slyew Posted December 17, 2008 ID:40391 Share Posted December 17, 2008 Here is my Malwarebytes log:Malwarebytes' Anti-Malware 1.31Database version: 1456Windows 5.1.2600 Service Pack 212/16/2008 10:21:16 AMmbam-log-2008-12-16 (10-21-16).txtScan type: Full Scan (C:\|D:\|R:\|)Objects scanned: 232080Time elapsed: 45 minute(s), 46 second(s)Memory Processes Infected: 0Memory Modules Infected: 0Registry Keys Infected: 5Registry Values Infected: 1Registry Data Items Infected: 0Folders Infected: 0Files Infected: 0Memory Processes Infected:(No malicious items detected)Memory Modules Infected:(No malicious items detected)Registry Keys Infected:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{a6fe5d7e-17c5-462f-9d5a-9cf2ebaf1c0a} (Trojan.Vundo.H) -> Quarantined and deleted successfully.HKEY_CLASSES_ROOT\CLSID\{a6fe5d7e-17c5-462f-9d5a-9cf2ebaf1c0a} (Trojan.Vundo.H) -> Quarantined and deleted successfully.HKEY_CLASSES_ROOT\CLSID\{ec43e3fd-5c60-46a6-97d7-e0b85dbdd6c4} (Trojan.BHO) -> Delete on reboot.HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\contim (Trojan.Vundo) -> Quarantined and deleted successfully.HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\rdfa (Trojan.Vundo) -> Quarantined and deleted successfully.Registry Values Infected:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\zoyobukeno (Trojan.Vundo.H) -> Quarantined and deleted successfully.Registry Data Items Infected:(No malicious items detected)Folders Infected:(No malicious items detected)Files Infected:(No malicious items detected)*********************My Hijack this log:Logfile of Trend Micro HijackThis v2.0.2Scan saved at 9:43:59 PM, on 12/16/2008Platform: Windows XP SP2 (WinNT 5.01.2600)MSIE: Internet Explorer v7.00 (7.00.6000.16705)Boot mode: NormalRunning processes:C:\WINDOWS\System32\smss.exeC:\WINDOWS\system32\winlogon.exeC:\WINDOWS\system32\services.exeC:\WINDOWS\system32\lsass.exeC:\WINDOWS\system32\svchost.exeC:\WINDOWS\System32\svchost.exeC:\WINDOWS\system32\spoolsv.exeC:\Program Files\Bonjour\mDNSResponder.exeC:\WINDOWS\system32\cisvc.exeC:\WINDOWS\system32\IoctlSvc.exeC:\WINDOWS\system32\HPZipm12.exeC:\Program Files\Promise\WebPAM 2.0\jetty\extra\win32\wrapper.exeC:\WINDOWS\Explorer.EXEC:\WINDOWS\System32\svchost.exeC:\WINDOWS\system32\ctfmon.exeC:\Program Files\Viewpoint\Common\ViewpointService.exeC:\Program Files\Promise\WebPAM 2.0\_jvm\bin\java.exeC:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exeC:\WINDOWS\System32\svchost.exeC:\Program Files\Mozilla Firefox\firefox.exeC:\WINDOWS\system32\rundll32.exeC:\Program Files\Malwarebytes' Anti-Malware\mbam.exeC:\Program Files\Trend Micro\HijackThis\HijackThis.exeR0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blankR1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.localO2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dllO2 - BHO: ContributeBHO Class - {074C1DC5-9320-4A9A-947D-C042949C6216} - C:\Program Files\Adobe\/Adobe Contribute CS3/contributeieplugin.dllO2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dllO2 - BHO: (no name) - {a6fe5d7e-17c5-462f-9d5a-9cf2ebaf1c0a} - C:\WINDOWS\system32\gelarijo.dllO3 - Toolbar: Contribute Toolbar - {517BDDE4-E3A7-4570-B21E-2B52B6139FC7} - C:\Program Files\Adobe\/Adobe Contribute CS3/contributeieplugin.dllO3 - Toolbar: &Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dllO4 - HKLM\..\Run: [PtiuPbmd] Rundll32.exe ptipbm.dll,SetWriteBackO4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartupO4 - HKLM\..\Run: [MSConfig] C:\WINDOWS\PCHealth\HelpCtr\Binaries\MSConfig.exe /autoO4 - HKLM\..\Run: [7cbe8ec6] rundll32.exe "C:\WINDOWS\system32\vivuyayo.dll",bO4 - HKLM\..\Run: [zoyobukeno] Rundll32.exe "C:\WINDOWS\system32\yujukumi.dll",sO4 - HKLM\..\Run: [CPM7f8dbd5a] Rundll32.exe "C:\WINDOWS\system32\deyagehu.dll",aO4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exeO4 - HKCU\..\Run: [Windows Live FolderShare] "C:\Documents and Settings\steve\Local Settings\Application Data\FolderShare\FolderShare.exe" /backgroundO4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exeO8 - Extra context menu item: Add to Google Photos Screensa&ver - res://C:\WINDOWS\system32\GPhotos.scr/200O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dllO9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dllO9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exeO9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exeO9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exeO9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exeO16 - DPF: {843EE768-3A97-455C-9076-741BA3AD7B62} (QuickBooks Online Edition Utilities Class v10) - https://accounting.quickbooks.com/c2/v21.120/qboax10.cabO20 - AppInit_DLLs: c:\windows\system32\pinowoda.dll C:\WINDOWS\system32\gikosiha.dll C:\WINDOWS\system32\memezori.dll c:\windows\system32\deyagehu.dllO20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dllO23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exeO23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exeO23 - Service: getPlus® Helper - NOS Microsystems Ltd. - C:\Program Files\NOS\bin\getPlus_HelperSvc.exeO23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exeO23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exeO23 - Service: NMIndexingService - Nero AG - C:\Program Files\Common Files\Nero\Lib\NMIndexingService.exeO23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exeO23 - Service: PLFlash DeviceIoControl Service - Prolific Technology Inc. - C:\WINDOWS\system32\IoctlSvc.exeO23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exeO23 - Service: Promise WebPAM (PromiseWebPAM) - Unknown owner - C:\Program Files\Promise\WebPAM 2.0\jetty\extra\win32\wrapper.exeO23 - Service: LiveShare P2P Server 9 (RoxLiveShare9) - Sonic Solutions - C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxLiveShare9.exeO23 - Service: Viewpoint Manager Service - Viewpoint Corporation - C:\Program Files\Viewpoint\Common\ViewpointService.exe--End of file - 6079 bytesIn advance, thanks guys/gals. Also, Ive been trying to do some research on the virus, but can you tell me the threat level of this one? Ive heard rumors of recording keystrokes, but not really sure...Steve Link to post Share on other sites More sharing options...
nosirrah Posted December 17, 2008 ID:40395 Share Posted December 17, 2008 Database version: 1456Your database is very far out of date . Link to post Share on other sites More sharing options...
slyew Posted December 18, 2008 Author ID:40525 Share Posted December 18, 2008 Your database is very far out of date .weird, I thought I just dl'd it last week. Thanks for the heads up... I'll do another install, scan, and repost. Link to post Share on other sites More sharing options...
slyew Posted December 18, 2008 Author ID:40541 Share Posted December 18, 2008 New scan:Malwarebytes' Anti-Malware 1.31Database version: 1512Windows 5.1.2600 Service Pack 212/17/2008 8:45:01 PMmbam-log-2008-12-17 (20-45-01).txtScan type: Quick ScanObjects scanned: 72582Time elapsed: 5 minute(s), 20 second(s)Memory Processes Infected: 0Memory Modules Infected: 6Registry Keys Infected: 6Registry Values Infected: 2Registry Data Items Infected: 5Folders Infected: 0Files Infected: 12Memory Processes Infected:(No malicious items detected)Memory Modules Infected:C:\WINDOWS\system32\memezori.dll (Trojan.Vundo.H) -> Delete on reboot.C:\WINDOWS\system32\noweripe.dll (Trojan.Vundo.H) -> Delete on reboot.C:\WINDOWS\system32\viyezoya.dll (Trojan.Vundo.H) -> Delete on reboot.C:\WINDOWS\system32\yujukumi.dll (Trojan.Vundo.H) -> Delete on reboot.C:\WINDOWS\system32\gelarijo.dll (Trojan.Vundo.H) -> Delete on reboot.c:\WINDOWS\system32\deyagehu.dll (Trojan.Vundo) -> Delete on reboot.Registry Keys Infected:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{a6fe5d7e-17c5-462f-9d5a-9cf2ebaf1c0a} (Trojan.Vundo.H) -> Quarantined and deleted successfully.HKEY_CLASSES_ROOT\CLSID\{a6fe5d7e-17c5-462f-9d5a-9cf2ebaf1c0a} (Trojan.Vundo.H) -> Quarantined and deleted successfully.HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{a6fe5d7e-17c5-462f-9d5a-9cf2ebaf1c0a} (Trojan.Vundo.H) -> Quarantined and deleted successfully.HKEY_CLASSES_ROOT\CLSID\{ec43e3fd-5c60-46a6-97d7-e0b85dbdd6c4} (Trojan.BHO) -> Delete on reboot.HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\contim (Trojan.Vundo) -> Quarantined and deleted successfully.HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\rdfa (Trojan.Vundo) -> Quarantined and deleted successfully.Registry Values Infected:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\7cbe8ec6 (Trojan.Vundo.H) -> Quarantined and deleted successfully.HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\zoyobukeno (Trojan.Vundo.H) -> Quarantined and deleted successfully.Registry Data Items Infected:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\AppInit_DLLs (Trojan.Vundo.H) -> Data: c:\windows\system32\memezori.dll -> Quarantined and deleted successfully.HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\LSA\Notification Packages (Trojan.Vundo.H) -> Data: c:\windows\system32\memezori.dll -> Quarantined and deleted successfully.HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\AppInit_DLLs (Trojan.Vundo.H) -> Data: system32\memezori.dll -> Quarantined and deleted successfully.HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\AppInit_DLLs (Trojan.Vundo.H) -> Data: c:\windows\system32\viyezoya.dll -> Quarantined and deleted successfully.HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\AppInit_DLLs (Trojan.Vundo.H) -> Data: system32\viyezoya.dll -> Quarantined and deleted successfully.Folders Infected:(No malicious items detected)Files Infected:C:\WINDOWS\system32\noweripe.dll (Trojan.Vundo.H) -> Delete on reboot.C:\WINDOWS\system32\epirewon.ini (Trojan.Vundo.H) -> Quarantined and deleted successfully.C:\WINDOWS\system32\vivuyayo.dll (Trojan.Vundo.H) -> Quarantined and deleted successfully.C:\WINDOWS\system32\oyayuviv.ini (Trojan.Vundo.H) -> Quarantined and deleted successfully.C:\WINDOWS\system32\yujukumi.dll (Trojan.Vundo.H) -> Delete on reboot.C:\WINDOWS\system32\viyezoya.dll (Trojan.Vundo.H) -> Delete on reboot.C:\WINDOWS\system32\gelarijo.dll (Trojan.Vundo.H) -> Delete on reboot.C:\WINDOWS\system32\memezori.dll (Trojan.Vundo.H) -> Delete on reboot.C:\WINDOWS\system32\rofulato.dll (Trojan.Vundo) -> Quarantined and deleted successfully.C:\WINDOWS\system32\kozezupo.dll (Trojan.Vundo.H) -> Quarantined and deleted successfully.C:\WINDOWS\system32\iiffEwxw.dll (Trojan.Vundo) -> Quarantined and deleted successfully.C:\WINDOWS\system32\deyagehu.dll (Trojan.Vundo) -> Delete on reboot.*** HIJACK LOGLogfile of Trend Micro HijackThis v2.0.2Scan saved at 8:46:11 PM, on 12/17/2008Platform: Windows XP SP2 (WinNT 5.01.2600)MSIE: Internet Explorer v7.00 (7.00.6000.16705)Boot mode: NormalRunning processes:C:\WINDOWS\System32\smss.exeC:\WINDOWS\system32\winlogon.exeC:\WINDOWS\system32\services.exeC:\WINDOWS\system32\lsass.exeC:\WINDOWS\system32\svchost.exeC:\WINDOWS\System32\svchost.exeC:\WINDOWS\system32\spoolsv.exeC:\Program Files\Bonjour\mDNSResponder.exeC:\WINDOWS\system32\cisvc.exeC:\WINDOWS\system32\IoctlSvc.exeC:\WINDOWS\system32\HPZipm12.exeC:\Program Files\Promise\WebPAM 2.0\jetty\extra\win32\wrapper.exeC:\WINDOWS\System32\svchost.exeC:\Program Files\Viewpoint\Common\ViewpointService.exeC:\Program Files\Promise\WebPAM 2.0\_jvm\bin\java.exeC:\WINDOWS\Explorer.EXEC:\WINDOWS\system32\ctfmon.exeC:\WINDOWS\system32\rundll32.exeC:\WINDOWS\System32\svchost.exeC:\WINDOWS\system32\cidaemon.exeC:\Program Files\Mozilla Firefox\firefox.exeC:\Program Files\Trend Micro\HijackThis\HijackThis.exeR0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blankR1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.localO2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dllO2 - BHO: ContributeBHO Class - {074C1DC5-9320-4A9A-947D-C042949C6216} - C:\Program Files\Adobe\/Adobe Contribute CS3/contributeieplugin.dllO2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dllO2 - BHO: (no name) - {a6fe5d7e-17c5-462f-9d5a-9cf2ebaf1c0a} - C:\WINDOWS\system32\gelarijo.dllO3 - Toolbar: Contribute Toolbar - {517BDDE4-E3A7-4570-B21E-2B52B6139FC7} - C:\Program Files\Adobe\/Adobe Contribute CS3/contributeieplugin.dllO3 - Toolbar: &Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dllO4 - HKLM\..\Run: [PtiuPbmd] Rundll32.exe ptipbm.dll,SetWriteBackO4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartupO4 - HKLM\..\Run: [MSConfig] C:\WINDOWS\PCHealth\HelpCtr\Binaries\MSConfig.exe /autoO4 - HKLM\..\Run: [CPM7f8dbd5a] Rundll32.exe "c:\windows\system32\viyezoya.dll",aO4 - HKLM\..\Run: [zoyobukeno] Rundll32.exe "C:\WINDOWS\system32\yujukumi.dll",sO4 - HKLM\..\RunOnce: [Malwarebytes Anti-Malware (reboot)] "C:\Program Files\Malwarebytes' Anti-Malware\mbam.exe" /runcleanupscriptO4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exeO4 - HKCU\..\Run: [Windows Live FolderShare] "C:\Documents and Settings\steve\Local Settings\Application Data\FolderShare\FolderShare.exe" /backgroundO4 - HKUS\S-1-5-19\..\Run: [zoyobukeno] Rundll32.exe "C:\WINDOWS\system32\yujukumi.dll",s (User 'LOCAL SERVICE')O4 - HKUS\S-1-5-20\..\Run: [zoyobukeno] Rundll32.exe "C:\WINDOWS\system32\yujukumi.dll",s (User 'NETWORK SERVICE')O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exeO8 - Extra context menu item: Add to Google Photos Screensa&ver - res://C:\WINDOWS\system32\GPhotos.scr/200O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dllO9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dllO9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exeO9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exeO9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exeO9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exeO16 - DPF: {843EE768-3A97-455C-9076-741BA3AD7B62} (QuickBooks Online Edition Utilities Class v10) - https://accounting.quickbooks.com/c2/v21.120/qboax10.cabO20 - AppInit_DLLs: c:\windows\system32\pinowoda.dll C:\WINDOWS\system32\gikosiha.dll c:\windows\system32\viyezoya.dll,C:\WINDOWS\system32\memezori.dllO20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dllO23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exeO23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exeO23 - Service: getPlus® Helper - NOS Microsystems Ltd. - C:\Program Files\NOS\bin\getPlus_HelperSvc.exeO23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exeO23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exeO23 - Service: NMIndexingService - Nero AG - C:\Program Files\Common Files\Nero\Lib\NMIndexingService.exeO23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exeO23 - Service: PLFlash DeviceIoControl Service - Prolific Technology Inc. - C:\WINDOWS\system32\IoctlSvc.exeO23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exeO23 - Service: Promise WebPAM (PromiseWebPAM) - Unknown owner - C:\Program Files\Promise\WebPAM 2.0\jetty\extra\win32\wrapper.exeO23 - Service: LiveShare P2P Server 9 (RoxLiveShare9) - Sonic Solutions - C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxLiveShare9.exeO23 - Service: Viewpoint Manager Service - Viewpoint Corporation - C:\Program Files\Viewpoint\Common\ViewpointService.exe--End of file - 6287 bytesThanks again. Link to post Share on other sites More sharing options...
slyew Posted December 22, 2008 Author ID:41298 Share Posted December 22, 2008 Any help would be greatly appreciated... thanks Link to post Share on other sites More sharing options...
Root Admin AdvancedSetup Posted December 22, 2008 Root Admin ID:41324 Share Posted December 22, 2008 STEP 01Reconfigure Windows XP to show hidden files:To enable the viewing of Hidden files follow these steps: * Close all programs so that you are at your desktop. * Double-click on the My Computer icon. * Select the Tools menu and click Folder Options. * After the new window appears select the View tab. * Put a checkmark in the checkbox labeled Display the contents of system folders. * Under the Hidden files and folders section select the radio button labeled Show hidden files and folders. * Remove the checkmark from the checkbox labeled Hide file extensions for known file types. * Remove the checkmark from the checkbox labeled Hide protected operating system files. * Press the Apply button and then the OK button and exit My Computer. * Now your computer is configured to show all hidden files. STEP 02Start HJT and do a Scan only and put a check mark on the following itemsO20 - AppInit_DLLs: c:\windows\system32\pinowoda.dll C:\WINDOWS\system32\gikosiha.dll c:\windows\system32\viyezoya.dll,C:\WINDOWS\system32\memezori.dllThen click on "Fix checked"STEP 03Upload the following files to the site for review. Go here uploads.malwarebytes.org and browse and upload the following files if found.C:\WINDOWS\system32\gikosiha.dllc:\windows\system32\pinowoda.dllc:\windows\system32\viyezoya.dllC:\WINDOWS\system32\memezori.dllSTEP 04Start MBAM and go to the UPDATE tab and update the program and do a Quick Scan and fix anything found and reboot the computer.STEP 05Start HJT and do a Scan and save logSTEP 06Post back the MBAM and HJT logs Link to post Share on other sites More sharing options...
slyew Posted December 22, 2008 Author ID:41342 Share Posted December 22, 2008 Weird.. those files you told me to upload were no longer on my computer. But instead I found the following, which were created at around the times that I started having problems. I haven;t done anyhting else to my computer since posting my logs, so i dont know what happened. I uploaded from my win32 folder:sosazeri.dll.tmpharupeza.dll.tmpbekubonu.dllmolarulu.dll.tmpmenoyayo.dll.tmplakupija.dll.tmpHIJACK LOG:Logfile of Trend Micro HijackThis v2.0.2Scan saved at 1:24:22 AM, on 12/22/2008Platform: Windows XP SP2 (WinNT 5.01.2600)MSIE: Internet Explorer v7.00 (7.00.6000.16705)Boot mode: NormalRunning processes:C:\WINDOWS\System32\smss.exeC:\WINDOWS\system32\winlogon.exeC:\WINDOWS\system32\services.exeC:\WINDOWS\system32\lsass.exeC:\WINDOWS\system32\svchost.exeC:\WINDOWS\System32\svchost.exeC:\WINDOWS\system32\spoolsv.exeC:\Program Files\Bonjour\mDNSResponder.exeC:\WINDOWS\system32\cisvc.exeC:\WINDOWS\system32\IoctlSvc.exeC:\WINDOWS\system32\HPZipm12.exeC:\Program Files\Promise\WebPAM 2.0\jetty\extra\win32\wrapper.exeC:\WINDOWS\System32\svchost.exeC:\Program Files\Viewpoint\Common\ViewpointService.exeC:\Program Files\Promise\WebPAM 2.0\_jvm\bin\java.exeC:\WINDOWS\Explorer.EXEC:\WINDOWS\system32\ctfmon.exeC:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exeC:\WINDOWS\System32\svchost.exeC:\Program Files\Mozilla Firefox3\firefox.exeC:\Program Files\Trend Micro\HijackThis\HijackThis.exeR0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blankR1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.localO2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dllO2 - BHO: ContributeBHO Class - {074C1DC5-9320-4A9A-947D-C042949C6216} - C:\Program Files\Adobe\/Adobe Contribute CS3/contributeieplugin.dllO2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dllO3 - Toolbar: Contribute Toolbar - {517BDDE4-E3A7-4570-B21E-2B52B6139FC7} - C:\Program Files\Adobe\/Adobe Contribute CS3/contributeieplugin.dllO3 - Toolbar: &Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dllO4 - HKLM\..\Run: [PtiuPbmd] Rundll32.exe ptipbm.dll,SetWriteBackO4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartupO4 - HKLM\..\Run: [MSConfig] C:\WINDOWS\PCHealth\HelpCtr\Binaries\MSConfig.exe /autoO4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exeO4 - HKCU\..\Run: [Windows Live FolderShare] "C:\Documents and Settings\steve\Local Settings\Application Data\FolderShare\FolderShare.exe" /backgroundO4 - HKUS\S-1-5-19\..\Run: [zoyobukeno] Rundll32.exe "C:\WINDOWS\system32\yujukumi.dll",s (User 'LOCAL SERVICE')O4 - HKUS\S-1-5-20\..\Run: [zoyobukeno] Rundll32.exe "C:\WINDOWS\system32\yujukumi.dll",s (User 'NETWORK SERVICE')O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exeO8 - Extra context menu item: Add to Google Photos Screensa&ver - res://C:\WINDOWS\system32\GPhotos.scr/200O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dllO9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dllO9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exeO9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exeO9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exeO9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exeO16 - DPF: {843EE768-3A97-455C-9076-741BA3AD7B62} (QuickBooks Online Edition Utilities Class v10) - https://accounting.quickbooks.com/c2/v21.120/qboax10.cabO20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dllO23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exeO23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exeO23 - Service: getPlus® Helper - NOS Microsystems Ltd. - C:\Program Files\NOS\bin\getPlus_HelperSvc.exeO23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exeO23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exeO23 - Service: NMIndexingService - Nero AG - C:\Program Files\Common Files\Nero\Lib\NMIndexingService.exeO23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exeO23 - Service: PLFlash DeviceIoControl Service - Prolific Technology Inc. - C:\WINDOWS\system32\IoctlSvc.exeO23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exeO23 - Service: Promise WebPAM (PromiseWebPAM) - Unknown owner - C:\Program Files\Promise\WebPAM 2.0\jetty\extra\win32\wrapper.exeO23 - Service: LiveShare P2P Server 9 (RoxLiveShare9) - Sonic Solutions - C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxLiveShare9.exeO23 - Service: Viewpoint Manager Service - Viewpoint Corporation - C:\Program Files\Viewpoint\Common\ViewpointService.exe--End of file - 5727 bytesMBAM LOG:Malwarebytes' Anti-Malware 1.31Database version: 1531Windows 5.1.2600 Service Pack 212/22/2008 1:19:21 AMmbam-log-2008-12-22 (01-19-21).txtScan type: Quick ScanObjects scanned: 72734Time elapsed: 5 minute(s), 58 second(s)Memory Processes Infected: 0Memory Modules Infected: 0Registry Keys Infected: 1Registry Values Infected: 0Registry Data Items Infected: 0Folders Infected: 0Files Infected: 0Memory Processes Infected:(No malicious items detected)Memory Modules Infected:(No malicious items detected)Registry Keys Infected:HKEY_CLASSES_ROOT\CLSID\{ec43e3fd-5c60-46a6-97d7-e0b85dbdd6c4} (Trojan.BHO) -> Delete on reboot.Registry Values Infected:(No malicious items detected)Registry Data Items Infected:(No malicious items detected)Folders Infected:(No malicious items detected)Files Infected:(No malicious items detected)****************Thanks again... Link to post Share on other sites More sharing options...
Root Admin AdvancedSetup Posted December 22, 2008 Root Admin ID:41348 Share Posted December 22, 2008 Start HJT and do a Scan only and put a check mark on the following itemsO4 - HKUS\S-1-5-19\..\Run: [zoyobukeno] Rundll32.exe "C:\WINDOWS\system32\yujukumi.dll",s (User 'LOCAL SERVICE')O4 - HKUS\S-1-5-20\..\Run: [zoyobukeno] Rundll32.exe "C:\WINDOWS\system32\yujukumi.dll",s (User 'NETWORK SERVICE')Then click on "Fix checked"Quit all open browsers (including the one you're reading this with now) and programs.Then open My Computer and browse to and delete these files (let me know if they will not delete)from here C:\WINDOWS\SYSTEM32sosazeri.dll.tmpharupeza.dll.tmpbekubonu.dllmolarulu.dll.tmpmenoyayo.dll.tmplakupija.dll.tmpyujukumi.dllStart MBAM, update it and do another Quick Scan and fix anything found and reboot the ComputerAfter the restart run HJT and do a Scan and save log then post back both logs and let me know how the system is running. Link to post Share on other sites More sharing options...
slyew Posted December 23, 2008 Author ID:41680 Share Posted December 23, 2008 mbam logsMalwarebytes' Anti-Malware 1.31Database version: 1531Windows 5.1.2600 Service Pack 212/22/2008 11:12:56 PMmbam-log-2008-12-22 (23-12-56).txtScan type: Quick ScanObjects scanned: 72905Time elapsed: 15 minute(s), 1 second(s)Memory Processes Infected: 0Memory Modules Infected: 0Registry Keys Infected: 1Registry Values Infected: 0Registry Data Items Infected: 0Folders Infected: 0Files Infected: 0Memory Processes Infected:(No malicious items detected)Memory Modules Infected:(No malicious items detected)Registry Keys Infected:HKEY_CLASSES_ROOT\CLSID\{ec43e3fd-5c60-46a6-97d7-e0b85dbdd6c4} (Trojan.BHO) -> Delete on reboot.Registry Values Infected:(No malicious items detected)Registry Data Items Infected:(No malicious items detected)Folders Infected:(No malicious items detected)Files Infected:(No malicious items detected)***********hijack logsLogfile of Trend Micro HijackThis v2.0.2Scan saved at 11:18:20 PM, on 12/22/2008Platform: Windows XP SP2 (WinNT 5.01.2600)MSIE: Internet Explorer v7.00 (7.00.6000.16705)Boot mode: NormalRunning processes:C:\WINDOWS\System32\smss.exeC:\WINDOWS\system32\winlogon.exeC:\WINDOWS\system32\services.exeC:\WINDOWS\system32\lsass.exeC:\WINDOWS\system32\svchost.exeC:\WINDOWS\System32\svchost.exeC:\WINDOWS\system32\spoolsv.exeC:\Program Files\Bonjour\mDNSResponder.exeC:\WINDOWS\system32\cisvc.exeC:\WINDOWS\system32\IoctlSvc.exeC:\WINDOWS\system32\HPZipm12.exeC:\Program Files\Promise\WebPAM 2.0\jetty\extra\win32\wrapper.exeC:\WINDOWS\System32\svchost.exeC:\Program Files\Viewpoint\Common\ViewpointService.exeC:\Program Files\Promise\WebPAM 2.0\_jvm\bin\java.exeC:\WINDOWS\Explorer.EXEC:\WINDOWS\system32\ctfmon.exeC:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exeC:\WINDOWS\System32\svchost.exeC:\WINDOWS\system32\wuauclt.exeC:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exeC:\Program Files\Mozilla Firefox3\firefox.exeC:\Program Files\Trend Micro\HijackThis\HijackThis.exeR0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blankR1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.localO2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dllO2 - BHO: ContributeBHO Class - {074C1DC5-9320-4A9A-947D-C042949C6216} - C:\Program Files\Adobe\/Adobe Contribute CS3/contributeieplugin.dllO2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dllO3 - Toolbar: Contribute Toolbar - {517BDDE4-E3A7-4570-B21E-2B52B6139FC7} - C:\Program Files\Adobe\/Adobe Contribute CS3/contributeieplugin.dllO3 - Toolbar: &Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dllO4 - HKLM\..\Run: [PtiuPbmd] Rundll32.exe ptipbm.dll,SetWriteBackO4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartupO4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exeO4 - HKCU\..\Run: [Windows Live FolderShare] "C:\Documents and Settings\steve\Local Settings\Application Data\FolderShare\FolderShare.exe" /backgroundO4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exeO8 - Extra context menu item: Add to Google Photos Screensa&ver - res://C:\WINDOWS\system32\GPhotos.scr/200O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dllO9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dllO9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exeO9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exeO9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exeO9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exeO16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/windowsupd...b?1229938396765O16 - DPF: {843EE768-3A97-455C-9076-741BA3AD7B62} (QuickBooks Online Edition Utilities Class v10) - https://accounting.quickbooks.com/c2/v21.120/qboax10.cabO20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dllO23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exeO23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exeO23 - Service: getPlus® Helper - NOS Microsystems Ltd. - C:\Program Files\NOS\bin\getPlus_HelperSvc.exeO23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exeO23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exeO23 - Service: NMIndexingService - Nero AG - C:\Program Files\Common Files\Nero\Lib\NMIndexingService.exeO23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exeO23 - Service: PLFlash DeviceIoControl Service - Prolific Technology Inc. - C:\WINDOWS\system32\IoctlSvc.exeO23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exeO23 - Service: Promise WebPAM (PromiseWebPAM) - Unknown owner - C:\Program Files\Promise\WebPAM 2.0\jetty\extra\win32\wrapper.exeO23 - Service: LiveShare P2P Server 9 (RoxLiveShare9) - Sonic Solutions - C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxLiveShare9.exeO23 - Service: Viewpoint Manager Service - Viewpoint Corporation - C:\Program Files\Viewpoint\Common\ViewpointService.exe--End of file - 5714 bytesthe system seems to be ok, but this is all im doing on here until i get the all clear.thanks again...also do you know if this was just a stupid virus, or if it logged keystrokes, etc??? Link to post Share on other sites More sharing options...
Root Admin AdvancedSetup Posted December 23, 2008 Root Admin ID:41700 Share Posted December 23, 2008 Here are more details on Vundo Vundo From WikipediaPlease run the following so that we can help track down and verify if your system is clean or not.Download and install CCleanerCCleaner Double-click on the downloaded file "ccsetup215.exe" and install the application.Keep the default installation folder "C:\Program Files\CCleaner" Uncheck "Add CCleaner Yahoo! Toolbar and use CCleaner from your browser"Click finish when done and close ALL PROGRAMSStart the CCleaner program.Click on Registry and Uncheck Registry Integrity so that it does not runClick on Options - Advanced and Uncheck "Only delete files in Windows Temp folders older than 48 hours"Click back to Cleaner and click on the Run Cleaner button on the bottom right side of the program.Click OK to any promptsImportant!All of the following instructions must be run on the affected computer. Logs from a different computer will not help me help you. So, if you need to download all of this and then copy it to CD or memory stick and take it to the other computer, please do so. Either way, it's important. The logs have to be made by the computer with the problem.I also need for you to download this program OTListIt2.exe to your desktop.Close all applications and windows so that you have nothing open and are at your DesktopDouble-click on the OTListIt.exe file to start OTListIt. OK any warning about running OTListIt.Place a checkmark in the "Scan All Users" checkbox (Leave the 'Use Whitelist' checked' and the 'File Age:' at 30 days)Click the Run Scan buttonNOTE: Please be patient and let the scan run without using the computerWhen the scan is complete, a text file (OTListIt.Txt) will open in Notepad (if not, it can be found on your Desktop)In Notepad, click Edit, Select all then Edit, CopyReply to this topic, click in the topic reply window, and press Ctrl+V to paste the log or Righ click paste.Submit your reply and close the Notepad window with OTList.txtAlso OTListIt's Extras.txt log file will be minimized in the Taskbar (and located on your Desktop) - click on this and maximize the windowIn Notepad, click Edit, Select all then Edit, CopyReply to this topic again, click in the topic reply window, and press Ctrl+V to paste the extras log or Right click paste.NOTE: If the files (OTListIt.txt, Extras.txt) do not appear in your taskbar, just open the files in notepad from your desktop.Please allow me time to analyze your post. If you don't see a reply from me after 24 hours, feel free to PM me. Link to post Share on other sites More sharing options...
slyew Posted December 24, 2008 Author ID:41923 Share Posted December 24, 2008 OTListIt.txt file:OTListIt logfile created on: 12/23/2008 7:20:33 PM - Run OTListIt2 by OldTimer - Version 1.0.1.0 Folder = C:\Documents and Settings\steve\DesktopWindows XP Professional Edition Service Pack 2 (Version = 5.1.2600) - Type = NTWorkstationInternet Explorer (Version = 7.0.5730.13)Locale: 00000409 | Country: United States | Language: ENU | Date Format: M/d/yyyy2.00 Gb Total Physical Memory | 1.62 Gb Available Physical Memory | 80.81% Memory free4.00 Gb Paging File | 4.00 Gb Available in Paging File | 100.00% Paging File freePaging file location(s): C:\pagefile.sys 2046 4092;D:\pagefile.sys 2046 4096;%SystemDrive% = C: | %SystemRoot% = C:\WINDOWS | %ProgramFiles% = C:\Program FilesDrive C: | 34.46 Gb Total Space | 11.91 Gb Free Space | 34.55% Space Free | Partition Type: NTFSDrive D: | 34.47 Gb Total Space | 23.92 Gb Free Space | 69.39% Space Free | Partition Type: NTFSE: Drive not present or media not loadedF: Drive not present or media not loadedG: Drive not present or media not loadedH: Drive not present or media not loadedI: Drive not present or media not loadedDrive R: | 931.32 Gb Total Space | 830.85 Gb Free Space | 89.21% Space Free | Partition Type: NTFSComputer Name: STEVECurrent User Name: steveLogged in as Administrator.Current Boot Mode: NormalScan Mode: All usersOutput = StandardFile Age = 30 DaysCompany Name Whitelist: On========== Processes (SafeList) ==========[2007/07/24 14:17:08 | 00,229,376 | ---- | M] (Apple Inc.) -- C:\Program Files\Bonjour\mDNSResponder.exe[2006/12/19 09:30:26 | 00,081,920 | ---- | M] (Prolific Technology Inc.) -- C:\WINDOWS\system32\IoctlSvc.exe[2003/09/28 17:30:08 | 00,110,592 | ---- | M] () -- C:\Program Files\Promise\WebPAM 2.0\jetty\extra\win32\Wrapper.exe[2007/01/04 13:38:08 | 00,024,652 | ---- | M] (Viewpoint Corporation) -- C:\Program Files\Viewpoint\Common\ViewpointService.exe[2004/03/23 01:15:30 | 00,024,670 | ---- | M] () -- C:\Program Files\Promise\WebPAM 2.0\_jvm\bin\java.exe[2008/10/16 14:09:44 | 00,051,224 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\system32\wuauclt.exe[2008/12/23 19:15:55 | 00,419,328 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\steve\Desktop\OTListIt2.exe========== (O23) Win32 Services (SafeList) ==========[2008/03/26 21:58:28 | 00,072,704 | ---- | M] (Adobe Systems) -- C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe -- (Adobe LM Service [Disabled | Stopped])[2005/09/23 06:28:32 | 00,029,896 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\aspnet_state.exe -- (aspnet_state [On_Demand | Stopped])[2007/07/24 14:17:08 | 00,229,376 | ---- | M] (Apple Inc.) -- C:\Program Files\Bonjour\mDNSResponder.exe -- (Bonjour Service [Auto | Running])[2005/09/23 06:28:56 | 00,066,240 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe -- (clr_optimization_v2.0.50727_32 [On_Demand | Stopped])[2008/06/04 21:35:42 | 00,647,680 | ---- | M] (Macrovision Europe Ltd.) -- C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe -- (FLEXnet Licensing Service [On_Demand | Stopped])[2008/12/01 11:01:02 | 00,033,752 | ---- | M] (NOS Microsystems Ltd.) -- C:\Program Files\NOS\bin\getPlus_HelperSvc.exe -- (getPlus® Helper [On_Demand | Stopped])[2008/04/07 15:16:26 | 00,136,120 | ---- | M] (Google) -- C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe -- (gusvc [On_Demand | Stopped])[2004/10/22 02:24:18 | 00,073,728 | ---- | M] (Macrovision Corporation) -- C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe -- (IDriverT [On_Demand | Stopped])[2008/07/10 09:51:22 | 00,532,264 | ---- | M] (Apple Inc.) -- C:\Program Files\iPod\bin\iPodService.exe -- (iPod Service [Disabled | Stopped])[2008/02/18 16:29:12 | 00,877,864 | ---- | M] (Nero AG) -- C:\Program Files\Nero\Nero8\Nero BackItUp\NBService.exe -- (Nero BackItUp Scheduler 3 [Disabled | Stopped])[2008/02/28 17:07:48 | 00,529,704 | ---- | M] (Nero AG) -- C:\Program Files\Common Files\Nero\Lib\NMIndexingService.exe -- (NMIndexingService [On_Demand | Stopped])[2004/03/24 07:04:00 | 00,110,659 | R--- | M] (NVIDIA Corporation) -- C:\WINDOWS\system32\nvsvc32.exe -- (NVSvc [Auto | Stopped])[2006/12/19 09:30:26 | 00,081,920 | ---- | M] (Prolific Technology Inc.) -- C:\WINDOWS\system32\IoctlSvc.exe -- (PLFlash DeviceIoControl Service [Auto | Running])[2004/09/29 11:14:36 | 00,069,632 | ---- | M] (HP) -- C:\WINDOWS\system32\HPZipm12.exe -- (Pml Driver HPZ12 [Auto | Stopped])[2003/09/28 17:30:08 | 00,110,592 | ---- | M] () -- C:\Program Files\Promise\WebPAM 2.0\jetty\extra\win32\Wrapper.exe -- (PromiseWebPAM [Auto | Running])[2007/07/24 04:14:08 | 00,088,560 | ---- | M] (Sonic Solutions) -- C:\Program Files\Roxio\Digital Home 9\RoxioUPnPRenderer9.exe -- (Roxio UPnP Renderer 9 [Disabled | Stopped])[2007/07/24 04:14:06 | 00,358,896 | ---- | M] (Sonic Solutions) -- C:\Program Files\Roxio\Digital Home 9\RoxioUpnpService9.exe -- (Roxio Upnp Server 9 [Disabled | Stopped])[2007/08/16 07:56:16 | 00,309,744 | ---- | M] (Sonic Solutions) -- C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxLiveShare9.exe -- (RoxLiveShare9 [Auto | Stopped])[2007/08/16 07:56:10 | 01,092,080 | ---- | M] (Sonic Solutions) -- C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxMediaDB9.exe -- (RoxMediaDB9 [Disabled | Stopped])[2007/08/16 07:56:14 | 00,166,384 | ---- | M] (Sonic Solutions) -- C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxWatch9.exe -- (RoxWatch9 [Disabled | Stopped])[2007/01/04 13:38:08 | 00,024,652 | ---- | M] (Viewpoint Corporation) -- C:\Program Files\Viewpoint\Common\ViewpointService.exe -- (Viewpoint Manager Service [Auto | Running])[2006/10/18 19:05:24 | 00,913,408 | ---- | M] (Microsoft Corporation) -- C:\Program Files\Windows Media Player\wmpnetwk.exe -- (WMPNetworkSvc [On_Demand | Stopped])========== Driver Services (SafeList) ==========[2002/04/01 13:15:00 | 00,004,816 | ---- | M] (Andrea Electronics Corporation) -- C:\WINDOWS\system32\drivers\aeaudio.sys -- (aeaudio [On_Demand | Running])[2002/11/12 10:02:20 | 00,099,840 | ---- | M] (Intel Corporation) -- C:\WINDOWS\system32\drivers\e1000325.sys -- (E1000 [On_Demand | Running])[2005/06/16 19:39:18 | 00,165,888 | R--- | M] (Promise Technology, Inc.) -- C:\WINDOWS\system32\drivers\ft8300.sys -- (ft8300 [boot | Running])[2008/01/29 11:01:28 | 00,016,168 | ---- | M] (GEAR Software Inc.) -- C:\WINDOWS\system32\drivers\GEARAspiWDM.sys -- (GEARAspiWDM [On_Demand | Running])[2001/08/17 04:50:00 | 00,320,384 | ---- | M] (Matrox Graphics Inc.) -- C:\WINDOWS\system32\drivers\mgaum.sys -- (mgau [On_Demand | Running])[2007/09/27 17:31:00 | 00,175,944 | ---- | M] (Sonnet Technologies,Inc.) -- C:\WINDOWS\system32\drivers\mvsata.sys -- (mvSata [boot | Running])[2004/03/24 07:04:00 | 01,895,648 | R--- | M] (NVIDIA Corporation) -- C:\WINDOWS\system32\drivers\nv4_mini.sys -- (nv [On_Demand | Stopped])[2001/08/22 08:42:58 | 00,013,632 | ---- | M] (Dell Computer Corporation) -- C:\WINDOWS\system32\drivers\omci.sys -- (OMCI [system | Running])[2002/09/03 11:52:41 | 00,017,792 | ---- | M] (Parallel Technologies, Inc.) -- C:\WINDOWS\system32\drivers\ptilink.sys -- (Ptilink [On_Demand | Running])[2008/04/07 15:16:45 | 00,043,872 | ---- | M] (Sonic Solutions) -- C:\WINDOWS\system32\drivers\pxhelp20.sys -- (PxHelp20 [boot | Running])[2007/05/31 12:39:50 | 00,022,656 | ---- | M] (Research In Motion Limited) -- C:\WINDOWS\system32\drivers\RimUsb.sys -- (RimUsb [On_Demand | Stopped])[2007/01/18 09:24:58 | 00,026,496 | R--- | M] (Research in Motion Ltd) -- C:\WINDOWS\system32\drivers\RimSerial.sys -- (RimVSerPort [On_Demand | Running])[2002/09/03 11:53:44 | 00,005,888 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\system32\drivers\rootmdm.sys -- (ROOTMODEM [On_Demand | Running])[2008/12/04 13:50:04 | 00,008,944 | ---- | M] (SUPERAdBlocker.com and SUPERAntiSpyware.com) -- C:\Program Files\SUPERAntiSpyware\sasdifsv.sys -- (SASDIFSV [system | Running])[2008/12/04 13:50:06 | 00,007,408 | R--- | M] ( SUPERAdBlocker.com and SUPERAntiSpyware.com) -- C:\Program Files\SUPERAntiSpyware\SASENUM.SYS -- (SASENUM [On_Demand | Stopped])[2008/12/04 13:50:02 | 00,055,024 | ---- | M] (SUPERAdBlocker.com and SUPERAntiSpyware.com) -- C:\Program Files\SUPERAntiSpyware\SASKUTIL.SYS -- (SASKUTIL [system | Running])[2004/08/03 20:59:56 | 00,043,136 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\system32\drivers\sbp2port.sys -- (sbp2port [boot | Running])[2007/11/13 02:25:53 | 00,020,480 | ---- | M] (Macrovision Corporation, Macrovision Europe Limited, and Macrovision Japan and Asia K.K.) -- C:\WINDOWS\system32\drivers\secdrv.sys -- (Secdrv [On_Demand | Stopped])[2002/12/19 17:48:48 | 00,539,008 | ---- | M] (Analog Devices, Inc.) -- C:\WINDOWS\system32\drivers\smwdm.sys -- (smwdm [On_Demand | Running])[2008/04/02 21:08:59 | 00,717,296 | ---- | M] () -- C:\WINDOWS\system32\drivers\sptd.sys -- (sptd [boot | Running])[2001/08/17 12:53:32 | 00,006,784 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\system32\drivers\serscan.sys -- (StillCam [On_Demand | Running])[2003/05/20 08:19:00 | 00,073,344 | ---- | M] (Promise Technology, Inc.) -- C:\WINDOWS\system32\drivers\UlSata.sys -- (UlSata [boot | Running])[2004/08/03 21:07:56 | 00,059,264 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\system32\drivers\USBAUDIO.sys -- (usbaudio [On_Demand | Stopped])[2002/09/03 12:04:54 | 00,012,032 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\system32\drivers\ws2ifsl.sys -- (WS2IFSL [Disabled | Stopped])========== Standard Registry (SafeList) ==================== Internet Explorer ==========HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Default_Secondary_Page_URL = HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Extensions Off Page = about:NoAdd-onsHKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Local Page = %SystemRoot%\system32\blank.htmHKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Security Risk Page = about:SecurityRiskHKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157HKLM\SOFTWARE\Microsoft\Internet Explorer\Search,CustomizeSearch = http://ie.search.msn.com/{SUB_RFC1766}/srchasst/srchcust.htmHKLM\SOFTWARE\Microsoft\Internet Explorer\Search,SearchAssistant = http://ie.search.msn.com/{SUB_RFC1766}/srchasst/srchasst.htmHKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Local Page = C:\WINDOWS\system32\blank.htmHKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Search Page = http://www.microsoft.com/isapi/redir.dll?p...amp;ar=iesearchHKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = about:blankHKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyOverride" = *.localHKU\.DEFAULT\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0HKU\S-1-5-18\S-1-5-18\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0HKU\S-1-5-19\S-1-5-19\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0HKU\S-1-5-20\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0HKU\S-1-5-21-1060284298-839522115-725345543-1003\SOFTWARE\Microsoft\Internet Explorer\Main,Local Page = C:\WINDOWS\system32\blank.htmHKU\S-1-5-21-1060284298-839522115-725345543-1003\SOFTWARE\Microsoft\Internet Explorer\Main,Search Page = http://www.microsoft.com/isapi/redir.dll?p...amp;ar=iesearchHKU\S-1-5-21-1060284298-839522115-725345543-1003\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = about:blankHKU\S-1-5-21-1060284298-839522115-725345543-1003\S-1-5-21-1060284298-839522115-725345543-1003\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0HKU\S-1-5-21-1060284298-839522115-725345543-1003\S-1-5-21-1060284298-839522115-725345543-1003\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyOverride" = *.localO1 HOSTS File: (764 bytes) - C:\WINDOWS\System32\drivers\etc\HostsO1 - Hosts: 127.0.0.1 localhostO1 - Hosts: 192.168.0.200 HP000D9D294FB8O2 - BHO: (AcroIEHlprObj Class) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll (Adobe Systems Incorporated)O2 - BHO: (ContributeBHO Class) - {074C1DC5-9320-4A9A-947D-C042949C6216} - C:\Program Files\Adobe [2008/12/07 12:12:09 00,000,000 | ---D | M]O2 - BHO: (SSVHelper Class) - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll (Sun Microsystems, Inc.)O3 - HKLM\..\Toolbar: (Contribute Toolbar) - {517BDDE4-E3A7-4570-B21E-2B52B6139FC7} - C:\Program Files\Adobe [2008/12/07 12:12:09 00,000,000 | ---D | M]O3 - HKLM\..\Toolbar: (&Yahoo! Toolbar) - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll (Yahoo! Inc.)O3 - HKCU\..\Toolbar: (no name) - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - Reg Error: Key does not exist or could not be opened. File not foundO3 - HKCU\..\Toolbar: (no name) - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll (Yahoo! Inc.)O3 - HKU\.DEFAULT\..\Toolbar: (no name) - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - Reg Error: Key does not exist or could not be opened. File not foundO3 - HKU\S-1-5-18\..\Toolbar: (no name) - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - Reg Error: Key does not exist or could not be opened. File not foundO3 - HKU\S-1-5-21-1060284298-839522115-725345543-1003\..\Toolbar: (no name) - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - Reg Error: Key does not exist or could not be opened. File not foundO3 - HKU\S-1-5-21-1060284298-839522115-725345543-1003\..\Toolbar: (no name) - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll (Yahoo! Inc.)O4 - HKLM..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup (NVIDIA Corporation)O4 - HKLM..\Run: [PtiuPbmd] Rundll32.exe ptipbm.dll,SetWriteBack (Promise Technology,Inc.)O4 - HKCU..\Run: [Windows Live FolderShare] "C:\Documents and Settings\steve\Local Settings\Application Data\FolderShare\FolderShare.exe" /background (Microsoft Corporation)O4 - HKU\S-1-5-21-1060284298-839522115-725345543-1003..\Run: [Windows Live FolderShare] "C:\Documents and Settings\steve\Local Settings\Application Data\FolderShare\FolderShare.exe" /background (Microsoft Corporation)O4 - Startup: C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe (Adobe Systems Incorporated)O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: dontdisplaylastusername = 0O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: legalnoticecaption = O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: legalnoticetext = O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: shutdownwithoutlogon = 1O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: undockwithoutlogon = 1O7 - HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145O7 - HKU\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145O7 - HKU\S-1-5-18\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145O7 - HKU\S-1-5-19\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145O7 - HKU\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145O7 - HKU\S-1-5-21-1060284298-839522115-725345543-1003\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145O8 - Extra context menu item: Add to Google Photos Screensa&ver - res://C:\WINDOWS\system32\GPhotos.scr/200O9 - Extra 'Tools' menuitem : Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\npjpi160_05.dll (Sun Microsystems, Inc.)O9 - Extra 'Tools' menuitem : @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\network diagnostic\xpnetdiag.exe (Microsoft Corporation)O9 - Extra Button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe (Microsoft Corporation)O9 - Extra 'Tools' menuitem : Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe (Microsoft Corporation)O15 - HKLM\..Trusted Sites: 1 domain(s) and sub-domain(s) not assigned to a zone.O16 - DPF: {33564D57-9980-0010-8000-00AA00389B71} http://download.microsoft.com/download/D/0...D0C/wmv9dmo.cab (Reg Error: Key does not exist or could not be opened.)O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} http://www.update.microsoft.com/windowsupd...b?1229938396765 (WUWebControl Class)O16 - DPF: {843EE768-3A97-455C-9076-741BA3AD7B62} https://accounting.quickbooks.com/c2/v21.120/qboax10.cab (QuickBooks Online Edition Utilities Class v10)O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} http://java.sun.com/update/1.6.0/jinstall-...indows-i586.cab (Java Plug-in 1.6.0_05)O16 - DPF: {CAFEEFAC-0016-0000-0005-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinstall-...indows-i586.cab (Java Plug-in 1.6.0_05)O16 - DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinstall-...indows-i586.cab (Java Plug-in 1.6.0_05)O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} http://download.macromedia.com/pub/shockwa...ash/swflash.cab (Shockwave Flash Object)O16 - DPF: DirectAnimation Java Classes file://C:\WINDOWS\Java\classes\dajava.cab (Reg Error: Key does not exist or could not be opened.)O16 - DPF: Microsoft XML Parser for Java file://C:\WINDOWS\Java\classes\xmldso.cab (Reg Error: Key does not exist or could not be opened.)O18 - Protocol\Handler: - ipp - No CLSID value foundO18 - Protocol\Handler: - ipp\0x00000001 - C:\Program Files\Common Files\System\Ole DB\msdaipp.dll (Microsoft Corporation)O18 - Protocol\Handler: - msdaipp - No CLSID value foundO18 - Protocol\Handler: - msdaipp\0x00000001 - C:\Program Files\Common Files\System\Ole DB\msdaipp.dll (Microsoft Corporation)O18 - Protocol\Handler: - msdaipp\oledb - C:\Program Files\Common Files\System\Ole DB\msdaipp.dll (Microsoft Corporation)O20 - See sections below for AppInitDlls and Winlogon settings========== Winlogon Notify Settings ==========[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\]!SASWinLogon: "DllName" = C:\Program Files\SUPERAntiSpyware\SASWINLO.dll -- C:\Program Files\SUPERAntiSpyware\SASWINLO.dll (SUPERAntiSpyware.com)========== Shell Execute Hooks ==========[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks]"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}" (HKLM) -- C:\Program Files\SUPERAntiSpyware\SASSEH.DLL (SuperAdBlocker.com)[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks]"{EDB0E980-90BD-11D4-8599-0008C7D3B6F8}" (HKLM) -- C:\Program Files\Qualcomm\Eudora\EuShlExt.dll (Qualcomm Inc.)========== HKLM *SecurityProviders* ==========[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders]"SecurityProviders" = msapsspc.dll, schannel.dll, digest.dll, msnsspc.dll, digeste.dll>File not found -- ========== Safeboot Options =========="AlternateShell" = cmd.exe========== CDRom AutoRun Settings ==========[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Cdrom]"AutoRun" = 1========== Autorun Files on Drives ==========AUTOEXEC.BAT [][2008/03/23 23:53:20 | 00,000,000 | ---- | M] () -- C:\AUTOEXEC.BAT -- [ NTFS ]AUTOEXEC.BAT [][2008/03/23 23:24:20 | 00,000,000 | ---- | M] () -- D:\AUTOEXEC.BAT -- [ NTFS ]========== Files/Folders - Created Within 30 Days ==========[1 C:\WINDOWS\System32\*.tmp files][2008/12/23 19:18:10 | 00,001,552 | ---- | C] () -- C:\Documents and Settings\steve\Desktop\CCleaner.lnk[2008/12/23 19:18:09 | 00,000,000 | ---D | C] -- C:\Program Files\CCleaner[2008/12/23 19:15:55 | 00,419,328 | ---- | C] (OldTimer Tools) -- C:\Documents and Settings\steve\Desktop\OTListIt2.exe[2008/12/23 19:15:38 | 03,165,824 | ---- | C] (Piriform Ltd) -- C:\Documents and Settings\steve\Desktop\ccsetup215.exe[2008/12/22 23:15:30 | 00,232,598 | ---- | C] () -- C:\Documents and Settings\steve\Desktop\MS4.ai[2008/12/22 01:34:21 | 00,000,000 | ---D | C] -- C:\WINDOWS\System32\CatRoot_bak[2008/12/22 01:33:37 | 00,023,576 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\wuapi.dll.mui[2008/12/21 20:56:22 | 00,000,000 | ---D | C] -- C:\Program Files\Mozilla Firefox3[2008/12/14 18:51:20 | 00,001,738 | ---- | C] () -- C:\Documents and Settings\steve\Desktop\HijackThis.lnk[2008/12/14 18:51:20 | 00,000,000 | ---D | C] -- C:\Program Files\Trend Micro[2008/12/14 18:51:07 | 00,812,344 | ---- | C] (Trend Micro Inc.) -- C:\Documents and Settings\steve\Desktop\HJTInstall.exe[2008/12/13 23:19:51 | 00,173,456 | ---- | C] (Symantec Corporation) -- C:\Documents and Settings\steve\Desktop\FixVundo.exe[2008/12/13 20:53:14 | 00,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Application Data\SUPERAntiSpyware.com[2008/12/13 20:53:07 | 00,000,784 | ---- | C] () -- C:\Documents and Settings\All Users\Desktop\SUPERAntiSpyware Free Edition.lnk[2008/12/13 20:53:05 | 00,000,000 | ---D | C] -- C:\Program Files\SUPERAntiSpyware[2008/12/13 20:53:05 | 00,000,000 | ---D | C] -- C:\Documents and Settings\steve\Application Data\SUPERAntiSpyware.com[2008/12/13 20:52:36 | 00,000,000 | ---D | C] -- C:\Program Files\Common Files\Wise Installation Wizard[2008/12/12 00:27:51 | 00,000,000 | ---D | C] -- C:\Documents and Settings\steve\Application Data\AdobeUM[2008/12/09 22:12:49 | 00,434,653 | ---- | C] () -- C:\Documents and Settings\steve\Desktop\DSCF0472.jpg[2008/12/07 21:08:12 | 00,001,761 | ---- | C] () -- C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Adobe Reader Speed Launch.lnk[2008/12/07 13:03:05 | 00,000,000 | ---D | C] -- C:\Documents and Settings\steve\Application Data\Malwarebytes[2008/12/07 13:02:57 | 00,015,504 | ---- | C] (Malwarebytes Corporation) -- C:\WINDOWS\System32\drivers\mbam.sys[2008/12/07 13:02:55 | 00,038,496 | ---- | C] (Malwarebytes Corporation) -- C:\WINDOWS\System32\drivers\mbamswissarmy.sys[2008/12/07 13:02:53 | 00,000,000 | ---D | C] -- C:\Program Files\Malwarebytes' Anti-Malware[2008/12/07 13:02:53 | 00,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Application Data\Malwarebytes[2008/12/07 12:04:10 | 00,000,000 | ---D | C] -- C:\Program Files\NOS[2008/12/07 12:04:10 | 00,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Application Data\NOS[2008/12/07 11:49:51 | 00,000,294 | ---- | C] () -- C:\WINDOWS\tasks\qzxmxtji.job[2008/11/30 22:04:34 | 00,065,180 | ---- | C] () -- C:\Documents and Settings\steve\Desktop\steveo_is_awesome.jpg========== Files - Modified Within 30 Days ==========[1 C:\WINDOWS\System32\*.tmp files][4 C:\WINDOWS\*.tmp files][2008/12/23 19:18:10 | 00,001,552 | ---- | M] () -- C:\Documents and Settings\steve\Desktop\CCleaner.lnk[2008/12/23 19:15:55 | 00,419,328 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\steve\Desktop\OTListIt2.exe[2008/12/23 19:15:51 | 03,165,824 | ---- | M] (Piriform Ltd) -- C:\Documents and Settings\steve\Desktop\ccsetup215.exe[2008/12/23 19:14:21 | 04,119,824 | ---- | M] () -- C:\WINDOWS\System32\FNTCACHE.DAT[2008/12/23 19:14:00 | 00,000,006 | -H-- | M] () -- C:\WINDOWS\tasks\SA.DAT[2008/12/23 19:13:57 | 00,002,048 | --S- | M] () -- C:\WINDOWS\bootstat.dat[2008/12/22 23:15:31 | 00,232,598 | ---- | M] () -- C:\Documents and Settings\steve\Desktop\MS4.ai[2008/12/22 23:14:21 | 00,000,294 | ---- | M] () -- C:\WINDOWS\tasks\qzxmxtji.job[2008/12/22 01:31:01 | 00,000,552 | ---- | M] () -- C:\WINDOWS\win.ini[2008/12/22 01:31:01 | 00,000,227 | ---- | M] () -- C:\WINDOWS\system.ini[2008/12/22 01:31:01 | 00,000,210 | -HS- | M] () -- C:\boot.ini[2008/12/21 21:54:16 | 00,000,069 | ---- | M] () -- C:\WINDOWS\NeroDigital.ini[2008/12/21 20:33:59 | 00,002,206 | ---- | M] () -- C:\WINDOWS\System32\wpa.dbl[2008/12/17 21:18:19 | 00,006,456 | -H-- | M] () -- C:\WINDOWS\System32\vedunure[2008/12/17 20:59:32 | 00,026,112 | ---- | M] () -- C:\Documents and Settings\steve\Local Settings\Application Data\DCBC2A71-70D8-4DAN-EHR8-E0D61DEA3FDF.ini[2008/12/14 18:51:20 | 00,001,738 | ---- | M] () -- C:\Documents and Settings\steve\Desktop\HijackThis.lnk[2008/12/14 18:51:11 | 00,812,344 | ---- | M] (Trend Micro Inc.) -- C:\Documents and Settings\steve\Desktop\HJTInstall.exe[2008/12/13 23:19:51 | 00,173,456 | ---- | M] (Symantec Corporation) -- C:\Documents and Settings\steve\Desktop\FixVundo.exe[2008/12/13 20:53:07 | 00,000,784 | ---- | M] () -- C:\Documents and Settings\All Users\Desktop\SUPERAntiSpyware Free Edition.lnk[2008/12/12 22:40:02 | 03,593,216 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\System32\mshtml.dll[2008/12/12 22:40:02 | 03,593,216 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\System32\dllcache\mshtml.dll[2008/12/07 21:08:12 | 00,001,761 | ---- | M] () -- C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Adobe Reader Speed Launch.lnk[2008/12/07 13:20:03 | 00,395,304 | ---- | M] () -- C:\Documents and Settings\steve\Local Settings\Application Data\GDIPFONTCACHEV1.DAT[2008/12/03 19:52:38 | 00,038,496 | ---- | M] (Malwarebytes Corporation) -- C:\WINDOWS\System32\drivers\mbamswissarmy.sys[2008/12/03 19:52:34 | 00,015,504 | ---- | M] (Malwarebytes Corporation) -- C:\WINDOWS\System32\drivers\mbam.sys[2008/11/30 22:04:35 | 00,065,180 | ---- | M] () -- C:\Documents and Settings\steve\Desktop\steveo_is_awesome.jpg========== Alternate Data Streams ==========@Alternate Data Stream - 147 bytes -> %AllUsersProfile%\Application Data\TEMP:DFC5A2B2< End of report > Link to post Share on other sites More sharing options...
slyew Posted December 24, 2008 Author ID:41924 Share Posted December 24, 2008 OtListIt Extras.txt file...OTListIt Extras logfile created on: 12/23/2008 7:20:33 PM - Run OTListIt2 by OldTimer - Version 1.0.1.0 Folder = C:\Documents and Settings\steve\DesktopWindows XP Professional Edition Service Pack 2 (Version = 5.1.2600) - Type = NTWorkstationInternet Explorer (Version = 7.0.5730.13)Locale: 00000409 | Country: United States | Language: ENU | Date Format: M/d/yyyy2.00 Gb Total Physical Memory | 1.62 Gb Available Physical Memory | 80.81% Memory free4.00 Gb Paging File | 4.00 Gb Available in Paging File | 100.00% Paging File freePaging file location(s): C:\pagefile.sys 2046 4092;D:\pagefile.sys 2046 4096;%SystemDrive% = C: | %SystemRoot% = C:\WINDOWS | %ProgramFiles% = C:\Program FilesDrive C: | 34.46 Gb Total Space | 11.91 Gb Free Space | 34.55% Space Free | Partition Type: NTFSDrive D: | 34.47 Gb Total Space | 23.92 Gb Free Space | 69.39% Space Free | Partition Type: NTFSE: Drive not present or media not loadedF: Drive not present or media not loadedG: Drive not present or media not loadedH: Drive not present or media not loadedI: Drive not present or media not loadedDrive R: | 931.32 Gb Total Space | 830.85 Gb Free Space | 89.21% Space Free | Partition Type: NTFSComputer Name: STEVECurrent User Name: steveLogged in as Administrator.Current Boot Mode: NormalScan Mode: All usersOutput = StandardFile Age = 30 DaysCompany Name Whitelist: On========== File Associations ==========[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\<extension>].html [@ = FirefoxHTML] -- ========== Security Center Settings ==========[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center]"AntiVirusDisableNotify" = 1"FirewallDisableNotify" = 1"UpdatesDisableNotify" = 1"AntiVirusOverride" = 0"FirewallOverride" = 0[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring][HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\AhnlabAntiVirus][HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\ComputerAssociatesAntiVirus][HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\KasperskyAntiVirus][HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\McAfeeAntiVirus][HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\McAfeeFirewall][HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\PandaAntiVirus][HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\PandaFirewall][HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\SophosAntiVirus][HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\SymantecAntiVirus][HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\SymantecFirewall][HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\TinyFirewall][HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\TrendAntiVirus][HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\TrendFirewall][HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\ZoneLabsFirewall]HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile"EnableFirewall" = 1"DoNotAllowExceptions" = 0"DisableNotifications" = 0[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications][HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\GloballyOpenPorts]========== Authorized Applications List ==========[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\AuthorizedApplications\List][2006/10/10 04:44:50 | 00,557,568 | ---- | M] (Microsoft Corporation) -- %windir%\Network Diagnostic\xpnetdiag.exe:*:Enabled:@xpsp3res.dll,-20000[2008/04/15 13:15:58 | 00,925,728 | ---- | M] (Microsoft Corporation) -- C:\Documents and Settings\steve\Local Settings\Application Data\FolderShare\FolderShare.exe:*:Enabled:Windows Live FolderShare Beta[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List]File not found -- F:\Setup\HPZnet01.exe:*:Enabled:Install Consumer Experience Network Plug in[2006/10/10 04:44:50 | 00,557,568 | ---- | M] (Microsoft Corporation) -- %windir%\Network Diagnostic\xpnetdiag.exe:*:Enabled:@xpsp3res.dll,-20000[2006/11/02 23:17:27 | 00,010,800 | ---- | M] (AOL LLC) -- C:\Program Files\Common Files\AOL\Loader\aolload.exe:*:Enabled:AOL Loader[2008/04/15 13:15:58 | 00,925,728 | ---- | M] (Microsoft Corporation) -- C:\Documents and Settings\steve\Local Settings\Application Data\FolderShare\FolderShare.exe:*:Enabled:Windows Live FolderShare BetaFile not found -- C:\Program Files\TwonkyMedia\twonkymediaserver.exe:*:Enabled:TwonkyMediaServerFile not found -- C:\Program Files\TwonkyMedia\twonkymedia.exe:*:Enabled:TwonkyMedia[2008/02/28 17:38:38 | 05,055,784 | ---- | M] (Nero AG) -- C:\Program Files\Nero\Nero8\Nero MediaHome\NeroMediaHome.exe:*:Enabled:Nero MediaHome (1)[2008/02/28 17:38:38 | 04,470,056 | ---- | M] (Nero AG) -- C:\Program Files\Nero\Nero8\Nero MediaHome\NMMediaServer.exe:*:Enabled:Nero MediaHome (2)[2008/03/06 12:50:59 | 00,050,528 | ---- | M] (AOL LLC) -- C:\Program Files\AIM6\aim6.exe:*:Enabled:AIM[2007/07/24 14:17:08 | 00,229,376 | ---- | M] (Apple Inc.) -- C:\Program Files\Bonjour\mDNSResponder.exe:*:Enabled:Bonjour[2008/07/10 09:51:26 | 20,246,824 | ---- | M] (Apple Inc.) -- C:\Program Files\iTunes\iTunes.exe:*:Enabled:iTunesFile not found -- C:\Program Files\MusicBrainz Picard\picard.exe:*:Enabled:The next generation MusicBrainz tagger[2004/08/03 23:56:55 | 00,033,280 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\system32\rundll32.exe:*:Enabled:rundll32[2002/09/03 11:34:39 | 00,008,192 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\system32\cidaemon.exe:*:Enabled:cidaemon[2003/09/28 17:30:08 | 00,110,592 | ---- | M] () -- C:\Program Files\Promise\WebPAM 2.0\jetty\extra\win32\Wrapper.exe:*:Enabled:wrapper========== HKEY_LOCAL_MACHINE Uninstall List ==========[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall]"{00000409-78E1-11D2-B60F-006097C998E7}" = Microsoft Office 2000 Premium"{003447F5-0058-4B77-9C1E-50488F77C4A7}" = Brother P-touch Editor 4.2"{0046FA01-C5B9-4985-BACB-398DC480FC05}" = Adobe Photoshop CS3"{0224CACC-994D-45F8-B973-D65056EA9C2F}" = Adobe XMP DVA Panels CS3"{02DFF6B1-1654-411C-8D7B-FD6052EF016F}" = Apple Software Update"{08B32819-6EEF-4057-AEDA-5AB681A36A23}" = Adobe Bridge Start Meeting"{08CA9554-B5FE-4313-938F-D4A417B81175}" = QuickTime"{0A3D355B-4FCC-41AF-8C61-A2BA15D26237}" = Adobe After Effects CS3"{0DC86BEC-5CE3-413A-BB61-C40A3D186B24}" = Scan"{14BEB6DF-A499-4A38-8E06-E173BCD5C087}" = ScannerCopy"{17293791-C82E-476C-9997-9A0FF234A19B}" = HP Product Assistant"{181821B7-82AA-44DA-9DAF-EF254CCB670A}" = Fax"{184CE391-7E0E-4C63-9935-D7A10EDFD3C6}" = Adobe WinSoft Linguistics Plugin"{185D0A67-E066-44AE-926D-F6305813301C}" = Adobe After Effects CS3 Presets"{18D10072035C4515918F7E37EAFAACFC}" = AutoUpdate"{20FBC0A0-3160-4F14-83ED-3A74BB6B8C31}" = TrayApp"{24D7346D-D4B4-45E8-98EA-75EC14B42DD8}" = Adobe ExtendScript Toolkit 2"{279449D6-CAF6-47F9-A28B-319FEEE4331B}" = Eudora"{29E5EA97-5F74-4A57-B8B2-D4F169117183}" = Adobe Stock Photos CS3"{2E8428AD-6CD2-4031-916A-3CF9BBF2DEC9}" = Unload"{2EFFFC71-1E66-454E-A6E6-CEEC800B96D2}" = Adobe Flash Video Encoder"{3248F0A8-6813-11D6-A77B-00B0D0160050}" = Java 6 Update 5"{342C7C88-D335-4bc2-8CF1-281857629CE2}" = HP PSC & OfficeJet 4.7"{350C97B0-3D7C-4EE8-BAA9-00BCB3D54227}" = WebFldrs XP"{391E18CE-7D3B-45E9-A8F0-34E77F14F47A}" = ProductContext"{3921A67A-5AB1-4E48-9444-C71814CF3027}" = VCRedistSetup"{3C5F1B30-B10B-4579-86DD-D00F662E1033}" = Nero 8"{442BE28B-782B-4DC0-B490-E70A403B1C69}" = Readme"{47BF1BD6-DCAC-468F-A0AD-E5DECC2211C3}" = Bonjour"{50F102CA-4BE2-41A9-9810-5BB05EB91B9A}" = Adobe Premiere Pro CS3 Functional Content"{51846830-E7B2-4218-8968-B77F0FF475B8}" = Adobe Color EU Extra Settings"{54793AA1-5001-42F4-ABB6-C364617C6078}" = Adobe Linguistics CS3"{56C049BE-79E9-4502-BEA7-9754A3E60F9B}" = neroxml"{5D6EC6F7-9B38-4a02-B063-97C2048B56A2}" = 7200_Help"{5EED93A8-33AD-46A7-A6AC-4DEAFBEFEEE1}" = Roxio Media Manager"{64B7E533-21EC-4DB3-95DE-6D2DDE81F855}" = Adobe Soundbooth CS3"{64C1FA9A-FA94-4B6E-B3E4-8573738E4AD1}" = Adobe Setup"{64FC0C98-B035-4530-B15D-3D30610B6DF1}" = HP Software Update"{655CB07D-C944-40BE-B93F-55957CAC7625}" = AiO_Scan"{68963635-14A4-48D9-B431-DF3A74D1AAE1}" = Destinations"{6A5D1A94-624A-4D20-B178-3A283B500370}" = Adobe Setup"{6ABE0BEE-D572-4FE8-B434-9E72A289431B}" = Adobe Fonts All"{6B52140A-F189-4945-BFFC-DB3F00B8C589}" = Adobe Flash CS3"{6B708481-748A-4EB4-97C1-CD386244FF77}" = Adobe MotionPicture Color Files"{6BBAA81D-6A7E-43AD-8889-2F002DCAAFDD}" = AHV content for Acrobat and Flash"{6D4AC5A4-4CF9-4F90-8111-B9B53CE257BF}" = Adobe Color Common Settings"{6FF5DD7A-FE28-4439-B8CF-1E9AF4EA0A61}" = Adobe Asset Services CS3"{700A6597-3CE6-49C1-AA75-846B24CDA66D}" = BufferChm"{7131646D-CD3C-40F4-97B9-CD9E4E6262EF}" = Microsoft .NET Framework 2.0"{7162AC2C-733F-4127-ACAD-C5F0F27D123D}" = Adobe Creative Suite 3 Master Collection"{7299052b-02a4-4627-81f2-1818da5d550d}" = Microsoft Visual C++ 2005 Redistributable"{7ACFB90E-8FD0-4397-AD3A-5195412623A3}" = Adobe Help Viewer CS3"{7AD25C9F-9957-4D1C-95EF-9BCD09F6D31B}" = HPSystemDiagnostics"{7B63B2922B174135AFC0E1377DD81EC2}" = DivX Codec"{7C10F5C7-F00F-4BD3-A110-C7D240D2DD25}" = Adobe Dreamweaver CS3"{7CCC6E23-0E35-480B-8F0C-8D06F882D5D3}" = Brother QL-Series User's Guide"{7D62C409-EA5C-40E3-954E-AD4923250923}" = Adobe Encore CS3 Library"{7DFC1012-D346-46CE-B03E-FF79125AE029}" = Adobe Fireworks CS3"{802771A9-A856-4A41-ACF7-1450E523C923}" = Adobe XMP Panels CS3"{80C13322-2085-49F5-8B19-2A9FA20F14E9}" = Adobe After Effects CS3 Template Projects & Footage"{81C71501-D10F-4DE8-AFD9-E718E82B1D41}_is1" = TextEdit 2.1"{845A8DB9-8802-4FD3-9FE3-938A6C46A2EC}" = Adobe Video Profiles"{85CFD253-38AE-4DB1-ACB7-F0F4C791990D}" = AiOSoftware"{8777AC6D-89F9-4793-8266-DE406F343E89}" = QFolder"{8ADFC4160D694100B5B8A22DE9DCABD9}" = DivX Player"{8D2BA474-F406-4710-9AE4-D4F22D21F0DD}" = Adobe Device Central CS3"{8E6808E2-613D-4FCD-81A2-6C8FA8E03312}" = Adobe Type Support"{8F7A4D82-B168-4F89-99C2-B9873EC877AF}" = HP Image Zone Express"{90176341-0A8B-4CCC-A78D-F862228A6B95}" = Adobe Anchor Service CS3"{90849E84-F026-4638-A184-E6FCFD472C34}" = Brother P-touch Software"{92A300C0-E97B-48CC-9702-AB1AAED167E1}" = Adobe Soundbooth CS3 Scores"{95655ED4-7CA5-46DF-907F-7144877A32E5}" = Adobe Color NA Recommended Settings"{98E9B724-0E62-4812-B6CC-C6A228BBC562}" = Brother P-touch Address Book 1.0"{9BA4F9C5-7CB4-492C-9B97-89E36AFA0AB9}" = Adobe Setup"{9C9824D9-9000-4373-A6A5-D0E5D4831394}" = Adobe Bridge CS3"{A2B242BD-FF8D-4840-9DAA-9170EABEC59C}" = Adobe CMaps"{A2D81E70-2A98-4A08-A628-94388B063C5E}" = Adobe Color - Photoshop Specific"{A6CDBEB9-2DF5-4455-A647-F3DF0441D5C3}" = Adobe Premiere Pro CS3"{A7391302-FADF-4314-80DC-C757DAE45178}" = 7200"{AC5B0C19-D851-42F4-BDA0-410ECF7F70A5}" = PDF Settings"{AC76BA86-7AD7-1033-7B44-A70000000000}" = Adobe Reader 7.0"{AC966B90-53CA-4710-8EEE-57ED25387872}" = 7200Trb"{B13A7C41581B411290FBC0395694E2A9}" = DivX Converter"{B3BF6689-A81D-40D8-9A86-4AC4ACD9FC1C}" = Adobe Camera Raw 4.0"{B3C02EC1-A7B0-4987-9A43-8789426AAA7D}" = Adobe Setup"{B671CBFD-4109-4D35-9252-3062D3CCB7B2}" = Adobe SING CS3"{B7050CBDB2504B34BC2A9CA0A692CC29}" = DivX Web Player"{B73CFB12-C814-4638-AFFD-7E3AAFAF0B4E}" = Adobe BridgeTalk Plugin CS3"{B911B811-BA3E-46D4-90F8-6F3338359651}" = Director"{B9B35331-B7E4-4E5C-BF4C-7BC87856124D}" = Adobe Default Language CS3"{BCE72AED-3332-4863-9567-C5DCB9052CA2}" = Netflix Movie Viewer"{BE5F3842-8309-4754-92D5-83E02E6077A3}" = Adobe Extension Manager CS3"{C178B38F-613A-4EFE-B718-A675BD27A1E1}" = BlackBerry Desktop Software 4.3"{C347D234-93D8-4595-BDAA-C04638B23B48}" = Adobe Creative Suite 3 Web Premium"{C5BD220A-EFE8-48A5-B70E-9503D535FACE}" = Adobe WAS CS3"{CB3F8375-B600-4B9F-83C9-238ED1E583FD}" = Adobe InDesign CS3"{CDDCBBF1-2703-46BC-938B-BCC81A1EEAAA}" = SUPERAntiSpyware Free Edition"{CDFCF124-115F-4976-8BF4-08C89187A146}" = WebReg"{D0DFF92A-492E-4C40-B862-A74A173C25C5}" = Adobe Version Cue CS3 Client"{D2559B88-CC9D-4B48-81BB-F492BAA9C48C}" = Adobe PDF Library Files"{D78653C3-A8FF-415F-92E6-D774E634FF2D}" = Dell ResourceCD"{DD362256-A7A2-4524-9457-213DDC2AFC2A}" = Adobe After Effects 7.0"{DD7DB3C5-6FA3-4FA3-8A71-C2F2940EB029}" = Adobe Color JA Extra Settings"{E69AE897-9E0B-485C-8552-7841F48D42D8}" = Adobe Update Manager CS3"{EA7B3CC4-366D-4CF6-8350-FD7A7034116E}" = Adobe InDesign CS3 Icon Handler"{EF6C4600-306D-4F6A-A119-C2A877D25B4A}" = iTunes"{F08E8D2E-F132-4742-9C87-D5FF223A016A}" = Adobe Illustrator CS3"{F0A37341-D692-11D4-A984-009027EC0A9C}" = SoundMAX"{FC9E08AA-CD59-4C59-BEF9-87E05B9E37D7}" = Adobe Contribute CS3"{FE434300-A311-4BE1-93BA-B74BC8C4017B}" = Windows Live FolderShare Beta"733fc5aa09f6ebe167e13d69c7dc4e7f" = Promise WebPAM 2.0"Adobe After Effects 7.0" = Adobe After Effects 7.0"Adobe Flash Player ActiveX" = Adobe Flash Player ActiveX"Adobe Flash Player Plugin" = Adobe Flash Player 10 Plugin"Adobe_247961ef275e20c5cb073c36394ac32" = Add or Remove Adobe Creative Suite 3 Web Premium"Adobe_3e054d2218e7aa282c2369d939e58ff" = Adobe ExtendScript Toolkit 2"Adobe_6c8e2cb4fd241c55406016127a6ab2e" = Adobe Color Common Settings"Adobe_8bb24e071e5922899698c2105557bd2" = Add or Remove Adobe Creative Suite 3 Master Collection"AIM_6" = AIM 6"BlackBerry_{C178B38F-613A-4EFE-B718-A675BD27A1E1}" = BlackBerry Desktop Software 4.3"CCleaner" = CCleaner (remove only)"DAZzle" = DAZzle"Dropbox" = Dropbox"DVD Shrink_is1" = DVD Shrink 3.2"FastStone Capture" = FastStone Capture 6.0"HijackThis" = HijackThis 2.0.2"HP Photo & Imaging" = HP Image Zone 4.7"IDNMitigationAPIs" = Microsoft Internationalized Domain Names Mitigation APIs"ie7" = Windows Internet Explorer 7"InstallShield_{003447F5-0058-4B77-9C1E-50488F77C4A7}" = Brother P-touch Editor 4.2"InstallShield_{7CCC6E23-0E35-480B-8F0C-8D06F882D5D3}" = Brother QL-Series User's Guide"InstallShield_{98E9B724-0E62-4812-B6CC-C6A228BBC562}" = Brother P-touch Address Book 1.0"IrfanView" = IrfanView (remove only)"Malwarebytes' Anti-Malware_is1" = Malwarebytes' Anti-Malware"Microsoft .NET Framework 2.0" = Microsoft .NET Framework 2.0"Mozilla Firefox (3.0.4)" = Mozilla Firefox (3.0.4)"Mozilla Firefox (3.0.5)" = Mozilla Firefox (3.0.5)"Mozilla Thunderbird (2.0.0.18)" = Mozilla Thunderbird (2.0.0.18)"MSCompPackV1" = Microsoft Compression Client Pack 1.0 for Windows XP"NLSDownlevelMapping" = Microsoft National Language Support Downlevel APIs"NVIDIA Display Driver" = NVIDIA Display Driver"Picasa 3" = Picasa 3"PROSet" = Intel® PRO Ethernet Adapter and Software"ViewpointMediaPlayer" = Viewpoint Media Player"Windows Media Format Runtime" = Windows Media Format 11 runtime"Windows Media Player" = Windows Media Player 11"Windows XP Service Pack" = Windows XP Service Pack 2"WinRAR archiver" = WinRAR archiver"WMFDist11" = Windows Media Format 11 runtime"wmp11" = Windows Media Player 11"Wudf01000" = Microsoft User-Mode Driver Framework Feature Pack 1.0"Yahoo! Toolbar" = Yahoo! Toolbar========== HKEY_CURRENT_USER Uninstall List ==========[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall]========== HKEY_USERS Uninstall List ==========[HKEY_USERS\S-1-5-21-1060284298-839522115-725345543-1003\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall]========== Last 10 Event Log Errors ==========[ Application Events ]Error - 7/11/2008 2:32:20 AM | Computer Name = STEVE | Source = Application Hang | ID = 1002Description = Hanging application wmplayer.exe, version 11.0.5721.5145, hang module hungapp, version 0.0.0.0, hang address 0x00000000.Error - 7/11/2008 2:32:20 AM | Computer Name = STEVE | Source = Application Hang | ID = 1002Description = Hanging application wmplayer.exe, version 11.0.5721.5145, hang module hungapp, version 0.0.0.0, hang address 0x00000000.Error - 7/12/2008 12:56:28 AM | Computer Name = STEVE | Source = Application Error | ID = 1000Description = Faulting application explorer.exe, version 6.0.2900.3156, faulting module msvcr80.dll, version 8.0.50727.762, fault address 0x00014d98.Error - 7/28/2008 2:23:37 AM | Computer Name = STEVE | Source = Ci | ID = 4124Description = Content index on c:\system volume information\catalog.wci is corrupt. Please shutdown and restart the Indexing Service (cisvc).Error - 7/28/2008 2:23:37 AM | Computer Name = STEVE | Source = Ci | ID = 4126Description = Cleaning up corrupt content index metadata on c:\system volume information\catalog.wci. Index will be automatically restored by refiltering all documents.Error - 7/28/2008 12:44:36 PM | Computer Name = STEVE | Source = MsiInstaller | ID = 11722Description = Product: Roxio Media Manager -- Error 1722.There is a problem with this Windows Installer package. A program run as part of the setup did not finish as expected. Contact your support personnel or package vendor. Action DWUS_Schedule.C3A146F5_4B48_11D5_A819_00B0D0428C0C, location: C:\Program Files\Common Files\InstallShield\UpdateService\, command: C:\Program Files\Common Files\InstallShield\UpdateService\agent.exe /ssi{5EED93A8-33AD-46A7-A6AC-4DEAFBEFEEE1},30: Default Error - 7/28/2008 12:44:36 PM | Computer Name = STEVE | Source = MsiInstaller | ID = 11719Description = Product: Roxio Media Manager -- Error 1719.The Windows Installer Service could not be accessed. This can occur if you are running Windows in safe mode, or if the Windows Installer is not correctly installed. Contact your support personnel for assistance.[ System Events ]Error - 12/14/2008 10:54:55 PM | Computer Name = STEVE | Source = Service Control Manager | ID = 7026Description = The following boot-start or system-start driver(s) failed to load: AFD Fips intelppm IPSec MRxSmb NetBIOS NetBT OMCI pctfw2 RasAcd Rdbss SASDIFSV SASKUTIL TcpipWS2IFSLError - 12/14/2008 11:02:26 PM | Computer Name = STEVE | Source = DCOM | ID = 10005Description = DCOM got error "%1084" attempting to start the service EventSystem with arguments "" in order to run the server: {1BE1F766-5536-11D1-B726-00C04FB926AF}Error - 12/16/2008 7:07:01 AM | Computer Name = STEVE | Source = DCOM | ID = 10005Description = DCOM got error "%1058" attempting to start the service wuauserv with arguments "" in order to run the server: {E60687F7-01A1-40AA-86AC-DB1CBF673334}Error - 12/16/2008 7:14:31 AM | Computer Name = STEVE | Source = Service Control Manager | ID = 7026Description = The following boot-start or system-start driver(s) failed to load: mvSata PCIIdeError - 12/17/2008 11:56:07 PM | Computer Name = STEVE | Source = DCOM | ID = 10005Description = DCOM got error "%1058" attempting to start the service wuauserv with arguments "" in order to run the server: {E60687F7-01A1-40AA-86AC-DB1CBF673334}Error - 12/20/2008 3:24:31 PM | Computer Name = STEVE | Source = Service Control Manager | ID = 7026Description = The following boot-start or system-start driver(s) failed to load: mvSata PCIIdeError - 12/22/2008 1:51:06 AM | Computer Name = STEVE | Source = DCOM | ID = 10005Description = DCOM got error "%1058" attempting to start the service wuauserv with arguments "" in order to run the server: {E60687F7-01A1-40AA-86AC-DB1CBF673334}Error - 12/22/2008 5:35:55 AM | Computer Name = STEVE | Source = PlugPlayManager | ID = 12Description = The device 'Promise 2X2 Mirror/RAID1 SCSI Disk Device' (SCSI\Disk&Ven_Promise&Prod_2X2_Mirror/RAID1&Rev_1.10\6&30f6ec26&0&000) disappeared from the system without first being prepared for removal.Error - 12/22/2008 5:35:56 AM | Computer Name = STEVE | Source = Promise Napa I2API | ID = 512Description = Logical drive "PROMISE LD " goes offlineError - 12/22/2008 5:35:56 AM | Computer Name = STEVE | Source = Promise Napa I2API | ID = 512Description = Logical drive "PROMISE LD " goes offline< End of report > Link to post Share on other sites More sharing options...
Root Admin AdvancedSetup Posted December 24, 2008 Root Admin ID:41959 Share Posted December 24, 2008 Your system has files on it that MBAM already detects and removes so that leads me to believe you may have something cloaked running that is preventing MBAM from removing it or it's a new variant of an old infection.STEP 01For now please rename or delete your HOSTS file located here:C:\WINDOWS\system32\drivers\etc\hostsSTEP 02Please upload this file for review hereC:\WINDOWS\SYSTEM32\digeste.dllSTEP 03ERUNT Registry Backup and Restore for WindowsPlease download ERUNT and backup your Registry before proceeding. ERUNTDo not place it in the Startup folder as it requests at least for now.STEP 04The file above is referenced here and does not belong here in the registry.After backing up the Registry click on START - RUN - and type in REGEDIT then browse to this location.Double-click on the SecurityProviders key and remove the digeste.dll entry.Make sure you leave the comma on the end. ,[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders]"SecurityProviders" = msapsspc.dll, schannel.dll, digest.dll, msnsspc.dll, digeste.dllIt should look like thismsapsspc.dll, schannel.dll, digest.dll, msnsspc.dll,STEP 05Open My Computer and browse to this file and delete it. C:\WINDOWS\tasks\qzxmxtji.jobSTEP 06Your Java is out of date. Older versions have vulnerabilities that malware can use to infect your system.Please download JavaRa and unzip it to your desktop.***Please close any instances of Internet Explorer (or other web browser) before continuing!***Double-click on JavaRa.exe to start the program.From the drop-down menu, choose English and click on Select.JavaRa will open; click on Remove Older Versions to remove the older versions of Java installed on your computer.Click Yes when prompted. When JavaRa is done, a notice will appear that a logfile has been produced. Click OK.A logfile will pop up. Please save it to a convenient location.Update Java RuntimeThe most current version of Sun Java is: Java Runtime Environment (JRE) 6 Update 11.Go to http://java.sun.com/javase/downloads/index.jspGo to Java Runtime Environment (JRE) 6 Update 11 about half way down the page and click on the Download button.In Platform box choose Windows.Check the box to Accept License Agreement and click Continue.Click on Windows Offline Installation, click on the link under it which says jre-6u11-windows-i586-p.exe and save the downloaded file to your desktop.Install the new version by running the newly-downloaded file with the java icon which will be on your desktop, and follow the on-screen instructions.Uncheck the Toolbar button (unless you want the toolbar)Reboot your computerSTEP 07Malwarebytes' Anti-MalwareStart MalwareBytes AntiMalware Update Malwarebytes' Anti-Malware Select the Update tabClick Update[*]When the update is complete, select the Scanner tab[*]Select Perform quick scan, then click Scan.[*]When the scan is complete, click OK, then Show Results to view the results.[*]Be sure that everything is checked, and click Remove Selected.[*]When completed, a log will open in Notepad. please copy and paste the log into your next reply If you accidently close it, the log file is saved here and will be named like this:C:\Documents and Settings\Username\Application Data\Malwarebytes\Malwarebytes' Anti-Malware\Logs\mbam-log-date (time).txtSTEP 08Reboot the computer and run HJT scan and save log.STEP 09Post back MBAM and HJT logs. Link to post Share on other sites More sharing options...
slyew Posted December 25, 2008 Author ID:42182 Share Posted December 25, 2008 MBAM LOGMalwarebytes' Anti-Malware 1.31Database version: 1542Windows 5.1.2600 Service Pack 212/24/2008 4:07:01 PMmbam-log-2008-12-24 (16-07-01).txtScan type: Quick ScanObjects scanned: 62105Time elapsed: 1 minute(s), 41 second(s)Memory Processes Infected: 0Memory Modules Infected: 0Registry Keys Infected: 1Registry Values Infected: 0Registry Data Items Infected: 0Folders Infected: 0Files Infected: 0Memory Processes Infected:(No malicious items detected)Memory Modules Infected:(No malicious items detected)Registry Keys Infected:HKEY_CLASSES_ROOT\CLSID\{ec43e3fd-5c60-46a6-97d7-e0b85dbdd6c4} (Trojan.BHO) -> Delete on reboot.Registry Values Infected:(No malicious items detected)Registry Data Items Infected:(No malicious items detected)Folders Infected:(No malicious items detected)Files Infected:(No malicious items detected) Link to post Share on other sites More sharing options...
slyew Posted December 25, 2008 Author ID:42183 Share Posted December 25, 2008 Java.Ra.logJavaRa 1.12 Removal Log.Report follows after line.------------------------------------The JavaRa removal process was started on Wed Dec 24 15:54:24 2008Found and removed: SOFTWARE\Classes\CLSID\{CAFEEFAC-0016-0000-0005-ABCDEFFEDCBA}Found and removed: SOFTWARE\Classes\CLSID\{CAFEEFAC-0016-0000-0005-ABCDEFFEDCBB}Found and removed: SOFTWARE\Classes\CLSID\{CAFEEFAC-0016-0000-0005-ABCDEFFEDCBC}Found and removed: SOFTWARE\Classes\Installer\Features\8A0F842331866D117AB7000B0D610005Found and removed: SOFTWARE\Classes\Installer\Products\8A0F842331866D117AB7000B0D610005Found and removed: SOFTWARE\Classes\Installer\UpgradeCodes\7A0F842331866D117AB7000B0D610005Found and removed: SOFTWARE\Classes\JavaPlugin.160_05Found and removed: SOFTWARE\JavaSoft\Java Plug-in\1.6.0_05Found and removed: SOFTWARE\JavaSoft\Java Runtime Environment\1.6.0_05Found and removed: SOFTWARE\Microsoft\Code Store Database\Distribution Units\{CAFEEFAC-0016-0000-0005-ABCDEFFEDCBA}Found and removed: SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UpgradeCodes\7A0F842331866D117AB7000B0D610005Found and removed: SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Components\ACBB9B2318A96D117A58000B0D610005Found and removed: SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Products\8A0F842331866D117AB7000B0D610005Found and removed: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{3248F0A8-6813-11D6-A77B-00B0D0160050}Found and removed: Software\Classes\JavaPlugin.160_05Found and removed: Software\Classes\CLSID\{CAFEEFAC-0013-0000-0003-ABCDEFFEDCBA}Found and removed: Software\Classes\CLSID\{CAFEEFAC-0013-0000-0004-ABCDEFFEDCBA}Found and removed: Software\Classes\CLSID\{CAFEEFAC-0013-0000-0005-ABCDEFFEDCBA}Found and removed: SOFTWARE\JavaSoft\Java Web Start\1.0.1Found and removed: SOFTWARE\JavaSoft\Java Web Start\1.0.1_02Found and removed: SOFTWARE\JavaSoft\Java Web Start\1.0.1_03Found and removed: SOFTWARE\JavaSoft\Java Web Start\1.0.1_04Found and removed: SOFTWARE\JavaSoft\Java Web Start\1.2Found and removed: SOFTWARE\JavaSoft\Java Web Start\1.2.0_01Found and removed: SOFTWARE\JavaSoft\Java Web Start\1.6.0_05Found and removed: Software\JavaSoft\Java2D\1.6.0_05Found and removed: Software\JavaSoft\Java Runtime Environment\1.6.0_05Found and removed: Software\Classes\CLSID\{CAFEEFAC-0013-0001-0000-ABCDEFFEDCBA}Found and removed: Software\Classes\CLSID\{CAFEEFAC-0013-0001-0001-ABCDEFFEDCBA}Found and removed: Software\Classes\CLSID\{CAFEEFAC-0013-0001-0001-ABCDEFFEDCBB}Found and removed: Software\Classes\CLSID\{CAFEEFAC-0013-0001-0002-ABCDEFFEDCBA}Found and removed: Software\Classes\CLSID\{CAFEEFAC-0013-0001-0002-ABCDEFFEDCBB}Found and removed: Software\Classes\CLSID\{CAFEEFAC-0013-0001-0003-ABCDEFFEDCBA}Found and removed: Software\Classes\CLSID\{CAFEEFAC-0013-0001-0003-ABCDEFFEDCBB}Found and removed: Software\Classes\CLSID\{CAFEEFAC-0013-0001-0004-ABCDEFFEDCBA}Found and removed: Software\Classes\CLSID\{CAFEEFAC-0013-0001-0004-ABCDEFFEDCBB}Found and removed: Software\Classes\CLSID\{CAFEEFAC-0013-0001-0005-ABCDEFFEDCBA}Found and removed: Software\Classes\CLSID\{CAFEEFAC-0013-0001-0005-ABCDEFFEDCBB}Found and removed: Software\Classes\CLSID\{CAFEEFAC-0013-0001-0006-ABCDEFFEDCBA}Found and removed: Software\Classes\CLSID\{CAFEEFAC-0013-0001-0006-ABCDEFFEDCBB}Found and removed: Software\Classes\CLSID\{CAFEEFAC-0013-0001-0007-ABCDEFFEDCBA}Found and removed: Software\Classes\CLSID\{CAFEEFAC-0013-0001-0007-ABCDEFFEDCBB}Found and removed: Software\Classes\CLSID\{CAFEEFAC-0013-0001-0008-ABCDEFFEDCBA}Found and removed: Software\Classes\CLSID\{CAFEEFAC-0013-0001-0008-ABCDEFFEDCBB}Found and removed: Software\Classes\CLSID\{CAFEEFAC-0013-0001-0009-ABCDEFFEDCBA}Found and removed: Software\Classes\CLSID\{CAFEEFAC-0013-0001-0009-ABCDEFFEDCBB}Found and removed: Software\Classes\CLSID\{CAFEEFAC-0013-0001-0010-ABCDEFFEDCBA}Found and removed: Software\Classes\CLSID\{CAFEEFAC-0013-0001-0010-ABCDEFFEDCBB}Found and removed: Software\Classes\CLSID\{CAFEEFAC-0013-0001-0011-ABCDEFFEDCBA}Found and removed: Software\Classes\CLSID\{CAFEEFAC-0013-0001-0011-ABCDEFFEDCBB}Found and removed: Software\Classes\CLSID\{CAFEEFAC-0013-0001-0012-ABCDEFFEDCBA}Found and removed: Software\Classes\CLSID\{CAFEEFAC-0013-0001-0012-ABCDEFFEDCBB}Found and removed: Software\Classes\CLSID\{CAFEEFAC-0013-0001-0013-ABCDEFFEDCBA}Found and removed: Software\Classes\CLSID\{CAFEEFAC-0013-0001-0013-ABCDEFFEDCBB}Found and removed: Software\Classes\CLSID\{CAFEEFAC-0013-0001-0014-ABCDEFFEDCBA}Found and removed: Software\Classes\CLSID\{CAFEEFAC-0013-0001-0014-ABCDEFFEDCBB}Found and removed: Software\Classes\CLSID\{CAFEEFAC-0013-0001-0015-ABCDEFFEDCBA}Found and removed: Software\Classes\CLSID\{CAFEEFAC-0013-0001-0015-ABCDEFFEDCBB}Found and removed: Software\Classes\CLSID\{CAFEEFAC-0013-0001-0016-ABCDEFFEDCBA}Found and removed: Software\Classes\CLSID\{CAFEEFAC-0013-0001-0016-ABCDEFFEDCBB}Found and removed: Software\Classes\CLSID\{CAFEEFAC-0013-0001-0017-ABCDEFFEDCBA}Found and removed: Software\Classes\CLSID\{CAFEEFAC-0013-0001-0017-ABCDEFFEDCBB}Found and removed: Software\Classes\CLSID\{CAFEEFAC-0013-0001-0018-ABCDEFFEDCBA}Found and removed: Software\Classes\CLSID\{CAFEEFAC-0013-0001-0018-ABCDEFFEDCBB}Found and removed: Software\Classes\CLSID\{CAFEEFAC-0013-0001-0019-ABCDEFFEDCBA}Found and removed: Software\Classes\CLSID\{CAFEEFAC-0013-0001-0019-ABCDEFFEDCBB}Found and removed: Software\Classes\CLSID\{CAFEEFAC-0013-0001-0020-ABCDEFFEDCBA}Found and removed: Software\Classes\CLSID\{CAFEEFAC-0013-0001-0020-ABCDEFFEDCBB}Found and removed: Software\Classes\CLSID\{CAFEEFAC-0013-0001-0021-ABCDEFFEDCBA}Found and removed: Software\Classes\CLSID\{CAFEEFAC-0013-0001-0021-ABCDEFFEDCBB}Found and removed: Software\Classes\CLSID\{CAFEEFAC-0013-0001-0022-ABCDEFFEDCBA}Found and removed: Software\Classes\CLSID\{CAFEEFAC-0013-0001-0022-ABCDEFFEDCBB}Found and removed: Software\Classes\CLSID\{CAFEEFAC-0013-0001-0023-ABCDEFFEDCBA}Found and removed: Software\Classes\CLSID\{CAFEEFAC-0013-0001-0023-ABCDEFFEDCBB}Found and removed: Software\Classes\CLSID\{CAFEEFAC-0013-0001-0024-ABCDEFFEDCBA}Found and removed: Software\Classes\CLSID\{CAFEEFAC-0013-0001-0024-ABCDEFFEDCBB}Found and removed: Software\Classes\CLSID\{CAFEEFAC-0013-0001-0025-ABCDEFFEDCBA}Found and removed: Software\Classes\CLSID\{CAFEEFAC-0013-0001-0025-ABCDEFFEDCBB}Found and removed: Software\Classes\CLSID\{CAFEEFAC-0013-0001-0026-ABCDEFFEDCBA}Found and removed: Software\Classes\CLSID\{CAFEEFAC-0013-0001-0026-ABCDEFFEDCBB}Found and removed: Software\Classes\CLSID\{CAFEEFAC-0013-0001-0027-ABCDEFFEDCBA}Found and removed: Software\Classes\CLSID\{CAFEEFAC-0013-0001-0027-ABCDEFFEDCBB}Found and removed: Software\Classes\CLSID\{CAFEEFAC-0013-0001-0028-ABCDEFFEDCBA}Found and removed: Software\Classes\CLSID\{CAFEEFAC-0013-0001-0028-ABCDEFFEDCBB}Found and removed: Software\Classes\CLSID\{CAFEEFAC-0013-0001-0029-ABCDEFFEDCBA}Found and removed: Software\Classes\CLSID\{CAFEEFAC-0013-0001-0029-ABCDEFFEDCBB}Found and removed: Software\Classes\CLSID\{CAFEEFAC-0013-0001-0030-ABCDEFFEDCBA}Found and removed: Software\Classes\CLSID\{CAFEEFAC-0013-0001-0030-ABCDEFFEDCBB}Found and removed: SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\Folders\\C:\Program Files\Java\jre1.6.0_05\Found and removed: SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\Folders\\C:\Program Files\Java\jre1.6.0_05\bin\Found and removed: SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\Folders\C:\Program Files\Common Files\Java\Update\Base Images\jre1.6.0.b105\patch-jre1.6.0_05.b13\------------------------------------Finished reporting. Link to post Share on other sites More sharing options...
slyew Posted December 25, 2008 Author ID:42184 Share Posted December 25, 2008 HJT LOGLogfile of Trend Micro HijackThis v2.0.2Scan saved at 4:10:07 PM, on 12/24/2008Platform: Windows XP SP2 (WinNT 5.01.2600)MSIE: Internet Explorer v7.00 (7.00.6000.16762)Boot mode: NormalRunning processes:C:\WINDOWS\System32\smss.exeC:\WINDOWS\system32\winlogon.exeC:\WINDOWS\system32\services.exeC:\WINDOWS\system32\lsass.exeC:\WINDOWS\system32\svchost.exeC:\WINDOWS\System32\svchost.exeC:\WINDOWS\system32\spoolsv.exeC:\Program Files\Bonjour\mDNSResponder.exeC:\WINDOWS\system32\cisvc.exeC:\Program Files\Java\jre6\bin\jqs.exeC:\WINDOWS\system32\IoctlSvc.exeC:\WINDOWS\system32\HPZipm12.exeC:\Program Files\Promise\WebPAM 2.0\jetty\extra\win32\wrapper.exeC:\WINDOWS\System32\svchost.exeC:\Program Files\Viewpoint\Common\ViewpointService.exeC:\Program Files\Promise\WebPAM 2.0\_jvm\bin\java.exeC:\WINDOWS\system32\userinit.exeC:\WINDOWS\Explorer.EXEC:\WINDOWS\system32\ctfmon.exeC:\Program Files\Java\jre6\bin\jusched.exeC:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exeC:\WINDOWS\System32\svchost.exeC:\Program Files\Trend Micro\HijackThis\HijackThis.exeR0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blankR1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.localO2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dllO2 - BHO: ContributeBHO Class - {074C1DC5-9320-4A9A-947D-C042949C6216} - C:\Program Files\Adobe\/Adobe Contribute CS3/contributeieplugin.dllO2 - BHO: Java Plug-In SSV Helper - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre6\bin\ssv.dllO2 - BHO: Java Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dllO2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dllO3 - Toolbar: Contribute Toolbar - {517BDDE4-E3A7-4570-B21E-2B52B6139FC7} - C:\Program Files\Adobe\/Adobe Contribute CS3/contributeieplugin.dllO3 - Toolbar: &Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dllO4 - HKLM\..\Run: [PtiuPbmd] Rundll32.exe ptipbm.dll,SetWriteBackO4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartupO4 - HKLM\..\Run: [MSConfig] C:\WINDOWS\PCHealth\HelpCtr\Binaries\MSConfig.exe /autoO4 - HKLM\..\Run: [sunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exeO4 - HKCU\..\Run: [Windows Live FolderShare] "C:\Documents and Settings\steve\Local Settings\Application Data\FolderShare\FolderShare.exe" /backgroundO4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exeO8 - Extra context menu item: Add to Google Photos Screensa&ver - res://C:\WINDOWS\system32\GPhotos.scr/200O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exeO9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exeO9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exeO9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exeO16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/windowsupd...b?1229938396765O16 - DPF: {843EE768-3A97-455C-9076-741BA3AD7B62} (QuickBooks Online Edition Utilities Class v10) - https://accounting.quickbooks.com/c2/v21.120/qboax10.cabO20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dllO23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exeO23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exeO23 - Service: getPlus® Helper - NOS Microsystems Ltd. - C:\Program Files\NOS\bin\getPlus_HelperSvc.exeO23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exeO23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exeO23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exeO23 - Service: NMIndexingService - Nero AG - C:\Program Files\Common Files\Nero\Lib\NMIndexingService.exeO23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exeO23 - Service: PLFlash DeviceIoControl Service - Prolific Technology Inc. - C:\WINDOWS\system32\IoctlSvc.exeO23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exeO23 - Service: Promise WebPAM (PromiseWebPAM) - Unknown owner - C:\Program Files\Promise\WebPAM 2.0\jetty\extra\win32\wrapper.exeO23 - Service: LiveShare P2P Server 9 (RoxLiveShare9) - Sonic Solutions - C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxLiveShare9.exeO23 - Service: Viewpoint Manager Service - Viewpoint Corporation - C:\Program Files\Viewpoint\Common\ViewpointService.exe--End of file - 5970 bytes Link to post Share on other sites More sharing options...
Root Admin AdvancedSetup Posted December 26, 2008 Root Admin ID:42449 Share Posted December 26, 2008 Well it is the Holidays and most helpers are away with Family and Friends.I will be out of Town until Monday but please run the following while I'm away and I'll assist you further when I return.The logs look reasonably good. How is the system running now? Is there still any sign of Malware ?Please run this AntiVirus toolDownload to the desktop: Dr.Web CureItDoubleclick the drweb-cureit.exe file and Allow to run the express scanThis will scan the files currently running in memory and when something is found, click the yes button when it asks you if you want to cure it. This is only a short scan.Once the short scan has finished, Click Options > Change settingsChoose the "Scan"-tab, remove the mark at "Heuristic analysis".Back at the main window, mark the drives that you want to scan.Select all drives. A red dot shows which drives have been chosen.Click the green arrow at the right, and the scan will start.Click 'Yes to all' if it asks if you want to cure/move the file.When the scan has finished, look if you can click next icon next to the files found:If so, click it and then click the next icon right below and select Move incurable as you'll see in next image:This will move it to the %userprofile%\DoctorWeb\quarantaine-folder if it can't be cured. (this in case if we need samples)After selecting, in the Dr.Web CureIt menu on top, click file and choose save report listSave the report to your desktop. The report will be called DrWeb.csvClose Dr.Web Cureit.Reboot your computer!! Because it could be possible that files in use will be moved/deleted during reboot.After reboot, post the contents of the log from Dr.Web you saved previously in your next reply with a new hijackthis log.Then let me know if it finds anything and how the computer is working now.Thanks, and I'll be back on Monday to assist you further. Link to post Share on other sites More sharing options...
slyew Posted December 28, 2008 Author ID:42731 Share Posted December 28, 2008 Hi, yeah thanks, I was a bit away myself.I ran MBAM again, and it still came up with the vundo virus.Malwarebytes' Anti-Malware 1.31Database version: 1556Windows 5.1.2600 Service Pack 212/27/2008 1:59:18 PMmbam-log-2008-12-27 (13-59-18).txtScan type: Quick ScanObjects scanned: 62095Time elapsed: 2 minute(s), 39 second(s)Memory Processes Infected: 0Memory Modules Infected: 0Registry Keys Infected: 1Registry Values Infected: 0Registry Data Items Infected: 0Folders Infected: 0Files Infected: 0Memory Processes Infected:(No malicious items detected)Memory Modules Infected:(No malicious items detected)Registry Keys Infected:HKEY_CLASSES_ROOT\CLSID\{ec43e3fd-5c60-46a6-97d7-e0b85dbdd6c4} (Trojan.BHO) -> Delete on reboot.Registry Values Infected:(No malicious items detected)Registry Data Items Infected:(No malicious items detected)Folders Infected:(No malicious items detected)Files Infected:(No malicious items detected)So i ran search and destroy and i found a couple things, and i deleted those.Now i am running the Dr Web, and it found some things, but it's going to be a while till it finishes... I will post it up when its done.Thanks again, and happy holidays Link to post Share on other sites More sharing options...
slyew Posted December 28, 2008 Author ID:42742 Share Posted December 28, 2008 HIJACK LOG:Logfile of Trend Micro HijackThis v2.0.2Scan saved at 8:49:01 PM, on 12/27/2008Platform: Windows XP SP2 (WinNT 5.01.2600)MSIE: Internet Explorer v7.00 (7.00.6000.16762)Boot mode: NormalRunning processes:C:\WINDOWS\System32\smss.exeC:\WINDOWS\system32\winlogon.exeC:\WINDOWS\system32\services.exeC:\WINDOWS\system32\lsass.exeC:\WINDOWS\system32\svchost.exeC:\WINDOWS\System32\svchost.exeC:\WINDOWS\system32\spoolsv.exeC:\Program Files\Bonjour\mDNSResponder.exeC:\WINDOWS\system32\cisvc.exeC:\Program Files\Java\jre6\bin\jqs.exeC:\WINDOWS\system32\IoctlSvc.exeC:\WINDOWS\system32\HPZipm12.exeC:\Program Files\Promise\WebPAM 2.0\jetty\extra\win32\wrapper.exeC:\WINDOWS\System32\svchost.exeC:\Program Files\Viewpoint\Common\ViewpointService.exeC:\Program Files\Promise\WebPAM 2.0\_jvm\bin\java.exeC:\WINDOWS\system32\userinit.exeC:\WINDOWS\Explorer.EXEC:\WINDOWS\system32\ctfmon.exeC:\Program Files\Java\jre6\bin\jusched.exeC:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exeC:\WINDOWS\System32\svchost.exeC:\WINDOWS\system32\wuauclt.exeC:\Program Files\Trend Micro\HijackThis\HijackThis.exeR0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blankR1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.localO2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dllO2 - BHO: Java Plug-In SSV Helper - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre6\bin\ssv.dllO2 - BHO: Java Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dllO2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dllO4 - HKLM\..\Run: [PtiuPbmd] Rundll32.exe ptipbm.dll,SetWriteBackO4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartupO4 - HKLM\..\Run: [sunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exeO4 - HKCU\..\Run: [Windows Live FolderShare] "C:\Documents and Settings\steve\Local Settings\Application Data\FolderShare\FolderShare.exe" /backgroundO4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exeO8 - Extra context menu item: Add to Google Photos Screensa&ver - res://C:\WINDOWS\system32\GPhotos.scr/200O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exeO9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exeO9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exeO9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exeO16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/windowsupd...b?1229938396765O16 - DPF: {843EE768-3A97-455C-9076-741BA3AD7B62} (QuickBooks Online Edition Utilities Class v10) - https://accounting.quickbooks.com/c2/v21.120/qboax10.cabO20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dllO23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exeO23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exeO23 - Service: getPlus® Helper - NOS Microsystems Ltd. - C:\Program Files\NOS\bin\getPlus_HelperSvc.exeO23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exeO23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exeO23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exeO23 - Service: NMIndexingService - Nero AG - C:\Program Files\Common Files\Nero\Lib\NMIndexingService.exeO23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exeO23 - Service: PLFlash DeviceIoControl Service - Prolific Technology Inc. - C:\WINDOWS\system32\IoctlSvc.exeO23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exeO23 - Service: Promise WebPAM (PromiseWebPAM) - Unknown owner - C:\Program Files\Promise\WebPAM 2.0\jetty\extra\win32\wrapper.exeO23 - Service: LiveShare P2P Server 9 (RoxLiveShare9) - Sonic Solutions - C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxLiveShare9.exeO23 - Service: Viewpoint Manager Service - Viewpoint Corporation - C:\Program Files\Viewpoint\Common\ViewpointService.exe--End of file - 5502 bytes Link to post Share on other sites More sharing options...
slyew Posted December 28, 2008 Author ID:42743 Share Posted December 28, 2008 DR WEB LOGuninst.exe;C:\Program Files\DAEMON Tools Lite;Archive contains infected objects;Moved.;data002\data001;C:\Program Files\DAEMON Tools Lite\uninst.exe\data002;Adware.Shopper;;data002\data002;C:\Program Files\DAEMON Tools Lite\uninst.exe\data002;Adware.SaveNow.128;;pldr7[1].htm;C:\Documents and Settings\NetworkService\Local Settings\Temporary Internet Files\Content.IE5\79I8NNMY;Trojan.Virtumod.1461;Deleted.;data002;C:\Program Files\DAEMON Tools Lite\uninst.exe;Archive contains infected objects;; Link to post Share on other sites More sharing options...
slyew Posted December 28, 2008 Author ID:42745 Share Posted December 28, 2008 Then i did another MBAM Scan:Malwarebytes' Anti-Malware 1.31Database version: 1556Windows 5.1.2600 Service Pack 212/27/2008 8:54:39 PMmbam-log-2008-12-27 (20-54-39).txtScan type: Quick ScanObjects scanned: 62717Time elapsed: 3 minute(s), 19 second(s)Memory Processes Infected: 0Memory Modules Infected: 0Registry Keys Infected: 1Registry Values Infected: 0Registry Data Items Infected: 0Folders Infected: 0Files Infected: 0Memory Processes Infected:(No malicious items detected)Memory Modules Infected:(No malicious items detected)Registry Keys Infected:HKEY_CLASSES_ROOT\CLSID\{ec43e3fd-5c60-46a6-97d7-e0b85dbdd6c4} (Trojan.BHO) -> Delete on reboot.Registry Values Infected:(No malicious items detected)Registry Data Items Infected:(No malicious items detected)Folders Infected:(No malicious items detected)Files Infected:(No malicious items detected)Is it time to just wipe my HD? Link to post Share on other sites More sharing options...
Root Admin AdvancedSetup Posted December 30, 2008 Root Admin ID:43431 Share Posted December 30, 2008 Please run REGEDIT and browse to this key: HKEY_CLASSES_ROOT\CLSID\{ec43e3fd-5c60-46a6-97d7-e0b85dbdd6c4}Then click on PERMISSIONS (you may need to boot into SAFE MODE if this is Windows XP Home Edition)Go to the OWNERSHIP tab and set the OWNER to an Administrator account and apply the changes.Then check PERMISSIONS again and make sure the Administrator account has FULL rights and try to delete that key.If you're not comfortable doing this let me know and I can provide more detailed instructions.Let me know how it goes. Link to post Share on other sites More sharing options...
slyew Posted December 31, 2008 Author ID:43637 Share Posted December 31, 2008 I tried both in regular and safe modes to delete this key and its Inprocserver32 subkey but It gives me the error "Cannot Delete Inprocserver32 error while deleting key" Link to post Share on other sites More sharing options...
Root Admin AdvancedSetup Posted January 4, 2009 Root Admin ID:44716 Share Posted January 4, 2009 Okay, sorry for the delay - if you still need help please run the following and post back.STEP01Run this file to repair file and registry permissionsfixacl.exeSTEP02Run this file after to remove an invalid startup entry. Double click and say Yes to import the settings.clearinit.regSTEP03Malwarebytes' Anti-MalwareStart MalwareBytes AntiMalware Update Malwarebytes' Anti-Malware Select the Update tabClick Update[*]When the update is complete, select the Scanner tab[*]Select Perform quick scan, then click Scan.[*]When the scan is complete, click OK, then Show Results to view the results.[*]Be sure that everything is checked, and click Remove Selected.[*]When completed, a log will open in Notepad. please copy and paste the log into your next reply If you accidently close it, the log file is saved here and will be named like this:C:\Documents and Settings\Username\Application Data\Malwarebytes\Malwarebytes' Anti-Malware\Logs\mbam-log-date (time).txtThe RESTART the computer again and AFTER the restart run HJT Scan and Save log and post back all NEW logs. Link to post Share on other sites More sharing options...
slyew Posted January 6, 2009 Author ID:45233 Share Posted January 6, 2009 hello, thanks again...MBAM logs (still infected (!))Malwarebytes' Anti-Malware 1.32Database version: 1621Windows 5.1.2600 Service Pack 31/5/2009 7:41:27 PMmbam-log-2009-01-05 (19-41-27).txtScan type: Quick ScanObjects scanned: 65399Time elapsed: 1 minute(s), 59 second(s)Memory Processes Infected: 0Memory Modules Infected: 0Registry Keys Infected: 1Registry Values Infected: 0Registry Data Items Infected: 0Folders Infected: 0Files Infected: 0Memory Processes Infected:(No malicious items detected)Memory Modules Infected:(No malicious items detected)Registry Keys Infected:HKEY_CLASSES_ROOT\CLSID\{ec43e3fd-5c60-46a6-97d7-e0b85dbdd6c4} (Trojan.BHO) -> Quarantined and deleted successfully.Registry Values Infected:(No malicious items detected)Registry Data Items Infected:(No malicious items detected)Folders Infected:(No malicious items detected)Files Infected:(No malicious items detected)HJT LOGLogfile of Trend Micro HijackThis v2.0.2Scan saved at 7:45:53 PM, on 1/5/2009Platform: Windows XP SP3 (WinNT 5.01.2600)MSIE: Internet Explorer v7.00 (7.00.6000.16762)Boot mode: NormalRunning processes:C:\WINDOWS\System32\smss.exeC:\WINDOWS\system32\winlogon.exeC:\WINDOWS\system32\services.exeC:\WINDOWS\system32\lsass.exeC:\WINDOWS\system32\svchost.exeC:\WINDOWS\System32\svchost.exeC:\WINDOWS\system32\spoolsv.exeC:\Program Files\Bonjour\mDNSResponder.exeC:\WINDOWS\system32\cisvc.exeC:\Program Files\Java\jre6\bin\jqs.exeC:\WINDOWS\system32\IoctlSvc.exeC:\WINDOWS\system32\HPZipm12.exeC:\Program Files\Promise\WebPAM 2.0\jetty\extra\win32\wrapper.exeC:\WINDOWS\System32\svchost.exeC:\Program Files\Viewpoint\Common\ViewpointService.exeC:\Program Files\Promise\WebPAM 2.0\_jvm\bin\java.exeC:\WINDOWS\Explorer.EXEC:\WINDOWS\system32\ctfmon.exeC:\Program Files\Java\jre6\bin\jusched.exeC:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exeC:\WINDOWS\System32\svchost.exeC:\WINDOWS\system32\wuauclt.exeC:\Program Files\Malwarebytes' Anti-Malware\mbam.exeC:\Program Files\Mozilla Firefox3\firefox.exeC:\Program Files\Trend Micro\HijackThis\HijackThis.exeR0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blankR1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.localO2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dllO2 - BHO: Java Plug-In SSV Helper - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre6\bin\ssv.dllO2 - BHO: Java Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dllO2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dllO4 - HKLM\..\Run: [PtiuPbmd] Rundll32.exe ptipbm.dll,SetWriteBackO4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartupO4 - HKLM\..\Run: [sunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exeO4 - HKCU\..\Run: [Windows Live FolderShare] "C:\Documents and Settings\steve\Local Settings\Application Data\FolderShare\FolderShare.exe" /backgroundO4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exeO8 - Extra context menu item: Add to Google Photos Screensa&ver - res://C:\WINDOWS\system32\GPhotos.scr/200O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exeO9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exeO9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exeO9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exeO16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/windowsupd...b?1229938396765O16 - DPF: {843EE768-3A97-455C-9076-741BA3AD7B62} (QuickBooks Online Edition Utilities Class v10) - https://accounting.quickbooks.com/c2/v21.120/qboax10.cabO20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dllO23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exeO23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exeO23 - Service: getPlus® Helper - NOS Microsystems Ltd. - C:\Program Files\NOS\bin\getPlus_HelperSvc.exeO23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exeO23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exeO23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exeO23 - Service: NMIndexingService - Nero AG - C:\Program Files\Common Files\Nero\Lib\NMIndexingService.exeO23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exeO23 - Service: PLFlash DeviceIoControl Service - Prolific Technology Inc. - C:\WINDOWS\system32\IoctlSvc.exeO23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exeO23 - Service: Promise WebPAM (PromiseWebPAM) - Unknown owner - C:\Program Files\Promise\WebPAM 2.0\jetty\extra\win32\wrapper.exeO23 - Service: LiveShare P2P Server 9 (RoxLiveShare9) - Sonic Solutions - C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxLiveShare9.exeO23 - Service: Viewpoint Manager Service - Viewpoint Corporation - C:\Program Files\Viewpoint\Common\ViewpointService.exe--End of file - 5567 bytes Link to post Share on other sites More sharing options...
Recommended Posts