rsvette12 Posted November 19, 2008 ID:35555

Hi: I have a bit of a problem. When Malwarebytes finds this trojan it says it took care of it, but after I restart the computer it comes back. I have manually deleted the reference to this crap in my reg and found nothing in the Windows folders that I could see, but it still comes back. Any help would be great, thank you.

Regards, Rich
JeanInMontana Posted November 19, 2008 ID:35598

Hi there rsvette12, and welcome to Malwarebytes. Make sure you're running as an administrator on the machine. Allow email from Malwarebytes.org and set your preferences in the User Control Panel to email notifications for replies to your topics. This ensures you make prompt replies back and we get you cleaned in the fastest way possible.

Please set your system to show all files:
Click Start.
Open My Computer.
Select the Tools menu and click Folder Options.
Select the View tab.
Under the Hidden files and folders heading select Show hidden files and folders.
Uncheck the Hide protected operating system files (recommended) option.
Click Yes to confirm.
Click OK.

If you haven't already, please get these programs, update and run a complete scan removing all items found.

Spybot Search & Destroy. Be sure to use the immunize feature, but do not enable TeaTimer at this time.
Open SB S&D. Make sure you are in Advanced Mode: click on the Mode link at the top of the program and then Advanced Mode.
Click on the Tools section and then Resident.
You will see two items:
1. Resident "SD helper" (Internet Explorer bad download blocker.) active
2. Resident "Tea Timer" (Protection of over-all system settings.) active.
Uncheck number 2. Leave number 1 checked always.
You can enable Tea Timer again if you wish once all special fixes have been done.

Please run a quick scan of your main drive, usually C, with MBAM, making sure you check all items found for removal. Please post that log in your next reply.

Then go here and run a scan: Panda ActiveScan. There is a full tutorial on how to do this at the top of this forum.

Post the logs from the Panda and MBAM scans please, along with a log from this program: HiJack This! You will post three logs.
1. MBAM scan.
2. Panda Active Scan.
3. HiJack This scan.
Please run and post the scans in this order.

You will finish the MBAM first, so go ahead and post that log, then move on to Panda and so forth. I will analyze the logs and give you further instructions. Be sure to set your email to allow mail from Malwarebytes.org and your personal settings to send an email on reply to your topic. This will let you know when there has been an update to your topic and you can come and see what has been said. Be patient and persistent. These things can take time and many procedures.
rsvette12 Posted November 20, 2008 Author ID:35655

Hi: Thank you for getting back to me, appreciate it. Here are 2 of the 3 logs; Panda keeps crashing, sorry. Hope these help. I have Spyware Doctor anti-virus/malware, their Registry Mechanic, Malwarebytes, Spybot; nothing can get rid of this error message. I have deleted all references to it in normal mode and safe mode; it still comes back, unbelievable. Anyway, I am running XP Pro Service Pack 3, all updates. I give up, you're my last hope, hate to rebuild this. Have also noticed AntivirusPro 2009 trying to get in a lot too. Thank you.

Regards, Rich

Malwarebytes' Anti-Malware 1.30
Database version: 1410
Windows 5.1.2600 Service Pack 3, v.3264
11/19/2008 7:05:23 PM
mbam-log-2008-11-19 (19-05-19).txt

Scan type: Quick Scan
Objects scanned: 56545
Time elapsed: 5 minute(s), 12 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 2
Registry Keys Infected: 3
Registry Values Infected: 5
Registry Data Items Infected: 2
Folders Infected: 0
Files Infected: 3

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
C:\WINDOWS\system32\kerojade.dll (Trojan.Vundo.H) -> No action taken.
c:\WINDOWS\system32\zifewiba.dll (Trojan.BHO) -> No action taken.

Registry Keys Infected:
HKEY_CLASSES_ROOT\CLSID\{ec43e3fd-5c60-46a6-97d7-e0b85dbdd6c4} (Trojan.BHO) -> No action taken.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\contim (Trojan.Vundo) -> No action taken.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\rdfa (Trojan.Vundo) -> No action taken.

Registry Values Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\d86a026c (Trojan.Vundo.H) -> No action taken.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SharedTaskScheduler\{ec43e3fd-5c60-46a6-97d7-e0b85dbdd6c4} (Trojan.BHO) -> No action taken.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\ssodl (Trojan.BHO) -> No action taken.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\cpmdb5931f0 (Trojan.Agent) -> No action taken.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\jozegebeko (Trojan.Agent) -> No action taken.

Registry Data Items Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\AppInit_DLLs (Trojan.BHO) -> Data: c:\windows\system32\zifewiba.dll -> No action taken.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\AppInit_DLLs (Trojan.BHO) -> Data: system32\zifewiba.dll -> No action taken.

Folders Infected:
(No malicious items detected)

Files Infected:
C:\WINDOWS\system32\kerojade.dll (Trojan.Vundo.H) -> No action taken.
C:\WINDOWS\system32\edajorek.ini (Trojan.Vundo.H) -> No action taken.
c:\WINDOWS\system32\zifewiba.dll (Trojan.BHO) -> No action taken.

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 8:28:42 PM, on 11/19/2008
Platform: Windows XP SP3, v.3264 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP3 (6.00.2900.3264)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Creative\Shared Files\CTAudSvc.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Creative\Shared Files\Module Loader\DLLML.exe
C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe
C:\Program Files\SyncroSoft\Pos\H2O\cledx.exe
C:\WINDOWS\system32\CTHELPER.EXE
C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe
C:\Program Files\Common Files\Logitech\G-series Software\LGDCore.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\Program Files\Spyware Doctor\pctsTray.exe
C:\WINDOWS\SYSTEM32\CTXFISPI.EXE
C:\Program Files\Registry Mechanic\RegMech.exe
C:\Program Files\Logitech\MouseWare\system\em_exec.exe
C:\Program Files\MOTU\Audio\MFWAKeys.exe
C:\Program Files\3Dconnexion\3Dconnexion 3DxSoftware\3DxWare\3dxsrv.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\WINDOWS\system32\CTsvcCDA.exe
C:\Program Files\Common Files\LightScribe\LSSrvc.exe
C:\Program Files\nHancer\nHancerService.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\Program Files\Common Files\Panda Software\PavShld\pavprsrv.exe
C:\Program Files\Spyware Doctor\pctsAuxs.exe
C:\Program Files\Spyware Doctor\pctsSvc.exe
C:\WINDOWS\system32\Pen_Tablet.exe
C:\WINDOWS\system32\WTablet\Pen_TabletUser.exe
C:\WINDOWS\system32\Pen_Tablet.exe
C:\WINDOWS\System32\alg.exe
C:\Program Files\Internet Explorer\iexplore.exe
\?\C:\WINDOWS\system32\WBEM\WMIADAP.EXE
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
C:\WINDOWS\System32\wbem\wmiprvse.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: &Yahoo! Toolbar Helper - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: (no name) - {50c21409-77a3-4b58-92b3-d5344cd391ae} - C:\WINDOWS\system32\kiratero.dll (file missing)
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O3 - Toolbar: SnagIt - {8FF5E183-ABDE-46EB-B09E-D2AAB95CABE3} - C:\Program Files\TechSmith\SnagIt 8\SnagItIEAddin.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O4 - HKLM\..\Run: [Logitech Utility] Logi_MwX.Exe
O4 - HKLM\..\Run: [AudioDrvEmulator] "C:\Program Files\Creative\Shared Files\Module Loader\DLLML.exe" -1 AudioDrvEmulator "C:\Program Files\Creative\Shared Files\Module Loader\Audio Emulator\AudDrvEm.dll"
O4 - HKLM\..\Run: [updReg] C:\WINDOWS\UpdReg.EXE
O4 - HKLM\..\Run: [RemoteControl] "C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe"
O4 - HKLM\..\Run: [H2O] "C:\Program Files\SyncroSoft\Pos\H2O\cledx.exe"
O4 - HKLM\..\Run: [NeroFilterCheck] "C:\Program Files\Common Files\Ahead\Lib\NeroCheck.exe"
O4 - HKLM\..\Run: [CTHelper] CTHELPER.EXE
O4 - HKLM\..\Run: [sunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe"
O4 - HKLM\..\Run: [Launch LGDCore] "C:\Program Files\Common Files\Logitech\G-series Software\LGDCore.exe" /SHOWHIDE
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [iSTray] "C:\Program Files\Spyware Doctor\pctsTray.exe"
O4 - HKLM\..\Run: [jozegebeko] Rundll32.exe "C:\WINDOWS\system32\soziredo.dll",s
O4 - HKCU\..\Run: [RegistryMechanic] C:\Program Files\Registry Mechanic\RegMech.exe /H
O4 - HKUS\S-1-5-19\..\Run: [jozegebeko] Rundll32.exe "C:\WINDOWS\system32\soziredo.dll",s (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [jozegebeko] Rundll32.exe "C:\WINDOWS\system32\soziredo.dll",s (User 'NETWORK SERVICE')
O4 - Global Startup: MOTU Pedal Handler.lnk = C:\Program Files\MOTU\Audio\MFWAKeys.exe
O4 - Global Startup: Start 3DxWare.lnk = C:\Program Files\3Dconnexion\3Dconnexion 3DxSoftware\3DxWare\3dxsrv.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {0EC4C9E3-EC6A-11CF-8E3B-444553540000} (WaveTab Control) - http://www.riffinteractive.com/setup/RiffLick.cab
O16 - DPF: {2D8ED06D-3C30-438B-96AE-4D110FDC1FB8} (ActiveScan 2.0 Installer Class) - http://acs.pandasoftware.com/activescan/cabs/as2stubie.cab
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (Installation Support) - C:\Program Files\Yahoo!\Common\Yinsthelper.dll
O16 - DPF: {39B0684F-D7BF-4743-B050-FDC3F48F7E3B} - http://www.fileplanet.com/fpdlmgr/cabs/FPDC_2.3.6.108.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/...b?1224845859562
O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} (Java Runtime Environment 1.6.0) - http://javadl.sun.com/webapps/download/AutoDL?BundleId=23100
O16 - DPF: {CF40ACC5-E1BB-4AFF-AC72-04C2F616BCA7} (get_atlcom Class) - http://www.adobe.com/products/acrobat/nos/gp.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload.adobe.com/pub/shockwave/...ash/swflash.cab
O16 - DPF: {E8F628B5-259A-4734-97EE-BA914D7BE941} (Driver Agent ActiveX Control) - http://plugin.driveragent.com/files/driveragent.cab
O16 - DPF: {F6ACF75C-C32C-447B-9BEF-46B766368D29} (Creative Software AutoUpdate Support Package) - http://www.creative.com/softwareupdate/su2...15035/CTPID.cab
O20 - AppInit_DLLs: karna.dats wizard C:\WINDOWS\system32\jahasike.dll
O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\system32\CTsvcCDA.exe
O23 - Service: Creative Audio Service (CTAudSvcService) - Creative Technology Ltd - C:\Program Files\Creative\Shared Files\CTAudSvc.exe
O23 - Service: digiSPTIService - Unknown owner - C:\Program Files\Digidesign\Pro Tools\digiSPTIService.exe (file missing)
O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - C:\Program Files\Common Files\LightScribe\LSSrvc.exe
O23 - Service: NBService - Nero AG - C:\Program Files\Nero\Nero 7\Nero BackItUp\NBService.exe
O23 - Service: nHancer Support (nHancer) - KSE - Kornd
JeanInMontana Posted November 21, 2008 ID:35784

OK, skip Panda. You're not taking action with MBAM. You must remove the items it finds. Update MBAM and quick scan again, be sure to take action, post that log and a new HJT log.
rsvette12 Posted November 21, 2008 Author ID:35797

Hi Jean: Did what you asked and still have the problem. Thank you for your time. One question: do I delete the quarantined items or leave them? Here are the latest logs. I still have the original screenshot message posted above; it just seems to be hidden somewhere, probably under another name, not sure. Thank you.

Malwarebytes' Anti-Malware 1.30
Database version: 1414
Windows 5.1.2600 Service Pack 3, v.3264
11/20/2008 7:51:05 PM
mbam-log-2008-11-20 (19-51-05).txt

Scan type: Quick Scan
Objects scanned: 47650
Time elapsed: 3 minute(s), 35 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 2
Registry Keys Infected: 3
Registry Values Infected: 5
Registry Data Items Infected: 2
Folders Infected: 0
Files Infected: 5

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
C:\WINDOWS\system32\fonemike.dll (Trojan.Vundo.H) -> Delete on reboot.
c:\WINDOWS\system32\newuwiyo.dll (Trojan.BHO) -> Delete on reboot.

Registry Keys Infected:
HKEY_CLASSES_ROOT\CLSID\{ec43e3fd-5c60-46a6-97d7-e0b85dbdd6c4} (Trojan.BHO) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\contim (Trojan.Vundo) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\rdfa (Trojan.Vundo) -> Quarantined and deleted successfully.

Registry Values Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\d86a026c (Trojan.Vundo.H) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SharedTaskScheduler\{ec43e3fd-5c60-46a6-97d7-e0b85dbdd6c4} (Trojan.BHO) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\ssodl (Trojan.BHO) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\cpmdb5931f0 (Trojan.Agent) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\jozegebeko (Trojan.Agent) -> Quarantined and deleted successfully.

Registry Data Items Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\AppInit_DLLs (Trojan.BHO) -> Data: c:\windows\system32\newuwiyo.dll -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\AppInit_DLLs (Trojan.BHO) -> Data: system32\newuwiyo.dll -> Quarantined and deleted successfully.

Folders Infected:
(No malicious items detected)

Files Infected:
C:\WINDOWS\system32\fonemike.dll (Trojan.Vundo.H) -> Delete on reboot.
C:\WINDOWS\system32\ekimenof.ini (Trojan.Vundo.H) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\lehelojo.dll (Trojan.Vundo.H) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\ojolehel.ini (Trojan.Vundo.H) -> Quarantined and deleted successfully.
c:\WINDOWS\system32\newuwiyo.dll (Trojan.BHO) -> Delete on reboot.

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 7:53:34 PM, on 11/20/2008
Platform: Windows XP SP3, v.3264 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP3 (6.00.2900.3264)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Creative\Shared Files\CTAudSvc.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Creative\Shared Files\Module Loader\DLLML.exe
C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe
C:\Program Files\SyncroSoft\Pos\H2O\cledx.exe
C:\WINDOWS\system32\CTHELPER.EXE
C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe
C:\Program Files\Common Files\Logitech\G-series Software\LGDCore.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\Program Files\Spyware Doctor\pctsTray.exe
C:\Program Files\Logitech\MouseWare\system\em_exec.exe
C:\Program Files\Registry Mechanic\RegMech.exe
C:\WINDOWS\SYSTEM32\CTXFISPI.EXE
C:\Program Files\MOTU\Audio\MFWAKeys.exe
C:\Program Files\3Dconnexion\3Dconnexion 3DxSoftware\3DxWare\3dxsrv.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\WINDOWS\system32\CTsvcCDA.exe
C:\Program Files\Common Files\LightScribe\LSSrvc.exe
C:\Program Files\nHancer\nHancerService.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\Program Files\Common Files\Panda Software\PavShld\pavprsrv.exe
C:\Program Files\Spyware Doctor\pctsAuxs.exe
C:\Program Files\Spyware Doctor\pctsSvc.exe
C:\WINDOWS\system32\Pen_Tablet.exe
C:\WINDOWS\system32\WTablet\Pen_TabletUser.exe
C:\WINDOWS\system32\Pen_Tablet.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
C:\WINDOWS\System32\alg.exe
C:\WINDOWS\System32\wbem\wmiprvse.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://m.www.yahoo.com/
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: &Yahoo! Toolbar Helper - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: (no name) - {50c21409-77a3-4b58-92b3-d5344cd391ae} - C:\WINDOWS\system32\kiratero.dll (file missing)
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O3 - Toolbar: SnagIt - {8FF5E183-ABDE-46EB-B09E-D2AAB95CABE3} - C:\Program Files\TechSmith\SnagIt 8\SnagItIEAddin.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O4 - HKLM\..\Run: [Logitech Utility] Logi_MwX.Exe
O4 - HKLM\..\Run: [AudioDrvEmulator] "C:\Program Files\Creative\Shared Files\Module Loader\DLLML.exe" -1 AudioDrvEmulator "C:\Program Files\Creative\Shared Files\Module Loader\Audio Emulator\AudDrvEm.dll"
O4 - HKLM\..\Run: [updReg] C:\WINDOWS\UpdReg.EXE
O4 - HKLM\..\Run: [RemoteControl] "C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe"
O4 - HKLM\..\Run: [H2O] "C:\Program Files\SyncroSoft\Pos\H2O\cledx.exe"
O4 - HKLM\..\Run: [NeroFilterCheck] "C:\Program Files\Common Files\Ahead\Lib\NeroCheck.exe"
O4 - HKLM\..\Run: [CTHelper] CTHELPER.EXE
O4 - HKLM\..\Run: [sunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe"
O4 - HKLM\..\Run: [Launch LGDCore] "C:\Program Files\Common Files\Logitech\G-series Software\LGDCore.exe" /SHOWHIDE
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [iSTray] "C:\Program Files\Spyware Doctor\pctsTray.exe"
O4 - HKLM\..\Run: [jozegebeko] Rundll32.exe "C:\WINDOWS\system32\soziredo.dll",s
O4 - HKCU\..\Run: [RegistryMechanic] C:\Program Files\Registry Mechanic\RegMech.exe /H
O4 - HKUS\S-1-5-19\..\Run: [jozegebeko] Rundll32.exe "C:\WINDOWS\system32\soziredo.dll",s (User 'LOCAL SERVICE')
O4 - Global Startup: MOTU Pedal Handler.lnk = C:\Program Files\MOTU\Audio\MFWAKeys.exe
O4 - Global Startup: Start 3DxWare.lnk = C:\Program Files\3Dconnexion\3Dconnexion 3DxSoftware\3DxWare\3dxsrv.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {0EC4C9E3-EC6A-11CF-8E3B-444553540000} (WaveTab Control) - http://www.riffinteractive.com/setup/RiffLick.cab
O16 - DPF: {2D8ED06D-3C30-438B-96AE-4D110FDC1FB8} (ActiveScan 2.0 Installer Class) - http://acs.pandasoftware.com/activescan/cabs/as2stubie.cab
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (Installation Support) - C:\Program Files\Yahoo!\Common\Yinsthelper.dll
O16 - DPF: {39B0684F-D7BF-4743-B050-FDC3F48F7E3B} - http://www.fileplanet.com/fpdlmgr/cabs/FPDC_2.3.6.108.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/...b?1224845859562
O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} (Java Runtime Environment 1.6.0) - http://javadl.sun.com/webapps/download/AutoDL?BundleId=23100
O16 - DPF: {CF40ACC5-E1BB-4AFF-AC72-04C2F616BCA7} (get_atlcom Class) - http://www.adobe.com/products/acrobat/nos/gp.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload.adobe.com/pub/shockwave/...ash/swflash.cab
O16 - DPF: {E8F628B5-259A-4734-97EE-BA914D7BE941} (Driver Agent ActiveX Control) - http://plugin.driveragent.com/files/driveragent.cab
O16 - DPF: {F6ACF75C-C32C-447B-9BEF-46B766368D29} (Creative Software AutoUpdate Support Package) - http://www.creative.com/softwareupdate/su2...15035/CTPID.cab
O20 - AppInit_DLLs: karna.dats wizard C:\WINDOWS\system32\jahasike.dll
O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\system32\CTsvcCDA.exe
O23 - Service: Creative Audio Service (CTAudSvcService) - Creative Technology Ltd - C:\Program Files\Creative\Shared Files\CTAudSvc.exe
O23 - Service: digiSPTIService - Unknown owner - C:\Program Files\Digidesign\Pro Tools\digiSPTIService.exe (file missing)
O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - C:\Program Files\Common Files\LightScribe\LSSrvc.exe
O23 - Service: NBService - Nero AG - C:\Program Files\Nero\Nero 7\Nero BackItUp\NBService.exe
O23 - Service: nHancer Support (nHancer) - KSE - Kornd
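The two scans above show why name-based removal was not sticking: the Vundo-family DLLs changed names between runs (kerojade/zifewiba on 11/19, fonemike/newuwiyo on 11/20) while the load points stayed the same: HKLM Run values, the same Run value replicated under the LOCAL SERVICE and NETWORK SERVICE hives, a BHO CLSID, SharedTaskScheduler, ShellServiceObjectDelayLoad, and AppInit_DLLs, which is loaded into every process that loads user32.dll and is therefore in use until reboot. The script below is an added example, not part of this thread or of Malwarebytes' or HijackThis' own tooling. It triages a HijackThis log by load point rather than by file name, so it would keep flagging the entries here even as the DLLs get renamed. The sample log lines are constructed from the shape of the log posted above (with benign entries kept as controls), and the eight-lowercase-letter name heuristic is an assumption chosen to fit this thread's file names, not a vendor signature.

```python
import re
from dataclasses import dataclass

# Constructed sample: a handful of lines in the shape of the HijackThis log
# posted in this thread (benign entries are included as controls).
SAMPLE_HJT_LOG = r"""
O2 - BHO: &Yahoo! Toolbar Helper - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: (no name) - {50c21409-77a3-4b58-92b3-d5344cd391ae} - C:\WINDOWS\system32\kiratero.dll (file missing)
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [jozegebeko] Rundll32.exe "C:\WINDOWS\system32\soziredo.dll",s
O4 - HKUS\S-1-5-19\..\Run: [jozegebeko] Rundll32.exe "C:\WINDOWS\system32\soziredo.dll",s (User 'LOCAL SERVICE')
O20 - AppInit_DLLs: karna.dats wizard C:\WINDOWS\system32\jahasike.dll
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
"""

# Any full path under system32; group 1 is the whole path, group 2 the file name.
SYSTEM32_PATH = re.compile(r"(c:\\windows\\system32\\([a-z0-9_.-]+))", re.IGNORECASE)

# Heuristic (an assumption for this example, not a vendor signature): the DLLs
# in this thread are eight lowercase letters with no vendor-style prefix, and
# the names change on every reboot, so the shape of the name is what to match.
RANDOM_DLL = re.compile(r"^[a-z]{8}\.dll$")

# "O4 - HKLM\..\Run: ..." -> section "O4", body "HKLM\..\Run: ..."
HJT_LINE = re.compile(r"^(O\d+|R\d|F\d) - (.*)$")


@dataclass
class Finding:
    section: str   # HijackThis section, e.g. O4, O20
    reason: str
    line: str      # the full log line the finding came from


def system32_files(text):
    """Return (full_path, lower-cased file name) for every system32 path in text."""
    return [(m.group(1), m.group(2).lower()) for m in SYSTEM32_PATH.finditer(text)]


def triage_hjt(log_text):
    """Flag the load points that kept surviving the cleanup in this thread."""
    findings = []
    for raw in log_text.splitlines():
        line = raw.strip()
        m = HJT_LINE.match(line)
        if not m:
            continue
        section, body = m.groups()
        for _, name in system32_files(body):
            if RANDOM_DLL.match(name):
                findings.append(Finding(section, f"random-looking DLL in system32: {name}", line))
        if section == "O2" and "(file missing)" in body:
            # The registry half of a BHO whose DLL has already been removed.
            findings.append(Finding(section, "BHO CLSID points at a missing file", line))
        if section == "O20" and body.startswith("AppInit_DLLs:"):
            # AppInit_DLLs is mapped into every process that loads user32.dll,
            # which is why the file stays in use and can only go on reboot.
            value = body[len("AppInit_DLLs:"):].strip()
            if value:
                findings.append(Finding(section, f"AppInit_DLLs is set: {value}", line))
    return findings


def suspect_files(log_text):
    """Unique lower-cased paths of the flagged DLLs: the files to locate and submit."""
    paths = set()
    for raw in log_text.splitlines():
        for path, name in system32_files(raw):
            if RANDOM_DLL.match(name):
                paths.add(path.lower())
    return sorted(paths)


if __name__ == "__main__":
    for f in triage_hjt(SAMPLE_HJT_LOG):
        print(f"{f.section:>4}  {f.reason}")
    print("files to locate:", *suspect_files(SAMPLE_HJT_LOG), sep="\n  ")
```

Run against the full log posted above, `suspect_files` gives the short list of paths worth checking with `dir /a` (hidden and system attributes included) before concluding, as the poster did later in the thread, that a file "does not show up"; `triage_hjt` is where a sweep of the remaining load points (SharedTaskScheduler, SSODL) would be added if the MBAM log were parsed the same way.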
JeanInMontana Posted November 21, 2008 ID:35800

When the log says "Delete on reboot", as it does for several items in your MBAM log, you must do that. Reboot the machine, quick scan again, post that log and a new HJT.
rsvette12 Posted November 21, 2008 Author ID:35808

Truly appreciate your help, but I have done the scan and the reboot at least 10 times and it keeps coming back after reboot. Something is putting it back in after a reboot? Thank you.

Regards, Rich
rsvette12 Posted November 21, 2008 Author ID:35918

Any chance of some more help? Thank you.

Regards, Rich
JeanInMontana Posted November 21, 2008 ID:35948

You need to do what I asked for. Update MBAM, run a quick scan. Reboot when it asks for that. Post the log and a new HJT log.

Please find this file, C:\WINDOWS\system32\jahasike.dll, and attach it in a zipped folder here in a new topic you start; link back to your thread here in the HJT forum please.
rsvette12 Posted November 21, 2008 Author ID:35974

Hi: "Update MBAM", are you talking about the program or the definitions? I have done both, and did a search for that file; it does not show up. I have "show all hidden files" on, so not sure what's next. Thank you.

Regards, Rich
rsvette12 Posted November 22, 2008 Author ID:36055

Found the problem: a file called Runas.exe found in the Windows system folder was the culprit. Took me a while, but I found the piece of crap. Hope this helps someone else. Thank you.

Regards, Rich
JeanInMontana Posted November 22, 2008 ID:36077

You did what? Did you upload the file? Stuff in the Windows folder can be malware, but it is your system. You need to know what you're doing there, and that is why we test before we delete.

When I say update MBAM, I mean click on the button that says UPDATE. It will update anything there is to update. You haven't shown me the logs I requested and I have no idea what you have done. I need you to do what is requested, and take no action on your own.