4 - GUI"
"C:\Program Files\Hewlett-Packard\HP Software Update\HPWUCli.exe"="C:\Program Files\Hewlett-Packard\HP Software Update\HPWUCli.exe:*:Enabled:HP Software Update Client"
"C:\Program Files\LimeWire\LimeWire.exe"="C:\Program Files\LimeWire\LimeWire.exe:*:Enabled:LimeWire"
"C:\Program Files\AIM\aim.exe"="C:\Program Files\AIM\aim.exe:*:Enabled:AOL Instant Messenger"
"C:\Program Files\mIRC\mirc.exe"="C:\Program Files\mIRC\mirc.exe:*:Enabled:mIRC"
"%windir%\Network Diagnostic\xpnetdiag.exe"="%windir%\Network Diagnostic\xpnetdiag.exe:*:Enabled:@xpsp3res.dll,-20000"
"C:\Program Files\Common Files\AOL\Loader\aolload.exe"="C:\Program Files\Common Files\AOL\Loader\aolload.exe:*:Enabled:AOL Loader"
"C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe"="C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe:*:Enabled:Yahoo! Messenger"
"C:\Program Files\iTunes\iTunes.exe"="C:\Program Files\iTunes\iTunes.exe:*:Enabled:iTunes"
"C:\Program Files\Cisco Systems\VPN Client\vpngui.exe"="C:\Program Files\Cisco Systems\VPN Client\vpngui.exe:*:Enabled:vpngui.exe"
"C:\Program Files\NetMeeting\conf.exe"="C:\Program Files\NetMeeting\conf.exe:*:Enabled:Windows® NetMeeting®"
"C:\Program Files\Kontiki\KService.exe"="C:\Program Files\Kontiki\KService.exe:*:Enabled:Delivery Manager Service"
"C:\Program Files\eMule\emule.exe"="C:\Program Files\eMule\emule.exe:*:Enabled:eMule"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\domainprofile\authorizedapplications\list]
"%windir%\system32\sessmgr.exe"="%windir%\system32\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"%windir%\Network Diagnostic\xpnetdiag.exe"="%windir%\Network Diagnostic\xpnetdiag.exe:*:Enabled:@xpsp3res.dll,-20000"

======List of files/folders created in the last 1 months======

2008-11-02 13:56:50 ----D---- C:\rsit
2008-11-02 00:52:13 ----A---- C:\WINDOWS\system32\ljbbfj.dll
2008-11-02 00:52:12 ----A---- C:\WINDOWS\system32\kbrjwvbt.dll
2008-11-02 00:50:02 ----SH---- C:\WINDOWS\system32\egabuwoy.ini
2008-11-02 00:49:58 ----A---- C:\WINDOWS\system32\yowubage.dll
2008-11-02 00:49:08 ----ASH---- C:\WINDOWS\system32\gQsYHkkj.ini2
2008-11-02 00:49:08 ----ASH---- C:\WINDOWS\system32\gQsYHkkj.ini
2008-11-02 00:49:03 ----A---- C:\WINDOWS\system32\jkkHYsQg.dll
2008-11-02 00:41:13 ----A---- C:\WINDOWS\gmer.ini
2008-11-02 00:41:09 ----A---- C:\WINDOWS\gmer_uninstall.cmd
2008-11-02 00:41:08 ----A---- C:\WINDOWS\gmer.exe
2008-11-02 00:41:08 ----A---- C:\WINDOWS\gmer.dll
2008-11-01 22:52:16 ----D---- C:\Program Files\AntivirusPro2009
2008-11-01 22:41:47 ----A---- C:\WINDOWS\system32\delself.bat
2008-11-01 22:16:48 ----A---- C:\WINDOWS\system32\wini1087100.exe
2008-11-01 22:14:29 ----A---- C:\WINDOWS\system32\zxfmwu.dll
2008-11-01 22:14:27 ----A---- C:\WINDOWS\system32\tesjummj.dll
2008-11-01 15:39:43 ----A---- C:\WINDOWS\system32\b3676fde-.txt
2008-11-01 15:38:22 ----ASH---- C:\WINDOWS\system32\gPAbHRqr.ini2
2008-11-01 15:38:22 ----ASH---- C:\WINDOWS\system32\gPAbHRqr.ini
2008-11-01 15:38:17 ----A---- C:\WINDOWS\system32\rqRHbAPg.dll.vir
2008-11-01 09:31:02 ----D---- C:\quarantine
2008-11-01 09:30:59 ----D---- C:\Documents and Settings\Edlaze500\Application Data\Facegame
2008-11-01 09:29:45 ----A---- C:\WINDOWS\system32\brastk.exe
2008-11-01 09:29:22 ----A---- C:\WINDOWS\system32\jkkHBUMF.dll
2008-11-01 09:29:09 ----A---- C:\WINDOWS\system32\msansspc.dll
2008-11-01 03:41:58 ----A---- C:\WINDOWS\system32\tljcdpkpffbgtpt.dll
2008-10-31 20:16:12 ----A---- C:\WINDOWS\system32\U3cSBf33.exe.a_a
2008-10-26 21:29:47 ----D---- C:\Documents and Settings\Edlaze500\Application Data\Mozilla
2008-10-26 21:28:36 ----D---- C:\Program Files\Mozilla Firefox
2008-10-24 17:01:44 ----HDC---- C:\WINDOWS\$NtUninstallKB958644$
2008-10-23 14:41:13 ----A---- C:\WINDOWS\system32\cont_offersfortoday-remove.exe
2008-10-23 14:41:07 ----A---- C:\WINDOWS\system32\mcvowdhmpaic.exe
2008-10-23 14:40:55 ----A---- C:\WINDOWS\system32\msxml71.dll
2008-10-16 21:13:48 ----HDC---- C:\WINDOWS\$NtUninstallKB956803$
2008-10-16 21:13:33 ----HDC---- C:\WINDOWS\$NtUninstallKB956391$
2008-10-16 21:13:16 ----HDC---- C:\WINDOWS\$NtUninstallKB957095$
2008-10-16 21:08:25 ----HDC---- C:\WINDOWS\$NtUninstallKB954211$
2008-10-16 21:07:44 ----HDC---- C:\WINDOWS\$NtUninstallKB956841$
2008-10-08 09:53:36 ----A---- C:\WINDOWS\system32\nsaF.dll

======List of files/folders modified in the last 1 months======

2008-11-02 13:57:54 ----D---- C:\Program Files\Trend Micro
2008-11-02 13:57:48 ----D---- C:\WINDOWS\Prefetch
2008-11-02 13:55:55 ----D---- C:\WINDOWS\Internet Logs
2008-11-02 12:00:00 ----A---- C:\WINDOWS\SchedLgU.Txt
2008-11-02 04:48:43 ----A---- C:\WINDOWS\NeroDigital.ini
2008-11-02 04:48:30 ----D---- C:\WINDOWS
2008-11-02 00:52:13 ----D---- C:\WINDOWS\system32
2008-11-02 00:50:36 ----AD---- C:\WINDOWS\Temp
2008-11-02 00:41:09 ----D---- C:\WINDOWS\system32\drivers
2008-11-02 00:31:30 ----D---- C:\Program Files\LimeWire
2008-11-01 23:03:02 ----AD---- C:\Program Files\Common Files
2008-11-01 22:52:16 ----AD---- C:\Program Files
2008-11-01 22:49:30 ----D---- C:\WINDOWS\system32\CatRoot2
2008-11-01 22:47:51 ----A---- C:\WINDOWS\ModemLog_Standard Modem.txt
2008-11-01 22:47:46 ----A---- C:\WINDOWS\ModemLog_Lucent Win Modem.txt
2008-11-01 22:41:47 ----RSHDC---- C:\WINDOWS\system32\dllcache
2008-11-01 22:37:32 ----A---- C:\WINDOWS\ntbtlog.txt
2008-10-31 20:16:12 ----SD---- C:\WINDOWS\Tasks
2008-10-31 13:49:10 ----D---- C:\WINDOWS\system32\FxsTmp
2008-10-26 22:16:29 ----D---- C:\WINDOWS\Help
2008-10-25 23:29:54 ----D---- C:\Program Files\Spybot - Search & Destroy
2008-10-24 17:01:56 ----HD---- C:\WINDOWS\inf
2008-10-24 17:00:50 ----HD---- C:\WINDOWS\$hf_mig$
2008-10-24 16:34:12 ----D---- C:\WINDOWS\system32\ActiveScan
2008-10-23 16:03:17 ----SHD---- C:\WINDOWS\Installer
2008-10-23 16:03:16 ----HD---- C:\Config.Msi
2008-10-23 16:03:03 ----D---- C:\Program Files\Common Files\Microsoft Shared
2008-10-23 09:57:16 ----D---- C:\Program Files\Microsoft Silverlight
2008-10-16 21:13:54 ----A---- C:\WINDOWS\imsins.BAK
2008-10-16 21:12:36 ----D---- C:\Program Files\Internet Explorer
2008-10-16 21:12:08 ----D---- C:\WINDOWS\ie7updates
2008-10-16 21:11:00 ----A---- C:\WINDOWS\win.ini
2008-10-15 19:12:59 ----D---- C:\Program Files\HijackThis
2008-10-15 14:55:13 ----D---- C:\WINDOWS\network diagnostic
2008-10-15 11:34:24 ----A---- C:\WINDOWS\system32\netapi32.dll
2008-10-11 14:24:06 ----SD---- C:\WINDOWS\Downloaded Program Files
2008-10-07 14:19:40 ----A---- C:\WINDOWS\system32\MRT.exe
2008-10-03 12:41:15 ----A---- C:\WINDOWS\system32\ieframe.dll

======List of drivers (R=Running, S=Stopped, 0=Boot, 1=System, 2=Auto, 3=Demand, 4=Disabled)======

R1 AFS2K;AFS2k; C:\WINDOWS\system32\drivers\AFS2K.sys [2005-05-23 43672]
R1 Aspi32;Aspi32; C:\WINDOWS\system32\drivers\Aspi32.sys [2002-07-17 16877]
R1 intelppm;Intel Processor Driver; C:\WINDOWS\System32\DRIVERS\intelppm.sys [2008-04-13 36352]
R1 KLIF;KLIF; C:\WINDOWS\system32\DRIVERS\klif.sys [2007-07-19 127768]
R1 NaiAvTdi1;NaiAvTdi1; C:\WINDOWS\system32\drivers\mvstdi5x.sys [2004-08-18 58016]
R3 ALCXWDM;Service for Realtek AC97 Audio (WDM); C:\WINDOWS\system32\drivers\ALCXWDM.SYS [2004-10-01 2279424]
R3 Arp1394;1394 ARP Client Protocol; C:\WINDOWS\System32\DRIVERS\arp1394.sys [2008-04-13 60800]
R3 CVPNDRVA;Cisco Systems Inc. IPSec Driver; \??\C:\WINDOWS\system32\Drivers\CVPNDRVA.sys []
R3 DNE;Deterministic Network Enhancer Miniport; C:\WINDOWS\system32\DRIVERS\dne2000.sys [2004-11-03 146888]
R3 GEARAspiWDM;GEAR CDRom Filter; C:\WINDOWS\SYSTEM32\DRIVERS\GEARAspiWDM.sys [2006-09-19 15664]
R3 hcwPVRP2;Hauppauge WinTV PVR PCI II (Encoder); C:\WINDOWS\System32\DRIVERS\hcwPVRP2.sys [2003-02-19 1031520]
R3 HidUsb;Microsoft HID Class Driver; C:\WINDOWS\System32\DRIVERS\hidusb.sys [2008-04-13 10368]
R3 ltmodem5;Lucent Modem Driver; C:\WINDOWS\System32\DRIVERS\ltmdmnt.sys [2003-03-08 624369]
R3 mouhid;Mouse HID Driver; C:\WINDOWS\System32\DRIVERS\mouhid.sys [2001-08-17 12160]
R3 NaiAvFilter1;NaiAvFilter1; C:\WINDOWS\system32\drivers\naiavf5x.sys [2004-08-18 108256]
R3 NIC1394;1394 Net Driver; C:\WINDOWS\System32\DRIVERS\nic1394.sys [2008-04-13 61824]
R3 nv;nv; C:\WINDOWS\System32\DRIVERS\nv4_mini.sys [2003-07-28 1341339]
R3 Ps2;PS2; C:\WINDOWS\System32\DRIVERS\PS2.sys [2001-06-04 14112]
R3 RimSerPort;RIM Virtual Serial Port; C:\WINDOWS\system32\DRIVERS\RimSerial.sys [2004-08-06 17920]
R3 ROOTMODEM;Microsoft Legacy Modem Driver; C:\WINDOWS\System32\Drivers\RootMdm.sys [2002-08-29 5888]
R3 rtl8139;Realtek RTL8139(A/B/C)-based PCI Fast Ethernet Adapter NT Driver; C:\WINDOWS\System32\DRIVERS\RTL8139.SYS [2004-08-04 20992]
R3 usbehci;Microsoft USB 2.0 Enhanced Host Controller Miniport Driver; C:\WINDOWS\System32\DRIVERS\usbehci.sys [2008-04-13 30208]
R3 usbhub;Microsoft USB Standard Hub Driver; C:\WINDOWS\System32\DRIVERS\usbhub.sys [2008-04-13 59520]
R3 USBSTOR;USB Mass Storage Driver; C:\WINDOWS\System32\DRIVERS\USBSTOR.SYS [2008-04-13 26368]
R3 usbuhci;Microsoft USB Universal Host Controller Miniport Driver; C:\WINDOWS\System32\DRIVERS\usbuhci.sys [2008-04-13 20608]
R3 vsdatant;vsdatant; \??\C:\WINDOWS\system32\vsdatant.sys []
S2 mrtRate;mrtRate; C:\WINDOWS\system32\drivers\mrtRate.sys []
S3 CCDECODE;Closed Caption Decoder; C:\WINDOWS\System32\DRIVERS\CCDECODE.sys [2008-04-13 17024]
S3 CVirtA;Cisco Systems VPN Adapter; C:\WINDOWS\system32\DRIVERS\CVirtA.sys [2005-02-08 5185]
S3 gmer;gmer; C:\WINDOWS\System32\DRIVERS\gmer.sys [2008-11-02 85969]
S3 HPZid412;IEEE-1284.4 Driver HPZid412; C:\WINDOWS\system32\DRIVERS\HPZid412.sys [2004-12-14 51120]
S3 HPZipr12;Print Class Driver for IEEE-1284.4 HPZipr12; C:\WINDOWS\system32\DRIVERS\HPZipr12.sys [2004-12-14 16496]
S3 HPZius12;USB to IEEE-1284.4 Translation Driver HPZius12; C:\WINDOWS\system32\DRIVERS\HPZius12.sys [2004-12-14 21744]
S3 MSTEE;Microsoft Streaming Tee/Sink-to-Sink Converter; C:\WINDOWS\system32\drivers\MSTEE.sys [2008-04-13 5504]
S3 NABTSFEC;NABTS/FEC VBI Codec; C:\WINDOWS\System32\DRIVERS\NABTSFEC.sys [2008-04-13 85248]
S3 NdisIP;Microsoft TV/Video Connection; C:\WINDOWS\System32\DRIVERS\NdisIP.sys [2008-04-13 10880]
S3 pc22nd5;Toshiba PCX2200 USB Cable Modem networking driver (NDIS); C:\WINDOWS\System32\DRIVERS\pc22nd5.sys [2001-11-09 17648]
S3 pc22unic;Toshiba PCX2200 USB Cable Modem WDM driver; C:\WINDOWS\System32\DRIVERS\pc22unic.sys [2001-11-09 69744]
S3 PCDRDRV;Pcdr Helper Driver; \??\C:\PROGRA~1\PC-DOC~1\DIAGNO~1\PCDRDRV.sys []
S3 Pcouffin;Low level access layer for CD devices; C:\WINDOWS\System32\Drivers\Pcouffin.sys []
S3 pfc;Padus ASPI Shell; C:\WINDOWS\system32\drivers\pfc.sys [2003-05-02 9856]
S3 QCDonner;Logitech QuickCam Express; C:\WINDOWS\System32\DRIVERS\OVCD.sys [2001-08-17 28032]
S3 RimUsb;RIM Handheld; C:\WINDOWS\System32\Drivers\RimUsb.sys [2004-09-14 17286]
S3 SLIP;BDA Slip De-Framer; C:\WINDOWS\System32\DRIVERS\SLIP.sys [2008-04-13 11136]
S3 streamip;BDA IPSink; C:\WINDOWS\System32\DRIVERS\StreamIP.sys [2008-04-13 15232]
S3 USBAAPL;Apple Mobile USB Driver; C:\WINDOWS\System32\Drivers\usbaapl.sys [2007-10-31 30464]
S3 usbccgp;Microsoft USB Generic Parent Driver; C:\WINDOWS\System32\DRIVERS\usbccgp.sys [2008-04-13 32128]
S3 usbprint;Microsoft USB PRINTER Class; C:\WINDOWS\System32\DRIVERS\usbprint.sys [2008-04-13 25856]
S3 usbscan;USB Scanner Driver; C:\WINDOWS\System32\DRIVERS\usbscan.sys [2008-04-13 15104]
S3 WSTCODEC;World Standard Teletext Codec; C:\WINDOWS\System32\DRIVERS\WSTCODEC.SYS [2008-04-13 19200]
S4 IntelIde;IntelIde; C:\WINDOWS\System32\DRIVERS\intelide.sys [2008-04-13 5504]

======List of services (R=Running, S=Stopped, 0=Boot, 1=System, 2=Auto, 3=Demand, 4=Disabled)======

R2 aawservice;Lavasoft Ad-Aware Service; C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe [2008-07-27 611664]
R2 Apple Mobile Device;Apple Mobile Device; C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe [2007-10-31 110592]
R2 CVPND;Cisco Systems, Inc. VPN Service; C:\Program Files\Cisco Systems\VPN Client\cvpnd.exe [2005-04-07 1421336]
R2 ehSched;Media Center Scheduler Service; C:\WINDOWS\ehome\ehSched.exe [2008-04-13 84992]
R2 McAfeeFramework;McAfee Framework Service; C:\Program Files\Network Associates\Common Framework\FrameworkService.exe [2004-08-06 102463]
R2 McTaskManager;Network Associates Task Manager; C:\Program Files\Network Associates\VirusScan\VsTskMgr.exe [2004-08-18 28672]
R2 NVSvc;NVIDIA Driver Helper Service; C:\WINDOWS\system32\nvsvc32.exe [2003-07-28 77824]
R3 iPod Service;iPod Service; C:\Program Files\iPod\bin\iPodService.exe [2008-02-19 504104]
S2 McShield;Network Associates McShield; C:\Program Files\Network Associates\VirusScan\Mcshield.exe [2004-08-18 221191]
S2 Pml Driver HPZ12;Pml Driver HPZ12; C:\WINDOWS\system32\HPZipm12.exe [2007-08-09 73728]
S3 aspnet_state;ASP.NET State Service; C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\aspnet_state.exe [2007-04-13 33632]
S3 clr_optimization_v2.0.50727_32;.NET Runtime Optimization Service v2.0.50727_X86; C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe [2007-04-13 68952]
S3 Fax;Fax; C:\WINDOWS\system32\fxssvc.exe [2008-04-13 267776]
S3 IDriverT;InstallDriver Table Manager; C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe [2005-04-03 69632]
S3 ose;Office Source Engine; C:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE [2003-07-28 89136]
S3 WmcCds;Windows Media Connect (WMC); c:\program files\windows media connect\mswmccds.exe [2004-08-10 483328]
S3 WmcCdsLs;Windows Media Connect (WMC) Helper; C:\Program Files\Windows Media Connect\mswmcls.exe [2004-08-10 28160]
S3 WMPNetworkSvc;Windows Media Player Network Sharing Service; C:\Program Files\Windows Media Player\WMPNetwk.exe [2006-10-18 913408]

-----------------EOF-----------------

ericgarcb · 11-05-2008, 04:49 PM

BUMP, please

alba · 11-07-2008, 12:00 PM

Hi ericgarcb

Please read this post completely before begining the fix. If there's anything that you do not understand, kindly ask your questions before proceeding. Please ensure that there aren't any opened browsers when you are carrying out the procedures below. Save the following instructions in Notepad as this webpage would not be available when you're carrying out the fix.

IT IS IMPORTANT THAT YOU DON'T MISS A STEP & PERFORM EVERYTHING IN THE RIGHT ORDER.

===============================================
Download ComboFix from one of these locations:

Link 1
Link 2
Link 3

* IMPORTANT !!! Save ComboFix.exe to your Desktop

Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools
Double click on ComboFix.exe & follow the prompts.
As part of it's process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.
Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.

**Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue it's malware removal procedures.

Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:

Click on Yes, to continue scanning for malware.

When finished, it shall produce a log for you. Please include the C:\ComboFix.txt in your next reply.

=================

Please Run a scan with HiJackThis and save the log

=================

In your next post, please include fresh logs from:

ComboFix.txt
HiJackThis

Please provide details of any problems you encountered whilst performing the above steps & update us on how the computer behaves now

ericgarcb · 11-08-2008, 08:30 AM

Hello,

Fresh Combofix and Hijack logs are pasted below.

Thanks again,
Eric

ComboFix 08-11-07.01 - Edlaze500 2008-11-08 1:44:25.1 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.221 [GMT -5:00]
Running from: c:\documents and settings\Edlaze500\Desktop\ComboFix.exe
* Created a new restore point
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\bold.log
c:\documents and settings\Edlaze500\Application Data\Facegame
c:\documents and settings\Edlaze500\Cookies\mafycu.dl
c:\documents and settings\Edlaze500\Local Settings\Temporary Internet Files\fbk.sts
c:\documents and settings\Edlaze500\Local Settings\Temporary Internet Files\ywoxuvihed.exe
C:\e.exe
C:\m.exe
C:\ntldr.exe
C:\p.exe
C:\q.exe
C:\win.txt
c:\windows\Fonts\acrsecB.fon
c:\windows\Fonts\acrsecI.fon
c:\windows\Readme.txt
c:\windows\system.exe
c:\windows\system\system.exe
c:\windows\system32\DelSelf.bat
c:\windows\system32\egabuwoy.ini
c:\windows\system32\gPAbHRqr.ini
c:\windows\system32\gPAbHRqr.ini2
c:\windows\system32\gQsYHkkj.ini
c:\windows\system32\gQsYHkkj.ini2
c:\windows\system32\jkkhysqg.dll
c:\windows\system32\mcc.exe
c:\windows\system32\mcrh.tmp
c:\windows\system32\msxml71.dll
c:\windows\system32\U3cSBf33.exe.a_a
c:\windows\system32\vloxhjfs.ini
c:\windows\system32\wpv106.cpx
c:\windows\wiaserviv.log
D:\Autorun.inf

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Legacy_ZESOFT

((((((((((((((((((((((((( Files Created from 2008-10-08 to 2008-11-08 )))))))))))))))))))))))))))))))
.

2008-11-06 00:24 . 2008-11-08 01:51 6,540,832 --ahs---- c:\windows\system32\drivers\fidbox.dat
2008-11-06 00:24 . 2008-11-08 01:58 458,784 --ahs---- c:\windows\system32\drivers\fidbox2.dat
2008-11-06 00:24 . 2008-11-08 01:51 52,180 --ahs---- c:\windows\system32\drivers\fidbox.idx
2008-11-06 00:24 . 2008-11-08 01:58 2,676 --ahs---- c:\windows\system32\drivers\fidbox2.idx
2008-11-05 23:56 . 2008-11-06 00:39 96,976 --a------ c:\windows\system32\drivers\klin.dat
2008-11-05 23:56 . 2008-11-05 23:56 87,855 --a------ c:\windows\system32\drivers\klick.dat
2008-11-05 23:51 . 2008-11-08 01:19 <DIR> d-------- c:\documents and settings\All Users\Application Data\Kaspersky Lab
2008-11-05 23:17 . 2008-11-05 23:17 <DIR> d-------- c:\documents and settings\All Users\Application Data\Kaspersky Lab Setup Files
2008-11-05 19:08 . 2008-11-05 19:08 552 --a------ c:\windows\system32\d3d8caps.dat
2008-11-05 16:42 . 2008-11-05 16:42 68,356 --a------ c:\windows\system32\suwcamwo.dll
2008-11-05 16:38 . 2008-11-05 16:39 74,656 --a------ c:\windows\system32\gopejlke.dll
2008-11-02 13:56 . 2008-11-02 13:58 <DIR> d-------- C:\rsit
2008-11-02 00:41 . 2008-11-02 00:47 250 --a------ c:\windows\gmer.ini
2008-11-01 23:03 . 2008-11-01 23:03 19,694 --a------ c:\windows\system32\loxydo.pif
2008-11-01 23:03 . 2008-11-01 23:03 18,507 --a------ c:\windows\system32\igine.db
2008-11-01 23:03 . 2008-11-01 23:03 13,901 --a------ c:\program files\Common Files\elelahyp.reg
2008-11-01 23:03 . 2008-11-01 23:03 13,081 --a------ c:\program files\Common Files\erib.bin
2008-11-01 22:52 . 2008-11-07 09:19 <DIR> d-------- c:\program files\AntivirusPro2009
2008-11-01 09:31 . 2008-11-05 22:37 <DIR> d-------- C:\quarantine
2008-11-01 03:41 . 2008-11-01 03:41 178,176 --a------ c:\windows\system32\tljcdpkpffbgtpt.dll
2008-10-24 12:14 . 2008-10-15 11:34 337,408 --a--c--- c:\windows\system32\dllcache\netapi32.dll
2008-10-23 14:41 . 2008-10-31 16:34 102,172 --a------ c:\windows\system32\cont_offersfortoday-remove.exe
2008-10-23 14:41 . 2008-11-01 09:31 77,947 --a------ c:\windows\system32\mcvowdhmpaic.exe
2008-10-16 10:06 . 2008-09-08 05:41 333,824 --a--c--- c:\windows\system32\dllcache\srv.sys
2008-10-16 10:01 . 2008-08-14 05:11 2,189,184 --a--c--- c:\windows\system32\dllcache\ntoskrnl.exe
2008-10-16 10:01 . 2008-08-14 05:09 2,145,280 --a--c--- c:\windows\system32\dllcache\ntkrnlmp.exe
2008-10-16 10:01 . 2008-09-15 07:12 1,846,400 --a--c--- c:\windows\system32\dllcache\win32k.sys
2008-10-16 10:00 . 2008-08-14 04:33 2,066,048 --a--c--- c:\windows\system32\dllcache\ntkrnlpa.exe
2008-10-16 10:00 . 2008-08-14 04:33 2,023,936 --a--c--- c:\windows\system32\dllcache\ntkrpamp.exe

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-11-07 06:57 --------- d-----w c:\program files\QuickTime
2008-11-07 06:55 --------- d-----w c:\program files\Common Files\Real
2008-11-06 04:51 --------- d-----w c:\program files\Kaspersky Lab
2008-11-06 04:42 --------- d-----w c:\program files\Spybot - Search & Destroy
2008-11-06 04:42 --------- d-----w c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
2008-11-02 18:57 --------- d-----w c:\program files\Trend Micro
2008-11-02 05:31 --------- d-----w c:\program files\LimeWire
2008-10-23 14:57 --------- d-----w c:\program files\Microsoft Silverlight
2008-09-12 21:33 --------- d-----w c:\documents and settings\Edlaze500\Application Data\Move Networks
2008-09-11 23:23 --------- d-----w c:\documents and settings\Edlaze500\Application Data\Leadertech
2008-09-08 10:41 333,824 ----a-w c:\windows\system32\drivers\srv.sys
2005-01-27 02:07 0 --sh--r c:\program files\q330994.exe
2005-01-27 02:07 0 --sh--r c:\windows\cvchost.exe
2005-01-27 02:07 0 --sh--r c:\windows\dl.exe
2005-01-27 02:07 0 --sh--r c:\windows\dlm.exe
2005-01-27 02:07 0 --sh--r c:\windows\msstasks.exe
2005-01-27 02:07 0 --sh--r c:\windows\mssys.com
2005-01-27 02:07 0 --sh--r c:\windows\mstasks1.exe
2005-01-27 02:07 0 --sh--r c:\windows\mstaskss.exe
2005-01-27 02:07 0 --sh--r c:\windows\msxmidi.exe
2005-01-27 02:07 0 --sh--r c:\windows\ntldr.exe
2005-01-27 02:07 0 --sh--r c:\windows\reg33.exe
2005-01-27 02:07 0 --sh--r c:\windows\rocky.exe
2005-01-27 02:07 0 --sh--r c:\windows\system\wmscrop.exe
2005-01-27 02:07 0 --sha-r c:\windows\system32\d2kpax.exe
2005-01-27 02:07 0 --sha-r c:\windows\system32\ied.exe
2005-01-27 02:07 0 --sha-r c:\windows\system32\miniport_mp.exe
2005-01-27 02:07 0 --sha-r c:\windows\system32\winproc32.exe
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{BBEF9CDB-E1F7-8D3A-2682-9B6FBD0B9127}]
2008-11-01 03:41 178176 --a------ c:\windows\system32\tljcdpkpffbgtpt.dll

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"MSMSGS"="c:\program files\Messenger\msmsgs.exe" [2008-04-13 1695232]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-13 15360]
"NVIEW"="nview.dll" [2003-07-28 c:\windows\system32\nview.dll]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"UserFaultCheck"="c:\windows\system32\dumprep 0 -u" [X]
"ehTray"="c:\windows\ehome\ehtray.exe" [2008-04-13 50176]
"hpsysdrv"="c:\windows\system\hpsysdrv.exe" [1998-05-07 52736]
"KYE_Showicon"="c:\program files\USB Storage RW\shwicon.exe" [2002-10-25 69632]
"Share-to-Web Namespace Daemon"="c:\program files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe" [2002-04-17 69632]
"CamMonitor"="c:\program files\Hewlett-Packard\Digital Imaging\Unload\hpqcmon.exe" [2002-06-18 69632]
"KBD"="c:\hp\KBD\KBD.EXE" [2003-02-11 61440]
"StorageGuard"="c:\program files\VERITAS Software\Update Manager\sgtray.exe" [2002-06-18 155648]
"WCOLOREAL"="c:\program files\Coloreal\coloreal.exe" [2002-11-26 131072]
"Recguard"="c:\windows\SMINST\RECGUARD.EXE" [2002-09-13 212992]
"NvCplDaemon"="c:\windows\System32\NvCpl.dll" [2003-07-28 4841472]
"ServiceLayer"="c:\program files\Common Files\Nokia\Services\ServiceLayer.exe" [2002-10-16 69632]
"Nokia Tray Application"="c:\program files\Common Files\Nokia\NCLTools\NclTray.exe" [2002-10-22 598016]
"NvMediaCenter"="c:\windows\system32\NvMcTray.dll" [2003-07-28 49152]
"HP Software Update"="c:\program files\Hewlett-Packard\HP Software Update\HPWuSchd2.exe" [2005-02-16 49152]
"NeroFilterCheck"="c:\windows\system32\NeroCheck.exe" [2001-07-09 155648]
"Adobe Photo Downloader"="c:\program files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe" [2005-06-06 57344]
"DVDTray"="c:\program files\HP DVD\Umbrella\DVDTray.exe" [2003-07-23 65536]
"SunJavaUpdateSched"="c:\program files\Java\jre1.6.0_07\bin\jusched.exe" [2008-06-10 144784]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2008-02-19 267048]
"ABBYY Community Agent"="c:\program files\ABBYY FineReader 5.0 Sprint\CAgent.exe" [2002-03-20 253952]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2008-06-12 34672]
"keocrolkmdtikea"="c:\windows\system32\tljcdpkpffbgtpt.dll" [2008-11-01 178176]
"AVP"="c:\program files\Kaspersky Lab\Kaspersky Internet Security 2009\avp.exe" [2008-07-29 206088]
"nwiz"="nwiz.exe" [2003-07-28 c:\windows\system32\nwiz.exe]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"ForceClassicControlPanel"= 1 (0x1)

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"vidc.DIV3"= DIVXc32.dll
"vidc.DIV4"= DIVXc32f.dll

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusDisableNotify"=dword:00000001
"UpdatesDisableNotify"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\KasperskyAntiVirus]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Hewlett-Packard\\HP Software Update\\HPWUCli.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\\Program Files\\Cisco Systems\\VPN Client\\vpngui.exe"=
"c:\\Program Files\\NetMeeting\\conf.exe"=
"c:\\Program Files\\eMule\\emule.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"3389:TCP"= 3389:TCP:@xpsp2res.dll,-22009

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\IcmpSettings]
"AllowInboundEchoRequest"= 1 (0x1)

R0 klbg;Kaspersky Lab Boot Guard Driver;c:\windows\system32\drivers\klbg.sys [2008-01-29 32784]
R0 pavboot;pavboot;c:\windows\system32\drivers\pavboot.sys [2008-06-19 28544]
R3 hcwPVRP2;Hauppauge WinTV PVR PCI II (Encoder);c:\windows\system32\DRIVERS\hcwPVRP2.sys [2003-02-19 1031520]
R3 KLFLTDEV;Kaspersky Lab KLFltDev;c:\windows\system32\DRIVERS\klfltdev.sys [2008-03-13 26640]
R3 klim5;Kaspersky Anti-Virus NDIS Filter;c:\windows\system32\DRIVERS\klim5.sys [2008-04-30 24592]
R3 RimSerPort;RIM Virtual Serial Port;c:\windows\system32\DRIVERS\RimSerial.sys [2004-08-06 17920]
S3 pc22nd5;Toshiba PCX2200 USB Cable Modem networking driver (NDIS);c:\windows\system32\DRIVERS\pc22nd5.sys [2001-11-09 17648]
S3 pc22unic;Toshiba PCX2200 USB Cable Modem WDM driver;c:\windows\system32\DRIVERS\pc22unic.sys [2001-11-09 69744]
S3 PCDRDRV;Pcdr Helper Driver;c:\progra~1\PC-DOC~1\DIAGNO~1\PCDRDRV.sys [ ]
.
Contents of the 'Scheduled Tasks' folder

2008-11-05 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2007-08-29 14:57]

2008-11-06 c:\windows\Tasks\At1.job
- c:\windows\system32\U3cSBf33.exe []

2008-11-07 c:\windows\Tasks\At10.job
- c:\windows\system32\U3cSBf33.exe []

2008-11-07 c:\windows\Tasks\At11.job
- c:\windows\system32\U3cSBf33.exe []

2008-11-07 c:\windows\Tasks\At12.job
- c:\windows\system32\U3cSBf33.exe []

2008-11-07 c:\windows\Tasks\At13.job
- c:\windows\system32\U3cSBf33.exe []

2008-11-07 c:\windows\Tasks\At14.job
- c:\windows\system32\U3cSBf33.exe []

2008-11-07 c:\windows\Tasks\At15.job
- c:\windows\system32\U3cSBf33.exe []

2008-11-07 c:\windows\Tasks\At16.job
- c:\windows\system32\U3cSBf33.exe []

2008-11-07 c:\windows\Tasks\At17.job
- c:\windows\system32\U3cSBf33.exe []

2008-11-07 c:\windows\Tasks\At18.job
- c:\windows\system32\U3cSBf33.exe []

2008-11-07 c:\windows\Tasks\At19.job
- c:\windows\system32\U3cSBf33.exe []

2008-11-06 c:\windows\Tasks\At2.job
- c:\windows\system32\U3cSBf33.exe []

2008-11-03 c:\windows\Tasks\At20.job
- c:\windows\system32\U3cSBf33.exe []

2008-11-03 c:\windows\Tasks\At21.job
- c:\windows\system32\U3cSBf33.exe []

2008-11-03 c:\windows\Tasks\At22.job
- c:\windows\system32\U3cSBf33.exe []

2008-11-06 c:\windows\Tasks\At23.job
- c:\windows\system32\U3cSBf33.exe []

2008-11-06 c:\windows\Tasks\At24.job
- c:\windows\system32\U3cSBf33.exe []

2008-11-08 c:\windows\Tasks\At3.job
- c:\windows\system32\U3cSBf33.exe []

2008-11-08 c:\windows\Tasks\At4.job
- c:\windows\system32\U3cSBf33.exe []

2008-11-07 c:\windows\Tasks\At5.job
- c:\windows\system32\U3cSBf33.exe []

2008-11-07 c:\windows\Tasks\At6.job
- c:\windows\system32\U3cSBf33.exe []

2008-11-07 c:\windows\Tasks\At7.job
- c:\windows\system32\U3cSBf33.exe []

2008-11-07 c:\windows\Tasks\At8.job
- c:\windows\system32\U3cSBf33.exe []

2008-11-07 c:\windows\Tasks\At9.job
- c:\windows\system32\U3cSBf33.exe []
.
- - - - ORPHANS REMOVED - - - -

BHO-{51BCD548-771E-49C8-AC0C-7B7E6B9D35AF} - c:\windows\system32\jkkHYsQg.dll
BHO-{F3AF22D2-7855-43FE-8DA3-ECD8E9C11558} - (no file)
HKCU-Run-Facegame - c:\documents and settings\Edlaze500\Application Data\Facegame\Facegame.exe
HKLM-Run-AutoTBar - c:\hp\bin\autotbar.exe
HKLM-Run-PS2 - c:\windows\system32\ps2.exe
Notify-jkkHBUMF - jkkHBUMF.dll

.
------- Supplementary Scan -------
.
FireFox -: Profile - c:\documents and settings\Edlaze500\Application Data\Mozilla\Firefox\Profiles\ycjajdb2.default\
FF -: plugin - c:\program files\DivX\DivX Content Uploader\npUpload.dll
FF -: plugin - c:\program files\iTunes\Mozilla Plugins\npitunes.dll
FF -: plugin - c:\program files\Microsoft Silverlight\2.0.31005.0\npctrl.dll
FF -: plugin - c:\program files\Viewpoint\Viewpoint Experience Technology\npViewpoint.dll
.

**************************************************************************

catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-11-08 01:53:31
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
------------------------ Other Running Processes ------------------------
.
c:\program files\Lavasoft\Ad-Aware\aawservice.exe
c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
c:\program files\Cisco Systems\VPN Client\cvpnd.exe
c:\windows\eHome\ehsched.exe
c:\windows\system32\nvsvc32.exe
c:\windows\system32\rundll32.exe
c:\windows\system32\regsvr32.exe
c:\program files\Hewlett-Packard\HP Share-to-Web\hpgs2wnf.exe
c:\program files\Internet Explorer\iexplore.exe
c:\windows\system32\rundll32.exe
c:\program files\Hewlett-Packard\Digital Imaging\bin\hpqtra08.exe
c:\program files\Hewlett-Packard\Digital Imaging\bin\hpqgalry.exe
c:\program files\iPod\bin\iPodService.exe
c:\windows\eHome\ehmsas.exe
.
**************************************************************************
.
Completion time: 2008-11-08 3:13:00 - machine was rebooted
ComboFix-quarantined-files.txt 2008-11-08 08:12:47

Pre-Run: 9,514,356,736 bytes free
Post-Run: 9,938,006,016 bytes free

WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(2)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
multi(0)disk(0)rdisk(0)partition(2)\WINDOWS="Microsoft Windows XP Professional Edition" /fastdetect /NoExecute=OptIn

285 --- E O F --- 2008-10-24 22:01:58

Logfile of HijackThis v1.99.1
Scan saved at 10:25:40 AM, on 11/8/2008
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16735)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Cisco Systems\VPN Client\cvpnd.exe
C:\WINDOWS\ehome\ehSched.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\ehome\ehtray.exe
C:\WINDOWS\System32\svchost.exe
C:\windows\system\hpsysdrv.exe
C:\Program Files\USB Storage RW\shwicon.exe
C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\Unload\hpqcmon.exe
C:\HP\KBD\KBD.EXE
C:\Program Files\Common Files\Nokia\Services\ServiceLayer.exe
C:\Program Files\Common Files\Nokia\NCLTools\NclTray.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\Program Files\Hewlett-Packard\HP Software Update\HPWuSchd2.exe
C:\Program Files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe
C:\Program Files\HP DVD\Umbrella\DVDTray.exe
C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\WINDOWS\System32\regsvr32.exe
c:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnf.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpqtra08.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpqgalry.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\ehome\ehmsas.exe
C:\WINDOWS\explorer.exe
C:\WINDOWS\system32\notepad.exe
C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 2009\avp.exe
C:\Program Files\HijackThis\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
O2 - BHO: (no name) - {02478D38-C3F9-4efb-9B51-7695ECA05670} - (no file)
O2 - BHO: offersfortoday browser enhancer - {BBEF9CDB-E1F7-8D3A-2682-9B6FBD0B9127} - C:\WINDOWS\system32\tljcdpkpffbgtpt.dll
O3 - Toolbar: hp toolkit - {B2847E28-5D7D-4DEB-8B67-05D28BCF79F5} - C:\HP\EXPLOREBAR\HPTOOLKT.DLL
O4 - HKLM\..\Run: [ehTray] C:\WINDOWS\ehome\ehtray.exe
O4 - HKLM\..\Run: [hpsysdrv] c:\windows\system\hpsysdrv.exe
O4 - HKLM\..\Run: [KYE_Showicon] "C:\Program Files\USB Storage RW\shwicon.exe" -t"KYE\USB Storage RW"
O4 - HKLM\..\Run: [Share-to-Web Namespace Daemon] c:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe
O4 - HKLM\..\Run: [CamMonitor] c:\Program Files\Hewlett-Packard\Digital Imaging\Unload\hpqcmon.exe
O4 - HKLM\..\Run: [KBD] C:\HP\KBD\KBD.EXE
O4 - HKLM\..\Run: [StorageGuard] "C:\Program Files\VERITAS Software\Update Manager\sgtray.exe" /r
O4 - HKLM\..\Run: [WCOLOREAL] "C:\Program Files\Coloreal\coloreal.exe"
O4 - HKLM\..\Run: [Recguard] C:\WINDOWS\SMINST\RECGUARD.EXE
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /installquiet /keeploaded /nodetect
O4 - HKLM\..\Run: [ServiceLayer] C:\Program Files\Common Files\Nokia\Services\ServiceLayer.exe
O4 - HKLM\..\Run: [Nokia Tray Application] C:\Program Files\Common Files\Nokia\NCLTools\NclTray.exe
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\Hewlett-Packard\HP Software Update\HPWuSchd2.exe
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [Adobe Photo Downloader] "C:\Program Files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe"
O4 - HKLM\..\Run: [DVDTray] "C:\Program Files\HP DVD\Umbrella\DVDTray.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe"
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [ABBYY Community Agent] C:\Program Files\ABBYY FineReader 5.0 Sprint\CAgent.exe
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [keocrolkmdtikea] C:\WINDOWS\System32\regsvr32.exe /s "C:\WINDOWS\system32\tljcdpkpffbgtpt.dll"
O4 - HKLM\..\Run: [UserFaultCheck] %systemroot%\system32\dumprep 0 -u
O4 - HKLM\..\Run: [AVP] "C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 2009\avp.exe"
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [NVIEW] rundll32.exe nview.dll,nViewLoadHook
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - Global Startup: hp center.lnk = C:\Program Files\hp center\137903\Program\BackWeb-137903.exe
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpqtra08.exe
O4 - Global Startup: HP Image Zone Fast Start.lnk = C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpqthb08.exe
O4 - Global Startup: Quicken Scheduled Updates.lnk = C:\Program Files\Quicken\bagent.exe
O4 - Global Startup: VPN Client.lnk = ?
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra button: Web traffic protection statistics - {1F460357-8A94-4D71-9CA3-AA4ACF32ED8E} - C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 2009\SCIEPlgn.dll
O9 - Extra button: (no name) - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
O9 - Extra 'Tools' menuitem: Uninstall BitDefender Online Scanner v8 - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~3\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra button: (no name) - Cmdmapping - (no file) (HKCU)
O11 - Options group: [INTERNATIONAL] International*
O16 - DPF: bdsripcab - https://media.bdsrealtime.com/components/bdsripcab.cab
O16 - DPF: {200B3EE9-7242-4EFD-B1E4-D97EE825BA53} (VerifyGMN Class) - http://h20270.www2.hp.com/ediags/gmn...taller_gmn.cab
O16 - DPF: {2D8ED06D-3C30-438B-96AE-4D110FDC1FB8} (ActiveScan 2.0 Installer Class) - http://acs.pandasoftware.com/actives.../as2stubie.cab
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (Installation Support) - C:\Program Files\Yahoo!\Common\Yinsthelper.dll
O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} (BDSCANONLINE Control) - http://download.bitdefender.com/reso...an8/oscan8.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsof...?1174409189328
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} -
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/actives...ree/asinst.cab
O16 - DPF: {AB86CE53-AC9F-449F-9399-D8ABCA09EC09} (Get_ActiveX Control) - https://h17000.www1.hp.com/ewfrf-JAV...oadManager.ocx
O16 - DPF: {C4847596-972C-11D0-9567-00A0C9273C2A} (Crystal Report Viewer Control) - http://reports.kochb2b.com/viewer/ac...ivexviewer.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/ge...sh/swflash.cab
O16 - DPF: {FFBB3F3B-0A5A-4106-BE53-DFE1E2340CB1} (DownloadManager Control) - http://dlm.tools.akamai.com/dlmanage...ex-2.2.1.6.cab
O20 - Winlogon Notify: dimsntfy - %SystemRoot%\System32\dimsntfy.dll (file missing)
O20 - Winlogon Notify: klogon - C:\WINDOWS\system32\klogon.dll
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O20 - Winlogon Notify: WRNotifier - WRLogonNTF.dll (file missing)
O21 - SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINDOWS\system32\WPDShServiceObj.dll
O23 - Service: Lavasoft Ad-Aware Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Kaspersky Internet Security (AVP) - Unknown owner - C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 2009\avp.exe" -r (file missing)
O23 - Service: Cisco Systems, Inc. VPN Service (CVPND) - Cisco Systems, Inc. - C:\Program Files\Cisco Systems\VPN Client\cvpnd.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe

alba · 11-08-2008, 10:11 AM

Hi ericgarcb

Please read this post completely before begining the fix. If there's anything that you do not understand, kindly ask your questions before proceeding. Please ensure that there aren't any opened browsers when you are carrying out the procedures below. Save the following instructions in Notepad as this webpage would not be available when you're carrying out the fix.

IT IS IMPORTANT THAT YOU DON'T MISS A STEP & PERFORM EVERYTHING IN THE RIGHT ORDER.

===============================================

1. Close any open browsers.

2. Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.

===============================================

Open notepad and carefully copy/paste all the text in the code box below into it:

Code:


http://www.techsupportforum.com/security-center/hijackthis-log-help/308786-infected-vundo-gen-k-trojan-pop-ups-abound.html#post1792822

Collect::
c:\windows\system32\suwcamwo.dll
c:\windows\system32\gopejlke.dll
c:\windows\system32\loxydo.pif
c:\Program Files\Common Files\elelahyp.reg
c:\windows\system32\tljcdpkpffbgtpt.dll
c:\windows\system32\cont_offersfortoday-remove.exe
c:\windows\system32\mcvowdhmpaic.exe
c:\windows\cvchost.exe
c:\windows\dl.exe
c:\windows\msstasks.exe
c:\windows\mssys.com
c:\windows\mstasks1.exe
c:\windows\mstaskss.exe
c:\windows\msxmidi.exe
c:\windows\reg33.exe
c:\windows\rocky.exe
c:\windows\system\wmscrop.exe
c:\windows\system32\d2kpax.exe
c:\windows\system32\ied.exe
c:\windows\system32\miniport_mp.exe
c:\windows\system32\winproc32.exe
c:\windows\system32\tljcdpkpffbgtpt.dll
c:\windows\system32\U3cSBf33.exe 

File::
c:\windows\Tasks\At1.job
c:\windows\Tasks\At10.job
c:\windows\Tasks\At11.job
c:\windows\Tasks\At12.job
c:\windows\Tasks\At13.job
c:\windows\Tasks\At14.job
c:\windows\Tasks\At15.job
c:\windows\Tasks\At16.job
c:\windows\Tasks\At17.job
c:\windows\Tasks\At18.job
c:\windows\Tasks\At19.job
c:\windows\Tasks\At2.job
c:\windows\Tasks\At20.job
c:\windows\Tasks\At21.job
c:\windows\Tasks\At22.job
c:\windows\Tasks\At23.job
c:\windows\Tasks\At24.job
c:\windows\Tasks\At3.job
c:\windows\Tasks\At4.job
c:\windows\Tasks\At5.job
c:\windows\Tasks\At6.job
c:\windows\Tasks\At7.job
c:\windows\Tasks\At8.job
c:\windows\Tasks\At9.job

Folder::
c:\program files\AntivirusPro2009

Registry::
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{BBEF9CDB-E1F7-8D3A-2682-9B6FBD0B9127}]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"keocrolkmdtikea"=-

Save this as CFScript.txt

Refering to the picture above, drag CFScript.txt into ComboFix.exe

When finished, it shall produce a log for you, C:\ComboFix.txt. Post that log in your next reply.
**Note**

When CF finishes running, the ComboFix log will open along with a message box--do not be alarmed. With the above script, ComboFix will capture files to submit for analysis.

Ensure you are connected to the internet and click OK on the message box.
A browser will open.
Simply follow the instructions to copy/paste/send the requested file.

================================================

Establish an internet connection & perform an online scan with Internet Explorer at
Go here to run an online scannner from ESET.

Note: You will need to use Internet explorer for this scan
Turn off the real time scanner of any existing antivirus program while performing the online scan
Tick the box next to YES, I accept the Terms of Use.
Click Start
When asked, allow the activex control to install
Click Start
Make sure that the option Remove found threats and the option Scan unwanted applications are checked
Click Scan
Wait for the scan to finish
Use notepad to open the logfile located at C:\Program Files\EsetOnlineScanner\log.txt
Copy and paste that log as a reply to this topic and also let me know how things are now.

=================

Upload this file

c:\program files\Common Files\erib.bin

to http://virusscan.jotti.org and report back what it found.

At the top of the window you should see "File to Upload & scan" and a blank box. Copy and paste the red text from above into the box. Then click "submit".

When it is finished, please copy and paste the information listed under "Service" and "Scanner Results" here.

**If the site is too busy, upload it to http://www.virustotal.com/en/indexf.html

=================

In your next post, please include fresh logs from:

ComboFix.txt
EsetOnlineScanner log.txt
Jotti report

Please provide details of any problems you encountered whilst performing the above steps & update us on how the computer behaves now

ericgarcb · 11-09-2008, 12:40 AM

Hello,

My computer seems to be running a lot quicker now. And I haven't seen or heard any pop-ups. The fresh logs are pasted below.

Thanks again,
Eric

ComboFix 08-11-07.01 - Edlaze500 2008-11-08 21:42:08.2 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.226 [GMT -5:00]
Running from: c:\documents and settings\Edlaze500\Desktop\ComboFix.exe
Command switches used :: c:\documents and settings\Edlaze500\Desktop\CFScript.txt
* Created a new restore point

FILE ::
c:\windows\Tasks\At1.job
c:\windows\Tasks\At10.job
c:\windows\Tasks\At11.job
c:\windows\Tasks\At12.job
c:\windows\Tasks\At13.job
c:\windows\Tasks\At14.job
c:\windows\Tasks\At15.job
c:\windows\Tasks\At16.job
c:\windows\Tasks\At17.job
c:\windows\Tasks\At18.job
c:\windows\Tasks\At19.job
c:\windows\Tasks\At2.job
c:\windows\Tasks\At20.job
c:\windows\Tasks\At21.job
c:\windows\Tasks\At22.job
c:\windows\Tasks\At23.job
c:\windows\Tasks\At24.job
c:\windows\Tasks\At3.job
c:\windows\Tasks\At4.job
c:\windows\Tasks\At5.job
c:\windows\Tasks\At6.job
c:\windows\Tasks\At7.job
c:\windows\Tasks\At8.job
c:\windows\Tasks\At9.job
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\program files\AntivirusPro2009
c:\program files\AntivirusPro2009\htmlayout.dll
c:\program files\AntivirusPro2009\pthreadVC2.dll
c:\program files\Common Files\elelahyp.reg
c:\windows\cvchost.exe
c:\windows\dl.exe
c:\windows\msstasks.exe
c:\windows\mssys.com
c:\windows\mstasks1.exe
c:\windows\mstaskss.exe
c:\windows\msxmidi.exe
c:\windows\reg33.exe
c:\windows\rocky.exe
c:\windows\system\wmscrop.exe
c:\windows\system32\cont_offersfortoday-remove.exe
c:\windows\system32\d2kpax.exe
c:\windows\system32\gopejlke.dll
c:\windows\system32\ied.exe
c:\windows\system32\loxydo.pif
c:\windows\system32\mcvowdhmpaic.exe
c:\windows\system32\miniport_mp.exe
c:\windows\system32\suwcamwo.dll
c:\windows\system32\tljcdpkpffbgtpt.dll
c:\windows\system32\winproc32.exe
c:\windows\Tasks\At1.job
c:\windows\Tasks\At10.job
c:\windows\Tasks\At11.job
c:\windows\Tasks\At12.job
c:\windows\Tasks\At13.job
c:\windows\Tasks\At14.job
c:\windows\Tasks\At15.job
c:\windows\Tasks\At16.job
c:\windows\Tasks\At17.job
c:\windows\Tasks\At18.job
c:\windows\Tasks\At19.job
c:\windows\Tasks\At2.job
c:\windows\Tasks\At20.job
c:\windows\Tasks\At21.job
c:\windows\Tasks\At22.job
c:\windows\Tasks\At23.job
c:\windows\Tasks\At24.job
c:\windows\Tasks\At3.job
c:\windows\Tasks\At4.job
c:\windows\Tasks\At5.job
c:\windows\Tasks\At6.job
c:\windows\Tasks\At7.job
c:\windows\Tasks\At8.job
c:\windows\Tasks\At9.job

.
((((((((((((((((((((((((( Files Created from 2008-10-09 to 2008-11-09 )))))))))))))))))))))))))))))))
.

2008-11-06 00:24 . 2008-11-08 11:39 6,540,832 --ahs---- c:\windows\system32\drivers\fidbox.dat
2008-11-06 00:24 . 2008-11-08 21:37 507,936 --ahs---- c:\windows\system32\drivers\fidbox2.dat
2008-11-06 00:24 . 2008-11-08 11:39 52,180 --ahs---- c:\windows\system32\drivers\fidbox.idx
2008-11-06 00:24 . 2008-11-08 21:37 2,816 --ahs---- c:\windows\system32\drivers\fidbox2.idx
2008-11-05 23:56 . 2008-11-06 00:39 96,976 --a------ c:\windows\system32\drivers\klin.dat
2008-11-05 23:56 . 2008-11-05 23:56 87,855 --a------ c:\windows\system32\drivers\klick.dat
2008-11-05 23:51 . 2008-11-08 15:43 <DIR> d-------- c:\documents and settings\All Users\Application Data\Kaspersky Lab
2008-11-05 23:17 . 2008-11-05 23:17 <DIR> d-------- c:\documents and settings\All Users\Application Data\Kaspersky Lab Setup Files
2008-11-05 19:08 . 2008-11-05 19:08 552 --a------ c:\windows\system32\d3d8caps.dat
2008-11-02 13:56 . 2008-11-02 13:58 <DIR> d-------- C:\rsit
2008-11-02 00:41 . 2008-11-02 00:47 250 --a------ c:\windows\gmer.ini
2008-11-01 23:03 . 2008-11-01 23:03 18,507 --a------ c:\windows\system32\igine.db
2008-11-01 23:03 . 2008-11-01 23:03 13,081 --a------ c:\program files\Common Files\erib.bin
2008-11-01 09:31 . 2008-11-05 22:37 <DIR> d-------- C:\quarantine
2008-10-24 12:14 . 2008-10-15 11:34 337,408 --a--c--- c:\windows\system32\dllcache\netapi32.dll
2008-10-16 10:06 . 2008-09-08 05:41 333,824 --a--c--- c:\windows\system32\dllcache\srv.sys
2008-10-16 10:01 . 2008-08-14 05:11 2,189,184 --a--c--- c:\windows\system32\dllcache\ntoskrnl.exe
2008-10-16 10:01 . 2008-08-14 05:09 2,145,280 --a--c--- c:\windows\system32\dllcache\ntkrnlmp.exe
2008-10-16 10:01 . 2008-09-15 07:12 1,846,400 --a--c--- c:\windows\system32\dllcache\win32k.sys
2008-10-16 10:00 . 2008-08-14 04:33 2,066,048 --a--c--- c:\windows\system32\dllcache\ntkrnlpa.exe
2008-10-16 10:00 . 2008-08-14 04:33 2,023,936 --a--c--- c:\windows\system32\dllcache\ntkrpamp.exe

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-11-07 06:57 --------- d-----w c:\program files\QuickTime
2008-11-07 06:55 --------- d-----w c:\program files\Common Files\Real
2008-11-06 04:51 --------- d-----w c:\program files\Kaspersky Lab
2008-11-06 04:42 --------- d-----w c:\program files\Spybot - Search & Destroy
2008-11-06 04:42 --------- d-----w c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
2008-11-02 18:57 --------- d-----w c:\program files\Trend Micro
2008-11-02 05:31 --------- d-----w c:\program files\LimeWire
2008-10-23 14:57 --------- d-----w c:\program files\Microsoft Silverlight
2008-09-15 12:12 1,846,400 ----a-w c:\windows\system32\win32k.sys
2008-09-12 21:33 --------- d-----w c:\documents and settings\Edlaze500\Application Data\Move Networks
2008-09-11 23:23 --------- d-----w c:\documents and settings\Edlaze500\Application Data\Leadertech
2008-09-05 20:55 77,824 ----a-w c:\windows\pchealth\helpctr\Vendors\CN=Hewlett-Packard,L=Cupertino,S=Ca,C=US\Pavilion\XPENABS3EN\plugin\bin\WinVerifyTrust.dll
2008-09-05 20:55 159,744 ----a-w c:\windows\pchealth\helpctr\Vendors\CN=Hewlett-Packard,L=Cupertino,S=Ca,C=US\Pavilion\XPENABS3EN\plugin\bin\PCHButton.exe
2008-09-05 20:55 122,880 ----a-w c:\windows\pchealth\helpctr\Vendors\CN=Hewlett-Packard,L=Cupertino,S=Ca,C=US\Pavilion\XPENABS3EN\plugin\bin\SearchCtrl.dll
2008-09-05 20:54 49,152 ----a-w c:\windows\pchealth\helpctr\Vendors\CN=Hewlett-Packard,L=Cupertino,S=Ca,C=US\Pavilion\XPENABS3EN\plugin\bin\PCHI18N.dll
2008-09-05 20:54 420,432 ----a-w c:\windows\pchealth\helpctr\Vendors\CN=Hewlett-Packard,L=Cupertino,S=Ca,C=US\Pavilion\XPENABS3EN\plugin\bin\pchplugin.zip
2008-09-05 20:54 126,976 ----a-w c:\windows\pchealth\helpctr\Vendors\CN=Hewlett-Packard,L=Cupertino,S=Ca,C=US\Pavilion\XPENABS3EN\plugin\bin\ContentUpdater.exe
2008-09-05 20:54 106,496 ----a-w c:\windows\pchealth\helpctr\Vendors\CN=Hewlett-Packard,L=Cupertino,S=Ca,C=US\Pavilion\XPENABS3EN\plugin\bin\PluginCtrl.dll
2008-09-05 20:53 1,306,152 ----a-w c:\windows\pchealth\helpctr\Vendors\CN=Hewlett-Packard,L=Cupertino,S=Ca,C=US\Pavilion\XPENABS3EN\plugin\bin\motdeusr.zip
2008-08-26 07:24 826,368 ----a-w c:\windows\system32\wininet.dll
2008-08-14 10:09 2,145,280 ----a-w c:\windows\system32\ntoskrnl.exe
2008-08-14 09:33 2,023,936 ----a-w c:\windows\system32\ntkrnlpa.exe
2005-01-27 02:07 0 --sh--r c:\program files\q330994.exe
2005-01-27 02:07 0 --sh--r c:\windows\dlm.exe
2005-01-27 02:07 0 --sh--r c:\windows\ntldr.exe
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"MSMSGS"="c:\program files\Messenger\msmsgs.exe" [2008-04-13 1695232]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-13 15360]
"NVIEW"="nview.dll" [2003-07-28 c:\windows\system32\nview.dll]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"UserFaultCheck"="c:\windows\system32\dumprep 0 -u" [X]
"ehTray"="c:\windows\ehome\ehtray.exe" [2008-04-13 50176]
"hpsysdrv"="c:\windows\system\hpsysdrv.exe" [1998-05-07 52736]
"KYE_Showicon"="c:\program files\USB Storage RW\shwicon.exe" [2002-10-25 69632]
"Share-to-Web Namespace Daemon"="c:\program files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe" [2002-04-17 69632]
"CamMonitor"="c:\program files\Hewlett-Packard\Digital Imaging\Unload\hpqcmon.exe" [2002-06-18 69632]
"KBD"="c:\hp\KBD\KBD.EXE" [2003-02-11 61440]
"StorageGuard"="c:\program files\VERITAS Software\Update Manager\sgtray.exe" [2002-06-18 155648]
"WCOLOREAL"="c:\program files\Coloreal\coloreal.exe" [2002-11-26 131072]
"Recguard"="c:\windows\SMINST\RECGUARD.EXE" [2002-09-13 212992]
"NvCplDaemon"="c:\windows\System32\NvCpl.dll" [2003-07-28 4841472]
"ServiceLayer"="c:\program files\Common Files\Nokia\Services\ServiceLayer.exe" [2002-10-16 69632]
"Nokia Tray Application"="c:\program files\Common Files\Nokia\NCLTools\NclTray.exe" [2002-10-22 598016]
"NvMediaCenter"="c:\windows\system32\NvMcTray.dll" [2003-07-28 49152]
"HP Software Update"="c:\program files\Hewlett-Packard\HP Software Update\HPWuSchd2.exe" [2005-02-16 49152]
"NeroFilterCheck"="c:\windows\system32\NeroCheck.exe" [2001-07-09 155648]
"Adobe Photo Downloader"="c:\program files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe" [2005-06-06 57344]
"DVDTray"="c:\program files\HP DVD\Umbrella\DVDTray.exe" [2003-07-23 65536]
"SunJavaUpdateSched"="c:\program files\Java\jre1.6.0_07\bin\jusched.exe" [2008-06-10 144784]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2008-02-19 267048]
"ABBYY Community Agent"="c:\program files\ABBYY FineReader 5.0 Sprint\CAgent.exe" [2002-03-20 253952]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2008-06-12 34672]
"AVP"="c:\program files\Kaspersky Lab\Kaspersky Internet Security 2009\avp.exe" [2008-07-29 206088]
"nwiz"="nwiz.exe" [2003-07-28 c:\windows\system32\nwiz.exe]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"ForceClassicControlPanel"= 1 (0x1)

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"vidc.DIV3"= DIVXc32.dll
"vidc.DIV4"= DIVXc32f.dll

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusDisableNotify"=dword:00000001
"UpdatesDisableNotify"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\KasperskyAntiVirus]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Hewlett-Packard\\HP Software Update\\HPWUCli.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\\Program Files\\Cisco Systems\\VPN Client\\vpngui.exe"=
"c:\\Program Files\\NetMeeting\\conf.exe"=
"c:\\Program Files\\eMule\\emule.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"3389:TCP"= 3389:TCP:@xpsp2res.dll,-22009

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\IcmpSettings]
"AllowInboundEchoRequest"= 1 (0x1)

R0 klbg;Kaspersky Lab Boot Guard Driver;c:\windows\system32\drivers\klbg.sys [2008-01-29 32784]
R0 pavboot;pavboot;c:\windows\system32\drivers\pavboot.sys [2008-06-19 28544]
R3 hcwPVRP2;Hauppauge WinTV PVR PCI II (Encoder);c:\windows\system32\DRIVERS\hcwPVRP2.sys [2003-02-19 1031520]
R3 KLFLTDEV;Kaspersky Lab KLFltDev;c:\windows\system32\DRIVERS\klfltdev.sys [2008-03-13 26640]
R3 klim5;Kaspersky Anti-Virus NDIS Filter;c:\windows\system32\DRIVERS\klim5.sys [2008-04-30 24592]
R3 RimSerPort;RIM Virtual Serial Port;c:\windows\system32\DRIVERS\RimSerial.sys [2004-08-06 17920]
S3 pc22nd5;Toshiba PCX2200 USB Cable Modem networking driver (NDIS);c:\windows\system32\DRIVERS\pc22nd5.sys [2001-11-09 17648]
S3 pc22unic;Toshiba PCX2200 USB Cable Modem WDM driver;c:\windows\system32\DRIVERS\pc22unic.sys [2001-11-09 69744]
S3 PCDRDRV;Pcdr Helper Driver;c:\progra~1\PC-DOC~1\DIAGNO~1\PCDRDRV.sys [ ]

*Newly Created Service* - CATCHME
.
Contents of the 'Scheduled Tasks' folder

2008-11-05 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2007-08-29 14:57]
.

**************************************************************************

catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-11-08 21:48:52
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
Completion time: 2008-11-08 21:53:21
ComboFix-quarantined-files.txt 2008-11-09 02:52:41
ComboFix2.txt 2008-11-08 08:13:04

Pre-Run: 10,739,957,760 bytes free
Post-Run: 10,741,198,848 bytes free

223 --- E O F --- 2008-10-24 22:01:58

# version=4
# OnlineScanner.ocx=1.0.0.56
# OnlineScannerDLLA.dll=1, 0, 0, 51
# OnlineScannerDLLW.dll=1, 0, 0, 51
# OnlineScannerUninstaller.exe=1, 0, 0, 49
# vers_standard_module=3597 (20081108)
# vers_arch_module=1.064 (20080214)
# vers_adv_heur_module=1.066 (20070917)
# EOSSerial=c163db1d8b2b6145a9137a5459c00ddc
# end=finished
# remove_checked=true
# unwanted_checked=true
# utc_time=2008-11-09 05:21:01
# local_time=2008-11-09 12:21:01 (-0500, Eastern Standard Time)
# country="United States"
# osver=5.1.2600 NT Service Pack 3
# scanned=720500
# found=7
# scan_time=8183
C:\Documents and Settings\Edlaze500\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\OP.jar-4b9c0e39-5851bd08.zip Java/TrojanDownloader.OpenStream.NAA trojan (deleted) 00000000000000000000000000000000
C:\Documents and Settings\Edlaze500\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\OP.jar-4b9c0e39-5851bd08.zip »ZIP »OP.class Java/TrojanDownloader.OpenStream.NAA trojan (error while cleaning - operation unavailable for this type of object - error while deleting - operation unavailable for this type of object - was a part of the deleted object) 00000000000000000000000000000000
C:\Qoobox\Quarantine\[4]-Submit_2008-11-08@21.41.zip Win32/Adware.GooochiBiz application (deleted) 00000000000000000000000000000000
C:\Qoobox\Quarantine\[4]-Submit_2008-11-08@21.41.zip »ZIP »tljcdpkpffbgtpt.dll Win32/Adware.GooochiBiz application (error while cleaning - operation unavailable for this type of object - error while deleting - operation unavailable for this type of object - was a part of the deleted object) 00000000000000000000000000000000
C:\Qoobox\Quarantine\C\WINDOWS\system32\jkkhysqg.dll.vir Win32/Adware.Virtumonde.NDF application (unable to clean - deleted) 00000000000000000000000000000000
C:\Qoobox\Quarantine\C\WINDOWS\system32\msxml71.dll.vir Win32/Adware.BHO.NEW application (unable to clean - deleted) 00000000000000000000000000000000
C:\Qoobox\Quarantine\C\WINDOWS\system32\wpv106.cpx.vir Win32/TrojanDownloader.Agent.OKY trojan (unable to clean - deleted) 00000000000000000000000000000000

_________________________________________________________________________________

Service
Service load: 0% 100%

File: erib.bin
Status: OK
MD5: cff28e70d27c3035809f8c2e9d9f012f
Packers detected: -

Scanner results
Scan taken on 09 Nov 2008 07:28:40 (GMT)
A-Squared Found nothing
AntiVir Found nothing
ArcaVir Found nothing
Avast Found nothing
AVG Antivirus Found nothing
BitDefender Found nothing
ClamAV Found nothing
CPsecure Found nothing
Dr.Web Found nothing
F-Prot Antivirus Found nothing
F-Secure Anti-Virus Found nothing
G DATA Found nothing
Ikarus Found nothing
Kaspersky Anti-Virus Found nothing
NOD32 Found nothing
Norman Virus Control Found nothing
Panda Antivirus Found nothing
Sophos Antivirus Found nothing
VirusBuster Found nothing
VBA32 Found nothing

alba · 11-09-2008, 02:59 AM

Hi

Your logs are clean

=================

The following procedure will clear out the tools we've used as well as the backups and quarantines created by the fix. It will also reset your System Restore by flushing out previous restore points (which contain the infections) and create a new restore point.

Click Start > Run and copy/paste, or type the following bolded text into the Run box and click OK:

ComboFix /u

To help protect your computer in the future I recommend that you get the following free programs if you do not already have them:

McAfee Site Advisor--free version. The folks there check out websites and based on their findings, rate it as Safe, Unknown, Caution, or Bad.

SpywareBlaster 3.5.1 to help prevent spyware from installing in the first place. Install & update SpywareBlaster with the latest definitions. After you have updated, click the button - enable protection for all unprotected items.

It will block any bad ActiveX from running in Internet Explorer and Firefox if it's listed in their database (which you should update frequently). To view their database and list of restricted sites, launch the program and click on each of the tabs on the main display page.

IESpyAD Zoned Out to block access to malicious websites so you cannot be redirected to them from an infected site or email. This severely impairs attempts to infect your system as it basically prevents any downloads (Cookies etc) from the sites listed, although you will still be able to connect to the sites.

Update, and scan with your onboard Anti Malware and Anti Virus programs regularly. Without regular updates you will not be protected when new malicious programs are released.

In light of your recent issue, I'm sure you'd like to avoid any future infections. Please take a look at these well written articles:

PC Safety and Security--What Do I Need?

HOW DID I GET INFECTED IN THE FIRST PLACE? by Tony Klein
MAKING INTERNET EXPLORER SAFER

**Be very wary with any security software that is advertised in popups or in other ways. They are not only usually of no use, but often have malware in them.

=================

Follow the list above and the potential for infection will reduce dramatically.

Please respond to this thread one more time so we can mark this thread as resolved.

ericgarcb · 11-09-2008, 11:19 AM

Hi again,

Thanks, my computer is running smoothly!!

I installed the programs you suggested.

What anti-virus/Firewall/Internet Security program would you suggest? Which do you believe is the most effective out there?

Thank you,
Eric

alba · 11-09-2008, 12:15 PM

Hi ericgarcb

Please choose one from any of these 3 programs which are free for home use:

I also recommend doing the following

Your Java is out of date. Older versions have vulnerabilities that malware can use to infect your system. Please follow these steps to remove older version Java components and update.

Download the latest version of Java Runtime Environment (JRE) 6 and save it to your desktop.
Scroll down to where it says "Java SE Runtime Environment (JRE) 6 Update 10. The Java SE Runtime Environment (JRE) allows end-users to run Java applications."
Click the "Download" button to the right.
Select the Windows platform from the dropdown menu.
Read the License Agreement and then check the box that says: "Accept License Agreement". Click on Continue.The page will refresh.
Click on the link to download Windows Offline Installation and save the file to your desktop.
Close any programs you may have running - especially your web browser.
Go to Start > Settings > Control Panel, double-click on Add/Remove Programs and remove all older versions of Java.
Check (highlight) any item with Java Runtime Environment (JRE or J2SE or Java(TM) 6) in the name.
Click the Remove or Change/Remove button.
Repeat as many times as necessary to remove each Java versions.
Reboot your computer once all Java components are removed.
Then from your desktop double-click on jre-6u10-windows-i586-p.exe to install the newest version.

After the install is complete, go into the Control Panel (using Classic View) and double-click the Java Icon. (looks like a coffee cup)
- On the General tab, under Temporary Internet Files, click the Settings button.
- Next, click on the Delete Files button
- There are two options in the window to clear the cache - Leave BOTH Checked
  - Applications and Applets
    Trace and Log Files
- Click OK on Delete Temporary Files Window
  Note: This deletes ALL the Downloaded Applications and Applets from the CACHE.
- Click OK to leave the Temporary Files Window
- Click OK to leave the Java Control Panel.

11-05-2008, 04:49 PM	#2 (permalink)
ericgarcb Registered User Join Date: Jan 2005 Posts: 30 OS: winxp	Re: Infected by vundo.gen.k (trojan) and pop ups abound BUMP, please

11-07-2008, 12:00 PM	#3 (permalink)
alba Analyst, Security Team Join Date: Feb 2005 Location: Eire Posts: 2,006 OS: Vista, Ubuntu 8.04	Re: Infected by vundo.gen.k (trojan) and pop ups abound Hi ericgarcb Please read this post completely before begining the fix. If there's anything that you do not understand, kindly ask your questions before proceeding. Please ensure that there aren't any opened browsers when you are carrying out the procedures below. Save the following instructions in Notepad as this webpage would not be available when you're carrying out the fix. IT IS IMPORTANT THAT YOU DON'T MISS A STEP & PERFORM EVERYTHING IN THE RIGHT ORDER. =============================================== Download ComboFix from one of these locations: Link 1 Link 2 Link 3 * IMPORTANT !!! Save ComboFix.exe to your Desktop Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools Double click on ComboFix.exe & follow the prompts. As part of it's process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware. Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console. Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue it's malware removal procedures. Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message: Click on Yes, to continue scanning for malware. When finished, it shall produce a log for you. Please include the C:\ComboFix.txt in your next reply. ================= Please Run a scan with HiJackThis and save the log ================= In your next post, please include fresh logs from: ComboFix.txt HiJackThis Please provide details of any problems you encountered whilst performing the above steps & update us on how the computer behaves now __________________ Member of UNITE If I have helped you in anyway, please DONATE to TSF Go raibh maith agat**

11-08-2008, 08:30 AM	#4 (permalink)
ericgarcb Registered User Join Date: Jan 2005 Posts: 30 OS: winxp	Re: Infected by vundo.gen.k (trojan) and pop ups abound Hello, Fresh Combofix and Hijack logs are pasted below. Thanks again, Eric ComboFix 08-11-07.01 - Edlaze500 2008-11-08 1:44:25.1 - NTFSx86 Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.221 [GMT -5:00] Running from: c:\documents and settings\Edlaze500\Desktop\ComboFix.exe * Created a new restore point . ((((((((((((((((((((((((((((((((((((((( Other Deletions ))))))))))))))))))))))))))))))))))))))))))))))))) . C:\bold.log c:\documents and settings\Edlaze500\Application Data\Facegame c:\documents and settings\Edlaze500\Cookies\mafycu.dl c:\documents and settings\Edlaze500\Local Settings\Temporary Internet Files\fbk.sts c:\documents and settings\Edlaze500\Local Settings\Temporary Internet Files\ywoxuvihed.exe C:\e.exe C:\m.exe C:\ntldr.exe C:\p.exe C:\q.exe C:\win.txt c:\windows\Fonts\acrsecB.fon c:\windows\Fonts\acrsecI.fon c:\windows\Readme.txt c:\windows\system.exe c:\windows\system\system.exe c:\windows\system32\DelSelf.bat c:\windows\system32\egabuwoy.ini c:\windows\system32\gPAbHRqr.ini c:\windows\system32\gPAbHRqr.ini2 c:\windows\system32\gQsYHkkj.ini c:\windows\system32\gQsYHkkj.ini2 c:\windows\system32\jkkhysqg.dll c:\windows\system32\mcc.exe c:\windows\system32\mcrh.tmp c:\windows\system32\msxml71.dll c:\windows\system32\U3cSBf33.exe.a_a c:\windows\system32\vloxhjfs.ini c:\windows\system32\wpv106.cpx c:\windows\wiaserviv.log D:\Autorun.inf . ((((((((((((((((((((((((((((((((((((((( Drivers/Services ))))))))))))))))))))))))))))))))))))))))))))))))) . -------\Legacy_ZESOFT ((((((((((((((((((((((((( Files Created from 2008-10-08 to 2008-11-08 ))))))))))))))))))))))))))))))) . 2008-11-06 00:24 . 2008-11-08 01:51 6,540,832 --ahs---- c:\windows\system32\drivers\fidbox.dat 2008-11-06 00:24 . 2008-11-08 01:58 458,784 --ahs---- c:\windows\system32\drivers\fidbox2.dat 2008-11-06 00:24 . 2008-11-08 01:51 52,180 --ahs---- c:\windows\system32\drivers\fidbox.idx 2008-11-06 00:24 . 2008-11-08 01:58 2,676 --ahs---- c:\windows\system32\drivers\fidbox2.idx 2008-11-05 23:56 . 2008-11-06 00:39 96,976 --a------ c:\windows\system32\drivers\klin.dat 2008-11-05 23:56 . 2008-11-05 23:56 87,855 --a------ c:\windows\system32\drivers\klick.dat 2008-11-05 23:51 . 2008-11-08 01:19 <DIR> d-------- c:\documents and settings\All Users\Application Data\Kaspersky Lab 2008-11-05 23:17 . 2008-11-05 23:17 <DIR> d-------- c:\documents and settings\All Users\Application Data\Kaspersky Lab Setup Files 2008-11-05 19:08 . 2008-11-05 19:08 552 --a------ c:\windows\system32\d3d8caps.dat 2008-11-05 16:42 . 2008-11-05 16:42 68,356 --a------ c:\windows\system32\suwcamwo.dll 2008-11-05 16:38 . 2008-11-05 16:39 74,656 --a------ c:\windows\system32\gopejlke.dll 2008-11-02 13:56 . 2008-11-02 13:58 <DIR> d-------- C:\rsit 2008-11-02 00:41 . 2008-11-02 00:47 250 --a------ c:\windows\gmer.ini 2008-11-01 23:03 . 2008-11-01 23:03 19,694 --a------ c:\windows\system32\loxydo.pif 2008-11-01 23:03 . 2008-11-01 23:03 18,507 --a------ c:\windows\system32\igine.db 2008-11-01 23:03 . 2008-11-01 23:03 13,901 --a------ c:\program files\Common Files\elelahyp.reg 2008-11-01 23:03 . 2008-11-01 23:03 13,081 --a------ c:\program files\Common Files\erib.bin 2008-11-01 22:52 . 2008-11-07 09:19 <DIR> d-------- c:\program files\AntivirusPro2009 2008-11-01 09:31 . 2008-11-05 22:37 <DIR> d-------- C:\quarantine 2008-11-01 03:41 . 2008-11-01 03:41 178,176 --a------ c:\windows\system32\tljcdpkpffbgtpt.dll 2008-10-24 12:14 . 2008-10-15 11:34 337,408 --a--c--- c:\windows\system32\dllcache\netapi32.dll 2008-10-23 14:41 . 2008-10-31 16:34 102,172 --a------ c:\windows\system32\cont_offersfortoday-remove.exe 2008-10-23 14:41 . 2008-11-01 09:31 77,947 --a------ c:\windows\system32\mcvowdhmpaic.exe 2008-10-16 10:06 . 2008-09-08 05:41 333,824 --a--c--- c:\windows\system32\dllcache\srv.sys 2008-10-16 10:01 . 2008-08-14 05:11 2,189,184 --a--c--- c:\windows\system32\dllcache\ntoskrnl.exe 2008-10-16 10:01 . 2008-08-14 05:09 2,145,280 --a--c--- c:\windows\system32\dllcache\ntkrnlmp.exe 2008-10-16 10:01 . 2008-09-15 07:12 1,846,400 --a--c--- c:\windows\system32\dllcache\win32k.sys 2008-10-16 10:00 . 2008-08-14 04:33 2,066,048 --a--c--- c:\windows\system32\dllcache\ntkrnlpa.exe 2008-10-16 10:00 . 2008-08-14 04:33 2,023,936 --a--c--- c:\windows\system32\dllcache\ntkrpamp.exe . (((((((((((((((((((((((((((((((((((((((( Find3M Report )))))))))))))))))))))))))))))))))))))))))))))))))))) . 2008-11-07 06:57 --------- d-----w c:\program files\QuickTime 2008-11-07 06:55 --------- d-----w c:\program files\Common Files\Real 2008-11-06 04:51 --------- d-----w c:\program files\Kaspersky Lab 2008-11-06 04:42 --------- d-----w c:\program files\Spybot - Search & Destroy 2008-11-06 04:42 --------- d-----w c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy 2008-11-02 18:57 --------- d-----w c:\program files\Trend Micro 2008-11-02 05:31 --------- d-----w c:\program files\LimeWire 2008-10-23 14:57 --------- d-----w c:\program files\Microsoft Silverlight 2008-09-12 21:33 --------- d-----w c:\documents and settings\Edlaze500\Application Data\Move Networks 2008-09-11 23:23 --------- d-----w c:\documents and settings\Edlaze500\Application Data\Leadertech 2008-09-08 10:41 333,824 ----a-w c:\windows\system32\drivers\srv.sys 2005-01-27 02:07 0 --sh--r c:\program files\q330994.exe 2005-01-27 02:07 0 --sh--r c:\windows\cvchost.exe 2005-01-27 02:07 0 --sh--r c:\windows\dl.exe 2005-01-27 02:07 0 --sh--r c:\windows\dlm.exe 2005-01-27 02:07 0 --sh--r c:\windows\msstasks.exe 2005-01-27 02:07 0 --sh--r c:\windows\mssys.com 2005-01-27 02:07 0 --sh--r c:\windows\mstasks1.exe 2005-01-27 02:07 0 --sh--r c:\windows\mstaskss.exe 2005-01-27 02:07 0 --sh--r c:\windows\msxmidi.exe 2005-01-27 02:07 0 --sh--r c:\windows\ntldr.exe 2005-01-27 02:07 0 --sh--r c:\windows\reg33.exe 2005-01-27 02:07 0 --sh--r c:\windows\rocky.exe 2005-01-27 02:07 0 --sh--r c:\windows\system\wmscrop.exe 2005-01-27 02:07 0 --sha-r c:\windows\system32\d2kpax.exe 2005-01-27 02:07 0 --sha-r c:\windows\system32\ied.exe 2005-01-27 02:07 0 --sha-r c:\windows\system32\miniport_mp.exe 2005-01-27 02:07 0 --sha-r c:\windows\system32\winproc32.exe . ((((((((((((((((((((((((((((((((((((( Reg Loading Points )))))))))))))))))))))))))))))))))))))))))))))))))) . . Note empty entries & legit default entries are not shown REGEDIT4 [HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{BBEF9CDB-E1F7-8D3A-2682-9B6FBD0B9127}] 2008-11-01 03:41 178176 --a------ c:\windows\system32\tljcdpkpffbgtpt.dll [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run] "MSMSGS"="c:\program files\Messenger\msmsgs.exe" [2008-04-13 1695232] "ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-13 15360] "NVIEW"="nview.dll" [2003-07-28 c:\windows\system32\nview.dll] [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run] "UserFaultCheck"="c:\windows\system32\dumprep 0 -u" [X] "ehTray"="c:\windows\ehome\ehtray.exe" [2008-04-13 50176] "hpsysdrv"="c:\windows\system\hpsysdrv.exe" [1998-05-07 52736] "KYE_Showicon"="c:\program files\USB Storage RW\shwicon.exe" [2002-10-25 69632] "Share-to-Web Namespace Daemon"="c:\program files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe" [2002-04-17 69632] "CamMonitor"="c:\program files\Hewlett-Packard\Digital Imaging\Unload\hpqcmon.exe" [2002-06-18 69632] "KBD"="c:\hp\KBD\KBD.EXE" [2003-02-11 61440] "StorageGuard"="c:\program files\VERITAS Software\Update Manager\sgtray.exe" [2002-06-18 155648] "WCOLOREAL"="c:\program files\Coloreal\coloreal.exe" [2002-11-26 131072] "Recguard"="c:\windows\SMINST\RECGUARD.EXE" [2002-09-13 212992] "NvCplDaemon"="c:\windows\System32\NvCpl.dll" [2003-07-28 4841472] "ServiceLayer"="c:\program files\Common Files\Nokia\Services\ServiceLayer.exe" [2002-10-16 69632] "Nokia Tray Application"="c:\program files\Common Files\Nokia\NCLTools\NclTray.exe" [2002-10-22 598016] "NvMediaCenter"="c:\windows\system32\NvMcTray.dll" [2003-07-28 49152] "HP Software Update"="c:\program files\Hewlett-Packard\HP Software Update\HPWuSchd2.exe" [2005-02-16 49152] "NeroFilterCheck"="c:\windows\system32\NeroCheck.exe" [2001-07-09 155648] "Adobe Photo Downloader"="c:\program files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe" [2005-06-06 57344] "DVDTray"="c:\program files\HP DVD\Umbrella\DVDTray.exe" [2003-07-23 65536] "SunJavaUpdateSched"="c:\program files\Java\jre1.6.0_07\bin\jusched.exe" [2008-06-10 144784] "iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2008-02-19 267048] "ABBYY Community Agent"="c:\program files\ABBYY FineReader 5.0 Sprint\CAgent.exe" [2002-03-20 253952] "Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2008-06-12 34672] "keocrolkmdtikea"="c:\windows\system32\tljcdpkpffbgtpt.dll" [2008-11-01 178176] "AVP"="c:\program files\Kaspersky Lab\Kaspersky Internet Security 2009\avp.exe" [2008-07-29 206088] "nwiz"="nwiz.exe" [2003-07-28 c:\windows\system32\nwiz.exe] [HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer] "ForceClassicControlPanel"= 1 (0x1) [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32] "vidc.DIV3"= DIVXc32.dll "vidc.DIV4"= DIVXc32f.dll [HKEY_LOCAL_MACHINE\software\microsoft\security center] "AntiVirusDisableNotify"=dword:00000001 "UpdatesDisableNotify"=dword:00000001 [HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\KasperskyAntiVirus] "DisableMonitoring"=dword:00000001 [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile] "EnableFirewall"= 0 (0x0) [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List] "%windir%\\system32\\sessmgr.exe"= "c:\\Program Files\\Hewlett-Packard\\HP Software Update\\HPWUCli.exe"= "%windir%\\Network Diagnostic\\xpnetdiag.exe"= "c:\\Program Files\\iTunes\\iTunes.exe"= "c:\\Program Files\\Cisco Systems\\VPN Client\\vpngui.exe"= "c:\\Program Files\\NetMeeting\\conf.exe"= "c:\\Program Files\\eMule\\emule.exe"= [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List] "3389:TCP"= 3389:TCP:@xpsp2res.dll,-22009 [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\IcmpSettings] "AllowInboundEchoRequest"= 1 (0x1) R0 klbg;Kaspersky Lab Boot Guard Driver;c:\windows\system32\drivers\klbg.sys [2008-01-29 32784] R0 pavboot;pavboot;c:\windows\system32\drivers\pavboot.sys [2008-06-19 28544] R3 hcwPVRP2;Hauppauge WinTV PVR PCI II (Encoder);c:\windows\system32\DRIVERS\hcwPVRP2.sys [2003-02-19 1031520] R3 KLFLTDEV;Kaspersky Lab KLFltDev;c:\windows\system32\DRIVERS\klfltdev.sys [2008-03-13 26640] R3 klim5;Kaspersky Anti-Virus NDIS Filter;c:\windows\system32\DRIVERS\klim5.sys [2008-04-30 24592] R3 RimSerPort;RIM Virtual Serial Port;c:\windows\system32\DRIVERS\RimSerial.sys [2004-08-06 17920] S3 pc22nd5;Toshiba PCX2200 USB Cable Modem networking driver (NDIS);c:\windows\system32\DRIVERS\pc22nd5.sys [2001-11-09 17648] S3 pc22unic;Toshiba PCX2200 USB Cable Modem WDM driver;c:\windows\system32\DRIVERS\pc22unic.sys [2001-11-09 69744] S3 PCDRDRV;Pcdr Helper Driver;c:\progra~1\PC-DOC~1\DIAGNO~1\PCDRDRV.sys [ ] . Contents of the 'Scheduled Tasks' folder 2008-11-05 c:\windows\Tasks\AppleSoftwareUpdate.job - c:\program files\Apple Software Update\SoftwareUpdate.exe [2007-08-29 14:57] 2008-11-06 c:\windows\Tasks\At1.job - c:\windows\system32\U3cSBf33.exe [] 2008-11-07 c:\windows\Tasks\At10.job - c:\windows\system32\U3cSBf33.exe [] 2008-11-07 c:\windows\Tasks\At11.job - c:\windows\system32\U3cSBf33.exe [] 2008-11-07 c:\windows\Tasks\At12.job - c:\windows\system32\U3cSBf33.exe [] 2008-11-07 c:\windows\Tasks\At13.job - c:\windows\system32\U3cSBf33.exe [] 2008-11-07 c:\windows\Tasks\At14.job - c:\windows\system32\U3cSBf33.exe [] 2008-11-07 c:\windows\Tasks\At15.job - c:\windows\system32\U3cSBf33.exe [] 2008-11-07 c:\windows\Tasks\At16.job - c:\windows\system32\U3cSBf33.exe [] 2008-11-07 c:\windows\Tasks\At17.job - c:\windows\system32\U3cSBf33.exe [] 2008-11-07 c:\windows\Tasks\At18.job - c:\windows\system32\U3cSBf33.exe [] 2008-11-07 c:\windows\Tasks\At19.job - c:\windows\system32\U3cSBf33.exe [] 2008-11-06 c:\windows\Tasks\At2.job - c:\windows\system32\U3cSBf33.exe [] 2008-11-03 c:\windows\Tasks\At20.job - c:\windows\system32\U3cSBf33.exe [] 2008-11-03 c:\windows\Tasks\At21.job - c:\windows\system32\U3cSBf33.exe [] 2008-11-03 c:\windows\Tasks\At22.job - c:\windows\system32\U3cSBf33.exe [] 2008-11-06 c:\windows\Tasks\At23.job - c:\windows\system32\U3cSBf33.exe [] 2008-11-06 c:\windows\Tasks\At24.job - c:\windows\system32\U3cSBf33.exe [] 2008-11-08 c:\windows\Tasks\At3.job - c:\windows\system32\U3cSBf33.exe [] 2008-11-08 c:\windows\Tasks\At4.job - c:\windows\system32\U3cSBf33.exe [] 2008-11-07 c:\windows\Tasks\At5.job - c:\windows\system32\U3cSBf33.exe [] 2008-11-07 c:\windows\Tasks\At6.job - c:\windows\system32\U3cSBf33.exe [] 2008-11-07 c:\windows\Tasks\At7.job - c:\windows\system32\U3cSBf33.exe [] 2008-11-07 c:\windows\Tasks\At8.job - c:\windows\system32\U3cSBf33.exe [] 2008-11-07 c:\windows\Tasks\At9.job - c:\windows\system32\U3cSBf33.exe [] . - - - - ORPHANS REMOVED - - - - BHO-{51BCD548-771E-49C8-AC0C-7B7E6B9D35AF} - c:\windows\system32\jkkHYsQg.dll BHO-{F3AF22D2-7855-43FE-8DA3-ECD8E9C11558} - (no file) HKCU-Run-Facegame - c:\documents and settings\Edlaze500\Application Data\Facegame\Facegame.exe HKLM-Run-AutoTBar - c:\hp\bin\autotbar.exe HKLM-Run-PS2 - c:\windows\system32\ps2.exe Notify-jkkHBUMF - jkkHBUMF.dll . ------- Supplementary Scan ------- . FireFox -: Profile - c:\documents and settings\Edlaze500\Application Data\Mozilla\Firefox\Profiles\ycjajdb2.default\ FF -: plugin - c:\program files\DivX\DivX Content Uploader\npUpload.dll FF -: plugin - c:\program files\iTunes\Mozilla Plugins\npitunes.dll FF -: plugin - c:\program files\Microsoft Silverlight\2.0.31005.0\npctrl.dll FF -: plugin - c:\program files\Viewpoint\Viewpoint Experience Technology\npViewpoint.dll . ************************************************************************ catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net Rootkit scan 2008-11-08 01:53:31 Windows 5.1.2600 Service Pack 3 NTFS scanning hidden processes ... scanning hidden autostart entries ... scanning hidden files ... scan completed successfully hidden files: 0 ********************************************************************** . ------------------------ Other Running Processes ------------------------ . c:\program files\Lavasoft\Ad-Aware\aawservice.exe c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe c:\program files\Cisco Systems\VPN Client\cvpnd.exe c:\windows\eHome\ehsched.exe c:\windows\system32\nvsvc32.exe c:\windows\system32\rundll32.exe c:\windows\system32\regsvr32.exe c:\program files\Hewlett-Packard\HP Share-to-Web\hpgs2wnf.exe c:\program files\Internet Explorer\iexplore.exe c:\windows\system32\rundll32.exe c:\program files\Hewlett-Packard\Digital Imaging\bin\hpqtra08.exe c:\program files\Hewlett-Packard\Digital Imaging\bin\hpqgalry.exe c:\program files\iPod\bin\iPodService.exe c:\windows\eHome\ehmsas.exe . ************************************************************************ . Completion time: 2008-11-08 3:13:00 - machine was rebooted ComboFix-quarantined-files.txt 2008-11-08 08:12:47 Pre-Run: 9,514,356,736 bytes free Post-Run: 9,938,006,016 bytes free WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe [boot loader] timeout=2 default=multi(0)disk(0)rdisk(0)partition(2)\WINDOWS [operating systems] c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons multi(0)disk(0)rdisk(0)partition(2)\WINDOWS="Microsoft Windows XP Professional Edition" /fastdetect /NoExecute=OptIn 285 --- E O F --- 2008-10-24 22:01:58 Logfile of HijackThis v1.99.1 Scan saved at 10:25:40 AM, on 11/8/2008 Platform: Windows XP SP3 (WinNT 5.01.2600) MSIE: Internet Explorer v7.00 (7.00.6000.16735) Running processes: C:\WINDOWS\System32\smss.exe C:\WINDOWS\system32\winlogon.exe C:\WINDOWS\system32\services.exe C:\WINDOWS\system32\lsass.exe C:\WINDOWS\system32\svchost.exe C:\WINDOWS\System32\svchost.exe C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe C:\WINDOWS\system32\spoolsv.exe C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe C:\Program Files\Cisco Systems\VPN Client\cvpnd.exe C:\WINDOWS\ehome\ehSched.exe C:\WINDOWS\system32\nvsvc32.exe C:\WINDOWS\ehome\ehtray.exe C:\WINDOWS\System32\svchost.exe C:\windows\system\hpsysdrv.exe C:\Program Files\USB Storage RW\shwicon.exe C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe C:\Program Files\Hewlett-Packard\Digital Imaging\Unload\hpqcmon.exe C:\HP\KBD\KBD.EXE C:\Program Files\Common Files\Nokia\Services\ServiceLayer.exe C:\Program Files\Common Files\Nokia\NCLTools\NclTray.exe C:\WINDOWS\system32\RUNDLL32.EXE C:\Program Files\Hewlett-Packard\HP Software Update\HPWuSchd2.exe C:\Program Files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe C:\Program Files\HP DVD\Umbrella\DVDTray.exe C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe C:\Program Files\iTunes\iTunesHelper.exe C:\WINDOWS\System32\regsvr32.exe c:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnf.exe C:\Program Files\Messenger\msmsgs.exe C:\Program Files\Internet Explorer\IEXPLORE.EXE C:\WINDOWS\system32\rundll32.exe C:\WINDOWS\system32\ctfmon.exe C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpqtra08.exe C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpqgalry.exe C:\Program Files\iPod\bin\iPodService.exe C:\WINDOWS\ehome\ehmsas.exe C:\WINDOWS\explorer.exe C:\WINDOWS\system32\notepad.exe C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 2009\avp.exe C:\Program Files\HijackThis\HijackThis.exe R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157 R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896 R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896 O2 - BHO: (no name) - {02478D38-C3F9-4efb-9B51-7695ECA05670} - (no file) O2 - BHO: offersfortoday browser enhancer - {BBEF9CDB-E1F7-8D3A-2682-9B6FBD0B9127} - C:\WINDOWS\system32\tljcdpkpffbgtpt.dll O3 - Toolbar: hp toolkit - {B2847E28-5D7D-4DEB-8B67-05D28BCF79F5} - C:\HP\EXPLOREBAR\HPTOOLKT.DLL O4 - HKLM\..\Run: [ehTray] C:\WINDOWS\ehome\ehtray.exe O4 - HKLM\..\Run: [hpsysdrv] c:\windows\system\hpsysdrv.exe O4 - HKLM\..\Run: [KYE_Showicon] "C:\Program Files\USB Storage RW\shwicon.exe" -t"KYE\USB Storage RW" O4 - HKLM\..\Run: [Share-to-Web Namespace Daemon] c:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe O4 - HKLM\..\Run: [CamMonitor] c:\Program Files\Hewlett-Packard\Digital Imaging\Unload\hpqcmon.exe O4 - HKLM\..\Run: [KBD] C:\HP\KBD\KBD.EXE O4 - HKLM\..\Run: [StorageGuard] "C:\Program Files\VERITAS Software\Update Manager\sgtray.exe" /r O4 - HKLM\..\Run: [WCOLOREAL] "C:\Program Files\Coloreal\coloreal.exe" O4 - HKLM\..\Run: [Recguard] C:\WINDOWS\SMINST\RECGUARD.EXE O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup O4 - HKLM\..\Run: [nwiz] nwiz.exe /installquiet /keeploaded /nodetect O4 - HKLM\..\Run: [ServiceLayer] C:\Program Files\Common Files\Nokia\Services\ServiceLayer.exe O4 - HKLM\..\Run: [Nokia Tray Application] C:\Program Files\Common Files\Nokia\NCLTools\NclTray.exe O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\Hewlett-Packard\HP Software Update\HPWuSchd2.exe O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe O4 - HKLM\..\Run: [Adobe Photo Downloader] "C:\Program Files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe" O4 - HKLM\..\Run: [DVDTray] "C:\Program Files\HP DVD\Umbrella\DVDTray.exe" O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe" O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe" O4 - HKLM\..\Run: [ABBYY Community Agent] C:\Program Files\ABBYY FineReader 5.0 Sprint\CAgent.exe O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe" O4 - HKLM\..\Run: [keocrolkmdtikea] C:\WINDOWS\System32\regsvr32.exe /s "C:\WINDOWS\system32\tljcdpkpffbgtpt.dll" O4 - HKLM\..\Run: [UserFaultCheck] %systemroot%\system32\dumprep 0 -u O4 - HKLM\..\Run: [AVP] "C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 2009\avp.exe" O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background O4 - HKCU\..\Run: [NVIEW] rundll32.exe nview.dll,nViewLoadHook O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe O4 - Global Startup: hp center.lnk = C:\Program Files\hp center\137903\Program\BackWeb-137903.exe O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpqtra08.exe O4 - Global Startup: HP Image Zone Fast Start.lnk = C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpqthb08.exe O4 - Global Startup: Quicken Scheduled Updates.lnk = C:\Program Files\Quicken\bagent.exe O4 - Global Startup: VPN Client.lnk = ? O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll O9 - Extra button: Web traffic protection statistics - {1F460357-8A94-4D71-9CA3-AA4ACF32ED8E} - C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 2009\SCIEPlgn.dll O9 - Extra button: (no name) - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing) O9 - Extra 'Tools' menuitem: Uninstall BitDefender Online Scanner v8 - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing) O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~3\OFFICE11\REFIEBAR.DLL O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe O9 - Extra button: (no name) - Cmdmapping - (no file) (HKCU) O11 - Options group: [INTERNATIONAL] International* O16 - DPF: bdsripcab - https://media.bdsrealtime.com/components/bdsripcab.cab O16 - DPF: {200B3EE9-7242-4EFD-B1E4-D97EE825BA53} (VerifyGMN Class) - http://h20270.www2.hp.com/ediags/gmn...taller_gmn.cab O16 - DPF: {2D8ED06D-3C30-438B-96AE-4D110FDC1FB8} (ActiveScan 2.0 Installer Class) - http://acs.pandasoftware.com/actives.../as2stubie.cab O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (Installation Support) - C:\Program Files\Yahoo!\Common\Yinsthelper.dll O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} (BDSCANONLINE Control) - http://download.bitdefender.com/reso...an8/oscan8.cab O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsof...?1174409189328 O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} - O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/actives...ree/asinst.cab O16 - DPF: {AB86CE53-AC9F-449F-9399-D8ABCA09EC09} (Get_ActiveX Control) - https://h17000.www1.hp.com/ewfrf-JAV...oadManager.ocx O16 - DPF: {C4847596-972C-11D0-9567-00A0C9273C2A} (Crystal Report Viewer Control) - http://reports.kochb2b.com/viewer/ac...ivexviewer.cab O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/ge...sh/swflash.cab O16 - DPF: {FFBB3F3B-0A5A-4106-BE53-DFE1E2340CB1} (DownloadManager Control) - http://dlm.tools.akamai.com/dlmanage...ex-2.2.1.6.cab O20 - Winlogon Notify: dimsntfy - %SystemRoot%\System32\dimsntfy.dll (file missing) O20 - Winlogon Notify: klogon - C:\WINDOWS\system32\klogon.dll O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll O20 - Winlogon Notify: WRNotifier - WRLogonNTF.dll (file missing) O21 - SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINDOWS\system32\WPDShServiceObj.dll O23 - Service: Lavasoft Ad-Aware Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe O23 - Service: Kaspersky Internet Security (AVP) - Unknown owner - C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 2009\avp.exe" -r (file missing) O23 - Service: Cisco Systems, Inc. VPN Service (CVPND) - Cisco Systems, Inc. - C:\Program Files\Cisco Systems\VPN Client\cvpnd.exe O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe

11-08-2008, 10:11 AM	#5 (permalink)
alba Analyst, Security Team Join Date: Feb 2005 Location: Eire Posts: 2,006 OS: Vista, Ubuntu 8.04	Re: Infected by vundo.gen.k (trojan) and pop ups abound Hi ericgarcb Please read this post completely before begining the fix. If there's anything that you do not understand, kindly ask your questions before proceeding. Please ensure that there aren't any opened browsers when you are carrying out the procedures below. Save the following instructions in Notepad as this webpage would not be available when you're carrying out the fix. IT IS IMPORTANT THAT YOU DON'T MISS A STEP & PERFORM EVERYTHING IN THE RIGHT ORDER. =============================================== 1. Close any open browsers. 2. Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix. =============================================== Open notepad and carefully copy/paste all the text in the code box below into it: Code: http://www.techsupportforum.com/security-center/hijackthis-log-help/308786-infected-vundo-gen-k-trojan-pop-ups-abound.html#post1792822 Collect:: c:\windows\system32\suwcamwo.dll c:\windows\system32\gopejlke.dll c:\windows\system32\loxydo.pif c:\Program Files\Common Files\elelahyp.reg c:\windows\system32\tljcdpkpffbgtpt.dll c:\windows\system32\cont_offersfortoday-remove.exe c:\windows\system32\mcvowdhmpaic.exe c:\windows\cvchost.exe c:\windows\dl.exe c:\windows\msstasks.exe c:\windows\mssys.com c:\windows\mstasks1.exe c:\windows\mstaskss.exe c:\windows\msxmidi.exe c:\windows\reg33.exe c:\windows\rocky.exe c:\windows\system\wmscrop.exe c:\windows\system32\d2kpax.exe c:\windows\system32\ied.exe c:\windows\system32\miniport_mp.exe c:\windows\system32\winproc32.exe c:\windows\system32\tljcdpkpffbgtpt.dll c:\windows\system32\U3cSBf33.exe File:: c:\windows\Tasks\At1.job c:\windows\Tasks\At10.job c:\windows\Tasks\At11.job c:\windows\Tasks\At12.job c:\windows\Tasks\At13.job c:\windows\Tasks\At14.job c:\windows\Tasks\At15.job c:\windows\Tasks\At16.job c:\windows\Tasks\At17.job c:\windows\Tasks\At18.job c:\windows\Tasks\At19.job c:\windows\Tasks\At2.job c:\windows\Tasks\At20.job c:\windows\Tasks\At21.job c:\windows\Tasks\At22.job c:\windows\Tasks\At23.job c:\windows\Tasks\At24.job c:\windows\Tasks\At3.job c:\windows\Tasks\At4.job c:\windows\Tasks\At5.job c:\windows\Tasks\At6.job c:\windows\Tasks\At7.job c:\windows\Tasks\At8.job c:\windows\Tasks\At9.job Folder:: c:\program files\AntivirusPro2009 Registry:: [-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{BBEF9CDB-E1F7-8D3A-2682-9B6FBD0B9127}] [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run] "keocrolkmdtikea"=- Save this as CFScript.txt Refering to the picture above, drag CFScript.txt into ComboFix.exe When finished, it shall produce a log for you, C:\ComboFix.txt. Post that log in your next reply. Note When CF finishes running, the ComboFix log will open along with a message box--do not be alarmed. With the above script, ComboFix will capture files to submit for analysis. Ensure you are connected to the internet and click OK on the message box. A browser will open. Simply follow the instructions to copy/paste/send the requested file. ================================================ Establish an internet connection & perform an online scan with Internet Explorer at Go here to run an online scannner from ESET. Note: You will need to use Internet explorer for this scan Turn off the real time scanner of any existing antivirus program while performing the online scan Tick the box next to YES, I accept the Terms of Use. Click Start When asked, allow the activex control to install Click Start Make sure that the option Remove found threats and the option Scan unwanted applications are checked Click Scan Wait for the scan to finish Use notepad to open the logfile located at C:\Program Files\EsetOnlineScanner\log.txt Copy and paste that log as a reply to this topic and also let me know how things are now. ================= Upload this file c:\program files\Common Files\erib.bin to http://virusscan.jotti.org and report back what it found. At the top of the window you should see "File to Upload & scan" and a blank box. Copy and paste the red text from above into the box. Then click "submit". When it is finished, please copy and paste the information listed under "Service" and "Scanner Results" here. If the site is too busy, upload it to http://www.virustotal.com/en/indexf.html ================= In your next post, please include fresh logs from: ComboFix.txt EsetOnlineScanner log.txt Jotti report Please provide details of any problems you encountered whilst performing the above steps & update us on how the computer behaves now __________________ Member of UNITE If I have helped you in anyway, please DONATE to TSF Go raibh maith agat** Last edited by alba; 11-08-2008 at 11:07 AM.

11-09-2008, 12:40 AM	#6 (permalink)
ericgarcb Registered User Join Date: Jan 2005 Posts: 30 OS: winxp	Re: Infected by vundo.gen.k (trojan) and pop ups abound Hello, My computer seems to be running a lot quicker now. And I haven't seen or heard any pop-ups. The fresh logs are pasted below. Thanks again, Eric ComboFix 08-11-07.01 - Edlaze500 2008-11-08 21:42:08.2 - NTFSx86 Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.226 [GMT -5:00] Running from: c:\documents and settings\Edlaze500\Desktop\ComboFix.exe Command switches used :: c:\documents and settings\Edlaze500\Desktop\CFScript.txt * Created a new restore point FILE :: c:\windows\Tasks\At1.job c:\windows\Tasks\At10.job c:\windows\Tasks\At11.job c:\windows\Tasks\At12.job c:\windows\Tasks\At13.job c:\windows\Tasks\At14.job c:\windows\Tasks\At15.job c:\windows\Tasks\At16.job c:\windows\Tasks\At17.job c:\windows\Tasks\At18.job c:\windows\Tasks\At19.job c:\windows\Tasks\At2.job c:\windows\Tasks\At20.job c:\windows\Tasks\At21.job c:\windows\Tasks\At22.job c:\windows\Tasks\At23.job c:\windows\Tasks\At24.job c:\windows\Tasks\At3.job c:\windows\Tasks\At4.job c:\windows\Tasks\At5.job c:\windows\Tasks\At6.job c:\windows\Tasks\At7.job c:\windows\Tasks\At8.job c:\windows\Tasks\At9.job . ((((((((((((((((((((((((((((((((((((((( Other Deletions ))))))))))))))))))))))))))))))))))))))))))))))))) . c:\program files\AntivirusPro2009 c:\program files\AntivirusPro2009\htmlayout.dll c:\program files\AntivirusPro2009\pthreadVC2.dll c:\program files\Common Files\elelahyp.reg c:\windows\cvchost.exe c:\windows\dl.exe c:\windows\msstasks.exe c:\windows\mssys.com c:\windows\mstasks1.exe c:\windows\mstaskss.exe c:\windows\msxmidi.exe c:\windows\reg33.exe c:\windows\rocky.exe c:\windows\system\wmscrop.exe c:\windows\system32\cont_offersfortoday-remove.exe c:\windows\system32\d2kpax.exe c:\windows\system32\gopejlke.dll c:\windows\system32\ied.exe c:\windows\system32\loxydo.pif c:\windows\system32\mcvowdhmpaic.exe c:\windows\system32\miniport_mp.exe c:\windows\system32\suwcamwo.dll c:\windows\system32\tljcdpkpffbgtpt.dll c:\windows\system32\winproc32.exe c:\windows\Tasks\At1.job c:\windows\Tasks\At10.job c:\windows\Tasks\At11.job c:\windows\Tasks\At12.job c:\windows\Tasks\At13.job c:\windows\Tasks\At14.job c:\windows\Tasks\At15.job c:\windows\Tasks\At16.job c:\windows\Tasks\At17.job c:\windows\Tasks\At18.job c:\windows\Tasks\At19.job c:\windows\Tasks\At2.job c:\windows\Tasks\At20.job c:\windows\Tasks\At21.job c:\windows\Tasks\At22.job c:\windows\Tasks\At23.job c:\windows\Tasks\At24.job c:\windows\Tasks\At3.job c:\windows\Tasks\At4.job c:\windows\Tasks\At5.job c:\windows\Tasks\At6.job c:\windows\Tasks\At7.job c:\windows\Tasks\At8.job c:\windows\Tasks\At9.job . ((((((((((((((((((((((((( Files Created from 2008-10-09 to 2008-11-09 ))))))))))))))))))))))))))))))) . 2008-11-06 00:24 . 2008-11-08 11:39 6,540,832 --ahs---- c:\windows\system32\drivers\fidbox.dat 2008-11-06 00:24 . 2008-11-08 21:37 507,936 --ahs---- c:\windows\system32\drivers\fidbox2.dat 2008-11-06 00:24 . 2008-11-08 11:39 52,180 --ahs---- c:\windows\system32\drivers\fidbox.idx 2008-11-06 00:24 . 2008-11-08 21:37 2,816 --ahs---- c:\windows\system32\drivers\fidbox2.idx 2008-11-05 23:56 . 2008-11-06 00:39 96,976 --a------ c:\windows\system32\drivers\klin.dat 2008-11-05 23:56 . 2008-11-05 23:56 87,855 --a------ c:\windows\system32\drivers\klick.dat 2008-11-05 23:51 . 2008-11-08 15:43 <DIR> d-------- c:\documents and settings\All Users\Application Data\Kaspersky Lab 2008-11-05 23:17 . 2008-11-05 23:17 <DIR> d-------- c:\documents and settings\All Users\Application Data\Kaspersky Lab Setup Files 2008-11-05 19:08 . 2008-11-05 19:08 552 --a------ c:\windows\system32\d3d8caps.dat 2008-11-02 13:56 . 2008-11-02 13:58 <DIR> d-------- C:\rsit 2008-11-02 00:41 . 2008-11-02 00:47 250 --a------ c:\windows\gmer.ini 2008-11-01 23:03 . 2008-11-01 23:03 18,507 --a------ c:\windows\system32\igine.db 2008-11-01 23:03 . 2008-11-01 23:03 13,081 --a------ c:\program files\Common Files\erib.bin 2008-11-01 09:31 . 2008-11-05 22:37 <DIR> d-------- C:\quarantine 2008-10-24 12:14 . 2008-10-15 11:34 337,408 --a--c--- c:\windows\system32\dllcache\netapi32.dll 2008-10-16 10:06 . 2008-09-08 05:41 333,824 --a--c--- c:\windows\system32\dllcache\srv.sys 2008-10-16 10:01 . 2008-08-14 05:11 2,189,184 --a--c--- c:\windows\system32\dllcache\ntoskrnl.exe 2008-10-16 10:01 . 2008-08-14 05:09 2,145,280 --a--c--- c:\windows\system32\dllcache\ntkrnlmp.exe 2008-10-16 10:01 . 2008-09-15 07:12 1,846,400 --a--c--- c:\windows\system32\dllcache\win32k.sys 2008-10-16 10:00 . 2008-08-14 04:33 2,066,048 --a--c--- c:\windows\system32\dllcache\ntkrnlpa.exe 2008-10-16 10:00 . 2008-08-14 04:33 2,023,936 --a--c--- c:\windows\system32\dllcache\ntkrpamp.exe . (((((((((((((((((((((((((((((((((((((((( Find3M Report )))))))))))))))))))))))))))))))))))))))))))))))))))) . 2008-11-07 06:57 --------- d-----w c:\program files\QuickTime 2008-11-07 06:55 --------- d-----w c:\program files\Common Files\Real 2008-11-06 04:51 --------- d-----w c:\program files\Kaspersky Lab 2008-11-06 04:42 --------- d-----w c:\program files\Spybot - Search & Destroy 2008-11-06 04:42 --------- d-----w c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy 2008-11-02 18:57 --------- d-----w c:\program files\Trend Micro 2008-11-02 05:31 --------- d-----w c:\program files\LimeWire 2008-10-23 14:57 --------- d-----w c:\program files\Microsoft Silverlight 2008-09-15 12:12 1,846,400 ----a-w c:\windows\system32\win32k.sys 2008-09-12 21:33 --------- d-----w c:\documents and settings\Edlaze500\Application Data\Move Networks 2008-09-11 23:23 --------- d-----w c:\documents and settings\Edlaze500\Application Data\Leadertech 2008-09-05 20:55 77,824 ----a-w c:\windows\pchealth\helpctr\Vendors\CN=Hewlett-Packard,L=Cupertino,S=Ca,C=US\Pavilion\XPENABS3EN\plugin\bin\WinVerifyTrust.dll 2008-09-05 20:55 159,744 ----a-w c:\windows\pchealth\helpctr\Vendors\CN=Hewlett-Packard,L=Cupertino,S=Ca,C=US\Pavilion\XPENABS3EN\plugin\bin\PCHButton.exe 2008-09-05 20:55 122,880 ----a-w c:\windows\pchealth\helpctr\Vendors\CN=Hewlett-Packard,L=Cupertino,S=Ca,C=US\Pavilion\XPENABS3EN\plugin\bin\SearchCtrl.dll 2008-09-05 20:54 49,152 ----a-w c:\windows\pchealth\helpctr\Vendors\CN=Hewlett-Packard,L=Cupertino,S=Ca,C=US\Pavilion\XPENABS3EN\plugin\bin\PCHI18N.dll 2008-09-05 20:54 420,432 ----a-w c:\windows\pchealth\helpctr\Vendors\CN=Hewlett-Packard,L=Cupertino,S=Ca,C=US\Pavilion\XPENABS3EN\plugin\bin\pchplugin.zip 2008-09-05 20:54 126,976 ----a-w c:\windows\pchealth\helpctr\Vendors\CN=Hewlett-Packard,L=Cupertino,S=Ca,C=US\Pavilion\XPENABS3EN\plugin\bin\ContentUpdater.exe 2008-09-05 20:54 106,496 ----a-w c:\windows\pchealth\helpctr\Vendors\CN=Hewlett-Packard,L=Cupertino,S=Ca,C=US\Pavilion\XPENABS3EN\plugin\bin\PluginCtrl.dll 2008-09-05 20:53 1,306,152 ----a-w c:\windows\pchealth\helpctr\Vendors\CN=Hewlett-Packard,L=Cupertino,S=Ca,C=US\Pavilion\XPENABS3EN\plugin\bin\motdeusr.zip 2008-08-26 07:24 826,368 ----a-w c:\windows\system32\wininet.dll 2008-08-14 10:09 2,145,280 ----a-w c:\windows\system32\ntoskrnl.exe 2008-08-14 09:33 2,023,936 ----a-w c:\windows\system32\ntkrnlpa.exe 2005-01-27 02:07 0 --sh--r c:\program files\q330994.exe 2005-01-27 02:07 0 --sh--r c:\windows\dlm.exe 2005-01-27 02:07 0 --sh--r c:\windows\ntldr.exe . ((((((((((((((((((((((((((((((((((((( Reg Loading Points )))))))))))))))))))))))))))))))))))))))))))))))))) . . Note empty entries & legit default entries are not shown REGEDIT4 [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run] "MSMSGS"="c:\program files\Messenger\msmsgs.exe" [2008-04-13 1695232] "ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-13 15360] "NVIEW"="nview.dll" [2003-07-28 c:\windows\system32\nview.dll] [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run] "UserFaultCheck"="c:\windows\system32\dumprep 0 -u" [X] "ehTray"="c:\windows\ehome\ehtray.exe" [2008-04-13 50176] "hpsysdrv"="c:\windows\system\hpsysdrv.exe" [1998-05-07 52736] "KYE_Showicon"="c:\program files\USB Storage RW\shwicon.exe" [2002-10-25 69632] "Share-to-Web Namespace Daemon"="c:\program files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe" [2002-04-17 69632] "CamMonitor"="c:\program files\Hewlett-Packard\Digital Imaging\Unload\hpqcmon.exe" [2002-06-18 69632] "KBD"="c:\hp\KBD\KBD.EXE" [2003-02-11 61440] "StorageGuard"="c:\program files\VERITAS Software\Update Manager\sgtray.exe" [2002-06-18 155648] "WCOLOREAL"="c:\program files\Coloreal\coloreal.exe" [2002-11-26 131072] "Recguard"="c:\windows\SMINST\RECGUARD.EXE" [2002-09-13 212992] "NvCplDaemon"="c:\windows\System32\NvCpl.dll" [2003-07-28 4841472] "ServiceLayer"="c:\program files\Common Files\Nokia\Services\ServiceLayer.exe" [2002-10-16 69632] "Nokia Tray Application"="c:\program files\Common Files\Nokia\NCLTools\NclTray.exe" [2002-10-22 598016] "NvMediaCenter"="c:\windows\system32\NvMcTray.dll" [2003-07-28 49152] "HP Software Update"="c:\program files\Hewlett-Packard\HP Software Update\HPWuSchd2.exe" [2005-02-16 49152] "NeroFilterCheck"="c:\windows\system32\NeroCheck.exe" [2001-07-09 155648] "Adobe Photo Downloader"="c:\program files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe" [2005-06-06 57344] "DVDTray"="c:\program files\HP DVD\Umbrella\DVDTray.exe" [2003-07-23 65536] "SunJavaUpdateSched"="c:\program files\Java\jre1.6.0_07\bin\jusched.exe" [2008-06-10 144784] "iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2008-02-19 267048] "ABBYY Community Agent"="c:\program files\ABBYY FineReader 5.0 Sprint\CAgent.exe" [2002-03-20 253952] "Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2008-06-12 34672] "AVP"="c:\program files\Kaspersky Lab\Kaspersky Internet Security 2009\avp.exe" [2008-07-29 206088] "nwiz"="nwiz.exe" [2003-07-28 c:\windows\system32\nwiz.exe] [HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer] "ForceClassicControlPanel"= 1 (0x1) [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32] "vidc.DIV3"= DIVXc32.dll "vidc.DIV4"= DIVXc32f.dll [HKEY_LOCAL_MACHINE\software\microsoft\security center] "AntiVirusDisableNotify"=dword:00000001 "UpdatesDisableNotify"=dword:00000001 [HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\KasperskyAntiVirus] "DisableMonitoring"=dword:00000001 [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile] "EnableFirewall"= 0 (0x0) [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List] "%windir%\\system32\\sessmgr.exe"= "c:\\Program Files\\Hewlett-Packard\\HP Software Update\\HPWUCli.exe"= "%windir%\\Network Diagnostic\\xpnetdiag.exe"= "c:\\Program Files\\iTunes\\iTunes.exe"= "c:\\Program Files\\Cisco Systems\\VPN Client\\vpngui.exe"= "c:\\Program Files\\NetMeeting\\conf.exe"= "c:\\Program Files\\eMule\\emule.exe"= [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List] "3389:TCP"= 3389:TCP:@xpsp2res.dll,-22009 [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\IcmpSettings] "AllowInboundEchoRequest"= 1 (0x1) R0 klbg;Kaspersky Lab Boot Guard Driver;c:\windows\system32\drivers\klbg.sys [2008-01-29 32784] R0 pavboot;pavboot;c:\windows\system32\drivers\pavboot.sys [2008-06-19 28544] R3 hcwPVRP2;Hauppauge WinTV PVR PCI II (Encoder);c:\windows\system32\DRIVERS\hcwPVRP2.sys [2003-02-19 1031520] R3 KLFLTDEV;Kaspersky Lab KLFltDev;c:\windows\system32\DRIVERS\klfltdev.sys [2008-03-13 26640] R3 klim5;Kaspersky Anti-Virus NDIS Filter;c:\windows\system32\DRIVERS\klim5.sys [2008-04-30 24592] R3 RimSerPort;RIM Virtual Serial Port;c:\windows\system32\DRIVERS\RimSerial.sys [2004-08-06 17920] S3 pc22nd5;Toshiba PCX2200 USB Cable Modem networking driver (NDIS);c:\windows\system32\DRIVERS\pc22nd5.sys [2001-11-09 17648] S3 pc22unic;Toshiba PCX2200 USB Cable Modem WDM driver;c:\windows\system32\DRIVERS\pc22unic.sys [2001-11-09 69744] S3 PCDRDRV;Pcdr Helper Driver;c:\progra~1\PC-DOC~1\DIAGNO~1\PCDRDRV.sys [ ] Newly Created Service - CATCHME . Contents of the 'Scheduled Tasks' folder 2008-11-05 c:\windows\Tasks\AppleSoftwareUpdate.job - c:\program files\Apple Software Update\SoftwareUpdate.exe [2007-08-29 14:57] . ************************************************************************ catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net Rootkit scan 2008-11-08 21:48:52 Windows 5.1.2600 Service Pack 3 NTFS scanning hidden processes ... scanning hidden autostart entries ... scanning hidden files ... scan completed successfully hidden files: 0 ************************************************************************ . Completion time: 2008-11-08 21:53:21 ComboFix-quarantined-files.txt 2008-11-09 02:52:41 ComboFix2.txt 2008-11-08 08:13:04 Pre-Run: 10,739,957,760 bytes free Post-Run: 10,741,198,848 bytes free 223 --- E O F --- 2008-10-24 22:01:58 # version=4 # OnlineScanner.ocx=1.0.0.56 # OnlineScannerDLLA.dll=1, 0, 0, 51 # OnlineScannerDLLW.dll=1, 0, 0, 51 # OnlineScannerUninstaller.exe=1, 0, 0, 49 # vers_standard_module=3597 (20081108) # vers_arch_module=1.064 (20080214) # vers_adv_heur_module=1.066 (20070917) # EOSSerial=c163db1d8b2b6145a9137a5459c00ddc # end=finished # remove_checked=true # unwanted_checked=true # utc_time=2008-11-09 05:21:01 # local_time=2008-11-09 12:21:01 (-0500, Eastern Standard Time) # country="United States" # osver=5.1.2600 NT Service Pack 3 # scanned=720500 # found=7 # scan_time=8183 C:\Documents and Settings\Edlaze500\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\OP.jar-4b9c0e39-5851bd08.zip Java/TrojanDownloader.OpenStream.NAA trojan (deleted) 00000000000000000000000000000000 C:\Documents and Settings\Edlaze500\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\OP.jar-4b9c0e39-5851bd08.zip »ZIP »OP.class Java/TrojanDownloader.OpenStream.NAA trojan (error while cleaning - operation unavailable for this type of object - error while deleting - operation unavailable for this type of object - was a part of the deleted object) 00000000000000000000000000000000 C:\Qoobox\Quarantine\[4]-Submit_2008-11-08@21.41.zip Win32/Adware.GooochiBiz application (deleted) 00000000000000000000000000000000 C:\Qoobox\Quarantine\[4]-Submit_2008-11-08@21.41.zip »ZIP »tljcdpkpffbgtpt.dll Win32/Adware.GooochiBiz application (error while cleaning - operation unavailable for this type of object - error while deleting - operation unavailable for this type of object - was a part of the deleted object) 00000000000000000000000000000000 C:\Qoobox\Quarantine\C\WINDOWS\system32\jkkhysqg.dll.vir Win32/Adware.Virtumonde.NDF application (unable to clean - deleted) 00000000000000000000000000000000 C:\Qoobox\Quarantine\C\WINDOWS\system32\msxml71.dll.vir Win32/Adware.BHO.NEW application (unable to clean - deleted) 00000000000000000000000000000000 C:\Qoobox\Quarantine\C\WINDOWS\system32\wpv106.cpx.vir Win32/TrojanDownloader.Agent.OKY trojan (unable to clean - deleted) 00000000000000000000000000000000 _________________________________________________________________________________ Service Service load: 0% 100% File: erib.bin Status: OK MD5: cff28e70d27c3035809f8c2e9d9f012f Packers detected: - Scanner results Scan taken on 09 Nov 2008 07:28:40 (GMT) A-Squared Found nothing AntiVir Found nothing ArcaVir Found nothing Avast Found nothing AVG Antivirus Found nothing BitDefender Found nothing ClamAV Found nothing CPsecure Found nothing Dr.Web Found nothing F-Prot Antivirus Found nothing F-Secure Anti-Virus Found nothing G DATA Found nothing Ikarus Found nothing Kaspersky Anti-Virus Found nothing NOD32 Found nothing Norman Virus Control Found nothing Panda Antivirus Found nothing Sophos Antivirus Found nothing VirusBuster Found nothing VBA32 Found nothing

11-09-2008, 02:59 AM	#7 (permalink)
alba Analyst, Security Team Join Date: Feb 2005 Location: Eire Posts: 2,006 OS: Vista, Ubuntu 8.04	Re: Infected by vundo.gen.k (trojan) and pop ups abound Hi Your logs are clean ================= The following procedure will clear out the tools we've used as well as the backups and quarantines created by the fix. It will also reset your System Restore by flushing out previous restore points (which contain the infections) and create a new restore point. Click Start > Run and copy/paste, or type the following bolded text into the Run box and click OK: ComboFix /u To help protect your computer in the future I recommend that you get the following free programs if you do not already have them: McAfee Site Advisor--free version. The folks there check out websites and based on their findings, rate it as Safe, Unknown, Caution, or Bad. SpywareBlaster 3.5.1 to help prevent spyware from installing in the first place. Install & update SpywareBlaster with the latest definitions. After you have updated, click the button - enable protection for all unprotected items. It will block any bad ActiveX from running in Internet Explorer and Firefox if it's listed in their database (which you should update frequently). To view their database and list of restricted sites, launch the program and click on each of the tabs on the main display page. IESpyAD Zoned Out to block access to malicious websites so you cannot be redirected to them from an infected site or email. This severely impairs attempts to infect your system as it basically prevents any downloads (Cookies etc) from the sites listed, although you will still be able to connect to the sites. Update, and scan with your onboard Anti Malware and Anti Virus programs regularly. Without regular updates you will not be protected when new malicious programs are released. In light of your recent issue, I'm sure you'd like to avoid any future infections. Please take a look at these well written articles: PC Safety and Security--What Do I Need? HOW DID I GET INFECTED IN THE FIRST PLACE? by Tony Klein MAKING INTERNET EXPLORER SAFER Be very wary with any security software that is advertised in popups or in other ways. They are not only usually of no use, but often have malware in them. ================= Follow the list above and the potential for infection will reduce dramatically. Please respond to this thread one more time so we can mark this thread as resolved. __________________ Member of UNITE If I have helped you in anyway, please DONATE to TSF Go raibh maith agat**

11-09-2008, 11:19 AM	#8 (permalink)
ericgarcb Registered User Join Date: Jan 2005 Posts: 30 OS: winxp	Re: Infected by vundo.gen.k (trojan) and pop ups abound Hi again, Thanks, my computer is running smoothly!! I installed the programs you suggested. What anti-virus/Firewall/Internet Security program would you suggest? Which do you believe is the most effective out there? Thank you, Eric

11-09-2008, 12:15 PM	#9 (permalink)
alba Analyst, Security Team Join Date: Feb 2005 Location: Eire Posts: 2,006 OS: Vista, Ubuntu 8.04	Re: Infected by vundo.gen.k (trojan) and pop ups abound Hi ericgarcb Please choose one from any of these 3 programs which are free for home use: AVG Anti-Virus Avast Home Edition I also recommend doing the following Your Java is out of date. Older versions have vulnerabilities that malware can use to infect your system. Please follow these steps to remove older version Java components and update. Download the latest version of Java Runtime Environment (JRE) 6 and save it to your desktop. Scroll down to where it says "Java SE Runtime Environment (JRE) 6 Update 10. The Java SE Runtime Environment (JRE) allows end-users to run Java applications." Click the "Download" button to the right. Select the Windows platform from the dropdown menu. Read the License Agreement and then check the box that says: "Accept License Agreement". Click on Continue.The page will refresh. Click on the link to download Windows Offline Installation and save the file to your desktop. Close any programs you may have running - especially your web browser. Go to Start > Settings > Control Panel, double-click on Add/Remove Programs and remove all older versions of Java. Check (highlight) any item with Java Runtime Environment (JRE or J2SE or Java(TM) 6) in the name. Click the Remove or Change/Remove button. Repeat as many times as necessary to remove each Java versions. Reboot your computer once all Java components are removed. Then from your desktop double-click on jre-6u10-windows-i586-p.exe to install the newest version. After the install is complete, go into the Control Panel (using Classic View) and double-click the Java Icon. (looks like a coffee cup) On the General tab, under Temporary Internet Files, click the Settings button. Next, click on the Delete Files button There are two options in the window to clear the cache - Leave BOTH Checked Applications and Applets Trace and Log Files Click OK on Delete Temporary Files Window Note: This deletes ALL the Downloaded Applications and Applets from the CACHE. Click OK to leave the Temporary Files Window Click OK to leave the Java Control Panel. __________________ Member of UNITE If I have helped you in anyway, please DONATE to TSF Go raibh maith agat Last edited by alba; 11-09-2008 at 12:26 PM.