
September 27th, 2008 02:00

Windows Defender going crazy with constant pop-up warnings.

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 8:46:59 PM, on 26/09/2008
Platform: Windows Vista SP1 (WinNT 6.00.1905)
MSIE: Internet Explorer v7.00 (7.00.6001.18000)
Boot mode: Normal

Running processes:
C:\Windows\system32\Dwm.exe
C:\Program Files\Windows Defender\MSASCui.exe
C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe
C:\Windows\System32\CtHelper.exe
C:\Program Files\Windows Sidebar\sidebar.exe
C:\Windows\system32\taskeng.exe
C:\Program Files\Windows Calendar\lmi\x86\LogMeInSystray.exe
C:\Program Files\Windows Calendar\lmi\x86\LMIGuardian.exe
C:\Program Files\Windows Media Player\wmpnscfg.exe
C:\Program Files\Azureus\Azureus.exe
C:\Program Files\Windows Live\Messenger\msnmsgr.exe
C:\Users\admin\MediaTubeCodec_ver1.1502.0.exe
C:\Windows\explorer.exe
C:\Windows\system32\wuauclt.exe
C:\Windows\system32\conime.exe
C:\Program Files\The Cleaner Demo\cleaner.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\Common Files\Symantec Shared\OPC\{31011D49-D90C-4da0-878B-78D28AD507AF}\CfgWiz.exe
C:\Program Files\Symantec\LiveUpdate\LUAll.exe
C:\Program Files\Symantec\LiveUpdate\LuCallbackProxy.exe
C:\Program Files\Symantec\LiveUpdate\LuCallbackProxy.exe
C:\Windows\system32\SearchFilterHost.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
O1 - Hosts: ::1 localhost
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: QXK Olive - {129D532E-E2EC-4527-B4BA-4626830EFE18} - C:\Windows\dfmlxbpkbkl.dll
O2 - BHO: (no name) - {1E8A6170-7264-4D0F-BEAE-D42A53123C75} - C:\Program Files\Common Files\Symantec Shared\coShared\Browser\1.5\NppBho.dll
O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Program Files\AVG\AVG8\avgssie.dll (file missing)
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O3 - Toolbar: Veoh Browser Plug-in - {D0943516-5076-4020-A3B5-AEFAF26AB263} - C:\Program Files\Veoh Networks\Veoh\Plugins\reg\VeohToolbar.dll
O3 - Toolbar: peltodgx - {BAB8F6DC-41B1-440F-A066-AAC224906880} - C:\Windows\peltodgx.dll
O3 - Toolbar: Show Norton Toolbar - {90222687-F593-4738-B738-FBEE9C7B26DF} - C:\Program Files\Common Files\Symantec Shared\coShared\Browser\1.5\UIBHO.dll
O4 - HKLM\..\Run: [Windows Defender] %ProgramFiles%\Windows Defender\MSASCui.exe -hide
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe"
O4 - HKLM\..\Run: [CTHelper] CTHELPER.EXE
O4 - HKLM\..\Run: [LogMeIn GUI] "C:\Program Files\Windows Calendar\lmi\x86\LogMeInSystray.exe"
O4 - HKLM\..\Run: [\YUR2B27.exe] C:\Windows\system32\YUR2B27.exe
O4 - HKLM\..\Run: [\YUR2CFC.exe] C:\Windows\system32\YUR2CFC.exe
O4 - HKLM\..\Run: [\YUR3132.exe] C:\Windows\system32\YUR3132.exe
O4 - HKLM\..\Run: [\YUR3A6A.exe] C:\Windows\system32\YUR3A6A.exe
O4 - HKLM\..\Run: [ANTIVIRUS] C:\Program Files\MicroAV\MicroAV.exe
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKCU\..\Run: [Sidebar] C:\Program Files\Windows Sidebar\sidebar.exe /autoRun
O4 - HKCU\..\Run: [WindowsWelcomeCenter] rundll32.exe oobefldr.dll,ShowWelcomeCenter
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\Windows Live\Messenger\msnmsgr.exe" /background
O4 - HKCU\..\Run: [ehTray.exe] C:\Windows\ehome\ehTray.exe
O4 - HKCU\..\Run: [] C:\Users\admin\AppData\Roaming\Adobe\Player.exe
O4 - HKCU\..\Run: [\YUR2B27.exe] C:\Windows\system32\YUR2B27.exe
O4 - HKCU\..\Run: [\YUR2CFC.exe] C:\Windows\system32\YUR2CFC.exe
O4 - HKCU\..\Run: [\YUR3132.exe] C:\Windows\system32\YUR3132.exe
O4 - HKCU\..\Run: [\YUR3A6A.exe] C:\Windows\system32\YUR3A6A.exe
O4 - HKCU\..\Run: [ANTIVIRUS] C:\Program Files\MicroAV\MicroAV.exe
O4 - HKUS\S-1-5-19\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-19\..\Run: [WindowsWelcomeCenter] rundll32.exe oobefldr.dll,ShowWelcomeCenter (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [DevconDefaultDB] C:\Windows\system32\READREG /SILENT /FAIL=1 (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [DevconDefaultDB] C:\Windows\system32\READREG /SILENT /FAIL=1 (User 'Default user')
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\PROGRA~1\Java\JRE16~2.0_0\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\PROGRA~1\Java\JRE16~2.0_0\bin\ssv.dll
O13 - Gopher Prefix:
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
O23 - Service: Automatic LiveUpdate Scheduler - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
O23 - Service: ##Id_String1.6844F930_1628_4223_B5CC_5BB94B879762## (Bonjour Service) - Apple Computer, Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: Symantec Lic NetConnect service (CLTNetCnService) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: COM Host (comHost) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\VAScanner\comHost.exe
O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
O23 - Service: Symantec IS Password Validation (ISPwdSvc) - Symantec Corporation - C:\Program Files\Norton Internet Security\isPwdSvc.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
O23 - Service: LogMeIn Maintenance Service (LMIMaint) - LogMeIn, Inc. - C:\Program Files\Windows Calendar\lmi\x86\RaMaint.exe
O23 - Service: LogMeIn - LogMeIn, Inc. - C:\Program Files\Windows Calendar\lmi\x86\LogMeIn.exe
O23 - Service: Remote Packet Capture Protocol v.0 (experimental) (rpcapd) - CACE Technologies - C:\Program Files\WinPcap\rpcapd.exe
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
O23 - Service: Symantec AppCore Service (SymAppCore) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\AppCore\AppSvc32.exe

--
End of file - 8155 bytes

20.5K Posts

September 27th, 2008 17:00


Welcome. Thank you for using Dell Community Forums.
I am reviewing your log.
In the meantime, you can help me by addressing the following:

* Have you posted this issue on another forum? If so, please provide a link to the topic.

* If you are using any cracked software, please remove it.
Definition of cracked software:
http://en.wikipedia.org/wiki/Software_cracking

* If you are using any P2P (file sharing) programs, please remove them before we clean your computer. That includes torrents.
The nature of such software and the high incidence of malware in files downloaded with them is counterproductive to restoring your PC to a healthy state. If you have music files in those programs' folders that you want to save, please move those music files to another directory.
A list of P2P programs is here: http://www.dellcommunity.com/supportforums/board/message?board.id=si_virus&thread.id=69430


* If this computer belongs to someone else, do you have authority to apply the fixes we will use?

* Have you already fixed entries using HijackThis? If so, please restore all the backups and then post another log.

* After we begin working, please print or copy all instructions to Notepad in order to assist you when carrying out procedures.
Please follow all instructions in sequence. Do not, on your own, install/re-install any programs or run any fixes or scanners that you have not been instructed to use because this may cause conflicts with the tools that I am using.

* During the course of our cleanup please do not do any online work or surfing until we have verified that your system is clean.

* We may be using some specialized tools during our fix. Certain embedded files that are part of legitimate programs or specialized fix tools such as process.exe, restart.exe, SmiUpdate.exe, reboot.exe, ws2fix.exe, prcviewer.exe and nircmd.exe may at times be detected by some anti-virus/anti-malware scanners as a "RiskTool", "Hacking tool", "Potentially unwanted tool", or even "malware (virus/trojan)" when that is not the case.
Such programs have legitimate uses in contexts where an authorized user or administrator has knowingly installed them. These detections do not necessarily mean the file is malware or a bad program. It means it has the potential for being misused by others. Anti-virus scanners cannot distinguish between "good" and "malicious" use of such programs; therefore they may alert you or even automatically remove them.

* If your replies do not fit in one post while we are handling your issue, please reply to yourself until all text is submitted. It may take several posts.

* After one week if you have not replied to my most recent post, I will consider this forum thread INACTIVE. If you would like me to continue handling your issue after that time, please send me a Private Message with a request to do so.

Instructions posted for this user are customized for this user only. The tools used may cause damage if used on a computer with different infections. If you think you have similar problems, please post a HijackThis log at the top of this board to start a new forum topic.


11 Posts

September 28th, 2008 21:00

Here is the log again after a restart, with nothing else running.

No posts on any other forum, only here.

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 4:53:03 PM, on 28/09/2008
Platform: Windows Vista SP1 (WinNT 6.00.1905)
MSIE: Internet Explorer v7.00 (7.00.6001.18000)
Boot mode: Normal

Running processes:
C:\Windows\system32\taskeng.exe
C:\Windows\system32\Dwm.exe
C:\Windows\Explorer.EXE
C:\Program Files\Adobe\Reader 8.0\Reader\reader_sl.exe
C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe
C:\Windows\System32\CtHelper.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\Windows Sidebar\sidebar.exe
C:\Windows\ehome\ehtray.exe
C:\Users\admin\AppData\Roaming\Adobe\Player.exe
C:\Program Files\Smart Antivirus 2009\Smart Antivirus-2009.exe
C:\Windows\ehome\ehmsas.exe
C:\Program Files\Windows Media Player\wmpnscfg.exe
C:\Users\admin\AppData\Local\Temp\Setup_ver1.1454.0.exe
C:\Windows\system32\cmd.exe
C:\Windows\system32\conime.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
C:\Windows\system32\rundll32.exe
C:\Windows\system32\rundll32.exe
C:\Windows\system32\rundll32.exe
C:\Windows\system32\rundll32.exe
C:\Windows\system32\SearchFilterHost.exe
C:\Program Files\Internet Explorer\iexplore.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://securityresponse.symantec.com/avcenter/fix_homepage/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://securityresponse.symantec.com/avcenter/fix_homepage/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://securityresponse.symantec.com/avcenter/fix_homepage/
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
O1 - Hosts: ::1 localhost
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: QXK Olive - {129D532E-E2EC-4527-B4BA-4626830EFE18} - C:\Windows\dfmlxbpkbkl.dll (file missing)
O2 - BHO: (no name) - {1E8A6170-7264-4D0F-BEAE-D42A53123C75} - C:\Program Files\Common Files\Symantec Shared\coShared\Browser\1.5\NppBho.dll
O2 - BHO: (no name) - {32C603AC-8848-4250-9181-CCE894B8DF2F} - C:\Windows\system32\jkkjiFyA.dll
O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Program Files\AVG\AVG8\avgssie.dll (file missing)
O2 - BHO: QXK Olive - {75CFDBEA-56E3-4065-B218-4A11FE8C46DB} - C:\Windows\dfmlxbpkeqv.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O3 - Toolbar: Veoh Browser Plug-in - {D0943516-5076-4020-A3B5-AEFAF26AB263} - C:\Program Files\Veoh Networks\Veoh\Plugins\reg\VeohToolbar.dll
O3 - Toolbar: peltodgx - {BAB8F6DC-41B1-440F-A066-AAC224906880} - C:\Windows\peltodgx.dll (file missing)
O3 - Toolbar: Show Norton Toolbar - {90222687-F593-4738-B738-FBEE9C7B26DF} - C:\Program Files\Common Files\Symantec Shared\coShared\Browser\1.5\UIBHO.dll
O4 - HKLM\..\Run: [Windows Defender] %ProgramFiles%\Windows Defender\MSASCui.exe -hide
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe"
O4 - HKLM\..\Run: [CTHelper] CTHELPER.EXE
O4 - HKLM\..\Run: [LogMeIn GUI] "C:\Program Files\Windows Calendar\lmi\x86\LogMeInSystray.exe"
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [Symantec PIF AlertEng] "C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe" /a /m "C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\AlertEng.dll"
O4 - HKLM\..\Run: [\YUR56C6.exe] C:\Windows\system32\YUR56C6.exe
O4 - HKLM\..\Run: [\YUR5280.exe] C:\Windows\system32\YUR5280.exe
O4 - HKLM\..\Run: [MSServer] rundll32.exe C:\Windows\system32\awTnKdDV.dll,#1
O4 - HKLM\..\Run: [4c262ed2] rundll32.exe "C:\Windows\system32\dgtbofuu.dll",b
O4 - HKCU\..\Run: [Sidebar] C:\Program Files\Windows Sidebar\sidebar.exe /autoRun
O4 - HKCU\..\Run: [WindowsWelcomeCenter] rundll32.exe oobefldr.dll,ShowWelcomeCenter
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\Windows Live\Messenger\msnmsgr.exe" /background
O4 - HKCU\..\Run: [ehTray.exe] C:\Windows\ehome\ehTray.exe
O4 - HKCU\..\Run: [] C:\Users\admin\AppData\Roaming\Adobe\Player.exe
O4 - HKCU\..\Run: [\YUR56C6.exe] C:\Windows\system32\YUR56C6.exe
O4 - HKCU\..\Run: [\YUR5280.exe] C:\Windows\system32\YUR5280.exe
O4 - HKCU\..\Run: [Smart Antivirus-2009.exe] C:\Program Files\Smart Antivirus 2009\Smart Antivirus-2009.exe
O4 - HKLM\..\Policies\Explorer\Run: []
O4 - HKUS\S-1-5-19\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-19\..\Run: [WindowsWelcomeCenter] rundll32.exe oobefldr.dll,ShowWelcomeCenter (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-19\..\RunOnce: []  (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-20\..\RunOnce: []  (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [DevconDefaultDB] C:\Windows\system32\READREG /SILENT /FAIL=1 (User 'SYSTEM')
O4 - HKUS\S-1-5-18\..\RunOnce: []  (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [DevconDefaultDB] C:\Windows\system32\READREG /SILENT /FAIL=1 (User 'Default user')
O4 - HKUS\.DEFAULT\..\RunOnce: []  (User 'Default user')
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\PROGRA~1\Java\JRE16~2.0_0\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\PROGRA~1\Java\JRE16~2.0_0\bin\ssv.dll
O13 - Gopher Prefix:
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
O23 - Service: Lavasoft Ad-Aware Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
O23 - Service: Automatic LiveUpdate Scheduler - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
O23 - Service: ##Id_String1.6844F930_1628_4223_B5CC_5BB94B879762## (Bonjour Service) - Apple Computer, Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: Symantec Lic NetConnect service (CLTNetCnService) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: COM Host (comHost) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\VAScanner\comHost.exe
O23 - Service: Symantec Eraser Service (EraserSvc10823) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
O23 - Service: Symantec IS Password Validation (ISPwdSvc) - Symantec Corporation - C:\Program Files\Norton Internet Security\isPwdSvc.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
O23 - Service: LiveUpdate Notice Service Ex (LiveUpdate Notice Ex) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: LiveUpdate Notice Service - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe
O23 - Service: LogMeIn Maintenance Service (LMIMaint) - LogMeIn, Inc. - C:\Program Files\Windows Calendar\lmi\x86\RaMaint.exe
O23 - Service: LogMeIn - LogMeIn, Inc. - C:\Program Files\Windows Calendar\lmi\x86\LogMeIn.exe
O23 - Service: Remote Packet Capture Protocol v.0 (experimental) (rpcapd) - CACE Technologies - C:\Program Files\WinPcap\rpcapd.exe
O23 - Service: Symantec Core LC - Unknown owner - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
O23 - Service: Symantec AppCore Service (SymAppCore) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\AppCore\AppSvc32.exe

--
End of file - 8859 bytes

20.5K Posts

September 28th, 2008 22:00



Please download Malwarebytes' Anti-Malware from Here or Here
  • Make sure you are connected to the Internet.
  • Double-click on Download_mbam-setup.exe to install the application.
  • When the installation begins, follow the prompts and do not make any changes to default settings.
  • When installation has finished, make sure you leave both of these checked:
    • Update Malwarebytes' Anti-Malware
    • Launch Malwarebytes' Anti-Malware
  • Then click Finish.
  • MBAM will automatically start and you will be asked to update the program before performing a scan. If an update is found, the program will automatically update itself. Press the OK button to close that box and continue.
  • If you encounter any problems while downloading the updates, manually download them from here and just double-click on mbam-rules.exe to install.
  • On the Scanner tab:
    • Make sure the "Perform Quick Scan" option is selected.
    • Then click on the Scan button.
    • The next screen will ask you to select the drives to scan. Leave all the drives selected and click on the Start Scan button.
    • The scan will begin and "Scan in progress" will show at the top. It may take some time to complete so please be patient.
    • When the scan is finished, a message box will say "The scan completed successfully. Click 'Show Results' to display all objects found".
    • Click OK to close the message box and continue with the removal process.
    • Back at the main Scanner screen, click on the Show Results button to see a list of any malware that was found.
    • Make sure that everything is checked, and click Remove Selected.
    • When removal is completed, a log report will open in Notepad and you may be prompted to restart your computer. (See Note below.)
    • The log is automatically saved and can be viewed by clicking the Logs tab in MBAM.
    • Copy and paste the contents of that report in your next reply and exit MBAM.
    • Please include a fresh HijackThis log as well.

Notes:

**If you encounter this message: "c:\program files\malwarebytes' Anti-Malware\mbamext.dll Unable to register the dll/ocx: RegSvr32 failed with exit code 0x5", click on Ignore for mbamext.dll.

**If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts. Click OK to either and let MBAM proceed with the disinfection process. If asked to restart the computer, please do so immediately. Failure to reboot will prevent MBAM from removing all the malware.

      11 Posts

      September 30th, 2008 12:00

      HJT

       

      Logfile of Trend Micro HijackThis v2.0.2
      Scan saved at 7:26:36 AM, on 30/09/2008
      Platform: Windows Vista SP1 (WinNT 6.00.1905)
      MSIE: Internet Explorer v7.00 (7.00.6001.18000)
      Boot mode: Normal

      Running processes:
      C:\Windows\System32\smss.exe
      C:\Windows\system32\csrss.exe
      C:\Windows\system32\wininit.exe
      C:\Windows\system32\csrss.exe
      C:\Windows\system32\services.exe
      C:\Windows\system32\lsass.exe
      C:\Windows\system32\lsm.exe
      C:\Windows\system32\winlogon.exe
      C:\Windows\system32\svchost.exe
      C:\Windows\system32\svchost.exe
      C:\Windows\System32\svchost.exe
      C:\Windows\System32\svchost.exe
      C:\Windows\system32\svchost.exe
      C:\Windows\system32\SLsvc.exe
      C:\Windows\system32\svchost.exe
      C:\Windows\system32\svchost.exe
      C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
      C:\Program Files\Common Files\Symantec Shared\AppCore\AppSvc32.exe
      C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
      C:\Windows\System32\spoolsv.exe
      C:\Windows\system32\svchost.exe
      C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
      C:\Program Files\Bonjour\mDNSResponder.exe
      C:\Program Files\Windows Calendar\lmi\x86\RaMaint.exe
      C:\Program Files\Windows Calendar\lmi\x86\LogMeIn.exe
      C:\Program Files\Windows Calendar\lmi\x86\LMIGuardian.exe
      C:\Windows\system32\taskeng.exe
      C:\Windows\system32\svchost.exe
      C:\Windows\system32\svchost.exe
      C:\Program Files\Spyware Doctor\pctsAuxs.exe
      C:\Program Files\Spyware Doctor\pctsSvc.exe
      C:\Windows\system32\taskeng.exe
      C:\Windows\system32\Dwm.exe
      C:\Windows\Explorer.EXE
      C:\Program Files\Adobe\Reader 8.0\Reader\reader_sl.exe
      C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe
      C:\Windows\System32\CtHelper.exe
      C:\Program Files\Windows Sidebar\sidebar.exe
      C:\Program Files\Windows Live\Messenger\msnmsgr.exe
      C:\Windows\ehome\ehtray.exe
      C:\Windows\system32\svchost.exe
      C:\Program Files\Spyware Doctor\pctsTray.exe
      C:\Windows\System32\svchost.exe
      C:\Windows\system32\SearchIndexer.exe
      C:\Program Files\Windows Calendar\lmi\x86\LogMeInSystray.exe
      C:\Program Files\Windows Calendar\lmi\x86\LMIGuardian.exe
      C:\Program Files\Windows Media Player\wmpnscfg.exe
      C:\Windows\ehome\ehmsas.exe
      C:\Program Files\Windows Media Player\wmpnetwk.exe
      C:\Program Files\Windows Live\Messenger\usnsvc.exe
      C:\Windows\system32\SearchProtocolHost.exe
      C:\Windows\system32\SearchFilterHost.exe
      C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
      C:\Program Files\Mozilla Firefox\firefox.exe
      C:\Windows\system32\wbem\wmiprvse.exe

      R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://securityresponse.symantec.com/avcenter/fix_homepage/
      R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://securityresponse.symantec.com/avcenter/fix_homepage/
      R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
      R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://securityresponse.symantec.com/avcenter/fix_homepage/
      R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://securityresponse.symantec.com/avcenter/fix_homepage
      R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
      R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
      F2 - REG:system.ini: UserInit=C:\Windows\system32\userinit.exe
      O1 - Hosts: ::1 localhost
      O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
      O2 - BHO: (no name) - {1E8A6170-7264-4D0F-BEAE-D42A53123C75} - C:\Program Files\Common Files\Symantec Shared\coShared\Browser\1.5\NppBho.dll
      O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Program Files\AVG\AVG8\avgssie.dll (file missing)
      O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
      O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
      O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
      O3 - Toolbar: Veoh Browser Plug-in - {D0943516-5076-4020-A3B5-AEFAF26AB263} - C:\Program Files\Veoh Networks\Veoh\Plugins\reg\VeohToolbar.dll
      O3 - Toolbar: (no name) - {BAB8F6DC-41B1-440F-A066-AAC224906880} - (no file)
      O3 - Toolbar: Show Norton Toolbar - {90222687-F593-4738-B738-FBEE9C7B26DF} - C:\Program Files\Common Files\Symantec Shared\coShared\Browser\1.5\UIBHO.dll
      O4 - HKLM\..\Run: [Windows Defender] %ProgramFiles%\Windows Defender\MSASCui.exe -hide
      O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
      O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
      O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe"
      O4 - HKLM\..\Run: [CTHelper] CTHELPER.EXE
      O4 - HKLM\..\Run: [LogMeIn GUI] "C:\Program Files\Windows Calendar\lmi\x86\LogMeInSystray.exe"
      O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
      O4 - HKLM\..\Run: [Symantec PIF AlertEng] "C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe" /a /m "C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\AlertEng.dll"
      O4 - HKLM\..\Run: [ISTray] "C:\Program Files\Spyware Doctor\pctsTray.exe"
      O4 - HKCU\..\Run: [Sidebar] C:\Program Files\Windows Sidebar\sidebar.exe /autoRun
      O4 - HKCU\..\Run: [WindowsWelcomeCenter] rundll32.exe oobefldr.dll,ShowWelcomeCenter
      O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\Windows Live\Messenger\msnmsgr.exe" /background
      O4 - HKCU\..\Run: [ehTray.exe] C:\Windows\ehome\ehTray.exe
      O4 - HKLM\..\Policies\Explorer\Run: []
      O4 - HKUS\S-1-5-19\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem (User 'LOCAL SERVICE')
      O4 - HKUS\S-1-5-19\..\Run: [WindowsWelcomeCenter] rundll32.exe oobefldr.dll,ShowWelcomeCenter (User 'LOCAL SERVICE')
      O4 - HKUS\S-1-5-19\..\RunOnce: []  (User 'LOCAL SERVICE')
      O4 - HKUS\S-1-5-20\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem (User 'NETWORK SERVICE')
      O4 - HKUS\S-1-5-20\..\RunOnce: []  (User 'NETWORK SERVICE')
      O4 - HKUS\S-1-5-18\..\Run: [DevconDefaultDB] C:\Windows\system32\READREG /SILENT /FAIL=1 (User 'SYSTEM')
      O4 - HKUS\S-1-5-18\..\RunOnce: []  (User 'SYSTEM')
      O4 - HKUS\.DEFAULT\..\Run: [DevconDefaultDB] C:\Windows\system32\READREG /SILENT /FAIL=1 (User 'Default user')
      O4 - HKUS\.DEFAULT\..\RunOnce: []  (User 'Default user')
      O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\PROGRA~1\Java\JRE16~2.0_0\bin\ssv.dll
      O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\PROGRA~1\Java\JRE16~2.0_0\bin\ssv.dll
      O13 - Gopher Prefix:
      O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
      O23 - Service: Lavasoft Ad-Aware Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
      O23 - Service: Automatic LiveUpdate Scheduler - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
      O23 - Service: ##Id_String1.6844F930_1628_4223_B5CC_5BB94B879762## (Bonjour Service) - Apple Computer, Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
      O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
      O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
      O23 - Service: Symantec Lic NetConnect service (CLTNetCnService) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
      O23 - Service: COM Host (comHost) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\VAScanner\comHost.exe
      O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
      O23 - Service: Symantec IS Password Validation (ISPwdSvc) - Symantec Corporation - C:\Program Files\Norton Internet Security\isPwdSvc.exe
      O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
      O23 - Service: LiveUpdate Notice Service Ex (LiveUpdate Notice Ex) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
      O23 - Service: LiveUpdate Notice Service - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe
      O23 - Service: LogMeIn Maintenance Service (LMIMaint) - LogMeIn, Inc. - C:\Program Files\Windows Calendar\lmi\x86\RaMaint.exe
      O23 - Service: LogMeIn - LogMeIn, Inc. - C:\Program Files\Windows Calendar\lmi\x86\LogMeIn.exe
      O23 - Service: Remote Packet Capture Protocol v.0 (experimental) (rpcapd) - CACE Technologies - C:\Program Files\WinPcap\rpcapd.exe
      O23 - Service: PC Tools Auxiliary Service (sdAuxService) - PC Tools - C:\Program Files\Spyware Doctor\pctsAuxs.exe
      O23 - Service: PC Tools Security Service (sdCoreService) - PC Tools - C:\Program Files\Spyware Doctor\pctsSvc.exe
      O23 - Service: Symantec Core LC - Unknown owner - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
      O23 - Service: Symantec AppCore Service (SymAppCore) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\AppCore\AppSvc32.exe

      --
      End of file - 9599 bytes
      11 Posts

      September 30th, 2008 12:00

      Malwarebytes' Anti-Malware 1.28
      Database version: 1223
      Windows 6.0.6001 Service Pack 1

      30/09/2008 7:18:48 AM
      mbam-log-2008-09-30 (07-18-47).txt

      Scan type: Quick Scan
      Objects scanned: 48244
      Time elapsed: 11 minute(s), 13 second(s)

      Memory Processes Infected: 0
      Memory Modules Infected: 4
      Registry Keys Infected: 18
      Registry Values Infected: 8
      Registry Data Items Infected: 3
      Folders Infected: 7
      Files Infected: 89

      Memory Processes Infected:
      (No malicious items detected)

      Memory Modules Infected:
      C:\Windows\System32\jkkjiFyA.dll (Trojan.Vundo.H) -> Delete on reboot.
      C:\Windows\System32\ntotnlki.dll (Trojan.Vundo.H) -> Delete on reboot.
      C:\Windows\System32\tvrtowig.dll (Trojan.Vundo.H) -> Delete on reboot.
      C:\Windows\System32\byXNdApN.dll (Trojan.Vundo) -> Delete on reboot.

      Registry Keys Infected:
      HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{29e680c9-7d15-4f82-ae78-a4a231159079} (Trojan.Vundo.H) -> Delete on reboot.
      HKEY_CLASSES_ROOT\CLSID\{29e680c9-7d15-4f82-ae78-a4a231159079} (Trojan.Vundo.H) -> Delete on reboot.
      HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{7499c7d9-f599-4b91-b0fc-fbea946a5692} (Trojan.BHO.H) -> Quarantined and deleted successfully.
      HKEY_CLASSES_ROOT\CLSID\{7499c7d9-f599-4b91-b0fc-fbea946a5692} (Trojan.BHO.H) -> Delete on reboot.
      HKEY_CLASSES_ROOT\peltodgx.bqxp (Trojan.FakeAlert) -> Quarantined and deleted successfully.
      HKEY_CLASSES_ROOT\peltodgx.toolbar.1 (Trojan.FakeAlert) -> Quarantined and deleted successfully.
      HKEY_CLASSES_ROOT\CLSID\{bab8f6dc-41b1-440f-a066-aac224906880} (Trojan.FakeAlert) -> Quarantined and deleted successfully.
      HKEY_CLASSES_ROOT\CLSID\{129d532e-e2ec-4527-b4ba-4626830efe18} (Rogue.MicroAV) -> Quarantined and deleted successfully.
      HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{129d532e-e2ec-4527-b4ba-4626830efe18} (Rogue.MicroAV) -> Quarantined and deleted successfully.
      HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\contim (Trojan.Vundo) -> Delete on reboot.
      HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\FCOVM (Trojan.Vundo) -> Quarantined and deleted successfully.
      HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\RemoveRP (Trojan.Vundo) -> Quarantined and deleted successfully.
      HKEY_CLASSES_ROOT\TypeLib\{b4060a99-16fb-4e56-acb0-eddb15657062} (Trojan.FakeAlert) -> Quarantined and deleted successfully.
      HKEY_CLASSES_ROOT\Interface\{89f37dea-602e-4a19-81cb-07d6320d3bcd} (Trojan.FakeAlert) -> Quarantined and deleted successfully.
      HKEY_CLASSES_ROOT\Interface\{f2f6e2ca-d64a-4167-bd75-99ef00510e8f} (Trojan.FakeAlert) -> Quarantined and deleted successfully.
      HKEY_CLASSES_ROOT\CLSID\{75cfdbea-56e3-4065-b218-4a11fe8c46db} (Trojan.FakeAlert) -> Quarantined and deleted successfully.
      HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{75cfdbea-56e3-4065-b218-4a11fe8c46db} (Trojan.FakeAlert) -> Quarantined and deleted successfully.
      HKEY_CURRENT_USER\SOFTWARE\MicroAV (Rogue.MicroAntivirus) -> Quarantined and deleted successfully.

      Registry Values Infected:
      HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\4c262ed2 (Trojan.Vundo.H) -> Quarantined and deleted successfully.
      HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks\{7499c7d9-f599-4b91-b0fc-fbea946a5692} (Trojan.Vundo) -> Delete on reboot.
      HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\msserver (Trojan.Vundo) -> Delete on reboot.
      HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\\yur56c6.exe (Trojan.Agent) -> Quarantined and deleted successfully.
      HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\\yur5280.exe (Trojan.Agent) -> Quarantined and deleted successfully.
      HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\\yur56c6.exe (Trojan.Agent) -> Quarantined and deleted successfully.
      HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\\yur5280.exe (Trojan.Agent) -> Quarantined and deleted successfully.
      HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ (Trojan.Agent) -> Quarantined and deleted successfully.

      Registry Data Items Infected:
      HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\LSA\Notification Packages (Trojan.Vundo.H) -> Data: c:\windows\system32\jkkjifya -> Quarantined and deleted successfully.
      HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\LSA\Authentication Packages (Trojan.Vundo) -> Data: c:\windows\system32\jkkjifya  -> Delete on reboot.
      HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoDrives (Hijack.Drives) -> Bad: (12) Good: (0) -> Quarantined and deleted successfully.

      Folders Infected:
      C:\Program Files\PCHealthCenter (Trojan.Fakealert) -> Quarantined and deleted successfully.
      C:\Program Files\Smart Antivirus 2009 (Rogue.SmartAntivirus) -> Quarantined and deleted successfully.
      C:\Program Files\Smart Antivirus 2009\Infected (Rogue.SmartAntivirus) -> Quarantined and deleted successfully.
      C:\Program Files\Smart Antivirus 2009\Suspicious (Rogue.SmartAntivirus) -> Quarantined and deleted successfully.
      C:\Users\admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Smart Antivirus 2009 (Rogue.SmartAntivirus) -> Quarantined and deleted successfully.
      C:\Program Files\MicroAV (Rogue.MicroAntivirus) -> Quarantined and deleted successfully.
      C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Smart Antivirus 2009 (Rogue.SmartAntivirus) -> Quarantined and deleted successfully.

      Files Infected:
      C:\Windows\System32\jkkjiFyA.dll (Trojan.Vundo.H) -> Delete on reboot.
      C:\Windows\System32\AyFijkkj.ini (Trojan.Vundo.H) -> Quarantined and deleted successfully.
      C:\Windows\System32\AyFijkkj.ini2 (Trojan.Vundo.H) -> Quarantined and deleted successfully.
      C:\Windows\System32\dgtbofuu.dll (Trojan.Vundo.H) -> Quarantined and deleted successfully.
      C:\Windows\System32\uufobtgd.ini (Trojan.Vundo.H) -> Quarantined and deleted successfully.
      C:\Windows\System32\ntotnlki.dll (Trojan.Vundo.H) -> Delete on reboot.
      C:\Windows\System32\iklntotn.ini (Trojan.Vundo.H) -> Quarantined and deleted successfully.
      C:\Windows\System32\tvrtowig.dll (Trojan.Vundo.H) -> Delete on reboot.
      C:\Windows\System32\giwotrvt.ini (Trojan.Vundo.H) -> Quarantined and deleted successfully.
      C:\Windows\System32\byXNdApN.dll (Trojan.BHO.H) -> Delete on reboot.
      C:\Windows\System32\ssqPjhfg.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
      C:\Windows\System32\awtrPfda.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
      C:\Windows\System32\awtsPJYq.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
      C:\Windows\System32\awtusqpM.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
      C:\Windows\System32\ddcBqnLd.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
      C:\Windows\System32\ddcBRjJD.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
      C:\Windows\System32\fccaAqrQ.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
      C:\Windows\System32\fccbbywV.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
      C:\Windows\System32\fccdBSml.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
      C:\Windows\System32\geBrppml.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
      C:\Windows\System32\geBrrRJC.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
      C:\Windows\System32\geBtsPfC.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
      C:\Windows\System32\geBtUolL.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
      C:\Windows\System32\geBtusRj.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
      C:\Windows\System32\hgGaAQjG.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
      C:\Windows\System32\hggDSlif.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
      C:\Windows\System32\hgGwTkIx.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
      C:\Windows\System32\iifcDUNG.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
      C:\Windows\System32\iifdDuSk.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
      C:\Windows\System32\iifgfggf.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
      C:\Windows\System32\jkkiJcDT.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
      C:\Windows\System32\jkkLCtUm.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
      C:\Windows\System32\jkkLETNe.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
      C:\Windows\System32\jkkLEXOF.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
      C:\Windows\System32\khFVLeeb.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
      C:\Windows\System32\mlJDvTKB.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
      C:\Windows\System32\nnnlmNGW.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
      C:\Windows\System32\nnnmnmKd.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
      C:\Windows\System32\nnnmnnll.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
      C:\Windows\System32\nnnmnomM.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
      C:\Windows\System32\opnkhFxw.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
      C:\Windows\System32\opnlJdaB.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
      C:\Windows\System32\qoMdDtus.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
      C:\Windows\System32\rqRIyAsQ.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
      C:\Windows\System32\tuvSiGyy.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
      C:\Windows\System32\tuvSMCuv.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
      C:\Windows\System32\urqOIaax.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
      C:\Windows\System32\vtUlLDVn.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
      C:\Windows\System32\vtuspOhi.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
      C:\Windows\System32\wvUnOETj.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
      C:\Windows\System32\xxywTNGw.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
      C:\Windows\System32\xxyYoPjg.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
      C:\Windows\System32\xxyyxWnl.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
      C:\Users\admin\AppData\Local\Temp\tmp000104ae (Trojan.Vundo) -> Quarantined and deleted successfully.
      C:\Users\admin\AppData\Local\Temp\tmp00015a9e (Trojan.Vundo) -> Quarantined and deleted successfully.
      C:\Users\admin\AppData\Local\Temp\tmp000186a0 (Trojan.Vundo) -> Quarantined and deleted successfully.
      C:\Users\admin\AppData\Local\Temp\tmp000213cc (Trojan.Vundo) -> Quarantined and deleted successfully.
      C:\Users\admin\AppData\Local\Temp\tmp00d0949b (Trojan.Vundo) -> Quarantined and deleted successfully.
      C:\Program Files\PCHealthCenter\0.gif (Trojan.Fakealert) -> Quarantined and deleted successfully.
      C:\Program Files\PCHealthCenter\1.gif (Trojan.Fakealert) -> Quarantined and deleted successfully.
      C:\Program Files\PCHealthCenter\1.ico (Trojan.Fakealert) -> Quarantined and deleted successfully.
      C:\Program Files\PCHealthCenter\2.gif (Trojan.Fakealert) -> Quarantined and deleted successfully.
      C:\Program Files\PCHealthCenter\2.ico (Trojan.Fakealert) -> Quarantined and deleted successfully.
      C:\Program Files\PCHealthCenter\3.gif (Trojan.Fakealert) -> Quarantined and deleted successfully.
      C:\Program Files\PCHealthCenter\sc.html (Trojan.Fakealert) -> Quarantined and deleted successfully.
      C:\Program Files\Smart Antivirus 2009\vscan.tsi (Rogue.SmartAntivirus) -> Quarantined and deleted successfully.
      C:\Program Files\Smart Antivirus 2009\zlib.dll (Rogue.SmartAntivirus) -> Quarantined and deleted successfully.
      C:\Users\admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Smart Antivirus 2009\Smart Antivirus-2009.lnk (Rogue.SmartAntivirus) -> Quarantined and deleted successfully.
      C:\Program Files\MicroAV\MicroAV.ooo (Rogue.MicroAntivirus) -> Quarantined and deleted successfully.
      C:\Program Files\MicroAV\MicroAV0.dat (Rogue.MicroAntivirus) -> Quarantined and deleted successfully.
      C:\Program Files\MicroAV\MicroAV1.dat (Rogue.MicroAntivirus) -> Quarantined and deleted successfully.
      C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Smart Antivirus 2009\Smart Antivirus-2009.lnk (Rogue.SmartAntivirus) -> Quarantined and deleted successfully.
      C:\Users\admin\Desktop\Micro Antivirus 2009.lnk (Rogue.XPertAntivirus) -> Quarantined and deleted successfully.
      C:\Users\admin\Desktop\Smart Antivirus-2009.lnk (Rogue.SmartAntivirus) -> Quarantined and deleted successfully.
      C:\Users\admin\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\Smart Antivirus-2009.lnk (Rogue.SmartAntivirus) -> Quarantined and deleted successfully.
      C:\Windows\System32\1.ico (Malware.Trace) -> Quarantined and deleted successfully.
      C:\Windows\System32\2.ico (Malware.Trace) -> Quarantined and deleted successfully.
      C:\Users\admin\AppData\Roaming\Adobe\Player.exe (Trojan.Agent) -> Delete on reboot.
      C:\Windows\System32\TDSSl.dll (Trojan.Agent) -> Quarantined and deleted successfully.
      C:\Windows\onfwbsak.dll (Trojan.FakeAlert) -> Quarantined and deleted successfully.
      C:\Windows\dfmlxbpkeqv.dll (Trojan.FakeAlert) -> Quarantined and deleted successfully.
      C:\Users\admin\AppData\Local\Temp\TDSS3925.tmp (Trojan.FakeAlert) -> Quarantined and deleted successfully.
      C:\Users\admin\AppData\Local\Temp\TDSS497b.tmp (Trojan.FakeAlert) -> Quarantined and deleted successfully.
      C:\Users\admin\AppData\Local\Temp\sfsrv.exe (Trojan.FakeAlert) -> Quarantined and deleted successfully.
      C:\Users\admin\AppData\Local\Temp\msfont32.dll (Trojan.FakeAlert) -> Quarantined and deleted successfully.
      C:\Users\admin\AppData\Local\Temp\sft_ver1.1454.0.exe (Trojan.FakeAlert) -> Quarantined and deleted successfully.
      C:\Users\admin\MediaTubeCodec_ver1.1502.0.exe (Trojan.FakeAlert) -> Quarantined and deleted successfully.
      C:\Users\cal\Desktop\Smart Antivirus-2009.lnk (Rogue.SmartAntivirus) -> Quarantined and deleted successfully.
      C:\Users\cal\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\Smart Antivirus-2009.lnk (Rogue.SmartAntivirus) -> Quarantined and deleted successfully.
      20.5K Posts

      September 30th, 2008 15:00

      You had a lot of malware in there. I'm surprised at that, considering that the OS is Vista.

      Because you are using Vista, please print and review this information regarding Recovery in Windows Vista:
      http://windowshelp.microsoft.com/Windows/en-US/help/326b756b-1601-435e-99d0-1585439470351033.mspx
      Most likely you will not need it, but in the event that you have problems after running ComboFix, you will have the information.

      Please download ComboFix from HERE

      ** Take note that the link is case sensitive
      Save ComboFix to the desktop. **Note: It is important that it is saved directly to, and run from your desktop**


      * Close any open browsers. Disconnect from the internet.
      * Close/disable all anti-virus and anti-malware programs so they do not interfere with the running of ComboFix.
      Double click ComboFix.exe and follow the prompts.
      You will temporarily lose the Desktop while the scan is running. Once the scan is done your Desktop will return to normal.

      When finished, it will produce a log for you. The report is located at C:\ComboFix.txt. Post that log in your next reply along with a fresh HijackThis log.

      Notes:
      * Do not mouse-click ComboFix's window while it's running. That may cause it to stall.
      * ComboFix may reset a number of Internet Explorer's settings, including making it the default browser.
      * Don't forget to enable your anti-virus before coming back online to post your logs.

      Note: The above instructions were created specifically for this user. If you are not this user, do NOT follow these directions as they could damage the workings of your system.
      You should NOT use ComboFix unless you have been instructed to do so by a Malware Removal Expert. It is intended by its creator to be used under the guidance and supervision of an expert, not for private use.

      11 Posts

      September 30th, 2008 23:00

      Logfile of Trend Micro HijackThis v2.0.2
      Scan saved at 6:55:12 PM, on 30/09/2008
      Platform: Windows Vista SP1 (WinNT 6.00.1905)
      MSIE: Internet Explorer v7.00 (7.00.6001.18000)
      Boot mode: Normal

      Running processes:
      C:\Windows\system32\taskeng.exe
      C:\Windows\system32\Dwm.exe
      C:\Windows\system32\conime.exe
      C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe
      C:\Windows\ehome\ehtray.exe
      C:\Windows\ehome\ehmsas.exe
      C:\Windows\Explorer.exe
      C:\Program Files\Mozilla Firefox\firefox.exe
      C:\Program Files\Windows Media Player\wmpnscfg.exe
      C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

      R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://securityresponse.symantec.com/avcenter/fix_homepage/
      R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
      R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
      R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
      R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://securityresponse.symantec.com/avcenter/fix_homepage/
      R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://securityresponse.symantec.com/avcenter/fix_homepage
      R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
      R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
      O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
      O2 - BHO: (no name) - {1E8A6170-7264-4D0F-BEAE-D42A53123C75} - C:\Program Files\Common Files\Symantec Shared\coShared\Browser\1.5\NppBho.dll
      O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Program Files\AVG\AVG8\avgssie.dll (file missing)
      O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
      O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
      O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
      O3 - Toolbar: Veoh Browser Plug-in - {D0943516-5076-4020-A3B5-AEFAF26AB263} - C:\Program Files\Veoh Networks\Veoh\Plugins\reg\VeohToolbar.dll
      O3 - Toolbar: Show Norton Toolbar - {90222687-F593-4738-B738-FBEE9C7B26DF} - C:\Program Files\Common Files\Symantec Shared\coShared\Browser\1.5\UIBHO.dll
      O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe"
      O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
      O4 - HKUS\S-1-5-19\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem (User 'LOCAL SERVICE')
      O4 - HKUS\S-1-5-19\..\Run: [WindowsWelcomeCenter] rundll32.exe oobefldr.dll,ShowWelcomeCenter (User 'LOCAL SERVICE')
      O4 - HKUS\S-1-5-19\..\RunOnce: []  (User 'LOCAL SERVICE')
      O4 - HKUS\S-1-5-20\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem (User 'NETWORK SERVICE')
      O4 - HKUS\S-1-5-20\..\RunOnce: []  (User 'NETWORK SERVICE')
      O4 - HKUS\S-1-5-18\..\Run: [DevconDefaultDB] C:\Windows\system32\READREG /SILENT /FAIL=1 (User 'SYSTEM')
      O4 - HKUS\S-1-5-18\..\RunOnce: []  (User 'SYSTEM')
      O4 - HKUS\.DEFAULT\..\Run: [DevconDefaultDB] C:\Windows\system32\READREG /SILENT /FAIL=1 (User 'Default user')
      O4 - HKUS\.DEFAULT\..\RunOnce: []  (User 'Default user')
      O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\PROGRA~1\Java\JRE16~2.0_0\bin\ssv.dll
      O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\PROGRA~1\Java\JRE16~2.0_0\bin\ssv.dll
      O13 - Gopher Prefix:
      O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
      O23 - Service: Lavasoft Ad-Aware Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
      O23 - Service: Automatic LiveUpdate Scheduler - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
      O23 - Service: ##Id_String1.6844F930_1628_4223_B5CC_5BB94B879762## (Bonjour Service) - Apple Computer, Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
      O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
      O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
      O23 - Service: Symantec Lic NetConnect service (CLTNetCnService) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
      O23 - Service: COM Host (comHost) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\VAScanner\comHost.exe
      O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
      O23 - Service: Symantec IS Password Validation (ISPwdSvc) - Symantec Corporation - C:\Program Files\Norton Internet Security\isPwdSvc.exe
      O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
      O23 - Service: LiveUpdate Notice Service Ex (LiveUpdate Notice Ex) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
      O23 - Service: LiveUpdate Notice Service - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe
      O23 - Service: LogMeIn Maintenance Service (LMIMaint) - LogMeIn, Inc. - C:\Program Files\Windows Calendar\lmi\x86\RaMaint.exe
      O23 - Service: LogMeIn - LogMeIn, Inc. - C:\Program Files\Windows Calendar\lmi\x86\LogMeIn.exe
      O23 - Service: Remote Packet Capture Protocol v.0 (experimental) (rpcapd) - CACE Technologies - C:\Program Files\WinPcap\rpcapd.exe
      O23 - Service: PC Tools Auxiliary Service (sdAuxService) - PC Tools - C:\Program Files\Spyware Doctor\pctsAuxs.exe
      O23 - Service: PC Tools Security Service (sdCoreService) - PC Tools - C:\Program Files\Spyware Doctor\pctsSvc.exe
      O23 - Service: Symantec Core LC - Unknown owner - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
      O23 - Service: Symantec AppCore Service (SymAppCore) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\AppCore\AppSvc32.exe

      --
      End of file - 6531 bytes

      11 Posts

      September 30th, 2008 23:00

      ComboFix 08-09-30.03 - admin 2008-09-30 18:37:59.1 - NTFSx86
      Microsoft® Windows Vista™ Home Premium   6.0.6001.1.1252.1.1033.18.388 [GMT -6:00]
      Running from: C:\Users\admin\Downloads\ComboFix.exe
       * Created a new restore point
      .

      (((((((((((((((((((((((((((((((((((((((   Other Deletions   )))))))))))))))))))))))))))))))))))))))))))))))))
      .

      C:\ProgramData\Microsoft\Network\Downloader\qmgr0.dat
      C:\ProgramData\Microsoft\Network\Downloader\qmgr1.dat
      C:\Users\admin\AppData\Roaming\Adobe\crc.dat
      C:\Windows\system32\brwdtwyu.ini

      ----- BITS: Possible infected sites -----

      hxxp://91.203.93.6
      hxxp://78.157.143.198
      hxxp://liveupdateservice.cn
      hxxp://78.157.143.163
      .
      (((((((((((((((((((((((((((((((((((((((   Drivers/Services   )))))))))))))))))))))))))))))))))))))))))))))))))
      .

      -------\Legacy_MCHINJDRV
      -------\Legacy_NPF
      -------\Service_NPF


      (((((((((((((((((((((((((   Files Created from 2008-09-01 to 2008-10-01  )))))))))))))))))))))))))))))))
      .

      2008-09-29 21:40 . 2008-09-29 21:40        d--------    C:\Users\All Users\Malwarebytes
      2008-09-29 21:40 . 2008-09-29 21:40        d--------    C:\Users\admin\AppData\Roaming\Malwarebytes
      2008-09-29 21:40 . 2008-09-29 21:40        d--------    C:\ProgramData\Malwarebytes
      2008-09-29 21:40 . 2008-09-29 21:48        d--------    C:\Program Files\Malwarebytes' Anti-Malware
      2008-09-29 21:40 . 2008-09-10 00:04    38,528    --a------    C:\Windows\System32\drivers\mbamswissarmy.sys
      2008-09-29 21:40 . 2008-09-10 00:03    17,200    --a------    C:\Windows\System32\drivers\mbam.sys
      2008-09-28 23:55 . 2008-09-30 18:33        d-a------    C:\Users\All Users\TEMP
      2008-09-28 23:55 . 2008-09-30 18:33        d-a------    C:\ProgramData\TEMP
      2008-09-28 17:12 . 2008-08-25 11:36    81,288    --a------    C:\Windows\System32\drivers\iksyssec.sys
      2008-09-28 17:12 . 2008-08-25 11:36    66,952    --a------    C:\Windows\System32\drivers\iksysflt.sys
      2008-09-28 17:12 . 2008-08-25 11:36    40,840    --a------    C:\Windows\System32\drivers\ikfilesec.sys
      2008-09-28 17:12 . 2008-06-02 15:19    29,576    --a------    C:\Windows\System32\drivers\kcom.sys
      2008-09-28 17:11 . 2008-09-28 17:11        d--------    C:\Users\admin\AppData\Roaming\PC Tools
      2008-09-28 17:11 . 2008-09-30 06:05        d--------    C:\Program Files\Spyware Doctor
      2008-09-27 19:27 . 2008-09-27 19:27    246    --ah-----    C:\aaw7boot.cmd
      2008-09-26 23:55 . 2008-09-27 00:16        d--------    C:\Users\All Users\Lavasoft
      2008-09-26 23:55 . 2008-09-27 00:16        d--------    C:\ProgramData\Lavasoft
      2008-09-26 23:55 . 2008-09-26 23:55        d--------    C:\Program Files\Lavasoft
      2008-09-26 21:10 . 2008-09-26 21:10    16    --a------    C:\Windows\System32\coh.cache
      2008-09-26 20:45 . 2008-09-26 20:45        d--------    C:\Program Files\Trend Micro
      2008-09-26 20:27 . 2008-09-27 21:40        d--------    C:\Program Files\Norton Internet Security
      2008-09-26 20:26 . 2008-09-26 20:51    123,952    --a------    C:\Windows\System32\drivers\SYMEVENT.SYS
      2008-09-26 20:26 . 2008-09-26 20:51    10,671    --a------    C:\Windows\System32\drivers\SYMEVENT.CAT
      2008-09-26 20:26 . 2008-09-26 20:51    805    --a------    C:\Windows\System32\drivers\SYMEVENT.INF
      2008-09-26 20:21 . 2008-09-30 08:08        d--------    C:\Users\All Users\Symantec
      2008-09-26 20:21 . 2008-09-30 08:08        d--------    C:\ProgramData\Symantec
      2008-09-26 20:21 . 2008-09-26 20:51        d--------    C:\Program Files\Symantec
      2008-09-26 20:21 . 2008-09-26 20:48        d--------    C:\Program Files\Common Files\Symantec Shared
      2008-09-26 07:05 . 2008-09-26 23:50        d--------    C:\Program Files\The Cleaner Demo
      2008-09-20 20:04 . 2008-09-20 20:04    107,888    --a------    C:\Windows\System32\CmdLineExt.dll
      2008-09-20 19:55 . 2008-09-20 19:55        d--------    C:\Program Files\EA Games
      2008-09-20 19:55 . 2007-07-19 18:14    3,727,720    --a------    C:\Windows\System32\d3dx9_35.dll
      2008-09-20 19:55 . 2007-07-19 18:14    1,358,192    --a------    C:\Windows\System32\D3DCompiler_35.dll
      2008-09-20 19:55 . 2007-07-19 18:14    444,776    --a------    C:\Windows\System32\d3dx10_35.dll
      2008-09-12 20:47 . 2005-04-15 19:58    1,071,088    --a------    C:\Windows\System32\MSCOMCTL.OCX
      2008-09-12 20:47 . 2003-07-06 14:07    372,736    --a------    C:\Windows\System32\_IJL11.DLL
      2008-09-12 20:47 . 2004-03-09 00:00    212,240    --a------    C:\Windows\System32\RICHTX32.OCX
      2008-09-12 20:47 . 2004-03-09 00:00    124,688    --a------    C:\Windows\System32\MSWINSCK.OCX
      2008-09-12 20:47 . 2004-02-23 00:00    119,808    --a------    C:\Windows\System32\MSSTDFMT.DLL
      2008-09-09 23:00 . 2008-07-30 19:13    4,240,384    --a------    C:\Windows\System32\GameUXLegacyGDFs.dll
      2008-09-09 23:00 . 2008-07-30 21:32    28,160    --a------    C:\Windows\System32\Apphlpdm.dll
      2008-09-09 22:37 . 2008-08-01 19:01    625,152    --a------    C:\Windows\System32\drivers\dxgkrnl.sys
      2008-09-09 22:37 . 2008-06-25 21:29    565,248    --a------    C:\Windows\System32\emdmgmt.dll
      2008-09-09 22:37 . 2008-06-25 21:29    303,616    --a------    C:\Windows\System32\wmpeffects.dll
      2008-09-09 22:37 . 2008-05-08 13:21    211,968    --a------    C:\Windows\System32\drivers\mrxsmb10.sys
      2008-09-09 22:37 . 2008-05-19 20:07    148,480    --a------    C:\Windows\System32\drivers\nwifi.sys
      2008-09-09 22:37 . 2008-06-25 21:29    45,056    --a------    C:\Windows\System32\dataclen.dll
      2008-09-09 22:37 . 2008-08-01 21:26    36,864    --a------    C:\Windows\System32\cdd.dll
      2008-09-04 17:59 . 2008-09-04 17:59        d--------    C:\Users\All Users\LogMeIn
      2008-09-04 17:59 . 2008-09-04 17:59        d--------    C:\ProgramData\LogMeIn
      2008-09-04 17:59 . 2008-05-28 12:32    87,352    --a------    C:\Windows\System32\LMIinit.dll
      2008-09-04 17:59 . 2008-05-28 12:33    83,288    --a------    C:\Windows\System32\LMIRfsClientNP.dll
      2008-09-04 17:59 . 2008-03-07 13:39    45,848    --a------    C:\Windows\System32\drivers\LMIRfsDriver.sys
      2008-09-04 17:59 . 2008-05-28 12:33    24,608    --a------    C:\Windows\System32\LMIport.dll
      2008-09-04 17:59 . 2008-09-04 17:59    1,024    --a------    C:\.rnd
      2008-09-03 23:46 . 2008-07-18 23:09    1,811,656    --a------    C:\Windows\System32\wuaueng.dll
      2008-09-03 23:46 . 2008-07-18 21:44    1,524,736    --a------    C:\Windows\System32\wucltux.dll
      2008-09-03 23:46 . 2008-07-18 23:09    563,912    --a------    C:\Windows\System32\wuapi.dll
      2008-09-03 23:46 . 2008-07-18 22:08    163,904    --a------    C:\Windows\System32\wuwebv.dll
      2008-09-03 23:46 . 2008-07-18 21:44    83,456    --a------    C:\Windows\System32\wudriver.dll
      2008-09-03 23:46 . 2008-07-18 23:10    53,448    --a------    C:\Windows\System32\wuauclt.exe
      2008-09-03 23:46 . 2008-07-18 23:10    45,768    --a------    C:\Windows\System32\wups2.dll
      2008-09-03 23:46 . 2008-07-18 23:10    36,552    --a------    C:\Windows\System32\wups.dll
      2008-09-03 23:46 . 2008-07-18 20:44    31,232    --a------    C:\Windows\System32\wuapp.exe

      .
      ((((((((((((((((((((((((((((((((((((((((   Find3M Report   ))))))))))))))))))))))))))))))))))))))))))))))))))))
      .
      2008-09-28 23:02    ---------    d-----w    C:\Program Files\Winamp
      2008-09-27 05:53    ---------    d-----w    C:\Program Files\Common Files\Wise Installation Wizard
      2008-09-27 03:10    ---------    d-----w    C:\Users\admin\AppData\Roaming\Azureus
      2008-09-13 02:31    ---------    d-----w    C:\ProgramData\avg8
      2008-09-07 03:20    ---------    d-----w    C:\Users\admin\AppData\Roaming\LimeWire
      2008-09-04 23:59    ---------    d-----w    C:\Program Files\Windows Calendar
      2008-09-04 00:49    ---------    d-----w    C:\Program Files\LimeWire
      2008-09-01 01:25    ---------    d-----w    C:\ProgramData\FLEXnet
      2008-09-01 01:17    ---------    d-----w    C:\Program Files\Common Files\Adobe
      2008-09-01 01:17    ---------    d-----w    C:\Program Files\Bonjour
      2008-09-01 01:10    ---------    d-----w    C:\Program Files\Common Files\Macrovision Shared
      2008-09-01 00:47    ---------    d-----w    C:\Program Files\MagicISO
      2008-08-27 23:20    ---------    d-----w    C:\Program Files\WinPcap
      2008-08-25 04:18    ---------    d-----w    C:\Users\admin\AppData\Roaming\DAEMON Tools
      2008-08-25 01:16    ---------    d-----w    C:\Users\admin\AppData\Roaming\Winamp
      2008-08-25 01:09    ---------    dcsh--w    C:\Program Files\Common Files\WindowsLiveInstaller
      2008-08-25 01:09    ---------    d-----w    C:\Program Files\QuickTime
      2008-08-25 01:08    ---------    d--h--w    C:\Program Files\InstallShield Installation Information
      2008-08-25 01:08    ---------    d-----w    C:\Program Files\Creative
      2008-08-25 01:07    ---------    d-----w    C:\Program Files\OpenAL
      2008-08-25 01:00    ---------    d-----w    C:\Program Files\Common Files\InstallShield
      2008-08-22 01:03    ---------    d-----w    C:\Users\admin\AppData\Roaming\vlc
      2008-08-20 15:53    ---------    d-----w    C:\Program Files\Windows Live
      2008-08-20 15:52    ---------    d-----w    C:\ProgramData\WLInstaller
      2008-08-16 18:54    ---------    d-----w    C:\Program Files\Sun
      2008-08-16 18:52    ---------    d-----w    C:\Program Files\Java
      2008-08-14 22:33    ---------    d-----w    C:\Program Files\Windows Mail
      2008-07-31 03:32    460,288    ----a-w    C:\Windows\AppPatch\AcSpecfc.dll
      2008-07-31 03:32    2,154,496    ----a-w    C:\Windows\AppPatch\AcGenral.dll
      2008-07-31 03:32    173,056    ----a-w    C:\Windows\AppPatch\AcXtrnal.dll
      2008-06-14 06:11    174    --sha-w    C:\Program Files\desktop.ini
      .

      (((((((((((((((((((((((((((((((((((((   Reg Loading Points   ))))))))))))))))))))))))))))))))))))))))))))))))))
      .
      .
      *Note* empty entries & legit default entries are not shown
      REGEDIT4

      [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
      "Sidebar"="C:\Program Files\Windows Sidebar\sidebar.exe" [2008-01-19 1233920]
      "msnmsgr"="C:\Program Files\Windows Live\Messenger\msnmsgr.exe" [2007-10-18 5724184]
      "ehTray.exe"="C:\Windows\ehome\ehTray.exe" [2008-01-19 125952]
      "WindowsWelcomeCenter"="oobefldr.dll" [2008-01-19 C:\Windows\System32\oobefldr.dll]

      [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
      "QuickTime Task"="C:\Program Files\QuickTime\QTTask.exe" [2008-03-28 413696]
      "Adobe Reader Speed Launcher"="C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2008-01-11 39792]
      "SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe" [2008-06-10 144784]
      "LogMeIn GUI"="C:\Program Files\Windows Calendar\lmi\x86\LogMeInSystray.exe" [2008-02-28 63048]
      "ccApp"="C:\Program Files\Common Files\Symantec Shared\ccApp.exe" [2007-01-09 115816]
      "Symantec PIF AlertEng"="C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe" [2008-01-29 583048]
      "CTHelper"="CTHELPER.EXE" [2008-06-27 C:\Windows\System32\CtHelper.exe]

      [HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
      "DevconDefaultDB"="C:\Windows\system32\READREG"

      [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
      "EnableLUA"= 0 (0x0)
      "EnableUIADesktopToggle"= 0 (0x0)
      "DisableStatusMessages"= 0 (0x0)

      [HKEY_LOCAL_MACHINE\software\microsoft\security center]
      "UacDisableNotify"=dword:00000001
      "InternetSettingsDisableNotify"=dword:00000001
      "AutoUpdateDisableNotify"=dword:00000001

      [HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]
      "DisableMonitoring"=dword:00000001


      11 Posts

      September 30th, 2008 23:00

      [HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
      "DisableMonitoring"=dword:00000001

      [HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
      "DisableMonitoring"=dword:00000001

      [HKEY_LOCAL_MACHINE\software\microsoft\security center\Svc\S-1-5-21-55946757-1851201693-3463079346-1000]
      "EnableNotificationsRef"=dword:00000002

      [HKLM\~\services\sharedaccess\parameters\firewallpolicy\DomainProfile]
      "EnableFirewall"= 0 (0x0)

      [HKLM\~\services\sharedaccess\parameters\firewallpolicy\FirewallRules]
      "{EF0124E2-95E9-4634-92B5-3BF0EA2072EF}"= C:\Program Files\Windows Live\Messenger\livecall.exe:Windows Live Messenger (Phone)
      "TCP Query User{3562A8E6-F9CD-4C3D-8DF3-87312944BA6F}C:\\program files\\azureus\\azureus.exe"= UDP:C:\program files\azureus\azureus.exe:Azureus
      "UDP Query User{3178B8E0-B052-46C6-AB8C-FD3022A884B9}C:\\program files\\azureus\\azureus.exe"= TCP:C:\program files\azureus\azureus.exe:Azureus
      "{0485759C-A6BC-4A22-AC55-A584443DA7DC}"= UDP:C:\Program Files\LimeWire\LimeWire.exe:LimeWire
      "{3F354576-5BF8-4E0B-AFDB-C8A3150258D3}"= TCP:C:\Program Files\LimeWire\LimeWire.exe:LimeWire
      "{9037CFFD-C7A9-4337-9218-CB02C48DE1A1}"= C:\Program Files\Windows Live\Messenger\livecall.exe:Windows Live Messenger (Phone)
      "{C404D1B7-2B42-4787-8E16-4B6BAF7FAAA3}"= C:\Program Files\Windows Live\Messenger\livecall.exe:Windows Live Messenger (Phone)
      "{6EACFAF1-CFD3-41D5-B2D4-464D31145FBE}"= UDP:C:\Program Files\LimeWire\LimeWire.exe:LimeWire
      "{8D8544C3-5DD6-402D-8C32-D3C178B1FF84}"= TCP:C:\Program Files\LimeWire\LimeWire.exe:LimeWire

      [HKLM\~\services\sharedaccess\parameters\firewallpolicy\PublicProfile]
      "EnableFirewall"= 0 (0x0)

      [HKLM\~\services\sharedaccess\parameters\firewallpolicy\StandardProfile]
      "DoNotAllowExceptions"= 1 (0x1)

      R1 IDSvix86;Symantec Intrusion Prevention Driver;C:\PROGRA~2\Symantec\DEFINI~1\SymcData\idsdefs\20080926.002\IDSvix86.sys [2008-09-12 270384]
      R2 LMIRfsDriver;LogMeIn Remote File System Driver;C:\Windows\system32\drivers\LMIRfsDriver.sys [2008-03-07 45848]
      R3 COMMONFX.SYS;COMMONFX.SYS;C:\Windows\system32\drivers\COMMONFX.SYS [2008-06-27 99352]
      R3 CTAUDFX.SYS;CTAUDFX.SYS;C:\Windows\system32\drivers\CTAUDFX.SYS [2008-06-27 555032]
      R3 CTSBLFX.SYS;CTSBLFX.SYS;C:\Windows\system32\drivers\CTSBLFX.SYS [2008-06-27 566296]
      S2 LMIInfo;LogMeIn Kernel Information Provider;C:\Program Files\Windows Calendar\lmi\x86\RaInfo.sys [2008-02-28 12856]
      S3 COMMONFX;COMMONFX;C:\Windows\system32\drivers\COMMONFX.SYS [2008-06-27 99352]
      S3 CTAUDFX;CTAUDFX;C:\Windows\system32\drivers\CTAUDFX.SYS [2008-06-27 555032]
      S3 CTERFXFX.SYS;CTERFXFX.SYS;C:\Windows\system32\drivers\CTERFXFX.SYS [2008-06-27 100888]
      S3 CTERFXFX;CTERFXFX;C:\Windows\system32\drivers\CTERFXFX.SYS [2008-06-27 100888]
      S3 CTSBLFX;CTSBLFX;C:\Windows\system32\drivers\CTSBLFX.SYS [2008-06-27 566296]

      [HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{8056480c-2d36-11dd-ac3f-806e6f6e6963}]
      \shell\AutoRun\command - D:\autorun.exe
      \shell\readit\command - notepad readme.doc

      *Newly Created Service* - COMHOST
      .
      Contents of the 'Scheduled Tasks' folder
      .
      - - - - ORPHANS REMOVED - - - -

      HKU-Default-RunOnce- - (no file)


      .
      ------- Supplementary Scan -------
      .
      FireFox -: Profile - C:\Users\admin\AppData\Roaming\Mozilla\Firefox\Profiles\2ideb1by.default\
      FireFox -: prefs.js - STARTUP.HOMEPAGE - www.google.ca
      FF -: plugin - C:\Program Files\Veoh Networks\Veoh\Plugins\noreg\NPVeohVersion.dll
      .
      .
      ------- File Associations -------
      .
      exefile="%1" %*"
      inifile=%SystemRoot%\System32\NOTEPAD.EXE %1"
      .

      **************************************************************************

      catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
      Rootkit scan 2008-09-30 18:46:37
      Windows 6.0.6001 Service Pack 1 NTFS

      scanning hidden processes ...

      scanning hidden autostart entries ...

      scanning hidden files ...

      scan completed successfully
      hidden files: 0

      **************************************************************************
      .
      --------------------- DLLs Loaded Under Running Processes ---------------------

      PROCESS: C:\Windows\Explorer.exe
      -> ?:\Windows\system32\SXS.DLL
      .
      ------------------------ Other Running Processes ------------------------
      .
      C:\Windows\System32\audiodg.exe
      C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
      C:\Program Files\Common Files\Symantec Shared\AppCore\AppSvc32.exe
      C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
      C:\Program Files\Symantec\LiveUpdate\AluSchedulerSvc.exe
      C:\Program Files\Bonjour\mDNSResponder.exe
      C:\Windows\System32\conime.exe
      C:\Windows\ehome\ehmsas.exe
      C:\Windows\System32\wbem\WMIADAP.exe
      .
      **************************************************************************
      .
      Completion time: 2008-09-30 18:52:25 - machine was rebooted
      ComboFix-quarantined-files.txt  2008-10-01 00:52:09

      Pre-Run: 66,559,913,984 bytes free
      Post-Run: 67,348,025,344 bytes free

      241    --- E O F ---    2008-09-26 04:33:53

      20.5K Posts

      October 1st, 2008 11:00

      Considering the P2P you were using, I'm not surprised you became so infected.

      Run Hijackthis and place a checkmark next to this:
      O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
      Close all other windows and click "Fix Checked". Close Hijackthis and reboot.

      How is everything running now? If things are back to normal, we'll remove Combofix, flush System Restore, and you'll be good to go.
      Message Edited by Bugbatter on 10-01-2008 08:16 AM

      11 Posts

      October 2nd, 2008 01:00

Seems to be running well. Appears to be a little faster.

      20.5K Posts

      October 2nd, 2008 15:00

      It's time for some housekeeping. Sweeping

      Run DiskCleanup in each user's profile.

1. Open Disk Cleanup by clicking the Start button, clicking All Programs, clicking Accessories, clicking System Tools, and then clicking Disk Cleanup.
2. In the Disk Cleanup Options dialog box, choose whether you want to clean up your own files only or all of the files on the computer. (Administrator permission required.) If you are prompted for an administrator password or confirmation, type the password or provide confirmation.
      3. If the Disk Cleanup: Drive Selection dialog box appears, select the hard disk drive that you want to clean up, and then click OK.
      4. Click the Disk Cleanup tab.
      * Please make sure only the following are checked:
      -- Downloaded Program Files
      -- Temporary Internet Files
      -- Recycle Bin
      -- Temporary Files
      5. When you finish selecting the files you want to delete, click OK, and then click Delete files to confirm the operation. Disk Cleanup proceeds to remove all unnecessary files from your computer.

      Because the tools we used to scan the computer, as well as tools to delete files and folders, are no longer needed, they should be removed, along with the folders created by these tools.


      * Click Start then Run
      * Now type Combofix /u in the runbox and click OK.
      Notice the space between the X and the /u


      This will uninstall ComboFix. It will also implement some cleanup procedures and reset System Restore points.

      Here is my standard list of simple steps that you can take to reduce the chance of infection in the future.
      If you have installed Malwarebytes' Anti-Malware as part of your cleaning procedures, keep it updated and use it to scan every so often for malware, or upgrade to the paid version for realtime scanning and auto updating.

      The following suggestions are general prevention and are not customized for your computer. You may have already taken some of these steps, and depending on your current security, you may not need to implement all of these:

      1. Visit Windows Update:
      Make sure that you have all the Critical Updates recommended for your operating system and IE. The first defense against infection is a properly patched OS.
      Windows Update: http://v4.windowsupdate.microsoft.com/en/default.asp

      2. Please use a firewall and realtime anti-virus. Keep the anti-virus software and firewall software up to date.
      Note: Zone Alarm Firewall (by Checkpoint) has a free version http://www.zonelabs.com/store/content/company/products/trial_zaFamily/trial_zaFamily.jsp?lid=home_freedownloads

3. You might consider installing Mozilla / Firefox.
      http://www.mozilla.com/en-US/

4. Do not use file sharing. Even the safest P2P file sharing programs that do not contain bundled spyware still expose you to risks because of the very nature of the P2P file sharing process. By default, most P2P file sharing programs are configured to automatically launch at startup. They are also configured to allow other P2P users on the same network open access to a shared directory on your computer. The reason for this is simple. File sharing relies on its members giving and gaining unfettered access to computers across the P2P network. However, this practice can make you vulnerable to data and identity theft. Even if you change those risky default settings to a safer configuration, the act of downloading files from an anonymous source greatly increases your exposure to infection. That is because the files you are downloading may actually contain a disguised threat. Many very malicious worms and trojans, such as the Storm Worm, target and spread across P2P file sharing networks because of their known vulnerabilities.

      5. Before using or purchasing any Spyware/Malware protection/removal program, always check the following Rogue/Suspect Spyware Lists.
      http://www.spywarewarrior.com/rogue_anti-spyware.htm
      http://www.malwarebytes.org/database.php

      6. If you have not already done so, you might want to install CCleaner and run it in each user's profile: http://www.ccleaner.com/
      ** UNcheck the option to install the Yahoo toolbar that is checked by default for the Standard version, or download the toolbar-free versions (Slim or Basic) when given the option for those.

7. Practice Safe Surfing with TrendProtect by Trend Micro. This is not compatible with Firefox 3.0 yet.
      TrendProtect is a browser plugin that assigns a safety rating to domains listed in your search engine. TrendProtect also adds a new button to your browser's toolbar area. The icon and color of the button changes to indicate whether the page currently open is safe, unsafe, trusted, or unrated, or whether it contains unwanted content.

      The following color codes are used by TrendProtect to indicate the safety of each site.

      Red for Warning
      Yellow for Use Caution
      Green for Safe
      Grey for Unknown

      8. You might consider installing SpywareBlaster: http://www.javacoolsoftware.com/spywareblaster.html
      It will:
      Prevent the installation of ActiveX-based spyware, adware, browser hijackers, dialers, and other potentially unwanted software.
      Block spyware/tracking cookies in Internet Explorer and Mozilla Firefox.
      Restrict the actions of potentially unwanted sites in Internet Explorer.
      Tutorial here: http://www.bleepingcomputer.com/forums/tutorial49.html
      Periodically check for updates.

      9. Here are some helpful articles:
      "How did I get infected?"
      http://www.bleepingcomputer.com/forums/topic2520.html

      "I'm not pulling your leg, honest"
      by Sandi Hardmeier
      http://www.microsoft.com/windows/IE/community/columns/pulling.mspx

      Let us know if we have not resolved your problem. Otherwise, you are good to go.
      Happy and Safe Surfing!

      11 Posts

      October 8th, 2008 23:00

OK. All's fine, except that now (this probably needs to go to a different forum here, but) I cannot access my screensaver options after doing everything else to fix my computer.

I right-click the desktop, go to "Personalize" and click on Screen Saver, and it opens my display settings. Any ideas?

      20.5K Posts

      October 11th, 2008 01:00

      See if this helps:

      Please run Notepad and paste the text between the lines into a new file. Do not copy the dotted lines.
      * Make sure that Word Wrap is turned off in Notepad - (click the Format menu and uncheck Word Wrap)
      Important:
      Make sure there are NO blank lines before Windows Registry Editor Version 5.00
      Make sure there is one blank line at the end of the file
      Make sure that you have copied all of the text (e.g. Don't miss the first 'W'.)

      ------------------------------------------------------------------------------------------
      Windows Registry Editor Version 5.00

      [HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer]
      "NoActiveDesktopChanges"=hex:00,00,00,00
      "NoActiveDesktop"=dword:00000000
      "NoSaveSettings"=dword:00000000
      "ClassicShell"=dword:00000000
      "NoThemesTab"=dword:00000000

      [HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System]
      "NoDispAppearancePage"=dword:00000000
      "NoColorChoice"=dword:00000000
      "NoSizeChoice"=dword:00000000
      "NoDispBackgroundPage"=dword:00000000
      "NoDispScrSavPage"=dword:00000000
      "NoDispCPL"=dword:00000000
      "NoVisualStyleChoice"=dword:00000000
      "NoDispSettingsPage"=dword:00000000
      "NoDispScrSavPage"=dword:00000000
      "NoVisualStyleChoice"=dword:00000000
      "NoSizeChoice"=dword:00000000
      "SetVisualStyle"=-

      [HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\ActiveDesktop]
      "NoChangingWallPaper"=dword:00000000

      [HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\ThemeManager]
      "ThemeActive"="1"
      "DllName"=hex(2):25,00,53,00,79,00,73,00,74,00,65,00,6d,00,52,00,6f,00,6f,00,\
      74,00,25,00,5c,00,72,00,65,00,73,00,6f,00,75,00,72,00,63,00,65,00,73,00,5c,\
      00,54,00,68,00,65,00,6d,00,65,00,73,00,5c,00,6c,00,75,00,6e,00,61,00,5c,00,\
      6c,00,75,00,6e,00,61,00,2e,00,6d,00,73,00,73,00,74,00,79,00,6c,00,65,00,73,\
      00,00,00

      -------------------------------------------------------------------------------------
      Save the file to the desktop as fix.reg and make sure the "Save as Type" field says "All Files".
      Then please go to the desktop and double-click on fix.reg, and click Yes to merge it with the registry.
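The ComboFix "Reg Loading Points" listing earlier in the thread and the .reg file above use the same REGEDIT4/Registry Editor syntax, so one parser covers both. The following is an added Python example, not part of the original thread: it parses that syntax (including the backslash-continued hex(2) lines), decodes the REG_EXPAND_SZ value, and flags the entries in the log that show UAC, Security Center monitoring and the firewall switched off. The excerpt it parses is constructed from the values shown in the thread, with DllName shortened to its first path element.

```python
"""Parse the REGEDIT4-style 'Reg Loading Points' section of a ComboFix log and flag
settings that switch off Windows' own defences (added example, not from the post)."""
import re
# (key suffix, value name, value meaning "defence off", explanation)
WEAK_SETTINGS = [
    ("policies\\system", "EnableLUA", 0, "UAC disabled"),
    ("security center", "UacDisableNotify", 1, "UAC alerts suppressed"),
    ("security center\\monitoring", "DisableMonitoring", 1, "Security Center monitoring off"),
    ("firewallpolicy\\domainprofile", "EnableFirewall", 0, "firewall off (Domain profile)"),
    ("firewallpolicy\\publicprofile", "EnableFirewall", 0, "firewall off (Public profile)"),
]
_KEY_RE = re.compile(r"^\[(.+)\]$")
_VAL_RE = re.compile(r'^"([^"]+)"\s*=\s*(.*)$')

def parse_value(raw):
    """dword:00000001 -> 1, '0 (0x0)' -> 0, hex(2):25,00,... -> bytes, else str."""
    raw = raw.strip()
    if raw.startswith("dword:"):
        return int(raw[6:], 16)
    m = re.fullmatch(r"(\d+)\s+\(0x[0-9a-fA-F]+\)", raw)   # ComboFix's "0 (0x0)" form
    if m:
        return int(m.group(1))
    if raw.startswith("hex"):
        return bytes(int(b, 16) for b in raw.split(":", 1)[1].split(",") if b.strip())
    return raw

def parse_reg_text(text):
    """Return (key, name, value) triples, joining the backslash-continued lines
    that long hex values are split across."""
    entries, key, pending = [], None, ""
    for line in text.splitlines():
        line = pending + line.strip()
        pending = ""
        if line.endswith("\\"):            # value continues on the next line
            pending = line[:-1]
            continue
        km = _KEY_RE.match(line)
        if km:
            key = km.group(1)
            continue
        vm = _VAL_RE.match(line)
        if vm and key is not None:
            entries.append((key, vm.group(1), parse_value(vm.group(2))))
    return entries

def decode_expand_sz(raw):
    """hex(2) is REG_EXPAND_SZ: UTF-16LE text with a NUL terminator."""
    return raw.decode("utf-16-le").rstrip("\x00")

def find_weak_settings(entries):
    """Match each entry against WEAK_SETTINGS (key suffix, case-insensitive)."""
    return [(key, name, why) for key, name, value in entries
            for suffix, want, bad, why in WEAK_SETTINGS
            if key.lower().endswith(suffix) and name == want and value == bad]

# Constructed excerpt in the log's own format (DllName shortened to its first path element).
SAMPLE = r"""
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"EnableLUA"= 0 (0x0)
[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"UacDisableNotify"=dword:00000001
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]
"DisableMonitoring"=dword:00000001
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\DomainProfile]
"EnableFirewall"= 0 (0x0)
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\ThemeManager]
"DllName"=hex(2):25,00,53,00,79,00,73,00,74,00,65,00,6d,00,52,00,6f,00,6f,00,\
74,00,25,00,00,00
"""
```

Running `find_weak_settings(parse_reg_text(SAMPLE))` on the constructed excerpt returns the four disabled-defence entries; a full log can be fed in the same way, with the `*Note*` and `REGEDIT4` lines ignored because they match neither pattern.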

      11 Posts

      October 13th, 2008 02:00

Done it, but still the same thing. Thinking a reformat might be in order :)