I cant load safe mode either, it keeps crasing in safe mode as well, here is my hijackthis log:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 12:23:54 PM, on 12/13/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16608)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\LightScribe\LSSrvc.exe
C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
c:\PROGRA~1\COMMON~1\mcafee\mna\mcnasvc.exe
c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
C:\Program Files\McAfee\VirusScan\McShield.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\McAfee\MPF\MPFSrv.exe
c:\Program Files\Microsoft SQL Server\90\Shared\sqlwriter.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Viewpoint\Common\ViewpointService.exe
C:\WINDOWS\system32\Ati2evxx.exe
c:\PROGRA~1\mcafee.com\agent\mcagent.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe
C:\WINDOWS\system32\taskmgr.exe
C:\HP\KBD\KBD.EXE
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\WINDOWS\System32\M-AudioTaskBarIcon.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
O4 - HKLM\..\Run: [KBD] C:\HP\KBD\KBD.EXE
O4 - HKLM\..\Run: [ZoneAlarm Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKLM\..\Run: [mcagent_exe] C:\Program Files\McAfee.com\Agent\mcagent.exe /runkey
O4 - HKLM\..\Run: [M-Audio Taskbar Icon] C:\WINDOWS\System32\M-AudioTaskBarIcon.exe
O4 - HKLM\..\Run: [Openwares LiveUpdate] C:\Program Files\LiveUpdate\LiveUpdate.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - .DEFAULT User Startup: Pin.lnk = C:\hp\bin\CLOAKER.EXE (User 'Default user')
O4 - Startup: Adobe Gamma.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\Office12\EXCEL.EXE/3000
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~4\Office12\REFIEBAR.DLL
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: Connection Help - {E2D4D26B-0180-43a4-B05F-462D6D54C789} - C:\WINDOWS\PCHEALTH\HELPCTR\Vendors\CN=Hewlett-Packard,L=Cupertino,S=Ca,C=US\IEButton\support.htm
O9 - Extra 'Tools' menuitem: Connection Help - {E2D4D26B-0180-43a4-B05F-462D6D54C789} - C:\WINDOWS\PCHEALTH\HELPCTR\Vendors\CN=Hewlett-Packard,L=Cupertino,S=Ca,C=US\IEButton\support.htm
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {5AE58FCF-6F6A-49B2-B064-02492C66E3F4} (MUCatalogWebControl Class) - http://catalog.update.microsoft.com/v7/site/ClientControl/en/x86/MuCatalogWebControl.cab?1226895239484
O16 - DPF: {D4323BF2-006A-4440-A2F5-27E3E7AB25F8} - http://a532.g.akamai.net/f/532/6712/5m/virtools.download.akamai.com/6712/player/install3.5/installer.exe
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1150\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - C:\Program Files\Common Files\LightScribe\LSSrvc.exe
O23 - Service: McAfee Services (mcmscsvc) - McAfee, Inc. - C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
O23 - Service: McAfee Network Agent (McNASvc) - McAfee, Inc. - c:\PROGRA~1\COMMON~1\mcafee\mna\mcnasvc.exe
O23 - Service: McAfee Scanner (McODS) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcods.exe
O23 - Service: McAfee Proxy Service (McProxy) - McAfee, Inc. - c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
O23 - Service: McAfee Real-time Scanner (McShield) - McAfee, Inc. - C:\Program Files\McAfee\VirusScan\McShield.exe
O23 - Service: McAfee SystemGuards (McSysmon) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe
O23 - Service: McAfee Personal Firewall Service (MpfService) - McAfee, Inc. - C:\Program Files\McAfee\MPF\MPFSrv.exe
O23 - Service: Viewpoint Manager Service - Viewpoint Corporation - C:\Program Files\Viewpoint\Common\ViewpointService.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe

--
End of file - 5351 bytes

PLEASE HELP!

Recommended Answers

All 49 Replies

after reading other threads here, im now running Malwarebytes' Anti-Malware... did a quick scan first, found vundo, didnt fix it yet, started full scan to see what else is, if anything is going on... will post results here of hijack and mbam after just in case so anyone can tell me if i missed somehting :)

Hi zbizzy, will be waiting for your logs. Be sure to allow MBA-M to remove items found.
Judy

ok, so mbam run on my system like 15 times, mcaffee, etc all find vundo, remove it, and it comes right back... dunno what to do except wipe my entire hard drive, which i do not want to do right now

someone please help! how do i get rid of this virus????

Run MBA-M and then we can continue, it's one step at a time.

Thanks,

Cohen

We MUST see the logs. Please run MBA-M again and post the log. We cannot help without the logs.

sorry, i meant to paste it in last time and forgot to... here it is....

Malwarebytes' Anti-Malware 1.31
Database version: 1497
Windows 5.1.2600 Service Pack 2

12/15/2008 5:49:51 PM
mbam-log-2008-12-15 (17-49-51).txt

Scan type: Full Scan (C:\|)
Objects scanned: 289396
Time elapsed: 7 hour(s), 36 minute(s), 24 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 1
Registry Keys Infected: 5
Registry Values Infected: 5
Registry Data Items Infected: 2
Folders Infected: 0
Files Infected: 3

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
c:\WINDOWS\system32\vimekege.dll (Trojan.Vundo.H) -> Delete on reboot.

Registry Keys Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{e6bfd404-2727-414f-90af-c9417a8865d0} (Trojan.Vundo.H) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{e6bfd404-2727-414f-90af-c9417a8865d0} (Trojan.Vundo.H) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{ec43e3fd-5c60-46a6-97d7-e0b85dbdd6c4} (Trojan.Vundo.H) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\contim (Trojan.Vundo) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\rdfa (Trojan.Vundo) -> Quarantined and deleted successfully.

Registry Values Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\cpm4f23fbd2 (Trojan.Vundo.H) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\yisogepogo (Trojan.Vundo.H) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SharedTaskScheduler\{ec43e3fd-5c60-46a6-97d7-e0b85dbdd6c4} (Trojan.Vundo.H) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\ssodl (Trojan.Vundo.H) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\4c10c84e (Trojan.Agent) -> Quarantined and deleted successfully.

Registry Data Items Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\AppInit_DLLs (Trojan.Vundo.H) -> Data: c:\windows\system32\vimekege.dll -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\AppInit_DLLs (Trojan.Vundo.H) -> Data: system32\vimekege.dll -> Quarantined and deleted successfully.

Folders Infected:
(No malicious items detected)

Files Infected:
c:\WINDOWS\system32\vimekege.dll (Trojan.Vundo.H) -> Delete on reboot.
c:\WINDOWS\system32\besehevi.dll (Trojan.Agent) -> Delete on reboot.
C:\WINDOWS\system32\giweruru.dll (Trojan.Agent) -> Delete on reboot.

We need to see an HJT log done AFTER the MBA-M program was run.

Alright, your MBA-M is not up to date, can you pls update it, under the update tab to the latest database version.

Then, redo the scan, removing everything it finds and rebooting and then posting the log. Once that is done, run HJT and post both the MBA-M and the HJT log.

Thanks,

Cohen

that one was the one i let run while I was at work.... here is the previous one from the night before:

Malwarebytes' Anti-Malware 1.31
Database version: 1497
Windows 5.1.2600 Service Pack 2

12/15/2008 7:45:52 AM
mbam-log-2008-12-15 (07-45-52).txt

Scan type: Full Scan (C:\|)
Objects scanned: 289096
Time elapsed: 6 hour(s), 35 minute(s), 10 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 2
Registry Keys Infected: 3
Registry Values Infected: 4
Registry Data Items Infected: 2
Folders Infected: 0
Files Infected: 3

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
C:\WINDOWS\system32\huvobogo.dll (Trojan.Vundo) -> Delete on reboot.
C:\WINDOWS\system32\gakuyipe.dll (Trojan.Vundo.H) -> Delete on reboot.

Registry Keys Infected:
HKEY_CLASSES_ROOT\CLSID\{ec43e3fd-5c60-46a6-97d7-e0b85dbdd6c4} (Trojan.Vundo.H) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\contim (Trojan.Vundo) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\rdfa (Trojan.Vundo) -> Quarantined and deleted successfully.

Registry Values Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\yisogepogo (Trojan.Vundo.H) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\cpm4f23fbd2 (Trojan.Vundo.H) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SharedTaskScheduler\{ec43e3fd-5c60-46a6-97d7-e0b85dbdd6c4} (Trojan.Vundo.H) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\ssodl (Trojan.Vundo.H) -> Quarantined and deleted successfully.

Registry Data Items Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\AppInit_DLLs (Trojan.Vundo.H) -> Data: c:\windows\system32\gakuyipe.dll -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\AppInit_DLLs (Trojan.Vundo.H) -> Data: system32\gakuyipe.dll -> Quarantined and deleted successfully.

Folders Infected:
(No malicious items detected)

Files Infected:
C:\WINDOWS\system32\huvobogo.dll (Trojan.Vundo.H) -> Delete on reboot.
C:\WINDOWS\system32\ogobovuh.ini (Trojan.Vundo.H) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\gakuyipe.dll (Trojan.Vundo.H) -> Delete on reboot.


as you can see, nothing has helped so far, it just comes back.

vundofix.exe will not remove it, the instructions on both symantec and mcafee sites do not work. ive tried every single way possible that i can find on the net to remove this virus, in safe mode, regular mode, with processes suspended using processexplorer, etc...

you name it, Ive done it, and it hasnt worked yet.

Alright, your MBA-M is not up to date, can you pls update it, under the update tab to the latest database version.

Then, redo the scan, removing everything it finds and rebooting and then posting the log. Once that is done, run HJT and post both the MBA-M and the HJT log.

Thanks,

Cohen

yes it is...

edit: ok, the program itself when i checked for update said there were none to be downloaded, but i found a db update to put it to version 1498 instead of 1497... regardless, the 1497 version of the database is the one i got from malwarebytes.org yesterday, and I would like to see if this is fixable without having to run the program again for the next 7 to 8 hours (as you can see how long it takes the scan)...

here is the HJT log:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 8:54:20 PM, on 12/15/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16608)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
c:\PROGRA~1\COMMON~1\mcafee\mna\mcnasvc.exe
c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
C:\Program Files\McAfee\VirusScan\McShield.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\McAfee\MPF\MPFSrv.exe
c:\Program Files\Microsoft SQL Server\90\Shared\sqlwriter.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Viewpoint\Common\ViewpointService.exe
C:\WINDOWS\system32\Ati2evxx.exe
c:\PROGRA~1\mcafee.com\agent\mcagent.exe
C:\WINDOWS\Explorer.EXE
C:\HP\KBD\KBD.EXE
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Malwarebytes' Anti-Malware\mbam.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\WINDOWS\system32\NOTEPAD.EXE
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: Yahoo! IE Services Button - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O2 - BHO: scriptproxy - {7DB2D5A0-7241-4E79-B68D-6309F01C5231} - C:\Program Files\McAfee\VirusScan\scriptsn.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: (no name) - {e6bfd404-2727-414f-90af-c9417a8865d0} - C:\WINDOWS\system32\lekefoji.dll (file missing)
O4 - HKLM\..\Run: [KBD] C:\HP\KBD\KBD.EXE
O4 - HKLM\..\Run: [ZoneAlarm Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKLM\..\Run: [mcagent_exe] C:\Program Files\McAfee.com\Agent\mcagent.exe /runkey
O4 - HKLM\..\Run: [M-Audio Taskbar Icon] C:\WINDOWS\System32\M-AudioTaskBarIcon.exe
O4 - HKLM\..\Run: [Openwares LiveUpdate] C:\Program Files\LiveUpdate\LiveUpdate.exe
O4 - HKLM\..\Run: [MSConfig] C:\WINDOWS\PCHealth\HelpCtr\Binaries\MSConfig.exe /auto
O4 - HKLM\..\Run: [yisogepogo] Rundll32.exe "C:\WINDOWS\system32\fuzedanu.dll",s
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKUS\S-1-5-19\..\Run: [yisogepogo] Rundll32.exe "C:\WINDOWS\system32\fuzedanu.dll",s (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [yisogepogo] Rundll32.exe "C:\WINDOWS\system32\fuzedanu.dll",s (User 'NETWORK SERVICE')
O4 - .DEFAULT User Startup: Pin.lnk = C:\hp\bin\CLOAKER.EXE (User 'Default user')
O4 - Startup: Adobe Gamma.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\Office12\EXCEL.EXE/3000
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~4\Office12\REFIEBAR.DLL
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: Connection Help - {E2D4D26B-0180-43a4-B05F-462D6D54C789} - C:\WINDOWS\PCHEALTH\HELPCTR\Vendors\CN=Hewlett-Packard,L=Cupertino,S=Ca,C=US\IEButton\support.htm
O9 - Extra 'Tools' menuitem: Connection Help - {E2D4D26B-0180-43a4-B05F-462D6D54C789} - C:\WINDOWS\PCHEALTH\HELPCTR\Vendors\CN=Hewlett-Packard,L=Cupertino,S=Ca,C=US\IEButton\support.htm
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {5AE58FCF-6F6A-49B2-B064-02492C66E3F4} (MUCatalogWebControl Class) - http://catalog.update.microsoft.com/v7/site/ClientControl/en/x86/MuCatalogWebControl.cab?1226895239484
O16 - DPF: {D4323BF2-006A-4440-A2F5-27E3E7AB25F8} - http://a532.g.akamai.net/f/532/6712/5m/virtools.download.akamai.com/6712/player/install3.5/installer.exe
O20 - AppInit_DLLs: C:\WINDOWS\system32\goyakazu.dll C:\WINDOWS\system32\fudiyeru.dll c:\windows\system32\besehevi.dll
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1150\Intel 32\IDriverT.exe
O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - C:\Program Files\Common Files\LightScribe\LSSrvc.exe
O23 - Service: McAfee Services (mcmscsvc) - McAfee, Inc. - C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
O23 - Service: McAfee Network Agent (McNASvc) - McAfee, Inc. - c:\PROGRA~1\COMMON~1\mcafee\mna\mcnasvc.exe
O23 - Service: McAfee Scanner (McODS) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcods.exe
O23 - Service: McAfee Proxy Service (McProxy) - McAfee, Inc. - c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
O23 - Service: McAfee Real-time Scanner (McShield) - McAfee, Inc. - C:\Program Files\McAfee\VirusScan\McShield.exe
O23 - Service: McAfee SystemGuards (McSysmon) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe
O23 - Service: McAfee Personal Firewall Service (MpfService) - McAfee, Inc. - C:\Program Files\McAfee\MPF\MPFSrv.exe
O23 - Service: Viewpoint Manager Service - Viewpoint Corporation - C:\Program Files\Viewpoint\Common\ViewpointService.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe

--
End of file - 6694 bytes

yes it is.

No, it is out of date. MBA-M updates sometimes more than once a day. Your database version is 1497. Newest database version is 1504. You must run the Update prior to each and every scan.
Are you shutting down and rebooting after running MBA-M?
Note what it says in the log on many of the items found....-> Delete on reboot.

meaning that file cannot be removed until the computer is rebooted because it must delete it BEFORE it begins to run.
Please update your MBA-M do another scan, REBOOT and then run a new HJT scan and post the log.

ok, see my edit i made after posting the other post... the version with db 1497 was the one I got yesterday, and hit update yesterday, and the program said it was up to date (around 4pm eastern time is when i got it and installed it) ... it takes almost 8 hours for the program to run the scan, if you can see from my logs i posted... so in the 24 hours or so since i first got the program, and updated it, it has updated the database 7 more times? so essentially, by the time it is done running and I can get on the computer to post it, the database will have updated again, and instead of trying to help, is someone going to tell me I need to update it again since by the time I can post the log, it will probably have been updated?

meaning that file cannot be removed until the computer is rebooted because it must delete it BEFORE it begins to run.
Please update your MBA-M do another scan, REBOOT and then run a new HJT scan and post the log.

I know what delete on reboot means, kthanx.

so in the 24 hours or so since i first got the program, and updated it, it has updated the database 7 more times?

Essentially yes, that doesn't necessarily mean all the updates were offered one at a time.
I find it very unusual that the scan would take 8 hours, there must be something slowing it down. How large is your hard drive?
A full scan for me takes about 1 hour. I have seen them take a couple but honestly not 8 hours. Can you tell me, is it actually scanning all the time or does it seem to freeze? They are currently examining a possible issue with freezes during scans which might be cause by Zone Alarm firewall, they are not certain at this point but it is a possibility. The scan should never take 8 hours.
I wasn't meaning to be critical when asking if you had rebooted, it is just that many people don't understand they must reboot if the log says -> Delete on reboot. They will run the program and then immediately run HijackThis without rebooting. We have to ask to be absolutely certain.

well, right after the post last night, where i mentioned it taking 8 hours, i started it again, and it is still running, only halfway thru my drive, 10 hours later...

now, instead of patronizing me like you both have been so far, why dont you use the information that is up there and try to actually help me?


when i ran the program, it was up to date. when it was finished running, it was not. I am not going to just sit here in an endless cycle of "you need to update" every time i post a log, because that seems that is all you guys want to say.

so, use what I gave you already and see what you can do, and when I get home from work tonight, I will post the log of the scan that has been running for the past 10 hours, so you can then tell me "your mbam is out of date, please update it and scan again", since most likely it will take another 10 or so hours from the looks of it. Each time I update mbam, it takes longer and longer to scan my drive.

btw --- I turned zonealarm off last night before running the program - so that is definitely not an issue, I have the system disconnected from the net as well, and posting from my laptop...

also, my HD is 1TB in size

just checkin from work to see if any replies... nope lol... also wanted to mention, after the first run of mba-m it stopped the explorer.exe crashing, however, now whenever firefox is open, it randomly tries to open windows...

Download Combofix
Click on the Save button and then when it asks you where to save it, make sure you save it directly to your Windows Desktop.
Once the download is complete you will see the Combofix on the desktop.

*Close all open Windows including this one.
* Close or disable all running Antivirus, Antispyware, and Firewall programs as they may interfere with the proper running of ComboFix.

Doubleclick the combofix icon on the desktop to run the program.

Windows will issue a prompt asking whether you wish to run the program, click Run
You will then see a Disclaimer screen asking you to agree to the disclaimer. Press the number 1 key to accept the disclaimer.

Now just sit back and allow the program to run

Please note, that once you start ComboFix you should not click anywhere on the ComboFix window as it can cause the program to stall. In fact, when ComboFix is running, do not touch your computer at all and just take a break as it may take a while for it to complete.

When ComboFix has finished running, you will see a screen stating that it is preparing the log report.
This can take a while, so please be patient. If you see your Windows desktop disappear, do not worry. This is normal and ComboFix will restore your desktop before it is finished. Eventually you will see a new screen that states the program is almost finished and telling you the programs log file, or report, will be located at C:\ComboFix.txt.

When all is complete then please post back here with that log.

* Close or disable all running Antivirus, Antispyware, and Firewall programs as they may interfere with the proper running of ComboFix.[/B]

Mcafee is impossible to disable or shut down. no matter what i try, even disabling it all in services.msc either makes it restart or I get an access denied - and yes, I am logged in as administrator...

mcafee blocks combofix from operating, and when the pop up asking if i would liketo allow it comes up, i click yes, and it locks up my system and combofix obviously will not run...


any other sugestions?

Manually shut it down, end the process in task manager. It is possible to shut it down.

So try ending the process in task manager.

Cohen

nope, tried that. it restarts itself. NEXT!

In going through your logs to see what files were running and which could be stopped using Task Manager I discovered that you are running TWO firewalls, at least, three if the Windows firewall is enabled.
This is an absolute No-No. ONE firewall on a computer is the rule.
This may very well be one reason your MBA-M scans are taking so long...multiple firewalls blocking it's action and causing it to stall, especially Zone Alarm. Get rid of Zone Alarm, uninstall it since the McAfee Firewall is part of your security suite from them.
These files were running on the system in the back ground during your last HJT scan, End them and try the combofix again. One of them by the way was MBA-M and it should never be running in the background unless it is actually scanning, if it is scanning then many of those programs showing should not have been running anyway.
Here are those to end with task manager:
mcmscsvc.exe
mcnasvc.exe
mcproxy.exe
McShield.exe
mcagent.exe
mcsysmon.exe
MPFSrv.exe
zlclient.exe
vsmon.exe
mbam.exe

that didnt work either, unfortunately, however, using services.msc i was finally able to get most of mcafee to shut down and then rebooted.... combofix actually ran while i was in the other room on the laptop trying to figure out how to get mcafee to shut down

... here is the log:


ComboFix 08-12-15.08 - Compaq_Owner 2008-12-16 16:59:30.1 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.1470.1031 [GMT -5:00]
Running from: c:\documents and settings\Compaq_Owner\Desktop\ComboFix.exe
* Created a new restore point
* Resident AV is active

.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\documents and settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr0.dat
c:\documents and settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr1.dat
C:\install.exe
c:\windows\system32\fudiyeru.dll
c:\windows\system32\goyakazu.dll
c:\windows\system32\msvcsv60.dll
c:\windows\system32\sozerilu.dll
c:\windows\system32\ururewig.ini
c:\windows\Tasks\svoglprh.job
D:\Autorun.inf

----- BITS: Possible infected sites -----

hxxp://childhe.com
.
((((((((((((((((((((((((( Files Created from 2008-11-16 to 2008-12-16 )))))))))))))))))))))))))))))))
.

2008-12-15 22:18 . 2008-12-15 22:18 <DIR> d-------- c:\program files\CCleaner
2008-12-13 15:42 . 2008-12-13 15:42 552 --a------ c:\windows\system32\d3d8caps.dat
2008-12-13 12:39 . 2008-12-13 12:39 <DIR> d-------- c:\documents and settings\Compaq_Owner\Application Data\Malwarebytes
2008-12-13 12:38 . 2008-12-13 12:39 <DIR> d-------- c:\program files\Malwarebytes' Anti-Malware
2008-12-13 12:38 . 2008-12-13 12:38 <DIR> d-------- c:\documents and settings\All Users\Application Data\Malwarebytes
2008-12-13 12:38 . 2008-12-03 19:52 38,496 --a------ c:\windows\system32\drivers\mbamswissarmy.sys
2008-12-13 12:38 . 2008-12-03 19:52 15,504 --a------ c:\windows\system32\drivers\mbam.sys
2008-12-13 12:11 . 2005-11-12 19:45 <DIR> d-------- c:\documents and settings\Administrator\WINDOWS
2008-12-13 12:11 . 2005-11-12 20:05 <DIR> d-------- c:\documents and settings\Administrator\Application Data\Symantec
2008-12-13 12:11 . 2005-11-12 19:47 <DIR> d-------- c:\documents and settings\Administrator\Application Data\Intuit
2008-12-13 12:11 . 2008-12-13 12:11 <DIR> d-------- c:\documents and settings\Administrator
2008-12-13 12:00 . 2008-12-13 12:00 <DIR> d-------- C:\VundoFix Backups
2008-12-13 11:32 . 2008-12-13 11:32 <DIR> d-------- c:\program files\Trend Micro
2008-12-09 01:01 . 2008-12-09 01:01 <DIR> d-------- c:\program files\Thumbs7
2008-12-09 01:01 . 2008-12-09 01:01 <DIR> d-------- c:\documents and settings\Compaq_Owner\Application Data\ThumbsPlus
2008-12-09 01:01 . 2008-12-09 01:45 <DIR> d-------- c:\documents and settings\All Users\Application Data\ThumbsPlus
2008-12-04 19:13 . 2008-12-07 17:47 <DIR> d-------- C:\TUNES TO SAMPLE
2008-11-28 13:46 . 2008-11-28 13:46 <DIR> d-------- c:\windows\system32\QuickTime
2008-11-28 13:46 . 2008-07-10 14:56 107,864 --a------ c:\windows\system32\tsccvid.dll
2008-11-28 13:44 . 2008-11-28 13:44 <DIR> d-------- c:\program files\TechSmith
2008-11-28 13:44 . 2008-11-28 13:44 <DIR> d-------- c:\program files\Common Files\TechSmith Shared
2008-11-26 21:47 . 2008-12-07 10:07 <DIR> d-------- C:\New Folder (2)
2008-11-24 08:43 . 2008-11-24 20:58 <DIR> d-------- c:\program files\Spybot - Search & Destroy
2008-11-24 08:43 . 2008-12-15 22:25 <DIR> d-------- c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
2008-11-23 20:22 . 2008-12-04 22:27 <DIR> d-------- C:\samples
2008-11-16 22:54 . 2008-11-16 22:54 <DIR> d-------- c:\windows\Logs
2008-11-16 22:43 . 2008-11-16 22:43 <DIR> d-------- c:\documents and settings\Compaq_Owner\Application Data\WinBatch

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-12-16 22:05 553,376 --sha-w c:\windows\system32\drivers\fidbox.idx
2008-12-16 22:05 48,291,872 --sha-w c:\windows\system32\drivers\fidbox.dat
2008-12-16 03:32 --------- d-----w c:\program files\Mp3 Song Plays Increaser
2008-12-16 03:32 --------- d-----w c:\program files\Common Files\Wise Installation Wizard
2008-12-16 03:31 --------- d-----w c:\program files\Common Files\Adobe
2008-12-10 13:16 --------- d-----w c:\documents and settings\Compaq_Owner\Application Data\FileZilla
2008-12-07 18:29 --------- d-----w c:\program files\LIVEUPDATE
2008-12-07 16:45 --------- d-----w c:\program files\Mixed In Key 4
2008-12-06 02:39 --------- d-----w c:\documents and settings\Compaq_Owner\Application Data\U3
2008-11-28 19:03 --------- d---a-w c:\documents and settings\All Users\Application Data\TEMP
2008-11-27 02:31 --------- d-----w c:\program files\Open Adder
2008-11-22 23:04 --------- d-----w c:\documents and settings\Compaq_Owner\Application Data\Alien Skin
2008-11-15 19:57 --------- d-----w c:\documents and settings\Compaq_Owner\Application Data\Ableton
2008-11-15 19:55 --------- d-----w c:\program files\Ableton
2008-11-10 00:49 --------- d-----w c:\documents and settings\Compaq_Owner\Application Data\Sony
2008-11-09 18:22 --------- d-----w c:\documents and settings\Compaq_Owner\Application Data\Viewpoint
2008-11-04 05:13 --------- d-----w c:\program files\Vstinstruments
2008-11-04 04:31 --------- d-----w c:\program files\PcBoost
2008-11-04 04:24 --------- d-----w c:\program files\Apple Software Update
2008-11-04 04:22 --------- d-----w c:\program files\Vstplugins
2008-11-04 02:54 --------- d-----w c:\program files\Sony
2008-11-04 02:53 --------- d-----w c:\program files\Sony Setup
2008-10-29 00:24 --------- d-----w c:\program files\iTunes
2008-10-29 00:24 --------- d-----w c:\documents and settings\All Users\Application Data\{3276BE95_AF08_429F_A64F_CA64CB79BCF6}
2008-10-29 00:23 --------- d-----w c:\program files\iPod
2008-10-29 00:19 --------- d-----w c:\program files\Bonjour
2008-10-29 00:16 --------- d-----w c:\program files\QuickTime
2008-10-29 00:13 --------- d-----w c:\program files\Common Files\Apple
2008-03-21 21:00 7,294 ----a-w c:\documents and settings\Compaq_Owner\Application Data\wklnhst.dat
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2004-08-04 15360]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"KBD"="c:\hp\KBD\KBD.EXE" [2005-02-02 61440]
"ZoneAlarm Client"="c:\program files\Zone Labs\ZoneAlarm\zlclient.exe" [2007-11-14 919016]
"mcagent_exe"="c:\program files\McAfee.com\Agent\mcagent.exe" [2007-11-01 582992]
"M-Audio Taskbar Icon"="c:\windows\System32\M-AudioTaskBarIcon.exe" [2007-11-13 204288]
"Openwares LiveUpdate"="c:\program files\LiveUpdate\LiveUpdate.exe" [2003-12-13 61440]

c:\documents and settings\Administrator\Start Menu\Programs\Startup\
Pin.lnk - c:\hp\bin\CLOAKER.EXE [2005-11-12 27136]

c:\documents and settings\Compaq_Owner\Start Menu\Programs\Startup\
Adobe Gamma.lnk - c:\program files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe [2006-02-01 113664]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"midi5"= usbnz1x1.dll

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Google Updater.lnk]
backup=c:\windows\pss\Google Updater.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^HP Digital Imaging Monitor.lnk]
backup=c:\windows\pss\HP Digital Imaging Monitor.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^M-Audio Ozone Control Panel Launcher.lnk]
backup=c:\windows\pss\M-Audio Ozone Control Panel Launcher.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^WG111v2 Smart Wizard Wireless Setting.lnk]
backup=c:\windows\pss\WG111v2 Smart Wizard Wireless Setting.lnkCommon Startup
HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PlaxoUpdate
HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\swg
HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\WinampAgent

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Aim6]
--a--c--- 2006-09-25 19:52 50736 c:\program files\Common Files\AOL\Launch\aollaunch.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AOL Fast Start]
--a------ 2005-07-12 00:17 50776 c:\program files\America Online 9.0\aol.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AOL Spyware Protection]
--a--c--- 2004-10-18 16:42 79448 c:\progra~1\COMMON~1\AOL\AOLSPY~1\AOLSP Scheduler.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AOLDialer]
-----c--- 2006-10-23 07:50 71216 c:\program files\Common Files\AOL\ACS\AOLDial.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\BarbieGirlsTray]
--a--c--- 2007-03-14 21:59 24576 c:\program files\Mattel\Barbie Girls\Mattel.BarbieGirls.Tray.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Cacheman]
--a------ 2003-07-31 13:13 1290752 c:\progra~1\Cacheman\Cacheman.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HostManager]
--a--c--- 2006-09-25 19:52 50736 c:\program files\Common Files\AOL\1138673530\ee\aolsoftware.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HP Software Update]
--a--c--- 2005-05-11 22:12 49152 c:\program files\HP\HP Software Update\hpwuSchd2.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HPBootOp]
--a--c--- 2005-09-21 12:41 1605740 c:\program files\Hewlett-Packard\HP Boot Optimizer\HPBootOp.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ISUSPM]
--a--c--- 2006-05-16 17:58 213936 c:\program files\Common Files\InstallShield\UpdateService\ISUSPM.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]
--a------ 2008-10-01 17:57 289576 c:\program files\iTunes\iTunesHelper.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\M-Audio Taskbar Icon]
--a------ 2007-11-13 13:24 204288 c:\windows\system32\M-AudioTaskBarIcon.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS]
--a------ 2004-10-13 18:24 1694208 c:\program files\Messenger\msmsgs.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MsnMsgr]
--a--c--- 2007-10-18 10:34 5724184 c:\program files\Windows Live\Messenger\msnmsgr.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
--a------ 2008-09-06 14:09 413696 c:\program files\QuickTime\QTTask.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SpybotSD TeaTimer]
-rahs---- 2008-09-16 12:16 1833296 c:\program files\Spybot - Search & Destroy\TeaTimer.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
--a--c--- 2005-11-10 13:03 36975 c:\program files\Java\jre1.5.0_06\bin\jusched.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TkBellExe]
--a------ 2005-11-12 19:29 180269 c:\program files\Common Files\Real\Update_OB\realsched.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Yahoo! Pager]
--a------ 2005-12-08 13:55 3096576 c:\program files\Yahoo!\Messenger\YPager.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"WZCSVC"=2 (0x2)
"wuauserv"=3 (0x3)
"WmdmPmSN"=3 (0x3)
"TrkWks"=2 (0x2)
"Schedule"=2 (0x2)
"OzoneInstallerService"=2 (0x2)
"ose"=3 (0x3)
"MSDTC"=3 (0x3)
"mnmsrvc"=3 (0x3)
"iPodService"=3 (0x3)
"gusvc"=2 (0x2)
"FastTrackInstallerService"=2 (0x2)
"AOL TopSpeedMonitor"=2 (0x2)
"AOL ACS"=2 (0x2)
"usnjsvc"=3 (0x3)
"iPod Service"=3 (0x3)
"Fax"=3 (0x3)
"Bonjour Service"=2 (0x2)
"Apple Mobile Device"=2 (0x2)
"CachemanXPService"=3 (0x3)

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusDisableNotify"=dword:00000001
"UpdatesDisableNotify"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeFirewall]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\ZoneLabsFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Common Files\\AOL\\Loader\\aolload.exe"=
"c:\\Program Files\\Common Files\\AOL\\1138673530\\ee\\aolsoftware.exe"=
"c:\\Program Files\\Common Files\\AOL\\1138673530\\ee\\aim6.exe"=
"c:\\Program Files\\Yahoo!\\Messenger\\YPager.exe"=
"c:\\Program Files\\Yahoo!\\Messenger\\YServer.exe"=
"c:\\Program Files\\Common Files\\AOL\\ACS\\AOLDial.exe"=
"c:\\Program Files\\Common Files\\AOL\\ACS\\AOLacsd.exe"=
"c:\\Program Files\\America Online 9.0\\waol.exe"=
"c:\\Program Files\\Common Files\\AOL\\TopSpeed\\2.0\\aoltsmon.exe"=
"c:\\Program Files\\Common Files\\AOL\\TopSpeed\\2.0\\aoltpspd.exe"=
"c:\\Program Files\\Common Files\\AOL\\System Information\\sinf.exe"=
"c:\\Program Files\\Common Files\\AOL\\AOL Spyware Protection\\AOLSP Scheduler.exe"=
"c:\\Program Files\\Common Files\\AOL\\AOL Spyware Protection\\asp.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqtra08.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqste08.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpofxm08.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hposfx08.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hposid01.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqscnvw.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqkygrp.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqCopy.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpfccopy.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpzwiz01.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\Unload\\HpqPhUnl.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\Unload\\HpqDIA.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpoews01.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\livecall.exe"=
"c:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.EXE"=
"c:\\Program Files\\Common Files\\McAfee\\MNA\\McNASvc.exe"=
"c:\\Program Files\\SmartFTP Client\\SmartFTP.exe"=
"c:\\Program Files\\AIM6\\aim6.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"67:UDP"= 67:UDP:DHCP Discovery Service

R2 EAPPkt;Realtek EAPPkt Protocol;c:\windows\system32\DRIVERS\EAPPkt.sys [2006-01-30 66048]
R2 MSSQL$MSSMLBIZ;SQL Server (MSSMLBIZ);"c:\program files\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\sqlservr.exe" -sMSSMLBIZ [2007-02-10 29178224]
R2 Viewpoint Manager Service;Viewpoint Manager Service;"c:\program files\Viewpoint\Common\ViewpointService.exe" [2008-10-14 24652]
R3 MAUSBFT;Service for M-Audio Fast Track USB (WDM);c:\windows\system32\DRIVERS\mausbft.sys [2008-03-18 132096]
R3 USBNZ1X1;M-Audio Ozone Midi;c:\windows\system32\drivers\usbnz1x1.sys [2008-06-21 22272]
S3 camvid20;Philips ToUcam Camera; Video;c:\windows\system32\DRIVERS\camdrv21.sys [2007-05-19 223232]
S3 ma763008;M-Audio Ozone;c:\windows\system32\drivers\MA763008.sys [2008-06-21 63872]
S3 MA763010;M-Audio Fast Track;c:\windows\system32\drivers\MA763010.sys []
S3 MADFU008;MADFU008;c:\windows\system32\DRIVERS\MADFU008.sys [2008-06-21 14336]
S4 CachemanXPService;CachemanXP;c:\progra~1\CACHEM~1\CachemanXP.exe [2008-09-25 243200]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\D]
\Shell\AutoRun\command - c:\windows\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL Info.exe protect.ed 480 480

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{2d435b36-e506-11d9-9b78-e6b009352ae7}]
\Shell\AutoRun\command - c:\windows\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL Info.exe protect.ed 480 480

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{b94a43d0-9a3e-11dd-ac46-00038a000015}]
\Shell\AutoRun\command - F:\LaunchU3.exe -a

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{be9be017-f450-11dc-befb-00038a000015}]
\Shell\AutoRun\command - J:\Info.exe folder.htt 480 480
.
Contents of the 'Scheduled Tasks' folder

2008-12-13 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 11:34]

2008-12-15 c:\windows\Tasks\McDefragTask.job
- c:\progra~1\mcafee\mqc\QcConsol.exe [2007-12-04 12:32]

2007-10-05 c:\windows\Tasks\McQcTask.job
- c:\progra~1\mcafee\mqc\QcConsol.exe [2007-12-04 12:32]

2008-12-15 c:\windows\Tasks\User_Feed_Synchronization-{871B22D8-E090-4048-83E1-B9E3BDABB89B}.job
- c:\windows\system32\msfeedssync.exe [2007-08-13 17:36]
.
- - - - ORPHANS REMOVED - - - -

BHO-{e6bfd404-2727-414f-90af-c9417a8865d0} - c:\windows\system32\lekefoji.dll
HKCU-Run-Aim6 - (no file)
HKLM-Run-yisogepogo - c:\windows\system32\fuzedanu.dll
MSConfigStartUp-Pure Networks Port Magic - c:\progra~1\PURENE~1\PORTMA~1\PortAOL.exe


.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.com/
uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8
uInternet Settings,ProxyOverride = *.local
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~4\Office12\EXCEL.EXE/3000
FF - ProfilePath - c:\documents and settings\Compaq_Owner\Application Data\Mozilla\Firefox\Profiles\5cuhwt8g.default\
FF - prefs.js: browser.search.defaulturl - hxxp://www.google.com/search?lr=&ie=UTF-8&oe=UTF-8&q=
FF - prefs.js: browser.search.selectedEngine - BBC News
FF - prefs.js: browser.startup.homepage - hxxp://www.google.com/
FF - plugin: c:\program files\Java\jre1.5.0_06\bin\NPJava11.dll
FF - plugin: c:\program files\Java\jre1.5.0_06\bin\NPJava12.dll
FF - plugin: c:\program files\Java\jre1.5.0_06\bin\NPJava13.dll
FF - plugin: c:\program files\Java\jre1.5.0_06\bin\NPJava14.dll
FF - plugin: c:\program files\Java\jre1.5.0_06\bin\NPJava32.dll
FF - plugin: c:\program files\Java\jre1.5.0_06\bin\NPJPI150_06.dll
FF - plugin: c:\program files\Java\jre1.5.0_06\bin\NPOJI610.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\np-mswmp.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\np32dsw.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npdivx32.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npDivxPlayerPlugin.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npnul32.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\NPOFF12.DLL
FF - plugin: c:\program files\Mozilla Firefox\plugins\npqtplugin.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npqtplugin2.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npqtplugin3.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npqtplugin4.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npqtplugin5.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npqtplugin6.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npqtplugin7.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npViewpoint.dll
FF - plugin: c:\program files\Viewpoint\Viewpoint Experience Technology\npViewpoint.dll
FF - plugin: c:\program files\Virtual Earth 3D\npVE3D.dll
FF - plugin: c:\program files\Yahoo!\Shared\npYState.dll
.

**************************************************************************

catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-12-16 17:08:03
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(588)
c:\windows\system32\Ati2evxx.dll
.
------------------------ Other Running Processes ------------------------
.
c:\windows\system32\ati2evxx.exe
c:\windows\system32\ZoneLabs\vsmon.exe
c:\program files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
c:\program files\Microsoft SQL Server\90\Shared\sqlbrowser.exe
c:\program files\Microsoft SQL Server\90\Shared\sqlwriter.exe
c:\windows\system32\ati2evxx.exe
c:\progra~1\McAfee\VIRUSS~1\mcsysmon.exe
c:\program files\McAfee\VirusScan\Mcshield.exe
c:\windows\system32\msiexec.exe
.
**************************************************************************
.
Completion time: 2008-12-16 17:18:20 - machine was rebooted [Compaq_Owner]
ComboFix-quarantined-files.txt 2008-12-16 22:18:14

Pre-Run: 31,939,837,952 bytes free
Post-Run: 31,591,374,848 bytes free

332 --- E O F --- 2008-12-16 22:17:31


i noticed it deleted an autorun on my d drive, which is my recovery partition, does that mean my windows recovery partition will no longer work now?

also, what is the childhe.com in the possible infected sites thing? thats a site i never heard of, but it seems when i search it, it is listed as a site infected with the very trojan i have... is it possibly the site the pop ups try to connect to? i always close the window when they pop up before they can connect, so ive never actually let one go long enuff to load...

The recovery partion, will still work.

OK, good,

Now pls update ad run MBA-M again... and them remove everything it finds, reboot it, post the MBA-M log as well as a fresh HJT log.

Thanks,

Cohen

do i need to run a full scan, or can i run the quick scan? full scan takes HOURS

do i need to run a full scan, or can i run the quick scan? full scan takes HOURS

A quick scan will do.

And a full scan shouldn't take hours, should take maximum 2 hours or so.....

Anyway, quick scan will be fine.

Thanks,

Cohen


And a full scan shouldn't take hours, should take maximum 2 hours or so.....

that what i keep getting told, unfortunately it does as u can see from the other logs ive posted... it is running now in the other room on quick scan, so far so good, nothing detected.... yet :)

Be a part of the DaniWeb community

We're a friendly, industry-focused community of developers, IT pros, digital marketers, and technology enthusiasts meeting, networking, learning, and sharing knowledge.