Jump to content


 


Register a free account to unlock additional features at BleepingComputer.com
Welcome to BleepingComputer, a free community where people like yourself come together to discuss and learn how to use their computers. Using the site is easy and fun. As a guest, you can browse and view the various discussions in the forums, but can not create a new topic or reply to an existing one unless you are logged in. Other benefits of registering an account are subscribing to topics and forums, creating a blog, and having no ads shown anywhere on the site.


Click here to Register a free account now! or read our Welcome Guide to learn how to use this site.

Photo

Infected With Vundo


  • This topic is locked This topic is locked
6 replies to this topic

#1 deeceepee

deeceepee

  • Members
  • 3 posts
  • OFFLINE
  •  
  • Local time:12:21 AM

Posted 18 May 2008 - 09:01 PM

Deckard's System Scanner v20071014.68
Run by david on 2008-05-19 11:07:19
Computer is in Normal Mode.
--------------------------------------------------------------------------------

-- System Restore --------------------------------------------------------------

System Restore is disabled; attempting to re-enable...success.


-- Last 1 Restore Point(s) --
1: 2008-05-19 01:37:29 UTC - RP1 - System Checkpoint


Backed up registry hives.
Performed disk cleanup.

Total Physical Memory: 480 MiB (512 MiB recommended).


-- HijackThis (run as david.exe) -----------------------------------------------

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 11:11:23 AM, on 19/05/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16640)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\Program Files\NETGEAR\WG311v3\WinDomainlogon.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Network Associates\Common Framework\FrameworkService.exe
C:\Program Files\Network Associates\VirusScan\Mcshield.exe
C:\PROGRA~1\NETWOR~1\COMMON~1\naPrdMgr.exe
C:\Program Files\Network Associates\VirusScan\VsTskMgr.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe
C:\Program Files\NETGEAR\WG311v3\WinDomainlogon.exe
C:\WINDOWS\System32\alg.exe
C:\Program Files\Network Associates\VirusScan\SHSTAT.EXE
C:\Program Files\Network Associates\Common Framework\UpdaterUI.exe
C:\Program Files\Common Files\Network Associates\TalkBack\TBMon.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\PowerISO\PWRISOVM.EXE
C:\Program Files\Google\Google Desktop Search\GoogleDesktopIndex.exe
C:\Program Files\Webroot\Spy Sweeper\SpySweeperUI.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Adobe\Acrobat 6.0\Distillr\acrotray.exe
C:\Program Files\NETGEAR\WG311v3\wlancfg5.exe
C:\Program Files\Webroot\Spy Sweeper\SSU.EXE
C:\WINDOWS\Explorer.exe
C:\Documents and Settings\david\Desktop\dss.exe
C:\PROGRA~1\TRENDM~1\HIJACK~1\david.exe
C:\WINDOWS\system32\wbem\wmiprvse.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://google.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://global.acer.com/
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {37508CD4-64E0-4C0F-BFBD-FC6292C967BA} - C:\WINDOWS\system32\byXOefDu.dll
O2 - BHO: Ipswitch.WsftpBrowserHelper - {601ED020-FB6C-11D3-87D8-0050DA59922B} - C:\Program Files\Ipswitch\WS_FTP Home\wsbho2k0.dll
O2 - BHO: AcroIEToolbarHelper Class - {AE7CD045-E861-484f-8273-0445EE161910} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll
O4 - HKLM\..\Run: [ShStatEXE] "C:\Program Files\Network Associates\VirusScan\SHSTAT.EXE" /STANDALONE
O4 - HKLM\..\Run: [McAfeeUpdaterUI] "C:\Program Files\Network Associates\Common Framework\UpdaterUI.exe" /StartedFromRunKey
O4 - HKLM\..\Run: [Network Associates Error Reporting Service] "C:\Program Files\Common Files\Network Associates\TalkBack\TBMon.exe"
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [Google Desktop Search] "C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe" /startup
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [PWRISOVM.EXE] "C:\Program Files\PowerISO\PWRISOVM.EXE"
O4 - HKLM\..\Run: [320d18a1] rundll32.exe "C:\WINDOWS\system32\okbdpicq.dll",b
O4 - HKLM\..\Run: [BM313e2b3d] Rundll32.exe "C:\WINDOWS\system32\oereelmm.dll",s
O4 - HKLM\..\Run: [SpySweeper] "C:\Program Files\Webroot\Spy Sweeper\SpySweeperUI.exe" /startintray
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O4 - Startup: BlackBerry Desktop Redirector.lnk = C:\Program Files\Research In Motion\BlackBerry\Redirector.exe
O4 - Startup: Desktop Manager.lnk = C:\Program Files\Research In Motion\BlackBerry\DesktopMgr.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Adobe Gamma Loader.exe.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Acrobat Assistant.lnk = C:\Program Files\Adobe\Acrobat 6.0\Distillr\acrotray.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: NETGEAR WG311v3 Smart Wizard.lnk = ?
O8 - Extra context menu item: Google AdSense Preview Tool - http://pagead2.googlesyndication.com/pagea...en/preview.html
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {493ACF15-5CD9-4474-82A6-91670C3DD66E} (LinkedIn ContactFinderControl) - http://www.linkedin.com/cab/LinkedInContactFinderControl.cab
O16 - DPF: {68A2C3BD-7809-11D3-8ACF-0050046F2F9A} (AXELPlayer Class) - http://www.mindavenue.com/Downloads/AXELPlayerAX_Win32.cab
O16 - DPF: {D6E0B119-DCF2-4CD6-8DFB-7CFF1B70F7FF} (TeamOn Import Object) - https://bis.ap.blackberry.com/html/web/clie...ls/TOImport.cab
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = kpc.local
O17 - HKLM\Software\..\Telephony: DomainName = kpc.local
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = kpc.local
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: Domain = kpc.local
O20 - AppInit_DLLs: C:\PROGRA~1\Google\GOOGLE~1\GOEC62~1.DLL
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: Adobe LM Service - Unknown owner - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1150\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Macromedia Licensing Service - Unknown owner - C:\Program Files\Common Files\Macromedia Shared\Service\Macromedia Licensing.exe
O23 - Service: McAfee Framework Service (McAfeeFramework) - Network Associates, Inc. - C:\Program Files\Network Associates\Common Framework\FrameworkService.exe
O23 - Service: Network Associates McShield (McShield) - Network Associates, Inc. - C:\Program Files\Network Associates\VirusScan\Mcshield.exe
O23 - Service: Network Associates Task Manager (McTaskManager) - Network Associates, Inc. - C:\Program Files\Network Associates\VirusScan\VsTskMgr.exe
O23 - Service: Webroot Spy Sweeper Engine (WebrootSpySweeperService) - Webroot Software, Inc. - C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe

--
End of file - 8365 bytes

-- File Associations -----------------------------------------------------------

.js - unable to read key
.js - unable to read key
.txt - unable to read key
.txt - unable to read key


-- Drivers: 0-Boot, 1-System, 2-Auto, 3-Demand, 4-Disabled ---------------------

R0 SSFS0509 (Spy Sweeper File System Filer Driver: 0509) - c:\windows\system32\drivers\ssfs0509.sys <Not Verified; Webroot Software Inc (www.webroot.com); Spy Sweeper SDK>
R1 NaiAvTdi1 - c:\windows\system32\drivers\mvstdi5x.sys <Not Verified; Network Associates, Inc.; VirusScan (Enterprise, ASaP & Retail.)>
R1 SCDEmu - c:\windows\system32\drivers\scdemu.sys <Not Verified; PowerISO Computing, Inc.; scdemu>
R2 PAR1284 - c:\windows\system32\drivers\par1284.sys <Not Verified; Warp Nine Engineering; IEEE 1284 Driver>
R2 PPNT - c:\windows\system32\drivers\ppnt.sys <Not Verified; Corex Technologies Corp.; CardScan>
R3 EntDrv51 - c:\windows\system32\drivers\entdrv51.sys <Not Verified; Network Associates, Inc; Virus Scan Enterprise, Entercept>
R3 NaiAvFilter1 - c:\windows\system32\drivers\naiavf5x.sys <Not Verified; Network Associates, Inc.; VirusScan (Enterprise, ASaP & Retail.)>


-- Services: 0-Boot, 1-System, 2-Auto, 3-Demand, 4-Disabled --------------------

R2 McAfeeFramework (McAfee Framework Service) - c:\program files\network associates\common framework\frameworkservice.exe /servicestart <Not Verified; Network Associates, Inc.; McAfee Common Framework>
R2 McTaskManager (Network Associates Task Manager) - "c:\program files\network associates\virusscan\vstskmgr.exe" <Not Verified; Network Associates, Inc.; VirusScan Enterprise>


-- Device Manager: Disabled ----------------------------------------------------

Class GUID: {4D36E97E-E325-11CE-BFC1-08002BE10318}
Description: Video Controller (VGA Compatible)
Device ID: PCI\VEN_1039&DEV_6330&SUBSYS_0C5D105B&REV_00\4&1AFFAA3D&0&0008
Manufacturer:
Name: Video Controller (VGA Compatible)
PNP Device ID: PCI\VEN_1039&DEV_6330&SUBSYS_0C5D105B&REV_00\4&1AFFAA3D&0&0008
Service:

Class GUID: {4D36E97E-E325-11CE-BFC1-08002BE10318}
Description: Multimedia Audio Controller
Device ID: PCI\VEN_1039&DEV_7012&SUBSYS_0C5D105B&REV_A0\3&61AAA01&0&17
Manufacturer:
Name: Multimedia Audio Controller
PNP Device ID: PCI\VEN_1039&DEV_7012&SUBSYS_0C5D105B&REV_A0\3&61AAA01&0&17
Service:


-- Scheduled Tasks -------------------------------------------------------------

2008-05-16 13:38:16 284 --a------ C:\WINDOWS\Tasks\AppleSoftwareUpdate.job
2008-05-06 13:26:20 406 --a------ C:\WINDOWS\Tasks\Pareto UNS.job


-- Files created between 2008-04-19 and 2008-05-19 -----------------------------

2008-05-19 11:09:59 0 d-------- C:\Program Files\Trend Micro
2008-05-19 11:06:49 0 d-------- \Deckard
2008-05-19 10:50:11 0 d-------- C:\Program Files\Adware Away
2008-05-19 10:46:43 0 --a------ C:\WINDOWS\nsreg.dat
2008-05-19 10:46:19 0 d-------- C:\Documents and Settings\david\Application Data\Mozilla
2008-05-19 10:08:10 0 d-------- C:\WINDOWS\LastGood
2008-05-19 10:02:45 0 d-------- C:\Program Files\Enigma Software Group
2008-05-19 08:57:15 25460 --a------ C:\WINDOWS\system32\qenishmj.dll
2008-05-19 08:54:16 2112 --a------ C:\WINDOWS\system32\fvqddkkd.exe
2008-05-19 08:51:26 92736 --a------ C:\WINDOWS\system32\okbdpicq.dll
2008-05-19 08:51:12 98880 --a------ C:\WINDOWS\system32\oereelmm.dll
2008-05-19 08:48:10 3648 --a------ C:\WINDOWS\system32\odrpfcou.dll
2008-05-17 11:18:52 2112 --a------ C:\WINDOWS\system32\jylffamb.exe
2008-05-17 11:18:31 31140 --a------ C:\WINDOWS\system32\chpfehjf.dll
2008-05-17 10:53:55 96832 --a------ C:\WINDOWS\system32\hslcwekf.dll
2008-05-17 10:50:53 3648 --a------ C:\WINDOWS\system32\udtdgtnb.dll
2008-05-16 10:59:55 2112 --a------ C:\WINDOWS\system32\vlhiwsud.exe
2008-05-16 10:53:52 29596 --a------ C:\WINDOWS\system32\wnbijhjc.dll
2008-05-16 10:50:52 99904 --a------ C:\WINDOWS\system32\ewetlaea.dll
2008-05-16 10:47:52 3648 --a------ C:\WINDOWS\system32\mlnvytrr.dll
2008-05-15 10:49:52 29596 --a------ C:\WINDOWS\system32\jcvyouyd.dll
2008-05-15 10:47:57 2112 --a------ C:\WINDOWS\system32\wtengnyj.exe
2008-05-15 10:47:14 96832 --a------ C:\WINDOWS\system32\gvwjugke.dll
2008-05-15 10:47:06 3648 --a------ C:\WINDOWS\system32\qjehouqo.dll
2008-05-14 10:54:05 31016 --a------ C:\WINDOWS\system32\imqbbujg.dll
2008-05-14 10:51:19 2112 --a------ C:\WINDOWS\system32\beilbthq.exe
2008-05-14 10:48:08 100928 --a------ C:\WINDOWS\system32\ilokmaax.dll
2008-05-14 10:48:06 3648 --a------ C:\WINDOWS\system32\irqhjwpa.dll
2008-05-13 09:46:40 2112 --a------ C:\WINDOWS\system32\kxoeubih.exe
2008-05-13 09:46:23 31016 --a------ C:\WINDOWS\system32\vfjwages.dll
2008-05-13 09:43:48 3648 --a------ C:\WINDOWS\system32\bknvpjoq.dll
2008-05-13 09:43:36 100416 --a------ C:\WINDOWS\system32\dhefjlns.dll
2008-05-12 11:19:01 0 d-------- C:\Program Files\Lavasoft
2008-05-12 11:18:59 0 d-------- C:\Documents and Settings\All Users\Application Data\Lavasoft
2008-05-12 11:18:01 0 d-------- C:\Program Files\Common Files\Wise Installation Wizard
2008-05-12 09:48:08 2112 --a------ C:\WINDOWS\system32\pmcknvle.exe
2008-05-12 09:47:13 29596 --a------ C:\WINDOWS\system32\vtmclejp.dll
2008-05-12 09:44:15 98368 --a------ C:\WINDOWS\system32\vkdtfcrw.dll
2008-05-12 08:50:13 26880 --a------ C:\WINDOWS\system32\dquvgabf.dll
2008-05-12 08:47:14 2112 --a------ C:\WINDOWS\system32\lqqqqtip.exe
2008-05-09 14:42:57 29596 --a------ C:\WINDOWS\system32\jnxjkovm.dll
2008-05-09 14:40:22 2112 --a------ C:\WINDOWS\system32\gmlppdlv.exe
2008-05-09 14:39:54 99904 --a------ C:\WINDOWS\system32\jbwghfnx.dll
2008-05-08 14:41:40 2112 --a------ C:\WINDOWS\system32\phyrswjt.exe
2008-05-08 14:39:18 21076 --a------ C:\WINDOWS\system32\sklycjbo.dll
2008-05-08 14:39:09 105024 --a------ C:\WINDOWS\system32\vfdkoiul.dll
2008-05-08 14:23:46 2112 --a------ C:\WINDOWS\system32\hohoawpc.exe
2008-05-08 14:21:00 31016 --a------ C:\WINDOWS\system32\oggnnedb.dll
2008-05-08 14:20:43 105024 --a------ C:\WINDOWS\system32\cbdtmcvm.dll
2008-05-07 15:29:22 0 d-------- C:\Program Files\Common Files\Java
2008-05-07 14:23:37 31016 --a------ C:\WINDOWS\system32\ghxxuexu.dll
2008-05-07 14:23:24 2112 --a------ C:\WINDOWS\system32\lpyqovta.exe
2008-05-07 14:19:51 104512 --a------ C:\WINDOWS\system32\jkmwnhpi.dll
2008-05-06 14:43:48 0 d-------- C:\Documents and Settings\NetworkService\Application Data\Webroot
2008-05-06 14:42:04 0 d--hs---- \FOUND.002
2008-05-06 14:23:16 31016 --a------ C:\WINDOWS\system32\tavnrgan.dll
2008-05-06 14:20:33 96832 --a------ C:\WINDOWS\system32\graoedwy.dll
2008-05-06 13:42:26 0 d-------- \VundoFix Backups
2008-05-06 13:26:12 0 d-------- C:\Documents and Settings\All Users\Application Data\ParetoLogic Anti-Spyware
2008-05-05 14:20:42 26756 --a------ C:\WINDOWS\system32\oupogvxe.dll
2008-05-02 08:47:10 0 d-------- \quarantine
2008-05-02 08:47:03 31016 --a------ C:\WINDOWS\system32\wbxqteta.dll
2008-05-01 15:10:32 0 d-------- C:\Documents and Settings\LocalService\Application Data\Real
2008-05-01 15:09:47 0 d-------- C:\Documents and Settings\LocalService\Application Data\Ipswitch
2008-05-01 15:09:09 0 d--h----- C:\Documents and Settings\LocalService\SendTo
2008-05-01 15:07:58 0 d-------- C:\Documents and Settings\LocalService\Application Data\Identities
2008-05-01 15:05:41 0 dr------- C:\Documents and Settings\LocalService\My Documents
2008-05-01 15:05:30 0 dr------- C:\Documents and Settings\LocalService\Favorites
2008-05-01 15:05:27 0 dr-h----- C:\Documents and Settings\LocalService\Recent
2008-05-01 15:05:26 0 d-------- C:\Documents and Settings\LocalService\Start Menu
2008-05-01 15:05:26 0 d-------- C:\Documents and Settings\LocalService\Desktop
2008-05-01 14:05:23 593909 --ahs---- C:\WINDOWS\system32\uDfeOXyb.ini2
2008-05-01 14:05:09 283136 --a------ C:\WINDOWS\system32\byXOefDu.dll
2008-05-01 13:43:04 0 d-------- C:\Documents and Settings\All Users\Application Data\FLEXnet
2008-05-01 13:11:02 0 d-------- C:\Documents and Settings\david\Application Data\Photo2Sketch
2008-05-01 13:10:16 0 d-------- \Photo Sketch Maker


-- Find3M Report ---------------------------------------------------------------

2008-05-19 09:56:00 754974720 --ahs---- \pagefile.sys
2008-05-15 12:59:04 664 --a------ C:\WINDOWS\system32\d3d9caps.dat
2008-03-26 12:05:24 0 d-------- C:\Program Files\PowerISO
2008-02-20 10:59:40 1901 --a------ C:\WINDOWS\panose.bin


-- Registry Dump ---------------------------------------------------------------

*Note* empty entries & legit default entries are not shown


[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{37508CD4-64E0-4C0F-BFBD-FC6292C967BA}]
01/05/2008 02:05 PM 283136 --a------ C:\WINDOWS\system32\byXOefDu.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ShStatEXE"="C:\Program Files\Network Associates\VirusScan\SHSTAT.exe" [18/08/2004 08:00 AM]
"McAfeeUpdaterUI"="C:\Program Files\Network Associates\Common Framework\UpdaterUI.exe" [06/08/2004 03:50 AM]
"Network Associates Error Reporting Service"="C:\Program Files\Common Files\Network Associates\TalkBack\TBMon.exe" [07/10/2003 09:48 AM]
"TkBellExe"="C:\Program Files\Common Files\Real\Update_OB\realsched.exe" [22/07/2005 10:45 AM]
"Google Desktop Search"="C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe" [18/10/2006 08:50 AM]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [25/10/2006 06:58 PM]
"iTunesHelper"="C:\Program Files\iTunes\iTunesHelper.exe" [30/10/2006 09:36 AM]
"PWRISOVM.EXE"="C:\Program Files\PowerISO\PWRISOVM.EXE" [15/03/2008 10:21 AM]
"320d18a1"="C:\WINDOWS\system32\okbdpicq.dll" [19/05/2008 08:51 AM]
"BM313e2b3d"="C:\WINDOWS\system32\oereelmm.dll" [19/05/2008 08:51 AM]
"SpySweeper"="C:\Program Files\Webroot\Spy Sweeper\SpySweeperUI.exe" [04/01/2008 08:56 PM]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [04/08/2004 12:00 PM]

C:\Documents and Settings\david\Start Menu\Programs\Startup\
BlackBerry Desktop Redirector.lnk - C:\Program Files\Research In Motion\BlackBerry\Redirector.exe [27/08/2006 11:38:52 AM]
Desktop Manager.lnk - C:\Program Files\Research In Motion\BlackBerry\DesktopMgr.exe [27/08/2006 11:38:50 AM]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Microsoft Office.lnk - C:\Program Files\Microsoft Office\Office\OSA9.EXE [21/01/2000 1:15:54 AM]
Adobe Gamma Loader.lnk - C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe [15/07/2005 9:40:40 AM]
Adobe Gamma Loader.exe.lnk - C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe [15/07/2005 9:40:40 AM]
Acrobat Assistant.lnk - C:\Program Files\Adobe\Acrobat 6.0\Distillr\acrotray.exe [15/05/2003 1:19:50 AM]
Adobe Reader Speed Launch.lnk - C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [24/09/2005 3:35:26 PM]
NETGEAR WG311v3 Smart Wizard.lnk - C:\WINDOWS\Installer\{70014586-7BBA-4A92-A610-CDC896C48F8F}\NewShortcut1_1.exe [2/05/2007 2:57:44 PM]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer]
"NoWelcomeScreen"=1 (0x1)

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"appinit_dlls"=C:\PROGRA~1\Google\GOOGLE~1\GOEC62~1.DLL

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
"Authentication Packages"= msv1_0 C:\WINDOWS\system32\byXOefDu

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\aawservice]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WebrootSpySweeperService]
@="Service"

*Newly Created Service* - ENTDRV51
*Newly Created Service* - MCHINJDRV



-- End of Deckard's System Scanner: finished at 2008-05-19 11:14:52 ------------

Deckard's System Scanner v20071014.68
Extra logfile - please post this as an attachment with your post.
--------------------------------------------------------------------------------

-- System Information ----------------------------------------------------------

Microsoft Windows XP Professional (build 2600) SP 2.0
Architecture: X86; Language: English

CPU 0: Intel® Celeron® CPU 2.80GHz
Percentage of Memory in Use: 56%
Physical Memory (total/avail): 479.48 MiB / 210.07 MiB
Pagefile Memory (total/avail): 1122.41 MiB / 706.84 MiB
Virtual Memory (total/avail): 2047.88 MiB / 1920.27 MiB

A: is Removable (No Media)
C: is Fixed (FAT32) - 34.26 GiB total, 10.29 GiB free.
D: is CDROM (No Media)
E: is CDROM (No Media)
K: is Network (NTFS)
M: is Network (NTFS)
P: is Network (NTFS)
S: is Network (NTFS)
T: is Network (NTFS)
U: is Network (NTFS)

\\.\PHYSICALDRIVE0 - ST340014A - 37.27 GiB - 1 partition
\PARTITION0 (bootable) - Unknown - 34.27 GiB - C:



-- Security Center -------------------------------------------------------------

AUOptions is scheduled to auto-install.
Windows Internal Firewall is enabled.

FirstRunDisabled is set.


[HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"C:\\Program Files\\Microsoft Office\\Office\\EXCEL.EXE"="C:\\Program Files\\Microsoft Office\\Office\\EXCEL.EXE:*:Enabled:Microsoft Excel for Windows"
"C:\\WINDOWS\\EXPLORER.EXE"="C:\\WINDOWS\\EXPLORER.EXE:*:Enabled:Windows Explorer"
"C:\\Program Files\\LimeWire\\LimeWire.exe"="C:\\Program Files\\LimeWire\\LimeWire.exe:*:Enabled:LimeWire"
"%windir%\\Network Diagnostic\\xpnetdiag.exe"="%windir%\\Network Diagnostic\\xpnetdiag.exe:*:Enabled:@xpsp3res.dll,-20000"
"C:\\Program Files\\Ipswitch\\WS_FTP Home\\wsftpgui.exe"="C:\\Program Files\\Ipswitch\\WS_FTP Home\\wsftpgui.exe:*:Enabled:WS_FTP Pro Application"
"C:\\StubInstaller.exe"="C:\\StubInstaller.exe:*:Enabled:LimeWire swarmed installer"
"C:\\Program Files\\iTunes\\iTunes.exe"="C:\\Program Files\\iTunes\\iTunes.exe:*:Enabled:iTunes"
"C:\\Program Files\\uTorrent\\utorrent.exe"="C:\\Program Files\\uTorrent\\utorrent.exe:*:Enabled:µTorrent"
"C:\\Program Files\\Bonjour\\mDNSResponder.exe"="C:\\Program Files\\Bonjour\\mDNSResponder.exe:*:Enabled:Bonjour"

[HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"%windir%\\Network Diagnostic\\xpnetdiag.exe"="%windir%\\Network Diagnostic\\xpnetdiag.exe:*:Enabled:@xpsp3res.dll,-20000"
"C:\\Program Files\\IBP 9\\IBP.exe"="C:\\Program Files\\IBP 9\\IBP.exe:*:Enabled:Internet Business Promoter (IBP)"
"C:\\Program Files\\iTunes\\iTunes.exe"="C:\\Program Files\\iTunes\\iTunes.exe:*:Disabled:iTunes"
"C:\\Program Files\\uTorrent\\utorrent.exe"="C:\\Program Files\\uTorrent\\utorrent.exe:*:Enabled:µTorrent"


-- Environment Variables -------------------------------------------------------

ALLUSERSPROFILE=C:\Documents and Settings\All Users
CLASSPATH=.;C:\Program Files\Java\jre1.5.0_09\lib\ext\QTJava.zip
CommonProgramFiles=C:\Program Files\Common Files
COMPUTERNAME=ADMIN
ComSpec=C:\WINDOWS\system32\cmd.exe
FP_NO_HOST_CHECK=NO
LOGONSERVER=\\SERVER
NUMBER_OF_PROCESSORS=1
OS=Windows_NT
Path=C:\WINDOWS\system32;C:\WINDOWS;C:\WINDOWS\system32\WBEM;C:\PROGRA~1\REALWRKS;C:\Program Files\QuickTime\QTSystem\
PATHEXT=.COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH
PROCESSOR_ARCHITECTURE=x86
PROCESSOR_IDENTIFIER=x86 Family 15 Model 4 Stepping 1, GenuineIntel
PROCESSOR_LEVEL=15
PROCESSOR_REVISION=0401
ProgramFiles=C:\Program Files
PROMPT=$P$G
QTJAVA=C:\Program Files\Java\jre1.5.0_09\lib\ext\QTJava.zip
SystemDrive=C:
SystemRoot=C:\WINDOWS
TEMP=C:\WINDOWS\TEMP
TMP=C:\WINDOWS\TEMP
USERPROFILE=C:\Documents and Settings\david
windir=C:\WINDOWS


-- User Profiles ---------------------------------------------------------------

Hana (admin)
Administrator (admin)
admin (admin)
david (admin)
robyn (new local, admin, net ready)
karen (admin)
administrator.KPC (new local, admin, net ready)


-- Add/Remove Programs ---------------------------------------------------------

--> C:\Program Files\Common Files\Real\Update_OB\r1puninst.exe RealNetworks|RealPlayer|6.0
--> C:\Program Files\DivX\ConverterUninstall.exe /CONVERTER
--> C:\WINDOWS\UNINST.EXE -f"C:\Program Files\Adobe\Illustrator 8.0\DeIsL1.isu" -c"C:\Program Files\Adobe\Illustrator 8.0\Uninst.dll"
--> rundll32.exe setupapi.dll,InstallHinfSection DefaultUninstall 132 C:\WINDOWS\INF\PCHealth.inf
Ad-Aware 2007 --> MsiExec.exe /I{DED53B0B-B67C-4244-AE6A-D6FD3C28D1EF}
Adobe Acrobat 6.0 Professional --> MsiExec.exe /I{AC76BA86-1033-0000-7760-000000000001}
Adobe Download Manager 2.0 (Remove Only) --> "C:\Program Files\Common Files\Adobe\ESD\uninst.exe"
Adobe Flash Player 9 ActiveX --> C:\WINDOWS\system32\Macromed\Flash\FlashUtil9b.exe -uninstallDelete
Adobe Flash Player ActiveX --> C:\WINDOWS\system32\Macromed\Flash\uninstall_activeX.exe
Adobe PageMaker 7.0 --> C:\WINDOWS\ISUNINST.EXE -f"C:\Program Files\Adobe\PageMaker 7.0\Uninst.isu" -c"C:\Program Files\Adobe\PageMaker 7.0\Uninst.dll"
Adobe Photoshop 5.5 --> C:\WINDOWS\ISUNINST.EXE -f"C:\Program Files\Adobe\Photoshop 5.5\Uninst.isu" -c"C:\Program Files\Adobe\Photoshop 5.5\Uninst.dll"
Adobe Photoshop CS --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\0701\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{EFB21DE7-8C19-4A88-BB28-A766E16493BC}\setup.exe" -l0x9
Adobe Reader 7.0.8 --> MsiExec.exe /I{AC76BA86-7AD7-1033-7B44-A70000000000}
Adobe Shockwave Player --> C:\WINDOWS\system32\MACROMED\SHOCKW~1\UNWISE.EXE C:\WINDOWS\system32\MACROMED\SHOCKW~1\Install.log
Adware Away v3.1.3 --> "C:\Program Files\Adware Away\unins000.exe"
Amara - Flash Intro and Banner Builder --> "C:\Program Files\Amara - Flash Intro and Banner Builder\uninstall.exe"
Anfy --> C:\PROGRA~1\ANFYTEAM\UNWISE.EXE C:\PROGRA~1\ANFYTEAM\INSTALL.LOG
Apple Software Update --> MsiExec.exe /I{A50C25D7-62E9-4511-AD70-8E2DA5E79B7D}
µTorrent --> "C:\Program Files\uTorrent\uninstall.exe"
AVS Audio Converter version 5.1 --> "C:\Program Files\AVS4YOU\AVSAudioConverter\unins000.exe"
AVS4YOU Software Navigator 1.2 --> "C:\Program Files\AVS4YOU\AVSSoftwareNavigator\unins000.exe"
BlackBerry Desktop Software 4.2 --> MsiExec.exe /I{3B7DAD74-8F16-4AEF-B0CA-4072CB1BF9AA}
BlackBerry Desktop Software 4.2 --> MsiExec.exe /i{3B7DAD74-8F16-4AEF-B0CA-4072CB1BF9AA}
CardScan 6.0.6 --> MsiExec.exe /X{DCB63CEC-C6A3-4963-A5D0-6C03EE0CC08F}
DivX Codec --> C:\Program Files\DivX\DivXCodecUninstall.exe /CODEC
DivX Content Uploader --> C:\Program Files\DivX\DivXContentUploaderUninstall.exe /CUPLOADER
DivX Converter --> C:\Program Files\DivX\ConverterUninstall.exe /CONVERTER
DivX Player --> C:\Program Files\DivX\DivXPlayerUninstall.exe /PLAYER
DivX Web Player --> C:\Program Files\DivX\DivXWebPlayerUninstall.exe /PLUGIN
Google Desktop --> C:\Program Files\Google\Google Desktop Search\GoogleDesktopSetup.exe -uninstall
Hotfix for Windows Media Format 11 SDK (KB929399) --> "C:\WINDOWS\$NtUninstallKB929399$\spuninst\spuninst.exe"
IBP & ARELIS 9.7.1 --> "C:\Program Files\IBP 9\unins000.exe"
intelliScore Polyphonic WAV to MIDI Converter Demo --> C:\Program Files\intelliScore Polyphonic WAV to MIDI Converter Demo\Uninstal.exe
Ipswitch WS_FTP Home --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\09\01\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{11DE2361-9F73-47B3-B638-2F267927E307}\setup.exe" -l0x9
iTunes --> MsiExec.exe /I{446DBFFA-4088-48E3-8932-74316BA4CAE4}
Java™ 6 Update 5 --> MsiExec.exe /I{3248F0A8-6813-11D6-A77B-00B0D0160050}
LimeWire 4.12.11 --> "C:\Program Files\LimeWire\uninstall.exe"
Macromedia Dreamweaver MX 2004 --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{05BB2EC5-6BEF-4DDC-9E75-BEE7B161157A}\Setup.exe" -l0x9 mmUninstall
Macromedia Extension Manager --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{A5BA14E0-7384-11D4-BAE7-00409631A2C8}\setup.exe" -l0x9 mmUninstall
Macromedia Fireworks MX 2004 --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{E583ED6F-BD99-4066-A420-C815BF692B69}\Setup.exe" -l0x9 UNINSTALL
Macromedia Flash MX 2004 --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{2F353D44-73BB-4971-B31D-F7642E9E9531}\Setup.exe" -l0x9 UNINSTALL
Macromedia FreeHand MXa --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{939740B5-0064-4779-854A-8C1086181C05}\Setup.exe" -l0x9 UNINSTALL
McAfee VirusScan Enterprise --> MsiExec.exe /I{5DF3D1BB-894E-4DCD-8275-159AC9829B43}
Microsoft Compression Client Pack 1.0 for Windows XP --> "C:\WINDOWS\$NtUninstallMSCompPackV1$\spuninst\spuninst.exe"
Microsoft Office 2000 SR-1 Professional --> MsiExec.exe /I{00010409-78E1-11D2-B60F-006097C998E7}
Microsoft Office Outlook 2003 --> MsiExec.exe /I{90E00409-6000-11D3-8CFE-0150048383C9}
Microsoft User-Mode Driver Framework Feature Pack 1.0 --> "C:\WINDOWS\$NtUninstallWudf01000$\spuninst\spuninst.exe"
Microsoft Visual C++ 2005 Redistributable --> MsiExec.exe /X{7299052b-02a4-4627-81f2-1818da5d550d}
Mozilla Firefox (2.0.0.14) --> C:\Program Files\Mozilla Firefox\uninstall\helper.exe
MSXML 6.0 Parser (KB933579) --> MsiExec.exe /I{0A869A65-8C94-4F7C-A5C7-972D3C8CED9E}
NETGEAR WG311v3 PCI Adapter --> C:\PROGRA~1\COMMON~1\INSTAL~1\Driver\7\INTEL3~1\IDriver.exe /M{70014586-7BBA-4A92-A610-CDC896C48F8F}
Photo Sketch Maker 1.32 --> "C:\Photo Sketch Maker\unins000.exe"
Picasa 2 --> "C:\Program Files\Picasa2\Uninstall.exe"
PowerISO --> "C:\Program Files\PowerISO\uninstall.exe"
QuickTime --> MsiExec.exe /I{50D8FFDD-90CD-4859-841F-AA1961C7767A}
RealPlayer --> C:\Program Files\Common Files\Real\Update_OB\r1puninst.exe RealNetworks|RealPlayer|6.0
REALworks 1.3 --> C:\PROGRA~1\REALWRKS\UNWISE.EXE C:\PROGRA~1\REALWRKS\INSTALL.LOG
Sothink SWF Easy --> "C:\Program Files\SourceTec\Sothink Glanda 2005\unins000.exe"
Spy Sweeper --> "C:\Program Files\Webroot\Spy Sweeper\unins000.exe"
Windows Media Format 11 runtime --> "C:\WINDOWS\$NtUninstallWMFDist11$\spuninst\spuninst.exe"


-- Application Event Log -------------------------------------------------------

Event Record #/Type5662 / Warning
Event Submitted/Written: 05/19/2008 11:12:51 AM
Event ID/Source: 257 / Alert Manager Event Interface
Event Description:
VirusScan Enterprise: Would be blocked by behaviour blocking rule (rule is currently in warn mode) (warn only mode!).(from ADMIN IP 192.168.0.62 user SYSTEM running VirusScan Enter 8.0 OAS)

Event Record #/Type5661 / Warning
Event Submitted/Written: 05/19/2008 11:12:47 AM
Event ID/Source: 257 / Alert Manager Event Interface
Event Description:
VirusScan Enterprise: Would be blocked by behaviour blocking rule (rule is currently in warn mode) (warn only mode!).(from ADMIN IP 192.168.0.62 user SYSTEM running VirusScan Enter 8.0 OAS)

Event Record #/Type5656 / Error
Event Submitted/Written: 05/19/2008 09:57:33 AM
Event ID/Source: 15 / AutoEnrollment
Event Description:
Automatic certificate enrollment for local system failed to contact the active directory (0x8007054b). The specified domain either does not exist or could not be contacted.
Enrollment will not be performed.

Event Record #/Type5653 / Error
Event Submitted/Written: 05/19/2008 09:56:50 AM
Event ID/Source: 1054 / Userenv
Event Description:
Windows cannot obtain the domain controller name for your computer network. (The specified domain either does not exist or could not be contacted. ). Group Policy processing aborted.

Event Record #/Type5651 / Error
Event Submitted/Written: 05/19/2008 09:56:28 AM
Event ID/Source: 1054 / Userenv
Event Description:
Windows cannot obtain the domain controller name for your computer network. (The specified domain either does not exist or could not be contacted. ). Group Policy processing aborted.



-- Security Event Log ----------------------------------------------------------

No Errors/Warnings found.


-- System Event Log ------------------------------------------------------------

Event Record #/Type64870 / Warning
Event Submitted/Written: 05/19/2008 11:01:49 AM
Event ID/Source: 11191 / DnsApi
Event Description:
The system failed to update and remove pointer (PTR) resource records (RRs)
for network adapter
with settings:


Adapter Name : {9C35D1B0-77B6-4530-8B18-FE186FB4EFEF}

Host Name : admin

Adapter-specific Domain Suffix : kpc.local

DNS server list :

192.168.0.1

Sent update to server : <?>

IP Address : 192.1.1.1


The system could not remove these PTR RRs because because of a system
problem. For specific error code, see the record data displayed below.

Event Record #/Type64869 / Warning
Event Submitted/Written: 05/19/2008 11:01:49 AM
Event ID/Source: 11197 / DnsApi
Event Description:
The system failed to update and remove host (A) resource records (RRs)
for network adapter
with settings:


Adapter Name : {9C35D1B0-77B6-4530-8B18-FE186FB4EFEF}

Host Name : admin

Primary Domain Suffix : kpc.local

DNS server list :

192.168.0.1

Sent update to server : 192.1.1.1

IP Address(es) :

192.168.0.62


The reason the update request failed was because of a system problem.
For specific error code, see the record data displayed below.

Event Record #/Type64865 / Warning
Event Submitted/Written: 05/19/2008 10:44:36 AM
Event ID/Source: 3019 / MRxSmb
Event Description:
The redirector failed to determine the connection type.

Event Record #/Type64864 / Warning
Event Submitted/Written: 05/19/2008 10:44:36 AM
Event ID/Source: 3019 / MRxSmb
Event Description:
The redirector failed to determine the connection type.

Event Record #/Type64856 / Warning
Event Submitted/Written: 05/19/2008 10:02:09 AM
Event ID/Source: 3019 / MRxSmb
Event Description:
The redirector failed to determine the connection type.



-- End of Deckard's System Scanner: finished at 2008-05-19 11:14:52 ------------

:thumbsup: :)

BC AdBot (Login to Remove)

 


#2 Thunder

Thunder

  • Members
  • 3,294 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Belgium
  • Local time:04:51 PM

Posted 19 May 2008 - 07:32 AM

Hello Deeceepee and welcome to BleepingComputer,

1. * Clean your Cache and Cookies in IE:
  • Close all instances of Outlook Express and Internet Explorer
  • Go to Control Panel > Internet Options > General tab
  • Under Browsing History, click Delete.
  • Click Delete Files, Delete cookies and Delete history
  • Click Close below.
* Clean your Cache and Cookies in Firefox (In case you also have Firefox installed):
  • Go to Tools > Options.
  • Click Privacy in the menu..
  • Click the Clear now button below.. A new window will popup what to clear.
  • Select all and click the Clear button again.
  • Click OK to close the Options window
* Clean other Temporary files + Recycle bin
  • Go to start > run and type: cleanmgr and click ok.
  • Let it scan your system for files to remove.
  • Make sure Temporary Files, Temporary Internet Files, and Recycle Bin are the only things checked.
  • Press OK to remove them.
2. Please download Malwarebytes' Anti-Malware from Here or Here

Doubleclick mbam-setup.exe to install the application.
  • Make sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.
  • If an update is found, it will download and install the latest version.
  • Once the program has loaded, select "Perform Quick Scan", then click Scan.
  • The scan may take some time to finish,so please be patient.
  • When the scan is complete, click OK, then Show Results to view the results.
  • Make sure that everything is checked, and click Remove Selected.
  • When disinfection is completed, a log will open in Notepad and you may be prompted to Restart.(See Extra Note)
  • The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
  • Copy&Paste the entire report in your next reply along with a fresh HijackThis log.
Extra Note:
If MBAM encounters a file that is difficult to remove,you will be presented with 1 of 2 prompts,click OK to either and let MBAM proceed with the disinfection process,if asked to restart the computer,please do so immediatly.

3. Please visit this webpage for instructions for downloading and running ComboFix:

http://www.bleepingcomputer.com/combofix/how-to-use-combofix

Please ensure you read this guide carefully and install the Recovery Console first.
The Windows Recovery Console will allow you to boot up into a special recovery mode, in case your computer has a problem after an attempted removal of malware. This allows us to help you .

In the event you already have Combofix, delete your current version and download the latest version as described in the tutorial.
It must be saved directly to your desktop.


Note: Make sure not to click ComboFix's window while it's running. That may cause it to stall or freeze.

Please post the log from ComboFix (can also be found as C:\ComboFix.txt) in your next reply. :thumbsup:

If you have any questions along the way, STOP and ask them before proceeding !!

Greetings,
Thunder
Whatever happens, make believe it was intended to ...
-----------------------------------------------------------------------
Posted Image - If I have helped you in any way, please consider a donation to help me continue the fight against malware.
-----------------------------------------------------------------------
Stand Up & Be Counted --> Posted Image <-- And make a difference

#3 deeceepee

deeceepee
  • Topic Starter

  • Members
  • 3 posts
  • OFFLINE
  •  
  • Local time:12:21 AM

Posted 19 May 2008 - 07:00 PM

Malwarebytes' Anti-Malware 1.12
Database version: 768

Scan type: Quick Scan
Objects scanned: 48316
Time elapsed: 11 minute(s), 13 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 4
Registry Keys Infected: 9
Registry Values Infected: 3
Registry Data Items Infected: 3
Folders Infected: 2
Files Infected: 61

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
C:\WINDOWS\system32\byXOefDu.dll (Trojan.Vundo) -> Unloaded module successfully.
C:\WINDOWS\system32\okbdpicq.dll (Trojan.Vundo) -> Unloaded module successfully.
C:\WINDOWS\system32\ounvvkwf.dll (Trojan.Vundo) -> Unloaded module successfully.
C:\WINDOWS\system32\__c003EA4C.dat (Trojan.Agent) -> Unloaded module successfully.

Registry Keys Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{55f005b7-dfda-4704-93ea-03d203b0ea6f} (Trojan.Vundo) -> Delete on reboot.
HKEY_CLASSES_ROOT\CLSID\{55f005b7-dfda-4704-93ea-03d203b0ea6f} (Trojan.Vundo) -> Delete on reboot.
HKEY_CURRENT_USER\Software\Microsoft\affri (Malware.Trace) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\Software\Microsoft\affltid (Malware.Trace) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\Software\Microsoft\rdfa (Trojan.Vundo) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\affltid (Malware.Trace) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\affri (Malware.Trace) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\FCOVM (Trojan.Vundo) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\adware away v3.1.3_is1 (Rogue.AdwareAway) -> Quarantined and deleted successfully.

Registry Values Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\320d18a1 (Trojan.Vundo) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks\{7f3ea905-de65-4d00-bc1f-ff3a77f8ca30} (Trojan.Vundo) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\BM313e2b3d (Trojan.Agent) -> Delete on reboot.

Registry Data Items Infected:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\LSA\Authentication Packages (Trojan.Vundo) -> Data: c:\windows\system32\byxoefdu -> Delete on reboot.
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\Authentication Packages (Trojan.Vundo) -> Data: c:\windows\system32\byxoefdu -> Delete on reboot.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\AppInit_DLLs (Trojan.Agent) -> Data: c:\windows\system32\__c003ea4c.dat -> Delete on reboot.

Folders Infected:
C:\Program Files\Adware Away (Rogue.AdwareAway) -> Quarantined and deleted successfully.
C:\Documents and Settings\All Users\Start Menu\Programs\Adware Away (Rogue.AdwareAway) -> Quarantined and deleted successfully.

Files Infected:
C:\WINDOWS\system32\graoedwy.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\ywdeoarg.ini (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\byXOefDu.dll (Trojan.Vundo) -> Delete on reboot.
C:\WINDOWS\system32\uDfeOXyb.ini (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\uDfeOXyb.ini2 (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\okbdpicq.dll (Trojan.Vundo) -> Delete on reboot.
C:\WINDOWS\system32\qcipdbko.ini (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\ounvvkwf.dll (Trojan.Vundo) -> Delete on reboot.
C:\WINDOWS\system32\fwkvvnuo.ini (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\odrpfcou.dll (Trojan.AVKiller) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\irqhjwpa.dll (Trojan.AVKiller) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\bknvpjoq.dll (Trojan.AVKiller) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\mlnvytrr.dll (Trojan.AVKiller) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\qjehouqo.dll (Trojan.AVKiller) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\udtdgtnb.dll (Trojan.AVKiller) -> Quarantined and deleted successfully.
C:\Program Files\Adware Away\unins000.dat (Rogue.AdwareAway) -> Quarantined and deleted successfully.
C:\Program Files\Adware Away\unins000.exe (Rogue.AdwareAway) -> Quarantined and deleted successfully.
C:\Program Files\Adware Away\AdAway.exe (Rogue.AdwareAway) -> Quarantined and deleted successfully.
C:\Program Files\Adware Away\AdwareAway.chm (Rogue.AdwareAway) -> Quarantined and deleted successfully.
C:\Program Files\Adware Away\global.dll (Rogue.AdwareAway) -> Quarantined and deleted successfully.
C:\Program Files\Adware Away\AdAway.dll (Rogue.AdwareAway) -> Quarantined and deleted successfully.
C:\Program Files\Adware Away\EProcess.exe (Rogue.AdwareAway) -> Quarantined and deleted successfully.
C:\Program Files\Adware Away\EnumAutoRun.exe (Rogue.AdwareAway) -> Quarantined and deleted successfully.
C:\Program Files\Adware Away\EnumDlls.exe (Rogue.AdwareAway) -> Quarantined and deleted successfully.
C:\Program Files\Adware Away\ScanAtStartup.exe (Rogue.AdwareAway) -> Quarantined and deleted successfully.
C:\Program Files\Adware Away\screenshot.exe (Rogue.AdwareAway) -> Quarantined and deleted successfully.
C:\Program Files\Adware Away\FixDesktopBackground.exe (Rogue.AdwareAway) -> Quarantined and deleted successfully.
C:\Program Files\Adware Away\Update2.exe (Rogue.AdwareAway) -> Quarantined and deleted successfully.
C:\Program Files\Adware Away\overall.log (Rogue.AdwareAway) -> Quarantined and deleted successfully.
C:\Program Files\Adware Away\process.tmp (Rogue.AdwareAway) -> Quarantined and deleted successfully.
C:\Program Files\Adware Away\service.tmp (Rogue.AdwareAway) -> Quarantined and deleted successfully.
C:\Program Files\Adware Away\svchostdll.tmp (Rogue.AdwareAway) -> Quarantined and deleted successfully.
C:\Program Files\Adware Away\lsp.tmp (Rogue.AdwareAway) -> Quarantined and deleted successfully.
C:\Program Files\Adware Away\autorun.tmp (Rogue.AdwareAway) -> Quarantined and deleted successfully.
C:\Program Files\Adware Away\sysrestriction.tmp (Rogue.AdwareAway) -> Quarantined and deleted successfully.
C:\Program Files\Adware Away\iepage.tmp (Rogue.AdwareAway) -> Quarantined and deleted successfully.
C:\Program Files\Adware Away\ieurlprefix.tmp (Rogue.AdwareAway) -> Quarantined and deleted successfully.
C:\Program Files\Adware Away\ieurlsearchhook.tmp (Rogue.AdwareAway) -> Quarantined and deleted successfully.
C:\Program Files\Adware Away\iebhotoolbar.tmp (Rogue.AdwareAway) -> Quarantined and deleted successfully.
C:\Program Files\Adware Away\protocolfilter.tmp (Rogue.AdwareAway) -> Quarantined and deleted successfully.
C:\Program Files\Adware Away\notifydll.tmp (Rogue.AdwareAway) -> Quarantined and deleted successfully.
C:\Program Files\Adware Away\shellextension.tmp (Rogue.AdwareAway) -> Quarantined and deleted successfully.
C:\Program Files\Adware Away\shellextensionhook.tmp (Rogue.AdwareAway) -> Quarantined and deleted successfully.
C:\Program Files\Adware Away\explorerbar.tmp (Rogue.AdwareAway) -> Quarantined and deleted successfully.
C:\Program Files\Adware Away\folderdll.tmp (Rogue.AdwareAway) -> Quarantined and deleted successfully.
C:\Program Files\Adware Away\fa.tmp (Rogue.AdwareAway) -> Quarantined and deleted successfully.
C:\Program Files\Adware Away\uninstall.tmp (Rogue.AdwareAway) -> Quarantined and deleted successfully.
C:\Program Files\Adware Away\ietoolbarbutton.tmp (Rogue.AdwareAway) -> Quarantined and deleted successfully.
C:\Program Files\Adware Away\activex.tmp (Rogue.AdwareAway) -> Quarantined and deleted successfully.
C:\Program Files\Adware Away\proxy.tmp (Rogue.AdwareAway) -> Quarantined and deleted successfully.
C:\Program Files\Adware Away\nameserver.tmp (Rogue.AdwareAway) -> Quarantined and deleted successfully.
C:\Program Files\Adware Away\securitysite.tmp (Rogue.AdwareAway) -> Quarantined and deleted successfully.
C:\Documents and Settings\All Users\Start Menu\Programs\Adware Away\Adware Away.lnk (Rogue.AdwareAway) -> Quarantined and deleted successfully.
C:\Documents and Settings\All Users\Start Menu\Programs\Adware Away\User Manual.lnk (Rogue.AdwareAway) -> Quarantined and deleted successfully.
C:\Documents and Settings\All Users\Start Menu\Programs\Adware Away\Update.lnk (Rogue.AdwareAway) -> Quarantined and deleted successfully.
C:\Documents and Settings\All Users\Start Menu\Programs\Adware Away\Uninstall.lnk (Rogue.AdwareAway) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\qfckqheg.dll (Trojan.Agent) -> Delete on reboot.
C:\WINDOWS\system32\__c003EA4C.dat (Trojan.Agent) -> Delete on reboot.
C:\WINDOWS\system32\jcvyouyd.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\WINDOWS\adaway.lic (Rogue.AdwareAway) -> Quarantined and deleted successfully.
C:\Documents and Settings\david\Desktop\Adware Away.lnk (Rogue.AdwareAway) -> Quarantined and deleted successfully.
:thumbsup:

#4 Orange Blossom

Orange Blossom

    OBleepin Investigator


  • Moderator
  • 36,854 posts
  • OFFLINE
  •  
  • Gender:Not Telling
  • Location:Bloomington, IN
  • Local time:10:51 AM

Posted 21 May 2008 - 10:56 PM

Hello deeceepee,

I have merged your new topic containing the MalwareBytes log to your original HJT log topic. Please keep your replies to this thread by using the Add Reply button found at the bottom right of the topic. Creating new topics confuses things and delays the assistance you receive.

Please be sure to follow ALL of Thunder's directions in post 2 of this thread and ask if you have any questions or problems.

Back to you Thunder.

Orange Blossom :thumbsup:
Help us help you. If HelpBot replies, you MUST follow step 1 in its reply so we know you need help.

Orange Blossom

An ounce of prevention is worth a pound of cure

SpywareBlaster, WinPatrol Plus, ESET Smart Security, Malwarebytes' Anti-Malware, NoScript Firefox ext., Norton noscript

#5 deeceepee

deeceepee
  • Topic Starter

  • Members
  • 3 posts
  • OFFLINE
  •  
  • Local time:12:21 AM

Posted 21 May 2008 - 11:04 PM

Sorry for being so green. Many thanks to you and thunder. You guys are the best. :thumbsup:

#6 Thunder

Thunder

  • Members
  • 3,294 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Belgium
  • Local time:04:51 PM

Posted 22 May 2008 - 02:03 AM

Hello Deeceepee,

Did you run ComboFix as well ?
Can I see the ComboFix log please ?

Greetings,
Thunder
Whatever happens, make believe it was intended to ...
-----------------------------------------------------------------------
Posted Image - If I have helped you in any way, please consider a donation to help me continue the fight against malware.
-----------------------------------------------------------------------
Stand Up & Be Counted --> Posted Image <-- And make a difference

#7 Thunder

Thunder

  • Members
  • 3,294 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Belgium
  • Local time:04:51 PM

Posted 19 June 2008 - 08:07 AM

Since there is no feedback anymore, I assume this issue is resolved ... so, this Topic is closed.
If you need this topic reopened for continuations of existing problems, please request this by sending me a PM with the address of the thread. This applies only to the original topic starter.

Everyone else please begin a New Topic.
Whatever happens, make believe it was intended to ...
-----------------------------------------------------------------------
Posted Image - If I have helped you in any way, please consider a donation to help me continue the fight against malware.
-----------------------------------------------------------------------
Stand Up & Be Counted --> Posted Image <-- And make a difference




0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users