sandek1

rundll32.exe error need help please (Resolved)


The error I get on start up is:

"The application or DLL c:\DOCUME~1\owner\ntuser.dll is not a valid Windows image. Please check this against your installation diskette."

If I click "OK" I am able to use the Internet and check emails etc.

This problem started last weekend, when I picked up a virus.

 

I have an eMachines computer, with McAfee security suite. I picked up a virus last weekend, surfing the Internet. I seem to have removed most of it; Malwarebytes, McAfee, and Spybot have all been updated and run, with everything removed that they find. I also have Windows XP with SP3, Home Ed. ver. 2002.

Below are my logs:

 

info.txt logfile of random's system information tool 1.06 2009-10-23 12:48:14

 

======Uninstall list======

 

-->RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\09\01\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{19822917-61F6-4221-B1D0-1C3B8A06BE60}\setup.exe" -l0x9

-->RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\09\01\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{19822917-61F6-4221-B1D0-1C3B8A06BE60}\setup.exe" -l0x9 /remove

-->RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\09\01\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{57FA4E0F-82C9-417D-87BC-0186D6CB7A44}\setup.exe" -l0x9

-->RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\09\01\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{63A317D0-60A6-43FC-848A-9FE4A53B29CE}\setup.exe" -l0x9

-->RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\09\01\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{7C9F6AF4-E9D9-47FE-BE4B-E637C2FCB410}\setup.exe" -l0x9

-->RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\09\01\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{7C9F6AF4-E9D9-47FE-BE4B-E637C2FCB410}\setup.exe" -l0x9 /remove

-->RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\09\01\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{98181885-5B28-4280-9B56-452FF877D5B9}\setup.exe" -l0x9

-->RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\09\01\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{98181885-5B28-4280-9B56-452FF877D5B9}\setup.exe" -l0x9 /remove

-->RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\09\01\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{9A0B5225-B59B-4D72-B3FE-71AAA693A8E2}\setup.exe" -l0x9

-->RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\09\01\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{9A0B5225-B59B-4D72-B3FE-71AAA693A8E2}\setup.exe" -l0x9 /remove

-->RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\09\01\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{A9BB081B-C020-4D02-A763-D32204D2563D}\setup.exe" -l0x9

-->RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\09\01\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{A9BB081B-C020-4D02-A763-D32204D2563D}\setup.exe" -l0x9 /remove

-->RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\09\01\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{C029DB0E-C59F-417A-90F8-88FD5B2C4AE7}\setup.exe" -l0x9

-->rundll32.exe setupapi.dll,InstallHinfSection DefaultUninstall 132 C:\WINDOWS\INF\PCHealth.inf

Ad-aware 6 Personal-->C:\PROGRA~1\Lavasoft\AD-AWA~1\UNWISE.EXE C:\PROGRA~1\Lavasoft\AD-AWA~1\INSTALL.LOG

Adobe Flash Player 10 ActiveX-->C:\WINDOWS\system32\Macromed\Flash\uninstall_activeX.exe

Adobe Reader 7.0.5-->MsiExec.exe /I{AC76BA86-7AD7-1033-7B44-A70500000002}

Adobe Shockwave Player 11.5-->C:\WINDOWS\system32\Adobe\uninstaller.exe

Adobe SVG Viewer 3.0-->C:\Program Files\Common Files\Adobe\SVG Viewer 3.0\Uninstall\Winstall.exe -u -fC:\Program Files\Common Files\Adobe\SVG Viewer 3.0\Uninstall\Install.log

AI RoboForm (All Users)-->"C:\Program Files\Siber Systems\AI RoboForm\rfwipeout.exe"

ArcSoft Camera Suite 1.3-->RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{AD13BFB0-FDD2-4AFA-A8AF-9F4A950D56B7}\setup.exe" -l0x9

ArcSoft PhotoImpression 5-->RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{D433ABC3-0CD8-4BB0-B6A9-84501B4B47B7}\Setup.exe" -l0x9

Bicycle Casino-->"C:\Program Files\Microsoft Games\Bicycle Casino\UNINSTAL.EXE" /runtemp /addremove

CalorieKing.com Diet Diary for PalmOS-->C:\Program Files\CalorieKing.com Diet Diary for PalmOS\Uninst.exe

Canon Camera Support Core Library-->C:\Program Files\Common Files\InstallShield\Driver\8\Intel 32\IDriver.exe /M{B9B9863A-32FD-4133-ADB7-46244ED77694} /l1033

Canon Camera Window for ZoomBrowser EX-->C:\Program Files\Common Files\InstallShield\Driver\8\Intel 32\IDriver.exe /M{F37942A8-B21B-4C5A-A1D2-B676BF55EAE0}

Canon iP1800 series User Registration-->C:\Program Files\Canon\IJEREG\iP1800 series\UNINST.EXE

Canon iP1800 series-->"C:\WINDOWS\system32\CanonIJ Uninstaller Information\{1199FAD5-9546-44f3-81CF-FFDB8040B7BF}_Canon_iP1800_series\DelDrv.exe" /U:{1199FAD5-9546-44f3-81CF-FFDB8040B7BF}_Canon_iP1800_series /L0x0009

Canon MovieEdit Task for ZoomBrowser EX-->C:\Program Files\Common Files\InstallShield\Driver\8\Intel 32\IDriver.exe /M{DE286975-ACF1-45B8-9EF7-34E162B2C817}

Canon My Printer-->C:\Program Files\Canon\MyPrinter\uninst.exe uninst.ini

Canon PhotoRecord-->MsiExec.exe /X{BEF56F2D-56ED-4176-BF72-7B68D4A3B98D}

Canon RAW Image Task for ZoomBrowser EX-->C:\Program Files\Common Files\InstallShield\Driver\8\Intel 32\IDriver.exe /M{9518F764-C54D-47B2-9E73-154B21E79FD2}

Canon RemoteCapture Task for ZoomBrowser EX-->C:\Program Files\Common Files\InstallShield\Driver\8\Intel 32\IDriver.exe /M{2C164906-E68F-462A-9010-70DD022223EF}

Canon Utilities Easy-LayoutPrint-->C:\Program Files\Canon\Easy-LayoutPrint\uninst.exe uninst.ini

Canon Utilities Easy-PhotoPrint-->C:\Program Files\Canon\Easy-PhotoPrint\uninst.exe uninst.ini

Canon Utilities PhotoStitch 3.1-->C:\Program Files\Common Files\InstallShield\Driver\8\Intel 32\IDriver.exe /M{EF4C7EB0-D71B-43A3-9552-8053DE4B0401}

Canon Utilities ZoomBrowser EX-->MsiExec.exe /X{C1D76D7A-F3BB-47EA-A746-5B1E2FFC1DF2}

Creative Removable Disk Manager-->RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\09\01\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{57FA4E0F-82C9-417D-87BC-0186D6CB7A44}\setup.exe" -l0x9 /remove

Creative System Information-->RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\09\01\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{63A317D0-60A6-43FC-848A-9FE4A53B29CE}\setup.exe" -l0x9 /remove

Creative ZEN V Series (R2)-->RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\09\01\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{9862E0CB-4727-4FFC-963A-E22A9E9EC10C}\SETUP.EXE" -l0x9 /remove

Digital Media Reader-->C:\Program Files\Common Files\InstallShield\Driver\8\Intel 32\IDriver.exe /M{81EED1A1-AE78-4B11-BE47-C6AE9F5E87F1}

EasyGPS-->"C:\Program Files\EasyGPS\unins000.exe"

EPSON CX 4200 4800 Guide-->C:\Program Files\epson\guide\cx4200_4800_e\uninstall.exe

EPSON PhotoCenter-->RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{D21553E9-2EC5-4E8C-AB71-07AC07D50BBC}\setup.exe" -l0x9 anything

EPSON Printer Software-->C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\EPUPDATE.EXE /R

EPSON Scan-->C:\Program Files\epson\escndv\setup\setup.exe /r

Garmin Communicator Plugin-->MsiExec.exe /X{14C9AE19-4254-4280-ACD3-E159231DC2CD}

Garmin Trip and Waypoint Manager v3-->MsiExec.exe /X{5414086B-AE06-4332-8A59-26FF0F630D1B}

GeoBuddy-->"C:\Program Files\GeoBuddy\unins000.exe"

Google Earth-->RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\11\50\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{3DE5E7D4-7B88-403C-A3FD-2017A8240C5B}\setup.exe" -l0x9 -removeonly

HijackThis 2.0.2-->"C:\Program Files\trend micro\HijackThis.exe" /uninstall

Hotfix for Windows Internet Explorer 7 (KB947864)-->"C:\WINDOWS\ie7updates\KB947864-IE7\spuninst\spuninst.exe"

Hotfix for Windows Media Format SDK (KB902344)-->"C:\WINDOWS\$NtUninstallKB902344$\spuninst\spuninst.exe"

Hotfix for Windows XP (KB952287)-->"C:\WINDOWS\$NtUninstallKB952287$\spuninst\spuninst.exe"

Hotfix for Windows XP (KB970653-v3)-->"C:\WINDOWS\$NtUninstallKB970653-v3$\spuninst\spuninst.exe"

Java 6 Update 16-->MsiExec.exe /X{26A24AE4-039D-4CA4-87B4-2F83216016FF}

Malwarebytes' Anti-Malware-->"C:\Program Files\Malwarebytes' Anti-Malware\unins000.exe"

MapSource - US Topo v3.02-->RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{AD4203ED-7683-435E-B436-C299773A9936}\setup.exe" -l0x9 AddRemove

Masque Slots - IGT and MultiPlay Video Poker-->C:\Program Files\MasqueGames\uninstall.exe "Masque Slots - IGT and MultiPlay Video Poker.ilg"

McAfee SecurityCenter-->C:\Program Files\McAfee\MSC\mcuninst.exe

McAfee Virtual Technician-->MsiExec.exe /I{49FA793C-785E-47E9-93DF-BD442B0B45D1}

Microsoft .NET Framework 1.1 Security Update (KB953297)-->"C:\WINDOWS\Microsoft.NET\Framework\v1.1.4322\Updates\hotfix.exe" "C:\WINDOWS\Microsoft.NET\Framework\v1.1.4322\Updates\M953297\M953297Uninstall.msp"

Microsoft .NET Framework 1.1-->msiexec.exe /X {CB2F7EDD-9D1F-43C1-90FC-4F52EAE172A1}

Microsoft .NET Framework 1.1-->MsiExec.exe /X{CB2F7EDD-9D1F-43C1-90FC-4F52EAE172A1}

Microsoft Internationalized Domain Names Mitigation APIs-->"C:\WINDOWS\$NtServicePackUninstallIDNMitigationAPIs$\spuninst\spuninst.exe"

Microsoft Money 2004 System Pack-->MsiExec.exe /I{8C64E145-54BA-11D6-91B1-00500462BE80}

Microsoft Money 2004-->MsiExec.exe /I{1D643CD7-4DD6-11D7-A4E0-000874180BB3}

Microsoft National Language Support Downlevel APIs-->"C:\WINDOWS\$NtServicePackUninstallNLSDownlevelMapping$\spuninst\spuninst.exe"

Microsoft Office 2000 Professional-->MsiExec.exe /I{00010409-78E1-11D2-B60F-006097C998E7}

Microsoft Visual C++ 2005 Redistributable-->MsiExec.exe /X{837b34e3-7c30-493c-8f6a-2b0f04e2912c}

Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.17-->MsiExec.exe /X{9A25302D-30C0-39D9-BD6F-21E6EC160475}

Microsoft Works-->MsiExec.exe /I{416D80BA-6F6D-4672-B7CF-F54DA2F80B44}

Move Networks Player for Internet Explorer-->"C:\Documents and Settings\Owner\Application Data\Move Networks\ie_bin\unins000.exe"

MSN Money Investment Toolbox-->"C:\Program Files\Microsoft Money 2006\MNYCoreFiles\Setup\uninst.exe" /s:5

MSN Music Assistant-->rundll32 advpack.dll,LaunchINFSection C:\WINDOWS\INF\msninst.inf,Uninstall

MSXML 4.0 SP2 (KB927978)-->MsiExec.exe /I{37477865-A3F1-4772-AD43-AAFC6BCFF99F}

MSXML 4.0 SP2 (KB936181)-->MsiExec.exe /I{C04E32E0-0416-434D-AFB9-6969D703A9EF}

MSXML 4.0 SP2 (KB954430)-->MsiExec.exe /I{86493ADD-824D-4B8E-BD72-8C5DCDC52A71}

Napster for Windows Media Player-->RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\09\01\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{CF2606C7-63AF-40F4-8919-F2EC654ACC91}\setup.exe" -l0x9

Nero BurnRights-->C:\WINDOWS\UNNeroBurnRights.exe /UNINSTALL

Nero OEM-->C:\Program Files\Ahead\nero\uninstall\UNNERO.exe /UNINSTALL

NVIDIA Drivers-->C:\WINDOWS\system32\NVUNINST.EXE UninstallGUI

NvMixer-->RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{D7A6C517-11F2-419F-B5BB-27772B939698}\setup.exe" -uninstall

OverDrive Media Console-->MsiExec.exe /I{16D9439B-DF3D-43D1-A727-4B335300D07A}

Palm-->MsiExec.exe /X{0030188A-533E-42EE-9837-E044F10E4369}

PowerDVD-->RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{6811CAA0-BF12-11D4-9EA1-0050BAE317E1}\setup.exe" -uninstall

QuickTime-->MsiExec.exe /I{08094E03-AFE4-4853-9D31-6D0743DF5328}

RealPlayer Basic-->C:\Program Files\Common Files\Real\Update\\rnuninst.exe RealNetworks|RealPlayer|6.0

Security Update for Windows Internet Explorer 7 (KB937143)-->"C:\WINDOWS\ie7updates\KB937143-IE7\spuninst\spuninst.exe"

Security Update for Windows Internet Explorer 7 (KB938127)-->"C:\WINDOWS\ie7updates\KB938127-IE7\spuninst\spuninst.exe"

Security Update for Windows Internet Explorer 7 (KB939653)-->"C:\WINDOWS\ie7updates\KB939653-IE7\spuninst\spuninst.exe"

Security Update for Windows Internet Explorer 7 (KB942615)-->"C:\WINDOWS\ie7updates\KB942615-IE7\spuninst\spuninst.exe"

Security Update for Windows Internet Explorer 7 (KB944533)-->"C:\WINDOWS\ie7updates\KB944533-IE7\spuninst\spuninst.exe"

Security Update for Windows Internet Explorer 7 (KB950759)-->"C:\WINDOWS\ie7updates\KB950759-IE7\spuninst\spuninst.exe"

Security Update for Windows Internet Explorer 7 (KB953838)-->"C:\WINDOWS\ie7updates\KB953838-IE7\spuninst\spuninst.exe"

Security Update for Windows Internet Explorer 7 (KB956390)-->"C:\WINDOWS\ie7updates\KB956390-IE7\spuninst\spuninst.exe"

Security Update for Windows Internet Explorer 7 (KB958215)-->"C:\WINDOWS\ie7updates\KB958215-IE7\spuninst\spuninst.exe"

Security Update for Windows Internet Explorer 7 (KB960714)-->"C:\WINDOWS\ie7updates\KB960714-IE7\spuninst\spuninst.exe"

Security Update for Windows Internet Explorer 7 (KB961260)-->"C:\WINDOWS\ie7updates\KB961260-IE7\spuninst\spuninst.exe"

Security Update for Windows Internet Explorer 7 (KB963027)-->"C:\WINDOWS\ie7updates\KB963027-IE7\spuninst\spuninst.exe"

Security Update for Windows Internet Explorer 7 (KB969897)-->"C:\WINDOWS\ie7updates\KB969897-IE7\spuninst\spuninst.exe"

Security Update for Windows Internet Explorer 7 (KB972260)-->"C:\WINDOWS\ie7updates\KB972260-IE7\spuninst\spuninst.exe"

Security Update for Windows Internet Explorer 7 (KB974455)-->"C:\WINDOWS\ie7updates\KB974455-IE7\spuninst\spuninst.exe"

Security Update for Windows Media Player (KB952069)-->"C:\WINDOWS\$NtUninstallKB952069_WM9$\spuninst\spuninst.exe"

Security Update for Windows Media Player (KB954155)-->"C:\WINDOWS\$NtUninstallKB954155_WM9$\spuninst\spuninst.exe"

Security Update for Windows Media Player (KB968816)-->"C:\WINDOWS\$NtUninstallKB968816_WM9$\spuninst\spuninst.exe"

Security Update for Windows Media Player (KB973540)-->"C:\WINDOWS\$NtUninstallKB973540_WM9$\spuninst\spuninst.exe"

Security Update for Windows Media Player 10 (KB917734)-->"C:\WINDOWS\$NtUninstallKB917734_WMP10$\spuninst\spuninst.exe"

Security Update for Windows Media Player 10 (KB936782)-->"C:\WINDOWS\$NtUninstallKB936782_WMP10$\spuninst\spuninst.exe"

Security Update for Windows XP (KB923561)-->"C:\WINDOWS\$NtUninstallKB923561$\spuninst\spuninst.exe"

Security Update for Windows XP (KB938464)-->"C:\WINDOWS\$NtUninstallKB938464$\spuninst\spuninst.exe"

Security Update for Windows XP (KB941569)-->"C:\WINDOWS\$NtUninstallKB941569$\spuninst\spuninst.exe"

Security Update for Windows XP (KB946648)-->"C:\WINDOWS\$NtUninstallKB946648$\spuninst\spuninst.exe"

Security Update for Windows XP (KB950760)-->"C:\WINDOWS\$NtUninstallKB950760$\spuninst\spuninst.exe"

Security Update for Windows XP (KB950762)-->"C:\WINDOWS\$NtUninstallKB950762$\spuninst\spuninst.exe"

Security Update for Windows XP (KB950974)-->"C:\WINDOWS\$NtUninstallKB950974$\spuninst\spuninst.exe"

Security Update for Windows XP (KB951066)-->"C:\WINDOWS\$NtUninstallKB951066$\spuninst\spuninst.exe"

Security Update for Windows XP (KB951376)-->"C:\WINDOWS\$NtUninstallKB951376$\spuninst\spuninst.exe"

Security Update for Windows XP (KB951376-v2)-->"C:\WINDOWS\$NtUninstallKB951376-v2$\spuninst\spuninst.exe"

Security Update for Windows XP (KB951698)-->"C:\WINDOWS\$NtUninstallKB951698$\spuninst\spuninst.exe"

Security Update for Windows XP (KB951748)-->"C:\WINDOWS\$NtUninstallKB951748$\spuninst\spuninst.exe"

Security Update for Windows XP (KB952004)-->"C:\WINDOWS\$NtUninstallKB952004$\spuninst\spuninst.exe"

Security Update for Windows XP (KB952954)-->"C:\WINDOWS\$NtUninstallKB952954$\spuninst\spuninst.exe"

Security Update for Windows XP (KB953839)-->"C:\WINDOWS\$NtUninstallKB953839$\spuninst\spuninst.exe"

Security Update for Windows XP (KB954211)-->"C:\WINDOWS\$NtUninstallKB954211$\spuninst\spuninst.exe"

Security Update for Windows XP (KB954459)-->"C:\WINDOWS\$NtUninstallKB954459$\spuninst\spuninst.exe"

Security Update for Windows XP (KB954600)-->"C:\WINDOWS\$NtUninstallKB954600$\spuninst\spuninst.exe"

Security Update for Windows XP (KB955069)-->"C:\WINDOWS\$NtUninstallKB955069$\spuninst\spuninst.exe"

Security Update for Windows XP (KB956391)-->"C:\WINDOWS\$NtUninstallKB956391$\spuninst\spuninst.exe"

Security Update for Windows XP (KB956572)-->"C:\WINDOWS\$NtUninstallKB956572$\spuninst\spuninst.exe"

Security Update for Windows XP (KB956744)-->"C:\WINDOWS\$NtUninstallKB956744$\spuninst\spuninst.exe"

Security Update for Windows XP (KB956802)-->"C:\WINDOWS\$NtUninstallKB956802$\spuninst\spuninst.exe"

Security Update for Windows XP (KB956803)-->"C:\WINDOWS\$NtUninstallKB956803$\spuninst\spuninst.exe"

Security Update for Windows XP (KB956841)-->"C:\WINDOWS\$NtUninstallKB956841$\spuninst\spuninst.exe"

Security Update for Windows XP (KB956844)-->"C:\WINDOWS\$NtUninstallKB956844$\spuninst\spuninst.exe"

Security Update for Windows XP (KB957095)-->"C:\WINDOWS\$NtUninstallKB957095$\spuninst\spuninst.exe"

Security Update for Windows XP (KB957097)-->"C:\WINDOWS\$NtUninstallKB957097$\spuninst\spuninst.exe"

Security Update for Windows XP (KB958644)-->"C:\WINDOWS\$NtUninstallKB958644$\spuninst\spuninst.exe"

Security Update for Windows XP (KB958687)-->"C:\WINDOWS\$NtUninstallKB958687$\spuninst\spuninst.exe"

Security Update for Windows XP (KB958690)-->"C:\WINDOWS\$NtUninstallKB958690$\spuninst\spuninst.exe"

Security Update for Windows XP (KB958869)-->"C:\WINDOWS\$NtUninstallKB958869$\spuninst\spuninst.exe"

Security Update for Windows XP (KB959426)-->"C:\WINDOWS\$NtUninstallKB959426$\spuninst\spuninst.exe"

Security Update for Windows XP (KB960225)-->"C:\WINDOWS\$NtUninstallKB960225$\spuninst\spuninst.exe"

Security Update for Windows XP (KB960715)-->"C:\WINDOWS\$NtUninstallKB960715$\spuninst\spuninst.exe"

Security Update for Windows XP (KB960803)-->"C:\WINDOWS\$NtUninstallKB960803$\spuninst\spuninst.exe"

Security Update for Windows XP (KB960859)-->"C:\WINDOWS\$NtUninstallKB960859$\spuninst\spuninst.exe"

Security Update for Windows XP (KB961371)-->"C:\WINDOWS\$NtUninstallKB961371$\spuninst\spuninst.exe"

Security Update for Windows XP (KB961373)-->"C:\WINDOWS\$NtUninstallKB961373$\spuninst\spuninst.exe"

Security Update for Windows XP (KB961501)-->"C:\WINDOWS\$NtUninstallKB961501$\spuninst\spuninst.exe"

Security Update for Windows XP (KB968537)-->"C:\WINDOWS\$NtUninstallKB968537$\spuninst\spuninst.exe"

Security Update for Windows XP (KB969059)-->"C:\WINDOWS\$NtUninstallKB969059$\spuninst\spuninst.exe"

Security Update for Windows XP (KB969898)-->"C:\WINDOWS\$NtUninstallKB969898$\spuninst\spuninst.exe"

Security Update for Windows XP (KB970238)-->"C:\WINDOWS\$NtUninstallKB970238$\spuninst\spuninst.exe"

Security Update for Windows XP (KB971486)-->"C:\WINDOWS\$NtUninstallKB971486$\spuninst\spuninst.exe"

Security Update for Windows XP (KB971557)-->"C:\WINDOWS\$NtUninstallKB971557$\spuninst\spuninst.exe"

Security Update for Windows XP (KB971633)-->"C:\WINDOWS\$NtUninstallKB971633$\spuninst\spuninst.exe"

Security Update for Windows XP (KB971657)-->"C:\WINDOWS\$NtUninstallKB971657$\spuninst\spuninst.exe"

Security Update for Windows XP (KB971961)-->"C:\WINDOWS\$NtUninstallKB971961$\spuninst\spuninst.exe"

Security Update for Windows XP (KB973346)-->"C:\WINDOWS\$NtUninstallKB973346$\spuninst\spuninst.exe"

Security Update for Windows XP (KB973354)-->"C:\WINDOWS\$NtUninstallKB973354$\spuninst\spuninst.exe"

Security Update for Windows XP (KB973507)-->"C:\WINDOWS\$NtUninstallKB973507$\spuninst\spuninst.exe"

Security Update for Windows XP (KB973525)-->"C:\WINDOWS\$NtUninstallKB973525$\spuninst\spuninst.exe"

Security Update for Windows XP (KB973869)-->"C:\WINDOWS\$NtUninstallKB973869$\spuninst\spuninst.exe"

Security Update for Windows XP (KB974112)-->"C:\WINDOWS\$NtUninstallKB974112$\spuninst\spuninst.exe"

Security Update for Windows XP (KB974571)-->"C:\WINDOWS\$NtUninstallKB974571$\spuninst\spuninst.exe"

Security Update for Windows XP (KB975025)-->"C:\WINDOWS\$NtUninstallKB975025$\spuninst\spuninst.exe"

Security Update for Windows XP (KB975467)-->"C:\WINDOWS\$NtUninstallKB975467$\spuninst\spuninst.exe"

SoftV92 Data Fax Modem with SmartCP-->C:\Program Files\CONEXANT\CNXT_MODEM_PCI_VEN_14F1&DEV_2F20&SUBSYS_200014F1\HXFSETUP.EXE -U -IURSLST5K.inf

Spybot - Search & Destroy-->"C:\Program Files\Spybot - Search & Destroy\unins000.exe"

Swag_Bucks Toolbar-->C:\PROGRA~1\SWAG_B~1\UNWISE.EXE /U C:\PROGRA~1\SWAG_B~1\INSTALL.LOG

Turbo Lister 2-->C:\PROGRA~1\COMMON~1\INSTAL~1\Driver\9\INTEL3~1\IDriver.exe /M{69640730-B830-4C24-BB5C-222DA1260548}

Update for Windows XP (KB951072-v2)-->"C:\WINDOWS\$NtUninstallKB951072-v2$\spuninst\spuninst.exe"

Update for Windows XP (KB951978)-->"C:\WINDOWS\$NtUninstallKB951978$\spuninst\spuninst.exe"

Update for Windows XP (KB953356)-->"C:\WINDOWS\$NtUninstallKB953356$\spuninst\spuninst.exe"

Update for Windows XP (KB955839)-->"C:\WINDOWS\$NtUninstallKB955839$\spuninst\spuninst.exe"

Update for Windows XP (KB967715)-->"C:\WINDOWS\$NtUninstallKB967715$\spuninst\spuninst.exe"

Update for Windows XP (KB968389)-->"C:\WINDOWS\$NtUninstallKB968389$\spuninst\spuninst.exe"

Update for Windows XP (KB973815)-->"C:\WINDOWS\$NtUninstallKB973815$\spuninst\spuninst.exe"

Viewpoint Media Player-->C:\Program Files\Viewpoint\Viewpoint Experience Technology\mtsAxInstaller.exe /u

VIP Casino-->C:\WINDOWS\system32\UnCasino5.exe VIPCasinoV8

Walmart Digital Photo Manager-->MsiExec.exe /X{24A71701-4BFD-4228-97B3-7D739195EC67}

Windows Backup Utility-->MsiExec.exe /I{76EFFC7C-17A6-479D-9E47-8E658C1695AE}

Windows Media Format Runtime-->"C:\Program Files\Windows Media Player\wmsetsdk.exe" /UninstallAll

Windows Media Player 10 Hotfix - KB895316-->"C:\WINDOWS\$NtUninstallKB895316$\spuninst\spuninst.exe"

Windows Media Player 10-->"C:\Program Files\Windows Media Player\Setup_wm.exe" /Uninstall

Windows XP Service Pack 3-->"C:\WINDOWS\$NtServicePackUninstall$\spuninst\spuninst.exe"

ZENcast Organizer-->RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\09\01\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{C029DB0E-C59F-417A-90F8-88FD5B2C4AE7}\setup.exe" -l0x9 /remove

 

======Hosts File======

 

127.0.0.1 www.007guard.com

127.0.0.1 007guard.com

127.0.0.1 008i.com

127.0.0.1 www.008k.com

127.0.0.1 008k.com

127.0.0.1 www.00hq.com

127.0.0.1 00hq.com

127.0.0.1 010402.com

127.0.0.1 www.032439.com

127.0.0.1 032439.com

 

======Security center information======

 

AV: McAfee VirusScan

FW: McAfee Personal Firewall

 

======System event log======

 

Computer Name: YOUR-3F22C8F6FB

Event Code: 7023

Message: The Application Management service terminated with the following error:

The specified module could not be found.

 

 

Record Number: 66440

Source Name: Service Control Manager

Time Written: 20091021214729.000000-240

Event Type: error

User:

 

Computer Name: YOUR-3F22C8F6FB

Event Code: 7023

Message: The Application Management service terminated with the following error:

The specified module could not be found.

 

 

Record Number: 66437

Source Name: Service Control Manager

Time Written: 20091021214729.000000-240

Event Type: error

User:

 

Computer Name: YOUR-3F22C8F6FB

Event Code: 7023

Message: The Application Management service terminated with the following error:

The specified module could not be found.

 

 

Record Number: 66434

Source Name: Service Control Manager

Time Written: 20091021214729.000000-240

Event Type: error

User:

 

Computer Name: YOUR-3F22C8F6FB

Event Code: 7023

Message: The Application Management service terminated with the following error:

The specified module could not be found.

 

 

Record Number: 66431

Source Name: Service Control Manager

Time Written: 20091021214729.000000-240

Event Type: error

User:

 

Computer Name: YOUR-3F22C8F6FB

Event Code: 7023

Message: The Application Management service terminated with the following error:

The specified module could not be found.

 

 

Record Number: 66428

Source Name: Service Control Manager

Time Written: 20091021214729.000000-240

Event Type: error

User:

 

=====Application event log=====

 

Computer Name: YOUR-3F22C8F6FB

Event Code: 11706

Message: Product: Microsoft Office 2000 Professional -- Error 1706. No valid source could be found for product Microsoft Office 2000 Professional. The Windows installer cannot continue.

 

Record Number: 5509

Source Name: MsiInstaller

Time Written: 20080323162446.000000-240

Event Type: error

User: YOUR-3F22C8F6FB\Owner

 

Computer Name: YOUR-3F22C8F6FB

Event Code: 1001

Message: Detection of product '{00010409-78E1-11D2-B60F-006097C998E7}', feature 'TCWP5Files' failed during request for component '{CC29EC7F-7BC2-11D1-A921-00A0C91E2AA2}'

 

Record Number: 5508

Source Name: MsiInstaller

Time Written: 20080323162421.000000-240

Event Type: warning

User: YOUR-3F22C8F6FB\Owner

 

Computer Name: YOUR-3F22C8F6FB

Event Code: 1002

Message: Hanging application iexplore.exe, version 7.0.6000.16608, hang module hungapp, version 0.0.0.0, hang address 0x00000000.

 

Record Number: 5470

Source Name: Application Hang

Time Written: 20080221223752.000000-300

Event Type: error

User:

 

Computer Name: YOUR-3F22C8F6FB

Event Code: 1000

Message: Faulting application drwtsn32.exe, version 5.1.2600.0, faulting module dbghelp.dll, version 5.1.2600.2180, fault address 0x0001295d.

 

Record Number: 5469

Source Name: Application Error

Time Written: 20080221223704.000000-300

Event Type: error

User:

 

Computer Name: YOUR-3F22C8F6FB

Event Code: 1000

Message: Faulting application iexplore.exe, version 7.0.6000.16608, faulting module unknown, version 0.0.0.0, fault address 0x60b47930.

 

Record Number: 5468

Source Name: Application Error

Time Written: 20080221223658.000000-300

Event Type: error

User:

 

======Environment variables======

 

"ComSpec"=%SystemRoot%\system32\cmd.exe

"Path"=%SystemRoot%\system32;%SystemRoot%;%SystemRoot%\System32\Wbem;C:\Program Files\QuickTime\QTSystem\

"windir"=%SystemRoot%

"FP_NO_HOST_CHECK"=NO

"OS"=Windows_NT

"PROCESSOR_ARCHITECTURE"=x86

"PROCESSOR_LEVEL"=6

"PROCESSOR_IDENTIFIER"=x86 Family 6 Model 10 Stepping 0, AuthenticAMD

"PROCESSOR_REVISION"=0a00

"NUMBER_OF_PROCESSORS"=1

"PATHEXT"=.COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH

"TEMP"=%SystemRoot%\TEMP

"TMP"=%SystemRoot%\TEMP

"CLASSPATH"=.;C:\Program Files\Java\jre1.6.0_02\lib\ext\QTJava.zip

"QTJAVA"=C:\Program Files\Java\jre1.6.0_02\lib\ext\QTJava.zip

 

-----------------EOF-----------------

 

Logfile of random's system information tool 1.06 (written by random/random)

Run by Owner at 2009-10-23 12:47:18

Microsoft Windows XP Home Edition Service Pack 3

System drive C: has 100 GB (90%) free of 111 GB

Total RAM: 447 MB (24% free)

 

Logfile of Trend Micro HijackThis v2.0.2

Scan saved at 12:48:09 PM, on 10/23/2009

Platform: Windows XP SP3 (WinNT 5.01.2600)

MSIE: Internet Explorer v7.00 (7.00.6000.16915)

Boot mode: Normal

 

Running processes:

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\system32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\system32\spoolsv.exe

C:\WINDOWS\Explorer.EXE

C:\Updater.exe

C:\Program Files\Digital Media Reader\shwiconem.exe

C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe

C:\Program Files\Unlocker\UnlockerAssistant.exe

C:\Program Files\McAfee.com\Agent\mcagent.exe

C:\Program Files\Canon\MyPrinter\BJMyPrt.exe

C:\Program Files\Java\jre6\bin\jusched.exe

C:\WINDOWS\system32\ctfmon.exe

C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe

C:\Program Files\Palm\Hotsync.exe

C:\Program Files\Java\jre6\bin\jqs.exe

C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe

c:\program files\common files\mcafee\mna\mcnasvc.exe

c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe

C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe

C:\Program Files\McAfee\MPF\MPFSrv.exe

C:\WINDOWS\system32\nvsvc32.exe

C:\Program Files\Common Files\New Boundary\PrismXL\PRISMXL.SYS

C:\WINDOWS\system32\svchost.exe

C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe

C:\Program Files\Internet Explorer\iexplore.exe

C:\Program Files\Internet Explorer\iexplore.exe

C:\WINDOWS\system32\wuauclt.exe

C:\Documents and Settings\Owner\Desktop\RSIT.exe

C:\Program Files\trend micro\Owner.exe

 

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.ezanga.com/

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157

R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =

R3 - URLSearchHook: Swag Bucks Toolbar - {8bdea9d6-6f62-45eb-8ee9-8a81af0d2f94} - C:\Program Files\Swag_Bucks\tbSwag.dll

O2 - BHO: (no name) - {02478D38-C3F9-4efb-9B51-7695ECA05670} - (no file)

O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll

O2 - BHO: scriptproxy - {7DB2D5A0-7241-4E79-B68D-6309F01C5231} - C:\Program Files\McAfee\VirusScan\scriptsn.dll

O2 - BHO: (no name) - {A2234B15-23F2-42AD-F4E4-00AAC39C0004} - (no file)

O2 - BHO: Java Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll

O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll

O3 - Toolbar: &RoboForm - {724d43a0-0d85-11d4-9908-00400523e39a} - C:\Program Files\Siber Systems\AI RoboForm\roboform.dll

O3 - Toolbar: Swag Bucks Toolbar - {8bdea9d6-6f62-45eb-8ee9-8a81af0d2f94} - C:\Program Files\Swag_Bucks\tbSwag.dll

O3 - Toolbar: (no name) - {CCC7A320-B3CA-4199-B1A6-9F516DD69829} - (no file)

O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime

O4 - HKLM\..\Run: [iRiver Updater] \Updater.exe

O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup

O4 - HKLM\..\Run: [sunKistEM] C:\Program Files\Digital Media Reader\shwiconem.exe

O4 - HKLM\..\Run: [RemoteControl] "C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe"

O4 - HKLM\..\Run: [Recguard] C:\WINDOWS\SMINST\RECGUARD.EXE

O4 - HKLM\..\Run: [nwiz] nwiz.exe /install

O4 - HKLM\..\Run: [NVMixerTray] "C:\Program Files\NVIDIA Corporation\NvMixer\NVMixerTray.exe"

O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit

O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe

O4 - HKLM\..\Run: [EPSON Stylus CX4800 Series] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_FATIADA.EXE /P26 "EPSON Stylus CX4800 Series" /O6 "USB001" /M "Stylus CX4800"

O4 - HKLM\..\Run: [unlockerAssistant] "C:\Program Files\Unlocker\UnlockerAssistant.exe" -H

O4 - HKLM\..\Run: [mcagent_exe] "C:\Program Files\McAfee.com\Agent\mcagent.exe" /runkey

O4 - HKLM\..\Run: [CanonMyPrinter] C:\Program Files\Canon\MyPrinter\BJMyPrt.exe /logon

O4 - HKLM\..\Run: [Jzohucefuhel] rundll32.exe "C:\WINDOWS\arasozid.dll",Startup

O4 - HKLM\..\Run: [Malwarebytes Anti-Malware (reboot)] "C:\Program Files\Malwarebytes' Anti-Malware\mbam.exe" /runcleanupscript

O4 - HKLM\..\Run: [sunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"

O4 - HKLM\..\RunOnce: [spybotSnD] "C:\Program Files\Spybot - Search & Destroy\SpybotSD.exe"

O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe

O4 - HKCU\..\Run: [calc] rundll32.exe C:\DOCUME~1\Owner\ntuser.dll,_IWMPEvents@0

O4 - HKCU\..\Run: [Yjafosi8kdf98winmdkmnkmfnwe] C:\DOCUME~1\Owner\LOCALS~1\Temp\services.exe

O4 - HKCU\..\Run: [Login Software 2009] C:\DOCUME~1\Owner\LOCALS~1\Temp\shrwvkrj.exe

O4 - HKCU\..\Run: [spybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe

O4 - Startup: HotSync Manager.LNK = C:\Program Files\Palm\Hotsync.exe

O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe

O4 - Global Startup: HOTSYNCSHORTCUTNAME.lnk = C:\Program Files\Palm\Hotsync.exe

O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE

O8 - Extra context menu item: Customize Menu - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComCustomizeIEMenu.html

O8 - Extra context menu item: Fill Forms - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComFillForms.html

O8 - Extra context menu item: Lookup on Merriam Webster - file://C:\Program Files\ieSpell\Merriam Webster.HTM

O8 - Extra context menu item: Lookup on Wikipedia - file://C:\Program Files\ieSpell\wikipedia.HTM

O8 - Extra context menu item: RoboForm Toolbar - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComShowToolbar.html

O8 - Extra context menu item: Save Forms - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComSavePass.html

O9 - Extra button: Fill Forms - {320AF880-6646-11D3-ABEE-C5DBF3571F46} - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComFillForms.html

O9 - Extra 'Tools' menuitem: Fill Forms - {320AF880-6646-11D3-ABEE-C5DBF3571F46} - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComFillForms.html

O9 - Extra button: Save - {320AF880-6646-11D3-ABEE-C5DBF3571F49} - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComSavePass.html

O9 - Extra 'Tools' menuitem: Save Forms - {320AF880-6646-11D3-ABEE-C5DBF3571F49} - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComSavePass.html

O9 - Extra button: RoboForm - {724d43aa-0d85-11d4-9908-00400523e39a} - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComShowToolbar.html

O9 - Extra 'Tools' menuitem: RoboForm Toolbar - {724d43aa-0d85-11d4-9908-00400523e39a} - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComShowToolbar.html

O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll

O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll

O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll

O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe

O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe

O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe

O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe

O9 - Extra button: VIP Casino - {3B501CBC-D009-4DAB-ADAF-B882F2F0A447} - C:\Documents and Settings\Owner\Desktop\VIP Casino.lnk (file missing) (HKCU)

O9 - Extra 'Tools' menuitem: VIP Casino - {3B501CBC-D009-4DAB-ADAF-B882F2F0A447} - C:\Documents and Settings\Owner\Desktop\VIP Casino.lnk (file missing) (HKCU)

O15 - Trusted Zone: http://*.mcafee.com

O16 - DPF: {05CA9FB0-3E3E-4B36-BF41-0E3A5CAA8CD8} (Office Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=58813

O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204

O16 - DPF: {3DC2E31C-371A-4BD3-9A27-CDF57CE604CF} (MSN Money Charting) - http://moneycentral.msn.com/cabs/pmupd806.exe

O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} (McAfee.com Operating System Class) - http://download.mcafee.com/molbin/shared/m...01/mcinsctl.cab

O16 - DPF: {BCC0FF27-31D9-4614-A68E-C18E1ADA4389} (DwnldGroupMgr Class) - http://download.mcafee.com/molbin/shared/m...,26/mcgdmgr.cab

O18 - Filter hijack: text/html - {6972fcb5-d682-4b8a-bf92-263bae751780} - C:\WINDOWS\batmeter16.dll

O20 - AppInit_DLLs: nisuyiko.dll c:\windows\system32\zilolowa.dll

O21 - SSODL: tiyiwohov - {22a62459-3c9b-4559-a08c-7384e59dc942} - c:\windows\system32\zilolowa.dll (file missing)

O22 - SharedTaskScheduler: gahurihor - {22a62459-3c9b-4559-a08c-7384e59dc942} - c:\windows\system32\zilolowa.dll (file missing)

O23 - Service: getPlus® Helper - NOS Microsystems Ltd. - C:\Program Files\NOS\bin\getPlus_HelperSvc.exe

O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe

O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe

O23 - Service: McAfee Services (mcmscsvc) - McAfee, Inc. - C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe

O23 - Service: McAfee Network Agent (McNASvc) - McAfee, Inc. - c:\program files\common files\mcafee\mna\mcnasvc.exe

O23 - Service: McAfee Scanner (McODS) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcods.exe

O23 - Service: McAfee Proxy Service (McProxy) - McAfee, Inc. - c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe

O23 - Service: McAfee Real-time Scanner (McShield) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe

O23 - Service: McAfee SystemGuards (McSysmon) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe

O23 - Service: McAfee Personal Firewall Service (MpfService) - McAfee, Inc. - C:\Program Files\McAfee\MPF\MPFSrv.exe

O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe

O23 - Service: PrismXL - New Boundary Technologies, Inc. - C:\Program Files\Common Files\New Boundary\PrismXL\PRISMXL.SYS

 

--

End of file - 10993 bytes

 

======Scheduled tasks folder======

 

C:\WINDOWS\tasks\McAfeeQuickClean.job

C:\WINDOWS\tasks\McDefragTask.job

C:\WINDOWS\tasks\McQcTask.job

 

======Registry dump======

 

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{02478D38-C3F9-4efb-9B51-7695ECA05670}]

 

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{53707962-6F74-2D53-2644-206D7942484F}]

Spybot-S&D IE Protection - C:\PROGRA~1\SPYBOT~1\SDHelper.dll [2009-01-26 1879896]

 

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{7DB2D5A0-7241-4E79-B68D-6309F01C5231}]

scriptproxy - C:\Program Files\McAfee\VirusScan\scriptsn.dll [2009-09-16 62784]

 

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{A2234B15-23F2-42AD-F4E4-00AAC39C0004}]

 

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{DBC80044-A445-435b-BC74-9C25C1C588A9}]

Java Plug-In 2 SSV Helper - C:\Program Files\Java\jre6\bin\jp2ssv.dll [2009-10-21 41760]

 

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{E7E6F031-17CE-4C07-BC86-EABFE594F69C}]

JQSIEStartDetectorImpl Class - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll [2009-10-21 73728]

 

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]

{724d43a0-0d85-11d4-9908-00400523e39a} - &RoboForm - C:\Program Files\Siber Systems\AI RoboForm\roboform.dll [2008-07-05 5751624]

{8bdea9d6-6f62-45eb-8ee9-8a81af0d2f94} - Swag Bucks Toolbar - C:\Program Files\Swag_Bucks\tbSwag.dll [2009-08-30 2259480]

{CCC7A320-B3CA-4199-B1A6-9F516DD69829}

 

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]

""= []

"QuickTime Task"=C:\Program Files\QuickTime\qttask.exe [2007-04-27 282624]

"iRiver Updater"=\Updater.exe [2004-07-01 212992]

"NvCplDaemon"=C:\WINDOWS\system32\NvCpl.dll [2004-07-12 4112384]

"SunKistEM"=C:\Program Files\Digital Media Reader\shwiconem.exe [2004-10-18 135168]

"RemoteControl"=C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe [2003-10-31 32768]

"Recguard"=C:\WINDOWS\SMINST\RECGUARD.EXE [2002-09-13 212992]

"nwiz"=nwiz.exe /install []

"NVMixerTray"=C:\Program Files\NVIDIA Corporation\NvMixer\NVMixerTray.exe [2004-06-04 131072]

"NvMediaCenter"=C:\WINDOWS\system32\NvMcTray.dll [2004-07-12 81920]

"NeroFilterCheck"=C:\WINDOWS\system32\NeroCheck.exe [2001-07-09 155648]

"EPSON Stylus CX4800 Series"=C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_FATIADA.EXE [2005-02-01 98304]

"UnlockerAssistant"=C:\Program Files\Unlocker\UnlockerAssistant.exe [2006-09-07 15872]

"mcagent_exe"=C:\Program Files\McAfee.com\Agent\mcagent.exe [2009-09-17 645328]

"CanonMyPrinter"=C:\Program Files\Canon\MyPrinter\BJMyPrt.exe [2006-10-16 1197648]

"Jzohucefuhel"=C:\WINDOWS\arasozid.dll [2008-04-13 163328]

"Malwarebytes Anti-Malware (reboot)"=C:\Program Files\Malwarebytes' Anti-Malware\mbam.exe [2009-09-10 1312080]

"SunJavaUpdateSched"=C:\Program Files\Java\jre6\bin\jusched.exe [2009-10-21 149280]

 

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunOnce]

"SpybotSnD"=C:\Program Files\Spybot - Search & Destroy\SpybotSD.exe [2009-01-26 5365592]

 

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]

"ctfmon.exe"=C:\WINDOWS\system32\ctfmon.exe [2008-04-13 15360]

"calc"=C:\DOCUME~1\Owner\ntuser.dll,_IWMPEvents@0 []

"Yjafosi8kdf98winmdkmnkmfnwe"=C:\DOCUME~1\Owner\LOCALS~1\Temp\services.exe []

"Login Software 2009"=C:\DOCUME~1\Owner\LOCALS~1\Temp\shrwvkrj.exe []

"SpybotSD TeaTimer"=C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe [2009-03-05 2260480]

 

C:\Documents and Settings\All Users\Start Menu\Programs\Startup

Adobe Reader Speed Launch.lnk - C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe

HOTSYNCSHORTCUTNAME.lnk - C:\Program Files\Palm\Hotsync.exe

Microsoft Office.lnk - C:\Program Files\Microsoft Office\Office\OSA9.EXE

 

C:\Documents and Settings\Owner\Start Menu\Programs\Startup

HotSync Manager.LNK - C:\Program Files\Palm\Hotsync.exe

 

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]

"AppInit_DLLS"="nisuyiko.dll c:\windows\system32\zilolowa.dll"

 

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\WgaLogon]

C:\WINDOWS\system32\WgaLogon.dll [2007-03-15 236928]

 

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad]

tiyiwohov - {22a62459-3c9b-4559-a08c-7384e59dc942} - c:\windows\system32\zilolowa.dll []

 

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\explorer\SharedTaskScheduler]

gahurihor - {22a62459-3c9b-4559-a08c-7384e59dc942} - c:\windows\system32\zilolowa.dll []

 

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa]

"notification packages"=scecli

velijiko.dll

 

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\securityproviders]

"SecurityProviders"=msapsspc.dll, schannel.dll, digest.dll, msnsspc.dll,

 

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\mcmscsvc]

 

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MCODS]

 

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\network\mcmscsvc]

 

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\network\MCODS]

 

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\network\MpfService]

 

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System]

"DisableTaskMgr"=0

 

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System]

"dontdisplaylastusername"=0

"legalnoticecaption"=

"legalnoticetext"=

"shutdownwithoutlogon"=1

"undockwithoutlogon"=1

 

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\explorer]

"NoDriveTypeAutoRun"=145

"LockTaskbar"=1

"NoBandCustomize"=0

"NoMovingBands"=0

"NoCloseDragDropBands"=0

"NoActiveDesktop"=0

"NoActiveDesktopChanges"=0

"NoSetActiveDesktop"=0

"NoFolderOptions"=0

 

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\explorer]

"HonorAutoRunSetting"=

"NoActiveDesktopChanges"=

"NoSetActiveDesktop"=

 

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\standardprofile\authorizedapplications\list]

"%windir%\system32\sessmgr.exe"="%windir%\system32\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"

"C:\Program Files\Common Files\AOL\ACS\AOLacsd.exe"="C:\Program Files\Common Files\AOL\ACS\AOLacsd.exe:*:Enabled:AOL"

"C:\Program Files\Common Files\AOL\ACS\AOLDial.exe"="C:\Program Files\Common Files\AOL\ACS\AOLDial.exe:*:Enabled:AOL"

"C:\Program Files\America Online 9.0\waol.exe"="C:\Program Files\America Online 9.0\waol.exe:*:Enabled:AOL"

"C:\Program Files\Internet Explorer\IEXPLORE.EXE"="C:\Program Files\Internet Explorer\IEXPLORE.EXE:*:Enabled:Internet Explorer"

"%windir%\Network Diagnostic\xpnetdiag.exe"="%windir%\Network Diagnostic\xpnetdiag.exe:*:Enabled:@xpsp3res.dll,-20000"

"C:\Program Files\NETGEAR\WG111T\wlan111t.exe"="C:\Program Files\NETGEAR\WG111T\wlan111t.exe:*:Enabled:NETGEAR Smart Wizard"

"C:\Program Files\Common Files\McAfee\MNA\McNASvc.exe"="C:\Program Files\Common Files\McAfee\MNA\McNASvc.exe:*:Enabled:McAfee Network Agent"

"C:\WINDOWS\system32\logonui.exe"="C:\WINDOWS\system32\logonui.exe:*:Enabled:logonui"

"C:\WINDOWS\system32\winlogon.exe"="C:\WINDOWS\system32\winlogon.exe:*:Enabled:winlogon"

 

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\domainprofile\authorizedapplications\list]

"%windir%\system32\sessmgr.exe"="%windir%\system32\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"

"C:\Program Files\Common Files\AOL\ACS\AOLacsd.exe"="C:\Program Files\Common Files\AOL\ACS\AOLacsd.exe:*:Enabled:AOL"

"C:\Program Files\Common Files\AOL\ACS\AOLDial.exe"="C:\Program Files\Common Files\AOL\ACS\AOLDial.exe:*:Enabled:AOL"

"C:\Program Files\America Online 9.0\waol.exe"="C:\Program Files\America Online 9.0\waol.exe:*:Enabled:AOL"

"%windir%\Network Diagnostic\xpnetdiag.exe"="%windir%\Network Diagnostic\xpnetdiag.exe:*:Enabled:@xpsp3res.dll,-20000"

 

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\J]

shell\AutoRun\command - J:\LaunchU3.exe -a

 

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{b090ad61-6b37-11d9-9c11-806d6172696f}]

shell\AutoRun\command - C:\WINDOWS\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL Info.exe folder.htt 480 480

 

 

======File associations======

 

.reg - open - regedit.exe "%1" %*

.scr - open - "%1" %*

 

======List of files/folders created in the last 1 months======

 

2009-10-23 12:47:20 ----D---- C:\Program Files\trend micro

2009-10-23 12:47:18 ----D---- C:\rsit

2009-10-21 21:58:06 ----A---- C:\WINDOWS\system32\javaws.exe

2009-10-21 21:58:05 ----A---- C:\WINDOWS\system32\javaw.exe

2009-10-21 21:58:05 ----A---- C:\WINDOWS\system32\java.exe

2009-10-20 21:26:46 ----HD---- C:\$AVG

2009-10-20 21:24:17 ----D---- C:\Program Files\AVG

2009-10-20 21:24:08 ----D---- C:\Documents and Settings\All Users\Application Data\avg9

2009-10-19 18:15:25 ----A---- C:\WINDOWS\isRS-000.tmp

2009-10-18 08:33:46 ----A---- C:\WINDOWS\PCTBDCore.dll

2009-10-18 08:30:44 ----D---- C:\Program Files\Common Files\PC Tools

2009-10-17 17:06:48 ----A---- C:\bqef


Hi and welcome

 

 

While TeaTimer is an excellent tool for the prevention of spyware, it can sometimes prevent HijackThis from fixing certain things.

Please disable TeaTimer for now until you are clean. TeaTimer can be re-activated once your HijackThis log is clean.

 

We need to disable Spybot S&D's "TeaTimer"

TeaTimer works by preventing ANY changes to the system. It will attempt to undo any fixes we run, because it blocks these fixes from running.

 

In order to safeguard your system from problems that can be brought on by a half-finished fix, we need to disable TeaTimer. We can reenable it when we're done.

  • Open SpyBot Search and Destroy by going to Start -> All Programs -> Spybot Search and Destroy -> Spybot Search and Destroy.
  • If prompted with a legal dialog, accept the warning.
  • Click Posted Image and then on "Advanced Mode"


  • You may be presented with a warning dialog. If so, press Posted Image
  • Click on Posted Image
  • Click on Posted Image
  • Uncheck this checkbox:


  • Close/Exit Spybot Search and Destroy

 

 

Open HijackThis, Click Do a system scan only, checkmark these. Then close all other windows and browsers except HijackThis and press fix checked.

 

 

R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =

O2 - BHO: (no name) - {02478D38-C3F9-4efb-9B51-7695ECA05670} - (no file)

O2 - BHO: (no name) - {A2234B15-23F2-42AD-F4E4-00AAC39C0004} - (no file)

O3 - Toolbar: (no name) - {CCC7A320-B3CA-4199-B1A6-9F516DD69829} - (no file)

 

O4 - HKLM\..\Run: [Jzohucefuhel] rundll32.exe "C:\WINDOWS\arasozid.dll",Startup

O4 - HKCU\..\Run: [calc] rundll32.exe C:\DOCUME~1\Owner\ntuser.dll,_IWMPEvents@0

O4 - HKCU\..\Run: [Yjafosi8kdf98winmdkmnkmfnwe] C:\DOCUME~1\Owner\LOCALS~1\Temp\services.exe

O4 - HKCU\..\Run: [Login Software 2009] C:\DOCUME~1\Owner\LOCALS~1\Temp\shrwvkrj.exe

 

O18 - Filter hijack: text/html - {6972fcb5-d682-4b8a-bf92-263bae751780} - C:\WINDOWS\batmeter16.dll

O20 - AppInit_DLLs: nisuyiko.dll c:\windows\system32\zilolowa.dll

O21 - SSODL: tiyiwohov - {22a62459-3c9b-4559-a08c-7384e59dc942} - c:\windows\system32\zilolowa.dll (file missing)

O22 - SharedTaskScheduler: gahurihor - {22a62459-3c9b-4559-a08c-7384e59dc942} - c:\windows\system32\zilolowa.dll (file missing)

 

 

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

 

 

OTM

Download OTM by OldTimer Here & save it to your desktop.

  • Double click on OTM.exe to run it
  • Copy & paste the contents inside the Code box below beginning with :Files into Paste Instructions for Items to be Moved
Note: Do not type it out to minimize the risk of typo error

:Files
C:\bqefoh.exe
c:\windows\system32\zilolowa.dll
C:\WINDOWS\arasozid.dll
C:\DOCUME~1\Owner\LOCALS~1\Temp\services.exe
C:\DOCUME~1\Owner\LOCALS~1\Temp\shrwvkrj.exe
:reg
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Jzohucefuhel"=-
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"calc"=-
"Yjafosi8kdf98winmdkmnkmfnwe"=-
"Login Software 2009"=-
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\PROTOCOLS\Filter\text/html]
"CLSID"=-
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad]
"tiyiwohov"=-
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\explorer\SharedTaskScheduler]
"gahurihor"=- 
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"="" 
:Commands
[purity]
[emptytemp]
[Reboot]
  • Click on MoveIt!
  • When done, click on Exit
Note: If a file or folder can't be moved immediately, you may be asked to restart your computer. Choose Yes.

A log will be produced at C:\_OTM\MovedFiles\date_time.log, where date_time are numbers. Post this log in your next reply.

 

 

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

 

NEXT**

 

Download Combofix from any of the links below but rename it to sandek1.exe before saving it to your desktop.

 

Link 1

Link 2

 

 


 

  • If you are using Firefox, make sure that your download settings are as follows:
  • Tools->Options->Main tab
  • Set to "Always ask me where to Save the files".
--------------------------------------------------------------------

Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools.

MCAFEE ANTIVIRUS

Please navigate to the system tray on the bottom right hand corner and look for a Posted Image sign.

  • Right-click it -> choose "Exit."
  • A popup will warn that protection will now be disabled. Click on "Yes" to disable the Antivirus guard.
MCAFEE SECURITY CENTER 7.1

Please navigate to the system tray and double-click the taskbar icon to open Security Center.

  • Click Advanced Menu (bottom mid-left).
  • Click Configure (left).
  • Click Computer & Files (top left).
  • VirusScan can be disabled in the right-hand module and set when it should resume or you can do that manually later on.
  • Do the same via Internet & Network for Firewall Plus.
(Click on this link to see a list of programs that should be disabled.)

http://www.bleepingcomputer.com/forums/topic114351.html

 

Please leave the flash drive plugged in while completing the following.

 

Double click on Combo-Fix.exe & follow the prompts.

 

Please allow ComboFix to install, if needed, Windows Recovery Console. It is a simple procedure that will only take a few moments of your time.

 


 

**Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue its malware removal procedures.

 

 

 

Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:

 

 


 

 

No Validation is Required.

 

The Windows Recovery Console will allow you to boot up into a special recovery (repair) mode. This allows us to more easily help you should your computer have a problem after an attempted removal of malware. It is a simple procedure that will only take a few moments of your time.

 

 

 

** Please Note:

At times ComboFix may appear to stall, please be patient.

  • When finished, it will produce a report for you.
  • Please post the C:\ComboFix.txt along with a HijackThis log so we can continue cleaning the system.
Please only run the tool once, ty.

 

Extra note: After you have installed the Recovery Console - if you reboot your computer, right after reboot, you'll see the option for the Recovery Console now as well.

Don't select to run the Recovery Console as we don't need it.

By default, your main OS is selected there. The screen stays for 2 seconds and then it proceeds to load Windows.

 

 

 

 

In your next reply post:

OTM log

ComboFix.txt

You may need several replies to post the requested logs, otherwise they might get cut off.
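As an added example (not part of this thread, HijackThis or OTM): a small Python triage of the HijackThis line types singled out above, run over a constructed sample built from entries quoted in this thread. The rules it applies (rundll32 loading a DLL outside system32, an autorun target under a Temp folder or dropped straight into the profile root, any text/html filter, a non-empty AppInit_DLLs, an Explorer-loaded object whose file is missing) are this example's own assumptions, not HijackThis's logic.

```python
"""Triage heuristics for HijackThis O4/O18/O20/O21/O22 entries.

Added example for this thread; it is not part of HijackThis, OTM or the
helper's instructions. The sample log is constructed from entries quoted
in the thread, and every rule below is an assumption of this example.
"""
import re

# Constructed sample: the entries the helper marked for fixing, mixed with
# benign lines from the same HijackThis log.
SAMPLE_LOG = r"""
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [Jzohucefuhel] rundll32.exe "C:\WINDOWS\arasozid.dll",Startup
O4 - HKCU\..\Run: [calc] rundll32.exe C:\DOCUME~1\Owner\ntuser.dll,_IWMPEvents@0
O4 - HKCU\..\Run: [Yjafosi8kdf98winmdkmnkmfnwe] C:\DOCUME~1\Owner\LOCALS~1\Temp\services.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O18 - Filter hijack: text/html - {6972fcb5-d682-4b8a-bf92-263bae751780} - C:\WINDOWS\batmeter16.dll
O20 - AppInit_DLLs: nisuyiko.dll c:\windows\system32\zilolowa.dll
O21 - SSODL: tiyiwohov - {22a62459-3c9b-4559-a08c-7384e59dc942} - c:\windows\system32\zilolowa.dll (file missing)
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
"""

O4_RE = re.compile(r'^O4 - (?P<key>[^:]+): \[(?P<name>[^\]]*)\] (?P<cmd>.*)$')
# rundll32 <dll>,<export>  (the DLL path may be quoted)
RUNDLL_RE = re.compile(r'rundll32(?:\.exe)?\s+"?([^",]+)"?\s*,', re.I)
SYSTEM_DIR_RE = re.compile(r'^[a-z]:\\windows\\system32\\', re.I)
TEMP_RE = re.compile(r'\\temp\\', re.I)
# e.g. C:\DOCUME~1\Owner\ntuser.dll : a file dropped directly in the profile root
PROFILE_ROOT_RE = re.compile(
    r'^[a-z]:\\(docume~1|documents and settings)\\[^\\]+\\[^\\]+$', re.I)


def launched_path(cmd):
    """Return (path, via_rundll32) for the file a Run value really starts."""
    m = RUNDLL_RE.search(cmd)
    if m:
        return m.group(1).strip(), True
    if cmd.startswith('"'):
        return cmd[1:cmd.find('"', 1)], False
    return cmd.split(' ')[0], False


def o4_reasons(cmd):
    """Rules for an O4 (Run / RunOnce) command line; assumptions of this example."""
    path, via_rundll = launched_path(cmd)
    reasons = []
    if via_rundll and not SYSTEM_DIR_RE.match(path):
        reasons.append('rundll32 loads a DLL outside system32: ' + path)
    if TEMP_RE.search(path):
        reasons.append('autorun target lives in a Temp directory: ' + path)
    if PROFILE_ROOT_RE.match(path):
        reasons.append('autorun target sits in the user profile root: ' + path)
    return reasons


def line_reasons(line):
    """Heuristic reasons why one HijackThis line deserves a closer look."""
    if line.startswith('O4 - '):
        m = O4_RE.match(line)
        return o4_reasons(m.group('cmd')) if m else []
    if line.startswith('O18 - Filter hijack:'):
        return ['MIME filter for text/html: every page is routed through this DLL']
    if line.startswith('O20 - AppInit_DLLs:'):
        dlls = line.split(':', 1)[1].split()
        return ['AppInit_DLLs loaded into every user32 process: ' + ' '.join(dlls)] if dlls else []
    if line.startswith(('O21 - SSODL:', 'O22 - SharedTaskScheduler:')):
        target = line.rsplit(' - ', 1)[1].replace('(file missing)', '').strip()
        reasons = []
        if '(file missing)' in line:
            reasons.append('Explorer-loaded object points at a missing file (orphaned loader)')
        if not SYSTEM_DIR_RE.match(target):
            reasons.append('Explorer-loaded object outside system32: ' + target)
        return reasons
    return []


def triage(log_text):
    """Return [(line, reasons)] for every line that trips at least one rule."""
    hits = []
    for raw in log_text.splitlines():
        line = raw.strip()
        reasons = line_reasons(line) if line else []
        if reasons:
            hits.append((line, reasons))
    return hits


def flagged_o4_names(log_text):
    """Run-value names (the part in [ ]) of the flagged O4 lines, in log order."""
    return [O4_RE.match(line).group('name')
            for line, _ in triage(log_text) if line.startswith('O4 - ')]


if __name__ == '__main__':
    for line, reasons in triage(SAMPLE_LOG):
        print(line)
        for r in reasons:
            print('    ->', r)
```

On the constructed sample the three O4 values the helper listed are flagged while the QuickTime, NvCpl and ctfmon entries pass, and the O18, O20 and O21 lines are each reported with the rule they tripped.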


Hi Juliet and thank you so much for your help! Here is my OTM log and I will post ComboFix separately.

 

All processes killed

========== FILES ==========

File/Folder C:\bqefoh.exe not found.

File/Folder c:\windows\system32\zilolowa.dll not found.

DllUnregisterServer procedure not found in C:\WINDOWS\arasozid.dll

C:\WINDOWS\arasozid.dll NOT unregistered.

C:\WINDOWS\arasozid.dll moved successfully.

File/Folder C:\DOCUME~1\Owner\LOCALS~1\Temp\services.exe not found.

File/Folder C:\DOCUME~1\Owner\LOCALS~1\Temp\shrwvkrj.exe not found.

========== REGISTRY ==========

Registry value HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\\Jzohucefuhel deleted successfully.

Registry value HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\\calc not found.

Registry value HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\\Yjafosi8kdf98winmdkmnkmfnwe not found.

Registry value HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\\Login Software 2009 not found.

Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\PROTOCOLS\Filter\text/html not found.

Registry value HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\\tiyiwohov not found.

Registry value HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\explorer\SharedTaskScheduler\\gahurihor not found.

HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows\\"AppInit_DLLs"|"" /E : value set successfully!

========== COMMANDS ==========

 

[EMPTYTEMP]

 

User: All Users

 

User: Default User

->Temp folder emptied: 0 bytes

->Temporary Internet Files folder emptied: 32768 bytes

 

User: LocalService

File delete failed. C:\Documents and Settings\LocalService\Local Settings\Temp\Temporary Internet Files\Content.IE5\index.dat scheduled to be deleted on reboot.

File delete failed. C:\Documents and Settings\LocalService\Local Settings\Temp\History\History.IE5\index.dat scheduled to be deleted on reboot.

File delete failed. C:\Documents and Settings\LocalService\Local Settings\Temp\Cookies\index.dat scheduled to be deleted on reboot.

->Temp folder emptied: 66252 bytes

->Temporary Internet Files folder emptied: 422767 bytes

 

User: NetworkService

->Temp folder emptied: 0 bytes

->Temporary Internet Files folder emptied: 1319284 bytes

 

User: Owner

->Temp folder emptied: 3810266 bytes

->Temporary Internet Files folder emptied: 110028526 bytes

->Java cache emptied: 199717049 bytes

 

%systemdrive% .tmp files removed: 0 bytes

C:\WINDOWS\msdownld.tmp folder deleted successfully.

%systemroot% .tmp files removed: 713329 bytes

%systemroot%\System32 .tmp files removed: 2577 bytes

File delete failed. C:\WINDOWS\temp\mcmsc_adz3TAzemKgjpTY scheduled to be deleted on reboot.

File delete failed. C:\WINDOWS\temp\mcmsc_XCk0XiASHe4CBSF scheduled to be deleted on reboot.

Windows Temp folder emptied: 16368174 bytes

RecycleBin emptied: 714936 bytes

 

Total Files Cleaned = 317.76 mb

 

 

OTM by OldTimer - Version 3.0.0.6 log created on 10242009_205914

 

Files moved on Reboot...

File C:\WINDOWS\temp\mcmsc_adz3TAzemKgjpTY not found!

File C:\WINDOWS\temp\mcmsc_XCk0XiASHe4CBSF not found!

 

Registry entries deleted on Reboot...


My ComboFix log is below. I did rename it to sandek1.ext but did not get the save file window to rename it as Combo-Fix. If this will create inaccurate results please let me know how to do that step again. Thanks, Kathy

ComboFix 09-10-24.01 - Owner 10/24/2009 21:39.1.1 - NTFSx86

Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.447.63 [GMT -4:00]

Running from: c:\documents and settings\Owner\Desktop\sandek1.exe

AV: McAfee VirusScan *On-access scanning disabled* (Updated) {84B5EE75-6421-4CDE-A33A-DD43BA9FAD83}

FW: McAfee Personal Firewall *disabled* {94894B63-8C7F-4050-BDA4-813CA00DA3E8}

.

 

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))

.

 

c:\documents and settings\Owner\My Documents\ZbThumbnail.info

c:\documents and settings\Owner\ntuser.dll

c:\program files\Shared

c:\recycler\S-1-5-21-1658258789-744366993-357489556-1003

c:\windows\Downloaded Program Files\Temp

c:\windows\Install.txt

c:\windows\system32\hakodame.dll

c:\windows\system32\Install.txt

c:\windows\system32\isapeep.sys

c:\windows\system32\lobawera.dll

c:\windows\system32\mijikive.dll

c:\windows\system32\mubafuju.dll

c:\windows\system32\ruhulimi.dll

c:\windows\system32\tehepepa.dll

c:\windows\system32\varupadi.dll

c:\windows\system32\vilohora.dll

c:\windows\system32\vupihaba.dll

D:\Autorun.inf

 

.

((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))

.

 

-------\Legacy_6TO4

-------\Service_6to4

-------\Legacy_isapeep

-------\Service_isapeep

 

 

((((((((((((((((((((((((( Files Created from 2009-09-25 to 2009-10-25 )))))))))))))))))))))))))))))))

.

 

2009-10-25 00:59 . 2009-10-25 00:59 -------- d-----w- C:\_OTM

2009-10-23 16:48 . 2009-10-23 16:48 -------- d-----w- C:\PCPitLogs_HJT

2009-10-23 16:47 . 2009-10-23 16:48 -------- d-----w- c:\program files\trend micro

2009-10-23 16:47 . 2009-10-23 16:48 -------- d-----w- C:\rsit

2009-10-21 01:26 . 2009-10-21 01:26 -------- d-----w- C:\$AVG

2009-10-21 01:24 . 2009-10-21 01:24 -------- d-----w- c:\program files\AVG

2009-10-21 01:24 . 2009-10-21 12:20 -------- d-----w- c:\documents and settings\All Users\Application Data\avg9

2009-10-18 12:54 . 2009-10-18 12:54 -------- d-----w- c:\documents and settings\Owner\Local Settings\Application Data\Threat Expert

2009-10-18 12:33 . 2009-10-08 15:31 1636304 ----a-w- c:\windows\PCTBDCore.dll

2009-10-18 12:30 . 2009-10-19 23:29 -------- d-----w- c:\program files\Common Files\PC Tools

2009-10-17 21:11 . 2009-10-24 12:09 0 ----a-w- c:\windows\Evamuram.bin

2009-10-17 21:11 . 2009-10-24 23:43 120 ----a-w- c:\windows\Mladuwenuqav.dat

2009-10-17 21:11 . 2009-10-17 21:11 -------- d-----w- c:\documents and settings\Owner\Local Settings\Application Data\{E207B15C-B565-4B5E-A5CB-227065006227}

2009-10-01 00:55 . 2009-10-25 01:28 -------- d-----w- c:\documents and settings\Owner\Application Data\U3

 

.

(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

.

2009-10-23 01:41 . 2006-08-31 11:21 -------- d-----w- c:\program files\Spybot - Search & Destroy

2009-10-23 01:32 . 2006-08-31 11:21 -------- d-----w- c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy

2009-10-22 01:57 . 2009-06-24 02:13 411368 ----a-w- c:\windows\system32\deploytk.dll

2009-10-22 01:57 . 2005-01-20 23:18 -------- d-----w- c:\program files\Java

2009-10-21 14:06 . 2007-05-25 00:51 -------- d-----w- c:\program files\McAfee

2009-10-19 23:39 . 2009-06-25 22:43 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware

2009-10-19 23:36 . 2005-10-31 03:44 -------- d-----w- c:\program files\Hewlett-Packard

2009-10-19 23:30 . 2007-11-02 02:17 -------- d---a-w- c:\documents and settings\All Users\Application Data\TEMP

2009-10-18 13:02 . 2005-10-31 03:36 -------- d-----w- c:\documents and settings\Owner\Application Data\McAfee

2009-10-18 13:01 . 2005-01-20 23:31 -------- d-----w- c:\documents and settings\All Users\Application Data\McAfee

2009-10-18 02:29 . 2007-10-09 01:42 -------- d-----w- c:\program files\Yahoo!

2009-09-16 14:22 . 2007-05-25 00:52 40552 ----a-w- c:\windows\system32\drivers\mfesmfk.sys

2009-09-16 14:22 . 2007-05-25 00:52 35272 ----a-w- c:\windows\system32\drivers\mfebopk.sys

2009-09-16 14:22 . 2007-05-25 00:52 79816 ----a-w- c:\windows\system32\drivers\mfeavfk.sys

2009-09-16 14:22 . 2007-05-25 00:52 214664 ----a-w- c:\windows\system32\drivers\mfehidk.sys

2009-09-16 14:22 . 2007-05-25 00:52 34248 ----a-w- c:\windows\system32\drivers\mferkdk.sys

2009-09-11 14:18 . 2004-08-26 16:12 136192 ----a-w- c:\windows\system32\msv1_0.dll

2009-09-10 18:54 . 2009-06-25 22:43 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys

2009-09-10 18:53 . 2009-06-25 22:43 19160 ----a-w- c:\windows\system32\drivers\mbam.sys

2009-09-04 21:03 . 2004-08-26 16:12 58880 ----a-w- c:\windows\system32\msasn1.dll

2009-09-02 02:40 . 2009-09-02 02:40 -------- d-----w- c:\program files\Swag_Bucks

2009-09-02 02:40 . 2009-09-02 02:40 -------- d-----w- c:\program files\Conduit

2009-08-30 19:49 . 2009-08-30 19:49 -------- d-----w- c:\documents and settings\Owner\Application Data\ieSpell

2009-08-29 07:36 . 2004-08-26 16:12 832512 ----a-w- c:\windows\system32\wininet.dll

2009-08-29 07:36 . 2004-08-26 16:11 78336 ----a-w- c:\windows\system32\ieencode.dll

2009-08-29 07:36 . 2004-08-26 16:11 17408 ----a-w- c:\windows\system32\corpol.dll

2009-08-26 08:00 . 2004-08-26 16:12 247326 ----a-w- c:\windows\system32\strmdll.dll

2009-08-05 09:01 . 2004-08-26 16:12 204800 ----a-w- c:\windows\system32\mswebdvd.dll

2009-08-05 00:44 . 2004-08-26 16:12 2189184 ----a-w- c:\windows\system32\ntoskrnl.exe

2009-08-04 14:20 . 2004-08-04 05:59 2066048 ----a-w- c:\windows\system32\ntkrnlpa.exe

2005-10-31 04:52 . 2005-10-31 04:52 0 -csha-w- c:\windows\SMINST\HPCD.sys

2009-07-17 21:13 . 2009-07-17 21:13 24576 --sha-w- c:\windows\system32\fipuyuko.exe

.

 

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))

.

.

*Note* empty entries & legit default entries are not shown

REGEDIT4

 

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\URLSearchHooks]

"{8bdea9d6-6f62-45eb-8ee9-8a81af0d2f94}"= "c:\program files\Swag_Bucks\tbSwag.dll" [2009-08-30 2259480]

 

[HKEY_CLASSES_ROOT\clsid\{8bdea9d6-6f62-45eb-8ee9-8a81af0d2f94}]

 

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]

"{8bdea9d6-6f62-45eb-8ee9-8a81af0d2f94}"= "c:\program files\Swag_Bucks\tbSwag.dll" [2009-08-30 2259480]

 

[HKEY_CLASSES_ROOT\clsid\{8bdea9d6-6f62-45eb-8ee9-8a81af0d2f94}]

 

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\Webbrowser]

"{8BDEA9D6-6F62-45EB-8EE9-8A81AF0D2F94}"= "c:\program files\Swag_Bucks\tbSwag.dll" [2009-08-30 2259480]

 

[HKEY_CLASSES_ROOT\clsid\{8bdea9d6-6f62-45eb-8ee9-8a81af0d2f94}]

 

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2007-04-27 282624]

"iRiver Updater"="\Updater.exe" [2004-07-01 212992]

"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2004-07-12 4112384]

"SunKistEM"="c:\program files\Digital Media Reader\shwiconem.exe" [2004-10-18 135168]

"RemoteControl"="c:\program files\CyberLink\PowerDVD\PDVDServ.exe" [2003-11-01 32768]

"Recguard"="c:\windows\SMINST\RECGUARD.EXE" [2002-09-13 212992]

"NVMixerTray"="c:\program files\NVIDIA Corporation\NvMixer\NVMixerTray.exe" [2004-06-04 131072]

"NvMediaCenter"="c:\windows\system32\NvMcTray.dll" [2004-07-12 81920]

"NeroFilterCheck"="c:\windows\system32\NeroCheck.exe" [2001-07-09 155648]

"EPSON Stylus CX4800 Series"="c:\windows\System32\spool\DRIVERS\W32X86\3\E_FATIADA.EXE" [2005-02-01 98304]

"UnlockerAssistant"="c:\program files\Unlocker\UnlockerAssistant.exe" [2006-09-07 15872]

"mcagent_exe"="c:\program files\McAfee.com\Agent\mcagent.exe" [2009-09-17 645328]

"CanonMyPrinter"="c:\program files\Canon\MyPrinter\BJMyPrt.exe" [2006-10-17 1197648]

"Malwarebytes Anti-Malware (reboot)"="c:\program files\Malwarebytes' Anti-Malware\mbam.exe" [2009-09-10 1312080]

"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2009-10-22 149280]

"nwiz"="nwiz.exe" - c:\windows\system32\nwiz.exe [2004-07-12 843776]

 

c:\documents and settings\Owner\Start Menu\Programs\Startup\

HotSync Manager.LNK - c:\program files\Palm\Hotsync.exe [2004-6-9 471040]

 

c:\documents and settings\All Users\Start Menu\Programs\Startup\

Adobe Reader Speed Launch.lnk - c:\program files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2005-9-23 29696]

HOTSYNCSHORTCUTNAME.lnk - c:\program files\Palm\Hotsync.exe [2004-6-9 471040]

Microsoft Office.lnk - c:\program files\Microsoft Office\Office\OSA9.EXE [1999-2-17 65588]

 

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\mcmscsvc]

@="Service"

 

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MCODS]

@=""

 

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeAntiVirus]

"DisableMonitoring"=dword:00000001

 

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeFirewall]

"DisableMonitoring"=dword:00000001

 

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]

"EnableFirewall"= 0 (0x0)

 

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]

"%windir%\\system32\\sessmgr.exe"=

"%windir%\\Network Diagnostic\\xpnetdiag.exe"=

"c:\\Program Files\\Common Files\\McAfee\\MNA\\McNASvc.exe"=

 

S3 DNINDIS5;DNINDIS5 NDIS Protocol Driver;c:\windows\system32\DNINDIS5.sys [10/17/2007 8:54 PM 17149]

 

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Svchost - NetSvcs

BtwSrv

.

Contents of the 'Scheduled Tasks' folder

 

2009-10-22 c:\windows\Tasks\McAfeeQuickClean.job

- c:\progra~1\mcafee\mqc\QcConsol.exe [2007-05-25 16:22]

 

2009-09-15 c:\windows\Tasks\McDefragTask.job

- c:\program files\mcafee\mqc\QcConsol.exe [2007-05-25 16:22]

 

2009-07-01 c:\windows\Tasks\McQcTask.job

- c:\program files\mcafee\mqc\QcConsol.exe [2007-05-25 16:22]

.

.

------- Supplementary Scan -------

.

uStart Page = hxxp://www.ezanga.com/

uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8

uSearchURL,(Default) = hxxp://www.google.com/keyword/%s

IE: &Search

IE: Customize Menu - file://c:\program files\Siber Systems\AI RoboForm\RoboFormComCustomizeIEMenu.html

IE: Fill Forms - file://c:\program files\Siber Systems\AI RoboForm\RoboFormComFillForms.html

IE: Lookup on Merriam Webster - file://c:\program files\ieSpell\Merriam Webster.HTM

IE: Lookup on Wikipedia - file://c:\program files\ieSpell\wikipedia.HTM

IE: RoboForm Toolbar - file://c:\program files\Siber Systems\AI RoboForm\RoboFormComShowToolbar.html

IE: Save Forms - file://c:\program files\Siber Systems\AI RoboForm\RoboFormComSavePass.html

Trusted Zone: dana.com\psselfserve

Trusted Zone: internet

Trusted Zone: malwarebytes.com\www

Trusted Zone: malwarebytes.org\www

Trusted Zone: malwaresupport.com

Trusted Zone: mcafee.com

.

- - - - ORPHANS REMOVED - - - -

 

WebBrowser-{472734EA-242A-422B-ADF8-83D1E48CC825} - (no file)

WebBrowser-{CCC7A320-B3CA-4199-B1A6-9F516DD69829} - (no file)

AddRemove-CalorieKing.com Diet Diary for PalmOS - c:\program files\CalorieKing.com

 

 

 

**************************************************************************

 

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net

Rootkit scan 2009-10-24 21:48

Windows 5.1.2600 Service Pack 3 NTFS

 

scanning hidden processes ...

 

scanning hidden autostart entries ...

 

scanning hidden files ...

 

scan completed successfully

hidden files: 0

 

**************************************************************************

.

--------------------- DLLs Loaded Under Running Processes ---------------------

 

- - - - - - - > 'explorer.exe'(732)

c:\windows\system32\WININET.dll

c:\windows\system32\ieframe.dll

c:\windows\system32\mshtml.dll

.

------------------------ Other Running Processes ------------------------

.

c:\sandek1\CF8987.exe

C:\Updater.exe

c:\program files\Java\jre6\bin\jqs.exe

c:\progra~1\McAfee\MSC\mcmscsvc.exe

c:\program files\common files\mcafee\mna\mcnasvc.exe

c:\progra~1\COMMON~1\mcafee\mcproxy\mcproxy.exe

c:\progra~1\McAfee\VIRUSS~1\mcshield.exe

c:\program files\McAfee\MPF\MPFSrv.exe

c:\windows\system32\nvsvc32.exe

c:\program files\Common Files\New Boundary\PrismXL\PRISMXL.SYS

c:\windows\system32\wdfmgr.exe

c:\windows\system32\wscntfy.exe

c:\progra~1\McAfee\VIRUSS~1\mcsysmon.exe

c:\sandek1\PEV.cfxxe

.

**************************************************************************

.

Completion time: 2009-10-25 21:56 - machine was rebooted

ComboFix-quarantined-files.txt 2009-10-25 01:56

 

Pre-Run: 105,027,121,152 bytes free

Post-Run: 104,886,927,360 bytes free

 

WindowsXP-KB310994-SP2-Home-BootDisk-ENU.exe

[boot loader]

timeout=2

default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS

[operating systems]

c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons

multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Home Edition" /noexecute=optin /fastdetect

 

- - End Of File - - C785BE5F19D633324B9999C8F75ACDA5


Welcome back

 

I did rename it to sandek1.ext but did not get the save file window to rename it as Combo-Fix. If this will create inaccurate results, please let me know how to do that step again. Thanks, Kathy

I posted the pictures as a guide and what you renamed to worked so theres no problem.

 

How's the computer performing now?

 

Print this topic or save it to Notepad; it will make it easier for you to follow the instructions and complete all of the necessary steps, as we will need to close all windows that are open later in the fix.

 

 

******

Next: Please disable all onboard security programs (all running with background protection), as they may hinder the scanner from working.

This includes Antivirus, Firewall, and any Spyware scanners that run in the background.

 

Click on this link Here to see a list of programs that should be disabled.

The list is not all inclusive. If yours is not listed and you don't know how to disable it, please ask.

 

Please open Notepad (*Do Not Use WordPad* or any other text editor than Notepad, or the script will fail): Start -> Run -> type notepad in the Open field -> OK. Then copy and paste the text present inside the quote box below:

Save this as "CFScript.txt" including quotes and change the "Save as type" to "All Files" and place it on your desktop.

File::

c:\windows\Evamuram.bin

c:\windows\Mladuwenuqav.dat

c:\windows\system32\fipuyuko.exe

DRIVER::

BtwSrv

NetSvc::

BtwSrv

Posted Image

 

Referring to the screenshot above, drag CFScript.txt into ComboFix.exe. ComboFix will now run a scan on your system. It may reboot your system when it finishes. This is normal.

When finished, it shall produce a log for you, C:\ComboFix.txt. Post that log in your next reply.

CAUTION: Do not mouse-click ComboFix's window while it is running. That may cause it to stall.

Note: the above code was created specifically for this user. If you are not this user, do NOT follow these directions as they could damage the workings of your system.

 

 

CF disconnects your machine from the internet. The connection is automatically restored before CF completes its run. If CF runs into difficulty and terminates prematurely, the connection can be manually restored by restarting your machine.

 

If there are internet issues afterward:

 

*In IE: Tools Menu -> Internet Options -> Connections Tab -> LAN Settings -> uncheck "use a proxy server", or reconfigure the proxy server again in case you have set it previously.

 

In Firefox: Tools Menu -> Options... -> Advanced Tab -> Network Tab -> "Settings" under Connection, then uncheck the proxy server and set it to No Proxy.

 

 

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

 

 

NEXT**

Please do the following:

  • Please open your MalwareBytes AntiMalware Program
  • Click the Update Tab and search for updates
  • If an update is found, it will download and install the latest version.
  • Once the program has loaded, select "Perform Quick Scan", then click Scan.
  • The scan may take some time to finish, so please be patient.
  • When the scan is complete, click OK, then Show Results to view the results.
  • Make sure that everything is checked, and click Remove Selected. <-- very important
  • When disinfection is completed, a log will open in Notepad and you may be prompted to Restart. (See Extra Note)
  • The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
  • Copy&Paste the entire report in your next reply.
Extra Note: If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts; click OK to either and let MBAM proceed with the disinfection process. If asked to restart the computer, please do so immediately.

 

 

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

 

Please do a scan with Kaspersky Online Scanner. (Please note: Kaspersky requires the Java Runtime Environment (JRE) to be installed before scanning for malware, as ActiveX is no longer being used.)

 

If you are using Windows Vista, open your browser by right-clicking on its icon and select 'Run as administrator' to perform this scan.

  • Open the Kaspersky WebScanner page.

  • Click on the Posted Image button on the main page.
  • The program will launch and fill in the Information section on the left.
  • Read the "Requirements and Limitations" then press the Posted Image button.
  • The program will begin downloading the latest program and definition files. It may take a while so please be patient and let it finish.
  • Once the files have been downloaded, click on the Posted Image ...button.

    In the scan settings make sure the following are selected:

    • Detect malicious programs of the following categories:

      Viruses, Worms, Trojan Horses, Rootkits

      Spyware, Adware, Dialers and other potentially dangerous programs

    • Scan compound files (doesn't apply to the File scan area):

      Archives

      Mail databases

      By default the above items should already be checked.

    • Click the Posted Image button, if you made any changes.
  • Now, under the Scan section on the left, select My Computer.

  • The program will now start and scan your system. This will run for a while, be patient and let it finish.
  • Once the scan is complete, click on View scan report
  • Now, click on the Save Report as button.
  • In the drop down box labeled Files of type change the type to Text file.
  • Save the file to your desktop.
  • Copy and paste that information in your next post.
You can refer to this animation by sundavis if needed.

 

 

 

In your next reply post:

ComboFix.txt

Malwarebytes' Anti-Malware log

Kaspersky log

New HJT log

 

You may need several replies to post the requested logs, otherwise they might get cut off.

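Editor's added example (not part of this thread, and not ComboFix or Malwarebytes code): the checks the helper applied by eye to the ComboFix log above before writing the CFScript, written as a small Python triage script. It parses the dated file lines and the "Svchost - NetSvcs" list, and flags a system32 file carrying the system+hidden attributes (the fipuyuko.exe line), a file name of four consonant/vowel pairs (the naming pattern of the Vundo-family DLLs; this rule is a heuristic assumption, not a signature), and any service left under NetSvcs, since ComboFix already hides the default entries and whatever remains is a DLL that svchost.exe loads in-process. The sample input is an excerpt copied from the log above; the function and variable names are this example's own.

```python
"""Triage helper for ComboFix-style logs (added example, not ComboFix code)."""
import re
from dataclasses import dataclass, field
from typing import List, Optional

# One dated file line: "mtime . ctime size attrs path".
# size is '--------' for directories; attrs is the 8-character column
# ComboFix prints (letters seen in the log: d directory, c compressed,
# s system, h hidden, a archive, w writable).
FILE_LINE = re.compile(
    r"^(?P<mtime>\d{4}-\d{2}-\d{2} \d{2}:\d{2}) \. "
    r"(?P<ctime>\d{4}-\d{2}-\d{2} \d{2}:\d{2}) "
    r"(?P<size>\S+) (?P<attrs>\S{8}) (?P<path>.+)$"
)

# Heuristic (assumption): four consonant/vowel pairs plus a PE extension,
# e.g. fipuyuko.exe, hakodame.dll. Not a signature, only a triage hint.
VUNDO_NAME = re.compile(r"^(?:[bcdfghjklmnpqrstvwxyz][aeiou]){4}\.(?:dll|exe|sys)$")


@dataclass
class FileEntry:
    path: str
    attrs: str
    size: Optional[int]
    reasons: List[str] = field(default_factory=list)

    @property
    def is_directory(self) -> bool:
        return self.attrs[0] == "d"


def parse_file_lines(text: str) -> List[FileEntry]:
    """Return every dated file line in the log, in order of appearance."""
    entries = []
    for line in text.splitlines():
        m = FILE_LINE.match(line.strip())
        if m:
            size = None if m["size"] == "--------" else int(m["size"])
            entries.append(FileEntry(m["path"], m["attrs"], size))
    return entries


def flag(entry: FileEntry) -> List[str]:
    """Apply the two file heuristics; fills and returns entry.reasons."""
    if entry.is_directory:
        return entry.reasons
    lower = entry.path.lower()
    name = lower.rsplit("\\", 1)[-1]
    # system+hidden on a file directly under system32 is how fipuyuko.exe
    # stood out; HP's recovery file under SMINST has the same bits but is
    # outside system32 and is not flagged.
    if "\\windows\\system32\\" in lower and "s" in entry.attrs and "h" in entry.attrs:
        entry.reasons.append("system+hidden attributes on a system32 file")
    if VUNDO_NAME.match(name):
        entry.reasons.append("8-letter consonant/vowel name (Vundo-style)")
    return entry.reasons


def parse_netsvcs(text: str) -> List[str]:
    """Names listed under the 'Svchost - NetSvcs' header, up to the '.' line."""
    names, capture = [], False
    for line in text.splitlines():
        s = line.strip()
        if s.endswith("Svchost - NetSvcs"):
            capture = True
        elif capture:
            if s == ".":
                break
            if s:
                names.append(s)
    return names


def triage(text: str) -> dict:
    """Flagged files as (path, reasons) plus every NetSvcs entry."""
    flagged = []
    for entry in parse_file_lines(text):
        if flag(entry):
            flagged.append((entry.path, entry.reasons))
    return {"files": flagged, "netsvcs": parse_netsvcs(text)}


# Constructed sample: an excerpt of the ComboFix log posted in this thread.
SAMPLE_LOG = r"""
2009-09-16 14:22 . 2007-05-25 00:52 40552 ----a-w- c:\windows\system32\drivers\mfesmfk.sys
2009-09-11 14:18 . 2004-08-26 16:12 136192 ----a-w- c:\windows\system32\msv1_0.dll
2009-09-02 02:40 . 2009-09-02 02:40 -------- d-----w- c:\program files\Conduit
2005-10-31 04:52 . 2005-10-31 04:52 0 -csha-w- c:\windows\SMINST\HPCD.sys
2009-07-17 21:13 . 2009-07-17 21:13 24576 --sha-w- c:\windows\system32\fipuyuko.exe
.

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Svchost - NetSvcs

BtwSrv

.
"""

if __name__ == "__main__":
    report = triage(SAMPLE_LOG)
    for path, reasons in report["files"]:
        print(path, "->", "; ".join(reasons))
    for svc in report["netsvcs"]:
        print("NetSvcs entry", svc, "-> check its ServiceDll value before removing it")
```

Run against the excerpt, the script reports only fipuyuko.exe (both reasons) and the BtwSrv NetSvcs entry, which is exactly what the CFScript in the post above targets with its File:: and NetSvc:: sections. A NetSvcs hit is not proof of infection on its own; confirm by reading the service's ServiceDll value under HKLM\SYSTEM\CurrentControlSet\Services\<name>\Parameters before removing it.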

Hi Again! My computer is running slow, but the Rundll32 error is gone. Below is my ComboFix log and I will add the other logs in separate posts.

When ComboFix was doing a re-start, I did get this error message: Reg 2 exe, Error: file damaged.

Here is the log:

 

ComboFix 09-10-24.06 - Owner 10/25/2009 12:16.2.1 - NTFSx86

Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.447.242 [GMT -4:00]

Running from: c:\documents and settings\Owner\Desktop\sandek1.exe

Command switches used :: c:\documents and settings\Owner\Desktop\CFScript.txt

AV: McAfee VirusScan *On-access scanning disabled* (Updated) {84B5EE75-6421-4CDE-A33A-DD43BA9FAD83}

FW: McAfee Personal Firewall *disabled* {94894B63-8C7F-4050-BDA4-813CA00DA3E8}

 

FILE ::

"c:\windows\Evamuram.bin"

"c:\windows\Mladuwenuqav.dat"

"c:\windows\system32\fipuyuko.exe"

.

 

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))

.

 

c:\windows\Evamuram.bin

c:\windows\Mladuwenuqav.dat

c:\windows\system32\fipuyuko.exe

 

.

((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))

.

 

-------\Legacy_BTWSRV

 

 

((((((((((((((((((((((((( Files Created from 2009-09-25 to 2009-10-25 )))))))))))))))))))))))))))))))

.

 

2009-10-25 16:12 . 2009-10-25 16:13 -------- d-----w- C:\sandek1

2009-10-25 00:59 . 2009-10-25 00:59 -------- d-----w- C:\_OTM

2009-10-23 16:48 . 2009-10-23 16:48 -------- d-----w- C:\PCPitLogs_HJT

2009-10-23 16:47 . 2009-10-23 16:48 -------- d-----w- c:\program files\trend micro

2009-10-23 16:47 . 2009-10-23 16:48 -------- d-----w- C:\rsit

2009-10-21 01:26 . 2009-10-21 01:26 -------- d-----w- C:\$AVG

2009-10-21 01:24 . 2009-10-21 01:24 -------- d-----w- c:\program files\AVG

2009-10-21 01:24 . 2009-10-21 12:20 -------- d-----w- c:\documents and settings\All Users\Application Data\avg9

2009-10-18 12:54 . 2009-10-18 12:54 -------- d-----w- c:\documents and settings\Owner\Local Settings\Application Data\Threat Expert

2009-10-18 12:33 . 2009-10-08 15:31 1636304 ----a-w- c:\windows\PCTBDCore.dll

2009-10-18 12:30 . 2009-10-19 23:29 -------- d-----w- c:\program files\Common Files\PC Tools

2009-10-17 21:11 . 2009-10-17 21:11 -------- d-----w- c:\documents and settings\Owner\Local Settings\Application Data\{E207B15C-B565-4B5E-A5CB-227065006227}

2009-10-01 00:55 . 2009-10-25 01:28 -------- d-----w- c:\documents and settings\Owner\Application Data\U3

 

.

(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

.

2009-10-23 01:41 . 2006-08-31 11:21 -------- d-----w- c:\program files\Spybot - Search & Destroy

2009-10-23 01:32 . 2006-08-31 11:21 -------- d-----w- c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy

2009-10-22 01:57 . 2009-06-24 02:13 411368 ----a-w- c:\windows\system32\deploytk.dll

2009-10-22 01:57 . 2005-01-20 23:18 -------- d-----w- c:\program files\Java

2009-10-21 14:06 . 2007-05-25 00:51 -------- d-----w- c:\program files\McAfee

2009-10-19 23:39 . 2009-06-25 22:43 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware

2009-10-19 23:36 . 2005-10-31 03:44 -------- d-----w- c:\program files\Hewlett-Packard

2009-10-19 23:30 . 2007-11-02 02:17 -------- d---a-w- c:\documents and settings\All Users\Application Data\TEMP

2009-10-18 13:02 . 2005-10-31 03:36 -------- d-----w- c:\documents and settings\Owner\Application Data\McAfee

2009-10-18 13:01 . 2005-01-20 23:31 -------- d-----w- c:\documents and settings\All Users\Application Data\McAfee

2009-10-18 02:29 . 2007-10-09 01:42 -------- d-----w- c:\program files\Yahoo!

2009-09-16 14:22 . 2007-05-25 00:52 40552 ----a-w- c:\windows\system32\drivers\mfesmfk.sys

2009-09-16 14:22 . 2007-05-25 00:52 35272 ----a-w- c:\windows\system32\drivers\mfebopk.sys

2009-09-16 14:22 . 2007-05-25 00:52 79816 ----a-w- c:\windows\system32\drivers\mfeavfk.sys

2009-09-16 14:22 . 2007-05-25 00:52 214664 ----a-w- c:\windows\system32\drivers\mfehidk.sys

2009-09-16 14:22 . 2007-05-25 00:52 34248 ----a-w- c:\windows\system32\drivers\mferkdk.sys

2009-09-11 14:18 . 2004-08-26 16:12 136192 ----a-w- c:\windows\system32\msv1_0.dll

2009-09-10 18:54 . 2009-06-25 22:43 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys

2009-09-10 18:53 . 2009-06-25 22:43 19160 ----a-w- c:\windows\system32\drivers\mbam.sys

2009-09-04 21:03 . 2004-08-26 16:12 58880 ----a-w- c:\windows\system32\msasn1.dll

2009-09-02 02:40 . 2009-09-02 02:40 -------- d-----w- c:\program files\Swag_Bucks

2009-09-02 02:40 . 2009-09-02 02:40 -------- d-----w- c:\program files\Conduit

2009-08-30 19:49 . 2009-08-30 19:49 -------- d-----w- c:\documents and settings\Owner\Application Data\ieSpell

2009-08-29 07:36 . 2004-08-26 16:12 832512 ------w- c:\windows\system32\wininet.dll

2009-08-29 07:36 . 2004-08-26 16:11 78336 ----a-w- c:\windows\system32\ieencode.dll

2009-08-29 07:36 . 2004-08-26 16:11 17408 ----a-w- c:\windows\system32\corpol.dll

2009-08-26 08:00 . 2004-08-26 16:12 247326 ----a-w- c:\windows\system32\strmdll.dll

2009-08-05 09:01 . 2004-08-26 16:12 204800 ----a-w- c:\windows\system32\mswebdvd.dll

2009-08-05 00:44 . 2004-08-26 16:12 2189184 ------w- c:\windows\system32\ntoskrnl.exe

2009-08-04 14:20 . 2004-08-04 05:59 2066048 ------w- c:\windows\system32\ntkrnlpa.exe

2005-10-31 04:52 . 2005-10-31 04:52 0 -csha-w- c:\windows\SMINST\HPCD.sys

.

 

((((((((((((((((((((((((((((( SnapShot@2009-10-25_01.48.29 )))))))))))))))))))))))))))))))))))))))))

.

+ 2009-10-25 16:24 . 2009-10-25 16:24 16384 c:\windows\Temp\Perflib_Perfdata_c4.dat

+ 2004-08-26 18:07 . 2009-10-25 15:32 32768 c:\windows\system32\config\systemprofile\Local Settings\History\History.IE5\index.dat

- 2004-08-26 18:07 . 2009-10-24 21:27 32768 c:\windows\system32\config\systemprofile\Local Settings\History\History.IE5\index.dat

+ 2009-10-25 11:18 . 2009-10-25 15:32 32768 c:\windows\system32\config\systemprofile\Cookies\index.dat

- 2004-08-26 18:07 . 2009-10-24 21:27 32768 c:\windows\system32\config\systemprofile\Cookies\index.dat

.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))

.

.

*Note* empty entries & legit default entries are not shown

REGEDIT4

 

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\URLSearchHooks]

"{8bdea9d6-6f62-45eb-8ee9-8a81af0d2f94}"= "c:\program files\Swag_Bucks\tbSwag.dll" [2009-08-30 2259480]

 

[HKEY_CLASSES_ROOT\clsid\{8bdea9d6-6f62-45eb-8ee9-8a81af0d2f94}]

 

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]

"{8bdea9d6-6f62-45eb-8ee9-8a81af0d2f94}"= "c:\program files\Swag_Bucks\tbSwag.dll" [2009-08-30 2259480]

 

[HKEY_CLASSES_ROOT\clsid\{8bdea9d6-6f62-45eb-8ee9-8a81af0d2f94}]

 

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\Webbrowser]

"{8BDEA9D6-6F62-45EB-8EE9-8A81AF0D2F94}"= "c:\program files\Swag_Bucks\tbSwag.dll" [2009-08-30 2259480]

 

[HKEY_CLASSES_ROOT\clsid\{8bdea9d6-6f62-45eb-8ee9-8a81af0d2f94}]

 

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2007-04-27 282624]

"iRiver Updater"="\Updater.exe" [2004-07-01 212992]

"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2004-07-12 4112384]

"SunKistEM"="c:\program files\Digital Media Reader\shwiconem.exe" [2004-10-18 135168]

"RemoteControl"="c:\program files\CyberLink\PowerDVD\PDVDServ.exe" [2003-11-01 32768]

"Recguard"="c:\windows\SMINST\RECGUARD.EXE" [2002-09-13 212992]

"NVMixerTray"="c:\program files\NVIDIA Corporation\NvMixer\NVMixerTray.exe" [2004-06-04 131072]

"NvMediaCenter"="c:\windows\system32\NvMcTray.dll" [2004-07-12 81920]

"NeroFilterCheck"="c:\windows\system32\NeroCheck.exe" [2001-07-09 155648]

"EPSON Stylus CX4800 Series"="c:\windows\System32\spool\DRIVERS\W32X86\3\E_FATIADA.EXE" [2005-02-01 98304]

"UnlockerAssistant"="c:\program files\Unlocker\UnlockerAssistant.exe" [2006-09-07 15872]

"mcagent_exe"="c:\program files\McAfee.com\Agent\mcagent.exe" [2009-09-17 645328]

"CanonMyPrinter"="c:\program files\Canon\MyPrinter\BJMyPrt.exe" [2006-10-17 1197648]

"Malwarebytes Anti-Malware (reboot)"="c:\program files\Malwarebytes' Anti-Malware\mbam.exe" [2009-09-10 1312080]

"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2009-10-22 149280]

"nwiz"="nwiz.exe" - c:\windows\system32\nwiz.exe [2004-07-12 843776]

 

c:\documents and settings\Owner\Start Menu\Programs\Startup\

HotSync Manager.LNK - c:\program files\Palm\Hotsync.exe [2004-6-9 471040]

 

c:\documents and settings\All Users\Start Menu\Programs\Startup\

Adobe Reader Speed Launch.lnk - c:\program files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2005-9-23 29696]

HOTSYNCSHORTCUTNAME.lnk - c:\program files\Palm\Hotsync.exe [2004-6-9 471040]

Microsoft Office.lnk - c:\program files\Microsoft Office\Office\OSA9.EXE [1999-2-17 65588]

 

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\mcmscsvc]

@="Service"

 

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MCODS]

@=""

 

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeAntiVirus]

"DisableMonitoring"=dword:00000001

 

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeFirewall]

"DisableMonitoring"=dword:00000001

 

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]

"EnableFirewall"= 0 (0x0)

 

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]

"%windir%\\system32\\sessmgr.exe"=

"%windir%\\Network Diagnostic\\xpnetdiag.exe"=

"c:\\Program Files\\Common Files\\McAfee\\MNA\\McNASvc.exe"=

 

S3 DNINDIS5;DNINDIS5 NDIS Protocol Driver;c:\windows\system32\DNINDIS5.sys [10/17/2007 8:54 PM 17149]

.

Contents of the 'Scheduled Tasks' folder

 

2009-10-22 c:\windows\Tasks\McAfeeQuickClean.job

- c:\progra~1\mcafee\mqc\QcConsol.exe [2007-05-25 16:22]

 

2009-09-15 c:\windows\Tasks\McDefragTask.job

- c:\program files\mcafee\mqc\QcConsol.exe [2007-05-25 16:22]

 

2009-07-01 c:\windows\Tasks\McQcTask.job

- c:\program files\mcafee\mqc\QcConsol.exe [2007-05-25 16:22]

.

.

------- Supplementary Scan -------

.

uStart Page = hxxp://www.ezanga.com/

uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8

uSearchURL,(Default) = hxxp://www.google.com/keyword/%s

IE: &Search

IE: Customize Menu - file://c:\program files\Siber Systems\AI RoboForm\RoboFormComCustomizeIEMenu.html

IE: Fill Forms - file://c:\program files\Siber Systems\AI RoboForm\RoboFormComFillForms.html

IE: Lookup on Merriam Webster - file://c:\program files\ieSpell\Merriam Webster.HTM

IE: Lookup on Wikipedia - file://c:\program files\ieSpell\wikipedia.HTM

IE: RoboForm Toolbar - file://c:\program files\Siber Systems\AI RoboForm\RoboFormComShowToolbar.html

IE: Save Forms - file://c:\program files\Siber Systems\AI RoboForm\RoboFormComSavePass.html

Trusted Zone: dana.com\psselfserve

Trusted Zone: internet

Trusted Zone: malwarebytes.com\www

Trusted Zone: malwarebytes.org\www

Trusted Zone: malwaresupport.com

Trusted Zone: mcafee.com

.

 

**************************************************************************

 

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net

Rootkit scan 2009-10-25 12:24

Windows 5.1.2600 Service Pack 3 NTFS

 

scanning hidden processes ...

 

scanning hidden autostart entries ...

 

scanning hidden files ...

 

scan completed successfully

hidden files: 0

 

**************************************************************************

.

--------------------- DLLs Loaded Under Running Processes ---------------------

 

- - - - - - - > 'explorer.exe'(1904)

c:\windows\system32\WININET.dll

c:\windows\system32\ieframe.dll

c:\windows\system32\mshtml.dll

.

------------------------ Other Running Processes ------------------------

.

c:\sandek124569s\CF17128.exe

c:\program files\Java\jre6\bin\jqs.exe

c:\progra~1\McAfee\MSC\mcmscsvc.exe

c:\program files\common files\mcafee\mna\mcnasvc.exe

c:\progra~1\COMMON~1\mcafee\mcproxy\mcproxy.exe

c:\progra~1\McAfee\VIRUSS~1\mcshield.exe

c:\program files\McAfee\MPF\MPFSrv.exe

c:\windows\system32\nvsvc32.exe

C:\Updater.exe

c:\program files\Common Files\New Boundary\PrismXL\PRISMXL.SYS

c:\windows\system32\wdfmgr.exe

c:\windows\system32\wscntfy.exe

c:\sandek124569s\PEV.cfxxe

.

**************************************************************************

.

Completion time: 2009-10-25 12:30 - machine was rebooted

ComboFix-quarantined-files.txt 2009-10-25 16:30

ComboFix2.txt 2009-10-25 01:56

 

Pre-Run: 104,859,549,696 bytes free

Post-Run: 104,831,954,944 bytes free

 

- - End Of File - - 017A5C64FAAD14D54DC1F8032E8F2712


Here is the MBAM log:

Malwarebytes' Anti-Malware 1.41

Database version: 3030

Windows 5.1.2600 Service Pack 3

 

10/25/2009 1:39:28 PM

mbam-log-2009-10-25 (13-39-27).txt

 

Scan type: Full Scan (C:\|D:\|)

Objects scanned: 164889

Time elapsed: 1 hour(s), 5 minute(s), 19 second(s)

 

Memory Processes Infected: 0

Memory Modules Infected: 0

Registry Keys Infected: 2

Registry Values Infected: 2

Registry Data Items Infected: 0

Folders Infected: 0

Files Infected: 22

 

Memory Processes Infected:

(No malicious items detected)

 

Memory Modules Infected:

(No malicious items detected)

 

Registry Keys Infected:

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{a2234b15-23f2-42ad-f4e4-00aac39c0004} (Trojan.Ertfor) -> Quarantined and deleted successfully.

HKEY_LOCAL_MACHINE\System\CurrentControlSet\Enum\Root\LEGACY_FASTNETSRV (Backdoor.Bot) -> Quarantined and deleted successfully.

 

Registry Values Infected:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WBEM\mBt (Backdoor.Bot) -> Quarantined and deleted successfully.

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WBEM\mfa (Backdoor.Bot) -> Quarantined and deleted successfully.

 

Registry Data Items Infected:

(No malicious items detected)

 

Folders Infected:

(No malicious items detected)

 

Files Infected:

C:\Qoobox\Quarantine\C\WINDOWS\system32\fipuyuko.exe.vir (Trojan.FakeAlert) -> Quarantined and deleted successfully.

C:\Qoobox\Quarantine\C\WINDOWS\system32\hakodame.dll.vir (Trojan.Vundo) -> Quarantined and deleted successfully.

C:\Qoobox\Quarantine\C\WINDOWS\system32\isapeep.sys.vir (Backdoor.Bot) -> Quarantined and deleted successfully.

C:\Qoobox\Quarantine\C\WINDOWS\system32\lobawera.dll.vir (Trojan.Vundo) -> Quarantined and deleted successfully.

C:\Qoobox\Quarantine\C\WINDOWS\system32\mijikive.dll.vir (Trojan.Vundo) -> Quarantined and deleted successfully.

C:\Qoobox\Quarantine\C\WINDOWS\system32\mubafuju.dll.vir (Trojan.Vundo) -> Quarantined and deleted successfully.

C:\Qoobox\Quarantine\C\WINDOWS\system32\ruhulimi.dll.vir (Trojan.Vundo) -> Quarantined and deleted successfully.

C:\Qoobox\Quarantine\C\WINDOWS\system32\tehepepa.dll.vir (Trojan.Vundo) -> Quarantined and deleted successfully.

C:\Qoobox\Quarantine\C\WINDOWS\system32\varupadi.dll.vir (Trojan.Vundo) -> Quarantined and deleted successfully.

C:\Qoobox\Quarantine\C\WINDOWS\system32\vilohora.dll.vir (Trojan.Vundo) -> Quarantined and deleted successfully.

C:\Qoobox\Quarantine\C\WINDOWS\system32\vupihaba.dll.vir (Trojan.Vundo) -> Quarantined and deleted successfully.

C:\System Volume Information\_restore{F845E3DB-F751-4BE4-A620-64F2CA1BFB5F}\RP2\A0000159.dll (Trojan.Vundo) -> Quarantined and deleted successfully.

C:\System Volume Information\_restore{F845E3DB-F751-4BE4-A620-64F2CA1BFB5F}\RP2\A0000156.sys (Backdoor.Bot) -> Quarantined and deleted successfully.

C:\System Volume Information\_restore{F845E3DB-F751-4BE4-A620-64F2CA1BFB5F}\RP2\A0000157.dll (Trojan.Vundo) -> Quarantined and deleted successfully.

C:\System Volume Information\_restore{F845E3DB-F751-4BE4-A620-64F2CA1BFB5F}\RP2\A0000158.dll (Trojan.Vundo) -> Quarantined and deleted successfully.

C:\System Volume Information\_restore{F845E3DB-F751-4BE4-A620-64F2CA1BFB5F}\RP2\A0000160.dll (Trojan.Vundo) -> Quarantined and deleted successfully.

C:\System Volume Information\_restore{F845E3DB-F751-4BE4-A620-64F2CA1BFB5F}\RP2\A0000161.dll (Trojan.Vundo) -> Quarantined and deleted successfully.

C:\System Volume Information\_restore{F845E3DB-F751-4BE4-A620-64F2CA1BFB5F}\RP2\A0000162.dll (Trojan.Vundo) -> Quarantined and deleted successfully.

C:\System Volume Information\_restore{F845E3DB-F751-4BE4-A620-64F2CA1BFB5F}\RP2\A0000163.dll (Trojan.Vundo) -> Quarantined and deleted successfully.

C:\System Volume Information\_restore{F845E3DB-F751-4BE4-A620-64F2CA1BFB5F}\RP2\A0000164.dll (Trojan.Vundo) -> Quarantined and deleted successfully.

C:\System Volume Information\_restore{F845E3DB-F751-4BE4-A620-64F2CA1BFB5F}\RP3\A0000285.exe (Trojan.FakeAlert) -> Quarantined and deleted successfully.

C:\WINDOWS\system32\lsm32.sys (Backdoor.Bot) -> Quarantined and deleted successfully.


The Kaspersky Online Scanner is unavailable:

 

"The current Kaspersky Online Scanner is unavailable - we apologize for the inconvenience. While you are waiting for the improved Online Scanner, why not try a free trial of Kaspersky Internet Security 2010, which has everything you need to keep your computer safe."

 

Should I download the version listed above? I didn't want to proceed without your advice.


Here is my new HJT log:

Logfile of Trend Micro HijackThis v2.0.2

Scan saved at 2:03:12 PM, on 10/25/2009

Platform: Windows XP SP3 (WinNT 5.01.2600)

MSIE: Internet Explorer v7.00 (7.00.6000.16915)

Boot mode: Normal

 

Running processes:

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\system32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\Explorer.EXE

C:\WINDOWS\system32\spoolsv.exe

C:\Updater.exe

C:\Program Files\Digital Media Reader\shwiconem.exe

C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe

C:\Program Files\Unlocker\UnlockerAssistant.exe

C:\Program Files\McAfee.com\Agent\mcagent.exe

C:\Program Files\Canon\MyPrinter\BJMyPrt.exe

C:\Program Files\Java\jre6\bin\jusched.exe

C:\WINDOWS\system32\ctfmon.exe

C:\Program Files\Palm\Hotsync.exe

C:\Program Files\Java\jre6\bin\jqs.exe

C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe

c:\program files\common files\mcafee\mna\mcnasvc.exe

c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe

C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe

C:\Program Files\McAfee\MPF\MPFSrv.exe

C:\WINDOWS\system32\nvsvc32.exe

C:\Program Files\Common Files\New Boundary\PrismXL\PRISMXL.SYS

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\system32\wscntfy.exe

C:\Program Files\Internet Explorer\IEXPLORE.EXE

C:\Documents and Settings\Owner\Desktop\HijackThis.exe

 

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.ezanga.com/

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157

R3 - URLSearchHook: Swag Bucks Toolbar - {8bdea9d6-6f62-45eb-8ee9-8a81af0d2f94} - C:\Program Files\Swag_Bucks\tbSwag.dll

O2 - BHO: scriptproxy - {7DB2D5A0-7241-4E79-B68D-6309F01C5231} - C:\Program Files\McAfee\VirusScan\scriptsn.dll

O2 - BHO: Java Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll

O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll

O3 - Toolbar: &RoboForm - {724d43a0-0d85-11d4-9908-00400523e39a} - C:\Program Files\Siber Systems\AI RoboForm\roboform.dll

O3 - Toolbar: Swag Bucks Toolbar - {8bdea9d6-6f62-45eb-8ee9-8a81af0d2f94} - C:\Program Files\Swag_Bucks\tbSwag.dll

O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime

O4 - HKLM\..\Run: [iRiver Updater] \Updater.exe

O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup

O4 - HKLM\..\Run: [sunKistEM] C:\Program Files\Digital Media Reader\shwiconem.exe

O4 - HKLM\..\Run: [RemoteControl] "C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe"

O4 - HKLM\..\Run: [Recguard] C:\WINDOWS\SMINST\RECGUARD.EXE

O4 - HKLM\..\Run: [nwiz] nwiz.exe /install

O4 - HKLM\..\Run: [NVMixerTray] "C:\Program Files\NVIDIA Corporation\NvMixer\NVMixerTray.exe"

O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit

O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe

O4 - HKLM\..\Run: [EPSON Stylus CX4800 Series] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_FATIADA.EXE /P26 "EPSON Stylus CX4800 Series" /O6 "USB001" /M "Stylus CX4800"

O4 - HKLM\..\Run: [unlockerAssistant] "C:\Program Files\Unlocker\UnlockerAssistant.exe" -H

O4 - HKLM\..\Run: [mcagent_exe] "C:\Program Files\McAfee.com\Agent\mcagent.exe" /runkey

O4 - HKLM\..\Run: [CanonMyPrinter] C:\Program Files\Canon\MyPrinter\BJMyPrt.exe /logon

O4 - HKLM\..\Run: [Malwarebytes Anti-Malware (reboot)] "C:\Program Files\Malwarebytes' Anti-Malware\mbam.exe" /runcleanupscript

O4 - HKLM\..\Run: [sunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"

O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe

O4 - Startup: HotSync Manager.LNK = C:\Program Files\Palm\Hotsync.exe

O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe

O4 - Global Startup: HOTSYNCSHORTCUTNAME.lnk = C:\Program Files\Palm\Hotsync.exe

O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE

O8 - Extra context menu item: Customize Menu - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComCustomizeIEMenu.html

O8 - Extra context menu item: Fill Forms - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComFillForms.html

O8 - Extra context menu item: Lookup on Merriam Webster - file://C:\Program Files\ieSpell\Merriam Webster.HTM

O8 - Extra context menu item: Lookup on Wikipedia - file://C:\Program Files\ieSpell\wikipedia.HTM

O8 - Extra context menu item: RoboForm Toolbar - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComShowToolbar.html

O8 - Extra context menu item: Save Forms - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComSavePass.html

O9 - Extra button: Fill Forms - {320AF880-6646-11D3-ABEE-C5DBF3571F46} - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComFillForms.html

O9 - Extra 'Tools' menuitem: Fill Forms - {320AF880-6646-11D3-ABEE-C5DBF3571F46} - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComFillForms.html

O9 - Extra button: Save - {320AF880-6646-11D3-ABEE-C5DBF3571F49} - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComSavePass.html

O9 - Extra 'Tools' menuitem: Save Forms - {320AF880-6646-11D3-ABEE-C5DBF3571F49} - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComSavePass.html

O9 - Extra button: RoboForm - {724d43aa-0d85-11d4-9908-00400523e39a} - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComShowToolbar.html

O9 - Extra 'Tools' menuitem: RoboForm Toolbar - {724d43aa-0d85-11d4-9908-00400523e39a} - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComShowToolbar.html

O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll

O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe

O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe

O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe

O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe

O9 - Extra button: VIP Casino - {3B501CBC-D009-4DAB-ADAF-B882F2F0A447} - C:\Documents and Settings\Owner\Desktop\VIP Casino.lnk (file missing) (HKCU)

O9 - Extra 'Tools' menuitem: VIP Casino - {3B501CBC-D009-4DAB-ADAF-B882F2F0A447} - C:\Documents and Settings\Owner\Desktop\VIP Casino.lnk (file missing) (HKCU)

O15 - Trusted Zone: http://*.mcafee.com

O16 - DPF: {05CA9FB0-3E3E-4B36-BF41-0E3A5CAA8CD8} (Office Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=58813

O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204

O16 - DPF: {3DC2E31C-371A-4BD3-9A27-CDF57CE604CF} (MSN Money Charting) - http://moneycentral.msn.com/cabs/pmupd806.exe

O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} (McAfee.com Operating System Class) - http://download.mcafee.com/molbin/shared/m...01/mcinsctl.cab

O16 - DPF: {BCC0FF27-31D9-4614-A68E-C18E1ADA4389} (DwnldGroupMgr Class) - http://download.mcafee.com/molbin/shared/m...,26/mcgdmgr.cab

O23 - Service: getPlus® Helper - NOS Microsystems Ltd. - C:\Program Files\NOS\bin\getPlus_HelperSvc.exe

O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe

O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe

O23 - Service: McAfee Services (mcmscsvc) - McAfee, Inc. - C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe

O23 - Service: McAfee Network Agent (McNASvc) - McAfee, Inc. - c:\program files\common files\mcafee\mna\mcnasvc.exe

O23 - Service: McAfee Scanner (McODS) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcods.exe

O23 - Service: McAfee Proxy Service (McProxy) - McAfee, Inc. - c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe

O23 - Service: McAfee Real-time Scanner (McShield) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe

O23 - Service: McAfee Personal Firewall Service (MpfService) - McAfee, Inc. - C:\Program Files\McAfee\MPF\MPFSrv.exe

O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe

O23 - Service: PrismXL - New Boundary Technologies, Inc. - C:\Program Files\Common Files\New Boundary\PrismXL\PRISMXL.SYS

 

--

End of file - 9128 bytes


Welcome back

 

Hi Again! My computer is running slow, but the Rundll32 error is gone.

I think this will improve.

 

The Kaspersky Online Scanner is unavailable: Should I download the version listed above? I didn't want to proceed without your advice.

No need to; we have a different online scanner to use without any type of paid purchase.

 

 

*********

One or more of the identified infections is a backdoor trojan.

 

This type of infection allows hackers to remotely control your computer, log keystrokes, steal critical system information, and download and execute files without your knowledge.

 

If you do any banking or other financial transactions on the PC or if it should contain any other sensitive information, please get to a known clean computer and change all passwords where applicable, and it would be wise to contact those same financial institutions to apprise them of your situation.

 

Please refer to Microsoft's Online Safety article for tips on creating a strong password.

 

Do not change passwords or do any transactions from the infected computer until it has been cleaned.

 

------------------------------------------------------

 

 

 

Go to My Computer->Tools->Folder Options->View tab:

  • Under the Hidden files and folders heading:
  • Select - Show hidden files and folders.
  • Uncheck- Hide protected operating system files (recommended) option.
  • Also, make sure there is no checkmark beside Hide file extensions for known file types.
  • Click OK. (Remember to Hide files and folders once done)
Please go to: VirusTotal

  • Click the Browse button and search for the following file: C:\Updater.exe
  • Click Open
  • Then click Send File
  • Please be patient while the file is scanned.
  • Once the scan results appear, please provide them in your next reply.
If it says already scanned -- click "reanalyze now"

 

 

 

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

 

Your version of Adobe is out of date.

 

You can obtain the latest version of Adobe Reader from here, and the latest version of Flash Player from here.

For more information and links to Adobe updates and downloads click here.

 

 

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

 

We need to disable Spybot S&D's "TeaTimer", instructions in previous post.

 

 

 

Open HijackThis, Click Do a system scan only, checkmark these. Then close all other windows and browsers except HijackThis and press fix checked.

 

The following are not necessarily spyware/malware, but we suggest you place a check mark next to the following entries, as these programs may be taking up system resources.

 

O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit

(Description: Nvidia system tray applet. Not necessary. Removing this entry will free up a small amount of system resources.)

 

O4 - HKLM\..\Run: [Malwarebytes Anti-Malware (reboot)] "C:\Program Files\Malwarebytes' Anti-Malware\mbam.exe" /runcleanupscript

(Unless it is the purchased Pro version, this is not a necessary item at boot up; daily manual updating is requested.)

 

O4 - HKLM\..\Run: [sunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"

(Description: Sun Java update scheduler. Checks for updates. Not necessary. Removing this entry will free up a small amount of system resources.)

 

O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 9.0\Reader\reader_sl.exe

(Description: Adobe reader startup - unnecessarily uses system resources.)

 

O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE

(Description: Microsoft Office Startup Assistant. This program loads some Microsoft Office components into memory, even if you're not currently using MS Office. Removing this unnecessary program will free up a considerable amount of system resources.)

 

 

 

Now please reboot your computer to set the registry.

 

 

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

 

 

Perform an online scan with Panda ActiveScan

* Click on Scan Your PC Now

* A "pop up" window will appear, or a new tab will open.

* Click on Register

* Choose the option you like most, but we recommend the Free Registration.

 


# Enter your e-mail address, and create a password.

# Select "I do not want to receive any type of information". (unless you want to receive such information)

# Click on Send

# Confirm registration, and continue by entering your user name and password, then click on Enter

# Select Full Scan, then Click on Scan Now

# Wait for the components to be loaded and installed. Don't close this window or go to another page while it is downloading. You can continue using the Internet by opening another window in your browser.

# If it finds any malware it can disinfect, the Disinfect button will be enabled. Click on Disinfect

# Please ignore the offer to buy the program. Click on Export To


 

* Export the log and save it to your desktop.

* Please post the contents of that log in your next reply.

* Turn off the real time scanner of any existing antivirus program while performing the online scan

 

 

In your next reply post:

File requested scanned

Panda log

new HJT log

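The helper's instructions above single out C:\Updater.exe for a VirusTotal check and list O4 entries to fix, which is the manual version of a HijackThis triage pass: an entry whose target is missing, a Run key whose program sits in the drive root or is given as a bare filename, or a start page that is not the stock Microsoft one all deserve a second look before anything is "fixed". The script below is an added example written for this page, not a tool from the thread or from HijackThis; the sample lines are copied from the logs posted in this thread, while the "trusted" directory prefixes and the default-host list are assumptions a reviewer would adjust for the machine in front of them. It flags entries for review; it does not decide that anything is malicious.

```python
import re

# Sample lines copied from the HijackThis logs posted in this thread (not a complete log).
SAMPLE_HJT = r"""
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.ezanga.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
O2 - BHO: (no name) - {02478D38-C3F9-4efb-9B51-7695ECA05670} - (no file)
O2 - BHO: scriptproxy - {7DB2D5A0-7241-4E79-B68D-6309F01C5231} - C:\Program Files\McAfee\VirusScan\scriptsn.dll
O4 - HKLM\..\Run: [iRiver Updater] \Updater.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [mcagent_exe] "C:\Program Files\McAfee.com\Agent\mcagent.exe" /runkey
O9 - Extra button: VIP Casino - {3B501CBC-D009-4DAB-ADAF-B882F2F0A447} - C:\Documents and Settings\Owner\Desktop\VIP Casino.lnk (file missing) (HKCU)
"""

# Assumed baseline: where installed software normally lives on a 32-bit XP system.
TRUSTED_PREFIXES = ("c:\\program files\\", "c:\\windows\\")
# Hosts the stock IE pages point at, taken from the R1 lines in the posted log.
DEFAULT_IE_HOSTS = ("go.microsoft.com",)
# "\Updater.exe" or "C:\Updater.exe": a file sitting directly in the drive root.
DRIVE_ROOT = re.compile(r"^(?:[a-z]:)?\\[^\\]+$", re.I)


def autorun_target(command):
    """Return the file an O4 Run-key command really loads.

    Handles quoted paths and the rundll32 host pattern, where the file worth
    looking at is the DLL argument rather than rundll32.exe itself.
    """
    command = command.strip()
    if command.startswith('"'):
        return command[1:command.index('"', 1)]
    tokens = command.split()
    if tokens[0].lower() == "rundll32.exe" and len(tokens) > 1:
        return tokens[1].split(",", 1)[0]
    return tokens[0]


def triage(log_text):
    """Return (section, reason, detail) tuples for lines a reviewer should look at."""
    findings = []
    for line in log_text.splitlines():
        line = line.strip()
        if not line:
            continue
        section = line.split(" - ", 1)[0]
        # Entries whose target is gone do nothing, but are clutter and safe to remove.
        if "(no file)" in line or "(file missing)" in line:
            findings.append((section, "orphaned entry, target no longer exists", line))
            continue
        if section in ("R0", "R1"):
            url = line.rsplit("= ", 1)[1]
            host = re.match(r"https?://([^/]+)", url, re.I)
            if host and host.group(1).lower() not in DEFAULT_IE_HOSTS:
                findings.append((section, "non-default IE start/search page", url))
        elif section == "O4" and "] " in line:
            target = autorun_target(line.split("] ", 1)[1])
            low = target.lower()
            if "\\" not in low:
                # Bare filename: Windows resolves it through the PATH search order.
                findings.append((section, "bare filename, resolved via PATH", target))
            elif DRIVE_ROOT.match(low):
                findings.append((section, "autorun from drive root", target))
            elif re.match(r"[a-z]:\\", low) and not low.startswith(TRUSTED_PREFIXES):
                findings.append((section, "autorun outside Program Files/WINDOWS", target))
    return findings


if __name__ == "__main__":
    for section, reason, detail in triage(SAMPLE_HJT):
        print(f"{section:3} {reason:45} {detail}")
```

Run against the sample, it reports the ezanga start page, the two orphaned entries, the root-level \Updater.exe and the bare nwiz.exe, and stays quiet about the NVIDIA and McAfee entries. nwiz.exe is a legitimate NVIDIA component, which is exactly why the output is a review list and not a verdict: the point of the bare-filename check is that such an entry runs whatever file of that name is found first on the PATH.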

Hi Again and Thanks again for the help. I kept checking for an email from PC Pitstop, saying I had a reply but didn't get one this time. Luckily, I checked the thread at work today and saw your instructions.

Here is my File from Virus Total, I will post others as I do them tonight.

File Updater.exe received on 2009.10.07 11:04:06 (UTC)

Current status: finished

 

Result: 0/41 (0.00%)

Compact Print results

Antivirus Version Last Update Result

a-squared 4.5.0.41 2009.10.07 -

AhnLab-V3 5.0.0.2 2009.10.06 -

AntiVir 7.9.1.33 2009.10.07 -

Antiy-AVL 2.0.3.7 2009.10.05 -

Authentium 5.1.2.4 2009.10.07 -

Avast 4.8.1351.0 2009.10.06 -

AVG 8.5.0.420 2009.10.04 -

BitDefender 7.2 2009.10.07 -

CAT-QuickHeal 10.00 2009.10.07 -

ClamAV 0.94.1 2009.10.07 -

Comodo 2526 2009.10.07 -

DrWeb 5.0.0.12182 2009.10.07 -

eSafe 7.0.17.0 2009.10.06 -

eTrust-Vet 35.1.7055 2009.10.07 -

F-Prot 4.5.1.85 2009.10.06 -

F-Secure 8.0.14470.0 2009.10.07 -

Fortinet 3.120.0.0 2009.10.07 -

GData 19 2009.10.07 -

Ikarus T3.1.1.72.0 2009.10.07 -

Jiangmin 11.0.800 2009.10.07 -

K7AntiVirus 7.10.863 2009.10.06 -

Kaspersky 7.0.0.125 2009.10.07 -

McAfee 5763 2009.10.06 -

McAfee+Artemis 5763 2009.10.06 -

McAfee-GW-Edition 6.8.5 2009.10.07 -

Microsoft 1.5101 2009.10.07 -

NOD32 4486 2009.10.07 -

Norman 6.01.09 2009.10.06 -

nProtect 2009.1.8.0 2009.10.07 -

Panda 10.0.2.2 2009.10.06 -

PCTools 4.4.2.0 2009.10.07 -

Prevx 3.0 2009.10.07 -

Rising 21.49.22.00 2009.09.30 -

Sophos 4.45.0 2009.10.07 -

Sunbelt 3.2.1858.2 2009.10.07 -

Symantec 1.4.4.12 2009.10.07 -

TheHacker 6.5.0.2.032 2009.10.06 -

TrendMicro 8.950.0.1094 2009.10.07 -

VBA32 3.12.10.11 2009.10.07 -

ViRobot 2009.10.7.1974 2009.10.07 -

VirusBuster 4.6.5.0 2009.10.06 -

Additional information

File size: 212992 bytes

MD5 : 50d1955bca8825da78fc00f62fbb2b1d

SHA1 : fed45a6f55043a80df063122ad683aa2dfb13066

SHA256: 61e45b3b7b74f327c918a6834a9b535b4f00d0dd2df0f2b04f82b07bf197c42f

PEInfo: PE Structure information

 

( base data )

entrypointaddress.: 0x16AE8

timedatestamp.....: 0x40E48014 (Thu Jul 1 23:20:20 2004)

machinetype.......: 0x14C (Intel I386)

 

( 4 sections )

name viradd virsiz rawdsiz ntrpy md5

.text 0x1000 0x1883A 0x19000 6.29 3fa575f95a67d11c40bdb9f71bd588d1

.rdata 0x1A000 0x802C 0x9000 4.72 51ee4690f6f516855a2f7c0541b2ce98

.data 0x23000 0x5C0 0x1000 1.90 fdd1dd8c066fff2be9066219365945aa

.rsrc 0x24000 0xF6E0 0x10000 4.81 6a1d022d51e9cf609791f096e89244ee

 

( 0 imports )

 

 

( 0 exports )

 

TrID : File type identification

Win32 Executable MS Visual C++ (generic) (65.2%)

Win32 Executable Generic (14.7%)

Win32 Dynamic Link Library (generic) (13.1%)

Generic Win/DOS Executable (3.4%)

DOS Executable Generic (3.4%)

ThreatExpert: http://www.threatexpert.com/report.aspx?md...8fc00f62fbb2b1d

ssdeep: 3072:KL4FqD1ceiQUOhNSenyPWaXj8h+tbOcjc:VgD1czQ/oWaXQh+tbO

PEiD : -

CWSandbox: http://research.sunbelt-software.com/partn...8fc00f62fbb2b1d

RDS : NSRL Reference Data Set

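Two things in the VirusTotal report above are worth checking rather than just reading. First, the report is for whatever file carries those hashes (the helper's note about "already scanned" results applies here), so the local C:\Updater.exe should be hashed and compared before the 0/41 result is credited to it. Second, the per-section "ntrpy" column is Shannon entropy in bits per byte: compiled code normally lands around 6 to 6.5 as .text does here, while a packed or encrypted payload pushes a section towards 8. The code below is an added example written for this page, not VirusTotal's code or anything posted in the thread; the report lines are copied from the post above, the scanned file itself is not available here, and the 7.0 packing threshold is an assumed rule of thumb, not a hard boundary.

```python
import hashlib
import math
import re

# Lines copied from the VirusTotal report posted above; the scanned file is not available here.
VT_REPORT = """\
Result: 0/41 (0.00%)
MD5 : 50d1955bca8825da78fc00f62fbb2b1d
SHA1 : fed45a6f55043a80df063122ad683aa2dfb13066
SHA256: 61e45b3b7b74f327c918a6834a9b535b4f00d0dd2df0f2b04f82b07bf197c42f
.text 0x1000 0x1883A 0x19000 6.29 3fa575f95a67d11c40bdb9f71bd588d1
.rdata 0x1A000 0x802C 0x9000 4.72 51ee4690f6f516855a2f7c0541b2ce98
.data 0x23000 0x5C0 0x1000 1.90 fdd1dd8c066fff2be9066219365945aa
.rsrc 0x24000 0xF6E0 0x10000 4.81 6a1d022d51e9cf609791f096e89244ee
"""

# name, virtual address, virtual size, raw size, entropy, md5 (the report's section table)
SECTION_RE = re.compile(
    r"^(\.\w+)\s+0x([0-9A-Fa-f]+)\s+0x([0-9A-Fa-f]+)\s+0x([0-9A-Fa-f]+)\s+([\d.]+)\s+([0-9a-f]{32})$")


def parse_report(text):
    """Pull the detection ratio, the three hashes and the PE section table out of the report."""
    info = {"detections": None, "engines": None, "hashes": {}, "sections": []}
    for line in text.splitlines():
        line = line.strip()
        m = re.match(r"Result:\s+(\d+)/(\d+)", line)
        if m:
            info["detections"], info["engines"] = int(m.group(1)), int(m.group(2))
            continue
        m = re.match(r"(MD5|SHA1|SHA256)\s*:\s*([0-9a-f]+)$", line)
        if m:
            info["hashes"][m.group(1)] = m.group(2)
            continue
        m = SECTION_RE.match(line)
        if m:
            info["sections"].append({
                "name": m.group(1),
                "vaddr": int(m.group(2), 16),
                "vsize": int(m.group(3), 16),
                "rawsize": int(m.group(4), 16),
                "entropy": float(m.group(5)),
                "md5": m.group(6),
            })
    return info


def file_hashes(data):
    """The same three digests VirusTotal reports, computed locally."""
    return {
        "MD5": hashlib.md5(data).hexdigest(),
        "SHA1": hashlib.sha1(data).hexdigest(),
        "SHA256": hashlib.sha256(data).hexdigest(),
    }


def hashes_match(data, reported):
    """True only if every hash in the report equals the local file's digest.

    An 'already scanned' report describes whichever file carries that hash,
    so this is the check that it really is the copy on your disk.
    """
    local = file_hashes(data)
    return bool(reported) and all(local[name] == value for name, value in reported.items())


def shannon_entropy(data):
    """Bits per byte: 0.0 for constant data, 8.0 for uniformly random bytes."""
    if not data:
        return 0.0
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in counts if c)


def packed_sections(info, threshold=7.0):
    """Section names whose entropy (the 'ntrpy' column) suggests packed or encrypted content."""
    return [s["name"] for s in info["sections"] if s["entropy"] >= threshold]


if __name__ == "__main__":
    info = parse_report(VT_REPORT)
    print(f"{info['detections']}/{info['engines']} engines flagged the file")
    print("packed sections:", packed_sections(info) or "none")
```

To use it on the real file, read C:\Updater.exe as bytes and pass it to hashes_match together with parse_report(...)["hashes"]; a False there means the report is about a different file of the same name. A 0/41 result with no packed sections is reassuring, not conclusive: it says no engine recognised the file on that date, which is consistent with the helper's decision to keep the HijackThis and Panda checks going.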

I kept checking for an email from PC Pitstop, saying I had a reply but didn't get one this time.

Check the options button at the top of the page and make sure it's set to immediate notification.

 

So far the logs are returning in good shape.

Edited by Juliet


Good Morning! Here is my Panda Log:

;***********************************************************************************************************************************************************************************

ANALYSIS: 2009-10-29 06:16:03

PROTECTIONS: 1

MALWARE: 18

SUSPECTS: 0

;***********************************************************************************************************************************************************************************

PROTECTIONS

Description Version Active Updated

;===================================================================================================================================================================================

McAfee VirusScan Yes Yes

;===================================================================================================================================================================================

MALWARE

Id Description Type Active Severity Disinfectable Disinfected Location

;===================================================================================================================================================================================

00139059 Cookie/Traffic Marketplace TrackingCookie No 0 Yes No c:\documents and settings\owner\cookies\owner@trafficmp[2].txt

00145405 Cookie/RealMedia TrackingCookie No 0 Yes No c:\documents and settings\owner\cookies\owner@247realmedia[2].txt

00145731 Cookie/Tribalfusion TrackingCookie No 0 Yes No c:\documents and settings\owner\cookies\owner@tribalfusion[1].txt

00167642 Cookie/Com.com TrackingCookie No 0 Yes No c:\documents and settings\owner\cookies\owner@com[1].txt

00168056 Cookie/YieldManager TrackingCookie No 0 Yes No c:\documents and settings\owner\cookies\owner@ad.yieldmanager[2].txt

00168090 Cookie/Serving-sys TrackingCookie No 0 Yes No c:\documents and settings\owner\cookies\owner@serving-sys[2].txt

00168093 Cookie/Serving-sys TrackingCookie No 0 Yes No c:\documents and settings\owner\cookies\owner@bs.serving-sys[1].txt

00168110 Cookie/Server.iad.Liveperson TrackingCookie No 0 Yes No c:\documents and settings\owner\cookies\owner@server.iad.liveperson[1].txt

00170495 Cookie/PointRoll TrackingCookie No 0 Yes No c:\documents and settings\owner\cookies\owner@ads.pointroll[2].txt

00170554 Cookie/Overture TrackingCookie No 0 Yes No c:\documents and settings\owner\cookies\owner@overture[1].txt

00170556 Cookie/RealMedia TrackingCookie No 0 Yes No c:\documents and settings\owner\cookies\owner@realmedia[1].txt

00171982 Cookie/QuestionMarket TrackingCookie No 0 Yes No c:\documents and settings\owner\cookies\owner@questionmarket[2].txt

00207338 Cookie/Target TrackingCookie No 0 Yes No c:\documents and settings\owner\cookies\owner@target[1].txt

00213030 application/regclean32 HackTools No 0 Yes No hkey_current_user\software\registry cleaner

00213030 application/regclean32 HackTools No 0 Yes No c:\documents and settings\owner\application data\registry cleaner

00262020 Cookie/Atwola TrackingCookie No 0 Yes No c:\documents and settings\owner\cookies\owner@atwola[1].txt

00966839 Spyware/Virtumonde Spyware No 1 Yes No c:\program files\viewpoint\viewpoint experience technology\newcomponents\swfview.dll

02885963 Rootkit/Booto.C Virus/Worm No 0 Yes Yes c:\system volume information\_restore{f845e3db-f751-4be4-a620-64f2ca1bfb5f}\rp2\a0000170.sys

02885963 Rootkit/Booto.C Virus/Worm No 0 Yes Yes c:\system volume information\_restore{f845e3db-f751-4be4-a620-64f2ca1bfb5f}\rp3\a0000292.sys

03074964 Trj/CI.A Virus/Trojan No 0 Yes No c:\system volume information\_restore{f845e3db-f751-4be4-a620-64f2ca1bfb5f}\rp3\a0000385.exe

03074964 Trj/CI.A Virus/Trojan No 0 No No c:\system volume information\_restore{f845e3db-f751-4be4-a620-64f2ca1bfb5f}\rp2\a0000140.exe[32788r22fwjfw\exereg.exe]

03074964 Trj/CI.A Virus/Trojan No 0 No No c:\system volume information\_restore{f845e3db-f751-4be4-a620-64f2ca1bfb5f}\rp3\a0000259.exe[32788r22fwjfw\exereg.exe]

03074964 Trj/CI.A Virus/Trojan No 0 No No c:\documents and settings\owner\desktop\sandek1.exe[32788r22fwjfw\exereg.exe]

;===================================================================================================================================================================================

SUSPECTS

Sent Location

;===================================================================================================================================================================================

;===================================================================================================================================================================================

VULNERABILITIES

Id Severity Description

;===================================================================================================================================================================================

;===================================================================================================================================================================================

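The Panda log above mixes four very different kinds of hit on one list: tracking cookies, registry keys, files still present on the running system, and detections inside System Restore snapshots under System Volume Information, which are inert copies of earlier infections rather than anything currently loading. Sorting those apart is the first thing a reviewer does before deciding what still needs cleaning, and it is why the helper can read a log with "MALWARE: 18" and call it good shape. The parser below is an added example for this page, not Panda's or the thread's code; the sample lines are copied from the posted log, and the class names are my own labels.

```python
import re

# Sample lines copied from the Panda ActiveScan log posted above (not the whole log).
SAMPLE_PANDA = r"""
00139059 Cookie/Traffic Marketplace TrackingCookie No 0 Yes No c:\documents and settings\owner\cookies\owner@trafficmp[2].txt
00213030 application/regclean32 HackTools No 0 Yes No hkey_current_user\software\registry cleaner
00966839 Spyware/Virtumonde Spyware No 1 Yes No c:\program files\viewpoint\viewpoint experience technology\newcomponents\swfview.dll
02885963 Rootkit/Booto.C Virus/Worm No 0 Yes Yes c:\system volume information\_restore{f845e3db-f751-4be4-a620-64f2ca1bfb5f}\rp2\a0000170.sys
03074964 Trj/CI.A Virus/Trojan No 0 No No c:\documents and settings\owner\desktop\sandek1.exe[32788r22fwjfw\exereg.exe]
"""

# The five fixed columns that sit between the free-text description and the location.
FIELDS = ("type", "active", "severity", "disinfectable", "disinfected")


def classify(entry):
    """Bucket a detection by where it lives, so the live ones stand out."""
    loc = entry["location"].lower()
    if entry["type"] == "TrackingCookie":
        return "tracking_cookie"
    if "\\system volume information\\" in loc:
        return "restore_point"          # snapshot copy, not something that runs
    if loc.startswith("hkey_"):
        return "registry_key"
    # "file.exe[inner\path]" is a hit inside an archive or container, not a loose file.
    if "[" in loc and "\\" in loc.split("[", 1)[1]:
        return "archive_member"
    return "live_file"


def parse_line(line):
    """Split one log line; descriptions and locations both contain spaces,
    so anchor on the first token that looks like a path or registry hive."""
    tokens = line.split()
    loc_idx = next(i for i, t in enumerate(tokens)
                   if re.match(r"[a-z]:\\|hkey_", t, re.I))
    entry = {
        "id": tokens[0],
        "description": " ".join(tokens[1:loc_idx - 5]),
        "location": " ".join(tokens[loc_idx:]),
    }
    entry.update(zip(FIELDS, tokens[loc_idx - 5:loc_idx]))
    entry["severity"] = int(entry["severity"])
    entry["class"] = classify(entry)
    return entry


def parse_panda(text):
    """Parse every MALWARE row (lines that start with the 8-digit id)."""
    return [parse_line(l) for l in text.splitlines() if re.match(r"\d{8}\s", l)]


def needs_attention(entries):
    """Detections still on the live system: not cookies, not restore-point copies."""
    return [e for e in entries if e["class"] not in ("tracking_cookie", "restore_point")]


if __name__ == "__main__":
    entries = parse_panda(SAMPLE_PANDA)
    for e in needs_attention(entries):
        print(f"{e['class']:15} sev={e['severity']} {e['description']:25} {e['location']}")
```

On the full log this leaves the Viewpoint swfview.dll, the "registry cleaner" key and folder, and the bracketed archive hit on the desktop as the items actually worth a decision; the two Booto.C rootkit drivers and the CI.A trojans under _restore{...} go away with the old restore points, which is what the later "set a clean restore point" step in this thread does.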

And Finally, my HJT log:

 

Logfile of Trend Micro HijackThis v2.0.2

Scan saved at 6:21:01 AM, on 10/29/2009

Platform: Windows XP SP3 (WinNT 5.01.2600)

MSIE: Internet Explorer v7.00 (7.00.6000.16915)

Boot mode: Normal

 

Running processes:

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\system32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\Explorer.EXE

C:\WINDOWS\system32\spoolsv.exe

C:\Updater.exe

C:\Program Files\Digital Media Reader\shwiconem.exe

C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe

C:\Program Files\Unlocker\UnlockerAssistant.exe

C:\Program Files\McAfee.com\Agent\mcagent.exe

C:\Program Files\Canon\MyPrinter\BJMyPrt.exe

C:\WINDOWS\system32\ctfmon.exe

C:\Program Files\Palm\Hotsync.exe

C:\Program Files\Java\jre6\bin\jqs.exe

C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe

c:\program files\common files\mcafee\mna\mcnasvc.exe

c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe

C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe

C:\Program Files\McAfee\MPF\MPFSrv.exe

C:\WINDOWS\system32\nvsvc32.exe

C:\Program Files\Common Files\New Boundary\PrismXL\PRISMXL.SYS

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe

C:\Program Files\Internet Explorer\IEXPLORE.EXE

C:\Documents and Settings\Owner\Desktop\HijackThis.exe

 

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.ezanga.com/

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157

R3 - URLSearchHook: Swag Bucks Toolbar - {8bdea9d6-6f62-45eb-8ee9-8a81af0d2f94} - C:\Program Files\Swag_Bucks\tbSwag.dll

O2 - BHO: (no name) - {02478D38-C3F9-4efb-9B51-7695ECA05670} - (no file)

O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll

O2 - BHO: scriptproxy - {7DB2D5A0-7241-4E79-B68D-6309F01C5231} - C:\Program Files\McAfee\VirusScan\scriptsn.dll

O2 - BHO: (no name) - {A2234B15-23F2-42AD-F4E4-00AAC39C0004} - (no file)

O2 - BHO: Java Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll

O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll

O3 - Toolbar: &RoboForm - {724d43a0-0d85-11d4-9908-00400523e39a} - C:\Program Files\Siber Systems\AI RoboForm\roboform.dll

O3 - Toolbar: Swag Bucks Toolbar - {8bdea9d6-6f62-45eb-8ee9-8a81af0d2f94} - C:\Program Files\Swag_Bucks\tbSwag.dll

O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime

O4 - HKLM\..\Run: [iRiver Updater] \Updater.exe

O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup

O4 - HKLM\..\Run: [sunKistEM] C:\Program Files\Digital Media Reader\shwiconem.exe

O4 - HKLM\..\Run: [RemoteControl] "C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe"

O4 - HKLM\..\Run: [Recguard] C:\WINDOWS\SMINST\RECGUARD.EXE

O4 - HKLM\..\Run: [nwiz] nwiz.exe /install

O4 - HKLM\..\Run: [NVMixerTray] "C:\Program Files\NVIDIA Corporation\NvMixer\NVMixerTray.exe"

O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe

O4 - HKLM\..\Run: [EPSON Stylus CX4800 Series] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_FATIADA.EXE /P26 "EPSON Stylus CX4800 Series" /O6 "USB001" /M "Stylus CX4800"

O4 - HKLM\..\Run: [unlockerAssistant] "C:\Program Files\Unlocker\UnlockerAssistant.exe" -H

O4 - HKLM\..\Run: [mcagent_exe] "C:\Program Files\McAfee.com\Agent\mcagent.exe" /runkey

O4 - HKLM\..\Run: [CanonMyPrinter] C:\Program Files\Canon\MyPrinter\BJMyPrt.exe /logon

O4 - HKLM\..\Run: [Adobe ARM] "C:\Program Files\Common Files\Adobe\ARM\1.0\AdobeARM.exe"

O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe

O4 - Startup: HotSync Manager.LNK = C:\Program Files\Palm\Hotsync.exe

O4 - Global Startup: HOTSYNCSHORTCUTNAME.lnk = C:\Program Files\Palm\Hotsync.exe

O8 - Extra context menu item: Customize Menu - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComCustomizeIEMenu.html

O8 - Extra context menu item: Fill Forms - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComFillForms.html

O8 - Extra context menu item: Lookup on Merriam Webster - file://C:\Program Files\ieSpell\Merriam Webster.HTM

O8 - Extra context menu item: Lookup on Wikipedia - file://C:\Program Files\ieSpell\wikipedia.HTM

O8 - Extra context menu item: RoboForm Toolbar - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComShowToolbar.html

O8 - Extra context menu item: Save Forms - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComSavePass.html

O9 - Extra button: Fill Forms - {320AF880-6646-11D3-ABEE-C5DBF3571F46} - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComFillForms.html

O9 - Extra 'Tools' menuitem: Fill Forms - {320AF880-6646-11D3-ABEE-C5DBF3571F46} - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComFillForms.html

O9 - Extra button: Save - {320AF880-6646-11D3-ABEE-C5DBF3571F49} - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComSavePass.html

O9 - Extra 'Tools' menuitem: Save Forms - {320AF880-6646-11D3-ABEE-C5DBF3571F49} - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComSavePass.html

O9 - Extra button: RoboForm - {724d43aa-0d85-11d4-9908-00400523e39a} - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComShowToolbar.html

O9 - Extra 'Tools' menuitem: RoboForm Toolbar - {724d43aa-0d85-11d4-9908-00400523e39a} - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComShowToolbar.html

O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll

O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe

O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe

O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe

O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe

O9 - Extra button: VIP Casino - {3B501CBC-D009-4DAB-ADAF-B882F2F0A447} - C:\Documents and Settings\Owner\Desktop\VIP Casino.lnk (file missing) (HKCU)

O9 - Extra 'Tools' menuitem: VIP Casino - {3B501CBC-D009-4DAB-ADAF-B882F2F0A447} - C:\Documents and Settings\Owner\Desktop\VIP Casino.lnk (file missing) (HKCU)

O15 - Trusted Zone: http://*.mcafee.com

O16 - DPF: {05CA9FB0-3E3E-4B36-BF41-0E3A5CAA8CD8} (Office Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=58813

O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204

O16 - DPF: {3DC2E31C-371A-4BD3-9A27-CDF57CE604CF} (MSN Money Charting) - http://moneycentral.msn.com/cabs/pmupd806.exe

O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} (McAfee.com Operating System Class) - http://download.mcafee.com/molbin/shared/m...01/mcinsctl.cab

O16 - DPF: {9191F686-7F0A-441D-8A98-2FE3AC1BD913} (ActiveScan 2.0 Installer Class) - http://acs.pandasoftware.com/activescan/cabs/as2stubie.cab

O16 - DPF: {BCC0FF27-31D9-4614-A68E-C18E1ADA4389} (DwnldGroupMgr Class) - http://download.mcafee.com/molbin/shared/m...,26/mcgdmgr.cab

O16 - DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - http://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab

O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe

O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe

O23 - Service: McAfee Services (mcmscsvc) - McAfee, Inc. - C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe

O23 - Service: McAfee Network Agent (McNASvc) - McAfee, Inc. - c:\program files\common files\mcafee\mna\mcnasvc.exe

O23 - Service: McAfee Scanner (McODS) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcods.exe

O23 - Service: McAfee Proxy Service (McProxy) - McAfee, Inc. - c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe

O23 - Service: McAfee Real-time Scanner (McShield) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe

O23 - Service: McAfee SystemGuards (McSysmon) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe

O23 - Service: McAfee Personal Firewall Service (MpfService) - McAfee, Inc. - C:\Program Files\McAfee\MPF\MPFSrv.exe

O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe

O23 - Service: PrismXL - New Boundary Technologies, Inc. - C:\Program Files\Common Files\New Boundary\PrismXL\PRISMXL.SYS

 

--

End of file - 9212 bytes


Welcome back

 

 

That scan actually came back in good shape.

 

 

*****

 

Open HijackThis, Click Do a system scan only, checkmark these. Then close all other windows and browsers except HijackThis and press fix checked.

 

O2 - BHO: (no name) - {02478D38-C3F9-4efb-9B51-7695ECA05670} - (no file)

O2 - BHO: (no name) - {A2234B15-23F2-42AD-F4E4-00AAC39C0004} - (no file)

 

 

Reboot.

 

 

From what I see we're ready for closing and preventive tips?


Hi Juliet! I am so happy that we are almost done with this. You have helped me more than I can say, not to mention the money I saved on being able to do this instead of taking my PC to someone to work on.

 

I remover the last 2 items as you suggested and am ready to start the preventative tips. I would like to cancel my McAfee subscription and go with free programs if you think that would be wise, since McAfee failed to catch this and reported nothing afterwards, when I perfomed scans. I am open to your suggestions.

 

Thanks Again,

Kathy :clap:


Welcome back Kathy, glad we could help.

An antivirus can't do it all. That's why we suggest a layered approach to secure a computer.

I'll list the free choices and you can make a decision what to do.

Let's uninstall Combofix first.

Don't miss or skip this next step; this will remove malicious files from quarantine and set a clean restore point.

Go to Start > Run > copy and paste the full text path in the run box:

Start > Run and type in ComboFix /Uninstall

Note the space between the x and the /u; it needs to be there.

Let me know if you receive any error messages.

 

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

 

 

I can give you links to free Antivirus and Firewall programs which are used by very many.

What you'll probably have to do is experiment somewhat to find one that runs well on your machine.

For antivirus, you might want to try out the freeware Antivirus -

Avira

Here is the support and home page.

http://www.free-av.com/en/documentation/index.html

Avast!

How to Install, Configure, and Use Avast Antivirus

AVG Free,

http://free.grisoft.com/doc/downloads?prd=aff

This is a very useful read:

http://grandstreamdreams.blogspot.com/2008...-version-8.html

Never install more than one antivirus scanner or firewall on your system.

 

 

 

 

You're good to go, good job!

 

 

Please take the time to read over a few of my preventive tips.

 

 

Please navigate to Microsoft Windows Updates and download all the "Critical Updates" for Windows.

 

 

Firefox 3

The award-winning Web browser is now faster, more secure, and fully customizable to your online life. Firefox 3 added powerful new features that make your online experience even better. It has more features and is a lot more secure than IE. It is a very easy and painless download and install; it will in no way interfere with IE, and you can use them both.

*NoScript - Addon for Firefox that stops all scripts from running on websites. Stops malicious software from invading via Flash, Java, JavaScript, and many other entry points.

WOT Web of Trust warns you about risky websites that try to scam visitors, deliver malware or send spam. Protect your computer against online threats by using WOT as your front-line layer of protection when browsing or searching in unfamiliar territory. WOT's color-coded icons show you ratings for 21 million websites - green to go, yellow for caution and red to stop, helping you avoid the dangerous sites. WOT has an addon available for both Firefox and IE.

 

How to prevent Malware: Created by Miekiemoes

 

Here are some additional utilities that will further enhance your safety.

# http://www.trillian.cc → Trillian or http://www.miranda-im.com → Miranda-IM - These are Malware free Instant Messenger programs which allow you to connect to multiple IM services in one program! (AOL, Yahoo, ICQ, IRC, MSN)

 

Scan your computer regularly for malware

Scan on a regular basis to keep your computer clean with free software such as Malwarebytes Anti-Malware (MBAM) and SUPERAntiSpyware.

Please note that these products can also be run free, without a licence, as on-demand scanners.

 

Backup regularly

 

You never know when your PC will become unstable or become so infected that you can't recover it. Follow this Microsoft article to learn how to backup. Follow this article by Microsoft to restore your backups.

 

Alternatively, you can use 3rd-party programs to back up your data. One example can be found at Bleeping Computer.

 

Avoid P2P

 

P2P may be a great way to get lots of stuff, but it is a great way to get infected as well. There's no way to tell if the file being shared is infected. Worse still, some worms spread via P2P networks, infecting you as well. If you do need to use them, use them sparingly. Check this list of clean and infected P2P programs if you need to use one.

 

Please read this article 'Safe Computing Practices'.

So how did I get infected in the first place?

 

Secure My Computer: A Layered Approach

 

Strong passwords: How to create and use them

 

Free Antivirus-AntiSpyware-Firewall Software

 

Keep a backup of your important files - Now, more than ever, it's especially important to protect your digital files and memories. This article is full of good information on alternatives for home backup solutions.

 

Slow Computer May Not Be Malware Related, Help! My computer is slow!

http://users.telenet.be/bluepatchy/miekiem...owcomputer.html

 

 

PC Safety and Security--What Do I Need?

http://www.techsupportforum.com/security-c...-do-i-need.html

 

Stand Up and Be Counted ---> Malware Complaints <--- where you can make difference!

This site offers people who have been (or are) victims of malware the opportunity to document their story.

 

Extra note:

Make sure your programs are up to date - because older versions may contain Security Leaks. To find out what programs need to be updated, please run the Secunia Software Inspector Scan. http://secunia.com/software_inspector/


This is great info, Juliet. Thanks again. I will work through these steps and check out your recommendations this weekend and keep you posted. Your help is greatly appreciated, as is PC Pitstop! :tup:


That's my fault because we renamed it. :P

Search for and delete, then verify the C:\Qoobox and C:\ComboFix folders were removed, as well as the C:\ComboFix.txt file.

c:\documents and settings\Owner\Desktop\sandek1.exe

Go to Start >> Run - type control sysdm.cpl,,4 & press Enter

* Tick on the checkbox - Turn off System Restore on all drives

* Click Apply

Turn it back 'On' by unticking the same checkbox & click OK

See if that works.

Edited by Juliet


That's my fault because we renamed it. :P

Search for and delete, then verify the C:\Qoobox and C:\ComboFix folders were removed, as well as the C:\ComboFix.txt file.

c:\documents and settings\Owner\Desktop\sandek1.exe

Go to Start >> Run - type control sysdm.cpl,,4 & press Enter

* Tick on the checkbox - Turn off System Restore on all drives

* Click Apply

Turn it back 'On' by unticking the same checkbox & click OK

See if that works.

That seemed to do the trick! I am still working on making choices for securing my machine and trying out Firefox too. I will keep you posted. Hope you had a Happy Halloween! Thanks again. Kathy :clap:
