Jump to content


Photo

rundll32.exe error need help please (Resolved)


  • This topic is locked This topic is locked
22 replies to this topic

#1 sandek1

sandek1

    Member

  • Members
  • 14 posts

Posted 23 October 2009 - 12:12 PM

The error I get on start up is:
"The application or DLL c:DOCUME~1\owner\ntuser.dll is not a valid Windows image. Please check this against your instillation diskett."
If I clikc "OK" I am able to use the Internet and check emails etc.
This ploblem started last weekend, when I picked up a virus.

I have an eMachines computer, with McAfee security suite. I picked up a virus last weekend, surfing the Internet. I seem to have removed most of it with Malawarebytes, McA, and Spybot have all been updated and ran with averything removed that they find. I also have Windows XP with SP3, Home Ed. ver. 2002.
Below is my logs:

info.txt logfile of random's system information tool 1.06 2009-10-23 12:48:14

======Uninstall list======

-->RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\09\01\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{19822917-61F6-4221-B1D0-1C3B8A06BE60}\setup.exe" -l0x9
-->RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\09\01\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{19822917-61F6-4221-B1D0-1C3B8A06BE60}\setup.exe" -l0x9 /remove
-->RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\09\01\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{57FA4E0F-82C9-417D-87BC-0186D6CB7A44}\setup.exe" -l0x9
-->RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\09\01\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{63A317D0-60A6-43FC-848A-9FE4A53B29CE}\setup.exe" -l0x9
-->RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\09\01\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{7C9F6AF4-E9D9-47FE-BE4B-E637C2FCB410}\setup.exe" -l0x9
-->RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\09\01\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{7C9F6AF4-E9D9-47FE-BE4B-E637C2FCB410}\setup.exe" -l0x9 /remove
-->RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\09\01\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{98181885-5B28-4280-9B56-452FF877D5B9}\setup.exe" -l0x9
-->RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\09\01\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{98181885-5B28-4280-9B56-452FF877D5B9}\setup.exe" -l0x9 /remove
-->RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\09\01\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{9A0B5225-B59B-4D72-B3FE-71AAA693A8E2}\setup.exe" -l0x9
-->RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\09\01\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{9A0B5225-B59B-4D72-B3FE-71AAA693A8E2}\setup.exe" -l0x9 /remove
-->RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\09\01\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{A9BB081B-C020-4D02-A763-D32204D2563D}\setup.exe" -l0x9
-->RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\09\01\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{A9BB081B-C020-4D02-A763-D32204D2563D}\setup.exe" -l0x9 /remove
-->RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\09\01\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{C029DB0E-C59F-417A-90F8-88FD5B2C4AE7}\setup.exe" -l0x9
-->rundll32.exe setupapi.dll,InstallHinfSection DefaultUninstall 132 C:\WINDOWS\INF\PCHealth.inf
Ad-aware 6 Personal-->C:\PROGRA~1\Lavasoft\AD-AWA~1\UNWISE.EXE C:\PROGRA~1\Lavasoft\AD-AWA~1\INSTALL.LOG
Adobe Flash Player 10 ActiveX-->C:\WINDOWS\system32\Macromed\Flash\uninstall_activeX.exe
Adobe Reader 7.0.5-->MsiExec.exe /I{AC76BA86-7AD7-1033-7B44-A70500000002}
Adobe Shockwave Player 11.5-->C:\WINDOWS\system32\Adobe\uninstaller.exe
Adobe SVG Viewer 3.0-->C:\Program Files\Common Files\Adobe\SVG Viewer 3.0\Uninstall\Winstall.exe -u -fC:\Program Files\Common Files\Adobe\SVG Viewer 3.0\Uninstall\Install.log
AI RoboForm (All Users)-->"C:\Program Files\Siber Systems\AI RoboForm\rfwipeout.exe"
ArcSoft Camera Suite 1.3-->RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{AD13BFB0-FDD2-4AFA-A8AF-9F4A950D56B7}\setup.exe" -l0x9
ArcSoft PhotoImpression 5-->RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{D433ABC3-0CD8-4BB0-B6A9-84501B4B47B7}\Setup.exe" -l0x9
Bicycle Casino-->"C:\Program Files\Microsoft Games\Bicycle Casino\UNINSTAL.EXE" /runtemp /addremove
CalorieKing.com Diet Diary for PalmOS-->C:\Program Files\CalorieKing.com Diet Diary for PalmOS\Uninst.exe
Canon Camera Support Core Library-->C:\Program Files\Common Files\InstallShield\Driver\8\Intel 32\IDriver.exe /M{B9B9863A-32FD-4133-ADB7-46244ED77694} /l1033
Canon Camera Window for ZoomBrowser EX-->C:\Program Files\Common Files\InstallShield\Driver\8\Intel 32\IDriver.exe /M{F37942A8-B21B-4C5A-A1D2-B676BF55EAE0}
Canon iP1800 series User Registration-->C:\Program Files\Canon\IJEREG\iP1800 series\UNINST.EXE
Canon iP1800 series-->"C:\WINDOWS\system32\CanonIJ Uninstaller Information\{1199FAD5-9546-44f3-81CF-FFDB8040B7BF}_Canon_iP1800_series\DelDrv.exe" /U:{1199FAD5-9546-44f3-81CF-FFDB8040B7BF}_Canon_iP1800_series /L0x0009
Canon MovieEdit Task for ZoomBrowser EX-->C:\Program Files\Common Files\InstallShield\Driver\8\Intel 32\IDriver.exe /M{DE286975-ACF1-45B8-9EF7-34E162B2C817}
Canon My Printer-->C:\Program Files\Canon\MyPrinter\uninst.exe uninst.ini
Canon PhotoRecord-->MsiExec.exe /X{BEF56F2D-56ED-4176-BF72-7B68D4A3B98D}
Canon RAW Image Task for ZoomBrowser EX-->C:\Program Files\Common Files\InstallShield\Driver\8\Intel 32\IDriver.exe /M{9518F764-C54D-47B2-9E73-154B21E79FD2}
Canon RemoteCapture Task for ZoomBrowser EX-->C:\Program Files\Common Files\InstallShield\Driver\8\Intel 32\IDriver.exe /M{2C164906-E68F-462A-9010-70DD022223EF}
Canon Utilities Easy-LayoutPrint-->C:\Program Files\Canon\Easy-LayoutPrint\uninst.exe uninst.ini
Canon Utilities Easy-PhotoPrint-->C:\Program Files\Canon\Easy-PhotoPrint\uninst.exe uninst.ini
Canon Utilities PhotoStitch 3.1-->C:\Program Files\Common Files\InstallShield\Driver\8\Intel 32\IDriver.exe /M{EF4C7EB0-D71B-43A3-9552-8053DE4B0401}
Canon Utilities ZoomBrowser EX-->MsiExec.exe /X{C1D76D7A-F3BB-47EA-A746-5B1E2FFC1DF2}
Creative Removable Disk Manager-->RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\09\01\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{57FA4E0F-82C9-417D-87BC-0186D6CB7A44}\setup.exe" -l0x9 /remove
Creative System Information-->RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\09\01\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{63A317D0-60A6-43FC-848A-9FE4A53B29CE}\setup.exe" -l0x9 /remove
Creative ZEN V Series (R2)-->RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\09\01\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{9862E0CB-4727-4FFC-963A-E22A9E9EC10C}\SETUP.EXE" -l0x9 /remove
Digital Media Reader-->C:\Program Files\Common Files\InstallShield\Driver\8\Intel 32\IDriver.exe /M{81EED1A1-AE78-4B11-BE47-C6AE9F5E87F1}
EasyGPS-->"C:\Program Files\EasyGPS\unins000.exe"
EPSON CX 4200 4800 Guide-->C:\Program Files\epson\guide\cx4200_4800_e\uninstall.exe
EPSON PhotoCenter-->RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{D21553E9-2EC5-4E8C-AB71-07AC07D50BBC}\setup.exe" -l0x9 anything
EPSON Printer Software-->C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\EPUPDATE.EXE /R
EPSON Scan-->C:\Program Files\epson\escndv\setup\setup.exe /r
Garmin Communicator Plugin-->MsiExec.exe /X{14C9AE19-4254-4280-ACD3-E159231DC2CD}
Garmin Trip and Waypoint Manager v3-->MsiExec.exe /X{5414086B-AE06-4332-8A59-26FF0F630D1B}
GeoBuddy-->"C:\Program Files\GeoBuddy\unins000.exe"
Google Earth-->RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\11\50\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{3DE5E7D4-7B88-403C-A3FD-2017A8240C5B}\setup.exe" -l0x9 -removeonly
HijackThis 2.0.2-->"C:\Program Files\trend micro\HijackThis.exe" /uninstall
Hotfix for Windows Internet Explorer 7 (KB947864)-->"C:\WINDOWS\ie7updates\KB947864-IE7\spuninst\spuninst.exe"
Hotfix for Windows Media Format SDK (KB902344)-->"C:\WINDOWS\$NtUninstallKB902344$\spuninst\spuninst.exe"
Hotfix for Windows XP (KB952287)-->"C:\WINDOWS\$NtUninstallKB952287$\spuninst\spuninst.exe"
Hotfix for Windows XP (KB970653-v3)-->"C:\WINDOWS\$NtUninstallKB970653-v3$\spuninst\spuninst.exe"
Java™ 6 Update 16-->MsiExec.exe /X{26A24AE4-039D-4CA4-87B4-2F83216016FF}
Malwarebytes' Anti-Malware-->"C:\Program Files\Malwarebytes' Anti-Malware\unins000.exe"
MapSource - US Topo v3.02-->RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{AD4203ED-7683-435E-B436-C299773A9936}\setup.exe" -l0x9 AddRemove
Masque Slots - IGT and MultiPlay Video Poker-->C:\Program Files\MasqueGames\uninstall.exe "Masque Slots - IGT and MultiPlay Video Poker.ilg"
McAfee SecurityCenter-->C:\Program Files\McAfee\MSC\mcuninst.exe
McAfee Virtual Technician-->MsiExec.exe /I{49FA793C-785E-47E9-93DF-BD442B0B45D1}
Microsoft .NET Framework 1.1 Security Update (KB953297)-->"C:\WINDOWS\Microsoft.NET\Framework\v1.1.4322\Updates\hotfix.exe" "C:\WINDOWS\Microsoft.NET\Framework\v1.1.4322\Updates\M953297\M953297Uninstall.msp"
Microsoft .NET Framework 1.1-->msiexec.exe /X {CB2F7EDD-9D1F-43C1-90FC-4F52EAE172A1}
Microsoft .NET Framework 1.1-->MsiExec.exe /X{CB2F7EDD-9D1F-43C1-90FC-4F52EAE172A1}
Microsoft Internationalized Domain Names Mitigation APIs-->"C:\WINDOWS\$NtServicePackUninstallIDNMitigationAPIs$\spuninst\spuninst.exe"
Microsoft Money 2004 System Pack-->MsiExec.exe /I{8C64E145-54BA-11D6-91B1-00500462BE80}
Microsoft Money 2004-->MsiExec.exe /I{1D643CD7-4DD6-11D7-A4E0-000874180BB3}
Microsoft National Language Support Downlevel APIs-->"C:\WINDOWS\$NtServicePackUninstallNLSDownlevelMapping$\spuninst\spuninst.exe"
Microsoft Office 2000 Professional-->MsiExec.exe /I{00010409-78E1-11D2-B60F-006097C998E7}
Microsoft Visual C++ 2005 Redistributable-->MsiExec.exe /X{837b34e3-7c30-493c-8f6a-2b0f04e2912c}
Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.17-->MsiExec.exe /X{9A25302D-30C0-39D9-BD6F-21E6EC160475}
Microsoft Works-->MsiExec.exe /I{416D80BA-6F6D-4672-B7CF-F54DA2F80B44}
Move Networks Player for Internet Explorer-->"C:\Documents and Settings\Owner\Application Data\Move Networks\ie_bin\unins000.exe"
MSN Money Investment Toolbox-->"C:\Program Files\Microsoft Money 2006\MNYCoreFiles\Setup\uninst.exe" /s:5
MSN Music Assistant-->rundll32 advpack.dll,LaunchINFSection C:\WINDOWS\INF\msninst.inf,Uninstall
MSXML 4.0 SP2 (KB927978)-->MsiExec.exe /I{37477865-A3F1-4772-AD43-AAFC6BCFF99F}
MSXML 4.0 SP2 (KB936181)-->MsiExec.exe /I{C04E32E0-0416-434D-AFB9-6969D703A9EF}
MSXML 4.0 SP2 (KB954430)-->MsiExec.exe /I{86493ADD-824D-4B8E-BD72-8C5DCDC52A71}
Napster for Windows Media Player-->RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\09\01\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{CF2606C7-63AF-40F4-8919-F2EC654ACC91}\setup.exe" -l0x9
Nero BurnRights-->C:\WINDOWS\UNNeroBurnRights.exe /UNINSTALL
Nero OEM-->C:\Program Files\Ahead\nero\uninstall\UNNERO.exe /UNINSTALL
NVIDIA Drivers-->C:\WINDOWS\system32\NVUNINST.EXE UninstallGUI
NvMixer-->RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{D7A6C517-11F2-419F-B5BB-27772B939698}\setup.exe" -uninstall
OverDrive Media Console-->MsiExec.exe /I{16D9439B-DF3D-43D1-A727-4B335300D07A}
Palm-->MsiExec.exe /X{0030188A-533E-42EE-9837-E044F10E4369}
PowerDVD-->RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{6811CAA0-BF12-11D4-9EA1-0050BAE317E1}\setup.exe" -uninstall
QuickTime-->MsiExec.exe /I{08094E03-AFE4-4853-9D31-6D0743DF5328}
RealPlayer Basic-->C:\Program Files\Common Files\Real\Update\\rnuninst.exe RealNetworks|RealPlayer|6.0
Security Update for Windows Internet Explorer 7 (KB937143)-->"C:\WINDOWS\ie7updates\KB937143-IE7\spuninst\spuninst.exe"
Security Update for Windows Internet Explorer 7 (KB938127)-->"C:\WINDOWS\ie7updates\KB938127-IE7\spuninst\spuninst.exe"
Security Update for Windows Internet Explorer 7 (KB939653)-->"C:\WINDOWS\ie7updates\KB939653-IE7\spuninst\spuninst.exe"
Security Update for Windows Internet Explorer 7 (KB942615)-->"C:\WINDOWS\ie7updates\KB942615-IE7\spuninst\spuninst.exe"
Security Update for Windows Internet Explorer 7 (KB944533)-->"C:\WINDOWS\ie7updates\KB944533-IE7\spuninst\spuninst.exe"
Security Update for Windows Internet Explorer 7 (KB950759)-->"C:\WINDOWS\ie7updates\KB950759-IE7\spuninst\spuninst.exe"
Security Update for Windows Internet Explorer 7 (KB953838)-->"C:\WINDOWS\ie7updates\KB953838-IE7\spuninst\spuninst.exe"
Security Update for Windows Internet Explorer 7 (KB956390)-->"C:\WINDOWS\ie7updates\KB956390-IE7\spuninst\spuninst.exe"
Security Update for Windows Internet Explorer 7 (KB958215)-->"C:\WINDOWS\ie7updates\KB958215-IE7\spuninst\spuninst.exe"
Security Update for Windows Internet Explorer 7 (KB960714)-->"C:\WINDOWS\ie7updates\KB960714-IE7\spuninst\spuninst.exe"
Security Update for Windows Internet Explorer 7 (KB961260)-->"C:\WINDOWS\ie7updates\KB961260-IE7\spuninst\spuninst.exe"
Security Update for Windows Internet Explorer 7 (KB963027)-->"C:\WINDOWS\ie7updates\KB963027-IE7\spuninst\spuninst.exe"
Security Update for Windows Internet Explorer 7 (KB969897)-->"C:\WINDOWS\ie7updates\KB969897-IE7\spuninst\spuninst.exe"
Security Update for Windows Internet Explorer 7 (KB972260)-->"C:\WINDOWS\ie7updates\KB972260-IE7\spuninst\spuninst.exe"
Security Update for Windows Internet Explorer 7 (KB974455)-->"C:\WINDOWS\ie7updates\KB974455-IE7\spuninst\spuninst.exe"
Security Update for Windows Media Player (KB952069)-->"C:\WINDOWS\$NtUninstallKB952069_WM9$\spuninst\spuninst.exe"
Security Update for Windows Media Player (KB954155)-->"C:\WINDOWS\$NtUninstallKB954155_WM9$\spuninst\spuninst.exe"
Security Update for Windows Media Player (KB968816)-->"C:\WINDOWS\$NtUninstallKB968816_WM9$\spuninst\spuninst.exe"
Security Update for Windows Media Player (KB973540)-->"C:\WINDOWS\$NtUninstallKB973540_WM9$\spuninst\spuninst.exe"
Security Update for Windows Media Player 10 (KB917734)-->"C:\WINDOWS\$NtUninstallKB917734_WMP10$\spuninst\spuninst.exe"
Security Update for Windows Media Player 10 (KB936782)-->"C:\WINDOWS\$NtUninstallKB936782_WMP10$\spuninst\spuninst.exe"
Security Update for Windows XP (KB923561)-->"C:\WINDOWS\$NtUninstallKB923561$\spuninst\spuninst.exe"
Security Update for Windows XP (KB938464)-->"C:\WINDOWS\$NtUninstallKB938464$\spuninst\spuninst.exe"
Security Update for Windows XP (KB941569)-->"C:\WINDOWS\$NtUninstallKB941569$\spuninst\spuninst.exe"
Security Update for Windows XP (KB946648)-->"C:\WINDOWS\$NtUninstallKB946648$\spuninst\spuninst.exe"
Security Update for Windows XP (KB950760)-->"C:\WINDOWS\$NtUninstallKB950760$\spuninst\spuninst.exe"
Security Update for Windows XP (KB950762)-->"C:\WINDOWS\$NtUninstallKB950762$\spuninst\spuninst.exe"
Security Update for Windows XP (KB950974)-->"C:\WINDOWS\$NtUninstallKB950974$\spuninst\spuninst.exe"
Security Update for Windows XP (KB951066)-->"C:\WINDOWS\$NtUninstallKB951066$\spuninst\spuninst.exe"
Security Update for Windows XP (KB951376)-->"C:\WINDOWS\$NtUninstallKB951376$\spuninst\spuninst.exe"
Security Update for Windows XP (KB951376-v2)-->"C:\WINDOWS\$NtUninstallKB951376-v2$\spuninst\spuninst.exe"
Security Update for Windows XP (KB951698)-->"C:\WINDOWS\$NtUninstallKB951698$\spuninst\spuninst.exe"
Security Update for Windows XP (KB951748)-->"C:\WINDOWS\$NtUninstallKB951748$\spuninst\spuninst.exe"
Security Update for Windows XP (KB952004)-->"C:\WINDOWS\$NtUninstallKB952004$\spuninst\spuninst.exe"
Security Update for Windows XP (KB952954)-->"C:\WINDOWS\$NtUninstallKB952954$\spuninst\spuninst.exe"
Security Update for Windows XP (KB953839)-->"C:\WINDOWS\$NtUninstallKB953839$\spuninst\spuninst.exe"
Security Update for Windows XP (KB954211)-->"C:\WINDOWS\$NtUninstallKB954211$\spuninst\spuninst.exe"
Security Update for Windows XP (KB954459)-->"C:\WINDOWS\$NtUninstallKB954459$\spuninst\spuninst.exe"
Security Update for Windows XP (KB954600)-->"C:\WINDOWS\$NtUninstallKB954600$\spuninst\spuninst.exe"
Security Update for Windows XP (KB955069)-->"C:\WINDOWS\$NtUninstallKB955069$\spuninst\spuninst.exe"
Security Update for Windows XP (KB956391)-->"C:\WINDOWS\$NtUninstallKB956391$\spuninst\spuninst.exe"
Security Update for Windows XP (KB956572)-->"C:\WINDOWS\$NtUninstallKB956572$\spuninst\spuninst.exe"
Security Update for Windows XP (KB956744)-->"C:\WINDOWS\$NtUninstallKB956744$\spuninst\spuninst.exe"
Security Update for Windows XP (KB956802)-->"C:\WINDOWS\$NtUninstallKB956802$\spuninst\spuninst.exe"
Security Update for Windows XP (KB956803)-->"C:\WINDOWS\$NtUninstallKB956803$\spuninst\spuninst.exe"
Security Update for Windows XP (KB956841)-->"C:\WINDOWS\$NtUninstallKB956841$\spuninst\spuninst.exe"
Security Update for Windows XP (KB956844)-->"C:\WINDOWS\$NtUninstallKB956844$\spuninst\spuninst.exe"
Security Update for Windows XP (KB957095)-->"C:\WINDOWS\$NtUninstallKB957095$\spuninst\spuninst.exe"
Security Update for Windows XP (KB957097)-->"C:\WINDOWS\$NtUninstallKB957097$\spuninst\spuninst.exe"
Security Update for Windows XP (KB958644)-->"C:\WINDOWS\$NtUninstallKB958644$\spuninst\spuninst.exe"
Security Update for Windows XP (KB958687)-->"C:\WINDOWS\$NtUninstallKB958687$\spuninst\spuninst.exe"
Security Update for Windows XP (KB958690)-->"C:\WINDOWS\$NtUninstallKB958690$\spuninst\spuninst.exe"
Security Update for Windows XP (KB958869)-->"C:\WINDOWS\$NtUninstallKB958869$\spuninst\spuninst.exe"
Security Update for Windows XP (KB959426)-->"C:\WINDOWS\$NtUninstallKB959426$\spuninst\spuninst.exe"
Security Update for Windows XP (KB960225)-->"C:\WINDOWS\$NtUninstallKB960225$\spuninst\spuninst.exe"
Security Update for Windows XP (KB960715)-->"C:\WINDOWS\$NtUninstallKB960715$\spuninst\spuninst.exe"
Security Update for Windows XP (KB960803)-->"C:\WINDOWS\$NtUninstallKB960803$\spuninst\spuninst.exe"
Security Update for Windows XP (KB960859)-->"C:\WINDOWS\$NtUninstallKB960859$\spuninst\spuninst.exe"
Security Update for Windows XP (KB961371)-->"C:\WINDOWS\$NtUninstallKB961371$\spuninst\spuninst.exe"
Security Update for Windows XP (KB961373)-->"C:\WINDOWS\$NtUninstallKB961373$\spuninst\spuninst.exe"
Security Update for Windows XP (KB961501)-->"C:\WINDOWS\$NtUninstallKB961501$\spuninst\spuninst.exe"
Security Update for Windows XP (KB968537)-->"C:\WINDOWS\$NtUninstallKB968537$\spuninst\spuninst.exe"
Security Update for Windows XP (KB969059)-->"C:\WINDOWS\$NtUninstallKB969059$\spuninst\spuninst.exe"
Security Update for Windows XP (KB969898)-->"C:\WINDOWS\$NtUninstallKB969898$\spuninst\spuninst.exe"
Security Update for Windows XP (KB970238)-->"C:\WINDOWS\$NtUninstallKB970238$\spuninst\spuninst.exe"
Security Update for Windows XP (KB971486)-->"C:\WINDOWS\$NtUninstallKB971486$\spuninst\spuninst.exe"
Security Update for Windows XP (KB971557)-->"C:\WINDOWS\$NtUninstallKB971557$\spuninst\spuninst.exe"
Security Update for Windows XP (KB971633)-->"C:\WINDOWS\$NtUninstallKB971633$\spuninst\spuninst.exe"
Security Update for Windows XP (KB971657)-->"C:\WINDOWS\$NtUninstallKB971657$\spuninst\spuninst.exe"
Security Update for Windows XP (KB971961)-->"C:\WINDOWS\$NtUninstallKB971961$\spuninst\spuninst.exe"
Security Update for Windows XP (KB973346)-->"C:\WINDOWS\$NtUninstallKB973346$\spuninst\spuninst.exe"
Security Update for Windows XP (KB973354)-->"C:\WINDOWS\$NtUninstallKB973354$\spuninst\spuninst.exe"
Security Update for Windows XP (KB973507)-->"C:\WINDOWS\$NtUninstallKB973507$\spuninst\spuninst.exe"
Security Update for Windows XP (KB973525)-->"C:\WINDOWS\$NtUninstallKB973525$\spuninst\spuninst.exe"
Security Update for Windows XP (KB973869)-->"C:\WINDOWS\$NtUninstallKB973869$\spuninst\spuninst.exe"
Security Update for Windows XP (KB974112)-->"C:\WINDOWS\$NtUninstallKB974112$\spuninst\spuninst.exe"
Security Update for Windows XP (KB974571)-->"C:\WINDOWS\$NtUninstallKB974571$\spuninst\spuninst.exe"
Security Update for Windows XP (KB975025)-->"C:\WINDOWS\$NtUninstallKB975025$\spuninst\spuninst.exe"
Security Update for Windows XP (KB975467)-->"C:\WINDOWS\$NtUninstallKB975467$\spuninst\spuninst.exe"
SoftV92 Data Fax Modem with SmartCP-->C:\Program Files\CONEXANT\CNXT_MODEM_PCI_VEN_14F1&DEV_2F20&SUBSYS_200014F1\HXFSETUP.EXE -U -IURSLST5K.inf
Spybot - Search & Destroy-->"C:\Program Files\Spybot - Search & Destroy\unins000.exe"
Swag_Bucks Toolbar-->C:\PROGRA~1\SWAG_B~1\UNWISE.EXE /U C:\PROGRA~1\SWAG_B~1\INSTALL.LOG
Turbo Lister 2-->C:\PROGRA~1\COMMON~1\INSTAL~1\Driver\9\INTEL3~1\IDriver.exe /M{69640730-B830-4C24-BB5C-222DA1260548}
Update for Windows XP (KB951072-v2)-->"C:\WINDOWS\$NtUninstallKB951072-v2$\spuninst\spuninst.exe"
Update for Windows XP (KB951978)-->"C:\WINDOWS\$NtUninstallKB951978$\spuninst\spuninst.exe"
Update for Windows XP (KB953356)-->"C:\WINDOWS\$NtUninstallKB953356$\spuninst\spuninst.exe"
Update for Windows XP (KB955839)-->"C:\WINDOWS\$NtUninstallKB955839$\spuninst\spuninst.exe"
Update for Windows XP (KB967715)-->"C:\WINDOWS\$NtUninstallKB967715$\spuninst\spuninst.exe"
Update for Windows XP (KB968389)-->"C:\WINDOWS\$NtUninstallKB968389$\spuninst\spuninst.exe"
Update for Windows XP (KB973815)-->"C:\WINDOWS\$NtUninstallKB973815$\spuninst\spuninst.exe"
Viewpoint Media Player-->C:\Program Files\Viewpoint\Viewpoint Experience Technology\mtsAxInstaller.exe /u
VIP Casino-->C:\WINDOWS\system32\UnCasino5.exe VIPCasinoV8
Walmart Digital Photo Manager-->MsiExec.exe /X{24A71701-4BFD-4228-97B3-7D739195EC67}
Windows Backup Utility-->MsiExec.exe /I{76EFFC7C-17A6-479D-9E47-8E658C1695AE}
Windows Media Format Runtime-->"C:\Program Files\Windows Media Player\wmsetsdk.exe" /UninstallAll
Windows Media Player 10 Hotfix - KB895316-->"C:\WINDOWS\$NtUninstallKB895316$\spuninst\spuninst.exe"
Windows Media Player 10-->"C:\Program Files\Windows Media Player\Setup_wm.exe" /Uninstall
Windows XP Service Pack 3-->"C:\WINDOWS\$NtServicePackUninstall$\spuninst\spuninst.exe"
ZENcast Organizer-->RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\09\01\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{C029DB0E-C59F-417A-90F8-88FD5B2C4AE7}\setup.exe" -l0x9 /remove

======Hosts File======

127.0.0.1 www.007guard.com
127.0.0.1 007guard.com
127.0.0.1 008i.com
127.0.0.1 www.008k.com
127.0.0.1 008k.com
127.0.0.1 www.00hq.com
127.0.0.1 00hq.com
127.0.0.1 010402.com
127.0.0.1 www.032439.com
127.0.0.1 032439.com

======Security center information======

AV: McAfee VirusScan
FW: McAfee Personal Firewall

======System event log======

Computer Name: YOUR-3F22C8F6FB
Event Code: 7023
Message: The Application Management service terminated with the following error:
The specified module could not be found.


Record Number: 66440
Source Name: Service Control Manager
Time Written: 20091021214729.000000-240
Event Type: error
User:

Computer Name: YOUR-3F22C8F6FB
Event Code: 7023
Message: The Application Management service terminated with the following error:
The specified module could not be found.


Record Number: 66437
Source Name: Service Control Manager
Time Written: 20091021214729.000000-240
Event Type: error
User:

Computer Name: YOUR-3F22C8F6FB
Event Code: 7023
Message: The Application Management service terminated with the following error:
The specified module could not be found.


Record Number: 66434
Source Name: Service Control Manager
Time Written: 20091021214729.000000-240
Event Type: error
User:

Computer Name: YOUR-3F22C8F6FB
Event Code: 7023
Message: The Application Management service terminated with the following error:
The specified module could not be found.


Record Number: 66431
Source Name: Service Control Manager
Time Written: 20091021214729.000000-240
Event Type: error
User:

Computer Name: YOUR-3F22C8F6FB
Event Code: 7023
Message: The Application Management service terminated with the following error:
The specified module could not be found.


Record Number: 66428
Source Name: Service Control Manager
Time Written: 20091021214729.000000-240
Event Type: error
User:

=====Application event log=====

Computer Name: YOUR-3F22C8F6FB
Event Code: 11706
Message: Product: Microsoft Office 2000 Professional -- Error 1706. No valid source could be found for product Microsoft Office 2000 Professional. The Windows installer cannot continue.

Record Number: 5509
Source Name: MsiInstaller
Time Written: 20080323162446.000000-240
Event Type: error
User: YOUR-3F22C8F6FB\Owner

Computer Name: YOUR-3F22C8F6FB
Event Code: 1001
Message: Detection of product '{00010409-78E1-11D2-B60F-006097C998E7}', feature 'TCWP5Files' failed during request for component '{CC29EC7F-7BC2-11D1-A921-00A0C91E2AA2}'

Record Number: 5508
Source Name: MsiInstaller
Time Written: 20080323162421.000000-240
Event Type: warning
User: YOUR-3F22C8F6FB\Owner

Computer Name: YOUR-3F22C8F6FB
Event Code: 1002
Message: Hanging application iexplore.exe, version 7.0.6000.16608, hang module hungapp, version 0.0.0.0, hang address 0x00000000.

Record Number: 5470
Source Name: Application Hang
Time Written: 20080221223752.000000-300
Event Type: error
User:

Computer Name: YOUR-3F22C8F6FB
Event Code: 1000
Message: Faulting application drwtsn32.exe, version 5.1.2600.0, faulting module dbghelp.dll, version 5.1.2600.2180, fault address 0x0001295d.

Record Number: 5469
Source Name: Application Error
Time Written: 20080221223704.000000-300
Event Type: error
User:

Computer Name: YOUR-3F22C8F6FB
Event Code: 1000
Message: Faulting application iexplore.exe, version 7.0.6000.16608, faulting module unknown, version 0.0.0.0, fault address 0x60b47930.

Record Number: 5468
Source Name: Application Error
Time Written: 20080221223658.000000-300
Event Type: error
User:

======Environment variables======

"ComSpec"=%SystemRoot%\system32\cmd.exe
"Path"=%SystemRoot%\system32;%SystemRoot%;%SystemRoot%\System32\Wbem;C:\Program Files\QuickTime\QTSystem\
"windir"=%SystemRoot%
"FP_NO_HOST_CHECK"=NO
"OS"=Windows_NT
"PROCESSOR_ARCHITECTURE"=x86
"PROCESSOR_LEVEL"=6
"PROCESSOR_IDENTIFIER"=x86 Family 6 Model 10 Stepping 0, AuthenticAMD
"PROCESSOR_REVISION"=0a00
"NUMBER_OF_PROCESSORS"=1
"PATHEXT"=.COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH
"TEMP"=%SystemRoot%\TEMP
"TMP"=%SystemRoot%\TEMP
"CLASSPATH"=.;C:\Program Files\Java\jre1.6.0_02\lib\ext\QTJava.zip
"QTJAVA"=C:\Program Files\Java\jre1.6.0_02\lib\ext\QTJava.zip

-----------------EOF-----------------

Logfile of random's system information tool 1.06 (written by random/random)
Run by Owner at 2009-10-23 12:47:18
Microsoft Windows XP Home Edition Service Pack 3
System drive C: has 100 GB (90%) free of 111 GB
Total RAM: 447 MB (24% free)

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 12:48:09 PM, on 10/23/2009
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16915)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Updater.exe
C:\Program Files\Digital Media Reader\shwiconem.exe
C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe
C:\Program Files\Unlocker\UnlockerAssistant.exe
C:\Program Files\McAfee.com\Agent\mcagent.exe
C:\Program Files\Canon\MyPrinter\BJMyPrt.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\Program Files\Palm\Hotsync.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
c:\program files\common files\mcafee\mna\mcnasvc.exe
c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe
C:\Program Files\McAfee\MPF\MPFSrv.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\Program Files\Common Files\New Boundary\PrismXL\PRISMXL.SYS
C:\WINDOWS\system32\svchost.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Documents and Settings\Owner\Desktop\RSIT.exe
C:\Program Files\trend micro\Owner.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.ezanga.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft....k/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft....k/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft....k/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft....k/?LinkId=69157
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
R3 - URLSearchHook: Swag Bucks Toolbar - {8bdea9d6-6f62-45eb-8ee9-8a81af0d2f94} - C:\Program Files\Swag_Bucks\tbSwag.dll
O2 - BHO: (no name) - {02478D38-C3F9-4efb-9B51-7695ECA05670} - (no file)
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: scriptproxy - {7DB2D5A0-7241-4E79-B68D-6309F01C5231} - C:\Program Files\McAfee\VirusScan\scriptsn.dll
O2 - BHO: (no name) - {A2234B15-23F2-42AD-F4E4-00AAC39C0004} - (no file)
O2 - BHO: Java™ Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O3 - Toolbar: &RoboForm - {724d43a0-0d85-11d4-9908-00400523e39a} - C:\Program Files\Siber Systems\AI RoboForm\roboform.dll
O3 - Toolbar: Swag Bucks Toolbar - {8bdea9d6-6f62-45eb-8ee9-8a81af0d2f94} - C:\Program Files\Swag_Bucks\tbSwag.dll
O3 - Toolbar: (no name) - {CCC7A320-B3CA-4199-B1A6-9F516DD69829} - (no file)
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [iRiver Updater] \Updater.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [SunKistEM] C:\Program Files\Digital Media Reader\shwiconem.exe
O4 - HKLM\..\Run: [RemoteControl] "C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe"
O4 - HKLM\..\Run: [Recguard] C:\WINDOWS\SMINST\RECGUARD.EXE
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NVMixerTray] "C:\Program Files\NVIDIA Corporation\NvMixer\NVMixerTray.exe"
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [EPSON Stylus CX4800 Series] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_FATIADA.EXE /P26 "EPSON Stylus CX4800 Series" /O6 "USB001" /M "Stylus CX4800"
O4 - HKLM\..\Run: [UnlockerAssistant] "C:\Program Files\Unlocker\UnlockerAssistant.exe" -H
O4 - HKLM\..\Run: [mcagent_exe] "C:\Program Files\McAfee.com\Agent\mcagent.exe" /runkey
O4 - HKLM\..\Run: [CanonMyPrinter] C:\Program Files\Canon\MyPrinter\BJMyPrt.exe /logon
O4 - HKLM\..\Run: [Jzohucefuhel] rundll32.exe "C:\WINDOWS\arasozid.dll",Startup
O4 - HKLM\..\Run: [Malwarebytes Anti-Malware (reboot)] "C:\Program Files\Malwarebytes' Anti-Malware\mbam.exe" /runcleanupscript
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"
O4 - HKLM\..\RunOnce: [SpybotSnD] "C:\Program Files\Spybot - Search & Destroy\SpybotSD.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [calc] rundll32.exe C:\DOCUME~1\Owner\ntuser.dll,_IWMPEvents@0
O4 - HKCU\..\Run: [Yjafosi8kdf98winmdkmnkmfnwe] C:\DOCUME~1\Owner\LOCALS~1\Temp\services.exe
O4 - HKCU\..\Run: [Login Software 2009] C:\DOCUME~1\Owner\LOCALS~1\Temp\shrwvkrj.exe
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - Startup: HotSync Manager.LNK = C:\Program Files\Palm\Hotsync.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: HOTSYNCSHORTCUTNAME.lnk = C:\Program Files\Palm\Hotsync.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O8 - Extra context menu item: Customize Menu - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComCustomizeIEMenu.html
O8 - Extra context menu item: Fill Forms - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComFillForms.html
O8 - Extra context menu item: Lookup on Merriam Webster - file://C:\Program Files\ieSpell\Merriam Webster.HTM
O8 - Extra context menu item: Lookup on Wikipedia - file://C:\Program Files\ieSpell\wikipedia.HTM
O8 - Extra context menu item: RoboForm Toolbar - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComShowToolbar.html
O8 - Extra context menu item: Save Forms - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComSavePass.html
O9 - Extra button: Fill Forms - {320AF880-6646-11D3-ABEE-C5DBF3571F46} - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComFillForms.html
O9 - Extra 'Tools' menuitem: Fill Forms - {320AF880-6646-11D3-ABEE-C5DBF3571F46} - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComFillForms.html
O9 - Extra button: Save - {320AF880-6646-11D3-ABEE-C5DBF3571F49} - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComSavePass.html
O9 - Extra 'Tools' menuitem: Save Forms - {320AF880-6646-11D3-ABEE-C5DBF3571F49} - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComSavePass.html
O9 - Extra button: RoboForm - {724d43aa-0d85-11d4-9908-00400523e39a} - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComShowToolbar.html
O9 - Extra 'Tools' menuitem: RoboForm Toolbar - {724d43aa-0d85-11d4-9908-00400523e39a} - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComShowToolbar.html
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra button: VIP Casino - {3B501CBC-D009-4DAB-ADAF-B882F2F0A447} - C:\Documents and Settings\Owner\Desktop\VIP Casino.lnk (file missing) (HKCU)
O9 - Extra 'Tools' menuitem: VIP Casino - {3B501CBC-D009-4DAB-ADAF-B882F2F0A447} - C:\Documents and Settings\Owner\Desktop\VIP Casino.lnk (file missing) (HKCU)
O15 - Trusted Zone: http://*.mcafee.com
O16 - DPF: {05CA9FB0-3E3E-4B36-BF41-0E3A5CAA8CD8} (Office Genuine Advantage Validation Tool) - http://go.microsoft....k/?linkid=58813
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft....k/?linkid=39204
O16 - DPF: {3DC2E31C-371A-4BD3-9A27-CDF57CE604CF} (MSN Money Charting) - http://moneycentral....bs/pmupd806.exe
O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} (McAfee.com Operating System Class) - http://download.mcaf...01/mcinsctl.cab
O16 - DPF: {BCC0FF27-31D9-4614-A68E-C18E1ADA4389} (DwnldGroupMgr Class) - http://download.mcaf...,26/mcgdmgr.cab
O18 - Filter hijack: text/html - {6972fcb5-d682-4b8a-bf92-263bae751780} - C:\WINDOWS\batmeter16.dll
O20 - AppInit_DLLs: nisuyiko.dll c:\windows\system32\zilolowa.dll
O21 - SSODL: tiyiwohov - {22a62459-3c9b-4559-a08c-7384e59dc942} - c:\windows\system32\zilolowa.dll (file missing)
O22 - SharedTaskScheduler: gahurihor - {22a62459-3c9b-4559-a08c-7384e59dc942} - c:\windows\system32\zilolowa.dll (file missing)
O23 - Service: getPlus® Helper - NOS Microsystems Ltd. - C:\Program Files\NOS\bin\getPlus_HelperSvc.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: McAfee Services (mcmscsvc) - McAfee, Inc. - C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
O23 - Service: McAfee Network Agent (McNASvc) - McAfee, Inc. - c:\program files\common files\mcafee\mna\mcnasvc.exe
O23 - Service: McAfee Scanner (McODS) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcods.exe
O23 - Service: McAfee Proxy Service (McProxy) - McAfee, Inc. - c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
O23 - Service: McAfee Real-time Scanner (McShield) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe
O23 - Service: McAfee SystemGuards (McSysmon) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe
O23 - Service: McAfee Personal Firewall Service (MpfService) - McAfee, Inc. - C:\Program Files\McAfee\MPF\MPFSrv.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: PrismXL - New Boundary Technologies, Inc. - C:\Program Files\Common Files\New Boundary\PrismXL\PRISMXL.SYS

--
End of file - 10993 bytes

======Scheduled tasks folder======

C:\WINDOWS\tasks\McAfeeQuickClean.job
C:\WINDOWS\tasks\McDefragTask.job
C:\WINDOWS\tasks\McQcTask.job

======Registry dump======

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{02478D38-C3F9-4efb-9B51-7695ECA05670}]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{53707962-6F74-2D53-2644-206D7942484F}]
Spybot-S&D IE Protection - C:\PROGRA~1\SPYBOT~1\SDHelper.dll [2009-01-26 1879896]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{7DB2D5A0-7241-4E79-B68D-6309F01C5231}]
scriptproxy - C:\Program Files\McAfee\VirusScan\scriptsn.dll [2009-09-16 62784]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{A2234B15-23F2-42AD-F4E4-00AAC39C0004}]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{DBC80044-A445-435b-BC74-9C25C1C588A9}]
Java™ Plug-In 2 SSV Helper - C:\Program Files\Java\jre6\bin\jp2ssv.dll [2009-10-21 41760]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{E7E6F031-17CE-4C07-BC86-EABFE594F69C}]
JQSIEStartDetectorImpl Class - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll [2009-10-21 73728]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
{724d43a0-0d85-11d4-9908-00400523e39a} - &RoboForm - C:\Program Files\Siber Systems\AI RoboForm\roboform.dll [2008-07-05 5751624]
{8bdea9d6-6f62-45eb-8ee9-8a81af0d2f94} - Swag Bucks Toolbar - C:\Program Files\Swag_Bucks\tbSwag.dll [2009-08-30 2259480]
{CCC7A320-B3CA-4199-B1A6-9F516DD69829}

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]
""= []
"QuickTime Task"=C:\Program Files\QuickTime\qttask.exe [2007-04-27 282624]
"iRiver Updater"=\Updater.exe [2004-07-01 212992]
"NvCplDaemon"=C:\WINDOWS\system32\NvCpl.dll [2004-07-12 4112384]
"SunKistEM"=C:\Program Files\Digital Media Reader\shwiconem.exe [2004-10-18 135168]
"RemoteControl"=C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe [2003-10-31 32768]
"Recguard"=C:\WINDOWS\SMINST\RECGUARD.EXE [2002-09-13 212992]
"nwiz"=nwiz.exe /install []
"NVMixerTray"=C:\Program Files\NVIDIA Corporation\NvMixer\NVMixerTray.exe [2004-06-04 131072]
"NvMediaCenter"=C:\WINDOWS\system32\NvMcTray.dll [2004-07-12 81920]
"NeroFilterCheck"=C:\WINDOWS\system32\NeroCheck.exe [2001-07-09 155648]
"EPSON Stylus CX4800 Series"=C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_FATIADA.EXE [2005-02-01 98304]
"UnlockerAssistant"=C:\Program Files\Unlocker\UnlockerAssistant.exe [2006-09-07 15872]
"mcagent_exe"=C:\Program Files\McAfee.com\Agent\mcagent.exe [2009-09-17 645328]
"CanonMyPrinter"=C:\Program Files\Canon\MyPrinter\BJMyPrt.exe [2006-10-16 1197648]
"Jzohucefuhel"=C:\WINDOWS\arasozid.dll [2008-04-13 163328]
"Malwarebytes Anti-Malware (reboot)"=C:\Program Files\Malwarebytes' Anti-Malware\mbam.exe [2009-09-10 1312080]
"SunJavaUpdateSched"=C:\Program Files\Java\jre6\bin\jusched.exe [2009-10-21 149280]

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunOnce]
"SpybotSnD"=C:\Program Files\Spybot - Search & Destroy\SpybotSD.exe [2009-01-26 5365592]

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"=C:\WINDOWS\system32\ctfmon.exe [2008-04-13 15360]
"calc"=C:\DOCUME~1\Owner\ntuser.dll,_IWMPEvents@0 []
"Yjafosi8kdf98winmdkmnkmfnwe"=C:\DOCUME~1\Owner\LOCALS~1\Temp\services.exe []
"Login Software 2009"=C:\DOCUME~1\Owner\LOCALS~1\Temp\shrwvkrj.exe []
"SpybotSD TeaTimer"=C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe [2009-03-05 2260480]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup
Adobe Reader Speed Launch.lnk - C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
HOTSYNCSHORTCUTNAME.lnk - C:\Program Files\Palm\Hotsync.exe
Microsoft Office.lnk - C:\Program Files\Microsoft Office\Office\OSA9.EXE

C:\Documents and Settings\Owner\Start Menu\Programs\Startup
HotSync Manager.LNK - C:\Program Files\Palm\Hotsync.exe

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]
"AppInit_DLLS"="nisuyiko.dll c:\windows\system32\zilolowa.dll"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\WgaLogon]
C:\WINDOWS\system32\WgaLogon.dll [2007-03-15 236928]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad]
tiyiwohov - {22a62459-3c9b-4559-a08c-7384e59dc942} - c:\windows\system32\zilolowa.dll []

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\explorer\SharedTaskScheduler]
gahurihor - {22a62459-3c9b-4559-a08c-7384e59dc942} - c:\windows\system32\zilolowa.dll []

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa]
"notification packages"=scecli
velijiko.dll

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\securityproviders]
"SecurityProviders"=msapsspc.dll, schannel.dll, digest.dll, msnsspc.dll,

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\mcmscsvc]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MCODS]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\network\mcmscsvc]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\network\MCODS]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\network\MpfService]

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System]
"DisableTaskMgr"=0

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System]
"dontdisplaylastusername"=0
"legalnoticecaption"=
"legalnoticetext"=
"shutdownwithoutlogon"=1
"undockwithoutlogon"=1

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\explorer]
"NoDriveTypeAutoRun"=145
"LockTaskbar"=1
"NoBandCustomize"=0
"NoMovingBands"=0
"NoCloseDragDropBands"=0
"NoActiveDesktop"=0
"NoActiveDesktopChanges"=0
"NoSetActiveDesktop"=0
"NoFolderOptions"=0

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\explorer]
"HonorAutoRunSetting"=
"NoActiveDesktopChanges"=
"NoSetActiveDesktop"=

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\standardprofile\authorizedapplications\list]
"%windir%\system32\sessmgr.exe"="%windir%\system32\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"C:\Program Files\Common Files\AOL\ACS\AOLacsd.exe"="C:\Program Files\Common Files\AOL\ACS\AOLacsd.exe:*:Enabled:AOL"
"C:\Program Files\Common Files\AOL\ACS\AOLDial.exe"="C:\Program Files\Common Files\AOL\ACS\AOLDial.exe:*:Enabled:AOL"
"C:\Program Files\America Online 9.0\waol.exe"="C:\Program Files\America Online 9.0\waol.exe:*:Enabled:AOL"
"C:\Program Files\Internet Explorer\IEXPLORE.EXE"="C:\Program Files\Internet Explorer\IEXPLORE.EXE:*:Enabled:Internet Explorer"
"%windir%\Network Diagnostic\xpnetdiag.exe"="%windir%\Network Diagnostic\xpnetdiag.exe:*:Enabled:@xpsp3res.dll,-20000"
"C:\Program Files\NETGEAR\WG111T\wlan111t.exe"="C:\Program Files\NETGEAR\WG111T\wlan111t.exe:*:Enabled:NETGEAR Smart Wizard"
"C:\Program Files\Common Files\McAfee\MNA\McNASvc.exe"="C:\Program Files\Common Files\McAfee\MNA\McNASvc.exe:*:Enabled:McAfee Network Agent"
"C:\WINDOWS\system32\logonui.exe"="C:\WINDOWS\system32\logonui.exe:*:Enabled:logonui"
"C:\WINDOWS\system32\winlogon.exe"="C:\WINDOWS\system32\winlogon.exe:*:Enabled:winlogon"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\domainprofile\authorizedapplications\list]
"%windir%\system32\sessmgr.exe"="%windir%\system32\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"C:\Program Files\Common Files\AOL\ACS\AOLacsd.exe"="C:\Program Files\Common Files\AOL\ACS\AOLacsd.exe:*:Enabled:AOL"
"C:\Program Files\Common Files\AOL\ACS\AOLDial.exe"="C:\Program Files\Common Files\AOL\ACS\AOLDial.exe:*:Enabled:AOL"
"C:\Program Files\America Online 9.0\waol.exe"="C:\Program Files\America Online 9.0\waol.exe:*:Enabled:AOL"
"%windir%\Network Diagnostic\xpnetdiag.exe"="%windir%\Network Diagnostic\xpnetdiag.exe:*:Enabled:@xpsp3res.dll,-20000"

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\J]
shell\AutoRun\command - J:\LaunchU3.exe -a

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{b090ad61-6b37-11d9-9c11-806d6172696f}]
shell\AutoRun\command - C:\WINDOWS\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL Info.exe folder.htt 480 480


======File associations======

.reg - open - regedit.exe "%1" %*
.scr - open - "%1" %*

======List of files/folders created in the last 1 months======

2009-10-23 12:47:20 ----D---- C:\Program Files\trend micro
2009-10-23 12:47:18 ----D---- C:\rsit
2009-10-21 21:58:06 ----A---- C:\WINDOWS\system32\javaws.exe
2009-10-21 21:58:05 ----A---- C:\WINDOWS\system32\javaw.exe
2009-10-21 21:58:05 ----A---- C:\WINDOWS\system32\java.exe
2009-10-20 21:26:46 ----HD---- C:\$AVG
2009-10-20 21:24:17 ----D---- C:\Program Files\AVG
2009-10-20 21:24:08 ----D---- C:\Documents and Settings\All Users\Application Data\avg9
2009-10-19 18:15:25 ----A---- C:\WINDOWS\isRS-000.tmp
2009-10-18 08:33:46 ----A---- C:\WINDOWS\PCTBDCore.dll
2009-10-18 08:30:44 ----D---- C:\Program Files\Common Files\PC Tools
2009-10-17 17:06:48 ----A---- C:\bqef

#2 Juliet

Juliet

    Advanced Member

  • Trusted Malware Techs
  • 22,085 posts
  • Gender:Female


Posted 24 October 2009 - 04:17 PM

Hi and welcome


While TeaTimer is an excellent tool for the prevention of spyware, it can sometimes prevent HijackThis from fixing certain things.
Please disable TeaTimer for now until you are clean. TeaTimer can be re-activated once your HijackThis log is clean.

We need to disable Spybot S&D's "TeaTimer"
TeaTimer works by preventing ANY changes to the system. It will attempt to undo any fixes we run, because it blocks these fixes from running.

In order to safeguard your system from problems that can be brought on by a half finished fix, we need to disable TeaTimer. We can reenable it when we're done.
  • Open SpyBot Search and Destroy by going to Start -> All Programs -> Spybot Search and Destroy -> Spybot Search and Destroy.
  • If prompted with a legal dialog, accept the warning.
  • Click Posted Image and then on "Advanced Mode"
    Posted Image
  • You may be presented with a warning dialog. If so, press Posted Image
  • Click on Posted Image
  • Click on Posted Image
  • Uncheck this checkbox:
    Posted Image
  • Close/Exit Spybot Search and Destroy



Open HijackThis, Click Do a system scan only, checkmark these. Then close all other windows and browsers except HijackThis and press fix checked.


R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
O2 - BHO: (no name) - {02478D38-C3F9-4efb-9B51-7695ECA05670} - (no file)
O2 - BHO: (no name) - {A2234B15-23F2-42AD-F4E4-00AAC39C0004} - (no file)
O3 - Toolbar: (no name) - {CCC7A320-B3CA-4199-B1A6-9F516DD69829} - (no file)

O4 - HKLM\..\Run: [Jzohucefuhel] rundll32.exe "C:\WINDOWS\arasozid.dll",Startup
O4 - HKCU\..\Run: [calc] rundll32.exe C:\DOCUME~1\Owner\ntuser.dll,_IWMPEvents@0
O4 - HKCU\..\Run: [Yjafosi8kdf98winmdkmnkmfnwe] C:\DOCUME~1\Owner\LOCALS~1\Temp\services.exe
O4 - HKCU\..\Run: [Login Software 2009] C:\DOCUME~1\Owner\LOCALS~1\Temp\shrwvkrj.exe

O18 - Filter hijack: text/html - {6972fcb5-d682-4b8a-bf92-263bae751780} - C:\WINDOWS\batmeter16.dll
O20 - AppInit_DLLs: nisuyiko.dll c:\windows\system32\zilolowa.dll
O21 - SSODL: tiyiwohov - {22a62459-3c9b-4559-a08c-7384e59dc942} - c:\windows\system32\zilolowa.dll (file missing)
O22 - SharedTaskScheduler: gahurihor - {22a62459-3c9b-4559-a08c-7384e59dc942} - c:\windows\system32\zilolowa.dll (file missing)


~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~


OTM
Download OTM by OldTimer Here & save it to your desktop.
  • Double click on OTM.exe to run it
  • Copy & paste the contents inside the Code box below beginning with :Files into Paste Instructions for Items to be Moved
Note: Do not type it out to minimize the risk of typo error
:Files
C:\bqefoh.exe
c:\windows\system32\zilolowa.dll
C:\WINDOWS\arasozid.dll
C:\DOCUME~1\Owner\LOCALS~1\Temp\services.exe
C:\DOCUME~1\Owner\LOCALS~1\Temp\shrwvkrj.exe
:reg
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Jzohucefuhel"=-
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"calc"=-
"Yjafosi8kdf98winmdkmnkmfnwe"=-
"Login Software 2009"=-
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\PROTOCOLS\Filter\text/html]
"CLSID"=-
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad]
"tiyiwohov"=-
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\explorer\SharedTaskScheduler]
"gahurihor"=- 
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"="" 
:Commands
[purity]
[emptytemp]
[Reboot]
  • Click on MoveIt!
  • When done, click on Exit
Note: If a file or folder can't be moved immediately, you may be asked to restart your computer. Choose Yes.
A log will be produced at C:\_OTM\MovedFiles\date_time.log, where date_time are numbers. Post this log in your next reply.


~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

NEXT**

Download Combofix from any of the links below but rename it to sandek1.exe before saving it to your desktop.

Link 1
Link 2


Posted Image


Posted Image

  • If you are using Firefox, make sure that your download settings are as follows:
  • Tools->Options->Main tab
  • Set to "Always ask me where to Save the files".
--------------------------------------------------------------------
Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools

MCAFEE ANTIVIRUS
Please navigate to the system tray on the bottom right hand corner and look for a Posted Image sign.

  • Right-click it -> chose "Exit."
  • A popup will warn that protection will now be disabled. Click on "Yes" to disable the Antivirus guard.
MCAFEE SECURITY CENTER 7.1
Please navigate to the system tray and double-click the taskbar icon to open Security Center.
  • Click Advanced Menu (bottom mid-left).
  • Click Configure (left).
  • Click Computer & Files (top left).
  • VirusScan can be disabled in the right-hand module and set when it should resume or you can do that manually later on.
  • Do the same via Internet & Network for Firewall Plus.

(Click on this link to see a list of programs that should be disabled.)
http://www.bleepingc...opic114351.html

Please leave the flash drive plugged in while completing the following.

Double click on Combo-Fix.exe & follow the prompts.

Please allow ComboFix to install, if needed, Windows Recovery Console. It is a simple procedure that will only take a few moments of your time.

Posted Image

**Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue it's malware removal procedures.



Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:


Posted Image


No Validation is Required.

The Windows Recovery Console will allow you to boot up into a special recovery (repair) mode. This allows us to more easily help you should your computer have a problem after an attempted removal of malware. It is a simple procedure that will only take a few moments of your time.



** Please Note:
At times ComboFix may appear to stall, please be patient.
  • When finished, it will produce a report for you.
  • Please post the C:\ComboFix.txt along with a HijackThis log so we can continue cleaning the system.
Please only run the tool once, ty.

Extra note: After you have installed the Recovery Console - if you reboot your computer, right after reboot, you'll see the option for the Recovery Console now as well.
Don't select to run the Recovery Console as we don't need it.
By default, your main OS is selected there. The screen stays for 2 seconds and then it proceeds to load Windows.




In your next reply post:
OTM log
ComboFix.txt
You may need several replies to post the requested logs, otherwise they might get cut off.
Please do not PM me for HJT help, we all benefit from posting on the open board.
Sometimes the angels fly close enough to you that you can hear the flutter of their wings..
MS - MVP Consumer Security 2009 - 2013

#3 sandek1

sandek1

    Member

  • Members
  • 14 posts

Posted 24 October 2009 - 09:03 PM

Hi Juliet and thank you so much for your help! Here is my OTM log and I will post ComboFix seperately. All processes killed ========== FILES ========== File/Folder C:\bqefoh.exe not found. File/Folder c:\windows\system32\zilolowa.dll not found. DllUnregisterServer procedure not found in C:\WINDOWS\arasozid.dll C:\WINDOWS\arasozid.dll NOT unregistered. C:\WINDOWS\arasozid.dll moved successfully. File/Folder C:\DOCUME~1\Owner\LOCALS~1\Temp\services.exe not found. File/Folder C:\DOCUME~1\Owner\LOCALS~1\Temp\shrwvkrj.exe not found. ========== REGISTRY ========== Registry value HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\\Jzohucefuhel deleted successfully. Registry value HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\\calc not found. Registry value HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\\Yjafosi8kdf98winmdkmnkmfnwe not found. Registry value HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\\Login Software 2009 not found. Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\PROTOCOLS\Filter\text/html not found. Registry value HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\\tiyiwohov not found. Registry value HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\explorer\SharedTaskScheduler\\gahurihor not found. HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows\\"AppInit_DLLs"|"" /E : value set successfully! ========== COMMANDS ========== [EMPTYTEMP] User: All Users User: Default User ->Temp folder emptied: 0 bytes ->Temporary Internet Files folder emptied: 32768 bytes User: LocalService File delete failed. C:\Documents and Settings\LocalService\Local Settings\Temp\Temporary Internet Files\Content.IE5\index.dat scheduled to be deleted on reboot. File delete failed. C:\Documents and Settings\LocalService\Local Settings\Temp\History\History.IE5\index.dat scheduled to be deleted on reboot. File delete failed. C:\Documents and Settings\LocalService\Local Settings\Temp\Cookies\index.dat scheduled to be deleted on reboot. ->Temp folder emptied: 66252 bytes ->Temporary Internet Files folder emptied: 422767 bytes User: NetworkService ->Temp folder emptied: 0 bytes ->Temporary Internet Files folder emptied: 1319284 bytes User: Owner ->Temp folder emptied: 3810266 bytes ->Temporary Internet Files folder emptied: 110028526 bytes ->Java cache emptied: 199717049 bytes %systemdrive% .tmp files removed: 0 bytes C:\WINDOWS\msdownld.tmp folder deleted successfully. %systemroot% .tmp files removed: 713329 bytes %systemroot%\System32 .tmp files removed: 2577 bytes File delete failed. C:\WINDOWS\temp\mcmsc_adz3TAzemKgjpTY scheduled to be deleted on reboot. File delete failed. C:\WINDOWS\temp\mcmsc_XCk0XiASHe4CBSF scheduled to be deleted on reboot. Windows Temp folder emptied: 16368174 bytes RecycleBin emptied: 714936 bytes Total Files Cleaned = 317.76 mb OTM by OldTimer - Version 3.0.0.6 log created on 10242009_205914 Files moved on Reboot... File C:\WINDOWS\temp\mcmsc_adz3TAzemKgjpTY not found! File C:\WINDOWS\temp\mcmsc_XCk0XiASHe4CBSF not found! Registry entries deleted on Reboot...

#4 sandek1

sandek1

    Member

  • Members
  • 14 posts

Posted 24 October 2009 - 09:07 PM

My ComboFix log is below. I did renamed it to sandek1.ext but did not get the save file window to rename it as Combo-Fix. If this will create inacurrate results please let me know how to do that step again. Thanks, Kathy
ComboFix 09-10-24.01 - Owner 10/24/2009 21:39.1.1 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.447.63 [GMT -4:00]
Running from: c:\documents and settings\Owner\Desktop\sandek1.exe
AV: McAfee VirusScan *On-access scanning disabled* (Updated) {84B5EE75-6421-4CDE-A33A-DD43BA9FAD83}
FW: McAfee Personal Firewall *disabled* {94894B63-8C7F-4050-BDA4-813CA00DA3E8}
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\documents and settings\Owner\My Documents\ZbThumbnail.info
c:\documents and settings\Owner\ntuser.dll
c:\program files\Shared
c:\recycler\S-1-5-21-1658258789-744366993-357489556-1003
c:\windows\Downloaded Program Files\Temp
c:\windows\Install.txt
c:\windows\system32\hakodame.dll
c:\windows\system32\Install.txt
c:\windows\system32\isapeep.sys
c:\windows\system32\lobawera.dll
c:\windows\system32\mijikive.dll
c:\windows\system32\mubafuju.dll
c:\windows\system32\ruhulimi.dll
c:\windows\system32\tehepepa.dll
c:\windows\system32\varupadi.dll
c:\windows\system32\vilohora.dll
c:\windows\system32\vupihaba.dll
D:\Autorun.inf

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Legacy_6TO4
-------\Service_6to4
-------\Legacy_isapeep
-------\Service_isapeep


((((((((((((((((((((((((( Files Created from 2009-09-25 to 2009-10-25 )))))))))))))))))))))))))))))))
.

2009-10-25 00:59 . 2009-10-25 00:59 -------- d-----w- C:\_OTM
2009-10-23 16:48 . 2009-10-23 16:48 -------- d-----w- C:\PCPitLogs_HJT
2009-10-23 16:47 . 2009-10-23 16:48 -------- d-----w- c:\program files\trend micro
2009-10-23 16:47 . 2009-10-23 16:48 -------- d-----w- C:\rsit
2009-10-21 01:26 . 2009-10-21 01:26 -------- d-----w- C:\$AVG
2009-10-21 01:24 . 2009-10-21 01:24 -------- d-----w- c:\program files\AVG
2009-10-21 01:24 . 2009-10-21 12:20 -------- d-----w- c:\documents and settings\All Users\Application Data\avg9
2009-10-18 12:54 . 2009-10-18 12:54 -------- d-----w- c:\documents and settings\Owner\Local Settings\Application Data\Threat Expert
2009-10-18 12:33 . 2009-10-08 15:31 1636304 ----a-w- c:\windows\PCTBDCore.dll
2009-10-18 12:30 . 2009-10-19 23:29 -------- d-----w- c:\program files\Common Files\PC Tools
2009-10-17 21:11 . 2009-10-24 12:09 0 ----a-w- c:\windows\Evamuram.bin
2009-10-17 21:11 . 2009-10-24 23:43 120 ----a-w- c:\windows\Mladuwenuqav.dat
2009-10-17 21:11 . 2009-10-17 21:11 -------- d-----w- c:\documents and settings\Owner\Local Settings\Application Data\{E207B15C-B565-4B5E-A5CB-227065006227}
2009-10-01 00:55 . 2009-10-25 01:28 -------- d-----w- c:\documents and settings\Owner\Application Data\U3

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-10-23 01:41 . 2006-08-31 11:21 -------- d-----w- c:\program files\Spybot - Search & Destroy
2009-10-23 01:32 . 2006-08-31 11:21 -------- d-----w- c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
2009-10-22 01:57 . 2009-06-24 02:13 411368 ----a-w- c:\windows\system32\deploytk.dll
2009-10-22 01:57 . 2005-01-20 23:18 -------- d-----w- c:\program files\Java
2009-10-21 14:06 . 2007-05-25 00:51 -------- d-----w- c:\program files\McAfee
2009-10-19 23:39 . 2009-06-25 22:43 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2009-10-19 23:36 . 2005-10-31 03:44 -------- d-----w- c:\program files\Hewlett-Packard
2009-10-19 23:30 . 2007-11-02 02:17 -------- d---a-w- c:\documents and settings\All Users\Application Data\TEMP
2009-10-18 13:02 . 2005-10-31 03:36 -------- d-----w- c:\documents and settings\Owner\Application Data\McAfee
2009-10-18 13:01 . 2005-01-20 23:31 -------- d-----w- c:\documents and settings\All Users\Application Data\McAfee
2009-10-18 02:29 . 2007-10-09 01:42 -------- d-----w- c:\program files\Yahoo!
2009-09-16 14:22 . 2007-05-25 00:52 40552 ----a-w- c:\windows\system32\drivers\mfesmfk.sys
2009-09-16 14:22 . 2007-05-25 00:52 35272 ----a-w- c:\windows\system32\drivers\mfebopk.sys
2009-09-16 14:22 . 2007-05-25 00:52 79816 ----a-w- c:\windows\system32\drivers\mfeavfk.sys
2009-09-16 14:22 . 2007-05-25 00:52 214664 ----a-w- c:\windows\system32\drivers\mfehidk.sys
2009-09-16 14:22 . 2007-05-25 00:52 34248 ----a-w- c:\windows\system32\drivers\mferkdk.sys
2009-09-11 14:18 . 2004-08-26 16:12 136192 ----a-w- c:\windows\system32\msv1_0.dll
2009-09-10 18:54 . 2009-06-25 22:43 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2009-09-10 18:53 . 2009-06-25 22:43 19160 ----a-w- c:\windows\system32\drivers\mbam.sys
2009-09-04 21:03 . 2004-08-26 16:12 58880 ----a-w- c:\windows\system32\msasn1.dll
2009-09-02 02:40 . 2009-09-02 02:40 -------- d-----w- c:\program files\Swag_Bucks
2009-09-02 02:40 . 2009-09-02 02:40 -------- d-----w- c:\program files\Conduit
2009-08-30 19:49 . 2009-08-30 19:49 -------- d-----w- c:\documents and settings\Owner\Application Data\ieSpell
2009-08-29 07:36 . 2004-08-26 16:12 832512 ----a-w- c:\windows\system32\wininet.dll
2009-08-29 07:36 . 2004-08-26 16:11 78336 ----a-w- c:\windows\system32\ieencode.dll
2009-08-29 07:36 . 2004-08-26 16:11 17408 ----a-w- c:\windows\system32\corpol.dll
2009-08-26 08:00 . 2004-08-26 16:12 247326 ----a-w- c:\windows\system32\strmdll.dll
2009-08-05 09:01 . 2004-08-26 16:12 204800 ----a-w- c:\windows\system32\mswebdvd.dll
2009-08-05 00:44 . 2004-08-26 16:12 2189184 ----a-w- c:\windows\system32\ntoskrnl.exe
2009-08-04 14:20 . 2004-08-04 05:59 2066048 ----a-w- c:\windows\system32\ntkrnlpa.exe
2005-10-31 04:52 . 2005-10-31 04:52 0 -csha-w- c:\windows\SMINST\HPCD.sys
2009-07-17 21:13 . 2009-07-17 21:13 24576 --sha-w- c:\windows\system32\fipuyuko.exe
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\URLSearchHooks]
"{8bdea9d6-6f62-45eb-8ee9-8a81af0d2f94}"= "c:\program files\Swag_Bucks\tbSwag.dll" [2009-08-30 2259480]

[HKEY_CLASSES_ROOT\clsid\{8bdea9d6-6f62-45eb-8ee9-8a81af0d2f94}]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
"{8bdea9d6-6f62-45eb-8ee9-8a81af0d2f94}"= "c:\program files\Swag_Bucks\tbSwag.dll" [2009-08-30 2259480]

[HKEY_CLASSES_ROOT\clsid\{8bdea9d6-6f62-45eb-8ee9-8a81af0d2f94}]

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\Webbrowser]
"{8BDEA9D6-6F62-45EB-8EE9-8A81AF0D2F94}"= "c:\program files\Swag_Bucks\tbSwag.dll" [2009-08-30 2259480]

[HKEY_CLASSES_ROOT\clsid\{8bdea9d6-6f62-45eb-8ee9-8a81af0d2f94}]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2007-04-27 282624]
"iRiver Updater"="\Updater.exe" [2004-07-01 212992]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2004-07-12 4112384]
"SunKistEM"="c:\program files\Digital Media Reader\shwiconem.exe" [2004-10-18 135168]
"RemoteControl"="c:\program files\CyberLink\PowerDVD\PDVDServ.exe" [2003-11-01 32768]
"Recguard"="c:\windows\SMINST\RECGUARD.EXE" [2002-09-13 212992]
"NVMixerTray"="c:\program files\NVIDIA Corporation\NvMixer\NVMixerTray.exe" [2004-06-04 131072]
"NvMediaCenter"="c:\windows\system32\NvMcTray.dll" [2004-07-12 81920]
"NeroFilterCheck"="c:\windows\system32\NeroCheck.exe" [2001-07-09 155648]
"EPSON Stylus CX4800 Series"="c:\windows\System32\spool\DRIVERS\W32X86\3\E_FATIADA.EXE" [2005-02-01 98304]
"UnlockerAssistant"="c:\program files\Unlocker\UnlockerAssistant.exe" [2006-09-07 15872]
"mcagent_exe"="c:\program files\McAfee.com\Agent\mcagent.exe" [2009-09-17 645328]
"CanonMyPrinter"="c:\program files\Canon\MyPrinter\BJMyPrt.exe" [2006-10-17 1197648]
"Malwarebytes Anti-Malware (reboot)"="c:\program files\Malwarebytes' Anti-Malware\mbam.exe" [2009-09-10 1312080]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2009-10-22 149280]
"nwiz"="nwiz.exe" - c:\windows\system32\nwiz.exe [2004-07-12 843776]

c:\documents and settings\Owner\Start Menu\Programs\Startup\
HotSync Manager.LNK - c:\program files\Palm\Hotsync.exe [2004-6-9 471040]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
Adobe Reader Speed Launch.lnk - c:\program files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2005-9-23 29696]
HOTSYNCSHORTCUTNAME.lnk - c:\program files\Palm\Hotsync.exe [2004-6-9 471040]
Microsoft Office.lnk - c:\program files\Microsoft Office\Office\OSA9.EXE [1999-2-17 65588]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\mcmscsvc]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MCODS]
@=""

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Common Files\\McAfee\\MNA\\McNASvc.exe"=

S3 DNINDIS5;DNINDIS5 NDIS Protocol Driver;c:\windows\system32\DNINDIS5.sys [10/17/2007 8:54 PM 17149]

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Svchost - NetSvcs
BtwSrv
.
Contents of the 'Scheduled Tasks' folder

2009-10-22 c:\windows\Tasks\McAfeeQuickClean.job
- c:\progra~1\mcafee\mqc\QcConsol.exe [2007-05-25 16:22]

2009-09-15 c:\windows\Tasks\McDefragTask.job
- c:\program files\mcafee\mqc\QcConsol.exe [2007-05-25 16:22]

2009-07-01 c:\windows\Tasks\McQcTask.job
- c:\program files\mcafee\mqc\QcConsol.exe [2007-05-25 16:22]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.ezanga.com/
uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8
uSearchURL,(Default) = hxxp://www.google.com/keyword/%s
IE: &Search
IE: Customize Menu - file://c:\program files\Siber Systems\AI RoboForm\RoboFormComCustomizeIEMenu.html
IE: Fill Forms - file://c:\program files\Siber Systems\AI RoboForm\RoboFormComFillForms.html
IE: Lookup on Merriam Webster - file://c:\program files\ieSpell\Merriam Webster.HTM
IE: Lookup on Wikipedia - file://c:\program files\ieSpell\wikipedia.HTM
IE: RoboForm Toolbar - file://c:\program files\Siber Systems\AI RoboForm\RoboFormComShowToolbar.html
IE: Save Forms - file://c:\program files\Siber Systems\AI RoboForm\RoboFormComSavePass.html
Trusted Zone: dana.com\psselfserve
Trusted Zone: internet
Trusted Zone: malwarebytes.com\www
Trusted Zone: malwarebytes.org\www
Trusted Zone: malwaresupport.com
Trusted Zone: mcafee.com
.
- - - - ORPHANS REMOVED - - - -

WebBrowser-{472734EA-242A-422B-ADF8-83D1E48CC825} - (no file)
WebBrowser-{CCC7A320-B3CA-4199-B1A6-9F516DD69829} - (no file)
AddRemove-CalorieKing.com Diet Diary for PalmOS - c:\program files\CalorieKing.com



**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-10-24 21:48
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'explorer.exe'(732)
c:\windows\system32\WININET.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\mshtml.dll
.
------------------------ Other Running Processes ------------------------
.
c:\sandek1\CF8987.exe
C:\Updater.exe
c:\program files\Java\jre6\bin\jqs.exe
c:\progra~1\McAfee\MSC\mcmscsvc.exe
c:\program files\common files\mcafee\mna\mcnasvc.exe
c:\progra~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
c:\progra~1\McAfee\VIRUSS~1\mcshield.exe
c:\program files\McAfee\MPF\MPFSrv.exe
c:\windows\system32\nvsvc32.exe
c:\program files\Common Files\New Boundary\PrismXL\PRISMXL.SYS
c:\windows\system32\wdfmgr.exe
c:\windows\system32\wscntfy.exe
c:\progra~1\McAfee\VIRUSS~1\mcsysmon.exe
c:\sandek1\PEV.cfxxe
.
**************************************************************************
.
Completion time: 2009-10-25 21:56 - machine was rebooted
ComboFix-quarantined-files.txt 2009-10-25 01:56

Pre-Run: 105,027,121,152 bytes free
Post-Run: 104,886,927,360 bytes free

WindowsXP-KB310994-SP2-Home-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Home Edition" /noexecute=optin /fastdetect

- - End Of File - - C785BE5F19D633324B9999C8F75ACDA5

#5 Juliet

Juliet

    Advanced Member

  • Trusted Malware Techs
  • 22,085 posts
  • Gender:Female


Posted 25 October 2009 - 05:44 AM

Welcome back

I did renamed it to sandek1.ext but did not get the save file window to rename it as Combo-Fix. If this will create inacurrate results please let me know how to do that step again. Thanks, Kathy

I posted the pictures as a guide and what you renamed to worked so theres no problem.

How's the computer performing now?

Print this topic or save to notepad, it will make it easier for you to follow the instructions and complete all of the necessary steps as we will need to close all windows that are open later in the fix.


******
Next: Please disable all onboard security programs (all running with back ground protection) as it may hinder the scanner from working.
This includes Antivirus, Firewall, and any Spyware scanners that run in the background.

Click on this link Here to see a list of programs that should be disabled.
The list is not all inclusive. If yours is not listed and you don't know how to disable it, please ask.

Please open Notepad *Do Not Use Wordpad!* or use any other text editor than Notepad or the script will fail. (Start -> Run -> type notepad in the Open field -> OK) and copy and paste the text present inside the quote box below:
Save this as "CFScript.txt" including quotes and change the "Save as type" to "All Files" and place it on your desktop.

File::
c:\windows\Evamuram.bin
c:\windows\Mladuwenuqav.dat
c:\windows\system32\fipuyuko.exe
DRIVER::
BtwSrv
NetSvc::
BtwSrv

Posted Image

Referring to the screenshot above, drag CFScript.txt into ComboFix.exe. ComboFix will now run a scan on your system. It may reboot your system when it finishes. This is normal.
When finished, it shall produce a log for you, C:\ComboFix.txt. Post that log in your next reply.
CAUTION: Do not mouse-click ComboFix's window while it is running. That may cause it to stall.

Note: the above code was created specifically for this user. If you are not this user, do NOT follow these directions as they could damage the workings of your system.



CF disconnects your machine from the internet. The connection is automatically restored before CF completes its run. If CF runs into difficulty and terminates prematurely, the connection can be manually restored by restarting your machine.

If there are internet issues afterward:

*In IE: Tools Menu -> Internet Options -> Connections Tab ->Lan Settings > uncheck "use a proxy server" or reconfigure the Proxy server again in case you have set it previously.

In Firefox in Tools Menu -> Options... -> Advanced Tab -> Network Tab -> "Settings" under Connection and uncheck the proxyserver, set it to No Proxy.


~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~`


NEXT**
Please do the following:
  • Please open your MalwareBytes AntiMalware Program
  • Click the Update Tab and search for updates
  • If an update is found, it will download and install the latest version.
  • Once the program has loaded, select "Perform Quick Scan", then click Scan.
  • The scan may take some time to finish, so please be patient.
  • When the scan is complete, click OK, then Show Results to view the results.
  • Make sure that everything is checked, and click Remove Selected. <-- very important
  • When disinfection is completed, a log will open in Notepad and you may be prompted to Restart. (See Extra Note)
  • The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
  • Copy&Paste the entire report in your next reply.
Extra Note:If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts, click OK to either and let MBAM proceed with the disinfection process, if asked to restart the computer, please do so immediately.



~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Please do a scan with Kaspersky Online Scanner. Please note: Kaspersky requires Java Runtime Environment (JRE) be installed before scanning for malware, as ActiveX is no longer being used.)

If you are using Windows Vista, open your browser by right-clicking on its icon and select 'Run as administrator' to perform this scan.
  • Open the Kaspersky WebScanner
    page.
  • Click on the Posted Image button on the main page.
  • The program will launch and fill in the Information section on the left.
  • Read the "Requirements and Limitations" then press the Posted Image button.
  • The program will begin downloading the latest program and definition files. It may take a while so please be patient and let it finish.
  • Once the files have been downloaded, click on the Posted Image ...button.
    In the scan settings make sure the following are selected:
    • Detect malicious programs of the following categories:
      Viruses, Worms, Trojan Horses, Rootkits
      Spyware, Adware, Dialers and other potentially dangerous programs
    • Scan compound files (doesn't apply to the File scan area):
      Archives
      Mail databases
      By default the above items should already be checked.
    • Click the Posted Image button, if you made any changes.
  • Now under the Scan section on the left:

    Select My Computer
  • The program will now start and scan your system. This will run for a while, be patient and let it finish.
  • Once the scan is complete, click on View scan report
  • Now, click on the Save Report as button.
  • In the drop down box labeled Files of type change the type to Text file.
  • Save the file to your desktop.
  • Copy and paste that information in your next post.
You can refer to this animation by sundavis if needed.



In your next reply post:
ComboFix.txt
Malwarebytes' Anti-Malware log
Kaspersky log
New HJT log


You may need several replies to post the requested logs, otherwise they might get cut off.
Please do not PM me for HJT help, we all benefit from posting on the open board.
Sometimes the angels fly close enough to you that you can hear the flutter of their wings..
MS - MVP Consumer Security 2009 - 2013

#6 sandek1

sandek1

    Member

  • Members
  • 14 posts

Posted 25 October 2009 - 12:50 PM

Hi Again! My computer is running slow, but the Rundll32 error is gone. Below is my ComboFix log and I will add the other logs in seperate posts.
When ComboFix was doind a re-start, I did get this error message: Reg 2 exe, Error: file damaged.
Here is the log:

ComboFix 09-10-24.06 - Owner 10/25/2009 12:16.2.1 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.447.242 [GMT -4:00]
Running from: c:\documents and settings\Owner\Desktop\sandek1.exe
Command switches used :: c:\documents and settings\Owner\Desktop\CFScript.txt
AV: McAfee VirusScan *On-access scanning disabled* (Updated) {84B5EE75-6421-4CDE-A33A-DD43BA9FAD83}
FW: McAfee Personal Firewall *disabled* {94894B63-8C7F-4050-BDA4-813CA00DA3E8}

FILE ::
"c:\windows\Evamuram.bin"
"c:\windows\Mladuwenuqav.dat"
"c:\windows\system32\fipuyuko.exe"
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\windows\Evamuram.bin
c:\windows\Mladuwenuqav.dat
c:\windows\system32\fipuyuko.exe

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Legacy_BTWSRV


((((((((((((((((((((((((( Files Created from 2009-09-25 to 2009-10-25 )))))))))))))))))))))))))))))))
.

2009-10-25 16:12 . 2009-10-25 16:13 -------- d-----w- C:\sandek1
2009-10-25 00:59 . 2009-10-25 00:59 -------- d-----w- C:\_OTM
2009-10-23 16:48 . 2009-10-23 16:48 -------- d-----w- C:\PCPitLogs_HJT
2009-10-23 16:47 . 2009-10-23 16:48 -------- d-----w- c:\program files\trend micro
2009-10-23 16:47 . 2009-10-23 16:48 -------- d-----w- C:\rsit
2009-10-21 01:26 . 2009-10-21 01:26 -------- d-----w- C:\$AVG
2009-10-21 01:24 . 2009-10-21 01:24 -------- d-----w- c:\program files\AVG
2009-10-21 01:24 . 2009-10-21 12:20 -------- d-----w- c:\documents and settings\All Users\Application Data\avg9
2009-10-18 12:54 . 2009-10-18 12:54 -------- d-----w- c:\documents and settings\Owner\Local Settings\Application Data\Threat Expert
2009-10-18 12:33 . 2009-10-08 15:31 1636304 ----a-w- c:\windows\PCTBDCore.dll
2009-10-18 12:30 . 2009-10-19 23:29 -------- d-----w- c:\program files\Common Files\PC Tools
2009-10-17 21:11 . 2009-10-17 21:11 -------- d-----w- c:\documents and settings\Owner\Local Settings\Application Data\{E207B15C-B565-4B5E-A5CB-227065006227}
2009-10-01 00:55 . 2009-10-25 01:28 -------- d-----w- c:\documents and settings\Owner\Application Data\U3

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-10-23 01:41 . 2006-08-31 11:21 -------- d-----w- c:\program files\Spybot - Search & Destroy
2009-10-23 01:32 . 2006-08-31 11:21 -------- d-----w- c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
2009-10-22 01:57 . 2009-06-24 02:13 411368 ----a-w- c:\windows\system32\deploytk.dll
2009-10-22 01:57 . 2005-01-20 23:18 -------- d-----w- c:\program files\Java
2009-10-21 14:06 . 2007-05-25 00:51 -------- d-----w- c:\program files\McAfee
2009-10-19 23:39 . 2009-06-25 22:43 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2009-10-19 23:36 . 2005-10-31 03:44 -------- d-----w- c:\program files\Hewlett-Packard
2009-10-19 23:30 . 2007-11-02 02:17 -------- d---a-w- c:\documents and settings\All Users\Application Data\TEMP
2009-10-18 13:02 . 2005-10-31 03:36 -------- d-----w- c:\documents and settings\Owner\Application Data\McAfee
2009-10-18 13:01 . 2005-01-20 23:31 -------- d-----w- c:\documents and settings\All Users\Application Data\McAfee
2009-10-18 02:29 . 2007-10-09 01:42 -------- d-----w- c:\program files\Yahoo!
2009-09-16 14:22 . 2007-05-25 00:52 40552 ----a-w- c:\windows\system32\drivers\mfesmfk.sys
2009-09-16 14:22 . 2007-05-25 00:52 35272 ----a-w- c:\windows\system32\drivers\mfebopk.sys
2009-09-16 14:22 . 2007-05-25 00:52 79816 ----a-w- c:\windows\system32\drivers\mfeavfk.sys
2009-09-16 14:22 . 2007-05-25 00:52 214664 ----a-w- c:\windows\system32\drivers\mfehidk.sys
2009-09-16 14:22 . 2007-05-25 00:52 34248 ----a-w- c:\windows\system32\drivers\mferkdk.sys
2009-09-11 14:18 . 2004-08-26 16:12 136192 ----a-w- c:\windows\system32\msv1_0.dll
2009-09-10 18:54 . 2009-06-25 22:43 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2009-09-10 18:53 . 2009-06-25 22:43 19160 ----a-w- c:\windows\system32\drivers\mbam.sys
2009-09-04 21:03 . 2004-08-26 16:12 58880 ----a-w- c:\windows\system32\msasn1.dll
2009-09-02 02:40 . 2009-09-02 02:40 -------- d-----w- c:\program files\Swag_Bucks
2009-09-02 02:40 . 2009-09-02 02:40 -------- d-----w- c:\program files\Conduit
2009-08-30 19:49 . 2009-08-30 19:49 -------- d-----w- c:\documents and settings\Owner\Application Data\ieSpell
2009-08-29 07:36 . 2004-08-26 16:12 832512 ------w- c:\windows\system32\wininet.dll
2009-08-29 07:36 . 2004-08-26 16:11 78336 ----a-w- c:\windows\system32\ieencode.dll
2009-08-29 07:36 . 2004-08-26 16:11 17408 ----a-w- c:\windows\system32\corpol.dll
2009-08-26 08:00 . 2004-08-26 16:12 247326 ----a-w- c:\windows\system32\strmdll.dll
2009-08-05 09:01 . 2004-08-26 16:12 204800 ----a-w- c:\windows\system32\mswebdvd.dll
2009-08-05 00:44 . 2004-08-26 16:12 2189184 ------w- c:\windows\system32\ntoskrnl.exe
2009-08-04 14:20 . 2004-08-04 05:59 2066048 ------w- c:\windows\system32\ntkrnlpa.exe
2005-10-31 04:52 . 2005-10-31 04:52 0 -csha-w- c:\windows\SMINST\HPCD.sys
.

((((((((((((((((((((((((((((( SnapShot@2009-10-25_01.48.29 )))))))))))))))))))))))))))))))))))))))))
.
+ 2009-10-25 16:24 . 2009-10-25 16:24 16384 c:\windows\Temp\Perflib_Perfdata_c4.dat
+ 2004-08-26 18:07 . 2009-10-25 15:32 32768 c:\windows\system32\config\systemprofile\Local Settings\History\History.IE5\index.dat
- 2004-08-26 18:07 . 2009-10-24 21:27 32768 c:\windows\system32\config\systemprofile\Local Settings\History\History.IE5\index.dat
+ 2009-10-25 11:18 . 2009-10-25 15:32 32768 c:\windows\system32\config\systemprofile\Cookies\index.dat
- 2004-08-26 18:07 . 2009-10-24 21:27 32768 c:\windows\system32\config\systemprofile\Cookies\index.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\URLSearchHooks]
"{8bdea9d6-6f62-45eb-8ee9-8a81af0d2f94}"= "c:\program files\Swag_Bucks\tbSwag.dll" [2009-08-30 2259480]

[HKEY_CLASSES_ROOT\clsid\{8bdea9d6-6f62-45eb-8ee9-8a81af0d2f94}]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
"{8bdea9d6-6f62-45eb-8ee9-8a81af0d2f94}"= "c:\program files\Swag_Bucks\tbSwag.dll" [2009-08-30 2259480]

[HKEY_CLASSES_ROOT\clsid\{8bdea9d6-6f62-45eb-8ee9-8a81af0d2f94}]

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\Webbrowser]
"{8BDEA9D6-6F62-45EB-8EE9-8A81AF0D2F94}"= "c:\program files\Swag_Bucks\tbSwag.dll" [2009-08-30 2259480]

[HKEY_CLASSES_ROOT\clsid\{8bdea9d6-6f62-45eb-8ee9-8a81af0d2f94}]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2007-04-27 282624]
"iRiver Updater"="\Updater.exe" [2004-07-01 212992]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2004-07-12 4112384]
"SunKistEM"="c:\program files\Digital Media Reader\shwiconem.exe" [2004-10-18 135168]
"RemoteControl"="c:\program files\CyberLink\PowerDVD\PDVDServ.exe" [2003-11-01 32768]
"Recguard"="c:\windows\SMINST\RECGUARD.EXE" [2002-09-13 212992]
"NVMixerTray"="c:\program files\NVIDIA Corporation\NvMixer\NVMixerTray.exe" [2004-06-04 131072]
"NvMediaCenter"="c:\windows\system32\NvMcTray.dll" [2004-07-12 81920]
"NeroFilterCheck"="c:\windows\system32\NeroCheck.exe" [2001-07-09 155648]
"EPSON Stylus CX4800 Series"="c:\windows\System32\spool\DRIVERS\W32X86\3\E_FATIADA.EXE" [2005-02-01 98304]
"UnlockerAssistant"="c:\program files\Unlocker\UnlockerAssistant.exe" [2006-09-07 15872]
"mcagent_exe"="c:\program files\McAfee.com\Agent\mcagent.exe" [2009-09-17 645328]
"CanonMyPrinter"="c:\program files\Canon\MyPrinter\BJMyPrt.exe" [2006-10-17 1197648]
"Malwarebytes Anti-Malware (reboot)"="c:\program files\Malwarebytes' Anti-Malware\mbam.exe" [2009-09-10 1312080]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2009-10-22 149280]
"nwiz"="nwiz.exe" - c:\windows\system32\nwiz.exe [2004-07-12 843776]

c:\documents and settings\Owner\Start Menu\Programs\Startup\
HotSync Manager.LNK - c:\program files\Palm\Hotsync.exe [2004-6-9 471040]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
Adobe Reader Speed Launch.lnk - c:\program files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2005-9-23 29696]
HOTSYNCSHORTCUTNAME.lnk - c:\program files\Palm\Hotsync.exe [2004-6-9 471040]
Microsoft Office.lnk - c:\program files\Microsoft Office\Office\OSA9.EXE [1999-2-17 65588]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\mcmscsvc]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MCODS]
@=""

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Common Files\\McAfee\\MNA\\McNASvc.exe"=

S3 DNINDIS5;DNINDIS5 NDIS Protocol Driver;c:\windows\system32\DNINDIS5.sys [10/17/2007 8:54 PM 17149]
.
Contents of the 'Scheduled Tasks' folder

2009-10-22 c:\windows\Tasks\McAfeeQuickClean.job
- c:\progra~1\mcafee\mqc\QcConsol.exe [2007-05-25 16:22]

2009-09-15 c:\windows\Tasks\McDefragTask.job
- c:\program files\mcafee\mqc\QcConsol.exe [2007-05-25 16:22]

2009-07-01 c:\windows\Tasks\McQcTask.job
- c:\program files\mcafee\mqc\QcConsol.exe [2007-05-25 16:22]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.ezanga.com/
uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8
uSearchURL,(Default) = hxxp://www.google.com/keyword/%s
IE: &Search
IE: Customize Menu - file://c:\program files\Siber Systems\AI RoboForm\RoboFormComCustomizeIEMenu.html
IE: Fill Forms - file://c:\program files\Siber Systems\AI RoboForm\RoboFormComFillForms.html
IE: Lookup on Merriam Webster - file://c:\program files\ieSpell\Merriam Webster.HTM
IE: Lookup on Wikipedia - file://c:\program files\ieSpell\wikipedia.HTM
IE: RoboForm Toolbar - file://c:\program files\Siber Systems\AI RoboForm\RoboFormComShowToolbar.html
IE: Save Forms - file://c:\program files\Siber Systems\AI RoboForm\RoboFormComSavePass.html
Trusted Zone: dana.com\psselfserve
Trusted Zone: internet
Trusted Zone: malwarebytes.com\www
Trusted Zone: malwarebytes.org\www
Trusted Zone: malwaresupport.com
Trusted Zone: mcafee.com
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-10-25 12:24
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'explorer.exe'(1904)
c:\windows\system32\WININET.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\mshtml.dll
.
------------------------ Other Running Processes ------------------------
.
c:\sandek124569s\CF17128.exe
c:\program files\Java\jre6\bin\jqs.exe
c:\progra~1\McAfee\MSC\mcmscsvc.exe
c:\program files\common files\mcafee\mna\mcnasvc.exe
c:\progra~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
c:\progra~1\McAfee\VIRUSS~1\mcshield.exe
c:\program files\McAfee\MPF\MPFSrv.exe
c:\windows\system32\nvsvc32.exe
C:\Updater.exe
c:\program files\Common Files\New Boundary\PrismXL\PRISMXL.SYS
c:\windows\system32\wdfmgr.exe
c:\windows\system32\wscntfy.exe
c:\sandek124569s\PEV.cfxxe
.
**************************************************************************
.
Completion time: 2009-10-25 12:30 - machine was rebooted
ComboFix-quarantined-files.txt 2009-10-25 16:30
ComboFix2.txt 2009-10-25 01:56

Pre-Run: 104,859,549,696 bytes free
Post-Run: 104,831,954,944 bytes free

- - End Of File - - 017A5C64FAAD14D54DC1F8032E8F2712

#7 sandek1

sandek1

    Member

  • Members
  • 14 posts

Posted 25 October 2009 - 12:53 PM

Here is the MBAM log: Malwarebytes' Anti-Malware 1.41 Database version: 3030 Windows 5.1.2600 Service Pack 3 10/25/2009 1:39:28 PM mbam-log-2009-10-25 (13-39-27).txt Scan type: Full Scan (C:\|D:\|) Objects scanned: 164889 Time elapsed: 1 hour(s), 5 minute(s), 19 second(s) Memory Processes Infected: 0 Memory Modules Infected: 0 Registry Keys Infected: 2 Registry Values Infected: 2 Registry Data Items Infected: 0 Folders Infected: 0 Files Infected: 22 Memory Processes Infected: (No malicious items detected) Memory Modules Infected: (No malicious items detected) Registry Keys Infected: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{a2234b15-23f2-42ad-f4e4-00aac39c0004} (Trojan.Ertfor) -> Quarantined and deleted successfully. HKEY_LOCAL_MACHINE\System\CurrentControlSet\Enum\Root\LEGACY_FASTNETSRV (Backdoor.Bot) -> Quarantined and deleted successfully. Registry Values Infected: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WBEM\mBt (Backdoor.Bot) -> Quarantined and deleted successfully. HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WBEM\mfa (Backdoor.Bot) -> Quarantined and deleted successfully. Registry Data Items Infected: (No malicious items detected) Folders Infected: (No malicious items detected) Files Infected: C:\Qoobox\Quarantine\C\WINDOWS\system32\fipuyuko.exe.vir (Trojan.FakeAlert) -> Quarantined and deleted successfully. C:\Qoobox\Quarantine\C\WINDOWS\system32\hakodame.dll.vir (Trojan.Vundo) -> Quarantined and deleted successfully. C:\Qoobox\Quarantine\C\WINDOWS\system32\isapeep.sys.vir (Backdoor.Bot) -> Quarantined and deleted successfully. C:\Qoobox\Quarantine\C\WINDOWS\system32\lobawera.dll.vir (Trojan.Vundo) -> Quarantined and deleted successfully. C:\Qoobox\Quarantine\C\WINDOWS\system32\mijikive.dll.vir (Trojan.Vundo) -> Quarantined and deleted successfully. C:\Qoobox\Quarantine\C\WINDOWS\system32\mubafuju.dll.vir (Trojan.Vundo) -> Quarantined and deleted successfully. C:\Qoobox\Quarantine\C\WINDOWS\system32\ruhulimi.dll.vir (Trojan.Vundo) -> Quarantined and deleted successfully. C:\Qoobox\Quarantine\C\WINDOWS\system32\tehepepa.dll.vir (Trojan.Vundo) -> Quarantined and deleted successfully. C:\Qoobox\Quarantine\C\WINDOWS\system32\varupadi.dll.vir (Trojan.Vundo) -> Quarantined and deleted successfully. C:\Qoobox\Quarantine\C\WINDOWS\system32\vilohora.dll.vir (Trojan.Vundo) -> Quarantined and deleted successfully. C:\Qoobox\Quarantine\C\WINDOWS\system32\vupihaba.dll.vir (Trojan.Vundo) -> Quarantined and deleted successfully. C:\System Volume Information\_restore{F845E3DB-F751-4BE4-A620-64F2CA1BFB5F}\RP2\A0000159.dll (Trojan.Vundo) -> Quarantined and deleted successfully. C:\System Volume Information\_restore{F845E3DB-F751-4BE4-A620-64F2CA1BFB5F}\RP2\A0000156.sys (Backdoor.Bot) -> Quarantined and deleted successfully. C:\System Volume Information\_restore{F845E3DB-F751-4BE4-A620-64F2CA1BFB5F}\RP2\A0000157.dll (Trojan.Vundo) -> Quarantined and deleted successfully. C:\System Volume Information\_restore{F845E3DB-F751-4BE4-A620-64F2CA1BFB5F}\RP2\A0000158.dll (Trojan.Vundo) -> Quarantined and deleted successfully. C:\System Volume Information\_restore{F845E3DB-F751-4BE4-A620-64F2CA1BFB5F}\RP2\A0000160.dll (Trojan.Vundo) -> Quarantined and deleted successfully. C:\System Volume Information\_restore{F845E3DB-F751-4BE4-A620-64F2CA1BFB5F}\RP2\A0000161.dll (Trojan.Vundo) -> Quarantined and deleted successfully. C:\System Volume Information\_restore{F845E3DB-F751-4BE4-A620-64F2CA1BFB5F}\RP2\A0000162.dll (Trojan.Vundo) -> Quarantined and deleted successfully. C:\System Volume Information\_restore{F845E3DB-F751-4BE4-A620-64F2CA1BFB5F}\RP2\A0000163.dll (Trojan.Vundo) -> Quarantined and deleted successfully. C:\System Volume Information\_restore{F845E3DB-F751-4BE4-A620-64F2CA1BFB5F}\RP2\A0000164.dll (Trojan.Vundo) -> Quarantined and deleted successfully. C:\System Volume Information\_restore{F845E3DB-F751-4BE4-A620-64F2CA1BFB5F}\RP3\A0000285.exe (Trojan.FakeAlert) -> Quarantined and deleted successfully. C:\WINDOWS\system32\lsm32.sys (Backdoor.Bot) -> Quarantined and deleted successfully.

#8 sandek1

sandek1

    Member

  • Members
  • 14 posts

Posted 25 October 2009 - 01:01 PM

The Kaspersky Online Scanner is unavailable: "The current Kaspersky Online Scanner is unavailable - we apologize for the inconvenience. While you are waiting for the improved Online Scanner, why not try a free trial of Kaspersky Internet Security 2010, which has everything you need to keep your computer safe." Should I download the version listed above? I didn't want to proceede without your advice.

#9 sandek1

sandek1

    Member

  • Members
  • 14 posts

Posted 25 October 2009 - 01:03 PM

Here is my new HJT log:
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 2:03:12 PM, on 10/25/2009
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16915)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Updater.exe
C:\Program Files\Digital Media Reader\shwiconem.exe
C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe
C:\Program Files\Unlocker\UnlockerAssistant.exe
C:\Program Files\McAfee.com\Agent\mcagent.exe
C:\Program Files\Canon\MyPrinter\BJMyPrt.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Palm\Hotsync.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
c:\program files\common files\mcafee\mna\mcnasvc.exe
c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe
C:\Program Files\McAfee\MPF\MPFSrv.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\Program Files\Common Files\New Boundary\PrismXL\PRISMXL.SYS
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Documents and Settings\Owner\Desktop\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.ezanga.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft....k/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft....k/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft....k/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft....k/?LinkId=69157
R3 - URLSearchHook: Swag Bucks Toolbar - {8bdea9d6-6f62-45eb-8ee9-8a81af0d2f94} - C:\Program Files\Swag_Bucks\tbSwag.dll
O2 - BHO: scriptproxy - {7DB2D5A0-7241-4E79-B68D-6309F01C5231} - C:\Program Files\McAfee\VirusScan\scriptsn.dll
O2 - BHO: Java™ Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O3 - Toolbar: &RoboForm - {724d43a0-0d85-11d4-9908-00400523e39a} - C:\Program Files\Siber Systems\AI RoboForm\roboform.dll
O3 - Toolbar: Swag Bucks Toolbar - {8bdea9d6-6f62-45eb-8ee9-8a81af0d2f94} - C:\Program Files\Swag_Bucks\tbSwag.dll
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [iRiver Updater] \Updater.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [SunKistEM] C:\Program Files\Digital Media Reader\shwiconem.exe
O4 - HKLM\..\Run: [RemoteControl] "C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe"
O4 - HKLM\..\Run: [Recguard] C:\WINDOWS\SMINST\RECGUARD.EXE
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NVMixerTray] "C:\Program Files\NVIDIA Corporation\NvMixer\NVMixerTray.exe"
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [EPSON Stylus CX4800 Series] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_FATIADA.EXE /P26 "EPSON Stylus CX4800 Series" /O6 "USB001" /M "Stylus CX4800"
O4 - HKLM\..\Run: [UnlockerAssistant] "C:\Program Files\Unlocker\UnlockerAssistant.exe" -H
O4 - HKLM\..\Run: [mcagent_exe] "C:\Program Files\McAfee.com\Agent\mcagent.exe" /runkey
O4 - HKLM\..\Run: [CanonMyPrinter] C:\Program Files\Canon\MyPrinter\BJMyPrt.exe /logon
O4 - HKLM\..\Run: [Malwarebytes Anti-Malware (reboot)] "C:\Program Files\Malwarebytes' Anti-Malware\mbam.exe" /runcleanupscript
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - Startup: HotSync Manager.LNK = C:\Program Files\Palm\Hotsync.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: HOTSYNCSHORTCUTNAME.lnk = C:\Program Files\Palm\Hotsync.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O8 - Extra context menu item: Customize Menu - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComCustomizeIEMenu.html
O8 - Extra context menu item: Fill Forms - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComFillForms.html
O8 - Extra context menu item: Lookup on Merriam Webster - file://C:\Program Files\ieSpell\Merriam Webster.HTM
O8 - Extra context menu item: Lookup on Wikipedia - file://C:\Program Files\ieSpell\wikipedia.HTM
O8 - Extra context menu item: RoboForm Toolbar - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComShowToolbar.html
O8 - Extra context menu item: Save Forms - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComSavePass.html
O9 - Extra button: Fill Forms - {320AF880-6646-11D3-ABEE-C5DBF3571F46} - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComFillForms.html
O9 - Extra 'Tools' menuitem: Fill Forms - {320AF880-6646-11D3-ABEE-C5DBF3571F46} - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComFillForms.html
O9 - Extra button: Save - {320AF880-6646-11D3-ABEE-C5DBF3571F49} - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComSavePass.html
O9 - Extra 'Tools' menuitem: Save Forms - {320AF880-6646-11D3-ABEE-C5DBF3571F49} - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComSavePass.html
O9 - Extra button: RoboForm - {724d43aa-0d85-11d4-9908-00400523e39a} - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComShowToolbar.html
O9 - Extra 'Tools' menuitem: RoboForm Toolbar - {724d43aa-0d85-11d4-9908-00400523e39a} - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComShowToolbar.html
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra button: VIP Casino - {3B501CBC-D009-4DAB-ADAF-B882F2F0A447} - C:\Documents and Settings\Owner\Desktop\VIP Casino.lnk (file missing) (HKCU)
O9 - Extra 'Tools' menuitem: VIP Casino - {3B501CBC-D009-4DAB-ADAF-B882F2F0A447} - C:\Documents and Settings\Owner\Desktop\VIP Casino.lnk (file missing) (HKCU)
O15 - Trusted Zone: http://*.mcafee.com
O16 - DPF: {05CA9FB0-3E3E-4B36-BF41-0E3A5CAA8CD8} (Office Genuine Advantage Validation Tool) - http://go.microsoft....k/?linkid=58813
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft....k/?linkid=39204
O16 - DPF: {3DC2E31C-371A-4BD3-9A27-CDF57CE604CF} (MSN Money Charting) - http://moneycentral....bs/pmupd806.exe
O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} (McAfee.com Operating System Class) - http://download.mcaf...01/mcinsctl.cab
O16 - DPF: {BCC0FF27-31D9-4614-A68E-C18E1ADA4389} (DwnldGroupMgr Class) - http://download.mcaf...,26/mcgdmgr.cab
O23 - Service: getPlus® Helper - NOS Microsystems Ltd. - C:\Program Files\NOS\bin\getPlus_HelperSvc.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: McAfee Services (mcmscsvc) - McAfee, Inc. - C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
O23 - Service: McAfee Network Agent (McNASvc) - McAfee, Inc. - c:\program files\common files\mcafee\mna\mcnasvc.exe
O23 - Service: McAfee Scanner (McODS) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcods.exe
O23 - Service: McAfee Proxy Service (McProxy) - McAfee, Inc. - c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
O23 - Service: McAfee Real-time Scanner (McShield) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe
O23 - Service: McAfee Personal Firewall Service (MpfService) - McAfee, Inc. - C:\Program Files\McAfee\MPF\MPFSrv.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: PrismXL - New Boundary Technologies, Inc. - C:\Program Files\Common Files\New Boundary\PrismXL\PRISMXL.SYS

--
End of file - 9128 bytes

#10 Juliet

Juliet

    Advanced Member

  • Trusted Malware Techs
  • 22,085 posts
  • Gender:Female


Posted 25 October 2009 - 01:34 PM

Welcome back

Hi Again! My computer is running slow, but the Rundll32 error is gone.

I think this will improve.

The Kaspersky Online Scanner is unavailable: Should I download the version listed above? I didn't want to proceede without your advice.

No need to we have a different online scanner to use without any type of paid purchase.


*********
One or more of the identified infections is a backdoor trojan.

This type of infection allows hackers to remotely control your computer, log keystrokes, steal critical system information, and download and execute files without your knowledge.

If you do any banking or other financial transactions on the PC or if it should contain any other sensitive information, please get to a known clean computer and change all passwords where applicable, and it would be wise to contact those same financial institutions to apprise them of your situation.

Please refer to Microsoft's Online Safety article for tips on creating a strong password.

Do not change passwords or do any transactions from the infected computer until it has been cleaned.

------------------------------------------------------



Go to My Computer->Tools->Folder Options->View tab:
  • Under the Hidden files and folders heading:
  • Select - Show hidden files and folders.
  • Uncheck- Hide protected operating system files (recommended) option.
  • Also, make sure there is no checkmark beside Hide file extensions for known file types.
  • Click OK. (Remember to Hide files and folders once done)
Please go to: VirusTotal
  • Posted Image


  • Click the Browse button and search for the following file: C:\Updater.exe
  • Click Open
  • Then click Send File
  • Please be patient while the file is scanned.
  • Once the scan results appear, please provide them in your next reply.
If it says already scanned -- click "reanalyze now"



~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~`

Your version of Adobe is out of date.

You can obtain the latest version of Adobe Reader from here, and the latest version of Flash Player from here.
For more information and links to Adobe updates and downloads click here.


~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

We need to disable Spybot S&D's "TeaTimer", instructions in previous post.



Open HijackThis, Click Do a system scan only, checkmark these. Then close all other windows and browsers except HijackThis and press fix checked.

The following are not necessarily spyware/malware, but we suggest you place a check mark next to the following entries, as these programs may be taking up system resources.

O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
(Description: Nvidia system tray applet. Not necessary. Removing this entry will free up a small amount of system resources.)

O4 - HKLM\..\Run: [Malwarebytes Anti-Malware (reboot)] "C:\Program Files\Malwarebytes' Anti-Malware\mbam.exe" /runcleanupscript
(Unless it is the purchased Pro version not an necessary item at boot up, daily manual updating is requested)

O4 - HKLM\..\Run: [SunJavaUpdateSched] \"C:\Program Files\Java\jre6\bin\jusched.exe\"
(Description: Sun Java update scheduler. Checks for updates. Not necessary. Removing this entry will free up a small amount of system resources.)

O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 9.0\Reader\reader_sl.exe
(Description: Adobe reader startup - unnecessarily uses system resources.)

O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
(Description: Microsoft Office Startup Assistant. This program loads some Microsoft Office components into memory, even if you're not currently using MS Office. Removing this unnecessary program will free up a considerable amount of system resources.)



Now please reboot your computer to set the registry.


~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~`


Perform an online scan with Panda ActiveScan
* Click on Scan Your PC Now
* A "pop up" window will appear, or a new tab will open.
* Click on Register
* Choose the option you like most, but we recommend the Free Registration.

Click on Register Posted Image
# Enter your e-mail address, and create a password.
# Select "I do not want to receive any type of information". (unless you want to receive such information)
# Click on Send
# Confirm registration, and continue by entering your user name and password, then click on Enter
# Select Full Scan, then Click on Scan Now
# Wait for the components to be loaded and installed. Don't close this window or go to another page while it is downloading. You can continue using the Internet by opening another window in your browser.
# If it finds any malware it can disinfect, the Disinfect button will be enabled. Click on Disinfect
# Please ignore the offer to buy the program. Click on Export To
Posted Image

* Export the log and save it to your desktop.
* Please post the contents of that log in your next reply.
* Turn off the real time scanner of any existing antivirus program while performing the online scan


In your next reply post:
File requested scanned
Panda log
new HJT log

Please do not PM me for HJT help, we all benefit from posting on the open board.
Sometimes the angels fly close enough to you that you can hear the flutter of their wings..
MS - MVP Consumer Security 2009 - 2013

#11 sandek1

sandek1

    Member

  • Members
  • 14 posts

Posted 28 October 2009 - 06:52 PM

Hi Again and Thanks again for the help. I kept checking for an email from PC Pitstop, saying I had a reply but didn't get one this time. Luckily, I checked the thread at work today and saw your instructions.
Here is my File from Virus Total, I will post others as I do them tonight.
File Updater.exe received on 2009.10.07 11:04:06 (UTC)
Current status: finished

Result: 0/41 (0.00%)
Compact Print results
Antivirus Version Last Update Result
a-squared 4.5.0.41 2009.10.07 -
AhnLab-V3 5.0.0.2 2009.10.06 -
AntiVir 7.9.1.33 2009.10.07 -
Antiy-AVL 2.0.3.7 2009.10.05 -
Authentium 5.1.2.4 2009.10.07 -
Avast 4.8.1351.0 2009.10.06 -
AVG 8.5.0.420 2009.10.04 -
BitDefender 7.2 2009.10.07 -
CAT-QuickHeal 10.00 2009.10.07 -
ClamAV 0.94.1 2009.10.07 -
Comodo 2526 2009.10.07 -
DrWeb 5.0.0.12182 2009.10.07 -
eSafe 7.0.17.0 2009.10.06 -
eTrust-Vet 35.1.7055 2009.10.07 -
F-Prot 4.5.1.85 2009.10.06 -
F-Secure 8.0.14470.0 2009.10.07 -
Fortinet 3.120.0.0 2009.10.07 -
GData 19 2009.10.07 -
Ikarus T3.1.1.72.0 2009.10.07 -
Jiangmin 11.0.800 2009.10.07 -
K7AntiVirus 7.10.863 2009.10.06 -
Kaspersky 7.0.0.125 2009.10.07 -
McAfee 5763 2009.10.06 -
McAfee+Artemis 5763 2009.10.06 -
McAfee-GW-Edition 6.8.5 2009.10.07 -
Microsoft 1.5101 2009.10.07 -
NOD32 4486 2009.10.07 -
Norman 6.01.09 2009.10.06 -
nProtect 2009.1.8.0 2009.10.07 -
Panda 10.0.2.2 2009.10.06 -
PCTools 4.4.2.0 2009.10.07 -
Prevx 3.0 2009.10.07 -
Rising 21.49.22.00 2009.09.30 -
Sophos 4.45.0 2009.10.07 -
Sunbelt 3.2.1858.2 2009.10.07 -
Symantec 1.4.4.12 2009.10.07 -
TheHacker 6.5.0.2.032 2009.10.06 -
TrendMicro 8.950.0.1094 2009.10.07 -
VBA32 3.12.10.11 2009.10.07 -
ViRobot 2009.10.7.1974 2009.10.07 -
VirusBuster 4.6.5.0 2009.10.06 -
Additional information
File size: 212992 bytes
MD5 : 50d1955bca8825da78fc00f62fbb2b1d
SHA1 : fed45a6f55043a80df063122ad683aa2dfb13066
SHA256: 61e45b3b7b74f327c918a6834a9b535b4f00d0dd2df0f2b04f82b07bf197c42f
PEInfo: PE Structure information

( base data )
entrypointaddress.: 0x16AE8
timedatestamp.....: 0x40E48014 (Thu Jul 1 23:20:20 2004)
machinetype.......: 0x14C (Intel I386)

( 4 sections )
name viradd virsiz rawdsiz ntrpy md5
.text 0x1000 0x1883A 0x19000 6.29 3fa575f95a67d11c40bdb9f71bd588d1
.rdata 0x1A000 0x802C 0x9000 4.72 51ee4690f6f516855a2f7c0541b2ce98
.data 0x23000 0x5C0 0x1000 1.90 fdd1dd8c066fff2be9066219365945aa
.rsrc 0x24000 0xF6E0 0x10000 4.81 6a1d022d51e9cf609791f096e89244ee

( 0 imports )


( 0 exports )

TrID : File type identification
Win32 Executable MS Visual C++ (generic) (65.2%)
Win32 Executable Generic (14.7%)
Win32 Dynamic Link Library (generic) (13.1%)
Generic Win/DOS Executable (3.4%)
DOS Executable Generic (3.4%)
ThreatExpert: http://www.threatexp...8fc00f62fbb2b1d
ssdeep: 3072:KL4FqD1ceiQUOhNSenyPWaXj8h+tbOcjc:VgD1czQ/oWaXQh+tbO
PEiD : -
CWSandbox: http://research.sunb...8fc00f62fbb2b1d
RDS : NSRL Reference Data Set

#12 Juliet

Juliet

    Advanced Member

  • Trusted Malware Techs
  • 22,085 posts
  • Gender:Female


Posted 28 October 2009 - 09:52 PM

I kept checking for an email from PC Pitstop, saying I had a reply but didn't get one this time.

Check the options button at the top of the page, make sure it's set to immediate notification.

So far the logs are returning in good shape.

Edited by Juliet, 28 October 2009 - 09:52 PM.

Please do not PM me for HJT help, we all benefit from posting on the open board.
Sometimes the angels fly close enough to you that you can hear the flutter of their wings..
MS - MVP Consumer Security 2009 - 2013

#13 sandek1

sandek1

    Member

  • Members
  • 14 posts

Posted 29 October 2009 - 05:17 AM

Good Morning! Here is my Panda Log: ;*********************************************************************************************************************************************************************************** ANALYSIS: 2009-10-29 06:16:03 PROTECTIONS: 1 MALWARE: 18 SUSPECTS: 0 ;*********************************************************************************************************************************************************************************** PROTECTIONS Description Version Active Updated ;=================================================================================================================================================================================== McAfee VirusScan Yes Yes ;=================================================================================================================================================================================== MALWARE Id Description Type Active Severity Disinfectable Disinfected Location ;=================================================================================================================================================================================== 00139059 Cookie/Traffic Marketplace TrackingCookie No 0 Yes No c:\documents and settings\owner\cookies\owner@trafficmp[2].txt 00145405 Cookie/RealMedia TrackingCookie No 0 Yes No c:\documents and settings\owner\cookies\owner@247realmedia[2].txt 00145731 Cookie/Tribalfusion TrackingCookie No 0 Yes No c:\documents and settings\owner\cookies\owner@tribalfusion[1].txt 00167642 Cookie/Com.com TrackingCookie No 0 Yes No c:\documents and settings\owner\cookies\owner@com[1].txt 00168056 Cookie/YieldManager TrackingCookie No 0 Yes No c:\documents and settings\owner\cookies\owner@ad.yieldmanager[2].txt 00168090 Cookie/Serving-sys TrackingCookie No 0 Yes No c:\documents and settings\owner\cookies\owner@serving-sys[2].txt 00168093 Cookie/Serving-sys TrackingCookie No 0 Yes No c:\documents and settings\owner\cookies\owner@bs.serving-sys[1].txt 00168110 Cookie/Server.iad.Liveperson TrackingCookie No 0 Yes No c:\documents and settings\owner\cookies\owner@server.iad.liveperson[1].txt 00170495 Cookie/PointRoll TrackingCookie No 0 Yes No c:\documents and settings\owner\cookies\owner@ads.pointroll[2].txt 00170554 Cookie/Overture TrackingCookie No 0 Yes No c:\documents and settings\owner\cookies\owner@overture[1].txt 00170556 Cookie/RealMedia TrackingCookie No 0 Yes No c:\documents and settings\owner\cookies\owner@realmedia[1].txt 00171982 Cookie/QuestionMarket TrackingCookie No 0 Yes No c:\documents and settings\owner\cookies\owner@questionmarket[2].txt 00207338 Cookie/Target TrackingCookie No 0 Yes No c:\documents and settings\owner\cookies\owner@target[1].txt 00213030 application/regclean32 HackTools No 0 Yes No hkey_current_user\software\registry cleaner 00213030 application/regclean32 HackTools No 0 Yes No c:\documents and settings\owner\application data\registry cleaner 00262020 Cookie/Atwola TrackingCookie No 0 Yes No c:\documents and settings\owner\cookies\owner@atwola[1].txt 00966839 Spyware/Virtumonde Spyware No 1 Yes No c:\program files\viewpoint\viewpoint experience technology\newcomponents\swfview.dll 02885963 Rootkit/Booto.C Virus/Worm No 0 Yes Yes c:\system volume information\_restore{f845e3db-f751-4be4-a620-64f2ca1bfb5f}\rp2\a0000170.sys 02885963 Rootkit/Booto.C Virus/Worm No 0 Yes Yes c:\system volume information\_restore{f845e3db-f751-4be4-a620-64f2ca1bfb5f}\rp3\a0000292.sys 03074964 Trj/CI.A Virus/Trojan No 0 Yes No c:\system volume information\_restore{f845e3db-f751-4be4-a620-64f2ca1bfb5f}\rp3\a0000385.exe 03074964 Trj/CI.A Virus/Trojan No 0 No No c:\system volume information\_restore{f845e3db-f751-4be4-a620-64f2ca1bfb5f}\rp2\a0000140.exe[32788r22fwjfw\exereg.exe] 03074964 Trj/CI.A Virus/Trojan No 0 No No c:\system volume information\_restore{f845e3db-f751-4be4-a620-64f2ca1bfb5f}\rp3\a0000259.exe[32788r22fwjfw\exereg.exe] 03074964 Trj/CI.A Virus/Trojan No 0 No No c:\documents and settings\owner\desktop\sandek1.exe[32788r22fwjfw\exereg.exe] ;=================================================================================================================================================================================== SUSPECTS Sent Location ;=================================================================================================================================================================================== ;=================================================================================================================================================================================== VULNERABILITIES Id Severity Description ;=================================================================================================================================================================================== ;===================================================================================================================================================================================

#14 sandek1

sandek1

    Member

  • Members
  • 14 posts

Posted 29 October 2009 - 05:22 AM

And Finally, my HJT log:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 6:21:01 AM, on 10/29/2009
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16915)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Updater.exe
C:\Program Files\Digital Media Reader\shwiconem.exe
C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe
C:\Program Files\Unlocker\UnlockerAssistant.exe
C:\Program Files\McAfee.com\Agent\mcagent.exe
C:\Program Files\Canon\MyPrinter\BJMyPrt.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Palm\Hotsync.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
c:\program files\common files\mcafee\mna\mcnasvc.exe
c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe
C:\Program Files\McAfee\MPF\MPFSrv.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\Program Files\Common Files\New Boundary\PrismXL\PRISMXL.SYS
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Documents and Settings\Owner\Desktop\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.ezanga.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft....k/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft....k/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft....k/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft....k/?LinkId=69157
R3 - URLSearchHook: Swag Bucks Toolbar - {8bdea9d6-6f62-45eb-8ee9-8a81af0d2f94} - C:\Program Files\Swag_Bucks\tbSwag.dll
O2 - BHO: (no name) - {02478D38-C3F9-4efb-9B51-7695ECA05670} - (no file)
O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
O2 - BHO: scriptproxy - {7DB2D5A0-7241-4E79-B68D-6309F01C5231} - C:\Program Files\McAfee\VirusScan\scriptsn.dll
O2 - BHO: (no name) - {A2234B15-23F2-42AD-F4E4-00AAC39C0004} - (no file)
O2 - BHO: Java™ Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O3 - Toolbar: &RoboForm - {724d43a0-0d85-11d4-9908-00400523e39a} - C:\Program Files\Siber Systems\AI RoboForm\roboform.dll
O3 - Toolbar: Swag Bucks Toolbar - {8bdea9d6-6f62-45eb-8ee9-8a81af0d2f94} - C:\Program Files\Swag_Bucks\tbSwag.dll
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [iRiver Updater] \Updater.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [SunKistEM] C:\Program Files\Digital Media Reader\shwiconem.exe
O4 - HKLM\..\Run: [RemoteControl] "C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe"
O4 - HKLM\..\Run: [Recguard] C:\WINDOWS\SMINST\RECGUARD.EXE
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NVMixerTray] "C:\Program Files\NVIDIA Corporation\NvMixer\NVMixerTray.exe"
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [EPSON Stylus CX4800 Series] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_FATIADA.EXE /P26 "EPSON Stylus CX4800 Series" /O6 "USB001" /M "Stylus CX4800"
O4 - HKLM\..\Run: [UnlockerAssistant] "C:\Program Files\Unlocker\UnlockerAssistant.exe" -H
O4 - HKLM\..\Run: [mcagent_exe] "C:\Program Files\McAfee.com\Agent\mcagent.exe" /runkey
O4 - HKLM\..\Run: [CanonMyPrinter] C:\Program Files\Canon\MyPrinter\BJMyPrt.exe /logon
O4 - HKLM\..\Run: [Adobe ARM] "C:\Program Files\Common Files\Adobe\ARM\1.0\AdobeARM.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - Startup: HotSync Manager.LNK = C:\Program Files\Palm\Hotsync.exe
O4 - Global Startup: HOTSYNCSHORTCUTNAME.lnk = C:\Program Files\Palm\Hotsync.exe
O8 - Extra context menu item: Customize Menu - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComCustomizeIEMenu.html
O8 - Extra context menu item: Fill Forms - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComFillForms.html
O8 - Extra context menu item: Lookup on Merriam Webster - file://C:\Program Files\ieSpell\Merriam Webster.HTM
O8 - Extra context menu item: Lookup on Wikipedia - file://C:\Program Files\ieSpell\wikipedia.HTM
O8 - Extra context menu item: RoboForm Toolbar - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComShowToolbar.html
O8 - Extra context menu item: Save Forms - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComSavePass.html
O9 - Extra button: Fill Forms - {320AF880-6646-11D3-ABEE-C5DBF3571F46} - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComFillForms.html
O9 - Extra 'Tools' menuitem: Fill Forms - {320AF880-6646-11D3-ABEE-C5DBF3571F46} - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComFillForms.html
O9 - Extra button: Save - {320AF880-6646-11D3-ABEE-C5DBF3571F49} - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComSavePass.html
O9 - Extra 'Tools' menuitem: Save Forms - {320AF880-6646-11D3-ABEE-C5DBF3571F49} - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComSavePass.html
O9 - Extra button: RoboForm - {724d43aa-0d85-11d4-9908-00400523e39a} - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComShowToolbar.html
O9 - Extra 'Tools' menuitem: RoboForm Toolbar - {724d43aa-0d85-11d4-9908-00400523e39a} - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComShowToolbar.html
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra button: VIP Casino - {3B501CBC-D009-4DAB-ADAF-B882F2F0A447} - C:\Documents and Settings\Owner\Desktop\VIP Casino.lnk (file missing) (HKCU)
O9 - Extra 'Tools' menuitem: VIP Casino - {3B501CBC-D009-4DAB-ADAF-B882F2F0A447} - C:\Documents and Settings\Owner\Desktop\VIP Casino.lnk (file missing) (HKCU)
O15 - Trusted Zone: http://*.mcafee.com
O16 - DPF: {05CA9FB0-3E3E-4B36-BF41-0E3A5CAA8CD8} (Office Genuine Advantage Validation Tool) - http://go.microsoft....k/?linkid=58813
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft....k/?linkid=39204
O16 - DPF: {3DC2E31C-371A-4BD3-9A27-CDF57CE604CF} (MSN Money Charting) - http://moneycentral....bs/pmupd806.exe
O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} (McAfee.com Operating System Class) - http://download.mcaf...01/mcinsctl.cab
O16 - DPF: {9191F686-7F0A-441D-8A98-2FE3AC1BD913} (ActiveScan 2.0 Installer Class) - http://acs.pandasoft...s/as2stubie.cab
O16 - DPF: {BCC0FF27-31D9-4614-A68E-C18E1ADA4389} (DwnldGroupMgr Class) - http://download.mcaf...,26/mcgdmgr.cab
O16 - DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - http://platformdl.ad...Plus/1.6/gp.cab
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: McAfee Services (mcmscsvc) - McAfee, Inc. - C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
O23 - Service: McAfee Network Agent (McNASvc) - McAfee, Inc. - c:\program files\common files\mcafee\mna\mcnasvc.exe
O23 - Service: McAfee Scanner (McODS) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcods.exe
O23 - Service: McAfee Proxy Service (McProxy) - McAfee, Inc. - c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
O23 - Service: McAfee Real-time Scanner (McShield) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe
O23 - Service: McAfee SystemGuards (McSysmon) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe
O23 - Service: McAfee Personal Firewall Service (MpfService) - McAfee, Inc. - C:\Program Files\McAfee\MPF\MPFSrv.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: PrismXL - New Boundary Technologies, Inc. - C:\Program Files\Common Files\New Boundary\PrismXL\PRISMXL.SYS

--
End of file - 9212 bytes

#15 Juliet

Juliet

    Advanced Member

  • Trusted Malware Techs
  • 22,085 posts
  • Gender:Female


Posted 29 October 2009 - 06:51 AM

Welcome back


That scan actually came back in good shape.


*****

Open HijackThis, Click Do a system scan only, checkmark these. Then close all other windows and browsers except HijackThis and press fix checked.

O2 - BHO: (no name) - {02478D38-C3F9-4efb-9B51-7695ECA05670} - (no file)
O2 - BHO: (no name) - {A2234B15-23F2-42AD-F4E4-00AAC39C0004} - (no file)


Reboot.


From what I see we're ready for closing and preventive tips?
Please do not PM me for HJT help, we all benefit from posting on the open board.
Sometimes the angels fly close enough to you that you can hear the flutter of their wings..
MS - MVP Consumer Security 2009 - 2013

#16 sandek1

sandek1

    Member

  • Members
  • 14 posts

Posted 29 October 2009 - 05:15 PM

Hi Juliete! I am so happy that we are almost done with this. You have helped me more than I can say not to mention the money I saved on being able to do this instead of taking my PC to someone to work on. I remover the last 2 items as you suggested and am ready to start the preventative tips. I would like to cancel my McAfee subscription and go with free programs if you think that would be wise, since McAfee failed to catch this and reported nothing afterwards, when I perfomed scans. I am open to your suggestions. Thanks Again, Kathy :clap:

#17 Juliet

Juliet

    Advanced Member

  • Trusted Malware Techs
  • 22,085 posts
  • Gender:Female


Posted 29 October 2009 - 06:36 PM

Welcome back Kathy, glad we could help.


An antivirus can't do it all. Thats why we suggest a layered approach to secure a computer.

I'll list the free choices and you can make a decision what to do.


Let's uninstall Combofix first.

Don't miss or skip this next step, this will remove malicious files from quarantine and set a clean restore point.

Go to Start > Run > copy and paste the full text path in the run box

Start > Run & typing in ComboFix /Uninstall

Note the space between the x and the /u, it needs to be there.

Let me know if you receive any error messages.

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~


I can give you links to free Antivirus and Firewall programs which are used by a very many.
What you'll probably have to do is experiment some what to find one that runs well on your machine.
For antivirus, you might wanna try out the freeware Antivirus -

Avira

Here is the support and home page.
http://www.free-av.c...tion/index.html

Avast!
How to Install, Configure, and Use Avast Antivirus

AVG Free ,
http://free.grisoft....wnloads?prd=aff
This is a very useful read:
http://grandstreamdr...-version-8.html

Never install more than one antivirus scanner or firewall on your system




Your good to go, good job!


Please take the time to read over a few of my preventive tips.


Please navigate to Microsoft Windows Updates and download all the "Critical Updates" for Windows.


Firefox 3
The award-winning Web browser is now faster, more secure, and fully customizable to your online life. With Firefox 3, added powerful new features that make your online experience even better. It has more features and is a lot more secure than IE. It is a very easy and painless download and install, it will no way interfere with IE, you can use them both.
*NoScript - Addon for Firefox that stops all scripts from running on websites. Stops malicious software from invading via flash, java, javascript, and many other entry points.

WOT Web of Trust, warns you about risky websites that try to scam visitors, deliver malware or send spam. Protect your computer against online threats by using WOT as your front-line layer of protection when browsing or searching in unfamiliar territory. WOT's color-coded icons show you ratings for 21 million websites - green to go, yellow for caution and red to stop, helping you avoid the dangerous sites. WOT has an addon available for both Firefox and IE.

How to prevent Malware: Created by Miekiemoes

Here are some additional utilities that will further enhance your safety.
# http://www.trillian.cc → Trillian or http://www.miranda-im.com → Miranda-IM - These are Malware free Instant Messenger programs which allow you to connect to multiple IM services in one program! (AOL, Yahoo, ICQ, IRC, MSN)

Scan your computer regularly for malware
Scan on a regular basis to keep your computer clean, free software such as Malwarebytes Anti-Malware (MBAM) and SUPERAntiSpyware-
Please note that these products can also be run as free without a licience as a scan on demand scanner.

Backup regularly

You never know when your PC will become unstable or become so infected that you can't recover it. Follow this Microsoft article to learn how to backup. Follow this article by Microsoft to restore your backups.

Alternatively, you can use 3rd-party programs to back up your data. One example can be found at Bleeping Computer.

Avoid P2P

P2P may be a great way to get lots of stuffs, but it is a great way to get infected as well. There's no way to tell if the file being shared is infected. Worse still, some worms spread via P2P networks, infecting you as well. If you do need to use them, use them sparingly. Check this list of clean and infected P2P programs if you need to use one.

Please read this article 'Safe Computing Practices'.
So how did I get infected in the first place.

Secure My Computer: A Layered Approach

Strong passwords: How to create and use them

Free Antivirus-AntiSpyware-Firewall Software

Keep a backup of your important files - Now, more than ever, it's especially important to protect your digital files and memories. This article is full of good information on alternatives for home backup solutions.

Slow Computer May Not Be Malware Related, Help! My computer is slow!
http://users.telenet...owcomputer.html


PC Safety and Security--What Do I Need?
http://www.techsuppo...-do-i-need.html

Stand Up and Be Counted ---> Malware Complaints <--- where you can make difference!
This site offers people who have been (or are) victims of malware the opportunity to document their story.

Extra note:
Make sure your programs are up to date - because older versions may contain Security Leaks. To find out what programs need to be updated, please run the Secunia Software Inspector Scan. http://secunia.com/software_inspector/
Please do not PM me for HJT help, we all benefit from posting on the open board.
Sometimes the angels fly close enough to you that you can hear the flutter of their wings..
MS - MVP Consumer Security 2009 - 2013

#18 sandek1

sandek1

    Member

  • Members
  • 14 posts

Posted 30 October 2009 - 07:51 PM

This is great info, Juliet. Thanks again. I will work through these steps and check out your recommendations this weekend and keep you posted. Your help is greatly appreciated as is PC Pitstop! :tup:

#19 Juliet

Juliet

    Advanced Member

  • Trusted Malware Techs
  • 22,085 posts
  • Gender:Female


Posted 31 October 2009 - 07:17 AM

Glad we could help :sparkle:
Please do not PM me for HJT help, we all benefit from posting on the open board.
Sometimes the angels fly close enough to you that you can hear the flutter of their wings..
MS - MVP Consumer Security 2009 - 2013

#20 sandek1

sandek1

    Member

  • Members
  • 14 posts

Posted 31 October 2009 - 02:47 PM

Glad we could help :sparkle:

Hi Again,
I went to uninstall ComboFix and it ran a scan. Is that what it should do? No error messages occured.
Kathy




0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users