
Malwarebytes, Avira and Panda will not start or update



Help!

Malwarebytes hangs up at starting to scan and will not exit without turning off the computer. Won't progress at all - even if left alone for 48 hours. It also will not update.

HijackThis has stalled during installation - the top of the screen says O4 - Registry & Start Menu autoruns...... The blue bar is about 80% across.

Avira will not update or run.

Panda Active Scan will not run. Nor will their Antivirus 2009.

Spybot does update and run - keeps finding Virtumonde - which I delete and restart the computer.

Other programs often do not load or run.

The internet is running very slowly and the toolbar at the bottom of the screen often disappears and the computer must be rebooted to restore.

Please let me know if you need any further information and what I should do.

Thanks a million!!


  • Root Admin

Okay if MBAM won't run please take a look at the following posts and see if they help or not.

Potential Malware infection issues to review to get MBAM running

If that does not work then please try this.

Small util to randomize the name of MBAM.EXE

randmbam.exe

Post back and let me know how it goes.


I tried all of that.

Nothing worked.

I was not sure about the rootrepeal so the generated log is:

ROOTREPEAL © AD, 2007-2008

==================================================

Scan Time: 2009/05/20 14:55

Program Version: Version 1.2.3.0

Windows Version: Windows XP SP2

==================================================

Hidden/Locked Files

-------------------

Path: Volume C:\

Status: MBR Rootkit Detected!

Path: C:\hiberfil.sys

Status: Locked to the Windows API!

Path: C:\Documents and Settings\KLO.IPLS\Local Settings\Temp\etilqs_eupI3vzDlTUMWIa4LeG0

Status: Allocation size mismatch (API: 65536, Raw: 0)

Path: C:\Documents and Settings\KLO.IPLS\Local Settings\Temp\plugtmp-154\plugin-gameEnd.xml

Status: Visible to the Windows API, but not on disk.

Path: C:\Documents and Settings\KLO.IPLS\Local Settings\Temporary Internet Files\Content.IE5\3YKFJ5WP\=25;S=245;B=1;B=26;B=73;B=100;VS=3;dir=newsnode;dir=news;kw=emailsend;pos=ad2;sz=728x90;ad=lb;rs=10020;rs=10086;rss=n;poe=no;page=section;tile=2;ord=110695389214264690

Status: Locked to the Windows API!

Path: C:\Documents and Settings\KLO.IPLS\Local Settings\Temporary Internet Files\Content.IE5\9FBZX102\activity;src=916414;met=1;v=1;pid=12847824;aid=29252626;ko=0;cid=15533393;rid=15551289;rv=1;&timestamp=1143422818227;eid1=2;ecn1=1;etm1=6;eid2=1004;ecn2=1;etm2[1].gif

Status: Locked to the Windows API!

Path: C:\Documents and Settings\KLO.IPLS\Local Settings\Temporary Internet Files\Content.IE5\FY0739CH\holiday_Lenox_W0QQcatrefZC6QQcoactionZcompareQQcoentrypageZsearchQQcopagenumZ1QQfromZR10QQfrtsZ50QQfsooZ1QQfsopZ1QQftrtZ1QQftrvZ1QQftsZ2QQsacatZ92QQsaprchiZQQs[1].htm

Status: Locked to the Windows API!

Path: C:\Documents and Settings\KLO.IPLS\Local Settings\Temporary Internet Files\Content.IE5\I1XI7ID4\F;F=74;G=2;S=25;S=245;B=1;B=26;B=73;B=100;VS=3;dir=stylenode;dir=style;kw=usl_446;pos=ad7;sz=446x33;ad=fb;rs=98;rss=n;poe=no;page=section;tile=7;ord=911803494365706500

Status: Locked to the Windows API!

Path: C:\Documents and Settings\KLO.IPLS\Local Settings\Temporary Internet Files\Content.IE5\JN6JCYBA\activity;src=1125536;met=1;v=1;pid=12920031;aid=30680943;ko=0;cid=15814753;rid=15832648;rv=1;&timestamp=1144775938342;eid1=2;ecn1=0;etm1=6;eid2=3;ecn2=1;etm2=2[1].gif

Status: Locked to the Windows API!

Path: C:\Documents and Settings\KLO.IPLS\Local Settings\Temporary Internet Files\Content.IE5\Q7QZM1MV\161.com%2Fdictionary%2Fmockup&color_line=ff0000&kw_type=broad&kw=mock-up&ad_type=text_image&u_h=1024&u_w=1280&u_ah=994&u_aw=1280&u_cd=32&u_tz=-300&u_his=14&u_java=true

Status: Locked to the Windows API!

Path: C:\Documents and Settings\KLO.IPLS\Local Settings\Temporary Internet Files\Content.IE5\S103OFOJ\cream-soup_Lenox_W0QQcatrefZC6QQcoactionZcompareQQcoentrypageZsearchQQcoitemZ7392020687QQcopagenumZ1QQfromZR10QQfrtsZ50QQfsooZ1QQfsopZ1QQftrtZ1QQftrvZ1QQftsZ2Q[1].htm

Status: Locked to the Windows API!

Path: C:\Documents and Settings\KLO.IPLS\Local Settings\Temporary Internet Files\Content.IE5\YD9YJIXW\cream-soup_Lenox_W0QQcatrefZC6QQcoactionZcompareQQcoentrypageZsearchQQcoitemZ7392020687QQcopagenumZ1QQfrisZ2QQfromZR10QQfsooZ1QQfsopZ1QQftrtZ1QQftrvZ1QQftsZ2QQ[1].htm

Status: Locked to the Windows API!

Path: C:\Documents and Settings\KLO.IPLS\Local Settings\Temporary Internet Files\Content.IE5\YD9YJIXW\mansfield_Pottery-Glass_W0QQcatrefZC6QQcoactionZcompareQQcoentrypageZsearchQQcopagenumZ1QQfromZR10QQfrtsZ50QQfsooZ1QQfsopZ1QQftrtZ1QQftrvZ1QQftsZ2QQsacatZ870QQ[1].htm

Status: Locked to the Windows API!

Path: C:\Documents and Settings\KLO.IPLS\Local Settings\Temporary Internet Files\Content.IE5\YD9YJIXW\Type=click&FlightID=8874&AdID=13301&TargetID=1698&Segments=8,100,105,133,277,292,329,532,716,769,899,1037,1509,1576,1645&Targets=1295,1037,1698,678,1280,877,12[1].htm

Status: Locked to the Windows API!

Path: C:\Documents and Settings\KLO.IPLS\Local Settings\Temporary Internet Files\Content.IE5\YQRXQMHV\Type=click&FlightID=8952&AdID=13263&TargetID=1254&Segments=5,8,21,100,105,106,164,252,268,329,627,714,898,1039,1360,1402,1404,1450,1464,1567,1569,1576,1640,166[1].htm

Status: Locked to the Windows API!

Is something in there that I am missing?

Any other ideas??

FYI Malware is hanging up at 3 seconds - when it is enumerating the registry in preparation for the scan. When I initially opened the randomizer file Malware started immediately before I could close any programs and it got to 4 seconds before it went totally blank.

Thanks!

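The RootRepeal log above is the output of a cross-view check: the scanner lists the volume once through the normal Windows API, which a kernel-mode rootkit can filter, and once by parsing the NTFS structures on the raw disk, then reports every place the two views disagree. The following is an added example of that comparison and of the triage a helper applies to it; it is not RootRepeal's code and not part of the original thread. The two listings are constructed sample data modelled on entries in the posted log, and the file name hidden.sys is hypothetical, used only to show the one status the log does not contain.

```python
from dataclasses import dataclass
from typing import Dict, List, Optional


@dataclass(frozen=True)
class Finding:
    path: str
    status: str


# Constructed sample of what the Win32 API reports: path -> allocation size,
# or None when the file is listed but CreateFile() refuses to open it.
API_VIEW: Dict[str, Optional[int]] = {
    r"C:\hiberfil.sys": None,
    r"C:\Documents and Settings\KLO.IPLS\Local Settings\Temp\etilqs_eupI3vzDlTUMWIa4LeG0": 65536,
    r"C:\Documents and Settings\KLO.IPLS\Local Settings\Temp\plugtmp-154\plugin-gameEnd.xml": 4096,
    r"C:\WINDOWS\system32\ntoskrnl.exe": 2187264,
}

# Constructed sample of what a raw parse of the NTFS MFT reports for the same
# volume. "hidden.sys" is a hypothetical name used only to show the hidden case.
RAW_VIEW: Dict[str, int] = {
    r"C:\hiberfil.sys": 1073741824,
    r"C:\Documents and Settings\KLO.IPLS\Local Settings\Temp\etilqs_eupI3vzDlTUMWIa4LeG0": 0,
    r"C:\WINDOWS\system32\ntoskrnl.exe": 2187264,
    r"C:\WINDOWS\system32\drivers\hidden.sys": 28672,
}


def cross_view(api: Dict[str, Optional[int]], raw: Dict[str, int]) -> List[Finding]:
    """Diff the API view against the raw-disk view and label each discrepancy
    with the same wording RootRepeal uses, plus one label for files the API
    never shows at all."""
    findings: List[Finding] = []
    for path in sorted(set(api) | set(raw)):
        in_api, in_raw = path in api, path in raw
        if in_raw and not in_api:
            # On disk, but filtered out of directory enumeration: the rootkit case.
            findings.append(Finding(path, "Hidden from the Windows API!"))
        elif in_api and not in_raw:
            # Enumerated by the API but no MFT record: stale handle or in-memory only.
            findings.append(Finding(path, "Visible to the Windows API, but not on disk."))
        elif api[path] is None:
            # Both views agree it exists; the API refuses to open it.
            findings.append(Finding(path, "Locked to the Windows API!"))
        elif api[path] != raw[path]:
            findings.append(Finding(
                path, f"Allocation size mismatch (API: {api[path]}, Raw: {raw[path]})"))
        # Identical in both views: nothing to report.
    return findings


# Files a clean XP system always reports as locked (assumption: stock install).
BENIGN_LOCKED = {r"c:\hiberfil.sys", r"c:\pagefile.sys"}


def triage(findings: List[Finding]) -> List[Finding]:
    """Drop the 'Locked' results a clean box produces anyway: the hibernation
    and paging files, and browser-cache entries Internet Explorer holds open.
    Hidden files and size mismatches are always kept for a human to look at."""
    kept: List[Finding] = []
    for f in findings:
        low = f.path.lower()
        routine = low in BENIGN_LOCKED or "\\temporary internet files\\" in low
        if f.status.startswith("Locked") and routine:
            continue
        kept.append(f)
    return kept


if __name__ == "__main__":
    for f in triage(cross_view(API_VIEW, RAW_VIEW)):
        print(f"{f.status:50} {f.path}")
```

Read this way, the locked hiberfil.sys and the locked Internet Explorer cache files in the posted log are routine; the allocation-size mismatch on the temp file and the "visible but not on disk" entry are the kind of result worth a second look, and the "MBR Rootkit Detected!" line, which comes from a separate boot-sector check rather than this file diff, is what the next reply acts on.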

  • Root Admin

Status: MBR Rootkit Detected!

You need to run this and it should fix it. Please use a clean computer to download and burn. Use a friend or work computer if you have to.

Avira AntiVir Rescue System

Requires access to a working computer with a CD/DVD burner to create a bootable CD.

  • Download the Avira AntiVir Rescue System from here
  • Place a blank CD in your burner and double-click on the downloaded file named rescuecd.exe

  • The program will automatically burn the CD for you.

  • Place the burned CD into the affected computer and start the computer from this CD.

  • On the bottom left side of the screen there are 2 flags. Using your mouse click on the British flag to use English.

  • Click on the Configuration button.

    • Select Scan all files
    • Select Try to repair infected files and Rename files, if they cannot be removed
    • Select Scan for dialers
    • Select Scan for joke programs (Jokes)
    • Select Scan for games
    • Select Scan for spyware (SPR)

  • Click on Virus scanner

  • Click on Start scanner at the bottom of the screen

  • Currently the program does not support saving a log. Write down the amount of items for Records, Suspect files, and Warnings

The Avira AntiVir Rescue System is a Linux-based application that allows accessing computers that cannot be booted anymore and is updated several times a day so that the most recent security updates are always available.

Possible solutions to Screen Resolution and other issues

  1. Please see the post here if you're unable to view the entire screen of Avira.
  2. You can also review this one: Fixed Rescue CD Resolution Probs with Dell Video
  3. Currently only the German keyboard is supported (Command Line not working). English keyboards require workarounds.

  4. Some computers attempt to mount the floppy even though they don't have one. You may need to go in to the BIOS and disable the floppy drive in order to mount your hard drive for scanning.


Thanks.

I am wondering if I should still do this in view of recent events on the computer.

I ended up with a screen saying

The system has recovered from a serious error.

ERROR Signature

BCCode:100000dl BCP1:000000000 BCP2:00000002 BCP3:00000000 BCP4:00000000

OSVer:5_1_2600 SO:2_0 Product:256_1

It indicated either a driver issue or a software problem. I checked the drivers with the Dell Driver Reset Tool. The other option they gave was to restore it to a set point. I reset it to the one before the problems began.

Then I rebooted and got the blue screen with IRQL_NOT_LESS_OR_EQUAL with a bunch of codes.

I then rebooted several times and used Spybot to remove Vundo. I then tried the Avira AntiVir without updates. It scanned and found

Avira AntiVir Personal

Report file date: Thursday, May 21, 2009 17:36

Scanning for 1413622 virus strains and unwanted programs.

Licensed to: Avira AntiVir PersonalEdition Classic

Serial number: 0000149996-ADJIE-0001

Platform: Windows XP

Windows version: (Service Pack 2) [5.1.2600]

Boot mode: Normally booted

Username: SYSTEM

Computer name: KO1

Version information:

BUILD.DAT : 8.2.0.348 16934 Bytes 3/23/2009 13:44:00

AVSCAN.EXE : 8.1.4.10 315649 Bytes 11/18/2008 14:21:26

AVSCAN.DLL : 8.1.4.0 40705 Bytes 5/26/2008 13:56:40

LUKE.DLL : 8.1.4.5 164097 Bytes 6/12/2008 18:44:19

LUKERES.DLL : 8.1.4.0 12033 Bytes 5/26/2008 13:58:52

ANTIVIR0.VDF : 7.1.0.0 15603712 Bytes 10/27/2008 16:29:38

ANTIVIR1.VDF : 7.1.2.12 3336192 Bytes 2/11/2009 00:32:40

ANTIVIR2.VDF : 7.1.4.0 2336768 Bytes 5/20/2009 20:43:06

ANTIVIR3.VDF : 7.1.4.3 17920 Bytes 5/21/2009 20:43:07

Engineversion : 8.2.0.168

AEVDF.DLL : 8.1.1.1 106868 Bytes 5/21/2009 20:43:30

AESCRIPT.DLL : 8.1.2.0 389497 Bytes 5/21/2009 20:43:28

AESCN.DLL : 8.1.2.3 127347 Bytes 5/21/2009 20:43:26

AERDL.DLL : 8.1.1.3 438645 Bytes 11/4/2008 19:58:38

AEPACK.DLL : 8.1.3.16 397686 Bytes 5/21/2009 20:43:15

AEOFFICE.DLL : 8.1.0.36 196987 Bytes 2/26/2009 23:48:23

AEHEUR.DLL : 8.1.0.129 1761655 Bytes 5/21/2009 20:43:13

AEHELP.DLL : 8.1.2.2 119158 Bytes 2/26/2009 23:48:20

AEGEN.DLL : 8.1.1.44 348532 Bytes 5/21/2009 20:43:11

AEEMU.DLL : 8.1.0.9 393588 Bytes 10/14/2008 16:05:56

AECORE.DLL : 8.1.6.9 176500 Bytes 5/21/2009 20:43:09

AEBB.DLL : 8.1.0.3 53618 Bytes 10/14/2008 16:05:56

AVWINLL.DLL : 1.0.0.12 15105 Bytes 7/9/2008 14:40:05

AVPREF.DLL : 8.0.2.0 38657 Bytes 5/16/2008 15:28:01

AVREP.DLL : 8.0.0.3 155688 Bytes 5/21/2009 20:43:08

AVREG.DLL : 8.0.0.1 33537 Bytes 5/9/2008 17:26:40

AVARKT.DLL : 1.0.0.23 307457 Bytes 2/12/2008 14:29:23

AVEVTLOG.DLL : 8.0.0.16 119041 Bytes 6/12/2008 18:27:49

SQLITE3.DLL : 3.3.17.1 339968 Bytes 1/22/2008 23:28:02

SMTPLIB.DLL : 1.2.0.23 28929 Bytes 6/12/2008 18:49:40

NETNT.DLL : 8.0.0.1 7937 Bytes 1/25/2008 18:05:10

RCIMAGE.DLL : 8.0.0.51 2371841 Bytes 6/12/2008 19:48:07

RCTEXT.DLL : 8.0.52.0 86273 Bytes 6/27/2008 19:34:37

Configuration settings for the scan:

Jobname..........................: Complete system scan

Configuration file...............: c:\program files\avira\antivir personaledition classic\sysscan.avp

Logging..........................: low

Primary action...................: interactive

Secondary action.................: ignore

Scan master boot sector..........: on

Scan boot sector.................: on

Boot sectors.....................: C:,

Process scan.....................: on

Scan registry....................: on

Search for rootkits..............: off

Scan all files...................: All files

Scan archives....................: on

Recursion depth..................: 20

Smart extensions.................: on

Macro heuristic..................: on

File heuristic...................: medium

Start of the scan: Thursday, May 21, 2009 17:36

The scan of running processes will be started

Scan process 'avscan.exe' - '1' Module(s) have been scanned

Scan process 'avcenter.exe' - '1' Module(s) have been scanned

Scan process 'msmsgs.exe' - '0' Module(s) have been scanned

Scan process 'HelpCtr.exe' - '1' Module(s) have been scanned

Scan process 'HelpCtr.exe' - '1' Module(s) have been scanned

Scan process 'HelpCtr.exe' - '1' Module(s) have been scanned

Scan process 'HelpCtr.exe' - '1' Module(s) have been scanned

Scan process 'USB_ImationFlashDetect.exe' - '1' Module(s) have been scanned

Scan process 'msmsgs.exe' - '1' Module(s) have been scanned

Scan process 'ctfmon.exe' - '1' Module(s) have been scanned

Scan process 'realsched.exe' - '1' Module(s) have been scanned

Scan process 'avgnt.exe' - '1' Module(s) have been scanned

Scan process 'reader_sl.exe' - '1' Module(s) have been scanned

Scan process 'qttask.exe' - '1' Module(s) have been scanned

Scan process 'hpwuSchd2.exe' - '1' Module(s) have been scanned

Scan process 'igfxpers.exe' - '1' Module(s) have been scanned

Scan process 'hkcmd.exe' - '1' Module(s) have been scanned

Scan process 'hpcmpmgr.exe' - '1' Module(s) have been scanned

Scan process 'ccRegVfy.exe' - '1' Module(s) have been scanned

Scan process 'ccApp.exe' - '1' Module(s) have been scanned

Scan process 'smax4pnp.exe' - '1' Module(s) have been scanned

Scan process 'explorer.exe' - '1' Module(s) have been scanned

Scan process 'AluSchedulerSvc.exe' - '1' Module(s) have been scanned

Scan process 'avguard.exe' - '1' Module(s) have been scanned

Scan process 'avwsc.exe' - '1' Module(s) have been scanned

Scan process 'sched.exe' - '1' Module(s) have been scanned

Scan process 'ccEvtMgr.exe' - '1' Module(s) have been scanned

Scan process 'spoolsv.exe' - '1' Module(s) have been scanned

Scan process 'svchost.exe' - '1' Module(s) have been scanned

Scan process 'svchost.exe' - '1' Module(s) have been scanned

Scan process 'svchost.exe' - '1' Module(s) have been scanned

Scan process 'svchost.exe' - '1' Module(s) have been scanned

Scan process 'svchost.exe' - '1' Module(s) have been scanned

Scan process 'svchost.exe' - '1' Module(s) have been scanned

Scan process 'lsass.exe' - '1' Module(s) have been scanned

Scan process 'services.exe' - '1' Module(s) have been scanned

Scan process 'winlogon.exe' - '1' Module(s) have been scanned

Scan process 'csrss.exe' - '1' Module(s) have been scanned

Scan process 'smss.exe' - '1' Module(s) have been scanned

38 processes with 38 modules were scanned

Starting master boot sector scan:

Master boot sector HD0

[INFO] No virus was found!

Start scanning boot sectors:

Boot sector 'C:\'

[INFO] No virus was found!

Starting to scan the registry.

The registry was scanned ( '59' files ).

Starting the file scan:

Begin scan in 'C:\'

C:\hiberfil.sys

[WARNING] The file could not be opened!

C:\pagefile.sys

[WARNING] The file could not be opened!

C:\System Volume Information\_restore{46DE8921-1D39-44D2-A9E9-64119261F211}\RP1244\A0155420.dll

[DETECTION] Is the TR/Agent.bxhx Trojan

[NOTE] The file was deleted!

C:\System Volume Information\_restore{46DE8921-1D39-44D2-A9E9-64119261F211}\RP1244\A0155421.exe

[DETECTION] Is the TR/Dldr.Agent.bxhx Trojan

[NOTE] The file was deleted!

C:\WINDOWS\system32\.cc9b6bee\cc9b6bee.core.dll

[DETECTION] Is the TR/Agent.bxhx Trojan

[NOTE] The file was deleted!

C:\WINDOWS\system32\.cc9b6bee\cc9b6bee.exe

[DETECTION] Is the TR/Dldr.Agent.bxhx Trojan

[NOTE] TR/Dldr.Agent.bxhx:[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\cc9b6bee]

[NOTE] TR/Dldr.Agent.bxhx:[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_cc9b6bee]

[NOTE] The file was deleted!

End of the scan: Thursday, May 21, 2009 19:29

Used time: 1:52:46 Hour(s)

The scan has been done completely.

18174 Scanning directories

833763 Files were scanned

4 viruses and/or unwanted programs were found

0 Files were classified as suspicious:

4 files were deleted

0 files were repaired

0 files were moved to quarantine

0 files were renamed

2 Files cannot be scanned

833757 Files not concerned

14672 Archives were scanned

2 Warnings

4 Notes

After this it was able to update and the scan was run again with no detections.

After rebooting, Malwarebytes worked for scanning. It found

Malwarebytes' Anti-Malware 1.35

Database version: 1923

Windows 5.1.2600 Service Pack 2

5/21/2009 8:33:03 PM

mbam-log-2009-05-21 (20-33-03).txt

Scan type: Quick Scan

Objects scanned: 86418

Time elapsed: 9 minute(s), 22 second(s)

Memory Processes Infected: 0

Memory Modules Infected: 0

Registry Keys Infected: 0

Registry Values Infected: 0

Registry Data Items Infected: 0

Folders Infected: 0

Files Infected: 0

Memory Processes Infected:

(No malicious items detected)

Memory Modules Infected:

(No malicious items detected)

Registry Keys Infected:

(No malicious items detected)

Registry Values Infected:

(No malicious items detected)

Registry Data Items Infected:

(No malicious items detected)

Folders Infected:

(No malicious items detected)

Files Infected:

(No malicious items detected)

After rebooting, Malwarebytes was updated and the scan rerun with one infection found and taken care of. The log is

Malwarebytes' Anti-Malware 1.36

Database version: 2164

Windows 5.1.2600 Service Pack 2

5/21/2009 8:43:03 PM

mbam-log-2009-05-21 (20-43-03).txt

Scan type: Quick Scan

Objects scanned: 100386

Time elapsed: 7 minute(s), 33 second(s)

Memory Processes Infected: 0

Memory Modules Infected: 0

Registry Keys Infected: 0

Registry Values Infected: 0

Registry Data Items Infected: 0

Folders Infected: 0

Files Infected: 1

Memory Processes Infected:

(No malicious items detected)

Memory Modules Infected:

(No malicious items detected)

Registry Keys Infected:

(No malicious items detected)

Registry Values Infected:

(No malicious items detected)

Registry Data Items Infected:

(No malicious items detected)

Folders Infected:

(No malicious items detected)

Files Infected:

C:\WINDOWS\system32\lunegogu.dll (Trojan.Vundo) -> Quarantined and deleted successfully.

I have since updated and rerun all of the scans. No more detections or infections. The computer is working great.

If you think I should still go through the other process, please let me know.

I assume that this was due to a software program that my 8 year old installed without permission to even use the computer. The restore deleted the installed program.

Thanks again!!!


  • Root Admin

Looks pretty good. I'd suggest the following be run.

You may have corrupted files on your disk. Please try running the following.

First close ALL Applications as this routine will automatically restart your computer.

Click on START - RUN and copy / paste the following entry into the box and click OK

CMD /C ECHO Y|CHKDSK C: /F | SHUTDOWN /R /T 30

Then run the following which will help us to see what might still be on the box.

Download DDS and save it to your desktop

Disable any script blocker if your Anti-Virus/Anti-Malware has it.

Once downloaded you can disconnect from the Internet and disable your Anti-Virus temporarily if needed.

Then double click dds.scr to run the tool.

When done, the DDS.txt will open.

Click Yes at the next prompt for Optional Scan.
When done, DDS will open two (2) logs:

  1. DDS.txt
  2. Attach.txt

  • Save both reports to your desktop
  • Please include the following logs in your next reply: DDS.txt and Attach.txt


  • Root Admin

Due to the lack of feedback this Topic is closed to prevent others from posting here. If you need this topic reopened, please send a Private Message to any one of the moderating team members. Please include a link to this thread with your request. This applies only to the originator of this thread.

Other members who need assistance please start your own topic in a new thread. Thanks!

The fixes and advice in this thread are for this machine only. Do not apply the instructions from this thread to your own machine. Please start a new thread describing your issue and someone will be along to assist you.


Thanks!!

I followed your instructions.

The DDS.txt is:

DDS (Ver_09-05-14.01) - NTFSx86

Run by klo at 17:04:20.81 on Wed 05/27/2009

Internet Explorer: 6.0.2900.2180 BrowserJavaVersion: 1.5.0_12

Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.1022.656 [GMT -4:00]

AV: Avira AntiVir PersonalEdition *On-access scanning disabled* (Updated) {AD166499-45F9-482A-A743-FDD3350758C7}

============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch

svchost.exe

C:\WINDOWS\System32\svchost.exe -k netsvcs

C:\WINDOWS\system32\svchost.exe -k WudfServiceGroup

svchost.exe

svchost.exe

C:\WINDOWS\system32\spoolsv.exe

C:\Program Files\Avira\AntiVir PersonalEdition Classic\sched.exe

svchost.exe

C:\Program Files\Avira\AntiVir PersonalEdition Classic\avguard.exe

C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe

C:\PCT-SAFE\Firebird\Bin\fbguard.exe

C:\PCT-SAFE\Firebird\Bin\fbserver.exe

C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE

C:\WINDOWS\system32\svchost.exe -k imgsvc

C:\WINDOWS\system32\wuauclt.exe

C:\WINDOWS\Explorer.EXE

C:\Program Files\Analog Devices\Core\smax4pnp.exe

C:\Program Files\HP\hpcoretech\hpcmpmgr.exe

C:\WINDOWS\system32\igfxpers.exe

C:\Program Files\HP\HP Software Update\HPWuSchd2.exe

C:\Program Files\QuickTime\qttask.exe

C:\WINDOWS\system32\wuauclt.exe

C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe

C:\Program Files\Avira\AntiVir PersonalEdition Classic\avgnt.exe

C:\Program Files\Common Files\Real\Update_OB\realsched.exe

C:\WINDOWS\system32\ctfmon.exe

C:\Documents and Settings\KLO.IPLS\Local Settings\Temp\Imation\USB_ImationFlashDetect.exe

C:\Documents and Settings\KLO.IPLS\Desktop\dds.scr

============== Pseudo HJT Report ===============

uStart Page = hxxp://ixquick.com/eng/

uSearch Page = hxxp://www.google.com

uDefault_Page_URL = hxxp://www.dell4me.com/mywaybiz

uSearch Bar = hxxp://www.google.com/ie

mDefault_Page_URL = hxxp://www.dell4me.com/mywaybiz

mDefault_Search_URL = hxxp://www.google.com/ie

mStart Page = hxxp://www.dell4me.com/mywaybiz

uInternet Connection Wizard,ShellNext = iexplore

uSearchAssistant = hxxp://www.google.com/ie

uSearchURL,(Default) = hxxp://www.google.com/search?q=%s

mSearchAssistant = hxxp://www.google.com/ie

BHO: Adobe PDF Reader Link Helper: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelper.dll

BHO: RealPlayer Download and Record Plugin for Internet Explorer: {3049c3e9-b461-4bc5-8870-4c09146192ca} - c:\program files\real\realplayer\rpbrowserrecordplugin.dll

BHO: Spybot-S&D IE Protection: {53707962-6f74-2d53-2644-206d7942484f} - c:\progra~1\spybot~1\SDHelper.dll

BHO: {68222a89-715b-48df-80ba-f103481aaca5} - No File

BHO: SSVHelper Class: {761497bb-d6f0-462c-b6eb-d4daf1d92d43} - c:\program files\java\jre1.6.0_02\bin\ssv.dll

BHO: {9e166ea2-cab4-49e1-9f57-3054bbc2e9ed} - No File

TB: Yahoo! Toolbar: {ef99bd32-c1fb-11d2-892f-0090271d4f88} -

EB: Adobe PDF: {182ec0be-5110-49c8-a062-beb1d02a220b} - c:\program files\adobe\acrobat 6.0\acrobat\AcroIEFavClient.dll

EB: {4528BBE0-4E08-11D5-AD55-00010333D0AD} - No File

uRun: [Aim6]

uRun: [AIM] c:\program files\aim\aim.exe -cnetwait.odl

uRun: [Regscan] c:\windows\system32\regscan.exe

uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe

uRun: [SpybotSD TeaTimer] c:\program files\spybot - search & destroy - 1-62\TeaTimer.exe

mRun: [SoundMAXPnP] c:\program files\analog devices\core\smax4pnp.exe

mRun: [DXDllRegExe] c:\windows\system32\dxdllreg.exe

mRun: [HP Component Manager] "c:\program files\hp\hpcoretech\hpcmpmgr.exe"

mRun: [igfxtray] c:\windows\system32\igfxtray.exe

mRun: [igfxhkcmd] c:\windows\system32\hkcmd.exe

mRun: [igfxpers] c:\windows\system32\igfxpers.exe

mRun: [HP Software Update] c:\program files\hp\hp software update\HPWuSchd2.exe

mRun: [QuickTime Task] "c:\program files\quicktime\qttask.exe" -atboottime

mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 8.0\reader\Reader_sl.exe"

mRun: [Synchronization Manager] %SystemRoot%\system32\mobsync.exe /logon

mRun: [avgnt] "c:\program files\avira\antivir personaledition classic\avgnt.exe" /min

mRun: [TkBellExe] "c:\program files\common files\real\update_ob\realsched.exe" -osboot

StartupFolder: c:\docume~1\klo~1.ipl\startm~1\programs\startup\imatio~1.lnk - c:\documents and settings\klo.ipls\local settings\temp\imation\USB_ImationFlashDetect.exe

IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office11\EXCEL.EXE/3000

IE: {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - c:\program files\aim\aim.exe

IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~2\office11\REFIEBAR.DLL

IE: {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - {53707962-6F74-2D53-2644-206D7942484F} - c:\progra~1\spybot~1\SDHelper.dll

Trusted Zone: fedex.com\www

Trusted Zone: saas-elearn.org

Trusted Zone: theiplawgroup.com\mail

DPF: {049A470D-F818-4E34-B14D-E4E237DADCF8} - hxxp://www.shockwave.com/content/fashiondash/sis/fashiondashweb.1.0.0.21.cab

DPF: {055B4212-4C81-448E-AFA9-C3CA4AAE8F95} - hxxp://www.shockwave.com/content/dairydash/sis/DairyDashWeb.1.0.0.12.cab

DPF: {106E49CF-797A-11D2-81A2-00E02C015623} - hxxp://www.alternatiff.com/install/00/alttiff.cab

DPF: {195B4BBF-E1E4-4020-9773-0A8C6F65EA35} - hxxp://www.shockwave.com/content/cookingdash/sis/CookingDashWeb.1.0.0.9.cab

DPF: {1A595EDD-978A-48C7-B730-AF3B9CC64DAB} - hxxp://63.251.81.180/component/VZWDLManager.cab

DPF: {233C1507-6A77-46A4-9443-F871F945D258} - hxxp://download.macromedia.com/pub/shockwave/cabs/director/sw.cab

DPF: {2D8ED06D-3C30-438B-96AE-4D110FDC1FB8} - hxxp://acs.pandasoftware.com/activescan/cabs/as2stubie.cab

DPF: {3269A168-A467-4236-9D77-FF36D8DFB20F} - hxxps://bis.na.blackberry.com/html/web/client_tools/RIM-PwpClient.cab

DPF: {3E68E405-C6DE-49FF-83AE-41EE9F4C36CE} - hxxp://office.microsoft.com/officeupdate/content/opuc3.cab

DPF: {49232000-16E4-426C-A231-62846947304B} - hxxp://ipgweb.cce.hp.com/rdqaio/downloads/sysinfo.cab

DPF: {5ED80217-570B-4DA9-BF44-BE107C0EC166} - hxxp://cdn.scan.onecare.live.com/resource/download/scanner/wlscbase6662.cab

DPF: {6715D12F-213F-4C6E-ACE1-8A363F550B96} - hxxp://www.shockwave.com/content/doggiedash/sis/DoggieDash.1.0.0.6.cab

DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} - hxxp://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1128752109638

DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-6-windows-i586.cab

DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} - hxxp://fpdownload.macromedia.com/get/flashplayer/current/ultrashim.cab

DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1}

DPF: {AB86CE53-AC9F-449F-9399-D8ABCA09EC09} - hxxps://h17000.www1.hp.com/ewfrf-JAVA/Secure/HPGetDownloadManager.ocx

DPF: {B516CA4E-A5BA-405C-AFCF-A97F08CC7429} - hxxp://www.shockwave.com/content/burgershop/sis/GoBitGamesPlayer_v5.cab

DPF: {CAFEEFAC-0014-0002-0003-ABCDEFFEDCBA} - hxxp://java.sun.com/products/plugin/autodl/jinstall-142-windows-i586.cab

DPF: {CAFEEFAC-0015-0000-0012-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_12-windows-i586.cab

DPF: {CAFEEFAC-0016-0000-0002-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_02-windows-i586.cab

DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_02-windows-i586.cab

DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://fpdownload.macromedia.com/pub/shockwave/cabs/flash/swflash.cab

DPF: {EB387D2F-E27B-4D36-979E-847D1036C65D} - hxxp://h30043.www3.hp.com/aio/en/check/qdiagh.cab?326

TCP: {ED39E28C-66FE-4B6F-A17A-E54DA18EAECB} = 10.0.1.2,209.183.205.35

Handler: cetihpz - {CF184AD3-CDCB-4168-A3F7-8E447D129300} - c:\program files\hp\hpcoretech\comp\hpuiprot.dll

Notify: awtqo - c:\windows\system32\awtqo.dll

Notify: igfxcui - igfxdev.dll

AppInit_DLLs: wwbkqg.dll neyvcx.dll zvvqos.dll c:\windows\system32\nakukaji.dll c:\windows\system32\nogezote.dll c:\windows\system32\gefuvura.dll c:\windows\system32\nowelafo.dll c:\windows\system32\rijikoyi.dll c:\windows\system32\dudipore.dll c:\windows\system32\tenihisu.dll ,

SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll

LSA: Notification Packages = scecli c:\windows\system32\tenihisu.dll

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\klo~1.ipl\applic~1\mozilla\firefox\profiles\ufvj2z9r.default\

FF - prefs.js: browser.startup.homepage - hxxp://www.ixquick.com/

FF - component: c:\program files\real\realplayer\browserrecord\components\nprpbrowserrecordplugin.dll

FF - plugin: c:\program files\java\jre1.5.0_12\bin\NPJava11.dll

FF - plugin: c:\program files\java\jre1.5.0_12\bin\NPJava12.dll

FF - plugin: c:\program files\java\jre1.5.0_12\bin\NPJava13.dll

FF - plugin: c:\program files\java\jre1.5.0_12\bin\NPJava14.dll

FF - plugin: c:\program files\java\jre1.5.0_12\bin\NPJava32.dll

FF - plugin: c:\program files\java\jre1.5.0_12\bin\NPJPI150_12.dll

FF - plugin: c:\program files\java\jre1.5.0_12\bin\NPOJI610.dll

FF - plugin: c:\program files\unity\webplayer\loader\npUnity3D32.dll

============= SERVICES / DRIVERS ===============

R0 pavboot;pavboot;c:\windows\system32\drivers\pavboot.sys [2009-2-3 28544]

R1 avgio;avgio;c:\program files\avira\antivir personaledition classic\avgio.sys [2009-1-26 11840]

R2 AntiVirScheduler;Avira AntiVir Personal - Free Antivirus Scheduler;c:\program files\avira\antivir personaledition classic\sched.exe [2009-1-26 68865]

R2 AntiVirService;Avira AntiVir Personal - Free Antivirus Guard;c:\program files\avira\antivir personaledition classic\avguard.exe [2009-1-26 151297]

R2 FireBirdGuardian;FireBird Guardian Server;c:\pct-safe\firebird\bin\fbguard.exe -s --> c:\pct-safe\firebird\bin\fbguard.exe -s [?]

R2 FireBirdServer;FireBird Database Server;c:\pct-safe\firebird\bin\fbserver.exe -s -g --> c:\pct-safe\firebird\bin\fbserver.exe -s -g [?]

R2 U3SDR200;U3SDR200;c:\windows\system32\drivers\U3SDR200.SYS [2008-3-16 4224]

R3 avgntflt;avgntflt;c:\program files\avira\antivir personaledition classic\avgntflt.sys [2009-1-26 52032]

S2 cc9b6bee;Microsoft DDE+ server;c:\windows\system32\.cc9b6bee\cc9b6bee.exe --> c:\windows\system32\.cc9b6bee\cc9b6bee.exe [?]

S2 WMSLService;Windows Management Licence Service;c:\windows\inf\svchost.exe --> c:\windows\inf\svchost.exe [?]

S3 brfilt;Brother MFC Filter Driver;c:\windows\system32\drivers\BrFilt.sys [2008-10-2 2944]

S3 BrSerWDM;Brother Serial driver;c:\windows\system32\drivers\BrSerWdm.sys [2008-10-2 60416]

S3 BrUsbMdm;Brother MFC USB Fax Only Modem;c:\windows\system32\drivers\BrUsbMdm.sys [2008-10-2 11008]

S3 BrUsbScn;Brother MFC USB Scanner driver;c:\windows\system32\drivers\BrUsbScn.sys [2008-10-2 10368]

S3 MR97310_VGA_DUAL_CAMERA;MR97310 VGA Dual Mode Camera;c:\windows\system32\drivers\mr97310v.sys [2005-9-23 116078]

=============== Created Last 30 ================

2009-05-23 08:23 <DIR> --d----- c:\windows\system32\KB905474

2009-05-21 16:25 283,648 -------- c:\windows\system32\dllcache\pdh.dll

2009-05-21 16:25 60,416 -------- c:\windows\system32\dllcache\colbact.dll

2009-05-21 16:25 35,328 -------- c:\windows\system32\dllcache\sc.exe

2009-05-21 16:25 453,120 -------- c:\windows\system32\dllcache\wmiprvsd.dll

2009-05-21 16:25 227,840 -------- c:\windows\system32\dllcache\wmiprvse.exe

2009-05-21 16:25 110,592 -------- c:\windows\system32\dllcache\services.exe

2009-05-21 16:24 215,552 -------- c:\windows\system32\dllcache\wordpad.exe

2009-05-20 10:45 <DIR> --d----- c:\program files\common files\Panda Security

2009-05-16 21:04 388,608 a------- c:\windows\system32\cmd.execf

2009-05-16 21:04 <DIR> --d----- C:\32788R22FWJFW(2)

2009-05-16 21:04 <DIR> --d----- C:\Combo-fix.exe

==================== Find3M ====================

2009-04-06 15:32 38,496 a------- c:\windows\system32\drivers\mbamswissarmy.sys

2009-04-06 15:32 15,504 a------- c:\windows\system32\drivers\mbam.sys

2009-03-29 01:41 499,712 a------- c:\windows\system32\msvcp71.dll

2009-03-29 01:41 348,160 a------- c:\windows\system32\msvcr71.dll

2009-03-21 10:18 986,112 a------- c:\windows\system32\dllcache\kernel32.dll

2009-03-06 10:44 283,648 a------- c:\windows\system32\pdh.dll

2009-03-02 19:52 1,495,552 a------- c:\windows\system32\dllcache\shdocvw.dll

2008-07-09 13:35 3,902,784 a------- c:\documents and settings\klo.ipls\gosetup.exe

2006-11-14 21:23 56,912 a------- c:\documents and settings\klo.ipls\g2mdlhlpx.exe

2005-07-13 00:35 151,040 a------- c:\program files\common files\MSVCRT.MSM

2004-12-13 21:17 1,001,472 a------- c:\program files\common files\VFP9RptApps.msm

2004-12-13 21:17 4,595,712 a------- c:\program files\common files\Vfp9Runtime.msm

2009-02-03 04:13 134,379 a--sh--- c:\windows\system32\ehjcrz.dll

0000-00-00 00:00 2,048 a--sh--- c:\windows\system32\fevahiva.dll

2009-01-26 12:13 140,955 a--sh--- c:\windows\system32\jlpsoq.dll

2009-01-26 12:13 140,955 a--sh--- c:\windows\system32\kenayiba.dll

2009-02-02 04:13 135,464 a--sh--- c:\windows\system32\litijihi.dll

2009-01-31 04:12 135,263 a--sh--- c:\windows\system32\mrfohd.dll

2009-01-31 16:12 135,284 a--sh--- c:\windows\system32\mupdvm.dll

2009-02-03 04:13 134,379 a--sh--- c:\windows\system32\nafazoye.dll

2009-02-01 04:13 135,333 a--sh--- c:\windows\system32\nwlics.dll

2005-10-07 16:21 336,972 a--sh--- c:\windows\system32\oqtwa.bak1

2005-10-11 09:39 338,715 a--sh--- c:\windows\system32\oqtwa.bak2

2009-02-02 04:13 135,464 a--sh--- c:\windows\system32\pivtrt.dll

2009-01-30 16:12 2,098 ---sh--- c:\windows\system32\rurobahe.exe

2009-02-02 16:13 133,822 a--sh--- c:\windows\system32\susisawo.dll

2009-02-01 04:13 135,333 a--sh--- c:\windows\system32\togehupe.dll

2009-02-02 16:13 133,822 a--sh--- c:\windows\system32\wbzrnu.dll

2009-02-01 16:13 135,301 a--sh--- c:\windows\system32\wilawape.dll

============= FINISH: 17:05:42.82 ===============

The Attach.txt is:

UNLESS SPECIFICALLY INSTRUCTED, DO NOT POST THIS LOG.

IF REQUESTED, ZIP IT UP & ATTACH IT

DDS (Ver_09-05-14.01)

Microsoft Windows XP Professional

Boot Device: \Device\HarddiskVolume2

Install Date: 7/8/2005 8:52:18 AM

System Uptime: 5/27/2009 4:56:53 PM (1 hours ago)

Motherboard: Dell Computer Corp. | | 0TC666

Processor: Intel® Pentium® 4 CPU 2.80GHz | Microprocessor | 2793/533mhz

==== Disk Partitions =========================

C: is FIXED (NTFS) - 34 GiB total, 2.934 GiB free.

D: is CDROM ()

K: is NetworkDisk (*NT5CSC) - 34 GiB total, 2.934 GiB free.

==== Disabled Device Manager Items =============

==== System Restore Points ===================

RP1220: 2/27/2009 4:04:52 AM - System Checkpoint

RP1221: 2/28/2009 4:33:53 AM - System Checkpoint

RP1222: 3/1/2009 5:33:53 AM - System Checkpoint

RP1223: 3/2/2009 11:26:21 AM - System Checkpoint

RP1224: 3/3/2009 11:46:10 AM - System Checkpoint

RP1225: 3/6/2009 10:49:25 AM - System Checkpoint

RP1226: 3/8/2009 8:52:56 AM - System Checkpoint

RP1227: 3/15/2009 11:42:40 AM - System Checkpoint

RP1228: 3/16/2009 12:25:19 PM - System Checkpoint

RP1229: 3/17/2009 2:12:43 PM - System Checkpoint

RP1230: 3/19/2009 3:53:44 PM - System Checkpoint

RP1231: 3/23/2009 7:41:09 AM - System Checkpoint

RP1232: 3/24/2009 8:16:46 AM - System Checkpoint

RP1233: 3/25/2009 10:31:16 PM - System Checkpoint

RP1234: 3/27/2009 6:50:03 AM - System Checkpoint

RP1235: 3/28/2009 7:20:49 AM - System Checkpoint

RP1236: 3/30/2009 12:22:07 PM - System Checkpoint

RP1237: 3/31/2009 12:22:38 PM - System Checkpoint

RP1238: 2/28/2009 3:25:15 PM - System Checkpoint

RP1239: 2/28/2009 6:45:38 PM - Software Distribution Service 3.0

RP1240: 3/1/2009 3:00:51 AM - Software Distribution Service 3.0

RP1241: 4/1/2009 3:55:56 PM - Software Distribution Service 3.0

RP1242: 4/2/2009 11:49:32 PM - System Checkpoint

RP1243: 4/4/2009 12:47:49 AM - System Checkpoint

RP1244: 4/5/2009 1:08:03 AM - System Checkpoint

RP1245: 5/21/2009 4:32:40 PM - Restore Operation

RP1246: 5/21/2009 4:43:56 PM - Software Distribution Service 3.0

RP1247: 5/22/2009 8:58:54 PM - Removed Norton AntiVirus 2003

RP1248: 5/23/2009 6:59:14 AM - Software Distribution Service 3.0

RP1249: 5/24/2009 7:56:15 AM - System Checkpoint

RP1250: 5/25/2009 8:56:13 AM - System Checkpoint

RP1251: 5/26/2009 5:58:56 AM - Restore Operation

RP1252: 5/27/2009 1:12:41 AM - System Checkpoint

==== Installed Programs ======================

5500

5500_Help

5500Tour

5500Trb

Adobe Acrobat - Reader 6.0.2 Update

Adobe Acrobat 6.0 Professional

Adobe Flash Player 9 ActiveX

Adobe Flash Player ActiveX

Adobe Reader 6.0.1

Adobe Reader 8.1.2

Adobe Shockwave Player 11.5

AIM 6.0

AiO_Scan

AiOSoftware

Amicus Accounting

Amicus Administrator

Amicus Attorney

Ancient Trijong and Maui Wowee

AOL Instant Messenger

ArcSoft Camera Suite

Avira AntiVir Personal - Free Antivirus

BufferChm

CCScore

Compatibility Pack for the 2007 Office system

Copy

CreativeProjects

CreativeProjectsTemplates

Critical Update for Windows Media Player 11 (KB959772)

CueTour

CutePDF Writer 2.7

Dell Driver Reset Tool

Dell System Restore

Destinations

Director

DocProc

DocumentViewer

DVD Decrypter (Remove Only)

eFax Messenger 4.3

ESSCDBK

ESScore

ESSgui

ESShelp

ESSini

ESSPCD

ESSSONIC

ESSTOOLS

ESSvpaht

ESSvpot

FairCom Crystal Driver

Fax

GdiplusUpgrade

GE UltraCam

HLPIndex

HLPRFO

Hotfix for Windows Media Format 11 SDK (KB929399)

Hotfix for Windows Media Player 11 (KB939683)

Hotfix for Windows XP (KB926239)

Hotfix for Windows XP (KB952287)

HP Diagnostic Assistant

HP Image Zone 4.2

HP PSC & OfficeJet 4.2

HP Software Update

hpmdtab

HPODiscovery

HPSystemDiagnostics

HyperCam 2

InstantShare

Intel® Extreme Graphics 2 Driver

Intel® PRO Network Adapters and Drivers

Intel® PROSet for Wired Connections

Internet Explorer Default Page

interneTIFF 7.0-Professional (IE Browser)

J2SE Runtime Environment 5.0 Update 12

Java 2 Runtime Environment, SE v1.4.2_03

Java 6 Update 2

Kodak EasyShare software

KSU

LG USB Drivers

LG USB Modem Drivers

LiveReg (Symantec Corporation)

LiveUpdate 3.0 (Symantec Corporation)

Macromedia Flash Player

Malwarebytes' Anti-Malware

Memories Disc Creator 2.0

Microsoft .NET Framework 1.1

Microsoft .NET Framework 1.1 Hotfix (KB928366)

Microsoft Compression Client Pack 1.0 for Windows XP

Microsoft Office Professional Edition 2003

Microsoft Office Project Professional 2003

Microsoft User-Mode Driver Framework Feature Pack 1.0

Move Networks Media Player for Internet Explorer

Mozilla Firefox (3.0.10)

Mozilla Thunderbird (1.5.0.8)

MSXML 4.0 SP2 (KB927978)

MSXML 4.0 SP2 (KB936181)

MSXML 4.0 SP2 (KB954430)

MSXML 4.0 SP2 Parser and SDK

MSXML 6 Service Pack 2 (KB954459)

Norton WMI Update

Notifier

OTtBPSDK

overland

Panda ActiveScan 2.0

PCDADDIN

PCDHELP

PCT-SAFE Editor 1.0

PCT-SAFE Editor 1.98

PCT-SAFE Editor Conversion Components

PCT-SAFE Online Filing

PhotoGallery

PrintScreen

ProductContext

QFolder

Qualxserve Service Agreement

QuickBooks Pro 2005

QuickProjects

QuickTime

Readme

RealPlayer

Scan

Security Update for CAPICOM (KB931906)

Security Update for Step By Step Interactive Training (KB898458)

Security Update for Step By Step Interactive Training (KB923723)

Security Update for Windows Media Player (KB911564)

Security Update for Windows Media Player (KB952069)

Security Update for Windows Media Player 10 (KB911565)

Security Update for Windows Media Player 10 (KB917734)

Security Update for Windows Media Player 11 (KB936782)

Security Update for Windows Media Player 11 (KB954154)

Security Update for Windows Media Player 6.4 (KB925398)

Security Update for Windows XP (KB883939)

Security Update for Windows XP (KB890046)

Security Update for Windows XP (KB893066)

Security Update for Windows XP (KB893756)

Security Update for Windows XP (KB896358)

Security Update for Windows XP (KB896422)

Security Update for Windows XP (KB896423)

Security Update for Windows XP (KB896424)

Security Update for Windows XP (KB896428)

Security Update for Windows XP (KB896688)

Security Update for Windows XP (KB899587)

Security Update for Windows XP (KB899588)

Security Update for Windows XP (KB899589)

Security Update for Windows XP (KB899591)

Security Update for Windows XP (KB900725)

Security Update for Windows XP (KB901017)

Security Update for Windows XP (KB901214)

Security Update for Windows XP (KB902400)

Security Update for Windows XP (KB903235)

Security Update for Windows XP (KB904706)

Security Update for Windows XP (KB905414)

Security Update for Windows XP (KB905749)

Security Update for Windows XP (KB905915)

Security Update for Windows XP (KB908519)

Security Update for Windows XP (KB908531)

Security Update for Windows XP (KB911280)

Security Update for Windows XP (KB911562)

Security Update for Windows XP (KB911567)

Security Update for Windows XP (KB911927)

Security Update for Windows XP (KB912812)

Security Update for Windows XP (KB912919)

Security Update for Windows XP (KB913446)

Security Update for Windows XP (KB913580)

Security Update for Windows XP (KB914388)

Security Update for Windows XP (KB914389)

Security Update for Windows XP (KB916281)

Security Update for Windows XP (KB917159)

Security Update for Windows XP (KB917344)

Security Update for Windows XP (KB917422)

Security Update for Windows XP (KB917953)

Security Update for Windows XP (KB918118)

Security Update for Windows XP (KB918439)

Security Update for Windows XP (KB918899)

Security Update for Windows XP (KB919007)

Security Update for Windows XP (KB920213)

Security Update for Windows XP (KB920214)

Security Update for Windows XP (KB920670)

Security Update for Windows XP (KB920683)

Security Update for Windows XP (KB920685)

Security Update for Windows XP (KB921398)

Security Update for Windows XP (KB921503)

Security Update for Windows XP (KB921883)

Security Update for Windows XP (KB922616)

Security Update for Windows XP (KB922760)

Security Update for Windows XP (KB922819)

Security Update for Windows XP (KB923191)

Security Update for Windows XP (KB923414)

Security Update for Windows XP (KB923561)

Security Update for Windows XP (KB923689)

Security Update for Windows XP (KB923694)

Security Update for Windows XP (KB923980)

Security Update for Windows XP (KB924191)

Security Update for Windows XP (KB924270)

Security Update for Windows XP (KB924496)

Security Update for Windows XP (KB924667)

Security Update for Windows XP (KB925454)

Security Update for Windows XP (KB925486)

Security Update for Windows XP (KB925902)

Security Update for Windows XP (KB926255)

Security Update for Windows XP (KB926436)

Security Update for Windows XP (KB927779)

Security Update for Windows XP (KB927802)

Security Update for Windows XP (KB928090)

Security Update for Windows XP (KB928255)

Security Update for Windows XP (KB928843)

Security Update for Windows XP (KB929123)

Security Update for Windows XP (KB929969)

Security Update for Windows XP (KB930178)

Security Update for Windows XP (KB931261)

Security Update for Windows XP (KB931768)

Security Update for Windows XP (KB931784)

Security Update for Windows XP (KB932168)

Security Update for Windows XP (KB933566)

Security Update for Windows XP (KB933729)

Security Update for Windows XP (KB935839)

Security Update for Windows XP (KB935840)

Security Update for Windows XP (KB936021)

Security Update for Windows XP (KB937143)

Security Update for Windows XP (KB937894)

Security Update for Windows XP (KB938127)

Security Update for Windows XP (KB938464)

Security Update for Windows XP (KB938829)

Security Update for Windows XP (KB939653)

Security Update for Windows XP (KB941202)

Security Update for Windows XP (KB941568)

Security Update for Windows XP (KB941569)

Security Update for Windows XP (KB941644)

Security Update for Windows XP (KB941693)

Security Update for Windows XP (KB942615)

Security Update for Windows XP (KB943055)

Security Update for Windows XP (KB943460)

Security Update for Windows XP (KB943485)

Security Update for Windows XP (KB944338)

Security Update for Windows XP (KB944533)

Security Update for Windows XP (KB944653)

Security Update for Windows XP (KB945553)

Security Update for Windows XP (KB946026)

Security Update for Windows XP (KB946648)

Security Update for Windows XP (KB947864)

Security Update for Windows XP (KB948590)

Security Update for Windows XP (KB948881)

Security Update for Windows XP (KB950749)

Security Update for Windows XP (KB950759)

Security Update for Windows XP (KB950760)

Security Update for Windows XP (KB950762)

Security Update for Windows XP (KB950974)

Security Update for Windows XP (KB951066)

Security Update for Windows XP (KB951376-v2)

Security Update for Windows XP (KB951376)

Security Update for Windows XP (KB951698)

Security Update for Windows XP (KB951748)

Security Update for Windows XP (KB952004)

Security Update for Windows XP (KB952954)

Security Update for Windows XP (KB953838)

Security Update for Windows XP (KB953839)

Security Update for Windows XP (KB954211)

Security Update for Windows XP (KB954600)

Security Update for Windows XP (KB955069)

Security Update for Windows XP (KB956390)

Security Update for Windows XP (KB956391)

Security Update for Windows XP (KB956572)

Security Update for Windows XP (KB956802)

Security Update for Windows XP (KB956803)

Security Update for Windows XP (KB956841)

Security Update for Windows XP (KB957095)

Security Update for Windows XP (KB957097)

Security Update for Windows XP (KB958215)

Security Update for Windows XP (KB958644)

Security Update for Windows XP (KB958687)

Security Update for Windows XP (KB958690)

Security Update for Windows XP (KB959426)

Security Update for Windows XP (KB960225)

Security Update for Windows XP (KB960714)

Security Update for Windows XP (KB960715)

Security Update for Windows XP (KB960803)

Security Update for Windows XP (KB961373)

Security Update for Windows XP (KB963027)

SFR

SHASTA

SKIN0001

SkinsHP1

SkinsHP2

SKINXSDK

Spybot - Search & Destroy

Spybot - Search & Destroy 1.4

TrayApp

Unity Web Player

Unload

Update for Windows XP (KB894391)

Update for Windows XP (KB896727)

Update for Windows XP (KB898461)

Update for Windows XP (KB900485)

Update for Windows XP (KB910437)

Update for Windows XP (KB916595)

Update for Windows XP (KB920872)

Update for Windows XP (KB922582)

Update for Windows XP (KB927891)

Update for Windows XP (KB929338)

Update for Windows XP (KB930916)

Update for Windows XP (KB931836)

Update for Windows XP (KB933360)

Update for Windows XP (KB936357)

Update for Windows XP (KB938828)

Update for Windows XP (KB942763)

Update for Windows XP (KB942840)

Update for Windows XP (KB946627)

Update for Windows XP (KB951072-v2)

Update for Windows XP (KB955839)

Update for Windows XP (KB967715)

VistaPrint Electronic Business Card

VPRINTOL

WebFldrs XP

WebReg

Windows Imaging Component

Windows Installer 3.1 (KB893803)

Windows Live OneCare safety scanner

Windows Media Format 11 runtime

Windows Media Player 10

Windows Media Player 11

Windows XP Hotfix - KB873333

Windows XP Hotfix - KB873339

Windows XP Hotfix - KB885250

Windows XP Hotfix - KB885835

Windows XP Hotfix - KB885836

Windows XP Hotfix - KB886185

Windows XP Hotfix - KB887472

Windows XP Hotfix - KB887742

Windows XP Hotfix - KB888113

Windows XP Hotfix - KB888302

Windows XP Hotfix - KB888310

Windows XP Hotfix - KB890175

Windows XP Hotfix - KB890859

Windows XP Hotfix - KB890923

Windows XP Hotfix - KB891781

Windows XP Hotfix - KB893086

WinZip

WIRELESS

WordPerfect Office 12

==== Event Viewer Messages From Past Week ========

5/23/2009 8:23:21 AM, error: Windows Update Agent [20] - Installation Failure: Windows failed to install the following update with error 0x80070652: Security Update for Microsoft PowerPoint 2003 (KB957784).

5/22/2009 6:18:19 AM, error: Service Control Manager [7034] - The Automatic LiveUpdate Scheduler service terminated unexpectedly. It has done this 1 time(s).

5/21/2009 8:46:16 PM, error: Service Control Manager [7026] - The following boot-start or system-start driver(s) failed to load: IntelIde

5/21/2009 4:19:00 PM, error: Service Control Manager [7026] - The following boot-start or system-start driver(s) failed to load: pavboot

5/21/2009 4:19:00 PM, error: Service Control Manager [7000] - The Windows Management Licence Service service failed to start due to the following error: The system cannot find the file specified.

5/21/2009 4:18:47 PM, error: System Error [1003] - Error code 100000d1, parameter1 00000000, parameter2 00000002, parameter3 00000000, parameter4 00000000.

5/21/2009 3:08:05 PM, error: NETLOGON [5719] - No Domain Controller is available for domain IPLS due to the following: There are currently no logon servers available to service the logon request. . Make sure that the computer is connected to the network and try again. If the problem persists, please contact your domain administrator.

==== End Of File ===========================

Do you see anything amiss or was the problem fixed with the system restore?

Thank you for all your help in this matter!! It is greatly appreciated!!


  • Root Admin

Yes, it shows you're still infected. Please run the following. I will check back on you some time tomorrow.

Please visit this webpage for instructions for downloading ComboFix to your DESKTOP: how-to-use-combofix

Please ensure you read this guide carefully and install the Recovery Console first.

NOTE!!: You must save and run ComboFix.exe on your DESKTOP and not from any other folder.

Also, DO NOT click the mouse or launch any other applications while this is running or it may stall the program.

Additional links to download the tool:

Note: The Windows Recovery Console will allow you to boot up into a special recovery (repair) mode. This allows us to more easily help you should your computer have a problem after an attempted removal of malware. It is a simple procedure that will only take a few moments of your time.

Once installed, you should see a blue screen prompt that says:

The Recovery Console was successfully installed.

Please continue as follows:
  • Close/disable all antivirus and anti-malware programs so they do not interfere with the running of ComboFix.
  • Click Yes to allow ComboFix to continue scanning for malware.
  • When the tool is finished, it will produce a report for you.
  • Please post the C:\ComboFix.txt along with a new HijackThis log so we may continue cleaning the system.


Thank you so much.

I followed the instructions.

The ComboFix.txt is:

ComboFix 09-05-26.05 - klo 05/28/2009 14:29.1 - NTFSx86

Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.1022.664 [GMT -4:00]

Running from: c:\documents and settings\KLO.IPLS\Desktop\ComboFix.exe

AV: Avira AntiVir PersonalEdition *On-access scanning disabled* (Updated) {AD166499-45F9-482A-A743-FDD3350758C7}

.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))

.

c:\windows\IE4 Error Log.txt

c:\windows\system32\abivereg.ini

c:\windows\system32\afehagor.ini

c:\windows\system32\agorenuf.ini

c:\windows\system32\aguguwip.ini

c:\windows\system32\ahobiyoz.ini

c:\windows\system32\amiwutew.ini

c:\windows\system32\bszip.dll

c:\windows\system32\egimanub.ini

c:\windows\system32\ehiledik.ini

c:\windows\system32\ehjcrz.dll

c:\windows\system32\ehuginiz.ini

c:\windows\system32\ehulowod.ini

c:\windows\system32\enekuhen.ini

c:\windows\system32\eperenud.ini

c:\windows\system32\eregozop.ini

c:\windows\system32\etokiwer.ini

c:\windows\system32\ewenomaw.ini

c:\windows\system32\eyahavil.ini

c:\windows\system32\fevahiva.dll

c:\windows\system32\idewatup.ini

c:\windows\system32\ihihepuv.ini

c:\windows\system32\ijarelej.ini

c:\windows\system32\ikosanor.ini

c:\windows\system32\itiwokar.ini

c:\windows\system32\itubuzeh.ini

c:\windows\system32\jgamxv.dll

c:\windows\system32\jlpsoq.dll

c:\windows\system32\kenayiba.dll

c:\windows\system32\litijihi.dll

c:\windows\system32\mrfohd.dll

c:\windows\system32\mupdvm.dll

c:\windows\system32\nafazoye.dll

c:\windows\system32\nwlics.dll

c:\windows\system32\odojivoh.ini

c:\windows\system32\okelefeb.ini

c:\windows\system32\okijilev.ini

c:\windows\system32\open.ico

c:\windows\system32\oqtwa.bak1

c:\windows\system32\oqtwa.bak2

c:\windows\system32\oqtwa.ini

c:\windows\system32\ovojabet.ini

c:\windows\system32\pivtrt.dll

c:\windows\system32\susisawo.dll

c:\windows\system32\togehupe.dll

c:\windows\system32\utofopor.ini

c:\windows\system32\wbzrnu.dll

c:\windows\system32\wilawape.dll

.

((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))

.

-------\Legacy_PASSWORD

((((((((((((((((((((((((( Files Created from 2009-04-28 to 2009-05-28 )))))))))))))))))))))))))))))))

.

2009-05-23 12:23 . 2009-03-11 02:18 453512 ----a-w c:\windows\system32\KB905474\wgasetup.exe

2009-05-23 12:23 . 2009-05-26 05:05 -------- d-----w c:\windows\system32\KB905474

2009-05-23 12:23 . 2009-03-11 02:26 1403264 ----a-w c:\windows\system32\KB905474\wganotifypackageinner.exe

2009-05-21 20:25 . 2009-03-06 14:44 283648 ------w c:\windows\system32\dllcache\pdh.dll

2009-05-21 20:25 . 2009-02-06 16:54 35328 ------w c:\windows\system32\dllcache\sc.exe

2009-05-21 20:25 . 2005-07-26 04:39 60416 ------w c:\windows\system32\dllcache\colbact.dll

2009-05-21 20:25 . 2009-02-09 10:20 453120 ------w c:\windows\system32\dllcache\wmiprvsd.dll

2009-05-21 20:25 . 2009-02-06 17:14 110592 ------w c:\windows\system32\dllcache\services.exe

2009-05-21 20:25 . 2009-02-06 16:39 227840 ------w c:\windows\system32\dllcache\wmiprvse.exe

2009-05-21 20:24 . 2008-04-21 10:02 215552 ------w c:\windows\system32\dllcache\wordpad.exe

2009-05-20 14:45 . 2009-05-20 14:45 -------- d-----w c:\program files\Common Files\Panda Security

2009-05-17 01:04 . 2009-05-21 20:33 -------- d-----w C:\32788R22FWJFW(2)

2009-05-17 01:04 . 2009-05-21 20:33 -------- d-----w C:\Combo-fix.exe

.

(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

.

2009-05-27 22:08 . 2009-01-26 15:25 75096 ----a-w c:\windows\system32\drivers\avipbb.sys

2009-05-26 05:06 . 2005-07-01 13:42 -------- d-----w c:\program files\Common Files\Symantec Shared

2009-05-26 05:05 . 2005-07-01 13:43 -------- d-----w c:\program files\Symantec

2009-05-23 00:59 . 2005-07-01 13:42 -------- d-----w c:\documents and settings\All Users\Application Data\Symantec

2009-05-22 00:33 . 2009-02-03 19:01 -------- d-----w c:\program files\Malwarebytes' Anti-Malware

2009-05-22 00:33 . 2009-03-29 01:20 2967799 ----a-w c:\documents and settings\All Users\Application Data\Malwarebytes\Malwarebytes' Anti-Malware\mbam-setup.exe

2009-05-21 20:35 . 2009-02-28 20:55 -------- d-----w c:\program files\Spybot - Search & Destroy - 1-62

2009-05-09 18:03 . 2008-01-20 19:27 -------- d-----w c:\program files\Pony Luv

2009-04-21 01:15 . 2005-07-01 13:36 -------- d--h--w c:\program files\InstallShield Installation Information

2009-04-06 19:32 . 2009-02-03 19:01 38496 ----a-w c:\windows\system32\drivers\mbamswissarmy.sys

2009-04-06 19:32 . 2009-02-03 19:02 15504 ----a-w c:\windows\system32\drivers\mbam.sys

2009-04-06 12:51 . 2006-10-11 14:38 -------- d-----w c:\program files\Spybot - Search & Destroy

2009-04-05 00:09 . 2009-04-05 00:09 373114 ----a-w c:\documents and settings\All Users\Application Data\Avira\AntiVir PersonalEdition Classic\TEMP\AVUPDATE_49d7f697\ave2\aescript.dll

2009-04-05 00:09 . 2009-04-05 00:09 397687 ----a-w c:\documents and settings\All Users\Application Data\Avira\AntiVir PersonalEdition Classic\TEMP\AVUPDATE_49d7f697\ave2\aepack.dll

2009-04-05 00:09 . 2009-04-05 00:09 127348 ----a-w c:\documents and settings\All Users\Application Data\Avira\AntiVir PersonalEdition Classic\TEMP\AVUPDATE_49d7f697\ave2\aescn.dll

2009-04-05 00:09 . 2009-04-05 00:09 1700214 ----a-w c:\documents and settings\All Users\Application Data\Avira\AntiVir PersonalEdition Classic\TEMP\AVUPDATE_49d7f697\ave2\aeheur.dll

2009-04-05 00:09 . 2009-04-05 00:09 340340 ----a-w c:\documents and settings\All Users\Application Data\Avira\AntiVir PersonalEdition Classic\TEMP\AVUPDATE_49d7f697\ave2\aegen.dll

2009-04-05 00:09 . 2009-04-05 00:09 176502 ----a-w c:\documents and settings\All Users\Application Data\Avira\AntiVir PersonalEdition Classic\TEMP\AVUPDATE_49d7f697\ave2\aecore.dll

2009-03-29 05:41 . 2006-07-11 22:35 348160 ----a-w c:\windows\system32\msvcr71.dll

2009-03-29 05:41 . 2003-03-19 01:14 499712 ----a-w c:\windows\system32\msvcp71.dll

2009-03-06 14:44 . 2004-08-11 22:00 283648 ----a-w c:\windows\system32\pdh.dll

2005-07-13 04:35 . 2005-07-13 04:35 151040 ----a-w c:\program files\Common Files\MSVCRT.MSM

2004-12-14 01:17 . 2004-12-14 01:17 1001472 ----a-w c:\program files\Common Files\VFP9RptApps.msm

2004-12-14 01:17 . 2004-12-14 01:17 4595712 ----a-w c:\program files\Common Files\Vfp9Runtime.msm

2009-01-30 20:12 . 2009-01-30 20:12 2098 --sh--w c:\windows\system32\rurobahe.exe

.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))

.

.

*Note* empty entries & legit default entries are not shown

REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2004-08-04 15360]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"SoundMAXPnP"="c:\program files\Analog Devices\Core\smax4pnp.exe" [2004-10-15 1404928]

"HP Component Manager"="c:\program files\HP\hpcoretech\hpcmpmgr.exe" [2005-01-12 241664]

"igfxtray"="c:\windows\system32\igfxtray.exe" [2005-09-20 94208]

"igfxhkcmd"="c:\windows\system32\hkcmd.exe" [2005-09-20 77824]

"igfxpers"="c:\windows\system32\igfxpers.exe" [2005-09-20 114688]

"HP Software Update"="c:\program files\HP\HP Software Update\HPWuSchd2.exe" [2005-02-17 49152]

"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2006-09-01 282624]

"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2008-01-12 39792]

"Synchronization Manager"="c:\windows\system32\mobsync.exe" [2004-08-04 143360]

"avgnt"="c:\program files\Avira\AntiVir PersonalEdition Classic\avgnt.exe" [2008-06-12 266497]

"TkBellExe"="c:\program files\Common Files\Real\Update_OB\realsched.exe" [2009-03-29 198160]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\cc9b6bee]

@="Service"

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run-]

"AIM"=c:\program files\AIM\aim.exe -cnetwait.odl

"Aim6"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]

"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]

"%windir%\\system32\\sessmgr.exe"=

"c:\\Program Files\\HP\\HP Software Update\\HPWUCli.exe"=

"c:\\Program Files\\Common Files\\AOL\\Loader\\aolload.exe"=

"c:\\Program Files\\AIM\\aim.exe"=

"c:\\Program Files\\Kodak\\Kodak EasyShare software\\bin\\EasyShare.exe"=

"c:\\WINDOWS\\system32\\igfxpers.exe"=

"c:\\WINDOWS\\system32\\WISPTIS.EXE"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]

"3389:TCP"= 3389:TCP:@xpsp2res.dll,-22009

"18499:TCP"= 18499:TCP:PORT_18499

"51066:TCP"= 51066:TCP:PORT_51066

"34892:TCP"= 34892:TCP:PORT_34892

"14363:TCP"= 14363:TCP:PORT_14363

"35711:TCP"= 35711:TCP:PORT_35711

R0 pavboot;pavboot;c:\windows\system32\drivers\pavboot.sys [2/3/2009 9:39 AM 28544]

R2 FireBirdGuardian;FireBird Guardian Server;c:\pct-safe\Firebird\Bin\fbguard.exe -s --> c:\pct-safe\Firebird\Bin\fbguard.exe -s [?]

R2 FireBirdServer;FireBird Database Server;c:\pct-safe\Firebird\Bin\fbserver.exe -s -g --> c:\pct-safe\Firebird\Bin\fbserver.exe -s -g [?]

R2 U3SDR200;U3SDR200;c:\windows\system32\drivers\U3SDR200.SYS [3/16/2008 9:27 PM 4224]

S2 cc9b6bee;Microsoft DDE+ server;c:\windows\system32\.cc9b6bee\cc9b6bee.exe --> c:\windows\system32\.cc9b6bee\cc9b6bee.exe [?]

S2 WMSLService;Windows Management Licence Service;c:\windows\inf\svchost.exe --> c:\windows\inf\svchost.exe [?]

S3 brfilt;Brother MFC Filter Driver;c:\windows\system32\drivers\BrFilt.sys [10/2/2008 10:06 AM 2944]

S3 BrSerWDM;Brother Serial driver;c:\windows\system32\drivers\BrSerWdm.sys [10/2/2008 10:06 AM 60416]

S3 BrUsbMdm;Brother MFC USB Fax Only Modem;c:\windows\system32\drivers\BrUsbMdm.sys [10/2/2008 10:06 AM 11008]

S3 BrUsbScn;Brother MFC USB Scanner driver;c:\windows\system32\drivers\BrUsbScn.sys [10/2/2008 10:05 AM 10368]

S3 MR97310_VGA_DUAL_CAMERA;MR97310 VGA Dual Mode Camera;c:\windows\system32\drivers\mr97310v.sys [9/23/2005 5:40 PM 116078]

.

Contents of the 'Scheduled Tasks' folder

2009-05-28 c:\windows\Tasks\WGASetup.job

- c:\windows\system32\KB905474\wgasetup.exe [2009-05-23 02:18]

.

- - - - ORPHANS REMOVED - - - -

BHO-{68222a89-715b-48df-80ba-f103481aaca5} - (no file)

BHO-{9e166ea2-cab4-49e1-9f57-3054bbc2e9ed} - (no file)

HKLM-Run-DXDllRegExe - c:\windows\system32\dxdllreg.exe

Notify-awtqo - c:\windows\system32\awtqo.dll

Notify-WgaLogon - (no file)

SafeBoot-procexp90.Sys

.

------- Supplementary Scan -------

.

uStart Page = hxxp://ixquick.com/eng/

mStart Page = hxxp://www.dell4me.com/mywaybiz

uInternet Connection Wizard,ShellNext = iexplore

uSearchURL,(Default) = hxxp://www.google.com/search?q=%s

IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\OFFICE11\EXCEL.EXE/3000

Trusted Zone: fedex.com\www

Trusted Zone: saas-elearn.org

Trusted Zone: theiplawgroup.com\mail

TCP: {ED39E28C-66FE-4B6F-A17A-E54DA18EAECB} = 10.0.1.2,209.183.205.35

DPF: {049A470D-F818-4E34-B14D-E4E237DADCF8} - hxxp://www.shockwave.com/content/fashiondash/sis/fashiondashweb.1.0.0.21.cab

DPF: {055B4212-4C81-448E-AFA9-C3CA4AAE8F95} - hxxp://www.shockwave.com/content/dairydash/sis/DairyDashWeb.1.0.0.12.cab

DPF: {195B4BBF-E1E4-4020-9773-0A8C6F65EA35} - hxxp://www.shockwave.com/content/cookingdash/sis/CookingDashWeb.1.0.0.9.cab

DPF: {1A595EDD-978A-48C7-B730-AF3B9CC64DAB} - hxxp://63.251.81.180/component/VZWDLManager.cab

DPF: {3269A168-A467-4236-9D77-FF36D8DFB20F} - hxxps://bis.na.blackberry.com/html/web/client_tools/RIM-PwpClient.cab

DPF: {6715D12F-213F-4C6E-ACE1-8A363F550B96} - hxxp://www.shockwave.com/content/doggiedash/sis/DoggieDash.1.0.0.6.cab

DPF: {B516CA4E-A5BA-405C-AFCF-A97F08CC7429} - hxxp://www.shockwave.com/content/burgershop/sis/GoBitGamesPlayer_v5.cab

FF - ProfilePath - c:\documents and settings\KLO.IPLS\Application Data\Mozilla\Firefox\Profiles\ufvj2z9r.default\

FF - prefs.js: browser.startup.homepage - hxxp://www.ixquick.com/

FF - component: c:\program files\Real\RealPlayer\browserrecord\components\nprpbrowserrecordplugin.dll

FF - plugin: c:\program files\Java\jre1.5.0_12\bin\NPJava11.dll

FF - plugin: c:\program files\Java\jre1.5.0_12\bin\NPJava12.dll

FF - plugin: c:\program files\Java\jre1.5.0_12\bin\NPJava13.dll

FF - plugin: c:\program files\Java\jre1.5.0_12\bin\NPJava14.dll

FF - plugin: c:\program files\Java\jre1.5.0_12\bin\NPJava32.dll

FF - plugin: c:\program files\Java\jre1.5.0_12\bin\NPJPI150_12.dll

FF - plugin: c:\program files\Java\jre1.5.0_12\bin\NPOJI610.dll

FF - plugin: c:\program files\Unity\WebPlayer\loader\npUnity3D32.dll

.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://*.saas-elearn.org

O15 - Trusted Zone: mail.theiplawgroup.com

O16 - DPF: {049A470D-F818-4E34-B14D-E4E237DADCF8} (CPlayFirstFashionDasControl Object) - http://www.shockwave.com/content/fashionda...eb.1.0.0.21.cab

O16 - DPF: {055B4212-4C81-448E-AFA9-C3CA4AAE8F95} (CPlayFirstDairyDashWControl Object) - http://www.shockwave.com/content/dairydash...eb.1.0.0.12.cab

O16 - DPF: {106E49CF-797A-11D2-81A2-00E02C015623} (AlternaTIFF ActiveX) - http://www.alternatiff.com/install/00/alttiff.cab

O16 - DPF: {195B4BBF-E1E4-4020-9773-0A8C6F65EA35} (CPlayFirstCookingDasControl Object) - http://www.shockwave.com/content/cookingda...Web.1.0.0.9.cab

O16 - DPF: {1A595EDD-978A-48C7-B730-AF3B9CC64DAB} (DLManager Class) - http://63.251.81.180/component/VZWDLManager.cab

O16 - DPF: {2D8ED06D-3C30-438B-96AE-4D110FDC1FB8} (ActiveScan 2.0 Installer Class) - http://acs.pandasoftware.com/activescan/cabs/as2stubie.cab

O16 - DPF: {3269A168-A467-4236-9D77-FF36D8DFB20F} - https://bis.na.blackberry.com/html/web/clie...M-PwpClient.cab

O16 - DPF: {49232000-16E4-426C-A231-62846947304B} (SysData Class) - http://ipgweb.cce.hp.com/rdqaio/downloads/sysinfo.cab

O16 - DPF: {5ED80217-570B-4DA9-BF44-BE107C0EC166} (Windows Live Safety Center Base Module) - http://cdn.scan.onecare.live.com/resource/...lscbase6662.cab

O16 - DPF: {6715D12F-213F-4C6E-ACE1-8A363F550B96} (CPlayFirstDoggieDashControl Object) - http://www.shockwave.com/content/doggiedas...ash.1.0.0.6.cab

O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdat...b?1128752109638

O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} -

O16 - DPF: {AB86CE53-AC9F-449F-9399-D8ABCA09EC09} (Get_ActiveX Control) - https://h17000.www1.hp.com/ewfrf-JAVA/Secur...loadManager.ocx

O16 - DPF: {B516CA4E-A5BA-405C-AFCF-A97F08CC7429} (GoBit Games Player) - http://www.shockwave.com/content/burgersho...esPlayer_v5.cab

O16 - DPF: {EB387D2F-E27B-4D36-979E-847D1036C65D} (QDiagHUpdateObj Class) - http://h30043.www3.hp.com/aio/en/check/qdiagh.cab?326

O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = iplawspecialists.com

O17 - HKLM\Software\..\Telephony: DomainName = iplawspecialists.com

O17 - HKLM\System\CCS\Services\Tcpip\..\{ED39E28C-66FE-4B6F-A17A-E54DA18EAECB}: NameServer = 10.0.1.2,209.183.205.35

O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = iplawspecialists.com

O17 - HKLM\System\CS2\Services\Tcpip\Parameters: Domain = iplawspecialists.com

O17 - HKLM\System\CS3\Services\Tcpip\Parameters: Domain = iplawspecialists.com

O23 - Service: Avira AntiVir Personal - Free Antivirus Scheduler (AntiVirScheduler) - Avira GmbH - C:\Program Files\Avira\AntiVir PersonalEdition Classic\sched.exe

O23 - Service: Avira AntiVir Personal - Free Antivirus Guard (AntiVirService) - Avira GmbH - C:\Program Files\Avira\AntiVir PersonalEdition Classic\avguard.exe

O23 - Service: Automatic LiveUpdate Scheduler - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe

O23 - Service: Microsoft DDE+ server (cc9b6bee) - Unknown owner - C:\WINDOWS\system32\.cc9b6bee\cc9b6bee.exe (file missing)

O23 - Service: FireBird Guardian Server (FireBirdGuardian) - The Firebird Project - C:\PCT-SAFE\Firebird\Bin\fbguard.exe

O23 - Service: FireBird Database Server (FireBirdServer) - The Firebird Project - C:\PCT-SAFE\Firebird\Bin\fbserver.exe

O23 - Service: Kodak Camera Connection Software (KodakCCS) - Unknown owner - C:\WINDOWS\system32\drivers\KodakCCS.exe (file missing)

O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE

O23 - Service: Intel NCS NetService (NetSvc) - Intel® Corporation - C:\Program Files\Intel\PROSetWired\NCS\Sync\NetSvc.exe

O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe

O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe

O23 - Service: Windows Management Licence Service (WMSLService) - Unknown owner - C:\WINDOWS\inf\svchost.exe (file missing)

--

End of file - 8654 bytes


  • Root Admin

STEP 01

Download but do not yet run ComboFix

If you have a previous version of Combofix.exe, delete it and download a fresh copy.

Download it to your DESKTOP - it MUST run from the Desktop

download.bleepingcomputer.com/sUBs/ComboFix.exe

subs.geekstogo.com/ComboFix.exe

Using your mouse, Highlight and then Right-click | Copy the entire contents of the Code box below, including blank lines

KILLALL::

AtJob::

Driver::
cc9b6bee
WMSLService

File::
c:\windows\system32\.cc9b6bee\cc9b6bee.exe
c:\windows\inf\svchost.exe

Registry::
[-HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\cc9b6bee]
[-HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run-]

Open a new Notepad session (Do not use a Word Processor or WordPad). Click "Format" and be certain that Word Wrap is not enabled. Right-click | Paste the Code box contents from above into Notepad. Click File, Save as..., set the location to your Desktop, and enter (including quotation marks) as the filename: "CFscript.txt".

Using your mouse, drag the new file CFscript.txt and drop it on the Combo-Fix.exe icon as shown:

CFScript.gif

  • Important: Have no other programs running. Your Task Bar should be clear of any program entries including your Browser.
  • Disconnect from the Internet.
  • Disable your Antivirus software. If it has Script Blocking features, please disable these as well.
  • A window may open with a series of Disclaimers. Accept the Disclaimers to start the fix.
  • It may identify that Recovery Console is not installed. Please accept when asked if you wish it to be installed.
  • When the scan completes Notepad will open with your results log open. Do a File, Exit.

A caution - Do not run Combofix more than once. Do not touch your mouse/keyboard until the scan has completed, as this may cause the process to stall or your computer to lock. The scan will temporarily disable your desktop, and if interrupted may leave your desktop disabled. If this occurs, please reboot to restore the desktop. Even when ComboFix appears to be doing nothing, look at your Drive light. If it is flashing, Combofix is still at work.

Post back the Combofix log on your next reply.

STEP 02

Update and Scan with Malwarebytes' Anti-Malware

  • Start MalwareBytes AntiMalware (Vista users must Right click and choose RunAs Admin)
  • Please DO NOT run MBAM in Safe Mode unless requested to, you MUST run it in normal Windows mode.
  • Update Malwarebytes' Anti-Malware
    • Select the Update tab
    • Click Update
  • When the update is complete, select the Scanner tab
  • Select Perform quick scan, then click Scan.
  • When the scan is complete, click OK, then Show Results to view the results.
  • Be sure that everything is checked, and click Remove Selected.
  • When completed, a log will open in Notepad. Please copy and paste the log into your next reply.
  • If you accidentally close it, the log file is saved here and will be named like this:
    C:\Documents and Settings\Username\Application Data\Malwarebytes\Malwarebytes' Anti-Malware\Logs\mbam-log-date (time).txt

Then post back the MBAM log and a new Hijackthis log.

STEP 03

Download DDS and save it to your desktop

Disable any script blocker if your Anti-Virus/Anti-Malware has it.

Once downloaded you can disconnect from the Internet and disable your Anti-Virus temporarily if needed.

Then double click dds.scr to run the tool.

When done, the DDS.txt will open.

Click Yes at the next prompt for Optional Scan.
When done, DDS will open two (2) logs:

  1. DDS.txt
  2. Attach.txt

  • Save both reports to your desktop
  • Please include the following logs in your next reply: DDS.txt and Attach.txt

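The Driver:: and File:: lines in the CFScript above come straight from two O23 entries in the posted HijackThis log (cc9b6bee and WMSLService), while the similar-looking KodakCCS entry was left alone. As an added example (mine, not code from HijackThis, ComboFix or Malwarebytes), here is that triage written out: parse the O23 lines, score each service against a few heuristics I assume for this log, and draft the Driver::/File:: stanzas for the entries that clear a threshold; the sample input is constructed from the O23 lines posted above.

```python
"""Triage the O23 (service) lines of a HijackThis log and draft the Driver::/File::
stanzas of a ComboFix CFScript for the entries that look like malware.

Added example for this thread, not code from HijackThis, ComboFix or Malwarebytes;
the scoring heuristics are assumptions that cover only patterns visible in the log."""
import re
from dataclasses import dataclass, field
from typing import List, Optional, Tuple

# O23 - Service: <display name> (<short name>) - <owner> - <path> [(file missing)]
# The owner field is matched without dashes, so display names such as
# "Avira AntiVir Personal - Free Antivirus Scheduler" are not split on their own " - ".
O23_RE = re.compile(
    r"^O23 - Service: (?P<name>.+?) - (?P<owner>[^-]+?) - "
    r"(?P<path>[A-Za-z]:\\.*?)(?P<missing> \(file missing\))?$"
)
SHORT_RE = re.compile(r"^(?P<display>.*) \((?P<short>[^()]+)\)$")
HEX_NAME_RE = re.compile(r"^[0-9a-f]{8}$")

# Constructed sample: O23 lines copied from the HijackThis log posted in this thread.
SAMPLE_LOG = r"""
O23 - Service: Avira AntiVir Personal - Free Antivirus Scheduler (AntiVirScheduler) - Avira GmbH - C:\Program Files\Avira\AntiVir PersonalEdition Classic\sched.exe
O23 - Service: Microsoft DDE+ server (cc9b6bee) - Unknown owner - C:\WINDOWS\system32\.cc9b6bee\cc9b6bee.exe (file missing)
O23 - Service: Kodak Camera Connection Software (KodakCCS) - Unknown owner - C:\WINDOWS\system32\drivers\KodakCCS.exe (file missing)
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: Windows Management Licence Service (WMSLService) - Unknown owner - C:\WINDOWS\inf\svchost.exe (file missing)
"""


@dataclass
class Service:
    display: str
    short: str
    owner: str
    path: str
    missing: bool
    reasons: List[str] = field(default_factory=list)


def parse_o23(line: str) -> Optional[Service]:
    """Return a Service for an O23 line, None for any other line."""
    m = O23_RE.match(line.strip())
    if not m:
        return None
    name = m.group("name")
    s = SHORT_RE.match(name)
    display, short = (s.group("display"), s.group("short")) if s else (name, name)
    return Service(display, short, m.group("owner"), m.group("path"),
                   m.group("missing") is not None)


def score(svc: Service) -> Service:
    """Attach one reason per heuristic that fires. A legitimate leftover from an
    uninstalled program (KodakCCS above) typically trips only the first one."""
    folder, _, exe = svc.path.rpartition("\\")
    if svc.missing and svc.owner == "Unknown owner":
        svc.reasons.append("binary missing and no publisher")
    if "\\." in svc.path:
        svc.reasons.append("dot-prefixed directory (hidden-looking, unusual on Windows)")
    if exe.lower() == "svchost.exe" and not folder.lower().endswith("\\system32"):
        svc.reasons.append("svchost.exe outside System32")
    if HEX_NAME_RE.match(svc.short):
        svc.reasons.append("random hex service name")
    return svc


def triage(log_text: str, min_reasons: int = 2) -> Tuple[List[Service], List[Service]]:
    """Parse every O23 line; return (all services, those at or above the threshold)."""
    services = [score(s) for s in map(parse_o23, log_text.splitlines()) if s]
    return services, [s for s in services if len(s.reasons) >= min_reasons]


def draft_cfscript(suspects: List[Service]) -> str:
    """Driver:: and File:: stanzas in the layout the helper used above. The Registry::
    stanza (the SafeBoot Minimal key, for instance) needs the registry section of the
    log and a human decision, so it is left for the reviewer to add."""
    drivers = "\n".join(s.short for s in suspects)
    files = "\n".join(s.path.lower() for s in suspects)
    return f"Driver::\n{drivers}\n\nFile::\n{files}\n"


if __name__ == "__main__":
    services, suspects = triage(SAMPLE_LOG)
    for s in services:
        print(f"{s.short:18} {len(s.reasons)}  {'; '.join(s.reasons)}")
    print()
    print(draft_cfscript(suspects))
```

With the threshold at two reasons the draft reproduces the helper's Driver:: and File:: lines exactly and leaves KodakCCS (one reason) for a human to judge.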

Thanks.

I followed your instructions and the requested logs are:

Combofix Log

ComboFix 09-05-29.01 - klo 05/30/2009 9:36.2 - NTFSx86

Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.1022.748 [GMT -4:00]

Running from: c:\documents and settings\KLO.IPLS\Desktop\ComboFix.exe

AV: Avira AntiVir PersonalEdition *On-access scanning disabled* (Updated) {AD166499-45F9-482A-A743-FDD3350758C7}

.

((((((((((((((((((((((((( Files Created from 2009-04-28 to 2009-05-30 )))))))))))))))))))))))))))))))

.

2009-05-28 20:19 . 2008-06-19 21:24 28544 ----a-w c:\windows\system32\drivers\pavboot.sys

2009-05-28 20:07 . 2009-05-28 20:07 -------- d-----w c:\program files\Trend Micro

2009-05-23 12:23 . 2009-03-11 02:18 453512 ----a-w c:\windows\system32\KB905474\wgasetup.exe

2009-05-23 12:23 . 2009-05-26 05:05 -------- d-----w c:\windows\system32\KB905474

2009-05-23 12:23 . 2009-03-11 02:26 1403264 ----a-w c:\windows\system32\KB905474\wganotifypackageinner.exe

2009-05-21 20:25 . 2009-03-06 14:44 283648 ------w c:\windows\system32\dllcache\pdh.dll

2009-05-21 20:25 . 2009-02-06 16:54 35328 ------w c:\windows\system32\dllcache\sc.exe

2009-05-21 20:25 . 2005-07-26 04:39 60416 ------w c:\windows\system32\dllcache\colbact.dll

2009-05-21 20:25 . 2009-02-09 10:20 453120 ------w c:\windows\system32\dllcache\wmiprvsd.dll

2009-05-21 20:25 . 2009-02-06 17:14 110592 ------w c:\windows\system32\dllcache\services.exe

2009-05-21 20:25 . 2009-02-06 16:39 227840 ------w c:\windows\system32\dllcache\wmiprvse.exe

2009-05-21 20:24 . 2008-04-21 10:02 215552 ------w c:\windows\system32\dllcache\wordpad.exe

2009-05-20 14:45 . 2009-05-20 14:45 -------- d-----w c:\program files\Common Files\Panda Security

2009-05-17 01:04 . 2009-05-21 20:33 -------- d-----w C:\32788R22FWJFW(2)

2009-05-17 01:04 . 2009-05-21 20:33 -------- d-----w C:\Combo-fix.exe

.

(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

.

2009-05-27 22:08 . 2009-01-26 15:25 75096 ----a-w c:\windows\system32\drivers\avipbb.sys

2009-05-26 05:06 . 2005-07-01 13:42 -------- d-----w c:\program files\Common Files\Symantec Shared

2009-05-26 05:05 . 2005-07-01 13:43 -------- d-----w c:\program files\Symantec

2009-05-23 00:59 . 2005-07-01 13:42 -------- d-----w c:\documents and settings\All Users\Application Data\Symantec

2009-05-22 00:33 . 2009-02-03 19:01 -------- d-----w c:\program files\Malwarebytes' Anti-Malware

2009-05-22 00:33 . 2009-03-29 01:20 2967799 ----a-w c:\documents and settings\All Users\Application Data\Malwarebytes\Malwarebytes' Anti-Malware\mbam-setup.exe

2009-05-21 20:35 . 2009-02-28 20:55 -------- d-----w c:\program files\Spybot - Search & Destroy - 1-62

2009-05-09 18:03 . 2008-01-20 19:27 -------- d-----w c:\program files\Pony Luv

2009-04-21 01:15 . 2005-07-01 13:36 -------- d--h--w c:\program files\InstallShield Installation Information

2009-04-06 19:32 . 2009-02-03 19:01 38496 ----a-w c:\windows\system32\drivers\mbamswissarmy.sys

2009-04-06 19:32 . 2009-02-03 19:02 15504 ----a-w c:\windows\system32\drivers\mbam.sys

2009-04-06 12:51 . 2006-10-11 14:38 -------- d-----w c:\program files\Spybot - Search & Destroy

2009-04-05 00:09 . 2009-04-05 00:09 373114 ----a-w c:\documents and settings\All Users\Application Data\Avira\AntiVir PersonalEdition Classic\TEMP\AVUPDATE_49d7f697\ave2\aescript.dll

2009-04-05 00:09 . 2009-04-05 00:09 397687 ----a-w c:\documents and settings\All Users\Application Data\Avira\AntiVir PersonalEdition Classic\TEMP\AVUPDATE_49d7f697\ave2\aepack.dll

2009-04-05 00:09 . 2009-04-05 00:09 127348 ----a-w c:\documents and settings\All Users\Application Data\Avira\AntiVir PersonalEdition Classic\TEMP\AVUPDATE_49d7f697\ave2\aescn.dll

2009-04-05 00:09 . 2009-04-05 00:09 1700214 ----a-w c:\documents and settings\All Users\Application Data\Avira\AntiVir PersonalEdition Classic\TEMP\AVUPDATE_49d7f697\ave2\aeheur.dll

2009-04-05 00:09 . 2009-04-05 00:09 340340 ----a-w c:\documents and settings\All Users\Application Data\Avira\AntiVir PersonalEdition Classic\TEMP\AVUPDATE_49d7f697\ave2\aegen.dll

2009-04-05 00:09 . 2009-04-05 00:09 176502 ----a-w c:\documents and settings\All Users\Application Data\Avira\AntiVir PersonalEdition Classic\TEMP\AVUPDATE_49d7f697\ave2\aecore.dll

2009-03-29 05:41 . 2006-07-11 22:35 348160 ----a-w c:\windows\system32\msvcr71.dll

2009-03-29 05:41 . 2003-03-19 01:14 499712 ----a-w c:\windows\system32\msvcp71.dll

2009-03-06 14:44 . 2004-08-11 22:00 283648 ----a-w c:\windows\system32\pdh.dll

2005-07-13 04:35 . 2005-07-13 04:35 151040 ----a-w c:\program files\Common Files\MSVCRT.MSM

2004-12-14 01:17 . 2004-12-14 01:17 1001472 ----a-w c:\program files\Common Files\VFP9RptApps.msm

2004-12-14 01:17 . 2004-12-14 01:17 4595712 ----a-w c:\program files\Common Files\Vfp9Runtime.msm

2009-01-30 20:12 . 2009-01-30 20:12 2098 --sh--w c:\windows\system32\rurobahe.exe

.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))

.

.

*Note* empty entries & legit default entries are not shown

REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2004-08-04 15360]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"SoundMAXPnP"="c:\program files\Analog Devices\Core\smax4pnp.exe" [2004-10-15 1404928]

"HP Component Manager"="c:\program files\HP\hpcoretech\hpcmpmgr.exe" [2005-01-12 241664]

"igfxtray"="c:\windows\system32\igfxtray.exe" [2005-09-20 94208]

"igfxhkcmd"="c:\windows\system32\hkcmd.exe" [2005-09-20 77824]

"igfxpers"="c:\windows\system32\igfxpers.exe" [2005-09-20 114688]

"HP Software Update"="c:\program files\HP\HP Software Update\HPWuSchd2.exe" [2005-02-17 49152]

"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2006-09-01 282624]

"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2008-01-12 39792]

"Synchronization Manager"="c:\windows\system32\mobsync.exe" [2004-08-04 143360]

"avgnt"="c:\program files\Avira\AntiVir PersonalEdition Classic\avgnt.exe" [2008-06-12 266497]

"TkBellExe"="c:\program files\Common Files\Real\Update_OB\realsched.exe" [2009-03-29 198160]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\awtqo]

[BU]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\WgaLogon]

[BU]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\cc9b6bee]

@="Service"

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run-]

"AIM"=c:\program files\AIM\aim.exe -cnetwait.odl

"Aim6"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]

"%windir%\\system32\\sessmgr.exe"=

"c:\\Program Files\\HP\\HP Software Update\\HPWUCli.exe"=

"c:\\Program Files\\Common Files\\AOL\\Loader\\aolload.exe"=

"c:\\Program Files\\AIM\\aim.exe"=

"c:\\Program Files\\Kodak\\Kodak EasyShare software\\bin\\EasyShare.exe"=

"c:\\WINDOWS\\system32\\igfxpers.exe"=

"c:\\WINDOWS\\system32\\WISPTIS.EXE"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]

"3389:TCP"= 3389:TCP:@xpsp2res.dll,-22009

"18499:TCP"= 18499:TCP:PORT_18499

"51066:TCP"= 51066:TCP:PORT_51066

"34892:TCP"= 34892:TCP:PORT_34892

"14363:TCP"= 14363:TCP:PORT_14363

"35711:TCP"= 35711:TCP:PORT_35711

R0 pavboot;pavboot;c:\windows\system32\drivers\pavboot.sys [5/28/2009 4:19 PM 28544]

R2 FireBirdGuardian;FireBird Guardian Server;c:\pct-safe\Firebird\Bin\fbguard.exe -s --> c:\pct-safe\Firebird\Bin\fbguard.exe -s [?]

R2 FireBirdServer;FireBird Database Server;c:\pct-safe\Firebird\Bin\fbserver.exe -s -g --> c:\pct-safe\Firebird\Bin\fbserver.exe -s -g [?]

R2 U3SDR200;U3SDR200;c:\windows\system32\drivers\U3SDR200.SYS [3/16/2008 9:27 PM 4224]

S2 cc9b6bee;Microsoft DDE+ server;c:\windows\system32\.cc9b6bee\cc9b6bee.exe --> c:\windows\system32\.cc9b6bee\cc9b6bee.exe [?]

S2 WMSLService;Windows Management Licence Service;c:\windows\inf\svchost.exe --> c:\windows\inf\svchost.exe [?]

S3 brfilt;Brother MFC Filter Driver;c:\windows\system32\drivers\BrFilt.sys [10/2/2008 10:06 AM 2944]

S3 BrSerWDM;Brother Serial driver;c:\windows\system32\drivers\BrSerWdm.sys [10/2/2008 10:06 AM 60416]

S3 BrUsbMdm;Brother MFC USB Fax Only Modem;c:\windows\system32\drivers\BrUsbMdm.sys [10/2/2008 10:06 AM 11008]

S3 BrUsbScn;Brother MFC USB Scanner driver;c:\windows\system32\drivers\BrUsbScn.sys [10/2/2008 10:05 AM 10368]

S3 MR97310_VGA_DUAL_CAMERA;MR97310 VGA Dual Mode Camera;c:\windows\system32\drivers\mr97310v.sys [9/23/2005 5:40 PM 116078]

.

Contents of the 'Scheduled Tasks' folder

2009-05-30 c:\windows\Tasks\Spybot - Search & Destroy - Scheduled Task.job

- c:\program files\Spybot - Search & Destroy\SpybotSD.exe [2006-10-11 20:31]

2009-05-29 c:\windows\Tasks\WGASetup.job

- c:\windows\system32\KB905474\wgasetup.exe [2009-05-23 02:18]

.

- - - - ORPHANS REMOVED - - - -

BHO-{68222a89-715b-48df-80ba-f103481aaca5} - (no file)

BHO-{9e166ea2-cab4-49e1-9f57-3054bbc2e9ed} - (no file)

.

------- Supplementary Scan -------

.

uStart Page = hxxp://ixquick.com/eng/

mStart Page = hxxp://www.dell4me.com/mywaybiz

uInternet Connection Wizard,ShellNext = iexplore

uSearchURL,(Default) = hxxp://www.google.com/search?q=%s

IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\OFFICE11\EXCEL.EXE/3000

Trusted Zone: fedex.com\www

Trusted Zone: saas-elearn.org

Trusted Zone: theiplawgroup.com\mail

TCP: {ED39E28C-66FE-4B6F-A17A-E54DA18EAECB} = 10.0.1.2,209.183.205.35

DPF: {049A470D-F818-4E34-B14D-E4E237DADCF8} - hxxp://www.shockwave.com/content/fashiondash/sis/fashiondashweb.1.0.0.21.cab

DPF: {055B4212-4C81-448E-AFA9-C3CA4AAE8F95} - hxxp://www.shockwave.com/content/dairydash/sis/DairyDashWeb.1.0.0.12.cab

DPF: {195B4BBF-E1E4-4020-9773-0A8C6F65EA35} - hxxp://www.shockwave.com/content/cookingdash/sis/CookingDashWeb.1.0.0.9.cab

DPF: {1A595EDD-978A-48C7-B730-AF3B9CC64DAB} - hxxp://63.251.81.180/component/VZWDLManager.cab

DPF: {3269A168-A467-4236-9D77-FF36D8DFB20F} - hxxps://bis.na.blackberry.com/html/web/client_tools/RIM-PwpClient.cab

DPF: {6715D12F-213F-4C6E-ACE1-8A363F550B96} - hxxp://www.shockwave.com/content/doggiedash/sis/DoggieDash.1.0.0.6.cab

DPF: {B516CA4E-A5BA-405C-AFCF-A97F08CC7429} - hxxp://www.shockwave.com/content/burgershop/sis/GoBitGamesPlayer_v5.cab

FF - ProfilePath - c:\documents and settings\KLO.IPLS\Application Data\Mozilla\Firefox\Profiles\ufvj2z9r.default\

FF - prefs.js: browser.startup.homepage - hxxp://www.ixquick.com/

FF - component: c:\program files\Real\RealPlayer\browserrecord\components\nprpbrowserrecordplugin.dll

FF - plugin: c:\program files\Java\jre1.5.0_12\bin\NPJava11.dll

FF - plugin: c:\program files\Java\jre1.5.0_12\bin\NPJava12.dll

FF - plugin: c:\program files\Java\jre1.5.0_12\bin\NPJava13.dll

FF - plugin: c:\program files\Java\jre1.5.0_12\bin\NPJava14.dll

FF - plugin: c:\program files\Java\jre1.5.0_12\bin\NPJava32.dll

FF - plugin: c:\program files\Java\jre1.5.0_12\bin\NPJPI150_12.dll

FF - plugin: c:\program files\Java\jre1.5.0_12\bin\NPOJI610.dll

FF - plugin: c:\program files\Unity\WebPlayer\loader\npUnity3D32.dll

.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://*.saas-elearn.org

O15 - Trusted Zone: mail.theiplawgroup.com

O16 - DPF: {049A470D-F818-4E34-B14D-E4E237DADCF8} (CPlayFirstFashionDasControl Object) - http://www.shockwave.com/content/fashionda...eb.1.0.0.21.cab

O16 - DPF: {055B4212-4C81-448E-AFA9-C3CA4AAE8F95} (CPlayFirstDairyDashWControl Object) - http://www.shockwave.com/content/dairydash...eb.1.0.0.12.cab

O16 - DPF: {106E49CF-797A-11D2-81A2-00E02C015623} (AlternaTIFF ActiveX) - http://www.alternatiff.com/install/00/alttiff.cab

O16 - DPF: {195B4BBF-E1E4-4020-9773-0A8C6F65EA35} (CPlayFirstCookingDasControl Object) - http://www.shockwave.com/content/cookingda...Web.1.0.0.9.cab

O16 - DPF: {1A595EDD-978A-48C7-B730-AF3B9CC64DAB} (DLManager Class) - http://63.251.81.180/component/VZWDLManager.cab

O16 - DPF: {2D8ED06D-3C30-438B-96AE-4D110FDC1FB8} (ActiveScan 2.0 Installer Class) - http://acs.pandasoftware.com/activescan/cabs/as2stubie.cab

O16 - DPF: {3269A168-A467-4236-9D77-FF36D8DFB20F} - https://bis.na.blackberry.com/html/web/clie...M-PwpClient.cab

O16 - DPF: {49232000-16E4-426C-A231-62846947304B} (SysData Class) - http://ipgweb.cce.hp.com/rdqaio/downloads/sysinfo.cab

O16 - DPF: {5ED80217-570B-4DA9-BF44-BE107C0EC166} (Windows Live Safety Center Base Module) - http://cdn.scan.onecare.live.com/resource/...lscbase6662.cab

O16 - DPF: {6715D12F-213F-4C6E-ACE1-8A363F550B96} (CPlayFirstDoggieDashControl Object) - http://www.shockwave.com/content/doggiedas...ash.1.0.0.6.cab

O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdat...b?1128752109638

O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} -

O16 - DPF: {AB86CE53-AC9F-449F-9399-D8ABCA09EC09} (Get_ActiveX Control) - https://h17000.www1.hp.com/ewfrf-JAVA/Secur...loadManager.ocx

O16 - DPF: {B516CA4E-A5BA-405C-AFCF-A97F08CC7429} (GoBit Games Player) - http://www.shockwave.com/content/burgersho...esPlayer_v5.cab

O16 - DPF: {EB387D2F-E27B-4D36-979E-847D1036C65D} (QDiagHUpdateObj Class) - http://h30043.www3.hp.com/aio/en/check/qdiagh.cab?326

O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = iplawspecialists.com

O17 - HKLM\Software\..\Telephony: DomainName = iplawspecialists.com

O17 - HKLM\System\CCS\Services\Tcpip\..\{ED39E28C-66FE-4B6F-A17A-E54DA18EAECB}: NameServer = 10.0.1.2,209.183.205.35

O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = iplawspecialists.com

O17 - HKLM\System\CS2\Services\Tcpip\Parameters: Domain = iplawspecialists.com

O17 - HKLM\System\CS3\Services\Tcpip\Parameters: Domain = iplawspecialists.com

O20 - Winlogon Notify: awtqo - C:\WINDOWS\

O23 - Service: Avira AntiVir Personal - Free Antivirus Scheduler (AntiVirScheduler) - Avira GmbH - C:\Program Files\Avira\AntiVir PersonalEdition Classic\sched.exe

O23 - Service: Avira AntiVir Personal - Free Antivirus Guard (AntiVirService) - Avira GmbH - C:\Program Files\Avira\AntiVir PersonalEdition Classic\avguard.exe

O23 - Service: Automatic LiveUpdate Scheduler - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe

O23 - Service: Microsoft DDE+ server (cc9b6bee) - Unknown owner - C:\WINDOWS\system32\.cc9b6bee\cc9b6bee.exe (file missing)

O23 - Service: FireBird Guardian Server (FireBirdGuardian) - The Firebird Project - C:\PCT-SAFE\Firebird\Bin\fbguard.exe

O23 - Service: FireBird Database Server (FireBirdServer) - The Firebird Project - C:\PCT-SAFE\Firebird\Bin\fbserver.exe

O23 - Service: Kodak Camera Connection Software (KodakCCS) - Unknown owner - C:\WINDOWS\system32\drivers\KodakCCS.exe (file missing)

O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE

O23 - Service: Intel NCS NetService (NetSvc) - Intel® Corporation - C:\Program Files\Intel\PROSetWired\NCS\Sync\NetSvc.exe

O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe

O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe

O23 - Service: Windows Management Licence Service (WMSLService) - Unknown owner - C:\WINDOWS\inf\svchost.exe (file missing)

--

End of file - 8752 bytes

DDS Log

DDS (Ver_09-05-14.01) - NTFSx86

Run by klo at 10:00:32.73 on Sat 05/30/2009

Internet Explorer: 6.0.2900.2180 BrowserJavaVersion: 1.5.0_12

Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.1022.698 [GMT -4:00]

AV: Avira AntiVir PersonalEdition *On-access scanning disabled* (Updated) {AD166499-45F9-482A-A743-FDD3350758C7}

============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch

svchost.exe

C:\WINDOWS\System32\svchost.exe -k netsvcs

C:\WINDOWS\system32\svchost.exe -k WudfServiceGroup

svchost.exe

svchost.exe

C:\WINDOWS\system32\spoolsv.exe

C:\Program Files\Avira\AntiVir PersonalEdition Classic\sched.exe

svchost.exe

C:\Program Files\Avira\AntiVir PersonalEdition Classic\avguard.exe

C:\WINDOWS\Explorer.EXE

C:\PCT-SAFE\Firebird\Bin\fbguard.exe

C:\PCT-SAFE\Firebird\Bin\fbserver.exe

C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE

C:\WINDOWS\system32\svchost.exe -k imgsvc

C:\Program Files\Analog Devices\Core\smax4pnp.exe

C:\Program Files\HP\hpcoretech\hpcmpmgr.exe

C:\WINDOWS\system32\igfxpers.exe

C:\Program Files\HP\HP Software Update\HPWuSchd2.exe

C:\Program Files\QuickTime\qttask.exe

C:\WINDOWS\system32\mobsync.exe

C:\Program Files\Avira\AntiVir PersonalEdition Classic\avgnt.exe

C:\Program Files\Common Files\Real\Update_OB\realsched.exe

C:\WINDOWS\system32\ctfmon.exe

C:\WINDOWS\system32\wuauclt.exe

C:\Documents and Settings\KLO.IPLS\Desktop\dds.scr

============== Pseudo HJT Report ===============

uStart Page = hxxp://ixquick.com/eng/

mStart Page = hxxp://www.dell4me.com/mywaybiz

uInternet Connection Wizard,ShellNext = iexplore

uSearchURL,(Default) = hxxp://www.google.com/search?q=%s

BHO: Adobe PDF Reader Link Helper: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelper.dll

BHO: RealPlayer Download and Record Plugin for Internet Explorer: {3049c3e9-b461-4bc5-8870-4c09146192ca} - c:\program files\real\realplayer\rpbrowserrecordplugin.dll

BHO: Spybot-S&D IE Protection: {53707962-6f74-2d53-2644-206d7942484f} - c:\progra~1\spybot~1\SDHelper.dll

BHO: SSVHelper Class: {761497bb-d6f0-462c-b6eb-d4daf1d92d43} - c:\program files\java\jre1.6.0_02\bin\ssv.dll

BHO: {BDF3E430-B101-42AD-A544-FADC6B084872} - No File

TB: Yahoo! Toolbar: {ef99bd32-c1fb-11d2-892f-0090271d4f88} -

EB: Adobe PDF: {182ec0be-5110-49c8-a062-beb1d02a220b} - c:\program files\adobe\acrobat 6.0\acrobat\AcroIEFavClient.dll

EB: {4528BBE0-4E08-11D5-AD55-00010333D0AD} - No File

uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe

mRun: [SoundMAXPnP] c:\program files\analog devices\core\smax4pnp.exe

mRun: [HP Component Manager] "c:\program files\hp\hpcoretech\hpcmpmgr.exe"

mRun: [igfxtray] c:\windows\system32\igfxtray.exe

mRun: [igfxhkcmd] c:\windows\system32\hkcmd.exe

mRun: [igfxpers] c:\windows\system32\igfxpers.exe

mRun: [HP Software Update] c:\program files\hp\hp software update\HPWuSchd2.exe

mRun: [QuickTime Task] "c:\program files\quicktime\qttask.exe" -atboottime

mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 8.0\reader\Reader_sl.exe"

mRun: [Synchronization Manager] %SystemRoot%\system32\mobsync.exe /logon

mRun: [avgnt] "c:\program files\avira\antivir personaledition classic\avgnt.exe" /min

mRun: [TkBellExe] "c:\program files\common files\real\update_ob\realsched.exe" -osboot

mRunOnce: [Malwarebytes' Anti-Malware] c:\program files\malwarebytes' anti-malware\mbamgui.exe /install /silent

StartupFolder: c:\docume~1\klo~1.ipl\startm~1\programs\startup\imatio~1.lnk - c:\documents and settings\klo.ipls\local settings\temp\imation\USB_ImationFlashDetect.exe

IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office11\EXCEL.EXE/3000

IE: {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - c:\program files\aim\aim.exe

IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~2\office11\REFIEBAR.DLL

IE: {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - {53707962-6F74-2D53-2644-206D7942484F} - c:\progra~1\spybot~1\SDHelper.dll

Trusted Zone: fedex.com\www

Trusted Zone: saas-elearn.org

Trusted Zone: theiplawgroup.com\mail

DPF: {049A470D-F818-4E34-B14D-E4E237DADCF8} - hxxp://www.shockwave.com/content/fashiondash/sis/fashiondashweb.1.0.0.21.cab

DPF: {055B4212-4C81-448E-AFA9-C3CA4AAE8F95} - hxxp://www.shockwave.com/content/dairydash/sis/DairyDashWeb.1.0.0.12.cab

DPF: {106E49CF-797A-11D2-81A2-00E02C015623} - hxxp://www.alternatiff.com/install/00/alttiff.cab

DPF: {195B4BBF-E1E4-4020-9773-0A8C6F65EA35} - hxxp://www.shockwave.com/content/cookingdash/sis/CookingDashWeb.1.0.0.9.cab

DPF: {1A595EDD-978A-48C7-B730-AF3B9CC64DAB} - hxxp://63.251.81.180/component/VZWDLManager.cab

DPF: {233C1507-6A77-46A4-9443-F871F945D258} - hxxp://download.macromedia.com/pub/shockwave/cabs/director/sw.cab

DPF: {2D8ED06D-3C30-438B-96AE-4D110FDC1FB8} - hxxp://acs.pandasoftware.com/activescan/cabs/as2stubie.cab

DPF: {3269A168-A467-4236-9D77-FF36D8DFB20F} - hxxps://bis.na.blackberry.com/html/web/client_tools/RIM-PwpClient.cab

DPF: {3E68E405-C6DE-49FF-83AE-41EE9F4C36CE} - hxxp://office.microsoft.com/officeupdate/content/opuc3.cab

DPF: {49232000-16E4-426C-A231-62846947304B} - hxxp://ipgweb.cce.hp.com/rdqaio/downloads/sysinfo.cab

DPF: {5ED80217-570B-4DA9-BF44-BE107C0EC166} - hxxp://cdn.scan.onecare.live.com/resource/download/scanner/wlscbase6662.cab

DPF: {6715D12F-213F-4C6E-ACE1-8A363F550B96} - hxxp://www.shockwave.com/content/doggiedash/sis/DoggieDash.1.0.0.6.cab

DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} - hxxp://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1128752109638

DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-6-windows-i586.cab

DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} - hxxp://fpdownload.macromedia.com/get/flashplayer/current/ultrashim.cab

DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1}

DPF: {AB86CE53-AC9F-449F-9399-D8ABCA09EC09} - hxxps://h17000.www1.hp.com/ewfrf-JAVA/Secure/HPGetDownloadManager.ocx

DPF: {B516CA4E-A5BA-405C-AFCF-A97F08CC7429} - hxxp://www.shockwave.com/content/burgershop/sis/GoBitGamesPlayer_v5.cab

DPF: {CAFEEFAC-0014-0002-0003-ABCDEFFEDCBA} - hxxp://java.sun.com/products/plugin/autodl/jinstall-142-windows-i586.cab

DPF: {CAFEEFAC-0015-0000-0012-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_12-windows-i586.cab

DPF: {CAFEEFAC-0016-0000-0002-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_02-windows-i586.cab

DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_02-windows-i586.cab

DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://fpdownload.macromedia.com/pub/shockwave/cabs/flash/swflash.cab

DPF: {EB387D2F-E27B-4D36-979E-847D1036C65D} - hxxp://h30043.www3.hp.com/aio/en/check/qdiagh.cab?326

TCP: {ED39E28C-66FE-4B6F-A17A-E54DA18EAECB} = 10.0.1.2,209.183.205.35

Handler: cetihpz - {CF184AD3-CDCB-4168-A3F7-8E447D129300} - c:\program files\hp\hpcoretech\comp\hpuiprot.dll

Notify: igfxcui - igfxdev.dll

SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\klo~1.ipl\applic~1\mozilla\firefox\profiles\ufvj2z9r.default\

FF - prefs.js: browser.startup.homepage - hxxp://www.ixquick.com/

FF - component: c:\program files\real\realplayer\browserrecord\components\nprpbrowserrecordplugin.dll

FF - plugin: c:\program files\java\jre1.5.0_12\bin\NPJava11.dll

FF - plugin: c:\program files\java\jre1.5.0_12\bin\NPJava12.dll

FF - plugin: c:\program files\java\jre1.5.0_12\bin\NPJava13.dll

FF - plugin: c:\program files\java\jre1.5.0_12\bin\NPJava14.dll

FF - plugin: c:\program files\java\jre1.5.0_12\bin\NPJava32.dll

FF - plugin: c:\program files\java\jre1.5.0_12\bin\NPJPI150_12.dll

FF - plugin: c:\program files\java\jre1.5.0_12\bin\NPOJI610.dll

FF - plugin: c:\program files\unity\webplayer\loader\npUnity3D32.dll

============= SERVICES / DRIVERS ===============

R0 pavboot;pavboot;c:\windows\system32\drivers\pavboot.sys [2009-5-28 28544]

R1 avgio;avgio;c:\program files\avira\antivir personaledition classic\avgio.sys [2009-1-26 11608]

R2 AntiVirScheduler;Avira AntiVir Personal - Free Antivirus Scheduler;c:\program files\avira\antivir personaledition classic\sched.exe [2009-1-26 68865]

R2 AntiVirService;Avira AntiVir Personal - Free Antivirus Guard;c:\program files\avira\antivir personaledition classic\avguard.exe [2009-1-26 151297]

R2 FireBirdGuardian;FireBird Guardian Server;c:\pct-safe\firebird\bin\fbguard.exe -s --> c:\pct-safe\firebird\bin\fbguard.exe -s [?]

R2 FireBirdServer;FireBird Database Server;c:\pct-safe\firebird\bin\fbserver.exe -s -g --> c:\pct-safe\firebird\bin\fbserver.exe -s -g [?]

R2 U3SDR200;U3SDR200;c:\windows\system32\drivers\U3SDR200.SYS [2008-3-16 4224]

R3 avgntflt;avgntflt;c:\program files\avira\antivir personaledition classic\avgntflt.sys [2009-1-26 52056]

S2 cc9b6bee;Microsoft DDE+ server;c:\windows\system32\.cc9b6bee\cc9b6bee.exe --> c:\windows\system32\.cc9b6bee\cc9b6bee.exe [?]

S2 WMSLService;Windows Management Licence Service;c:\windows\inf\svchost.exe --> c:\windows\inf\svchost.exe [?]

S3 brfilt;Brother MFC Filter Driver;c:\windows\system32\drivers\BrFilt.sys [2008-10-2 2944]

S3 BrSerWDM;Brother Serial driver;c:\windows\system32\drivers\BrSerWdm.sys [2008-10-2 60416]

S3 BrUsbMdm;Brother MFC USB Fax Only Modem;c:\windows\system32\drivers\BrUsbMdm.sys [2008-10-2 11008]

S3 BrUsbScn;Brother MFC USB Scanner driver;c:\windows\system32\drivers\BrUsbScn.sys [2008-10-2 10368]

S3 MR97310_VGA_DUAL_CAMERA;MR97310 VGA Dual Mode Camera;c:\windows\system32\drivers\mr97310v.sys [2005-9-23 116078]

=============== Created Last 30 ================

2009-05-30 09:34 <DIR> --ds---- C:\ComboFix

2009-05-28 16:19 28,544 a------- c:\windows\system32\drivers\pavboot.sys

2009-05-28 16:07 <DIR> --d----- c:\program files\Trend Micro

2009-05-28 14:26 <DIR> a-dshr-- C:\cmdcons

2009-05-28 14:23 161,792 a------- c:\windows\SWREG.exe

2009-05-28 14:23 154,624 a------- c:\windows\PEV.exe

2009-05-28 14:23 98,816 a------- c:\windows\sed.exe

2009-05-23 08:23 <DIR> --d----- c:\windows\system32\KB905474

2009-05-21 16:25 283,648 -------- c:\windows\system32\dllcache\pdh.dll

2009-05-21 16:25 60,416 -------- c:\windows\system32\dllcache\colbact.dll

2009-05-21 16:25 35,328 -------- c:\windows\system32\dllcache\sc.exe

2009-05-21 16:25 453,120 -------- c:\windows\system32\dllcache\wmiprvsd.dll

2009-05-21 16:25 227,840 -------- c:\windows\system32\dllcache\wmiprvse.exe

2009-05-21 16:25 110,592 -------- c:\windows\system32\dllcache\services.exe

2009-05-21 16:24 215,552 -------- c:\windows\system32\dllcache\wordpad.exe

2009-05-20 10:45 <DIR> --d----- c:\program files\common files\Panda Security

2009-05-16 21:04 <DIR> --d----- C:\32788R22FWJFW(2)

2009-05-16 21:04 <DIR> --d----- C:\Combo-fix.exe

==================== Find3M ====================

2009-05-26 13:20 40,160 a------- c:\windows\system32\drivers\mbamswissarmy.sys

2009-05-26 13:19 19,096 a------- c:\windows\system32\drivers\mbam.sys

2009-03-29 01:41 499,712 a------- c:\windows\system32\msvcp71.dll

2009-03-29 01:41 348,160 a------- c:\windows\system32\msvcr71.dll

2009-03-21 10:18 986,112 a------- c:\windows\system32\dllcache\kernel32.dll

2009-03-06 10:44 283,648 a------- c:\windows\system32\pdh.dll

2009-03-02 19:52 1,495,552 a------- c:\windows\system32\dllcache\shdocvw.dll

2008-07-09 13:35 3,902,784 a------- c:\documents and settings\klo.ipls\gosetup.exe

2006-11-14 21:23 56,912 a------- c:\documents and settings\klo.ipls\g2mdlhlpx.exe

2005-07-13 00:35 151,040 a------- c:\program files\common files\MSVCRT.MSM

2004-12-13 21:17 1,001,472 a------- c:\program files\common files\VFP9RptApps.msm

2004-12-13 21:17 4,595,712 a------- c:\program files\common files\Vfp9Runtime.msm

2009-01-30 16:12 2,098 ---sh--- c:\windows\system32\rurobahe.exe

============= FINISH: 10:01:23.23 ===============

Attach

UNLESS SPECIFICALLY INSTRUCTED, DO NOT POST THIS LOG.

IF REQUESTED, ZIP IT UP & ATTACH IT

DDS (Ver_09-05-14.01)

Microsoft Windows XP Professional

Boot Device: \Device\HarddiskVolume2

Install Date: 7/8/2005 8:52:18 AM

System Uptime: 5/30/2009 9:47:21 AM (1 hours ago)

Motherboard: Dell Computer Corp. | | 0TC666

Processor: Intel® Pentium® 4 CPU 2.80GHz | Microprocessor | 2792/533mhz

==== Disk Partitions =========================

C: is FIXED (NTFS) - 34 GiB total, 3.279 GiB free.

D: is CDROM ()

K: is NetworkDisk (*NT5CSC) - 34 GiB total, 3.279 GiB free.

==== Disabled Device Manager Items =============

==== System Restore Points ===================

RP1223: 3/2/2009 11:26:21 AM - System Checkpoint

RP1224: 3/3/2009 11:46:10 AM - System Checkpoint

RP1225: 3/6/2009 10:49:25 AM - System Checkpoint

RP1226: 3/8/2009 8:52:56 AM - System Checkpoint

RP1227: 3/15/2009 11:42:40 AM - System Checkpoint

RP1228: 3/16/2009 12:25:19 PM - System Checkpoint

RP1229: 3/17/2009 2:12:43 PM - System Checkpoint

RP1230: 3/19/2009 3:53:44 PM - System Checkpoint

RP1231: 3/23/2009 7:41:09 AM - System Checkpoint

RP1232: 3/24/2009 8:16:46 AM - System Checkpoint

RP1233: 3/25/2009 10:31:16 PM - System Checkpoint

RP1234: 3/27/2009 6:50:03 AM - System Checkpoint

RP1235: 3/28/2009 7:20:49 AM - System Checkpoint

RP1236: 3/30/2009 12:22:07 PM - System Checkpoint

RP1237: 3/31/2009 12:22:38 PM - System Checkpoint

RP1238: 2/28/2009 3:25:15 PM - System Checkpoint

RP1239: 2/28/2009 6:45:38 PM - Software Distribution Service 3.0

RP1240: 3/1/2009 3:00:51 AM - Software Distribution Service 3.0

RP1241: 4/1/2009 3:55:56 PM - Software Distribution Service 3.0

RP1242: 4/2/2009 11:49:32 PM - System Checkpoint

RP1243: 4/4/2009 12:47:49 AM - System Checkpoint

RP1244: 4/5/2009 1:08:03 AM - System Checkpoint

RP1245: 5/21/2009 4:32:40 PM - Restore Operation

RP1246: 5/21/2009 4:43:56 PM - Software Distribution Service 3.0

RP1247: 5/22/2009 8:58:54 PM - Removed Norton AntiVirus 2003

RP1248: 5/23/2009 6:59:14 AM - Software Distribution Service 3.0

RP1249: 5/24/2009 7:56:15 AM - System Checkpoint

RP1250: 5/25/2009 8:56:13 AM - System Checkpoint

RP1251: 5/26/2009 5:58:56 AM - Restore Operation

RP1252: 5/27/2009 1:12:41 AM - System Checkpoint

RP1253: 5/28/2009 1:39:42 AM - System Checkpoint

RP1254: 5/29/2009 8:15:37 AM - System Checkpoint

==== Installed Programs ======================

5500

5500_Help

5500Tour

5500Trb

Adobe Acrobat - Reader 6.0.2 Update

Adobe Acrobat 6.0 Professional

Adobe Flash Player 9 ActiveX

Adobe Flash Player ActiveX

Adobe Reader 6.0.1

Adobe Reader 8.1.2

Adobe Shockwave Player 11.5

AIM 6.0

AiO_Scan

AiOSoftware

Amicus Accounting

Amicus Administrator

Amicus Attorney

Ancient Trijong and Maui Wowee

AOL Instant Messenger

ArcSoft Camera Suite

Avira AntiVir Personal - Free Antivirus

BufferChm

CCScore

Compatibility Pack for the 2007 Office system

Copy

CreativeProjects

CreativeProjectsTemplates

Critical Update for Windows Media Player 11 (KB959772)

CueTour

CutePDF Writer 2.7

Dell Driver Reset Tool

Dell System Restore

Destinations

Director

DocProc

DocumentViewer

DVD Decrypter (Remove Only)

eFax Messenger 4.3

ESSCDBK

ESScore

ESSgui

ESShelp

ESSini

ESSPCD

ESSSONIC

ESSTOOLS

ESSvpaht

ESSvpot

FairCom Crystal Driver

Fax

GdiplusUpgrade

GE UltraCam

HijackThis 2.0.2

HLPIndex

HLPRFO

Hotfix for Windows Media Format 11 SDK (KB929399)

Hotfix for Windows Media Player 11 (KB939683)

Hotfix for Windows XP (KB926239)

Hotfix for Windows XP (KB952287)

HP Diagnostic Assistant

HP Image Zone 4.2

HP PSC & OfficeJet 4.2

HP Software Update

hpmdtab

HPODiscovery

HPSystemDiagnostics

HyperCam 2

InstantShare

Intel® Extreme Graphics 2 Driver

Intel® PRO Network Adapters and Drivers

Intel® PROSet for Wired Connections

Internet Explorer Default Page

interneTIFF 7.0-Professional (IE Browser)

J2SE Runtime Environment 5.0 Update 12

Java 2 Runtime Environment, SE v1.4.2_03

Java 6 Update 2

Kodak EasyShare software

KSU

LG USB Drivers

LG USB Modem Drivers

LiveReg (Symantec Corporation)

LiveUpdate 3.0 (Symantec Corporation)

Macromedia Flash Player

Malwarebytes' Anti-Malware

Memories Disc Creator 2.0

Microsoft .NET Framework 1.1

Microsoft .NET Framework 1.1 Hotfix (KB928366)

Microsoft Compression Client Pack 1.0 for Windows XP

Microsoft Office Professional Edition 2003

Microsoft Office Project Professional 2003

Microsoft User-Mode Driver Framework Feature Pack 1.0

Move Networks Media Player for Internet Explorer

Mozilla Firefox (3.0.10)

Mozilla Thunderbird (1.5.0.8)

MSXML 4.0 SP2 (KB927978)

MSXML 4.0 SP2 (KB936181)

MSXML 4.0 SP2 (KB954430)

MSXML 4.0 SP2 Parser and SDK

MSXML 6 Service Pack 2 (KB954459)

Norton WMI Update

Notifier

OTtBPSDK

overland

Panda ActiveScan 2.0

PCDADDIN

PCDHELP

PCT-SAFE Editor 1.0

PCT-SAFE Editor 1.98

PCT-SAFE Editor Conversion Components

PCT-SAFE Online Filing

PhotoGallery

PrintScreen

ProductContext

QFolder

Qualxserve Service Agreement

QuickBooks Pro 2005

QuickProjects

QuickTime

Readme

RealPlayer

Scan

Security Update for CAPICOM (KB931906)

Security Update for Step By Step Interactive Training (KB898458)

Security Update for Step By Step Interactive Training (KB923723)

Security Update for Windows Media Player (KB911564)

Security Update for Windows Media Player (KB952069)

Security Update for Windows Media Player 10 (KB911565)

Security Update for Windows Media Player 10 (KB917734)

Security Update for Windows Media Player 11 (KB936782)

Security Update for Windows Media Player 11 (KB954154)

Security Update for Windows Media Player 6.4 (KB925398)

Security Update for Windows XP (KB883939)

Security Update for Windows XP (KB890046)

Security Update for Windows XP (KB893066)

Security Update for Windows XP (KB893756)

Security Update for Windows XP (KB896358)

Security Update for Windows XP (KB896422)

Security Update for Windows XP (KB896423)

Security Update for Windows XP (KB896424)

Security Update for Windows XP (KB896428)

Security Update for Windows XP (KB896688)

Security Update for Windows XP (KB899587)

Security Update for Windows XP (KB899588)

Security Update for Windows XP (KB899589)

Security Update for Windows XP (KB899591)

Security Update for Windows XP (KB900725)

Security Update for Windows XP (KB901017)

Security Update for Windows XP (KB901214)

Security Update for Windows XP (KB902400)

Security Update for Windows XP (KB903235)

Security Update for Windows XP (KB904706)

Security Update for Windows XP (KB905414)

Security Update for Windows XP (KB905749)

Security Update for Windows XP (KB905915)

Security Update for Windows XP (KB908519)

Security Update for Windows XP (KB908531)

Security Update for Windows XP (KB911280)

Security Update for Windows XP (KB911562)

Security Update for Windows XP (KB911567)

Security Update for Windows XP (KB911927)

Security Update for Windows XP (KB912812)

Security Update for Windows XP (KB912919)

Security Update for Windows XP (KB913446)

Security Update for Windows XP (KB913580)

Security Update for Windows XP (KB914388)

Security Update for Windows XP (KB914389)

Security Update for Windows XP (KB916281)

Security Update for Windows XP (KB917159)

Security Update for Windows XP (KB917344)

Security Update for Windows XP (KB917422)

Security Update for Windows XP (KB917953)

Security Update for Windows XP (KB918118)

Security Update for Windows XP (KB918439)

Security Update for Windows XP (KB918899)

Security Update for Windows XP (KB919007)

Security Update for Windows XP (KB920213)

Security Update for Windows XP (KB920214)

Security Update for Windows XP (KB920670)

Security Update for Windows XP (KB920683)

Security Update for Windows XP (KB920685)

Security Update for Windows XP (KB921398)

Security Update for Windows XP (KB921503)

Security Update for Windows XP (KB921883)

Security Update for Windows XP (KB922616)

Security Update for Windows XP (KB922760)

Security Update for Windows XP (KB922819)

Security Update for Windows XP (KB923191)

Security Update for Windows XP (KB923414)

Security Update for Windows XP (KB923561)

Security Update for Windows XP (KB923689)

Security Update for Windows XP (KB923694)

Security Update for Windows XP (KB923980)

Security Update for Windows XP (KB924191)

Security Update for Windows XP (KB924270)

Security Update for Windows XP (KB924496)

Security Update for Windows XP (KB924667)

Security Update for Windows XP (KB925454)

Security Update for Windows XP (KB925486)

Security Update for Windows XP (KB925902)

Security Update for Windows XP (KB926255)

Security Update for Windows XP (KB926436)

Security Update for Windows XP (KB927779)

Security Update for Windows XP (KB927802)

Security Update for Windows XP (KB928090)

Security Update for Windows XP (KB928255)

Security Update for Windows XP (KB928843)

Security Update for Windows XP (KB929123)

Security Update for Windows XP (KB929969)

Security Update for Windows XP (KB930178)

Security Update for Windows XP (KB931261)

Security Update for Windows XP (KB931768)

Security Update for Windows XP (KB931784)

Security Update for Windows XP (KB932168)

Security Update for Windows XP (KB933566)

Security Update for Windows XP (KB933729)

Security Update for Windows XP (KB935839)

Security Update for Windows XP (KB935840)

Security Update for Windows XP (KB936021)

Security Update for Windows XP (KB937143)

Security Update for Windows XP (KB937894)

Security Update for Windows XP (KB938127)

Security Update for Windows XP (KB938464)

Security Update for Windows XP (KB938829)

Security Update for Windows XP (KB939653)

Security Update for Windows XP (KB941202)

Security Update for Windows XP (KB941568)

Security Update for Windows XP (KB941569)

Security Update for Windows XP (KB941644)

Security Update for Windows XP (KB941693)

Security Update for Windows XP (KB942615)

Security Update for Windows XP (KB943055)

Security Update for Windows XP (KB943460)

Security Update for Windows XP (KB943485)

Security Update for Windows XP (KB944338)

Security Update for Windows XP (KB944533)

Security Update for Windows XP (KB944653)

Security Update for Windows XP (KB945553)

Security Update for Windows XP (KB946026)

Security Update for Windows XP (KB946648)

Security Update for Windows XP (KB947864)

Security Update for Windows XP (KB948590)

Security Update for Windows XP (KB948881)

Security Update for Windows XP (KB950749)

Security Update for Windows XP (KB950759)

Security Update for Windows XP (KB950760)

Security Update for Windows XP (KB950762)

Security Update for Windows XP (KB950974)

Security Update for Windows XP (KB951066)

Security Update for Windows XP (KB951376-v2)

Security Update for Windows XP (KB951376)

Security Update for Windows XP (KB951698)

Security Update for Windows XP (KB951748)

Security Update for Windows XP (KB952004)

Security Update for Windows XP (KB952954)

Security Update for Windows XP (KB953838)

Security Update for Windows XP (KB953839)

Security Update for Windows XP (KB954211)

Security Update for Windows XP (KB954600)

Security Update for Windows XP (KB955069)

Security Update for Windows XP (KB956390)

Security Update for Windows XP (KB956391)

Security Update for Windows XP (KB956572)

Security Update for Windows XP (KB956802)

Security Update for Windows XP (KB956803)

Security Update for Windows XP (KB956841)

Security Update for Windows XP (KB957095)

Security Update for Windows XP (KB957097)

Security Update for Windows XP (KB958215)

Security Update for Windows XP (KB958644)

Security Update for Windows XP (KB958687)

Security Update for Windows XP (KB958690)

Security Update for Windows XP (KB959426)

Security Update for Windows XP (KB960225)

Security Update for Windows XP (KB960714)

Security Update for Windows XP (KB960715)

Security Update for Windows XP (KB960803)

Security Update for Windows XP (KB961373)

Security Update for Windows XP (KB963027)

SFR

SHASTA

SKIN0001

SkinsHP1

SkinsHP2

SKINXSDK

Spybot - Search & Destroy

Spybot - Search & Destroy 1.4

TrayApp

Unity Web Player

Unload

Update for Windows XP (KB894391)

Update for Windows XP (KB896727)

Update for Windows XP (KB898461)

Update for Windows XP (KB900485)

Update for Windows XP (KB910437)

Update for Windows XP (KB916595)

Update for Windows XP (KB920872)

Update for Windows XP (KB922582)

Update for Windows XP (KB927891)

Update for Windows XP (KB929338)

Update for Windows XP (KB930916)

Update for Windows XP (KB931836)

Update for Windows XP (KB933360)

Update for Windows XP (KB936357)

Update for Windows XP (KB938828)

Update for Windows XP (KB942763)

Update for Windows XP (KB942840)

Update for Windows XP (KB946627)

Update for Windows XP (KB951072-v2)

Update for Windows XP (KB955839)

Update for Windows XP (KB967715)

VistaPrint Electronic Business Card

VPRINTOL

WebFldrs XP

WebReg

Windows Imaging Component

Windows Installer 3.1 (KB893803)

Windows Live OneCare safety scanner

Windows Media Format 11 runtime

Windows Media Player 10

Windows Media Player 11

Windows XP Hotfix - KB873333

Windows XP Hotfix - KB873339

Windows XP Hotfix - KB885250

Windows XP Hotfix - KB885835

Windows XP Hotfix - KB885836

Windows XP Hotfix - KB886185

Windows XP Hotfix - KB887472

Windows XP Hotfix - KB887742

Windows XP Hotfix - KB888113

Windows XP Hotfix - KB888302

Windows XP Hotfix - KB888310

Windows XP Hotfix - KB890175

Windows XP Hotfix - KB890859

Windows XP Hotfix - KB890923

Windows XP Hotfix - KB891781

Windows XP Hotfix - KB893086

WinZip

WIRELESS

WordPerfect Office 12

==== Event Viewer Messages From Past Week ========

5/30/2009 9:49:24 AM, error: Service Control Manager [7009] - Timeout (30000 milliseconds) waiting for the Automatic LiveUpdate Scheduler service to connect.

5/30/2009 9:49:24 AM, error: Service Control Manager [7000] - The Automatic LiveUpdate Scheduler service failed to start due to the following error: The service did not respond to the start or control request in a timely fashion.

5/28/2009 2:29:39 PM, error: Service Control Manager [7009] - Timeout (30000 milliseconds) waiting for the PEVSystemStart service to connect.

5/25/2009 5:05:56 PM, error: Service Control Manager [7000] - The Windows Management Licence Service service failed to start due to the following error: The system cannot find the file specified.

5/25/2009 5:04:37 PM, error: NETLOGON [5719] - No Domain Controller is available for domain IPLS due to the following: There are currently no logon servers available to service the logon request. . Make sure that the computer is connected to the network and try again. If the problem persists, please contact your domain administrator.

5/23/2009 8:57:53 AM, error: Service Control Manager [7034] - The Automatic LiveUpdate Scheduler service terminated unexpectedly. It has done this 1 time(s).

5/23/2009 8:23:21 AM, error: Windows Update Agent [20] - Installation Failure: Windows failed to install the following update with error 0x80070652: Security Update for Microsoft PowerPoint 2003 (KB957784).

==== End Of File ===========================

  • Root Admin

STEP 01

Download but do not yet run ComboFix

If you have a previous version of Combofix.exe, delete it and download a fresh copy.

Download it to your DESKTOP - it MUST run from the Desktop

download.bleepingcomputer.com/sUBs/ComboFix.exe

subs.geekstogo.com/ComboFix.exe

Using your mouse, Highlight and then Right-click | Copy the entire contents of the Code box below, including blank lines

KILLALL::

AtJob::

Driver::
cc9b6bee
WMSLService
awtqo

Folder::
C:\32788R22FWJFW(2)

File::
c:\windows\system32\rurobahe.exe
c:\windows\system32\.cc9b6bee\cc9b6bee.exe
c:\windows\inf\svchost.exe

Registry::
[-HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\awtqo]
[-HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\cc9b6bee]

Open a new Notepad session (Do not use a Word Processor or WordPad). Click "Format" and be certain that Word Wrap is not enabled. Right-click | Paste the Code box contents from above into Notepad. Click File, Save as..., and set the location to your Desktop, and enter (including quotation marks) as the filename: "CFscript.txt" .

Using your mouse, drag the new file CFscript.txt and drop it on the Combo-Fix.exe icon as shown:

CFScript.gif

  • Important: Have no other programs running. Your Task Bar should be clear of any program entries including your Browser.
  • Disconnect from the Internet.
  • Disable your Antivirus software. If it has Script Blocking features, please disable these as well.
  • A window may open with a series of Disclaimers. Accept the Disclaimers to start the fix.
  • It may identify that Recovery Console is not installed. Please accept when asked if you wish it to be installed.
  • When the scan completes, Notepad will open with your results log open. Do a File, Exit.

A caution - Do not run Combofix more than once. Do not touch your mouse/keyboard until the scan has completed, as this may cause the process to stall or your computer to lock. The scan will temporarily disable your desktop, and if interrupted may leave your desktop disabled. If this occurs, please reboot to restore the desktop. Even when ComboFix appears to be doing nothing, look at your Drive light. If it is flashing, Combofix is still at work.

Post back the Combofix log on your next reply.

STEP 02

With all other applications closed (Taskbar empty), open HijackThis again and run Do a system scan only and place a check mark on the following items.

  • O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
  • O2 - BHO: (no name) - {BDF3E430-B101-42AD-A544-FADC6B084872} - (no file)
  • O4 - HKLM\..\RunOnce: [Malwarebytes' Anti-Malware] C:\Program Files\Malwarebytes' Anti-Malware\mbamgui.exe /install /silent
  • O4 - Startup: Imation_Flash_Detect.lnk = C:\Documents and Settings\KLO.IPLS\Local Settings\Temp\Imation\USB_ImationFlashDetect.exe
  • O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
  • O20 - Winlogon Notify: awtqo - C:\WINDOWS\

Then Quit All Browsers including the one you're reading this in now.

Then click on Fix checked and then quit HJT.

STEP 03

Update and Scan with Malwarebytes' Anti-Malware

  • Start MalwareBytes AntiMalware (Vista users must Right click and choose RunAs Admin)
  • Please DO NOT run MBAM in Safe Mode unless requested to, you MUST run it in normal Windows mode.
  • Update Malwarebytes' Anti-Malware
    • Select the Update tab
    • Click Update
  • When the update is complete, select the Scanner tab
  • Select Perform quick scan, then click Scan.
  • When the scan is complete, click OK, then Show Results to view the results.
  • Be sure that everything is checked, and click Remove Selected.
  • When completed, a log will open in Notepad. Please copy and paste the log into your next reply.
  • If you accidentally close it, the log file is saved here and will be named like this:
    C:\Documents and Settings\Username\Application Data\Malwarebytes\Malwarebytes' Anti-Malware\Logs\mbam-log-date (time).txt

Then post back the MBAM log and a new Hijackthis log.

STEP 04

Please uninstall the following software.

Panda ActiveScan 2.0 - Anti-Virus software used before, and it is still loading a driver. Your AV appears to be Avira now, so please remove this one. Control Panel, Add/Remove

These versions of Adobe Acrobat are potentially exploited. I would recommend removing them and installing the latest 9.1.1 Adobe Reader. Then also check for Adobe updates for critical security updates.

Adobe Acrobat - Reader 6.0.2 Update

Adobe Reader 6.0.1

Adobe Reader 8.1.2

Same here... Flash player should be removed and updated to 10.x from Adobe.

Adobe Flash Player 9 ActiveX

Nothing wrong here, just seems an odd program for a Law Office :-)

DVD Decrypter (Remove Only)

These are all from Symantec / Norton, but I don't see their main programs on the system anymore. If you had Norton AV or similar before and are no longer using it, then you can remove these 3 items.

LiveReg (Symantec Corporation)

LiveUpdate 3.0 (Symantec Corporation)

Norton WMI Update

One or both of these versions are old and should be removed and updated if you want to continue to use them.

DO NOT use the TEA TIMER though. In fact just leave Spybot alone until we're all done.

Spybot - Search & Destroy

Spybot - Search & Destroy 1.4

These Java versions have been exploited and need to be removed.

J2SE Runtime Environment 5.0 Update 12

Java 2 Runtime Environment, SE v1.4.2_03

Java
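The two services the CFScript above removes (cc9b6bee and WMSLService) can be picked out of the DDS "SERVICES / DRIVERS" section by a few mechanical checks: a copy of svchost.exe that does not live in system32, a hidden dot-directory in the image path, and a Microsoft/Windows-sounding display name for a binary outside the system directory. The parser below is an added example, not part of this thread or of DDS or ComboFix; the six sample lines are copied from the DDS log posted above, and the strong/weak split of the indicators is my own assumption (DDS printing "[?]" alone is weak, since the legitimate Firebird service shows it too).

```python
import re
from dataclasses import dataclass, field
from typing import List, Optional, Tuple

# Sample lines copied from the DDS "SERVICES / DRIVERS" section posted in this thread.
SAMPLE_LOG = r"""
R0 pavboot;pavboot;c:\windows\system32\drivers\pavboot.sys [2009-5-28 28544]
R2 AntiVirService;Avira AntiVir Personal - Free Antivirus Guard;c:\program files\avira\antivir personaledition classic\avguard.exe [2009-1-26 151297]
R2 FireBirdServer;FireBird Database Server;c:\pct-safe\firebird\bin\fbserver.exe -s -g --> c:\pct-safe\firebird\bin\fbserver.exe -s -g [?]
S2 cc9b6bee;Microsoft DDE+ server;c:\windows\system32\.cc9b6bee\cc9b6bee.exe --> c:\windows\system32\.cc9b6bee\cc9b6bee.exe [?]
S2 WMSLService;Windows Management Licence Service;c:\windows\inf\svchost.exe --> c:\windows\inf\svchost.exe [?]
S3 brfilt;Brother MFC Filter Driver;c:\windows\system32\drivers\BrFilt.sys [2008-10-2 2944]
"""

# DDS line layout: "<state> <service name>;<display name>;<command line> [<date size> | ?]"
LINE_RE = re.compile(r"^(?P<state>[RS]\d)\s+(?P<name>[^;]+);(?P<display>[^;]*);(?P<rest>.*)$")
TAIL_RE = re.compile(r"^(?P<cmd>.*?)\s*\[(?P<info>[^\]]*)\]\s*$")
PATH_RE = re.compile(r"^(?P<path>.+?\.(?:exe|sys|dll))", re.IGNORECASE)

# Directories where a genuine svchost.exe is expected to live (assumption for this example).
SYSTEM_DIRS = (r"c:\windows\system32", r"c:\windows\syswow64")


@dataclass
class Finding:
    name: str
    display: str
    image: str
    strong: List[str] = field(default_factory=list)  # indicators worth acting on
    weak: List[str] = field(default_factory=list)    # indicators that only warrant a look

    @property
    def suspicious(self) -> bool:
        return bool(self.strong)


def parse_entry(line: str) -> Optional[Tuple[str, str, str, str]]:
    """Return (name, display, lower-cased image path, bracket info) or None for non-service lines."""
    m = LINE_RE.match(line)
    if not m:
        return None
    rest = m.group("rest")
    # DDS repeats the command line after "-->" when it could not resolve the binary.
    if " --> " in rest:
        rest = rest.split(" --> ", 1)[1]
    t = TAIL_RE.match(rest)
    cmd, info = (t.group("cmd"), t.group("info")) if t else (rest, "")
    p = PATH_RE.match(cmd.strip())
    image = (p.group("path") if p else cmd.strip()).lower()
    return m.group("name"), m.group("display"), image, info


def triage_entry(name: str, display: str, image: str, info: str) -> Finding:
    """Apply the indicator checks to one parsed service/driver entry."""
    f = Finding(name, display, image)
    parts = image.split("\\")
    directory = "\\".join(parts[:-1])
    basename = parts[-1]
    in_system_dir = directory in SYSTEM_DIRS or directory.startswith(SYSTEM_DIRS[0] + "\\")

    if basename == "svchost.exe" and directory not in SYSTEM_DIRS:
        f.strong.append("svchost.exe running from outside the system directory")
    if any(part.startswith(".") for part in parts[:-1]):
        f.strong.append("image path contains a hidden dot-directory")
    if re.search(r"\b(microsoft|windows)\b", display, re.IGNORECASE) and not in_system_dir:
        f.strong.append("Microsoft/Windows-branded display name but binary outside the system directory")
    if info.strip() == "?":
        f.weak.append("DDS could not read the file's date/size (missing, locked or hidden)")
    return f


def triage(log_text: str) -> List[Finding]:
    findings = []
    for line in log_text.splitlines():
        parsed = parse_entry(line.strip())
        if parsed:
            findings.append(triage_entry(*parsed))
    return findings


def suspicious_names(log_text: str) -> List[str]:
    """Service names with at least one strong indicator, sorted for stable output."""
    return sorted(f.name for f in triage(log_text) if f.suspicious)


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        tag = "SUSPICIOUS" if f.suspicious else ("review" if f.weak else "ok")
        print(f"{tag:10} {f.name:16} {f.image}")
        for reason in f.strong + f.weak:
            print(f"{'':10}   - {reason}")
```

On the sample lines this reports cc9b6bee and WMSLService as suspicious, FireBirdServer as review-only, and the Avira, Brother and Panda entries as clean, which matches what the CFScript above targets.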

Thank you, thank you, thank you!!

I tried to follow your instructions, but have had some problems/questions.

STEP 01

Done

STEP 02

Done

However could not find

O4 - HKLM\..\ RunOnce: [Malware . . . .

O20 - Winlogon Notify . . . .

STEP 03

MBAM Log

Malwarebytes' Anti-Malware 1.37

Database version: 2199

Windows 5.1.2600 Service Pack 2

5/31/2009 3:55:28 AM

mbam-log-2009-05-31 (03-55-28).txt

Scan type: Quick Scan

Objects scanned: 98421

Time elapsed: 5 minute(s), 8 second(s)

Memory Processes Infected: 0

Memory Modules Infected: 0

Registry Keys Infected: 0

Registry Values Infected: 0

Registry Data Items Infected: 0

Folders Infected: 0

Files Infected: 0

Memory Processes Infected:

(No malicious items detected)

Memory Modules Infected:

(No malicious items detected)

Registry Keys Infected:

(No malicious items detected)

Registry Values Infected:

(No malicious items detected)

Registry Data Items Infected:

(No malicious items detected)

Folders Infected:

(No malicious items detected)

Files Infected:

(No malicious items detected)

HJT Log

Logfile of Trend Micro HijackThis v2.0.2

Scan saved at 3:56:10 AM, on 5/31/2009

Platform: Windows XP SP2 (WinNT 5.01.2600)

MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Boot mode: Normal

Running processes:

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\system32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\system32\spoolsv.exe

C:\Program Files\Avira\AntiVir PersonalEdition Classic\sched.exe

C:\Program Files\Avira\AntiVir PersonalEdition Classic\avguard.exe

C:\PCT-SAFE\Firebird\Bin\fbguard.exe

C:\PCT-SAFE\Firebird\Bin\fbserver.exe

C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE

C:\WINDOWS\system32\svchost.exe

C:\Program Files\Analog Devices\Core\smax4pnp.exe

C:\Program Files\HP\hpcoretech\hpcmpmgr.exe

C:\WINDOWS\system32\hkcmd.exe

C:\WINDOWS\system32\igfxpers.exe

C:\Program Files\HP\HP Software Update\HPWuSchd2.exe

C:\Program Files\QuickTime\qttask.exe

C:\Program Files\Avira\AntiVir PersonalEdition Classic\avgnt.exe

C:\Program Files\Common Files\Real\Update_OB\realsched.exe

C:\WINDOWS\system32\ctfmon.exe

C:\WINDOWS\system32\wuauclt.exe

C:\WINDOWS\explorer.exe

C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://*.saas-elearn.org

O15 - Trusted Zone: mail.theiplawgroup.com

O16 - DPF: {049A470D-F818-4E34-B14D-E4E237DADCF8} (CPlayFirstFashionDasControl Object) - http://www.shockwave.com/content/fashionda...eb.1.0.0.21.cab

O16 - DPF: {055B4212-4C81-448E-AFA9-C3CA4AAE8F95} (CPlayFirstDairyDashWControl Object) - http://www.shockwave.com/content/dairydash...eb.1.0.0.12.cab

O16 - DPF: {106E49CF-797A-11D2-81A2-00E02C015623} (AlternaTIFF ActiveX) - http://www.alternatiff.com/install/00/alttiff.cab

O16 - DPF: {195B4BBF-E1E4-4020-9773-0A8C6F65EA35} (CPlayFirstCookingDasControl Object) - http://www.shockwave.com/content/cookingda...Web.1.0.0.9.cab

O16 - DPF: {1A595EDD-978A-48C7-B730-AF3B9CC64DAB} (DLManager Class) - http://63.251.81.180/component/VZWDLManager.cab

O16 - DPF: {2D8ED06D-3C30-438B-96AE-4D110FDC1FB8} (ActiveScan 2.0 Installer Class) - http://acs.pandasoftware.com/activescan/cabs/as2stubie.cab

O16 - DPF: {3269A168-A467-4236-9D77-FF36D8DFB20F} - https://bis.na.blackberry.com/html/web/clie...M-PwpClient.cab

O16 - DPF: {49232000-16E4-426C-A231-62846947304B} (SysData Class) - http://ipgweb.cce.hp.com/rdqaio/downloads/sysinfo.cab

O16 - DPF: {5ED80217-570B-4DA9-BF44-BE107C0EC166} (Windows Live Safety Center Base Module) - http://cdn.scan.onecare.live.com/resource/...lscbase6662.cab

O16 - DPF: {6715D12F-213F-4C6E-ACE1-8A363F550B96} (CPlayFirstDoggieDashControl Object) - http://www.shockwave.com/content/doggiedas...ash.1.0.0.6.cab

O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdat...b?1128752109638

O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} -

O16 - DPF: {AB86CE53-AC9F-449F-9399-D8ABCA09EC09} (Get_ActiveX Control) - https://h17000.www1.hp.com/ewfrf-JAVA/Secur...loadManager.ocx

O16 - DPF: {B516CA4E-A5BA-405C-AFCF-A97F08CC7429} (GoBit Games Player) - http://www.shockwave.com/content/burgersho...esPlayer_v5.cab

O16 - DPF: {EB387D2F-E27B-4D36-979E-847D1036C65D} (QDiagHUpdateObj Class) - http://h30043.www3.hp.com/aio/en/check/qdiagh.cab?326

O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = iplawspecialists.com

O17 - HKLM\Software\..\Telephony: DomainName = iplawspecialists.com

O17 - HKLM\System\CCS\Services\Tcpip\..\{ED39E28C-66FE-4B6F-A17A-E54DA18EAECB}: NameServer = 10.0.1.2,209.183.205.35

O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = iplawspecialists.com

O17 - HKLM\System\CS2\Services\Tcpip\Parameters: Domain = iplawspecialists.com

O17 - HKLM\System\CS3\Services\Tcpip\Parameters: Domain = iplawspecialists.com

O23 - Service: Avira AntiVir Personal - Free Antivirus Scheduler (AntiVirScheduler) - Avira GmbH - C:\Program Files\Avira\AntiVir PersonalEdition Classic\sched.exe

O23 - Service: Avira AntiVir Personal - Free Antivirus Guard (AntiVirService) - Avira GmbH - C:\Program Files\Avira\AntiVir PersonalEdition Classic\avguard.exe

O23 - Service: Automatic LiveUpdate Scheduler - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe

O23 - Service: FireBird Guardian Server (FireBirdGuardian) - The Firebird Project - C:\PCT-SAFE\Firebird\Bin\fbguard.exe

O23 - Service: FireBird Database Server (FireBirdServer) - The Firebird Project - C:\PCT-SAFE\Firebird\Bin\fbserver.exe

O23 - Service: Kodak Camera Connection Software (KodakCCS) - Unknown owner - C:\WINDOWS\system32\drivers\KodakCCS.exe (file missing)

O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE

O23 - Service: Intel NCS NetService (NetSvc) - Intel® Corporation - C:\Program Files\Intel\PROSetWired\NCS\Sync\NetSvc.exe

O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe

O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe

--

End of file - 7866 bytes

FYI - The Shockwave stuff can go - the kids are not supposed to be using my computer for this.

STEP 04

Panda ActiveScan 2.0 - removed

Adobe Acrobat - Reader 6.0.2 Update - removed

Adobe Reader 6.0.1 - removed

Adobe Reader 8.1.2 - removed

DVD Decrypter - my son needed this for school. I just work from home (IP Law - patent, trademark, international) where possible, to spend as much time with the kids while they are still kids. I am a ChemE and frustrated with hubby's IT department, which "cleaned" my computer early this year after it locked up - upon its return I found and deleted an additional 189 viruses/trojans. I am now trying to do it myself. :) In my copious spare time, of course. I just do not know how you do this. But I am EXTREMELY grateful.

LiveReg - removed

LiveUpdate3.0 - removed

Norton WMI Update - removed

Spybot - left alone for now

J2SE Runtime Environment 5.0 Update 12 - NOT FOUND

Java 2 Runtime Environment, SE v1.4.2_03 - removed

Java 6 Update 2 - removed

Used JavaRa and removed all but the "Sun" folders as they could not be found.

STEP 05

Ran CCleaner - on the step for Registry, I did not see "uncheck Registry Integrity", so I unchecked all.

STEP 06

Done - after each step I did this, just using an overabundance of caution. I also do this after each scan.

STEP 07

Did not do yet.

They had Update 14, Update 13 JavaFX SDK, Update 13 Java EE, and Update 13 Netbeans 6.5.1.

Which do I use??

Also will do Acrobat and Acrobat Flash shortly, after all this junk is cleared up and you give the go ahead.

THANKS, THANKS, THANKS!!

FriscoGirl

From Frisco, NC - not the city by the bay. Though both are absolutely gorgeous.

  • Root Admin

Great, those other errors and missing items are due to the other program removing them for us, so no issue there.

How is the computer running now? Are there still any signs of an infection?

Yes, it seems Java updated to 14 a couple of days ago. Here is an updated message for that.

Download and Update Java Runtime

The most current version of Sun Java is: Java Runtime Environment (JRE) 6 Update 14.

  • Go to http://java.sun.com/javase/downloads/index.jsp
  • Go to Java Runtime Environment (JRE) 6 Update 14 about half way down the page and click on the Download button.
  • In Platform box choose Windows.
  • Check the box to Accept License Agreement and click Continue.
  • Click on Windows Offline Installation, click on the link under it which says jre-6u14-windows-i586.exe and save the downloaded file to your desktop.
  • Install the new version by running the newly-downloaded file with the java icon which will be on your desktop, and follow the on-screen instructions.
  • Uncheck the Toolbar button (unless you want the toolbar)
  • Reboot your computer

After you do that, let's do an Online AV scan to make sure nothing else is found.

This will take a while to download and run, so get a snack and some coffee.

Run Kaspersky Online AV Scanner

Please go to Kaspersky website and perform an online antivirus scan.

  • Read through the requirements and privacy statement and click on Accept button.
  • It will start downloading and installing the scanner and virus definitions. You will be prompted to install an application from Kaspersky. Click Run.
  • When the downloads have finished, click on Settings.
  • Make sure these boxes are checked (ticked). If they are not, please tick them and click on the Save button:
      Spyware, Adware, Dialers, and other potentially dangerous programs
      Archives
      Mail databases
  • Click on My Computer under Scan and then put the kettle on!
  • Once the scan is complete, it will display the results. Click on View Scan Report.
  • You will see a list of infected items there. Click on Save Report As....
  • Save this report to a convenient place like your Desktop. Change the Files of type to Text file (.txt) before clicking on the Save button.
  • Copy and paste the report into your next reply along with a fresh HJT log and a description of how your PC is behaving.


The computer is running much better. I can now update and run Avira and Malwarebytes. I can now also access My Computer and the Control Panel. Firefox keeps crashing - perhaps it is just a feature of Firefox. But it seems more secure than IE.

What do I do now??

The Kaspersky Log is

--------------------------------------------------------------------------------

KASPERSKY ONLINE SCANNER 7.0 REPORT

Monday, June 1, 2009

Operating System: Microsoft Windows XP Professional Service Pack 2 (build 2600)

Kaspersky Online Scanner version: 7.0.26.13

Program database last update: Monday, June 01, 2009 08:41:31

Records in database: 2289664

--------------------------------------------------------------------------------

Scan settings:

Scan using the following database: extended

Scan archives: yes

Scan mail databases: yes

Scan area - My Computer:

C:\

D:\

Scan statistics:

Files scanned: 94504

Threat name: 5

Infected objects: 31

Suspicious objects: 0

Duration of the scan: 03:14:56

File name / Threat name / Threats count

C:\Documents and Settings\KLO.IPLS\Desktop\Programs\SUPPORT.zip Infected: not-a-virus:RemoteAdmin.Win32.WinVNC.4 2

C:\Qoobox\Quarantine\C\WINDOWS\system32\ehjcrz.dll.vir Infected: Trojan-Downloader.Win32.Agent.bhiy 1

C:\Qoobox\Quarantine\C\WINDOWS\system32\jgamxv.dll.vir Infected: Trojan.Win32.Agent.bqeg 1

C:\Qoobox\Quarantine\C\WINDOWS\system32\jlpsoq.dll.vir Infected: Packed.Win32.Krap.p 1

C:\Qoobox\Quarantine\C\WINDOWS\system32\kenayiba.dll.vir Infected: Packed.Win32.Krap.p 1

C:\Qoobox\Quarantine\C\WINDOWS\system32\litijihi.dll.vir Infected: Trojan.Win32.Agent.bqeg 1

C:\Qoobox\Quarantine\C\WINDOWS\system32\mrfohd.dll.vir Infected: Trojan.Win32.Agent.bqeg 1

C:\Qoobox\Quarantine\C\WINDOWS\system32\mupdvm.dll.vir Infected: Trojan.Win32.Agent.bqeg 1

C:\Qoobox\Quarantine\C\WINDOWS\system32\nafazoye.dll.vir Infected: Trojan-Downloader.Win32.Agent.bhiy 1

C:\Qoobox\Quarantine\C\WINDOWS\system32\nwlics.dll.vir Infected: Trojan.Win32.Agent.bqeg 1

C:\Qoobox\Quarantine\C\WINDOWS\system32\pivtrt.dll.vir Infected: Trojan.Win32.Agent.bqeg 1

C:\Qoobox\Quarantine\C\WINDOWS\system32\togehupe.dll.vir Infected: Trojan.Win32.Agent.bqeg 1

C:\Qoobox\Quarantine\C\WINDOWS\system32\wilawape.dll.vir Infected: Trojan.Win32.Agent.bqeg 1

C:\System Volume Information\_restore{46DE8921-1D39-44D2-A9E9-64119261F211}\RP1235\A0108707.dll Infected: Trojan-Downloader.Win32.Agent.bhjb 1

C:\System Volume Information\_restore{46DE8921-1D39-44D2-A9E9-64119261F211}\RP1235\A0108708.dll Infected: Trojan.Win32.Agent.bqeg 1

C:\System Volume Information\_restore{46DE8921-1D39-44D2-A9E9-64119261F211}\RP1235\A0108709.dll Infected: Trojan.Win32.Agent.bqeg 1

C:\System Volume Information\_restore{46DE8921-1D39-44D2-A9E9-64119261F211}\RP1244\A0142351.dll Infected: Trojan.Win32.Agent.bqeg 1

C:\System Volume Information\_restore{46DE8921-1D39-44D2-A9E9-64119261F211}\RP1246\A0160005.dll Infected: Trojan.Win32.Agent.bqeg 1

C:\System Volume Information\_restore{46DE8921-1D39-44D2-A9E9-64119261F211}\RP1253\A0162992.dll Infected: Trojan-Downloader.Win32.Agent.bhiy 1

C:\System Volume Information\_restore{46DE8921-1D39-44D2-A9E9-64119261F211}\RP1253\A0163008.dll Infected: Trojan.Win32.Agent.bqeg 1

C:\System Volume Information\_restore{46DE8921-1D39-44D2-A9E9-64119261F211}\RP1253\A0163009.dll Infected: Packed.Win32.Krap.p 1

C:\System Volume Information\_restore{46DE8921-1D39-44D2-A9E9-64119261F211}\RP1253\A0163010.dll Infected: Packed.Win32.Krap.p 1

C:\System Volume Information\_restore{46DE8921-1D39-44D2-A9E9-64119261F211}\RP1253\A0163011.dll Infected: Trojan.Win32.Agent.bqeg 1

C:\System Volume Information\_restore{46DE8921-1D39-44D2-A9E9-64119261F211}\RP1253\A0163012.dll Infected: Trojan.Win32.Agent.bqeg 1

C:\System Volume Information\_restore{46DE8921-1D39-44D2-A9E9-64119261F211}\RP1253\A0163013.dll Infected: Trojan.Win32.Agent.bqeg 1

C:\System Volume Information\_restore{46DE8921-1D39-44D2-A9E9-64119261F211}\RP1253\A0163014.dll Infected: Trojan-Downloader.Win32.Agent.bhiy 1

C:\System Volume Information\_restore{46DE8921-1D39-44D2-A9E9-64119261F211}\RP1253\A0163015.dll Infected: Trojan.Win32.Agent.bqeg 1

C:\System Volume Information\_restore{46DE8921-1D39-44D2-A9E9-64119261F211}\RP1253\A0163021.dll Infected: Trojan.Win32.Agent.bqeg 1

C:\System Volume Information\_restore{46DE8921-1D39-44D2-A9E9-64119261F211}\RP1253\A0163023.dll Infected: Trojan.Win32.Agent.bqeg 1

C:\System Volume Information\_restore{46DE8921-1D39-44D2-A9E9-64119261F211}\RP1253\A0163026.dll Infected: Trojan.Win32.Agent.bqeg 1

The selected area was scanned.

HJT Log is

Logfile of Trend Micro HijackThis v2.0.2

Scan saved at 7:50:52 AM, on 6/1/2009

Platform: Windows XP SP2 (WinNT 5.01.2600)

MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Boot mode: Normal

Running processes:

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\system32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\system32\spoolsv.exe

C:\Program Files\Avira\AntiVir PersonalEdition Classic\sched.exe

C:\Program Files\Avira\AntiVir PersonalEdition Classic\avguard.exe

C:\PCT-SAFE\Firebird\Bin\fbguard.exe

C:\PCT-SAFE\Firebird\Bin\fbserver.exe

C:\Program Files\Java\jre6\bin\jqs.exe

C:\WINDOWS\Explorer.EXE

C:\Program Files\Analog Devices\Core\smax4pnp.exe

C:\Program Files\HP\hpcoretech\hpcmpmgr.exe

C:\WINDOWS\system32\hkcmd.exe

C:\WINDOWS\system32\igfxpers.exe

C:\Program Files\HP\HP Software Update\HPWuSchd2.exe

C:\Program Files\QuickTime\qttask.exe

C:\Program Files\Avira\AntiVir PersonalEdition Classic\avgnt.exe

C:\Program Files\Common Files\Real\Update_OB\realsched.exe

C:\Program Files\Java\jre6\bin\jusched.exe

C:\WINDOWS\system32\ctfmon.exe

C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\system32\wuauclt.exe

C:\Program Files\Mozilla Firefox\firefox.exe

C:\Program Files\Java\jre6\bin\java.exe

C:\Documents and Settings\KLO.IPLS\Local Settings\temp\jkos-klo\binaries\ScanningProcess.exe

C:\WINDOWS\system32\WISPTIS.EXE

C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://*.saas-elearn.org

O15 - Trusted Zone: mail.theiplawgroup.com

O16 - DPF: {049A470D-F818-4E34-B14D-E4E237DADCF8} (CPlayFirstFashionDasControl Object) - http://www.shockwave.com/content/fashionda...eb.1.0.0.21.cab

O16 - DPF: {055B4212-4C81-448E-AFA9-C3CA4AAE8F95} (CPlayFirstDairyDashWControl Object) - http://www.shockwave.com/content/dairydash...eb.1.0.0.12.cab

O16 - DPF: {106E49CF-797A-11D2-81A2-00E02C015623} (AlternaTIFF ActiveX) - http://www.alternatiff.com/install/00/alttiff.cab

O16 - DPF: {195B4BBF-E1E4-4020-9773-0A8C6F65EA35} (CPlayFirstCookingDasControl Object) - http://www.shockwave.com/content/cookingda...Web.1.0.0.9.cab

O16 - DPF: {1A595EDD-978A-48C7-B730-AF3B9CC64DAB} (DLManager Class) - http://63.251.81.180/component/VZWDLManager.cab

O16 - DPF: {3269A168-A467-4236-9D77-FF36D8DFB20F} - https://bis.na.blackberry.com/html/web/clie...M-PwpClient.cab

O16 - DPF: {49232000-16E4-426C-A231-62846947304B} (SysData Class) - http://ipgweb.cce.hp.com/rdqaio/downloads/sysinfo.cab

O16 - DPF: {5ED80217-570B-4DA9-BF44-BE107C0EC166} (Windows Live Safety Center Base Module) - http://cdn.scan.onecare.live.com/resource/...lscbase6662.cab

O16 - DPF: {6715D12F-213F-4C6E-ACE1-8A363F550B96} (CPlayFirstDoggieDashControl Object) - http://www.shockwave.com/content/doggiedas...ash.1.0.0.6.cab

O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdat...b?1128752109638

O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} -

O16 - DPF: {AB86CE53-AC9F-449F-9399-D8ABCA09EC09} (Get_ActiveX Control) - https://h17000.www1.hp.com/ewfrf-JAVA/Secur...loadManager.ocx

O16 - DPF: {B516CA4E-A5BA-405C-AFCF-A97F08CC7429} (GoBit Games Player) - http://www.shockwave.com/content/burgersho...esPlayer_v5.cab

O16 - DPF: {EB387D2F-E27B-4D36-979E-847D1036C65D} (QDiagHUpdateObj Class) - http://h30043.www3.hp.com/aio/en/check/qdiagh.cab?326

O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = iplawspecialists.com

O17 - HKLM\Software\..\Telephony: DomainName = iplawspecialists.com

O17 - HKLM\System\CCS\Services\Tcpip\..\{ED39E28C-66FE-4B6F-A17A-E54DA18EAECB}: NameServer = 10.0.1.2,209.183.205.35

O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = iplawspecialists.com

O17 - HKLM\System\CS2\Services\Tcpip\Parameters: Domain = iplawspecialists.com

O17 - HKLM\System\CS3\Services\Tcpip\Parameters: Domain = iplawspecialists.com

O23 - Service: Avira AntiVir Personal - Free Antivirus Scheduler (AntiVirScheduler) - Avira GmbH - C:\Program Files\Avira\AntiVir PersonalEdition Classic\sched.exe

O23 - Service: Avira AntiVir Personal - Free Antivirus Guard (AntiVirService) - Avira GmbH - C:\Program Files\Avira\AntiVir PersonalEdition Classic\avguard.exe

O23 - Service: FireBird Guardian Server (FireBirdGuardian) - The Firebird Project - C:\PCT-SAFE\Firebird\Bin\fbguard.exe

O23 - Service: FireBird Database Server (FireBirdServer) - The Firebird Project - C:\PCT-SAFE\Firebird\Bin\fbserver.exe

O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe

O23 - Service: Kodak Camera Connection Software (KodakCCS) - Unknown owner - C:\WINDOWS\system32\drivers\KodakCCS.exe (file missing)

O23 - Service: Intel NCS NetService (NetSvc) - Intel® Corporation - C:\Program Files\Intel\PROSetWired\NCS\Sync\NetSvc.exe

O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe

--

End of file - 7873 bytes

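As an added illustration (my code, not part of the thread), a small triage parser for the "File name / Threat name / Threats count" lines in a Kaspersky Online Scanner report like the one above. It sorts each detection by where the file sits: the ComboFix quarantine under C:\Qoobox, an old System Restore snapshot under System Volume Information\_restore, or anywhere else, which is the only set a person still needs to look at. The sample lines are copied from the report above.

```python
import re
from collections import Counter

# Constructed sample: a few detection lines copied from the Kaspersky Online
# Scanner 7.0 report above, bracketed by the header and footer lines it uses.
SAMPLE_REPORT = r"""
File name / Threat name / Threats count
C:\Documents and Settings\KLO.IPLS\Desktop\Programs\SUPPORT.zip Infected: not-a-virus:RemoteAdmin.Win32.WinVNC.4 2
C:\Qoobox\Quarantine\C\WINDOWS\system32\ehjcrz.dll.vir Infected: Trojan-Downloader.Win32.Agent.bhiy 1
C:\Qoobox\Quarantine\C\WINDOWS\system32\jgamxv.dll.vir Infected: Trojan.Win32.Agent.bqeg 1
C:\System Volume Information\_restore{46DE8921-1D39-44D2-A9E9-64119261F211}\RP1253\A0163009.dll Infected: Packed.Win32.Krap.p 1
C:\System Volume Information\_restore{46DE8921-1D39-44D2-A9E9-64119261F211}\RP1253\A0163014.dll Infected: Trojan-Downloader.Win32.Agent.bhiy 1
The selected area was scanned.
"""

# One detection line: <path> Infected: <threat name> <count>
DETECTION_RE = re.compile(r"^(?P<path>.+?) Infected: (?P<threat>\S+) (?P<count>\d+)$")


def classify_path(path):
    """Say where a flagged file lives. Copies already moved to the ComboFix
    quarantine or frozen inside an old System Restore point are dormant and
    disappear when those containers are emptied (Combofix /u, Disk Cleanup);
    anything else is 'other' and a person has to look at it."""
    p = path.lower()
    if "\\qoobox\\quarantine\\" in p:
        return "quarantine"
    if "\\system volume information\\_restore" in p:
        return "system_restore"
    return "other"


def parse_report(text):
    """Return (path, threat, count, category) for every detection line,
    ignoring the header, footer and blank lines around them."""
    findings = []
    for line in text.splitlines():
        m = DETECTION_RE.match(line.strip())
        if m:
            findings.append((m["path"], m["threat"], int(m["count"]),
                             classify_path(m["path"])))
    return findings


def summarize(findings):
    """Count detections per category and list the paths outside quarantine
    and System Restore, which are the only ones still worth a closer look."""
    per_category = Counter(category for _, _, _, category in findings)
    review = [path for path, _, _, category in findings if category == "other"]
    return dict(per_category), review


if __name__ == "__main__":
    found = parse_report(SAMPLE_REPORT)
    counts, review = summarize(found)
    print("detections per location:", counts)
    print("still to review:", review)
    # In the sample only the remote-admin tool inside SUPPORT.zip is left to
    # review; the 'not-a-virus:' prefix marks a legitimate tool, not malware.
```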

  • Root Admin

All looks good now.

Those items that Kaspersky found were normal. They were already removed or sitting in the System Restore so make sure you clean out the System Restore as shown below. As for Firefox crashing I would export out the bookmarks and then start uninstalling any plugins and see how it starts to run. If still problematic then do a full uninstall and ensure that all profiles are also removed. Then download the latest version and reinstall it. If you're still having issues with it then open a NEW post in the PC Help forum and we can take a closer look at that.

You can also uninstall the Kaspersky now.

Please run the following to remove any tools that might have been used during the scanning and cleaning of your system.

STEP A

Uninstall ComboFix.exe

  • Click START then RUN
  • Now type Combofix /u (if you renamed Combofix.exe use that name instead) in the runbox and click OK. Note the space between the X and the /U, it needs to be there.

  • When shown the disclaimer, Select "2"

Remove this folder C:\QooBox if the uninstall instructions don't work and delete Combofix.exe AND check your system time and reset if needed

STEP B

Uninstall GMER

Click on START - RUN and type in or copy/paste %windir%\gmer_uninstall.cmd to remove GMER.

STEP C

Uninstall other tools

Please Download OTMoveIt3 by Old Timer and save it to your Desktop.

  • Double-click OTMoveIt3.exe to run it.
  • While connected to the Internet, Click on the green CleanUp! button and it will populate a list of items to clean from your system that we used or may have used.
  • It should ask if you want to clean up, select Yes and allow the system to clean up these items.
  • NOW please reboot your computer to finish the cleanup process

Great, all looks good now.

I'll close your post soon so that others don't post into it and leave you with this information and suggestions.

So how did I get infected in the first place?

At this time your system appears to be clean. Nothing else in the logs indicates that you are still infected.

Now that you appear to be clean, please follow these simple steps in order to keep your computer clean and secure:

Remove all but the most recent Restore Point on Windows XP

You should Create a New Restore Point to prevent possible reinfection from an old one.

Some of the malware you picked up could have been saved in System Restore.

Since this is a protected directory that your tools cannot access to delete these files, they can sometimes reinfect your system if you accidentally use an old restore point.

Setting a new restore point AFTER cleaning your system will help prevent this and enable your computer to "roll-back" to a clean working state.

The easiest and safest way to do this is:
  • Go to Start > Programs > Accessories > System Tools and click "System Restore".
  • If the shortcut is missing you can also click on START > RUN > and type in %SystemRoot%\system32\restore\rstrui.exe and click OK
  • Choose the radio button marked "Create a Restore Point" on the first screen then click "Next".
  • Give the new Restore Point a name, then click "Create".
  • The new point will be stamped with the current date and time. Keep a log of this so you can find it easily should you need to use System Restore.
  • Then use the Disk Cleanup to remove all but the most recently created Restore Point.
  • Go to Start > Run and type: Cleanmgr.exe
  • Select the drive where Windows is installed and click "Ok". Disk Cleanup will scan your files for several minutes, then open.
  • Click the "More Options" tab, then click the "Clean up" button under System Restore.
  • Click Ok. You will be prompted with "Are you sure you want to delete all but the most recent restore point?"
  • Click Yes, then click Ok.
  • Click Yes again when prompted with "Are you sure you want to perform these actions?"
  • Disk Cleanup will remove the files and close automatically.
  • On the Disk Cleanup tab, if the System Restore: Obsolete Data Stores entry is available remove them also.
  • These are files that were created before Windows was reformatted or reinstalled. They are obsolete and you can delete them.


Additional information

Microsoft KB article: How to turn off and turn on System Restore in Windows XP

Bert Kinney's site: All about Windows System Restore

Here are some free programs I recommend that could help you improve your computer's security.

Install SpyWare Blaster

Download it from here

Find here the tutorial on how to use Spyware Blaster here

Install WinPatrol

Download it from here

Here you can find information about how WinPatrol works here

Install FireTrust SiteHound

You can find information and download it from here

Install hpHosts

Download it from here

hpHosts is a community managed and maintained hosts file that allows an additional layer of protection against access to ad, tracking and malicious websites. This prevents your computer from connecting to these untrusted sites by redirecting them to 127.0.0.1 which is your own local computer.

hpHosts Support Forum

Update your Antivirus programs and other security products regularly to avoid new threats that could infect your system.

You can use one of these sites to check if any updates are needed for your pc.

Secunia Software Inspector

F-secure Health Check

Visit Microsoft often to get the latest updates for your computer.

http://www.update.microsoft.com

Note 1: If you are running Windows XP SP2, you should upgrade to SP3.

Note 2: Users of Norton Internet Security 2008 should uninstall the software before they install Service Pack 3.

The security suite can then be reinstalled afterwards.

The Windows firewall is not sufficient to protect your system. It doesn't monitor outgoing traffic and this is a must.

I recommend Online Armor Free

A little outdated but good reading on how to prevent Malware

Keep safe online and happy surfing.

Since this issue is resolved I will close the thread to prevent others from posting into it. If you need assistance please start your own topic and someone will be happy to assist you.

The fixes and advice in this thread are for this machine only. Do not apply to your machine unless you Fully Understand how these programs work and what you're doing. Please start a thread of your own and someone will be happy to help you, just follow the Pre-Hijackthis instructions found here before posting Pre- HJT Post Instructions

Also don't forget that we offer FREE assistance with General PC questions and repair here PC Help

If you're pleased with the product Malwarebytes and the service provided you, please let your friends, family, and co-workers know. http://www.malwarebytes.org

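As an added example (my code, not from the thread or the hpHosts project), a check of the hosts-file mechanism described in the post above: it parses a constructed hosts file, lists the hostnames sinkholed to the local machine (127.0.0.1, ::1, or the 0.0.0.0 some block lists use) and flags any entry that sends a name to a non-local address, which a protective hosts file should never contain. All hostnames and the off-box address are constructed placeholders.

```python
import ipaddress

# Constructed sample in hosts-file syntax: the standard localhost lines, three
# blocking entries of the kind a protective hosts list ships, one commented-out
# entry, and one entry that sends a name to a non-local address.
SAMPLE_HOSTS = """\
# Copyright (c) 1993-1999 Microsoft Corp.
127.0.0.1       localhost
::1             localhost
127.0.0.1       ads.example-tracker.invalid      # constructed blocking entry
127.0.0.1       malware-dl.example.invalid       # constructed blocking entry
0.0.0.0         cdn.ads.example.invalid          # constructed, 0.0.0.0 sinkhole
# 127.0.0.1     disabled.example.invalid
203.0.113.10    update.example-av.invalid        # constructed: points off-box
"""

LOCAL_NAMES = {"localhost", "localhost.localdomain", "broadcasthost"}


def parse_hosts(text):
    """Yield (ip, hostname) for every active mapping. Strips comments, skips
    blank and malformed lines, and expands lines with several hostnames."""
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        ip, *names = line.split()
        try:
            ipaddress.ip_address(ip)
        except ValueError:
            continue  # not a hosts entry; ignore rather than guess
        for name in names:
            yield ip, name.lower()


def is_sinkhole(ip):
    """True for addresses that keep traffic on the machine: 127.0.0.1 / ::1
    (loopback, as the post describes) or the unspecified 0.0.0.0 used by some
    block lists."""
    addr = ipaddress.ip_address(ip)
    return addr.is_loopback or addr.is_unspecified


def audit_hosts(text):
    """Return (blocked, redirected): hostnames sinkholed on purpose, and
    (ip, hostname) pairs that resolve somewhere else. A protective hosts file
    should produce an empty second list; anything in it deserves a look."""
    blocked, redirected = [], []
    for ip, name in parse_hosts(text):
        if name in LOCAL_NAMES:
            continue  # the normal localhost lines are neither
        if is_sinkhole(ip):
            blocked.append(name)
        else:
            redirected.append((ip, name))
    return blocked, redirected


if __name__ == "__main__":
    blocked, redirected = audit_hosts(SAMPLE_HOSTS)
    print(f"{len(blocked)} names blocked via loopback/0.0.0.0")
    for ip, name in redirected:
        print(f"REVIEW: {name} -> {ip} (not a sinkhole address)")
```

On a real Windows XP machine the file to feed in is %SystemRoot%\system32\drivers\etc\hosts.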

  • Root Admin

You're quite welcome.

I highly recommend that you update to Service Pack 3 for Windows XP using the full download version. SP3 Full

Then after Service Pack 3 I'd upgrade to IE7 as it's more secure. Even if you want to upgrade to IE8 I would install IE7 first before IE8 just in case.

Be careful and watch the Windows Update as it will attempt to install IE8 so don't let it. Choose to download IE7 download

