Jump to content

Recommended Posts

Here is my Malwarebytes log:

Malwarebytes' Anti-Malware 1.31

Database version: 1456

Windows 5.1.2600 Service Pack 2

12/16/2008 10:21:16 AM

mbam-log-2008-12-16 (10-21-16).txt

Scan type: Full Scan (C:\|D:\|R:\|)

Objects scanned: 232080

Time elapsed: 45 minute(s), 46 second(s)

Memory Processes Infected: 0

Memory Modules Infected: 0

Registry Keys Infected: 5

Registry Values Infected: 1

Registry Data Items Infected: 0

Folders Infected: 0

Files Infected: 0

Memory Processes Infected:

(No malicious items detected)

Memory Modules Infected:

(No malicious items detected)

Registry Keys Infected:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{a6fe5d7e-17c5-462f-9d5a-9cf2ebaf1c0a} (Trojan.Vundo.H) -> Quarantined and deleted successfully.

HKEY_CLASSES_ROOT\CLSID\{a6fe5d7e-17c5-462f-9d5a-9cf2ebaf1c0a} (Trojan.Vundo.H) -> Quarantined and deleted successfully.

HKEY_CLASSES_ROOT\CLSID\{ec43e3fd-5c60-46a6-97d7-e0b85dbdd6c4} (Trojan.BHO) -> Delete on reboot.

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\contim (Trojan.Vundo) -> Quarantined and deleted successfully.

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\rdfa (Trojan.Vundo) -> Quarantined and deleted successfully.

Registry Values Infected:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\zoyobukeno (Trojan.Vundo.H) -> Quarantined and deleted successfully.

Registry Data Items Infected:

(No malicious items detected)

Folders Infected:

(No malicious items detected)

Files Infected:

(No malicious items detected)

*********************

My Hijack this log:

Logfile of Trend Micro HijackThis v2.0.2

Scan saved at 9:43:59 PM, on 12/16/2008

Platform: Windows XP SP2 (WinNT 5.01.2600)

MSIE: Internet Explorer v7.00 (7.00.6000.16705)

Boot mode: Normal

Running processes:

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\system32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\system32\spoolsv.exe

C:\Program Files\Bonjour\mDNSResponder.exe

C:\WINDOWS\system32\cisvc.exe

C:\WINDOWS\system32\IoctlSvc.exe

C:\WINDOWS\system32\HPZipm12.exe

C:\Program Files\Promise\WebPAM 2.0\jetty\extra\win32\wrapper.exe

C:\WINDOWS\Explorer.EXE

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\system32\ctfmon.exe

C:\Program Files\Viewpoint\Common\ViewpointService.exe

C:\Program Files\Promise\WebPAM 2.0\_jvm\bin\java.exe

C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe

C:\WINDOWS\System32\svchost.exe

C:\Program Files\Mozilla Firefox\firefox.exe

C:\WINDOWS\system32\rundll32.exe

C:\Program Files\Malwarebytes' Anti-Malware\mbam.exe

C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157

R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local

O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll

O2 - BHO: ContributeBHO Class - {074C1DC5-9320-4A9A-947D-C042949C6216} - C:\Program Files\Adobe\/Adobe Contribute CS3/contributeieplugin.dll

O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll

O2 - BHO: (no name) - {a6fe5d7e-17c5-462f-9d5a-9cf2ebaf1c0a} - C:\WINDOWS\system32\gelarijo.dll

O3 - Toolbar: Contribute Toolbar - {517BDDE4-E3A7-4570-B21E-2B52B6139FC7} - C:\Program Files\Adobe\/Adobe Contribute CS3/contributeieplugin.dll

O3 - Toolbar: &Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll

O4 - HKLM\..\Run: [PtiuPbmd] Rundll32.exe ptipbm.dll,SetWriteBack

O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup

O4 - HKLM\..\Run: [MSConfig] C:\WINDOWS\PCHealth\HelpCtr\Binaries\MSConfig.exe /auto

O4 - HKLM\..\Run: [7cbe8ec6] rundll32.exe "C:\WINDOWS\system32\vivuyayo.dll",b

O4 - HKLM\..\Run: [zoyobukeno] Rundll32.exe "C:\WINDOWS\system32\yujukumi.dll",s

O4 - HKLM\..\Run: [CPM7f8dbd5a] Rundll32.exe "C:\WINDOWS\system32\deyagehu.dll",a

O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe

O4 - HKCU\..\Run: [Windows Live FolderShare] "C:\Documents and Settings\steve\Local Settings\Application Data\FolderShare\FolderShare.exe" /background

O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe

O8 - Extra context menu item: Add to Google Photos Screensa&ver - res://C:\WINDOWS\system32\GPhotos.scr/200

O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll

O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll

O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe

O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe

O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe

O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe

O16 - DPF: {843EE768-3A97-455C-9076-741BA3AD7B62} (QuickBooks Online Edition Utilities Class v10) - https://accounting.quickbooks.com/c2/v21.120/qboax10.cab

O20 - AppInit_DLLs: c:\windows\system32\pinowoda.dll C:\WINDOWS\system32\gikosiha.dll C:\WINDOWS\system32\memezori.dll c:\windows\system32\deyagehu.dll

O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll

O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe

O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe

O23 - Service: getPlus® Helper - NOS Microsystems Ltd. - C:\Program Files\NOS\bin\getPlus_HelperSvc.exe

O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe

O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe

O23 - Service: NMIndexingService - Nero AG - C:\Program Files\Common Files\Nero\Lib\NMIndexingService.exe

O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe

O23 - Service: PLFlash DeviceIoControl Service - Prolific Technology Inc. - C:\WINDOWS\system32\IoctlSvc.exe

O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe

O23 - Service: Promise WebPAM (PromiseWebPAM) - Unknown owner - C:\Program Files\Promise\WebPAM 2.0\jetty\extra\win32\wrapper.exe

O23 - Service: LiveShare P2P Server 9 (RoxLiveShare9) - Sonic Solutions - C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxLiveShare9.exe

O23 - Service: Viewpoint Manager Service - Viewpoint Corporation - C:\Program Files\Viewpoint\Common\ViewpointService.exe

--

End of file - 6079 bytes

In advance, thanks guys/gals. Also, Ive been trying to do some research on the virus, but can you tell me the threat level of this one? Ive heard rumors of recording keystrokes, but not really sure...

Steve

Link to post
Share on other sites

New scan:

Malwarebytes' Anti-Malware 1.31

Database version: 1512

Windows 5.1.2600 Service Pack 2

12/17/2008 8:45:01 PM

mbam-log-2008-12-17 (20-45-01).txt

Scan type: Quick Scan

Objects scanned: 72582

Time elapsed: 5 minute(s), 20 second(s)

Memory Processes Infected: 0

Memory Modules Infected: 6

Registry Keys Infected: 6

Registry Values Infected: 2

Registry Data Items Infected: 5

Folders Infected: 0

Files Infected: 12

Memory Processes Infected:

(No malicious items detected)

Memory Modules Infected:

C:\WINDOWS\system32\memezori.dll (Trojan.Vundo.H) -> Delete on reboot.

C:\WINDOWS\system32\noweripe.dll (Trojan.Vundo.H) -> Delete on reboot.

C:\WINDOWS\system32\viyezoya.dll (Trojan.Vundo.H) -> Delete on reboot.

C:\WINDOWS\system32\yujukumi.dll (Trojan.Vundo.H) -> Delete on reboot.

C:\WINDOWS\system32\gelarijo.dll (Trojan.Vundo.H) -> Delete on reboot.

c:\WINDOWS\system32\deyagehu.dll (Trojan.Vundo) -> Delete on reboot.

Registry Keys Infected:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{a6fe5d7e-17c5-462f-9d5a-9cf2ebaf1c0a} (Trojan.Vundo.H) -> Quarantined and deleted successfully.

HKEY_CLASSES_ROOT\CLSID\{a6fe5d7e-17c5-462f-9d5a-9cf2ebaf1c0a} (Trojan.Vundo.H) -> Quarantined and deleted successfully.

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{a6fe5d7e-17c5-462f-9d5a-9cf2ebaf1c0a} (Trojan.Vundo.H) -> Quarantined and deleted successfully.

HKEY_CLASSES_ROOT\CLSID\{ec43e3fd-5c60-46a6-97d7-e0b85dbdd6c4} (Trojan.BHO) -> Delete on reboot.

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\contim (Trojan.Vundo) -> Quarantined and deleted successfully.

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\rdfa (Trojan.Vundo) -> Quarantined and deleted successfully.

Registry Values Infected:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\7cbe8ec6 (Trojan.Vundo.H) -> Quarantined and deleted successfully.

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\zoyobukeno (Trojan.Vundo.H) -> Quarantined and deleted successfully.

Registry Data Items Infected:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\AppInit_DLLs (Trojan.Vundo.H) -> Data: c:\windows\system32\memezori.dll -> Quarantined and deleted successfully.

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\LSA\Notification Packages (Trojan.Vundo.H) -> Data: c:\windows\system32\memezori.dll -> Quarantined and deleted successfully.

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\AppInit_DLLs (Trojan.Vundo.H) -> Data: system32\memezori.dll -> Quarantined and deleted successfully.

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\AppInit_DLLs (Trojan.Vundo.H) -> Data: c:\windows\system32\viyezoya.dll -> Quarantined and deleted successfully.

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\AppInit_DLLs (Trojan.Vundo.H) -> Data: system32\viyezoya.dll -> Quarantined and deleted successfully.

Folders Infected:

(No malicious items detected)

Files Infected:

C:\WINDOWS\system32\noweripe.dll (Trojan.Vundo.H) -> Delete on reboot.

C:\WINDOWS\system32\epirewon.ini (Trojan.Vundo.H) -> Quarantined and deleted successfully.

C:\WINDOWS\system32\vivuyayo.dll (Trojan.Vundo.H) -> Quarantined and deleted successfully.

C:\WINDOWS\system32\oyayuviv.ini (Trojan.Vundo.H) -> Quarantined and deleted successfully.

C:\WINDOWS\system32\yujukumi.dll (Trojan.Vundo.H) -> Delete on reboot.

C:\WINDOWS\system32\viyezoya.dll (Trojan.Vundo.H) -> Delete on reboot.

C:\WINDOWS\system32\gelarijo.dll (Trojan.Vundo.H) -> Delete on reboot.

C:\WINDOWS\system32\memezori.dll (Trojan.Vundo.H) -> Delete on reboot.

C:\WINDOWS\system32\rofulato.dll (Trojan.Vundo) -> Quarantined and deleted successfully.

C:\WINDOWS\system32\kozezupo.dll (Trojan.Vundo.H) -> Quarantined and deleted successfully.

C:\WINDOWS\system32\iiffEwxw.dll (Trojan.Vundo) -> Quarantined and deleted successfully.

C:\WINDOWS\system32\deyagehu.dll (Trojan.Vundo) -> Delete on reboot.

*** HIJACK LOG

Logfile of Trend Micro HijackThis v2.0.2

Scan saved at 8:46:11 PM, on 12/17/2008

Platform: Windows XP SP2 (WinNT 5.01.2600)

MSIE: Internet Explorer v7.00 (7.00.6000.16705)

Boot mode: Normal

Running processes:

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\system32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\system32\spoolsv.exe

C:\Program Files\Bonjour\mDNSResponder.exe

C:\WINDOWS\system32\cisvc.exe

C:\WINDOWS\system32\IoctlSvc.exe

C:\WINDOWS\system32\HPZipm12.exe

C:\Program Files\Promise\WebPAM 2.0\jetty\extra\win32\wrapper.exe

C:\WINDOWS\System32\svchost.exe

C:\Program Files\Viewpoint\Common\ViewpointService.exe

C:\Program Files\Promise\WebPAM 2.0\_jvm\bin\java.exe

C:\WINDOWS\Explorer.EXE

C:\WINDOWS\system32\ctfmon.exe

C:\WINDOWS\system32\rundll32.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\system32\cidaemon.exe

C:\Program Files\Mozilla Firefox\firefox.exe

C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157

R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local

O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll

O2 - BHO: ContributeBHO Class - {074C1DC5-9320-4A9A-947D-C042949C6216} - C:\Program Files\Adobe\/Adobe Contribute CS3/contributeieplugin.dll

O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll

O2 - BHO: (no name) - {a6fe5d7e-17c5-462f-9d5a-9cf2ebaf1c0a} - C:\WINDOWS\system32\gelarijo.dll

O3 - Toolbar: Contribute Toolbar - {517BDDE4-E3A7-4570-B21E-2B52B6139FC7} - C:\Program Files\Adobe\/Adobe Contribute CS3/contributeieplugin.dll

O3 - Toolbar: &Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll

O4 - HKLM\..\Run: [PtiuPbmd] Rundll32.exe ptipbm.dll,SetWriteBack

O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup

O4 - HKLM\..\Run: [MSConfig] C:\WINDOWS\PCHealth\HelpCtr\Binaries\MSConfig.exe /auto

O4 - HKLM\..\Run: [CPM7f8dbd5a] Rundll32.exe "c:\windows\system32\viyezoya.dll",a

O4 - HKLM\..\Run: [zoyobukeno] Rundll32.exe "C:\WINDOWS\system32\yujukumi.dll",s

O4 - HKLM\..\RunOnce: [Malwarebytes Anti-Malware (reboot)] "C:\Program Files\Malwarebytes' Anti-Malware\mbam.exe" /runcleanupscript

O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe

O4 - HKCU\..\Run: [Windows Live FolderShare] "C:\Documents and Settings\steve\Local Settings\Application Data\FolderShare\FolderShare.exe" /background

O4 - HKUS\S-1-5-19\..\Run: [zoyobukeno] Rundll32.exe "C:\WINDOWS\system32\yujukumi.dll",s (User 'LOCAL SERVICE')

O4 - HKUS\S-1-5-20\..\Run: [zoyobukeno] Rundll32.exe "C:\WINDOWS\system32\yujukumi.dll",s (User 'NETWORK SERVICE')

O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe

O8 - Extra context menu item: Add to Google Photos Screensa&ver - res://C:\WINDOWS\system32\GPhotos.scr/200

O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll

O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll

O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe

O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe

O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe

O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe

O16 - DPF: {843EE768-3A97-455C-9076-741BA3AD7B62} (QuickBooks Online Edition Utilities Class v10) - https://accounting.quickbooks.com/c2/v21.120/qboax10.cab

O20 - AppInit_DLLs: c:\windows\system32\pinowoda.dll C:\WINDOWS\system32\gikosiha.dll c:\windows\system32\viyezoya.dll,C:\WINDOWS\system32\memezori.dll

O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll

O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe

O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe

O23 - Service: getPlus® Helper - NOS Microsystems Ltd. - C:\Program Files\NOS\bin\getPlus_HelperSvc.exe

O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe

O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe

O23 - Service: NMIndexingService - Nero AG - C:\Program Files\Common Files\Nero\Lib\NMIndexingService.exe

O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe

O23 - Service: PLFlash DeviceIoControl Service - Prolific Technology Inc. - C:\WINDOWS\system32\IoctlSvc.exe

O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe

O23 - Service: Promise WebPAM (PromiseWebPAM) - Unknown owner - C:\Program Files\Promise\WebPAM 2.0\jetty\extra\win32\wrapper.exe

O23 - Service: LiveShare P2P Server 9 (RoxLiveShare9) - Sonic Solutions - C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxLiveShare9.exe

O23 - Service: Viewpoint Manager Service - Viewpoint Corporation - C:\Program Files\Viewpoint\Common\ViewpointService.exe

--

End of file - 6287 bytes

Thanks again.

Link to post
Share on other sites

  • Root Admin

STEP 01

Reconfigure Windows XP to show hidden files:

To enable the viewing of Hidden files follow these steps:

* Close all programs so that you are at your desktop.

* Double-click on the My Computer icon.

* Select the Tools menu and click Folder Options.

* After the new window appears select the View tab.

* Put a checkmark in the checkbox labeled Display the contents of system folders.

* Under the Hidden files and folders section select the radio button labeled Show hidden files and folders.

* Remove the checkmark from the checkbox labeled Hide file extensions for known file types.

* Remove the checkmark from the checkbox labeled Hide protected operating system files.

* Press the Apply button and then the OK button and exit My Computer.

* Now your computer is configured to show all hidden files.

STEP 02

Start HJT and do a Scan only and put a check mark on the following items

O20 - AppInit_DLLs: c:\windows\system32\pinowoda.dll C:\WINDOWS\system32\gikosiha.dll c:\windows\system32\viyezoya.dll,C:\WINDOWS\system32\memezori.dll

Then click on
"Fix checked"

STEP 03

Upload the following files to the site for review.

Go here
uploads.malwarebytes.org
and browse and upload the following files if found.
  • C:\WINDOWS\system32\gikosiha.dll

  • c:\windows\system32\pinowoda.dll

  • c:\windows\system32\viyezoya.dll

  • C:\WINDOWS\system32\memezori.dll

STEP 04

Start MBAM and go to the UPDATE tab and update the program and do a
Quick Scan
and fix anything found and reboot the computer.

STEP 05

Start HJT and do a Scan and save log

STEP 06

Post back the MBAM and HJT logs
Link to post
Share on other sites

Weird.. those files you told me to upload were no longer on my computer. But instead I found the following, which were created at around the times that I started having problems. I haven;t done anyhting else to my computer since posting my logs, so i dont know what happened. I uploaded from my win32 folder:

sosazeri.dll.tmp

harupeza.dll.tmp

bekubonu.dll

molarulu.dll.tmp

menoyayo.dll.tmp

lakupija.dll.tmp

HIJACK LOG:

Logfile of Trend Micro HijackThis v2.0.2

Scan saved at 1:24:22 AM, on 12/22/2008

Platform: Windows XP SP2 (WinNT 5.01.2600)

MSIE: Internet Explorer v7.00 (7.00.6000.16705)

Boot mode: Normal

Running processes:

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\system32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\system32\spoolsv.exe

C:\Program Files\Bonjour\mDNSResponder.exe

C:\WINDOWS\system32\cisvc.exe

C:\WINDOWS\system32\IoctlSvc.exe

C:\WINDOWS\system32\HPZipm12.exe

C:\Program Files\Promise\WebPAM 2.0\jetty\extra\win32\wrapper.exe

C:\WINDOWS\System32\svchost.exe

C:\Program Files\Viewpoint\Common\ViewpointService.exe

C:\Program Files\Promise\WebPAM 2.0\_jvm\bin\java.exe

C:\WINDOWS\Explorer.EXE

C:\WINDOWS\system32\ctfmon.exe

C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe

C:\WINDOWS\System32\svchost.exe

C:\Program Files\Mozilla Firefox3\firefox.exe

C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157

R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local

O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll

O2 - BHO: ContributeBHO Class - {074C1DC5-9320-4A9A-947D-C042949C6216} - C:\Program Files\Adobe\/Adobe Contribute CS3/contributeieplugin.dll

O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll

O3 - Toolbar: Contribute Toolbar - {517BDDE4-E3A7-4570-B21E-2B52B6139FC7} - C:\Program Files\Adobe\/Adobe Contribute CS3/contributeieplugin.dll

O3 - Toolbar: &Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll

O4 - HKLM\..\Run: [PtiuPbmd] Rundll32.exe ptipbm.dll,SetWriteBack

O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup

O4 - HKLM\..\Run: [MSConfig] C:\WINDOWS\PCHealth\HelpCtr\Binaries\MSConfig.exe /auto

O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe

O4 - HKCU\..\Run: [Windows Live FolderShare] "C:\Documents and Settings\steve\Local Settings\Application Data\FolderShare\FolderShare.exe" /background

O4 - HKUS\S-1-5-19\..\Run: [zoyobukeno] Rundll32.exe "C:\WINDOWS\system32\yujukumi.dll",s (User 'LOCAL SERVICE')

O4 - HKUS\S-1-5-20\..\Run: [zoyobukeno] Rundll32.exe "C:\WINDOWS\system32\yujukumi.dll",s (User 'NETWORK SERVICE')

O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe

O8 - Extra context menu item: Add to Google Photos Screensa&ver - res://C:\WINDOWS\system32\GPhotos.scr/200

O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll

O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll

O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe

O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe

O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe

O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe

O16 - DPF: {843EE768-3A97-455C-9076-741BA3AD7B62} (QuickBooks Online Edition Utilities Class v10) - https://accounting.quickbooks.com/c2/v21.120/qboax10.cab

O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll

O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe

O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe

O23 - Service: getPlus® Helper - NOS Microsystems Ltd. - C:\Program Files\NOS\bin\getPlus_HelperSvc.exe

O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe

O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe

O23 - Service: NMIndexingService - Nero AG - C:\Program Files\Common Files\Nero\Lib\NMIndexingService.exe

O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe

O23 - Service: PLFlash DeviceIoControl Service - Prolific Technology Inc. - C:\WINDOWS\system32\IoctlSvc.exe

O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe

O23 - Service: Promise WebPAM (PromiseWebPAM) - Unknown owner - C:\Program Files\Promise\WebPAM 2.0\jetty\extra\win32\wrapper.exe

O23 - Service: LiveShare P2P Server 9 (RoxLiveShare9) - Sonic Solutions - C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxLiveShare9.exe

O23 - Service: Viewpoint Manager Service - Viewpoint Corporation - C:\Program Files\Viewpoint\Common\ViewpointService.exe

--

End of file - 5727 bytes

MBAM LOG:

Malwarebytes' Anti-Malware 1.31

Database version: 1531

Windows 5.1.2600 Service Pack 2

12/22/2008 1:19:21 AM

mbam-log-2008-12-22 (01-19-21).txt

Scan type: Quick Scan

Objects scanned: 72734

Time elapsed: 5 minute(s), 58 second(s)

Memory Processes Infected: 0

Memory Modules Infected: 0

Registry Keys Infected: 1

Registry Values Infected: 0

Registry Data Items Infected: 0

Folders Infected: 0

Files Infected: 0

Memory Processes Infected:

(No malicious items detected)

Memory Modules Infected:

(No malicious items detected)

Registry Keys Infected:

HKEY_CLASSES_ROOT\CLSID\{ec43e3fd-5c60-46a6-97d7-e0b85dbdd6c4} (Trojan.BHO) -> Delete on reboot.

Registry Values Infected:

(No malicious items detected)

Registry Data Items Infected:

(No malicious items detected)

Folders Infected:

(No malicious items detected)

Files Infected:

(No malicious items detected)

****************

Thanks again...

Link to post
Share on other sites

  • Root Admin

Start HJT and do a Scan only and put a check mark on the following items

O4 - HKUS\S-1-5-19\..\Run: [zoyobukeno] Rundll32.exe "C:\WINDOWS\system32\yujukumi.dll",s (User 'LOCAL SERVICE')

O4 - HKUS\S-1-5-20\..\Run: [zoyobukeno] Rundll32.exe "C:\WINDOWS\system32\yujukumi.dll",s (User 'NETWORK SERVICE')

Then click on
"Fix checked"

Quit all open browsers (including the one you're reading this with now) and programs.

Then open My Computer and browse to and delete these files (let me know if they will not delete)

from here C:\WINDOWS\SYSTEM32

sosazeri.dll.tmp

harupeza.dll.tmp

bekubonu.dll

molarulu.dll.tmp

menoyayo.dll.tmp

lakupija.dll.tmp

yujukumi.dll

Start MBAM, update it and do another Quick Scan and fix anything found and reboot the Computer

After the restart run HJT and do a Scan and save log then post back both logs and let me know how the system is running.

Link to post
Share on other sites

mbam logs

Malwarebytes' Anti-Malware 1.31

Database version: 1531

Windows 5.1.2600 Service Pack 2

12/22/2008 11:12:56 PM

mbam-log-2008-12-22 (23-12-56).txt

Scan type: Quick Scan

Objects scanned: 72905

Time elapsed: 15 minute(s), 1 second(s)

Memory Processes Infected: 0

Memory Modules Infected: 0

Registry Keys Infected: 1

Registry Values Infected: 0

Registry Data Items Infected: 0

Folders Infected: 0

Files Infected: 0

Memory Processes Infected:

(No malicious items detected)

Memory Modules Infected:

(No malicious items detected)

Registry Keys Infected:

HKEY_CLASSES_ROOT\CLSID\{ec43e3fd-5c60-46a6-97d7-e0b85dbdd6c4} (Trojan.BHO) -> Delete on reboot.

Registry Values Infected:

(No malicious items detected)

Registry Data Items Infected:

(No malicious items detected)

Folders Infected:

(No malicious items detected)

Files Infected:

(No malicious items detected)

***********

hijack logs

Logfile of Trend Micro HijackThis v2.0.2

Scan saved at 11:18:20 PM, on 12/22/2008

Platform: Windows XP SP2 (WinNT 5.01.2600)

MSIE: Internet Explorer v7.00 (7.00.6000.16705)

Boot mode: Normal

Running processes:

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\system32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\system32\spoolsv.exe

C:\Program Files\Bonjour\mDNSResponder.exe

C:\WINDOWS\system32\cisvc.exe

C:\WINDOWS\system32\IoctlSvc.exe

C:\WINDOWS\system32\HPZipm12.exe

C:\Program Files\Promise\WebPAM 2.0\jetty\extra\win32\wrapper.exe

C:\WINDOWS\System32\svchost.exe

C:\Program Files\Viewpoint\Common\ViewpointService.exe

C:\Program Files\Promise\WebPAM 2.0\_jvm\bin\java.exe

C:\WINDOWS\Explorer.EXE

C:\WINDOWS\system32\ctfmon.exe

C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\system32\wuauclt.exe

C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe

C:\Program Files\Mozilla Firefox3\firefox.exe

C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157

R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local

O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll

O2 - BHO: ContributeBHO Class - {074C1DC5-9320-4A9A-947D-C042949C6216} - C:\Program Files\Adobe\/Adobe Contribute CS3/contributeieplugin.dll

O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll

O3 - Toolbar: Contribute Toolbar - {517BDDE4-E3A7-4570-B21E-2B52B6139FC7} - C:\Program Files\Adobe\/Adobe Contribute CS3/contributeieplugin.dll

O3 - Toolbar: &Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll

O4 - HKLM\..\Run: [PtiuPbmd] Rundll32.exe ptipbm.dll,SetWriteBack

O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup

O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe

O4 - HKCU\..\Run: [Windows Live FolderShare] "C:\Documents and Settings\steve\Local Settings\Application Data\FolderShare\FolderShare.exe" /background

O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe

O8 - Extra context menu item: Add to Google Photos Screensa&ver - res://C:\WINDOWS\system32\GPhotos.scr/200

O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll

O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll

O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe

O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe

O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe

O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe

O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/windowsupd...b?1229938396765

O16 - DPF: {843EE768-3A97-455C-9076-741BA3AD7B62} (QuickBooks Online Edition Utilities Class v10) - https://accounting.quickbooks.com/c2/v21.120/qboax10.cab

O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll

O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe

O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe

O23 - Service: getPlus® Helper - NOS Microsystems Ltd. - C:\Program Files\NOS\bin\getPlus_HelperSvc.exe

O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe

O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe

O23 - Service: NMIndexingService - Nero AG - C:\Program Files\Common Files\Nero\Lib\NMIndexingService.exe

O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe

O23 - Service: PLFlash DeviceIoControl Service - Prolific Technology Inc. - C:\WINDOWS\system32\IoctlSvc.exe

O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe

O23 - Service: Promise WebPAM (PromiseWebPAM) - Unknown owner - C:\Program Files\Promise\WebPAM 2.0\jetty\extra\win32\wrapper.exe

O23 - Service: LiveShare P2P Server 9 (RoxLiveShare9) - Sonic Solutions - C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxLiveShare9.exe

O23 - Service: Viewpoint Manager Service - Viewpoint Corporation - C:\Program Files\Viewpoint\Common\ViewpointService.exe

--

End of file - 5714 bytes

the system seems to be ok, but this is all im doing on here until i get the all clear.

thanks again...

also do you know if this was just a stupid virus, or if it logged keystrokes, etc???

Link to post
Share on other sites

  • Root Admin

Here are more details on Vundo Vundo From Wikipedia

Please run the following so that we can help track down and verify if your system is clean or not.

    Download and install CCleaner
  • CCleaner


  • Double-click on the downloaded file "ccsetup215.exe" and install the application.

  • Keep the default installation folder "C:\Program Files\CCleaner"

  • Uncheck "Add CCleaner Yahoo! Toolbar and use CCleaner from your browser"

  • Click finish when done and close
    ALL PROGRAMS

  • Start the
    CCleaner
    program.

  • Click on
    Registry
    and
    Uncheck
    Registry Integrity so that it does not run

  • Click on
    Options
    -
    Advanced
    and
    Uncheck
    "Only delete files in Windows Temp folders older than 48 hours"

  • Click back to
    Cleaner
    and click on the
    Run Cleaner
    button on the bottom right side of the program.

  • Click OK to any prompts


Important!

All of the following instructions must be run on the affected computer. Logs from a different computer will not help me help you. So, if you need to download all of this and then copy it to CD or memory stick and take it to the other computer, please do so. Either way, it's important. The logs have to be made by the computer with the problem.

I also need for you to download this program
OTListIt2.exe
to your desktop.
  • Close all applications and windows so that you have nothing open and are at your Desktop

  • Double-click on the OTListIt.exe file to start OTListIt. OK any warning about running OTListIt.

  • Place a checkmark in the
    "Scan All Users"
    checkbox (Leave the 'Use Whitelist' checked' and the 'File Age:' at 30 days)

  • Click the Run Scan button

  • NOTE:
    Please be patient and let the scan run without using the computer

  • When the scan is complete, a text file (
    OTListIt.Txt
    ) will open in Notepad (if not, it can be found on your Desktop)

  • In Notepad, click
    Edit
    ,
    Select all
    then
    Edit
    ,
    Copy

  • Reply to this topic, click in the topic reply window, and press Ctrl+V to paste the log or Righ click paste.

  • Submit your reply and close the Notepad window with
    OTList.txt

  • Also OTListIt's
    Extras.txt
    log file will be minimized in the Taskbar (and located on your Desktop) - click on this and maximize the window

  • In Notepad, click
    Edit
    ,
    Select all
    then
    Edit
    ,
    Copy

  • Reply to this topic again, click in the topic reply window, and press Ctrl+V to paste the extras log or Right click paste.

  • NOTE:
    If the files (
    OTListIt.txt, Extras.txt
    ) do not appear in your taskbar, just open the files in notepad from your desktop.


Please allow me time to analyze your post. If you don't see a reply from me after 24 hours, feel free to PM me.

Link to post
Share on other sites

OTListIt.txt file:

OTListIt logfile created on: 12/23/2008 7:20:33 PM - Run

OTListIt2 by OldTimer - Version 1.0.1.0 Folder = C:\Documents and Settings\steve\Desktop

Windows XP Professional Edition Service Pack 2 (Version = 5.1.2600) - Type = NTWorkstation

Internet Explorer (Version = 7.0.5730.13)

Locale: 00000409 | Country: United States | Language: ENU | Date Format: M/d/yyyy

2.00 Gb Total Physical Memory | 1.62 Gb Available Physical Memory | 80.81% Memory free

4.00 Gb Paging File | 4.00 Gb Available in Paging File | 100.00% Paging File free

Paging file location(s): C:\pagefile.sys 2046 4092;D:\pagefile.sys 2046 4096;

%SystemDrive% = C: | %SystemRoot% = C:\WINDOWS | %ProgramFiles% = C:\Program Files

Drive C: | 34.46 Gb Total Space | 11.91 Gb Free Space | 34.55% Space Free | Partition Type: NTFS

Drive D: | 34.47 Gb Total Space | 23.92 Gb Free Space | 69.39% Space Free | Partition Type: NTFS

E: Drive not present or media not loaded

F: Drive not present or media not loaded

G: Drive not present or media not loaded

H: Drive not present or media not loaded

I: Drive not present or media not loaded

Drive R: | 931.32 Gb Total Space | 830.85 Gb Free Space | 89.21% Space Free | Partition Type: NTFS

Computer Name: STEVE

Current User Name: steve

Logged in as Administrator.

Current Boot Mode: Normal

Scan Mode: All users

Output = Standard

File Age = 30 Days

Company Name Whitelist: On

========== Processes (SafeList) ==========

[2007/07/24 14:17:08 | 00,229,376 | ---- | M] (Apple Inc.) -- C:\Program Files\Bonjour\mDNSResponder.exe

[2006/12/19 09:30:26 | 00,081,920 | ---- | M] (Prolific Technology Inc.) -- C:\WINDOWS\system32\IoctlSvc.exe

[2003/09/28 17:30:08 | 00,110,592 | ---- | M] () -- C:\Program Files\Promise\WebPAM 2.0\jetty\extra\win32\Wrapper.exe

[2007/01/04 13:38:08 | 00,024,652 | ---- | M] (Viewpoint Corporation) -- C:\Program Files\Viewpoint\Common\ViewpointService.exe

[2004/03/23 01:15:30 | 00,024,670 | ---- | M] () -- C:\Program Files\Promise\WebPAM 2.0\_jvm\bin\java.exe

[2008/10/16 14:09:44 | 00,051,224 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\system32\wuauclt.exe

[2008/12/23 19:15:55 | 00,419,328 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\steve\Desktop\OTListIt2.exe

========== (O23) Win32 Services (SafeList) ==========

[2008/03/26 21:58:28 | 00,072,704 | ---- | M] (Adobe Systems) -- C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe -- (Adobe LM Service [Disabled | Stopped])

[2005/09/23 06:28:32 | 00,029,896 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\aspnet_state.exe -- (aspnet_state [On_Demand | Stopped])

[2007/07/24 14:17:08 | 00,229,376 | ---- | M] (Apple Inc.) -- C:\Program Files\Bonjour\mDNSResponder.exe -- (Bonjour Service [Auto | Running])

[2005/09/23 06:28:56 | 00,066,240 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe -- (clr_optimization_v2.0.50727_32 [On_Demand | Stopped])

[2008/06/04 21:35:42 | 00,647,680 | ---- | M] (Macrovision Europe Ltd.) -- C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe -- (FLEXnet Licensing Service [On_Demand | Stopped])

[2008/12/01 11:01:02 | 00,033,752 | ---- | M] (NOS Microsystems Ltd.) -- C:\Program Files\NOS\bin\getPlus_HelperSvc.exe -- (getPlus® Helper [On_Demand | Stopped])

[2008/04/07 15:16:26 | 00,136,120 | ---- | M] (Google) -- C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe -- (gusvc [On_Demand | Stopped])

[2004/10/22 02:24:18 | 00,073,728 | ---- | M] (Macrovision Corporation) -- C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe -- (IDriverT [On_Demand | Stopped])

[2008/07/10 09:51:22 | 00,532,264 | ---- | M] (Apple Inc.) -- C:\Program Files\iPod\bin\iPodService.exe -- (iPod Service [Disabled | Stopped])

[2008/02/18 16:29:12 | 00,877,864 | ---- | M] (Nero AG) -- C:\Program Files\Nero\Nero8\Nero BackItUp\NBService.exe -- (Nero BackItUp Scheduler 3 [Disabled | Stopped])

[2008/02/28 17:07:48 | 00,529,704 | ---- | M] (Nero AG) -- C:\Program Files\Common Files\Nero\Lib\NMIndexingService.exe -- (NMIndexingService [On_Demand | Stopped])

[2004/03/24 07:04:00 | 00,110,659 | R--- | M] (NVIDIA Corporation) -- C:\WINDOWS\system32\nvsvc32.exe -- (NVSvc [Auto | Stopped])

[2006/12/19 09:30:26 | 00,081,920 | ---- | M] (Prolific Technology Inc.) -- C:\WINDOWS\system32\IoctlSvc.exe -- (PLFlash DeviceIoControl Service [Auto | Running])

[2004/09/29 11:14:36 | 00,069,632 | ---- | M] (HP) -- C:\WINDOWS\system32\HPZipm12.exe -- (Pml Driver HPZ12 [Auto | Stopped])

[2003/09/28 17:30:08 | 00,110,592 | ---- | M] () -- C:\Program Files\Promise\WebPAM 2.0\jetty\extra\win32\Wrapper.exe -- (PromiseWebPAM [Auto | Running])

[2007/07/24 04:14:08 | 00,088,560 | ---- | M] (Sonic Solutions) -- C:\Program Files\Roxio\Digital Home 9\RoxioUPnPRenderer9.exe -- (Roxio UPnP Renderer 9 [Disabled | Stopped])

[2007/07/24 04:14:06 | 00,358,896 | ---- | M] (Sonic Solutions) -- C:\Program Files\Roxio\Digital Home 9\RoxioUpnpService9.exe -- (Roxio Upnp Server 9 [Disabled | Stopped])

[2007/08/16 07:56:16 | 00,309,744 | ---- | M] (Sonic Solutions) -- C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxLiveShare9.exe -- (RoxLiveShare9 [Auto | Stopped])

[2007/08/16 07:56:10 | 01,092,080 | ---- | M] (Sonic Solutions) -- C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxMediaDB9.exe -- (RoxMediaDB9 [Disabled | Stopped])

[2007/08/16 07:56:14 | 00,166,384 | ---- | M] (Sonic Solutions) -- C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxWatch9.exe -- (RoxWatch9 [Disabled | Stopped])

[2007/01/04 13:38:08 | 00,024,652 | ---- | M] (Viewpoint Corporation) -- C:\Program Files\Viewpoint\Common\ViewpointService.exe -- (Viewpoint Manager Service [Auto | Running])

[2006/10/18 19:05:24 | 00,913,408 | ---- | M] (Microsoft Corporation) -- C:\Program Files\Windows Media Player\wmpnetwk.exe -- (WMPNetworkSvc [On_Demand | Stopped])

========== Driver Services (SafeList) ==========

[2002/04/01 13:15:00 | 00,004,816 | ---- | M] (Andrea Electronics Corporation) -- C:\WINDOWS\system32\drivers\aeaudio.sys -- (aeaudio [On_Demand | Running])

[2002/11/12 10:02:20 | 00,099,840 | ---- | M] (Intel Corporation) -- C:\WINDOWS\system32\drivers\e1000325.sys -- (E1000 [On_Demand | Running])

[2005/06/16 19:39:18 | 00,165,888 | R--- | M] (Promise Technology, Inc.) -- C:\WINDOWS\system32\drivers\ft8300.sys -- (ft8300 [boot | Running])

[2008/01/29 11:01:28 | 00,016,168 | ---- | M] (GEAR Software Inc.) -- C:\WINDOWS\system32\drivers\GEARAspiWDM.sys -- (GEARAspiWDM [On_Demand | Running])

[2001/08/17 04:50:00 | 00,320,384 | ---- | M] (Matrox Graphics Inc.) -- C:\WINDOWS\system32\drivers\mgaum.sys -- (mgau [On_Demand | Running])

[2007/09/27 17:31:00 | 00,175,944 | ---- | M] (Sonnet Technologies,Inc.) -- C:\WINDOWS\system32\drivers\mvsata.sys -- (mvSata [boot | Running])

[2004/03/24 07:04:00 | 01,895,648 | R--- | M] (NVIDIA Corporation) -- C:\WINDOWS\system32\drivers\nv4_mini.sys -- (nv [On_Demand | Stopped])

[2001/08/22 08:42:58 | 00,013,632 | ---- | M] (Dell Computer Corporation) -- C:\WINDOWS\system32\drivers\omci.sys -- (OMCI [system | Running])

[2002/09/03 11:52:41 | 00,017,792 | ---- | M] (Parallel Technologies, Inc.) -- C:\WINDOWS\system32\drivers\ptilink.sys -- (Ptilink [On_Demand | Running])

[2008/04/07 15:16:45 | 00,043,872 | ---- | M] (Sonic Solutions) -- C:\WINDOWS\system32\drivers\pxhelp20.sys -- (PxHelp20 [boot | Running])

[2007/05/31 12:39:50 | 00,022,656 | ---- | M] (Research In Motion Limited) -- C:\WINDOWS\system32\drivers\RimUsb.sys -- (RimUsb [On_Demand | Stopped])

[2007/01/18 09:24:58 | 00,026,496 | R--- | M] (Research in Motion Ltd) -- C:\WINDOWS\system32\drivers\RimSerial.sys -- (RimVSerPort [On_Demand | Running])

[2002/09/03 11:53:44 | 00,005,888 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\system32\drivers\rootmdm.sys -- (ROOTMODEM [On_Demand | Running])

[2008/12/04 13:50:04 | 00,008,944 | ---- | M] (SUPERAdBlocker.com and SUPERAntiSpyware.com) -- C:\Program Files\SUPERAntiSpyware\sasdifsv.sys -- (SASDIFSV [system | Running])

[2008/12/04 13:50:06 | 00,007,408 | R--- | M] ( SUPERAdBlocker.com and SUPERAntiSpyware.com) -- C:\Program Files\SUPERAntiSpyware\SASENUM.SYS -- (SASENUM [On_Demand | Stopped])

[2008/12/04 13:50:02 | 00,055,024 | ---- | M] (SUPERAdBlocker.com and SUPERAntiSpyware.com) -- C:\Program Files\SUPERAntiSpyware\SASKUTIL.SYS -- (SASKUTIL [system | Running])

[2004/08/03 20:59:56 | 00,043,136 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\system32\drivers\sbp2port.sys -- (sbp2port [boot | Running])

[2007/11/13 02:25:53 | 00,020,480 | ---- | M] (Macrovision Corporation, Macrovision Europe Limited, and Macrovision Japan and Asia K.K.) -- C:\WINDOWS\system32\drivers\secdrv.sys -- (Secdrv [On_Demand | Stopped])

[2002/12/19 17:48:48 | 00,539,008 | ---- | M] (Analog Devices, Inc.) -- C:\WINDOWS\system32\drivers\smwdm.sys -- (smwdm [On_Demand | Running])

[2008/04/02 21:08:59 | 00,717,296 | ---- | M] () -- C:\WINDOWS\system32\drivers\sptd.sys -- (sptd [boot | Running])

[2001/08/17 12:53:32 | 00,006,784 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\system32\drivers\serscan.sys -- (StillCam [On_Demand | Running])

[2003/05/20 08:19:00 | 00,073,344 | ---- | M] (Promise Technology, Inc.) -- C:\WINDOWS\system32\drivers\UlSata.sys -- (UlSata [boot | Running])

[2004/08/03 21:07:56 | 00,059,264 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\system32\drivers\USBAUDIO.sys -- (usbaudio [On_Demand | Stopped])

[2002/09/03 12:04:54 | 00,012,032 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\system32\drivers\ws2ifsl.sys -- (WS2IFSL [Disabled | Stopped])

========== Standard Registry (SafeList) ==========

========== Internet Explorer ==========

HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157

HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896

HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Default_Secondary_Page_URL =

HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Extensions Off Page = about:NoAdd-ons

HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Local Page = %SystemRoot%\system32\blank.htm

HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896

HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Security Risk Page = about:SecurityRisk

HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157

HKLM\SOFTWARE\Microsoft\Internet Explorer\Search,CustomizeSearch = http://ie.search.msn.com/{SUB_RFC1766}/srchasst/srchcust.htm

HKLM\SOFTWARE\Microsoft\Internet Explorer\Search,SearchAssistant = http://ie.search.msn.com/{SUB_RFC1766}/srchasst/srchasst.htm

HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Local Page = C:\WINDOWS\system32\blank.htm

HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Search Page = http://www.microsoft.com/isapi/redir.dll?p...amp;ar=iesearch

HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = about:blank

HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0

HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyOverride" = *.local

HKU\.DEFAULT\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0

HKU\S-1-5-18\S-1-5-18\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0

HKU\S-1-5-19\S-1-5-19\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0

HKU\S-1-5-20\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0

HKU\S-1-5-21-1060284298-839522115-725345543-1003\SOFTWARE\Microsoft\Internet Explorer\Main,Local Page = C:\WINDOWS\system32\blank.htm

HKU\S-1-5-21-1060284298-839522115-725345543-1003\SOFTWARE\Microsoft\Internet Explorer\Main,Search Page = http://www.microsoft.com/isapi/redir.dll?p...amp;ar=iesearch

HKU\S-1-5-21-1060284298-839522115-725345543-1003\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = about:blank

HKU\S-1-5-21-1060284298-839522115-725345543-1003\S-1-5-21-1060284298-839522115-725345543-1003\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0

HKU\S-1-5-21-1060284298-839522115-725345543-1003\S-1-5-21-1060284298-839522115-725345543-1003\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyOverride" = *.local

O1 HOSTS File: (764 bytes) - C:\WINDOWS\System32\drivers\etc\Hosts

O1 - Hosts: 127.0.0.1 localhost

O1 - Hosts: 192.168.0.200 HP000D9D294FB8

O2 - BHO: (AcroIEHlprObj Class) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll (Adobe Systems Incorporated)

O2 - BHO: (ContributeBHO Class) - {074C1DC5-9320-4A9A-947D-C042949C6216} - C:\Program Files\Adobe [2008/12/07 12:12:09 00,000,000 | ---D | M]

O2 - BHO: (SSVHelper Class) - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll (Sun Microsystems, Inc.)

O3 - HKLM\..\Toolbar: (Contribute Toolbar) - {517BDDE4-E3A7-4570-B21E-2B52B6139FC7} - C:\Program Files\Adobe [2008/12/07 12:12:09 00,000,000 | ---D | M]

O3 - HKLM\..\Toolbar: (&Yahoo! Toolbar) - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll (Yahoo! Inc.)

O3 - HKCU\..\Toolbar: (no name) - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - Reg Error: Key does not exist or could not be opened. File not found

O3 - HKCU\..\Toolbar: (no name) - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll (Yahoo! Inc.)

O3 - HKU\.DEFAULT\..\Toolbar: (no name) - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - Reg Error: Key does not exist or could not be opened. File not found

O3 - HKU\S-1-5-18\..\Toolbar: (no name) - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - Reg Error: Key does not exist or could not be opened. File not found

O3 - HKU\S-1-5-21-1060284298-839522115-725345543-1003\..\Toolbar: (no name) - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - Reg Error: Key does not exist or could not be opened. File not found

O3 - HKU\S-1-5-21-1060284298-839522115-725345543-1003\..\Toolbar: (no name) - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll (Yahoo! Inc.)

O4 - HKLM..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup (NVIDIA Corporation)

O4 - HKLM..\Run: [PtiuPbmd] Rundll32.exe ptipbm.dll,SetWriteBack (Promise Technology,Inc.)

O4 - HKCU..\Run: [Windows Live FolderShare] "C:\Documents and Settings\steve\Local Settings\Application Data\FolderShare\FolderShare.exe" /background (Microsoft Corporation)

O4 - HKU\S-1-5-21-1060284298-839522115-725345543-1003..\Run: [Windows Live FolderShare] "C:\Documents and Settings\steve\Local Settings\Application Data\FolderShare\FolderShare.exe" /background (Microsoft Corporation)

O4 - Startup: C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe (Adobe Systems Incorporated)

O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: dontdisplaylastusername = 0

O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: legalnoticecaption =

O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: legalnoticetext =

O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: shutdownwithoutlogon = 1

O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: undockwithoutlogon = 1

O7 - HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145

O7 - HKU\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145

O7 - HKU\S-1-5-18\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145

O7 - HKU\S-1-5-19\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145

O7 - HKU\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145

O7 - HKU\S-1-5-21-1060284298-839522115-725345543-1003\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145

O8 - Extra context menu item: Add to Google Photos Screensa&ver - res://C:\WINDOWS\system32\GPhotos.scr/200

O9 - Extra 'Tools' menuitem : Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\npjpi160_05.dll (Sun Microsystems, Inc.)

O9 - Extra 'Tools' menuitem : @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\network diagnostic\xpnetdiag.exe (Microsoft Corporation)

O9 - Extra Button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe (Microsoft Corporation)

O9 - Extra 'Tools' menuitem : Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe (Microsoft Corporation)

O15 - HKLM\..Trusted Sites: 1 domain(s) and sub-domain(s) not assigned to a zone.

O16 - DPF: {33564D57-9980-0010-8000-00AA00389B71} http://download.microsoft.com/download/D/0...D0C/wmv9dmo.cab (Reg Error: Key does not exist or could not be opened.)

O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} http://www.update.microsoft.com/windowsupd...b?1229938396765 (WUWebControl Class)

O16 - DPF: {843EE768-3A97-455C-9076-741BA3AD7B62} https://accounting.quickbooks.com/c2/v21.120/qboax10.cab (QuickBooks Online Edition Utilities Class v10)

O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} http://java.sun.com/update/1.6.0/jinstall-...indows-i586.cab (Java Plug-in 1.6.0_05)

O16 - DPF: {CAFEEFAC-0016-0000-0005-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinstall-...indows-i586.cab (Java Plug-in 1.6.0_05)

O16 - DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinstall-...indows-i586.cab (Java Plug-in 1.6.0_05)

O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} http://download.macromedia.com/pub/shockwa...ash/swflash.cab (Shockwave Flash Object)

O16 - DPF: DirectAnimation Java Classes file://C:\WINDOWS\Java\classes\dajava.cab (Reg Error: Key does not exist or could not be opened.)

O16 - DPF: Microsoft XML Parser for Java file://C:\WINDOWS\Java\classes\xmldso.cab (Reg Error: Key does not exist or could not be opened.)

O18 - Protocol\Handler: - ipp - No CLSID value found

O18 - Protocol\Handler: - ipp\0x00000001 - C:\Program Files\Common Files\System\Ole DB\msdaipp.dll (Microsoft Corporation)

O18 - Protocol\Handler: - msdaipp - No CLSID value found

O18 - Protocol\Handler: - msdaipp\0x00000001 - C:\Program Files\Common Files\System\Ole DB\msdaipp.dll (Microsoft Corporation)

O18 - Protocol\Handler: - msdaipp\oledb - C:\Program Files\Common Files\System\Ole DB\msdaipp.dll (Microsoft Corporation)

O20 - See sections below for AppInitDlls and Winlogon settings

========== Winlogon Notify Settings ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\]

!SASWinLogon: "DllName" = C:\Program Files\SUPERAntiSpyware\SASWINLO.dll -- C:\Program Files\SUPERAntiSpyware\SASWINLO.dll (SUPERAntiSpyware.com)

========== Shell Execute Hooks ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks]

"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}" (HKLM) -- C:\Program Files\SUPERAntiSpyware\SASSEH.DLL (SuperAdBlocker.com)

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks]

"{EDB0E980-90BD-11D4-8599-0008C7D3B6F8}" (HKLM) -- C:\Program Files\Qualcomm\Eudora\EuShlExt.dll (Qualcomm Inc.)

========== HKLM *SecurityProviders* ==========

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders]

"SecurityProviders" = msapsspc.dll, schannel.dll, digest.dll, msnsspc.dll, digeste.dll

>File not found --

========== Safeboot Options ==========

"AlternateShell" = cmd.exe

========== CDRom AutoRun Settings ==========

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Cdrom]

"AutoRun" = 1

========== Autorun Files on Drives ==========

AUTOEXEC.BAT []

[2008/03/23 23:53:20 | 00,000,000 | ---- | M] () -- C:\AUTOEXEC.BAT -- [ NTFS ]

AUTOEXEC.BAT []

[2008/03/23 23:24:20 | 00,000,000 | ---- | M] () -- D:\AUTOEXEC.BAT -- [ NTFS ]

========== Files/Folders - Created Within 30 Days ==========

[1 C:\WINDOWS\System32\*.tmp files]

[2008/12/23 19:18:10 | 00,001,552 | ---- | C] () -- C:\Documents and Settings\steve\Desktop\CCleaner.lnk

[2008/12/23 19:18:09 | 00,000,000 | ---D | C] -- C:\Program Files\CCleaner

[2008/12/23 19:15:55 | 00,419,328 | ---- | C] (OldTimer Tools) -- C:\Documents and Settings\steve\Desktop\OTListIt2.exe

[2008/12/23 19:15:38 | 03,165,824 | ---- | C] (Piriform Ltd) -- C:\Documents and Settings\steve\Desktop\ccsetup215.exe

[2008/12/22 23:15:30 | 00,232,598 | ---- | C] () -- C:\Documents and Settings\steve\Desktop\MS4.ai

[2008/12/22 01:34:21 | 00,000,000 | ---D | C] -- C:\WINDOWS\System32\CatRoot_bak

[2008/12/22 01:33:37 | 00,023,576 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\wuapi.dll.mui

[2008/12/21 20:56:22 | 00,000,000 | ---D | C] -- C:\Program Files\Mozilla Firefox3

[2008/12/14 18:51:20 | 00,001,738 | ---- | C] () -- C:\Documents and Settings\steve\Desktop\HijackThis.lnk

[2008/12/14 18:51:20 | 00,000,000 | ---D | C] -- C:\Program Files\Trend Micro

[2008/12/14 18:51:07 | 00,812,344 | ---- | C] (Trend Micro Inc.) -- C:\Documents and Settings\steve\Desktop\HJTInstall.exe

[2008/12/13 23:19:51 | 00,173,456 | ---- | C] (Symantec Corporation) -- C:\Documents and Settings\steve\Desktop\FixVundo.exe

[2008/12/13 20:53:14 | 00,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Application Data\SUPERAntiSpyware.com

[2008/12/13 20:53:07 | 00,000,784 | ---- | C] () -- C:\Documents and Settings\All Users\Desktop\SUPERAntiSpyware Free Edition.lnk

[2008/12/13 20:53:05 | 00,000,000 | ---D | C] -- C:\Program Files\SUPERAntiSpyware

[2008/12/13 20:53:05 | 00,000,000 | ---D | C] -- C:\Documents and Settings\steve\Application Data\SUPERAntiSpyware.com

[2008/12/13 20:52:36 | 00,000,000 | ---D | C] -- C:\Program Files\Common Files\Wise Installation Wizard

[2008/12/12 00:27:51 | 00,000,000 | ---D | C] -- C:\Documents and Settings\steve\Application Data\AdobeUM

[2008/12/09 22:12:49 | 00,434,653 | ---- | C] () -- C:\Documents and Settings\steve\Desktop\DSCF0472.jpg

[2008/12/07 21:08:12 | 00,001,761 | ---- | C] () -- C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Adobe Reader Speed Launch.lnk

[2008/12/07 13:03:05 | 00,000,000 | ---D | C] -- C:\Documents and Settings\steve\Application Data\Malwarebytes

[2008/12/07 13:02:57 | 00,015,504 | ---- | C] (Malwarebytes Corporation) -- C:\WINDOWS\System32\drivers\mbam.sys

[2008/12/07 13:02:55 | 00,038,496 | ---- | C] (Malwarebytes Corporation) -- C:\WINDOWS\System32\drivers\mbamswissarmy.sys

[2008/12/07 13:02:53 | 00,000,000 | ---D | C] -- C:\Program Files\Malwarebytes' Anti-Malware

[2008/12/07 13:02:53 | 00,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Application Data\Malwarebytes

[2008/12/07 12:04:10 | 00,000,000 | ---D | C] -- C:\Program Files\NOS

[2008/12/07 12:04:10 | 00,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Application Data\NOS

[2008/12/07 11:49:51 | 00,000,294 | ---- | C] () -- C:\WINDOWS\tasks\qzxmxtji.job

[2008/11/30 22:04:34 | 00,065,180 | ---- | C] () -- C:\Documents and Settings\steve\Desktop\steveo_is_awesome.jpg

========== Files - Modified Within 30 Days ==========

[1 C:\WINDOWS\System32\*.tmp files]

[4 C:\WINDOWS\*.tmp files]

[2008/12/23 19:18:10 | 00,001,552 | ---- | M] () -- C:\Documents and Settings\steve\Desktop\CCleaner.lnk

[2008/12/23 19:15:55 | 00,419,328 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\steve\Desktop\OTListIt2.exe

[2008/12/23 19:15:51 | 03,165,824 | ---- | M] (Piriform Ltd) -- C:\Documents and Settings\steve\Desktop\ccsetup215.exe

[2008/12/23 19:14:21 | 04,119,824 | ---- | M] () -- C:\WINDOWS\System32\FNTCACHE.DAT

[2008/12/23 19:14:00 | 00,000,006 | -H-- | M] () -- C:\WINDOWS\tasks\SA.DAT

[2008/12/23 19:13:57 | 00,002,048 | --S- | M] () -- C:\WINDOWS\bootstat.dat

[2008/12/22 23:15:31 | 00,232,598 | ---- | M] () -- C:\Documents and Settings\steve\Desktop\MS4.ai

[2008/12/22 23:14:21 | 00,000,294 | ---- | M] () -- C:\WINDOWS\tasks\qzxmxtji.job

[2008/12/22 01:31:01 | 00,000,552 | ---- | M] () -- C:\WINDOWS\win.ini

[2008/12/22 01:31:01 | 00,000,227 | ---- | M] () -- C:\WINDOWS\system.ini

[2008/12/22 01:31:01 | 00,000,210 | -HS- | M] () -- C:\boot.ini

[2008/12/21 21:54:16 | 00,000,069 | ---- | M] () -- C:\WINDOWS\NeroDigital.ini

[2008/12/21 20:33:59 | 00,002,206 | ---- | M] () -- C:\WINDOWS\System32\wpa.dbl

[2008/12/17 21:18:19 | 00,006,456 | -H-- | M] () -- C:\WINDOWS\System32\vedunure

[2008/12/17 20:59:32 | 00,026,112 | ---- | M] () -- C:\Documents and Settings\steve\Local Settings\Application Data\DCBC2A71-70D8-4DAN-EHR8-E0D61DEA3FDF.ini

[2008/12/14 18:51:20 | 00,001,738 | ---- | M] () -- C:\Documents and Settings\steve\Desktop\HijackThis.lnk

[2008/12/14 18:51:11 | 00,812,344 | ---- | M] (Trend Micro Inc.) -- C:\Documents and Settings\steve\Desktop\HJTInstall.exe

[2008/12/13 23:19:51 | 00,173,456 | ---- | M] (Symantec Corporation) -- C:\Documents and Settings\steve\Desktop\FixVundo.exe

[2008/12/13 20:53:07 | 00,000,784 | ---- | M] () -- C:\Documents and Settings\All Users\Desktop\SUPERAntiSpyware Free Edition.lnk

[2008/12/12 22:40:02 | 03,593,216 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\System32\mshtml.dll

[2008/12/12 22:40:02 | 03,593,216 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\System32\dllcache\mshtml.dll

[2008/12/07 21:08:12 | 00,001,761 | ---- | M] () -- C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Adobe Reader Speed Launch.lnk

[2008/12/07 13:20:03 | 00,395,304 | ---- | M] () -- C:\Documents and Settings\steve\Local Settings\Application Data\GDIPFONTCACHEV1.DAT

[2008/12/03 19:52:38 | 00,038,496 | ---- | M] (Malwarebytes Corporation) -- C:\WINDOWS\System32\drivers\mbamswissarmy.sys

[2008/12/03 19:52:34 | 00,015,504 | ---- | M] (Malwarebytes Corporation) -- C:\WINDOWS\System32\drivers\mbam.sys

[2008/11/30 22:04:35 | 00,065,180 | ---- | M] () -- C:\Documents and Settings\steve\Desktop\steveo_is_awesome.jpg

========== Alternate Data Streams ==========

@Alternate Data Stream - 147 bytes -> %AllUsersProfile%\Application Data\TEMP:DFC5A2B2

< End of report >

Link to post
Share on other sites

OtListIt Extras.txt file...

OTListIt Extras logfile created on: 12/23/2008 7:20:33 PM - Run

OTListIt2 by OldTimer - Version 1.0.1.0 Folder = C:\Documents and Settings\steve\Desktop

Windows XP Professional Edition Service Pack 2 (Version = 5.1.2600) - Type = NTWorkstation

Internet Explorer (Version = 7.0.5730.13)

Locale: 00000409 | Country: United States | Language: ENU | Date Format: M/d/yyyy

2.00 Gb Total Physical Memory | 1.62 Gb Available Physical Memory | 80.81% Memory free

4.00 Gb Paging File | 4.00 Gb Available in Paging File | 100.00% Paging File free

Paging file location(s): C:\pagefile.sys 2046 4092;D:\pagefile.sys 2046 4096;

%SystemDrive% = C: | %SystemRoot% = C:\WINDOWS | %ProgramFiles% = C:\Program Files

Drive C: | 34.46 Gb Total Space | 11.91 Gb Free Space | 34.55% Space Free | Partition Type: NTFS

Drive D: | 34.47 Gb Total Space | 23.92 Gb Free Space | 69.39% Space Free | Partition Type: NTFS

E: Drive not present or media not loaded

F: Drive not present or media not loaded

G: Drive not present or media not loaded

H: Drive not present or media not loaded

I: Drive not present or media not loaded

Drive R: | 931.32 Gb Total Space | 830.85 Gb Free Space | 89.21% Space Free | Partition Type: NTFS

Computer Name: STEVE

Current User Name: steve

Logged in as Administrator.

Current Boot Mode: Normal

Scan Mode: All users

Output = Standard

File Age = 30 Days

Company Name Whitelist: On

========== File Associations ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\<extension>]

.html [@ = FirefoxHTML] --

========== Security Center Settings ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center]

"AntiVirusDisableNotify" = 1

"FirewallDisableNotify" = 1

"UpdatesDisableNotify" = 1

"AntiVirusOverride" = 0

"FirewallOverride" = 0

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\AhnlabAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\ComputerAssociatesAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\KasperskyAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\McAfeeAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\McAfeeFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\PandaAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\PandaFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\SophosAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\SymantecAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\SymantecFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\TinyFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\TrendAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\TrendFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\ZoneLabsFirewall]

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile

"EnableFirewall" = 1

"DoNotAllowExceptions" = 0

"DisableNotifications" = 0

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\GloballyOpenPorts]

========== Authorized Applications List ==========

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\AuthorizedApplications\List]

[2006/10/10 04:44:50 | 00,557,568 | ---- | M] (Microsoft Corporation) -- %windir%\Network Diagnostic\xpnetdiag.exe:*:Enabled:@xpsp3res.dll,-20000

[2008/04/15 13:15:58 | 00,925,728 | ---- | M] (Microsoft Corporation) -- C:\Documents and Settings\steve\Local Settings\Application Data\FolderShare\FolderShare.exe:*:Enabled:Windows Live FolderShare Beta

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List]

File not found -- F:\Setup\HPZnet01.exe:*:Enabled:Install Consumer Experience Network Plug in

[2006/10/10 04:44:50 | 00,557,568 | ---- | M] (Microsoft Corporation) -- %windir%\Network Diagnostic\xpnetdiag.exe:*:Enabled:@xpsp3res.dll,-20000

[2006/11/02 23:17:27 | 00,010,800 | ---- | M] (AOL LLC) -- C:\Program Files\Common Files\AOL\Loader\aolload.exe:*:Enabled:AOL Loader

[2008/04/15 13:15:58 | 00,925,728 | ---- | M] (Microsoft Corporation) -- C:\Documents and Settings\steve\Local Settings\Application Data\FolderShare\FolderShare.exe:*:Enabled:Windows Live FolderShare Beta

File not found -- C:\Program Files\TwonkyMedia\twonkymediaserver.exe:*:Enabled:TwonkyMediaServer

File not found -- C:\Program Files\TwonkyMedia\twonkymedia.exe:*:Enabled:TwonkyMedia

[2008/02/28 17:38:38 | 05,055,784 | ---- | M] (Nero AG) -- C:\Program Files\Nero\Nero8\Nero MediaHome\NeroMediaHome.exe:*:Enabled:Nero MediaHome (1)

[2008/02/28 17:38:38 | 04,470,056 | ---- | M] (Nero AG) -- C:\Program Files\Nero\Nero8\Nero MediaHome\NMMediaServer.exe:*:Enabled:Nero MediaHome (2)

[2008/03/06 12:50:59 | 00,050,528 | ---- | M] (AOL LLC) -- C:\Program Files\AIM6\aim6.exe:*:Enabled:AIM

[2007/07/24 14:17:08 | 00,229,376 | ---- | M] (Apple Inc.) -- C:\Program Files\Bonjour\mDNSResponder.exe:*:Enabled:Bonjour

[2008/07/10 09:51:26 | 20,246,824 | ---- | M] (Apple Inc.) -- C:\Program Files\iTunes\iTunes.exe:*:Enabled:iTunes

File not found -- C:\Program Files\MusicBrainz Picard\picard.exe:*:Enabled:The next generation MusicBrainz tagger

[2004/08/03 23:56:55 | 00,033,280 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\system32\rundll32.exe:*:Enabled:rundll32

[2002/09/03 11:34:39 | 00,008,192 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\system32\cidaemon.exe:*:Enabled:cidaemon

[2003/09/28 17:30:08 | 00,110,592 | ---- | M] () -- C:\Program Files\Promise\WebPAM 2.0\jetty\extra\win32\Wrapper.exe:*:Enabled:wrapper

========== HKEY_LOCAL_MACHINE Uninstall List ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall]

"{00000409-78E1-11D2-B60F-006097C998E7}" = Microsoft Office 2000 Premium

"{003447F5-0058-4B77-9C1E-50488F77C4A7}" = Brother P-touch Editor 4.2

"{0046FA01-C5B9-4985-BACB-398DC480FC05}" = Adobe Photoshop CS3

"{0224CACC-994D-45F8-B973-D65056EA9C2F}" = Adobe XMP DVA Panels CS3

"{02DFF6B1-1654-411C-8D7B-FD6052EF016F}" = Apple Software Update

"{08B32819-6EEF-4057-AEDA-5AB681A36A23}" = Adobe Bridge Start Meeting

"{08CA9554-B5FE-4313-938F-D4A417B81175}" = QuickTime

"{0A3D355B-4FCC-41AF-8C61-A2BA15D26237}" = Adobe After Effects CS3

"{0DC86BEC-5CE3-413A-BB61-C40A3D186B24}" = Scan

"{14BEB6DF-A499-4A38-8E06-E173BCD5C087}" = ScannerCopy

"{17293791-C82E-476C-9997-9A0FF234A19B}" = HP Product Assistant

"{181821B7-82AA-44DA-9DAF-EF254CCB670A}" = Fax

"{184CE391-7E0E-4C63-9935-D7A10EDFD3C6}" = Adobe WinSoft Linguistics Plugin

"{185D0A67-E066-44AE-926D-F6305813301C}" = Adobe After Effects CS3 Presets

"{18D10072035C4515918F7E37EAFAACFC}" = AutoUpdate

"{20FBC0A0-3160-4F14-83ED-3A74BB6B8C31}" = TrayApp

"{24D7346D-D4B4-45E8-98EA-75EC14B42DD8}" = Adobe ExtendScript Toolkit 2

"{279449D6-CAF6-47F9-A28B-319FEEE4331B}" = Eudora

"{29E5EA97-5F74-4A57-B8B2-D4F169117183}" = Adobe Stock Photos CS3

"{2E8428AD-6CD2-4031-916A-3CF9BBF2DEC9}" = Unload

"{2EFFFC71-1E66-454E-A6E6-CEEC800B96D2}" = Adobe Flash Video Encoder

"{3248F0A8-6813-11D6-A77B-00B0D0160050}" = Java 6 Update 5

"{342C7C88-D335-4bc2-8CF1-281857629CE2}" = HP PSC & OfficeJet 4.7

"{350C97B0-3D7C-4EE8-BAA9-00BCB3D54227}" = WebFldrs XP

"{391E18CE-7D3B-45E9-A8F0-34E77F14F47A}" = ProductContext

"{3921A67A-5AB1-4E48-9444-C71814CF3027}" = VCRedistSetup

"{3C5F1B30-B10B-4579-86DD-D00F662E1033}" = Nero 8

"{442BE28B-782B-4DC0-B490-E70A403B1C69}" = Readme

"{47BF1BD6-DCAC-468F-A0AD-E5DECC2211C3}" = Bonjour

"{50F102CA-4BE2-41A9-9810-5BB05EB91B9A}" = Adobe Premiere Pro CS3 Functional Content

"{51846830-E7B2-4218-8968-B77F0FF475B8}" = Adobe Color EU Extra Settings

"{54793AA1-5001-42F4-ABB6-C364617C6078}" = Adobe Linguistics CS3

"{56C049BE-79E9-4502-BEA7-9754A3E60F9B}" = neroxml

"{5D6EC6F7-9B38-4a02-B063-97C2048B56A2}" = 7200_Help

"{5EED93A8-33AD-46A7-A6AC-4DEAFBEFEEE1}" = Roxio Media Manager

"{64B7E533-21EC-4DB3-95DE-6D2DDE81F855}" = Adobe Soundbooth CS3

"{64C1FA9A-FA94-4B6E-B3E4-8573738E4AD1}" = Adobe Setup

"{64FC0C98-B035-4530-B15D-3D30610B6DF1}" = HP Software Update

"{655CB07D-C944-40BE-B93F-55957CAC7625}" = AiO_Scan

"{68963635-14A4-48D9-B431-DF3A74D1AAE1}" = Destinations

"{6A5D1A94-624A-4D20-B178-3A283B500370}" = Adobe Setup

"{6ABE0BEE-D572-4FE8-B434-9E72A289431B}" = Adobe Fonts All

"{6B52140A-F189-4945-BFFC-DB3F00B8C589}" = Adobe Flash CS3

"{6B708481-748A-4EB4-97C1-CD386244FF77}" = Adobe MotionPicture Color Files

"{6BBAA81D-6A7E-43AD-8889-2F002DCAAFDD}" = AHV content for Acrobat and Flash

"{6D4AC5A4-4CF9-4F90-8111-B9B53CE257BF}" = Adobe Color Common Settings

"{6FF5DD7A-FE28-4439-B8CF-1E9AF4EA0A61}" = Adobe Asset Services CS3

"{700A6597-3CE6-49C1-AA75-846B24CDA66D}" = BufferChm

"{7131646D-CD3C-40F4-97B9-CD9E4E6262EF}" = Microsoft .NET Framework 2.0

"{7162AC2C-733F-4127-ACAD-C5F0F27D123D}" = Adobe Creative Suite 3 Master Collection

"{7299052b-02a4-4627-81f2-1818da5d550d}" = Microsoft Visual C++ 2005 Redistributable

"{7ACFB90E-8FD0-4397-AD3A-5195412623A3}" = Adobe Help Viewer CS3

"{7AD25C9F-9957-4D1C-95EF-9BCD09F6D31B}" = HPSystemDiagnostics

"{7B63B2922B174135AFC0E1377DD81EC2}" = DivX Codec

"{7C10F5C7-F00F-4BD3-A110-C7D240D2DD25}" = Adobe Dreamweaver CS3

"{7CCC6E23-0E35-480B-8F0C-8D06F882D5D3}" = Brother QL-Series User's Guide

"{7D62C409-EA5C-40E3-954E-AD4923250923}" = Adobe Encore CS3 Library

"{7DFC1012-D346-46CE-B03E-FF79125AE029}" = Adobe Fireworks CS3

"{802771A9-A856-4A41-ACF7-1450E523C923}" = Adobe XMP Panels CS3

"{80C13322-2085-49F5-8B19-2A9FA20F14E9}" = Adobe After Effects CS3 Template Projects & Footage

"{81C71501-D10F-4DE8-AFD9-E718E82B1D41}_is1" = TextEdit 2.1

"{845A8DB9-8802-4FD3-9FE3-938A6C46A2EC}" = Adobe Video Profiles

"{85CFD253-38AE-4DB1-ACB7-F0F4C791990D}" = AiOSoftware

"{8777AC6D-89F9-4793-8266-DE406F343E89}" = QFolder

"{8ADFC4160D694100B5B8A22DE9DCABD9}" = DivX Player

"{8D2BA474-F406-4710-9AE4-D4F22D21F0DD}" = Adobe Device Central CS3

"{8E6808E2-613D-4FCD-81A2-6C8FA8E03312}" = Adobe Type Support

"{8F7A4D82-B168-4F89-99C2-B9873EC877AF}" = HP Image Zone Express

"{90176341-0A8B-4CCC-A78D-F862228A6B95}" = Adobe Anchor Service CS3

"{90849E84-F026-4638-A184-E6FCFD472C34}" = Brother P-touch Software

"{92A300C0-E97B-48CC-9702-AB1AAED167E1}" = Adobe Soundbooth CS3 Scores

"{95655ED4-7CA5-46DF-907F-7144877A32E5}" = Adobe Color NA Recommended Settings

"{98E9B724-0E62-4812-B6CC-C6A228BBC562}" = Brother P-touch Address Book 1.0

"{9BA4F9C5-7CB4-492C-9B97-89E36AFA0AB9}" = Adobe Setup

"{9C9824D9-9000-4373-A6A5-D0E5D4831394}" = Adobe Bridge CS3

"{A2B242BD-FF8D-4840-9DAA-9170EABEC59C}" = Adobe CMaps

"{A2D81E70-2A98-4A08-A628-94388B063C5E}" = Adobe Color - Photoshop Specific

"{A6CDBEB9-2DF5-4455-A647-F3DF0441D5C3}" = Adobe Premiere Pro CS3

"{A7391302-FADF-4314-80DC-C757DAE45178}" = 7200

"{AC5B0C19-D851-42F4-BDA0-410ECF7F70A5}" = PDF Settings

"{AC76BA86-7AD7-1033-7B44-A70000000000}" = Adobe Reader 7.0

"{AC966B90-53CA-4710-8EEE-57ED25387872}" = 7200Trb

"{B13A7C41581B411290FBC0395694E2A9}" = DivX Converter

"{B3BF6689-A81D-40D8-9A86-4AC4ACD9FC1C}" = Adobe Camera Raw 4.0

"{B3C02EC1-A7B0-4987-9A43-8789426AAA7D}" = Adobe Setup

"{B671CBFD-4109-4D35-9252-3062D3CCB7B2}" = Adobe SING CS3

"{B7050CBDB2504B34BC2A9CA0A692CC29}" = DivX Web Player

"{B73CFB12-C814-4638-AFFD-7E3AAFAF0B4E}" = Adobe BridgeTalk Plugin CS3

"{B911B811-BA3E-46D4-90F8-6F3338359651}" = Director

"{B9B35331-B7E4-4E5C-BF4C-7BC87856124D}" = Adobe Default Language CS3

"{BCE72AED-3332-4863-9567-C5DCB9052CA2}" = Netflix Movie Viewer

"{BE5F3842-8309-4754-92D5-83E02E6077A3}" = Adobe Extension Manager CS3

"{C178B38F-613A-4EFE-B718-A675BD27A1E1}" = BlackBerry Desktop Software 4.3

"{C347D234-93D8-4595-BDAA-C04638B23B48}" = Adobe Creative Suite 3 Web Premium

"{C5BD220A-EFE8-48A5-B70E-9503D535FACE}" = Adobe WAS CS3

"{CB3F8375-B600-4B9F-83C9-238ED1E583FD}" = Adobe InDesign CS3

"{CDDCBBF1-2703-46BC-938B-BCC81A1EEAAA}" = SUPERAntiSpyware Free Edition

"{CDFCF124-115F-4976-8BF4-08C89187A146}" = WebReg

"{D0DFF92A-492E-4C40-B862-A74A173C25C5}" = Adobe Version Cue CS3 Client

"{D2559B88-CC9D-4B48-81BB-F492BAA9C48C}" = Adobe PDF Library Files

"{D78653C3-A8FF-415F-92E6-D774E634FF2D}" = Dell ResourceCD

"{DD362256-A7A2-4524-9457-213DDC2AFC2A}" = Adobe After Effects 7.0

"{DD7DB3C5-6FA3-4FA3-8A71-C2F2940EB029}" = Adobe Color JA Extra Settings

"{E69AE897-9E0B-485C-8552-7841F48D42D8}" = Adobe Update Manager CS3

"{EA7B3CC4-366D-4CF6-8350-FD7A7034116E}" = Adobe InDesign CS3 Icon Handler

"{EF6C4600-306D-4F6A-A119-C2A877D25B4A}" = iTunes

"{F08E8D2E-F132-4742-9C87-D5FF223A016A}" = Adobe Illustrator CS3

"{F0A37341-D692-11D4-A984-009027EC0A9C}" = SoundMAX

"{FC9E08AA-CD59-4C59-BEF9-87E05B9E37D7}" = Adobe Contribute CS3

"{FE434300-A311-4BE1-93BA-B74BC8C4017B}" = Windows Live FolderShare Beta

"733fc5aa09f6ebe167e13d69c7dc4e7f" = Promise WebPAM 2.0

"Adobe After Effects 7.0" = Adobe After Effects 7.0

"Adobe Flash Player ActiveX" = Adobe Flash Player ActiveX

"Adobe Flash Player Plugin" = Adobe Flash Player 10 Plugin

"Adobe_247961ef275e20c5cb073c36394ac32" = Add or Remove Adobe Creative Suite 3 Web Premium

"Adobe_3e054d2218e7aa282c2369d939e58ff" = Adobe ExtendScript Toolkit 2

"Adobe_6c8e2cb4fd241c55406016127a6ab2e" = Adobe Color Common Settings

"Adobe_8bb24e071e5922899698c2105557bd2" = Add or Remove Adobe Creative Suite 3 Master Collection

"AIM_6" = AIM 6

"BlackBerry_{C178B38F-613A-4EFE-B718-A675BD27A1E1}" = BlackBerry Desktop Software 4.3

"CCleaner" = CCleaner (remove only)

"DAZzle" = DAZzle

"Dropbox" = Dropbox

"DVD Shrink_is1" = DVD Shrink 3.2

"FastStone Capture" = FastStone Capture 6.0

"HijackThis" = HijackThis 2.0.2

"HP Photo & Imaging" = HP Image Zone 4.7

"IDNMitigationAPIs" = Microsoft Internationalized Domain Names Mitigation APIs

"ie7" = Windows Internet Explorer 7

"InstallShield_{003447F5-0058-4B77-9C1E-50488F77C4A7}" = Brother P-touch Editor 4.2

"InstallShield_{7CCC6E23-0E35-480B-8F0C-8D06F882D5D3}" = Brother QL-Series User's Guide

"InstallShield_{98E9B724-0E62-4812-B6CC-C6A228BBC562}" = Brother P-touch Address Book 1.0

"IrfanView" = IrfanView (remove only)

"Malwarebytes' Anti-Malware_is1" = Malwarebytes' Anti-Malware

"Microsoft .NET Framework 2.0" = Microsoft .NET Framework 2.0

"Mozilla Firefox (3.0.4)" = Mozilla Firefox (3.0.4)

"Mozilla Firefox (3.0.5)" = Mozilla Firefox (3.0.5)

"Mozilla Thunderbird (2.0.0.18)" = Mozilla Thunderbird (2.0.0.18)

"MSCompPackV1" = Microsoft Compression Client Pack 1.0 for Windows XP

"NLSDownlevelMapping" = Microsoft National Language Support Downlevel APIs

"NVIDIA Display Driver" = NVIDIA Display Driver

"Picasa 3" = Picasa 3

"PROSet" = Intel® PRO Ethernet Adapter and Software

"ViewpointMediaPlayer" = Viewpoint Media Player

"Windows Media Format Runtime" = Windows Media Format 11 runtime

"Windows Media Player" = Windows Media Player 11

"Windows XP Service Pack" = Windows XP Service Pack 2

"WinRAR archiver" = WinRAR archiver

"WMFDist11" = Windows Media Format 11 runtime

"wmp11" = Windows Media Player 11

"Wudf01000" = Microsoft User-Mode Driver Framework Feature Pack 1.0

"Yahoo! Toolbar" = Yahoo! Toolbar

========== HKEY_CURRENT_USER Uninstall List ==========

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall]

========== HKEY_USERS Uninstall List ==========

[HKEY_USERS\S-1-5-21-1060284298-839522115-725345543-1003\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall]

========== Last 10 Event Log Errors ==========

[ Application Events ]

Error - 7/11/2008 2:32:20 AM | Computer Name = STEVE | Source = Application Hang | ID = 1002

Description = Hanging application wmplayer.exe, version 11.0.5721.5145, hang module

hungapp, version 0.0.0.0, hang address 0x00000000.

Error - 7/11/2008 2:32:20 AM | Computer Name = STEVE | Source = Application Hang | ID = 1002

Description = Hanging application wmplayer.exe, version 11.0.5721.5145, hang module

hungapp, version 0.0.0.0, hang address 0x00000000.

Error - 7/12/2008 12:56:28 AM | Computer Name = STEVE | Source = Application Error | ID = 1000

Description = Faulting application explorer.exe, version 6.0.2900.3156, faulting

module msvcr80.dll, version 8.0.50727.762, fault address 0x00014d98.

Error - 7/28/2008 2:23:37 AM | Computer Name = STEVE | Source = Ci | ID = 4124

Description = Content index on c:\system volume information\catalog.wci is corrupt.

Please shutdown and restart the Indexing Service (cisvc).

Error - 7/28/2008 2:23:37 AM | Computer Name = STEVE | Source = Ci | ID = 4126

Description = Cleaning up corrupt content index metadata on c:\system volume information\catalog.wci.

Index will be automatically restored by refiltering all documents.

Error - 7/28/2008 12:44:36 PM | Computer Name = STEVE | Source = MsiInstaller | ID = 11722

Description = Product: Roxio Media Manager -- Error 1722.There is a problem with

this Windows Installer package. A program run as part of the setup did not finish

as expected. Contact your support personnel or package vendor. Action DWUS_Schedule.C3A146F5_4B48_11D5_A819_00B0D0428C0C,

location: C:\Program Files\Common Files\InstallShield\UpdateService\, command:

C:\Program Files\Common Files\InstallShield\UpdateService\agent.exe /ssi{5EED93A8-33AD-46A7-A6AC-4DEAFBEFEEE1},30:

Default

Error - 7/28/2008 12:44:36 PM | Computer Name = STEVE | Source = MsiInstaller | ID = 11719

Description = Product: Roxio Media Manager -- Error 1719.The Windows Installer Service

could not be accessed. This can occur if you are running Windows in safe mode,

or if the Windows Installer is not correctly installed. Contact your support personnel

for assistance.

[ System Events ]

Error - 12/14/2008 10:54:55 PM | Computer Name = STEVE | Source = Service Control Manager | ID = 7026

Description = The following boot-start or system-start driver(s) failed to load:

AFD Fips intelppm IPSec MRxSmb NetBIOS NetBT OMCI pctfw2 RasAcd Rdbss SASDIFSV SASKUTIL Tcpip

WS2IFSL

Error - 12/14/2008 11:02:26 PM | Computer Name = STEVE | Source = DCOM | ID = 10005

Description = DCOM got error "%1084" attempting to start the service EventSystem

with arguments "" in order to run the server: {1BE1F766-5536-11D1-B726-00C04FB926AF}

Error - 12/16/2008 7:07:01 AM | Computer Name = STEVE | Source = DCOM | ID = 10005

Description = DCOM got error "%1058" attempting to start the service wuauserv with

arguments "" in order to run the server: {E60687F7-01A1-40AA-86AC-DB1CBF673334}

Error - 12/16/2008 7:14:31 AM | Computer Name = STEVE | Source = Service Control Manager | ID = 7026

Description = The following boot-start or system-start driver(s) failed to load:

mvSata PCIIde

Error - 12/17/2008 11:56:07 PM | Computer Name = STEVE | Source = DCOM | ID = 10005

Description = DCOM got error "%1058" attempting to start the service wuauserv with

arguments "" in order to run the server: {E60687F7-01A1-40AA-86AC-DB1CBF673334}

Error - 12/20/2008 3:24:31 PM | Computer Name = STEVE | Source = Service Control Manager | ID = 7026

Description = The following boot-start or system-start driver(s) failed to load:

mvSata PCIIde

Error - 12/22/2008 1:51:06 AM | Computer Name = STEVE | Source = DCOM | ID = 10005

Description = DCOM got error "%1058" attempting to start the service wuauserv with

arguments "" in order to run the server: {E60687F7-01A1-40AA-86AC-DB1CBF673334}

Error - 12/22/2008 5:35:55 AM | Computer Name = STEVE | Source = PlugPlayManager | ID = 12

Description = The device 'Promise 2X2 Mirror/RAID1 SCSI Disk Device' (SCSI\Disk&Ven_Promise&Prod_2X2_Mirror/RAID1&Rev_1.10\6&30f6ec26&0&000)

disappeared from the system without first being prepared for removal.

Error - 12/22/2008 5:35:56 AM | Computer Name = STEVE | Source = Promise Napa I2API | ID = 512

Description = Logical drive "PROMISE LD " goes offline

Error - 12/22/2008 5:35:56 AM | Computer Name = STEVE | Source = Promise Napa I2API | ID = 512

Description = Logical drive "PROMISE LD " goes offline

< End of report >

Link to post
Share on other sites

  • Root Admin

Your system has files on it that MBAM already detects and removes so that leads me to believe you may have something cloaked running that is preventing MBAM from removing it or it's a new variant of an old infection.

STEP 01

For now please rename or delete your HOSTS file located here:

C:\WINDOWS\system32\drivers\etc\hosts

STEP 02

Please upload this file for review here

C:\WINDOWS\SYSTEM32\digeste.dll

STEP 03

ERUNT Registry Backup and Restore for Windows

Please download ERUNT and backup your Registry before proceeding. ERUNT

Do not place it in the Startup folder as it requests at least for now.

STEP 04

The file above is referenced here and does not belong here in the registry.

After backing up the Registry click on START - RUN - and type in REGEDIT then browse to this location.

Double-click on the SecurityProviders key and remove the digeste.dll entry.

Make sure you leave the comma on the end. ,

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders]

"SecurityProviders" = msapsspc.dll, schannel.dll, digest.dll, msnsspc.dll, digeste.dll

It should look like this

msapsspc.dll, schannel.dll, digest.dll, msnsspc.dll,

STEP 05

Open My Computer and browse to this file and delete it. C:\WINDOWS\tasks\qzxmxtji.job

STEP 06

Your Java is out of date. Older versions have vulnerabilities that malware can use to infect your system.

Please download JavaRa and unzip it to your desktop.

***Please close any instances of Internet Explorer (or other web browser) before continuing!***

  • Double-click on JavaRa.exe to start the program.
  • From the drop-down menu, choose English and click on Select.
  • JavaRa will open; click on Remove Older Versions to remove the older versions of Java installed on your computer.
  • Click Yes when prompted. When JavaRa is done, a notice will appear that a logfile has been produced. Click OK.
  • A logfile will pop up. Please save it to a convenient location.

Update Java Runtime

The most current version of Sun Java is: Java Runtime Environment (JRE) 6 Update 11.

  • Go to http://java.sun.com/javase/downloads/index.jsp
  • Go to Java Runtime Environment (JRE) 6 Update 11 about half way down the page and click on the Download button.
  • In Platform box choose Windows.
  • Check the box to Accept License Agreement and click Continue.
  • Click on Windows Offline Installation, click on the link under it which says jre-6u11-windows-i586-p.exe and save the downloaded file to your desktop.
  • Install the new version by running the newly-downloaded file with the java icon which will be on your desktop, and follow the on-screen instructions.
  • Uncheck the Toolbar button (unless you want the toolbar)
  • Reboot your computer

STEP 07

Malwarebytes' Anti-Malware

  • Start MalwareBytes AntiMalware
    • Update Malwarebytes' Anti-Malware
    • Select the Update tab
    • Click Update

    [*]When the update is complete, select the Scanner tab

    [*]Select Perform quick scan, then click Scan.

    [*]When the scan is complete, click OK, then Show Results to view the results.

    [*]Be sure that everything is checked, and click Remove Selected.

    [*]When completed, a log will open in Notepad. please copy and paste the log into your next reply

    • If you accidently close it, the log file is saved here and will be named like this:
    • C:\Documents and Settings\Username\Application Data\Malwarebytes\Malwarebytes' Anti-Malware\Logs\mbam-log-date (time).txt

STEP 08

Reboot the computer and run HJT scan and save log.

STEP 09

Post back MBAM and HJT logs.

Link to post
Share on other sites

MBAM LOG

Malwarebytes' Anti-Malware 1.31

Database version: 1542

Windows 5.1.2600 Service Pack 2

12/24/2008 4:07:01 PM

mbam-log-2008-12-24 (16-07-01).txt

Scan type: Quick Scan

Objects scanned: 62105

Time elapsed: 1 minute(s), 41 second(s)

Memory Processes Infected: 0

Memory Modules Infected: 0

Registry Keys Infected: 1

Registry Values Infected: 0

Registry Data Items Infected: 0

Folders Infected: 0

Files Infected: 0

Memory Processes Infected:

(No malicious items detected)

Memory Modules Infected:

(No malicious items detected)

Registry Keys Infected:

HKEY_CLASSES_ROOT\CLSID\{ec43e3fd-5c60-46a6-97d7-e0b85dbdd6c4} (Trojan.BHO) -> Delete on reboot.

Registry Values Infected:

(No malicious items detected)

Registry Data Items Infected:

(No malicious items detected)

Folders Infected:

(No malicious items detected)

Files Infected:

(No malicious items detected)

Link to post
Share on other sites

Java.Ra.log

JavaRa 1.12 Removal Log.

Report follows after line.

------------------------------------

The JavaRa removal process was started on Wed Dec 24 15:54:24 2008

Found and removed: SOFTWARE\Classes\CLSID\{CAFEEFAC-0016-0000-0005-ABCDEFFEDCBA}

Found and removed: SOFTWARE\Classes\CLSID\{CAFEEFAC-0016-0000-0005-ABCDEFFEDCBB}

Found and removed: SOFTWARE\Classes\CLSID\{CAFEEFAC-0016-0000-0005-ABCDEFFEDCBC}

Found and removed: SOFTWARE\Classes\Installer\Features\8A0F842331866D117AB7000B0D610005

Found and removed: SOFTWARE\Classes\Installer\Products\8A0F842331866D117AB7000B0D610005

Found and removed: SOFTWARE\Classes\Installer\UpgradeCodes\7A0F842331866D117AB7000B0D610005

Found and removed: SOFTWARE\Classes\JavaPlugin.160_05

Found and removed: SOFTWARE\JavaSoft\Java Plug-in\1.6.0_05

Found and removed: SOFTWARE\JavaSoft\Java Runtime Environment\1.6.0_05

Found and removed: SOFTWARE\Microsoft\Code Store Database\Distribution Units\{CAFEEFAC-0016-0000-0005-ABCDEFFEDCBA}

Found and removed: SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UpgradeCodes\7A0F842331866D117AB7000B0D610005

Found and removed: SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Components\ACBB9B2318A96D117A58000B0D610005

Found and removed: SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Products\8A0F842331866D117AB7000B0D610005

Found and removed: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{3248F0A8-6813-11D6-A77B-00B0D0160050}

Found and removed: Software\Classes\JavaPlugin.160_05

Found and removed: Software\Classes\CLSID\{CAFEEFAC-0013-0000-0003-ABCDEFFEDCBA}

Found and removed: Software\Classes\CLSID\{CAFEEFAC-0013-0000-0004-ABCDEFFEDCBA}

Found and removed: Software\Classes\CLSID\{CAFEEFAC-0013-0000-0005-ABCDEFFEDCBA}

Found and removed: SOFTWARE\JavaSoft\Java Web Start\1.0.1

Found and removed: SOFTWARE\JavaSoft\Java Web Start\1.0.1_02

Found and removed: SOFTWARE\JavaSoft\Java Web Start\1.0.1_03

Found and removed: SOFTWARE\JavaSoft\Java Web Start\1.0.1_04

Found and removed: SOFTWARE\JavaSoft\Java Web Start\1.2

Found and removed: SOFTWARE\JavaSoft\Java Web Start\1.2.0_01

Found and removed: SOFTWARE\JavaSoft\Java Web Start\1.6.0_05

Found and removed: Software\JavaSoft\Java2D\1.6.0_05

Found and removed: Software\JavaSoft\Java Runtime Environment\1.6.0_05

Found and removed: Software\Classes\CLSID\{CAFEEFAC-0013-0001-0000-ABCDEFFEDCBA}

Found and removed: Software\Classes\CLSID\{CAFEEFAC-0013-0001-0001-ABCDEFFEDCBA}

Found and removed: Software\Classes\CLSID\{CAFEEFAC-0013-0001-0001-ABCDEFFEDCBB}

Found and removed: Software\Classes\CLSID\{CAFEEFAC-0013-0001-0002-ABCDEFFEDCBA}

Found and removed: Software\Classes\CLSID\{CAFEEFAC-0013-0001-0002-ABCDEFFEDCBB}

Found and removed: Software\Classes\CLSID\{CAFEEFAC-0013-0001-0003-ABCDEFFEDCBA}

Found and removed: Software\Classes\CLSID\{CAFEEFAC-0013-0001-0003-ABCDEFFEDCBB}

Found and removed: Software\Classes\CLSID\{CAFEEFAC-0013-0001-0004-ABCDEFFEDCBA}

Found and removed: Software\Classes\CLSID\{CAFEEFAC-0013-0001-0004-ABCDEFFEDCBB}

Found and removed: Software\Classes\CLSID\{CAFEEFAC-0013-0001-0005-ABCDEFFEDCBA}

Found and removed: Software\Classes\CLSID\{CAFEEFAC-0013-0001-0005-ABCDEFFEDCBB}

Found and removed: Software\Classes\CLSID\{CAFEEFAC-0013-0001-0006-ABCDEFFEDCBA}

Found and removed: Software\Classes\CLSID\{CAFEEFAC-0013-0001-0006-ABCDEFFEDCBB}

Found and removed: Software\Classes\CLSID\{CAFEEFAC-0013-0001-0007-ABCDEFFEDCBA}

Found and removed: Software\Classes\CLSID\{CAFEEFAC-0013-0001-0007-ABCDEFFEDCBB}

Found and removed: Software\Classes\CLSID\{CAFEEFAC-0013-0001-0008-ABCDEFFEDCBA}

Found and removed: Software\Classes\CLSID\{CAFEEFAC-0013-0001-0008-ABCDEFFEDCBB}

Found and removed: Software\Classes\CLSID\{CAFEEFAC-0013-0001-0009-ABCDEFFEDCBA}

Found and removed: Software\Classes\CLSID\{CAFEEFAC-0013-0001-0009-ABCDEFFEDCBB}

Found and removed: Software\Classes\CLSID\{CAFEEFAC-0013-0001-0010-ABCDEFFEDCBA}

Found and removed: Software\Classes\CLSID\{CAFEEFAC-0013-0001-0010-ABCDEFFEDCBB}

Found and removed: Software\Classes\CLSID\{CAFEEFAC-0013-0001-0011-ABCDEFFEDCBA}

Found and removed: Software\Classes\CLSID\{CAFEEFAC-0013-0001-0011-ABCDEFFEDCBB}

Found and removed: Software\Classes\CLSID\{CAFEEFAC-0013-0001-0012-ABCDEFFEDCBA}

Found and removed: Software\Classes\CLSID\{CAFEEFAC-0013-0001-0012-ABCDEFFEDCBB}

Found and removed: Software\Classes\CLSID\{CAFEEFAC-0013-0001-0013-ABCDEFFEDCBA}

Found and removed: Software\Classes\CLSID\{CAFEEFAC-0013-0001-0013-ABCDEFFEDCBB}

Found and removed: Software\Classes\CLSID\{CAFEEFAC-0013-0001-0014-ABCDEFFEDCBA}

Found and removed: Software\Classes\CLSID\{CAFEEFAC-0013-0001-0014-ABCDEFFEDCBB}

Found and removed: Software\Classes\CLSID\{CAFEEFAC-0013-0001-0015-ABCDEFFEDCBA}

Found and removed: Software\Classes\CLSID\{CAFEEFAC-0013-0001-0015-ABCDEFFEDCBB}

Found and removed: Software\Classes\CLSID\{CAFEEFAC-0013-0001-0016-ABCDEFFEDCBA}

Found and removed: Software\Classes\CLSID\{CAFEEFAC-0013-0001-0016-ABCDEFFEDCBB}

Found and removed: Software\Classes\CLSID\{CAFEEFAC-0013-0001-0017-ABCDEFFEDCBA}

Found and removed: Software\Classes\CLSID\{CAFEEFAC-0013-0001-0017-ABCDEFFEDCBB}

Found and removed: Software\Classes\CLSID\{CAFEEFAC-0013-0001-0018-ABCDEFFEDCBA}

Found and removed: Software\Classes\CLSID\{CAFEEFAC-0013-0001-0018-ABCDEFFEDCBB}

Found and removed: Software\Classes\CLSID\{CAFEEFAC-0013-0001-0019-ABCDEFFEDCBA}

Found and removed: Software\Classes\CLSID\{CAFEEFAC-0013-0001-0019-ABCDEFFEDCBB}

Found and removed: Software\Classes\CLSID\{CAFEEFAC-0013-0001-0020-ABCDEFFEDCBA}

Found and removed: Software\Classes\CLSID\{CAFEEFAC-0013-0001-0020-ABCDEFFEDCBB}

Found and removed: Software\Classes\CLSID\{CAFEEFAC-0013-0001-0021-ABCDEFFEDCBA}

Found and removed: Software\Classes\CLSID\{CAFEEFAC-0013-0001-0021-ABCDEFFEDCBB}

Found and removed: Software\Classes\CLSID\{CAFEEFAC-0013-0001-0022-ABCDEFFEDCBA}

Found and removed: Software\Classes\CLSID\{CAFEEFAC-0013-0001-0022-ABCDEFFEDCBB}

Found and removed: Software\Classes\CLSID\{CAFEEFAC-0013-0001-0023-ABCDEFFEDCBA}

Found and removed: Software\Classes\CLSID\{CAFEEFAC-0013-0001-0023-ABCDEFFEDCBB}

Found and removed: Software\Classes\CLSID\{CAFEEFAC-0013-0001-0024-ABCDEFFEDCBA}

Found and removed: Software\Classes\CLSID\{CAFEEFAC-0013-0001-0024-ABCDEFFEDCBB}

Found and removed: Software\Classes\CLSID\{CAFEEFAC-0013-0001-0025-ABCDEFFEDCBA}

Found and removed: Software\Classes\CLSID\{CAFEEFAC-0013-0001-0025-ABCDEFFEDCBB}

Found and removed: Software\Classes\CLSID\{CAFEEFAC-0013-0001-0026-ABCDEFFEDCBA}

Found and removed: Software\Classes\CLSID\{CAFEEFAC-0013-0001-0026-ABCDEFFEDCBB}

Found and removed: Software\Classes\CLSID\{CAFEEFAC-0013-0001-0027-ABCDEFFEDCBA}

Found and removed: Software\Classes\CLSID\{CAFEEFAC-0013-0001-0027-ABCDEFFEDCBB}

Found and removed: Software\Classes\CLSID\{CAFEEFAC-0013-0001-0028-ABCDEFFEDCBA}

Found and removed: Software\Classes\CLSID\{CAFEEFAC-0013-0001-0028-ABCDEFFEDCBB}

Found and removed: Software\Classes\CLSID\{CAFEEFAC-0013-0001-0029-ABCDEFFEDCBA}

Found and removed: Software\Classes\CLSID\{CAFEEFAC-0013-0001-0029-ABCDEFFEDCBB}

Found and removed: Software\Classes\CLSID\{CAFEEFAC-0013-0001-0030-ABCDEFFEDCBA}

Found and removed: Software\Classes\CLSID\{CAFEEFAC-0013-0001-0030-ABCDEFFEDCBB}

Found and removed: SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\Folders\\C:\Program Files\Java\jre1.6.0_05\

Found and removed: SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\Folders\\C:\Program Files\Java\jre1.6.0_05\bin\

Found and removed: SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\Folders\C:\Program Files\Common Files\Java\Update\Base Images\jre1.6.0.b105\patch-jre1.6.0_05.b13\

------------------------------------

Finished reporting.

Link to post
Share on other sites

HJT LOG

Logfile of Trend Micro HijackThis v2.0.2

Scan saved at 4:10:07 PM, on 12/24/2008

Platform: Windows XP SP2 (WinNT 5.01.2600)

MSIE: Internet Explorer v7.00 (7.00.6000.16762)

Boot mode: Normal

Running processes:

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\system32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\system32\spoolsv.exe

C:\Program Files\Bonjour\mDNSResponder.exe

C:\WINDOWS\system32\cisvc.exe

C:\Program Files\Java\jre6\bin\jqs.exe

C:\WINDOWS\system32\IoctlSvc.exe

C:\WINDOWS\system32\HPZipm12.exe

C:\Program Files\Promise\WebPAM 2.0\jetty\extra\win32\wrapper.exe

C:\WINDOWS\System32\svchost.exe

C:\Program Files\Viewpoint\Common\ViewpointService.exe

C:\Program Files\Promise\WebPAM 2.0\_jvm\bin\java.exe

C:\WINDOWS\system32\userinit.exe

C:\WINDOWS\Explorer.EXE

C:\WINDOWS\system32\ctfmon.exe

C:\Program Files\Java\jre6\bin\jusched.exe

C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe

C:\WINDOWS\System32\svchost.exe

C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157

R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local

O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll

O2 - BHO: ContributeBHO Class - {074C1DC5-9320-4A9A-947D-C042949C6216} - C:\Program Files\Adobe\/Adobe Contribute CS3/contributeieplugin.dll

O2 - BHO: Java Plug-In SSV Helper - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre6\bin\ssv.dll

O2 - BHO: Java Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll

O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll

O3 - Toolbar: Contribute Toolbar - {517BDDE4-E3A7-4570-B21E-2B52B6139FC7} - C:\Program Files\Adobe\/Adobe Contribute CS3/contributeieplugin.dll

O3 - Toolbar: &Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll

O4 - HKLM\..\Run: [PtiuPbmd] Rundll32.exe ptipbm.dll,SetWriteBack

O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup

O4 - HKLM\..\Run: [MSConfig] C:\WINDOWS\PCHealth\HelpCtr\Binaries\MSConfig.exe /auto

O4 - HKLM\..\Run: [sunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"

O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe

O4 - HKCU\..\Run: [Windows Live FolderShare] "C:\Documents and Settings\steve\Local Settings\Application Data\FolderShare\FolderShare.exe" /background

O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe

O8 - Extra context menu item: Add to Google Photos Screensa&ver - res://C:\WINDOWS\system32\GPhotos.scr/200

O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe

O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe

O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe

O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe

O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/windowsupd...b?1229938396765

O16 - DPF: {843EE768-3A97-455C-9076-741BA3AD7B62} (QuickBooks Online Edition Utilities Class v10) - https://accounting.quickbooks.com/c2/v21.120/qboax10.cab

O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll

O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe

O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe

O23 - Service: getPlus® Helper - NOS Microsystems Ltd. - C:\Program Files\NOS\bin\getPlus_HelperSvc.exe

O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe

O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe

O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe

O23 - Service: NMIndexingService - Nero AG - C:\Program Files\Common Files\Nero\Lib\NMIndexingService.exe

O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe

O23 - Service: PLFlash DeviceIoControl Service - Prolific Technology Inc. - C:\WINDOWS\system32\IoctlSvc.exe

O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe

O23 - Service: Promise WebPAM (PromiseWebPAM) - Unknown owner - C:\Program Files\Promise\WebPAM 2.0\jetty\extra\win32\wrapper.exe

O23 - Service: LiveShare P2P Server 9 (RoxLiveShare9) - Sonic Solutions - C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxLiveShare9.exe

O23 - Service: Viewpoint Manager Service - Viewpoint Corporation - C:\Program Files\Viewpoint\Common\ViewpointService.exe

--

End of file - 5970 bytes

Link to post
Share on other sites

  • Root Admin

Well it is the Holidays and most helpers are away with Family and Friends.

I will be out of Town until Monday but please run the following while I'm away and I'll assist you further when I return.

The logs look reasonably good. How is the system running now? Is there still any sign of Malware ?

Please run this AntiVirus tool

Download to the desktop: Dr.Web CureIt

  • Doubleclick the drweb-cureit.exe file and Allow to run the express scan
  • This will scan the files currently running in memory and when something is found, click the yes button when it asks you if you want to cure it. This is only a short scan.
  • Once the short scan has finished, Click Options > Change settings
  • Choose the "Scan"-tab, remove the mark at "Heuristic analysis".
  • Back at the main window, mark the drives that you want to scan.
  • Select all drives. A red dot shows which drives have been chosen.
  • Click the green arrow at the right, and the scan will start.
  • Click 'Yes to all' if it asks if you want to cure/move the file.
  • When the scan has finished, look if you can click next icon next to the files found:
    check.gif
    If so, click it and then click the next icon right below and select Move incurable as you'll see in next image:
    move.gif
    This will move it to the %userprofile%\DoctorWeb\quarantaine-folder if it can't be cured. (this in case if we need samples)
  • After selecting, in the Dr.Web CureIt menu on top, click file and choose save report list
  • Save the report to your desktop. The report will be called DrWeb.csv
  • Close Dr.Web Cureit.
  • Reboot your computer!! Because it could be possible that files in use will be moved/deleted during reboot.
  • After reboot, post the contents of the log from Dr.Web you saved previously in your next reply with a new hijackthis log.

Then let me know if it finds anything and how the computer is working now.

Thanks, and I'll be back on Monday to assist you further.

Link to post
Share on other sites

Hi, yeah thanks, I was a bit away myself.

I ran MBAM again, and it still came up with the vundo virus.

Malwarebytes' Anti-Malware 1.31

Database version: 1556

Windows 5.1.2600 Service Pack 2

12/27/2008 1:59:18 PM

mbam-log-2008-12-27 (13-59-18).txt

Scan type: Quick Scan

Objects scanned: 62095

Time elapsed: 2 minute(s), 39 second(s)

Memory Processes Infected: 0

Memory Modules Infected: 0

Registry Keys Infected: 1

Registry Values Infected: 0

Registry Data Items Infected: 0

Folders Infected: 0

Files Infected: 0

Memory Processes Infected:

(No malicious items detected)

Memory Modules Infected:

(No malicious items detected)

Registry Keys Infected:

HKEY_CLASSES_ROOT\CLSID\{ec43e3fd-5c60-46a6-97d7-e0b85dbdd6c4} (Trojan.BHO) -> Delete on reboot.

Registry Values Infected:

(No malicious items detected)

Registry Data Items Infected:

(No malicious items detected)

Folders Infected:

(No malicious items detected)

Files Infected:

(No malicious items detected)

So i ran search and destroy and i found a couple things, and i deleted those.

Now i am running the Dr Web, and it found some things, but it's going to be a while till it finishes... I will post it up when its done.

Thanks again, and happy holidays

Link to post
Share on other sites

HIJACK LOG:

Logfile of Trend Micro HijackThis v2.0.2

Scan saved at 8:49:01 PM, on 12/27/2008

Platform: Windows XP SP2 (WinNT 5.01.2600)

MSIE: Internet Explorer v7.00 (7.00.6000.16762)

Boot mode: Normal

Running processes:

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\system32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\system32\spoolsv.exe

C:\Program Files\Bonjour\mDNSResponder.exe

C:\WINDOWS\system32\cisvc.exe

C:\Program Files\Java\jre6\bin\jqs.exe

C:\WINDOWS\system32\IoctlSvc.exe

C:\WINDOWS\system32\HPZipm12.exe

C:\Program Files\Promise\WebPAM 2.0\jetty\extra\win32\wrapper.exe

C:\WINDOWS\System32\svchost.exe

C:\Program Files\Viewpoint\Common\ViewpointService.exe

C:\Program Files\Promise\WebPAM 2.0\_jvm\bin\java.exe

C:\WINDOWS\system32\userinit.exe

C:\WINDOWS\Explorer.EXE

C:\WINDOWS\system32\ctfmon.exe

C:\Program Files\Java\jre6\bin\jusched.exe

C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\system32\wuauclt.exe

C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157

R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local

O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll

O2 - BHO: Java Plug-In SSV Helper - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre6\bin\ssv.dll

O2 - BHO: Java Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll

O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll

O4 - HKLM\..\Run: [PtiuPbmd] Rundll32.exe ptipbm.dll,SetWriteBack

O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup

O4 - HKLM\..\Run: [sunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"

O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe

O4 - HKCU\..\Run: [Windows Live FolderShare] "C:\Documents and Settings\steve\Local Settings\Application Data\FolderShare\FolderShare.exe" /background

O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe

O8 - Extra context menu item: Add to Google Photos Screensa&ver - res://C:\WINDOWS\system32\GPhotos.scr/200

O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe

O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe

O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe

O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe

O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/windowsupd...b?1229938396765

O16 - DPF: {843EE768-3A97-455C-9076-741BA3AD7B62} (QuickBooks Online Edition Utilities Class v10) - https://accounting.quickbooks.com/c2/v21.120/qboax10.cab

O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll

O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe

O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe

O23 - Service: getPlus® Helper - NOS Microsystems Ltd. - C:\Program Files\NOS\bin\getPlus_HelperSvc.exe

O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe

O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe

O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe

O23 - Service: NMIndexingService - Nero AG - C:\Program Files\Common Files\Nero\Lib\NMIndexingService.exe

O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe

O23 - Service: PLFlash DeviceIoControl Service - Prolific Technology Inc. - C:\WINDOWS\system32\IoctlSvc.exe

O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe

O23 - Service: Promise WebPAM (PromiseWebPAM) - Unknown owner - C:\Program Files\Promise\WebPAM 2.0\jetty\extra\win32\wrapper.exe

O23 - Service: LiveShare P2P Server 9 (RoxLiveShare9) - Sonic Solutions - C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxLiveShare9.exe

O23 - Service: Viewpoint Manager Service - Viewpoint Corporation - C:\Program Files\Viewpoint\Common\ViewpointService.exe

--

End of file - 5502 bytes

Link to post
Share on other sites

DR WEB LOG

uninst.exe;C:\Program Files\DAEMON Tools Lite;Archive contains infected objects;Moved.;

data002\data001;C:\Program Files\DAEMON Tools Lite\uninst.exe\data002;Adware.Shopper;;

data002\data002;C:\Program Files\DAEMON Tools Lite\uninst.exe\data002;Adware.SaveNow.128;;

pldr7[1].htm;C:\Documents and Settings\NetworkService\Local Settings\Temporary Internet Files\Content.IE5\79I8NNMY;Trojan.Virtumod.1461;Deleted.;

data002;C:\Program Files\DAEMON Tools Lite\uninst.exe;Archive contains infected objects;;

Link to post
Share on other sites

Then i did another MBAM Scan:

Malwarebytes' Anti-Malware 1.31

Database version: 1556

Windows 5.1.2600 Service Pack 2

12/27/2008 8:54:39 PM

mbam-log-2008-12-27 (20-54-39).txt

Scan type: Quick Scan

Objects scanned: 62717

Time elapsed: 3 minute(s), 19 second(s)

Memory Processes Infected: 0

Memory Modules Infected: 0

Registry Keys Infected: 1

Registry Values Infected: 0

Registry Data Items Infected: 0

Folders Infected: 0

Files Infected: 0

Memory Processes Infected:

(No malicious items detected)

Memory Modules Infected:

(No malicious items detected)

Registry Keys Infected:

HKEY_CLASSES_ROOT\CLSID\{ec43e3fd-5c60-46a6-97d7-e0b85dbdd6c4} (Trojan.BHO) -> Delete on reboot.

Registry Values Infected:

(No malicious items detected)

Registry Data Items Infected:

(No malicious items detected)

Folders Infected:

(No malicious items detected)

Files Infected:

(No malicious items detected)

Is it time to just wipe my HD?

Link to post
Share on other sites

  • Root Admin

Please run REGEDIT and browse to this key: HKEY_CLASSES_ROOT\CLSID\{ec43e3fd-5c60-46a6-97d7-e0b85dbdd6c4}

Then click on PERMISSIONS (you may need to boot into SAFE MODE if this is Windows XP Home Edition)

Go to the OWNERSHIP tab and set the OWNER to an Administrator account and apply the changes.

Then check PERMISSIONS again and make sure the Administrator account has FULL rights and try to delete that key.

If you're not comfortable doing this let me know and I can provide more detailed instructions.

Let me know how it goes.

Link to post
Share on other sites

  • Root Admin

Okay, sorry for the delay - if you still need help please run the following and post back.

STEP01

Run this file to repair file and registry permissions

fixacl.exe

STEP02

Run this file after to remove an invalid startup entry. Double click and say Yes to import the settings.

clearinit.reg

STEP03

Malwarebytes' Anti-Malware

  • Start MalwareBytes AntiMalware
    • Update Malwarebytes' Anti-Malware
    • Select the Update tab
    • Click Update

    [*]When the update is complete, select the Scanner tab

    [*]Select Perform quick scan, then click Scan.

    [*]When the scan is complete, click OK, then Show Results to view the results.

    [*]Be sure that everything is checked, and click Remove Selected.

    [*]When completed, a log will open in Notepad. please copy and paste the log into your next reply

    • If you accidently close it, the log file is saved here and will be named like this:
    • C:\Documents and Settings\Username\Application Data\Malwarebytes\Malwarebytes' Anti-Malware\Logs\mbam-log-date (time).txt

The RESTART the computer again and AFTER the restart run HJT Scan and Save log and post back all NEW logs.

Link to post
Share on other sites

hello, thanks again...

MBAM logs (still infected (!))

Malwarebytes' Anti-Malware 1.32

Database version: 1621

Windows 5.1.2600 Service Pack 3

1/5/2009 7:41:27 PM

mbam-log-2009-01-05 (19-41-27).txt

Scan type: Quick Scan

Objects scanned: 65399

Time elapsed: 1 minute(s), 59 second(s)

Memory Processes Infected: 0

Memory Modules Infected: 0

Registry Keys Infected: 1

Registry Values Infected: 0

Registry Data Items Infected: 0

Folders Infected: 0

Files Infected: 0

Memory Processes Infected:

(No malicious items detected)

Memory Modules Infected:

(No malicious items detected)

Registry Keys Infected:

HKEY_CLASSES_ROOT\CLSID\{ec43e3fd-5c60-46a6-97d7-e0b85dbdd6c4} (Trojan.BHO) -> Quarantined and deleted successfully.

Registry Values Infected:

(No malicious items detected)

Registry Data Items Infected:

(No malicious items detected)

Folders Infected:

(No malicious items detected)

Files Infected:

(No malicious items detected)

HJT LOG

Logfile of Trend Micro HijackThis v2.0.2

Scan saved at 7:45:53 PM, on 1/5/2009

Platform: Windows XP SP3 (WinNT 5.01.2600)

MSIE: Internet Explorer v7.00 (7.00.6000.16762)

Boot mode: Normal

Running processes:

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\system32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\system32\spoolsv.exe

C:\Program Files\Bonjour\mDNSResponder.exe

C:\WINDOWS\system32\cisvc.exe

C:\Program Files\Java\jre6\bin\jqs.exe

C:\WINDOWS\system32\IoctlSvc.exe

C:\WINDOWS\system32\HPZipm12.exe

C:\Program Files\Promise\WebPAM 2.0\jetty\extra\win32\wrapper.exe

C:\WINDOWS\System32\svchost.exe

C:\Program Files\Viewpoint\Common\ViewpointService.exe

C:\Program Files\Promise\WebPAM 2.0\_jvm\bin\java.exe

C:\WINDOWS\Explorer.EXE

C:\WINDOWS\system32\ctfmon.exe

C:\Program Files\Java\jre6\bin\jusched.exe

C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\system32\wuauclt.exe

C:\Program Files\Malwarebytes' Anti-Malware\mbam.exe

C:\Program Files\Mozilla Firefox3\firefox.exe

C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157

R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local

O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll

O2 - BHO: Java Plug-In SSV Helper - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre6\bin\ssv.dll

O2 - BHO: Java Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll

O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll

O4 - HKLM\..\Run: [PtiuPbmd] Rundll32.exe ptipbm.dll,SetWriteBack

O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup

O4 - HKLM\..\Run: [sunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"

O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe

O4 - HKCU\..\Run: [Windows Live FolderShare] "C:\Documents and Settings\steve\Local Settings\Application Data\FolderShare\FolderShare.exe" /background

O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe

O8 - Extra context menu item: Add to Google Photos Screensa&ver - res://C:\WINDOWS\system32\GPhotos.scr/200

O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe

O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe

O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe

O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe

O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/windowsupd...b?1229938396765

O16 - DPF: {843EE768-3A97-455C-9076-741BA3AD7B62} (QuickBooks Online Edition Utilities Class v10) - https://accounting.quickbooks.com/c2/v21.120/qboax10.cab

O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll

O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe

O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe

O23 - Service: getPlus® Helper - NOS Microsystems Ltd. - C:\Program Files\NOS\bin\getPlus_HelperSvc.exe

O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe

O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe

O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe

O23 - Service: NMIndexingService - Nero AG - C:\Program Files\Common Files\Nero\Lib\NMIndexingService.exe

O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe

O23 - Service: PLFlash DeviceIoControl Service - Prolific Technology Inc. - C:\WINDOWS\system32\IoctlSvc.exe

O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe

O23 - Service: Promise WebPAM (PromiseWebPAM) - Unknown owner - C:\Program Files\Promise\WebPAM 2.0\jetty\extra\win32\wrapper.exe

O23 - Service: LiveShare P2P Server 9 (RoxLiveShare9) - Sonic Solutions - C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxLiveShare9.exe

O23 - Service: Viewpoint Manager Service - Viewpoint Corporation - C:\Program Files\Viewpoint\Common\ViewpointService.exe

--

End of file - 5567 bytes

Link to post
Share on other sites

Guest
This topic is now closed to further replies.
  • Recently Browsing   0 members

    • No registered users viewing this page.
Back to top
×
×
  • Create New...

Important Information

This site uses cookies - We have placed cookies on your device to help make this website better. You can adjust your cookie settings, otherwise we'll assume you're okay to continue.