
Am I doing Something Wrong



I know everyone that helps here is a volunteer and very kind to help out, and I appreciate that very much. My only reason for writing this new topic is to find out if I have done something wrong or not done something right to get a response. I submitted a topic on October 29th and I have not heard from anyone. I have seen others with similar problems getting help since then. Am I not doing something I am supposed to? I have a very nasty trojan that Malwarebytes can't get rid of. It identifies them on the scan but does not remove them. I get the message that the infected files will be removed on reboot, but that doesn't happen. They come right back. I am also running Avira AntiVir, and I had to shut off AntiVir Guard because it just kept finding two files it says were a trojan, but no matter what action I took, the trojans just kept coming back. The AntiVir Guard announcements were taking over my computer. I'm not sure what I should do. Please help, someone. Here are the latest logs:

MBAM log:

Malwarebytes' Anti-Malware 1.41

Database version: 3098

Windows 5.1.2600 Service Pack 2

11/4/2009 10:12:36 AM

mbam-log-2009-11-04 (10-12-24).txt

Scan type: Quick Scan

Objects scanned: 160680

Time elapsed: 42 minute(s), 16 second(s)

Memory Processes Infected: 0

Memory Modules Infected: 6

Registry Keys Infected: 2

Registry Values Infected: 6

Registry Data Items Infected: 9

Folders Infected: 3

Files Infected: 9

Memory Processes Infected:

(No malicious items detected)

Memory Modules Infected:

C:\WINDOWS\system32\jijejamu.dll (Trojan.Vundo) -> No action taken.

C:\WINDOWS\system32\pilipeho.dll (Trojan.Vundo) -> No action taken.

c:\WINDOWS\system32\tesavohi.dll (Trojan.Vundo) -> No action taken.

c:\WINDOWS\system32\mupapupe.dll (Trojan.Vundo.H) -> No action taken.

c:\WINDOWS\system32\jifetahi.dll (Trojan.Vundo) -> No action taken.

c:\WINDOWS\system32\bezayedo.dll (Trojan.Vundo) -> No action taken.

Registry Keys Infected:

HKEY_CLASSES_ROOT\CLSID\{f2de254c-d327-48bb-b0f0-104071c95a6c} (Trojan.Vundo) -> No action taken.

HKEY_CLASSES_ROOT\CLSID\{87f808a5-db44-456b-a51f-bc33f6bc8bfb} (Trojan.Vundo.H) -> No action taken.

Registry Values Infected:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\lejuvivoh (Trojan.Vundo.H) -> No action taken.

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SharedTaskScheduler\{f2de254c-d327-48bb-b0f0-104071c95a6c} (Trojan.Vundo) -> No action taken.

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\kujasaset (Trojan.Vundo) -> No action taken.

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SharedTaskScheduler\{87f808a5-db44-456b-a51f-bc33f6bc8bfb} (Trojan.Vundo.H) -> No action taken.

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\zovuminaw (Trojan.Vundo.H) -> No action taken.

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\nozehorune (Trojan.Agent) -> No action taken.

Registry Data Items Infected:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\AppInit_DLLs (Trojan.Vundo) -> Data: c:\windows\system32\tesavohi.dll -> No action taken.

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\AppInit_DLLs (Trojan.Vundo) -> Data: system32\tesavohi.dll -> No action taken.

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\AppInit_DLLs (Trojan.Vundo.H) -> Data: c:\windows\system32\mupapupe.dll -> No action taken.

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\AppInit_DLLs (Trojan.Vundo.H) -> Data: system32\mupapupe.dll -> No action taken.

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\AppInit_DLLs (Trojan.Vundo) -> Data: c:\windows\system32\jifetahi.dll -> No action taken.

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\AppInit_DLLs (Trojan.Vundo) -> Data: system32\jifetahi.dll -> No action taken.

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\AppInit_DLLs (Trojan.Vundo) -> Data: c:\windows\system32\bezayedo.dll -> No action taken.

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\AppInit_DLLs (Trojan.Vundo) -> Data: system32\bezayedo.dll -> No action taken.

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\UpdatesDisableNotify (Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> No action taken.

Folders Infected:

C:\Program Files\dynamic toolbar (Adware.2020search) -> No action taken.

C:\Program Files\dynamic toolbar\REALBAR (Adware.2020search) -> No action taken.

C:\Program Files\dynamic toolbar\REALBAR\Cache (Adware.2020search) -> No action taken.

Files Infected:

c:\WINDOWS\system32\mupapupe.dll (Trojan.Vundo.H) -> No action taken.

C:\WINDOWS\system32\jijejamu.dll (Trojan.Vundo) -> No action taken.

C:\WINDOWS\system32\pilipeho.dll (Trojan.Vundo) -> No action taken.

c:\WINDOWS\system32\tesavohi.dll (Trojan.Vundo) -> No action taken.

c:\WINDOWS\system32\jifetahi.dll (Trojan.Vundo) -> No action taken.

c:\WINDOWS\system32\bezayedo.dll (Trojan.Vundo) -> No action taken.

C:\WINDOWS\system32\buloreke.dll (Trojan.Vundo) -> No action taken.

C:\WINDOWS\system32\daluwimo.dll (Trojan.Vundo) -> No action taken.

C:\WINDOWS\system32\torayiya.dll (Trojan.Vundo) -> No action taken.

HijackThis log:

Logfile of Trend Micro HijackThis v2.0.2

Scan saved at 10:13:40 AM, on 11/4/2009

Platform: Windows XP SP2 (WinNT 5.01.2600)

MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Boot mode: Normal

Running processes:

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\system32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\system32\LEXBCES.EXE

C:\WINDOWS\system32\LEXPPS.EXE

C:\WINDOWS\system32\spoolsv.exe

C:\Program Files\Avira\AntiVir Desktop\sched.exe

C:\WINDOWS\System32\PackethSvc.exe

C:\Program Files\Avira\AntiVir Desktop\avguard.exe

C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe

C:\Program Files\Bonjour\mDNSResponder.exe

C:\WINDOWS\System32\drivers\CDAC11BA.EXE

C:\Program Files\Compaq\Compaq Advisor\bin\compaq-rba.exe

C:\WINDOWS\system32\inetsrv\inetinfo.exe

C:\Program Files\Java\jre6\bin\jqs.exe

C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe

C:\WINDOWS\System32\nvsvc32.exe

C:\WINDOWS\system32\pctspk.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\Explorer.EXE

C:\Program Files\Compaq\Easy Access Button Support\StartEAK.exe

C:\WINDOWS\system32\Smtray.exe

C:\Program Files\Adaptec\Easy CD Creator 5\DirectCD\DirectCD.exe

C:\Program Files\Dell AIO Printer A920\dlbkbmgr.exe

C:\Program Files\Tech\Wheel Mouse\5.0\MOUSE32A.EXE

C:\Program Files\Common Files\Real\Update_OB\realsched.exe

C:\Program Files\Java\jre6\bin\jusched.exe

C:\Program Files\iTunes\iTunesHelper.exe

C:\Program Files\Avira\AntiVir Desktop\avgnt.exe

C:\WINDOWS\system32\ctfmon.exe

C:\Program Files\Windows Live\Messenger\MsnMsgr.Exe

C:\Program Files\Mobipocket.com\Mobipocket Reader\readernotify.exe

C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe

C:\Program Files\1&1\1&1 EasyLogin\EasyLogin.exe

C:\Program Files\Veoh Networks\VeohWebPlayer\veohwebplayer.exe

C:\Program Files\DateInTray\DateInTray.exe

C:\Palm\HOTSYNC.EXE

C:\COMPAQ\CPQINET\CPQInet.exe

C:\Compaq\EAKDRV\EAUSBKBD.EXE

C:\Program Files\Dell AIO Printer A920\dlbkbmon.exe

C:\Program Files\iPod\bin\iPodService.exe

C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.lesliehale.com/

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.rr.com

R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = https://customer.symantec.com/NASApp/web/Pl...p;p_vendor_tag=

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by Roadrunner

O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll

O2 - BHO: Lexico Toolbar - {11359F4A-B191-42d7-905A-594F8CF0387B} - C:\WINDOWS\Downloaded Program Files\CONFLICT.1\lexbar.dll

O2 - BHO: AskBar BHO - {201f27d4-3704-41d6-89c1-aa35e39143ed} - C:\Program Files\AskBarDis\bar\bin\askBar.dll

O2 - BHO: REALBAR - {4E7BD74F-2B8D-469E-C0FF-FD60B590A87D} - C:\PROGRA~1\COMMON~1\Real\Toolbar\realbar.dll

O2 - BHO: (no name) - {5C255C8A-E604-49b4-9D64-90988571CECB} - (no file)

O2 - BHO: (no name) - {5f414075-a602-4ca4-a231-4b799c981ba4} - fakugupu.dll (file missing)

O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll

O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - C:\Program Files\Google\Google Toolbar\GoogleToolbar_32.dll

O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\5.3.4501.1418\swg.dll

O2 - BHO: Google Dictionary Compression sdch - {C84D72FE-E17D-4195-BB24-76C02E2E7C4E} - C:\Program Files\Google\Google Toolbar\Component\fastsearch_B7C5AC242193BB3E.dll

O2 - BHO: Java Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll

O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll

O3 - Toolbar: REALBAR - {4E7BD74F-2B8D-469E-C0FF-FD60B590A87D} - C:\PROGRA~1\COMMON~1\Real\Toolbar\realbar.dll

O3 - Toolbar: Dictionary.com - {11359F4A-B191-42D7-905A-594F8CF0387B} - C:\WINDOWS\Downloaded Program Files\CONFLICT.1\lexbar.dll

O3 - Toolbar: Ask Toolbar - {3041d03e-fd4b-44e0-b742-2d9b88305f98} - C:\Program Files\AskBarDis\bar\bin\askBar.dll

O3 - Toolbar: Veoh Web Player Video Finder - {0FBB9689-D3D7-4f7a-A2E2-585B10099BFC} - C:\Program Files\Veoh Networks\VeohWebPlayer\VeohIEToolbar.dll

O3 - Toolbar: Veoh Video Compass - {52836EB0-631A-47B1-94A6-61F9D9112DAE} - C:\Program Files\Veoh Networks\Veoh Video Compass\SearchRecsPlugin.dll

O3 - Toolbar: Google Toolbar - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - C:\Program Files\Google\Google Toolbar\GoogleToolbar_32.dll

O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE NvQTwk,NvCplDaemon initialize

O4 - HKLM\..\Run: [CPQEASYACC] C:\Program Files\Compaq\Easy Access Button Support\StartEAK.exe

O4 - HKLM\..\Run: [WCOLOREAL] "C:\Program Files\COMPAQ\Coloreal\coloreal.exe"

O4 - HKLM\..\Run: [smapp] Smtray.exe

O4 - HKLM\..\Run: [Microsoft Works Portfolio] C:\Program Files\Microsoft Works\WksSb.exe /AllUsers

O4 - HKLM\..\Run: [Microsoft Works Update Detection] C:\Program Files\Microsoft Works\WkDetect.exe

O4 - HKLM\..\Run: [srmclean] C:\Cpqs\Scom\srmclean.exe

O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Program Files\Adaptec\Easy CD Creator 5\DirectCD\DirectCD.exe"

O4 - HKLM\..\Run: [Dell AIO Printer A920] "C:\Program Files\Dell AIO Printer A920\dlbkbmgr.exe"

O4 - HKLM\..\Run: [bJCFD] C:\Program Files\BroadJump\Client Foundation\CFD.exe

O4 - HKLM\..\Run: [LWBMOUSE] C:\Program Files\Tech\Wheel Mouse\5.0\MOUSE32A.EXE

O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot

O4 - HKLM\..\Run: [Google Desktop Search] "C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe" /startup

O4 - HKLM\..\Run: [sunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"

O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime

O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"

O4 - HKLM\..\Run: [Malwarebytes Anti-Malware (reboot)] "C:\Program Files\Malwarebytes' Anti-Malware\newone.exe" /runcleanupscript

O4 - HKLM\..\Run: [avgnt] "C:\Program Files\Avira\AntiVir Desktop\avgnt.exe" /min

O4 - HKLM\..\Run: [lejuvivoh] Rundll32.exe "c:\windows\system32\tesavohi.dll",a

O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe

O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\Windows Live\Messenger\MsnMsgr.Exe" /background

O4 - HKCU\..\Run: [Mobipocket Reader Notifications] C:\Program Files\Mobipocket.com\Mobipocket Reader\readernotify.exe

O4 - HKCU\..\Run: [updateMgr] "C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe" AcRdB7_0_8 -reboot 1

O4 - HKCU\..\Run: [swg] "C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe"

O4 - HKCU\..\Run: [1&1 EasyLogin] C:\Program Files\1&1\1&1 EasyLogin\EasyLogin.exe

O4 - HKCU\..\Run: [NBJ] "C:\Program Files\Ahead\Nero BackItUp\NBJ.exe"

O4 - HKCU\..\Run: [VeohPlugin] "C:\Program Files\Veoh Networks\VeohWebPlayer\veohwebplayer.exe"

O4 - HKUS\S-1-5-18\..\RunOnce: [tscuninstall] %systemroot%\system32\tscupgrd.exe (User 'SYSTEM')

O4 - HKUS\.DEFAULT\..\RunOnce: [tscuninstall] %systemroot%\system32\tscupgrd.exe (User 'Default user')

O4 - Startup: HotSync Manager.lnk = C:\Palm\HOTSYNC.EXE

O4 - Startup: PowerReg Scheduler V3.exe

O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe

O4 - Global Startup: DateInTray.lnk = C:\Program Files\DateInTray\DateInTray.exe

O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE

O4 - Global Startup: office.exe

O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MI1933~1\Office10\EXCEL.EXE/3000

O8 - Extra context menu item: Search &Dictionary - C:\Program files\Lexico\Toolbar\dictionary.htm

O8 - Extra context menu item: Search &Thesaurus - C:\Program files\Lexico\Toolbar\thesaurus.htm

O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)

O9 - Extra button: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe

O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe

O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe

O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe

O12 - Plugin for .nwc: C:\Program Files\NoteWorthy Software\NWC Browser Plugin\npnwcw32.dll

O14 - IERESET.INF: START_PAGE_URL=http://www.rr.com

O16 - DPF: vzTCPConfig - http://www.verizon.net/checkmypc/includes/vzTCPConfig.CAB

O16 - DPF: {05CA9FB0-3E3E-4B36-BF41-0E3A5CAA8CD8} (Office Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=67633

O16 - DPF: {0CCA191D-13A6-4E29-B746-314DEE697D83} (Facebook Photo Uploader 5 Control) - http://upload.facebook.com/controls/2008.1...toUploader5.cab

O16 - DPF: {1239CC52-59EF-4DFA-8C61-90FFA846DF7E} (Musicnotes Viewer) - http://www.musicnotes.com/download/mnviewer.cab

O16 - DPF: {238F6F83-B8B4-11CF-8771-00A024541EE3} (WficaCtl Object) - http://www.genisar.com/files/genplug60.cab

O16 - DPF: {288451AE-BE24-4216-B946-8600E0498584} (DASWebShop Class) - http://das.microsoft.com/activate/cab/x86/...tail/DASAct.cab

O16 - DPF: {406B5949-7190-4245-91A9-30A17DE16AD0} (Snapfish Activia) - http://www.yorkphoto.com/YorkActivia.cab

O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} (RdxIE Class) - http://software-dl.real.com/01017a2d3f98e0...ip/RdxIE601.cab

O16 - DPF: {62475759-9E84-458E-A1AB-5D2C442ADFDE} - http://a1540.g.akamai.net/7/1540/52/200312...meInstaller.exe

O16 - DPF: {6A060448-60F9-11D5-A6CD-0002B31F7455} (ExentInf Class) - http://us.games2.yimg.com/download.games.y...ctl_0_0_0_1.ocx

O16 - DPF: {72944257-0AE0-44FD-8A51-AA21853092C8} (PhxStudent.OeSetup15) - https://mycampus.phoenix.edu/secure/PhxStudent15.CAB

O16 - DPF: {9059F30F-4EB1-4BD2-9FDC-36F43A218F4A} (Microsoft RDP Client Control (redist)) - http://www.server.recordtranscripts.com/msrdp.cab

O16 - DPF: {90C9629E-CD32-11D3-BBFB-00105A1F0D68} (InstallShield International Setup Player) - http://www.installengine.com/engine/isetup.cab

O16 - DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} (PopCapLoader Object) - http://games.pogo.com/online2/pogo/bejewel...aploader_v6.cab

O16 - DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - http://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab

O16 - DPF: {E7D2588A-7FB5-47DC-8830-832605661009} (Live Collaboration) - http://livesc03.rightnowtech.com/audible/a...l/java/RntX.cab

O16 - DPF: {F0E2D69A-DC2F-4E9B-A993-684FB1C21DBC} - http://dictionary.reference.com/tools/toolbar/lexico.cab

O16 - DPF: {F2CA2115-C8D2-11D1-BEBD-00A0C95A6A5C} (WebReportSource Class) - http://reports.jud11.flcourts.org/viewer/a...tivexviewer.cab

O16 - DPF: {F6676623-8BBD-479C-A51B-05868728708C} (DigitalDM) - http://www.digitaldm.com/Plug-in/myebk/c/DIGITALDM2.cab

O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = rtitampa.com

O17 - HKLM\Software\..\Telephony: DomainName = rtitampa.com

O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = rtitampa.com

O20 - AppInit_DLLs: c:\windows\ c:\windows\system32\fiworize.dll c:\windows\system32\rofenima.dll jijejamu.dll c:\windows\system32\pogobiwu.dll c:\windows\system32\hefihiru.dll c:\windows\system32\jifetahi.dll c:\windows\system32\tesavohi.dll c:\windows\system32\bezayedo.dll c:\windows\system32\mupapupe.dll

O21 - SSODL: goyuvukiz - {3b1a9b0d-05ca-4288-a290-622f7cdd4881} - c:\windows\system32\pogobiwu.dll

O21 - SSODL: kujasaset - {f2de254c-d327-48bb-b0f0-104071c95a6c} - c:\windows\system32\mupapupe.dll

O22 - SharedTaskScheduler: jugezatag - {3b1a9b0d-05ca-4288-a290-622f7cdd4881} - c:\windows\system32\pogobiwu.dll

O22 - SharedTaskScheduler: kupuhivus - {f2de254c-d327-48bb-b0f0-104071c95a6c} - c:\windows\system32\mupapupe.dll

O23 - Service: Avira AntiVir Scheduler (AntiVirSchedulerService) - Avira GmbH - C:\Program Files\Avira\AntiVir Desktop\sched.exe

O23 - Service: Avira AntiVir Guard (AntiVirService) - Avira GmbH - C:\Program Files\Avira\AntiVir Desktop\avguard.exe

O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe

O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe

O23 - Service: C-DillaCdaC11BA - Macrovision - C:\WINDOWS\System32\drivers\CDAC11BA.EXE

O23 - Service: Compaq Advisor (Compaq_RBA) - NeoPlanet - C:\Program Files\Compaq\Compaq Advisor\bin\compaq-rba.exe

O23 - Service: GoogleDesktopManager - Google - C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe

O23 - Service: Google Software Updater (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe

O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe

O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe

O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe

O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE

O23 - Service: Macromedia Licensing Service - Macromedia - C:\Program Files\Common Files\Macromedia Shared\Service\Macromedia Licensing.exe

O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe

O23 - Service: Virtual NIC Service (PackethSvc) - America Online, Inc. - C:\WINDOWS\System32\PackethSvc.exe

O23 - Service: PCTEL Speaker Phone (Pctspk) - PCtel, Inc. - C:\WINDOWS\system32\pctspk.exe

O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe

--

End of file - 14674 bytes

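The two logs in this post are what a helper reads before deciding on a removal tool. As an added example that is not part of the thread or of either tool, here is a small Python triage script for exactly these two formats: it parses the HijackThis autostart lines (O4 entries that launch a DLL via rundll32, O20 AppInit_DLLs, O21 SSODL, O22 SharedTaskScheduler), reports which DLL basenames are wired into more than one load point, and counts the MBAM detection lines by the action recorded for them. The sample lines are copied from the logs above; the regexes, function names and the "multi-mechanism" heuristic are the example's own.

```python
"""Triage of the two log formats posted above: HijackThis 2.x autostart lines
and Malwarebytes' Anti-Malware 1.41 detection lines."""
import re
from collections import Counter, defaultdict

# Constructed sample: a handful of lines copied from the HijackThis log in the post.
SAMPLE_HJT = r"""
O4 - HKLM\..\Run: [avgnt] "C:\Program Files\Avira\AntiVir Desktop\avgnt.exe" /min
O4 - HKLM\..\Run: [lejuvivoh] Rundll32.exe "c:\windows\system32\tesavohi.dll",a
O20 - AppInit_DLLs: c:\windows\ c:\windows\system32\fiworize.dll c:\windows\system32\jifetahi.dll c:\windows\system32\tesavohi.dll c:\windows\system32\mupapupe.dll jijejamu.dll
O21 - SSODL: goyuvukiz - {3b1a9b0d-05ca-4288-a290-622f7cdd4881} - c:\windows\system32\pogobiwu.dll
O21 - SSODL: kujasaset - {f2de254c-d327-48bb-b0f0-104071c95a6c} - c:\windows\system32\mupapupe.dll
O22 - SharedTaskScheduler: kupuhivus - {f2de254c-d327-48bb-b0f0-104071c95a6c} - c:\windows\system32\mupapupe.dll
"""

# Constructed sample: lines copied from the MBAM log in the post.
SAMPLE_MBAM = r"""
Memory Modules Infected:
C:\WINDOWS\system32\jijejamu.dll (Trojan.Vundo) -> No action taken.
Registry Data Items Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\AppInit_DLLs (Trojan.Vundo) -> Data: c:\windows\system32\tesavohi.dll -> No action taken.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\UpdatesDisableNotify (Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> No action taken.
"""

# "O20 - AppInit_DLLs: ..." -> section "O20", body "AppInit_DLLs: ..."
HJT_LINE = re.compile(r"^([OR]\d+)\s+-\s+(.*)$")
# Any whitespace/quote-free token ending in .dll (a bare name or a full path).
DLL_TOKEN = re.compile(r'([^\s",]+\.dll)\b', re.I)
# "<item> (<family>) [-> <detail>] -> <action>."
MBAM_HIT = re.compile(r"^(?P<item>.+?) \((?P<family>[\w.]+)\)(?: -> .*?)? -> (?P<action>[^>]+)\.$")

# HijackThis sections that are DLL load points at logon. The Vundo entries in this
# thread sit in all three at once, plus a Run key that starts the DLL via rundll32.
AUTOSTART_SECTIONS = {
    "O20": "AppInit_DLLs",
    "O21": "ShellServiceObjectDelayLoad",
    "O22": "SharedTaskScheduler",
}


def dll_names(fragment):
    """Lower-cased DLL basenames mentioned anywhere in a log fragment."""
    return {m.group(1).rsplit("\\", 1)[-1].lower() for m in DLL_TOKEN.finditer(fragment)}


def persistence_map(hjt_text):
    """Map each DLL basename to the set of autostart mechanisms that load it."""
    found = defaultdict(set)
    for line in hjt_text.splitlines():
        m = HJT_LINE.match(line.strip())
        if not m:
            continue
        section, body = m.groups()
        if section in AUTOSTART_SECTIONS:
            mechanism = AUTOSTART_SECTIONS[section]
        elif section == "O4" and "rundll32" in body.lower():
            mechanism = "Run (rundll32)"  # a Run key that loads a DLL rather than an .exe
        else:
            continue
        for dll in dll_names(body):
            found[dll].add(mechanism)
    return dict(found)


def multi_mechanism(found, minimum=2):
    """DLLs wired into at least `minimum` load points: the clearest sign in these
    logs that one component is being kept alive from several places."""
    return sorted(dll for dll, mechs in found.items() if len(mechs) >= minimum)


def mbam_actions(mbam_text):
    """Count MBAM detections by the action recorded for them. A log in which every
    hit reads 'No action taken' documents a scan, not a removal."""
    counts = Counter()
    for line in mbam_text.splitlines():
        m = MBAM_HIT.match(line.strip())
        if m:
            counts[m.group("action")] += 1
    return counts


if __name__ == "__main__":
    found = persistence_map(SAMPLE_HJT)
    for dll in multi_mechanism(found):
        print(f"{dll}: loaded via {', '.join(sorted(found[dll]))}")
    for action, n in mbam_actions(SAMPLE_MBAM).items():
        print(f"MBAM: {n} detection(s) with action '{action}'")
```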

Hello johnnyt, and welcome to Malwarebytes! My name is BHowett and I will be helping you to get sorted. If for any reason you do not understand any of the instructions, or are just unsure, then please do not guess; simply post back with your question, and we will go through it again.

You didn't do anything wrong... it's just that staff members are few throughout the malware community, and there are many people looking for help. Sometimes we just get so busy, and unfortunately some do slip through the cracks. When we are done I will close your other topic, so keep all replies in this topic here.

Please do the following...

ComboFix

Please download ComboFix from Here or Here

* IMPORTANT !!! Save ComboFix.exe to your Desktop

  • Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools. Note: If you are having difficulty properly disabling your protective programs, or are unsure as to what programs need to be disabled, please refer to the information available through this link : Protective Programs
  • Double click on ComboFix.exe & follow the prompts.
  • As part of its process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.
  • Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.

**Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue its malware removal procedures.

(screenshot: RcAuto1.gif)

Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:

(screenshot: whatnext.png)

Click on Yes, to continue scanning for malware.

When finished, it shall produce a log for you. Please include the C:\ComboFix.txt in your next reply.

Do not mouse-click ComboFix's window while it is running. That may cause it to stall.

===============================================

Needed in your next reply:

ComboFix log

And let me know how things are running now :)


First of all, thank you so much for helping me, BHowett. I completely understand about being busy. I certainly wasn't being impatient; I just thought I may have offended someone or written my topic wrong... anyhow, thanks for your help.

I ran ComboFix and, unless it is my imagination, everything seems to be running really well. Much faster. ComboFix ran for about 2 and a half hours. Not sure if that is good or bad, but nonetheless, here is the log:

ComboFix 09-11-04.02 - Catherine 11/04/2009 18:29.1.1 - NTFSx86

Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.511.157 [GMT -5:00]

Running from: c:\documents and settings\Catherine\Desktop\ComboFix.exe

AV: AntiVir Desktop *On-access scanning disabled* (Outdated) {AD166499-45F9-482A-A743-FDD3350758C7}

.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))

.

c:\documents and settings\Catherine\Local Settings\Temporary Internet Files\TRNSLG03.XLS

c:\program files\Dynamic Toolbar

c:\windows\compaq.reg

c:\windows\desktop

c:\windows\desktop\Compaq Knowledge Center.lnk

c:\windows\Downloaded Program Files\CONFLICT.1\RDXIE.DLL

c:\windows\Downloaded Program Files\popcaploader.dll

c:\windows\Downloaded Program Files\popcaploader.inf

c:\windows\Downloaded Program Files\RdxIE.dll

c:\windows\jestertb.dll

c:\windows\system\oeminfo.ini

c:\windows\system32\bezayedo.dll

c:\windows\system32\bitoduze.dll

c:\windows\system32\Cache

c:\windows\system32\hefihiru.dll

c:\windows\system32\jifetahi.dll

c:\windows\system32\jijejamu.dll

c:\windows\system32\mupapupe.dll

c:\windows\system32\pilipeho.dll

c:\windows\system32\pogobiwu.dll

c:\windows\system32\tesavohi.dll

c:\windows\Tasks\vvnfgxeg.job

c:\documents and settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr0.dat . . . . failed to delete

c:\documents and settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr1.dat . . . . failed to delete

----- BITS: Possible infected sites -----

hxxp://gateway.digitalmusicnotebook.com

hxxp://77.74.48.111

.

((((((((((((((((((((((((( Files Created from 2009-10-05 to 2009-11-05 )))))))))))))))))))))))))))))))

.

2009-11-02 15:05 . 2009-11-02 15:05 -------- d-----w- c:\documents and settings\All Users\Application Data\XoftSpySE

2009-10-28 20:44 . 2009-10-28 20:44 -------- d-----w- c:\program files\Trend Micro

2009-10-28 13:04 . 2009-03-30 14:33 96104 ----a-w- c:\windows\system32\drivers\avipbb.sys

2009-10-28 13:04 . 2009-07-28 20:33 55656 ----a-w- c:\windows\system32\drivers\avgntflt.sys

2009-10-28 13:04 . 2009-02-13 16:29 22360 ----a-w- c:\windows\system32\drivers\avgntmgr.sys

2009-10-28 13:04 . 2009-02-13 16:17 45416 ----a-w- c:\windows\system32\drivers\avgntdd.sys

2009-10-28 13:04 . 2009-10-28 13:04 -------- d-----w- c:\program files\Avira

2009-10-28 13:04 . 2009-10-28 13:04 -------- d-----w- c:\documents and settings\All Users\Application Data\Avira

2009-10-27 12:43 . 2009-10-27 12:43 -------- d-----w- c:\documents and settings\Catherine\Application Data\Malwarebytes

2009-10-27 12:40 . 2009-09-10 18:54 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys

2009-10-27 12:40 . 2009-10-27 12:40 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes

2009-10-27 12:40 . 2009-11-04 15:12 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware

2009-10-27 12:40 . 2009-09-10 18:53 19160 ----a-w- c:\windows\system32\drivers\mbam.sys

.

(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

.

2009-11-05 01:03 . 2009-11-05 00:44 3671 ----a-w- c:\windows\compaq.reg

2009-10-28 21:47 . 2002-08-25 15:41 -------- d-----w- c:\program files\Common Files\Symantec Shared

2009-10-28 21:47 . 2002-08-25 15:41 -------- d-----w- c:\program files\Symantec

2009-10-28 21:09 . 2002-08-25 15:41 -------- d-----w- c:\documents and settings\All Users\Application Data\Symantec

2009-10-28 12:12 . 2003-12-06 02:30 -------- d-----w- c:\program files\Dell AIO Printer A920

2009-10-14 18:49 . 2006-11-03 14:59 59 ----a-w- c:\windows\wpd99.drv

2009-10-14 18:49 . 2006-11-03 14:59 -------- d-----w- c:\documents and settings\All Users\Application Data\pdf995

2009-10-02 10:03 . 2009-03-19 13:28 -------- d-----w- c:\program files\Microsoft Silverlight

2009-10-01 12:37 . 2009-10-01 12:37 -------- d-----w- c:\program files\Microsoft

2009-09-29 17:35 . 2004-01-20 13:07 119520 ----a-w- c:\documents and settings\Catherine\Local Settings\Application Data\GDIPFONTCACHEV1.DAT

2009-09-29 17:35 . 2009-09-29 17:35 -------- d-----w- c:\documents and settings\Catherine\Application Data\LogSys

2009-09-29 17:35 . 2009-09-29 17:35 -------- d-----w- c:\documents and settings\All Users\Application Data\LogSys

2009-09-29 17:32 . 2009-09-29 16:32 -------- dc-h--w- c:\documents and settings\All Users\Application Data\{5CF2916D-6AA4-47BF-B59D-D24FEA0C91E3}

2009-09-29 17:32 . 2009-09-29 17:32 -------- d-----w- c:\program files\Blueberry Consultants

2009-09-29 17:25 . 2009-09-29 17:25 2272 ----a-w- c:\documents and settings\LocalService\Local Settings\Application Data\FontCache3.0.0.0.dat

2009-09-29 17:23 . 2009-09-29 17:23 -------- d-----w- c:\program files\MSBuild

2009-09-29 17:22 . 2009-09-29 17:22 -------- d-----w- c:\program files\Reference Assemblies

2009-09-29 16:31 . 2008-07-28 14:22 -------- d-----w- c:\program files\monitor

2009-09-24 12:04 . 2009-09-23 20:59 -------- d-----w- c:\documents and settings\All Users\Application Data\NOS

2009-09-15 19:33 . 2009-09-15 18:58 -------- d-----w- c:\documents and settings\Catherine\Application Data\Verizon

2009-09-15 18:56 . 2009-09-15 18:56 -------- d-----w- c:\program files\Verizon

2009-09-12 21:12 . 2005-08-09 17:46 -------- d-----w- c:\documents and settings\Catherine\Application Data\Apple Computer

2009-09-12 20:53 . 2009-09-12 20:51 -------- d-----w- c:\program files\iTunes

2009-09-12 20:53 . 2009-09-12 20:51 -------- d-----w- c:\documents and settings\All Users\Application Data\{755AC846-7372-4AC8-8550-C52491DAA8BD}

2009-09-12 20:52 . 2005-08-09 17:44 -------- d-----w- c:\program files\iPod

2009-09-12 20:51 . 2007-07-19 18:23 -------- d-----w- c:\program files\Common Files\Apple

2009-09-12 20:46 . 2009-09-12 20:45 -------- d-----w- c:\program files\QuickTime

2009-09-12 20:32 . 2009-09-12 20:32 79144 ----a-w- c:\documents and settings\All Users\Application Data\Apple Computer\Installer Cache\iTunes 9.0.0.70\SetupAdmin.exe

2009-08-31 17:12 . 2009-08-31 17:09 256 ----a-w- c:\windows\system32\pool.bin

2009-08-31 17:08 . 2009-08-31 17:08 10134 ----a-r- c:\documents and settings\Catherine\Application Data\Microsoft\Installer\{62880A3B-2F9C-4C58-8FFA-1DA280262B5E}\ARPPRODUCTICON.exe

2009-08-26 12:42 . 2009-08-26 12:42 152576 ----a-w- c:\documents and settings\Catherine\Application Data\Sun\Java\jre1.6.0_15\lzma.dll

2009-08-23 12:53 . 2008-01-25 12:07 2406160 ----a-w- c:\documents and settings\Catherine\Application Data\1&1\1&1 EasyLogin\update\EasyLogin_setup_US.exe

2009-08-10 05:22 . 2009-09-29 17:32 2710905 -c--a-w- c:\documents and settings\All Users\Application Data\{5CF2916D-6AA4-47BF-B59D-D24FEA0C91E3}\Blueberry PDF Form Filler Setup.exe

2009-08-10 05:21 . 2009-09-29 17:20 380928 -c--a-w- c:\documents and settings\All Users\Application Data\{5CF2916D-6AA4-47BF-B59D-D24FEA0C91E3}\OFFLINE\1B3DF940\21E1A0D9\Blueberry PDF Form Filler.exe

2003-06-30 21:40 . 2003-06-30 21:40 0 ----a-w- c:\program files\meta.txt

.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))

.

.

*Note* empty entries & legit default entries are not shown

REGEDIT4

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{201f27d4-3704-41d6-89c1-aa35e39143ed}]

2008-10-03 15:19 325000 ----a-w- c:\program files\AskBarDis\bar\bin\askBar.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]

"{3041d03e-fd4b-44e0-b742-2d9b88305f98}"= "c:\program files\AskBarDis\bar\bin\askBar.dll" [2008-10-03 325000]

[HKEY_CLASSES_ROOT\clsid\{3041d03e-fd4b-44e0-b742-2d9b88305f98}]

[HKEY_CLASSES_ROOT\TypeLib\{4b1c1e16-6b34-430e-b074-5928eca4c150}]

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\Webbrowser]

"{3041D03E-FD4B-44E0-B742-2D9B88305F98}"= "c:\program files\AskBarDis\bar\bin\askBar.dll" [2008-10-03 325000]

[HKEY_CLASSES_ROOT\clsid\{3041d03e-fd4b-44e0-b742-2d9b88305f98}]

[HKEY_CLASSES_ROOT\TypeLib\{4b1c1e16-6b34-430e-b074-5928eca4c150}]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"msnmsgr"="c:\program files\Windows Live\Messenger\MsnMsgr.Exe" [2009-07-26 3883856]

"Mobipocket Reader Notifications"="c:\program files\Mobipocket.com\Mobipocket Reader\readernotify.exe" [2006-06-20 57344]

"updateMgr"="c:\program files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe" [2006-03-30 313472]

"swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2007-07-27 68856]

"1&1 EasyLogin"="c:\program files\1&1\1&1 EasyLogin\EasyLogin.exe" [2009-08-18 2200576]

"NBJ"="c:\program files\Ahead\Nero BackItUp\NBJ.exe" [2005-05-19 1957888]

"VeohPlugin"="c:\program files\Veoh Networks\VeohWebPlayer\veohwebplayer.exe" [2009-04-03 3558648]

"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2004-08-04 15360]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"NvCplDaemon"="NvQTwk" [X]

"CPQEASYACC"="c:\program files\Compaq\Easy Access Button Support\StartEAK.exe" [2001-08-15 28672]

"WCOLOREAL"="c:\program files\COMPAQ\Coloreal\coloreal.exe" [2001-09-26 131072]

"Microsoft Works Portfolio"="c:\program files\Microsoft Works\WksSb.exe" [2000-07-13 311350]

"Microsoft Works Update Detection"="c:\program files\Microsoft Works\WkDetect.exe" [2000-07-13 28739]

"srmclean"="c:\cpqs\Scom\srmclean.exe" [2001-07-24 36864]

"AdaptecDirectCD"="c:\program files\Adaptec\Easy CD Creator 5\DirectCD\DirectCD.exe" [2001-10-17 655360]

"Dell AIO Printer A920"="c:\program files\Dell AIO Printer A920\dlbkbmgr.exe" [2003-06-02 270336]

"LWBMOUSE"="c:\program files\Tech\Wheel Mouse\5.0\MOUSE32A.EXE" [2002-05-24 357376]

"TkBellExe"="c:\program files\Common Files\Real\Update_OB\realsched.exe" [2004-03-27 180269]

"Google Desktop Search"="c:\program files\Google\Google Desktop Search\GoogleDesktop.exe" [2007-07-19 1836544]

"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2009-07-25 149280]

"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2009-09-05 417792]

"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2009-09-09 305440]

"Malwarebytes Anti-Malware (reboot)"="c:\program files\Malwarebytes' Anti-Malware\newone.exe" [2009-09-10 1312080]

"avgnt"="c:\program files\Avira\AntiVir Desktop\avgnt.exe" [2009-03-02 209153]

"Smapp"="Smtray.exe" - c:\windows\system32\SMTray.exe [2001-06-01 224256]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce]

"tscuninstall"="c:\windows\system32\tscupgrd.exe" [2004-08-04 44544]

c:\documents and settings\User\Start Menu\Programs\Startup\

HotSync Manager.lnk - c:\palm\HOTSYNC.EXE [2002-8-9 299008]

PowerReg Scheduler V3.exe [2002-12-29 225280]

c:\documents and settings\Catherine\Start Menu\Programs\Startup\

HotSync Manager.lnk - c:\palm\HOTSYNC.EXE [2002-8-9 299008]

PowerReg Scheduler V3.exe [2008-10-3 225280]

c:\documents and settings\All Users\Start Menu\Programs\Startup\

Adobe Reader Speed Launch.lnk - c:\program files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2005-9-23 29696]

DateInTray.lnk - c:\program files\DateInTray\DateInTray.exe [2006-2-15 78848]

Microsoft Office.lnk - c:\program files\Microsoft Office\Office10\OSA.EXE [2001-2-13 83360]

office.exe [2009-6-25 121207]

[HKEY_LOCAL_MACHINE\software\microsoft\security center]

"AntiVirusOverride"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]

"%windir%\\system32\\sessmgr.exe"=

"c:\\Program Files\\Real\\RealPlayer\\realplay.exe"=

"c:\\WINDOWS\\system32\\LEXPPS.EXE"=

"c:\\WINDOWS\\system32\\ftp.exe"=

"c:\\Program Files\\COMPAQ\\WinDVD\\WinDVD.exe"=

"c:\\Program Files\\FTR\\FTR Gold\\FTRReporter.exe"=

"c:\\Program Files\\Macromedia\\Dreamweaver MX 2004\\Dreamweaver.exe"=

"c:\\Program Files\\Windows Live\\Messenger\\wlcsdk.exe"=

"c:\\Program Files\\Veoh Networks\\VeohWebPlayer\\veohwebplayer.exe"=

"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=

"c:\\Program Files\\iTunes\\iTunes.exe"=

"c:\\Program Files\\Verizon\\Verizon Media Manager\\Release\\Verizon Media Manager.exe"=

"c:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=

"c:\\Program Files\\iPod\\bin\\iPodService.exe"=

"c:\\Program Files\\Yahoo!\\Messenger\\YServer.exe"=

"c:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe"=

"c:\\WINDOWS\\system32\\regsvr32.exe"=

"c:\\Program Files\\Malwarebytes' Anti-Malware\\newone.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]

"135:TCP"= 135:TCP:*:Disabled:TheRecord DCOM Port

R2 AntiVirSchedulerService;Avira AntiVir Scheduler;c:\program files\Avira\AntiVir Desktop\sched.exe [10/28/2009 8:04 AM 108289]

R2 X4HS16;X4HS16;c:\program files\EXEtender\X4HS16.sys [8/19/2003 8:00 PM 19691]

S1 EACMOS;EACMOS;c:\windows\system32\drivers\EACMOS.SYS --> c:\windows\system32\drivers\EACMOS.SYS [?]

S2 WinRT;WinRT Toolkit Generic Driver;c:\windows\system32\drivers\WinRT.sys [2/24/2005 1:38 PM 99360]

S3 Gcr432;Gcr432;c:\windows\system32\drivers\Gcr432.sys [9/6/2001 1:05 PM 89371]

S3 hwi4857;Duo Digital Media Player;c:\windows\system32\drivers\hwi4857.sys [1/31/2003 9:29 PM 10532]

S3 Otis;Audible Otis Service;c:\windows\system32\drivers\OtisPlay.sys [3/8/2003 7:26 AM 9472]

S3 PortRst;BaromTec HMS30C6001 Reset Driver;c:\windows\system32\drivers\PortRST.sys [1/29/2002 5:33 PM 12721]

S4 mrtRate;mrtRate;c:\windows\system32\drivers\MrtRate.sys [4/28/2002 1:25 PM 36404]

--- Other Services/Drivers In Memory ---

*NewlyCreated* - MBR

*Deregistered* - mbr

.

Contents of the 'Scheduled Tasks' folder

2009-09-15 c:\windows\Tasks\AppleSoftwareUpdate.job

- c:\program files\Apple Software Update\SoftwareUpdate.exe [2007-08-29 16:34]

2001-12-26 c:\windows\Tasks\Registration reminder 2.job

- c:\windows\System32\OOBE\oobebaln.exe [2001-12-13 07:56]

2001-12-26 c:\windows\Tasks\Registration reminder 3.job

- c:\windows\System32\OOBE\oobebaln.exe [2001-12-13 07:56]

2009-11-04 c:\windows\Tasks\Symantec NetDetect.job

- c:\program files\Symantec\LiveUpdate\NDETECT.EXE [2002-08-25 17:24]

.

.

------- Supplementary Scan -------

.

uStart Page = hxxp://www.lesliehale.com/

uSearch Page = hxxp://www.google.com

uSearch Bar = hxxp://www.google.com/ie

uInternet Connection Wizard,ShellNext = https://customer.symantec.com/NASApp/web/Pl...p;p_vendor_tag=

uInternet Settings,ProxyOverride = <local>;*.local

uSearchURL,(Default) = hxxp://www.google.com/search?q=%s

IE: E&xport to Microsoft Excel - c:\progra~1\MI1933~1\Office10\EXCEL.EXE/3000

IE: Search &Dictionary - c:\program files\Lexico\Toolbar\dictionary.htm

IE: Search &Thesaurus - c:\program files\Lexico\Toolbar\thesaurus.htm

DPF: Microsoft XML Parser for Java - file://c:\windows\Java\classes\xmldso.cab

DPF: vzTCPConfig - hxxp://www.verizon.net/checkmypc/includes/vzTCPConfig.CAB

DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} - hxxp://software-dl.real.com/01017a2d3f98e0e93b21/netzip/RdxIE601.cab

DPF: {72944257-0AE0-44FD-8A51-AA21853092C8} - hxxps://mycampus.phoenix.edu/secure/PhxStudent15.CAB

DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} - hxxp://games.pogo.com/online2/pogo/bejeweled2/popcaploader_v6.cab

DPF: {F6676623-8BBD-479C-A51B-05868728708C} - hxxp://www.digitaldm.com/Plug-in/myebk/c/DIGITALDM2.cab

.

- - - - ORPHANS REMOVED - - - -

BHO-{5f414075-a602-4ca4-a231-4b799c981ba4} - fakugupu.dll

HKLM-Run-BJCFD - c:\program files\BroadJump\Client Foundation\CFD.exe

HKLM-Run-WorksFUD - (no file)

SharedTaskScheduler-{3b1a9b0d-05ca-4288-a290-622f7cdd4881} - c:\windows\system32\pogobiwu.dll

SSODL-goyuvukiz-{3b1a9b0d-05ca-4288-a290-622f7cdd4881} - c:\windows\system32\pogobiwu.dll

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net

Rootkit scan 2009-11-04 19:37

Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully

hidden files: 0

**************************************************************************

.

--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'explorer.exe'(3368)

c:\progra~1\WINDOW~3\wmpband.dll

c:\program files\Tech\Wheel Mouse\5.0\MOUDL32A.DLL

c:\windows\system32\WPDShServiceObj.dll

c:\windows\system32\PortableDeviceTypes.dll

c:\windows\system32\PortableDeviceApi.dll

.

------------------------ Other Running Processes ------------------------

.

c:\windows\system32\LEXBCES.EXE

c:\windows\system32\LEXPPS.EXE

c:\windows\System32\SCardSvr.exe

c:\windows\System32\PackethSvc.exe

c:\program files\Avira\AntiVir Desktop\avguard.exe

c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe

c:\program files\Bonjour\mDNSResponder.exe

c:\windows\System32\drivers\CDAC11BA.EXE

c:\program files\Compaq\Compaq Advisor\bin\compaq-rba.exe

c:\windows\system32\inetsrv\inetinfo.exe

c:\program files\Java\jre6\bin\jqs.exe

c:\program files\Common Files\Microsoft Shared\VS7Debug\mdm.exe

c:\windows\System32\nvsvc32.exe

c:\windows\system32\pctspk.exe

c:\program files\Compaq\Easy Access Button Support\CPQEADM.EXE

c:\compaq\CPQINET\CPQInet.exe

c:\compaq\EAKDRV\EAUSBKBD.EXE

c:\progra~1\Compaq\EASYAC~1\BttnServ.exe

c:\program files\Dell AIO Printer A920\dlbkbmon.exe

c:\program files\iPod\bin\iPodService.exe

c:\progra~1\Compaq\COMPAQ~1\bin\nda.exe

.

**************************************************************************

.

Completion time: 2009-11-05 20:36 - machine was rebooted

ComboFix-quarantined-files.txt 2009-11-05 01:36

Pre-Run: 23,978,127,360 bytes free

Post-Run: 25,562,042,368 bytes free

WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe

[boot loader]

timeout=2

default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS

[operating systems]

c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons

multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Professional" /fastdetect /NoExecute=OptIn

Just let me know what you want me to do next, if anything. Have a good one!


By the way, I just ran another quick scan with Malwarebytes and this is the log. It still caught some adware but I am guessing that has something to do with the REAL bar. Not sure how it showed up but it's there. Any ideas on how to get rid of it? Thanks

Malwarebytes' Anti-Malware 1.41

Database version: 3098

Windows 5.1.2600 Service Pack 2

11/4/2009 9:03:55 PM

mbam-log-2009-11-04 (21-03-55).txt

Scan type: Quick Scan

Objects scanned: 139045

Time elapsed: 13 minute(s), 54 second(s)

Memory Processes Infected: 0

Memory Modules Infected: 0

Registry Keys Infected: 0

Registry Values Infected: 0

Registry Data Items Infected: 0

Folders Infected: 3

Files Infected: 15

Memory Processes Infected:

(No malicious items detected)

Memory Modules Infected:

(No malicious items detected)

Registry Keys Infected:

(No malicious items detected)

Registry Values Infected:

(No malicious items detected)

Registry Data Items Infected:

(No malicious items detected)

Folders Infected:

C:\Program Files\dynamic toolbar (Adware.2020search) -> Quarantined and deleted successfully.

C:\Program Files\dynamic toolbar\REALBAR (Adware.2020search) -> Quarantined and deleted successfully.

C:\Program Files\dynamic toolbar\REALBAR\Cache (Adware.2020search) -> Quarantined and deleted successfully.

Files Infected:

C:\Program Files\dynamic toolbar\REALBAR\Cache\bubble.bmp (Adware.2020search) -> Quarantined and deleted successfully.

C:\Program Files\dynamic toolbar\REALBAR\Cache\bubble16.bmp (Adware.2020search) -> Quarantined and deleted successfully.

C:\Program Files\dynamic toolbar\REALBAR\Cache\celebs.bmp (Adware.2020search) -> Quarantined and deleted successfully.

C:\Program Files\dynamic toolbar\REALBAR\Cache\gotb.bmp (Adware.2020search) -> Quarantined and deleted successfully.

C:\Program Files\dynamic toolbar\REALBAR\Cache\highlight.bmp (Adware.2020search) -> Quarantined and deleted successfully.

C:\Program Files\dynamic toolbar\REALBAR\Cache\hotstuff.bmp (Adware.2020search) -> Quarantined and deleted successfully.

C:\Program Files\dynamic toolbar\REALBAR\Cache\hotstuffsm.bmp (Adware.2020search) -> Quarantined and deleted successfully.

C:\Program Files\dynamic toolbar\REALBAR\Cache\movies.bmp (Adware.2020search) -> Quarantined and deleted successfully.

C:\Program Files\dynamic toolbar\REALBAR\Cache\music.bmp (Adware.2020search) -> Quarantined and deleted successfully.

C:\Program Files\dynamic toolbar\REALBAR\Cache\news.bmp (Adware.2020search) -> Quarantined and deleted successfully.

C:\Program Files\dynamic toolbar\REALBAR\Cache\ngames.bmp (Adware.2020search) -> Quarantined and deleted successfully.

C:\Program Files\dynamic toolbar\REALBAR\Cache\radio.bmp (Adware.2020search) -> Quarantined and deleted successfully.

C:\Program Files\dynamic toolbar\REALBAR\Cache\REALBARTB0115.cfg (Adware.2020search) -> Quarantined and deleted successfully.

C:\Program Files\dynamic toolbar\REALBAR\Cache\rollingstone.bmp (Adware.2020search) -> Quarantined and deleted successfully.

C:\Program Files\dynamic toolbar\REALBAR\Cache\sports.bmp (Adware.2020search) -> Quarantined and deleted successfully.


Hi BHowett,

I just wanted to let you know that I have done all that you asked in the previous post EXCEPT the online scan. I ran it twice and each time it just stopped scanning. The first time after about 3 hours! I ran it again and it lasted about 50 minutes and then stopped. I knew it stopped because the time counter stopped. Anyhow, I'm going to run it again today and post the log as soon as it finishes (I hope). I am copying the other 2 logs you asked for.

OTM log:

All processes killed

========== PROCESSES ==========

No active process named explorer.exe was found!

========== SERVICES/DRIVERS ==========

========== REGISTRY ==========

========== FILES ==========

File move failed. c:\documents and settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr0.dat scheduled to be moved on reboot.

File move failed. c:\documents and settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr1.dat scheduled to be moved on reboot.

========== COMMANDS ==========

[EMPTYTEMP]

User: All Users

User: Catherine

->Temp folder emptied: 2064562 bytes

->Temporary Internet Files folder emptied: 45916225 bytes

->Java cache emptied: 140982071 bytes

User: Default User

->Temp folder emptied: 0 bytes

->Temporary Internet Files folder emptied: 67 bytes

User: John Tomasi

->Temp folder emptied: 0 bytes

->Temporary Internet Files folder emptied: 67 bytes

User: johntomasi

->Temp folder emptied: 0 bytes

->Temporary Internet Files folder emptied: 67 bytes

->Java cache emptied: 1405131 bytes

User: LocalService

->Temp folder emptied: 0 bytes

File delete failed. C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\index.dat scheduled to be deleted on reboot.

->Temporary Internet Files folder emptied: 49286 bytes

User: NetworkService

->Temp folder emptied: 0 bytes

->Temporary Internet Files folder emptied: 33170 bytes

User: Owner

->Temp folder emptied: 0 bytes

->Temporary Internet Files folder emptied: 67 bytes

User: tomasijo

User: User

->Temp folder emptied: 0 bytes

->Temporary Internet Files folder emptied: 1143523 bytes

%systemdrive% .tmp files removed: 0 bytes

C:\WINDOWS\msdownld.tmp folder deleted successfully.

%systemroot% .tmp files removed: 1119049 bytes

%systemroot%\System32 .tmp files removed: 2577 bytes

Windows Temp folder emptied: 664 bytes

RecycleBin emptied: 0 bytes

Total Files Cleaned = 183.79 mb

OTM by OldTimer - Version 3.0.0.6 log created on 11052009_115531

Files moved on Reboot...

File move failed. c:\documents and settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr0.dat scheduled to be moved on reboot.

File move failed. c:\documents and settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr1.dat scheduled to be moved on reboot.

Registry entries deleted on Reboot...

Hijackthis log:

Logfile of Trend Micro HijackThis v2.0.2

Scan saved at 7:37:14 AM, on 11/6/2009

Platform: Windows XP SP2 (WinNT 5.01.2600)

MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Boot mode: Normal

Running processes:

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\system32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\system32\LEXBCES.EXE

C:\WINDOWS\system32\LEXPPS.EXE

C:\WINDOWS\system32\spoolsv.exe

C:\Program Files\Avira\AntiVir Desktop\sched.exe

C:\WINDOWS\System32\PackethSvc.exe

C:\Program Files\Avira\AntiVir Desktop\avguard.exe

C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe

C:\Program Files\Bonjour\mDNSResponder.exe

C:\WINDOWS\System32\drivers\CDAC11BA.EXE

C:\Program Files\Compaq\Compaq Advisor\bin\compaq-rba.exe

C:\WINDOWS\system32\inetsrv\inetinfo.exe

C:\Program Files\Java\jre6\bin\jqs.exe

C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe

C:\WINDOWS\System32\nvsvc32.exe

C:\WINDOWS\system32\pctspk.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\system32\wuauclt.exe

C:\WINDOWS\Explorer.EXE

C:\Program Files\Compaq\Easy Access Button Support\StartEAK.exe

C:\Program Files\Compaq\Easy Access Button Support\CPQEADM.EXE

C:\COMPAQ\CPQINET\CPQInet.exe

C:\WINDOWS\system32\Smtray.exe

C:\Compaq\EAKDRV\EAUSBKBD.EXE

C:\PROGRA~1\Compaq\EASYAC~1\BttnServ.exe

C:\WINDOWS\system32\wuauclt.exe

C:\Program Files\Adaptec\Easy CD Creator 5\DirectCD\DirectCD.exe

C:\Program Files\Dell AIO Printer A920\dlbkbmgr.exe

C:\Program Files\Dell AIO Printer A920\dlbkbmon.exe

C:\Program Files\Tech\Wheel Mouse\5.0\MOUSE32A.EXE

C:\Program Files\Common Files\Real\Update_OB\realsched.exe

C:\Program Files\Java\jre6\bin\jusched.exe

C:\Program Files\iTunes\iTunesHelper.exe

C:\Program Files\Avira\AntiVir Desktop\avgnt.exe

C:\Program Files\Windows Live\Messenger\MsnMsgr.Exe

C:\Program Files\Mobipocket.com\Mobipocket Reader\readernotify.exe

C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe

C:\Program Files\1&1\1&1 EasyLogin\EasyLogin.exe

C:\Program Files\Veoh Networks\VeohWebPlayer\veohwebplayer.exe

C:\WINDOWS\system32\ctfmon.exe

C:\Program Files\DateInTray\DateInTray.exe

C:\Palm\HOTSYNC.EXE

C:\Program Files\iPod\bin\iPodService.exe

C:\Program Files\Internet Explorer\iexplore.exe

C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.lesliehale.com/

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896

R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = https://customer.symantec.com/NASApp/web/Pl...p;p_vendor_tag=

O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll

O2 - BHO: Lexico Toolbar - {11359F4A-B191-42d7-905A-594F8CF0387B} - C:\WINDOWS\Downloaded Program Files\CONFLICT.1\lexbar.dll

O2 - BHO: AskBar BHO - {201f27d4-3704-41d6-89c1-aa35e39143ed} - C:\Program Files\AskBarDis\bar\bin\askBar.dll

O2 - BHO: REALBAR - {4E7BD74F-2B8D-469E-C0FF-FD60B590A87D} - C:\PROGRA~1\COMMON~1\Real\Toolbar\realbar.dll

O2 - BHO: (no name) - {5C255C8A-E604-49b4-9D64-90988571CECB} - (no file)

O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll

O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - C:\Program Files\Google\Google Toolbar\GoogleToolbar_32.dll

O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\5.3.4501.1418\swg.dll

O2 - BHO: Google Dictionary Compression sdch - {C84D72FE-E17D-4195-BB24-76C02E2E7C4E} - C:\Program Files\Google\Google Toolbar\Component\fastsearch_B7C5AC242193BB3E.dll

O2 - BHO: Java Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll

O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll

O3 - Toolbar: REALBAR - {4E7BD74F-2B8D-469E-C0FF-FD60B590A87D} - C:\PROGRA~1\COMMON~1\Real\Toolbar\realbar.dll

O3 - Toolbar: Dictionary.com - {11359F4A-B191-42D7-905A-594F8CF0387B} - C:\WINDOWS\Downloaded Program Files\CONFLICT.1\lexbar.dll

O3 - Toolbar: Ask Toolbar - {3041d03e-fd4b-44e0-b742-2d9b88305f98} - C:\Program Files\AskBarDis\bar\bin\askBar.dll

O3 - Toolbar: Veoh Web Player Video Finder - {0FBB9689-D3D7-4f7a-A2E2-585B10099BFC} - C:\Program Files\Veoh Networks\VeohWebPlayer\VeohIEToolbar.dll

O3 - Toolbar: Veoh Video Compass - {52836EB0-631A-47B1-94A6-61F9D9112DAE} - C:\Program Files\Veoh Networks\Veoh Video Compass\SearchRecsPlugin.dll

O3 - Toolbar: Google Toolbar - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - C:\Program Files\Google\Google Toolbar\GoogleToolbar_32.dll

O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE NvQTwk,NvCplDaemon initialize

O4 - HKLM\..\Run: [CPQEASYACC] C:\Program Files\Compaq\Easy Access Button Support\StartEAK.exe

O4 - HKLM\..\Run: [WCOLOREAL] "C:\Program Files\COMPAQ\Coloreal\coloreal.exe"

O4 - HKLM\..\Run: [smapp] Smtray.exe

O4 - HKLM\..\Run: [Microsoft Works Portfolio] C:\Program Files\Microsoft Works\WksSb.exe /AllUsers

O4 - HKLM\..\Run: [Microsoft Works Update Detection] C:\Program Files\Microsoft Works\WkDetect.exe

O4 - HKLM\..\Run: [srmclean] C:\Cpqs\Scom\srmclean.exe

O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Program Files\Adaptec\Easy CD Creator 5\DirectCD\DirectCD.exe"

O4 - HKLM\..\Run: [Dell AIO Printer A920] "C:\Program Files\Dell AIO Printer A920\dlbkbmgr.exe"

O4 - HKLM\..\Run: [LWBMOUSE] C:\Program Files\Tech\Wheel Mouse\5.0\MOUSE32A.EXE

O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot

O4 - HKLM\..\Run: [Google Desktop Search] "C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe" /startup

O4 - HKLM\..\Run: [sunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"

O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime

O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"

O4 - HKLM\..\Run: [Malwarebytes Anti-Malware (reboot)] "C:\Program Files\Malwarebytes' Anti-Malware\newone.exe" /runcleanupscript

O4 - HKLM\..\Run: [avgnt] "C:\Program Files\Avira\AntiVir Desktop\avgnt.exe" /min

O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\Windows Live\Messenger\MsnMsgr.Exe" /background

O4 - HKCU\..\Run: [Mobipocket Reader Notifications] C:\Program Files\Mobipocket.com\Mobipocket Reader\readernotify.exe

O4 - HKCU\..\Run: [updateMgr] "C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe" AcRdB7_0_8 -reboot 1

O4 - HKCU\..\Run: [swg] "C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe"

O4 - HKCU\..\Run: [1&1 EasyLogin] C:\Program Files\1&1\1&1 EasyLogin\EasyLogin.exe

O4 - HKCU\..\Run: [NBJ] "C:\Program Files\Ahead\Nero BackItUp\NBJ.exe"

O4 - HKCU\..\Run: [VeohPlugin] "C:\Program Files\Veoh Networks\VeohWebPlayer\veohwebplayer.exe"

O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe

O4 - HKUS\S-1-5-18\..\RunOnce: [tscuninstall] %systemroot%\system32\tscupgrd.exe (User 'SYSTEM')

O4 - HKUS\.DEFAULT\..\RunOnce: [tscuninstall] %systemroot%\system32\tscupgrd.exe (User 'Default user')

O4 - Startup: HotSync Manager.lnk = C:\Palm\HOTSYNC.EXE

O4 - Startup: PowerReg Scheduler V3.exe

O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe

O4 - Global Startup: DateInTray.lnk = C:\Program Files\DateInTray\DateInTray.exe

O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE

O4 - Global Startup: office.exe

O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MI1933~1\Office10\EXCEL.EXE/3000

O8 - Extra context menu item: Search &Dictionary - C:\Program files\Lexico\Toolbar\dictionary.htm

O8 - Extra context menu item: Search &Thesaurus - C:\Program files\Lexico\Toolbar\thesaurus.htm

O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)

O9 - Extra button: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe

O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe

O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe

O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe

O12 - Plugin for .nwc: C:\Program Files\NoteWorthy Software\NWC Browser Plugin\npnwcw32.dll

O14 - IERESET.INF: START_PAGE_URL=http://www.rr.com

O16 - DPF: vzTCPConfig - http://www.verizon.net/checkmypc/includes/vzTCPConfig.CAB

O16 - DPF: {05CA9FB0-3E3E-4B36-BF41-0E3A5CAA8CD8} (Office Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=67633

O16 - DPF: {0CCA191D-13A6-4E29-B746-314DEE697D83} (Facebook Photo Uploader 5 Control) - http://upload.facebook.com/controls/2008.1...toUploader5.cab

O16 - DPF: {1239CC52-59EF-4DFA-8C61-90FFA846DF7E} (Musicnotes Viewer) - http://www.musicnotes.com/download/mnviewer.cab

O16 - DPF: {238F6F83-B8B4-11CF-8771-00A024541EE3} (WficaCtl Object) - http://www.genisar.com/files/genplug60.cab

O16 - DPF: {288451AE-BE24-4216-B946-8600E0498584} (DASWebShop Class) - http://das.microsoft.com/activate/cab/x86/...tail/DASAct.cab

O16 - DPF: {406B5949-7190-4245-91A9-30A17DE16AD0} (Snapfish Activia) - http://www.yorkphoto.com/YorkActivia.cab

O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} (RdxIE Class) - http://software-dl.real.com/01017a2d3f98e0...ip/RdxIE601.cab

O16 - DPF: {62475759-9E84-458E-A1AB-5D2C442ADFDE} - http://a1540.g.akamai.net/7/1540/52/200312...meInstaller.exe

O16 - DPF: {6A060448-60F9-11D5-A6CD-0002B31F7455} (ExentInf Class) - http://us.games2.yimg.com/download.games.y...ctl_0_0_0_1.ocx

O16 - DPF: {72944257-0AE0-44FD-8A51-AA21853092C8} (PhxStudent.OeSetup15) - https://mycampus.phoenix.edu/secure/PhxStudent15.CAB

O16 - DPF: {9059F30F-4EB1-4BD2-9FDC-36F43A218F4A} (Microsoft RDP Client Control (redist)) - http://www.server.recordtranscripts.com/msrdp.cab

O16 - DPF: {90C9629E-CD32-11D3-BBFB-00105A1F0D68} (InstallShield International Setup Player) - http://www.installengine.com/engine/isetup.cab

O16 - DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} (PopCapLoader Object) - http://games.pogo.com/online2/pogo/bejewel...aploader_v6.cab

O16 - DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - http://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab

O16 - DPF: {E7D2588A-7FB5-47DC-8830-832605661009} (Live Collaboration) - http://livesc03.rightnowtech.com/audible/a...l/java/RntX.cab

O16 - DPF: {F0E2D69A-DC2F-4E9B-A993-684FB1C21DBC} - http://dictionary.reference.com/tools/toolbar/lexico.cab

O16 - DPF: {F2CA2115-C8D2-11D1-BEBD-00A0C95A6A5C} (WebReportSource Class) - http://reports.jud11.flcourts.org/viewer/a...tivexviewer.cab

O16 - DPF: {F6676623-8BBD-479C-A51B-05868728708C} (DigitalDM) - http://www.digitaldm.com/Plug-in/myebk/c/DIGITALDM2.cab

O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = rtitampa.com

O17 - HKLM\Software\..\Telephony: DomainName = rtitampa.com

O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = rtitampa.com

O23 - Service: Avira AntiVir Scheduler (AntiVirSchedulerService) - Avira GmbH - C:\Program Files\Avira\AntiVir Desktop\sched.exe

O23 - Service: Avira AntiVir Guard (AntiVirService) - Avira GmbH - C:\Program Files\Avira\AntiVir Desktop\avguard.exe

O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe

O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe

O23 - Service: C-DillaCdaC11BA - Macrovision - C:\WINDOWS\System32\drivers\CDAC11BA.EXE

O23 - Service: Compaq Advisor (Compaq_RBA) - NeoPlanet - C:\Program Files\Compaq\Compaq Advisor\bin\compaq-rba.exe

O23 - Service: GoogleDesktopManager - Google - C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe

O23 - Service: Google Software Updater (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe

O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe

O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe

O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe

O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE

O23 - Service: Macromedia Licensing Service - Macromedia - C:\Program Files\Common Files\Macromedia Shared\Service\Macromedia Licensing.exe

O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe

O23 - Service: Virtual NIC Service (PackethSvc) - America Online, Inc. - C:\WINDOWS\System32\PackethSvc.exe

O23 - Service: PCTEL Speaker Phone (Pctspk) - PCtel, Inc. - C:\WINDOWS\system32\pctspk.exe

--

End of file - 13900 bytes

So far everything is still running great. Shutdown last night was a little weird but I figured that may have had something to do with the online scan.

Thanks


Hello again,

yeah sometimes the online scans don't want to play right :) let's do the following...

Fix with HijackThis

Please re-open HiJackThis and scan. Check the boxes next to all the entries listed below.

O2 - BHO: AskBar BHO - {201f27d4-3704-41d6-89c1-aa35e39143ed} - C:\Program Files\AskBarDis\bar\bin\askBar.dll

O2 - BHO: REALBAR - {4E7BD74F-2B8D-469E-C0FF-FD60B590A87D} - C:\PROGRA~1\COMMON~1\Real\Toolbar\realbar.dll

O2 - BHO: (no name) - {5C255C8A-E604-49b4-9D64-90988571CECB} - (no file)

O3 - Toolbar: Ask Toolbar - {3041d03e-fd4b-44e0-b742-2d9b88305f98} - C:\Program Files\AskBarDis\bar\bin\askBar.dll

O4 - Startup: PowerReg Scheduler V3.exe

O4 - Global Startup: office.exe

O8 - Extra context menu item: Search &Dictionary - C:\Program files\Lexico\Toolbar\dictionary.htm

O8 - Extra context menu item: Search &Thesaurus - C:\Program files\Lexico\Toolbar\thesaurus.htm

O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)

Now close all windows other than HiJackThis, then click Fix Checked. Close HiJackThis.

===============================================

OTM by OldTimer

  • Please double-click OTM to run it. (Note: If you are running on Vista, right-click on the file and choose Run As Administrator).
  • Copy the lines in the codebox below to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose Copy):
    :Processes
    explorer.exe

    :Services

    :Reg

    :Files
    C:\Program Files\AskBarDis
    C:\Program Files\Common Files\Real\Toolbar
    C:\Program files\Lexico
    :Commands
    [purity]
    [emptytemp]
    [Reboot]


  • Return to OTM, right click in the "Paste Instructions for Items to be Moved" window (under the yellow bar) and choose Paste.
  • Click the red Moveit! button.
  • Copy everything in the Results window (under the green bar) to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose copy), and paste it in your next reply.
  • Close OTM and reboot your PC.

Note: If a file or folder cannot be moved immediately you may be asked to reboot the machine to finish the move process. If you are asked to reboot the machine choose Yes. In this case, after the reboot, open Notepad (Start->All Programs->Accessories->Notepad), click File->Open, in the File Name box enter *.log and press the Enter key, navigate to the C:\_OTMoveIt\MovedFiles folder, and open the newest .log file present, and copy/paste the contents of that document back here in your next post.

===============================================

Update Java

Older versions have vulnerabilities that malware can use to infect your system. Please follow these steps to remove older version Java components and update.

Upgrading Java:

  • Download the latest version of Java Runtime Environment (JRE) 6 Update 17.
  • Scroll down to where it says "The J2SE Runtime Environment (JRE) allows end-users to run Java applications".
  • Click the "Download" button to the right.
  • Select your Platform and check the box that says: "I agree to the Java SE Runtime Environment 6 License Agreement.".
  • Click on Continue.
  • Click on the link to download Windows Offline Installation (jre-6u7-windows-i586-p.exe) and save it to your desktop. Do NOT use the Sun Download Manager.
  • Close any programs you may have running - especially your web browser.
  • Go to Start > Control Panel, double-click on Add/Remove programs and remove all older versions of Java.
  • Check any item with Java Runtime Environment (JRE or J2SE) in the name.
  • Click the Remove or Change/Remove button.
  • Repeat as many times as necessary to remove each Java version.
  • Reboot your computer once all Java components are removed.
  • Then from your desktop double-click on the download to install the newest version.

===============================================

Now try the Kaspersky WebScanner. Please post the OTM log, a fresh HijackThis log, and the Kaspersky WebScanner results in your next reply :)


Well, I've tried 3 more times to get the Kaspersky online scan to work and each time it hangs up. This time around 40-50 minutes into the scan. In case it is important, it hangs up after finding 1 suspicious item and 1 threat. The point it seems to hang up is when it is checking my Outlook Express mail. This info may be meaningless but I thought I would pass it on. By the way, I did all of the other things you suggested including removing old Java stuff and upgrading to the version you suggested. I am posting the latest Hijackthis and OTM logs.

Fresh Hijackthis log:

Logfile of Trend Micro HijackThis v2.0.2

Scan saved at 2:15:40 PM, on 11/6/2009

Platform: Windows XP SP2 (WinNT 5.01.2600)

MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Boot mode: Normal

Running processes:

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\system32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\system32\LEXBCES.EXE

C:\WINDOWS\system32\LEXPPS.EXE

C:\WINDOWS\system32\spoolsv.exe

C:\Program Files\Avira\AntiVir Desktop\sched.exe

C:\WINDOWS\System32\PackethSvc.exe

C:\Program Files\Avira\AntiVir Desktop\avguard.exe

C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe

C:\Program Files\Bonjour\mDNSResponder.exe

C:\WINDOWS\System32\drivers\CDAC11BA.EXE

C:\Program Files\Compaq\Compaq Advisor\bin\compaq-rba.exe

C:\WINDOWS\system32\inetsrv\inetinfo.exe

C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe

C:\WINDOWS\System32\nvsvc32.exe

C:\WINDOWS\system32\pctspk.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\Explorer.EXE

C:\WINDOWS\system32\wuauclt.exe

C:\Program Files\Compaq\Easy Access Button Support\StartEAK.exe

C:\WINDOWS\system32\Smtray.exe

C:\Program Files\Compaq\Easy Access Button Support\CPQEADM.EXE

C:\COMPAQ\CPQINET\CPQInet.exe

C:\Compaq\EAKDRV\EAUSBKBD.EXE

C:\PROGRA~1\Compaq\EASYAC~1\BttnServ.exe

C:\Program Files\Adaptec\Easy CD Creator 5\DirectCD\DirectCD.exe

C:\Program Files\Dell AIO Printer A920\dlbkbmgr.exe

C:\Program Files\Dell AIO Printer A920\dlbkbmon.exe

C:\Program Files\Tech\Wheel Mouse\5.0\MOUSE32A.EXE

C:\Program Files\Common Files\Real\Update_OB\realsched.exe

C:\Program Files\iTunes\iTunesHelper.exe

C:\Program Files\Avira\AntiVir Desktop\avgnt.exe

C:\Program Files\Windows Live\Messenger\MsnMsgr.Exe

C:\Program Files\Mobipocket.com\Mobipocket Reader\readernotify.exe

C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe

C:\Program Files\1&1\1&1 EasyLogin\EasyLogin.exe

C:\Program Files\Veoh Networks\VeohWebPlayer\veohwebplayer.exe

C:\WINDOWS\system32\ctfmon.exe

C:\Program Files\DateInTray\DateInTray.exe

C:\Palm\HOTSYNC.EXE

C:\Program Files\iPod\bin\iPodService.exe

C:\Program Files\Java\jre6\bin\jqs.exe

C:\Program Files\Internet Explorer\iexplore.exe

C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.lesliehale.com/

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896

R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = https://customer.symantec.com/NASApp/web/Pl...p;p_vendor_tag=

O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll

O2 - BHO: Lexico Toolbar - {11359F4A-B191-42d7-905A-594F8CF0387B} - C:\WINDOWS\Downloaded Program Files\CONFLICT.1\lexbar.dll

O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll

O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - C:\Program Files\Google\Google Toolbar\GoogleToolbar_32.dll

O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\5.3.4501.1418\swg.dll

O2 - BHO: Google Dictionary Compression sdch - {C84D72FE-E17D-4195-BB24-76C02E2E7C4E} - C:\Program Files\Google\Google Toolbar\Component\fastsearch_B7C5AC242193BB3E.dll

O2 - BHO: Java Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll

O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll

O3 - Toolbar: (no name) - {4E7BD74F-2B8D-469E-C0FF-FD60B590A87D} - (no file)

O3 - Toolbar: Dictionary.com - {11359F4A-B191-42D7-905A-594F8CF0387B} - C:\WINDOWS\Downloaded Program Files\CONFLICT.1\lexbar.dll

O3 - Toolbar: Veoh Web Player Video Finder - {0FBB9689-D3D7-4f7a-A2E2-585B10099BFC} - C:\Program Files\Veoh Networks\VeohWebPlayer\VeohIEToolbar.dll

O3 - Toolbar: Veoh Video Compass - {52836EB0-631A-47B1-94A6-61F9D9112DAE} - C:\Program Files\Veoh Networks\Veoh Video Compass\SearchRecsPlugin.dll

O3 - Toolbar: Google Toolbar - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - C:\Program Files\Google\Google Toolbar\GoogleToolbar_32.dll

O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE NvQTwk,NvCplDaemon initialize

O4 - HKLM\..\Run: [CPQEASYACC] C:\Program Files\Compaq\Easy Access Button Support\StartEAK.exe

O4 - HKLM\..\Run: [WCOLOREAL] "C:\Program Files\COMPAQ\Coloreal\coloreal.exe"

O4 - HKLM\..\Run: [smapp] Smtray.exe

O4 - HKLM\..\Run: [Microsoft Works Portfolio] C:\Program Files\Microsoft Works\WksSb.exe /AllUsers

O4 - HKLM\..\Run: [Microsoft Works Update Detection] C:\Program Files\Microsoft Works\WkDetect.exe

O4 - HKLM\..\Run: [srmclean] C:\Cpqs\Scom\srmclean.exe

O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Program Files\Adaptec\Easy CD Creator 5\DirectCD\DirectCD.exe"

O4 - HKLM\..\Run: [Dell AIO Printer A920] "C:\Program Files\Dell AIO Printer A920\dlbkbmgr.exe"

O4 - HKLM\..\Run: [LWBMOUSE] C:\Program Files\Tech\Wheel Mouse\5.0\MOUSE32A.EXE

O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot

O4 - HKLM\..\Run: [Google Desktop Search] "C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe" /startup

O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime

O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"

O4 - HKLM\..\Run: [Malwarebytes Anti-Malware (reboot)] "C:\Program Files\Malwarebytes' Anti-Malware\newone.exe" /runcleanupscript

O4 - HKLM\..\Run: [avgnt] "C:\Program Files\Avira\AntiVir Desktop\avgnt.exe" /min

O4 - HKLM\..\Run: [sunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"

O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\Windows Live\Messenger\MsnMsgr.Exe" /background

O4 - HKCU\..\Run: [Mobipocket Reader Notifications] C:\Program Files\Mobipocket.com\Mobipocket Reader\readernotify.exe

O4 - HKCU\..\Run: [updateMgr] "C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe" AcRdB7_0_8 -reboot 1

O4 - HKCU\..\Run: [swg] "C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe"

O4 - HKCU\..\Run: [1&1 EasyLogin] C:\Program Files\1&1\1&1 EasyLogin\EasyLogin.exe

O4 - HKCU\..\Run: [NBJ] "C:\Program Files\Ahead\Nero BackItUp\NBJ.exe"

O4 - HKCU\..\Run: [VeohPlugin] "C:\Program Files\Veoh Networks\VeohWebPlayer\veohwebplayer.exe"

O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe

O4 - HKUS\S-1-5-18\..\RunOnce: [tscuninstall] %systemroot%\system32\tscupgrd.exe (User 'SYSTEM')

O4 - HKUS\.DEFAULT\..\RunOnce: [tscuninstall] %systemroot%\system32\tscupgrd.exe (User 'Default user')

O4 - Startup: HotSync Manager.lnk = C:\Palm\HOTSYNC.EXE

O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe

O4 - Global Startup: DateInTray.lnk = C:\Program Files\DateInTray\DateInTray.exe

O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE

O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MI1933~1\Office10\EXCEL.EXE/3000

O9 - Extra button: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe

O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe

O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe

O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe

O12 - Plugin for .nwc: C:\Program Files\NoteWorthy Software\NWC Browser Plugin\npnwcw32.dll

O14 - IERESET.INF: START_PAGE_URL=http://www.rr.com

O16 - DPF: vzTCPConfig - http://www.verizon.net/checkmypc/includes/vzTCPConfig.CAB

O16 - DPF: {05CA9FB0-3E3E-4B36-BF41-0E3A5CAA8CD8} (Office Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=67633

O16 - DPF: {0CCA191D-13A6-4E29-B746-314DEE697D83} (Facebook Photo Uploader 5 Control) - http://upload.facebook.com/controls/2008.1...toUploader5.cab

O16 - DPF: {1239CC52-59EF-4DFA-8C61-90FFA846DF7E} (Musicnotes Viewer) - http://www.musicnotes.com/download/mnviewer.cab

O16 - DPF: {238F6F83-B8B4-11CF-8771-00A024541EE3} (WficaCtl Object) - http://www.genisar.com/files/genplug60.cab

O16 - DPF: {288451AE-BE24-4216-B946-8600E0498584} (DASWebShop Class) - http://das.microsoft.com/activate/cab/x86/...tail/DASAct.cab

O16 - DPF: {406B5949-7190-4245-91A9-30A17DE16AD0} (Snapfish Activia) - http://www.yorkphoto.com/YorkActivia.cab

O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} (RdxIE Class) - http://software-dl.real.com/01017a2d3f98e0...ip/RdxIE601.cab

O16 - DPF: {62475759-9E84-458E-A1AB-5D2C442ADFDE} - http://a1540.g.akamai.net/7/1540/52/200312...meInstaller.exe

O16 - DPF: {6A060448-60F9-11D5-A6CD-0002B31F7455} (ExentInf Class) - http://us.games2.yimg.com/download.games.y...ctl_0_0_0_1.ocx

O16 - DPF: {72944257-0AE0-44FD-8A51-AA21853092C8} (PhxStudent.OeSetup15) - https://mycampus.phoenix.edu/secure/PhxStudent15.CAB

O16 - DPF: {9059F30F-4EB1-4BD2-9FDC-36F43A218F4A} (Microsoft RDP Client Control (redist)) - http://www.server.recordtranscripts.com/msrdp.cab

O16 - DPF: {90C9629E-CD32-11D3-BBFB-00105A1F0D68} (InstallShield International Setup Player) - http://www.installengine.com/engine/isetup.cab

O16 - DPF: {CAFEEFAC-0014-0000-0003-ABCDEFFEDCBA} (Java Runtime Environment 1.4.0_03) -

O16 - DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} (PopCapLoader Object) - http://games.pogo.com/online2/pogo/bejewel...aploader_v6.cab

O16 - DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - http://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab

O16 - DPF: {E7D2588A-7FB5-47DC-8830-832605661009} (Live Collaboration) - http://livesc03.rightnowtech.com/audible/a...l/java/RntX.cab

O16 - DPF: {F0E2D69A-DC2F-4E9B-A993-684FB1C21DBC} - http://dictionary.reference.com/tools/toolbar/lexico.cab

O16 - DPF: {F2CA2115-C8D2-11D1-BEBD-00A0C95A6A5C} (WebReportSource Class) - http://reports.jud11.flcourts.org/viewer/a...tivexviewer.cab

O16 - DPF: {F6676623-8BBD-479C-A51B-05868728708C} (DigitalDM) - http://www.digitaldm.com/Plug-in/myebk/c/DIGITALDM2.cab

O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = rtitampa.com

O17 - HKLM\Software\..\Telephony: DomainName = rtitampa.com

O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = rtitampa.com

O23 - Service: Avira AntiVir Scheduler (AntiVirSchedulerService) - Avira GmbH - C:\Program Files\Avira\AntiVir Desktop\sched.exe

O23 - Service: Avira AntiVir Guard (AntiVirService) - Avira GmbH - C:\Program Files\Avira\AntiVir Desktop\avguard.exe

O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe

O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe

O23 - Service: C-DillaCdaC11BA - Macrovision - C:\WINDOWS\System32\drivers\CDAC11BA.EXE

O23 - Service: Compaq Advisor (Compaq_RBA) - NeoPlanet - C:\Program Files\Compaq\Compaq Advisor\bin\compaq-rba.exe

O23 - Service: GoogleDesktopManager - Google - C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe

O23 - Service: Google Software Updater (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe

O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe

O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe

O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe

O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE

O23 - Service: Macromedia Licensing Service - Macromedia - C:\Program Files\Common Files\Macromedia Shared\Service\Macromedia Licensing.exe

O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe

O23 - Service: Virtual NIC Service (PackethSvc) - America Online, Inc. - C:\WINDOWS\System32\PackethSvc.exe

O23 - Service: PCTEL Speaker Phone (Pctspk) - PCtel, Inc. - C:\WINDOWS\system32\pctspk.exe

--

End of file - 13117 bytes

And latest OTM log:

All processes killed

========== PROCESSES ==========

No active process named explorer.exe was found!

========== SERVICES/DRIVERS ==========

========== REGISTRY ==========

========== FILES ==========

C:\Program Files\AskBarDis\bar\Settings moved successfully.

C:\Program Files\AskBarDis\bar\History moved successfully.

C:\Program Files\AskBarDis\bar\Cache moved successfully.

C:\Program Files\AskBarDis\bar\bin moved successfully.

C:\Program Files\AskBarDis\bar moved successfully.

C:\Program Files\AskBarDis moved successfully.

C:\Program Files\Common Files\Real\Toolbar moved successfully.

C:\Program files\Lexico\Toolbar moved successfully.

C:\Program files\Lexico moved successfully.

========== COMMANDS ==========

[EMPTYTEMP]

User: All Users

User: Catherine

->Temp folder emptied: 101620585 bytes

->Temporary Internet Files folder emptied: 58711902 bytes

->Java cache emptied: 128020 bytes

User: Default User

->Temp folder emptied: 0 bytes

->Temporary Internet Files folder emptied: 0 bytes

User: John Tomasi

->Temp folder emptied: 0 bytes

->Temporary Internet Files folder emptied: 0 bytes

User: johntomasi

->Temp folder emptied: 0 bytes

->Temporary Internet Files folder emptied: 0 bytes

->Java cache emptied: 0 bytes

User: LocalService

->Temp folder emptied: 0 bytes

File delete failed. C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\index.dat scheduled to be deleted on reboot.

->Temporary Internet Files folder emptied: 33170 bytes

User: NetworkService

->Temp folder emptied: 0 bytes

->Temporary Internet Files folder emptied: 0 bytes

User: Owner

->Temp folder emptied: 0 bytes

->Temporary Internet Files folder emptied: 0 bytes

User: tomasijo

User: User

->Temp folder emptied: 0 bytes

->Temporary Internet Files folder emptied: 0 bytes

%systemdrive% .tmp files removed: 0 bytes

%systemroot% .tmp files removed: 0 bytes

%systemroot%\System32 .tmp files removed: 0 bytes

Windows Temp folder emptied: 41624 bytes

RecycleBin emptied: 0 bytes

Total Files Cleaned = 153.10 mb

OTM by OldTimer - Version 3.0.0.6 log created on 11062009_094143

Files moved on Reboot...

Registry entries deleted on Reboot...

Should I keep trying the Kaspersky online scan until it goes all the way through?


Should I keep trying the Kaspersky online scan until it goes all the way through?

No, I think it's a problem with Kaspersky, since I have other users that can't get it to work either. We can try something different.

Please go HERE to run Panda's ActiveScan

  • Once you are on the Panda site click the Scan your PC button
  • A new window will open...click the Check Now button
  • Enter your Country
  • Enter your State/Province
  • Enter your e-mail address and click send
  • Select either Home User or Company
  • Click the big Scan Now button
  • If it wants to install an ActiveX component allow it
  • It will start downloading the files it requires for the scan (Note: It may take a couple of minutes)
  • When download is complete, click on My Computer to start the scan
  • When the scan completes, if anything malicious is detected, click the See Report button, then Save Report and save it to a convenient location. Post the contents of the ActiveScan report


Okay that one did the trick. Here is the log:

;*******************************************************************************************

ANALYSIS: 2009-11-06 22:46:26

PROTECTIONS: 1

MALWARE: 33

SUSPECTS: 2

;*******************************************************************************************

PROTECTIONS

Description Version Active Updated

;===========================================================================================

AntiVir Desktop 9.0.1.32 No No

;===========================================================================================

MALWARE

Id Description Type Active Severity Disinfectable Disinfected Location

;===========================================================================================

00096188 spyware/searchcentrix Spyware No 1 Yes No hkey_current_user\software\dynamic toolbar

00139061 Cookie/Doubleclick TrackingCookie No 0 Yes No c:\documents and settings\catherine\cookies\catherine@doubleclick[2].txt

00139064 Cookie/Atlas DMT TrackingCookie No 0 Yes No c:\documents and settings\catherine\cookies\catherine@atdmt[1].txt

00145738 Cookie/Mediaplex TrackingCookie No 0 Yes No c:\documents and settings\catherine\cookies\catherine@mediaplex[2].txt

00168056 Cookie/YieldManager TrackingCookie No 0 Yes No c:\documents and settings\catherine\cookies\catherine@ad.yieldmanager[2].txt

00168061 Cookie/Apmebf TrackingCookie No 0 Yes No c:\documents and settings\catherine\cookies\catherine@apmebf[1].txt

00169190 Cookie/Advertising TrackingCookie No 0 Yes No c:\documents and settings\catherine\cookies\catherine@advertising[1].txt

00170556 Cookie/RealMedia TrackingCookie No 0 Yes No c:\documents and settings\user\application data\mozilla\profiles\default\gruwvscv.slt\cookies.txt[.realmedia.com/]

00171982 Cookie/QuestionMarket TrackingCookie No 0 Yes No c:\documents and settings\catherine\cookies\catherine@questionmarket[2].txt

00327373 Adware/ZapSpot Adware No 0 Yes No c:\documents and settings\user\application data\zapspot\system\etc\p3ofrmgr.exe

00327375 Adware/ZapSpot Adware No 0 Yes No c:\documents and settings\user\application data\zapspot\zapspot.exe

00527204 Application/PRScheduler HackTools No 0 Yes No c:\documents and settings\user\start menu\programs\startup\powerreg scheduler v3.exe

00527204 Application/PRScheduler HackTools No 0 Yes No c:\program files\trend micro\hijackthis\backups\backup-20091106-093813-913-powerreg scheduler v3.exe

00527204 Application/PRScheduler HackTools No 0 Yes No c:\system volume information\_restore{9b63db6c-09c2-4f05-879c-deb19a86ef40}\rp1761\a0123670.exe

00538294 Trj/Agent.LIZ Virus/Trojan No 0 Yes No c:\qoobox\quarantine\c\windows\jestertb.dll.vir

00538294 Trj/Agent.LIZ Virus/Trojan No 0 Yes No c:\system volume information\_restore{9b63db6c-09c2-4f05-879c-deb19a86ef40}\rp1760\a0123364.dll

00816208 Adware/eZula Adware No 0 Yes No c:\windows\system32\macromed\shockwave 8\xtras\download\thegroovealliance\3dgroovextrav18\groove.x32

00966839 Spyware/Virtumonde Spyware No 1 Yes No c:\program files\viewpoint\viewpoint media player\components\swfview.dll

01692698 Generic Malware Virus/Trojan No 0 Yes No c:\documents and settings\catherine\application data\macromedia\shockwave player\xtras\download\thegroovealliance\3dgroovextrav181\groove.x32

02885963 Rootkit/Booto.C Virus/Worm No 0 Yes No c:\system volume information\_restore{9b63db6c-09c2-4f05-879c-deb19a86ef40}\rp1760\a0123381.sys

03074964 Trj/CI.A Virus/Trojan No 0 Yes No c:\system volume information\_restore{9b63db6c-09c2-4f05-879c-deb19a86ef40}\rp1760\a0123373.dll

03074964 Trj/CI.A Virus/Trojan No 0 Yes No c:\qoobox\quarantine\c\windows\system32\bezayedo.dll.vir

03074964 Trj/CI.A Virus/Trojan No 0 Yes No c:\qoobox\quarantine\c\windows\system32\jijejamu.dll.vir

03074964 Trj/CI.A Virus/Trojan No 0 Yes No c:\qoobox\quarantine\c\windows\system32\pilipeho.dll.vir

03074964 Trj/CI.A Virus/Trojan No 0 Yes No c:\qoobox\quarantine\c\windows\system32\pogobiwu.dll.vir

03074964 Trj/CI.A Virus/Trojan No 0 Yes No c:\system volume information\_restore{9b63db6c-09c2-4f05-879c-deb19a86ef40}\rp1760\a0123366.dll

03074964 Trj/CI.A Virus/Trojan No 0 Yes No c:\system volume information\_restore{9b63db6c-09c2-4f05-879c-deb19a86ef40}\rp1760\a0123370.dll

03074964 Trj/CI.A Virus/Trojan No 0 Yes No c:\system volume information\_restore{9b63db6c-09c2-4f05-879c-deb19a86ef40}\rp1754\a0122918.dll

03074964 Trj/CI.A Virus/Trojan No 0 Yes No c:\system volume information\_restore{9b63db6c-09c2-4f05-879c-deb19a86ef40}\rp1759\a0123297.dll

03074964 Trj/CI.A Virus/Trojan No 0 Yes No c:\system volume information\_restore{9b63db6c-09c2-4f05-879c-deb19a86ef40}\rp1758\a0123230.dll

03074964 Trj/CI.A Virus/Trojan No 0 Yes No c:\system volume information\_restore{9b63db6c-09c2-4f05-879c-deb19a86ef40}\rp1753\a0122897.dll

03074964 Trj/CI.A Virus/Trojan No 0 Yes No c:\system volume information\_restore{9b63db6c-09c2-4f05-879c-deb19a86ef40}\rp1753\a0122898.dll

03074964 Trj/CI.A Virus/Trojan No 0 Yes No c:\system volume information\_restore{9b63db6c-09c2-4f05-879c-deb19a86ef40}\rp1753\a0122899.dll

03074964 Trj/CI.A Virus/Trojan No 0 Yes No c:\system volume information\_restore{9b63db6c-09c2-4f05-879c-deb19a86ef40}\rp1754\a0122946.dll

03074964 Trj/CI.A Virus/Trojan No 0 Yes No c:\system volume information\_restore{9b63db6c-09c2-4f05-879c-deb19a86ef40}\rp1755\a0122959.dll

03074964 Trj/CI.A Virus/Trojan No 0 Yes No c:\system volume information\_restore{9b63db6c-09c2-4f05-879c-deb19a86ef40}\rp1754\a0122907.dll

03074964 Trj/CI.A Virus/Trojan No 0 Yes No c:\system volume information\_restore{9b63db6c-09c2-4f05-879c-deb19a86ef40}\rp1759\a0123294.dll

03074964 Trj/CI.A Virus/Trojan No 0 Yes No c:\system volume information\_restore{9b63db6c-09c2-4f05-879c-deb19a86ef40}\rp1760\a0123372.dll

05513284 Generic Malware Virus/Trojan No 0 Yes No c:\system volume information\_restore{9b63db6c-09c2-4f05-879c-deb19a86ef40}\rp1754\a0122916.exe

05556201 Generic Trojan Virus/Trojan No 0 Yes No c:\system volume information\_restore{9b63db6c-09c2-4f05-879c-deb19a86ef40}\rp1754\a0122945.dll

05561639 Generic Trojan Virus/Trojan No 0 Yes No c:\system volume information\_restore{9b63db6c-09c2-4f05-879c-deb19a86ef40}\rp1759\a0123296.dll

05574594 Trj/KillAV.FJ Virus/Trojan No 0 Yes No c:\system volume information\_restore{9b63db6c-09c2-4f05-879c-deb19a86ef40}\rp1758\a0123282.dll

05580568 Generic Trojan Virus/Trojan No 0 Yes No c:\qoobox\quarantine\c\windows\system32\bitoduze.dll.vir

05580568 Generic Trojan Virus/Trojan No 0 Yes No c:\system volume information\_restore{9b63db6c-09c2-4f05-879c-deb19a86ef40}\rp1760\a0123367.dll

05580619 Generic Trojan Virus/Trojan No 0 Yes No c:\qoobox\quarantine\c\windows\system32\tesavohi.dll.vir

05580619 Generic Trojan Virus/Trojan No 0 Yes No c:\system volume information\_restore{9b63db6c-09c2-4f05-879c-deb19a86ef40}\rp1760\a0123374.dll

05581703 Generic Trojan Virus/Trojan No 0 Yes No c:\system volume information\_restore{9b63db6c-09c2-4f05-879c-deb19a86ef40}\rp1759\a0123295.dll

05583456 Generic Trojan Virus/Trojan No 0 Yes No c:\system volume information\_restore{9b63db6c-09c2-4f05-879c-deb19a86ef40}\rp1760\a0123371.dll

05583456 Generic Trojan Virus/Trojan No 0 Yes No c:\qoobox\quarantine\c\windows\system32\mupapupe.dll.vir

05584138 Spyware/Virtumonde Spyware No 1 Yes No c:\system volume information\_restore{9b63db6c-09c2-4f05-879c-deb19a86ef40}\rp1754\a0122947.dll

05585794 Trj/Zlob.KH Virus/Trojan No 1 Yes No c:\qoobox\quarantine\c\windows\system32\jifetahi.dll.vir

05585794 Trj/Zlob.KH Virus/Trojan No 1 Yes No c:\system volume information\_restore{9b63db6c-09c2-4f05-879c-deb19a86ef40}\rp1760\a0123369.dll

05586992 Spyware/Virtumonde Spyware No 1 Yes No c:\system volume information\_restore{9b63db6c-09c2-4f05-879c-deb19a86ef40}\rp1758\a0123283.dll

05587894 Generic Trojan Virus/Trojan No 0 Yes No c:\system volume information\_restore{9b63db6c-09c2-4f05-879c-deb19a86ef40}\rp1759\a0123334.dll

05593361 Generic Trojan Virus/Trojan No 0 Yes No c:\system volume information\_restore{9b63db6c-09c2-4f05-879c-deb19a86ef40}\rp1759\a0123302.dll

05594594 Generic Trojan Virus/Trojan No 0 Yes No c:\system volume information\_restore{9b63db6c-09c2-4f05-879c-deb19a86ef40}\rp1758\a0123292.dll

05595149 Generic Trojan Virus/Trojan No 0 Yes No c:\qoobox\quarantine\c\windows\system32\hefihiru.dll.vir

05595149 Generic Trojan Virus/Trojan No 0 Yes No c:\system volume information\_restore{9b63db6c-09c2-4f05-879c-deb19a86ef40}\rp1760\a0123368.dll

;===========================================================================================

SUSPECTS

Sent Location

;===========================================================================================

No c:\program files\electronic arts\need for speed - porsche unleashed\porsche.exe

No c:\system volume information\_restore{9b63db6c-09c2-4f05-879c-deb19a86ef40}\rp1759\a0123335.dll

;===========================================================================================

VULNERABILITIES

Id Severity Description

;===========================================================================================

214076 HIGH MS09-059

971486 HIGH MS09-058

214074 HIGH MS09-057

214073 HIGH MS09-056

214072 HIGH MS09-055

214071 HIGH MS09-054

213109 HIGH MS09-046

212494 HIGH MS09-042

212493 HIGH MS09-041

212490 HIGH MS09-038

212530 HIGH MS09-034

211784 HIGH MS09-032

211781 HIGH MS09-029

210625 HIGH MS09-026

210624 HIGH MS09-025

210621 HIGH MS09-022

210618 HIGH MS09-019

208380 HIGH MS09-015

208379 HIGH MS09-014

208378 HIGH MS09-013

208377 HIGH MS09-012

206981 HIGH MS09-007

206980 HIGH MS09-006

204670 HIGH MS09-001

203806 HIGH MS08-078

203508 HIGH MS08-073

203505 HIGH MS08-071

202465 HIGH MS08-068

201683 HIGH MS08-067

201258 HIGH MS08-066

201256 HIGH MS08-064

201255 HIGH MS08-063

201253 HIGH MS08-061

201250 HIGH MS08-058

209275 HIGH MS08-049

209273 HIGH MS08-045

196455 MEDIUM MS08-037

194862 HIGH MS08-032

194861 HIGH MS08-031

194860 HIGH MS08-030

191618 HIGH MS08-025

191617 HIGH MS08-024

191616 HIGH MS08-023

191614 HIGH MS08-021

191613 HIGH MS08-020

;===========================================================================================

I'll await your next set of instructions.

Have a good night.

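A defender's triage aid for a report in the layout of the Panda ActiveScan output posted above, added here as an example (it is not part of this thread and not Panda's own tooling): it parses the MALWARE rows and separates hits that still sit in a live location from tracking cookies, registry leftovers, copies already in ComboFix quarantine or HijackThis backups, and copies inside System Restore points. The sample rows are constructed from lines in the report above; the quarantine and restore-point path markers are assumptions about where those tools keep their copies.

```python
from __future__ import annotations

import re
from collections import Counter
from dataclasses import dataclass

# Constructed sample: rows copied from the ActiveScan MALWARE table above
# (Id Description Type Active Severity Disinfectable Disinfected Location).
SAMPLE_REPORT = r"""
00096188 spyware/searchcentrix Spyware No 1 Yes No hkey_current_user\software\dynamic toolbar
00139061 Cookie/Doubleclick TrackingCookie No 0 Yes No c:\documents and settings\catherine\cookies\catherine@doubleclick[2].txt
00139064 Cookie/Atlas DMT TrackingCookie No 0 Yes No c:\documents and settings\catherine\cookies\catherine@atdmt[1].txt
00327375 Adware/ZapSpot Adware No 0 Yes No c:\documents and settings\user\application data\zapspot\zapspot.exe
00527204 Application/PRScheduler HackTools No 0 Yes No c:\program files\trend micro\hijackthis\backups\backup-20091106-093813-913-powerreg scheduler v3.exe
00538294 Trj/Agent.LIZ Virus/Trojan No 0 Yes No c:\qoobox\quarantine\c\windows\jestertb.dll.vir
00966839 Spyware/Virtumonde Spyware No 1 Yes No c:\program files\viewpoint\viewpoint media player\components\swfview.dll
03074964 Trj/CI.A Virus/Trojan No 0 Yes No c:\system volume information\_restore{9b63db6c-09c2-4f05-879c-deb19a86ef40}\rp1760\a0123373.dll
"""

# One table row. Description may contain spaces ("Cookie/Atlas DMT",
# "Generic Trojan"), so it is matched lazily and pinned by the fixed-shape
# columns that follow it; Location is whatever remains on the line.
ROW_RE = re.compile(
    r"^(?P<id>\d+)\s+(?P<desc>.+?)\s+(?P<type>\S+)\s+(?P<active>Yes|No)\s+"
    r"(?P<sev>\d+)\s+(?P<disinfectable>Yes|No)\s+(?P<disinfected>Yes|No)\s+(?P<loc>.+)$"
)

# Assumed path markers: ComboFix quarantines under C:\Qoobox\Quarantine,
# HijackThis keeps its backups under its own "backups" folder, and System
# Restore snapshots live under "System Volume Information\_restore{...}".
QUARANTINE_MARKERS = ("\\qoobox\\quarantine\\", "\\hijackthis\\backups\\")
RESTORE_MARKER = "\\system volume information\\_restore"


@dataclass
class Detection:
    id: str
    description: str
    type: str
    severity: int
    location: str

    @property
    def category(self) -> str:
        """Where a hit lives decides whether it still needs action."""
        loc = self.location.lower()
        if self.type.lower() == "trackingcookie":
            return "cookie"            # browser cookie, not executable code
        if loc.startswith("hkey_"):
            return "registry"          # leftover registry key or value
        if RESTORE_MARKER in loc:
            return "system-restore"    # inert copy inside a restore point
        if any(marker in loc for marker in QUARANTINE_MARKERS):
            return "quarantine"        # already neutralised by a cleanup tool
        return "live"                  # still on disk in a live location


def parse_report(text: str) -> list[Detection]:
    """Parse every line that matches the MALWARE row layout; other lines are skipped."""
    found: list[Detection] = []
    for line in text.splitlines():
        m = ROW_RE.match(line.strip())
        if m:
            found.append(Detection(m["id"], m["desc"], m["type"], int(m["sev"]), m["loc"]))
    return found


def triage(text: str) -> Counter:
    """Count detections per category so a helper can see at a glance what is left."""
    return Counter(d.category for d in parse_report(text))


def live_hits(text: str) -> list[Detection]:
    """The rows that actually need follow-up, highest severity first."""
    return sorted((d for d in parse_report(text) if d.category == "live"),
                  key=lambda d: -d.severity)


if __name__ == "__main__":
    for category, count in sorted(triage(SAMPLE_REPORT).items()):
        print(f"{category:15} {count}")
    for d in live_hits(SAMPLE_REPORT):
        print(f"ACT ON: severity={d.severity} {d.description} -> {d.location}")
```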

Hi johnnyt,

Well done, your log appears clean... the only bad things found are already in quarantine or system restore, and the next step will take care of cleaning those out.

Now let's uninstall Combofix:

  • Click START then RUN
  • Now type Combofix /u in the runbox and click OK. Note the space between the X and the /u, it needs to be there.

===============================================

Click Here to download OTC

Double-click OTC.exe to run it.

Click the Clean up button

Click Yes to the reboot.

Now delete any logs that you have left over on your desktop.

===============================================

For some useful tips on staying clean, along with links to some freeware to help, have a look at this page.

To find out more information about how you got infected in the first place, you can read this article.

===============================================

Follow this list and your potential for being infected again will reduce dramatically.

Thanks for letting us help you!


I can't thank you enough BHowett. You have been courteous, patient, and very helpful. I thought I had a disaster on my hands and you handled it with confidence and speed. I dropped a little donation into your account. It's small but my thanks are big. Have a good weekend!
