
Can't Open or Install Malwarebytes


pjj


Hello - I previously had Malwarebytes installed, but noticed I was getting redirected on Google this morning. I tried to run Malwarebytes in safe mode, but it won't open. I uninstalled Malwarebytes and tried to download and install the latest version while in safe mode. The task manager shows that it installs to about 8000 bytes and then it disappears as if it were turned off. I ran HijackThis and came up with the following log file. PLEASE HELP ME!

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 11:25:08, on 9/21/2010
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v8.00 (8.00.6001.18702)
Boot mode: Safe mode with network support

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\Documents and Settings\PCrowther\Application Data\Microsoft\Windows\shell.exe
C:\Documents and Settings\PCrowther\Application Data\Microsoft\svchost.exe
C:\DOCUME~1\PCROWT~1\LOCALS~1\Temp\dwm.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = "C:\Program Files\Outlook Express\msimn.exe"
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = http=127.0.0.1:50370
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
F3 - REG:win.ini: load=C:\DOCUME~1\PCROWT~1\LOCALS~1\Temp\dwm.exe
O2 - BHO: LexisNexis Practice Management Toolbar - {00F17ECE-12DA-46A0-B541-BDE4EB7DF027} - C:\TMW8\tmietb.dll
O2 - BHO: (no name) - {02478D38-C3F9-4efb-9B51-7695ECA05670} - (no file)
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll (file missing)
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\3.1.807.1746\swg.dll
O2 - BHO: MSN Toolbar Helper - {d2ce3e00-f94a-4740-988e-03dc2f38c34f} - C:\Program Files\MSN\Toolbar\3.0.0988.2\msneshellx.dll
O2 - BHO: Java Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O3 - Toolbar: LexisNexis Practice Management Toolbar - {00F17ECE-12DA-46A0-B541-BDE4EB7DF027} - C:\TMW8\tmietb.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll (file missing)
O3 - Toolbar: MSN Toolbar - {1E61ED7C-7CB8-49d6-B9E9-AB4C880C8414} - C:\Program Files\MSN\Toolbar\3.0.0988.2\msneshellx.dll
O4 - HKLM\..\Run: [LogMeIn GUI] "C:\Program Files\LogMeIn\x86\LogMeInSystray.exe"
O4 - HKLM\..\Run: [cctray] "C:\Program Files\CA\CA Internet Security Suite\cctray\cctray.exe"
O4 - HKLM\..\Run: [CAVRID] "C:\Program Files\CA\CA Internet Security Suite\CA Anti-Virus\CAVRID.exe"
O4 - HKLM\..\Run: [Nikon Transfer Monitor] C:\Program Files\Common Files\Nikon\Monitor\NkMonitor.exe
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [fcbcbxsys] rundll32.exe "gebyab.dll",s
O4 - HKLM\..\Run: [tusrqpaudio] rundll32.exe "urpnmn.dll",s
O4 - HKLM\..\Run: [svchost] C:\Documents and Settings\PCrowther\Application Data\Microsoft\svchost.exe
O4 - HKLM\..\Run: [iifffdaudio] rundll32.exe "ljgfdb.dll",s
O4 - HKLM\..\Run: [cbbcyaaudio] rundll32.exe "awusqq.dll",s
O4 - HKLM\..\RunOnce: [Malwarebytes' Anti-Malware] C:\Program Files\Malwarebytes' Anti-Malware\mbamgui.exe /install /silent
O4 - HKCU\..\Run: [TSTimer] "C:\Program Files\Timeslips\TSTimer.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [iSUSPM] "C:\Program Files\Common Files\InstallShield\UpdateService\ISUSPM.exe" -scheduler
O4 - HKCU\..\Run: [vtuvwusys] rundll32.exe "gebyab.dll",s
O4 - HKCU\..\Run: [fcyvtuaudio] rundll32.exe "urpnmn.dll",s
O4 - HKCU\..\Run: [opomjjaudio] rundll32.exe "ljgfdb.dll",s
O4 - HKCU\..\Run: [rqrrrpaudio] rundll32.exe "awusqq.dll",s
O4 - HKUS\S-1-5-18\..\Run: [khigfcaudio] rundll32.exe "urpnmn.dll",s (User 'SYSTEM')
O4 - HKUS\S-1-5-18\..\Run: [wvtuussys] rundll32.exe "gebyab.dll",s (User 'SYSTEM')
O4 - HKUS\S-1-5-18\..\Run: [cbyvuuaudio] rundll32.exe "ljgfdb.dll",s (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [khigfcaudio] rundll32.exe "urpnmn.dll",s (User 'Default user')
O4 - Startup: Adobe Gamma.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Startup: userinit.exe
O4 - Global Startup: QuickBooks Update Agent.lnk = C:\Program Files\Common Files\Intuit\QuickBooks\QBUpdate\qbupdate.exe
O8 - Extra context menu item: &Google Search - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsearch.html
O8 - Extra context menu item: &Translate English Word - res://C:\Program Files\Google\GoogleToolbar1.dll/cmwordtrans.html
O8 - Extra context menu item: Backward Links - res://C:\Program Files\Google\GoogleToolbar1.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://C:\Program Files\Google\GoogleToolbar1.dll/cmcache.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Similar Pages - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsimilar.html
O8 - Extra context menu item: Translate Page into English - res://C:\Program Files\Google\GoogleToolbar1.dll/cmtrans.html
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O15 - Trusted Zone: http://*.hp.com (HKLM)
O16 - DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} (QuickTime Object) - http://a1540.g.akamai.net/7/1540/52/200707...ex/qtplugin.cab
O16 - DPF: {11260943-421B-11D0-8EAC-0000C07D88CF} (iPIX ActiveX Control) - http://www.ipix.com/download/ipixx.cab
O16 - DPF: {3DCEC959-378A-4922-AD7E-FD5C925D927F} (Disney Online Games ActiveX Control) - http://disney.go.com/pirates/online/testAc...OnlineGames.cab
O16 - DPF: {60EFC337-15C2-4369-B2A0-3429B071D8B8} (Hewlett-Packard Printer Diagnostics) - http://h50203.www5.hp.com/HPISWeb/Customer...SWebManager.CAB
O16 - DPF: {6B75345B-AA36-438A-BBE6-4078B4C6984D} (HpProductDetection Class) - http://h20270.www2.hp.com/ediags/gmn2/inst...ctDetection.cab
O16 - DPF: {A796D216-2DE1-4EA8-BABB-FE6E7C959098} (HPSDDX Class) - http://www.hp.com/cpso-support-new/SDD/hpsddObjSigned.cab
O16 - DPF: {C7DEDA04-2FFF-4B81-AE66-0A0E0EF4AD2F} (Image Uploader Control) - http://www.ritzpix.com/net/Uploader/LPUploader57.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/shoc...ash/swflash.cab
O16 - DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - http://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
O16 - DPF: {E7D2588A-7FB5-47DC-8830-832605661009} (Live Collaboration) - http://livenj02.custhelp.com/7520-b289h/rnl/java/RntX.cab
O16 - DPF: {EDFCB7CB-942C-4822-AF14-F0B687409848} (Image Uploader Control) - http://www.disneyphotopass.com/software/ImageUploader4.cab
O16 - DPF: {F137B9BA-89EA-4B04-9C67-2074A9DF61FD} (Photo Upload Plugin Class) - http://cvs.pnimedia.com/upload/activex/v2_...upv2.0.0.11.cab?
O16 - DPF: {FD0B6769-6490-4A91-AA0A-B5AE0DC75AC9} (Performance Viewer Activex Control) - https://secure.logmein.com/activex/ractrl.cab?lmi=100
O18 - Protocol: HPDCS - {BA135F49-A12C-4E26-A2C4-6EA945999072} - C:\Program Files\Common Files\Hewlett-Packard\HP Device Communication Services\APP\hpdcsapp.dll
O18 - Protocol: hppfile - {C4E2084B-ED27-4893-A43D-488CA3F370E2} - C:\Program Files\Hewlett-Packard\HP Easy Printer Care\HPPCtrls.dll
O18 - Protocol: hppsam - {C4E2084B-ED27-4893-A43D-488CA3F370E2} - C:\Program Files\Hewlett-Packard\HP Easy Printer Care\HPPCtrls.dll
O18 - Protocol: hppzip - {C4E2084B-ED27-4893-A43D-488CA3F370E2} - C:\Program Files\Hewlett-Packard\HP Easy Printer Care\HPPCtrls.dll
O23 - Service: Acronis Scheduler2 Service (AcrSch2Svc) - Acronis - C:\Program Files\Common Files\Acronis\Schedule2\schedul2.exe
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: CaCCProvSP - CA, Inc. - C:\Program Files\CA\CA Internet Security Suite\ccprovsp.exe
O23 - Service: CAISafe - Computer Associates International, Inc. - C:\Program Files\CA\CA Internet Security Suite\CA Anti-Virus\ISafe.exe
O23 - Service: FlipShare Service - Unknown owner - C:\Program Files\Flip Video\FlipShare\FlipShareService.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: HP Status - Hewlett-Packard Company - C:\WINDOWS\system32\hpb2ksrv.exe
O23 - Service: HP Status Print - Hewlett-Packard Company - C:\WINDOWS\system32\hpbhksrv.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: LogMeIn Maintenance Service (LMIMaint) - LogMeIn, Inc. - C:\Program Files\LogMeIn\x86\RaMaint.exe
O23 - Service: LogMeIn - LogMeIn, Inc. - C:\Program Files\LogMeIn\x86\LogMeIn.exe
O23 - Service: QuickBooks Database Manager Service (QBCFMonitorService) - Intuit - C:\Program Files\Common Files\Intuit\QuickBooks\QBCFMonitorService.exe
O23 - Service: Intuit QuickBooks FCS (QBFCService) - Intuit Inc. - C:\Program Files\Common Files\Intuit\QuickBooks\FCS\Intuit.QuickBooks.FCS.exe
O23 - Service: QuickBooksDB17 - iAnywhere Solutions, Inc. - C:\PROGRA~1\Intuit\QUICKB~1\QBDBMgrN.exe
O23 - Service: LiveShare P2P Server 9 (RoxLiveShare9) - Unknown owner - C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxLiveShare9.exe (file missing)
O23 - Service: SigmaTel Audio Service (STacSV) - SigmaTel, Inc. - C:\WINDOWS\system32\STacSV.exe
O23 - Service: VET Message Service (VETMSGNT) - CA, Inc. - C:\Program Files\CA\CA Internet Security Suite\CA Anti-Virus\VetMsg.exe

--
End of file - 11344 bytes

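A defender-side companion to the log above, added here as an example (it is not the thread's own code, nor anything from HijackThis or OTL): a short Python triage pass that flags the patterns the helper's fix later removes (the ProxyServer value pointing at 127.0.0.1, the win.ini load= entry, Run values that hand rundll32 a path-less DLL, and executables living under Application Data or Temp, including ones named after Windows binaries), then groups the randomly named Run values by the DLL they share. The sample lines are constructed from the log above; the severity rules are my own heuristics, not a vendor signature.

```python
"""Triage a HijackThis log for the indicator patterns in the thread above.

Added example: not code from the original post, HijackThis or OTL. The sample
log is constructed from entries in the log above; the rules are my own
heuristics, chosen to match the entries the helper's OTL fix removed.
"""
import re
from collections import defaultdict
from dataclasses import dataclass

# Constructed sample: lines copied from the thread's log plus two benign ones.
SAMPLE_LOG = r"""
Boot mode: Safe mode with network support
Running processes:
C:\WINDOWS\system32\winlogon.exe
C:\Documents and Settings\PCrowther\Application Data\Microsoft\svchost.exe
C:\DOCUME~1\PCROWT~1\LOCALS~1\Temp\dwm.exe
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = http=127.0.0.1:50370
F3 - REG:win.ini: load=C:\DOCUME~1\PCROWT~1\LOCALS~1\Temp\dwm.exe
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [fcbcbxsys] rundll32.exe "gebyab.dll",s
O4 - HKLM\..\Run: [svchost] C:\Documents and Settings\PCrowther\Application Data\Microsoft\svchost.exe
O4 - HKCU\..\Run: [vtuvwusys] rundll32.exe "gebyab.dll",s
O4 - HKUS\S-1-5-18\..\Run: [wvtuussys] rundll32.exe "gebyab.dll",s (User 'SYSTEM')
"""

O4_ENTRY = re.compile(r"^O4 - (?P<hive>.+?)\\\.\.\\Run(?:Once)?: \[(?P<name>[^\]]+)\]\s*(?P<cmd>.*)$")
F3_LOAD = re.compile(r"^F3 - REG:win\.ini: load=(?P<cmd>.+)$")
# ProxyServer pointing at the machine itself: something local is relaying browser traffic.
LOOPBACK_PROXY = re.compile(r"ProxyServer\s*=\s*(?:\w+=)?(?:127\.0\.0\.1|localhost):(?P<port>\d+)", re.I)
# rundll32 given only a file name: the DLL is found via the search order, not a fixed install path.
RUNDLL_BARE = re.compile(r'rundll32(?:\.exe)?\s+"?(?P<dll>[^\\"\s,]+\.dll)', re.I)
USER_WRITABLE = re.compile(r"\\(application data|local settings|temp|locals~1)\\", re.I)
EXE_NAME = re.compile(r'([^\\"/]+\.exe)', re.I)
# Names that belong under \WINDOWS; copies elsewhere are impersonating them.
SYSTEM_NAMES = {"svchost.exe", "dwm.exe", "winlogon.exe", "lsass.exe", "services.exe",
                "csrss.exe", "smss.exe", "shell.exe", "userinit.exe", "explorer.exe"}


@dataclass
class Finding:
    severity: str  # "high" or "medium"
    reason: str
    line: str


def _check_path(cmd, line, out):
    """Flag programs run from user-writable dirs or using a system binary's name elsewhere."""
    if USER_WRITABLE.search(cmd):
        out.append(Finding("high", "program started from a user-writable profile or Temp directory", line))
    m = EXE_NAME.search(cmd)
    if m and m.group(1).lower() in SYSTEM_NAMES and "\\windows\\" not in cmd.lower():
        out.append(Finding("high", f"{m.group(1).lower()} uses a Windows system binary's name but is not under \\WINDOWS", line))


def triage(log_text):
    """Return the list of Findings for one HijackThis log (empty list when nothing stands out)."""
    out, dll_users, in_procs = [], defaultdict(set), False
    for raw in log_text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.lower().startswith("running processes"):
            in_procs = True
            continue
        if in_procs and re.match(r"^[A-Za-z]:\\", line):
            _check_path(line, line, out)  # one running process per line
            continue
        in_procs = False
        m = LOOPBACK_PROXY.search(line)
        if m:
            out.append(Finding("high", f"browser proxy forced through loopback port {m['port']}: a local "
                               "process sits between the browser and the network (fits the search redirects)", line))
        m = F3_LOAD.match(line)
        if m:
            out.append(Finding("high", "win.ini load= autostart is populated; Windows leaves it empty", line))
            _check_path(m["cmd"], line, out)
        m = O4_ENTRY.match(line)
        if m:
            d = RUNDLL_BARE.search(m["cmd"])
            if d:
                dll = d["dll"].lower()
                dll_users[dll].add(m["name"])
                out.append(Finding("high", f"rundll32 loads {dll} by bare name", line))
            _check_path(m["cmd"], line, out)
    # One DLL behind several randomly named Run values is a generated-persistence pattern.
    for dll, names in sorted(dll_users.items()):
        if len(names) > 1:
            out.append(Finding("medium", f"{dll} is registered under {len(names)} differently named "
                               f"Run values: {', '.join(sorted(names))}", f"Run values -> {dll}"))
    return out


def by_severity(findings):
    """Count findings per severity, e.g. {'high': 13, 'medium': 1} for SAMPLE_LOG."""
    counts = defaultdict(int)
    for f in findings:
        counts[f.severity] += 1
    return dict(counts)


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"[{f.severity:6}] {f.reason}\n         {f.line}")
```

To run it over a real log, pass the saved file's text to triage(); entries the rules do not recognise are simply not reported, so an empty result is not a clean bill of health.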

Hello pjj

Welcome to Malwarebytes.

=====================

  • Download OTL to your desktop.
  • Double click on OTL to run it.
  • When the window appears, underneath Output at the top change it to Minimal Output.
  • Under the Standard Registry box change it to All.
  • Under the Custom scans and fixes section paste in the below in bold


    netsvcs

    %SYSTEMDRIVE%\*.*

    %systemroot%\system32\*.dll /lockedfiles

    %systemroot%\Tasks\*.job /lockedfiles

    %systemroot%\System32\config\*.sav

    %systemroot%\system32\drivers\*.sys /90

    %systemroot%\system32\Spool\prtprocs\w32x86\*.dll


  • Check the boxes beside LOP Check and Purity Check.
  • Click the Run Scan button. Do not change any settings unless otherwise told to do so. The scan won't take long.
  • When the scan completes, it will open two notepad windows. OTL.Txt and Extras.Txt. These are saved in the same location as OTL.
  • Please copy (Edit->Select All, Edit->Copy) the contents of these files, one at a time, and post it with your next reply.

====================

Please download Rootkit Unhooker and save it to your desktop.

  • Double-click RKUnhookerLE.exe to run it.
  • Click the Report tab, then click Scan
  • Check Drivers, Stealth Code, Files, and Code Hooks
  • Uncheck the rest, then click OK
  • When prompted to Select Disks for Scan, make sure C:\ is checked and click OK
  • Wait till the scanner has finished then go File > Save Report
  • Save the report somewhere you can find it, typically your desktop. Click Close
  • Copy the entire contents of the report and paste it in your next reply.

Note - You may get this warning; it is ok, just ignore it: "Rootkit Unhooker has detected a parasite inside itself! It is recommended to remove parasite, okay?"


Run OTL

  • Under the Custom Scans/Fixes box at the bottom, paste in the following
    :OTL
    IE - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 1
    IE - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyOverride" = *.local
    IE - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyServer" = http=127.0.0.1:50370
    O4 - HKLM..\Run: [cbbcyaaudio] C:\WINDOWS\System32\awusqq.dll (foobar2000.org)
    O4 - HKLM..\Run: [fcbcbxsys] C:\WINDOWS\System32\gebyab.dll (Symantec Corporation)
    O4 - HKLM..\Run: [iifffdaudio] C:\WINDOWS\System32\ljgfdb.dll (foobar2000.org)
    O4 - HKLM..\Run: [rqoppoaudio] C:\WINDOWS\System32\urstsp.dll (foobar2000.org)
    O4 - HKLM..\Run: [svchost] C:\Documents and Settings\PCrowther\Application Data\Microsoft\svchost.exe ()
    O4 - HKLM..\Run: [tusrqpaudio] C:\WINDOWS\System32\urpnmn.dll (foobar2000.org)
    O4 - HKCU..\Run: [fcyvtuaudio] C:\WINDOWS\System32\urpnmn.dll (foobar2000.org)
    O4 - HKCU..\Run: [opomjjaudio] C:\WINDOWS\System32\ljgfdb.dll (foobar2000.org)
    O4 - HKCU..\Run: [rqrrrpaudio] C:\WINDOWS\System32\awusqq.dll (foobar2000.org)
    O4 - HKCU..\Run: [vtuvwusys] C:\WINDOWS\System32\gebyab.dll (Symantec Corporation)
    O4 - HKCU..\Run: [yabbabaudio] C:\WINDOWS\System32\urstsp.dll (foobar2000.org)
    F3 - HKCU WinNT: Load - (C:\DOCUME~1\PCROWT~1\LOCALS~1\Temp\dwm.exe) - C:\Documents and Settings\PCrowther\Local Settings\Temp\dwm.exe ()
    O20 - HKCU Winlogon: Shell - (C:\Documents and Settings\PCrowther\Application Data\Microsoft\Windows\shell.exe) - C:\Documents and Settings\PCrowther\Application Data\Microsoft\Windows\shell.exe ()
    [2010/09/21 10:50:02 | 000,000,714 | ---- | M] () -- C:\Documents and Settings\All Users\Application Data\amlistx.dat
    [2010/09/21 10:50:02 | 000,000,054 | ---- | M] () -- C:\Documents and Settings\PCrowther\Application Data\amopn.dat

    :Commands
    [emptytemp]


  • Then click the Run Fix button at the top
  • Let the program run unhindered, reboot when it is done
  • It will produce a log for you on reboot, please post that log in your next reply.

===========

Download ComboFix from one of these locations:

Link 1

Link 2

* IMPORTANT !!! Save ComboFix.exe to your Desktop

  • Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools
  • Double click on ComboFix.exe & follow the prompts.
  • As part of its process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.
  • Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.

**Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue its malware removal procedures.

Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:

Click on Yes, to continue scanning for malware.

When finished, it shall produce a log for you. Please include the C:\ComboFix.txt in your next reply.


OTL Log:

All processes killed

========== OTL ==========

HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\\ProxyEnable|dword:0 /E : value set successfully!

HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\\ProxyOverride| /E : value set successfully!

HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\\ProxyServer| /E : value set successfully!

Registry value HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run\\cbbcyaaudio deleted successfully.

C:\WINDOWS\system32\awusqq.dll moved successfully.

Registry value HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run\\fcbcbxsys deleted successfully.

C:\WINDOWS\system32\gebyab.dll moved successfully.

Registry value HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run\\iifffdaudio deleted successfully.

C:\WINDOWS\system32\ljgfdb.dll moved successfully.

Registry value HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run\\rqoppoaudio deleted successfully.

C:\WINDOWS\system32\urstsp.dll moved successfully.

Registry value HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run\\svchost not found.

File C:\Documents and Settings\PCrowther\Application Data\Microsoft\svchost.exe not found.

Registry value HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run\\tusrqpaudio deleted successfully.

C:\WINDOWS\system32\urpnmn.dll moved successfully.

Registry value HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\\fcyvtuaudio deleted successfully.

File C:\WINDOWS\System32\urpnmn.dll not found.

Registry value HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\\opomjjaudio deleted successfully.

File C:\WINDOWS\System32\ljgfdb.dll not found.

Registry value HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\\rqrrrpaudio deleted successfully.

File C:\WINDOWS\System32\awusqq.dll not found.

Registry value HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\\vtuvwusys deleted successfully.

File C:\WINDOWS\System32\gebyab.dll not found.

Registry value HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\\yabbabaudio deleted successfully.

File C:\WINDOWS\System32\urstsp.dll not found.

C:\Documents and Settings\PCrowther\Local Settings\Temp\dwm.exe moved successfully.

Registry value HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\\Load:C:\DOCUME~1\PCROWT~1\LOCALS~1\Temp\dwm.exe deleted successfully.

Registry value HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\\Shell:C:\Documents and Settings\PCrowther\Application Data\Microsoft\Windows\shell.exe deleted successfully.

C:\Documents and Settings\PCrowther\Application Data\Microsoft\Windows\shell.exe moved successfully.

C:\Documents and Settings\All Users\Application Data\amlistx.dat moved successfully.

C:\Documents and Settings\PCrowther\Application Data\amopn.dat moved successfully.

========== COMMANDS ==========

[EMPTYTEMP]


ComboFix Log:

ComboFix 10-09-21.03 - PCrowther 09/22/2010 10:56:16.1.2 - x86 NETWORK

Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.1013.786 [GMT -4:00]

Running from: C:\Documents and Settings\PCrowther\Desktop\ComboFix.exe

AV: CA Anti-Virus *On-access scanning enabled* (Updated) {17CFD1EA-56CF-40B5-A06B-BD3A27397C93}

.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))

.

C:\Documents and Settings\PCrowther\GoToAssistDownloadHelper.exe

C:\Thumbs.db

C:\WINDOWS\system32\gebyab.dll

C:\WINDOWS\system32\mliife.dll

C:\WINDOWS\system32\tmp.reg

C:\WINDOWS\system32\vttsss.dll

.

((((((((((((((((((((((((( Files Created from 2010-08-22 to 2010-09-22 )))))))))))))))))))))))))))))))

.

2010-09-22 14:28:10 . 2010-09-22 14:28:10 -------- d-----w- C:\_OTL

2010-09-21 17:34:50 . 2010-09-21 17:34:50 -------- d-----w- C:\Documents and Settings\PCrowther\Application Data\SUPERAntiSpyware.com

2010-09-21 17:34:50 . 2010-09-21 17:34:50 -------- d-----w- C:\Documents and Settings\All Users\Application Data\SUPERAntiSpyware.com

2010-09-21 17:34:43 . 2010-09-21 17:34:58 -------- d-----w- C:\Program Files\SUPERAntiSpyware

2010-09-21 15:10:43 . 2010-04-29 19:39:38 38224 ----a-w- C:\WINDOWS\system32\drivers\mbamswissarmy.sys

2010-09-21 15:10:42 . 2010-04-29 19:39:26 20952 ----a-w- C:\WINDOWS\system32\drivers\mbam.sys

.

(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

.

2010-09-22 13:40:42 . 2007-10-16 18:52:36 -------- d-----w- C:\Program Files\LogMeIn

2010-09-21 17:35:24 . 2010-09-21 17:35:24 63488 ----a-w- C:\Documents and Settings\PCrowther\Application Data\SUPERAntiSpyware.com\SUPERAntiSpyware\SDDLLS\SD10006.dll

2010-09-21 17:35:23 . 2010-09-21 17:35:23 52224 ----a-w- C:\Documents and Settings\PCrowther\Application Data\SUPERAntiSpyware.com\SUPERAntiSpyware\SDDLLS\SD10005.dll

2010-09-21 17:35:21 . 2010-09-21 17:35:21 117760 ----a-w- C:\Documents and Settings\PCrowther\Application Data\SUPERAntiSpyware.com\SUPERAntiSpyware\SDDLLS\UIREPAIR.DLL

2010-09-21 16:01:37 . 2009-05-27 19:00:57 -------- d-----w- C:\Program Files\Malwarebytes' Anti-Malware

2010-09-16 20:37:40 . 2007-04-30 16:00:28 3222 ----a-w- C:\Documents and Settings\All Users\Application Data\Intuit\QuickBooks 2007\qbbackup.sys

2010-08-26 14:24:44 . 2010-03-04 14:38:45 -------- d-----w- C:\Program Files\QuickTime

2010-08-24 16:48:54 . 2008-09-23 19:58:44 -------- d-----w- C:\Program Files\Yahoo!

2010-08-23 16:02:06 . 2007-05-10 17:16:53 68736 -c--a-w- C:\Documents and Settings\PCrowther\Local Settings\Application Data\GDIPFONTCACHEV1.DAT

2010-08-23 16:02:01 . 2007-11-12 22:16:01 -------- d-----w- C:\Documents and Settings\PCrowther\Application Data\Apple Computer

2010-08-19 19:28:08 . 2010-05-05 19:04:12 -------- d-----w- C:\Program Files\Common Files\Roxio Shared

2010-08-19 19:28:04 . 2007-03-07 09:07:07 -------- d-----w- C:\Program Files\Common Files\InstallShield

2010-08-19 19:14:33 . 2010-05-05 18:59:31 -------- d-----w- C:\Program Files\Research In Motion

2010-08-19 14:15:59 . 2010-05-05 19:10:11 256 ----a-w- C:\WINDOWS\system32\pool.bin

2010-08-17 13:17:06 . 2006-02-28 12:00:00 58880 ----a-w- C:\WINDOWS\system32\spoolsv.exe

2010-08-05 14:43:16 . 2010-08-05 14:41:57 -------- d-----w- C:\Program Files\iTunes

2010-08-05 14:43:16 . 2010-08-05 14:41:57 -------- d-----w- C:\Documents and Settings\All Users\Application Data\{429CAD59-35B1-4DBC-BB6D-1DB246563521}

2010-08-05 14:42:22 . 2010-08-05 14:42:22 -------- d-----w- C:\Program Files\iPod

2010-08-05 14:42:16 . 2007-11-12 22:15:08 -------- d-----w- C:\Program Files\Common Files\Apple

2010-08-05 14:23:08 . 2010-08-05 14:23:07 -------- d-----w- C:\Program Files\Bonjour

2010-08-05 14:13:19 . 2010-08-05 14:13:19 73000 ----a-w- C:\Documents and Settings\All Users\Application Data\Apple Computer\Installer Cache\iTunes 9.2.1.5\SetupAdmin.exe

2010-08-05 14:11:16 . 2008-03-24 21:43:48 -------- d-----w- C:\Program Files\Safari

2010-08-05 14:09:07 . 2010-08-05 14:09:07 72488 ----a-w- C:\Documents and Settings\All Users\Application Data\Apple Computer\Installer Cache\Safari 5.33.17.8\SetupAdmin.exe

2010-08-02 15:59:22 . 2007-05-01 19:39:31 -------- d-----w- C:\Program Files\Timeslips

2010-07-22 15:49:15 . 2006-02-28 12:00:00 590848 ----a-w- C:\WINDOWS\system32\rpcrt4.dll

2010-07-22 05:57:20 . 2009-04-15 18:19:22 5120 ----a-w- C:\WINDOWS\system32\xpsp4res.dll

2010-07-20 17:36:41 . 2010-04-28 21:14:50 20 ---h--w- C:\Documents and Settings\All Users\Application Data\PKP_DLdw.DAT

2010-06-30 20:25:57 . 2010-04-28 21:09:52 20 ---h--w- C:\Documents and Settings\All Users\Application Data\PKP_DLdu.DAT

2010-06-30 12:31:35 . 2006-02-28 12:00:00 149504 ----a-w- C:\WINDOWS\system32\schannel.dll

.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))

.

.

*Note* empty entries & legit default entries are not shown

REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"TSTimer"="C:\Program Files\Timeslips\TSTimer.exe" [2006-02-01 22:52:24 2408448]

"SUPERAntiSpyware"="C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe" [2010-09-10 16:20:20 2424560]

"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2008-04-14 00:12:16 15360]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"LogMeIn GUI"="C:\Program Files\LogMeIn\x86\LogMeInSystray.exe" [2007-09-12 14:20:58 63048]

"cctray"="C:\Program Files\CA\CA Internet Security Suite\cctray\cctray.exe" [2009-08-11 13:59:13 177392]

"CAVRID"="C:\Program Files\CA\CA Internet Security Suite\CA Anti-Virus\CAVRID.exe" [2010-06-11 14:12:30 226640]

"Nikon Transfer Monitor"="C:\Program Files\Common Files\Nikon\Monitor\NkMonitor.exe" [2008-09-30 18:06:50 485208]

"iTunesHelper"="C:\Program Files\iTunes\iTunesHelper.exe" [2010-07-21 19:53:04 141608]

"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [2010-08-10 09:15:54 421888]

C:\Documents and Settings\PCrowther\Start Menu\Programs\Startup\

Adobe Gamma.lnk - C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe [2005-3-16 113664]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\

QuickBooks Update Agent.lnk - C:\Program Files\Common Files\Intuit\QuickBooks\QBUpdate\qbupdate.exe [2009-9-16 972064]

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]

"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "C:\Program Files\SUPERAntiSpyware\SASSEH.DLL" [2008-05-13 17:13:36 77824]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]

2009-09-03 22:21:41 548352 ----a-w- C:\Program Files\SUPERAntiSpyware\SASWINLO.DLL

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\LMIinit]

2010-06-09 15:30:22 87424 ----a-w- C:\WINDOWS\system32\LMIinit.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]

"RequireSignedAppInit_DLLs"=1 (0x1)

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\ComputerAssociatesAntiVirus]

"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]

"%windir%\\system32\\sessmgr.exe"=

"%windir%\\Network Diagnostic\\xpnetdiag.exe"=

"C:\\Program Files\\Activity Monitor\\swatcher.exe"=

"C:\\Program Files\\Intuit\\QuickBooks 2007\\QBDBMgrN.exe"=

"C:\\WINDOWS\\system32\\hpbspsvr.exe"=

"c:\\Program Files\\Hewlett-Packard\\HP Easy Printer Care\\HPPRun.exe"= C:\\Program Files\\Hewlett-Packard\\HP Easy Printer Care\\HPPRun.exe

"C:\\Program Files\\Bonjour\\mDNSResponder.exe"=

"C:\\Program Files\\iTunes\\iTunes.exe"=

R1 SASDIFSV;SASDIFSV;C:\Program Files\SUPERAntiSpyware\sasdifsv.sys [2/17/2010 2:25:48 PM 12872]

R1 SASKUTIL;SASKUTIL;C:\Program Files\SUPERAntiSpyware\SASKUTIL.SYS [5/10/2010 2:41:30 PM 67656]

R2 LMIInfo;LogMeIn Kernel Information Provider;C:\Program Files\LogMeIn\x86\rainfo.sys [9/12/2007 10:21:00 AM 12856]

R2 QuickBooksDB17;QuickBooksDB17;C:\PROGRA~1\Intuit\QUICKB~1\QBDBMgrN.exe -hvQuickBooksDB17 --> C:\PROGRA~1\Intuit\QUICKB~1\QBDBMgrN.exe -hvQuickBooksDB17 [?]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]

HPZ12 REG_MULTI_SZ Pml Driver HPZ12 Net Driver HPZ12

.

Contents of the 'Scheduled Tasks' folder

2010-09-16 C:\WINDOWS\Tasks\AppleSoftwareUpdate.job

- C:\Program Files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 17:34:12 . 2008-07-30 17:34:12]

2010-09-22 C:\WINDOWS\Tasks\User_Feed_Synchronization-{997F480B-F5DA-4112-93E0-A95D8A0E8ADF}.job

- C:\WINDOWS\system32\msfeedssync.exe [2006-10-17 16:58:32 . 2009-03-08 08:31:54]

.

.

------- Supplementary Scan -------

.

uInternet Connection Wizard,ShellNext = "C:\Program Files\Outlook Express\msimn.exe"

LSP: C:\WINDOWS\system32\VetRedir.dll

Trusted Zone: blogspot.com\ionarts

Trusted Zone: westlaw.com

DPF: {C7DEDA04-2FFF-4B81-AE66-0A0E0EF4AD2F} - hxxp://www.ritzpix.com/net/Uploader/LPUploader57.cab

.

- - - - ORPHANS REMOVED - - - -

Toolbar-Locked - (no file)

WebBrowser-{604BC32A-9680-40D1-9AC6-E06B23A1BA4C} - (no file)

HKCU-Run-ISUSPM - C:\Program Files\Common Files\InstallShield\UpdateService\ISUSPM.exe

HKCU-Run-qoppmjaudio - mliife.dll

HKCU-Run-hgfgffaudio - vttsss.dll

HKLM-Run-jkhfecsys - gebyab.dll

HKLM-Run-iiiiifaudio - mliife.dll

HKLM-Run-geedaaaudio - vttsss.dll

HKU-Default-Run-khigfcaudio - urpnmn.dll

HKU-Default-Run-wvtuussys - gebyab.dll

HKU-Default-Run-cbyvuuaudio - ljgfdb.dll

HKU-Default-Run-nnklmmaudio - awusqq.dll

HKU-Default-Run-ddbaxxaudio - urstsp.dll

HKU-Default-Run-xxxwwuaudio - mliife.dll

HKU-Default-Run-yaxvtuaudio - vttsss.dll


I posted the OTL.log and the Combofix log. I disabled as much of the CA Security Suite as possible, but could not access the snooze feature in safe mode. I noticed that real time scanning was disabled, but the on access scanning was still enabled. When ComboFix rebooted, it was not in safe mode, and error messages appeared, stating that there was an error loading vtsss.dll, vttsss.dll, mlife.dll, and gebyab.dll because the "specified module could not be found".

Do I need to run Combofix again? At this point, should I go back to safe mode?


Ran ComboFix again with CA Internet Security in snooze mode. The log file popped up much faster this time. Here is the second ComboFix log:

ComboFix 10-09-21.03 - PCrowther 09/22/2010 11:33:38.2.2 - x86

Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.1013.542 [GMT -4:00]

Running from: c:\documents and settings\PCrowther\Desktop\ComboFix.exe

AV: CA Anti-Virus *On-access scanning enabled* (Updated) {17CFD1EA-56CF-40B5-A06B-BD3A27397C93}

.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))

.

.

---- Previous Run -------

.

c:\documents and settings\PCrowther\GoToAssistDownloadHelper.exe

C:\Thumbs.db

c:\windows\system32\gebyab.dll

c:\windows\system32\mliife.dll

c:\windows\system32\tmp.reg

c:\windows\system32\vttsss.dll

.

((((((((((((((((((((((((( Files Created from 2010-08-22 to 2010-09-22 )))))))))))))))))))))))))))))))

.

2010-09-22 14:28 . 2010-09-22 14:28 -------- d-----w- C:\_OTL

2010-09-21 17:35 . 2010-09-21 17:35 63488 ----a-w- c:\documents and settings\PCrowther\Application Data\SUPERAntiSpyware.com\SUPERAntiSpyware\SDDLLS\SD10006.dll

2010-09-21 17:35 . 2010-09-21 17:35 52224 ----a-w- c:\documents and settings\PCrowther\Application Data\SUPERAntiSpyware.com\SUPERAntiSpyware\SDDLLS\SD10005.dll

2010-09-21 17:35 . 2010-09-21 17:35 117760 ----a-w- c:\documents and settings\PCrowther\Application Data\SUPERAntiSpyware.com\SUPERAntiSpyware\SDDLLS\UIREPAIR.DLL

2010-09-21 17:34 . 2010-09-21 17:34 -------- d-----w- c:\documents and settings\PCrowther\Application Data\SUPERAntiSpyware.com

2010-09-21 17:34 . 2010-09-21 17:34 -------- d-----w- c:\documents and settings\All Users\Application Data\SUPERAntiSpyware.com

2010-09-21 17:34 . 2010-09-21 17:34 -------- d-----w- c:\program files\SUPERAntiSpyware

2010-09-21 15:10 . 2010-04-29 19:39 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys

2010-09-21 15:10 . 2010-04-29 19:39 20952 ----a-w- c:\windows\system32\drivers\mbam.sys

.

(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

.

2010-09-22 13:40 . 2007-10-16 18:52 -------- d-----w- c:\program files\LogMeIn

2010-09-21 16:01 . 2009-05-27 19:00 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware

2010-09-16 20:37 . 2007-04-30 16:00 3222 ----a-w- c:\documents and settings\All Users\Application Data\Intuit\QuickBooks 2007\qbbackup.sys

2010-08-26 14:24 . 2010-03-04 14:38 -------- d-----w- c:\program files\QuickTime

2010-08-24 16:48 . 2008-09-23 19:58 -------- d-----w- c:\program files\Yahoo!

2010-08-23 16:02 . 2007-05-10 17:16 68736 -c--a-w- c:\documents and settings\PCrowther\Local Settings\Application Data\GDIPFONTCACHEV1.DAT

2010-08-23 16:02 . 2007-11-12 22:16 -------- d-----w- c:\documents and settings\PCrowther\Application Data\Apple Computer

2010-08-19 19:28 . 2010-05-05 19:04 -------- d-----w- c:\program files\Common Files\Roxio Shared

2010-08-19 19:28 . 2007-03-07 09:07 -------- d-----w- c:\program files\Common Files\InstallShield

2010-08-19 19:14 . 2010-05-05 18:59 -------- d-----w- c:\program files\Research In Motion

2010-08-19 14:15 . 2010-05-05 19:10 256 ----a-w- c:\windows\system32\pool.bin

2010-08-17 13:17 . 2006-02-28 12:00 58880 ----a-w- c:\windows\system32\spoolsv.exe

2010-08-05 14:43 . 2010-08-05 14:41 -------- d-----w- c:\program files\iTunes

2010-08-05 14:43 . 2010-08-05 14:41 -------- d-----w- c:\documents and settings\All Users\Application Data\{429CAD59-35B1-4DBC-BB6D-1DB246563521}

2010-08-05 14:42 . 2010-08-05 14:42 -------- d-----w- c:\program files\iPod

2010-08-05 14:42 . 2007-11-12 22:15 -------- d-----w- c:\program files\Common Files\Apple

2010-08-05 14:23 . 2010-08-05 14:23 -------- d-----w- c:\program files\Bonjour

2010-08-05 14:13 . 2010-08-05 14:13 73000 ----a-w- c:\documents and settings\All Users\Application Data\Apple Computer\Installer Cache\iTunes 9.2.1.5\SetupAdmin.exe

2010-08-05 14:11 . 2008-03-24 21:43 -------- d-----w- c:\program files\Safari

2010-08-05 14:09 . 2010-08-05 14:09 72488 ----a-w- c:\documents and settings\All Users\Application Data\Apple Computer\Installer Cache\Safari 5.33.17.8\SetupAdmin.exe

2010-08-02 15:59 . 2007-05-01 19:39 -------- d-----w- c:\program files\Timeslips

2010-07-22 15:49 . 2006-02-28 12:00 590848 ----a-w- c:\windows\system32\rpcrt4.dll

2010-07-22 05:57 . 2009-04-15 18:19 5120 ----a-w- c:\windows\system32\xpsp4res.dll

2010-07-20 17:36 . 2010-04-28 21:14 20 ---h--w- c:\documents and settings\All Users\Application Data\PKP_DLdw.DAT

2010-06-30 20:25 . 2010-04-28 21:09 20 ---h--w- c:\documents and settings\All Users\Application Data\PKP_DLdu.DAT

2010-06-30 12:31 . 2006-02-28 12:00 149504 ----a-w- c:\windows\system32\schannel.dll

.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))

.

.

*Note* empty entries & legit default entries are not shown

REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"TSTimer"="c:\program files\Timeslips\TSTimer.exe" [2006-02-01 2408448]

"ISUSPM"="c:\program files\Common Files\InstallShield\UpdateService\ISUSPM.exe" [BU]

"SUPERAntiSpyware"="c:\program files\SUPERAntiSpyware\SUPERAntiSpyware.exe" [2010-09-10 2424560]

"qoppmjaudio"="mliife.dll" [BU]

"hgfgffaudio"="vttsss.dll" [BU]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"LogMeIn GUI"="c:\program files\LogMeIn\x86\LogMeInSystray.exe" [2007-09-12 63048]

"cctray"="c:\program files\CA\CA Internet Security Suite\cctray\cctray.exe" [2009-08-11 177392]

"CAVRID"="c:\program files\CA\CA Internet Security Suite\CA Anti-Virus\CAVRID.exe" [2010-06-11 226640]

"Nikon Transfer Monitor"="c:\program files\Common Files\Nikon\Monitor\NkMonitor.exe" [2008-09-30 485208]

"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2010-07-21 141608]

"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2010-08-10 421888]

"jkhfecsys"="gebyab.dll" [BU]

"iiiiifaudio"="mliife.dll" [BU]

"geedaaaudio"="vttsss.dll" [BU]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]

"khigfcaudio"="urpnmn.dll" [BU]

"wvtuussys"="gebyab.dll" [BU]

"cbyvuuaudio"="ljgfdb.dll" [BU]

"nnklmmaudio"="awusqq.dll" [BU]

"ddbaxxaudio"="urstsp.dll" [BU]

"xxxwwuaudio"="mliife.dll" [BU]

"yaxvtuaudio"="vttsss.dll" [BU]

c:\documents and settings\PCrowther\Start Menu\Programs\Startup\

Adobe Gamma.lnk - c:\program files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe [2005-3-16 113664]

c:\documents and settings\All Users\Start Menu\Programs\Startup\

QuickBooks Update Agent.lnk - c:\program files\Common Files\Intuit\QuickBooks\QBUpdate\qbupdate.exe [2009-9-16 972064]

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]

"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "c:\program files\SUPERAntiSpyware\SASSEH.DLL" [2008-05-13 77824]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]

2009-09-03 22:21 548352 ----a-w- c:\program files\SUPERAntiSpyware\SASWINLO.DLL

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\LMIinit]

2010-06-09 15:30 87424 ----a-w- c:\windows\system32\LMIinit.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]

"RequireSignedAppInit_DLLs"=1 (0x1)

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\ComputerAssociatesAntiVirus]

"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]

"%windir%\\system32\\sessmgr.exe"=

"%windir%\\Network Diagnostic\\xpnetdiag.exe"=

"c:\\Program Files\\Activity Monitor\\swatcher.exe"=

"c:\\Program Files\\Intuit\\QuickBooks 2007\\QBDBMgrN.exe"=

"c:\\WINDOWS\\system32\\hpbspsvr.exe"=

"c:\\Program Files\\Hewlett-Packard\\HP Easy Printer Care\\HPPRun.exe"= c:\\Program Files\\Hewlett-Packard\\HP Easy Printer Care\\HPPRun.exe

"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=

"c:\\Program Files\\iTunes\\iTunes.exe"=

R1 SASDIFSV;SASDIFSV;c:\program files\SUPERAntiSpyware\sasdifsv.sys [2/17/2010 2:25 PM 12872]

R1 SASKUTIL;SASKUTIL;c:\program files\SUPERAntiSpyware\SASKUTIL.SYS [5/10/2010 2:41 PM 67656]

R2 LMIInfo;LogMeIn Kernel Information Provider;c:\program files\LogMeIn\x86\rainfo.sys [9/12/2007 10:21 AM 12856]

S2 QuickBooksDB17;QuickBooksDB17;c:\progra~1\Intuit\QUICKB~1\QBDBMgrN.exe -hvQuickBooksDB17 --> c:\progra~1\Intuit\QUICKB~1\QBDBMgrN.exe -hvQuickBooksDB17 [?]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]

HPZ12 REG_MULTI_SZ Pml Driver HPZ12 Net Driver HPZ12

.

Contents of the 'Scheduled Tasks' folder

2010-09-16 c:\windows\Tasks\AppleSoftwareUpdate.job

- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 17:34]

2010-09-22 c:\windows\Tasks\User_Feed_Synchronization-{997F480B-F5DA-4112-93E0-A95D8A0E8ADF}.job

- c:\windows\system32\msfeedssync.exe [2006-10-17 08:31]

.

.

------- Supplementary Scan -------

.

uInternet Connection Wizard,ShellNext = "c:\program files\Outlook Express\msimn.exe"

LSP: c:\windows\system32\VetRedir.dll

Trusted Zone: blogspot.com\ionarts

Trusted Zone: westlaw.com

DPF: {C7DEDA04-2FFF-4B81-AE66-0A0E0EF4AD2F} - hxxp://www.ritzpix.com/net/Uploader/LPUploader57.cab

.

- - - - ORPHANS REMOVED - - - -

Toolbar-Locked - (no file)

WebBrowser-{604BC32A-9680-40D1-9AC6-E06B23A1BA4C} - (no file)

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net

Rootkit scan 2010-09-22 11:37

Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully

hidden files: 0

**************************************************************************

.

--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}]

@Denied: (A 2) (Everyone)

@="FlashBroker"

"LocalizedString"="@c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil10i_ActiveX.exe,-101"

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\Elevation]

"Enabled"=dword:00000001

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\LocalServer32]

@="c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil10i_ActiveX.exe"

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\TypeLib]

@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"

[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}]

@Denied: (A 2) (Everyone)

@="IFlashBroker4"

[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\ProxyStubClsid32]

@="{00020424-0000-0000-C000-000000000046}"

[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\TypeLib]

@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"

"Version"="1.0"

[HKEY_LOCAL_MACHINE\software\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\IMAIL]

@DACL=(02 0000)

"Installed"="1"

@=""

[HKEY_LOCAL_MACHINE\software\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\MAPI]

@DACL=(02 0000)

"NoChange"="1"

"Installed"="1"

@=""

[HKEY_LOCAL_MACHINE\software\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\MSFS]

@DACL=(02 0000)

"Installed"="1"

@=""

.

--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(724)

c:\program files\SUPERAntiSpyware\SASWINLO.DLL

c:\windows\system32\WININET.dll

c:\windows\system32\LMIinit.dll

c:\windows\system32\LMIRfsClientNP.dll

c:\windows\system32\igfxdev.dll

- - - - - - - > 'lsass.exe'(780)

c:\windows\system32\VetRedir.dll

c:\windows\system32\ISafeIf.dll

c:\windows\system32\LMIRfsClientNP.dll

- - - - - - - > 'explorer.exe'(160)

c:\windows\system32\WININET.dll

c:\progra~1\WINDOW~2\wmpband.dll

c:\windows\system32\ieframe.dll

c:\windows\system32\webcheck.dll

c:\windows\system32\WPDShServiceObj.dll

c:\windows\system32\PortableDeviceTypes.dll

c:\windows\system32\PortableDeviceApi.dll

.

Completion time: 2010-09-22 11:39:12

ComboFix-quarantined-files.txt 2010-09-22 15:39

Pre-Run: 137,174,097,920 bytes free

Post-Run: 137,163,341,824 bytes free

- - End Of File - - 8C87645959B37A4B42EDD4B4748988AD


Please do not run anything until instructed as it can hinder the removal process.

The errors are normal: they occur because the files were removed but not their entries in the registry.

The below will remove the remnants.

Run OTL

  • Under the Custom Scans/Fixes box at the bottom, paste in the following
    :Reg
    [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "qoppmjaudio"=-
    "hgfgffaudio"=-
    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "jkhfecsys"=-
    "iiiiifaudio"=-
    "geedaaaudio"=-
    [HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
    "khigfcaudio"=-
    "wvtuussys"=-
    "cbyvuuaudio"=-
    "nnklmmaudio"=-
    "ddbaxxaudio"=-
    "xxxwwuaudio"=-
    "yaxvtuaudio"=-

    :Commands
    [emptytemp]


  • Then click the Run Fix button at the top
  • Let the program run unhindered, reboot when it is done
  • It will produce a log for you on reboot, please post that log in your next reply.

================================Malwarebytes' Anti-Malware=================================

Please update\run Malwarebytes' Anti-Malware.

Double Click the Malwarebytes Anti-Malware icon to run the application.

  • Click on the update tab then click on Check for updates.
  • If an update is found, it will download and install the latest version.
  • Once the update has loaded, go to the Scanner tab and select "Perform Full Scan", then click Scan.
  • The scan may take some time to finish, so please be patient.
  • When the scan is complete, click OK, then Show Results to view the results.
  • Make sure that everything is checked, and click Remove Selected.
  • When disinfection is completed, a log will open in Notepad and you may be prompted to Restart. (See Extra Note)
  • The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
  • Copy&Paste the entire report in your next reply.

Extra Note:

If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts. Click OK to either and let MBAM proceed with the disinfection process; if asked to restart the computer, please do so immediately.

================================Online scan=================================

* Go here to run an online scanner from ESET.

  • Note: You will need to use Internet Explorer for this scan
  • Tick the box next to YES, I accept the Terms of Use.
  • Click Start
  • When asked, allow the ActiveX control to install
  • Click Start
  • Check the following options: Remove found threats and Scan unwanted applications.
  • Click Scan
  • Wait for the scan to finish
  • Use notepad to open the logfile located at C:\Program Files\ESET\ESET Online Scanner\log.txt
  • Copy and paste that log as a reply to this topic

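The OTL fix in the post above is the hand-written form of a mechanical rule: in ComboFix's Reg Loading Points listing, a Run value whose data is a bare DLL name and that carries [BU] instead of a file date and size is an autostart entry whose loader has already been deleted, which is exactly what produces the "specified module could not be found" errors at logon. The Python below is an added example; it is not part of this thread and not a ComboFix or OTL tool. It parses a sample excerpt copied from the ComboFix log above (constructed input, with ComboFix's [BU] marker as printed by the tool, which the forum rendered as [bU]), flags those entries, and emits the same OTL :Reg script grouped by key. It assumes [BU] means ComboFix found no file behind the entry, which is how the helper reads it here; the function and class names are the example's own.

```python
import re
from typing import Dict, List, NamedTuple

# Constructed sample input: an excerpt of the "Reg Loading Points" section of the
# ComboFix log posted in this thread. ComboFix prints a file date and size for
# entries it could resolve to a file and [BU] otherwise (assumption used here).
SAMPLE_LOG = r"""
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"TSTimer"="c:\program files\Timeslips\TSTimer.exe" [2006-02-01 2408448]
"ISUSPM"="c:\program files\Common Files\InstallShield\UpdateService\ISUSPM.exe" [BU]
"SUPERAntiSpyware"="c:\program files\SUPERAntiSpyware\SUPERAntiSpyware.exe" [2010-09-10 2424560]
"qoppmjaudio"="mliife.dll" [BU]
"hgfgffaudio"="vttsss.dll" [BU]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"LogMeIn GUI"="c:\program files\LogMeIn\x86\LogMeInSystray.exe" [2007-09-12 63048]
"cctray"="c:\program files\CA\CA Internet Security Suite\cctray\cctray.exe" [2009-08-11 177392]
"jkhfecsys"="gebyab.dll" [BU]
"iiiiifaudio"="mliife.dll" [BU]
"geedaaaudio"="vttsss.dll" [BU]
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"khigfcaudio"="urpnmn.dll" [BU]
"wvtuussys"="gebyab.dll" [BU]
"cbyvuuaudio"="ljgfdb.dll" [BU]
"nnklmmaudio"="awusqq.dll" [BU]
"ddbaxxaudio"="urstsp.dll" [BU]
"xxxwwuaudio"="mliife.dll" [BU]
"yaxvtuaudio"="vttsss.dll" [BU]
"""


class RunEntry(NamedTuple):
    key: str     # registry key the value lives under
    name: str    # value name; Hiloti used random strings ending in "audio" or "sys"
    target: str  # the data: a full path, or a bare module name
    tag: str     # bracketed suffix ComboFix printed: "date size" or "BU"


KEY_RE = re.compile(r"^\[(HKEY_[^\]]+)\]$")
VALUE_RE = re.compile(r'^"([^"]+)"="([^"]*)"\s*\[([^\]]*)\]$')


def parse_run_entries(log_text: str) -> List[RunEntry]:
    """Parse the REGEDIT4-style Run listing into (key, name, target, tag) rows."""
    entries: List[RunEntry] = []
    current_key = None
    for raw in log_text.splitlines():
        line = raw.strip()
        key_match = KEY_RE.match(line)
        if key_match:
            current_key = key_match.group(1)
            continue
        value_match = VALUE_RE.match(line)
        if value_match and current_key is not None:
            name, target, tag = value_match.groups()
            entries.append(RunEntry(current_key, name, target, tag.strip()))
    return entries


def is_orphaned_loader(entry: RunEntry) -> bool:
    """A bare DLL name with no file behind it: the loader is gone, the hook is not.

    A [BU] entry with a full path (ISUSPM above) is left alone; it may simply be
    an uninstalled program's leftover and is not what caused the logon errors."""
    bare_name = "\\" not in entry.target and "/" not in entry.target
    return entry.tag.upper() == "BU" and bare_name and entry.target.lower().endswith(".dll")


def find_orphans(entries: List[RunEntry]) -> List[RunEntry]:
    return [e for e in entries if is_orphaned_loader(e)]


def build_otl_fix(orphans: List[RunEntry]) -> str:
    """Render OTL's :Reg syntax: under a [key] line, "name"=- deletes that value."""
    by_key: Dict[str, List[str]] = {}  # insertion order = order of first sighting
    for entry in orphans:
        by_key.setdefault(entry.key, []).append(entry.name)
    lines = [":Reg"]
    for key, names in by_key.items():
        lines.append(f"[{key}]")
        lines.extend(f'"{name}"=-' for name in names)
    lines += ["", ":Commands", "[emptytemp]"]
    return "\n".join(lines) + "\n"


if __name__ == "__main__":
    print(build_otl_fix(find_orphans(parse_run_entries(SAMPLE_LOG))))
```

On the excerpt this reproduces the twelve "name"=- lines of the fix above. HKEY_USERS\.DEFAULT is the hive of the LocalSystem account (SID S-1-5-18), not a template for new users, which is why Malwarebytes later reports the same seven values under both HKEY_USERS\.DEFAULT and HKEY_USERS\S-1-5-18; one deletion clears both. Run it over the whole log rather than the excerpt and review the list by hand before pasting it into OTL, since a legitimate bare-name entry whose file is missing would be flagged the same way.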

I ran Malwarebytes and OTL in safe mode. The logs are below. I updated Malwarebytes first without any errors. After it disinfected the computer, I ran it again and nothing came up. I am still in safe mode in case you want me to do something else.

Malwarebytes Log:

Malwarebytes' Anti-Malware 1.46

www.malwarebytes.org

Database version: 4672

Windows 5.1.2600 Service Pack 3

Internet Explorer 8.0.6001.18702

9/22/2010 1:40:29 PM

mbam-log-2010-09-22 (13-40-29).txt

Scan type: Full scan (C:\|)

Objects scanned: 230697

Time elapsed: 1 hour(s), 17 minute(s), 26 second(s)

Memory Processes Infected: 0

Memory Modules Infected: 0

Registry Keys Infected: 0

Registry Values Infected: 19

Registry Data Items Infected: 0

Folders Infected: 0

Files Infected: 10

Memory Processes Infected:

(No malicious items detected)

Memory Modules Infected:

(No malicious items detected)

Registry Keys Infected:

(No malicious items detected)

Registry Values Infected:

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\qoppmjaudio (Trojan.Agent) -> No action taken.

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\hgfgffaudio (Trojan.Agent) -> No action taken.

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\jkhfecsys (Trojan.Vundo) -> No action taken.

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\iiiiifaudio (Trojan.Vundo) -> No action taken.

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\geedaaaudio (Trojan.Vundo) -> No action taken.

HKEY_USERS\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\khigfcaudio (Trojan.Vundo) -> No action taken.

HKEY_USERS\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\wvtuussys (Trojan.Vundo) -> No action taken.

HKEY_USERS\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\cbyvuuaudio (Trojan.Vundo) -> No action taken.

HKEY_USERS\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\nnklmmaudio (Trojan.Vundo) -> No action taken.

HKEY_USERS\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ddbaxxaudio (Trojan.Vundo) -> No action taken.

HKEY_USERS\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\xxxwwuaudio (Trojan.Vundo) -> No action taken.

HKEY_USERS\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\yaxvtuaudio (Trojan.Vundo) -> No action taken.

HKEY_USERS\S-1-5-18\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\khigfcaudio (Trojan.Vundo) -> No action taken.

HKEY_USERS\S-1-5-18\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\wvtuussys (Trojan.Vundo) -> No action taken.

HKEY_USERS\S-1-5-18\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\cbyvuuaudio (Trojan.Vundo) -> No action taken.

HKEY_USERS\S-1-5-18\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\nnklmmaudio (Trojan.Vundo) -> No action taken.

HKEY_USERS\S-1-5-18\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ddbaxxaudio (Trojan.Vundo) -> No action taken.

HKEY_USERS\S-1-5-18\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\xxxwwuaudio (Trojan.Vundo) -> No action taken.

HKEY_USERS\S-1-5-18\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\yaxvtuaudio (Trojan.Vundo) -> No action taken.

Registry Data Items Infected:

(No malicious items detected)

Folders Infected:

(No malicious items detected)

Files Infected:

C:\Documents and Settings\PCrowther\Desktop\RKUnhookerLE.EXE (Trojan.Dropper.PGen) -> No action taken.

C:\Qoobox\Quarantine\C\WINDOWS\system32\gebyab.dll.vir (Trojan.Hiloti.Gen) -> No action taken.

C:\Qoobox\Quarantine\C\WINDOWS\system32\mliife.dll.vir (Trojan.Hiloti.Gen) -> No action taken.

C:\Qoobox\Quarantine\C\WINDOWS\system32\vttsss.dll.vir (Trojan.Hiloti.Gen) -> No action taken.

C:\_OTL\MovedFiles\09222010_102810\C_Documents and Settings\PCrowther\Application Data\Microsoft\Windows\shell.exe (Trojan.Shell) -> No action taken.

C:\_OTL\MovedFiles\09222010_102810\C_WINDOWS\system32\awusqq.dll (Trojan.Hiloti) -> No action taken.

C:\_OTL\MovedFiles\09222010_102810\C_WINDOWS\system32\gebyab.dll (Trojan.Hiloti.Gen) -> No action taken.

C:\_OTL\MovedFiles\09222010_102810\C_WINDOWS\system32\ljgfdb.dll (Trojan.Hiloti) -> No action taken.

C:\_OTL\MovedFiles\09222010_102810\C_WINDOWS\system32\urpnmn.dll (Trojan.Hiloti) -> No action taken.

C:\_OTL\MovedFiles\09222010_102810\C_WINDOWS\system32\urstsp.dll (Trojan.Hiloti) -> No action taken.

OTL Log:

All processes killed

========== REGISTRY ==========

Registry value HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\\qoppmjaudio not found.

Registry value HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\\hgfgffaudio not found.

Registry value HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\\jkhfecsys not found.

Registry value HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\\iiiiifaudio not found.

Registry value HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\\geedaaaudio not found.

Registry value HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run\\khigfcaudio not found.

Registry value HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run\\wvtuussys not found.

Registry value HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run\\cbyvuuaudio not found.

Registry value HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run\\nnklmmaudio not found.

Registry value HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run\\ddbaxxaudio not found.

Registry value HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run\\xxxwwuaudio not found.

Registry value HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run\\yaxvtuaudio not found.

========== COMMANDS ==========

[EMPTYTEMP]

User: Administrator

->Temp folder emptied: 0 bytes

->Temporary Internet Files folder emptied: 0 bytes

User: All Users

User: Default User

->Temp folder emptied: 0 bytes

->Temporary Internet Files folder emptied: 0 bytes

User: LocalService

->Temp folder emptied: 0 bytes

->Temporary Internet Files folder emptied: 32902 bytes

User: NetworkService

->Temp folder emptied: 0 bytes

->Temporary Internet Files folder emptied: 67 bytes

User: PCrowther

->Temp folder emptied: 1880816 bytes

->Temporary Internet Files folder emptied: 15084204 bytes

->Java cache emptied: 0 bytes

->Apple Safari cache emptied: 0 bytes

->Flash cache emptied: 1270 bytes

User: QBDataServiceUser17

->Temp folder emptied: 0 bytes

->Temporary Internet Files folder emptied: 0 bytes

User: quickbooks

User: RSDesign

->Temp folder emptied: 0 bytes

->Temporary Internet Files folder emptied: 0 bytes

->Flash cache emptied: 0 bytes

%systemdrive% .tmp files removed: 0 bytes

%systemroot% .tmp files removed: 0 bytes

%systemroot%\System32 .tmp files removed: 0 bytes

%systemroot%\System32\dllcache .tmp files removed: 0 bytes

%systemroot%\System32\drivers .tmp files removed: 0 bytes

Windows Temp folder emptied: 483 bytes

%systemroot%\system32\config\systemprofile\Local Settings\Temp folder emptied: 0 bytes

%systemroot%\system32\config\systemprofile\Local Settings\Temporary Internet Files folder emptied: 0 bytes

RecycleBin emptied: 0 bytes

Total Files Cleaned = 16.00 mb

OTL by OldTimer - Version 3.2.14.1 log created on 09222010_142038

Files\Folders moved on Reboot...

File\Folder C:\Documents and Settings\PCrowther\Local Settings\Temp\~DFF1BE.tmp not found!

File\Folder C:\Documents and Settings\PCrowther\Local Settings\Temp\~DFF1FB.tmp not found!

File\Folder C:\Documents and Settings\PCrowther\Local Settings\Temp\~DFF342.tmp not found!

File\Folder C:\Documents and Settings\PCrowther\Local Settings\Temp\~DFF370.tmp not found!

File\Folder C:\Documents and Settings\PCrowther\Local Settings\Temp\~DFF48A.tmp not found!

File\Folder C:\Documents and Settings\PCrowther\Local Settings\Temp\~DFF49B.tmp not found!

File\Folder C:\Documents and Settings\PCrowther\Local Settings\Temp\~DFF60C.tmp not found!

File\Folder C:\Documents and Settings\PCrowther\Local Settings\Temp\~DFF64A.tmp not found!

C:\Documents and Settings\PCrowther\Local Settings\Temporary Internet Files\Content.IE5\TF4PV5MP\index[2].htm moved successfully.

C:\Documents and Settings\PCrowther\Local Settings\Temporary Internet Files\Content.IE5\ISC513OH\iframe[2].htm moved successfully.

Registry entries deleted on Reboot...


I did remove them. The log in my previous post was from the second Malwarebytes scan (sorry). The results of the first scan, showing that the infected items were quarantined and removed, are below. Interestingly, I am in the process of running the ESET Online Scanner, and it has already picked up 6 infected items. The scan is only 33% complete. I will post the log when completed.

Malwarebytes' Anti-Malware 1.46

www.malwarebytes.org

Database version: 4672

Windows 5.1.2600 Service Pack 3

Internet Explorer 8.0.6001.18702

9/22/2010 1:40:49 PM

mbam-log-2010-09-22 (13-40-49).txt

Scan type: Full scan (C:\|)

Objects scanned: 230697

Time elapsed: 1 hour(s), 17 minute(s), 26 second(s)

Memory Processes Infected: 0

Memory Modules Infected: 0

Registry Keys Infected: 0

Registry Values Infected: 19

Registry Data Items Infected: 0

Folders Infected: 0

Files Infected: 10

Memory Processes Infected:

(No malicious items detected)

Memory Modules Infected:

(No malicious items detected)

Registry Keys Infected:

(No malicious items detected)

Registry Values Infected:

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\qoppmjaudio (Trojan.Agent) -> Quarantined and deleted successfully.

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\hgfgffaudio (Trojan.Agent) -> Quarantined and deleted successfully.

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\jkhfecsys (Trojan.Vundo) -> Quarantined and deleted successfully.

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\iiiiifaudio (Trojan.Vundo) -> Quarantined and deleted successfully.

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\geedaaaudio (Trojan.Vundo) -> Quarantined and deleted successfully.

HKEY_USERS\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\khigfcaudio (Trojan.Vundo) -> Quarantined and deleted successfully.

HKEY_USERS\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\wvtuussys (Trojan.Vundo) -> Quarantined and deleted successfully.

HKEY_USERS\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\cbyvuuaudio (Trojan.Vundo) -> Quarantined and deleted successfully.

HKEY_USERS\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\nnklmmaudio (Trojan.Vundo) -> Quarantined and deleted successfully.

HKEY_USERS\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ddbaxxaudio (Trojan.Vundo) -> Quarantined and deleted successfully.

HKEY_USERS\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\xxxwwuaudio (Trojan.Vundo) -> Quarantined and deleted successfully.

HKEY_USERS\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\yaxvtuaudio (Trojan.Vundo) -> Quarantined and deleted successfully.

HKEY_USERS\S-1-5-18\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\khigfcaudio (Trojan.Vundo) -> Quarantined and deleted successfully.

HKEY_USERS\S-1-5-18\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\wvtuussys (Trojan.Vundo) -> Quarantined and deleted successfully.

HKEY_USERS\S-1-5-18\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\cbyvuuaudio (Trojan.Vundo) -> Quarantined and deleted successfully.

HKEY_USERS\S-1-5-18\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\nnklmmaudio (Trojan.Vundo) -> Quarantined and deleted successfully.

HKEY_USERS\S-1-5-18\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ddbaxxaudio (Trojan.Vundo) -> Quarantined and deleted successfully.

HKEY_USERS\S-1-5-18\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\xxxwwuaudio (Trojan.Vundo) -> Quarantined and deleted successfully.

HKEY_USERS\S-1-5-18\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\yaxvtuaudio (Trojan.Vundo) -> Quarantined and deleted successfully.

Registry Data Items Infected:

(No malicious items detected)

Folders Infected:

(No malicious items detected)

Files Infected:

C:\Documents and Settings\PCrowther\Desktop\RKUnhookerLE.EXE (Trojan.Dropper.PGen) -> Quarantined and deleted successfully.

C:\Qoobox\Quarantine\C\WINDOWS\system32\gebyab.dll.vir (Trojan.Hiloti.Gen) -> Quarantined and deleted successfully.

C:\Qoobox\Quarantine\C\WINDOWS\system32\mliife.dll.vir (Trojan.Hiloti.Gen) -> Quarantined and deleted successfully.

C:\Qoobox\Quarantine\C\WINDOWS\system32\vttsss.dll.vir (Trojan.Hiloti.Gen) -> Quarantined and deleted successfully.

C:\_OTL\MovedFiles\09222010_102810\C_Documents and Settings\PCrowther\Application Data\Microsoft\Windows\shell.exe (Trojan.Shell) -> Quarantined and deleted successfully.

C:\_OTL\MovedFiles\09222010_102810\C_WINDOWS\system32\awusqq.dll (Trojan.Hiloti) -> Quarantined and deleted successfully.

C:\_OTL\MovedFiles\09222010_102810\C_WINDOWS\system32\gebyab.dll (Trojan.Hiloti.Gen) -> Quarantined and deleted successfully.

C:\_OTL\MovedFiles\09222010_102810\C_WINDOWS\system32\ljgfdb.dll (Trojan.Hiloti) -> Quarantined and deleted successfully.

C:\_OTL\MovedFiles\09222010_102810\C_WINDOWS\system32\urpnmn.dll (Trojan.Hiloti) -> Quarantined and deleted successfully.

C:\_OTL\MovedFiles\09222010_102810\C_WINDOWS\system32\urstsp.dll (Trojan.Hiloti) -> Quarantined and deleted successfully.


Interestingly, I am in the process of running the ESET Online Scanner, and it has already picked up 6 infected items. The scan is only 33% complete. I will post the log when completed.
OK, it is more than likely picking up what we have removed already.

Post when done and we will continue. :P


ESET Scan

C:\Backup\Data\John\eb30setup.exe probably a variant of Win32/Urlbot.NAM trojan cleaned by deleting - quarantined

C:\Backup\Data\RSDesign\Activity Monitor\activmon.zip multiple threats deleted - quarantined

C:\Backup\Data\RSDesign\Activity Monitor\activmon39full.zip probably a variant of Win32/Agent.IFSEBTQ trojan deleted - quarantined

C:\Backup\Data\RSDesign\Activity Monitor\amagent39.exe multiple threats deleted - quarantined

C:\Backup\Data\RSDesign\Activity Monitor\amonitor39.exe multiple threats deleted - quarantined

C:\Backup\Data\RSDesign\Activity Monitor\amonitor39f.exe multiple threats deleted - quarantined

C:\Documents and Settings\PCrowther\Local Settings\Application Data\Identities\{A083F69F-6654-41FB-8E87-AC983E5FC4E3}\Microsoft\Outlook Express\Deleted Items.dbx multiple threats unable to clean

C:\Documents and Settings\PCrowther\Local Settings\Application Data\Identities\{A083F69F-6654-41FB-8E87-AC983E5FC4E3}\Microsoft\Outlook Express\Inbox.dbx HTML/ScrInject.B.Gen virus unable to clean

C:\Documents and Settings\PCrowther\Local Settings\Application Data\Identities\{A083F69F-6654-41FB-8E87-AC983E5FC4E3}\Microsoft\Outlook Express\Sent Items.dbx JS/Redirector.NAV trojan unable to clean

C:\Program Files\Activity Monitor\amagent39.exe multiple threats deleted - quarantined

C:\Program Files\Activity Monitor\dconsole.dll probably a variant of Win32/Agent.GYBFUSR trojan cleaned by deleting - quarantined

C:\System Volume Information\_restore{489A8E0D-CAB0-4C31-AF4E-436F98234A01}\RP1\A0000231.exe probably a variant of Win32/Urlbot.NAM trojan cleaned by deleting - quarantined

C:\System Volume Information\_restore{489A8E0D-CAB0-4C31-AF4E-436F98234A01}\RP1\A0000232.exe multiple threats deleted - quarantined

C:\System Volume Information\_restore{489A8E0D-CAB0-4C31-AF4E-436F98234A01}\RP1\A0000233.exe multiple threats deleted - quarantined

C:\System Volume Information\_restore{489A8E0D-CAB0-4C31-AF4E-436F98234A01}\RP1\A0000234.exe multiple threats deleted - quarantined

C:\System Volume Information\_restore{489A8E0D-CAB0-4C31-AF4E-436F98234A01}\RP1\A0000237.exe multiple threats deleted - quarantined

C:\System Volume Information\_restore{489A8E0D-CAB0-4C31-AF4E-436F98234A01}\RP1\A0000238.dll probably a variant of Win32/Agent.GYBFUSR trojan cleaned by deleting - quarantined

C:\_OTL\MovedFiles\09222010_102810\C_Documents and Settings\PCrowther\Local Settings\Temp\dwm.exe Win32/Agent.RQD trojan cleaned by deleting - quarantined


Do you need to run more programs?

I see no need to do so, but you can do what you want. It would be a good idea to remove all that we have cleaned first, before doing any more scans, so at least wait until I say you are clean before running any more scanners.

First we need to address these items.

C:\Documents and Settings\PCrowther\Local Settings\Application Data\Identities\{A083F69F-6654-41FB-8E87-AC983E5FC4E3}\Microsoft\Outlook Express\Deleted Items.dbx multiple threats unable to clean
C:\Documents and Settings\PCrowther\Local Settings\Application Data\Identities\{A083F69F-6654-41FB-8E87-AC983E5FC4E3}\Microsoft\Outlook Express\Inbox.dbx HTML/ScrInject.B.Gen virus unable to clean
C:\Documents and Settings\PCrowther\Local Settings\Application Data\Identities\{A083F69F-6654-41FB-8E87-AC983E5FC4E3}\Microsoft\Outlook Express\Sent Items.dbx JS/Redirector.NAV trojan unable to clean

Each of these is in Outlook Express.

Empty the deleted items box and the sent items box.

Also go through the inbox and remove any items that appear to come from unknown sources or that may have attachments from someone you do not know.

Once that is done those threats will be gone.

Then please do the following:

  • Double click on OTL to run it. Make sure all other windows are closed and to let it run uninterrupted.
  • When the window appears, underneath Output at the top change it to Minimal Output.
  • Under the Standard Registry box change it to All.
  • Click the Run Scan button. Do not change any settings unless otherwise told to do so. The scan won't take long.
  • When the scan completes, it will open one notepad window, OTL.Txt. This is saved in the same location as OTL.
  • Please copy (Edit->Select All, Edit->Copy) the contents of this file and post it with your next reply.


Sorry for the lack of clarity - I didn't mean run other scanning programs; I meant can I use my computer for work now -- Quickbooks, etc? Or do I run the risk of screwing up more stuff?

As far as Outlook, I emptied all the files in the deleted items and sent items. I emptied almost all of the inbox just to be on the safe side. I also ran OTL. The log is below:

OTL logfile created on: 9/23/2010 12:07:58 PM - Run 2

OTL by OldTimer - Version 3.2.14.1 Folder = C:\Documents and Settings\PCrowther\Desktop

Windows XP Professional Edition Service Pack 3 (Version = 5.1.2600) - Type = NTWorkstation

Internet Explorer (Version = 8.0.6001.18702)

Locale: 00000409 | Country: United States | Language: ENU | Date Format: M/d/yyyy

1,013.00 Mb Total Physical Memory | 573.00 Mb Available Physical Memory | 57.00% Memory free

2.00 Gb Paging File | 2.00 Gb Available in Paging File | 86.00% Paging File free

Paging file location(s): C:\pagefile.sys 1524 3048 [binary data]

%SystemDrive% = C: | %SystemRoot% = C:\WINDOWS | %ProgramFiles% = C:\Program Files

Drive C: | 149.05 Gb Total Space | 127.67 Gb Free Space | 85.66% Space Free | Partition Type: NTFS

D: Drive not present or media not loaded

E: Drive not present or media not loaded

F: Drive not present or media not loaded

G: Drive not present or media not loaded

H: Drive not present or media not loaded

I: Drive not present or media not loaded

Drive N: | 149.04 Gb Total Space | 107.93 Gb Free Space | 72.42% Space Free | Partition Type: NTFS

Computer Name: BL-01

Current User Name: PCrowther

Logged in as Administrator.

Current Boot Mode: Normal

Scan Mode: Current user

Company Name Whitelist: Off

Skip Microsoft Files: Off

File Age = 30 Days

Output = Minimal

========== Processes (SafeList) ==========

PRC - C:\Documents and Settings\PCrowther\Desktop\OTL.exe (OldTimer Tools)

PRC - C:\Program Files\CA\CA Internet Security Suite\CA Anti-Virus\vetmsg.exe (CA, Inc.)

PRC - C:\Program Files\CA\CA Internet Security Suite\CA Anti-Virus\cavrid.exe (CA, Inc.)

PRC - C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe (Apple Inc.)

PRC - C:\Program Files\LogMeIn\x86\ramaint.exe (LogMeIn, Inc.)

PRC - C:\Program Files\LogMeIn\x86\LMIGuardian.exe (LogMeIn, Inc.)

PRC - C:\Program Files\Common Files\Intuit\QuickBooks\QBUpdate\qbupdate.exe (Intuit Inc.)

PRC - C:\Program Files\Common Files\Intuit\QuickBooks\QBCFMonitorService.exe (Intuit)

PRC - C:\Program Files\CA\CA Internet Security Suite\ccprovsp.exe (CA, Inc.)

PRC - C:\Program Files\CA\CA Internet Security Suite\cctray\cctray.exe (CA, Inc.)

PRC - C:\Program Files\Flip Video\FlipShare\FlipShareService.exe ()

PRC - C:\Program Files\Common Files\Nikon\Monitor\NkMonitor.exe (Nikon Corporation)

PRC - C:\WINDOWS\explorer.exe (Microsoft Corporation)

PRC - C:\Program Files\LogMeIn\x86\LogMeInSystray.exe (LogMeIn, Inc.)

PRC - C:\Program Files\LogMeIn\x86\LogMeIn.exe (LogMeIn, Inc.)

PRC - C:\Program Files\Common Files\Acronis\Schedule2\schedul2.exe (Acronis)

PRC - C:\Program Files\Intuit\QuickBooks 2007\QBDBMgrN.exe (iAnywhere Solutions, Inc.)

PRC - C:\WINDOWS\system32\stacsv.exe (SigmaTel, Inc.)

PRC - C:\Program Files\Timeslips\TSTimer.exe (Sage Software SB, Inc.)

PRC - C:\WINDOWS\system32\hpbhksrv.exe (Hewlett-Packard Company)

PRC - C:\WINDOWS\system32\hpb2ksrv.exe (Hewlett-Packard Company)

========== Modules (SafeList) ==========

MOD - C:\Documents and Settings\PCrowther\Desktop\OTL.exe (OldTimer Tools)

MOD - C:\WINDOWS\system32\msscript.ocx (Microsoft Corporation)

========== Win32 Services (SafeList) ==========

SRV - (RoxLiveShare9) -- C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxLiveShare9.exe File not found

SRV - (HidServ) -- C:\WINDOWS\System32\hidserv.dll File not found

SRV - (VETMSGNT) -- C:\Program Files\CA\CA Internet Security Suite\CA Anti-Virus\vetmsg.exe (CA, Inc.)

SRV - (Apple Mobile Device) -- C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe (Apple Inc.)

SRV - (LMIMaint) -- C:\Program Files\LogMeIn\x86\RaMaint.exe (LogMeIn, Inc.)

SRV - (QBCFMonitorService) -- C:\Program Files\Common Files\Intuit\QuickBooks\QBCFMonitorService.exe (Intuit)

SRV - (CaCCProvSP) -- C:\Program Files\CA\CA Internet Security Suite\ccprovsp.exe (CA, Inc.)

SRV - (FlipShare Service) -- C:\Program Files\Flip Video\FlipShare\FlipShareService.exe ()

SRV - (LogMeIn) -- C:\Program Files\LogMeIn\x86\LogMeIn.exe (LogMeIn, Inc.)

SRV - (CAISafe) -- C:\Program Files\CA\CA Internet Security Suite\CA Anti-Virus\isafe.exe (Computer Associates International, Inc.)

SRV - (AcrSch2Svc) -- C:\Program Files\Common Files\Acronis\Schedule2\schedul2.exe (Acronis)

SRV - (QBFCService) -- C:\Program Files\Common Files\Intuit\QuickBooks\FCS\Intuit.QuickBooks.FCS.exe (Intuit Inc.)

SRV - (QuickBooksDB17) -- C:\Program Files\Intuit\QuickBooks 2007\QBDBMgrN.exe (iAnywhere Solutions, Inc.)

SRV - (STacSV) -- C:\WINDOWS\system32\stacsv.exe (SigmaTel, Inc.)

SRV - (HP Status Print) -- C:\WINDOWS\system32\hpbhksrv.exe (Hewlett-Packard Company)

SRV - (HP Status) -- C:\WINDOWS\system32\hpb2ksrv.exe (Hewlett-Packard Company)

========== Driver Services (SafeList) ==========

DRV - (RimUsb) -- C:\WINDOWS\System32\Drivers\RimUsb.sys File not found

DRV - (catchme) -- C:\DOCUME~1\PCROWT~1\LOCALS~1\Temp\catchme.sys File not found

DRV - (LMIRfsClientNP) -- C:\WINDOWS\System32\LMIRfsClientNP.dll (LogMeIn, Inc.)

DRV - (VETEFILE) -- C:\WINDOWS\System32\drivers\vetefile.sys (Computer Associates International, Inc.)

DRV - (VETEBOOT) -- C:\WINDOWS\System32\drivers\veteboot.sys (Computer Associates International, Inc.)

DRV - (VETMONNT) -- C:\WINDOWS\System32\drivers\vetmonnt.sys (Computer Associates International, Inc.)

DRV - (VET-FILT) -- C:\WINDOWS\System32\drivers\vet-filt.sys (Computer Associates International, Inc.)

DRV - (VETFDDNT) -- C:\WINDOWS\System32\drivers\vetfddnt.sys (Computer Associates International, Inc.)

DRV - (VET-REC) -- C:\WINDOWS\System32\drivers\vet-rec.sys (Computer Associates International, Inc.)

DRV - (LMIRfsDriver) -- C:\WINDOWS\system32\drivers\LMIRfsDriver.sys (LogMeIn, Inc.)

DRV - (HDAudBus) -- C:\WINDOWS\system32\drivers\hdaudbus.sys (Windows ® Server 2003 DDK provider)

DRV - (LMIInfo) -- C:\Program Files\LogMeIn\x86\rainfo.sys (LogMeIn, Inc.)

DRV - (timounter) -- C:\WINDOWS\system32\DRIVERS\timntr.sys (Acronis)

DRV - (snapman) -- C:\WINDOWS\system32\DRIVERS\snapman.sys (Acronis)

DRV - (tifsfilter) -- C:\WINDOWS\system32\drivers\tifsfilt.sys (Acronis)

DRV - (NTIDrvr) -- C:\WINDOWS\system32\drivers\NTIDrvr.sys (NewTech Infosystems, Inc.)

DRV - (ialm) -- C:\WINDOWS\system32\drivers\igxpmp32.sys (Intel Corporation)

DRV - (STHDA) -- C:\WINDOWS\system32\drivers\sthda.sys (SigmaTel, Inc.)

DRV - (sfng32) -- C:\WINDOWS\system32\drivers\sfng32.sys (Sonic Focus, Inc)

DRV - (UBHelper) -- C:\WINDOWS\System32\drivers\UBHelper.sys ()

========== Standard Registry (All) ==========

========== Internet Explorer ==========

IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157

IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896

IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Default_Secondary_Page_URL = [binary data]

IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Extensions Off Page = about:NoAdd-ons

IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Local Page = C:\WINDOWS\system32\blank.htm

IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Page_Transitions = 1

IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896

IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Security Risk Page = about:SecurityRisk

IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157

IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Search,CustomizeSearch = http://ie.search.msn.com/{SUB_RFC1766}/srchasst/srchcust.htm

IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Search,Default_Search_URL = http://www.microsoft.com/isapi/redir.dll?p...amp;ar=iesearch

IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Search,SearchAssistant = http://ie.search.msn.com/{SUB_RFC1766}/srchasst/srchasst.htm

IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Local Page = C:\WINDOWS\system32\blank.htm

IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Page_Transitions = 1

IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Search Page = http://www.microsoft.com/isapi/redir.dll?p...amp;ar=iesearch

IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = http://www.microsoft.com/isapi/redir.dll?p...&ar=msnhome

IE - HKCU\..\URLSearchHook: {CFBFAE00-17A6-11D0-99CB-00C04FD64497} - C:\WINDOWS\system32\ieframe.dll (Microsoft Corporation)

IE - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0

FF - HKLM\software\mozilla\Firefox\extensions\\jqs@sun.com: C:\Program Files\Java\jre6\lib\deploy\jqs\ff [2009/05/22 10:34:03 | 000,000,000 | ---D | M]

FF - HKLM\software\mozilla\Firefox\extensions\\{20a82645-c095-46ed-80e3-08825760534b}: c:\WINDOWS\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\ [2009/09/02 03:00:28 | 000,000,000 | ---D | M]

O1 HOSTS File: ([2010/09/22 11:02:27 | 000,000,027 | ---- | M]) - C:\WINDOWS\system32\drivers\etc\hosts

O1 - Hosts: 127.0.0.1 localhost

O2 - BHO: (LexisNexis Practice Management Toolbar) - {00F17ECE-12DA-46A0-B541-BDE4EB7DF027} - C:\TMW8\tmietb.dll (LexisNexis, a division of Reed Elsevier Inc. )

O2 - BHO: (no name) - {02478D38-C3F9-4efb-9B51-7695ECA05670} - No CLSID value found.

O2 - BHO: (Adobe PDF Reader Link Helper) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll (Adobe Systems Incorporated)

O2 - BHO: (Google Toolbar Helper) - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll File not found

O2 - BHO: (Google Toolbar Notifier BHO) - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\3.1.807.1746\swg.dll (Google Inc.)

O2 - BHO: (MSN Toolbar Helper) - {d2ce3e00-f94a-4740-988e-03dc2f38c34f} - C:\Program Files\MSN\Toolbar\3.0.0988.2\msneshellx.dll (Microsoft Corp.)

O2 - BHO: (Java Plug-In 2 SSV Helper) - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll (Sun Microsystems, Inc.)

O2 - BHO: (JQSIEStartDetectorImpl Class) - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll (Sun Microsystems, Inc.)

O3 - HKLM\..\Toolbar: (LexisNexis Practice Management Toolbar) - {00F17ECE-12DA-46A0-B541-BDE4EB7DF027} - C:\TMW8\tmietb.dll (LexisNexis, a division of Reed Elsevier Inc. )

O3 - HKLM\..\Toolbar: (MSN Toolbar) - {1E61ED7C-7CB8-49d6-B9E9-AB4C880C8414} - C:\Program Files\MSN\Toolbar\3.0.0988.2\msneshellx.dll (Microsoft Corp.)

O3 - HKLM\..\Toolbar: (&Google) - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll File not found

O3 - HKCU\..\Toolbar\ShellBrowser: (&Address) - {01E04581-4EEE-11D0-BFE9-00AA005B4383} - C:\WINDOWS\system32\browseui.dll (Microsoft Corporation)

O3 - HKCU\..\Toolbar\WebBrowser: (&Google) - {2318C2B1-4965-11D4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll File not found

O4 - HKLM..\Run: [CAVRID] C:\Program Files\CA\CA Internet Security Suite\CA Anti-Virus\CAVRID.exe (CA, Inc.)

O4 - HKLM..\Run: [cctray] C:\Program Files\CA\CA Internet Security Suite\cctray\cctray.exe (CA, Inc.)

O4 - HKLM..\Run: [iTunesHelper] C:\Program Files\iTunes\iTunesHelper.exe (Apple Inc.)

O4 - HKLM..\Run: [LogMeIn GUI] C:\Program Files\LogMeIn\x86\LogMeInSystray.exe (LogMeIn, Inc.)

O4 - HKLM..\Run: [Nikon Transfer Monitor] C:\Program Files\Common Files\Nikon\Monitor\NkMonitor.exe (Nikon Corporation)

O4 - HKLM..\Run: [QuickTime Task] C:\Program Files\QuickTime\qttask.exe (Apple Inc.)

O4 - HKCU..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe (Microsoft Corporation)

O4 - HKCU..\Run: [iSUSPM] C:\Program Files\Common Files\InstallShield\UpdateService\ISUSPM.exe File not found

O4 - HKCU..\Run: [MSMSGS] C:\Program Files\Messenger\msmsgs.exe (Microsoft Corporation)

O4 - HKCU..\Run: [TSTimer] C:\Program Files\Timeslips\TSTimer.exe (Sage Software SB, Inc.)

O4 - Startup: C:\Documents and Settings\All Users\Start Menu\Programs\Startup\QuickBooks Update Agent.lnk = C:\Program Files\Common Files\Intuit\QuickBooks\QBUpdate\qbupdate.exe (Intuit Inc.)

O4 - Startup: C:\Documents and Settings\PCrowther\Start Menu\Programs\Startup\Adobe Gamma.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe (Adobe Systems, Inc.)

O6 - HKLM\Software\Policies\Microsoft\Internet Explorer\Restrictions present

O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: HonorAutoRunSetting = 1

O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoCDBurning = 0

O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveAutoRun = 67108863

O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 323

O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDrives = 0

O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: dontdisplaylastusername = 0

O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: shutdownwithoutlogon = 1

O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: undockwithoutlogon = 1

O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: LegalNoticeText =

O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: LegalNoticeCaption =

O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: DisableRegistryTools = 0

O7 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present

O7 - HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 323

O7 - HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveAutoRun = 67108863

O7 - HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDrives = 0

O9 - Extra Button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\Program Files\Microsoft Office\OFFICE11\REFIEBAR.DLL (Microsoft Corporation)

O9 - Extra Button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe (Microsoft Corporation)

O9 - Extra 'Tools' menuitem : Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe (Microsoft Corporation)

O10 - NameSpace_Catalog5\Catalog_Entries\000000000001 [] - C:\WINDOWS\system32\mswsock.dll (Microsoft Corporation)

O10 - NameSpace_Catalog5\Catalog_Entries\000000000002 [] - C:\WINDOWS\system32\winrnr.dll (Microsoft Corporation)

O10 - NameSpace_Catalog5\Catalog_Entries\000000000003 [] - C:\WINDOWS\system32\mswsock.dll (Microsoft Corporation)

O10 - NameSpace_Catalog5\Catalog_Entries\000000000004 [] - C:\Program Files\Bonjour\mdnsNSP.dll (Apple Inc.)

O10 - Protocol_Catalog9\Catalog_Entries\000000000001 - C:\WINDOWS\System32\VetRedir.dll (Computer Associates International, Inc.)

O10 - Protocol_Catalog9\Catalog_Entries\000000000002 - C:\WINDOWS\System32\VetRedir.dll (Computer Associates International, Inc.)

O10 - Protocol_Catalog9\Catalog_Entries\000000000003 - C:\WINDOWS\System32\VetRedir.dll (Computer Associates International, Inc.)

O10 - Protocol_Catalog9\Catalog_Entries\000000000004 - C:\WINDOWS\system32\mswsock.dll (Microsoft Corporation)

O10 - Protocol_Catalog9\Catalog_Entries\000000000005 - C:\WINDOWS\system32\mswsock.dll (Microsoft Corporation)

O10 - Protocol_Catalog9\Catalog_Entries\000000000006 - C:\WINDOWS\system32\mswsock.dll (Microsoft Corporation)

O10 - Protocol_Catalog9\Catalog_Entries\000000000007 - C:\WINDOWS\system32\rsvpsp.dll (Microsoft Corporation)

O10 - Protocol_Catalog9\Catalog_Entries\000000000008 - C:\WINDOWS\system32\rsvpsp.dll (Microsoft Corporation)

O10 - Protocol_Catalog9\Catalog_Entries\000000000009 - C:\WINDOWS\system32\mswsock.dll (Microsoft Corporation)

O10 - Protocol_Catalog9\Catalog_Entries\000000000010 - C:\WINDOWS\system32\mswsock.dll (Microsoft Corporation)

O10 - Protocol_Catalog9\Catalog_Entries\000000000011 - C:\WINDOWS\system32\mswsock.dll (Microsoft Corporation)

O10 - Protocol_Catalog9\Catalog_Entries\000000000012 - C:\WINDOWS\system32\mswsock.dll (Microsoft Corporation)

O10 - Protocol_Catalog9\Catalog_Entries\000000000013 - C:\WINDOWS\system32\mswsock.dll (Microsoft Corporation)

O10 - Protocol_Catalog9\Catalog_Entries\000000000014 - C:\WINDOWS\system32\mswsock.dll (Microsoft Corporation)

O10 - Protocol_Catalog9\Catalog_Entries\000000000015 - C:\WINDOWS\System32\VetRedir.dll (Computer Associates International, Inc.)

O15 - HKCU\..Trusted Domains: blogspot.com ([ionarts] https in Trusted sites)

O15 - HKCU\..Trusted Domains: westlaw.com ([]https in Trusted sites)

O16 - DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} http://a1540.g.akamai.net/7/1540/52/200707...ex/qtplugin.cab (QuickTime Object)

O16 - DPF: {11260943-421B-11D0-8EAC-0000C07D88CF} http://www.ipix.com/download/ipixx.cab (iPIX ActiveX Control)

O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} http://download.macromedia.com/pub/shockwa...director/sw.cab (Shockwave ActiveX Control)

O16 - DPF: {3DCEC959-378A-4922-AD7E-FD5C925D927F} http://disney.go.com/pirates/online/testAc...OnlineGames.cab (Disney Online Games ActiveX Control)

O16 - DPF: {60EFC337-15C2-4369-B2A0-3429B071D8B8} http://h50203.www5.hp.com/HPISWeb/Customer...SWebManager.CAB (Hewlett-Packard Printer Diagnostics)

O16 - DPF: {6B75345B-AA36-438A-BBE6-4078B4C6984D} http://h20270.www2.hp.com/ediags/gmn2/inst...ctDetection.cab (HpProductDetection Class)

O16 - DPF: {7530BFB8-7293-4D34-9923-61A11451AFC5} http://download.eset.com/special/eos/OnlineScanner.cab (OnlineScanner Control)

O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} http://java.sun.com/update/1.6.0/jinstall-...indows-i586.cab (Java Plug-in 1.6.0_13)

O16 - DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} http://fpdownload.macromedia.com/get/flash...t/ultrashim.cab (Reg Error: Key error.)

O16 - DPF: {A796D216-2DE1-4EA8-BABB-FE6E7C959098} http://www.hp.com/cpso-support-new/SDD/hpsddObjSigned.cab (HPSDDX Class)

O16 - DPF: {C7DEDA04-2FFF-4B81-AE66-0A0E0EF4AD2F} http://www.ritzpix.com/net/Uploader/LPUploader57.cab (Image Uploader Control)

O16 - DPF: {CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinstall-...indows-i586.cab (Java Plug-in 1.6.0_07)

O16 - DPF: {CAFEEFAC-0016-0000-0013-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinstall-...indows-i586.cab (Java Plug-in 1.6.0_13)

O16 - DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinstall-...indows-i586.cab (Java Plug-in 1.6.0_13)

O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} http://fpdownload2.macromedia.com/get/shoc...ash/swflash.cab (Shockwave Flash Object)

O16 - DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} http://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab (Reg Error: Key error.)

O16 - DPF: {E7D2588A-7FB5-47DC-8830-832605661009} http://livenj02.custhelp.com/7520-b289h/rnl/java/RntX.cab (Live Collaboration)

O16 - DPF: {EDFCB7CB-942C-4822-AF14-F0B687409848} http://www.disneyphotopass.com/software/ImageUploader4.cab (Image Uploader Control)

O16 - DPF: {F137B9BA-89EA-4B04-9C67-2074A9DF61FD} http://cvs.pnimedia.com/upload/activex/v2_...upv2.0.0.11.cab? (Photo Upload Plugin Class)

O16 - DPF: {FD0B6769-6490-4A91-AA0A-B5AE0DC75AC9} https://secure.logmein.com/activex/ractrl.cab?lmi=100 (Performance Viewer Activex Control)

O17 - HKLM\System\CCS\Services\Tcpip\Parameters: DhcpNameServer = 10.1.10.10 10.1.10.1

O18 - Protocol\Handler\about {3050F406-98B5-11CF-BB82-00AA00BDCE0B} - C:\WINDOWS\system32\mshtml.dll (Microsoft Corporation)

O18 - Protocol\Handler\cdl {3dd53d40-7b8b-11D0-b013-00aa0059ce02} - C:\WINDOWS\system32\urlmon.dll (Microsoft Corporation)

O18 - Protocol\Handler\dvd {12D51199-0DB5-46FE-A120-47A3D7D937CC} - C:\WINDOWS\system32\msvidctl.dll (Microsoft Corporation)

O18 - Protocol\Handler\file {79eac9e7-baf9-11ce-8c82-00aa004ba90b} - C:\WINDOWS\system32\urlmon.dll (Microsoft Corporation)

O18 - Protocol\Handler\ftp {79eac9e3-baf9-11ce-8c82-00aa004ba90b} - C:\WINDOWS\system32\urlmon.dll (Microsoft Corporation)

O18 - Protocol\Handler\gopher {79eac9e4-baf9-11ce-8c82-00aa004ba90b} - C:\WINDOWS\system32\urlmon.dll (Microsoft Corporation)

O18 - Protocol\Handler\HPDCS {ba135f49-a12c-4e26-a2c4-6ea945999072} - C:\Program Files\Common Files\Hewlett-Packard\HP Device Communication Services\APP\hpdcsapp.dll (Hewlett-Packard Company)

O18 - Protocol\Handler\hppfile {C4E2084B-ED27-4893-A43D-488CA3F370E2} - C:\Program Files\Hewlett-Packard\HP Easy Printer Care\HPPCtrls.dll (Hewlett-Packard Company)

O18 - Protocol\Handler\hppsam {C4E2084B-ED27-4893-A43D-488CA3F370E2} - C:\Program Files\Hewlett-Packard\HP Easy Printer Care\HPPCtrls.dll (Hewlett-Packard Company)

O18 - Protocol\Handler\hppzip {C4E2084B-ED27-4893-A43D-488CA3F370E2} - C:\Program Files\Hewlett-Packard\HP Easy Printer Care\HPPCtrls.dll (Hewlett-Packard Company)

O18 - Protocol\Handler\http {79eac9e2-baf9-11ce-8c82-00aa004ba90b} - C:\WINDOWS\system32\urlmon.dll (Microsoft Corporation)

O18 - Protocol\Handler\http\0x00000001 {E1D2BF42-A96B-11d1-9C6B-0000F875AC61} - C:\Program Files\Common Files\System\Ole DB\MSDAIPP.DLL (Microsoft Corporation)

O18 - Protocol\Handler\http\oledb {E1D2BF40-A96B-11d1-9C6B-0000F875AC61} - C:\Program Files\Common Files\System\Ole DB\MSDAIPP.DLL (Microsoft Corporation)

O18 - Protocol\Handler\https {79eac9e5-baf9-11ce-8c82-00aa004ba90b} - C:\WINDOWS\system32\urlmon.dll (Microsoft Corporation)

O18 - Protocol\Handler\https\0x00000001 {E1D2BF42-A96B-11d1-9C6B-0000F875AC61} - C:\Program Files\Common Files\System\Ole DB\MSDAIPP.DLL (Microsoft Corporation)

O18 - Protocol\Handler\https\oledb {E1D2BF40-A96B-11d1-9C6B-0000F875AC61} - C:\Program Files\Common Files\System\Ole DB\MSDAIPP.DLL (Microsoft Corporation)

O18 - Protocol\Handler\ipp - No CLSID value found

O18 - Protocol\Handler\ipp\0x00000001 {E1D2BF42-A96B-11d1-9C6B-0000F875AC61} - C:\Program Files\Common Files\System\Ole DB\MSDAIPP.DLL (Microsoft Corporation)

O18 - Protocol\Handler\its {9D148291-B9C8-11D0-A4CC-0000F80149F6} - C:\WINDOWS\system32\itss.dll (Microsoft Corporation)

O18 - Protocol\Handler\javascript {3050F3B2-98B5-11CF-BB82-00AA00BDCE0B} - C:\WINDOWS\system32\mshtml.dll (Microsoft Corporation)

O18 - Protocol\Handler\local {79eac9e7-baf9-11ce-8c82-00aa004ba90b} - C:\WINDOWS\system32\urlmon.dll (Microsoft Corporation)

O18 - Protocol\Handler\mailto {3050f3DA-98B5-11CF-BB82-00AA00BDCE0B} - C:\WINDOWS\system32\mshtml.dll (Microsoft Corporation)

O18 - Protocol\Handler\mhtml {05300401-BCBC-11d0-85E3-00C04FD85AB4} - C:\WINDOWS\system32\inetcomm.dll (Microsoft Corporation)

O18 - Protocol\Handler\mk {79eac9e6-baf9-11ce-8c82-00aa004ba90b} - C:\WINDOWS\system32\urlmon.dll (Microsoft Corporation)

O18 - Protocol\Handler\msdaipp - No CLSID value found

O18 - Protocol\Handler\msdaipp\0x00000001 {E1D2BF42-A96B-11d1-9C6B-0000F875AC61} - C:\Program Files\Common Files\System\Ole DB\MSDAIPP.DLL (Microsoft Corporation)

O18 - Protocol\Handler\msdaipp\oledb {E1D2BF40-A96B-11d1-9C6B-0000F875AC61} - C:\Program Files\Common Files\System\Ole DB\MSDAIPP.DLL (Microsoft Corporation)

O18 - Protocol\Handler\ms-its {9D148291-B9C8-11D0-A4CC-0000F80149F6} - C:\WINDOWS\system32\itss.dll (Microsoft Corporation)

O18 - Protocol\Handler\ms-itss {0A9007C0-4076-11D3-8789-0000F8105754} - C:\Program Files\Common Files\Microsoft Shared\Information Retrieval\MSITSS.DLL (Microsoft Corporation)

O18 - Protocol\Handler\mso-offdap {3D9F03FA-7A94-11D3-BE81-0050048385D1} - C:\Program Files\Common Files\Microsoft Shared\Web Components\10\OWC10.DLL (Microsoft Corporation)

O18 - Protocol\Handler\mso-offdap11 {32505114-5902-49B2-880A-1F7738E5A384} - C:\Program Files\Common Files\Microsoft Shared\Web Components\11\OWC11.DLL (Microsoft Corporation)

O18 - Protocol\Handler\res {3050F3BC-98B5-11CF-BB82-00AA00BDCE0B} - C:\WINDOWS\system32\mshtml.dll (Microsoft Corporation)

O18 - Protocol\Handler\sysimage {76E67A63-06E9-11D2-A840-006008059382} - C:\WINDOWS\system32\mshtml.dll (Microsoft Corporation)

O18 - Protocol\Handler\tv {CBD30858-AF45-11D2-B6D6-00C04FBBDE6E} - C:\WINDOWS\system32\msvidctl.dll (Microsoft Corporation)

O18 - Protocol\Handler\vbscript {3050F3B2-98B5-11CF-BB82-00AA00BDCE0B} - C:\WINDOWS\system32\mshtml.dll (Microsoft Corporation)

O18 - Protocol\Handler\wia {13F3EA8B-91D7-4F0A-AD76-D2853AC8BECE} - C:\WINDOWS\system32\wiascr.dll (Microsoft Corporation)

O18 - Protocol\Filter\application/octet-stream {1E66F26B-79EE-11D2-8710-00C04F79ED0D} - C:\WINDOWS\System32\mscoree.dll (Microsoft Corporation)

O18 - Protocol\Filter\application/x-complus {1E66F26B-79EE-11D2-8710-00C04F79ED0D} - C:\WINDOWS\System32\mscoree.dll (Microsoft Corporation)

O18 - Protocol\Filter\application/x-msdownload {1E66F26B-79EE-11D2-8710-00C04F79ED0D} - C:\WINDOWS\System32\mscoree.dll (Microsoft Corporation)

O18 - Protocol\Filter\Class Install Handler {32B533BB-EDAE-11d0-BD5A-00AA00B92AF1} - C:\WINDOWS\system32\urlmon.dll (Microsoft Corporation)

O18 - Protocol\Filter\deflate {8f6b0360-b80d-11d0-a9b3-006097942311} - C:\WINDOWS\system32\urlmon.dll (Microsoft Corporation)

O18 - Protocol\Filter\gzip {8f6b0360-b80d-11d0-a9b3-006097942311} - C:\WINDOWS\system32\urlmon.dll (Microsoft Corporation)

O18 - Protocol\Filter\lzdhtml {8f6b0360-b80d-11d0-a9b3-006097942311} - C:\WINDOWS\system32\urlmon.dll (Microsoft Corporation)

O18 - Protocol\Filter\text/webviewhtml {733AC4CB-F1A4-11d0-B951-00A0C90312E1} - C:\WINDOWS\system32\shell32.dll (Microsoft Corporation)

O18 - Protocol\Filter\text/xml {807553E5-5146-11D5-A672-00B0D022E945} - C:\Program Files\Common Files\Microsoft Shared\OFFICE11\MSOXMLMF.DLL (Microsoft Corporation)

O20 - HKLM Winlogon: Shell - (Explorer.exe) - C:\WINDOWS\explorer.exe (Microsoft Corporation)

O20 - HKLM Winlogon: UserInit - (C:\WINDOWS\system32\userinit.exe) - C:\WINDOWS\system32\userinit.exe (Microsoft Corporation)

O20 - HKLM Winlogon: UIHost - (logonui.exe) - C:\WINDOWS\System32\logonui.exe (Microsoft Corporation)

O20 - HKLM Winlogon: VMApplet - (rundll32 shell32) - C:\WINDOWS\System32\shell32.dll (Microsoft Corporation)

O20 - HKLM Winlogon: VMApplet - (Control_RunDLL "sysdm.cpl") - C:\WINDOWS\System32\sysdm.cpl (Microsoft Corporation)

O20 - Winlogon\Notify\crypt32chain: DllName - crypt32.dll - C:\WINDOWS\System32\crypt32.dll (Microsoft Corporation)

O20 - Winlogon\Notify\cryptnet: DllName - cryptnet.dll - C:\WINDOWS\System32\cryptnet.dll (Microsoft Corporation)

O20 - Winlogon\Notify\cscdll: DllName - cscdll.dll - C:\WINDOWS\System32\cscdll.dll (Microsoft Corporation)

O20 - Winlogon\Notify\dimsntfy: DllName - %SystemRoot%\System32\dimsntfy.dll - C:\WINDOWS\system32\dimsntfy.dll (Microsoft Corporation)

O20 - Winlogon\Notify\igfxcui: DllName - igfxdev.dll - C:\WINDOWS\System32\igfxdev.dll (Intel Corporation)

O20 - Winlogon\Notify\LMIinit: DllName - LMIinit.dll - C:\WINDOWS\System32\LMIinit.dll (LogMeIn, Inc.)

O20 - Winlogon\Notify\ScCertProp: DllName - wlnotify.dll - C:\WINDOWS\System32\wlnotify.dll (Microsoft Corporation)

O20 - Winlogon\Notify\Schedule: DllName - wlnotify.dll - C:\WINDOWS\System32\wlnotify.dll (Microsoft Corporation)

O20 - Winlogon\Notify\sclgntfy: DllName - sclgntfy.dll - C:\WINDOWS\System32\sclgntfy.dll (Microsoft Corporation)

O20 - Winlogon\Notify\SensLogn: DllName - WlNotify.dll - C:\WINDOWS\System32\wlnotify.dll (Microsoft Corporation)

O20 - Winlogon\Notify\termsrv: DllName - wlnotify.dll - C:\WINDOWS\System32\wlnotify.dll (Microsoft Corporation)

O20 - Winlogon\Notify\WgaLogon: DllName - WgaLogon.dll - C:\WINDOWS\System32\WgaLogon.dll (Microsoft Corporation)

O20 - Winlogon\Notify\wlballoon: DllName - wlnotify.dll - C:\WINDOWS\System32\wlnotify.dll (Microsoft Corporation)

O21 - SSODL: CDBurn - {fbeb8a05-beee-4442-804e-409d6c4515e9} - C:\WINDOWS\system32\shell32.dll (Microsoft Corporation)

O21 - SSODL: PostBootReminder - {7849596a-48ea-486e-8937-a2a3009f31a9} - C:\WINDOWS\system32\shell32.dll (Microsoft Corporation)

O21 - SSODL: SysTray - {35CEC8A3-2BE6-11D2-8773-92E220524153} - C:\WINDOWS\system32\stobject.dll (Microsoft Corporation)

O21 - SSODL: WebCheck - {E6FB5E20-DE35-11CF-9C87-00AA005127ED} - C:\WINDOWS\system32\webcheck.dll (Microsoft Corporation)

O21 - SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINDOWS\system32\WPDShServiceObj.dll (Microsoft Corporation)

O22 - SharedTaskScheduler: {438755C2-A8BA-11D1-B96B-00A0C90312E1} - Browseui preloader - C:\WINDOWS\system32\browseui.dll (Microsoft Corporation)

O22 - SharedTaskScheduler: {8C7461EF-2B13-11d2-BE35-3078302C2030} - Component Categories cache daemon - C:\WINDOWS\system32\browseui.dll (Microsoft Corporation)

O24 - Desktop WallPaper: C:\Documents and Settings\PCrowther\Local Settings\Application Data\Microsoft\Wallpaper1.bmp

O24 - Desktop BackupWallPaper: C:\Documents and Settings\PCrowther\Local Settings\Application Data\Microsoft\Wallpaper1.bmp

O28 - HKLM ShellExecuteHooks: {5AE067D3-9AFB-48E0-853A-EBB7F4A000DA} - Reg Error: Key error. File not found

O28 - HKLM ShellExecuteHooks: {AEB6717E-7E19-11d0-97EE-00C04FD91972} - C:\WINDOWS\System32\shell32.dll (Microsoft Corporation)

O29 - HKLM SecurityProviders - (msapsspc.dll) - C:\WINDOWS\System32\msapsspc.dll (Microsoft Corporation)

O29 - HKLM SecurityProviders - (schannel.dll) - C:\WINDOWS\System32\schannel.dll (Microsoft Corporation)

O29 - HKLM SecurityProviders - (digest.dll) - C:\WINDOWS\System32\digest.dll (Microsoft Corporation)

O29 - HKLM SecurityProviders - (msnsspc.dll) - C:\WINDOWS\System32\msnsspc.dll (Microsoft Corporation)

O30 - LSA: Authentication Packages - (msv1_0) - C:\WINDOWS\System32\msv1_0.dll (Microsoft Corporation)

O30 - LSA: Security Packages - (kerberos) - C:\WINDOWS\System32\kerberos.dll (Microsoft Corporation)

O30 - LSA: Security Packages - (msv1_0) - C:\WINDOWS\System32\msv1_0.dll (Microsoft Corporation)

O30 - LSA: Security Packages - (schannel) - C:\WINDOWS\System32\schannel.dll (Microsoft Corporation)

O30 - LSA: Security Packages - (wdigest) - C:\WINDOWS\System32\wdigest.dll (Microsoft Corporation)

O31 - SafeBoot: AlternateShell - cmd.exe

O32 - HKLM CDRom: AutoRun - 1

O32 - AutoRun File - [2007/03/07 09:10:48 | 000,000,050 | ---- | M] () - C:\AUTOEXEC.BAT -- [ NTFS ]

O34 - HKLM BootExecute: (autocheck autochk *) - File not found

O35 - HKLM\..comfile [open] -- "%1" %*

O35 - HKLM\..exefile [open] -- "%1" %*

O37 - HKLM\...com [@ = ComFile] -- "%1" %*

O37 - HKLM\...exe [@ = exefile] -- "%1" %*

========== Files/Folders - Created Within 30 Days ==========

[2010/09/22 16:18:51 | 000,000,000 | ---D | C] -- C:\Program Files\ESET

[2010/09/22 14:20:47 | 000,000,000 | -HSD | C] -- C:\RECYCLER

[2010/09/22 11:39:13 | 000,000,000 | ---D | C] -- C:\WINDOWS\temp

[2010/09/22 10:54:45 | 000,000,000 | RHSD | C] -- C:\cmdcons

[2010/09/22 10:52:34 | 000,212,480 | ---- | C] (SteelWerX) -- C:\WINDOWS\SWXCACLS.exe

[2010/09/22 10:52:34 | 000,161,792 | ---- | C] (SteelWerX) -- C:\WINDOWS\SWREG.exe

[2010/09/22 10:52:34 | 000,136,704 | ---- | C] (SteelWerX) -- C:\WINDOWS\SWSC.exe

[2010/09/22 10:52:34 | 000,031,232 | ---- | C] (NirSoft) -- C:\WINDOWS\NIRCMD.exe

[2010/09/22 10:52:24 | 000,000,000 | ---D | C] -- C:\WINDOWS\ERDNT

[2010/09/22 10:38:32 | 000,000,000 | ---D | C] -- C:\Qoobox

[2010/09/22 10:28:10 | 000,000,000 | ---D | C] -- C:\_OTL

[2010/09/21 13:53:57 | 000,575,488 | ---- | C] (OldTimer Tools) -- C:\Documents and Settings\PCrowther\Desktop\OTL.exe

[2010/09/21 13:34:50 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Application Data\SUPERAntiSpyware.com

[2010/09/21 11:10:43 | 000,038,224 | ---- | C] (Malwarebytes Corporation) -- C:\WINDOWS\System32\drivers\mbamswissarmy.sys

[2010/09/21 11:10:42 | 000,020,952 | ---- | C] (Malwarebytes Corporation) -- C:\WINDOWS\System32\drivers\mbam.sys

[2010/09/21 11:07:13 | 006,153,352 | ---- | C] (Malwarebytes Corporation ) -- C:\Documents and Settings\PCrowther\Desktop\mbam-setup-1.46.exe

[2009/08/27 12:23:43 | 000,118,867 | ---- | C] ( ) -- C:\WINDOWS\System32\DSLLK175.dll

========== Files - Modified Within 30 Days ==========

[2010/09/23 12:29:22 | 000,000,628 | ---- | M] () -- C:\WINDOWS\hpbafd.ini

[2010/09/23 10:35:57 | 000,013,646 | ---- | M] () -- C:\WINDOWS\System32\wpa.dbl

[2010/09/23 10:33:29 | 000,000,006 | -H-- | M] () -- C:\WINDOWS\tasks\SA.DAT

[2010/09/23 10:33:21 | 000,002,048 | --S- | M] () -- C:\WINDOWS\bootstat.dat

[2010/09/22 23:35:58 | 004,980,736 | ---- | M] () -- C:\Documents and Settings\PCrowther\ntuser.dat

[2010/09/22 23:35:58 | 000,000,278 | -HS- | M] () -- C:\Documents and Settings\PCrowther\ntuser.ini

[2010/09/22 23:35:50 | 004,840,004 | -H-- | M] () -- C:\Documents and Settings\PCrowther\Local Settings\Application Data\IconCache.db

[2010/09/22 13:47:43 | 000,000,034 | ---- | M] () -- C:\Documents and Settings\All Users\Application Data\amlistx.dat

[2010/09/22 13:47:43 | 000,000,000 | ---- | M] () -- C:\Documents and Settings\PCrowther\Application Data\amopn.dat

[2010/09/22 12:42:15 | 000,000,430 | -H-- | M] () -- C:\WINDOWS\tasks\User_Feed_Synchronization-{997F480B-F5DA-4112-93E0-A95D8A0E8ADF}.job

[2010/09/22 11:37:19 | 000,000,227 | ---- | M] () -- C:\WINDOWS\system.ini

[2010/09/22 11:02:27 | 000,000,027 | ---- | M] () -- C:\WINDOWS\System32\drivers\etc\hosts

[2010/09/22 10:54:52 | 000,000,327 | RHS- | M] () -- C:\boot.ini

[2010/09/22 10:20:24 | 003,849,240 | R--- | M] () -- C:\Documents and Settings\PCrowther\Desktop\ComboFix.exe

[2010/09/21 13:53:59 | 000,575,488 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\PCrowther\Desktop\OTL.exe

[2010/09/21 12:01:35 | 000,000,696 | ---- | M] () -- C:\Documents and Settings\All Users\Desktop\Malwarebytes' Anti-Malware.lnk

[2010/09/21 11:10:01 | 006,153,352 | ---- | M] (Malwarebytes Corporation ) -- C:\Documents and Settings\PCrowther\Desktop\mbam-setup-1.46.exe

[2010/09/16 09:33:02 | 000,000,284 | ---- | M] () -- C:\WINDOWS\tasks\AppleSoftwareUpdate.job

[2010/09/15 03:03:24 | 000,001,374 | ---- | M] () -- C:\WINDOWS\imsins.BAK

[2010/09/02 14:50:13 | 000,002,497 | ---- | M] () -- C:\Documents and Settings\PCrowther\Desktop\Microsoft Office Word 2003.lnk

[2010/08/24 12:48:57 | 000,259,840 | ---- | M] () -- C:\WINDOWS\System32\FNTCACHE.DAT

========== Files Created - No Company Name ==========

[2010/09/22 13:47:43 | 000,000,034 | ---- | C] () -- C:\Documents and Settings\All Users\Application Data\amlistx.dat

[2010/09/22 13:47:43 | 000,000,000 | ---- | C] () -- C:\Documents and Settings\PCrowther\Application Data\amopn.dat

[2010/09/22 10:54:52 | 000,000,211 | ---- | C] () -- C:\Boot.bak

[2010/09/22 10:54:47 | 000,260,272 | RHS- | C] () -- C:\cmldr

[2010/09/22 10:52:34 | 000,256,512 | ---- | C] () -- C:\WINDOWS\PEV.exe

[2010/09/22 10:52:34 | 000,098,816 | ---- | C] () -- C:\WINDOWS\sed.exe

[2010/09/22 10:52:34 | 000,080,412 | ---- | C] () -- C:\WINDOWS\grep.exe

[2010/09/22 10:52:34 | 000,077,312 | ---- | C] () -- C:\WINDOWS\MBR.exe

[2010/09/22 10:52:34 | 000,068,096 | ---- | C] () -- C:\WINDOWS\zip.exe

[2010/09/22 10:38:01 | 003,849,240 | R--- | C] () -- C:\Documents and Settings\PCrowther\Desktop\ComboFix.exe

[2010/09/21 11:10:46 | 000,000,696 | ---- | C] () -- C:\Documents and Settings\All Users\Desktop\Malwarebytes' Anti-Malware.lnk

[2010/04/28 17:29:37 | 000,000,000 | ---- | C] () -- C:\WINDOWS\ViewNX.INI

[2010/04/28 17:14:50 | 000,000,268 | RH-- | C] () -- C:\Documents and Settings\All Users\Application Data\Strings

[2010/04/28 17:14:50 | 000,000,268 | RH-- | C] () -- C:\Documents and Settings\PCrowther\Application Data\StatusSheet

[2010/04/28 17:14:50 | 000,000,020 | -H-- | C] () -- C:\Documents and Settings\All Users\Application Data\PKP_DLdw.DAT

[2010/04/28 17:14:50 | 000,000,012 | RH-- | C] () -- C:\Documents and Settings\All Users\Application Data\Synth Textures

[2010/04/28 17:09:52 | 000,000,268 | RH-- | C] () -- C:\Documents and Settings\All Users\Application Data\String Comparison

[2010/04/28 17:09:52 | 000,000,268 | RH-- | C] () -- C:\Documents and Settings\PCrowther\Application Data\StartupItems

[2010/04/28 17:09:52 | 000,000,020 | -H-- | C] () -- C:\Documents and Settings\All Users\Application Data\PKP_DLdu.DAT

[2010/04/28 17:09:52 | 000,000,012 | RH-- | C] () -- C:\Documents and Settings\All Users\Application Data\Sync Services

[2010/03/01 15:18:16 | 000,000,037 | ---- | C] () -- C:\WINDOWS\ipixActivex.ini

[2009/05/14 14:29:30 | 000,008,520 | ---- | C] () -- C:\WINDOWS\System32\ractrlkeyhook.dll

[2008/06/19 23:00:56 | 000,181,248 | ---- | C] () -- C:\WINDOWS\System32\HPEPCEnm.dll

[2008/04/22 18:02:58 | 000,163,840 | ---- | C] () -- C:\WINDOWS\System32\hppatusg01.dll

[2008/04/22 18:02:02 | 000,126,976 | ---- | C] () -- C:\WINDOWS\System32\HPDevEnm.dll

[2008/04/02 11:11:51 | 000,000,312 | ---- | C] () -- C:\Documents and Settings\All Users\Application Data\hpzinstall.log

[2008/02/19 02:33:34 | 000,446,352 | ---- | C] () -- C:\WINDOWS\System32\OpenQuicktimeLib.dll

[2008/02/06 14:28:23 | 000,030,208 | ---- | C] () -- C:\Documents and Settings\PCrowther\Local Settings\Application Data\DCBC2A71-70D8-4DAN-EHR8-E0D61DEA3FDF.ini

[2007/12/07 11:31:02 | 000,099,712 | ---- | C] () -- C:\WINDOWS\HPBroker.dll

[2007/05/24 11:41:36 | 000,029,184 | ---- | C] () -- C:\WINDOWS\System32\jfwapi.dll

[2007/05/13 19:58:44 | 000,098,304 | ---- | C] () -- C:\WINDOWS\System32\resourceGeneric.dll

[2007/05/09 17:16:19 | 000,000,022 | ---- | C] () -- C:\WINDOWS\hpjmonsv.ini

[2007/05/09 17:13:41 | 000,002,550 | ---- | C] () -- C:\WINDOWS\hpstatus.ini

[2007/05/01 15:40:56 | 000,000,448 | ---- | C] () -- C:\WINDOWS\TIMESLIP.INI

[2007/05/01 15:40:36 | 000,000,078 | ---- | C] () -- C:\WINDOWS\TSREMOTE.INI

[2007/05/01 15:40:25 | 000,244,984 | ---- | C] () -- C:\WINDOWS\System32\tutil32.dll

[2007/05/01 13:56:25 | 000,001,452 | ---- | C] () -- C:\WINDOWS\TMW80.INI

[2007/05/01 13:21:31 | 000,000,542 | ---- | C] () -- C:\WINDOWS\hpbafd.ini

[2007/03/07 12:39:08 | 000,037,888 | ---- | C] () -- C:\WINDOWS\System32\setupnt.dll

[2007/03/07 09:24:05 | 000,001,024 | RH-- | C] () -- C:\WINDOWS\System32\NTIDBD32.dll

[2007/03/07 09:11:21 | 000,001,024 | RH-- | C] () -- C:\WINDOWS\System32\NTIBUN4.dll

[2007/03/07 09:09:20 | 000,001,024 | RH-- | C] () -- C:\WINDOWS\System32\NTIMPEG2.dll

[2007/03/07 09:09:20 | 000,001,024 | RH-- | C] () -- C:\WINDOWS\System32\NTIFCD3.dll

[2007/03/07 09:09:20 | 000,001,024 | RH-- | C] () -- C:\WINDOWS\System32\NTICDMK7.dll

[2007/03/07 08:38:16 | 000,116,224 | ---- | C] () -- C:\WINDOWS\System32\pdfcmnnt.dll

[2007/03/07 05:10:45 | 000,192,512 | R--- | C] () -- C:\WINDOWS\System32\igfxCoIn_v4624.dll

[2007/03/07 05:10:44 | 000,348,880 | R--- | C] () -- C:\WINDOWS\System32\igmedkrn.dll

[2007/03/06 17:32:08 | 000,000,376 | ---- | C] () -- C:\WINDOWS\ODBC.INI

[2004/12/17 18:14:44 | 000,013,952 | ---- | C] () -- C:\WINDOWS\System32\drivers\UBHelper.sys

[2003/01/07 16:05:08 | 000,002,695 | ---- | C] () -- C:\WINDOWS\System32\OUTLPERF.INI

[2001/12/26 17:12:30 | 000,065,536 | R--- | C] () -- C:\WINDOWS\System32\multiplex_vcd.dll

[2001/09/04 00:46:38 | 000,110,592 | R--- | C] () -- C:\WINDOWS\System32\Hmpg12.dll

[2001/07/30 17:33:56 | 000,118,784 | R--- | C] () -- C:\WINDOWS\System32\HMPV2_ENC.dll

[2001/07/30 16:17:12 | 000,094,274 | ---- | C] () -- C:\WINDOWS\System32\HPBHEALR.DLL

[2001/07/23 23:04:36 | 000,118,784 | R--- | C] () -- C:\WINDOWS\System32\HMPV2_ENC_MMX.dll

========== Alternate Data Streams ==========

@Alternate Data Stream - 142 bytes -> C:\Documents and Settings\All Users\Application Data\TEMP:3D69B4B5

< End of report >


Sorry for the lack of clarity - I didn't mean run other scanning programs; I meant can I use my computer for work now -- Quickbooks, etc? Or do I run the risk of screwing up more stuff?

As far as Outlook, I emptied all the files in the deleted items and sent items. I emptied almost all of the inbox just to be on the safe side. I also ran OTL. The log is below:

OTL logfile created on: 9/23/2010 12:07:58 PM - Run 2

OTL by OldTimer - Version 3.2.14.1 Folder = C:\Documents and Settings\PCrowther\Desktop

Windows XP Professional Edition Service Pack 3 (Version = 5.1.2600) - Type = NTWorkstation

Internet Explorer (Version = 8.0.6001.18702)

Locale: 00000409 | Country: United States | Language: ENU | Date Format: M/d/yyyy

1,013.00 Mb Total Physical Memory | 573.00 Mb Available Physical Memory | 57.00% Memory free

2.00 Gb Paging File | 2.00 Gb Available in Paging File | 86.00% Paging File free

Paging file location(s): C:\pagefile.sys 1524 3048 [binary data]

%SystemDrive% = C: | %SystemRoot% = C:\WINDOWS | %ProgramFiles% = C:\Program Files

Drive C: | 149.05 Gb Total Space | 127.67 Gb Free Space | 85.66% Space Free | Partition Type: NTFS

D: Drive not present or media not loaded

E: Drive not present or media not loaded

F: Drive not present or media not loaded

G: Drive not present or media not loaded

H: Drive not present or media not loaded

I: Drive not present or media not loaded

Drive N: | 149.04 Gb Total Space | 107.93 Gb Free Space | 72.42% Space Free | Partition Type: NTFS

Computer Name: BL-01

Current User Name: PCrowther

Logged in as Administrator.

Current Boot Mode: Normal

Scan Mode: Current user

Company Name Whitelist: Off

Skip Microsoft Files: Off

File Age = 30 Days

Output = Minimal

========== Processes (SafeList) ==========

PRC - C:\Documents and Settings\PCrowther\Desktop\OTL.exe (OldTimer Tools)

PRC - C:\Program Files\CA\CA Internet Security Suite\CA Anti-Virus\vetmsg.exe (CA, Inc.)

PRC - C:\Program Files\CA\CA Internet Security Suite\CA Anti-Virus\cavrid.exe (CA, Inc.)

PRC - C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe (Apple Inc.)

PRC - C:\Program Files\LogMeIn\x86\ramaint.exe (LogMeIn, Inc.)

PRC - C:\Program Files\LogMeIn\x86\LMIGuardian.exe (LogMeIn, Inc.)

PRC - C:\Program Files\Common Files\Intuit\QuickBooks\QBUpdate\qbupdate.exe (Intuit Inc.)

PRC - C:\Program Files\Common Files\Intuit\QuickBooks\QBCFMonitorService.exe (Intuit)

PRC - C:\Program Files\CA\CA Internet Security Suite\ccprovsp.exe (CA, Inc.)

PRC - C:\Program Files\CA\CA Internet Security Suite\cctray\cctray.exe (CA, Inc.)

PRC - C:\Program Files\Flip Video\FlipShare\FlipShareService.exe ()

PRC - C:\Program Files\Common Files\Nikon\Monitor\NkMonitor.exe (Nikon Corporation)

PRC - C:\WINDOWS\explorer.exe (Microsoft Corporation)

PRC - C:\Program Files\LogMeIn\x86\LogMeInSystray.exe (LogMeIn, Inc.)

PRC - C:\Program Files\LogMeIn\x86\LogMeIn.exe (LogMeIn, Inc.)

PRC - C:\Program Files\Common Files\Acronis\Schedule2\schedul2.exe (Acronis)

PRC - C:\Program Files\Intuit\QuickBooks 2007\QBDBMgrN.exe (iAnywhere Solutions, Inc.)

PRC - C:\WINDOWS\system32\stacsv.exe (SigmaTel, Inc.)

PRC - C:\Program Files\Timeslips\TSTimer.exe (Sage Software SB, Inc.)

PRC - C:\WINDOWS\system32\hpbhksrv.exe (Hewlett-Packard Company)

PRC - C:\WINDOWS\system32\hpb2ksrv.exe (Hewlett-Packard Company)

========== Modules (SafeList) ==========

MOD - C:\Documents and Settings\PCrowther\Desktop\OTL.exe (OldTimer Tools)

MOD - C:\WINDOWS\system32\msscript.ocx (Microsoft Corporation)

========== Win32 Services (SafeList) ==========

SRV - (RoxLiveShare9) -- C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxLiveShare9.exe File not found

SRV - (HidServ) -- C:\WINDOWS\System32\hidserv.dll File not found

SRV - (VETMSGNT) -- C:\Program Files\CA\CA Internet Security Suite\CA Anti-Virus\vetmsg.exe (CA, Inc.)

SRV - (Apple Mobile Device) -- C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe (Apple Inc.)

SRV - (LMIMaint) -- C:\Program Files\LogMeIn\x86\RaMaint.exe (LogMeIn, Inc.)

SRV - (QBCFMonitorService) -- C:\Program Files\Common Files\Intuit\QuickBooks\QBCFMonitorService.exe (Intuit)

SRV - (CaCCProvSP) -- C:\Program Files\CA\CA Internet Security Suite\ccprovsp.exe (CA, Inc.)

SRV - (FlipShare Service) -- C:\Program Files\Flip Video\FlipShare\FlipShareService.exe ()

SRV - (LogMeIn) -- C:\Program Files\LogMeIn\x86\LogMeIn.exe (LogMeIn, Inc.)

SRV - (CAISafe) -- C:\Program Files\CA\CA Internet Security Suite\CA Anti-Virus\isafe.exe (Computer Associates International, Inc.)

SRV - (AcrSch2Svc) -- C:\Program Files\Common Files\Acronis\Schedule2\schedul2.exe (Acronis)

SRV - (QBFCService) -- C:\Program Files\Common Files\Intuit\QuickBooks\FCS\Intuit.QuickBooks.FCS.exe (Intuit Inc.)

SRV - (QuickBooksDB17) -- C:\Program Files\Intuit\QuickBooks 2007\QBDBMgrN.exe (iAnywhere Solutions, Inc.)

SRV - (STacSV) -- C:\WINDOWS\system32\stacsv.exe (SigmaTel, Inc.)

SRV - (HP Status Print) -- C:\WINDOWS\system32\hpbhksrv.exe (Hewlett-Packard Company)

SRV - (HP Status) -- C:\WINDOWS\system32\hpb2ksrv.exe (Hewlett-Packard Company)

========== Driver Services (SafeList) ==========

DRV - (RimUsb) -- C:\WINDOWS\System32\Drivers\RimUsb.sys File not found

DRV - (catchme) -- C:\DOCUME~1\PCROWT~1\LOCALS~1\Temp\catchme.sys File not found

DRV - (LMIRfsClientNP) -- C:\WINDOWS\System32\LMIRfsClientNP.dll (LogMeIn, Inc.)

DRV - (VETEFILE) -- C:\WINDOWS\System32\drivers\vetefile.sys (Computer Associates International, Inc.)

DRV - (VETEBOOT) -- C:\WINDOWS\System32\drivers\veteboot.sys (Computer Associates International, Inc.)

DRV - (VETMONNT) -- C:\WINDOWS\System32\drivers\vetmonnt.sys (Computer Associates International, Inc.)

DRV - (VET-FILT) -- C:\WINDOWS\System32\drivers\vet-filt.sys (Computer Associates International, Inc.)

DRV - (VETFDDNT) -- C:\WINDOWS\System32\drivers\vetfddnt.sys (Computer Associates International, Inc.)

DRV - (VET-REC) -- C:\WINDOWS\System32\drivers\vet-rec.sys (Computer Associates International, Inc.)

DRV - (LMIRfsDriver) -- C:\WINDOWS\system32\drivers\LMIRfsDriver.sys (LogMeIn, Inc.)

DRV - (HDAudBus) -- C:\WINDOWS\system32\drivers\hdaudbus.sys (Windows


Yes you can resume normal functions with the system after running this below fix.

=========

Run OTL

  • Under the Custom Scans/Fixes box at the bottom, paste in the following
    :OTL
    [2010/09/22 13:47:43 | 000,000,034 | ---- | C] () -- C:\Documents and Settings\All Users\Application Data\amlistx.dat
    [2010/09/22 13:47:43 | 000,000,000 | ---- | C] () -- C:\Documents and Settings\PCrowther\Application Data\amopn.dat


  • Then click the Run Fix button at the top
  • Let the program run unhindered; when it is done it will say "Fix Complete press ok to open log"
  • Please post that log in your next reply.

================================Follow up scan=================================

  • Double click on OTL to run it. Make sure all other windows are closed and to let it run uninterrupted.
  • When the window appears, underneath Output at the top change it to Minimal Output.
  • Under the Standard Registry box change it to All.
  • Click the Run Scan button. Do not change any settings unless otherwise told to do so. The scan won't take long.
  • When the scan completes, it will open one notepad window: OTL.Txt. This is saved in the same location as OTL.
  • Please copy (Edit->Select All, Edit->Copy) the contents of this file and post it with your next reply.


This topic is now closed to further replies.