HJT log

Horchheimer · 11-12-2009, 12:56 AM

Hi guys, I'll try to keep my request for assistance as thorough as possible here.

This past weekend, I had a problem pop up with a VUNDO trojan. I was going to run through all of the processess in the "before you post..." thread, but wasn't able to sign onto the internet because every time I did, my resident shield would pop up with the warning and prevent me from signing onto this site.

So, having gone through this process a few times before, I had all of the programs needed to run a scan through my system... but again, everytime I would try to fire off one of those programs, that warning would pop up preventing me from doing anything.

So, I decided to try to boot in safe mode, in hopes that I could get some initial cleanup done, that would allow me to do so, but instead I came across the BSOD...

Frustrated, I signed using my laptop, and was able to recruit the assistance of arraknid, who got me past the BSOD (thank you again). That thread can be found here... cleverly titled " Can't get past the BSOD "...

Ok, so now that I'm back in business, I was finally able to run through absolutely everything, due to (I believe) some initial cleanup with bitdefender...

Here are all of my logs, and I'd really appreciate it if one of the qualified help2go gurus could help me clean up this mess on my home PC.

If there's anything you need from me, don't hesitate to ask, and I'll do my best to get it to you in a timely fashion. Thank you in advance for your assistance.

One thing I'd like to note;

When I tried to boot up in safe mode, so that I could run the CCleaner, I got to the BSOD again, so i wasn't able to do that part. I did however run it in normal mode and cleared out a bunch of garbage that way, although definitely not as thorough I would assume.

Also, I tried to upload my active scan txt file, but it said that it was too large to upload, so I'll just cut and past it here...

"Scan ""Scan whole computer"" was finished."
"Infections";"5";"0";"5"
"Warnings";"142"
"Folders selected for scanning:";"Scan whole computer"
"Scan started:";"Tuesday, November 10, 2009, 10:43:50 PM"
"Scan finished:";"Wednesday, November 11, 2009, 12:43:07 AM (1 hour(s) 59 minute(s) 17 second(s))"
"Total object scanned:";"412840"
"User who launched the scan:";"Compaq_Owner"

"Infections"
"File";"Infection";"Result"
"C:\Documents and Settings\Compaq_Owner\Desktop\Computer's Stuff\Backup Programs\Computer Programs\EDonkey.exe";"Trojan horse SHeur2.AUAQ";"Infected"
"C:\Documents and Settings\Compaq_Owner\Desktop\Computer's Stuff\Backup Programs\Computer Programs\EDonkey.exe:\$JF\edonkey2000.exe";"Trojan horse SHeur2.AUAQ";"Infected"
"C:\WINDOWS\system32\soyerebo.dll";"Trojan horse Vundo.IJ";"Infected"
"C:\WINDOWS\system32\tayazuvo.dll";"Trojan horse Vundo.IJ";"Infected"
"C:\WINDOWS\system32\wogidiji.dll";"Trojan horse Vundo.IJ";"Infected"

"Warnings"
"File";"Infection";"Result"
"C:\Documents and Settings\Compaq_Owner\Cookies\compaq_owner@2o7[2].txt";"Found Tracking cookie.2o7";"Potentially dangerous object"
"C:\Documents and Settings\Compaq_Owner\Cookies\compaq_owner@2o7[2].txt:\2o7.net.29ba1831";"Found Tracking cookie.2o7";"Potentially dangerous object"
"C:\Documents and Settings\Compaq_Owner\Cookies\compaq_owner@2o7[2].txt:\2o7.net.3f08ebd";"Found Tracking cookie.2o7";"Potentially dangerous object"
"C:\Documents and Settings\Compaq_Owner\Cookies\compaq_owner@ad.yieldmanager[2].txt";"Found Tracking cookie.Yieldmanager";"Potentially dangerous object"
"C:\Documents and Settings\Compaq_Owner\Cookies\compaq_owner@ad.yieldmanager[2].txt:\ad.yieldmanager.com.539b0606";"Found Tracking cookie.Yieldmanager";"Potentially dangerous object"
"C:\Documents and Settings\Compaq_Owner\Cookies\compaq_owner@ad.yieldmanager[2].txt:\ad.yieldmanager.com.557bf2b0";"Found Tracking cookie.Yieldmanager";"Potentially dangerous object"
"C:\Documents and Settings\Compaq_Owner\Cookies\compaq_owner@ad.yieldmanager[2].txt:\ad.yieldmanager.com.b68f2b7b";"Found Tracking cookie.Yieldmanager";"Potentially dangerous object"
"C:\Documents and Settings\Compaq_Owner\Cookies\compaq_owner@ad.yieldmanager[2].txt:\ad.yieldmanager.com.e626e6be";"Found Tracking cookie.Yieldmanager";"Potentially dangerous object"
"C:\Documents and Settings\Compaq_Owner\Cookies\compaq_owner@ad.yieldmanager[2].txt:\ad.yieldmanager.com.ff92306";"Found Tracking cookie.Yieldmanager";"Potentially dangerous object"
"C:\Documents and Settings\Compaq_Owner\Cookies\compaq_owner@adrevolver[2].txt";"Found Tracking cookie.Adrevolver";"Potentially dangerous object"
"C:\Documents and Settings\Compaq_Owner\Cookies\compaq_owner@adrevolver[2].txt:\adrevolver.com.61b5dd52";"Found Tracking cookie.Adrevolver";"Potentially dangerous object"
"C:\Documents and Settings\Compaq_Owner\Cookies\compaq_owner@adrevolver[2].txt:\adrevolver.com.9b9d670a";"Found Tracking cookie.Adrevolver";"Potentially dangerous object"
"C:\Documents and Settings\Compaq_Owner\Cookies\compaq_owner@adrevolver[2].txt:\adrevolver.com.f6cfcad4";"Found Tracking cookie.Adrevolver";"Potentially dangerous object"
"C:\Documents and Settings\Compaq_Owner\Cookies\compaq_owner@advertising[1].txt";"Found Tracking cookie.Advertising";"Potentially dangerous object"
"C:\Documents and Settings\Compaq_Owner\Cookies\compaq_owner@advertising[1].txt:\advertising.com.1820df7a";"Found Tracking cookie.Advertising";"Potentially dangerous object"
"C:\Documents and Settings\Compaq_Owner\Cookies\compaq_owner@advertising[1].txt:\advertising.com.1dfa2206";"Found Tracking cookie.Advertising";"Potentially dangerous object"
"C:\Documents and Settings\Compaq_Owner\Cookies\compaq_owner@advertising[1].txt:\advertising.com.203aa218";"Found Tracking cookie.Advertising";"Potentially dangerous object"
"C:\Documents and Settings\Compaq_Owner\Cookies\compaq_owner@advertising[1].txt:\advertising.com.525a5fb9";"Found Tracking cookie.Advertising";"Potentially dangerous object"
"C:\Documents and Settings\Compaq_Owner\Cookies\compaq_owner@advertising[1].txt:\advertising.com.b624fa46";"Found Tracking cookie.Advertising";"Potentially dangerous object"
"C:\Documents and Settings\Compaq_Owner\Cookies\compaq_owner@advertising[1].txt:\advertising.com.f62113d5";"Found Tracking cookie.Advertising";"Potentially dangerous object"
"C:\Documents and Settings\Compaq_Owner\Cookies\compaq_owner@adviva[2].txt";"Found Tracking cookie.Adviva";"Potentially dangerous object"
"C:\Documents and Settings\Compaq_Owner\Cookies\compaq_owner@adviva[2].txt:\adviva.net.39ec90c";"Found Tracking cookie.Adviva";"Potentially dangerous object"
"C:\Documents and Settings\Compaq_Owner\Cookies\compaq_owner@adviva[2].txt:\adviva.net.85256b16";"Found Tracking cookie.Adviva";"Potentially dangerous object"
"C:\Documents and Settings\Compaq_Owner\Cookies\compaq_owner@atdmt[1].txt";"Found Tracking cookie.Atdmt";"Potentially dangerous object"
"C:\Documents and Settings\Compaq_Owner\Cookies\compaq_owner@atdmt[1].txt:\atdmt.com.7247c262";"Found Tracking cookie.Atdmt";"Potentially dangerous object"
"C:\Documents and Settings\Compaq_Owner\Cookies\compaq_owner@atdmt[1].txt:\atdmt.com.b3e33b5f";"Found Tracking cookie.Atdmt";"Potentially dangerous object"
"C:\Documents and Settings\Compaq_Owner\Cookies\compaq_owner@atdmt[3].txt";"Found Tracking cookie.Atdmt";"Potentially dangerous object"
"C:\Documents and Settings\Compaq_Owner\Cookies\compaq_owner@atdmt[3].txt:\atdmt.com.7247c262";"Found Tracking cookie.Atdmt";"Potentially dangerous object"
"C:\Documents and Settings\Compaq_Owner\Cookies\compaq_owner@atdmt[3].txt:\atdmt.com.74c5668";"Found Tracking cookie.Atdmt";"Potentially dangerous object"
"C:\Documents and Settings\Compaq_Owner\Cookies\compaq_owner@atdmt[3].txt:\atdmt.com.9e6d7fd3";"Found Tracking cookie.Atdmt";"Potentially dangerous object"
"C:\Documents and Settings\Compaq_Owner\Cookies\compaq_owner@atdmt[3].txt:\atdmt.com.b3e33b5f";"Found Tracking cookie.Atdmt";"Potentially dangerous object"
"C:\Documents and Settings\Compaq_Owner\Cookies\compaq_owner@atdmt[3].txt:\atdmt.com.f4b86dca";"Found Tracking cookie.Atdmt";"Potentially dangerous object"
"C:\Documents and Settings\Compaq_Owner\Cookies\compaq_owner@bluemountain[2].txt";"Found Tracking cookie.Bluemountain";"Potentially dangerous object"
"C:\Documents and Settings\Compaq_Owner\Cookies\compaq_owner@bluemountain[2].txt:\bluemountain.com.cfbfb51c";"Found Tracking cookie.Bluemountain";"Potentially dangerous object"
"C:\Documents and Settings\Compaq_Owner\Cookies\compaq_owner@bluestreak[2].txt";"Found Tracking cookie.Bluestreak";"Potentially dangerous object"
"C:\Documents and Settings\Compaq_Owner\Cookies\compaq_owner@bluestreak[2].txt:\bluestreak.com.bf396750";"Found Tracking cookie.Bluestreak";"Potentially dangerous object"
"C:\Documents and Settings\Compaq_Owner\Cookies\compaq_owner@bs.serving-sys[2].txt";"Found Tracking cookie.Serving-sys";"Potentially dangerous object"
"C:\Documents and Settings\Compaq_Owner\Cookies\compaq_owner@bs.serving-sys[2].txt:\bs.serving-sys.com.5bf1f00f";"Found Tracking cookie.Serving-sys";"Potentially dangerous object"
"C:\Documents and Settings\Compaq_Owner\Cookies\compaq_owner@burstbeacon[1].txt";"Found Tracking cookie.Burstbeacon";"Potentially dangerous object"
"C:\Documents and Settings\Compaq_Owner\Cookies\compaq_owner@burstbeacon[1].txt:\burstbeacon.com.c4fe2ebb";"Found Tracking cookie.Burstbeacon";"Potentially dangerous object"
"C:\Documents and Settings\Compaq_Owner\Cookies\compaq_owner@burstnet[1].txt";"Found Tracking cookie.Burstnet";"Potentially dangerous object"
"C:\Documents and Settings\Compaq_Owner\Cookies\compaq_owner@burstnet[1].txt:\burstnet.com.c4fe2ebb";"Found Tracking cookie.Burstnet";"Potentially dangerous object"
"C:\Documents and Settings\Compaq_Owner\Cookies\compaq_owner@burstnet[2].txt";"Found Tracking cookie.Burstnet";"Potentially dangerous object"
"C:\Documents and Settings\Compaq_Owner\Cookies\compaq_owner@burstnet[2].txt:\burstnet.com.27341d57";"Found Tracking cookie.Burstnet";"Potentially dangerous object"
"C:\Documents and Settings\Compaq_Owner\Cookies\compaq_owner@burstnet[2].txt:\burstnet.com.c4fe2ebb";"Found Tracking cookie.Burstnet";"Potentially dangerous object"
"C:\Documents and Settings\Compaq_Owner\Cookies\compaq_owner@casalemedia[1].txt";"Found Tracking cookie.Casalemedia";"Potentially dangerous object"
"C:\Documents and Settings\Compaq_Owner\Cookies\compaq_owner@casalemedia[1].txt:\casalemedia.com.156cbc67";"Found Tracking cookie.Casalemedia";"Potentially dangerous object"
"C:\Documents and Settings\Compaq_Owner\Cookies\compaq_owner@casalemedia[1].txt:\casalemedia.com.1773afc";"Found Tracking cookie.Casalemedia";"Potentially dangerous object"
"C:\Documents and Settings\Compaq_Owner\Cookies\compaq_owner@casalemedia[1].txt:\casalemedia.com.2d37ad26";"Found Tracking cookie.Casalemedia";"Potentially dangerous object"
"C:\Documents and Settings\Compaq_Owner\Cookies\compaq_owner@casalemedia[1].txt:\casalemedia.com.350339d4";"Found Tracking cookie.Casalemedia";"Potentially dangerous object"
"C:\Documents and Settings\Compaq_Owner\Cookies\compaq_owner@casalemedia[1].txt:\casalemedia.com.3a28db8d";"Found Tracking cookie.Casalemedia";"Potentially dangerous object"
"C:\Documents and Settings\Compaq_Owner\Cookies\compaq_owner@casalemedia[1].txt:\casalemedia.com.650648e8";"Found Tracking cookie.Casalemedia";"Potentially dangerous object"
"C:\Documents and Settings\Compaq_Owner\Cookies\compaq_owner@casalemedia[1].txt:\casalemedia.com.80ad4799";"Found Tracking cookie.Casalemedia";"Potentially dangerous object"
"C:\Documents and Settings\Compaq_Owner\Cookies\compaq_owner@casalemedia[1].txt:\casalemedia.com.8c65eddd";"Found Tracking cookie.Casalemedia";"Potentially dangerous object"
"C:\Documents and Settings\Compaq_Owner\Cookies\compaq_owner@casalemedia[1].txt:\casalemedia.com.987e6b46";"Found Tracking cookie.Casalemedia";"Potentially dangerous object"
"C:\Documents and Settings\Compaq_Owner\Cookies\compaq_owner@casalemedia[3].txt";"Found Tracking cookie.Casalemedia";"Potentially dangerous object"
"C:\Documents and Settings\Compaq_Owner\Cookies\compaq_owner@casalemedia[3].txt:\casalemedia.com.156cbc67";"Found Tracking cookie.Casalemedia";"Potentially dangerous object"
"C:\Documents and Settings\Compaq_Owner\Cookies\compaq_owner@casalemedia[3].txt:\casalemedia.com.1773afc";"Found Tracking cookie.Casalemedia";"Potentially dangerous object"
"C:\Documents and Settings\Compaq_Owner\Cookies\compaq_owner@casalemedia[3].txt:\casalemedia.com.2d37ad26";"Found Tracking cookie.Casalemedia";"Potentially dangerous object"
"C:\Documents and Settings\Compaq_Owner\Cookies\compaq_owner@casalemedia[3].txt:\casalemedia.com.350339d4";"Found Tracking cookie.Casalemedia";"Potentially dangerous object"
"C:\Documents and Settings\Compaq_Owner\Cookies\compaq_owner@casalemedia[3].txt:\casalemedia.com.3a28db8d";"Found Tracking cookie.Casalemedia";"Potentially dangerous object"
"C:\Documents and Settings\Compaq_Owner\Cookies\compaq_owner@casalemedia[3].txt:\casalemedia.com.80ad4799";"Found Tracking cookie.Casalemedia";"Potentially dangerous object"
"C:\Documents and Settings\Compaq_Owner\Cookies\compaq_owner@casalemedia[3].txt:\casalemedia.com.987e6b46";"Found Tracking cookie.Casalemedia";"Potentially dangerous object"
"C:\Documents and Settings\Compaq_Owner\Cookies\compaq_owner@casalemedia[3].txt:\casalemedia.com.e1f88397";"Found Tracking cookie.Casalemedia";"Potentially dangerous object"
"C:\Documents and Settings\Compaq_Owner\Cookies\compaq_owner@doubleclick[1].txt";"Found Tracking cookie.Doubleclick";"Potentially dangerous object"
"C:\Documents and Settings\Compaq_Owner\Cookies\compaq_owner@doubleclick[1].txt:\doubleclick.net.bf396750";"Found Tracking cookie.Doubleclick";"Potentially dangerous object"
"C:\Documents and Settings\Compaq_Owner\Cookies\compaq_owner@doubleclick[2].txt";"Found Tracking cookie.Doubleclick";"Potentially dangerous object"
"C:\Documents and Settings\Compaq_Owner\Cookies\compaq_owner@doubleclick[2].txt:\doubleclick.net.bf396750";"Found Tracking cookie.Doubleclick";"Potentially dangerous object"
"C:\Documents and Settings\Compaq_Owner\Cookies\compaq_owner@hitbox[2].txt";"Found Tracking cookie.Hitbox";"Potentially dangerous object"
"C:\Documents and Settings\Compaq_Owner\Cookies\compaq_owner@hitbox[2].txt:\hitbox.com.2b95f8a3";"Found Tracking cookie.Hitbox";"Potentially dangerous object"
"C:\Documents and Settings\Compaq_Owner\Cookies\compaq_owner@hitbox[2].txt:\hitbox.com.bbf2a6e8";"Found Tracking cookie.Hitbox";"Potentially dangerous object"
"C:\Documents and Settings\Compaq_Owner\Cookies\compaq_owner@ivwbox[2].txt";"Found Tracking cookie.Ivwbox";"Potentially dangerous object"
"C:\Documents and Settings\Compaq_Owner\Cookies\compaq_owner@ivwbox[2].txt:\ivwbox.de.41d82fe2";"Found Tracking cookie.Ivwbox";"Potentially dangerous object"
"C:\Documents and Settings\Compaq_Owner\Cookies\compaq_owner@media.adrevolver[3].txt";"Found Tracking cookie.Adrevolver";"Potentially dangerous object"
"C:\Documents and Settings\Compaq_Owner\Cookies\compaq_owner@media.adrevolver[3].txt:\media.adrevolver.com.2be00b0";"Found Tracking cookie.Adrevolver";"Potentially dangerous object"
"C:\Documents and Settings\Compaq_Owner\Cookies\compaq_owner@media.adrevolver[3].txt:\media.adrevolver.com.7fd89687";"Found Tracking cookie.Adrevolver";"Potentially dangerous object"
"C:\Documents and Settings\Compaq_Owner\Cookies\compaq_owner@media.adrevolver[5].txt";"Found Tracking cookie.Adrevolver";"Potentially dangerous object"
"C:\Documents and Settings\Compaq_Owner\Cookies\compaq_owner@media.adrevolver[5].txt:\media.adrevolver.com.2be00b0";"Found Tracking cookie.Adrevolver";"Potentially dangerous object"
"C:\Documents and Settings\Compaq_Owner\Cookies\compaq_owner@media.adrevolver[5].txt:\media.adrevolver.com.7fd89687";"Found Tracking cookie.Adrevolver";"Potentially dangerous object"
"C:\Documents and Settings\Compaq_Owner\Cookies\compaq_owner@mediaplex[2].txt";"Found Tracking cookie.Mediaplex";"Potentially dangerous object"
"C:\Documents and Settings\Compaq_Owner\Cookies\compaq_owner@mediaplex[2].txt:\mediaplex.com.dc30fb3c";"Found Tracking cookie.Mediaplex";"Potentially dangerous object"
"C:\Documents and Settings\Compaq_Owner\Cookies\compaq_owner@mediaplex[2].txt:\mediaplex.com.f652b123";"Found Tracking cookie.Mediaplex";"Potentially dangerous object"
"C:\Documents and Settings\Compaq_Owner\Cookies\compaq_owner@msnportal.112.2o7[2].txt";"Found Tracking cookie.2o7";"Potentially dangerous object"
"C:\Documents and Settings\Compaq_Owner\Cookies\compaq_owner@msnportal.112.2o7[2].txt:\msnportal.112.2o7.net.7225be6f";"Found Tracking cookie.2o7";"Potentially dangerous object"
"C:\Documents and Settings\Compaq_Owner\Cookies\compaq_owner@msnportal.112.2o7[3].txt";"Found Tracking cookie.2o7";"Potentially dangerous object"
"C:\Documents and Settings\Compaq_Owner\Cookies\compaq_owner@msnportal.112.2o7[3].txt:\msnportal.112.2o7.net.7225be6f";"Found Tracking cookie.2o7";"Potentially dangerous object"
"C:\Documents and Settings\Compaq_Owner\Cookies\compaq_owner@overture[2].txt";"Found Tracking cookie.Overture";"Potentially dangerous object"
"C:\Documents and Settings\Compaq_Owner\Cookies\compaq_owner@overture[2].txt:\overture.com.52ca467a";"Found Tracking cookie.Overture";"Potentially dangerous object"
"C:\Documents and Settings\Compaq_Owner\Cookies\compaq_owner@overture[2].txt:\overture.com.e626e6be";"Found Tracking cookie.Overture";"Potentially dangerous object"
"C:\Documents and Settings\Compaq_Owner\Cookies\compaq_owner@overture[3].txt";"Found Tracking cookie.Overture";"Potentially dangerous object"
"C:\Documents and Settings\Compaq_Owner\Cookies\compaq_owner@overture[3].txt:\overture.com.52ca467a";"Found Tracking cookie.Overture";"Potentially dangerous object"
"C:\Documents and Settings\Compaq_Owner\Cookies\compaq_owner@overture[3].txt:\overture.com.e626e6be";"Found Tracking cookie.Overture";"Potentially dangerous object"
"C:\Documents and Settings\Compaq_Owner\Cookies\compaq_owner@pointroll[1].txt";"Found Tracking cookie.Pointroll";"Potentially dangerous object"
"C:\Documents and Settings\Compaq_Owner\Cookies\compaq_owner@pointroll[1].txt:\pointroll.com.72c0abc9";"Found Tracking cookie.Pointroll";"Potentially dangerous object"
"C:\Documents and Settings\Compaq_Owner\Cookies\compaq_owner@pointroll[1].txt:\pointroll.com.f2d5a6f6";"Found Tracking cookie.Pointroll";"Potentially dangerous object"
"C:\Documents and Settings\Compaq_Owner\Cookies\compaq_owner@pointroll[3].txt";"Found Tracking cookie.Pointroll";"Potentially dangerous object"
"C:\Documents and Settings\Compaq_Owner\Cookies\compaq_owner@pointroll[3].txt:\pointroll.com.72c0abc9";"Found Tracking cookie.Pointroll";"Potentially dangerous object"
"C:\Documents and Settings\Compaq_Owner\Cookies\compaq_owner@pointroll[3].txt:\pointroll.com.f2d5a6f6";"Found Tracking cookie.Pointroll";"Potentially dangerous object"
"C:\Documents and Settings\Compaq_Owner\Cookies\compaq_owner@questionmarket[1].txt";"Found Tracking cookie.Questionmarket";"Potentially dangerous object"
"C:\Documents and Settings\Compaq_Owner\Cookies\compaq_owner@questionmarket[1].txt:\questionmarket.com.3eb5a9f1";"Found Tracking cookie.Questionmarket";"Potentially dangerous object"
"C:\Documents and Settings\Compaq_Owner\Cookies\compaq_owner@questionmarket[1].txt:\questionmarket.com.4dd5e426";"Found Tracking cookie.Questionmarket";"Potentially dangerous object"
"C:\Documents and Settings\Compaq_Owner\Cookies\compaq_owner@questionmarket[1].txt:\questionmarket.com.767e4302";"Found Tracking cookie.Questionmarket";"Potentially dangerous object"
"C:\Documents and Settings\Compaq_Owner\Cookies\compaq_owner@questionmarket[2].txt";"Found Tracking cookie.Questionmarket";"Potentially dangerous object"
"C:\Documents and Settings\Compaq_Owner\Cookies\compaq_owner@questionmarket[2].txt:\questionmarket.com.3eb5a9f1";"Found Tracking cookie.Questionmarket";"Potentially dangerous object"
"C:\Documents and Settings\Compaq_Owner\Cookies\compaq_owner@questionmarket[2].txt:\questionmarket.com.4dd5e426";"Found Tracking cookie.Questionmarket";"Potentially dangerous object"
"C:\Documents and Settings\Compaq_Owner\Cookies\compaq_owner@revsci[1].txt";"Found Tracking cookie.Revsci";"Potentially dangerous object"
"C:\Documents and Settings\Compaq_Owner\Cookies\compaq_owner@revsci[1].txt:\revsci.net.2df99d79";"Found Tracking cookie.Revsci";"Potentially dangerous object"
"C:\Documents and Settings\Compaq_Owner\Cookies\compaq_owner@revsci[1].txt:\revsci.net.44927ec";"Found Tracking cookie.Revsci";"Potentially dangerous object"
"C:\Documents and Settings\Compaq_Owner\Cookies\compaq_owner@revsci[1].txt:\revsci.net.738d89d";"Found Tracking cookie.Revsci";"Potentially dangerous object"
"C:\Documents and Settings\Compaq_Owner\Cookies\compaq_owner@revsci[1].txt:\revsci.net.8642c85d";"Found Tracking cookie.Revsci";"Potentially dangerous object"
"C:\Documents and Settings\Compaq_Owner\Cookies\compaq_owner@revsci[1].txt:\revsci.net.e9dbeb91";"Found Tracking cookie.Revsci";"Potentially dangerous object"
"C:\Documents and Settings\Compaq_Owner\Cookies\compaq_owner@serving-sys[2].txt";"Found Tracking cookie.Serving-sys";"Potentially dangerous object"
"C:\Documents and Settings\Compaq_Owner\Cookies\compaq_owner@serving-sys[2].txt:\serving-sys.com.255d6f2f";"Found Tracking cookie.Serving-sys";"Potentially dangerous object"
"C:\Documents and Settings\Compaq_Owner\Cookies\compaq_owner@serving-sys[2].txt:\serving-sys.com.4b416ef8";"Found Tracking cookie.Serving-sys";"Potentially dangerous object"
"C:\Documents and Settings\Compaq_Owner\Cookies\compaq_owner@serving-sys[2].txt:\serving-sys.com.606c3d3b";"Found Tracking cookie.Serving-sys";"Potentially dangerous object"
"C:\Documents and Settings\Compaq_Owner\Cookies\compaq_owner@serving-sys[2].txt:\serving-sys.com.400f83f";"Found Tracking cookie.Serving-sys";"Potentially dangerous object"
"C:\Documents and Settings\Compaq_Owner\Cookies\compaq_owner@serving-sys[2].txt:\serving-sys.com.6a1cf9e8";"Found Tracking cookie.Serving-sys";"Potentially dangerous object"
"C:\Documents and Settings\Compaq_Owner\Cookies\compaq_owner@serving-sys[2].txt:\serving-sys.com.c9034af6";"Found Tracking cookie.Serving-sys";"Potentially dangerous object"
"C:\Documents and Settings\Compaq_Owner\Cookies\compaq_owner@statse.webtrendslive[1].txt";"Found Tracking cookie.Webtrendslive";"Potentially dangerous object"
"C:\Documents and Settings\Compaq_Owner\Cookies\compaq_owner@statse.webtrendslive[1].txt:\statse.webtrendslive.com.b4ca7df0";"Found Tracking cookie.Webtrendslive";"Potentially dangerous object"
"C:\Documents and Settings\Compaq_Owner\Cookies\compaq_owner@tacoda[2].txt";"Found Tracking cookie.Tacoda";"Potentially dangerous object"
"C:\Documents and Settings\Compaq_Owner\Cookies\compaq_owner@tacoda[2].txt:\tacoda.net.27341d57";"Found Tracking cookie.Tacoda";"Potentially dangerous object"
"C:\Documents and Settings\Compaq_Owner\Cookies\compaq_owner@tacoda[2].txt:\tacoda.net.5935e89";"Found Tracking cookie.Tacoda";"Potentially dangerous object"
"C:\Documents and Settings\Compaq_Owner\Cookies\compaq_owner@tacoda[2].txt:\tacoda.net.c4fe2ebb";"Found Tracking cookie.Tacoda";"Potentially dangerous object"
"C:\Documents and Settings\Compaq_Owner\Cookies\compaq_owner@tacoda[2].txt:\tacoda.net.4366831a";"Found Tracking cookie.Tacoda";"Potentially dangerous object"
"C:\Documents and Settings\Compaq_Owner\Cookies\compaq_owner@tacoda[2].txt:\tacoda.net.cd7ce44f";"Found Tracking cookie.Tacoda";"Potentially dangerous object"
"C:\Documents and Settings\Compaq_Owner\Cookies\compaq_owner@tacoda[2].txt:\tacoda.net.ed9c50d1";"Found Tracking cookie.Tacoda";"Potentially dangerous object"
"C:\Documents and Settings\Compaq_Owner\Cookies\compaq_owner@trafficmp[2].txt";"Found Tracking cookie.Trafficmp";"Potentially dangerous object"
"C:\Documents and Settings\Compaq_Owner\Cookies\compaq_owner@trafficmp[2].txt:\trafficmp.com.2878eb14";"Found Tracking cookie.Trafficmp";"Potentially dangerous object"
"C:\Documents and Settings\Compaq_Owner\Cookies\compaq_owner@trafficmp[2].txt:\trafficmp.com.37644bdb";"Found Tracking cookie.Trafficmp";"Potentially dangerous object"
"C:\Documents and Settings\Compaq_Owner\Cookies\compaq_owner@trafficmp[2].txt:\trafficmp.com.ae53b8b";"Found Tracking cookie.Trafficmp";"Potentially dangerous object"
"C:\Documents and Settings\Compaq_Owner\Cookies\compaq_owner@trafficmp[2].txt:\trafficmp.com.e2e71e33";"Found Tracking cookie.Trafficmp";"Potentially dangerous object"
"C:\Documents and Settings\Compaq_Owner\Cookies\compaq_owner@trafficmp[2].txt:\trafficmp.com.a00e30b4";"Found Tracking cookie.Trafficmp";"Potentially dangerous object"
"C:\Documents and Settings\Compaq_Owner\Cookies\compaq_owner@trafficmp[2].txt:\trafficmp.com.f3e5803e";"Found Tracking cookie.Trafficmp";"Potentially dangerous object"
"C:\Documents and Settings\Compaq_Owner\Cookies\compaq_owner@tribalfusion[1].txt";"Found Tracking cookie.Tribalfusion";"Potentially dangerous object"
"C:\Documents and Settings\Compaq_Owner\Cookies\compaq_owner@tribalfusion[1].txt:\tribalfusion.com.dcc03271";"Found Tracking cookie.Tribalfusion";"Potentially dangerous object"
"C:\Documents and Settings\Compaq_Owner\Cookies\compaq_owner@tribalfusion[3].txt";"Found Tracking cookie.Tribalfusion";"Potentially dangerous object"
"C:\Documents and Settings\Compaq_Owner\Cookies\compaq_owner@tribalfusion[3].txt:\tribalfusion.com.dcc03271";"Found Tracking cookie.Tribalfusion";"Potentially dangerous object"
"C:\Documents and Settings\Compaq_Owner\Cookies\compaq_owner@zedo[2].txt";"Found Tracking cookie.Zedo";"Potentially dangerous object"
"C:\Documents and Settings\Compaq_Owner\Cookies\compaq_owner@zedo[2].txt:\zedo.com.27f1639b";"Found Tracking cookie.Zedo";"Potentially dangerous object"
"C:\Documents and Settings\Compaq_Owner\Cookies\compaq_owner@zedo[2].txt:\zedo.com.c1dd09f2";"Found Tracking cookie.Zedo";"Potentially dangerous object"
"C:\Documents and Settings\Compaq_Owner\Cookies\compaq_owner@zedo[2].txt:\zedo.com.ff8ec9c0";"Found Tracking cookie.Zedo";"Potentially dangerous object"

evilfantasy · 11-13-2009, 04:09 PM

Hello Horchheimer.

Open HijackThis and select Do a system scan only

Place a check mark next to the following entries: (if there)

F2 - REG:system.ini: UserInit=c:\windows\system32\userinit.exe
O18 - Filter hijack: text/html - {c8a4b7ab-4f47-4d2d-930b-fc4b85fcfbb1} - (no file)
O20 - AppInit_DLLs: c:\windows\system32\fepayaju.dll fufalovi.dll wohobiye.dll c:\windows\system32\makizomo.dll
O21 - SSODL: tezizeluy - {0bfa0ecd-360e-4373-bf34-7faca30a668d} - (no file)
O21 - SSODL: bezeyeset - {797f1c19-c194-4333-aa85-a8565f51d20e} - c:\windows\system32\makizomo.dll (file missing)
O22 - SharedTaskScheduler: mujuzedij - {0bfa0ecd-360e-4373-bf34-7faca30a668d} - (no file)
O22 - SharedTaskScheduler: mujuzedij - {797f1c19-c194-4333-aa85-a8565f51d20e} - c:\windows\system32\makizomo.dll (file missing)

Important: Close all open windows except for HijackThis and then click Fix checked.

Once completed, exit HijackThis.

----------

If you already have ComboFix be sure to delete it and download a new copy.

Download ComboFix© by sUBs from one of the below links. Be sure top save it to the Desktop.

Link #1
Link #2

**Note: It is important that it is saved directly to your Desktop

Close any open Web browsers. (Firefox, Internet Explorer, etc) before starting ComboFix.

Temporarily disable your antivirus and any antispyware real time protection before performing a scan. Click this link to see a list of security programs that should be disabled and how to disable them.

Double click combofix.exe & follow the prompts.
Vista users Right-Click on ComboFix.exe and select Run as administrator (you will receive a UAC prompt, please allow it)
When finished ComboFix will produce a log for you.
Post the ComboFix log in your next reply.

Important: Do not mouseclick ComboFix's window while it is running. That may cause it to stall.

Remember to re-enable your antivirus and antispyware protection when ComboFix is complete.

If you have problems with ComboFix usage, see How to use ComboFix

Horchheimer · 11-13-2009, 06:34 PM

Thanks evilfantasy. Please feel free to call me Kurt.

I cleared out those things you told me to that were in my HJT log. I also disabled everything that I thought was turned on (I've downloaded a lot of different spyware/virus programs in the past, and can't be 100% sure if they were all turned off).

I also ran the ComboFix and am posting my log. Just an FYI, when it was done, I had an error window pop up that said the following.

MBAM.EXE - unable to load compontent

This application failed to start because MSVBVM60.DLL was not found. Reinstalling the application may fix this problem.

And the log

ComboFix 09-11-13.06 - Compaq_Owner 11/13/2009 17:44.1.1 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.447.137 [GMT -5:00]
Running from: c:\documents and settings\Compaq_Owner\Desktop\ComboFix.exe
AV: AVG Anti-Virus Free *On-access scanning disabled* (Updated) {17DDD097-36FF-435F-9E1B-52D74245D6BF}
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\documents and settings\Compaq_Owner\Application Data\evahal.inf
c:\documents and settings\Compaq_Owner\Cookies\codyhebof.inf
c:\documents and settings\Compaq_Owner\Cookies\sowubi._dl
c:\documents and settings\Compaq_Owner\Cookies\ukegomoq.vbs
c:\program files\Shared
c:\windows\ewyxyqiqig._sy
c:\windows\patch.exe
c:\windows\system\msvbvm60.dll
c:\windows\system32\icalc32.exe.tmp
c:\windows\system32\open.ico
c:\windows\system32\Process.exe
c:\windows\system32\ps2.bat

c:\windows\system32\proquota.exe was missing
Restored copy from - c:\windows\ServicePackFiles\i386\proquota.exe

.
((((((((((((((((((((((((( Files Created from 2009-10-13 to 2009-11-13 )))))))))))))))))))))))))))))))
.

2009-11-13 22:55 . 2008-04-14 00:12 50176 -c--a-w- c:\windows\system32\dllcache\proquota.exe
2009-11-13 22:55 . 2008-04-14 00:12 50176 ----a-w- c:\windows\system32\proquota.exe
2009-11-13 00:23 . 2009-11-13 18:44 -------- d-----w- c:\windows\LastGood.Tmp
2009-11-12 00:01 . 2009-11-12 00:01 117760 ----a-w- c:\documents and settings\Compaq_Owner\Application Data\SUPERAntiSpyware.com\SUPERAntiSpyware\SDDLLS\UIREPAIR.DLL
2009-11-11 23:58 . 2009-11-11 23:58 -------- d-----w- c:\program files\Common Files\Wise Installation Wizard
2009-11-10 21:44 . 2009-06-30 14:37 28552 ----a-w- c:\windows\system32\drivers\pavboot.sys
2009-10-27 03:52 . 2009-10-27 03:52 -------- d-----w- c:\documents and settings\Compaq_Owner\Application Data\Nitro PDF
2009-10-27 03:50 . 2009-09-15 14:16 17728 ----a-w- c:\windows\system32\nitrolocalui.dll
2009-10-27 03:50 . 2009-09-15 14:15 26432 ----a-w- c:\windows\system32\nitrolocalmon.dll
2009-10-27 03:49 . 2009-10-27 03:49 -------- d-----w- c:\documents and settings\All Users\Application Data\Nitro PDF
2009-10-27 03:49 . 2009-10-27 03:49 -------- d-----w- c:\program files\Common Files\Nitro PDF
2009-10-27 03:48 . 2009-10-27 03:48 -------- d-----w- c:\program files\Nitro PDF
2009-10-27 03:45 . 2009-10-27 03:45 -------- d-----w- c:\documents and settings\Compaq_Owner\Application Data\Downloaded Installations

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-11-13 22:59 . 2008-11-29 06:38 -------- d-----w- c:\program files\DNA
2009-11-13 22:59 . 2008-11-29 06:38 -------- d-----w- c:\documents and settings\Compaq_Owner\Application Data\DNA
2009-11-11 23:59 . 2008-09-12 01:28 -------- d-----w- c:\program files\SUPERAntiSpyware
2009-11-11 23:58 . 2008-09-12 01:28 -------- d-----w- c:\documents and settings\Compaq_Owner\Application Data\SUPERAntiSpyware.com
2009-11-11 23:56 . 2008-09-11 23:13 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2009-11-08 14:51 . 2008-09-28 16:58 -------- d-----w- c:\documents and settings\All Users\Application Data\avg8
2009-10-11 15:08 . 2009-05-14 19:32 -------- d-----w- c:\program files\Verizon
2009-10-11 00:37 . 2009-10-11 00:37 -------- d-----w- c:\documents and settings\Compaq_Owner\Application Data\GARMIN
2009-10-11 00:36 . 2009-10-11 00:36 -------- d-----w- c:\program files\Garmin GPS Plugin
2009-10-11 00:36 . 2009-10-11 00:36 -------- d-----w- c:\program files\DIFX
2009-10-11 00:36 . 2009-10-11 00:36 -------- d-----w- c:\program files\Garmin
2009-10-04 16:47 . 2009-10-04 16:46 -------- d-----w- c:\documents and settings\Compaq_Owner\Application Data\DivX
2009-10-04 16:45 . 2005-03-10 01:30 -------- d-----w- c:\program files\DivX
2009-10-04 16:43 . 2009-10-04 16:42 -------- d-----w- c:\program files\Common Files\DivX Shared
2009-09-24 05:01 . 2009-09-24 05:01 19362 ----a-w- c:\documents and settings\Compaq_Owner\Application Data\ranoruna.bin
2009-09-24 05:01 . 2009-09-24 05:01 18143 ----a-w- c:\windows\system32\hajyv.bin
2009-09-24 05:01 . 2009-09-24 05:01 16246 ----a-w- c:\documents and settings\Compaq_Owner\Local Settings\Application Data\atyle.sys
2009-09-24 05:01 . 2009-09-24 05:01 12920 ----a-w- c:\program files\Common Files\hyjer.bin
2009-09-15 14:17 . 2009-09-15 14:17 61760 ----a-w- c:\windows\system32\ASTSRV.EXE
2009-09-11 14:18 . 2004-08-09 04:28 136192 ----a-w- c:\windows\system32\msv1_0.dll
2009-09-10 19:54 . 2008-09-11 23:13 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2009-09-10 19:53 . 2008-09-11 23:13 19160 ----a-w- c:\windows\system32\drivers\mbam.sys
2009-09-04 21:03 . 2004-08-09 04:28 58880 ----a-w- c:\windows\system32\msasn1.dll
2009-08-29 08:08 . 2004-08-09 04:28 916480 ----a-w- c:\windows\system32\wininet.dll
2009-08-26 08:00 . 2004-08-09 04:29 247326 ----a-w- c:\windows\system32\strmdll.dll
2009-08-24 11:54 . 2009-08-24 11:54 152576 ----a-w- c:\documents and settings\Compaq_Owner\Application Data\Sun\Java\jre1.6.0_15\lzma.dll
2009-08-17 12:09 . 2008-09-28 16:59 11952 ----a-w- c:\windows\system32\avgrsstx.dll
2009-08-17 12:09 . 2008-09-28 16:58 335240 ----a-w- c:\windows\system32\drivers\avgldx86.sys
2009-08-17 12:09 . 2008-09-28 16:58 27784 ----a-w- c:\windows\system32\drivers\avgmfx86.sys
2009-08-16 11:23 . 2005-03-21 03:14 74808 ----a-w- c:\documents and settings\Compaq_Owner\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2009-05-01 21:02 . 2009-05-01 21:02 1044480 ----a-w- c:\program files\mozilla firefox\plugins\libdivx.dll
2009-05-01 21:02 . 2009-05-01 21:02 200704 ----a-w- c:\program files\mozilla firefox\plugins\ssldivx.dll
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"BitTorrent DNA"="c:\program files\DNA\btdna.exe" [2009-11-07 323392]
"NoAds"="c:\program files\NoAds\NoAds.exe" [2009-01-24 122880]
"SUPERAntiSpyware"="c:\program files\SUPERAntiSpyware\SUPERAntiSpyware.exe" [2009-10-13 2000112]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"KBD"="c:\hp\KBD\KBD.EXE" [2003-02-12 61440]
"PS2"="c:\windows\system32\ps2.exe" [2003-09-13 98304]
"Motive SmartBridge"="c:\progra~1\VERIZO~1\SMARTB~1\MotiveSB.exe" [2002-05-18 327680]
"EPSON Stylus CX3800 Series"="c:\windows\System32\spool\DRIVERS\W32X86\3\E_FATIACA.EXE" [2005-02-07 98304]
"Windows Defender"="c:\program files\Windows Defender\MSASCui.exe" [2006-11-03 866584]
"AVG8_TRAY"="c:\progra~1\AVG\AVG8\avgtray.exe" [2009-11-02 2028312]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2009-04-02 148888]
"RoxWatchTray"="c:\program files\Common Files\Roxio Shared\9.0\SharedCOM\RoxWatchTray9.exe" [2007-08-16 236016]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2009-01-05 413696]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2009-04-02 342312]
"Verizon_McciTrayApp"="c:\program files\Verizon\McciTrayApp.exe" [2009-03-10 1553920]
"Malwarebytes Anti-Malware (reboot)"="c:\program files\Malwarebytes' Anti-Malware\mbam.exe" [2009-09-10 1312080]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"DWQueuedReporting"="c:\progra~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" [2007-03-13 39264]

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "c:\program files\SUPERAntiSpyware\SASSEH.DLL" [2008-05-13 77824]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
2009-09-03 20:21 548352 ----a-w- c:\program files\SUPERAntiSpyware\SASWINLO.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\avgrsstarter]
2009-08-17 12:09 11952 ----a-w- c:\windows\system32\avgrsstx.dll

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WinDefend]
@="Service"

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Cisco Systems VPN Client.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Cisco Systems VPN Client.lnk
backup=c:\windows\pss\Cisco Systems VPN Client.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Compaq Connections.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Compaq Connections.lnk
backup=c:\windows\pss\Compaq Connections.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Logitech SetPoint.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Logitech SetPoint.lnk
backup=c:\windows\pss\Logitech SetPoint.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Reality Fusion GameCam SE.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Reality Fusion GameCam SE.lnk
backup=c:\windows\pss\Reality Fusion GameCam SE.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Verizon Online Support Center.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Verizon Online Support Center.lnk
backup=c:\windows\pss\Verizon Online Support Center.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"SvcProc"=2 (0x2)
"ose"=3 (0x3)
"MDM"=2 (0x2)
"iPodService"=3 (0x3)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\DNA\\btdna.exe"=
"c:\\Program Files\\BitTorrent\\bittorrent.exe"=
"c:\\Program Files\\mIRC\\mirc.exe"=
"c:\\Program Files\\LimeWire\\LimeWire.exe"=
"c:\\Program Files\\MSN Messenger\\msnmsgr.exe"=
"c:\\Program Files\\MSN Messenger\\msncall.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\\Program Files\\Mozilla Firefox\\firefox.exe"=
"c:\\Program Files\\AVG\\AVG8\\avgtray.exe"=

R0 pavboot;pavboot;c:\windows\system32\drivers\pavboot.sys [11/10/2009 4:44 PM 28552]
R1 AvgLdx86;AVG Free AVI Loader Driver x86;c:\windows\system32\drivers\avgldx86.sys [9/28/2008 11:58 AM 335240]
R1 AvgTdiX;AVG Free8 Network Redirector;c:\windows\system32\drivers\avgtdix.sys [9/28/2008 11:59 AM 108552]
R1 SASDIFSV;SASDIFSV;c:\program files\SUPERAntiSpyware\sasdifsv.sys [10/12/2009 9:24 PM 9968]
R1 SASKUTIL;SASKUTIL;c:\program files\SUPERAntiSpyware\SASKUTIL.SYS [10/12/2009 9:24 PM 74480]
R2 avg8emc;AVG Free8 E-mail Scanner;c:\progra~1\AVG\AVG8\avgemc.exe [9/28/2008 11:58 AM 908056]
R2 avg8wd;AVG Free8 WatchDog;c:\progra~1\AVG\AVG8\avgwdsvc.exe [9/28/2008 11:58 AM 297752]
R2 eSpecBny;eSpecBny;c:\windows\system32\drivers\eSpecBny.sys [4/16/2005 10:17 PM 12768]
R2 NitroDriverReadSpool;NitroPDFDriverCreatorReadSpool;c:\program files\Nitro PDF\Professional\NitroPDFDriverService.exe [9/15/2009 9:20 AM 188736]
R3 SASENUM;SASENUM;c:\program files\SUPERAntiSpyware\SASENUM.SYS [10/12/2009 9:24 PM 7408]
S2 WinDefend;Windows Defender;c:\program files\Windows Defender\MsMpEng.exe [11/3/2006 6:19 PM 13592]
S3 QCEmerald;Logitech QuickCam Web;c:\windows\system32\drivers\OVCE.sys [8/11/2006 11:17 PM 31872]

--- Other Services/Drivers In Memory ---

*NewlyCreated* - MBR
*Deregistered* - mbr
.
Contents of the 'Scheduled Tasks' folder

2009-11-12 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 16:34]

2009-11-12 c:\windows\Tasks\User_Feed_Synchronization-{FA52ACB5-D121-48F9-A804-19D062F7D852}.job
- c:\windows\system32\msfeedssync.exe [2006-10-17 08:31]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.sovereignbank.com/default.asp
uDefault_Search_URL = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iesearch&locale=EN_US&c=Q404&bd=presario&pf=desktop
mSearch Bar = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iesearch&locale=EN_US&c=Q404&bd=presario&pf=desktop
uInternet Connection Wizard,ShellNext = iexplore
uInternet Settings,ProxyOverride = 127.0.0.1;*.local
IE: E&xport to Microsoft Excel - c:\progra~1\MI1933~1\OFFICE11\EXCEL.EXE/3000
DPF: Microsoft XML Parser for Java - file://c:\windows\Java\classes\xmldso.cab
FF - ProfilePath - c:\documents and settings\Compaq_Owner\Application Data\Mozilla\Firefox\Profiles\8wu5bpzd.default\
FF - prefs.js: browser.startup.homepage - Star Wars Combine - Free Online Role-Playing Simulation Game
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\
.
- - - - ORPHANS REMOVED - - - -

Toolbar-SITEguard - (no file)
HKLM-Run-VTTimer - VTTimer.exe
Notify-WgaLogon - (no file)

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, GMER - Rootkit Detector and Remover
Rootkit scan 2009-11-13 18:01
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************

Stealth MBR rootkit/Mebroot/Sinowal detector 0.3.7 by Gmer, GMER - Rootkit Detector and Remover

device: opened successfully
user: MBR read successfully
called modules: ntoskrnl.exe CLASSPNP.SYS disk.sys ACPI.sys hal.dll >>UNKNOWN [0x84CA9A80]<<
kernel: MBR read successfully
detected MBR rootkit hooks:
\Driver\atapi -> 0x84ca9a80
Warning: possible MBR rootkit infection !
user & kernel MBR OK
Use "Recovery Console" command "fixmbr" to clear infection !

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(828)
c:\program files\SUPERAntiSpyware\SASWINLO.dll
c:\windows\system32\WININET.dll

- - - - - - - > 'explorer.exe'(1768)
c:\windows\system32\WININET.dll
c:\program files\NoAds\NoAds.dll
c:\progra~1\WINDOW~2\wmpband.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\webcheck.dll
.
------------------------ Other Running Processes ------------------------
.
c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
c:\windows\system32\ASTSRV.EXE
c:\program files\Bonjour\mDNSResponder.exe
c:\program files\Cisco Systems\VPN Client\cvpnd.exe
c:\program files\Java\jre6\bin\jqs.exe
c:\program files\Common Files\Motive\McciCMService.exe
c:\progra~1\AVG\AVG8\avgrsx.exe
c:\progra~1\AVG\AVG8\avgnsx.exe
c:\windows\system32\wdfmgr.exe
c:\program files\AVG\AVG8\avgcsrvx.exe
c:\program files\iPod\bin\iPodService.exe
c:\windows\system32\wscntfy.exe
.
**************************************************************************
.
Completion time: 2009-11-13 18:13 - machine was rebooted
ComboFix-quarantined-files.txt 2009-11-13 23:13

Pre-Run: 79,441,772,544 bytes free
Post-Run: 79,165,968,384 bytes free

Current=3 Default=3 Failed=1 LastKnownGood=4 Sets=,1,2,3,4
- - End Of File - - FA4AA66C85744D4256606DCB6D41D30D

evilfantasy · 11-13-2009, 06:39 PM

Quote:

MBAM.EXE - unable to load compontent

This application failed to start because MSVBVM60.DLL was not found. Reinstalling the application may fix this problem.

That's Malwarebytes. You may need to reinstall it.

Open HijackThis and select Do a system scan only

Place a check mark next to the following entries: (if there)

- O4 - HKLM\..\Run: [Malwarebytes Anti-Malware (reboot)] "C:\Program Files\Malwarebytes' Anti-Malware\mbam.exe" /runcleanupscript

Important: Close all open windows except for HijackThis and then click Fix checked.

Once completed, exit HijackThis.

----------

Download the MBR Rootkit Detector to your desktop.

* Doubleclick mbr.exe and follow prompts.
* A black DOS window will quickly appear then disappear.
* When mbr.exe is finished it will create a log on your desktop.
* Copy and paste contents of that log file to your next reply.

Horchheimer · 11-13-2009, 07:30 PM

I'm unable to fire off HJT

HijackThis.EXE - unable to load component

This application failed to start because MSVBVM60.DLL was not found. Reinstalling the application may fix this problem.

I'm also unable to uninstall or reinstall Malwarebytes due to the same error message.

Should I attempt the MBR Rootkit Detector still?

evilfantasy · 11-13-2009, 07:35 PM

Go ahead and run MBR and post the log. Let's take care of that first.

Horchheimer · 11-13-2009, 07:39 PM

Stealth MBR rootkit/Mebroot/Sinowal detector 0.3.7 by Gmer, GMER - Rootkit Detector and Remover

device: opened successfully
user: MBR read successfully
kernel: MBR read successfully
user & kernel MBR OK

evilfantasy · 11-13-2009, 07:41 PM

Try this. Restart the computer when it's done and try HijackThis again.

Reinstall the Microsoft VB6 Runtime components. Download them here: Download VB6 Runtimes

Horchheimer · 11-13-2009, 07:57 PM

ok, restarted, tried it again, didn't work. I reinstalled the VB6 componets, rebooted, and was able to fire off HJT and clear out that one line. Here's the newest log...

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 7:58:57 PM, on 11/13/2009
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v8.00 (8.00.6001.18702)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\HP\KBD\KBD.EXE
C:\PROGRA~1\VERIZO~1\SMARTB~1\MotiveSB.exe
C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_FATIACA.EXE
C:\PROGRA~1\AVG\AVG8\avgtray.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\WINDOWS\system32\ASTSRV.EXE
C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
C:\Program Files\Verizon\McciTrayApp.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\DNA\btdna.exe
C:\Program Files\NoAds\NoAds.exe
C:\Program Files\Cisco Systems\VPN Client\cvpnd.exe
C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
C:\WINDOWS\system32\ctfmon.exe
C:\PROGRA~1\AVG\AVG8\avgrsx.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\PROGRA~1\AVG\AVG8\avgnsx.exe
C:\Program Files\Common Files\Motive\McciCMService.exe
C:\Program Files\Nitro PDF\Professional\NitroPDFDriverService.exe
C:\WINDOWS\system32\svchost.exe
C:\PROGRA~1\AVG\AVG8\avgemc.exe
C:\Program Files\AVG\AVG8\avgcsrvx.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
C:\WINDOWS\System32\svchost.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = Advertising Your Business with Yahoo! Search Marketing
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = Personal Banking | Sovereign Bank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = MSN.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = Bing
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = Advertising Your Business with Yahoo! Search Marketing
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = Bing
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = MSN.com
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1;*.local
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: AVG Safe Search - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Program Files\AVG\AVG8\avgssie.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O4 - HKLM\..\Run: [KBD] C:\HP\KBD\KBD.EXE
O4 - HKLM\..\Run: [PS2] C:\WINDOWS\system32\ps2.exe
O4 - HKLM\..\Run: [Motive SmartBridge] C:\PROGRA~1\VERIZO~1\SMARTB~1\MotiveSB.exe
O4 - HKLM\..\Run: [EPSON Stylus CX3800 Series] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_FATIACA.EXE /P26 "EPSON Stylus CX3800 Series" /O6 "USB001" /M "Stylus CX3800"
O4 - HKLM\..\Run: [Windows Defender] "C:\Program Files\Windows Defender\MSASCui.exe" -hide
O4 - HKLM\..\Run: [AVG8_TRAY] C:\PROGRA~1\AVG\AVG8\avgtray.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"
O4 - HKLM\..\Run: [RoxWatchTray] "C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxWatchTray9.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [Verizon_McciTrayApp] "C:\Program Files\Verizon\McciTrayApp.exe"
O4 - HKCU\..\Run: [BitTorrent DNA] "C:\Program Files\DNA\btdna.exe"
O4 - HKCU\..\Run: [NoAds] "C:\Program Files\NoAds\NoAds.exe"
O4 - HKCU\..\Run: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKUS\S-1-5-18\..\Run: [DWQueuedReporting] "C:\PROGRA~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" -t (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [DWQueuedReporting] "C:\PROGRA~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" -t (User 'Default user')
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MI1933~1\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {01113300-3E00-11D2-8470-0060089874ED} (Support.com Configuration Class) - https://activatemyfios.verizon.net/s...0Installer.cab
O16 - DPF: {04E214E5-63AF-4236-83C6-A7ADCBF9BD02} (HouseCall Control) - http://housecall60.trendmicro.com/housecall/xscan60.cab
O16 - DPF: {14B87622-7E19-4EA8-93B3-97215F77A6BC} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary...t.cab31267.cab
O16 - DPF: {215B8138-A3CF-44C5-803F-8226143CFC0A} (Trend Micro ActiveX Scan Agent 6.6) - http://housecall65.trendmicro.com/ho...vex/hcImpl.cab
O16 - DPF: {2D8ED06D-3C30-438B-96AE-4D110FDC1FB8} (ActiveScan 2.0 Installer Class) - http://acs.pandasoftware.com/actives.../as2stubie.cab
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://by112fd.bay112.hotmail.msn.co...s/MsnPUpld.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/microsof...?1195331261796
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsof...?1195331236187
O16 - DPF: {6E5A37BF-FD42-463A-877C-4EB7002E68AE} (Housecall ActiveX 6.5) - http://housecall65.trendmicro.com/ho...vex/hcImpl.cab
O16 - DPF: {6E5E167B-1566-4316-B27F-0DDAB3484CF7} (Image Uploader Control) - http://www.dotphoto.com/ImageUploader4.cab
O16 - DPF: {6F750200-1362-4815-A476-88533DE61D0C} (Ofoto Upload Manager Class) - http://www.kodakgallery.com/download...1/axofupld.cab
O16 - DPF: {8714912E-380D-11D5-B8AA-00D0B78F3D48} (Yahoo! Webcam Upload Wrapper) - http://chat.yahoo.com/cab/yuplapp.cab
O16 - DPF: {8FD68625-2346-418A-8899-67CB36B1917F} (McciSM Class) - http://supportcenter.verizon.net/euserv/jsp/VOLAWeb.cab
O16 - DPF: {9191F686-7F0A-441D-8A98-2FE3AC1BD913} (ActiveScan 2.0 Installer Class) - http://acs.pandasoftware.com/actives.../as2stubie.cab
O16 - DPF: {9600F64D-755F-11D4-A47F-0001023E6D5A} (Shutterfly Picture Upload Plugin) - http://web1.shutterfly.com/downloads/Uploader.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/actives...ree/asinst.cab
O16 - DPF: {B1826A9F-4AA0-4510-BA77-9013E74E4B9B} - Free Antivirus Tools - Trend Micro USA
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (ZoneIntro Class) - http://messenger.zone.msn.com/binary...o.cab32846.cab
O16 - DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - http://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
O16 - DPF: {FE0BD779-44EE-4A4B-AA2E-743C63F2E5E6} (IWinAmpActiveX Class) - http://pdl.stream.aol.com/downloads/...ampx_en_dl.cab
O16 - DPF: {FE5B9F54-7764-4C01-89F0-4862601EE954} (DigWebHelper Class) - http://photos.msn.com/resources/neut...cab?10,0,910,0
O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files\AVG\AVG8\avgpp.dll
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O20 - Winlogon Notify: avgrsstarter - C:\WINDOWS\SYSTEM32\avgrsstx.dll
O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: AST Service (astcc) - Nalpeiron Ltd. - C:\WINDOWS\system32\ASTSRV.EXE
O23 - Service: AVG Free8 E-mail Scanner (avg8emc) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgemc.exe
O23 - Service: AVG Free8 WatchDog (avg8wd) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: Cisco Systems, Inc. VPN Service (CVPND) - Cisco Systems, Inc. - C:\Program Files\Cisco Systems\VPN Client\cvpnd.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: McciCMService - Motive Communications, Inc. - C:\Program Files\Common Files\Motive\McciCMService.exe
O23 - Service: NitroPDFDriverCreatorReadSpool (NitroDriverReadSpool) - Nitro PDF Software - C:\Program Files\Nitro PDF\Professional\NitroPDFDriverService.exe
O23 - Service: Roxio UPnP Renderer 9 - Sonic Solutions - C:\Program Files\Roxio\Digital Home 9\RoxioUPnPRenderer9.exe
O23 - Service: Roxio Upnp Server 9 - Sonic Solutions - C:\Program Files\Roxio\Digital Home 9\RoxioUpnpService9.exe
O23 - Service: LiveShare P2P Server 9 (RoxLiveShare9) - Sonic Solutions - C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxLiveShare9.exe
O23 - Service: RoxMediaDB9 - Sonic Solutions - C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxMediaDB9.exe
O23 - Service: Roxio Hard Drive Watcher 9 (RoxWatch9) - Sonic Solutions - C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxWatch9.exe

--
End of file - 11053 bytes

evilfantasy · 11-13-2009, 08:01 PM

Missed something.

Download Disable/Remove Windows Messenger to the desktop to remove Windows Messenger.

Do not confuse Windows Messenger with MSN Messenger because they are not the same. Windows Messenger is a frequent cause of popups.

Unzip the file on the desktop. Open the MessengerDisable.exe and choose the bottom box - Uninstall Windows Messenger and click Apply.

Exit out of MessengerDisable then delete the two files that were put on the desktop.

----------

How is the computer running now?