Vundo!grb trojan keeps coming back

rswanson25 · 03-27-2009, 08:10 AM

OS is Win XP Home with SP3 and McAfee identifies and quarantines Vundo!grb but it keeps coming back. McAfee shows original locations as C:\WINDOWS\system32. File names are random with .dll or .tmp extentions. I'm experiencing pop ups that usually advertise some type of virus scan software and have had the computer freeze a couple of times in the last three days. I use Carbonite for backup and to my knowledge do not have any P2P software installed. My son has downloaded music off of a friend's CD -- could that have been it?
Here is the DDS.txt copy:

DDS (Ver_09-03-16.01) - NTFSx86
Run by Bob Swanson at 9:14:21.45 on Fri 03/27/2009
Internet Explorer: 7.0.5730.13 BrowserJavaVersion: 1.6.0_12
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.3582.2884 [GMT -4:00]

AV: McAfee VirusScan *On-access scanning enabled* (Updated)
FW: McAfee Personal Firewall *enabled*

============== Running Processes ===============

C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
svchost.exe
svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Carbonite\Carbonite Backup\carboniteservice.exe
C:\WINDOWS\System32\svchost.exe -k HTTPFilter
C:\Program Files\Google\Update\GoogleUpdate.exe
C:\Program Files\Intel\Intel Matrix Storage Manager\iaantmon.exe
C:\Program Files\Common Files\Intuit\Update Service\IntuitUpdateService.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\McAfee\MBK\MBackMonitor.exe
C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
c:\PROGRA~1\COMMON~1\mcafee\mna\mcnasvc.exe
c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
C:\Program Files\McAfee\MPF\MPFSrv.exe
C:\Program Files\CyberPower PowerPanel Personal Edition\ppped.exe
C:\Program Files\Dell Support Center\bin\sprtsvc.exe
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe
C:\WINDOWS\system32\dllhost.exe
c:\PROGRA~1\mcafee.com\agent\mcagent.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Intel\Intel Matrix Storage Manager\iaanotif.exe
C:\WINDOWS\stsystra.exe
C:\Program Files\Intel\Modem Event Monitor\IntelMEM.exe
C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe
C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe
C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb07.exe
C:\WINDOWS\system32\dla\tfswctrl.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Error Nuker\bin\ErrorNuker.exe
C:\WINDOWS\system32\hphmon04.exe
C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe
C:\Program Files\McAfee\MBK\McAfeeDataBackup.exe
C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnf.exe
C:\Program Files\Carbonite\Carbonite Backup\CarboniteUI.exe
C:\WINDOWS\system32\HPHipm11.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\Program Files\DellSupport\DSAgnt.exe
C:\Program Files\CyberPower PowerPanel Personal Edition\pppeuser.exe
C:\Program Files\Windows Media Player\WMPNSCFG.exe
C:\Program Files\Nikon\PictureProject\NkbMonitor.exe
C:\Program Files\Yahoo!\Yahoo! Music Engine\ymetray.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe
C:\WINDOWS\System32\vssvc.exe
C:\WINDOWS\system32\dllhost.exe
C:\Documents and Settings\Bob Swanson\Desktop\dds.scr

============== Pseudo HJT Report ===============

uStart Page = hxxp://www.refdesk.com/
uSearch Page = hxxp://www.google.com
uDefault_Page_URL = hxxp://www.dell4me.com/myway
uSearch Bar = hxxp://www.google.com/ie
uInternet Settings,ProxyOverride = *.local
mSearchAssistant = hxxp://www.google.com/ie
uURLSearchHooks: H - No File
BHO: Adobe PDF Reader Link Helper: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\adobe\acrobat 7.0\activex\AcroIEHelper.dll
BHO: RealPlayer Download and Record Plugin for Internet Explorer: {3049c3e9-b461-4bc5-8870-4c09146192ca} - c:\program files\real\realplayer\rpbrowserrecordplugin.dll
BHO: DriveLetterAccess: {5ca3d70e-1895-11cf-8e15-001234567890} - c:\windows\system32\dla\tfswshx.dll
BHO: scriptproxy: {7db2d5a0-7241-4e79-b68d-6309f01c5231} - c:\program files\mcafee\virusscan\scriptsn.dll
BHO: Java(tm) Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
TB: Yahoo! Toolbar: {ef99bd32-c1fb-11d2-892f-0090271d4f88} -
TB: {5BED3930-2E9E-76D8-BACC-80DF2188D455} - No File
EB: Real.com: {fe54fa40-d68c-11d2-98fa-00c0f0318afe} - c:\windows\system32\Shdocvw.dll
uRun: [DellSupport] "c:\program files\dellsupport\DSAgnt.exe" /startup
uRun: [MSMSGS] "c:\program files\messenger\msmsgs.exe" /background
uRun: [DellSupportCenter] "c:\program files\dell support center\bin\sprtcmd.exe" /P DellSupportCenter
uRun: [PowerPanel Personal Edition User Interaction] "c:\program files\cyberpower powerpanel personal edition\pppeuser.exe"
uRun: [WMPNSCFG] c:\program files\windows media player\WMPNSCFG.exe
mRun: [IAAnotif] c:\program files\intel\intel matrix storage manager\iaanotif.exe
mRun: [SigmatelSysTrayApp] stsystra.exe
mRun: [ATIPTA] c:\program files\ati technologies\ati control panel\atiptaxx.exe
mRun: [IntelMeM] c:\program files\intel\modem event monitor\IntelMEM.exe
mRun: [DVDLauncher] "c:\program files\cyberlink\powerdvd\DVDLauncher.exe"
mRun: [ISUSPM Startup] c:\progra~1\common~1\instal~1\update~1\ISUSPM.exe -startup
mRun: [ISUSScheduler] "c:\program files\common files\installshield\updateservice\issch.exe" -start
mRun: [HPDJ Taskbar Utility] c:\windows\system32\spool\drivers\w32x86\3\hpztsb07.exe
mRun: [dla] c:\windows\system32\dla\tfswctrl.exe
mRun: [dscactivate] "c:\program files\dell support center\gs_agent\custom\dsca.exe"
mRun: [TkBellExe] "c:\program files\common files\real\update_ob\realsched.exe" -osboot
mRun: [Error Nuker] c:\program files\error nuker\bin\ErrorNuker.exe autostart
mRun: [DellSupportCenter] "c:\program files\dell support center\bin\sprtcmd.exe" /P DellSupportCenter
mRun: [masqform.exe] c:\program files\pureedge\viewer 6.5\masqform.exe -RunOnce
mRun: [mcagent_exe] c:\program files\mcafee.com\agent\mcagent.exe /runkey
mRun: [HPHmon04] c:\windows\system32\hphmon04.exe
mRun: [HPHUPD04] "c:\program files\hp photosmart 11\hphinstall\unipatch\hphupd04.exe"
mRun: [Share-to-Web Namespace Daemon] c:\program files\hewlett-packard\hp share-to-web\hpgs2wnd.exe
mRun: [McAfee Backup] c:\program files\mcafee\mbk\McAfeeDataBackup.exe
mRun: [MBkLogOnHook] c:\program files\mcafee\mbk\LogOnHook.exe
mRun: [Carbonite Backup] c:\program files\carbonite\carbonite backup\CarboniteUI.exe
mRun: [QuickTime Task] "c:\program files\quicktime\QTTask.exe" -atboottime
mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe"
mRun: [SunJavaUpdateSched] "c:\program files\java\jre6\bin\jusched.exe"
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\adober~1.lnk - c:\program files\adobe\acrobat 7.0\reader\reader_sl.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\micros~1.lnk - c:\program files\microsoft office\office10\OSA.EXE
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\nkbmon~1.lnk - c:\program files\nikon\pictureproject\NkbMonitor.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\ymetray.lnk - c:\program files\yahoo!\yahoo! music engine\ymetray.exe
IE: E&xport to Microsoft Excel - c:\progra~1\micros~4\office10\EXCEL.EXE/3000
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - {FE54FA40-D68C-11d2-98FA-00C0F0318AFE} - c:\windows\system32\Shdocvw.dll
Trusted Zone: internet
Trusted Zone: mcafee.com
Trusted Zone: turbotax.com
DPF: {02BCC737-B171-4746-94C9-0D8A0B2C0089} - hxxp://office.microsoft.com/templates/ieawsdc.cab
DPF: {0CCA191D-13A6-4E29-B746-314DEE697D83} - hxxp://upload.facebook.com/controls/2008.10.10_v5.5.8/FacebookPhotoUploader5.cab
DPF: {15589FA1-C456-11CE-BF01-000000000000} - hxxp://www.errornuker.com/products/errn2004/installers/default/ErrorNukerInstaller.exe
DPF: {15B782AF-55D8-11D1-B477-006097098764} - hxxp://media3.keytrain.com/player/IE/awswaxd.cab
DPF: {17492023-C23A-453E-A040-C7C580BBF700} - hxxp://go.microsoft.com/fwlink/?linkid=39204
DPF: {48DD0448-9209-4F81-9F6D-D83562940134} - hxxp://lads.myspace.com/upload/MySpaceUploader1005.cab
DPF: {6D2EF4B4-CB62-4C0B-85F3-B79C236D702C} - hxxp://www.facebook.com/controls/contactx.dll
DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} - hxxp://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1224001022372
DPF: {7FE26BE2-B923-4B41-9834-E84DA1CC1F96} - hxxp://vsp.closetmaid.com/vsp/cmaidctl_vsp.closetmaid.com_downloader.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_12-windows-i586.cab
DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} - hxxp://fpdownload.macromedia.com/get/flashplayer/current/ultrashim.cab
DPF: {A796D216-2DE1-4EA8-BABB-FE6E7C959098} - hxxp://www.hp.com/cpso-support-new/SDD/hpsddObjSigned.cab
DPF: {C7DB51B4-BCF7-4923-8874-7F1A0DC92277} - hxxp://office.microsoft.com/officeupdate/content/opuc4.cab
DPF: {CAFEEFAC-0014-0002-0003-ABCDEFFEDCBA} - hxxp://java.sun.com/products/plugin/autodl/jinstall-142-windows-i586.cab
DPF: {CAFEEFAC-0015-0000-0004-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_04-windows-i586.cab
DPF: {CAFEEFAC-0015-0000-0006-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_06-windows-i586.cab
DPF: {CAFEEFAC-0015-0000-0008-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_08-windows-i586.cab
DPF: {CAFEEFAC-0015-0000-0009-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_09-windows-i586.cab
DPF: {CAFEEFAC-0015-0000-0010-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_10-windows-i586.cab
DPF: {CAFEEFAC-0015-0000-0011-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_11-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0001-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_01-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0002-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_02-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0003-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_03-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0005-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_05-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_07-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0012-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_12-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_12-windows-i586.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
AppInit_DLLs: c:\windows\system32\mavulawu.dll c:\windows\system32\hunejuho.dll fghxud.dll szkrcd.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
LSA: Notification Packages = scecli c:\windows\system32\mavulawu.dll c:\windows\system32\hunejuho.dll

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\bobswa~1\applic~1\mozilla\firefox\profiles\bdw5udla.default\
FF - prefs.js: browser.startup.homepage - hxxp://www.refdesk.com/
FF - plugin: c:\program files\emusic download manager\plugin\npemusic.dll
FF - plugin: c:\program files\google\update\1.2.141.5\npGoogleOneClick7.dll
FF - plugin: c:\program files\viewpoint\viewpoint experience technology\npViewpoint.dll

============= SERVICES / DRIVERS ===============

R1 mfehidk;McAfee Inc. mfehidk;c:\windows\system32\drivers\mfehidk.sys [2008-7-5 201320]
R2 IntuitUpdateService;Intuit Update Service;c:\program files\common files\intuit\update service\IntuitUpdateService.exe [2008-10-10 13088]
R2 McProxy;McAfee Proxy Service;c:\progra~1\common~1\mcafee\mcproxy\mcproxy.exe [2008-7-5 359248]
R2 McShield;McAfee Real-time Scanner;c:\progra~1\mcafee\viruss~1\mcshield.exe [2008-7-5 144704]
R3 McSysmon;McAfee SystemGuards;c:\progra~1\mcafee\viruss~1\mcsysmon.exe [2008-7-5 695624]
R3 mfeavfk;McAfee Inc. mfeavfk;c:\windows\system32\drivers\mfeavfk.sys [2008-7-5 79304]
R3 mfebopk;McAfee Inc. mfebopk;c:\windows\system32\drivers\mfebopk.sys [2008-7-5 35240]
R3 mfesmfk;McAfee Inc. mfesmfk;c:\windows\system32\drivers\mfesmfk.sys [2008-7-5 40488]
S2 gupdate1c9878ec79c3ec2;Google Update Service (gupdate1c9878ec79c3ec2);c:\program files\google\update\GoogleUpdate.exe [2009-2-5 133104]
S3 mferkdk;McAfee Inc. mferkdk;c:\windows\system32\drivers\mferkdk.sys [2008-7-5 33832]
S3 w300mgmt;Sony Ericsson W300 USB WMC Device Management Drivers (WDM);c:\windows\system32\drivers\w300mgmt.sys [2005-12-28 87824]
S3 w300obex;Sony Ericsson W300 USB WMC OBEX Interface;c:\windows\system32\drivers\w300obex.sys [2005-12-28 85696]

=============== Created Last 30 ================

2009-03-26 20:54 3,290,873 ---sh--- c:\windows\system32\iyazepij.ini
2009-03-25 08:54 129,024 a--sh--- c:\windows\system32\fghxud.dll
2009-03-24 20:54 129,024 a--sh--- c:\windows\system32\qamoju.dll
2009-03-24 08:53 128,000 a--sh--- c:\windows\system32\mlbczg.dll
2009-03-23 20:53 129,024 a--sh--- c:\windows\system32\sgkykb.dll
2009-03-23 08:53 128,000 a--sh--- c:\windows\system32\raxtjf.dll
2009-03-22 20:53 127,488 a--sh--- c:\windows\system32\wpxkuh.dll
2009-03-22 08:54 128,512 a--sh--- c:\windows\system32\jvlkxl.dll
2009-03-21 20:53 129,536 a--sh--- c:\windows\system32\ugmcsj.dll
2009-03-21 20:46 58,368 a------- c:\windows\system32\~.exe
2009-03-19 07:54 <DIR> --d----- c:\program files\iPod
2009-03-19 07:54 <DIR> --d----- c:\program files\iTunes
2009-03-19 07:54 <DIR> --d----- c:\docume~1\alluse~1\applic~1\{00D89592-F643-4D8D-8F0F-AFAE0F14D4C3}
2009-03-19 07:49 1,900,544 a------- c:\windows\system32\usbaaplrc.dll

==================== Find3M ====================

2009-03-26 20:54 61,440 a--sh--- c:\windows\system32\dorebobo.exe
2009-03-26 08:54 128,000 a--sh--- c:\windows\system32\gananiro.dll
2009-03-25 20:54 128,512 a--sh--- c:\windows\system32\huhugafe.dll
2009-03-25 20:54 90,624 -------- c:\windows\system32\kipogewu.dll
2009-03-25 08:54 129,024 a--sh--- c:\windows\system32\pihuhiru.dll
2009-03-24 20:54 129,024 a--sh--- c:\windows\system32\sipewise.dll
2009-03-24 20:54 95,232 a--sh--- c:\windows\system32\kelesopu.dll
2009-03-24 20:54 89,088 -------- c:\windows\system32\gijimedo.dll
2009-03-24 08:53 128,000 a--sh--- c:\windows\system32\suhidonu.dll
2009-03-24 08:53 94,208 a--sh--- c:\windows\system32\fukafati.dll
2009-03-24 08:53 90,624 -------- c:\windows\system32\puhafewu.dll
2009-03-23 20:53 129,024 a--sh--- c:\windows\system32\jijoyowe.dll
2009-03-23 20:53 89,088 -------- c:\windows\system32\tonosile.dll
2009-03-23 20:53 94,720 a--sh--- c:\windows\system32\tibufenu.dll
2009-03-23 08:53 128,000 a--sh--- c:\windows\system32\zezurula.dll
2009-03-23 08:53 94,720 a--sh--- c:\windows\system32\vusilina.dll
2009-03-23 08:53 89,600 -------- c:\windows\system32\jibuvuna.dll
2009-03-22 20:52 127,488 a--sh--- c:\windows\system32\dedufaro.dll
2009-03-22 20:52 96,256 a--sh--- c:\windows\system32\wulivizu.dll
2009-03-22 20:52 90,112 a--sh--- c:\windows\system32\tukusoki.dll
2009-03-22 08:53 128,512 a--sh--- c:\windows\system32\durumiho.dll
2009-03-22 08:53 94,720 a--sh--- c:\windows\system32\bulilufu.dll
2009-03-22 08:53 90,624 -------- c:\windows\system32\kosilalo.dll
2009-03-21 20:52 90,624 -------- c:\windows\system32\kateroni.dll
2009-03-21 20:52 129,536 a--sh--- c:\windows\system32\fefiyiri.dll
2009-03-21 20:52 95,232 a--sh--- c:\windows\system32\howiduga.dll
2009-03-19 08:23 410,984 a------- c:\windows\system32\deploytk.dll
2009-03-05 23:59 36,864 a------- c:\windows\system32\drivers\usbaapl.sys
2009-02-09 07:13 1,846,784 a------- c:\windows\system32\win32k.sys
2009-02-09 07:13 1,846,784 -------- c:\windows\system32\dllcache\win32k.sys
2009-01-16 22:35 3,594,752 -------- c:\windows\system32\dllcache\mshtml.dll
2008-11-04 10:12 35,624 a------- c:\docume~1\bobswa~1\applic~1\GDIPFONTCACHEV1.DAT
2008-05-11 19:00 20 ----h--- c:\docume~1\alluse~1\applic~1\PKP_DLec.DAT
2006-01-06 15:42 127,968 a------- c:\program files\Re
0000-00-00 00:00 58,368 a--sh--- c:\windows\system32\bojigenu.dll
0000-00-00 00:00 58,368 a--sh--- c:\windows\system32\kipipasu.dll
2008-09-10 16:11 32,768 a--sh--- c:\windows\system32\config\systemprofile\local settings\history\history.ie5\mshist012008091020080911\index.dat

============= FINISH: 9:15:44.32 ===============

Clark76 · 03-27-2009, 09:05 PM

Hello and welcome to TSF

You may wish to subscribe to this thread to get immediate notification of replies as soon as they are posted. To do this click Thread Tools, then click Subscribe to this Thread. Make sure it is set to Instant Notification, then click Subscribe.

-------------------------------------

Quote:

I use Carbonite for backup and to my knowledge do not have any P2P software installed. My son has downloaded music off of a friend's CD -- could that have been it

That can always be a possibility but there are many different ways you can get infected now a days. P2P is just one of many different ways sadly

---------------------------------------

We will begin with ComboFix.exe. Please visit this webpage for download links, and instructions for running the tool:

http://www.bleepingcomputer.com/comb...o-use-combofix

* Ensure you have disabled all anti virus and anti malware programs so they do not interfere with the running of ComboFix.
See this link for instructions on how to do this:
How To Temporarily Disable Your Anti-virus, Firewall And Anti-malware Programs

Please include the C:\ComboFix.txt in your next reply for further review.

rswanson25 · 03-29-2009, 12:46 PM

Thank you Clark. I thought I had selected immediate notification, but I never received an email. Since my original post, I've been unable to return to this site (or just about any other site), so I checked using my wife's computer at her work and saw your post. I've downloaded ComboFix to a zip drive and will install it on my computer at home. Hopefully I will be sending you positive results soon. Again, I appreciate your help. Bob

Clark76 · 03-29-2009, 03:04 PM

Sorry about that. The site has been having some trouble with the email notifications. Lately it has been a hit or miss

I will be here when you have the requested log

rswanson25 · 03-29-2009, 06:36 PM

OK - progress is not good I'm sorry to report. I downloaded ComboFix to my desktop and double-clicked. I did not get the Open File - Security Warning screen as shown in the ComboFix guide. I did see the blue screen display, but there was no text present (as in "please wait. Combofix is preparing to run"). After a few seconds Windows shut down and I had the blue stop error screen. It said BAD_POOL_CALLER and said if this was the first time, to restart the computer. If it happened again I needed to disable new hardware or software, disable BIOS memory options. The technical code is 0x000000c2 (0x00000007, 0x00000cd4, 0x15ffff44d, 0x8053580d). I had another Combofix file saved on my desktop with a generic name (I had read some trojans are set up to handle fixit programs that are out) and I had the same results. So, I am on my wife's computer again working this thread. Would it be possible to give you my email address? That would make it easier on me to communicate. If you have access to my profile with you, you can get the email address off of that. I appreciate your help on this. Bob

Clark76 · 03-29-2009, 06:44 PM

Unfortunately I only provide support through the forums. Many of the tools I use are geared for forum work.

-----------------

Restart your computer and boot into Safe Mode by hitting the F8 key repeatedly until a menu shows up (and choose Safe Mode from the list). In some systems, this may be the F5 key, so try that if F8 doesn't work. Login on your usual account. Make sure to close any open browsers.

-------------------

Now try running ComboFix again and let me know how it goes.

rswanson25 · 03-30-2009, 09:16 AM

Clark - I was able to run ComboFix. Here is the log.
ComboFix 09-03-29.02 - Bob Swanson 2009-03-30 10:15:26.1 - NTFSx86 MINIMAL
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.3582.3260 [GMT -4:00]
Running from: c:\documents and settings\Bob Swanson\Desktop\ComboFix.exe
AV: McAfee VirusScan *On-access scanning disabled* (Updated)
FW: McAfee Personal Firewall *enabled*

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\docume~1\BOBSWA~1\LOCALS~1\Temp\mousehook.dll
c:\docume~1\BOBSWA~1\LOCALS~1\Temp\ntdll64.dll
c:\windows\system32\aliases.ini
c:\windows\system32\bubodozu.dll
c:\windows\system32\fghxud.dll
c:\windows\system32\forugaza.dll
c:\windows\system32\frmwrk32.exe
c:\windows\system32\hesudobu.dll
c:\windows\system32\jalopeya.dll
c:\windows\system32\kosilalo.dll
c:\windows\system32\loviheti.dll
c:\windows\system32\nhser43uhjnefr.dll
c:\windows\system32\notopibi.dll
c:\windows\system32\ntdll64.exe
c:\windows\system32\pihuhiru.dll
c:\windows\system32\remote.ini
c:\windows\system32\servers.ini
c:\windows\system32\tuvafuye.dll
c:\windows\system32\uniq.tll
c:\windows\system32\waduyeso.dll
c:\windows\system32\warning.gif
c:\windows\system32\win32hlp.cnf
c:\windows\system32\wubajiro.dll
c:\windows\system32\yabohoyu.dll
c:\windows\system32\yawopadu.dll
c:\windows\system32\zafugiho.dll.vir

.
((((((((((((((((((((((((( Files Created from 2009-02-28 to 2009-03-30 )))))))))))))))))))))))))))))))
.

2009-03-29 20:02 . 2009-03-29 20:02 <DIR> d-------- C:\Surf
2009-03-27 17:33 . 2009-03-27 17:34 156,160 --a------ c:\windows\aqovimov.dll
2009-03-27 17:18 . 2009-03-27 17:18 27,136 --a------ C:\vaybq.exe
2009-03-27 17:16 . 2009-03-27 17:16 40,448 --a------ C:\liymwuq.exe
2009-03-27 17:16 . 2009-03-27 17:17 7,680 --a------ C:\ijmaxk.exe
2009-03-27 17:15 . 2009-03-27 17:15 104,960 --a------ c:\windows\system32\dllcache\userinit.exe
2009-03-27 17:15 . 2009-03-27 17:15 27,136 --a------ C:\ajtbyh.exe
2009-03-27 17:15 . 2004-08-04 06:00 4,224 --a------ c:\windows\system32\drivers\OLD142.tmp
2009-03-27 17:14 . 2009-03-27 17:17 2 --a------ C:\1155482156
2009-03-27 17:13 . 2009-03-27 17:13 7,680 --a------ C:\wicnin.exe
2009-03-27 17:12 . 2009-03-27 17:12 40,448 --a------ c:\windows\Rreret.dll
2009-03-27 17:12 . 2009-03-27 17:12 40,448 --a------ C:\dmsiacq.exe
2009-03-27 17:12 . 2009-03-27 17:12 9,216 --a------ c:\windows\instsp2.exe
2009-03-19 07:54 . 2009-03-19 07:55 <DIR> d-------- c:\program files\iTunes
2009-03-19 07:54 . 2009-03-19 07:54 <DIR> d-------- c:\program files\iPod
2009-03-19 07:54 . 2009-03-19 07:55 <DIR> d-------- c:\documents and settings\All Users\Application Data\{00D89592-F643-4D8D-8F0F-AFAE0F14D4C3}
2009-03-19 07:51 . 2009-03-19 07:51 <DIR> d-------- c:\program files\QuickTime
2009-03-19 07:49 . 2009-03-05 23:59 1,900,544 --a------ c:\windows\system32\usbaaplrc.dll

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-03-30 14:26 --------- d-----w c:\program files\CyberPower PowerPanel Personal Edition
2009-03-19 11:54 --------- d-----w c:\program files\Common Files\Apple
2009-03-19 11:53 --------- d-----w c:\program files\Bonjour
2009-03-06 03:59 36,864 ----a-w c:\windows\system32\drivers\usbaapl.sys
2009-02-27 11:34 --------- d-----w c:\program files\Microsoft Silverlight
2009-02-26 20:27 --------- d-----w c:\documents and settings\Bob Swanson\Application Data\U3
2009-02-12 14:04 --------- d-----w c:\program files\Quicken
2009-02-11 02:47 --------- d-----w c:\program files\Google
2009-01-29 01:01 --------- d-----w c:\documents and settings\Linda Swanson\Application Data\Move Networks
2008-12-12 00:58 35,624 ----a-w c:\documents and settings\Emily Swanson\Application Data\GDIPFONTCACHEV1.DAT
2008-11-04 15:16 35,624 ----a-w c:\documents and settings\Linda Swanson\Application Data\GDIPFONTCACHEV1.DAT
2008-11-04 14:12 35,624 ----a-w c:\documents and settings\Bob Swanson\Application Data\GDIPFONTCACHEV1.DAT
2008-10-09 20:12 31,736 ----a-w c:\documents and settings\Michael Swanson\Application Data\GDIPFONTCACHEV1.DAT
2008-05-11 23:00 20 ---h--w c:\documents and settings\All Users\Application Data\PKP_DLec.DAT
2007-10-18 20:23 1,762,304 ----a-w c:\documents and settings\Michael Swanson\ClearN7_1.exe
2007-10-18 19:27 1,394,568 ----a-w c:\documents and settings\Michael Swanson\install_easyshare.exe
2007-05-31 01:01 190,064 ----a-w c:\documents and settings\Michael Swanson\Morpheus.exe
2006-01-06 19:42 127,968 ----a-w c:\program files\Re
2008-09-10 20:11 32,768 --sha-w c:\windows\system32\config\systemprofile\Local Settings\History\History.IE5\MSHist012008091020080911\index.dat
.

------- Sigcheck -------

2004-08-04 06:00 24576 39b1ffb03c2296323832acbae50d2aff c:\windows\$NtServicePackUninstall$\userinit.exe
2008-04-13 20:12 26112 a93aee1928a9d7ce3e16d24ec7380f89 c:\windows\ServicePackFiles\i386\userinit.exe
2009-03-27 17:15 104960 2e1acb5bdfb74aa2fd04546802b76b5f c:\windows\system32\userinit.exe
2009-03-27 17:15 104960 2e1acb5bdfb74aa2fd04546802b76b5f c:\windows\system32\dllcache\userinit.exe
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\Carbonite.Green]
@="{95A27763-F62A-4114-9072-E81D87DE3B68}"
[HKEY_CLASSES_ROOT\CLSID\{95A27763-F62A-4114-9072-E81D87DE3B68}]
2009-01-09 16:13 583312 -ra------ c:\program files\Carbonite\Carbonite Backup\CarboniteNSE.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\Carbonite.Partial]
@="{E300CD91-100F-4E67-9AF3-1384A6124015}"
[HKEY_CLASSES_ROOT\CLSID\{E300CD91-100F-4E67-9AF3-1384A6124015}]
2009-01-09 16:13 583312 -ra------ c:\program files\Carbonite\Carbonite Backup\CarboniteNSE.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\Carbonite.Yellow]
@="{5E529433-B50E-4bef-A63B-16A6B71B071A}"
[HKEY_CLASSES_ROOT\CLSID\{5E529433-B50E-4bef-A63B-16A6B71B071A}]
2009-01-09 16:13 583312 -ra------ c:\program files\Carbonite\Carbonite Backup\CarboniteNSE.dll

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"DellSupport"="c:\program files\DellSupport\DSAgnt.exe" [2007-03-15 460784]
"MSMSGS"="c:\program files\Messenger\msmsgs.exe" [2008-04-13 1695232]
"DellSupportCenter"="c:\program files\Dell Support Center\bin\sprtcmd.exe" [2008-08-13 206064]
"PowerPanel Personal Edition User Interaction"="c:\program files\CyberPower PowerPanel Personal Edition\pppeuser.exe" [2007-12-07 315392]
"WMPNSCFG"="c:\program files\Windows Media Player\WMPNSCFG.exe" [2006-10-18 204288]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"IAAnotif"="c:\program files\Intel\Intel Matrix Storage Manager\iaanotif.exe" [2005-04-25 139264]
"ATIPTA"="c:\program files\ATI Technologies\ATI Control Panel\atiptaxx.exe" [2004-08-25 339968]
"IntelMeM"="c:\program files\Intel\Modem Event Monitor\IntelMEM.exe" [2003-09-03 221184]
"DVDLauncher"="c:\program files\CyberLink\PowerDVD\DVDLauncher.exe" [2005-02-23 53248]
"ISUSPM Startup"="c:\progra~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe" [2004-07-27 221184]
"ISUSScheduler"="c:\program files\Common Files\InstallShield\UpdateService\issch.exe" [2004-07-27 81920]
"HPDJ Taskbar Utility"="c:\windows\system32\spool\drivers\w32x86\3\hpztsb07.exe" [2002-11-22 188416]
"dla"="c:\windows\system32\dla\tfswctrl.exe" [2004-03-15 122933]
"dscactivate"="c:\program files\Dell Support Center\gs_agent\custom\dsca.exe" [2007-11-15 16384]
"TkBellExe"="c:\program files\Common Files\Real\Update_OB\realsched.exe" [2008-03-28 185896]
"Error Nuker"="c:\program files\Error Nuker\bin\ErrorNuker.exe" [2005-01-17 3002368]
"DellSupportCenter"="c:\program files\Dell Support Center\bin\sprtcmd.exe" [2008-08-13 206064]
"masqform.exe"="c:\program files\PureEdge\Viewer 6.5\masqform.exe" [2005-07-04 643072]
"mcagent_exe"="c:\program files\McAfee.com\Agent\mcagent.exe" [2007-11-01 582992]
"HPHmon04"="c:\windows\system32\hphmon04.exe" [2002-11-22 348160]
"HPHUPD04"="c:\program files\HP Photosmart 11\hphinstall\UniPatch\hphupd04.exe" [2002-11-22 49152]
"Share-to-Web Namespace Daemon"="c:\program files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe" [2002-04-17 69632]
"McAfee Backup"="c:\program files\McAfee\MBK\McAfeeDataBackup.exe" [2007-01-16 4838952]
"MBkLogOnHook"="c:\program files\McAfee\MBK\LogOnHook.exe" [2007-01-08 20480]
"Carbonite Backup"="c:\program files\Carbonite\Carbonite Backup\CarboniteUI.exe" [2009-01-09 669840]
"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2009-01-05 413696]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2009-03-12 342312]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2009-03-19 148888]
"Fkojurovi"="c:\windows\Rreret.dll" [2009-03-27 40448]
"Jtezewu"="c:\windows\aqovimov.dll" [2009-03-27 156160]
"SigmatelSysTrayApp"="stsystra.exe" [2005-03-23 c:\windows\stsystra.exe]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
Adobe Reader Speed Launch.lnk - c:\program files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2008-04-23 29696]
Microsoft Office.lnk - c:\program files\Microsoft Office\Office10\OSA.EXE [2001-02-13 83360]
NkbMonitor.exe.lnk - c:\program files\Nikon\PictureProject\NkbMonitor.exe [2008-03-20 118784]
ymetray.lnk - c:\program files\Yahoo!\Yahoo! Music Engine\ymetray.exe [2008-02-05 54512]

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusDisableNotify"=dword:00000001
"UpdatesDisableNotify"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Common Files\\McAfee\\MNA\\McNASvc.exe"=
"c:\\Program Files\\Yahoo!\\Yahoo! Music Engine\\YahooMusicEngine.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\\Program Files\\Error Nuker\\bin\\ErrorNuker.exe"=
"c:\\Program Files\\Microsoft Office\\Office10\\OUTLOOK.EXE"=
"c:\\WINDOWS\\system32\\vssvc.exe"=
"c:\\WINDOWS\\system32\\dllhost.exe"=
"c:\\WINDOWS\\system32\\hphmon04.exe"=
"c:\\WINDOWS\\system32\\imapi.exe"=
"c:\\WINDOWS\\stsystra.exe"=
"c:\\Program Files\\Intel\\Modem Event Monitor\\IntelMEM.exe"=

R2 IntuitUpdateService;Intuit Update Service;c:\program files\Common Files\Intuit\Update Service\IntuitUpdateService.exe [2008-10-10 13088]
S1 7b54a0e9;7b54a0e9;c:\windows\system32\drivers\7b54a0e9.sys --> c:\windows\system32\drivers\7b54a0e9.sys [?]
S2 gupdate1c9878ec79c3ec2;Google Update Service (gupdate1c9878ec79c3ec2);c:\program files\Google\Update\GoogleUpdate.exe [2009-02-05 133104]
S3 w300mgmt;Sony Ericsson W300 USB WMC Device Management Drivers (WDM);c:\windows\system32\drivers\w300mgmt.sys [2005-12-28 87824]
S3 w300obex;Sony Ericsson W300 USB WMC OBEX Interface;c:\windows\system32\drivers\w300obex.sys [2005-12-28 85696]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{f9bb3ff6-ab43-11dd-b6ec-00123f6f9cbf}]
\shell\autorun\command - g:\windows\IronKey.exe
.
Contents of the 'Scheduled Tasks' folder

2009-03-30 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 12:34]

2009-03-26 c:\windows\Tasks\HP Usg Daily.job
- c:\program files\hp photosmart 11\printer\Hphusg04.exe [2002-11-22 15:50]

2009-03-25 c:\windows\Tasks\Java Update.job
- c:\program files\Java\jre1.6.0_05\bin\jucheck.exe [2008-02-22 04:25]

2008-10-15 c:\windows\Tasks\McDefragTask.job
- c:\progra~1\mcafee\mqc\QcConsol.exe [2007-12-04 13:32]

2009-03-01 c:\windows\Tasks\McQcTask.job
- c:\progra~1\mcafee\mqc\QcConsol.exe [2007-12-04 13:32]
.
- - - - ORPHANS REMOVED - - - -

BHO-{c2ba40a2-74f3-42bd-f434-2604812c8954} - c:\windows\system32\nhser43uhjnefr.dll
SharedTaskScheduler-{C2BA40A2-74F3-42BD-F434-2604812C8954} - c:\windows\system32\nhser43uhjnefr.dll
Notify-ckpNotify - (no file)

.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.refdesk.com/
uInternet Settings,ProxyOverride = *.local
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~4\Office10\EXCEL.EXE/3000
Trusted Zone: internet
Trusted Zone: mcafee.com
Trusted Zone: turbotax.com
DPF: {15589FA1-C456-11CE-BF01-000000000000} - hxxp://www.errornuker.com/products/errn2004/installers/default/ErrorNukerInstaller.exe
DPF: {6D2EF4B4-CB62-4C0B-85F3-B79C236D702C} - hxxp://www.facebook.com/controls/contactx.dll
FF - ProfilePath - c:\documents and settings\Bob Swanson\Application Data\Mozilla\Firefox\Profiles\bdw5udla.default\
FF - prefs.js: browser.startup.homepage - hxxp://www.refdesk.com/
FF - plugin: c:\program files\eMusic Download Manager\plugin\npemusic.dll
FF - plugin: c:\program files\Google\Update\1.2.141.5\npGoogleOneClick7.dll
FF - plugin: c:\program files\Viewpoint\Viewpoint Experience Technology\npViewpoint.dll
.

**************************************************************************

catchme 0.3.1375 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-03-30 10:53:35
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

HKLM\Software\Microsoft\Windows\CurrentVersion\Run
McAfee Backup = c:\program files\McAfee\MBK\McAfeeDataBackup.exe?????????????????????????????????????????????????????????????????????????????????

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_USERS\S-1-5-21-1109410338-2750378667-2462934570-1006\Software\Microsoft\SystemCertificates\AddressBook*]
@Allowed: (Read) (RestrictedCode)
@Allowed: (Read) (RestrictedCode)
.
------------------------ Other Running Processes ------------------------
.
c:\windows\system32\ati2evxx.exe
c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
c:\program files\Bonjour\mDNSResponder.exe
c:\program files\Carbonite\Carbonite Backup\CarboniteService.exe
c:\program files\Intel\Intel Matrix Storage Manager\IAANTMon.exe
c:\program files\Java\jre6\bin\jqs.exe
c:\program files\McAfee\MBK\MBackMonitor.exe
c:\progra~1\McAfee\MSC\mcmscsvc.exe
c:\progra~1\COMMON~1\McAfee\MNA\McNASvc.exe
c:\progra~1\COMMON~1\McAfee\McProxy\McProxy.exe
c:\progra~1\McAfee\VIRUSS~1\Mcshield.exe
c:\program files\McAfee\MPF\MpfSrv.exe
c:\program files\CyberPower PowerPanel Personal Edition\ppped.exe
c:\program files\Dell Support Center\bin\sprtsvc.exe
c:\program files\Windows Media Player\wmpnetwk.exe
c:\progra~1\McAfee.com\Agent\mcagent.exe
c:\program files\Hewlett-Packard\HP Share-to-Web\hpgs2wnf.exe
c:\windows\system32\rundll32.exe
c:\program files\iPod\bin\iPodService.exe
c:\progra~1\McAfee\MSC\mcuimgr.exe
c:\windows\system32\vssvc.exe
c:\windows\system32\dllhost.exe
c:\windows\system32\dllhost.exe
c:\windows\system32\msdtc.exe
c:\windows\system32\wscntfy.exe
.
**************************************************************************
.
Completion time: 2009-03-30 10:59:22 - machine was rebooted [Bob Swanson]
ComboFix-quarantined-files.txt 2009-03-30 14:58:37

Pre-Run: 62,647,144,448 bytes free
Post-Run: 68,086,312,960 bytes free

257 --- E O F --- 2009-03-14 04:35:41

Let me know the next steps. Thanks. Bob

rswanson25 · 03-30-2009, 04:31 PM

I forgot to mention a couple of other things. 1) The recovery console did not install when I ran this initially. I was able to install it after ComboFix was completed. 2) ComboFix displayed a message that McAfee was still running and that might affect the outcome of the results. I don't know why this was displayed as I had disabled all the different configuration choices (firewall, virus, scripting, email, IM, etc.). 3) Should I run ComboFix one more time? Things appear to be returning back to normal, except my email is not displaying all of the graphics on an html email.
Again, thank you so much for your assistance. Bob

Clark76 · 03-30-2009, 04:45 PM

When you installed the recovery console did you do it through ComboFix and run a scan right afterwards? If so I would like to see the most recent log located here:C:\ComboFix.txt

If you did not run ComboFix right afterwards please do so now and post back with the log.

rswanson25 · 03-30-2009, 06:12 PM

I was able to run a good ComboFix procedure and the log is attached. Upon reboot, I received a RUNDLL Screen that had the message "Error loading C:\WINDOWS\Rreret.dll
The specified module could not be found."
Other than that, things are looking better. Thanks. Bob

ComboFix 09-03-29.04 - Bob Swanson 2009-03-30 19:41:04.2 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.3582.2991 [GMT -4:00]
Running from: c:\documents and settings\Bob Swanson\Desktop\ComboFix.exe
AV: McAfee VirusScan *On-access scanning disabled* (Updated)
FW: McAfee Personal Firewall *disabled*
* Created a new restore point
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

Infected copy of c:\windows\system32\userinit.exe was found and disinfected
Restored copy from - c:\windows\$NtServicePackUninstall$\userinit.exe

.
((((((((((((((((((((((((( Files Created from 2009-02-28 to 2009-03-30 )))))))))))))))))))))))))))))))
.

2009-03-29 20:02 . 2009-03-29 20:02 <DIR> d-------- C:\Surf
2009-03-27 17:33 . 2009-03-27 17:34 156,160 --a------ c:\windows\aqovimov.dll
2009-03-27 17:18 . 2009-03-27 17:18 27,136 --a------ C:\vaybq.exe
2009-03-27 17:16 . 2009-03-27 17:16 40,448 --a------ C:\liymwuq.exe
2009-03-27 17:16 . 2009-03-27 17:17 7,680 --a------ C:\ijmaxk.exe
2009-03-27 17:15 . 2009-03-27 17:15 27,136 --a------ C:\ajtbyh.exe
2009-03-27 17:15 . 2004-08-04 06:00 4,224 --a------ c:\windows\system32\drivers\OLD142.tmp
2009-03-27 17:14 . 2009-03-27 17:17 2 --a------ C:\1155482156
2009-03-27 17:13 . 2009-03-27 17:13 7,680 --a------ C:\wicnin.exe
2009-03-27 17:12 . 2009-03-27 17:12 40,448 --a------ C:\dmsiacq.exe
2009-03-27 17:12 . 2009-03-27 17:12 9,216 --a------ c:\windows\instsp2.exe
2009-03-19 07:54 . 2009-03-19 07:55 <DIR> d-------- c:\program files\iTunes
2009-03-19 07:54 . 2009-03-19 07:54 <DIR> d-------- c:\program files\iPod
2009-03-19 07:54 . 2009-03-19 07:55 <DIR> d-------- c:\documents and settings\All Users\Application Data\{00D89592-F643-4D8D-8F0F-AFAE0F14D4C3}
2009-03-19 07:51 . 2009-03-19 07:51 <DIR> d-------- c:\program files\QuickTime
2009-03-19 07:49 . 2009-03-05 23:59 1,900,544 --a------ c:\windows\system32\usbaaplrc.dll
2009-03-12 06:39 . 2009-03-12 06:39 <DIR> d-------- c:\documents and settings\LocalService\Application Data\McAfee

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-03-30 23:47 --------- d-----w c:\program files\CyberPower PowerPanel Personal Edition
2009-03-19 11:54 --------- d-----w c:\program files\Common Files\Apple
2009-03-19 11:53 --------- d-----w c:\program files\Bonjour
2009-03-06 03:59 36,864 ----a-w c:\windows\system32\drivers\usbaapl.sys
2009-02-27 11:34 --------- d-----w c:\program files\Microsoft Silverlight
2009-02-26 20:27 --------- d-----w c:\documents and settings\Bob Swanson\Application Data\U3
2009-02-12 14:04 --------- d-----w c:\program files\Quicken
2009-02-11 02:47 --------- d-----w c:\program files\Google
2009-01-29 01:01 --------- d-----w c:\documents and settings\Linda Swanson\Application Data\Move Networks
2008-12-12 00:58 35,624 ----a-w c:\documents and settings\Emily Swanson\Application Data\GDIPFONTCACHEV1.DAT
2008-11-04 15:16 35,624 ----a-w c:\documents and settings\Linda Swanson\Application Data\GDIPFONTCACHEV1.DAT
2008-11-04 14:12 35,624 ----a-w c:\documents and settings\Bob Swanson\Application Data\GDIPFONTCACHEV1.DAT
2008-10-09 20:12 31,736 ----a-w c:\documents and settings\Michael Swanson\Application Data\GDIPFONTCACHEV1.DAT
2008-05-11 23:00 20 ---h--w c:\documents and settings\All Users\Application Data\PKP_DLec.DAT
2007-10-18 20:23 1,762,304 ----a-w c:\documents and settings\Michael Swanson\ClearN7_1.exe
2007-10-18 19:27 1,394,568 ----a-w c:\documents and settings\Michael Swanson\install_easyshare.exe
2007-05-31 01:01 190,064 ----a-w c:\documents and settings\Michael Swanson\Morpheus.exe
2006-01-06 19:42 127,968 ----a-w c:\program files\Re
2008-09-10 20:11 32,768 --sha-w c:\windows\system32\config\systemprofile\Local Settings\History\History.IE5\MSHist012008091020080911\index.dat
.

((((((((((((((((((((((((((((( SnapShot@2009-03-30_10.57.20.20 )))))))))))))))))))))))))))))))))))))))))
.
- 2009-03-30 10:46:08 32,768 -c--a-w c:\windows\system32\config\systemprofile\Cookies\index.dat
+ 2009-03-30 22:29:33 32,768 -c--a-w c:\windows\system32\config\systemprofile\Cookies\index.dat
- 2009-03-30 10:46:08 32,768 -c--a-w c:\windows\system32\config\systemprofile\Local Settings\History\History.IE5\index.dat
+ 2009-03-30 22:29:33 32,768 -c--a-w c:\windows\system32\config\systemprofile\Local Settings\History\History.IE5\index.dat
+ 2009-03-30 22:29:33 32,768 --sha-w c:\windows\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\index.dat
- 2009-03-27 21:15:37 104,960 ----a-w c:\windows\system32\dllcache\userinit.exe
+ 2004-08-04 10:00:00 24,576 ----a-w c:\windows\system32\dllcache\userinit.exe
- 2009-03-27 21:15:37 104,960 ----a-w c:\windows\system32\userinit.exe
+ 2004-08-04 10:00:00 24,576 ----a-w c:\windows\system32\userinit.exe
+ 2009-03-30 23:47:49 16,384 ----atw c:\windows\Temp\Perflib_Perfdata_6b0.dat
+ 2009-03-30 23:47:29 16,384 ----atw c:\windows\Temp\Perflib_Perfdata_fc.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\Carbonite.Green]
@="{95A27763-F62A-4114-9072-E81D87DE3B68}"
[HKEY_CLASSES_ROOT\CLSID\{95A27763-F62A-4114-9072-E81D87DE3B68}]
2009-01-09 16:13 583312 -ra------ c:\program files\Carbonite\Carbonite Backup\CarboniteNSE.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\Carbonite.Partial]
@="{E300CD91-100F-4E67-9AF3-1384A6124015}"
[HKEY_CLASSES_ROOT\CLSID\{E300CD91-100F-4E67-9AF3-1384A6124015}]
2009-01-09 16:13 583312 -ra------ c:\program files\Carbonite\Carbonite Backup\CarboniteNSE.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\Carbonite.Yellow]
@="{5E529433-B50E-4bef-A63B-16A6B71B071A}"
[HKEY_CLASSES_ROOT\CLSID\{5E529433-B50E-4bef-A63B-16A6B71B071A}]
2009-01-09 16:13 583312 -ra------ c:\program files\Carbonite\Carbonite Backup\CarboniteNSE.dll

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"DellSupport"="c:\program files\DellSupport\DSAgnt.exe" [2007-03-15 460784]
"MSMSGS"="c:\program files\Messenger\msmsgs.exe" [2008-04-13 1695232]
"DellSupportCenter"="c:\program files\Dell Support Center\bin\sprtcmd.exe" [2008-08-13 206064]
"PowerPanel Personal Edition User Interaction"="c:\program files\CyberPower PowerPanel Personal Edition\pppeuser.exe" [2007-12-07 315392]
"WMPNSCFG"="c:\program files\Windows Media Player\WMPNSCFG.exe" [2006-10-18 204288]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"IAAnotif"="c:\program files\Intel\Intel Matrix Storage Manager\iaanotif.exe" [2005-04-25 139264]
"ATIPTA"="c:\program files\ATI Technologies\ATI Control Panel\atiptaxx.exe" [2004-08-25 339968]
"IntelMeM"="c:\program files\Intel\Modem Event Monitor\IntelMEM.exe" [2003-09-03 221184]
"DVDLauncher"="c:\program files\CyberLink\PowerDVD\DVDLauncher.exe" [2005-02-23 53248]
"ISUSPM Startup"="c:\progra~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe" [2004-07-27 221184]
"ISUSScheduler"="c:\program files\Common Files\InstallShield\UpdateService\issch.exe" [2004-07-27 81920]
"HPDJ Taskbar Utility"="c:\windows\system32\spool\drivers\w32x86\3\hpztsb07.exe" [2002-11-22 188416]
"dla"="c:\windows\system32\dla\tfswctrl.exe" [2004-03-15 122933]
"dscactivate"="c:\program files\Dell Support Center\gs_agent\custom\dsca.exe" [2007-11-15 16384]
"TkBellExe"="c:\program files\Common Files\Real\Update_OB\realsched.exe" [2008-03-28 185896]
"Error Nuker"="c:\program files\Error Nuker\bin\ErrorNuker.exe" [2005-01-17 3002368]
"DellSupportCenter"="c:\program files\Dell Support Center\bin\sprtcmd.exe" [2008-08-13 206064]
"masqform.exe"="c:\program files\PureEdge\Viewer 6.5\masqform.exe" [2005-07-04 643072]
"mcagent_exe"="c:\program files\McAfee.com\Agent\mcagent.exe" [2007-11-01 582992]
"HPHmon04"="c:\windows\system32\hphmon04.exe" [2002-11-22 348160]
"HPHUPD04"="c:\program files\HP Photosmart 11\hphinstall\UniPatch\hphupd04.exe" [2002-11-22 49152]
"Share-to-Web Namespace Daemon"="c:\program files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe" [2002-04-17 69632]
"McAfee Backup"="c:\program files\McAfee\MBK\McAfeeDataBackup.exe" [2007-01-16 4838952]
"MBkLogOnHook"="c:\program files\McAfee\MBK\LogOnHook.exe" [2007-01-08 20480]
"Carbonite Backup"="c:\program files\Carbonite\Carbonite Backup\CarboniteUI.exe" [2009-01-09 669840]
"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2009-01-05 413696]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2009-03-12 342312]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2009-03-19 148888]
"Jtezewu"="c:\windows\aqovimov.dll" [2009-03-27 156160]
"SigmatelSysTrayApp"="stsystra.exe" [2005-03-23 c:\windows\stsystra.exe]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
Adobe Reader Speed Launch.lnk - c:\program files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2008-04-23 29696]
Microsoft Office.lnk - c:\program files\Microsoft Office\Office10\OSA.EXE [2001-02-13 83360]
NkbMonitor.exe.lnk - c:\program files\Nikon\PictureProject\NkbMonitor.exe [2008-03-20 118784]
ymetray.lnk - c:\program files\Yahoo!\Yahoo! Music Engine\ymetray.exe [2008-02-05 54512]

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusDisableNotify"=dword:00000001
"UpdatesDisableNotify"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Common Files\\McAfee\\MNA\\McNASvc.exe"=
"c:\\Program Files\\Yahoo!\\Yahoo! Music Engine\\YahooMusicEngine.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\\Program Files\\Error Nuker\\bin\\ErrorNuker.exe"=
"c:\\Program Files\\Microsoft Office\\Office10\\OUTLOOK.EXE"=
"c:\\WINDOWS\\system32\\vssvc.exe"=
"c:\\WINDOWS\\system32\\dllhost.exe"=
"c:\\WINDOWS\\system32\\hphmon04.exe"=
"c:\\WINDOWS\\system32\\imapi.exe"=
"c:\\WINDOWS\\stsystra.exe"=
"c:\\Program Files\\Intel\\Modem Event Monitor\\IntelMEM.exe"=

R2 IntuitUpdateService;Intuit Update Service;c:\program files\Common Files\Intuit\Update Service\IntuitUpdateService.exe [2008-10-10 13088]
S1 7b54a0e9;7b54a0e9;c:\windows\system32\drivers\7b54a0e9.sys --> c:\windows\system32\drivers\7b54a0e9.sys [?]
S2 gupdate1c9878ec79c3ec2;Google Update Service (gupdate1c9878ec79c3ec2);c:\program files\Google\Update\GoogleUpdate.exe [2009-02-05 133104]
S3 w300mgmt;Sony Ericsson W300 USB WMC Device Management Drivers (WDM);c:\windows\system32\drivers\w300mgmt.sys [2005-12-28 87824]
S3 w300obex;Sony Ericsson W300 USB WMC OBEX Interface;c:\windows\system32\drivers\w300obex.sys [2005-12-28 85696]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{f9bb3ff6-ab43-11dd-b6ec-00123f6f9cbf}]
\shell\autorun\command - g:\windows\IronKey.exe
.
Contents of the 'Scheduled Tasks' folder

2009-03-30 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 12:34]

2009-03-26 c:\windows\Tasks\HP Usg Daily.job
- c:\program files\hp photosmart 11\printer\Hphusg04.exe [2002-11-22 15:50]

2009-03-25 c:\windows\Tasks\Java Update.job
- c:\program files\Java\jre1.6.0_05\bin\jucheck.exe [2008-02-22 04:25]

2008-10-15 c:\windows\Tasks\McDefragTask.job
- c:\progra~1\mcafee\mqc\QcConsol.exe [2007-12-04 13:32]

2009-03-01 c:\windows\Tasks\McQcTask.job
- c:\progra~1\mcafee\mqc\QcConsol.exe [2007-12-04 13:32]
.
- - - - ORPHANS REMOVED - - - -

HKLM-Run-Fkojurovi - c:\windows\Rreret.dll

.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.refdesk.com/
uInternet Settings,ProxyOverride = *.local
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~4\Office10\EXCEL.EXE/3000
Trusted Zone: internet
Trusted Zone: mcafee.com
Trusted Zone: turbotax.com
DPF: {15589FA1-C456-11CE-BF01-000000000000} - hxxp://www.errornuker.com/products/errn2004/installers/default/ErrorNukerInstaller.exe
DPF: {6D2EF4B4-CB62-4C0B-85F3-B79C236D702C} - hxxp://www.facebook.com/controls/contactx.dll
FF - ProfilePath - c:\documents and settings\Bob Swanson\Application Data\Mozilla\Firefox\Profiles\bdw5udla.default\
FF - prefs.js: browser.startup.homepage - hxxp://www.refdesk.com/
FF - plugin: c:\program files\eMusic Download Manager\plugin\npemusic.dll
FF - plugin: c:\program files\Google\Update\1.2.141.5\npGoogleOneClick7.dll
FF - plugin: c:\program files\Viewpoint\Viewpoint Experience Technology\npViewpoint.dll
.

**************************************************************************

catchme 0.3.1375 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-03-30 19:48:32
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

HKLM\Software\Microsoft\Windows\CurrentVersion\Run
McAfee Backup = c:\program files\McAfee\MBK\McAfeeDataBackup.exe?????????????????????????????????????????????????????????????????????????????????

scanning hidden files ...

**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_USERS\S-1-5-21-1109410338-2750378667-2462934570-1006\Software\Microsoft\SystemCertificates\AddressBook*]
@Allowed: (Read) (RestrictedCode)
@Allowed: (Read) (RestrictedCode)
.
------------------------ Other Running Processes ------------------------
.
c:\windows\system32\ati2evxx.exe
c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
c:\program files\Bonjour\mDNSResponder.exe
c:\program files\Carbonite\Carbonite Backup\CarboniteService.exe
c:\program files\Intel\Intel Matrix Storage Manager\IAANTMon.exe
c:\program files\Java\jre6\bin\jqs.exe
c:\program files\McAfee\MBK\MBackMonitor.exe
c:\progra~1\McAfee\MSC\mcmscsvc.exe
c:\progra~1\COMMON~1\McAfee\MNA\McNASvc.exe
c:\progra~1\COMMON~1\McAfee\McProxy\McProxy.exe
c:\progra~1\McAfee\VIRUSS~1\Mcshield.exe
c:\program files\McAfee\MPF\MpfSrv.exe
c:\program files\CyberPower PowerPanel Personal Edition\ppped.exe
c:\program files\Dell Support Center\bin\sprtsvc.exe
c:\progra~1\McAfee.com\Agent\mcagent.exe
c:\program files\Windows Media Player\wmpnetwk.exe
c:\windows\system32\wscntfy.exe
c:\program files\Hewlett-Packard\HP Share-to-Web\hpgs2wnf.exe
c:\windows\system32\rundll32.exe
c:\progra~1\McAfee\VIRUSS~1\mcsysmon.exe
c:\windows\system32\hphipm11.exe
c:\program files\iPod\bin\iPodService.exe
c:\progra~1\McAfee\MSC\mcuimgr.exe
.
**************************************************************************
.
Completion time: 2009-03-30 19:59:28 - machine was rebooted [Bob Swanson]
ComboFix-quarantined-files.txt 2009-03-30 23:58:08
ComboFix2.txt 2009-03-30 14:59:24

Pre-Run: 67,943,436,288 bytes free
Post-Run: 67,923,197,952 bytes free

234 --- E O F --- 2009-03-14 04:35:41

Clark76 · 03-30-2009, 08:27 PM

Hello again

Your Java is out of date. Older versions have vulnerabilities that malware can use to infect your system. Please follow these steps to remove older version Java components and update.

Download the latest version of Java Runtime Environment (JRE) 6 and save it to your desktop.
Scroll down to where it says "Java SE Runtime Environment (JRE) 6 Update 13. The Java SE Runtime Environment (JRE) allows end-users to run Java applications."
Click the "Download" button to the right.
Select the Windows platform from the dropdown menu.
Read the License Agreement and then check the box that says: " I agree to the Java SE Runtime Environment 6 with JavaFX License Agreement". Click on Continue.The page will refresh.
Click on the link to download Windows Offline Installation and save the file to your desktop.
Close any programs you may have running - especially your web browser.
Go to Start > Settings > Control Panel, double-click on Add/Remove Programs and remove all older versions of Java.
Check (highlight) any item with Java Runtime Environment (JRE or J2SE or Java(TM) 6) in the name.
Click the Remove or Change/Remove button.
Repeat as many times as necessary to remove each Java versions.
Reboot your computer once all Java components are removed.
Then from your desktop double-click on jre-6u13-windows-i586-p.exe to install the newest version.

After the install is complete, go into the Control Panel (using Classic View) and double-click the Java Icon. (looks like a coffee cup)
- On the General tab, under Temporary Internet Files, click the Settings button.
- Next, click on the Delete Files button
- There are two options in the window to clear the cache - Leave BOTH Checked
  - Applications and Applets
    Trace and Log Files
- Click OK on Delete Temporary Files Window
  Note: This deletes ALL the Downloaded Applications and Applets from the CACHE.
- Click OK to leave the Temporary Files Window
- Click OK to leave the Java Control Panel.

-------------------------

1. Close any open browsers.

2. Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.

3. Open notepad and copy/paste the text in the codebox below into it:

Code:

http://www.techsupportforum.com/security-center/virus-trojan-spyware-help/360536-vundo-grb-trojan-keeps-coming-back.html#post2053127

Collect::
c:\windows\aqovimov.dll
C:\vaybq.exe
C:\liymwuq.exe
C:\ijmaxk.exe
C:\ajtbyh.exe
C:\wicnin.exe
C:\dmsiacq.exe
c:\windows\instsp2.exe

Suspect::
c:\windows\system32\drivers\7b54a0e9.sys

RegNull::
[HKEY_USERS\S-1-5-21-1109410338-2750378667-2462934570-1006\Software\Microsoft\SystemCertificates\AddressBook*]

Save this as "CFScript"

Refering to the picture above, drag CFScript into ComboFix.exe
Then post the resultant log

Note:
Do not mouseclick combofix's window while it's running. That may cause it to stall

**Note**

When CF finishes running, the ComboFix log will open along with a message box--do not be alarmed. With the above script, ComboFix will capture files to submit for analysis.

Ensure you are connected to the internet and click OK on the message box.

--------------------------

Establish an internet connection & perform an online scan with Firefox or Internet Explorer at Kaspersky Online Scanner

**Note**

To optimize scanning time and produce a more sensible report for review:

Close any open programs
Turn off the real time scanner of any existing antivirus program while performing the online scan.

Click Accept, when prompted to download and install the program files and database of malware definitions.

Click Run at the Security prompt.
The program will then begin downloading and installing and will also update the database.
Please be patient as this can take several minutes.
Once the update is complete, click on My Computer under the green Scan bar to the left to start the scan.
Once the scan is complete, it will display if your system has been infected. It does not provide an option to clean/disinfect. We only require a report from it.
Do NOT be alarmed by what you see in the report. Many of the finds have likely been quarantined.
Click View scan report at the bottom.
Click the Save Report As... button.
Click the Save as Text button to save the file to your desktop so that you may post it in your next reply.

Note for Internet Explorer 7 users: If at any time you have trouble with the accept button of the licence, click on the Zoom tool located at the right bottom of the IE window and set the zoom to 75 %. Once the license accepted, reset to 100%.

--------------------------

Please provide the following logs with your next post:

C:\ComboFix.txt
Kaspersky Report

Also include an update on how your system is running

rswanson25 · 03-31-2009, 03:21 PM

Here are the logs. As to how the system is running: it is a lot better!! I've noticed graphics are missing on emails and on McAfee's security control center. Any help with that would be appreciated. Thanks. Bob
ComboFix 09-03-30.04 - Bob Swanson 2009-03-31 14:21:32.3 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.3582.3016 [GMT -4:00]
Running from: c:\documents and settings\Bob Swanson\Desktop\ComboFix.exe
Command switches used :: c:\documents and settings\Bob Swanson\Desktop\CFScript.txt
AV: McAfee VirusScan *On-access scanning disabled* (Updated)
FW: McAfee Personal Firewall *disabled*
* Created a new restore point
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\dmsiacq.exe
C:\liymwuq.exe
c:\windows\aqovimov.dll
c:\windows\instsp2.exe

.
((((((((((((((((((((((((( Files Created from 2009-02-28 to 2009-03-31 )))))))))))))))))))))))))))))))
.

2009-03-31 14:05 . 2009-03-31 14:04 73,728 --a------ c:\windows\system32\javacpl.cpl
2009-03-31 13:15 . 2009-03-31 13:18 <DIR> d-------- c:\documents and settings\Bob Swanson\.SunDownloadManager
2009-03-29 20:02 . 2009-03-29 20:02 <DIR> d-------- C:\Surf
2009-03-27 17:15 . 2004-08-04 06:00 4,224 --a------ c:\windows\system32\drivers\OLD142.tmp
2009-03-27 17:14 . 2009-03-27 17:17 2 --a------ C:\1155482156
2009-03-19 07:54 . 2009-03-19 07:55 <DIR> d-------- c:\program files\iTunes
2009-03-19 07:54 . 2009-03-19 07:54 <DIR> d-------- c:\program files\iPod
2009-03-19 07:54 . 2009-03-19 07:55 <DIR> d-------- c:\documents and settings\All Users\Application Data\{00D89592-F643-4D8D-8F0F-AFAE0F14D4C3}
2009-03-19 07:51 . 2009-03-19 07:51 <DIR> d-------- c:\program files\QuickTime
2009-03-19 07:49 . 2009-03-05 23:59 1,900,544 --a------ c:\windows\system32\usbaaplrc.dll
2009-03-12 06:39 . 2009-03-12 06:39 <DIR> d-------- c:\documents and settings\LocalService\Application Data\McAfee

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-03-31 18:04 410,984 ----a-w c:\windows\system32\deploytk.dll
2009-03-31 17:53 --------- d-----w c:\program files\CyberPower PowerPanel Personal Edition
2009-03-31 17:50 --------- d-----w c:\program files\Rhapsody
2009-03-31 17:49 --------- d-----w c:\documents and settings\All Users\Application Data\Yahoo
2009-03-31 17:48 --------- d-----w c:\program files\Yahoo!
2009-03-31 17:45 --------- d-----w c:\program files\Java
2009-03-19 11:54 --------- d-----w c:\program files\Common Files\Apple
2009-03-19 11:53 --------- d-----w c:\program files\Bonjour
2009-03-06 03:59 36,864 ----a-w c:\windows\system32\drivers\usbaapl.sys
2009-02-27 11:34 --------- d-----w c:\program files\Microsoft Silverlight
2009-02-26 20:27 --------- d-----w c:\documents and settings\Bob Swanson\Application Data\U3
2009-02-12 14:04 --------- d-----w c:\program files\Quicken
2009-02-11 02:47 --------- d-----w c:\program files\Google
2009-02-09 11:13 1,846,784 ----a-w c:\windows\system32\win32k.sys
2009-02-09 11:13 1,846,784 ------w c:\windows\system32\dllcache\win32k.sys
2009-01-29 01:01 --------- d-----w c:\documents and settings\Linda Swanson\Application Data\Move Networks
2009-01-17 02:35 3,594,752 ------w c:\windows\system32\dllcache\mshtml.dll
2008-12-19 09:10 70,656 ------w c:\windows\system32\dllcache\ie4uinit.exe
2008-12-19 09:10 13,824 ------w c:\windows\system32\dllcache\ieudinit.exe
2008-12-19 05:25 634,024 ------w c:\windows\system32\dllcache\iexplore.exe
2008-12-19 05:23 161,792 ------w c:\windows\system32\dllcache\ieakui.dll
2008-12-12 15:18 87,336 ----a-w c:\windows\system32\dns-sd.exe
2008-12-12 15:11 61,440 ----a-w c:\windows\system32\dnssd.dll
2008-12-12 00:58 35,624 ----a-w c:\documents and settings\Emily Swanson\Application Data\GDIPFONTCACHEV1.DAT
2008-12-11 10:57 333,952 ------w c:\windows\system32\dllcache\srv.sys
2008-12-05 06:54 144,896 ----a-w c:\windows\system32\schannel.dll
2008-12-05 06:54 144,896 ------w c:\windows\system32\dllcache\schannel.dll
2008-11-04 15:16 35,624 ----a-w c:\documents and settings\Linda Swanson\Application Data\GDIPFONTCACHEV1.DAT
2008-11-04 14:12 35,624 ----a-w c:\documents and settings\Bob Swanson\Application Data\GDIPFONTCACHEV1.DAT
2008-10-09 20:12 31,736 ----a-w c:\documents and settings\Michael Swanson\Application Data\GDIPFONTCACHEV1.DAT
2008-05-11 23:00 20 ---h--w c:\documents and settings\All Users\Application Data\PKP_DLec.DAT
2007-10-18 20:23 1,762,304 ----a-w c:\documents and settings\Michael Swanson\ClearN7_1.exe
2007-10-18 19:27 1,394,568 ----a-w c:\documents and settings\Michael Swanson\install_easyshare.exe
2007-05-31 01:01 190,064 ----a-w c:\documents and settings\Michael Swanson\Morpheus.exe
2006-01-06 19:42 127,968 ----a-w c:\program files\Re
2008-09-10 20:11 32,768 --sha-w c:\windows\system32\config\systemprofile\Local Settings\History\History.IE5\MSHist012008091020080911\index.dat
.

((((((((((((((((((((((((((((( SnapShot@2009-03-30_10.57.20.20 )))))))))))))))))))))))))))))))))))))))))
.
- 2009-03-30 10:46:08 32,768 -c--a-w c:\windows\system32\config\systemprofile\Cookies\index.dat
+ 2009-03-31 15:01:29 32,768 -c--a-w c:\windows\system32\config\systemprofile\Cookies\index.dat
- 2009-03-30 10:46:08 32,768 -c--a-w c:\windows\system32\config\systemprofile\Local Settings\History\History.IE5\index.dat
+ 2009-03-31 15:01:29 32,768 -c--a-w c:\windows\system32\config\systemprofile\Local Settings\History\History.IE5\index.dat
+ 2009-03-31 15:01:29 32,768 --sha-w c:\windows\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\index.dat
- 2009-03-27 21:15:37 104,960 ----a-w c:\windows\system32\dllcache\userinit.exe
+ 2004-08-04 10:00:00 24,576 ----a-w c:\windows\system32\dllcache\userinit.exe
- 2009-03-19 12:23:58 144,792 ----a-w c:\windows\system32\java.exe
+ 2009-03-31 18:04:58 144,792 ----a-w c:\windows\system32\java.exe
- 2009-03-19 12:23:59 144,792 ----a-w c:\windows\system32\javaw.exe
+ 2009-03-31 18:04:58 144,792 ----a-w c:\windows\system32\javaw.exe
- 2009-03-19 12:23:59 148,888 ----a-w c:\windows\system32\javaws.exe
+ 2009-03-31 18:04:58 148,888 ----a-w c:\windows\system32\javaws.exe
+ 2009-02-25 16:55:00 24,768,960 ----a-w c:\windows\system32\MRT.exe
- 2009-03-27 21:15:37 104,960 ----a-w c:\windows\system32\userinit.exe
+ 2004-08-04 10:00:00 24,576 ----a-w c:\windows\system32\userinit.exe
+ 2009-03-31 17:53:45 16,384 ----atw c:\windows\Temp\Perflib_Perfdata_6ac.dat
+ 2009-03-31 18:05:20 16,384 ----atw c:\windows\Temp\Perflib_Perfdata_c5c.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\Carbonite.Green]
@="{95A27763-F62A-4114-9072-E81D87DE3B68}"
[HKEY_CLASSES_ROOT\CLSID\{95A27763-F62A-4114-9072-E81D87DE3B68}]
2009-01-09 16:13 583312 -ra------ c:\program files\Carbonite\Carbonite Backup\CarboniteNSE.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\Carbonite.Partial]
@="{E300CD91-100F-4E67-9AF3-1384A6124015}"
[HKEY_CLASSES_ROOT\CLSID\{E300CD91-100F-4E67-9AF3-1384A6124015}]
2009-01-09 16:13 583312 -ra------ c:\program files\Carbonite\Carbonite Backup\CarboniteNSE.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\Carbonite.Yellow]
@="{5E529433-B50E-4bef-A63B-16A6B71B071A}"
[HKEY_CLASSES_ROOT\CLSID\{5E529433-B50E-4bef-A63B-16A6B71B071A}]
2009-01-09 16:13 583312 -ra------ c:\program files\Carbonite\Carbonite Backup\CarboniteNSE.dll

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"DellSupport"="c:\program files\DellSupport\DSAgnt.exe" [2007-03-15 460784]
"MSMSGS"="c:\program files\Messenger\msmsgs.exe" [2008-04-13 1695232]
"DellSupportCenter"="c:\program files\Dell Support Center\bin\sprtcmd.exe" [2008-08-13 206064]
"PowerPanel Personal Edition User Interaction"="c:\program files\CyberPower PowerPanel Personal Edition\pppeuser.exe" [2007-12-07 315392]
"WMPNSCFG"="c:\program files\Windows Media Player\WMPNSCFG.exe" [2006-10-18 204288]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"IAAnotif"="c:\program files\Intel\Intel Matrix Storage Manager\iaanotif.exe" [2005-04-25 139264]
"ATIPTA"="c:\program files\ATI Technologies\ATI Control Panel\atiptaxx.exe" [2004-08-25 339968]
"IntelMeM"="c:\program files\Intel\Modem Event Monitor\IntelMEM.exe" [2003-09-03 221184]
"DVDLauncher"="c:\program files\CyberLink\PowerDVD\DVDLauncher.exe" [2005-02-23 53248]
"ISUSPM Startup"="c:\progra~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe" [2004-07-27 221184]
"ISUSScheduler"="c:\program files\Common Files\InstallShield\UpdateService\issch.exe" [2004-07-27 81920]
"HPDJ Taskbar Utility"="c:\windows\system32\spool\drivers\w32x86\3\hpztsb07.exe" [2002-11-22 188416]
"dla"="c:\windows\system32\dla\tfswctrl.exe" [2004-03-15 122933]
"dscactivate"="c:\program files\Dell Support Center\gs_agent\custom\dsca.exe" [2007-11-15 16384]
"TkBellExe"="c:\program files\Common Files\Real\Update_OB\realsched.exe" [2008-03-28 185896]
"Error Nuker"="c:\program files\Error Nuker\bin\ErrorNuker.exe" [2005-01-17 3002368]
"DellSupportCenter"="c:\program files\Dell Support Center\bin\sprtcmd.exe" [2008-08-13 206064]
"masqform.exe"="c:\program files\PureEdge\Viewer 6.5\masqform.exe" [2005-07-04 643072]
"mcagent_exe"="c:\program files\McAfee.com\Agent\mcagent.exe" [2007-11-01 582992]
"HPHmon04"="c:\windows\system32\hphmon04.exe" [2002-11-22 348160]
"HPHUPD04"="c:\program files\HP Photosmart 11\hphinstall\UniPatch\hphupd04.exe" [2002-11-22 49152]
"Share-to-Web Namespace Daemon"="c:\program files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe" [2002-04-17 69632]
"McAfee Backup"="c:\program files\McAfee\MBK\McAfeeDataBackup.exe" [2007-01-16 4838952]
"MBkLogOnHook"="c:\program files\McAfee\MBK\LogOnHook.exe" [2007-01-08 20480]
"Carbonite Backup"="c:\program files\Carbonite\Carbonite Backup\CarboniteUI.exe" [2009-01-09 669840]
"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2009-01-05 413696]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2009-03-12 342312]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2009-03-31 148888]
"SigmatelSysTrayApp"="stsystra.exe" [2005-03-23 c:\windows\stsystra.exe]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
Adobe Reader Speed Launch.lnk - c:\program files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2008-04-23 29696]
Microsoft Office.lnk - c:\program files\Microsoft Office\Office10\OSA.EXE [2001-02-13 83360]
NkbMonitor.exe.lnk - c:\program files\Nikon\PictureProject\NkbMonitor.exe [2008-03-20 118784]

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusDisableNotify"=dword:00000001
"UpdatesDisableNotify"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Common Files\\McAfee\\MNA\\McNASvc.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\\Program Files\\Error Nuker\\bin\\ErrorNuker.exe"=
"c:\\Program Files\\Microsoft Office\\Office10\\OUTLOOK.EXE"=
"c:\\WINDOWS\\system32\\vssvc.exe"=
"c:\\WINDOWS\\system32\\dllhost.exe"=
"c:\\WINDOWS\\system32\\hphmon04.exe"=
"c:\\WINDOWS\\system32\\imapi.exe"=
"c:\\WINDOWS\\stsystra.exe"=
"c:\\Program Files\\Intel\\Modem Event Monitor\\IntelMEM.exe"=

R2 IntuitUpdateService;Intuit Update Service;c:\program files\Common Files\Intuit\Update Service\IntuitUpdateService.exe [2008-10-10 13088]
S1 7b54a0e9;7b54a0e9;c:\windows\system32\drivers\7b54a0e9.sys --> c:\windows\system32\drivers\7b54a0e9.sys [?]
S2 gupdate1c9878ec79c3ec2;Google Update Service (gupdate1c9878ec79c3ec2);c:\program files\Google\Update\GoogleUpdate.exe [2009-02-05 133104]
S3 w300mgmt;Sony Ericsson W300 USB WMC Device Management Drivers (WDM);c:\windows\system32\drivers\w300mgmt.sys [2005-12-28 87824]
S3 w300obex;Sony Ericsson W300 USB WMC OBEX Interface;c:\windows\system32\drivers\w300obex.sys [2005-12-28 85696]

--- Other Services/Drivers In Memory ---

*NewlyCreated* - JAVAQUICKSTARTERSERVICE

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{f9bb3ff6-ab43-11dd-b6ec-00123f6f9cbf}]
\shell\autorun\command - g:\windows\IronKey.exe
.
Contents of the 'Scheduled Tasks' folder

2009-03-30 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 12:34]

2009-03-26 c:\windows\Tasks\HP Usg Daily.job
- c:\program files\hp photosmart 11\printer\Hphusg04.exe [2002-11-22 15:50]

2009-03-25 c:\windows\Tasks\Java Update.job
- c:\program files\Java\jre1.6.0_05\bin\jucheck.exe []

2008-10-15 c:\windows\Tasks\McDefragTask.job
- c:\progra~1\mcafee\mqc\QcConsol.exe [2007-12-04 13:32]

2009-03-01 c:\windows\Tasks\McQcTask.job
- c:\progra~1\mcafee\mqc\QcConsol.exe [2007-12-04 13:32]
.
- - - - ORPHANS REMOVED - - - -

HKLM-Run-Jtezewu - c:\windows\aqovimov.dll

.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.refdesk.com/
uInternet Settings,ProxyOverride = *.local
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~4\Office10\EXCEL.EXE/3000
Trusted Zone: internet
Trusted Zone: mcafee.com
Trusted Zone: turbotax.com
DPF: {15589FA1-C456-11CE-BF01-000000000000} - hxxp://www.errornuker.com/products/errn2004/installers/default/ErrorNukerInstaller.exe
DPF: {6D2EF4B4-CB62-4C0B-85F3-B79C236D702C} - hxxp://www.facebook.com/controls/contactx.dll
FF - ProfilePath - c:\documents and settings\Bob Swanson\Application Data\Mozilla\Firefox\Profiles\bdw5udla.default\
FF - prefs.js: browser.startup.homepage - hxxp://www.refdesk.com/
FF - plugin: c:\program files\eMusic Download Manager\plugin\npemusic.dll
FF - plugin: c:\program files\Google\Update\1.2.141.5\npGoogleOneClick7.dll
FF - plugin: c:\program files\Viewpoint\Viewpoint Experience Technology\npViewpoint.dll
.

**************************************************************************

catchme 0.3.1375 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-03-31 14:24:58
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

HKLM\Software\Microsoft\Windows\CurrentVersion\Run
McAfee Backup = c:\program files\McAfee\MBK\McAfeeDataBackup.exe?????????????????????????????????????????????????????????????????????????????????

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_USERS\S-1-5-21-1109410338-2750378667-2462934570-1006\Software\Microsoft\SystemCertificates\AddressBook*]
@Allowed: (Read) (RestrictedCode)
@Allowed: (Read) (RestrictedCode)
.
Completion time: 2009-03-31 14:26:56
ComboFix-quarantined-files.txt 2009-03-31 18:26:34
ComboFix2.txt 2009-03-30 23:59:30
ComboFix3.txt 2009-03-30 14:59:24

Pre-Run: 68,994,859,008 bytes free
Post-Run: 69,082,222,592 bytes free

229 --- E O F --- 2009-03-14 04:35:41
_____________________
--------------------------------------------------------------------------------
KASPERSKY ONLINE SCANNER 7 REPORT
Tuesday, March 31, 2009
Operating System: Microsoft Windows XP Home Edition Service Pack 3 (build 2600)
Kaspersky Online Scanner 7 version: 7.0.25.0
Program database last update: Tuesday, March 31, 2009 20:43:33
Records in database: 1990208
--------------------------------------------------------------------------------

Scan settings:
Scan using the following database: extended
Scan archives: yes
Scan mail databases: yes

Scan area - My Computer:
C:\
D:\
E:\
F:\

Scan statistics:
Files scanned: 150445
Threat name: 6
Infected objects: 9
Suspicious objects: 8
Duration of the scan: 02:26:03

File name / Threat name / Threats count
C:\Documents and Settings\All Users\Documents\Addresses\email addresses\Outlook.pst Suspicious: Exploit.HTML.Iframe.FileDownload 4
C:\Documents and Settings\All Users\Documents\Addresses\email addresses\Outlook.pst Infected: Email-Worm.Win32.Klez.h 2
C:\Documents and Settings\All Users\Documents\Addresses\email addresses\Outlook2.pst Suspicious: Exploit.HTML.Iframe.FileDownload 4
C:\Documents and Settings\All Users\Documents\Addresses\email addresses\Outlook2.pst Infected: Email-Worm.Win32.Klez.h 2
C:\Documents and Settings\Linda Swanson\Application Data\Sun\Java\Deployment\cache\6.0\36\710cee4-2ad372f8 Infected: Trojan-Downloader.Java.OpenConnection.ar 1
C:\Qoobox\Quarantine\C\DOCUME~1\BOBSWA~1\LOCALS~1\Temp\mousehook.dll.vir Infected: Trojan-Downloader.Win32.Agent.bphc 1
C:\Qoobox\Quarantine\C\WINDOWS\system32\nhser43uhjnefr.dll.vir Infected: Trojan-Downloader.Win32.Small.ajst 1
C:\Qoobox\Quarantine\C\WINDOWS\system32\ntdll64.exe.vir Infected: Trojan-Dropper.Win32.Agent.akxv 1
C:\Qoobox\Quarantine\C\WINDOWS\system32\userinit.exe.vir Infected: Trojan-Dropper.Win32.Agent.akxv 1

The selected area was scanned.

Clark76 · 03-31-2009, 04:22 PM

Please submit the following file to Jotti File Scan

c:\windows\system32\drivers\7b54a0e9.sys

At the top of the window you should see "File to Upload & Scan" and a blank box. Copy and paste the red text from above into the box. Then click "submit".

When it is finished, please copy and paste the information listed under "Service" and "Scanner Results" back in this thread.

If the site is too busy, upload it here http://www.virustotal.com/en/indexf.html

rswanson25 · 04-01-2009, 05:30 AM

Both sites gave a message that the file was not found. I looked in the drivers folder and could not find it either.

Clark76 · 04-01-2009, 04:12 PM

One of the scanners we ran was not sure if the file was still there so we were just making sure.

---------------

1. Close any open browsers.

2. Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.

3. Open notepad and copy/paste the text in the codebox below into it:

Code:

Driver::
7b54a0e9

Save this as "CFScript"

Refering to the picture above, drag CFScript into ComboFix.exe
Then post the resultant log

Note:
Do not mouseclick combofix's window while it's running. That may cause it to stall

-------------------------

In Outlook empty your deleted items folder and your junk mail folder.

--------------------------

Go into the Control Panel and double-click the Java Icon. (looks like a coffee cup)

On the General tab, under Temporary Internet Files, click the Settings button.
Next, click on the Delete Files button
There are two options in the window to clear the cache - Leave BOTH Checked
- Applications and Applets
  Trace and Log Files
Click OK on Delete Temporary Files Window
Note: This deletes ALL the Downloaded Applications and Applets from the CACHE.
Click OK to leave the Temporary Files Window
Click OK to leave the Java Control Panel.

-----------------------------

Please download Malwarebytes' Anti-Malware from Here or Here

Double Click mbam-setup.exe to install the application.

Make sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.
If an update is found, it will download and install the latest version.
Once the program has loaded, select "Perform Quick Scan", then click Scan.
The scan may take some time to finish,so please be patient.
When the scan is complete, click OK, then Show Results to view the results.
Make sure that everything is checked, and click Remove Selected.
When disinfection is completed, a log will open in Notepad and you may be prompted to Restart.(See Extra Note)
The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
Copy&Paste the entire report in your next reply.

--------------------------

Please provide the following logs with your next post:

C:\ComboFix.txt
Malwarebytes' Anti-Malware log

rswanson25 · 04-01-2009, 06:19 PM

The logs are displayed below. I tried to turn on automatic updates for windows and was unable. I tried services.msc and when I attempted to change automatic updates from disabled to automatic or manual an error screen popped when I pressed apply, that stated access was denied. Same message happened when I attempted to change BITS. On McAfee, I still do not have graphics. On Outlook (2002) graphics do not display unless you forward the email and then they display. I appreciate your help. Bob

ComboFix 09-04-01.01 - Bob Swanson 2009-04-01 19:20:41.4 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.3582.2815 [GMT -4:00]
Running from: c:\documents and settings\Bob Swanson\Desktop\ComboFix.exe
Command switches used :: c:\documents and settings\Bob Swanson\Desktop\CFScript.txt
AV: McAfee VirusScan *On-access scanning disabled* (Updated)
FW: McAfee Personal Firewall *disabled*
* Created a new restore point
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Service_7b54a0e9

((((((((((((((((((((((((( Files Created from 2009-03-01 to 2009-04-01 )))))))))))))))))))))))))))))))
.

2009-03-31 14:05 . 2009-03-31 14:04 73,728 --a------ c:\windows\system32\javacpl.cpl
2009-03-31 13:15 . 2009-03-31 13:18 <DIR> d-------- c:\documents and settings\Bob Swanson\.SunDownloadManager
2009-03-29 20:02 . 2009-03-29 20:02 <DIR> d-------- C:\Surf
2009-03-27 17:15 . 2004-08-04 06:00 4,224 --a------ c:\windows\system32\drivers\OLD142.tmp
2009-03-27 17:14 . 2009-03-27 17:17 2 --a------ C:\1155482156
2009-03-19 07:54 . 2009-03-19 07:55 <DIR> d-------- c:\program files\iTunes
2009-03-19 07:54 . 2009-03-19 07:54 <DIR> d-------- c:\program files\iPod
2009-03-19 07:54 . 2009-03-19 07:55 <DIR> d-------- c:\documents and settings\All Users\Application Data\{00D89592-F643-4D8D-8F0F-AFAE0F14D4C3}
2009-03-19 07:51 . 2009-03-19 07:51 <DIR> d-------- c:\program files\QuickTime
2009-03-19 07:49 . 2009-03-05 23:59 1,900,544 --a------ c:\windows\system32\usbaaplrc.dll
2009-03-12 06:39 . 2009-03-12 06:39 <DIR> d-------- c:\documents and settings\LocalService\Application Data\McAfee

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-04-01 23:24 --------- d-----w c:\program files\CyberPower PowerPanel Personal Edition
2009-03-31 17:50 --------- d-----w c:\program files\Rhapsody
2009-03-31 17:49 --------- d-----w c:\documents and settings\All Users\Application Data\Yahoo
2009-03-31 17:48 --------- d-----w c:\program files\Yahoo!
2009-03-31 17:45 --------- d-----w c:\program files\Java
2009-03-19 11:54 --------- d-----w c:\program files\Common Files\Apple
2009-03-19 11:53 --------- d-----w c:\program files\Bonjour
2009-03-06 03:59 36,864 ----a-w c:\windows\system32\drivers\usbaapl.sys
2009-02-27 11:34 --------- d-----w c:\program files\Microsoft Silverlight
2009-02-26 20:27 --------- d-----w c:\documents and settings\Bob Swanson\Application Data\U3
2009-02-12 14:04 --------- d-----w c:\program files\Quicken
2009-02-11 02:47 --------- d-----w c:\program files\Google
2008-12-12 00:58 35,624 ----a-w c:\documents and settings\Emily Swanson\Application Data\GDIPFONTCACHEV1.DAT
2008-11-04 15:16 35,624 ----a-w c:\documents and settings\Linda Swanson\Application Data\GDIPFONTCACHEV1.DAT
2008-11-04 14:12 35,624 ----a-w c:\documents and settings\Bob Swanson\Application Data\GDIPFONTCACHEV1.DAT
2008-10-09 20:12 31,736 ----a-w c:\documents and settings\Michael Swanson\Application Data\GDIPFONTCACHEV1.DAT
2008-05-11 23:00 20 ---h--w c:\documents and settings\All Users\Application Data\PKP_DLec.DAT
2007-10-18 20:23 1,762,304 ----a-w c:\documents and settings\Michael Swanson\ClearN7_1.exe
2007-10-18 19:27 1,394,568 ----a-w c:\documents and settings\Michael Swanson\install_easyshare.exe
2007-05-31 01:01 190,064 ----a-w c:\documents and settings\Michael Swanson\Morpheus.exe
2006-01-06 19:42 127,968 ----a-w c:\program files\Re
2008-09-10 20:11 32,768 --sha-w c:\windows\system32\config\systemprofile\Local Settings\History\History.IE5\MSHist012008091020080911\index.dat
.

((((((((((((((((((((((((((((( SnapShot@2009-03-30_10.57.20.20 )))))))))))))))))))))))))))))))))))))))))
.
- 2009-03-30 10:46:08 32,768 -c--a-w c:\windows\system32\config\systemprofile\Cookies\index.dat
+ 2009-04-01 19:12:12 32,768 -c--a-w c:\windows\system32\config\systemprofile\Cookies\index.dat
- 2009-03-30 10:46:08 32,768 -c--a-w c:\windows\system32\config\systemprofile\Local Settings\History\History.IE5\index.dat
+ 2009-04-01 19:12:12 32,768 -c--a-w c:\windows\system32\config\systemprofile\Local Settings\History\History.IE5\index.dat
- 2009-03-19 12:23:58 410,984 ----a-w c:\windows\system32\deploytk.dll
+ 2009-03-31 18:04:57 410,984 ----a-w c:\windows\system32\deploytk.dll
- 2009-03-27 21:15:37 104,960 ----a-w c:\windows\system32\dllcache\userinit.exe
+ 2004-08-04 10:00:00 24,576 ----a-w c:\windows\system32\dllcache\userinit.exe
- 2009-03-19 12:23:58 144,792 ----a-w c:\windows\system32\java.exe
+ 2009-03-31 18:04:58 144,792 ----a-w c:\windows\system32\java.exe
- 2009-03-19 12:23:59 144,792 ----a-w c:\windows\system32\javaw.exe
+ 2009-03-31 18:04:58 144,792 ----a-w c:\windows\system32\javaw.exe
- 2009-03-19 12:23:59 148,888 ----a-w c:\windows\system32\javaws.exe
+ 2009-03-31 18:04:58 148,888 ----a-w c:\windows\system32\javaws.exe
+ 2009-02-25 16:55:00 24,768,960 ----a-w c:\windows\system32\MRT.exe
- 2009-03-27 21:15:37 104,960 ----a-w c:\windows\system32\userinit.exe
+ 2004-08-04 10:00:00 24,576 ----a-w c:\windows\system32\userinit.exe
+ 2009-04-01 23:24:46 16,384 ----atw c:\windows\Temp\Perflib_Perfdata_6b4.dat
+ 2009-04-01 23:24:16 16,384 ----atw c:\windows\Temp\Perflib_Perfdata_e8.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\Carbonite.Green]
@="{95A27763-F62A-4114-9072-E81D87DE3B68}"
[HKEY_CLASSES_ROOT\CLSID\{95A27763-F62A-4114-9072-E81D87DE3B68}]
2009-01-09 16:13 583312 -ra------ c:\program files\Carbonite\Carbonite Backup\CarboniteNSE.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\Carbonite.Partial]
@="{E300CD91-100F-4E67-9AF3-1384A6124015}"
[HKEY_CLASSES_ROOT\CLSID\{E300CD91-100F-4E67-9AF3-1384A6124015}]
2009-01-09 16:13 583312 -ra------ c:\program files\Carbonite\Carbonite Backup\CarboniteNSE.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\Carbonite.Yellow]
@="{5E529433-B50E-4bef-A63B-16A6B71B071A}"
[HKEY_CLASSES_ROOT\CLSID\{5E529433-B50E-4bef-A63B-16A6B71B071A}]
2009-01-09 16:13 583312 -ra------ c:\program files\Carbonite\Carbonite Backup\CarboniteNSE.dll

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"DellSupport"="c:\program files\DellSupport\DSAgnt.exe" [2007-03-15 460784]
"MSMSGS"="c:\program files\Messenger\msmsgs.exe" [2008-04-13 1695232]
"DellSupportCenter"="c:\program files\Dell Support Center\bin\sprtcmd.exe" [2008-08-13 206064]
"PowerPanel Personal Edition User Interaction"="c:\program files\CyberPower PowerPanel Personal Edition\pppeuser.exe" [2007-12-07 315392]
"WMPNSCFG"="c:\program files\Windows Media Player\WMPNSCFG.exe" [2006-10-18 204288]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"IAAnotif"="c:\program files\Intel\Intel Matrix Storage Manager\iaanotif.exe" [2005-04-25 139264]
"ATIPTA"="c:\program files\ATI Technologies\ATI Control Panel\atiptaxx.exe" [2004-08-25 339968]
"IntelMeM"="c:\program files\Intel\Modem Event Monitor\IntelMEM.exe" [2003-09-03 221184]
"DVDLauncher"="c:\program files\CyberLink\PowerDVD\DVDLauncher.exe" [2005-02-23 53248]
"ISUSPM Startup"="c:\progra~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe" [2004-07-27 221184]
"ISUSScheduler"="c:\program files\Common Files\InstallShield\UpdateService\issch.exe" [2004-07-27 81920]
"HPDJ Taskbar Utility"="c:\windows\system32\spool\drivers\w32x86\3\hpztsb07.exe" [2002-11-22 188416]
"dla"="c:\windows\system32\dla\tfswctrl.exe" [2004-03-15 122933]
"dscactivate"="c:\program files\Dell Support Center\gs_agent\custom\dsca.exe" [2007-11-15 16384]
"TkBellExe"="c:\program files\Common Files\Real\Update_OB\realsched.exe" [2008-03-28 185896]
"Error Nuker"="c:\program files\Error Nuker\bin\ErrorNuker.exe" [2005-01-17 3002368]
"DellSupportCenter"="c:\program files\Dell Support Center\bin\sprtcmd.exe" [2008-08-13 206064]
"masqform.exe"="c:\program files\PureEdge\Viewer 6.5\masqform.exe" [2005-07-04 643072]
"mcagent_exe"="c:\program files\McAfee.com\Agent\mcagent.exe" [2007-11-01 582992]
"HPHmon04"="c:\windows\system32\hphmon04.exe" [2002-11-22 348160]
"HPHUPD04"="c:\program files\HP Photosmart 11\hphinstall\UniPatch\hphupd04.exe" [2002-11-22 49152]
"Share-to-Web Namespace Daemon"="c:\program files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe" [2002-04-17 69632]
"McAfee Backup"="c:\program files\McAfee\MBK\McAfeeDataBackup.exe" [2007-01-16 4838952]
"MBkLogOnHook"="c:\program files\McAfee\MBK\LogOnHook.exe" [2007-01-08 20480]
"Carbonite Backup"="c:\program files\Carbonite\Carbonite Backup\CarboniteUI.exe" [2009-01-09 669840]
"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2009-01-05 413696]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2009-03-12 342312]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2009-03-31 148888]
"SigmatelSysTrayApp"="stsystra.exe" [2005-03-23 c:\windows\stsystra.exe]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
Adobe Reader Speed Launch.lnk - c:\program files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2008-04-23 29696]
Microsoft Office.lnk - c:\program files\Microsoft Office\Office10\OSA.EXE [2001-02-13 83360]
NkbMonitor.exe.lnk - c:\program files\Nikon\PictureProject\NkbMonitor.exe [2008-03-20 118784]

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusDisableNotify"=dword:00000001
"UpdatesDisableNotify"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Common Files\\McAfee\\MNA\\McNASvc.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\\Program Files\\Error Nuker\\bin\\ErrorNuker.exe"=
"c:\\Program Files\\Microsoft Office\\Office10\\OUTLOOK.EXE"=
"c:\\WINDOWS\\system32\\vssvc.exe"=
"c:\\WINDOWS\\system32\\dllhost.exe"=
"c:\\WINDOWS\\system32\\hphmon04.exe"=
"c:\\WINDOWS\\system32\\imapi.exe"=
"c:\\WINDOWS\\stsystra.exe"=
"c:\\Program Files\\Intel\\Modem Event Monitor\\IntelMEM.exe"=

R2 IntuitUpdateService;Intuit Update Service;c:\program files\Common Files\Intuit\Update Service\IntuitUpdateService.exe [2008-10-10 13088]
S2 gupdate1c9878ec79c3ec2;Google Update Service (gupdate1c9878ec79c3ec2);c:\program files\Google\Update\GoogleUpdate.exe [2009-02-05 133104]
S3 w300mgmt;Sony Ericsson W300 USB WMC Device Management Drivers (WDM);c:\windows\system32\drivers\w300mgmt.sys [2005-12-28 87824]
S3 w300obex;Sony Ericsson W300 USB WMC OBEX Interface;c:\windows\system32\drivers\w300obex.sys [2005-12-28 85696]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{f9bb3ff6-ab43-11dd-b6ec-00123f6f9cbf}]
\Shell\AutoRun\command - g:\windows\IronKey.exe
.
Contents of the 'Scheduled Tasks' folder

2009-03-30 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 12:34]

2009-03-26 c:\windows\Tasks\HP Usg Daily.job
- c:\program files\hp photosmart 11\printer\Hphusg04.exe [2002-11-22 15:50]

2009-03-25 c:\windows\Tasks\Java Update.job
- c:\program files\Java\jre1.6.0_05\bin\jucheck.exe []

2008-10-15 c:\windows\Tasks\McDefragTask.job
- c:\progra~1\mcafee\mqc\QcConsol.exe [2007-12-04 13:32]

2009-03-01 c:\windows\Tasks\McQcTask.job
- c:\progra~1\mcafee\mqc\QcConsol.exe [2007-12-04 13:32]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.refdesk.com/
uInternet Settings,ProxyOverride = *.local
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~4\Office10\EXCEL.EXE/3000
Trusted Zone: internet
Trusted Zone: mcafee.com
Trusted Zone: turbotax.com
DPF: {15589FA1-C456-11CE-BF01-000000000000} - hxxp://www.errornuker.com/products/errn2004/installers/default/ErrorNukerInstaller.exe
DPF: {6D2EF4B4-CB62-4C0B-85F3-B79C236D702C} - hxxp://www.facebook.com/controls/contactx.dll
FF - ProfilePath - c:\documents and settings\Bob Swanson\Application Data\Mozilla\Firefox\Profiles\bdw5udla.default\
FF - prefs.js: browser.startup.homepage - hxxp://www.refdesk.com/
FF - plugin: c:\program files\eMusic Download Manager\plugin\npemusic.dll
FF - plugin: c:\program files\Google\Update\1.2.141.5\npGoogleOneClick7.dll
FF - plugin: c:\program files\Viewpoint\Viewpoint Experience Technology\npViewpoint.dll
.

**************************************************************************

catchme 0.3.1375 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-04-01 19:27:20
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

HKLM\Software\Microsoft\Windows\CurrentVersion\Run
McAfee Backup = c:\program files\McAfee\MBK\McAfeeDataBackup.exe?????????????????????????????????????????????????????????????????????????????????

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_USERS\S-1-5-21-1109410338-2750378667-2462934570-1006\Software\Microsoft\SystemCertificates\AddressBook*]
@Allowed: (Read) (RestrictedCode)
@Allowed: (Read) (RestrictedCode)
.
------------------------ Other Running Processes ------------------------
.
c:\windows\system32\ati2evxx.exe
c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
c:\program files\Bonjour\mDNSResponder.exe
c:\program files\Carbonite\Carbonite Backup\CarboniteService.exe
c:\program files\Intel\Intel Matrix Storage Manager\IAANTMon.exe
c:\program files\Java\jre6\bin\jqs.exe
c:\program files\McAfee\MBK\MBackMonitor.exe
c:\progra~1\McAfee\MSC\mcmscsvc.exe
c:\progra~1\COMMON~1\McAfee\MNA\McNASvc.exe
c:\progra~1\COMMON~1\McAfee\McProxy\McProxy.exe
c:\progra~1\McAfee\VIRUSS~1\Mcshield.exe
c:\program files\McAfee\MPF\MpfSrv.exe
c:\program files\CyberPower PowerPanel Personal Edition\ppped.exe
c:\program files\Dell Support Center\bin\sprtsvc.exe
c:\program files\Windows Media Player\wmpnetwk.exe
c:\progra~1\McAfee.com\Agent\mcagent.exe
c:\windows\system32\hphipm11.exe
c:\program files\Hewlett-Packard\HP Share-to-Web\hpgs2wnf.exe
c:\progra~1\McAfee\MSC\mcuimgr.exe
c:\program files\iPod\bin\iPodService.exe
c:\windows\system32\vssvc.exe
c:\windows\system32\dllhost.exe
c:\windows\system32\dllhost.exe
c:\windows\system32\msdtc.exe
.
**************************************************************************
.
Completion time: 2009-04-01 19:36:48 - machine was rebooted
ComboFix-quarantined-files.txt 2009-04-01 23:36:41
ComboFix2.txt 2009-03-31 18:26:57
ComboFix3.txt 2009-03-30 23:59:30
ComboFix4.txt 2009-03-30 14:59:24

Pre-Run: 68,671,373,312 bytes free
Post-Run: 68,918,374,400 bytes free

240 --- E O F --- 2009-03-14 04:35:41
______________________________________

Malwarebytes' Anti-Malware 1.35
Database version: 1931
Windows 5.1.2600 Service Pack 3

4/1/2009 7:51:27 PM
mbam-log-2009-04-01 (19-51-27).txt

Scan type: Quick Scan
Objects scanned: 93203
Time elapsed: 4 minute(s), 1 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 7
Registry Values Infected: 3
Registry Data Items Infected: 2
Folders Infected: 13
Files Infected: 22

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_CLASSES_ROOT\minibugtransporter.minibugtransporterx (Adware.Minibug) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\minibugtransporter.minibugtransporterx.1 (Adware.Minibug) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Interface\{04a38f6b-006f-4247-ba4c-02a139d5531c} (Adware.Minibug) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{70004d5d-3bf6-4d51-43b2-02fc0002cdb5} (Rogue.Errorsafe) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Typelib\{3c2d2a1e-031f-4397-9614-87c932a848e0} (Adware.Minibug) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\error nuker (Rogue.ErrorNuker) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Error Nuker (Rogue.ErrorNuker) -> Quarantined and deleted successfully.

Registry Values Infected:
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\URLSearchHooks\{4d25f926-b9fe-4682-bf72-8ab8210d6d75} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\SharedDLLs\C:\Program Files\Common Files\Real\WeatherBug\MiniBugTransporter.dll (Adware.Minibug) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Error Nuker (Rogue.ErrorNuker) -> Quarantined and deleted successfully.

Registry Data Items Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\AntiVirusDisableNotify (Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\UpdatesDisableNotify (Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.

Folders Infected:
C:\Program Files\MyWaySA (Adware.MyWebSearch) -> Quarantined and deleted successfully.
C:\Program Files\MyWaySA\SrchAsDe (Adware.MyWebSearch) -> Quarantined and deleted successfully.
C:\Program Files\MyWaySA\SrchAsDe\1.bin (Adware.MyWebSearch) -> Quarantined and deleted successfully.
C:\Documents and Settings\All Users\Start Menu\Programs\Error Nuker (Rogue.ErrorNuker) -> Quarantined and deleted successfully.
C:\Program Files\Error Nuker (Rogue.ErrorNuker) -> Quarantined and deleted successfully.
C:\Program Files\Error Nuker\backup (Rogue.ErrorNuker) -> Quarantined and deleted successfully.
C:\Program Files\Error Nuker\bin (Rogue.ErrorNuker) -> Quarantined and deleted successfully.
C:\Program Files\Error Nuker\config (Rogue.ErrorNuker) -> Quarantined and deleted successfully.
C:\Program Files\Error Nuker\doc (Rogue.ErrorNuker) -> Quarantined and deleted successfully.
C:\Program Files\Error Nuker\log (Rogue.ErrorNuker) -> Quarantined and deleted successfully.
C:\Program Files\Error Nuker\log (Rogue.ErrorNuker) -> Files: 888 -> Quarantined and deleted successfully.
C:\Program Files\Error Nuker\res (Rogue.ErrorNuker) -> Quarantined and deleted successfully.
C:\Program Files\Error Nuker\startup_log (Rogue.ErrorNuker) -> Quarantined and deleted successfully.

Files Infected:
C:\Program Files\Common Files\Real\WeatherBug\MiniBugTransporter.dll (Adware.Minibug) -> Quarantined and deleted successfully.
C:\Documents and Settings\All Users\Start Menu\Programs\Error Nuker\Error Nuker.lnk (Rogue.ErrorNuker) -> Quarantined and deleted successfully.
C:\Documents and Settings\All Users\Start Menu\Programs\Error Nuker\Startup Manager.lnk (Rogue.ErrorNuker) -> Quarantined and deleted successfully.
C:\Documents and Settings\All Users\Start Menu\Programs\Error Nuker\Uninstall Error Nuker.lnk (Rogue.ErrorNuker) -> Quarantined and deleted successfully.
C:\Documents and Settings\All Users\Start Menu\Programs\Error Nuker\Web Home.lnk (Rogue.ErrorNuker) -> Quarantined and deleted successfully.
C:\Program Files\Error Nuker\uninstall.exe (Rogue.ErrorNuker) -> Quarantined and deleted successfully.
C:\Program Files\Error Nuker\bin\ErrorNuker.exe (Rogue.ErrorNuker) -> Quarantined and deleted successfully.
C:\Program Files\Error Nuker\bin\StartupManager.exe (Rogue.ErrorNuker) -> Quarantined and deleted successfully.
C:\Program Files\Error Nuker\config\drr_conf.ini (Rogue.ErrorNuker) -> Quarantined and deleted successfully.
C:\Program Files\Error Nuker\config\drr_english.ini (Rogue.ErrorNuker) -> Quarantined and deleted successfully.
C:\Program Files\Error Nuker\config\drr_support.ini (Rogue.ErrorNuker) -> Quarantined and deleted successfully.
C:\Program Files\Error Nuker\doc\errornuker.chm (Rogue.ErrorNuker) -> Quarantined and deleted successfully.
C:\Program Files\Error Nuker\doc\license.rtf (Rogue.ErrorNuker) -> Quarantined and deleted successfully.
C:\Program Files\Error Nuker\doc\readme.txt (Rogue.ErrorNuker) -> Quarantined and deleted successfully.
C:\Program Files\Error Nuker\doc\vssver.scc (Rogue.ErrorNuker) -> Quarantined and deleted successfully.
C:\Program Files\Error Nuker\res\error_nuker.ico (Rogue.ErrorNuker) -> Quarantined and deleted successfully.
C:\Program Files\Error Nuker\res\startup.ico (Rogue.ErrorNuker) -> Quarantined and deleted successfully.
C:\Program Files\Error Nuker\res\uninst.ico (Rogue.ErrorNuker) -> Quarantined and deleted successfully.
C:\Program Files\Error Nuker\res\vssver.scc (Rogue.ErrorNuker) -> Quarantined and deleted successfully.
C:\Program Files\Error Nuker\res\~trash.ico (Rogue.ErrorNuker) -> Quarantined and deleted successfully.
C:\Program Files\Error Nuker\res\~xpinstall.ico (Rogue.ErrorNuker) -> Quarantined and deleted successfully.
C:\Documents and Settings\All Users\Desktop\Error Nuker.lnk (Rogue.ErrorNuker) -> Quarantined and deleted successfully.
____________________________________

Error Nuker was a program I had installed, but I went ahead and deleted it anyway.

Clark76 · 04-01-2009, 07:32 PM

Quote:

I tried to turn on automatic updates for windows and was unable.

Did you try turning on automatic updates after running Malwarebytes or before?

Does it give you an error? If so what was it?

rswanson25 · 04-02-2009, 04:55 AM

Yes, I tried turning on auto updates both before and after Malwarebytes. At startup, I get a message that it is turned off and directed to click the balloon on the quick-start area of the task bar. That takes me to a Security Center popup where I tried to turn it on, but I get a message that the Security Center is unable to turn the service on. When I try Start-Run-services.msc and double click automatic updates, and change "disable" to "automatic" or "manual", when I click on apply I get a message that says "access is denied."

Clark76 · 04-02-2009, 06:28 AM

Let's try dial-a-fix

http://wiki.djlizard.net/Dial-a-fix

Download/save the program and extract to it's own folder.
In the WU/WUAU area click the button Flush SoftwareDistribution (Click Yes)
Tick all boxes in the WU/WUAU and Registration center area then click the Go button.

There is also a Policies area that will show any registry restrictions. Check on that, and fix any found.

rswanson25 · 04-02-2009, 07:43 AM

I ran the dial-a-fix and had some problems. Displayed below is what I just sent to them in an email along with their log:
I am working with tech support forums to get rid of the vundo!grb Trojan. That is complete, but I still have some issues left over and one of them involves “no access” to change the windows update feature to automatic. Here is their link. http://www.techsupportforum.com/secu...ming-back.html This has all of the details of what I’ve been going through.
I ran dial-a-fix and received the following 3 error screens:
1. Error 2147024891 was encountered while trying to unregister C:\WINDOWS\system32\wuaueng.dll. The error text is: Access is denied. Dial-a-fix currently has no suggestions for this error code. Please email dial-a-fix@DjLizard.net with a copy of the log pane and any details you can provide about this error.
2. An error occurred during registration of the file C:\WINDOWS\system32\wuaueng.dll (version 7.2.6001.788). The next dialog will contain an error code and possible suggestions.
3. Error 0x80070005: ‘Access denied’ It is suggested you run ‘Repair Permissions’ which is found in the Tools dialog. Windows XP Home users will need secedit.exe to perform the repair – http://DjLizard.net/software/secedit-sfx.exe

I ran the above and still cannot enable automatic updates. In fact, using start-run-services.msc, the “automatic updates” service is no longer displaying. The log is displayed below – thanks for your help.

Notes about this log:
1) "->" denotes an external command being executed, and "-> (number)" indicates
the return code from the previous command
2) Not all external command return codes are accurate, or useful
3) Sometimes commands return 0 (no error) even when they fail or crash
4) If an error occurs while registering an object, please send an email to:
dial-a-fix@DjLizard.net and include a copy of this log

DAF version: v0.60.0.24

--- System info ---
OS: Microsoft Windows XP Service Pack 3
IE version: 7.0.5730.13
MPC: 76477-OEM
CPU: Intel(R) Pentium(R) 4 CPU 3.00GHz (~2990MHz)
CPU: CPU is 64-bit or has 64-bit extensions
CPU: 2 CPU cores present
BIOS: 5/25/2005
Memory (approx): 2047MB
Uptime: 2 hour(s)
Current directory: C:\Documents and Settings\Bob Swanson\Desktop\Dial-a-fix-v0.60.0.24\Dial-a-fix-v0.60.0.24
---

4/2/2009 8:57:20 AM -- Dial-a-fix : [v0.60.0.24] -- started
8:57:20 AM | Policy scan started
8:57:20 AM | Policy scan ended - no restrictive policies were found
--- Flush SoftwareDistribution ---
--- Windows Update ---
--- Registration: Windows Update/Automatic Update DLLs ---
8:59:51 AM | Unregistered: C:\WINDOWS\system32\msxml.dll
8:59:51 AM | Registered: C:\WINDOWS\system32\msxml.dll
8:59:51 AM | Unregistered: C:\WINDOWS\system32\msxml2.dll
8:59:51 AM | Registered: C:\WINDOWS\system32\msxml2.dll
9:00:41 AM | Unregistered: C:\WINDOWS\system32\msxml3.dll
9:00:42 AM | Registered: C:\WINDOWS\system32\msxml3.dll
9:00:42 AM | Unregistered: C:\WINDOWS\system32\msxml4.dll
9:00:43 AM | Registered: C:\WINDOWS\system32\msxml4.dll
9:00:43 AM | Unregistered: C:\WINDOWS\system32\qmgr.dll
9:00:43 AM | Registered: C:\WINDOWS\system32\qmgr.dll
9:00:43 AM | Unregistered: C:\WINDOWS\system32\qmgrprxy.dll
9:00:43 AM | Registered: C:\WINDOWS\system32\qmgrprxy.dll
9:00:44 AM | Unregistered: C:\WINDOWS\system32\muweb.dll
9:00:44 AM | Registered: C:\WINDOWS\system32\muweb.dll
9:00:44 AM | Unregistered: C:\WINDOWS\system32\winhttp.dll
9:00:44 AM | Registered: C:\WINDOWS\system32\winhttp.dll
9:00:44 AM | Registered: C:\WINDOWS\system32\wuapi.dll
9:05:11 AM | Error during unregistration of C:\WINDOWS\system32\wuaueng.dll - version: 7.2.6001.788. The error returned is: Access is denied.
(-2147024891)
9:10:34 AM | Error during registration of C:\WINDOWS\system32\wuaueng.dll - version: 7.2.6001.788. The error returned is: Access is denied.
(-2147024891)
9:10:34 AM | Unregistered: C:\WINDOWS\system32\wuaueng1.dll
9:10:34 AM | Registered: C:\WINDOWS\system32\wuaueng1.dll
9:10:34 AM | Unregistered: C:\WINDOWS\system32\wucltui.dll
9:10:34 AM | Registered: C:\WINDOWS\system32\wucltui.dll
9:10:34 AM | Unregistered: C:\WINDOWS\system32\wups.dll
9:10:35 AM | Registered: C:\WINDOWS\system32\wups.dll
9:10:35 AM | Unregistered: C:\WINDOWS\system32\wups2.dll
9:10:35 AM | Registered: C:\WINDOWS\system32\wups2.dll
9:10:35 AM | Unregistered: C:\WINDOWS\system32\wuweb.dll
9:10:35 AM | Registered: C:\WINDOWS\system32\wuweb.dll
9:10:35 AM | Registered: C:\WINDOWS\system32\ole32.dll
--- SSL/HTTPS/Cryptography ---
9:10:39 AM | Executed 'cmd.exe /c rmdir /q /s C:\WINDOWS\system32\Catroot2'
--- Registration: SSL/HTTPS/Cryptography ---
9:10:39 AM | Unregistered: C:\WINDOWS\system32\cryptdlg.dll
9:10:39 AM | Registered: C:\WINDOWS\system32\cryptdlg.dll
9:10:39 AM | Unregistered: C:\WINDOWS\system32\cryptui.dll
9:10:39 AM | Registered: C:\WINDOWS\system32\cryptui.dll
9:10:40 AM | Unregistered: C:\WINDOWS\system32\cryptext.dll
9:10:40 AM | Registered: C:\WINDOWS\system32\cryptext.dll
9:10:40 AM | Unregistered: C:\WINDOWS\system32\dssenh.dll
9:10:40 AM | Registered: C:\WINDOWS\system32\dssenh.dll
9:10:41 AM | Unregistered: C:\WINDOWS\system32\gpkcsp.dll
9:10:41 AM | Registered: C:\WINDOWS\system32\gpkcsp.dll
9:10:42 AM | Unregistered: C:\WINDOWS\system32\initpki.dll
9:11:17 AM | Registered: C:\WINDOWS\system32\initpki.dll
9:11:18 AM | Unregistered: C:\WINDOWS\system32\licdll.dll
9:11:18 AM | Registered: C:\WINDOWS\system32\licdll.dll
9:11:18 AM | Unregistered: C:\WINDOWS\system32\mssign32.dll
9:11:18 AM | Registered: C:\WINDOWS\system32\mssign32.dll
9:11:18 AM | Unregistered: C:\WINDOWS\system32\mssip32.dll
9:11:18 AM | Registered: C:\WINDOWS\system32\mssip32.dll
9:11:21 AM | Unregistered: C:\WINDOWS\system32\scardssp.dll
9:11:21 AM | Registered: C:\WINDOWS\system32\scardssp.dll
9:11:21 AM | Unregistered: C:\WINDOWS\system32\sccbase.dll
9:11:21 AM | Registered: C:\WINDOWS\system32\sccbase.dll
9:11:21 AM | Unregistered: C:\WINDOWS\system32\scecli.dll
9:11:21 AM | Registered: C:\WINDOWS\system32\scecli.dll
9:11:21 AM | Unregistered: C:\WINDOWS\system32\softpub.dll
9:11:21 AM | Registered: C:\WINDOWS\system32\softpub.dll
9:11:21 AM | Unregistered: C:\WINDOWS\system32\slbcsp.dll
9:11:21 AM | Registered: C:\WINDOWS\system32\slbcsp.dll
9:11:22 AM | Unregistered: C:\WINDOWS\system32\regwizc.dll
9:11:22 AM | Registered: C:\WINDOWS\system32\regwizc.dll
9:11:22 AM | Unregistered: C:\WINDOWS\system32\rsaenh.dll
9:11:22 AM | Registered: C:\WINDOWS\system32\rsaenh.dll
9:11:22 AM | Unregistered: C:\WINDOWS\system32\winhttp.dll
9:11:22 AM | Registered: C:\WINDOWS\system32\winhttp.dll
9:11:22 AM | Unregistered: C:\WINDOWS\system32\wintrust.dll
9:11:22 AM | Registered: C:\WINDOWS\system32\wintrust.dll
--- Registration: ActiveX controls/codecs ---
9:11:23 AM | Registered: C:\WINDOWS\system32\acelpdec.ax
9:11:23 AM | Registered: C:\WINDOWS\system32\actxprxy.dll
9:11:23 AM | Registered: C:\WINDOWS\system32\asctrls.ocx
9:11:23 AM | Registered: C:\WINDOWS\system32\daxctle.ocx
9:11:24 AM | Registered: C:\WINDOWS\system32\hhctrl.ocx
9:11:24 AM | Registered: C:\WINDOWS\system32\l3codecx.ax
9:11:24 AM | Registered: C:\WINDOWS\system32\licmgr10.dll
9:11:24 AM | Registered: C:\WINDOWS\system32\mpg4ds32.ax
9:11:40 AM | Registered: C:\WINDOWS\system32\msdxm.ocx
9:11:41 AM | Registered: C:\WINDOWS\system32\proctexe.ocx
9:11:41 AM | Registered: C:\WINDOWS\system32\tdc.ocx
9:11:41 AM | Registered: C:\WINDOWS\system32\wshom.ocx
--- Registration: Control Panel applets ---
9:11:43 AM | DllInstalled: C:\WINDOWS\system32\inetcpl.cpl
9:11:43 AM | DllInstalled: C:\WINDOWS\system32\nusrmgr.cpl
9:11:43 AM | Registered: C:\WINDOWS\system32\nusrmgr.cpl
--- Registration: Direct[X|Draw|Show|Media] ---
9:11:43 AM | Registered: C:\WINDOWS\system32\quartz.dll
9:11:45 AM | Registered: C:\WINDOWS\system32\danim.dll
9:11:45 AM | Registered: C:\WINDOWS\system32\dmscript.dll
9:11:45 AM | Registered: C:\WINDOWS\system32\dmstyle.dll
9:11:45 AM | Registered: C:\WINDOWS\system32\dxmasf.dll
9:11:45 AM | Registered: C:\WINDOWS\system32\dxtmsft.dll
9:11:45 AM | Registered: C:\WINDOWS\system32\dxtrans.dll
9:11:45 AM | Registered: C:\WINDOWS\system32\sbe.dll
--- Registration: Programming cores/runtimes ---
9:11:45 AM | Registered: C:\WINDOWS\system32\atl.dll
9:11:45 AM | Registered: C:\WINDOWS\system32\corpol.dll
9:11:45 AM | Registered: C:\WINDOWS\system32\jscript.dll
9:11:45 AM | Registered: C:\WINDOWS\system32\dispex.dll
9:11:46 AM | Registered: C:\WINDOWS\system32\scrrun.dll
9:11:46 AM | Registered: C:\WINDOWS\system32\scrobj.dll
9:11:46 AM | Registered: C:\WINDOWS\system32\vbscript.dll
9:11:46 AM | Registered: C:\WINDOWS\system32\wshext.dll
--- Registration: Explorer/IE/OE/shell/WMP ---
9:11:46 AM | Registered: C:\WINDOWS\system32\activeds.dll
9:11:46 AM | Registered: C:\WINDOWS\system32\audiodev.dll
9:11:46 AM | Registered: C:\WINDOWS\system32\browsewm.dll
9:11:47 AM | Registered: C:\WINDOWS\system32\cabview.dll
9:11:47 AM | Registered: C:\WINDOWS\system32\cdfview.dll
9:11:47 AM | Registered: C:\WINDOWS\system32\clbcatex.dll
9:11:47 AM | Registered: C:\WINDOWS\system32\clbcatq.dll
9:11:47 AM | Registered: C:\WINDOWS\system32\comcat.dll
9:11:48 AM | Registered: C:\WINDOWS\system32\cscui.dll
9:11:48 AM | Registered: C:\WINDOWS\system32\credui.dll
9:11:48 AM | Registered: C:\WINDOWS\system32\datime.dll
9:11:48 AM | Registered: C:\WINDOWS\system32\devmgr.dll
9:11:48 AM | Registered: C:\WINDOWS\system32\dfsshlex.dll
9:11:48 AM | Registered: C:\WINDOWS\system32\dmdlgs.dll
9:11:48 AM | Registered: C:\WINDOWS\system32\dmdskmgr.dll
9:11:48 AM | Registered: C:\WINDOWS\system32\dmloader.dll
9:11:48 AM | Registered: C:\WINDOWS\system32\dmocx.dll
9:11:48 AM | Registered: C:\WINDOWS\system32\dmview.ocx
9:11:48 AM | DllInstalled: C:\WINDOWS\system32\dsuiext.dll
9:11:49 AM | Registered: C:\WINDOWS\system32\dsuiext.dll
9:11:49 AM | DllInstalled: C:\WINDOWS\system32\dsquery.dll
9:11:49 AM | Registered: C:\WINDOWS\system32\dsquery.dll
9:11:49 AM | Registered: C:\WINDOWS\system32\dskquoui.dll
9:11:49 AM | Registered: C:\WINDOWS\system32\els.dll
9:11:49 AM | Registered: C:\WINDOWS\system32\es.dll
9:11:49 AM | Registered: C:\WINDOWS\system32\fontext.dll
9:11:49 AM | Registered: C:\WINDOWS\system32\hlink.dll
9:11:49 AM | Registered: C:\WINDOWS\system32\hnetcfg.dll
9:11:50 AM | Registered: C:\WINDOWS\system32\iedkcs32.dll
9:11:50 AM | Registered: C:\WINDOWS\system32\iepeers.dll
9:11:50 AM | Registered: C:\WINDOWS\system32\ils.dll
9:11:50 AM | Registered: C:\WINDOWS\system32\inetcfg.dll
9:11:51 AM | Registered: C:\WINDOWS\system32\inetcomm.dll
9:11:51 AM | Registered: C:\WINDOWS\system32\laprxy.dll
9:11:52 AM | Registered: C:\WINDOWS\system32\lmrt.dll
9:11:53 AM | Registered: C:\WINDOWS\system32\mlang.dll
9:11:54 AM | Registered: C:\WINDOWS\system32\mmcndmgr.dll
9:11:58 AM | Registered: C:\WINDOWS\system32\mmcshext.dll
9:11:58 AM | Registered: C:\WINDOWS\system32\mscoree.dll
9:11:58 AM | Registered: C:\WINDOWS\system32\mshtmled.dll
9:11:58 AM | Registered: C:\WINDOWS\system32\msoeacct.dll
9:11:58 AM | Registered: C:\WINDOWS\system32\msr2c.dll
9:11:58 AM | DllInstalled: C:\WINDOWS\system32\mydocs.dll
9:11:58 AM | Registered: C:\WINDOWS\system32\mydocs.dll
9:11:59 AM | Registered: C:\WINDOWS\system32\mstime.dll
9:11:59 AM | Registered: C:\WINDOWS\system32\netcfgx.dll
9:11:59 AM | DllInstalled: C:\WINDOWS\system32\netplwiz.dll
9:11:59 AM | Registered: C:\WINDOWS\system32\netplwiz.dll
9:11:59 AM | Registered: C:\WINDOWS\system32\netman.dll
9:12:01 AM | Registered: C:\WINDOWS\system32\netshell.dll
9:12:01 AM | Registered: C:\WINDOWS\system32\ntmsevt.dll
9:12:01 AM | Registered: C:\WINDOWS\system32\ntmsmgr.dll
9:12:01 AM | DllInstalled: C:\WINDOWS\system32\ntmssvc.dll
9:12:01 AM | Registered: C:\WINDOWS\system32\ntmssvc.dll
9:12:01 AM | DllInstalled: C:\WINDOWS\system32\occache.dll
9:12:01 AM | Registered: C:\WINDOWS\system32\occache.dll
9:12:01 AM | Registered: C:\WINDOWS\system32\ole32.dll
9:12:01 AM | Registered: C:\WINDOWS\system32\oleaut32.dll
9:12:02 AM | Registered: C:\WINDOWS\system32\oleacc.dll
9:12:02 AM | Registered: C:\WINDOWS\system32\olepro32.dll
9:12:02 AM | DllInstalled: C:\WINDOWS\system32\photowiz.dll
9:12:02 AM | Registered: C:\WINDOWS\system32\photowiz.dll
9:12:02 AM | Registered: C:\WINDOWS\system32\remotepg.dll
9:12:02 AM | Registered: C:\WINDOWS\system32\rpcrt4.dll
9:12:02 AM | Registered: C:\WINDOWS\system32\rshx32.dll
9:12:02 AM | Registered: C:\WINDOWS\system32\sendmail.dll
9:12:02 AM | Registered: C:\WINDOWS\system32\slayerxp.dll
9:12:02 AM | Registered: C:\WINDOWS\system32\shell32.dll
9:12:12 AM | DllInstalled: C:\WINDOWS\system32\shell32.dll
9:12:13 AM | Registered: C:\WINDOWS\system32\shmedia.dll
9:12:14 AM | DllInstalled: C:\WINDOWS\system32\shimgvw.dll
9:12:16 AM | Registered: C:\WINDOWS\system32\shimgvw.dll
9:12:16 AM | DllInstalled: C:\WINDOWS\system32\shsvcs.dll
9:12:16 AM | Registered: C:\WINDOWS\system32\shsvcs.dll
9:12:16 AM | Registered: C:\WINDOWS\system32\srclient.dll
9:12:16 AM | Unregistered: C:\WINDOWS\system32\stobject.dll
9:12:16 AM | Registered: C:\WINDOWS\system32\stobject.dll
9:12:16 AM | Registered: C:\WINDOWS\system32\twext.dll
9:12:18 AM | DllInstalled: C:\WINDOWS\system32\urlmon.dll
9:12:18 AM | Registered: C:\WINDOWS\system32\urlmon.dll
9:12:18 AM | Registered: C:\WINDOWS\system32\userenv.dll
9:12:18 AM | Registered: C:\WINDOWS\system32\winhttp.dll
9:12:18 AM | DllInstalled: C:\WINDOWS\system32\wininet.dll
9:12:19 AM | Registered: C:\WINDOWS\system32\zipfldr.dll
9:12:19 AM | Registered: C:\Program Files\Common Files\system\Ole DB\msdadc.dll
9:12:19 AM | Registered: C:\Program Files\Common Files\system\Ole DB\msdaenum.dll
9:12:19 AM | Registered: C:\Program Files\Common Files\system\Ole DB\msdaer.dll
9:12:20 AM | Registered: C:\Program Files\Common Files\system\Ole DB\msdaipp.dll
9:12:20 AM | Registered: C:\Program Files\Common Files\system\Ole DB\msdaora.dll
9:12:20 AM | Registered: C:\Program Files\Common Files\system\Ole DB\msdaosp.dll
9:12:20 AM | Registered: C:\Program Files\Common Files\system\Ole DB\msdaps.dll
9:12:20 AM | Registered: C:\Program Files\Common Files\system\Ole DB\msdasc.dll
9:12:20 AM | Registered: C:\Program Files\Common Files\system\Ole DB\msdasql.dll
9:12:20 AM | Registered: C:\Program Files\Common Files\system\Ole DB\msdatt.dll
9:12:20 AM | Registered: C:\Program Files\Common Files\system\Ole DB\msdaurl.dll
9:12:22 AM | Registered: C:\Program Files\Common Files\system\Ole DB\msdmeng.dll
9:12:22 AM | Registered: C:\Program Files\Common Files\system\Ole DB\msdmine.dll
9:12:22 AM | Registered: C:\Program Files\Common Files\system\Ole DB\msmdcb80.dll
9:12:23 AM | Registered: C:\Program Files\Common Files\system\Ole DB\msmdgd80.dll
9:12:23 AM | Registered: C:\Program Files\Common Files\system\Ole DB\msolap80.dll
9:12:24 AM | Registered: C:\Program Files\Common Files\system\Ole DB\msolui80.dll
9:12:24 AM | Registered: C:\Program Files\Common Files\system\Ole DB\msxactps.dll
9:12:25 AM | Registered: C:\Program Files\Common Files\system\Ole DB\oledb32.dll
9:12:25 AM | Registered: C:\Program Files\Common Files\system\Ole DB\oledb32r.dll
9:12:25 AM | Registered: C:\Program Files\Common Files\system\Ole DB\sqloledb.dll
9:12:25 AM | Registered: C:\Program Files\Common Files\system\Ole DB\sqlxmlx.dll

03-29-2009, 12:46 PM	#3 (permalink)
rswanson25 Registered User Join Date: Mar 2009 Posts: 25 OS: XP Home SP 3	Re: Vundo!grb trojan keeps coming back Thank you Clark. I thought I had selected immediate notification, but I never received an email. Since my original post, I've been unable to return to this site (or just about any other site), so I checked using my wife's computer at her work and saw your post. I've downloaded ComboFix to a zip drive and will install it on my computer at home. Hopefully I will be sending you positive results soon. Again, I appreciate your help. Bob

03-29-2009, 03:04 PM	#4 (permalink)
Clark76 Analyst, Security Team ; Rangemaster, TSF Academy Join Date: Jun 2006 Location: Cleveland, Ohio Posts: 1,693 OS: XP Pro, Vista, Ubuntu 8.10	Re: Vundo!grb trojan keeps coming back Sorry about that. The site has been having some trouble with the email notifications. Lately it has been a hit or miss I will be here when you have the requested log __________________ Proud Member of ASAP Proud Member of UNITE If you feel we've helped you, Please Donate to the Forum

03-29-2009, 06:36 PM	#5 (permalink)
rswanson25 Registered User Join Date: Mar 2009 Posts: 25 OS: XP Home SP 3	Re: Vundo!grb trojan keeps coming back OK - progress is not good I'm sorry to report. I downloaded ComboFix to my desktop and double-clicked. I did not get the Open File - Security Warning screen as shown in the ComboFix guide. I did see the blue screen display, but there was no text present (as in "please wait. Combofix is preparing to run"). After a few seconds Windows shut down and I had the blue stop error screen. It said BAD_POOL_CALLER and said if this was the first time, to restart the computer. If it happened again I needed to disable new hardware or software, disable BIOS memory options. The technical code is 0x000000c2 (0x00000007, 0x00000cd4, 0x15ffff44d, 0x8053580d). I had another Combofix file saved on my desktop with a generic name (I had read some trojans are set up to handle fixit programs that are out) and I had the same results. So, I am on my wife's computer again working this thread. Would it be possible to give you my email address? That would make it easier on me to communicate. If you have access to my profile with you, you can get the email address off of that. I appreciate your help on this. Bob

03-29-2009, 06:44 PM	#6 (permalink)
Clark76 Analyst, Security Team ; Rangemaster, TSF Academy Join Date: Jun 2006 Location: Cleveland, Ohio Posts: 1,693 OS: XP Pro, Vista, Ubuntu 8.10	Re: Vundo!grb trojan keeps coming back Unfortunately I only provide support through the forums. Many of the tools I use are geared for forum work. ----------------- Restart your computer and boot into Safe Mode by hitting the F8 key repeatedly until a menu shows up (and choose Safe Mode from the list). In some systems, this may be the F5 key, so try that if F8 doesn't work. Login on your usual account. Make sure to close any open browsers. ------------------- Now try running ComboFix again and let me know how it goes. __________________ Proud Member of ASAP Proud Member of UNITE If you feel we've helped you, Please Donate to the Forum

03-30-2009, 09:16 AM	#7 (permalink)
rswanson25 Registered User Join Date: Mar 2009 Posts: 25 OS: XP Home SP 3	Re: Vundo!grb trojan keeps coming back Clark - I was able to run ComboFix. Here is the log. ComboFix 09-03-29.02 - Bob Swanson 2009-03-30 10:15:26.1 - NTFSx86 MINIMAL Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.3582.3260 [GMT -4:00] Running from: c:\documents and settings\Bob Swanson\Desktop\ComboFix.exe AV: McAfee VirusScan On-access scanning disabled (Updated) FW: McAfee Personal Firewall enabled WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !! . ((((((((((((((((((((((((((((((((((((((( Other Deletions ))))))))))))))))))))))))))))))))))))))))))))))))) . c:\docume~1\BOBSWA~1\LOCALS~1\Temp\mousehook.dll c:\docume~1\BOBSWA~1\LOCALS~1\Temp\ntdll64.dll c:\windows\system32\aliases.ini c:\windows\system32\bubodozu.dll c:\windows\system32\fghxud.dll c:\windows\system32\forugaza.dll c:\windows\system32\frmwrk32.exe c:\windows\system32\hesudobu.dll c:\windows\system32\jalopeya.dll c:\windows\system32\kosilalo.dll c:\windows\system32\loviheti.dll c:\windows\system32\nhser43uhjnefr.dll c:\windows\system32\notopibi.dll c:\windows\system32\ntdll64.exe c:\windows\system32\pihuhiru.dll c:\windows\system32\remote.ini c:\windows\system32\servers.ini c:\windows\system32\tuvafuye.dll c:\windows\system32\uniq.tll c:\windows\system32\waduyeso.dll c:\windows\system32\warning.gif c:\windows\system32\win32hlp.cnf c:\windows\system32\wubajiro.dll c:\windows\system32\yabohoyu.dll c:\windows\system32\yawopadu.dll c:\windows\system32\zafugiho.dll.vir . ((((((((((((((((((((((((( Files Created from 2009-02-28 to 2009-03-30 ))))))))))))))))))))))))))))))) . 2009-03-29 20:02 . 2009-03-29 20:02 <DIR> d-------- C:\Surf 2009-03-27 17:33 . 2009-03-27 17:34 156,160 --a------ c:\windows\aqovimov.dll 2009-03-27 17:18 . 2009-03-27 17:18 27,136 --a------ C:\vaybq.exe 2009-03-27 17:16 . 2009-03-27 17:16 40,448 --a------ C:\liymwuq.exe 2009-03-27 17:16 . 2009-03-27 17:17 7,680 --a------ C:\ijmaxk.exe 2009-03-27 17:15 . 2009-03-27 17:15 104,960 --a------ c:\windows\system32\dllcache\userinit.exe 2009-03-27 17:15 . 2009-03-27 17:15 27,136 --a------ C:\ajtbyh.exe 2009-03-27 17:15 . 2004-08-04 06:00 4,224 --a------ c:\windows\system32\drivers\OLD142.tmp 2009-03-27 17:14 . 2009-03-27 17:17 2 --a------ C:\1155482156 2009-03-27 17:13 . 2009-03-27 17:13 7,680 --a------ C:\wicnin.exe 2009-03-27 17:12 . 2009-03-27 17:12 40,448 --a------ c:\windows\Rreret.dll 2009-03-27 17:12 . 2009-03-27 17:12 40,448 --a------ C:\dmsiacq.exe 2009-03-27 17:12 . 2009-03-27 17:12 9,216 --a------ c:\windows\instsp2.exe 2009-03-19 07:54 . 2009-03-19 07:55 <DIR> d-------- c:\program files\iTunes 2009-03-19 07:54 . 2009-03-19 07:54 <DIR> d-------- c:\program files\iPod 2009-03-19 07:54 . 2009-03-19 07:55 <DIR> d-------- c:\documents and settings\All Users\Application Data\{00D89592-F643-4D8D-8F0F-AFAE0F14D4C3} 2009-03-19 07:51 . 2009-03-19 07:51 <DIR> d-------- c:\program files\QuickTime 2009-03-19 07:49 . 2009-03-05 23:59 1,900,544 --a------ c:\windows\system32\usbaaplrc.dll . (((((((((((((((((((((((((((((((((((((((( Find3M Report )))))))))))))))))))))))))))))))))))))))))))))))))))) . 2009-03-30 14:26 --------- d-----w c:\program files\CyberPower PowerPanel Personal Edition 2009-03-19 11:54 --------- d-----w c:\program files\Common Files\Apple 2009-03-19 11:53 --------- d-----w c:\program files\Bonjour 2009-03-06 03:59 36,864 ----a-w c:\windows\system32\drivers\usbaapl.sys 2009-02-27 11:34 --------- d-----w c:\program files\Microsoft Silverlight 2009-02-26 20:27 --------- d-----w c:\documents and settings\Bob Swanson\Application Data\U3 2009-02-12 14:04 --------- d-----w c:\program files\Quicken 2009-02-11 02:47 --------- d-----w c:\program files\Google 2009-01-29 01:01 --------- d-----w c:\documents and settings\Linda Swanson\Application Data\Move Networks 2008-12-12 00:58 35,624 ----a-w c:\documents and settings\Emily Swanson\Application Data\GDIPFONTCACHEV1.DAT 2008-11-04 15:16 35,624 ----a-w c:\documents and settings\Linda Swanson\Application Data\GDIPFONTCACHEV1.DAT 2008-11-04 14:12 35,624 ----a-w c:\documents and settings\Bob Swanson\Application Data\GDIPFONTCACHEV1.DAT 2008-10-09 20:12 31,736 ----a-w c:\documents and settings\Michael Swanson\Application Data\GDIPFONTCACHEV1.DAT 2008-05-11 23:00 20 ---h--w c:\documents and settings\All Users\Application Data\PKP_DLec.DAT 2007-10-18 20:23 1,762,304 ----a-w c:\documents and settings\Michael Swanson\ClearN7_1.exe 2007-10-18 19:27 1,394,568 ----a-w c:\documents and settings\Michael Swanson\install_easyshare.exe 2007-05-31 01:01 190,064 ----a-w c:\documents and settings\Michael Swanson\Morpheus.exe 2006-01-06 19:42 127,968 ----a-w c:\program files\Re 2008-09-10 20:11 32,768 --sha-w c:\windows\system32\config\systemprofile\Local Settings\History\History.IE5\MSHist012008091020080911\index.dat . ------- Sigcheck ------- 2004-08-04 06:00 24576 39b1ffb03c2296323832acbae50d2aff c:\windows\$NtServicePackUninstall$\userinit.exe 2008-04-13 20:12 26112 a93aee1928a9d7ce3e16d24ec7380f89 c:\windows\ServicePackFiles\i386\userinit.exe 2009-03-27 17:15 104960 2e1acb5bdfb74aa2fd04546802b76b5f c:\windows\system32\userinit.exe 2009-03-27 17:15 104960 2e1acb5bdfb74aa2fd04546802b76b5f c:\windows\system32\dllcache\userinit.exe . ((((((((((((((((((((((((((((((((((((( Reg Loading Points )))))))))))))))))))))))))))))))))))))))))))))))))) . . Note empty entries & legit default entries are not shown REGEDIT4 [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\Carbonite.Green] @="{95A27763-F62A-4114-9072-E81D87DE3B68}" [HKEY_CLASSES_ROOT\CLSID\{95A27763-F62A-4114-9072-E81D87DE3B68}] 2009-01-09 16:13 583312 -ra------ c:\program files\Carbonite\Carbonite Backup\CarboniteNSE.dll [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\Carbonite.Partial] @="{E300CD91-100F-4E67-9AF3-1384A6124015}" [HKEY_CLASSES_ROOT\CLSID\{E300CD91-100F-4E67-9AF3-1384A6124015}] 2009-01-09 16:13 583312 -ra------ c:\program files\Carbonite\Carbonite Backup\CarboniteNSE.dll [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\Carbonite.Yellow] @="{5E529433-B50E-4bef-A63B-16A6B71B071A}" [HKEY_CLASSES_ROOT\CLSID\{5E529433-B50E-4bef-A63B-16A6B71B071A}] 2009-01-09 16:13 583312 -ra------ c:\program files\Carbonite\Carbonite Backup\CarboniteNSE.dll [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run] "DellSupport"="c:\program files\DellSupport\DSAgnt.exe" [2007-03-15 460784] "MSMSGS"="c:\program files\Messenger\msmsgs.exe" [2008-04-13 1695232] "DellSupportCenter"="c:\program files\Dell Support Center\bin\sprtcmd.exe" [2008-08-13 206064] "PowerPanel Personal Edition User Interaction"="c:\program files\CyberPower PowerPanel Personal Edition\pppeuser.exe" [2007-12-07 315392] "WMPNSCFG"="c:\program files\Windows Media Player\WMPNSCFG.exe" [2006-10-18 204288] [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run] "IAAnotif"="c:\program files\Intel\Intel Matrix Storage Manager\iaanotif.exe" [2005-04-25 139264] "ATIPTA"="c:\program files\ATI Technologies\ATI Control Panel\atiptaxx.exe" [2004-08-25 339968] "IntelMeM"="c:\program files\Intel\Modem Event Monitor\IntelMEM.exe" [2003-09-03 221184] "DVDLauncher"="c:\program files\CyberLink\PowerDVD\DVDLauncher.exe" [2005-02-23 53248] "ISUSPM Startup"="c:\progra~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe" [2004-07-27 221184] "ISUSScheduler"="c:\program files\Common Files\InstallShield\UpdateService\issch.exe" [2004-07-27 81920] "HPDJ Taskbar Utility"="c:\windows\system32\spool\drivers\w32x86\3\hpztsb07.exe" [2002-11-22 188416] "dla"="c:\windows\system32\dla\tfswctrl.exe" [2004-03-15 122933] "dscactivate"="c:\program files\Dell Support Center\gs_agent\custom\dsca.exe" [2007-11-15 16384] "TkBellExe"="c:\program files\Common Files\Real\Update_OB\realsched.exe" [2008-03-28 185896] "Error Nuker"="c:\program files\Error Nuker\bin\ErrorNuker.exe" [2005-01-17 3002368] "DellSupportCenter"="c:\program files\Dell Support Center\bin\sprtcmd.exe" [2008-08-13 206064] "masqform.exe"="c:\program files\PureEdge\Viewer 6.5\masqform.exe" [2005-07-04 643072] "mcagent_exe"="c:\program files\McAfee.com\Agent\mcagent.exe" [2007-11-01 582992] "HPHmon04"="c:\windows\system32\hphmon04.exe" [2002-11-22 348160] "HPHUPD04"="c:\program files\HP Photosmart 11\hphinstall\UniPatch\hphupd04.exe" [2002-11-22 49152] "Share-to-Web Namespace Daemon"="c:\program files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe" [2002-04-17 69632] "McAfee Backup"="c:\program files\McAfee\MBK\McAfeeDataBackup.exe" [2007-01-16 4838952] "MBkLogOnHook"="c:\program files\McAfee\MBK\LogOnHook.exe" [2007-01-08 20480] "Carbonite Backup"="c:\program files\Carbonite\Carbonite Backup\CarboniteUI.exe" [2009-01-09 669840] "QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2009-01-05 413696] "iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2009-03-12 342312] "SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2009-03-19 148888] "Fkojurovi"="c:\windows\Rreret.dll" [2009-03-27 40448] "Jtezewu"="c:\windows\aqovimov.dll" [2009-03-27 156160] "SigmatelSysTrayApp"="stsystra.exe" [2005-03-23 c:\windows\stsystra.exe] c:\documents and settings\All Users\Start Menu\Programs\Startup\ Adobe Reader Speed Launch.lnk - c:\program files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2008-04-23 29696] Microsoft Office.lnk - c:\program files\Microsoft Office\Office10\OSA.EXE [2001-02-13 83360] NkbMonitor.exe.lnk - c:\program files\Nikon\PictureProject\NkbMonitor.exe [2008-03-20 118784] ymetray.lnk - c:\program files\Yahoo!\Yahoo! Music Engine\ymetray.exe [2008-02-05 54512] [HKEY_LOCAL_MACHINE\software\microsoft\security center] "AntiVirusDisableNotify"=dword:00000001 "UpdatesDisableNotify"=dword:00000001 [HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeAntiVirus] "DisableMonitoring"=dword:00000001 [HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeFirewall] "DisableMonitoring"=dword:00000001 [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile] "EnableFirewall"= 0 (0x0) [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List] "%windir%\\system32\\sessmgr.exe"= "%windir%\\Network Diagnostic\\xpnetdiag.exe"= "c:\\Program Files\\Common Files\\McAfee\\MNA\\McNASvc.exe"= "c:\\Program Files\\Yahoo!\\Yahoo! Music Engine\\YahooMusicEngine.exe"= "c:\\Program Files\\Bonjour\\mDNSResponder.exe"= "c:\\Program Files\\iTunes\\iTunes.exe"= "c:\\Program Files\\Error Nuker\\bin\\ErrorNuker.exe"= "c:\\Program Files\\Microsoft Office\\Office10\\OUTLOOK.EXE"= "c:\\WINDOWS\\system32\\vssvc.exe"= "c:\\WINDOWS\\system32\\dllhost.exe"= "c:\\WINDOWS\\system32\\hphmon04.exe"= "c:\\WINDOWS\\system32\\imapi.exe"= "c:\\WINDOWS\\stsystra.exe"= "c:\\Program Files\\Intel\\Modem Event Monitor\\IntelMEM.exe"= R2 IntuitUpdateService;Intuit Update Service;c:\program files\Common Files\Intuit\Update Service\IntuitUpdateService.exe [2008-10-10 13088] S1 7b54a0e9;7b54a0e9;c:\windows\system32\drivers\7b54a0e9.sys --> c:\windows\system32\drivers\7b54a0e9.sys [?] S2 gupdate1c9878ec79c3ec2;Google Update Service (gupdate1c9878ec79c3ec2);c:\program files\Google\Update\GoogleUpdate.exe [2009-02-05 133104] S3 w300mgmt;Sony Ericsson W300 USB WMC Device Management Drivers (WDM);c:\windows\system32\drivers\w300mgmt.sys [2005-12-28 87824] S3 w300obex;Sony Ericsson W300 USB WMC OBEX Interface;c:\windows\system32\drivers\w300obex.sys [2005-12-28 85696] [HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{f9bb3ff6-ab43-11dd-b6ec-00123f6f9cbf}] \shell\autorun\command - g:\windows\IronKey.exe . Contents of the 'Scheduled Tasks' folder 2009-03-30 c:\windows\Tasks\AppleSoftwareUpdate.job - c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 12:34] 2009-03-26 c:\windows\Tasks\HP Usg Daily.job - c:\program files\hp photosmart 11\printer\Hphusg04.exe [2002-11-22 15:50] 2009-03-25 c:\windows\Tasks\Java Update.job - c:\program files\Java\jre1.6.0_05\bin\jucheck.exe [2008-02-22 04:25] 2008-10-15 c:\windows\Tasks\McDefragTask.job - c:\progra~1\mcafee\mqc\QcConsol.exe [2007-12-04 13:32] 2009-03-01 c:\windows\Tasks\McQcTask.job - c:\progra~1\mcafee\mqc\QcConsol.exe [2007-12-04 13:32] . - - - - ORPHANS REMOVED - - - - BHO-{c2ba40a2-74f3-42bd-f434-2604812c8954} - c:\windows\system32\nhser43uhjnefr.dll SharedTaskScheduler-{C2BA40A2-74F3-42BD-F434-2604812C8954} - c:\windows\system32\nhser43uhjnefr.dll Notify-ckpNotify - (no file) . ------- Supplementary Scan ------- . uStart Page = hxxp://www.refdesk.com/ uInternet Settings,ProxyOverride = .local IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~4\Office10\EXCEL.EXE/3000 Trusted Zone: internet Trusted Zone: mcafee.com Trusted Zone: turbotax.com DPF: {15589FA1-C456-11CE-BF01-000000000000} - hxxp://www.errornuker.com/products/errn2004/installers/default/ErrorNukerInstaller.exe DPF: {6D2EF4B4-CB62-4C0B-85F3-B79C236D702C} - hxxp://www.facebook.com/controls/contactx.dll FF - ProfilePath - c:\documents and settings\Bob Swanson\Application Data\Mozilla\Firefox\Profiles\bdw5udla.default\ FF - prefs.js: browser.startup.homepage - hxxp://www.refdesk.com/ FF - plugin: c:\program files\eMusic Download Manager\plugin\npemusic.dll FF - plugin: c:\program files\Google\Update\1.2.141.5\npGoogleOneClick7.dll FF - plugin: c:\program files\Viewpoint\Viewpoint Experience Technology\npViewpoint.dll . *********************************************************************** catchme 0.3.1375 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net Rootkit scan 2009-03-30 10:53:35 Windows 5.1.2600 Service Pack 3 NTFS scanning hidden processes ... scanning hidden autostart entries ... HKLM\Software\Microsoft\Windows\CurrentVersion\Run McAfee Backup = c:\program files\McAfee\MBK\McAfeeDataBackup.exe????????????????????????????????????????????????????????????????????????????????? scanning hidden files ... scan completed successfully hidden files: 0 ************************************************************************ . --------------------- LOCKED REGISTRY KEYS --------------------- [HKEY_USERS\S-1-5-21-1109410338-2750378667-2462934570-1006\Software\Microsoft\SystemCertificates\AddressBook] @Allowed: (Read) (RestrictedCode) @Allowed: (Read) (RestrictedCode) . ------------------------ Other Running Processes ------------------------ . c:\windows\system32\ati2evxx.exe c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe c:\program files\Bonjour\mDNSResponder.exe c:\program files\Carbonite\Carbonite Backup\CarboniteService.exe c:\program files\Intel\Intel Matrix Storage Manager\IAANTMon.exe c:\program files\Java\jre6\bin\jqs.exe c:\program files\McAfee\MBK\MBackMonitor.exe c:\progra~1\McAfee\MSC\mcmscsvc.exe c:\progra~1\COMMON~1\McAfee\MNA\McNASvc.exe c:\progra~1\COMMON~1\McAfee\McProxy\McProxy.exe c:\progra~1\McAfee\VIRUSS~1\Mcshield.exe c:\program files\McAfee\MPF\MpfSrv.exe c:\program files\CyberPower PowerPanel Personal Edition\ppped.exe c:\program files\Dell Support Center\bin\sprtsvc.exe c:\program files\Windows Media Player\wmpnetwk.exe c:\progra~1\McAfee.com\Agent\mcagent.exe c:\program files\Hewlett-Packard\HP Share-to-Web\hpgs2wnf.exe c:\windows\system32\rundll32.exe c:\program files\iPod\bin\iPodService.exe c:\progra~1\McAfee\MSC\mcuimgr.exe c:\windows\system32\vssvc.exe c:\windows\system32\dllhost.exe c:\windows\system32\dllhost.exe c:\windows\system32\msdtc.exe c:\windows\system32\wscntfy.exe . ************************************************************************* . Completion time: 2009-03-30 10:59:22 - machine was rebooted [Bob Swanson] ComboFix-quarantined-files.txt 2009-03-30 14:58:37 Pre-Run: 62,647,144,448 bytes free Post-Run: 68,086,312,960 bytes free 257 --- E O F --- 2009-03-14 04:35:41 Let me know the next steps. Thanks. Bob

03-30-2009, 04:31 PM	#8 (permalink)
rswanson25 Registered User Join Date: Mar 2009 Posts: 25 OS: XP Home SP 3	Re: Vundo!grb trojan keeps coming back I forgot to mention a couple of other things. 1) The recovery console did not install when I ran this initially. I was able to install it after ComboFix was completed. 2) ComboFix displayed a message that McAfee was still running and that might affect the outcome of the results. I don't know why this was displayed as I had disabled all the different configuration choices (firewall, virus, scripting, email, IM, etc.). 3) Should I run ComboFix one more time? Things appear to be returning back to normal, except my email is not displaying all of the graphics on an html email. Again, thank you so much for your assistance. Bob

03-30-2009, 04:45 PM	#9 (permalink)
Clark76 Analyst, Security Team ; Rangemaster, TSF Academy Join Date: Jun 2006 Location: Cleveland, Ohio Posts: 1,693 OS: XP Pro, Vista, Ubuntu 8.10	Re: Vundo!grb trojan keeps coming back When you installed the recovery console did you do it through ComboFix and run a scan right afterwards? If so I would like to see the most recent log located here:C:\ComboFix.txt If you did not run ComboFix right afterwards please do so now and post back with the log. __________________ Proud Member of ASAP Proud Member of UNITE If you feel we've helped you, Please Donate to the Forum

03-30-2009, 08:27 PM	#11 (permalink)
Clark76 Analyst, Security Team ; Rangemaster, TSF Academy Join Date: Jun 2006 Location: Cleveland, Ohio Posts: 1,693 OS: XP Pro, Vista, Ubuntu 8.10	Re: Vundo!grb trojan keeps coming back Hello again Your Java is out of date. Older versions have vulnerabilities that malware can use to infect your system. Please follow these steps to remove older version Java components and update. Download the latest version of Java Runtime Environment (JRE) 6 and save it to your desktop. Scroll down to where it says "Java SE Runtime Environment (JRE) 6 Update 13. The Java SE Runtime Environment (JRE) allows end-users to run Java applications." Click the "Download" button to the right. Select the Windows platform from the dropdown menu. Read the License Agreement and then check the box that says: " I agree to the Java SE Runtime Environment 6 with JavaFX License Agreement". Click on Continue.The page will refresh. Click on the link to download Windows Offline Installation and save the file to your desktop. Close any programs you may have running - especially your web browser. Go to Start > Settings > Control Panel, double-click on Add/Remove Programs and remove all older versions of Java. Check (highlight) any item with Java Runtime Environment (JRE or J2SE or Java(TM) 6) in the name. Click the Remove or Change/Remove button. Repeat as many times as necessary to remove each Java versions. Reboot your computer once all Java components are removed. Then from your desktop double-click on jre-6u13-windows-i586-p.exe to install the newest version. After the install is complete, go into the Control Panel (using Classic View) and double-click the Java Icon. (looks like a coffee cup) On the General tab, under Temporary Internet Files, click the Settings button. Next, click on the Delete Files button There are two options in the window to clear the cache - Leave BOTH Checked Applications and Applets Trace and Log Files Click OK on Delete Temporary Files Window Note: This deletes ALL the Downloaded Applications and Applets from the CACHE. Click OK to leave the Temporary Files Window Click OK to leave the Java Control Panel. ------------------------- 1. Close any open browsers. 2. Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix. 3. Open notepad and copy/paste the text in the codebox below into it: Code: http://www.techsupportforum.com/security-center/virus-trojan-spyware-help/360536-vundo-grb-trojan-keeps-coming-back.html#post2053127 Collect:: c:\windows\aqovimov.dll C:\vaybq.exe C:\liymwuq.exe C:\ijmaxk.exe C:\ajtbyh.exe C:\wicnin.exe C:\dmsiacq.exe c:\windows\instsp2.exe Suspect:: c:\windows\system32\drivers\7b54a0e9.sys RegNull:: [HKEY_USERS\S-1-5-21-1109410338-2750378667-2462934570-1006\Software\Microsoft\SystemCertificates\AddressBook] Save this as "CFScript" Refering to the picture above, drag CFScript into ComboFix.exe Then post the resultant log Note: Do not mouseclick combofix's window while it's running. That may cause it to stall Note* When CF finishes running, the ComboFix log will open along with a message box--do not be alarmed. With the above script, ComboFix will capture files to submit for analysis. Ensure you are connected to the internet and click OK on the message box. -------------------------- Establish an internet connection & perform an online scan with Firefox or Internet Explorer at Kaspersky Online Scanner Note To optimize scanning time and produce a more sensible report for review: Close any open programs Turn off the real time scanner of any existing antivirus program while performing the online scan. Click Accept, when prompted to download and install the program files and database of malware definitions. Click Run at the Security prompt. The program will then begin downloading and installing and will also update the database. Please be patient as this can take several minutes. Once the update is complete, click on My Computer under the green Scan bar to the left to start the scan. Once the scan is complete, it will display if your system has been infected. It does not provide an option to clean/disinfect. We only require a report from it. Do NOT be alarmed by what you see in the report. Many of the finds have likely been quarantined. Click View scan report at the bottom. Click the Save Report As... button. Click the Save as Text button to save the file to your desktop so that you may post it in your next reply. Note for Internet Explorer 7 users: If at any time you have trouble with the accept button of the licence, click on the Zoom tool located at the right bottom of the IE window and set the zoom to 75 %. Once the license accepted, reset to 100%. -------------------------- Please provide the following logs with your next post: C:\ComboFix.txt Kaspersky Report Also include an update on how your system is running __________________ Proud Member of ASAP Proud Member of UNITE If you feel we've helped you, Please Donate to the Forum

03-31-2009, 03:21 PM	#12 (permalink)
rswanson25 Registered User Join Date: Mar 2009 Posts: 25 OS: XP Home SP 3	Re: Vundo!grb trojan keeps coming back Here are the logs. As to how the system is running: it is a lot better!! I've noticed graphics are missing on emails and on McAfee's security control center. Any help with that would be appreciated. Thanks. Bob ComboFix 09-03-30.04 - Bob Swanson 2009-03-31 14:21:32.3 - NTFSx86 Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.3582.3016 [GMT -4:00] Running from: c:\documents and settings\Bob Swanson\Desktop\ComboFix.exe Command switches used :: c:\documents and settings\Bob Swanson\Desktop\CFScript.txt AV: McAfee VirusScan On-access scanning disabled (Updated) FW: McAfee Personal Firewall disabled * Created a new restore point . ((((((((((((((((((((((((((((((((((((((( Other Deletions ))))))))))))))))))))))))))))))))))))))))))))))))) . C:\dmsiacq.exe C:\liymwuq.exe c:\windows\aqovimov.dll c:\windows\instsp2.exe . ((((((((((((((((((((((((( Files Created from 2009-02-28 to 2009-03-31 ))))))))))))))))))))))))))))))) . 2009-03-31 14:05 . 2009-03-31 14:04 73,728 --a------ c:\windows\system32\javacpl.cpl 2009-03-31 13:15 . 2009-03-31 13:18 <DIR> d-------- c:\documents and settings\Bob Swanson\.SunDownloadManager 2009-03-29 20:02 . 2009-03-29 20:02 <DIR> d-------- C:\Surf 2009-03-27 17:15 . 2004-08-04 06:00 4,224 --a------ c:\windows\system32\drivers\OLD142.tmp 2009-03-27 17:14 . 2009-03-27 17:17 2 --a------ C:\1155482156 2009-03-19 07:54 . 2009-03-19 07:55 <DIR> d-------- c:\program files\iTunes 2009-03-19 07:54 . 2009-03-19 07:54 <DIR> d-------- c:\program files\iPod 2009-03-19 07:54 . 2009-03-19 07:55 <DIR> d-------- c:\documents and settings\All Users\Application Data\{00D89592-F643-4D8D-8F0F-AFAE0F14D4C3} 2009-03-19 07:51 . 2009-03-19 07:51 <DIR> d-------- c:\program files\QuickTime 2009-03-19 07:49 . 2009-03-05 23:59 1,900,544 --a------ c:\windows\system32\usbaaplrc.dll 2009-03-12 06:39 . 2009-03-12 06:39 <DIR> d-------- c:\documents and settings\LocalService\Application Data\McAfee . (((((((((((((((((((((((((((((((((((((((( Find3M Report )))))))))))))))))))))))))))))))))))))))))))))))))))) . 2009-03-31 18:04 410,984 ----a-w c:\windows\system32\deploytk.dll 2009-03-31 17:53 --------- d-----w c:\program files\CyberPower PowerPanel Personal Edition 2009-03-31 17:50 --------- d-----w c:\program files\Rhapsody 2009-03-31 17:49 --------- d-----w c:\documents and settings\All Users\Application Data\Yahoo 2009-03-31 17:48 --------- d-----w c:\program files\Yahoo! 2009-03-31 17:45 --------- d-----w c:\program files\Java 2009-03-19 11:54 --------- d-----w c:\program files\Common Files\Apple 2009-03-19 11:53 --------- d-----w c:\program files\Bonjour 2009-03-06 03:59 36,864 ----a-w c:\windows\system32\drivers\usbaapl.sys 2009-02-27 11:34 --------- d-----w c:\program files\Microsoft Silverlight 2009-02-26 20:27 --------- d-----w c:\documents and settings\Bob Swanson\Application Data\U3 2009-02-12 14:04 --------- d-----w c:\program files\Quicken 2009-02-11 02:47 --------- d-----w c:\program files\Google 2009-02-09 11:13 1,846,784 ----a-w c:\windows\system32\win32k.sys 2009-02-09 11:13 1,846,784 ------w c:\windows\system32\dllcache\win32k.sys 2009-01-29 01:01 --------- d-----w c:\documents and settings\Linda Swanson\Application Data\Move Networks 2009-01-17 02:35 3,594,752 ------w c:\windows\system32\dllcache\mshtml.dll 2008-12-19 09:10 70,656 ------w c:\windows\system32\dllcache\ie4uinit.exe 2008-12-19 09:10 13,824 ------w c:\windows\system32\dllcache\ieudinit.exe 2008-12-19 05:25 634,024 ------w c:\windows\system32\dllcache\iexplore.exe 2008-12-19 05:23 161,792 ------w c:\windows\system32\dllcache\ieakui.dll 2008-12-12 15:18 87,336 ----a-w c:\windows\system32\dns-sd.exe 2008-12-12 15:11 61,440 ----a-w c:\windows\system32\dnssd.dll 2008-12-12 00:58 35,624 ----a-w c:\documents and settings\Emily Swanson\Application Data\GDIPFONTCACHEV1.DAT 2008-12-11 10:57 333,952 ------w c:\windows\system32\dllcache\srv.sys 2008-12-05 06:54 144,896 ----a-w c:\windows\system32\schannel.dll 2008-12-05 06:54 144,896 ------w c:\windows\system32\dllcache\schannel.dll 2008-11-04 15:16 35,624 ----a-w c:\documents and settings\Linda Swanson\Application Data\GDIPFONTCACHEV1.DAT 2008-11-04 14:12 35,624 ----a-w c:\documents and settings\Bob Swanson\Application Data\GDIPFONTCACHEV1.DAT 2008-10-09 20:12 31,736 ----a-w c:\documents and settings\Michael Swanson\Application Data\GDIPFONTCACHEV1.DAT 2008-05-11 23:00 20 ---h--w c:\documents and settings\All Users\Application Data\PKP_DLec.DAT 2007-10-18 20:23 1,762,304 ----a-w c:\documents and settings\Michael Swanson\ClearN7_1.exe 2007-10-18 19:27 1,394,568 ----a-w c:\documents and settings\Michael Swanson\install_easyshare.exe 2007-05-31 01:01 190,064 ----a-w c:\documents and settings\Michael Swanson\Morpheus.exe 2006-01-06 19:42 127,968 ----a-w c:\program files\Re 2008-09-10 20:11 32,768 --sha-w c:\windows\system32\config\systemprofile\Local Settings\History\History.IE5\MSHist012008091020080911\index.dat . ((((((((((((((((((((((((((((( SnapShot@2009-03-30_10.57.20.20 ))))))))))))))))))))))))))))))))))))))))) . - 2009-03-30 10:46:08 32,768 -c--a-w c:\windows\system32\config\systemprofile\Cookies\index.dat + 2009-03-31 15:01:29 32,768 -c--a-w c:\windows\system32\config\systemprofile\Cookies\index.dat - 2009-03-30 10:46:08 32,768 -c--a-w c:\windows\system32\config\systemprofile\Local Settings\History\History.IE5\index.dat + 2009-03-31 15:01:29 32,768 -c--a-w c:\windows\system32\config\systemprofile\Local Settings\History\History.IE5\index.dat + 2009-03-31 15:01:29 32,768 --sha-w c:\windows\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\index.dat - 2009-03-27 21:15:37 104,960 ----a-w c:\windows\system32\dllcache\userinit.exe + 2004-08-04 10:00:00 24,576 ----a-w c:\windows\system32\dllcache\userinit.exe - 2009-03-19 12:23:58 144,792 ----a-w c:\windows\system32\java.exe + 2009-03-31 18:04:58 144,792 ----a-w c:\windows\system32\java.exe - 2009-03-19 12:23:59 144,792 ----a-w c:\windows\system32\javaw.exe + 2009-03-31 18:04:58 144,792 ----a-w c:\windows\system32\javaw.exe - 2009-03-19 12:23:59 148,888 ----a-w c:\windows\system32\javaws.exe + 2009-03-31 18:04:58 148,888 ----a-w c:\windows\system32\javaws.exe + 2009-02-25 16:55:00 24,768,960 ----a-w c:\windows\system32\MRT.exe - 2009-03-27 21:15:37 104,960 ----a-w c:\windows\system32\userinit.exe + 2004-08-04 10:00:00 24,576 ----a-w c:\windows\system32\userinit.exe + 2009-03-31 17:53:45 16,384 ----atw c:\windows\Temp\Perflib_Perfdata_6ac.dat + 2009-03-31 18:05:20 16,384 ----atw c:\windows\Temp\Perflib_Perfdata_c5c.dat . ((((((((((((((((((((((((((((((((((((( Reg Loading Points )))))))))))))))))))))))))))))))))))))))))))))))))) . . Note empty entries & legit default entries are not shown REGEDIT4 [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\Carbonite.Green] @="{95A27763-F62A-4114-9072-E81D87DE3B68}" [HKEY_CLASSES_ROOT\CLSID\{95A27763-F62A-4114-9072-E81D87DE3B68}] 2009-01-09 16:13 583312 -ra------ c:\program files\Carbonite\Carbonite Backup\CarboniteNSE.dll [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\Carbonite.Partial] @="{E300CD91-100F-4E67-9AF3-1384A6124015}" [HKEY_CLASSES_ROOT\CLSID\{E300CD91-100F-4E67-9AF3-1384A6124015}] 2009-01-09 16:13 583312 -ra------ c:\program files\Carbonite\Carbonite Backup\CarboniteNSE.dll [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\Carbonite.Yellow] @="{5E529433-B50E-4bef-A63B-16A6B71B071A}" [HKEY_CLASSES_ROOT\CLSID\{5E529433-B50E-4bef-A63B-16A6B71B071A}] 2009-01-09 16:13 583312 -ra------ c:\program files\Carbonite\Carbonite Backup\CarboniteNSE.dll [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run] "DellSupport"="c:\program files\DellSupport\DSAgnt.exe" [2007-03-15 460784] "MSMSGS"="c:\program files\Messenger\msmsgs.exe" [2008-04-13 1695232] "DellSupportCenter"="c:\program files\Dell Support Center\bin\sprtcmd.exe" [2008-08-13 206064] "PowerPanel Personal Edition User Interaction"="c:\program files\CyberPower PowerPanel Personal Edition\pppeuser.exe" [2007-12-07 315392] "WMPNSCFG"="c:\program files\Windows Media Player\WMPNSCFG.exe" [2006-10-18 204288] [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run] "IAAnotif"="c:\program files\Intel\Intel Matrix Storage Manager\iaanotif.exe" [2005-04-25 139264] "ATIPTA"="c:\program files\ATI Technologies\ATI Control Panel\atiptaxx.exe" [2004-08-25 339968] "IntelMeM"="c:\program files\Intel\Modem Event Monitor\IntelMEM.exe" [2003-09-03 221184] "DVDLauncher"="c:\program files\CyberLink\PowerDVD\DVDLauncher.exe" [2005-02-23 53248] "ISUSPM Startup"="c:\progra~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe" [2004-07-27 221184] "ISUSScheduler"="c:\program files\Common Files\InstallShield\UpdateService\issch.exe" [2004-07-27 81920] "HPDJ Taskbar Utility"="c:\windows\system32\spool\drivers\w32x86\3\hpztsb07.exe" [2002-11-22 188416] "dla"="c:\windows\system32\dla\tfswctrl.exe" [2004-03-15 122933] "dscactivate"="c:\program files\Dell Support Center\gs_agent\custom\dsca.exe" [2007-11-15 16384] "TkBellExe"="c:\program files\Common Files\Real\Update_OB\realsched.exe" [2008-03-28 185896] "Error Nuker"="c:\program files\Error Nuker\bin\ErrorNuker.exe" [2005-01-17 3002368] "DellSupportCenter"="c:\program files\Dell Support Center\bin\sprtcmd.exe" [2008-08-13 206064] "masqform.exe"="c:\program files\PureEdge\Viewer 6.5\masqform.exe" [2005-07-04 643072] "mcagent_exe"="c:\program files\McAfee.com\Agent\mcagent.exe" [2007-11-01 582992] "HPHmon04"="c:\windows\system32\hphmon04.exe" [2002-11-22 348160] "HPHUPD04"="c:\program files\HP Photosmart 11\hphinstall\UniPatch\hphupd04.exe" [2002-11-22 49152] "Share-to-Web Namespace Daemon"="c:\program files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe" [2002-04-17 69632] "McAfee Backup"="c:\program files\McAfee\MBK\McAfeeDataBackup.exe" [2007-01-16 4838952] "MBkLogOnHook"="c:\program files\McAfee\MBK\LogOnHook.exe" [2007-01-08 20480] "Carbonite Backup"="c:\program files\Carbonite\Carbonite Backup\CarboniteUI.exe" [2009-01-09 669840] "QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2009-01-05 413696] "iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2009-03-12 342312] "SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2009-03-31 148888] "SigmatelSysTrayApp"="stsystra.exe" [2005-03-23 c:\windows\stsystra.exe] c:\documents and settings\All Users\Start Menu\Programs\Startup\ Adobe Reader Speed Launch.lnk - c:\program files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2008-04-23 29696] Microsoft Office.lnk - c:\program files\Microsoft Office\Office10\OSA.EXE [2001-02-13 83360] NkbMonitor.exe.lnk - c:\program files\Nikon\PictureProject\NkbMonitor.exe [2008-03-20 118784] [HKEY_LOCAL_MACHINE\software\microsoft\security center] "AntiVirusDisableNotify"=dword:00000001 "UpdatesDisableNotify"=dword:00000001 [HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeAntiVirus] "DisableMonitoring"=dword:00000001 [HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeFirewall] "DisableMonitoring"=dword:00000001 [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile] "EnableFirewall"= 0 (0x0) [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List] "%windir%\\system32\\sessmgr.exe"= "%windir%\\Network Diagnostic\\xpnetdiag.exe"= "c:\\Program Files\\Common Files\\McAfee\\MNA\\McNASvc.exe"= "c:\\Program Files\\Bonjour\\mDNSResponder.exe"= "c:\\Program Files\\iTunes\\iTunes.exe"= "c:\\Program Files\\Error Nuker\\bin\\ErrorNuker.exe"= "c:\\Program Files\\Microsoft Office\\Office10\\OUTLOOK.EXE"= "c:\\WINDOWS\\system32\\vssvc.exe"= "c:\\WINDOWS\\system32\\dllhost.exe"= "c:\\WINDOWS\\system32\\hphmon04.exe"= "c:\\WINDOWS\\system32\\imapi.exe"= "c:\\WINDOWS\\stsystra.exe"= "c:\\Program Files\\Intel\\Modem Event Monitor\\IntelMEM.exe"= R2 IntuitUpdateService;Intuit Update Service;c:\program files\Common Files\Intuit\Update Service\IntuitUpdateService.exe [2008-10-10 13088] S1 7b54a0e9;7b54a0e9;c:\windows\system32\drivers\7b54a0e9.sys --> c:\windows\system32\drivers\7b54a0e9.sys [?] S2 gupdate1c9878ec79c3ec2;Google Update Service (gupdate1c9878ec79c3ec2);c:\program files\Google\Update\GoogleUpdate.exe [2009-02-05 133104] S3 w300mgmt;Sony Ericsson W300 USB WMC Device Management Drivers (WDM);c:\windows\system32\drivers\w300mgmt.sys [2005-12-28 87824] S3 w300obex;Sony Ericsson W300 USB WMC OBEX Interface;c:\windows\system32\drivers\w300obex.sys [2005-12-28 85696] --- Other Services/Drivers In Memory --- NewlyCreated - JAVAQUICKSTARTERSERVICE [HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{f9bb3ff6-ab43-11dd-b6ec-00123f6f9cbf}] \shell\autorun\command - g:\windows\IronKey.exe . Contents of the 'Scheduled Tasks' folder 2009-03-30 c:\windows\Tasks\AppleSoftwareUpdate.job - c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 12:34] 2009-03-26 c:\windows\Tasks\HP Usg Daily.job - c:\program files\hp photosmart 11\printer\Hphusg04.exe [2002-11-22 15:50] 2009-03-25 c:\windows\Tasks\Java Update.job - c:\program files\Java\jre1.6.0_05\bin\jucheck.exe [] 2008-10-15 c:\windows\Tasks\McDefragTask.job - c:\progra~1\mcafee\mqc\QcConsol.exe [2007-12-04 13:32] 2009-03-01 c:\windows\Tasks\McQcTask.job - c:\progra~1\mcafee\mqc\QcConsol.exe [2007-12-04 13:32] . - - - - ORPHANS REMOVED - - - - HKLM-Run-Jtezewu - c:\windows\aqovimov.dll . ------- Supplementary Scan ------- . uStart Page = hxxp://www.refdesk.com/ uInternet Settings,ProxyOverride = .local IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~4\Office10\EXCEL.EXE/3000 Trusted Zone: internet Trusted Zone: mcafee.com Trusted Zone: turbotax.com DPF: {15589FA1-C456-11CE-BF01-000000000000} - hxxp://www.errornuker.com/products/errn2004/installers/default/ErrorNukerInstaller.exe DPF: {6D2EF4B4-CB62-4C0B-85F3-B79C236D702C} - hxxp://www.facebook.com/controls/contactx.dll FF - ProfilePath - c:\documents and settings\Bob Swanson\Application Data\Mozilla\Firefox\Profiles\bdw5udla.default\ FF - prefs.js: browser.startup.homepage - hxxp://www.refdesk.com/ FF - plugin: c:\program files\eMusic Download Manager\plugin\npemusic.dll FF - plugin: c:\program files\Google\Update\1.2.141.5\npGoogleOneClick7.dll FF - plugin: c:\program files\Viewpoint\Viewpoint Experience Technology\npViewpoint.dll . *********************************************************************** catchme 0.3.1375 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net Rootkit scan 2009-03-31 14:24:58 Windows 5.1.2600 Service Pack 3 NTFS scanning hidden processes ... scanning hidden autostart entries ... HKLM\Software\Microsoft\Windows\CurrentVersion\Run McAfee Backup = c:\program files\McAfee\MBK\McAfeeDataBackup.exe????????????????????????????????????????????????????????????????????????????????? scanning hidden files ... scan completed successfully hidden files: 0 ************************************************************************ . --------------------- LOCKED REGISTRY KEYS --------------------- [HKEY_USERS\S-1-5-21-1109410338-2750378667-2462934570-1006\Software\Microsoft\SystemCertificates\AddressBook*] @Allowed: (Read) (RestrictedCode) @Allowed: (Read) (RestrictedCode) . Completion time: 2009-03-31 14:26:56 ComboFix-quarantined-files.txt 2009-03-31 18:26:34 ComboFix2.txt 2009-03-30 23:59:30 ComboFix3.txt 2009-03-30 14:59:24 Pre-Run: 68,994,859,008 bytes free Post-Run: 69,082,222,592 bytes free 229 --- E O F --- 2009-03-14 04:35:41 _____________________ -------------------------------------------------------------------------------- KASPERSKY ONLINE SCANNER 7 REPORT Tuesday, March 31, 2009 Operating System: Microsoft Windows XP Home Edition Service Pack 3 (build 2600) Kaspersky Online Scanner 7 version: 7.0.25.0 Program database last update: Tuesday, March 31, 2009 20:43:33 Records in database: 1990208 -------------------------------------------------------------------------------- Scan settings: Scan using the following database: extended Scan archives: yes Scan mail databases: yes Scan area - My Computer: C:\ D:\ E:\ F:\ Scan statistics: Files scanned: 150445 Threat name: 6 Infected objects: 9 Suspicious objects: 8 Duration of the scan: 02:26:03 File name / Threat name / Threats count C:\Documents and Settings\All Users\Documents\Addresses\email addresses\Outlook.pst Suspicious: Exploit.HTML.Iframe.FileDownload 4 C:\Documents and Settings\All Users\Documents\Addresses\email addresses\Outlook.pst Infected: Email-Worm.Win32.Klez.h 2 C:\Documents and Settings\All Users\Documents\Addresses\email addresses\Outlook2.pst Suspicious: Exploit.HTML.Iframe.FileDownload 4 C:\Documents and Settings\All Users\Documents\Addresses\email addresses\Outlook2.pst Infected: Email-Worm.Win32.Klez.h 2 C:\Documents and Settings\Linda Swanson\Application Data\Sun\Java\Deployment\cache\6.0\36\710cee4-2ad372f8 Infected: Trojan-Downloader.Java.OpenConnection.ar 1 C:\Qoobox\Quarantine\C\DOCUME~1\BOBSWA~1\LOCALS~1\Temp\mousehook.dll.vir Infected: Trojan-Downloader.Win32.Agent.bphc 1 C:\Qoobox\Quarantine\C\WINDOWS\system32\nhser43uhjnefr.dll.vir Infected: Trojan-Downloader.Win32.Small.ajst 1 C:\Qoobox\Quarantine\C\WINDOWS\system32\ntdll64.exe.vir Infected: Trojan-Dropper.Win32.Agent.akxv 1 C:\Qoobox\Quarantine\C\WINDOWS\system32\userinit.exe.vir Infected: Trojan-Dropper.Win32.Agent.akxv 1 The selected area was scanned.

03-31-2009, 04:22 PM	#13 (permalink)
Clark76 Analyst, Security Team ; Rangemaster, TSF Academy Join Date: Jun 2006 Location: Cleveland, Ohio Posts: 1,693 OS: XP Pro, Vista, Ubuntu 8.10	Re: Vundo!grb trojan keeps coming back Please submit the following file to Jotti File Scan c:\windows\system32\drivers\7b54a0e9.sys At the top of the window you should see "File to Upload & Scan" and a blank box. Copy and paste the red text from above into the box. Then click "submit". When it is finished, please copy and paste the information listed under "Service" and "Scanner Results" back in this thread. If the site is too busy, upload it here http://www.virustotal.com/en/indexf.html __________________ Proud Member of ASAP Proud Member of UNITE If you feel we've helped you, Please Donate to the Forum

04-01-2009, 05:30 AM	#14 (permalink)
rswanson25 Registered User Join Date: Mar 2009 Posts: 25 OS: XP Home SP 3	Re: Vundo!grb trojan keeps coming back Both sites gave a message that the file was not found. I looked in the drivers folder and could not find it either.

04-01-2009, 04:12 PM	#15 (permalink)
Clark76 Analyst, Security Team ; Rangemaster, TSF Academy Join Date: Jun 2006 Location: Cleveland, Ohio Posts: 1,693 OS: XP Pro, Vista, Ubuntu 8.10	Re: Vundo!grb trojan keeps coming back One of the scanners we ran was not sure if the file was still there so we were just making sure. --------------- 1. Close any open browsers. 2. Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix. 3. Open notepad and copy/paste the text in the codebox below into it: Code: Driver:: 7b54a0e9 Save this as "CFScript" Refering to the picture above, drag CFScript into ComboFix.exe Then post the resultant log Note: Do not mouseclick combofix's window while it's running. That may cause it to stall ------------------------- In Outlook empty your deleted items folder and your junk mail folder. -------------------------- Go into the Control Panel and double-click the Java Icon. (looks like a coffee cup) On the General tab, under Temporary Internet Files, click the Settings button. Next, click on the Delete Files button There are two options in the window to clear the cache - Leave BOTH Checked Applications and Applets Trace and Log Files Click OK on Delete Temporary Files Window Note: This deletes ALL the Downloaded Applications and Applets from the CACHE. Click OK to leave the Temporary Files Window Click OK to leave the Java Control Panel. ----------------------------- Please download Malwarebytes' Anti-Malware from Here or Here Double Click mbam-setup.exe to install the application. Make sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish. If an update is found, it will download and install the latest version. Once the program has loaded, select "Perform Quick Scan", then click Scan. The scan may take some time to finish,so please be patient. When the scan is complete, click OK, then Show Results to view the results. Make sure that everything is checked, and click Remove Selected. When disinfection is completed, a log will open in Notepad and you may be prompted to Restart.(See Extra Note) The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM. Copy&Paste the entire report in your next reply. -------------------------- Please provide the following logs with your next post: C:\ComboFix.txt Malwarebytes' Anti-Malware log __________________ Proud Member of ASAP Proud Member of UNITE If you feel we've helped you, Please Donate to the Forum

04-02-2009, 04:55 AM	#18 (permalink)
rswanson25 Registered User Join Date: Mar 2009 Posts: 25 OS: XP Home SP 3	Re: Vundo!grb trojan keeps coming back Yes, I tried turning on auto updates both before and after Malwarebytes. At startup, I get a message that it is turned off and directed to click the balloon on the quick-start area of the task bar. That takes me to a Security Center popup where I tried to turn it on, but I get a message that the Security Center is unable to turn the service on. When I try Start-Run-services.msc and double click automatic updates, and change "disable" to "automatic" or "manual", when I click on apply I get a message that says "access is denied."

04-02-2009, 06:28 AM	#19 (permalink)
Clark76 Analyst, Security Team ; Rangemaster, TSF Academy Join Date: Jun 2006 Location: Cleveland, Ohio Posts: 1,693 OS: XP Pro, Vista, Ubuntu 8.10	Re: Vundo!grb trojan keeps coming back Let's try dial-a-fix http://wiki.djlizard.net/Dial-a-fix Download/save the program and extract to it's own folder. In the WU/WUAU area click the button Flush SoftwareDistribution (Click Yes) Tick all boxes in the WU/WUAU and Registration center area then click the Go button. There is also a Policies area that will show any registry restrictions. Check on that, and fix any found. __________________ Proud Member of ASAP Proud Member of UNITE If you feel we've helped you, Please Donate to the Forum