uncleferassi Posted March 11, 2010 ID:212848 Share Posted March 11, 2010 Help!!I think Trojan.Vundo is preventing me from using malwarebytes and giving me google redirects. I renamed the Mbam.exe to something else and i scanned for viruses. I got 3 registry values that were infected. It said Malwarebytes removed it but when i scanned it again, it was still there. Malwarebyte log is attached to this message.Here is my Hijackme log:Logfile of Trend Micro HijackThis v2.0.2Scan saved at 7:11:12 PM, on 3/10/2010Platform: Windows XP SP3 (WinNT 5.01.2600)MSIE: Internet Explorer v8.00 (8.00.6001.18702)Boot mode: NormalRunning processes:C:\WINDOWS\System32\smss.exeC:\WINDOWS\system32\winlogon.exeC:\WINDOWS\system32\services.exeC:\WINDOWS\system32\lsass.exeC:\WINDOWS\system32\ibmpmsvc.exeC:\WINDOWS\system32\svchost.exeC:\WINDOWS\system32\svchost.exeC:\WINDOWS\system32\spoolsv.exeD:\Program Files\Diskeeper Corporation\Diskeeper\DkService.exeC:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exeC:\Program Files\Common Files\PC Tools\sMonitor\StartManSvc.exeC:\Program Files\Analog Devices\SoundMAX\SMAgent.exeC:\WINDOWS\system32\svchost.exeD:\Program Files\TuneUp Utilities 2010\TuneUpUtilitiesService32.exeC:\WINDOWS\system32\ZONELABS\vsmon.exeC:\WINDOWS\System32\svchost.exeD:\Program Files\TuneUp Utilities 2010\TuneUpUtilitiesApp32.exeC:\WINDOWS\system32\wscntfy.exeC:\WINDOWS\Explorer.EXED:\Program Files\Analog Devices\SoundMAX\SMax4PNP.exeC:\Program Files\Common Files\Real\Update_OB\realsched.exeD:\Program Files\PeerBlock\peerblock.exeD:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exeC:\Documents and Settings\ielizaga\Application Data\mdply3d\mdply3d.exeC:\WINDOWS\system32\rundll32.exeD:\Program Files\Mozilla Firefox 3.6 Beta 5\firefox.exeD:\Program Files\Internet Download Manager\IDMan.exeD:\Program Files\Internet Download Manager\IEMonitor.exeD:\Program Files\Trend Micro\HijackThis\HijackThis.exeR0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = Yahoo.comR1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://us.rd.yahoo.com/customize/ie/defaul...rch/search.htmlR1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = wmplayer.exeR1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = :0O1 - Hosts: 74.208.105.171 gs.apple.comO1 - Hosts: 74.208.10.249 gs.apple.comO2 - BHO: IDM Helper - {0055C089-8582-441B-A0BF-17B458C2A3A8} - D:\Program Files\Internet Download Manager\IDMIECC.dllO2 - BHO: TBSB05974 - {FCBCCB87-9224-4B8D-B117-F56D924BEB18} - D:\Program Files\Search Toolbar\tbcore3.dllO3 - Toolbar: Search Toolbar - {0C8413C1-FAD1-446C-8584-BE50576F863E} - D:\Program Files\Search Toolbar\tbcore3.dllO4 - HKLM\..\Run: [soundMAXPnP] D:\Program Files\Analog Devices\SoundMAX\SMax4PNP.exeO4 - HKLM\..\Run: [TrackPointSrv] C:\Program Files\Lenovo\TrackPoint\tp4serv.exeO4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osbootO4 - HKLM\..\Run: [vtusqpsys] rundll32.exe "iihebx.dll",DllRegisterServerO4 - HKLM\..\Run: [mlkhgddrv] rundll32.exe "tutqpn.dll",sO4 - HKCU\..\Run: [PeerBlock] D:\Program Files\PeerBlock\peerblock.exeO4 - HKCU\..\Run: [sUPERAntiSpyware] D:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exeO4 - HKCU\..\Run: [mdply3d] C:\Documents and Settings\ielizaga\Application Data\mdply3d\mdply3d.exeO4 - HKCU\..\Run: [bywxwtdrv] rundll32.exe "tutqpn.dll",sO4 - HKUS\S-1-5-18\..\Run: [khggfcsys] rundll32.exe "iihebx.dll",DllRegisterServer (User 'SYSTEM')O4 - HKUS\S-1-5-18\..\RunOnce: [TSClientMSIUninstaller] cmd.exe /C "cscript %systemroot%\Installer\TSClientMsiTrans\tscuinst.vbs" (User 'SYSTEM')O4 - HKUS\S-1-5-18\..\RunOnce: [tscuninstall] %systemroot%\system32\tscupgrd.exe (User 'SYSTEM')O4 - HKUS\.DEFAULT\..\Run: [khggfcsys] rundll32.exe "iihebx.dll",DllRegisterServer (User 'Default user')O4 - HKUS\.DEFAULT\..\RunOnce: [TSClientMSIUninstaller] cmd.exe /C "cscript %systemroot%\Installer\TSClientMsiTrans\tscuinst.vbs" (User 'Default user')O4 - Startup: StartupFasterO4 - Global Startup: StartupFasterO8 - Extra context menu item: Download all links with IDM - D:\Program Files\Internet Download Manager\IEGetAll.htmO8 - Extra context menu item: Download FLV video content with IDM - D:\Program Files\Internet Download Manager\IEGetVL.htmO8 - Extra context menu item: Download with IDM - D:\Program Files\Internet Download Manager\IEExt.htmO8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\Office12\EXCEL.EXE/3000O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - D:\PROGRA~1\MICROS~1\Office12\REFIEBAR.DLLO9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exeO9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exeO15 - Trusted Zone: http://download.windowsupdate.comO15 - Trusted Zone: http://*.windowsupdate.comO16 - DPF: {00191E43-49C2-48E2-A548-8F702D75622A} - https://conference.oracle.com/imtapp/res/jar/cnsload.cabO16 - DPF: {1239CC52-59EF-4DFA-8C61-90FFA846DF7E} (Musicnotes Viewer) - http://www.musicnotes.com/download/mnviewer.cabO16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/...b?1263780057268O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.microsoft.com/microsoftu...b?1260315087266O17 - HKLM\System\CCS\Services\Tcpip\..\{2669867D-E237-4792-8BC4-BE18FACE753C}: NameServer = 208.67.222.222,208.67.220.220O17 - HKLM\System\CCS\Services\Tcpip\..\{FD99B04C-CFE4-4D74-8C55-21BA7183A524}: NameServer = 208.67.222.222,208.67.220.220O17 - HKLM\System\CS2\Services\Tcpip\Parameters: Domain = us.oracle.comO17 - HKLM\System\CS3\Services\Tcpip\Parameters: Domain = us.oracle.comO17 - HKLM\System\CS4\Services\Tcpip\Parameters: Domain = us.oracle.comO20 - Winlogon Notify: !SASWinLogon - D:\Program Files\SUPERAntiSpyware\SASWINLO.dllO23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exeO23 - Service: Diskeeper - Diskeeper Corporation - D:\Program Files\Diskeeper Corporation\Diskeeper\DkService.exeO23 - Service: FLEXnet Licensing Service - Acresso Software Inc. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exeO23 - Service: ThinkPad PM Service (IBMPMSVC) - Lenovo - C:\WINDOWS\system32\ibmpmsvc.exeO23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exeO23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exeO23 - Service: MBAMService - Malwarebytes Corporation - D:\Program Files\Malwarebytes' Anti-Malware\mbamservice.exeO23 - Service: PC Tools Startup and Shutdown Monitor service (PCToolsSSDMonitorSvc) - PC Tools - C:\Program Files\Common Files\PC Tools\sMonitor\StartManSvc.exeO23 - Service: SoundMAX Agent Service (SoundMAX Agent Service (default)) - Analog Devices, Inc. - C:\Program Files\Analog Devices\SoundMAX\SMAgent.exeO23 - Service: TuneUp Drive Defrag Service (TuneUp.Defrag) - TuneUp Software - D:\Program Files\TuneUp Utilities 2010\TuneUpDefragService.exeO23 - Service: TuneUp Utilities Service (TuneUp.UtilitiesSvc) - TuneUp Software - D:\Program Files\TuneUp Utilities 2010\TuneUpUtilitiesService32.exeO23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs LLC - C:\WINDOWS\system32\ZONELABS\vsmon.exe--End of file - 8026 bytesmbam_log_2010_03_10__17_32_20_.txt Link to post Share on other sites More sharing options...
Kenny94 Posted March 11, 2010 ID:212957 Share Posted March 11, 2010 Hi uncleferassi And Looking over your log it seems you don't have any evidence of an anti-virus software.Anti-virus software are programs that detect cleans and erase harmful virus files on a computerWeb server or network. Unchecked virus files can unintentionally be forwarded to others including trading partners and thereby spreading infection. Because new viruses regularly emerge anti-virus software should be updated frequently. Anti-virus software can scan the computer memory and disk drives for malicious code. They can alert the user if a virus is present and will clean delete (or quarantine) infected files or directories. Please download a free anti-virus software from one these excellent vendors NOW:Avira AntiVir Personal - Free anti-virus software for Windows. Detects and removes more than 50000 viruses. Free support.avast! 5 Home Edition - Anti-virus program for Windows. The home edition is freeware for noncommercial users.AVG Anti-Virus Free Edition - Free edition of the AVG anti-virus program for Windows.Then we'll start from there, because it really makes no sense otherwise that we clean this up manually if an Antivirusscan is not present which should be able to deal with most and prevent further reinfection.With that done, please post back with a fresh HiJackThis log. Link to post Share on other sites More sharing options...
uncleferassi Posted March 12, 2010 Author ID:213321 Share Posted March 12, 2010 I installed avast and did a full scan and got 2 trojans. I removed them but i still can't open malwarebytes without doing the renaming the exe trick. Help!I also scanned with ComboFix and Superantispyware and it didn't fix it. Link to post Share on other sites More sharing options...
uncleferassi Posted March 12, 2010 Author ID:213322 Share Posted March 12, 2010 here's a new hijackthis log:Logfile of Trend Micro HijackThis v2.0.2Scan saved at 5:44:30 PM, on 3/11/2010Platform: Windows XP SP3 (WinNT 5.01.2600)MSIE: Internet Explorer v8.00 (8.00.6001.18702)Boot mode: NormalRunning processes:C:\WINDOWS\System32\smss.exeC:\WINDOWS\system32\winlogon.exeC:\WINDOWS\system32\services.exeC:\WINDOWS\system32\lsass.exeC:\WINDOWS\system32\ibmpmsvc.exeC:\WINDOWS\system32\svchost.exeC:\WINDOWS\system32\svchost.exeD:\Program Files\Alwil Software\Avast5\AvastSvc.exeC:\WINDOWS\system32\spoolsv.exeD:\Program Files\Diskeeper Corporation\Diskeeper\DkService.exeC:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exeC:\Program Files\Common Files\PC Tools\sMonitor\StartManSvc.exeC:\Program Files\Analog Devices\SoundMAX\SMAgent.exeC:\WINDOWS\system32\svchost.exeD:\Program Files\TuneUp Utilities 2010\TuneUpUtilitiesService32.exeC:\WINDOWS\system32\ZONELABS\vsmon.exeC:\WINDOWS\System32\svchost.exeD:\Program Files\TuneUp Utilities 2010\TuneUpUtilitiesApp32.exeC:\WINDOWS\system32\wscntfy.exeC:\WINDOWS\Explorer.EXED:\Program Files\Analog Devices\SoundMAX\SMax4PNP.exeC:\Program Files\Common Files\Real\Update_OB\realsched.exeD:\Program Files\PeerBlock\peerblock.exeD:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exeC:\Documents and Settings\ielizaga\Application Data\mdply3d\mdply3d.exeC:\WINDOWS\system32\rundll32.exeD:\Program Files\Mozilla Firefox 3.6 Beta 5\firefox.exeD:\Program Files\Trend Micro\HijackThis\HijackThis.exeR0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = Yahoo.comR1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://us.rd.yahoo.com/customize/ie/defaul...rch/search.htmlR1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = wmplayer.exeR1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = :0O1 - Hosts: 74.208.105.171 gs.apple.comO1 - Hosts: 74.208.10.249 gs.apple.comO2 - BHO: IDM Helper - {0055C089-8582-441B-A0BF-17B458C2A3A8} - D:\Program Files\Internet Download Manager\IDMIECC.dllO2 - BHO: TBSB05974 - {FCBCCB87-9224-4B8D-B117-F56D924BEB18} - D:\Program Files\Search Toolbar\tbcore3.dllO3 - Toolbar: Search Toolbar - {0C8413C1-FAD1-446C-8584-BE50576F863E} - D:\Program Files\Search Toolbar\tbcore3.dllO4 - HKLM\..\Run: [soundMAXPnP] D:\Program Files\Analog Devices\SoundMAX\SMax4PNP.exeO4 - HKLM\..\Run: [TrackPointSrv] C:\Program Files\Lenovo\TrackPoint\tp4serv.exeO4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osbootO4 - HKLM\..\Run: [wvvttqsys] rundll32.exe "tusrpp.dll",DllRegisterServerO4 - HKLM\..\Run: [xxxvuudrv] rundll32.exe "urppnl.dll",sO4 - HKCU\..\Run: [PeerBlock] D:\Program Files\PeerBlock\peerblock.exeO4 - HKCU\..\Run: [sUPERAntiSpyware] D:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exeO4 - HKCU\..\Run: [mdply3d] C:\Documents and Settings\ielizaga\Application Data\mdply3d\mdply3d.exeO4 - HKCU\..\Run: [byvtrpdrv] rundll32.exe "urppnl.dll",sO4 - HKUS\S-1-5-18\..\Run: [tuvsttsys] rundll32.exe "tusrpp.dll",DllRegisterServer (User 'SYSTEM')O4 - HKUS\S-1-5-18\..\RunOnce: [TSClientMSIUninstaller] cmd.exe /C "cscript %systemroot%\Installer\TSClientMsiTrans\tscuinst.vbs" (User 'SYSTEM')O4 - HKUS\S-1-5-18\..\RunOnce: [tscuninstall] %systemroot%\system32\tscupgrd.exe (User 'SYSTEM')O4 - HKUS\.DEFAULT\..\Run: [tuvsttsys] rundll32.exe "tusrpp.dll",DllRegisterServer (User 'Default user')O4 - HKUS\.DEFAULT\..\RunOnce: [TSClientMSIUninstaller] cmd.exe /C "cscript %systemroot%\Installer\TSClientMsiTrans\tscuinst.vbs" (User 'Default user')O4 - Startup: StartupFasterO4 - Global Startup: StartupFasterO8 - Extra context menu item: Download all links with IDM - D:\Program Files\Internet Download Manager\IEGetAll.htmO8 - Extra context menu item: Download FLV video content with IDM - D:\Program Files\Internet Download Manager\IEGetVL.htmO8 - Extra context menu item: Download with IDM - D:\Program Files\Internet Download Manager\IEExt.htmO8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\Office12\EXCEL.EXE/3000O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - D:\PROGRA~1\MICROS~1\Office12\REFIEBAR.DLLO9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exeO9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exeO15 - Trusted Zone: http://download.windowsupdate.comO15 - Trusted Zone: http://*.windowsupdate.comO16 - DPF: {00191E43-49C2-48E2-A548-8F702D75622A} - https://conference.oracle.com/imtapp/res/jar/cnsload.cabO16 - DPF: {1239CC52-59EF-4DFA-8C61-90FFA846DF7E} (Musicnotes Viewer) - http://www.musicnotes.com/download/mnviewer.cabO16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/...b?1263780057268O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.microsoft.com/microsoftu...b?1260315087266O17 - HKLM\System\CCS\Services\Tcpip\..\{2669867D-E237-4792-8BC4-BE18FACE753C}: NameServer = 208.67.222.222,208.67.220.220O17 - HKLM\System\CCS\Services\Tcpip\..\{FD99B04C-CFE4-4D74-8C55-21BA7183A524}: NameServer = 208.67.222.222,208.67.220.220O17 - HKLM\System\CS2\Services\Tcpip\Parameters: Domain = us.oracle.comO17 - HKLM\System\CS3\Services\Tcpip\Parameters: Domain = us.oracle.comO17 - HKLM\System\CS4\Services\Tcpip\Parameters: Domain = us.oracle.comO20 - Winlogon Notify: !SASWinLogon - D:\Program Files\SUPERAntiSpyware\SASWINLO.dllO23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exeO23 - Service: Diskeeper - Diskeeper Corporation - D:\Program Files\Diskeeper Corporation\Diskeeper\DkService.exeO23 - Service: FLEXnet Licensing Service - Acresso Software Inc. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exeO23 - Service: ThinkPad PM Service (IBMPMSVC) - Lenovo - C:\WINDOWS\system32\ibmpmsvc.exeO23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exeO23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exeO23 - Service: MBAMService - Malwarebytes Corporation - D:\Program Files\Malwarebytes' Anti-Malware\mbamservice.exeO23 - Service: PC Tools Startup and Shutdown Monitor service (PCToolsSSDMonitorSvc) - PC Tools - C:\Program Files\Common Files\PC Tools\sMonitor\StartManSvc.exeO23 - Service: SoundMAX Agent Service (SoundMAX Agent Service (default)) - Analog Devices, Inc. - C:\Program Files\Analog Devices\SoundMAX\SMAgent.exeO23 - Service: TuneUp Drive Defrag Service (TuneUp.Defrag) - TuneUp Software - D:\Program Files\TuneUp Utilities 2010\TuneUpDefragService.exeO23 - Service: TuneUp Utilities Service (TuneUp.UtilitiesSvc) - TuneUp Software - D:\Program Files\TuneUp Utilities 2010\TuneUpUtilitiesService32.exeO23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs LLC - C:\WINDOWS\system32\ZONELABS\vsmon.exe--End of file - 7967 bytes Link to post Share on other sites More sharing options...
Kenny94 Posted March 12, 2010 ID:213324 Share Posted March 12, 2010 Please note that these fixes are not instantaneous. Most infections require more than one round to properly eradicate. Stay with me until given the 'all clear' even if symptoms diminish. Lack of symptoms does not always mean the job is complete. Kindly follow my instructions and please do no fixing on your own or running of scanners unless requested by me or another helper.Please download ComboFix from Here or Here to your Desktop.**Note: In the event you already have Combofix, this is a new version that I need you to download. It is important that it is saved and renamed following this process directly to your desktop**If you are using Firefox, make sure that your download settings are as follows:Tools->Options->Main tabSet to Always ask me where to Save the files.[*]During the download, rename Combofix to Combo-Fix as follows:[*]It is important you rename Combofix during the download, but not after.[*]Please do not rename Combofix to other names, but only to the one indicated.[*]Close any open browsers.[*]Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.-----------------------------------------------------------Very Important! Temporarily disable your anti-virus, script blocking and any anti-malware real-time protection before performing a scan. They can interfere with ComboFix or remove some of its embedded files which may cause unpredictable results.Click on this link to see a list of programs that should be disabled. The list is not all inclusive. If yours is not listed and you don't know how to disable it, please ask.-----------------------------------------------------------Close any open browsers.WARNING: Combofix will disconnect your machine from the Internet as soon as it startsPlease do not attempt to re-connect your machine back to the Internet until Combofix has completely finished.If there is no internet connection after running Combofix, then restart your computer to restore back your connection.-----------------------------------------------------------[*]Double click on combo-Fix.exe & follow the prompts.[*]When finished, it will produce a report for you. [*]Please post the C:\Combo-Fix.txt for further review.**Note: Do not mouseclick combo-fix's window while it's running. That may cause it to stall** Link to post Share on other sites More sharing options...
uncleferassi Posted March 12, 2010 Author ID:213331 Share Posted March 12, 2010 Here is my combofix log:ComboFix 10-03-11.02 - Tommy 03/11/2010 17:59:56.5.1 - x86Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.1526.983 [GMT -8:00]Running from: d:\documents and settings\ielizaga\My Documents\Downloads\Combo-Fix.exe.((((((((((((((((((((((((( Files Created from 2010-02-12 to 2010-03-12 ))))))))))))))))))))))))))))))).2010-03-11 23:43 . 2010-03-11 23:43 97280 -c-ha-w- c:\windows\system32\urppnl.dll2010-03-11 23:22 . 2010-03-11 23:22 97280 -c-ha-w- c:\windows\system32\rqpoli.dll2010-03-11 23:17 . 2010-03-11 23:17 89600 -c-ha-w- c:\windows\system32\tusrpp.dll2010-03-11 23:17 . 2010-03-11 23:17 -------- dc----w- c:\documents and settings\ielizaga\Local Settings\Application Data\dmnvmcDirect2010-03-11 06:03 . 2010-03-11 06:03 96768 -c-ha-w- c:\windows\system32\fcbcbc.dll2010-03-11 05:54 . 2010-03-11 05:54 -------- d-----w- d:\program files\Alwil Software2010-03-11 03:08 . 2010-03-11 03:08 -------- d-----w- d:\program files\Trend Micro2010-03-11 02:39 . 2010-03-11 02:39 96768 -c-ha-w- c:\windows\system32\tutqpn.dll2010-03-10 18:40 . 2010-03-10 18:40 -------- dc----w- c:\documents and settings\ielizaga\Local Settings\Application Data\catp2pgfx2010-03-10 18:40 . 2010-03-11 23:17 78367 -c--a-w- c:\documents and settings\ielizaga\pod60.exe2010-03-10 14:42 . 2010-03-10 14:42 96768 -c-ha-w- c:\windows\system32\ssrspp.dll2010-03-10 05:53 . 2010-03-10 05:53 96768 -c-ha-w- c:\windows\system32\rqonnm.dll2010-03-10 04:54 . 2010-03-10 04:54 96768 -c-ha-w- c:\windows\system32\urroll.dll2010-03-10 03:31 . 2010-01-27 02:04 60592 -c--a-w- c:\documents and settings\All Users\Application Data\Toolbar4\{0C8413C1-FAD1-446C-8584-BE50576F863E}\update.exe2010-03-10 03:31 . 2010-01-27 02:04 46256 -c--a-w- c:\documents and settings\All Users\Application Data\Toolbar4\{0C8413C1-FAD1-446C-8584-BE50576F863E}\uninstall.exe2010-03-10 03:31 . 2010-03-10 03:31 -------- dc----w- c:\documents and settings\All Users\Application Data\Toolbar42010-03-10 03:31 . 2010-03-10 04:47 -------- d-----w- d:\program files\Search Toolbar2010-03-10 02:52 . 2010-03-10 02:52 96768 -c-ha-w- c:\windows\system32\wvwvus.dll2010-03-10 00:04 . 2010-03-10 00:04 96768 -c-ha-w- c:\windows\system32\vttqqn.dll2010-03-09 17:19 . 2010-03-09 17:19 -------- dc----w- c:\documents and settings\ielizaga\Local Settings\Application Data\comodbc3D2010-03-09 15:21 . 2010-03-09 15:21 96768 -c-ha-w- c:\windows\system32\fcywuu.dll2010-03-09 05:17 . 2010-01-08 00:07 38224 -c--a-w- c:\windows\system32\drivers\mbamswissarmy.sys2010-03-09 05:17 . 2010-01-08 00:07 19160 -c--a-w- c:\windows\system32\drivers\mbam.sys2010-03-09 03:35 . 2010-03-09 03:35 96768 -c-ha-w- c:\windows\system32\yaabxy.dll2010-03-08 15:22 . 2010-03-08 15:22 -------- dc----w- c:\documents and settings\ielizaga\Local Settings\Application Data\audionvrsClient2010-03-07 05:24 . 2010-03-11 23:56 -------- dc----w- c:\documents and settings\ielizaga\Local Settings\Application Data\xmlmap972010-03-07 01:10 . 2010-03-07 01:10 -------- d-----w- d:\program files\SystemRequirementsLab2010-03-07 01:10 . 2010-03-07 01:10 85504 -c--a-w- c:\documents and settings\ielizaga\Application Data\SystemRequirementsLab\srlproxy_cyri_4.1.71.0A.dll2010-03-06 04:14 . 2010-03-06 04:14 118784 -c--a-w- c:\documents and settings\All Users\Application Data\Real\RealPlayer\BrowserRecordPlugin\ThinShims\rpnpshimwmp.dll2010-03-06 04:14 . 2010-03-06 04:14 118784 -c--a-w- c:\documents and settings\All Users\Application Data\Real\RealPlayer\BrowserRecordPlugin\ThinShims\rpnpshimswf.dll2010-03-06 04:14 . 2010-03-06 04:14 118784 -c--a-w- c:\documents and settings\All Users\Application Data\Real\RealPlayer\BrowserRecordPlugin\ThinShims\rpnpshimrp.dll2010-03-06 00:24 . 2010-03-06 00:24 2284402 -c--a-w- c:\documents and settings\ielizaga\Application Data\IDM\DwnlData\Tommy\setup_av_free_635\setup_av_free.exe2010-03-05 04:37 . 2009-12-17 23:08 30024 -c--a-w- c:\windows\system32\uxtuneup.dll2010-03-05 01:08 . 2010-03-05 01:08 4653870 -c--a-w- c:\documents and settings\ielizaga\Application Data\IDM\DwnlData\Tommy\setup_av_free_632\setup_av_free.exe2010-03-05 01:03 . 2010-03-05 01:04 2101490 -c--a-w- c:\documents and settings\ielizaga\Application Data\IDM\DwnlData\Tommy\avira_antivir_personal_en_631\avira_antivir_personal_en.exe2010-03-03 22:12 . 2010-03-03 22:12 1207722 -c--a-w- c:\documents and settings\ielizaga\Application Data\IDM\DwnlData\Tommy\asc-setup_628\asc-setup.exe2010-03-03 02:19 . 2010-03-03 02:19 -------- dc----w- c:\documents and settings\ielizaga\Local Settings\Application Data\Cranium2010-03-03 02:18 . 2010-03-03 02:18 25214 -c--a-r- c:\documents and settings\ielizaga\Application Data\Microsoft\Installer\{C1FCDCA1-2759-4E5E-84EE-3A665BB2F513}\_E38944F26F8D876B004311.exe2010-03-03 02:18 . 2010-03-03 02:18 10398 -c--a-r- c:\documents and settings\ielizaga\Application Data\Microsoft\Installer\{C1FCDCA1-2759-4E5E-84EE-3A665BB2F513}\_6FA99008F6BBB97A091E2D.exe2010-03-03 02:18 . 2010-03-03 02:18 -------- d-----w- d:\program files\iPhoneBrowser2010-03-02 04:51 . 2010-03-02 04:51 -------- dc----r- C:\MSOCache2010-03-02 03:45 . 2010-03-02 03:45 -------- dc----w- c:\documents and settings\ielizaga\Local Settings\Application Data\Cranium_Consulting_and_Cu2010-03-01 01:15 . 2010-03-01 01:15 -------- dc----w- c:\documents and settings\LocalService\Application Data\GameTracker2010-02-28 18:27 . 2010-02-28 18:27 -------- d-----w- d:\program files\FFmpeg for Audacity2010-02-28 16:55 . 2009-12-11 08:38 69120 -c----w- c:\windows\system32\dllcache\iecompat.dll2010-02-28 16:54 . 2010-02-28 16:54 -------- dc----w- c:\windows\Media2010-02-28 05:54 . 2010-02-28 05:54 -------- d-----w- d:\program files\microsoft frontpage2010-02-28 05:38 . 2010-02-28 05:38 1496576 -c-h--w- c:\windows\system32\wodfamop.dll2010-02-28 02:03 . 2010-03-01 00:36 -------- dc----w- c:\documents and settings\ielizaga\Application Data\Microsoft Games2010-02-28 00:22 . 2010-02-28 00:22 53248 -c--a-r- c:\documents and settings\ielizaga\Application Data\Microsoft\Installer\{9AA761E6-CA51-4FF2-A552-D51638BF0595}\_F522ED7EA612_4117_B86D_78467DE01E30.exe2010-02-27 23:28 . 2010-02-27 23:28 -------- dc----w- c:\documents and settings\ielizaga\Application Data\Grasssoft2010-02-27 23:28 . 2010-02-28 00:31 -------- dc----w- c:\documents and settings\All Users\Application Data\Grasssoft2010-02-27 18:30 . 2010-02-27 18:30 -------- d-----w- d:\program files\CrisisX2010-02-27 18:13 . 2010-02-27 18:13 -------- dc----w- c:\documents and settings\All Users\Application Data\Speedbit2010-02-27 08:42 . 2010-02-27 08:42 -------- dc----w- c:\documents and settings\ielizaga\Local Settings\Application Data\WinZip2010-02-27 08:41 . 2010-02-27 17:26 -------- dc----w- c:\documents and settings\All Users\Application Data\WinZip2010-02-27 07:22 . 2010-02-27 07:52 -------- dc----w- c:\documents and settings\All Users\Application Data\Alwil Software2010-02-27 04:08 . 2010-02-27 04:08 -------- dc----w- c:\program files\Common Files\DivX Shared2010-02-26 02:20 . 2010-02-26 02:20 -------- dc----w- c:\documents and settings\ielizaga\Local Settings\Application Data\SupportSoft2010-02-26 02:20 . 2010-02-26 02:20 -------- dc----w- c:\program files\Common Files\SupportSoft2010-02-25 05:42 . 2010-02-25 06:13 -------- dc----w- c:\documents and settings\All Users\Application Data\Systweak2010-02-25 05:40 . 2010-02-25 06:13 -------- dc----w- c:\documents and settings\ielizaga\Application Data\Systweak2010-02-25 05:40 . 2010-02-25 05:40 -------- dc----w- c:\documents and settings\All Users\Application Data\MyDefrag2010-02-25 02:28 . 2010-02-25 02:28 -------- dc----w- C:\Diskeeper2010-02-24 01:29 . 2008-06-20 17:46 245248 -c----w- c:\windows\system32\dllcache\mswsock.dll2010-02-24 01:29 . 2008-06-20 17:46 147968 -c----w- c:\windows\system32\dllcache\dnsapi.dll2010-02-24 01:29 . 2008-06-20 11:08 225856 -c----w- c:\windows\system32\dllcache\tcpip6.sys2010-02-23 15:43 . 2010-02-24 04:19 -------- d-----w- d:\program files\Microsoft Works2010-02-23 15:42 . 2010-02-23 15:42 -------- d-----w- d:\program files\Microsoft.NET2010-02-23 04:57 . 2009-11-11 12:26 557056 -c--a-w- c:\windows\system32\Netw2c32.dll2010-02-23 04:57 . 2009-11-11 12:26 2732032 -c--a-w- c:\windows\system32\Netw2r32.dll2010-02-23 04:51 . 2010-03-07 01:10 -------- dc----w- c:\documents and settings\ielizaga\Application Data\SystemRequirementsLab2010-02-23 04:51 . 2010-02-23 04:51 88576 -c--a-w- c:\documents and settings\ielizaga\Application Data\SystemRequirementsLab\srlproxy_intel_4_1_47_0_d.dll2010-02-23 04:51 . 2010-02-23 04:51 88576 -c--a-w- c:\documents and settings\ielizaga\Application Data\SystemRequirementsLab\srlproxy_intel_4_1_47_0_c.dll2010-02-23 04:51 . 2010-02-23 04:51 88576 -c--a-w- c:\documents and settings\ielizaga\Application Data\SystemRequirementsLab\srlproxy_intel_4_1_47_0_b.dll2010-02-23 04:51 . 2010-02-23 04:51 88576 -c--a-w- c:\documents and settings\ielizaga\Application Data\SystemRequirementsLab\srlproxy_intel_4_1_47_0_a.dll2010-02-23 04:48 . 2010-02-23 04:48 -------- d-----w- d:\program files\Analog Devices2010-02-22 06:23 . 2010-03-07 06:23 -------- d--h--w- d:\program files\InstallShield Installation Information2010-02-22 00:17 . 2010-02-22 00:17 -------- dc----w- c:\documents and settings\ielizaga\Application Data\GameRanger2010-02-21 18:56 . 2010-02-21 18:56 -------- dc----w- c:\documents and settings\All Users\Application Data\Office Genuine Advantage2010-02-21 05:20 . 2010-02-21 05:20 -------- dc----w- c:\documents and settings\ielizaga\Application Data\Registry Mechanic2010-02-21 05:16 . 2010-02-21 05:16 -------- dc----w- c:\program files\Common Files\PC Tools2010-02-21 02:37 . 2010-02-21 04:08 4 -c--a-w- c:\windows\vx86036.dat2010-02-21 02:37 . 2010-02-21 02:37 -------- dc----w- c:\documents and settings\All Users\CrypKey2010-02-21 02:36 . 2010-02-21 02:36 -------- dc----w- c:\documents and settings\ielizaga\Local Settings\Application Data\localntLang2010-02-20 22:09 . 2010-02-21 05:41 -------- dc----w- c:\documents and settings\ielizaga\Application Data\URSoft2010-02-20 22:09 . 2010-02-20 22:09 -------- d-----w- d:\program files\Your Uninstaller 20102010-02-20 21:47 . 2010-02-20 21:47 -------- d-----w- d:\program files\Lame for Audacity2010-02-20 21:46 . 2010-03-11 05:29 -------- dc----w- c:\documents and settings\ielizaga\Application Data\Audacity2010-02-18 03:34 . 2004-03-25 03:44 151552 -c--a-w- c:\windows\system32\HexValidEmail.dll2010-02-18 03:34 . 2004-03-25 03:44 102400 -c--a-w- c:\windows\system32\HexDns.dll2010-02-18 03:34 . 2001-09-12 01:23 24576 -c--a-w- c:\windows\system32\snEUps.dll2010-02-18 03:34 . 2001-07-18 18:42 122880 -c--a-w- c:\windows\system32\snEU.exe2010-02-18 03:33 . 2010-02-18 03:33 -------- d-----w- d:\program files\Common Files2010-02-18 02:44 . 2006-01-26 17:26 147456 -c--a-w- c:\windows\system32\DARTUTIL.DLL2010-02-18 02:44 . 2006-01-26 17:24 221184 -c--a-w- c:\windows\system32\DartSock.dll2010-02-18 02:44 . 2006-01-26 17:24 196608 -c--a-w- c:\windows\system32\DartSecure2.dll2010-02-18 02:44 . 2006-01-26 17:24 155648 -c--a-w- c:\windows\system32\DartCertificate.dll2010-02-18 01:24 . 2010-02-18 01:24 -------- d-----w- d:\program files\Fear-Otaku Software2010-02-17 02:37 . 2010-02-17 02:37 -------- dc----w- c:\documents and settings\ielizaga\Application Data\Office Genuine Advantage2010-02-14 19:40 . 2010-03-07 01:47 -------- d-----w- d:\program files\Counter-Strike 1.62010-02-14 18:45 . 2010-02-14 18:45 -------- dc----w- c:\program files\Common Files\Macrovision Shared2010-02-14 06:16 . 2010-02-15 06:37 -------- d-----w- d:\program files\Unlocker2010-02-14 05:41 . 2010-03-01 14:57 -------- d-----w- d:\program files\Recuva2010-02-13 20:56 . 2010-02-13 20:56 -------- dc----w- c:\program files\Common Files\SPBA2010-02-13 20:56 . 2010-02-13 20:58 -------- d-----w- d:\program files\ThinkVantage Fingerprint Software2010-02-11 04:51 . 2010-02-11 04:51 22382 -c--a-r- c:\documents and settings\ielizaga\Application Data\Microsoft\Installer\{7CC4EFDB-14AE-47F1-831E-D979FA6FB137}\_6FEFF9B68218417F98F549.exe2010-02-11 04:51 . 2010-02-11 04:51 22382 -c--a-r- c:\documents and settings\ielizaga\Application Data\Microsoft\Installer\{7CC4EFDB-14AE-47F1-831E-D979FA6FB137}\_21F3885A18D238E15AAE81.exe2010-02-11 04:51 . 2010-02-11 04:51 1406 -c--a-r- c:\documents and settings\ielizaga\Application Data\Microsoft\Installer\{7CC4EFDB-14AE-47F1-831E-D979FA6FB137}\_D707CE1C009F1381803C2C.exe2010-02-11 03:24 . 2009-08-29 03:42 40448 -c--a-w- c:\windows\system32\drivers\usbaapl.sys2010-02-11 03:24 . 2009-08-29 03:42 2065696 -c--a-w- c:\windows\system32\usbaaplrc.dll2010-02-11 03:12 . 2010-02-11 03:12 72488 -c--a-w- c:\documents and settings\All Users\Application Data\Apple Computer\Installer Cache\iTunes 9.0.3.15\SetupAdmin.exe2010-02-10 22:34 . 2010-02-10 22:34 52224 -c--a-w- c:\documents and settings\ielizaga\Application Data\SUPERAntiSpyware.com\SUPERAntiSpyware\SDDLLS\SD10005.dll2010-02-10 22:34 . 2010-02-25 05:18 -------- d-----w- d:\program files\SUPERAntiSpyware2010-02-10 22:33 . 2010-02-12 05:54 -------- dc----w- c:\program files\Common Files\Wise Installation Wizard.(((((((((((((((((((((((((((((((((((((((( Find3M Report )))))))))))))))))))))))))))))))))))))))))))))))))))).2010-03-12 02:08 . 2010-01-09 23:31 -------- d-----w- d:\program files\PeerBlock2010-03-12 01:25 . 2008-11-26 03:06 -------- dc--a-w- c:\documents and settings\All Users\Application Data\TEMP2010-03-11 23:59 . 2009-12-11 02:36 -------- d-----w- d:\program files\Malwarebytes' Anti-Malware2010-03-11 23:34 . 2010-03-11 23:39 9230336 -c--a-w- c:\windows\Internet Logs\xDB12.tmp2010-03-11 06:28 . 2009-12-31 07:05 37536 -c--a-w- c:\windows\system32\RW_AppData.dat2010-03-11 06:28 . 2009-12-31 07:05 36880 -c--a-w- c:\windows\system32\RW_FileType.dat2010-03-11 06:28 . 2009-12-31 07:05 336 -c--a-w- c:\windows\system32\RW_{92EAF043-8CD7-11DC-ACCF-806D6172696F}.dat2010-03-11 06:28 . 2009-12-31 07:05 312 -c--a-w- c:\windows\system32\RW_FileFlag.dat2010-03-11 06:28 . 2009-12-31 07:05 2912 -c--a-w- c:\windows\system32\RW_{92EAF041-8CD7-11DC-ACCF-806D6172696F}.dat2010-03-11 06:26 . 2010-03-11 23:13 9213952 -c--a-w- c:\windows\Internet Logs\xDB11.tmp2010-03-11 06:23 . 2010-03-11 06:24 9238528 -c--a-w- c:\windows\Internet Logs\xDBF.tmp2010-03-11 06:12 . 2010-03-11 06:25 18944 -c--a-w- c:\windows\Internet Logs\xDB10.tmp2010-03-11 06:11 . 2009-08-30 20:10 -------- dc----w- c:\documents and settings\ielizaga\Application Data\DMCache2010-03-11 05:55 . 2010-03-11 05:59 9229312 -c--a-w- c:\windows\Internet Logs\xDBE.tmp2010-03-11 00:24 . 2010-03-11 00:26 9225728 -c--a-w- c:\windows\Internet Logs\xDBC.tmp2010-03-10 18:40 . 2010-03-11 00:26 16896 -c--a-w- c:\windows\Internet Logs\xDBD.tmp2010-03-10 06:26 . 2010-03-10 14:37 9283072 -c--a-w- c:\windows\Internet Logs\xDBB.tmp2010-03-10 05:09 . 2010-01-19 05:55 -------- dc----w- c:\documents and settings\ielizaga\Application Data\TeraCopy2010-03-10 04:47 . 2010-03-10 04:49 9284608 -c--a-w- c:\windows\Internet Logs\xDB9.tmp2010-03-10 04:46 . 2010-03-10 04:49 21504 -c--a-w- c:\windows\Internet Logs\xDBA.tmp2010-03-10 03:04 . 2009-09-28 01:39 -------- dc----w- c:\documents and settings\All Users\Application Data\Rosetta Stone2010-03-09 13:33 . 2010-03-09 15:16 9218048 -c--a-w- c:\windows\Internet Logs\xDB7.tmp2010-03-09 06:20 . 2010-01-12 03:14 -------- d-----w- d:\program files\Minilyrics2010-03-09 06:20 . 2010-03-09 15:17 18432 -c--a-w- c:\windows\Internet Logs\xDB8.tmp2010-03-08 04:42 . 2010-03-08 15:19 9193984 -c--a-w- c:\windows\Internet Logs\xDB6.tmp2010-03-08 01:16 . 2010-03-08 01:18 9192960 -c--a-w- c:\windows\Internet Logs\xDB5.tmp2010-03-07 21:21 . 2010-03-07 21:26 9219584 -c--a-w- c:\windows\Internet Logs\xDB4.tmp2010-03-07 06:14 . 2010-03-07 06:17 9198592 -c--a-w- c:\windows\Internet Logs\xDB2.tmp2010-03-07 05:24 . 2010-03-07 06:17 23040 -c--a-w- c:\windows\Internet Logs\xDB3.tmp2010-03-06 06:28 . 2010-03-06 19:22 9434112 -c--a-w- c:\windows\Internet Logs\xDB1.tmp2010-03-06 04:14 . 2010-03-06 04:14 118784 -c--a-w- c:\documents and settings\All Users\Application Data\Real\RealPlayer\BrowserRecordPlugin\ThinShims\rpnpshimqt.dll2010-03-06 04:14 . 2010-03-06 04:14 118784 -c--a-w- c:\documents and settings\All Users\Application Data\Real\RealPlayer\BrowserRecordPlugin\Firefox\Ext\Components\nprpffbrowserrecordext.dll2010-03-06 04:14 . 2010-03-06 04:14 329312 -c--a-w- c:\documents and settings\All Users\Application Data\Real\RealPlayer\BrowserRecordPlugin\IE\rpbrowserrecordplugin.dll2010-03-06 04:14 . 2010-03-06 04:14 300616 -c--a-w- c:\documents and settings\All Users\Application Data\Real\RealPlayer\BrowserRecordPlugin\Common\rpmainbrowserrecordplugin.dll2010-03-06 04:14 . 2010-03-06 04:14 118784 -c--a-w- c:\documents and settings\All Users\Application Data\Real\RealPlayer\BrowserRecordPlugin\Chrome\Hook\rpchromebrowserrecordhelper.dll2010-03-06 04:14 . 2010-03-06 02:43 -------- dc----w- c:\program files\Common Files\Real2010-03-06 04:14 . 2010-03-06 02:43 -------- d-----w- d:\program files\Real2010-03-06 04:14 . 2010-03-06 04:14 -------- dc----w- c:\program files\Common Files\xing shared2010-03-06 04:13 . 2006-07-12 01:35 348160 -c--a-w- c:\windows\system32\msvcr71.dll2010-03-06 04:11 . 2010-03-06 04:11 373551 -c--a-w- c:\documents and settings\ielizaga\Application Data\mdply3d\mdply3d.exe2010-03-06 04:11 . 2010-03-06 04:11 -------- dc----w- c:\documents and settings\ielizaga\Application Data\mdply3d2010-03-06 04:11 . 2010-03-06 04:11 373551 -c--a-w- c:\documents and settings\ielizaga\mdply3d.exe2010-03-06 02:56 . 2010-03-06 02:56 439816 -c--a-w- c:\documents and settings\ielizaga\Application Data\Real\Update\setup3.10\setup.exe2010-03-05 06:25 . 2006-02-13 19:53 -------- dc----w- c:\program files\Common Files\Adobe2010-03-05 06:04 . 2010-01-19 05:55 -------- d-----w- d:\program files\TeraCopy2010-03-05 04:37 . 2009-11-08 18:42 -------- d-----w- d:\program files\TuneUp Utilities 20102010-03-04 06:27 . 2010-02-03 02:19 -------- dc----w- c:\documents and settings\ielizaga\Application Data\vlc2010-03-02 01:35 . 2009-01-29 01:43 -------- dc----w- c:\documents and settings\All Users\Application Data\Microsoft Help2010-03-01 14:55 . 2009-03-27 23:32 -------- d-----w- d:\program files\CCleaner2010-02-26 23:55 . 2008-04-14 12:00 361600 -c--a-w- c:\windows\system32\drivers\TCPIP.SYS2010-02-26 23:55 . 2009-01-04 02:30 361600 -c--a-w- c:\windows\system32\drivers\TCPIP.SYS.ORIGINAL2010-02-24 04:24 . 2006-01-30 20:34 107592 -c--a-w- c:\documents and settings\Administrator\Local Settings\Application Data\GDIPFONTCACHEV1.DAT2010-02-24 02:48 . 2007-11-27 02:06 107592 -c--a-w- c:\documents and settings\ielizaga\Local Settings\Application Data\GDIPFONTCACHEV1.DAT2010-02-23 00:28 . 2009-11-01 01:03 -------- dc----w- c:\documents and settings\ielizaga\Application Data\IDM2010-02-22 06:30 . 2009-07-29 01:51 53319 -c--a-w- c:\documents and settings\All Users\Application Data\TEMP\{A8516AC9-AAF1-47F9-9766-03E2D4CDBCF8}\PostBuild.exe2010-02-22 06:25 . 2009-07-29 01:56 53319 -c--a-w- c:\documents and settings\All Users\Application Data\TEMP\{8C20787A-7402-4FA7-BF25-6E5750930FDC}\PostBuild.exe2010-02-21 19:52 . 2009-07-11 22:49 -------- d-----w- d:\program files\Cheat Engine2010-02-20 23:41 . 2009-11-01 01:03 -------- d-----w- d:\program files\Internet Download Manager2010-02-20 21:46 . 2009-12-08 00:17 -------- d-----w- d:\program files\Audacity 1.3 Beta (Unicode)2010-02-20 02:29 . 2009-04-17 05:40 519 -c--a-w- c:\windows\PowerReg.dat2010-02-13 20:25 . 2009-10-09 02:32 36864 -c--a-w- c:\documents and settings\All Users\Application Data\TEMP\{CB099890-1D5F-11D5-9EA9-0050BAE317E1}\PostBuild.exe2010-02-13 06:51 . 2009-08-11 00:52 3864064 -c--a-w- c:\documents and settings\All Users\Application Data\TuneUp Software\TuneUp Utilities\WinStyler\tu_logonui.exe2010-02-13 06:18 . 2009-08-11 00:50 2328832 -c--a-w- c:\windows\system32\TUKernel.exe2010-02-11 03:28 . 2010-01-05 04:02 -------- d-----w- d:\program files\iTunes2010-02-11 03:27 . 2010-01-20 03:39 -------- dc----w- c:\program files\Common Files\Apple2010-02-10 22:40 . 2009-10-20 14:01 117760 -c--a-w- c:\documents and settings\ielizaga\Application Data\SUPERAntiSpyware.com\SUPERAntiSpyware\SDDLLS\UIREPAIR.DLL2010-02-10 01:10 . 2009-12-20 22:19 -------- d-----w- d:\program files\K-Lite Codec Pack2010-02-07 18:41 . 2009-12-31 07:05 1176 -c--a-w- c:\windows\system32\RW_{7F6357F4-DF90-11DE-92E3-0013CE55A177}.dat2010-02-07 04:23 . 2009-12-12 03:13 -------- d-----w- d:\program files\Rosetta Stone2010-02-03 04:35 . 2010-01-15 06:14 -------- d-----w- d:\program files\Winamp2010-02-03 02:19 . 2009-04-04 00:06 4876 -c--a-w- c:\windows\system32\d3d9caps.dat2010-02-03 00:22 . 2009-11-01 01:04 198064 -c--a-w- c:\documents and settings\ielizaga\Application Data\IDM\idmmzcc3\components\idmmzcc.dll2010-02-02 18:00 . 2009-12-20 22:19 85504 -c--a-w- c:\windows\system32\ff_vfw.dll2010-01-31 08:46 . 2010-01-31 08:46 -------- dc----w- c:\program files\Common Files\Config2010-01-30 03:17 . 2009-12-23 01:17 -------- d-----w- d:\program files\Mozilla Firefox 3.6 Beta 52010-01-25 04:58 . 2010-01-25 04:54 -------- dc----w- c:\documents and settings\All Users\Application Data\DFX2010-01-25 04:54 . 2010-01-25 04:54 -------- d-----w- d:\program files\DFX2010-01-25 04:54 . 2010-01-25 04:54 -------- dc----w- c:\program files\Common Files\DFX2010-01-21 00:22 . 2010-01-21 00:13 36864 -c--a-w- c:\documents and settings\All Users\Application Data\TEMP\{9867824A-C86D-4A83-8F3C-E7A86BE0AFD3}\PostBuild.exe2010-01-20 03:46 . 2008-07-13 16:57 -------- dc----w- c:\documents and settings\All Users\Application Data\Apple Computer2010-01-20 01:59 . 2010-01-20 01:59 -------- dc----w- c:\documents and settings\LocalService\Application Data\CyberLink2010-01-18 04:45 . 2010-01-18 04:45 -------- dc----w- c:\program files\Common Files\Diskeeper Corporation2010-01-18 04:45 . 2010-01-18 04:45 -------- dc----w- c:\documents and settings\All Users\Application Data\Diskeeper Corporation2010-01-18 01:14 . 2003-02-04 17:50 23444 -c--a-w- c:\windows\system32\emptyregdb.dat2010-01-17 05:41 . 2008-10-27 02:55 411368 -c--a-w- c:\windows\system32\deploytk.dll2010-01-17 05:41 . 2010-01-17 05:41 -------- d-----w- d:\program files\Java2010-01-17 04:55 . 2009-04-14 17:38 -------- d-----w- d:\program files\Yahoo!2010-01-16 05:30 . 2010-01-15 06:14 -------- dc----w- c:\documents and settings\ielizaga\Application Data\Winamp2009-12-31 16:50 . 2008-04-14 12:00 353792 -c--a-w- c:\windows\system32\drivers\srv.sys2009-12-21 19:14 . 2008-04-14 12:00 916480 -c----w- c:\windows\system32\wininet.dll2009-12-17 23:14 . 2009-11-08 18:43 30536 -c--a-w- c:\windows\system32\TURegOpt.exe2009-12-16 18:43 . 2003-02-04 17:49 343040 -c--a-w- c:\windows\system32\mspaint.exe2009-12-14 20:33 . 2010-01-01 08:41 53248 -c--a-w- c:\windows\system32\CSVer.dll2009-12-14 07:08 . 2008-04-14 12:00 33280 -c--a-w- c:\windows\system32\csrsrv.dll2009-12-12 14:15 . 2009-09-19 03:29 178176 -c--a-w- c:\windows\system32\unrar.dll.------- Sigcheck -------[-] 2010-02-26 . D24EA301E2B36C4E975FD216CA85D8E7 . 361600 . . [5.1.2600.5625] . . c:\windows\system32\dllcache\TCPIP.SYS[-] 2010-02-26 . D24EA301E2B36C4E975FD216CA85D8E7 . 361600 . . [5.1.2600.5625] . . c:\windows\system32\drivers\TCPIP.SYS[7] 2008-06-20 . AD978A1B783B5719720CFF204B666C8E . 361600 . . [5.1.2600.5625] . . c:\windows\$hf_mig$\KB951748\SP3QFE\tcpip.sys[7] 2008-06-20 . 9AEFA14BD6B182D61E3119FA5F436D3D . 361600 . . [5.1.2600.5625] . . c:\windows\ERDNT\cache\TCPIP.SYS.((((((((((((((((((((((((((((( SnapShot@2010-03-09_04.44.51 ))))))))))))))))))))))))))))))))))))))))).+ 2010-03-11 23:39 . 2010-03-11 23:39 16384 c:\windows\Temp\Perflib_Perfdata_4b0.dat.((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))..*Note* empty entries & legit default entries are not shown REGEDIT4[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]"{0C8413C1-FAD1-446C-8584-BE50576F863E}"= "d:\program files\Search Toolbar\tbcore3.dll" [2010-01-27 2771120][HKEY_CLASSES_ROOT\clsid\{0c8413c1-fad1-446c-8584-be50576f863e}][HKEY_CLASSES_ROOT\TBSB05974.TBSB05974.3][HKEY_CLASSES_ROOT\TypeLib\{EC4085F2-8DB3-45a6-AD0B-CA289F3C5D7E}][HKEY_CLASSES_ROOT\TBSB05974.TBSB05974][HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]"PeerBlock"="d:\program files\PeerBlock\peerblock.exe" [2010-03-09 1738352]"SUPERAntiSpyware"="d:\program files\SUPERAntiSpyware\SUPERAntiSpyware.exe" [2010-02-10 2002160]"mdply3d"="c:\documents and settings\ielizaga\Application Data\mdply3d\mdply3d.exe" [2010-03-06 373551]"byvtrpdrv"="urppnl.dll" [2010-03-11 97280][HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]"SoundMAXPnP"="d:\program files\Analog Devices\SoundMAX\SMax4PNP.exe" [2004-10-14 1388544]"TrackPointSrv"="c:\program files\Lenovo\TrackPoint\tp4serv.exe" [2009-06-26 92960]"TkBellExe"="c:\program files\Common Files\Real\Update_OB\realsched.exe" [2010-03-06 202256]"wvvttqsys"="tusrpp.dll" [2010-03-11 89600]"xxxvuudrv"="urppnl.dll" [2010-03-11 97280][HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]"tuvsttsys"="tusrpp.dll" [2010-03-11 89600][HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce]"TSClientMSIUninstaller"="c:\windows\Installer\TSClientMsiTrans\tscuinst.vbs" [2007-10-30 13801]"TSClientAXDisabler"="c:\windows\Installer\TSClientMsiTrans\tscdsbl.bat" [2008-01-18 2247]"tscuninstall"="c:\windows\system32\tscupgrd.exe" [2004-08-04 44544][HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]"NoResolveTrack"= 1 (0x1)"NoStartMenuEjectPC"= 1 (0x1)[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "d:\program files\SUPERAntiSpyware\SASSEH.DLL" [2008-05-13 77824][HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]2009-09-03 22:21 548352 ----a-w- d:\program files\SUPERAntiSpyware\SASWINLO.dll[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\PCANotify]2004-11-01 19:50 8704 ----a-w- c:\windows\system32\PCANotify.dll[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\psfus]2009-12-01 21:41 100104 ----a-w- d:\program files\ThinkVantage Fingerprint Software\psqlpwd.dll[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]Authentication Packages REG_MULTI_SZ msv1_0 tusrpp.dll[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Wdf01000.sys]@="Driver"[HKLM\~\startupfolder\C:^Documents and Settings^ielizaga^Start Menu^Programs^Startup^GameRanger.lnk]backup=c:\windows\pss\GameRanger.lnkStartup[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]"WMPNetworkSvc"=3 (0x3)"WMDM PMSP Service"=2 (0x2)"wlidsvc"=2 (0x2)"Viewpoint Manager Service"=2 (0x2)"TmProxy"=2 (0x2)"TmPfw"=2 (0x2)"TMBMServer"=2 (0x2)"SfCtlCom"=2 (0x2)"QOSMyDesktop"=2 (0x2)"ocautoupds"=2 (0x2)"MyDesktopWindows"=2 (0x2)"JavaQuickStarterService"=2 (0x2)"iPod Service"=3 (0x3)"gupdate1c9f8319d11f630"=2 (0x2)"FLEXnet Licensing Service"=3 (0x3)"Bonjour Service"=2 (0x2)"awhost32"=3 (0x3)"Apple Mobile Device"=2 (0x2)"ImapiService"=3 (0x3)"ose"=3 (0x3)"odserv"=3 (0x3)"Pml Driver HPZ12"=3 (0x3)"RichVideo"=3 (0x3)"TuneUp.Defrag"=3 (0x3)"idsvc"=3 (0x3)[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run-]"ctfmon.exe"=c:\windows\system32\ctfmon.exe"IDMan"=d:\program files\Internet Download Manager\IDMan.exe /onboot[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run-]"SoundMAX"=c:\program files\Analog Devices\SoundMAX\Smax4.exe /tray"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe""igfxhkcmd"=c:\windows\system32\hkcmd.exe"igfxpers"=c:\windows\system32\igfxpers.exe"HotKeysCmds"=c:\windows\system32\hkcmd.exe"Persistence"=c:\windows\system32\igfxpers.exe"IgfxTray"=c:\windows\system32\igfxtray.exe"iTunesHelper"="d:\program files\iTunes\iTunesHelper.exe""SunJavaUpdateSched"="d:\program files\Java\jre6\bin\jusched.exe""QuickTime Task"="c:\program files\QuickTime\QTTask.exe" -atboottime"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe""MSConfig"=c:\windows\PCHealth\HelpCtr\Binaries\MSConfig.exe /auto"UnlockerAssistant"="d:\program files\Unlocker\UnlockerAssistant.exe"[HKEY_LOCAL_MACHINE\software\microsoft\security center]"AntiVirusOverride"=dword:00000001"FirewallOverride"=dword:00000001[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]"%windir%\\system32\\sessmgr.exe"="%windir%\\Network Diagnostic\\xpnetdiag.exe"="c:\\WINDOWS\\system32\\ftp.exe"="c:\\Program Files\\Java\\jre6\\bin\\java.exe"="d:\\Program Files\\Rosetta Stone\\Rosetta Stone Version 3\\support\\bin\\win\\RosettaStoneLtdServices.exe"="d:\\Program Files\\Rosetta Stone\\Rosetta Stone Version 3\\RosettaStoneVersion3.exe"="d:\\Program Files\\iTunes\\iTunes.exe"="d:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.EXE"=[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]"3389:TCP"= 3389:TCP:@xpsp2res.dll,-22009"56384:TCP"= 56384:TCP:Pando Media Booster"56384:UDP"= 56384:UDP:Pando Media Booster"1723:TCP"= 1723:TCP:@xpsp2res.dll,-22015"1701:UDP"= 1701:UDP:@xpsp2res.dll,-22016"500:UDP"= 500:UDP:@xpsp2res.dll,-22017R1 hwinterface;hwinterface;c:\windows\system32\drivers\hwinterface.sys [9/15/2009 4:49 PM 3026]R1 SASDIFSV;SASDIFSV;d:\program files\SUPERAntiSpyware\sasdifsv.sys [1/5/2010 7:56 AM 9968]R1 SASKUTIL;SASKUTIL;d:\program files\SUPERAntiSpyware\SASKUTIL.SYS [1/5/2010 7:56 AM 74480]R2 PCToolsSSDMonitorSvc;PC Tools Startup and Shutdown Monitor service;c:\program files\Common Files\PC Tools\sMonitor\StartManSvc.exe [2/20/2010 9:16 PM 583640]R2 smihlp;SMI Helper Driver (smihlp);d:\program files\ThinkVantage Fingerprint Software\smihlp.sys [3/13/2009 1:47 PM 12560]R2 tmpreflt;tmpreflt;c:\windows\system32\drivers\tmpreflt.sys [4/6/2009 2:08 PM 36368]R2 TuneUp.UtilitiesSvc;TuneUp Utilities Service;d:\program files\TuneUp Utilities 2010\TuneUpUtilitiesService32.exe [12/17/2009 3:12 PM 1044808]R3 DKRtWrt;DKRtWrt;c:\windows\system32\drivers\DKRtWrt.sys [1/17/2010 8:46 PM 41120]R3 MBAMProtector;MBAMProtector;c:\windows\system32\drivers\mbam.sys [3/8/2010 9:17 PM 19160]R3 pbfilter;pbfilter;d:\program files\PeerBlock\pbfilter.sys [1/9/2010 3:31 PM 18544]R3 SASENUM;SASENUM;d:\program files\SUPERAntiSpyware\SASENUM.SYS [1/5/2010 7:56 AM 7408]R3 Tp4Track;PS/2 TrackPoint Driver;c:\windows\system32\drivers\tp4track.sys [3/4/2008 6:28 AM 23080]R3 TuneUpUtilitiesDrv;TuneUpUtilitiesDrv;d:\program files\TuneUp Utilities 2010\TuneUpUtilitiesDriver32.sys [10/14/2009 7:24 AM 10064]S0 sptd;sptd;c:\windows\system32\drivers\sptd.sys [12/31/2008 8:41 AM 721904]S2 MBAMService;MBAMService;d:\program files\Malwarebytes' Anti-Malware\mbamservice.exe [3/8/2010 9:17 PM 236368]S2 PMEMNT;PMEMNT;\??\c:\windows\pmemnt.sys --> c:\windows\pmemnt.sys [?]S2 tmevtmgr;tmevtmgr;\??\c:\windows\system32\drivers\tmevtmgr.sys --> c:\windows\system32\drivers\tmevtmgr.sys [?]S3 cpuz;cpuz;\??\c:\docume~1\ielizaga\LOCALS~1\Temp\cpuz.sys --> c:\docume~1\ielizaga\LOCALS~1\Temp\cpuz.sys [?]S3 cpuz130;cpuz130;\??\c:\docume~1\ielizaga\LOCALS~1\Temp\cpuz130\cpuz_x32.sys --> c:\docume~1\ielizaga\LOCALS~1\Temp\cpuz130\cpuz_x32.sys [?]S3 libusb0;LibUsb-Win32 - Kernel Driver, Version 0.1.12.1;c:\windows\system32\drivers\libusb0.sys [8/29/2009 3:42 PM 28672]S3 tmcfw;Trend Micro Common Firewall Service;c:\windows\system32\drivers\TM_CFW.sys [4/6/2009 2:08 PM 335376]S4 gupdate1c9f8319d11f630;Google Update Service (gupdate1c9f8319d11f630);"c:\program files\Google\Update\GoogleUpdate.exe" /svc --> c:\program files\Google\Update\GoogleUpdate.exe [?]S4 MyDesktopWindows;MyDesktopService;c:\windows\orclobi\MyDesktop\MyDesktopService.exe --> c:\windows\orclobi\MyDesktop\MyDesktopService.exe [?]S4 ocautoupds;Oracle Connector Automatic Updates Service; [x]S4 QOSMyDesktop;QOS MyDesktop;c:\windows\orclobi\MyDesktop\MyDesktopQOS.exe --> c:\windows\orclobi\MyDesktop\MyDesktopQOS.exe [?]S4 TmPfw;Trend Micro Personal Firewall; [x]S4 TmProxy;Trend Micro Proxy Service; [x]HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Svchost - NetSvcsUxTuneUp.Contents of the 'Scheduled Tasks' folder2010-03-11 c:\windows\Tasks\AppleSoftwareUpdate.job- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 20:34]2010-03-11 c:\windows\Tasks\OGALogon.job- c:\windows\system32\OGAEXEC.exe [2009-08-03 23:07]2010-03-11 c:\windows\Tasks\RealUpgradeLogonTaskS-1-5-21-582103443-1065543706-2027339946-1005.job- d:\program files\Real\RealUpgrade\realupgrade.exe [2010-02-10 02:38]2010-03-11 c:\windows\Tasks\RealUpgradeScheduledTaskS-1-5-21-582103443-1065543706-2027339946-1005.job- d:\program files\Real\RealUpgrade\realupgrade.exe [2010-02-10 02:38]2010-03-12 c:\windows\Tasks\User_Feed_Synchronization-{C0117973-63D5-4ECA-831D-AFA1F8E3EECE}.job- c:\windows\system32\msfeedssync.exe [2007-08-14 11:31]..------- Supplementary Scan -------.uStart Page = Yahoo.comuSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8mSearch Bar = hxxp://us.rd.yahoo.com/customize/ie/defaults/sb/msgr9/*http://www.yahoo.com/ext/search/search.htmluInternet Connection Wizard,ShellNext = wmplayer.exeuSearchAssistant = hxxp://www.google.com/ieIE: Download all links with IDM - d:\program files\Internet Download Manager\IEGetAll.htmIE: Download FLV video content with IDM - d:\program files\Internet Download Manager\IEGetVL.htmIE: Download with IDM - d:\program files\Internet Download Manager\IEExt.htmIE: E&xport to Microsoft Excel - c:\progra~1\MICROS~3\Office12\EXCEL.EXE/3000Trusted Zone: intuit.com\ttlcTrusted Zone: microsoft.com\*.updateTrusted Zone: microsoft.com\*.windowsupdateTrusted Zone: microsoft.com\officeTrusted Zone: microsoft.com\updateTrusted Zone: microsoft.com\windowsupdateTrusted Zone: oraclecorp.com\global-serviceTrusted Zone: windowsupdate.comTrusted Zone: windowsupdate.com\downloadTCP: {2669867D-E237-4792-8BC4-BE18FACE753C} = 208.67.222.222,208.67.220.220TCP: {FD99B04C-CFE4-4D74-8C55-21BA7183A524} = 208.67.222.222,208.67.220.220DPF: {00191E43-49C2-48E2-A548-8F702D75622A} - hxxps://conference.oracle.com/imtapp/res/jar/cnsload.cabFF - ProfilePath - c:\documents and settings\ielizaga\Application Data\Mozilla\Firefox\Profiles\7qzd5zsp.default\FF - prefs.js: browser.startup.homepage - hxxp://m.www.yahoo.com/FF - prefs.js: keyword.URL - hxxp://www.google.com/search?btnI=I%27m+Feeling+Lucky&q=FF - component: c:\documents and settings\ielizaga\Application Data\IDM\idmmzcc3\components\idmmzcc.dllFF - component: d:\program files\Mozilla Firefox 3.6 Beta 5\extensions\{a02c1aac-2bb9-217c-3817-04dd9b278f6e}\components\8K--Hg-D9AX-A.dllFF - plugin: c:\program files\Adobe\Reader 9.0\Reader\browser\nppdf32.dllFF - plugin: c:\program files\Microsoft Silverlight\3.0.50106.0\npctrl.dllFF - plugin: c:\program files\QuickTime\Plugins\npqtplugin.dllFF - plugin: c:\program files\QuickTime\Plugins\npqtplugin2.dllFF - plugin: c:\program files\QuickTime\Plugins\npqtplugin3.dllFF - plugin: c:\program files\QuickTime\Plugins\npqtplugin4.dllFF - plugin: c:\program files\QuickTime\Plugins\npqtplugin5.dllFF - plugin: c:\program files\QuickTime\Plugins\npqtplugin6.dllFF - plugin: c:\program files\QuickTime\Plugins\npqtplugin7.dllFF - plugin: c:\program files\Windows Media Player\npdrmv2.dllFF - plugin: c:\program files\Windows Media Player\npdsplay.dllFF - plugin: c:\program files\Windows Media Player\npwmsdrm.dllFF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\---- FIREFOX POLICIES ----FF - user.js: network.http.max-persistent-connections-per-server - 4FF - user.js: nglayout.initialpaint.delay - 600FF - user.js: content.notify.interval - 600000FF - user.js: content.max.tokenizing.time - 1800000FF - user.js: content.switch.threshold - 600000FF - user.js: network.http.max-connections-per-server - 8FF - user.js: network.http.pipelining - trueFF - user.js: network.http.proxy.pipelining - trueFF - user.js: network.http.pipelining.ssl - trueFF - user.js: network.http.pipelining.maxrequests - 8FF - user.js: yahoo.homepage.dontask - trued:\program files\Mozilla Firefox 3.6 Beta 5\greprefs\all.js - pref("ui.use_native_colors", true);d:\program files\Mozilla Firefox 3.6 Beta 5\greprefs\all.js - pref("ui.use_native_popup_windows", false);d:\program files\Mozilla Firefox 3.6 Beta 5\greprefs\all.js - pref("browser.enable_click_image_resizing", true);d:\program files\Mozilla Firefox 3.6 Beta 5\greprefs\all.js - pref("accessibility.browsewithcaret_shortcut.enabled", true);d:\program files\Mozilla Firefox 3.6 Beta 5\greprefs\all.js - pref("javascript.options.mem.high_water_mark", 32);d:\program files\Mozilla Firefox 3.6 Beta 5\greprefs\all.js - pref("javascript.options.mem.gc_frequency", 1600);d:\program files\Mozilla Firefox 3.6 Beta 5\greprefs\all.js - pref("network.auth.force-generic-ntlm", false);d:\program files\Mozilla Firefox 3.6 Beta 5\greprefs\all.js - pref("svg.smil.enabled", false);d:\program files\Mozilla Firefox 3.6 Beta 5\greprefs\all.js - pref("ui.trackpoint_hack.enabled", -1);d:\program files\Mozilla Firefox 3.6 Beta 5\greprefs\all.js - pref("browser.formfill.debug", false);d:\program files\Mozilla Firefox 3.6 Beta 5\greprefs\all.js - pref("browser.formfill.agedWeight", 2);d:\program files\Mozilla Firefox 3.6 Beta 5\greprefs\all.js - pref("browser.formfill.bucketSize", 1);d:\program files\Mozilla Firefox 3.6 Beta 5\greprefs\all.js - pref("browser.formfill.maxTimeGroupings", 25);d:\program files\Mozilla Firefox 3.6 Beta 5\greprefs\all.js - pref("browser.formfill.timeGroupingSize", 604800);d:\program files\Mozilla Firefox 3.6 Beta 5\greprefs\all.js - pref("browser.formfill.boundaryWeight", 25);d:\program files\Mozilla Firefox 3.6 Beta 5\greprefs\all.js - pref("browser.formfill.prefixWeight", 5);d:\program files\Mozilla Firefox 3.6 Beta 5\greprefs\all.js - pref("html5.enable", false);d:\program files\Mozilla Firefox 3.6 Beta 5\defaults\pref\firefox-branding.js - pref("app.update.download.backgroundInterval", 600);d:\program files\Mozilla Firefox 3.6 Beta 5\defaults\pref\firefox-branding.js - pref("app.update.url.manual", "http://www.firefox.com");d:\program files\Mozilla Firefox 3.6 Beta 5\defaults\pref\firefox-branding.js - pref("browser.search.param.yahoo-fr-ja", "mozff");d:\program files\Mozilla Firefox 3.6 Beta 5\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.name", "chrome://browser/locale/browser.properties");d:\program files\Mozilla Firefox 3.6 Beta 5\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.description", "chrome://browser/locale/browser.properties");d:\program files\Mozilla Firefox 3.6 Beta 5\defaults\pref\firefox.js - pref("xpinstall.whitelist.add", "addons.mozilla.org");d:\program files\Mozilla Firefox 3.6 Beta 5\defaults\pref\firefox.js - pref("xpinstall.whitelist.add.36", "getpersonas.com");d:\program files\Mozilla Firefox 3.6 Beta 5\defaults\pref\firefox.js - pref("lightweightThemes.update.enabled", true);d:\program files\Mozilla Firefox 3.6 Beta 5\defaults\pref\firefox.js - pref("browser.allTabs.previews", false);d:\program files\Mozilla Firefox 3.6 Beta 5\defaults\pref\firefox.js - pref("plugins.hide_infobar_for_outdated_plugin", false);d:\program files\Mozilla Firefox 3.6 Beta 5\defaults\pref\firefox.js - pref("plugins.update.notifyUser", false);d:\program files\Mozilla Firefox 3.6 Beta 5\defaults\pref\firefox.js - pref("toolbar.customization.usesheet", false);d:\program files\Mozilla Firefox 3.6 Beta 5\defaults\pref\firefox.js - pref("browser.taskbar.previews.enable", false);d:\program files\Mozilla Firefox 3.6 Beta 5\defaults\pref\firefox.js - pref("browser.taskbar.previews.max", 20);d:\program files\Mozilla Firefox 3.6 Beta 5\defaults\pref\firefox.js - pref("browser.taskbar.previews.cachetime", 20);..------- File Associations -------.vbefile\shell\open2\command=%SystemRoot%\System32\CScript.exe "%1" %*vbsfile\shell\open2\command=%SystemRoot%\System32\CScript.exe "%1" %*jsefile\shell\open2\command=%SystemRoot%\System32\CScript.exe "%1" %*.**************************************************************************catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.netRootkit scan 2010-03-11 18:08Windows 5.1.2600 Service Pack 3 NTFSscanning hidden processes ... scanning hidden autostart entries ... scanning hidden files ... scan completed successfullyhidden files: 0**************************************************************************.--------------------- LOCKED REGISTRY KEYS ---------------------[HKEY_USERS\S-1-5-21-582103443-1065543706-2027339946-1005\Software\Microsoft\Windows\Shell\BagMRU\0]@DACL=(02 0000)@SACL="0"=hex:14,00,47,00,02,45,6e,74,69,72,65,20,4e,65,74,77,6f,72,6b,00,00,00"MRUListEx"=hex:00,00,00,00,ff,ff,ff,ff[HKEY_USERS\S-1-5-21-582103443-1065543706-2027339946-1005\Software\Microsoft\Windows\Shell\Bags\1]@DACL=(02 0000)@SACL=[HKEY_USERS\S-1-5-21-582103443-1065543706-2027339946-1005\Software\Microsoft\Windows\Shell\Bags\10]@DACL=(02 0000)@SACL=[HKEY_USERS\S-1-5-21-582103443-1065543706-2027339946-1005\Software\Microsoft\Windows\Shell\Bags\11]@DACL=(02 0000)@SACL=[HKEY_USERS\S-1-5-21-582103443-1065543706-2027339946-1005\Software\Microsoft\Windows\Shell\Bags\12]@DACL=(02 0000)@SACL=[HKEY_USERS\S-1-5-21-582103443-1065543706-2027339946-1005\Software\Microsoft\Windows\Shell\Bags\13]@DACL=(02 0000)@SACL=[HKEY_USERS\S-1-5-21-582103443-1065543706-2027339946-1005\Software\Microsoft\Windows\Shell\Bags\14]@DACL=(02 0000)@SACL=[HKEY_USERS\S-1-5-21-582103443-1065543706-2027339946-1005\Software\Microsoft\Windows\Shell\Bags\15]@DACL=(02 0000)@SACL=[HKEY_USERS\S-1-5-21-582103443-1065543706-2027339946-1005\Software\Microsoft\Windows\Shell\Bags\16]@DACL=(02 0000)@SACL=[HKEY_USERS\S-1-5-21-582103443-1065543706-2027339946-1005\Software\Microsoft\Windows\Shell\Bags\17]@DACL=(02 0000)@SACL=[HKEY_USERS\S-1-5-21-582103443-1065543706-2027339946-1005\Software\Microsoft\Windows\Shell\Bags\18]@DACL=(02 0000)@SACL=[HKEY_USERS\S-1-5-21-582103443-1065543706-2027339946-1005\Software\Microsoft\Windows\Shell\Bags\19]@DACL=(02 0000)@SACL=[HKEY_USERS\S-1-5-21-582103443-1065543706-2027339946-1005\Software\Microsoft\Windows\Shell\Bags\2]@DACL=(02 0000)@SACL=[HKEY_USERS\S-1-5-21-582103443-1065543706-2027339946-1005\Software\Microsoft\Windows\Shell\Bags\20]@DACL=(02 0000)@SACL=[HKEY_USERS\S-1-5-21-582103443-1065543706-2027339946-1005\Software\Microsoft\Windows\Shell\Bags\21]@DACL=(02 0000)@SACL=[HKEY_USERS\S-1-5-21-582103443-1065543706-2027339946-1005\Software\Microsoft\Windows\Shell\Bags\22]@DACL=(02 0000)@SACL=[HKEY_USERS\S-1-5-21-582103443-1065543706-2027339946-1005\Software\Microsoft\Windows\Shell\Bags\3]@DACL=(02 0000)@SACL=[HKEY_USERS\S-1-5-21-582103443-1065543706-2027339946-1005\Software\Microsoft\Windows\Shell\Bags\4]@DACL=(02 0000)@SACL=[HKEY_USERS\S-1-5-21-582103443-1065543706-2027339946-1005\Software\Microsoft\Windows\Shell\Bags\5]@DACL=(02 0000)@SACL=[HKEY_USERS\S-1-5-21-582103443-1065543706-2027339946-1005\Software\Microsoft\Windows\Shell\Bags\6]@DACL=(02 0000)@SACL=[HKEY_USERS\S-1-5-21-582103443-1065543706-2027339946-1005\Software\Microsoft\Windows\Shell\Bags\7]@DACL=(02 0000)@SACL=[HKEY_USERS\S-1-5-21-582103443-1065543706-2027339946-1005\Software\Microsoft\Windows\Shell\Bags\8]@DACL=(02 0000)@SACL=[HKEY_USERS\S-1-5-21-582103443-1065543706-2027339946-1005\Software\Microsoft\Windows\Shell\Bags\9]@DACL=(02 0000)@SACL=[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{7B8E9164-324D-4A2E-A46D-0165FB2000EC}]@Denied: (Full) (Everyone)"scansk"=hex(0):b5,c7,7b,8b,45,84,ce,9a,1c,3c,88,40,5e,dd,3b,f3,5f,16,11,21,41, 6e,ef,08,e8,1a,0f,dd,d6,b1,de,e9,b2,40,c1,3b,79,2f,de,a7,00,00,00,00,00,00,\[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{d88d0fba-5427-41f3-903a-f3eca38e8f72}]@Denied: (Full) (Everyone)"Model"=dword:0000003f"Therad"=dword:00000016"MData"=hex(0):73,d5,cf,b8,a4,07,89,80,31,e4,35,6b,2a,ca,fe,43,b6,1f,81,1f,5a, 1b,4d,36,46,8f,3c,f2,5c,68,ee,21,46,8f,3c,f2,5c,68,ee,21,46,8f,3c,f2,5c,68,\.--------------------- DLLs Loaded Under Running Processes ---------------------- - - - - - - > 'winlogon.exe'(932)c:\windows\system32\vrlogon.dlld:\program files\SUPERAntiSpyware\SASWINLO.dllc:\windows\system32\WININET.dllc:\documents and settings\ielizaga\Application Data\SUPERAntiSpyware.com\SUPERAntiSpyware\SDDLLS\UIREPAIR.DLLc:\documents and settings\ielizaga\Application Data\SUPERAntiSpyware.com\SUPERAntiSpyware\SDDLLS\SD10005.dlld:\program files\ThinkVantage Fingerprint Software\psqlpwd.dlld:\program files\ThinkVantage Fingerprint Software\homefus2.dlld:\program files\ThinkVantage Fingerprint Software\infql2.dlld:\program files\ThinkVantage Fingerprint Software\homepass.dlld:\program files\ThinkVantage Fingerprint Software\bio.dlld:\program files\ThinkVantage Fingerprint Software\qlbase.dlld:\program files\ThinkVantage Fingerprint Software\ps2css.dllc:\windows\system32\urppnl.dll- - - - - - - > 'lsass.exe'(1004)c:\windows\system32\tusrpp.dllc:\windows\system32\wininet.dll- - - - - - - > 'explorer.exe'(1076)c:\windows\system32\WININET.dllc:\windows\system32\ieframe.dllc:\windows\system32\urppnl.dllc:\windows\system32\webcheck.dllc:\windows\system32\WPDShServiceObj.dllc:\windows\system32\PortableDeviceTypes.dllc:\windows\system32\PortableDeviceApi.dll- - - - - - - > 'csrss.exe'(908)c:\windows\system32\wininet.dll.Completion time: 2010-03-11 18:12:34ComboFix-quarantined-files.txt 2010-03-12 02:12ComboFix2.txt 2010-03-10 06:12ComboFix3.txt 2010-03-09 04:48Pre-Run: 14,311,010,304 bytes freePost-Run: 14,278,283,264 bytes freeCurrent=10 Default=10 Failed=9 LastKnownGood=11 Sets=1,2,3,4,5,6,7,8,9,10,11- - End Of File - - 700BDAFCFBAA44704207295E99B242EF Link to post Share on other sites More sharing options...
uncleferassi Posted March 13, 2010 Author ID:213984 Share Posted March 13, 2010 hello????Still need help Link to post Share on other sites More sharing options...
Kenny94 Posted March 13, 2010 ID:213986 Share Posted March 13, 2010 Hi uncleferassiI never received a Topic Subscription Notification.. I'm reviewing your log and will have some more instructions for you in a short while. Thanks for your patience! Link to post Share on other sites More sharing options...
Kenny94 Posted March 13, 2010 ID:213995 Share Posted March 13, 2010 Open Hijackthis (select Do a system scan only) and select the following lines but DO NOT CLICK FIX until you exit all browser sessions including the one you are reading in right now:O1 - Hosts: 74.208.105.171 gs.apple.comO1 - Hosts: 74.208.10.249 gs.apple.comO2 - BHO: TBSB05974 - {FCBCCB87-9224-4B8D-B117-F56D924BEB18} - D:\Program Files\Search Toolbar\tbcore3.dllO3 - Toolbar: Search Toolbar - {0C8413C1-FAD1-446C-8584-BE50576F863E} - D:\Program Files\Search Toolbar\tbcore3.dllAgain, make sure ALL browser windows are closed when you click FIX.Run CFScriptClose any open browsers.Open Notepad by click startClick RunType notepad into the box and click enterNotepad will openCopy and Paste everything from the Code box into Notepad:KILLALL::File::c:\windows\system32\urppnl.dllc:\windows\system32\rqpoli.dllc:\windows\system32\tusrpp.dllc:\windows\system32\fcbcbc.dllc:\windows\system32\tutqpn.dllc:\documents and settings\ielizaga\Local Settings\Application Data\catp2pgfxc:\documents and settings\ielizaga\pod60.exec:\windows\system32\ssrspp.dllc:\windows\system32\rqonnm.c:\windows\system32\urroll.dllc:\windows\system32\wvwvus.dllc:\windows\system32\vttqqn.dllc:\windows\system32\fcywuu.dllDriver::cpuzSave the file to your desktop and name it CFScript.txt Then drag the CFScript.txt into the ComboFix.exe as shown in the screenshot below.This will start ComboFix again. It may ask to reboot. Post the contents of Combofix.txt in your next reply together with MBAM Log.Note: These instructions and script were created specifically for this user. If you are not this user, do NOT follow these instructions or use this script as it could damage the workings of your system.NextPlease try this version of malwarebytes: Click the link hereSave it on your desktop. You'll see it will have a random name, and will look similar like this: Doubleclick on it, so it will extract the files and will start Malwarebytes automatically. In case the installer (random named file) won't run either, rename it to firefox.exe or explorer.exe or iexplore.exe and try again.When Malwarebytes opens, click the "Update" tab FIRST and select to check for updates in order to get the latest updates.In case Malwarebytes doesn't open, search for the folder mbam-installer on your desktop, open it and doubleclick the file winlogon.exe which will be present in there. This should launch Malwarebytes.Then perform a scan and let it remove what it found. Reboot afterwards (important).After reboot, post the malwarebytes log together with a new HijackThislog.In case you're having problems with above instructions, let me know.In your next reply, please include these log(s):CFScript.txt malwarebytes log new HijackThislogAlso, please let me know how things are running now and if you encountered any problems while you were following the instructions I posted. Link to post Share on other sites More sharing options...
uncleferassi Posted March 13, 2010 Author ID:214082 Share Posted March 13, 2010 Thank You!!!!I'm pretty sure the vundo is gone because i can use malwarebytes without changing the mbam.exe name. Here is just my logs if you want to check if i'm vundo-free Here is my Hijackme logLogfile of Trend Micro HijackThis v2.0.2Scan saved at 12:32:31 PM, on 3/13/2010Platform: Windows XP SP3 (WinNT 5.01.2600)MSIE: Internet Explorer v8.00 (8.00.6001.18702)Boot mode: NormalRunning processes:C:\WINDOWS\System32\smss.exeC:\WINDOWS\system32\winlogon.exeC:\WINDOWS\system32\services.exeC:\WINDOWS\system32\lsass.exeC:\WINDOWS\system32\ibmpmsvc.exeC:\WINDOWS\system32\svchost.exeC:\WINDOWS\system32\svchost.exeC:\WINDOWS\system32\spoolsv.exeD:\Program Files\Diskeeper Corporation\Diskeeper\DkService.exeC:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exeD:\Program Files\Malwarebytes' Anti-Malware\mbamservice.exeC:\Program Files\Common Files\PC Tools\sMonitor\StartManSvc.exeC:\Program Files\Analog Devices\SoundMAX\SMAgent.exeC:\WINDOWS\system32\svchost.exeD:\Program Files\TuneUp Utilities 2010\TuneUpUtilitiesService32.exeC:\WINDOWS\system32\ZONELABS\vsmon.exeD:\Program Files\TuneUp Utilities 2010\TuneUpUtilitiesApp32.exeC:\WINDOWS\system32\wscntfy.exeD:\Program Files\Analog Devices\SoundMAX\SMax4PNP.exeC:\Program Files\Common Files\Real\Update_OB\realsched.exeD:\Program Files\Malwarebytes' Anti-Malware\mbamgui.exeD:\Program Files\PeerBlock\peerblock.exeD:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exeC:\WINDOWS\explorer.exeD:\Program Files\Mozilla Firefox 3.6 Beta 5\firefox.exeD:\Program Files\Malwarebytes' Anti-Malware\mbam.exeD:\Program Files\Trend Micro\HijackThis\HijackThis.exeD:\Program Files\Internet Download Manager\IDMan.exeD:\Program Files\Internet Download Manager\IEMonitor.exeR0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = Yahoo.comR1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://us.rd.yahoo.com/customize/ie/defaul...rch/search.htmlR1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = wmplayer.exeR1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = :0O2 - BHO: IDM Helper - {0055C089-8582-441B-A0BF-17B458C2A3A8} - D:\Program Files\Internet Download Manager\IDMIECC.dllO4 - HKLM\..\Run: [soundMAXPnP] D:\Program Files\Analog Devices\SoundMAX\SMax4PNP.exeO4 - HKLM\..\Run: [TrackPointSrv] C:\Program Files\Lenovo\TrackPoint\tp4serv.exeO4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osbootO4 - HKLM\..\Run: [Malwarebytes' Anti-Malware] "D:\Program Files\Malwarebytes' Anti-Malware\mbamgui.exe" /starttrayO4 - HKCU\..\Run: [PeerBlock] D:\Program Files\PeerBlock\peerblock.exeO4 - HKCU\..\Run: [sUPERAntiSpyware] D:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exeO4 - HKUS\S-1-5-18\..\RunOnce: [TSClientMSIUninstaller] cmd.exe /C "cscript %systemroot%\Installer\TSClientMsiTrans\tscuinst.vbs" (User 'SYSTEM')O4 - HKUS\S-1-5-18\..\RunOnce: [TSClientAXDisabler] cmd.exe /C "%systemroot%\Installer\TSClientMsiTrans\tscdsbl.bat" (User 'SYSTEM')O4 - HKUS\S-1-5-18\..\RunOnce: [tscuninstall] %systemroot%\system32\tscupgrd.exe (User 'SYSTEM')O4 - HKUS\.DEFAULT\..\RunOnce: [TSClientMSIUninstaller] cmd.exe /C "cscript %systemroot%\Installer\TSClientMsiTrans\tscuinst.vbs" (User 'Default user')O4 - Startup: StartupFasterO4 - Global Startup: StartupFasterO8 - Extra context menu item: Download all links with IDM - D:\Program Files\Internet Download Manager\IEGetAll.htmO8 - Extra context menu item: Download FLV video content with IDM - D:\Program Files\Internet Download Manager\IEGetVL.htmO8 - Extra context menu item: Download with IDM - D:\Program Files\Internet Download Manager\IEExt.htmO8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\Office12\EXCEL.EXE/3000O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - D:\PROGRA~1\MICROS~1\Office12\REFIEBAR.DLLO9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exeO9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exeO15 - Trusted Zone: http://download.windowsupdate.comO15 - Trusted Zone: http://*.windowsupdate.comO16 - DPF: {00191E43-49C2-48E2-A548-8F702D75622A} - https://conference.oracle.com/imtapp/res/jar/cnsload.cabO16 - DPF: {1239CC52-59EF-4DFA-8C61-90FFA846DF7E} (Musicnotes Viewer) - http://www.musicnotes.com/download/mnviewer.cabO16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/...b?1263780057268O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.microsoft.com/microsoftu...b?1260315087266O17 - HKLM\System\CCS\Services\Tcpip\..\{2669867D-E237-4792-8BC4-BE18FACE753C}: NameServer = 208.67.222.222,208.67.220.220O17 - HKLM\System\CCS\Services\Tcpip\..\{FD99B04C-CFE4-4D74-8C55-21BA7183A524}: NameServer = 208.67.222.222,208.67.220.220O17 - HKLM\System\CS2\Services\Tcpip\Parameters: Domain = us.oracle.comO17 - HKLM\System\CS3\Services\Tcpip\Parameters: Domain = us.oracle.comO17 - HKLM\System\CS4\Services\Tcpip\Parameters: Domain = us.oracle.comO20 - Winlogon Notify: !SASWinLogon - D:\Program Files\SUPERAntiSpyware\SASWINLO.dllO23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exeO23 - Service: Diskeeper - Diskeeper Corporation - D:\Program Files\Diskeeper Corporation\Diskeeper\DkService.exeO23 - Service: FLEXnet Licensing Service - Acresso Software Inc. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exeO23 - Service: ThinkPad PM Service (IBMPMSVC) - Lenovo - C:\WINDOWS\system32\ibmpmsvc.exeO23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exeO23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exeO23 - Service: MBAMService - Malwarebytes Corporation - D:\Program Files\Malwarebytes' Anti-Malware\mbamservice.exeO23 - Service: PC Tools Startup and Shutdown Monitor service (PCToolsSSDMonitorSvc) - PC Tools - C:\Program Files\Common Files\PC Tools\sMonitor\StartManSvc.exeO23 - Service: SoundMAX Agent Service (SoundMAX Agent Service (default)) - Analog Devices, Inc. - C:\Program Files\Analog Devices\SoundMAX\SMAgent.exeO23 - Service: TuneUp Drive Defrag Service (TuneUp.Defrag) - TuneUp Software - D:\Program Files\TuneUp Utilities 2010\TuneUpDefragService.exeO23 - Service: TuneUp Utilities Service (TuneUp.UtilitiesSvc) - TuneUp Software - D:\Program Files\TuneUp Utilities 2010\TuneUpUtilitiesService32.exeO23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs LLC - C:\WINDOWS\system32\ZONELABS\vsmon.exe--End of file - 7504 bytesMy Combofix log is attached to this reply.My malwarebytes log is attached to this replyTHANK YOU AGAIN!!!!!ComboFix.txtmbam_log_2010_03_13__12_46_17_.txt Link to post Share on other sites More sharing options...
uncleferassi Posted March 13, 2010 Author ID:214083 Share Posted March 13, 2010 The Sad Face was suppose to be a happy face. Link to post Share on other sites More sharing options...
Kenny94 Posted March 13, 2010 ID:214085 Share Posted March 13, 2010 Please run this online scan to help look for remnants. Almost Done.... ESET Online ScannerNote: You can use either Internet Explorer or Mozilla FireFox for this scan. You will however may need to disable your current installed Anti-Virus, how to do so can be read here.Please go here then click on: Select the option YES, I accept the Terms of Use then click on: When prompted allow the Add-On/Active X to install.Make sure that the option Remove found threats is NOT checked, and the option Scan archives is checked.Now click on Advanced Settings and select the following:Scan for potentially unwanted applicationsScan for potentially unsafe applicationsEnable Anti-Stealth Technology[*]Now click on: [*]The virus signature database... will begin to download. Be patient this make take some time depending on the speed of your Internet Connection.[*]When completed the Online Scan will begin automatically. [*]Do not touch either the Mouse or keyboard during the scan otherwise it may stall. [*]When completed select Uninstall application on close if you so wish, make sure you copy the logfile first![*]Now click on: [*]Use notepad to open the logfile located at C:\Program Files\ESET\EsetOnlineScanner\log.txt.[*]Copy and paste that log as a reply to this topic.Note: Do not forget to re-enable your Anti-Virus application after running the above scan!NextDownload Security Check from here or here.Save it to your Desktop.Double click SecurityCheck.exe and follow the onscreen instructions inside of the black box.A Notepad document should open automatically called checkup.txt; please post the contents of that document.In your next reply, please include these log(s):EsetOnlineScanner\log.txtcheckup.txt Link to post Share on other sites More sharing options...
Kenny94 Posted March 13, 2010 ID:214086 Share Posted March 13, 2010 Also, why did you not installed anti-virus software? Link to post Share on other sites More sharing options...
uncleferassi Posted March 13, 2010 Author ID:214093 Share Posted March 13, 2010 i did...I installed avast Link to post Share on other sites More sharing options...
Kenny94 Posted March 13, 2010 ID:214095 Share Posted March 13, 2010 LOL.... I see it now. Go ahead and run ESET Online Scanner and Security Check . I bet ESET will find something in My Documents. Link to post Share on other sites More sharing options...
uncleferassi Posted March 13, 2010 Author ID:214118 Share Posted March 13, 2010 wtf??!The scan told me that i still have 5 viruses but one of them were one of the stuff you told me to download..... LOL Log is attached.log.txt Link to post Share on other sites More sharing options...
uncleferassi Posted March 13, 2010 Author ID:214119 Share Posted March 13, 2010 oops sorry..Not you... LOLIt was this site that told mehttp://www.bleepingcomputer.com/virus-remo...undo-virtumondeSorry once again Link to post Share on other sites More sharing options...
uncleferassi Posted March 13, 2010 Author ID:214120 Share Posted March 13, 2010 Here is my log: Results of screen317's Security Check version 0.99.1 Windows XP Service Pack 3 `````````````````````````````` Antivirus/Firewall Check: Windows Firewall Enabled! ESET Online Scanner v3 WMIC entry does not exist for antivirus; attempting automatic update. `````````````````````````````` Anti-malware/Other Utilities Check: SUPERAntiSpyware Professional HijackThis 2.0.2 TuneUp Utilities TuneUp Utilities TuneUp Utilities Language Pack (en-US) CCleaner Java 6 Update 17 Adobe Flash Player 10 Adobe Reader 9.3 `````````````````````````````` Process Check: objlist.exe by Laurent Malwarebytes' Anti-Malware mbamservice.exe Malwarebytes' Anti-Malware mbamgui.exe ``````````````````````````````DNS Vulnerability Check: GREAT! (Not vulnerable to DNS cache poisoning) `````````End of Log``````````` Link to post Share on other sites More sharing options...
Kenny94 Posted March 13, 2010 ID:214122 Share Posted March 13, 2010 Please download the OTM by OldTimer. Save it to your desktop. Please double-click OTM.exe to run it. (Note: If you are running on Vista, right-click on the file and choose Run As Administrator).Copy the lines in the codebox below to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose Copy)::processesexplorer.exe:filesC:\Documents and Settings\ielizaga\mdply3d.exeC:\WINDOWS\VIPv3\Process.exeC:\WINDOWS\VIPv3\resources\process.exeD:\Documents and Settings\ielizaga\My Documents\Downloads\Programs\VirtumundoBeGone.exe:commands[start explorer][emptytemp] Return to OTMoveIt3, right click in the "Paste List Of Files/Patterns To Search For and Move" window (under the yellow bar) and choose Paste.Click the red Moveit! button.Click Ok to allow OTM reboot your machine.After reboot, a log file will appear. Copy the contents to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose copy), and paste it in your next reply.Close OTM Link to post Share on other sites More sharing options...
uncleferassi Posted March 13, 2010 Author ID:214127 Share Posted March 13, 2010 i can't..it says that it can't be found.Plus... according to my world of trust addon for firefox, it says the site has poor reputation.Need Help?? Link to post Share on other sites More sharing options...
uncleferassi Posted March 13, 2010 Author ID:214128 Share Posted March 13, 2010 i mean by like i can't download the otm.exe thing because it says it can't be found. Link to post Share on other sites More sharing options...
Kenny94 Posted March 13, 2010 ID:214130 Share Posted March 13, 2010 I fixed it.... Link to post Share on other sites More sharing options...
uncleferassi Posted March 13, 2010 Author ID:214141 Share Posted March 13, 2010 Ok...i did all of that.Am i done with the whole removing the vundo problem?If so, thank you very much for helping me solve this problem.-Uncleferassi Link to post Share on other sites More sharing options...
Kenny94 Posted March 14, 2010 ID:214146 Share Posted March 14, 2010 Link to post Share on other sites More sharing options...
uncleferassi Posted March 14, 2010 Author ID:214147 Share Posted March 14, 2010 LOLZok..Here's the log:All processes killed========== PROCESSES ==========No active process named explorer.exe was found!========== FILES ==========C:\Documents and Settings\ielizaga\mdply3d.exe moved successfully.C:\WINDOWS\VIPv3\Process.exe moved successfully.C:\WINDOWS\VIPv3\resources\process.exe moved successfully.File/Folder D:\Documents and Settings\ielizaga\My Documents\Downloads\Programs\VirtumundoBeGone.exe not found.========== COMMANDS ==========[EMPTYTEMP]User: Administrator->Temp folder emptied: 0 bytes->Temporary Internet Files folder emptied: 67 bytes->Java cache emptied: 0 bytes->FireFox cache emptied: 0 bytesUser: All UsersUser: Default User->Temp folder emptied: 0 bytes->Temporary Internet Files folder emptied: 67 bytes->Java cache emptied: 0 bytes->FireFox cache emptied: 0 bytesUser: ielizaga->Temp folder emptied: 1439031 bytes->Temporary Internet Files folder emptied: 5292277 bytes->Java cache emptied: 0 bytes->FireFox cache emptied: 79458820 bytes->Flash cache emptied: 3742 bytesUser: LocalService->Temp folder emptied: 0 bytes->Temporary Internet Files folder emptied: 67 bytesUser: NetworkService->Temp folder emptied: 0 bytes->Temporary Internet Files folder emptied: 33170 bytes->Flash cache emptied: 405 bytes%systemdrive% .tmp files removed: 0 bytes%systemroot% .tmp files removed: 696832 bytes%systemroot%\System32 .tmp files removed: 0 bytes%systemroot%\System32\dllcache .tmp files removed: 0 bytes%systemroot%\System32\drivers .tmp files removed: 0 bytesWindows Temp folder emptied: 17379 bytes%systemroot%\system32\config\systemprofile\Local Settings\Temp folder emptied: 0 bytes%systemroot%\system32\config\systemprofile\Local Settings\Temporary Internet Files folder emptied: 33170 bytesRecycleBin emptied: 0 bytesTotal Files Cleaned = 83.00 mbOTM by OldTimer - Version 3.1.10.0 log created on 03132010_154752Files moved on Reboot...C:\WINDOWS\temp\ZLT07ec7.TMP moved successfully.Registry entries deleted on Reboot... Link to post Share on other sites More sharing options...
Recommended Posts