Solved win32/AMalum virus start up issues

broni · 2009/07/09

Combofix log is incomplete.
Please, post complete log.

trub · 2009/07/09

ComboFix 09-07-09.06 - Steven 07/09/2009 21:00.1.2 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.3062.2525 [GMT -4:00]
Running from: c:\documents and settings\Steven\Desktop\ComboFix.exe
AV: CA Anti-Virus *On-access scanning disabled* (Updated) {17CFD1EA-56CF-40B5-A06B-BD3A27397C93}
FW: CA Personal Firewall *disabled* {14CB4B80-8E52-45EA-905E-67C1267B4160}
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\windows\COUPON~1.OCX
c:\windows\Installer\160ee780.msi
c:\windows\Installer\386e3ef6.msp
c:\windows\Installer\386e3f0a.msp
c:\windows\Installer\386e3f1e.msp
c:\windows\Installer\7df174.msi
c:\windows\Installer\7df175.msp
c:\windows\Installer\7df176.msp
c:\windows\Installer\7df177.msp
c:\windows\Installer\7df178.msp
c:\windows\Installer\7df179.msp
c:\windows\Installer\7df17a.msp
c:\windows\Installer\7df17b.msp
c:\windows\Installer\7df17c.msp
c:\windows\Installer\7df17d.msp
c:\windows\Installer\8cad84.msi
c:\windows\kb913800.exe
c:\windows\system32\AutoRun.inf
c:\windows\system32\bszip.dll

.
((((((((((((((((((((((((( Files Created from 2009-06-10 to 2009-07-10 )))))))))))))))))))))))))))))))
.

2009-07-09 23:43 . 2009-07-09 23:43 -------- d--h--w- c:\windows\PIF
2009-07-09 23:43 . 2009-07-09 23:43 -------- d-----w- c:\documents and settings\All Users\Application Data\SUPERAntiSpyware.com
2009-07-09 23:43 . 2009-07-09 23:43 -------- d-----w- c:\program files\Common Files\Wise Installation Wizard
2009-07-09 21:58 . 2008-04-14 09:42 28672 ------w- c:\windows\system32\verclsid.exe
2009-07-09 21:58 . 2008-04-14 09:41 81920 ------w- c:\windows\system32\ieencode.dll
2009-07-09 19:30 . 2009-07-09 19:30 -------- d-----w- c:\program files\Trend Micro
2009-07-09 15:08 . 2009-07-09 15:08 -------- d-----w- c:\docume~1\Steven\APPLIC~1\Malwarebytes
2009-07-09 15:07 . 2009-06-17 15:27 38160 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2009-07-09 15:07 . 2009-07-09 15:07 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
2009-07-09 15:07 . 2009-07-09 23:38 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2009-07-09 15:07 . 2009-06-17 15:27 19096 ----a-w- c:\windows\system32\drivers\mbam.sys
2009-07-09 11:40 . 2009-07-09 11:40 552 ----a-w- c:\windows\system32\d3d8caps.dat
2009-07-09 11:26 . 2009-07-09 23:43 -------- d-----w- c:\program files\SUPERAntiSpyware
2009-07-09 11:26 . 2009-07-09 11:26 -------- d-----w- c:\docume~1\Steven\APPLIC~1\SUPERAntiSpyware.com
2009-07-09 04:48 . 2009-07-09 23:43 -------- dc-h--w- c:\documents and settings\All Users\Application Data\{7972B2E5-3E09-4E5E-81B7-FE5819D6772F}
2009-07-09 04:48 . 2009-03-12 08:17 2902048 -c--a-w- c:\documents and settings\All Users\Application Data\{7972B2E5-3E09-4E5E-81B7-FE5819D6772F}\Ad-AwareAE.exe
2009-07-09 03:08 . 2009-07-09 04:52 -------- d-----w- C:\4a2cc3a0363ab8aaef9e1b
2009-07-09 02:49 . 2009-07-09 02:50 -------- d-----w- C:\b0f07cf43475e4bdd3
2009-07-09 00:47 . 2009-07-09 00:48 -------- d-----w- C:\e1424e6bc4654575faf1
2009-07-09 00:47 . 2009-07-09 00:47 -------- d-----w- C:\057553ec7af477a98eb2cc30b11c
2009-07-08 22:35 . 2009-07-08 22:35 -------- d-----w- c:\documents and settings\NetworkService\Local Settings\Application Data\Google
2009-07-08 22:07 . 2009-07-09 23:43 -------- d-----w- c:\program files\Lavasoft
2009-07-08 21:51 . 2009-07-08 21:51 -------- d-----w- c:\windows\system32\wbem\Repository
2009-07-08 21:35 . 2008-07-16 15:25 1385760 ----a-w- c:\documents and settings\All Users\Application Data\CA\Consumer\AV\tmp\vete_tmp.dll
2009-07-08 21:35 . 2008-07-16 15:25 1385760 ----a-w- c:\documents and settings\All Users\Application Data\CA\Consumer\AV\tmp\vete_tmp(2).dll
2009-07-08 19:44 . 2009-07-08 19:44 -------- d-sh--w- C:\found.001
2009-07-08 19:25 . 2009-07-08 19:25 -------- d-sh--w- c:\windows\system32\config\systemprofile\IETldCache
2009-06-18 03:50 . 2009-06-18 03:50 -------- d-sh--w- c:\documents and settings\NetworkService\IETldCache
2009-06-18 03:50 . 2009-06-18 03:50 -------- d-----w- c:\documents and settings\NetworkService\Local Settings\Application Data\Apple
2009-06-18 00:19 . 2009-06-18 00:19 -------- d-----w- c:\docume~1\Steven\APPLIC~1\Apple Computer
2009-06-12 12:27 . 2009-06-12 12:27 -------- d-----w- c:\docume~1\Steven\APPLIC~1\Southwest Airlines
2009-06-11 18:39 . 2009-04-30 21:22 12800 ------w- c:\windows\system32\dllcache\xpshims.dll
2009-06-11 18:39 . 2009-04-30 21:22 246272 ------w- c:\windows\system32\dllcache\ieproxy.dll

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-07-10 00:50 . 2008-07-18 00:06 64 ----a-w- c:\windows\system32\drivers\kmxcfg.u2k7
2009-07-10 00:50 . 2008-07-18 00:06 64 ----a-w- c:\windows\system32\drivers\kmxcfg.u2k6
2009-07-10 00:50 . 2008-07-18 00:06 64 ----a-w- c:\windows\system32\drivers\kmxcfg.u2k5
2009-07-10 00:50 . 2008-07-18 00:06 64 ----a-w- c:\windows\system32\drivers\kmxcfg.u2k4
2009-07-10 00:50 . 2008-07-18 00:06 64 ----a-w- c:\windows\system32\drivers\kmxcfg.u2k3
2009-07-10 00:50 . 2008-07-18 00:06 64 ----a-w- c:\windows\system32\drivers\kmxcfg.u2k2
2009-07-10 00:50 . 2008-07-18 00:06 64 ----a-w- c:\windows\system32\drivers\kmxcfg.u2k1
2009-07-10 00:50 . 2008-07-18 00:06 456070 ----a-w- c:\windows\system32\drivers\kmxcfg.u2k0
2009-07-09 23:43 . 2005-12-02 03:17 -------- d-----w- c:\program files\Real
2009-07-09 23:43 . 2009-03-26 03:19 -------- d-----w- c:\program files\Yahoo!
2009-07-09 23:43 . 2009-01-05 00:58 -------- d-----w- c:\documents and settings\All Users\Application Data\Lavasoft
2009-07-09 23:41 . 2007-03-05 21:47 -------- d-----w- c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
2009-07-09 14:47 . 2005-12-02 03:17 -------- d-----w- c:\program files\Common Files\Real
2009-07-09 14:36 . 2005-12-02 03:14 -------- d--h--w- c:\program files\InstallShield Installation Information
2009-07-09 11:23 . 2007-03-05 13:18 81424 ----a-w- c:\documents and settings\Steven\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2009-07-08 22:23 . 2007-03-05 16:38 -------- d-----w- c:\docume~1\Steven\APPLIC~1\Azureus
2009-07-05 19:08 . 2005-12-02 03:10 -------- d-----w- c:\program files\Java
2009-06-18 01:14 . 2007-06-24 17:04 848 --sha-w- c:\windows\system32\KGyGaAvL.sys
2009-06-18 00:19 . 2009-06-18 00:18 -------- d-----w- c:\program files\iTunes
2009-06-18 00:19 . 2009-06-18 00:18 -------- d-----w- c:\documents and settings\All Users\Application Data\{8CD7F5AF-ECFA-4793-BF40-D8F42DBFF906}
2009-06-18 00:18 . 2009-06-18 00:18 -------- d-----w- c:\program files\iPod
2009-06-18 00:18 . 2009-06-18 00:16 -------- d-----w- c:\program files\Common Files\Apple
2009-06-18 00:18 . 2009-06-18 00:17 -------- d-----w- c:\documents and settings\All Users\Application Data\Apple Computer
2009-06-18 00:18 . 2009-06-18 00:18 -------- d-----w- c:\program files\Bonjour
2009-06-18 00:18 . 2009-06-18 00:17 -------- d-----w- c:\program files\QuickTime
2009-06-18 00:17 . 2009-06-18 00:17 -------- d-----w- c:\program files\Apple Software Update
2009-06-18 00:16 . 2009-06-18 00:16 -------- d-----w- c:\documents and settings\All Users\Application Data\Apple
2009-06-05 17:57 . 2009-06-05 17:57 75048 ----a-w- c:\documents and settings\All Users\Application Data\Apple Computer\Installer Cache\iTunes 8.2.0.23\SetupAdmin.exe
2009-05-30 22:43 . 2007-03-05 16:22 -------- d-----w- c:\program files\Google
2009-05-13 19:01 . 2009-05-13 19:01 -------- d-----w- c:\documents and settings\All Users\Application Data\TVU Networks
2009-05-13 05:15 . 2005-08-16 10:18 915456 ----a-w- c:\windows\system32\wininet.dll
2009-05-11 20:06 . 2009-02-04 02:27 -------- d-----w- c:\program files\Full Tilt Poker
2009-05-11 01:52 . 2008-03-04 02:00 -------- d-----w- c:\program files\Eusing Free Registry Cleaner
2009-05-09 05:14 . 2008-11-28 17:53 1418120 ----a-w- c:\windows\system32\wdfcoinstaller01005.dll
2009-05-09 05:14 . 2008-11-28 17:53 14736 ----a-w- c:\windows\system32\drivers\nuidfltr.sys
2009-05-07 15:32 . 2005-08-16 10:18 345600 ----a-w- c:\windows\system32\localspl.dll
2009-04-17 12:26 . 2005-08-16 10:18 1847168 ----a-w- c:\windows\system32\win32k.sys
2009-04-15 14:51 . 2005-08-16 10:18 585216 ----a-w- c:\windows\system32\rpcrt4.dll
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe "= "c:\windows\system32\ctfmon.exe" [2008-04-14 15360]
"SUPERAntiSpyware "= "c:\program files\SUPERAntiSpyware\SUPERAntiSpyware.exe" [2009-06-23 1830128]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"igfxtray "= "c:\windows\system32\igfxtray.exe" [2005-10-14 94208]
"igfxpers "= "c:\windows\system32\igfxpers.exe" [2005-10-14 114688]
"igfxhkcmd "= "c:\windows\system32\hkcmd.exe" [2005-10-14 77824]
"ehTray "= "c:\windows\ehome\ehtray.exe" [2005-09-29 67584]
"dla "= "c:\windows\system32\dla\tfswctrl.exe" [2005-05-31 122941]
"HP Software Update "= "c:\program files\HP\HP Software Update\HPWuSchd2.exe" [2007-03-12 49152]
"cctray "= "c:\program files\CA\CA Internet Security Suite\cctray\cctray.exe" [2009-01-24 177392]
"QOELOADER "= "c:\program files\CA\CA Internet Security Suite\CA Anti-Spam\QSP-5.1.18.0\QOELoader.exe" [2008-07-16 14088]
"CAVRID "= "c:\program files\CA\CA Internet Security Suite\CA Anti-Virus\CAVRID.exe" [2007-08-20 230664]
"cafwc "= "c:\program files\CA\CA Internet Security Suite\CA Personal Firewall\cafw.exe" [2008-08-01 1193200]
"capfasem "= "c:\program files\CA\CA Internet Security Suite\CA Personal Firewall\capfasem.exe" [2008-08-01 173296]
"capfupgrade "= "c:\program files\CA\CA Internet Security Suite\CA Personal Firewall\capfupgrade.exe" [2008-08-01 259312]
"hpqSRMon "= "c:\program files\HP\Digital Imaging\bin\hpqSRMon.exe" [2008-08-20 150016]
"Adobe Reader Speed Launcher "= "c:\program files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2008-10-15 39792]
"IntelliPoint "= "c:\program files\Microsoft IntelliPoint\ipoint.exe" [2008-06-10 1406024]
"SunJavaUpdateSched "= "c:\program files\Java\jre6\bin\jusched.exe" [2008-12-24 136600]
"ISUSPM Startup "= "c:\program files\Common Files\InstallShield\UpdateService\ISUSPM.exe" [2005-06-10 249856]
"QuickTime Task "= "c:\program files\QuickTime\QTTask.exe" [2009-05-26 413696]
"SigmatelSysTrayApp "= "stsystra.exe" - c:\windows\stsystra.exe [2005-03-23 339968]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
HP Digital Imaging Monitor.lnk - c:\program files\HP\Digital Imaging\bin\hpqtra08.exe [2007-3-11 210520]

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA} "= "c:\program files\SUPERAntiSpyware\SASSEH.DLL" [2008-05-13 77824]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
2008-12-22 16:05 356352 ----a-w- c:\program files\SUPERAntiSpyware\SASWINLO.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\PFW]
2007-05-18 17:30 79368 ----a-w- c:\windows\system32\UmxWNP.dll

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Lavasoft Ad-Aware Service]
@= "Service "

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Reader Speed Launch.lnk]
backup=c:\windows\pss\Adobe Reader Speed Launch.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Reader Synchronizer.lnk]
backup=c:\windows\pss\Adobe Reader Synchronizer.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Harmony Monitor.lnk]
backup=c:\windows\pss\Harmony Monitor.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Logitech Desktop Messenger.lnk]
backup=c:\windows\pss\Logitech Desktop Messenger.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Logitech Harmony Remote Software 7.lnk]
backup=c:\windows\pss\Logitech Harmony Remote Software 7.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^QuickBooks Update Agent.lnk]
backup=c:\windows\pss\QuickBooks Update Agent.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^Steven^Start Menu^Programs^Startup^DING!.lnk]
backup=c:\windows\pss\DING!.lnkStartup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"WinDefend "=2 (0x2)

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\CA Personal Firewall]
"DisableMonitoring "=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\ComputerAssociatesAntiVirus]
"DisableMonitoring "=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall "= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe "=
"c:\\Program Files\\Azureus\\Azureus.exe "=
"%windir%\\Network Diagnostic\\xpnetdiag.exe "=
"c:\\Program Files\\Logitech\\Desktop Messenger\\8876480\\Program\\LogitechDesktopMessenger.exe "=
"c:\\Program Files\\Logitech\\Logitech Harmony Remote Software 7\\HarmonyRemote.exe "=
"c:\\Documents and Settings\\Steven\\Desktop\\st.exe "=
"c:\\Program Files\\Mozilla Firefox\\firefox.exe "=
"c:\\Program Files\\Messenger\\msmsgs.exe "=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqpse.exe "=
"c:\\Program Files\\Common Files\\HP\\Digital Imaging\\bin\\hpqPhotoCrm.exe "=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqsudi.exe "=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqpsapp.exe "=
"c:\\WINDOWS\\pchealth\\helpctr\\binaries\\helpctr.exe "=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe "=
"c:\\Program Files\\iTunes\\iTunes.exe "=

R0 KmxStart;KmxStart;c:\windows\system32\drivers\KmxStart.sys [6/24/2008 7:08 PM 93712]
R1 KmxAgent;KmxAgent;c:\windows\system32\drivers\KmxAgent.sys [6/24/2008 7:08 PM 63504]
R1 KmxFile;KmxFile;c:\windows\system32\drivers\KmxFile.sys [6/24/2008 7:08 PM 45584]
R1 KmxFw;KmxFw;c:\windows\system32\drivers\KmxFw.sys [6/24/2008 7:08 PM 115216]
R1 SASDIFSV;SASDIFSV;c:\program files\SUPERAntiSpyware\sasdifsv.sys [6/23/2009 11:01 AM 9968]
R1 SASKUTIL;SASKUTIL;c:\program files\SUPERAntiSpyware\SASKUTIL.SYS [6/23/2009 11:01 AM 72944]
R2 IntuitUpdateService;Intuit Update Service;c:\program files\Common Files\Intuit\Update Service\IntuitUpdateService.exe [10/10/2008 6:45 AM 13088]
R2 KmxCF;KmxCF;c:\windows\system32\drivers\KmxCF.sys [6/24/2008 7:08 PM 134648]
R2 KmxSbx;KmxSbx;c:\windows\system32\drivers\KmxSbx.sys [6/24/2008 7:08 PM 66576]
R2 UmxAgent;HIPS Event Manager;c:\program files\CA\SharedComponents\HIPSEngine\UmxAgent.exe [10/18/2007 10:24 AM 1010192]
R2 UmxCfg;HIPS Configuration Interpreter;c:\program files\CA\SharedComponents\HIPSEngine\UmxCfg.exe [10/18/2007 10:24 AM 801296]
R2 UmxPol;HIPS Policy Manager;c:\program files\CA\SharedComponents\HIPSEngine\UmxPol.exe [6/24/2008 7:10 PM 281104]
R3 KmxCfg;KmxCfg;c:\windows\system32\drivers\KmxCfg.sys [6/24/2008 7:08 PM 88816]
R3 PPCtlPriv;PPCtlPriv;c:\program files\CA\CA Internet Security Suite\CA Anti-Spyware\PPCtlPriv.exe [8/16/2007 9:10 PM 189704]
R3 SASENUM;SASENUM;c:\program files\SUPERAntiSpyware\SASENUM.SYS [6/23/2009 11:01 AM 7408]
S0 Lbd;Lbd;c:\windows\system32\DRIVERS\Lbd.sys --> c:\windows\system32\DRIVERS\Lbd.sys [?]
S2 gupdate1c9ade18e308a84;Google Update Service (gupdate1c9ade18e308a84);c:\program files\Google\Update\GoogleUpdate.exe [3/26/2009 3:07 AM 133104]
S2 Lavasoft Ad-Aware Service;Lavasoft Ad-Aware Service; "c:\program files\Lavasoft\Ad-Aware\AAWService.exe" --> c:\program files\Lavasoft\Ad-Aware\AAWService.exe [?]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
HPZ12 REG_MULTI_SZ Pml Driver HPZ12 Net Driver HPZ12
hpdevmgmt REG_MULTI_SZ hpqcxs08 hpqddsvc

[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{A509B1FF-37FF-4bFF-8CFF-4F3A747040FF}]
c:\windows\system32\rundll32.exe c:\windows\system32\advpack.dll,LaunchINFSectionEx c:\program files\Internet Explorer\clrtour.inf,DefaultInstall.ResetTour,,12
.
Contents of the 'Scheduled Tasks' folder

2009-07-09 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 16:34]

2009-07-01 c:\windows\Tasks\CAAntiSpywareScan_Daily as Steven at 1 24 AM.job
- c:\program files\CA\CA Internet Security Suite\CA Anti-Spyware\CAAntiSpyware.exe [2007-08-17 01:10]

2009-07-10 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files\Google\Update\GoogleUpdate.exe [2009-03-26 07:07]

2009-07-10 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files\Google\Update\GoogleUpdate.exe [2009-03-26 07:07]

2008-11-29 c:\windows\Tasks\Microsoft_Hardware_Launch_IPoint_exe.job
- c:\program files\Microsoft IntelliPoint\ipoint.exe [2008-06-10 17:56]

2009-07-09 c:\windows\Tasks\User_Feed_Synchronization-{E0778E57-5CFD-4B13-B33B-CF080291BEC0}.job
- c:\windows\system32\msfeedssync.exe [2006-10-17 08:31]
.
- - - - ORPHANS REMOVED - - - -

BHO-{A3BC75A2-1F87-4686-AA43-5347D756017C} - c:\program files\AVG\AVG8\Toolbar\IEToolbar.dll
HKCU-Run-SpybotSD TeaTimer - c:\program files\Spybot - Search & Destroy\TeaTimer.exe
HKLM-Run-Ad-Watch - c:\program files\Lavasoft\Ad-Aware\AAWTray.exe
Notify-avgrsstarter - avgrsstx.dll

.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.yahoo.com/?fr=fp-yie8
uInternet Settings,ProxyOverride = *.local
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~4\OFFICE11\EXCEL.EXE/3000
IE: Easy-WebPrint Add To Print List - c:\program files\Canon\Easy-WebPrint\Resource.dll/RC_AddToList.html
IE: Easy-WebPrint High Speed Print - c:\program files\Canon\Easy-WebPrint\Resource.dll/RC_HSPrint.html
IE: Easy-WebPrint Preview - c:\program files\Canon\Easy-WebPrint\Resource.dll/RC_Preview.html
IE: Easy-WebPrint Print - c:\program files\Canon\Easy-WebPrint\Resource.dll/RC_Print.html
IE: {{10F055B8-F443-4adf-948A-EC551E9DBCE4} - c:\documents and settings\Steven\Start Menu\Programs\UltimateBet\UltimateBet.lnk
LSP: c:\windows\system32\VetRedir.dll
Trusted Zone: turbotax.com
Handler: bwfile-8876480 - {9462A756-7B47-47BC-8C80-C34B9B80B32B} - c:\program files\Logitech\Desktop Messenger\8876480\Program\GAPlugProtocol-8876480.dll
FF - ProfilePath - c:\docume~1\Steven\APPLIC~1\Mozilla\Firefox\Profiles\aja2xtyr.default\
FF - prefs.js: browser.startup.homepage - hxxp://my.yahoo.com/
FF - plugin: c:\program files\Google\Update\1.2.183.7\npGoogleOneClick8.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\np-mswmp.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npCouponPrinter.dll
FF - plugin: c:\program files\Viewpoint\Viewpoint Experience Technology\npViewpoint.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0011-ABCDEFFEDCBA}
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0014-ABCDEFFEDCBA}
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-07-09 21:04
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(712)
c:\program files\SUPERAntiSpyware\SASWINLO.dll
c:\windows\system32\WININET.dll
c:\windows\system32\UmxWnp.Dll
c:\program files\CA\SharedComponents\PPRT\bin\CACheck.dll
c:\program files\CA\SharedComponents\PPRT\bin\CAHook.dll
c:\program files\CA\SharedComponents\PPRT\bin\CAServer.dll

- - - - - - - > 'lsass.exe'(768)
c:\windows\system32\VetRedir.dll
c:\windows\system32\ISafeIf.dll
.
Completion time: 2009-07-10 21:08
ComboFix-quarantined-files.txt 2009-07-10 01:08

Pre-Run: 36,377,178,112 bytes free
Post-Run: 36,544,520,192 bytes free

WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(2)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT= "Microsoft Windows Recovery Console" /cmdcons
multi(0)disk(0)rdisk(0)partition(2)\WINDOWS= "Windows XP Media Center Edition" /noexecute=optin /fastdetect

282 --- E O F --- 2009-07-09 22:46

trub · 2009/07/09

Went back and got log from C:\Combofix.txt . Seems to be it.

broni · 2009/07/09

Uninstall Combofix:

Go Start > Run
Type in:
combofix /u
Note the space between the "combofix" and the "/u "
Restart computer.

Download Dr.Web CureIt to the desktop:
ftp://ftp.drweb.com/pub/drweb/cureit/drweb-cureit.exe

Doubleclick the drweb-cureit.exe file and Allow to run the express scan

This will scan the files currently running in memory and when something is found, click the Yes button when it asks you if you want to cure it. This is only a short scan.

Once the short scan has finished, mark the drives that you want to scan.

Select all drives. A red dot shows which drives have been chosen.

Click the green arrow at the right, and the scan will start.

Click Yes to all if it asks if you want to cure/move the file.

When the scan has finished, in the menu, click File and choose Save report list

Save the report to your desktop. The report will be called DrWeb.csv

Close Dr.Web Cureit.

Important! Reboot your computer because it could be possible that files in use will be moved/deleted during reboot.

Copy and paste that log in the next reply. You can use Notepad to open the DrWeb.cvs report.

Post fresh HijackThis log as well.

trub · 2009/07/09

Hey broni; I ran Start run combofix /u but the program tried to restart not uninstall. Please advise. Also on restart CHKDSK was initiated saying File System is NTFS Volume (c) dirty. Aren't you glad you found me LOL.

broni · 2009/07/09

Delete Combofix, Qoobox folders,and Combofix.txt file from C:
Delete Combofix from your desktop

Also on restart CHKDSK was initiated saying File System is NTFS Volume (c) dirty.
Click to expand...

Remind me, when we're done with Dr. Web, and new HJT log.

Aren't you glad you found me LOL.
Click to expand...

Sure thing

trub · 2009/07/09

Combofix removed. Dr.WebCureit running although the only drive I can red dot is the C. Is this ok.

broni · 2009/07/09

It's fine.

trub · 2009/07/09

This scan may take a while. I will post both its report and a new Hijack log as soon as possible. Will you be available tomorrow (approx time Eastern)?

broni · 2009/07/09

I'll be up for another couple of hours, and tomorrow, I'll be around for a bit in the morning (Pacific), and then in the afternoon.

trub · 2009/07/09

I will stay up late enough to get you these next results. Might have to finish up tomorrow or so. Again I can not thank you enough for you help. When I come to Cali dinners on me.

broni · 2009/07/09

Sounds good

trub · 2009/07/10

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 1:12:23 AM, on 7/10/2009
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v8.00 (8.00.6001.18702)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\CA\SharedComponents\HIPSEngine\UmxCfg.exe
C:\Program Files\CA\SharedComponents\HIPSEngine\UmxFwHlp.exe
C:\Program Files\CA\SharedComponents\HIPSEngine\UmxPol.exe
C:\Program Files\CA\SharedComponents\HIPSEngine\UmxAgent.exe
C:\Program Files\Google\Update\1.2.183.7\GoogleCrashHandler.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\CA\CA Internet Security Suite\CA Anti-Virus\ISafe.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Common Files\Intuit\Update Service\IntuitUpdateService.exe
C:\Program Files\CA\CA Internet Security Suite\CA Personal Firewall\capfsem.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\CA\SharedComponents\PPRT\bin\ITMRTSVC.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\WINDOWS\stsystra.exe
C:\WINDOWS\system32\igfxpers.exe
C:\WINDOWS\system32\hkcmd.exe
C:\WINDOWS\ehome\ehtray.exe
C:\WINDOWS\system32\dla\tfswctrl.exe
C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
C:\Program Files\CA\CA Internet Security Suite\cctray\cctray.exe
C:\Program Files\CA\CA Internet Security Suite\CA Anti-Spam\QSP-5.1.18.0\QOELoader.exe
C:\Program Files\CA\CA Internet Security Suite\CA Anti-Virus\CAVRID.exe
C:\Program Files\CA\CA Internet Security Suite\CA Personal Firewall\capfasem.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\HP\Digital Imaging\bin\hpqSRMon.exe
C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe
C:\Program Files\Microsoft IntelliPoint\ipoint.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\CA\CA Internet Security Suite\CA Anti-Spyware\CAPPActiveProtection.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\CA\CA Internet Security Suite\CA Anti-Virus\VetMsg.exe
C:\Program Files\Yahoo!\SoftwareUpdate\YahooAUService.exe
C:\Program Files\CA\CA Internet Security Suite\ccprovsp.exe
C:\WINDOWS\system32\msiexec.exe
C:\Program Files\CA\CA Internet Security Suite\CA Anti-Spyware\PPCtlPriv.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer,(Default) = Download Directory
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/?fr=fp-yie8
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll (file missing)
O2 - BHO: &Yahoo! Toolbar Helper - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll (file missing)
O2 - BHO: HP Print Enhancer - {0347C33E-8762-4905-BF09-768834316C61} - C:\Program Files\HP\Smart Web Printing\hpswp_printenhancer.dll
O2 - BHO: HP Print Clips - {053F9267-DC04-4294-A72C-58F732D338C0} - C:\Program Files\HP\Smart Web Printing\hpswp_framework.dll
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: RealPlayer Download and Record Plugin for Internet Explorer - {3049C3E9-B461-4BC5-8870-4C09146192CA} - C:\Program Files\Real\RealPlayer\rpbrowserrecordplugin.dll (file missing)
O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - (no file)
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll (file missing)
O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\system32\dla\tfswshx.dll
O2 - BHO: Java(tm) Plug-In SSV Helper - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre6\bin\ssv.dll
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O2 - BHO: SingleInstance Class - {FDAD4DA1-61A2-4FD8-9C17-86F7AC245081} - C:\Program Files\Yahoo!\Companion\Installs\cpn\YTSingleInstance.dll (file missing)
O3 - Toolbar: (no name) - {BA52B914-B692-46c4-B683-905236F6F655} - (no file)
O3 - Toolbar: Easy-WebPrint - {327C2873-E90D-4c37-AA9D-10AC9BABA46C} - (no file)
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll (file missing)
O3 - Toolbar: AVG Security Toolbar - {CCC7A320-B3CA-4199-B1A6-9F516DD69829} - C:\Program Files\AVG\AVG8\Toolbar\IEToolbar.dll (file missing)
O4 - HKLM\..\Run: [SigmatelSysTrayApp] stsystra.exe
O4 - HKLM\..\Run: [igfxtray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [igfxpers] C:\WINDOWS\system32\igfxpers.exe
O4 - HKLM\..\Run: [igfxhkcmd] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [ehTray] C:\WINDOWS\ehome\ehtray.exe
O4 - HKLM\..\Run: [dla] C:\WINDOWS\system32\dla\tfswctrl.exe
O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
O4 - HKLM\..\Run: [cctray] "C:\Program Files\CA\CA Internet Security Suite\cctray\cctray.exe "
O4 - HKLM\..\Run: [QOELOADER] "C:\Program Files\CA\CA Internet Security Suite\CA Anti-Spam\QSP-5.1.18.0\QOELoader.exe "
O4 - HKLM\..\Run: [CAVRID] "C:\Program Files\CA\CA Internet Security Suite\CA Anti-Virus\CAVRID.exe "
O4 - HKLM\..\Run: [cafwc] C:\Program Files\CA\CA Internet Security Suite\CA Personal Firewall\cafw.exe -cl
O4 - HKLM\..\Run: [capfasem] C:\Program Files\CA\CA Internet Security Suite\CA Personal Firewall\capfasem.exe
O4 - HKLM\..\Run: [capfupgrade] C:\Program Files\CA\CA Internet Security Suite\CA Personal Firewall\capfupgrade.exe
O4 - HKLM\..\Run: [hpqSRMon] C:\Program Files\HP\Digital Imaging\bin\hpqSRMon.exe
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe "
O4 - HKLM\..\Run: [IntelliPoint] "c:\Program Files\Microsoft IntelliPoint\ipoint.exe "
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe "
O4 - HKLM\..\Run: [ISUSPM Startup] "C:\Program Files\Common Files\InstallShield\UpdateService\ISUSPM.exe" -startup
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Easy-WebPrint Add To Print List - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_AddToList.html
O8 - Extra context menu item: Easy-WebPrint High Speed Print - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_HSPrint.html
O8 - Extra context menu item: Easy-WebPrint Preview - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_Preview.html
O8 - Extra context menu item: Easy-WebPrint Print - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_Print.html
O9 - Extra button: UltimateBet - {10F055B8-F443-4adf-948A-EC551E9DBCE4} - C:\Documents and Settings\Steven\Start Menu\Programs\UltimateBet\UltimateBet.lnk
O9 - Extra 'Tools' menuitem: UltimateBet - {10F055B8-F443-4adf-948A-EC551E9DBCE4} - C:\Documents and Settings\Steven\Start Menu\Programs\UltimateBet\UltimateBet.lnk
O9 - Extra button: PokerStars - {3AD14F0C-ED16-4e43-B6D8-661B03F6A1EF} - C:\Program Files\PokerStars\PokerStarsUpdate.exe
O9 - Extra button: HP Clipbook - {58ECB495-38F0-49cb-A538-10282ABF65E7} - C:\Program Files\HP\Smart Web Printing\hpswp_extensions.dll
O9 - Extra button: HP Smart Select - {700259D7-1666-479a-93B1-3250410481E8} - C:\Program Files\HP\Smart Web Printing\hpswp_extensions.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~4\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll (file missing)
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll (file missing)
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {05CA9FB0-3E3E-4B36-BF41-0E3A5CAA8CD8} (Office Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=58813
O16 - DPF: {3EA4FA88-E0BE-419A-A732-9B79B87A6ED0} - http://dl.tvunetworks.com/TVUAx.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1173102757265
O16 - DPF: {A90A5822-F108-45AD-8482-9BC8B12DD539} (Crucial cpcScan) - http://crucial.com/controls/cpcScanner.cab
O18 - Protocol: bw+0 - {D9B28CEA-168D-49EC-8D94-1E863103F8C7} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bw+0s - {D9B28CEA-168D-49EC-8D94-1E863103F8C7} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bw-0 - {D9B28CEA-168D-49EC-8D94-1E863103F8C7} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bw-0s - {D9B28CEA-168D-49EC-8D94-1E863103F8C7} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bw00 - {D9B28CEA-168D-49EC-8D94-1E863103F8C7} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bw00s - {D9B28CEA-168D-49EC-8D94-1E863103F8C7} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bw10 - {D9B28CEA-168D-49EC-8D94-1E863103F8C7} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bw10s - {D9B28CEA-168D-49EC-8D94-1E863103F8C7} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bw20 - {D9B28CEA-168D-49EC-8D94-1E863103F8C7} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bw20s - {D9B28CEA-168D-49EC-8D94-1E863103F8C7} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bw30 - {D9B28CEA-168D-49EC-8D94-1E863103F8C7} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bw30s - {D9B28CEA-168D-49EC-8D94-1E863103F8C7} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bw40 - {D9B28CEA-168D-49EC-8D94-1E863103F8C7} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bw40s - {D9B28CEA-168D-49EC-8D94-1E863103F8C7} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bw50 - {D9B28CEA-168D-49EC-8D94-1E863103F8C7} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bw50s - {D9B28CEA-168D-49EC-8D94-1E863103F8C7} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bw60 - {D9B28CEA-168D-49EC-8D94-1E863103F8C7} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bw60s - {D9B28CEA-168D-49EC-8D94-1E863103F8C7} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bw70 - {D9B28CEA-168D-49EC-8D94-1E863103F8C7} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bw70s - {D9B28CEA-168D-49EC-8D94-1E863103F8C7} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bw80 - {D9B28CEA-168D-49EC-8D94-1E863103F8C7} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bw80s - {D9B28CEA-168D-49EC-8D94-1E863103F8C7} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bw90 - {D9B28CEA-168D-49EC-8D94-1E863103F8C7} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bw90s - {D9B28CEA-168D-49EC-8D94-1E863103F8C7} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwa0 - {D9B28CEA-168D-49EC-8D94-1E863103F8C7} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwa0s - {D9B28CEA-168D-49EC-8D94-1E863103F8C7} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwb0 - {D9B28CEA-168D-49EC-8D94-1E863103F8C7} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwb0s - {D9B28CEA-168D-49EC-8D94-1E863103F8C7} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwc0 - {D9B28CEA-168D-49EC-8D94-1E863103F8C7} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwc0s - {D9B28CEA-168D-49EC-8D94-1E863103F8C7} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwd0 - {D9B28CEA-168D-49EC-8D94-1E863103F8C7} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwd0s - {D9B28CEA-168D-49EC-8D94-1E863103F8C7} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwe0 - {D9B28CEA-168D-49EC-8D94-1E863103F8C7} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwe0s - {D9B28CEA-168D-49EC-8D94-1E863103F8C7} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwf0 - {D9B28CEA-168D-49EC-8D94-1E863103F8C7} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwf0s - {D9B28CEA-168D-49EC-8D94-1E863103F8C7} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwfile-8876480 - {9462A756-7B47-47BC-8C80-C34B9B80B32B} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\GAPlugProtocol-8876480.dll
O18 - Protocol: bwg0 - {D9B28CEA-168D-49EC-8D94-1E863103F8C7} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwg0s - {D9B28CEA-168D-49EC-8D94-1E863103F8C7} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwh0 - {D9B28CEA-168D-49EC-8D94-1E863103F8C7} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwh0s - {D9B28CEA-168D-49EC-8D94-1E863103F8C7} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwi0 - {D9B28CEA-168D-49EC-8D94-1E863103F8C7} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwi0s - {D9B28CEA-168D-49EC-8D94-1E863103F8C7} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwj0 - {D9B28CEA-168D-49EC-8D94-1E863103F8C7} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwj0s - {D9B28CEA-168D-49EC-8D94-1E863103F8C7} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwk0 - {D9B28CEA-168D-49EC-8D94-1E863103F8C7} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwk0s - {D9B28CEA-168D-49EC-8D94-1E863103F8C7} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwl0 - {D9B28CEA-168D-49EC-8D94-1E863103F8C7} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwl0s - {D9B28CEA-168D-49EC-8D94-1E863103F8C7} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwm0 - {D9B28CEA-168D-49EC-8D94-1E863103F8C7} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwm0s - {D9B28CEA-168D-49EC-8D94-1E863103F8C7} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwn0 - {D9B28CEA-168D-49EC-8D94-1E863103F8C7} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwn0s - {D9B28CEA-168D-49EC-8D94-1E863103F8C7} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwo0 - {D9B28CEA-168D-49EC-8D94-1E863103F8C7} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwo0s - {D9B28CEA-168D-49EC-8D94-1E863103F8C7} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwp0 - {D9B28CEA-168D-49EC-8D94-1E863103F8C7} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwp0s - {D9B28CEA-168D-49EC-8D94-1E863103F8C7} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwq0 - {D9B28CEA-168D-49EC-8D94-1E863103F8C7} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwq0s - {D9B28CEA-168D-49EC-8D94-1E863103F8C7} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwr0 - {D9B28CEA-168D-49EC-8D94-1E863103F8C7} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwr0s - {D9B28CEA-168D-49EC-8D94-1E863103F8C7} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bws0 - {D9B28CEA-168D-49EC-8D94-1E863103F8C7} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bws0s - {D9B28CEA-168D-49EC-8D94-1E863103F8C7} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwt0 - {D9B28CEA-168D-49EC-8D94-1E863103F8C7} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwt0s - {D9B28CEA-168D-49EC-8D94-1E863103F8C7} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwu0 - {D9B28CEA-168D-49EC-8D94-1E863103F8C7} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwu0s - {D9B28CEA-168D-49EC-8D94-1E863103F8C7} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwv0 - {D9B28CEA-168D-49EC-8D94-1E863103F8C7} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwv0s - {D9B28CEA-168D-49EC-8D94-1E863103F8C7} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bww0 - {D9B28CEA-168D-49EC-8D94-1E863103F8C7} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bww0s - {D9B28CEA-168D-49EC-8D94-1E863103F8C7} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwx0 - {D9B28CEA-168D-49EC-8D94-1E863103F8C7} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwx0s - {D9B28CEA-168D-49EC-8D94-1E863103F8C7} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwy0 - {D9B28CEA-168D-49EC-8D94-1E863103F8C7} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwy0s - {D9B28CEA-168D-49EC-8D94-1E863103F8C7} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwz0 - {D9B28CEA-168D-49EC-8D94-1E863103F8C7} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwz0s - {D9B28CEA-168D-49EC-8D94-1E863103F8C7} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - (no file)
O18 - Protocol: offline-8876480 - {D9B28CEA-168D-49EC-8D94-1E863103F8C7} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: CaCCProvSP - CA, Inc. - C:\Program Files\CA\CA Internet Security Suite\ccprovsp.exe
O23 - Service: CAISafe - Computer Associates International, Inc. - C:\Program Files\CA\CA Internet Security Suite\CA Anti-Virus\ISafe.exe
O23 - Service: Google Update Service (gupdate1c9ade18e308a84) (gupdate1c9ade18e308a84) - Google Inc. - C:\Program Files\Google\Update\GoogleUpdate.exe
O23 - Service: Intuit Update Service (IntuitUpdateService) - Intuit Inc. - C:\Program Files\Common Files\Intuit\Update Service\IntuitUpdateService.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: CA Pest Patrol Realtime Protection Service (ITMRTSVC) - CA, Inc. - C:\Program Files\CA\SharedComponents\PPRT\bin\ITMRTSVC.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: Lavasoft Ad-Aware Service - Unknown owner - C:\Program Files\Lavasoft\Ad-Aware\AAWService.exe (file missing)
O23 - Service: Intel NCS NetService (NetSvc) - Intel(R) Corporation - C:\Program Files\Intel\PROSetWired\NCS\Sync\NetSvc.exe
O23 - Service: PPCtlPriv - CA, Inc. - C:\Program Files\CA\CA Internet Security Suite\CA Anti-Spyware\PPCtlPriv.exe
O23 - Service: HIPS Event Manager (UmxAgent) - CA - C:\Program Files\CA\SharedComponents\HIPSEngine\UmxAgent.exe
O23 - Service: HIPS Configuration Interpreter (UmxCfg) - CA - C:\Program Files\CA\SharedComponents\HIPSEngine\UmxCfg.exe
O23 - Service: HIPS Firewall Helper (UmxFwHlp) - CA - C:\Program Files\CA\SharedComponents\HIPSEngine\UmxFwHlp.exe
O23 - Service: HIPS Policy Manager (UmxPol) - CA - C:\Program Files\CA\SharedComponents\HIPSEngine\UmxPol.exe
O23 - Service: VET Message Service (VETMSGNT) - CA, Inc. - C:\Program Files\CA\CA Internet Security Suite\CA Anti-Virus\VetMsg.exe
O23 - Service: Yahoo! Updater (YahooAUService) - Yahoo! Inc. - C:\Program Files\Yahoo!\SoftwareUpdate\YahooAUService.exe

--
End of file - 24884 bytes

trub · 2009/07/10

npCouponPrinter.dll;C:\Program Files\Mozilla Firefox\plugins;Adware.Coupons.34;;
A0146210.reg;C:\System Volume Information\_restore{129201FA-B0AC-49B3-96B2-DEB8B91E727B}\RP951;Trojan.StartPage.1505;Deleted.;
A0146574.reg;C:\System Volume Information\_restore{129201FA-B0AC-49B3-96B2-DEB8B91E727B}\RP952;Trojan.StartPage.1505;Deleted.;
A0152642.bat;C:\System Volume Information\_restore{129201FA-B0AC-49B3-96B2-DEB8B91E727B}\RP960;Probably BATCH.Virus;;
A0152707.bat;C:\System Volume Information\_restore{129201FA-B0AC-49B3-96B2-DEB8B91E727B}\RP960;Probably BATCH.Virus;;
A0152766.exe/data002\32788R22FWJFW\FIND3M.bat;C:\System Volume Information\_restore{129201FA-B0AC-49B3-96B2-DEB8B91E727B}\RP960\A0152766.exe/data002;Probably BATCH.Virus;;
data002;C:\System Volume Information\_restore{129201FA-B0AC-49B3-96B2-DEB8B91E727B}\RP960;Archive contains infected objects;;
A0152766.exe;C:\System Volume Information\_restore{129201FA-B0AC-49B3-96B2-DEB8B91E727B}\RP960;Container contains infected objects;Moved.;
A0152793.ocx;C:\System Volume Information\_restore{129201FA-B0AC-49B3-96B2-DEB8B91E727B}\RP960;Adware.Coupons.34;;
A0152829.bat;C:\System Volume Information\_restore{129201FA-B0AC-49B3-96B2-DEB8B91E727B}\RP960;Probably BATCH.Virus;;
A0152880.bat;C:\System Volume Information\_restore{129201FA-B0AC-49B3-96B2-DEB8B91E727B}\RP960;Probably BATCH.Virus;;
A0152943.exe/data002\32788R22FWJFW\FIND3M.bat;C:\System Volume Information\_restore{129201FA-B0AC-49B3-96B2-DEB8B91E727B}\RP960\A0152943.exe/data002;Probably BATCH.Virus;;
data002;C:\System Volume Information\_restore{129201FA-B0AC-49B3-96B2-DEB8B91E727B}\RP960;Archive contains infected objects;;
A0152943.exe;C:\System Volume Information\_restore{129201FA-B0AC-49B3-96B2-DEB8B91E727B}\RP960;Container contains infected objects;Moved.;
A0152969.bat;C:\System Volume Information\_restore{129201FA-B0AC-49B3-96B2-DEB8B91E727B}\RP960;Probably BATCH.Virus;;

broni · 2009/07/10

Good. Dr. Web didn't find much, mostly in system restore, which we'll flush clean anyway.

Please download [color= "#FF8C00"]JavaRa[/color] to your desktop and unzip it to its own folder

Run JavaRa.exe, pick the language of your choice and click Select. Then click Remove Older Versions.

Accept any prompts.

Open JavaRa.exe again and select Search For Updates.

Select Update Using Sun Java's Website then click Search and click on the Open Webpage button. Download and install the latest Java Runtime Environment (JRE) version for your computer.

Note 1: UNCHECK any pre-checked toolbar and/or software offered with the Java update. The pre-checked toolbars/software are not part of the Java update.

Note 2: The Java Quick Starter (JQS.exe) adds a service to improve the initial startup time of Java applets and applications. If you don't want to run another extra service, go to Start > Control Panel > Java > Advanced > Miscellaneous and uncheck the box for Java Quick Starter. Click OK and restart your computer.

=================================================================

Print this post out, since you won't have an access to it, at some point.

1. Open HijackThis.

2. Close all windows, except for HijackThis.

3. Put checkmarks next to the following HijackThis entries:

- R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll (file missing)
- O2 - BHO: &Yahoo! Toolbar Helper - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll (file missing)
- O2 - BHO: RealPlayer Download and Record Plugin for Internet Explorer - {3049C3E9-B461-4BC5-8870-4C09146192CA} - C:\Program Files\Real\RealPlayer\rpbrowserrecordplugin.dll (file missing)
- O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - (no file)
- O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll (file missing)
- O2 - BHO: SingleInstance Class - {FDAD4DA1-61A2-4FD8-9C17-86F7AC245081} - C:\Program Files\Yahoo!\Companion\Installs\cpn\YTSingleInstance.dll (file missing)
- O3 - Toolbar: (no name) - {BA52B914-B692-46c4-B683-905236F6F655} - (no file)
- O3 - Toolbar: Easy-WebPrint - {327C2873-E90D-4c37-AA9D-10AC9BABA46C} - (no file)
- O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll (file missing)
- O3 - Toolbar: AVG Security Toolbar - {CCC7A320-B3CA-4199-B1A6-9F516DD69829} - C:\Program Files\AVG\AVG8\Toolbar\IEToolbar.dll (file missing)
- O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll (file missing)
- O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll (file missing)
- ALL O18 entries
- O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - (no file)

4. You may also checkmark following entries (these are unnecessary startups; no actual programs will be removed):

- O4 - HKLM\..\Run: [SigmatelSysTrayApp] stsystra.exe
- O4 - HKLM\..\Run: [igfxtray] C:\WINDOWS\system32\igfxtray.exe
- O4 - HKLM\..\Run: [igfxpers] C:\WINDOWS\system32\igfxpers.exe
- O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
- O4 - HKLM\..\Run: [hpqSRMon] C:\Program Files\HP\Digital Imaging\bin\hpqSRMon.exe
- O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe "
- O4 - HKLM\..\Run: [ISUSPM Startup] "C:\Program Files\Common Files\InstallShield\UpdateService\ISUSPM.exe" -startup
- O4 - HKCU\..\Run: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe (leave it alone, if you have paid version)
- O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
- O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll (leave it alone, if you have paid version)

5. Click on Fix checked button.

6. Restart computer.

7. Post new HijackThis log.

trub · 2009/07/10

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 2:03:49 AM, on 7/10/2009
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v8.00 (8.00.6001.18702)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\savedump.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\CA\SharedComponents\HIPSEngine\UmxCfg.exe
C:\Program Files\CA\SharedComponents\HIPSEngine\UmxFwHlp.exe
C:\Program Files\CA\SharedComponents\HIPSEngine\UmxPol.exe
C:\Program Files\CA\SharedComponents\HIPSEngine\UmxAgent.exe
C:\Program Files\Google\Update\1.2.183.7\GoogleCrashHandler.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\CA\CA Internet Security Suite\CA Anti-Virus\ISafe.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\CA\CA Internet Security Suite\CA Personal Firewall\capfsem.exe
C:\Program Files\Common Files\Intuit\Update Service\IntuitUpdateService.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\CA\SharedComponents\PPRT\bin\ITMRTSVC.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\hkcmd.exe
C:\WINDOWS\ehome\ehtray.exe
C:\WINDOWS\system32\dla\tfswctrl.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\CA\CA Internet Security Suite\cctray\cctray.exe
C:\Program Files\CA\CA Internet Security Suite\CA Anti-Spam\QSP-5.1.18.0\QOELoader.exe
C:\Program Files\CA\CA Internet Security Suite\CA Anti-Virus\CAVRID.exe
C:\Program Files\CA\CA Internet Security Suite\CA Personal Firewall\capfasem.exe
C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe
C:\Program Files\Microsoft IntelliPoint\ipoint.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\CA\CA Internet Security Suite\CA Anti-Virus\VetMsg.exe
C:\Program Files\CA\CA Internet Security Suite\CA Anti-Spyware\CAPPActiveProtection.exe
C:\Program Files\Yahoo!\SoftwareUpdate\YahooAUService.exe
C:\Program Files\CA\CA Internet Security Suite\ccprovsp.exe
C:\Program Files\CA\CA Internet Security Suite\CA Anti-Spyware\PPCtlPriv.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer,(Default) = Download Directory
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/?fr=fp-yie8
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
O2 - BHO: HP Print Enhancer - {0347C33E-8762-4905-BF09-768834316C61} - C:\Program Files\HP\Smart Web Printing\hpswp_printenhancer.dll
O2 - BHO: HP Print Clips - {053F9267-DC04-4294-A72C-58F732D338C0} - C:\Program Files\HP\Smart Web Printing\hpswp_framework.dll
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\system32\dla\tfswshx.dll
O2 - BHO: Java(tm) Plug-In SSV Helper - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre6\bin\ssv.dll
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O4 - HKLM\..\Run: [igfxhkcmd] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [ehTray] C:\WINDOWS\ehome\ehtray.exe
O4 - HKLM\..\Run: [dla] C:\WINDOWS\system32\dla\tfswctrl.exe
O4 - HKLM\..\Run: [cctray] "C:\Program Files\CA\CA Internet Security Suite\cctray\cctray.exe "
O4 - HKLM\..\Run: [QOELOADER] "C:\Program Files\CA\CA Internet Security Suite\CA Anti-Spam\QSP-5.1.18.0\QOELoader.exe "
O4 - HKLM\..\Run: [CAVRID] "C:\Program Files\CA\CA Internet Security Suite\CA Anti-Virus\CAVRID.exe "
O4 - HKLM\..\Run: [cafwc] C:\Program Files\CA\CA Internet Security Suite\CA Personal Firewall\cafw.exe -cl
O4 - HKLM\..\Run: [capfasem] C:\Program Files\CA\CA Internet Security Suite\CA Personal Firewall\capfasem.exe
O4 - HKLM\..\Run: [capfupgrade] C:\Program Files\CA\CA Internet Security Suite\CA Personal Firewall\capfupgrade.exe
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe "
O4 - HKLM\..\Run: [IntelliPoint] "c:\Program Files\Microsoft IntelliPoint\ipoint.exe "
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Easy-WebPrint Add To Print List - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_AddToList.html
O8 - Extra context menu item: Easy-WebPrint High Speed Print - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_HSPrint.html
O8 - Extra context menu item: Easy-WebPrint Preview - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_Preview.html
O8 - Extra context menu item: Easy-WebPrint Print - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_Print.html
O9 - Extra button: UltimateBet - {10F055B8-F443-4adf-948A-EC551E9DBCE4} - C:\Documents and Settings\Steven\Start Menu\Programs\UltimateBet\UltimateBet.lnk
O9 - Extra 'Tools' menuitem: UltimateBet - {10F055B8-F443-4adf-948A-EC551E9DBCE4} - C:\Documents and Settings\Steven\Start Menu\Programs\UltimateBet\UltimateBet.lnk
O9 - Extra button: PokerStars - {3AD14F0C-ED16-4e43-B6D8-661B03F6A1EF} - C:\Program Files\PokerStars\PokerStarsUpdate.exe
O9 - Extra button: HP Clipbook - {58ECB495-38F0-49cb-A538-10282ABF65E7} - C:\Program Files\HP\Smart Web Printing\hpswp_extensions.dll
O9 - Extra button: HP Smart Select - {700259D7-1666-479a-93B1-3250410481E8} - C:\Program Files\HP\Smart Web Printing\hpswp_extensions.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~4\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {05CA9FB0-3E3E-4B36-BF41-0E3A5CAA8CD8} (Office Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=58813
O16 - DPF: {3EA4FA88-E0BE-419A-A732-9B79B87A6ED0} - http://dl.tvunetworks.com/TVUAx.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1173102757265
O16 - DPF: {A90A5822-F108-45AD-8482-9BC8B12DD539} (Crucial cpcScan) - http://crucial.com/controls/cpcScanner.cab
O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: CaCCProvSP - CA, Inc. - C:\Program Files\CA\CA Internet Security Suite\ccprovsp.exe
O23 - Service: CAISafe - Computer Associates International, Inc. - C:\Program Files\CA\CA Internet Security Suite\CA Anti-Virus\ISafe.exe
O23 - Service: Google Update Service (gupdate1c9ade18e308a84) (gupdate1c9ade18e308a84) - Google Inc. - C:\Program Files\Google\Update\GoogleUpdate.exe
O23 - Service: Intuit Update Service (IntuitUpdateService) - Intuit Inc. - C:\Program Files\Common Files\Intuit\Update Service\IntuitUpdateService.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: CA Pest Patrol Realtime Protection Service (ITMRTSVC) - CA, Inc. - C:\Program Files\CA\SharedComponents\PPRT\bin\ITMRTSVC.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: Lavasoft Ad-Aware Service - Unknown owner - C:\Program Files\Lavasoft\Ad-Aware\AAWService.exe (file missing)
O23 - Service: Intel NCS NetService (NetSvc) - Intel(R) Corporation - C:\Program Files\Intel\PROSetWired\NCS\Sync\NetSvc.exe
O23 - Service: PPCtlPriv - CA, Inc. - C:\Program Files\CA\CA Internet Security Suite\CA Anti-Spyware\PPCtlPriv.exe
O23 - Service: HIPS Event Manager (UmxAgent) - CA - C:\Program Files\CA\SharedComponents\HIPSEngine\UmxAgent.exe
O23 - Service: HIPS Configuration Interpreter (UmxCfg) - CA - C:\Program Files\CA\SharedComponents\HIPSEngine\UmxCfg.exe
O23 - Service: HIPS Firewall Helper (UmxFwHlp) - CA - C:\Program Files\CA\SharedComponents\HIPSEngine\UmxFwHlp.exe
O23 - Service: HIPS Policy Manager (UmxPol) - CA - C:\Program Files\CA\SharedComponents\HIPSEngine\UmxPol.exe
O23 - Service: VET Message Service (VETMSGNT) - CA, Inc. - C:\Program Files\CA\CA Internet Security Suite\CA Anti-Virus\VetMsg.exe
O23 - Service: Yahoo! Updater (YahooAUService) - Yahoo! Inc. - C:\Program Files\Yahoo!\SoftwareUpdate\YahooAUService.exe

--
End of file - 10236 bytes

trub · 2009/07/10

Current Java is java ra version 1.14.0.1655. Can not open it in control panel to effect any changes.

trub · 2009/07/10

sorry Java version is 6.0.110 with update 11. Still no control over it with control panel functions.

broni · 2009/07/10

Did you use JavaRa to make changes?
We can deal with this issue tomorrow, because I'm ready to take some rest.

At this point....

Your computer is clean

1. Download Temp File Cleaner (TFC)
Double click on TFC.exe to run the program.
Click on Start button to begin cleaning process.
TFC will close all running programs, and it may ask you to restart computer.

2. Turn off System Restore:

- Windows XP:
1. Click Start.
2. Right-click the My Computer icon, and then click Properties.
3. Click the System Restore tab.
4. Check "Turn off System Restore ".
5. Click Apply.
6. When turning off System Restore, the existing restore points will be deleted. Click Yes to do this.
7. Click OK.
- Windows Vista:
1. Click Start.
2. Right-click the Computer icon, and then click Properties.
3. Click on System Protection under the Tasks column on the left side
4. Click on Continue on the "User Account Control" window that pops up
5. Under the System Protection tab, find Available Disks
6. Uncheck the box for any drive you wish to disable system restore on (in most cases, drive "C: ")
7. When turning off System Restore, the existing restore points will be deleted. Click "Turn System Restore Off" on the popup window to do this.
8. Click OK

3. Restart computer.

4. Turn System Restore on.

5. Make sure, Windows Updates are current.

[SIZE= "4"]6. If any Trojan was listed among your infection(s), make sure, you change all of your on-line important passwords (bank account(s), secured web sites, etc.) immediately![/SIZE]

7. Download, and install WOT (Web OF Trust): http://www.mywot.com/. It'll warn you (in most cases) about dangerous web sites.

8. Run defrag at your convenience.

9. Read How did I get infected?, With steps so it does not happen again!: http://www.bleepingcomputer.com/forums/topic2520.html

10. Let me know, how is your computer doing.

trub · 2009/07/10

Yes used Java ra. Will double check it. I will finish up what you have given me and touch base tomorrow or today if you prefer. Thanks for all the help.

Log in or Sign up

Solved win32/AMalum virus start up issues

broni Moderator Malware Analyst

trub Well-Known Member Thread Starter

trub Well-Known Member Thread Starter

broni Moderator Malware Analyst

trub Well-Known Member Thread Starter

broni Moderator Malware Analyst

trub Well-Known Member Thread Starter

broni Moderator Malware Analyst

trub Well-Known Member Thread Starter

broni Moderator Malware Analyst

trub Well-Known Member Thread Starter

broni Moderator Malware Analyst

trub Well-Known Member Thread Starter

trub Well-Known Member Thread Starter

broni Moderator Malware Analyst

trub Well-Known Member Thread Starter

trub Well-Known Member Thread Starter

trub Well-Known Member Thread Starter

broni Moderator Malware Analyst

trub Well-Known Member Thread Starter

Share This Page

Log in or Sign up

Solved win32/AMalum virus start up issues

broni Moderator Malware Analyst

trub Well-Known Member Thread Starter

trub Well-Known Member Thread Starter

broni Moderator Malware Analyst

trub Well-Known Member Thread Starter

broni Moderator Malware Analyst

trub Well-Known Member Thread Starter

broni Moderator Malware Analyst

trub Well-Known Member Thread Starter

broni Moderator Malware Analyst

trub Well-Known Member Thread Starter

broni Moderator Malware Analyst

trub Well-Known Member Thread Starter

trub Well-Known Member Thread Starter

broni Moderator Malware Analyst

trub Well-Known Member Thread Starter

trub Well-Known Member Thread Starter

trub Well-Known Member Thread Starter

broni Moderator Malware Analyst

trub Well-Known Member Thread Starter

Share This Page

Useful Searches