
Tried MalwareBytes..


This topic is locked. 34 replies to this topic.

#1 djay72

Posted 02 December 2008 - 09:54 PM

Mod. edit. For additional information, please read this topic: http://www.bleepingcomputer.com/forums/t/182622/cant-figure-this-one-out/ ~ OB

For about a week and a half my computer has been really slow, and my browser has been redirecting me to various sites (opening a new tab in Firefox). It usually starts by opening a pop-up window to Antivirus 2009; I "x" out of that, but when I come back to my browser another tab is open and running the Antivirus 2009 scan. I have run Malwarebytes, and I find infected files and registry entries; Malwarebytes cleans them, then I reboot, and the computer runs fine till I turn it off... then when I get on later, right back on they are. I am running XP Pro SP1. (Can't seem to download any of the other SPs.) On a side note, I ran RSIT but only get the log? Not sure what that's about. I need to be very careful about certain info... my wife does billing work for Hershey Med and she does some of this work from this computer.
Thanks guys for the help!!!
I am posting both the Malware log and the HJT log. Here's hoping someone can help.

Malware first....

Malwarebytes' Anti-Malware 1.30
Database version: 1417
Windows 5.1.2600 Service Pack 1

12/2/2008 8:58:11 PM
mbam-log-2008-12-02 (20-58-11).txt

Scan type: Quick Scan
Objects scanned: 56512
Time elapsed: 4 minute(s), 4 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 1
Registry Keys Infected: 3
Registry Values Infected: 5
Registry Data Items Infected: 2
Folders Infected: 0
Files Infected: 4

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
c:\WINDOWS\system32\vohohoga.dll (Trojan.BHO) -> Delete on reboot.

Registry Keys Infected:
HKEY_CLASSES_ROOT\CLSID\{ec43e3fd-5c60-46a6-97d7-e0b85dbdd6c4} (Trojan.BHO) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\contim (Trojan.Vundo) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\rdfa (Trojan.Vundo) -> Quarantined and deleted successfully.

Registry Values Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\6cfacc67 (Trojan.Vundo.H) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SharedTaskScheduler\{ec43e3fd-5c60-46a6-97d7-e0b85dbdd6c4} (Trojan.BHO) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\ssodl (Trojan.BHO) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\cpm6fc9fffb (Trojan.Agent) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\gutalukidu (Trojan.Agent) -> Quarantined and deleted successfully.

Registry Data Items Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\AppInit_DLLs (Trojan.BHO) -> Data: c:\windows\system32\vohohoga.dll -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\AppInit_DLLs (Trojan.BHO) -> Data: system32\vohohoga.dll -> Quarantined and deleted successfully.

Folders Infected:
(No malicious items detected)

Files Infected:
C:\WINDOWS\system32\tositiwe.dll (Trojan.Vundo.H) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\ewitisot.ini (Trojan.Vundo.H) -> Quarantined and deleted successfully.
c:\WINDOWS\system32\vohohoga.dll (Trojan.BHO) -> Delete on reboot.
C:\WINDOWS\system32\gobekado.dll (Trojan.Agent) -> Quarantined and deleted successfully.



HJT......


Logfile of random's system information tool 1.04 (written by random/random)
Run by JP at 2008-12-02 21:45:34
Microsoft Windows XP Professional Service Pack 1
System drive C: has 646 MB (6%) free of 10 GB
Total RAM: 2047 MB (78% free)

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 9:45:37 PM, on 12/2/2008
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\ctfmon.exe
C:\WINDOWS\system32\spoolsv.exe
D:\Program Files\Advanced System Optimizer\adblock.exe
C:\Program Files\Avira\AntiVir PersonalEdition Classic\avguard.exe
D:\Program Files\Hotsync.exe
C:\Program Files\Common Files\Microsoft Shared\Works Shared\wkcalrem.exe
C:\Program Files\Avira\AntiVir PersonalEdition Classic\sched.exe
C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\lxddserv.exe
C:\WINDOWS\System32\lxddcoms.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\System32\PnkBstrA.exe
C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Java\jre1.6.0_07\bin\jucheck.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Documents and Settings\JP\Desktop\RSIT.exe
C:\Program Files\trend micro\JP.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.comcast.net/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by Comcast
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = localhost:2323
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = local
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: Lexmark Toolbar - {1017A80C-6F09-4548-A84D-EDD6AC9525F0} - C:\Program Files\Lexmark Toolbar\toolband.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - D:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar2.dll (file missing)
O2 - BHO: IEPlugin Class - {CF7C3CF0-4B15-11D1-ABED-709549C10000} - D:\Program Files\Advanced System Optimizer\iehelper.dll
O2 - BHO: (no name) - {f86aff27-b2b4-4799-a325-95d7f64e9f4b} - C:\WINDOWS\System32\vopegoze.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll (file missing)
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\system32\msdxm.ocx
O3 - Toolbar: Lexmark Toolbar - {1017A80C-6F09-4548-A84D-EDD6AC9525F0} - C:\Program Files\Lexmark Toolbar\toolband.dll
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [Microsoft Works Update Detection] C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe
O4 - HKLM\..\Run: [WorksFUD] C:\Program Files\Microsoft Works\wkfud.exe
O4 - HKLM\..\Run: [Microsoft Works Portfolio] C:\Program Files\Microsoft Works\WksSb.exe /AllUsers
O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Program Files\Adaptec\Easy CD Creator 5\DirectCD\DirectCD.exe"
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe"
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\System32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [avgnt] "C:\Program Files\Avira\AntiVir PersonalEdition Classic\avgnt.exe" /min
O4 - HKLM\..\Run: [HotSync] "C:\Program Files\PalmSource\Desktop\HotSync.exe" -AllUsers
O4 - HKLM\..\Run: [lxddmon.exe] "C:\Program Files\Lexmark 2500 Series\lxddmon.exe"
O4 - HKLM\..\Run: [lxddamon] "C:\Program Files\Lexmark 2500 Series\lxddamon.exe"
O4 - HKLM\..\Run: [FaxCenterServer] "C:\Program Files\Lexmark Fax Solutions\fm3032.exe" /s
O4 - HKLM\..\Run: [PhotoExplosionCalCheck] D:\Program Files\calcheck.exe
O4 - HKLM\..\Run: [CPM6fc9fffb] Rundll32.exe "c:\windows\system32\vohohoga.dll",a
O4 - HKLM\..\Run: [gutalukidu] Rundll32.exe "C:\WINDOWS\System32\gobekado.dll",s
O4 - HKLM\..\Run: [Malwarebytes Anti-Malware (reboot)] "D:\Program Files\malware\Malwarebytes' Anti-Malware\mbam.exe" /runcleanupscript
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe
O4 - HKCU\..\Run: [updateMgr] "C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe" AcRdB7_0_9 -reboot 1
O4 - HKCU\..\Run: [Systweak Ad and Popup Blocker] "D:\Program Files\Advanced System Optimizer\adblock.exe"
O4 - HKUS\S-1-5-19\..\Run: [gutalukidu] Rundll32.exe "C:\WINDOWS\System32\gobekado.dll",s (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [gutalukidu] Rundll32.exe "C:\WINDOWS\System32\gobekado.dll",s (User 'NETWORK SERVICE')
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: HotSync Manager.lnk = D:\Program Files\Hotsync.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: Microsoft Works Calendar Reminders.lnk = ?
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra button: ComcastHSI - {669B269B-0D4E-41FB-A3D8-FD67CA94F646} - http://www.comcast.net/ (file missing)
O9 - Extra button: Support - {8828075D-D097-4055-AA02-2DBFA9D85E8A} - http://www.comcastsupport.com/ (file missing)
O9 - Extra button: Help - {97809617-3937-4F84-B335-9BB05EF1A8D4} - http://online.comcast.net/help/ (file missing)
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - D:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - D:\PROGRA~1\SPYBOT~1\SDHelper.dll
O16 - DPF: {05D44720-58E3-49E6-BDF6-D00330E511D3} (StagingUI Object) - http://zone.msn.com/binFrameWork/v10/StagingUI.cab40641.cab
O16 - DPF: {2B323CD9-50E3-11D3-9466-00A0C9700498} (Yahoo! Audio Conferencing) - http://us.chat1.yimg.com/us.yimg.com/i/cha...v45/yacscom.cab
O16 - DPF: {31E68DE2-5548-4B23-88F0-C51E6A0F695E} (Microsoft PID Sniffer) - https://support.microsoft.com/OAS/ActiveX/odc.cab
O16 - DPF: {39B0684F-D7BF-4743-B050-FDC3F48F7E3B} (FilePlanet Download Control Class) - http://www.fileplanet.com/fpdlmgr/cabs/FPDC_1_0_0_44.cab
O16 - DPF: {3BB54395-5982-4788-8AF4-B5388FFDD0D8} (ZoneBuddy Class) - http://zone.msn.com/BinFrameWork/v10/ZBuddy.cab32846.cab
O16 - DPF: {4B9F2C37-C0CF-42BC-BB2D-DCFA8B25CABF} (PopCapLoaderCtrl Class) - http://zone.msn.com/bingame/rock/default/popcaploader1.cab
O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} - http://software-dl.real.com/064822aaff7a43...ip/RdxIE601.cab
O16 - DPF: {5736C456-EA94-4AAC-BB08-917ABDD035B3} (ZonePAChat Object) - http://zone.msn.com/binframework/v10/ZPAChat.cab32846.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/...b?1121397297750
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdat...b?1121398020640
O16 - DPF: {74C861A1-D548-4916-BC8A-FDE92EDFF62C} - http://mediaplayer.walmart.com/installer/install.cab
O16 - DPF: {7D1E9C49-BD6A-11D3-87A8-009027A35D73} (Yahoo! Audio UI1) - http://chat.yahoo.com/cab/yacsui.cab
O16 - DPF: {7F9B30F1-5129-4F5C-A76C-CE264A6C7D10} (Hummingbird Component Deployment) - http://infonet.hmc.psu.edu/terminal/Packag...ployrun.eng.cab
O16 - DPF: {809A6301-7B40-4436-A02C-87B8D3D7D9E3} (ZPA_DMNO Object) - http://zone.msn.com/bingame/zpagames/zpa_dmno.cab40746.cab
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (ZoneIntro Class) - http://zone.msn.com/binFramework/v10/ZIntro.cab34246.cab
O16 - DPF: {D54160C3-DB7B-4534-9B65-190EE4A9C7F7} (SproutLauncherCtrl Class) - http://zone.msn.com/bingame/feed/default/SproutLauncher.cab
O16 - DPF: {DA2AA6CF-5C7A-4B71-BC3B-C771BB369937} (StadiumProxy Class) - http://zone.msn.com/binframework/v10/StProxy.cab35645.cab
O16 - DPF: {E5F5D008-DD2C-4D32-977D-1A0ADF03058B} (JuniperSetupSP1 Control) - https://access.hersheymed.net/dana-cached/s...perSetupSP1.cab
O16 - DPF: {ED28050F-D713-43BA-A376-DCC5C35407D5} (MsnMusicAx Class) - https://music.msn.com/client/msnmusax4227.cab
O20 - AppInit_DLLs: C:\WINDOWS\System32\pebiwago.dll c:\windows\system32\vohohoga.dll
O21 - SSODL: SSODL - {EC43E3FD-5C60-46a6-97D7-E0B85DBDD6C4} - c:\windows\system32\vohohoga.dll
O22 - SharedTaskScheduler: STS - {EC43E3FD-5C60-46a6-97D7-E0B85DBDD6C4} - c:\windows\system32\vohohoga.dll
O23 - Service: Lavasoft Ad-Aware Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
O23 - Service: AntiVir PersonalEdition Classic Scheduler (AntiVirScheduler) - Avira GmbH - C:\Program Files\Avira\AntiVir PersonalEdition Classic\sched.exe
O23 - Service: AntiVir PersonalEdition Classic Guard (AntiVirService) - Avira GmbH - C:\Program Files\Avira\AntiVir PersonalEdition Classic\avguard.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: IMAPI CD-Burning COM Service (ImapiService) - Roxio Inc. - C:\WINDOWS\System32\ImapiRox.exe
O23 - Service: lxddCATSCustConnectService - Lexmark International, Inc. - C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\\lxddserv.exe
O23 - Service: lxdd_device - - C:\WINDOWS\System32\lxddcoms.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: PnkBstrA - Unknown owner - C:\WINDOWS\System32\PnkBstrA.exe
O23 - Service: SoundMAX Agent Service (SoundMAX Agent Service (default)) - Analog Devices, Inc. - C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe

--
End of file - 10522 bytes

======Registry dump======

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{06849E9F-C8D7-4D59-B87D-784B7D6BE0B3}]
Adobe PDF Reader Link Helper - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll [2006-12-18 59032]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{1017A80C-6F09-4548-A84D-EDD6AC9525F0}]
Lexmark Toolbar - C:\Program Files\Lexmark Toolbar\toolband.dll [2006-08-09 184320]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{53707962-6F74-2D53-2644-206D7942484F}]
Spybot-S&D IE Protection - D:\PROGRA~1\SPYBOT~1\SDHelper.dll [2008-09-15 1562960]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{761497BB-D6F0-462C-B6EB-D4DAF1D92D43}]
SSVHelper Class - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll [2008-06-10 509328]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{AA58ED58-01DD-4d91-8333-CF10577473F7}]
Google Toolbar Helper - c:\program files\google\googletoolbar2.dll []

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{CF7C3CF0-4B15-11D1-ABED-709549C10000}]
IEPlugin Class - D:\Program Files\Advanced System Optimizer\iehelper.dll [2004-05-08 83456]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{f86aff27-b2b4-4799-a325-95d7f64e9f4b}]
C:\WINDOWS\System32\vopegoze.dll [2008-09-02 64052]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
{2318C2B1-4965-11d4-9B18-009027A5CD4F} - &Google - c:\program files\google\googletoolbar2.dll []
{8E718888-423F-11D2-876E-00A0C9082467} - &Radio - C:\WINDOWS\system32\msdxm.ocx [2003-09-17 844048]
{1017A80C-6F09-4548-A84D-EDD6AC9525F0} - Lexmark Toolbar - C:\Program Files\Lexmark Toolbar\toolband.dll [2006-08-09 184320]

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]
"QuickTime Task"=C:\Program Files\QuickTime\qttask.exe [2005-01-13 98304]
"Microsoft Works Update Detection"=C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe [2001-08-16 28738]
"WorksFUD"=C:\Program Files\Microsoft Works\wkfud.exe [2001-10-05 24576]
"Microsoft Works Portfolio"=C:\Program Files\Microsoft Works\WksSb.exe [2001-08-23 331830]
"AdaptecDirectCD"=C:\Program Files\Adaptec\Easy CD Creator 5\DirectCD\DirectCD.exe [2001-09-27 659456]
"NvCplDaemon"=C:\WINDOWS\System32\NvCpl.dll [2005-02-24 5537792]
"nwiz"=nwiz.exe /install []
"SunJavaUpdateSched"=C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe [2008-06-10 144784]
"NvMediaCenter"=C:\WINDOWS\System32\NvMcTray.dll [2005-02-24 86016]
"avgnt"=C:\Program Files\Avira\AntiVir PersonalEdition Classic\avgnt.exe [2008-07-17 266497]
"HotSync"=C:\Program Files\PalmSource\Desktop\HotSync.exe -AllUsers []
"lxddmon.exe"=C:\Program Files\Lexmark 2500 Series\lxddmon.exe [2007-06-11 291760]
"lxddamon"=C:\Program Files\Lexmark 2500 Series\lxddamon.exe [2007-04-30 20480]
"FaxCenterServer"=C:\Program Files\Lexmark Fax Solutions\fm3032.exe [2007-06-11 312240]
"PhotoExplosionCalCheck"=D:\Program Files\calcheck.exe [2006-09-20 69632]
"CPM6fc9fffb"=c:\windows\system32\vohohoga.dll [2008-12-02 93236]
"gutalukidu"=C:\WINDOWS\System32\gobekado.dll []
"Malwarebytes Anti-Malware (reboot)"=D:\Program Files\malware\Malwarebytes' Anti-Malware\mbam.exe [2008-10-22 1261200]

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"=C:\WINDOWS\System32\ctfmon.exe [2002-08-29 13312]
"updateMgr"=C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe [2006-03-30 313472]
"Systweak Ad and Popup Blocker"=D:\Program Files\Advanced System Optimizer\adblock.exe [2004-05-09 409600]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup
Adobe Reader Speed Launch.lnk - C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
HotSync Manager.lnk - D:\Program Files\Hotsync.exe
Microsoft Office.lnk - C:\Program Files\Microsoft Office\Office10\OSA.EXE
Microsoft Works Calendar Reminders.lnk - C:\Program Files\Common Files\Microsoft Shared\Works Shared\wkcalrem.exe

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]
"AppInit_DLLS"="C:\WINDOWS\System32\pebiwago.dll c:\windows\system32\vohohoga.dll"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\WgaLogon]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad]
SSODL - {EC43E3FD-5C60-46a6-97D7-E0B85DBDD6C4} - c:\windows\system32\vohohoga.dll [2008-12-02 93236]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\explorer\SharedTaskScheduler]
STS - {EC43E3FD-5C60-46a6-97D7-E0B85DBDD6C4} - c:\windows\system32\vohohoga.dll [2008-12-02 93236]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa]
"notification packages"=
scecli
scecli
scecli
C:\WINDOWS\System32\pebiwago.dll

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\aawservice]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\network\aawservice]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\network\UploadMgr]

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System]
"dontdisplaylastusername"=0
"legalnoticecaption"=
"legalnoticetext"=
"shutdownwithoutlogon"=1
"undockwithoutlogon"=1

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\explorer]
"NoDriveTypeAutoRun"=145

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\standardprofile\authorizedapplications\list]
"C:\Program Files\Internet Explorer\IEXPLORE.EXE"="C:\Program Files\Internet Explorer\IEXPLORE.EXE:*:Enabled:Internet Explorer"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\domainprofile\authorizedapplications\list]

======File associations======

.scr - open - "%1" /S "%3"

======List of files/folders created in the last 1 months======

2008-12-02 21:07:09 ----D---- C:\Program Files\trend micro
2008-12-02 21:07:08 ----D---- C:\rsit
2008-12-02 20:58:17 ----A---- C:\WINDOWS\System32\sckgm.txt
2008-11-29 22:19:34 ----A---- C:\WINDOWS\System32\sasnative32.exe
2008-11-28 19:43:55 ----D---- C:\WINDOWS\ERUNT
2008-11-28 19:40:24 ----D---- C:\SDFix
2008-11-28 17:40:41 ----A---- C:\WINDOWS\akfrw.txt
2008-11-23 09:44:03 ----SH---- C:\WINDOWS\System32\ifabobef.ini
2008-11-23 08:48:50 ----D---- C:\Documents and Settings\JP\Application Data\Malwarebytes
2008-11-23 08:48:42 ----D---- C:\Documents and Settings\All Users\Application Data\Malwarebytes
2008-11-22 14:21:39 ----AH---- C:\WINDOWS\System32\RO2EA8.tmp.LOG
2008-11-22 14:21:39 ----AH---- C:\WINDOWS\System32\RO2EA3.tmp.LOG
2008-11-22 14:21:39 ----AH---- C:\WINDOWS\System32\RO2EA0.tmp.LOG
2008-11-22 14:21:39 ----AH---- C:\WINDOWS\System32\RO2E9B.tmp.LOG
2008-11-22 14:21:39 ----AH---- C:\WINDOWS\System32\RO2E98.tmp.LOG
2008-11-22 14:21:39 ----AH---- C:\WINDOWS\System32\RO2E93.tmp.LOG
2008-11-22 14:21:39 ----AH---- C:\WINDOWS\System32\RO2E90.tmp.LOG
2008-11-22 14:21:39 ----AH---- C:\WINDOWS\System32\RO2E8B.tmp.LOG
2008-11-22 14:21:39 ----AH---- C:\WINDOWS\System32\RO2E88.tmp.LOG
2008-11-22 14:21:39 ----AH---- C:\WINDOWS\System32\RO2E83.tmp.LOG
2008-11-22 14:21:39 ----AH---- C:\WINDOWS\System32\RO2E80.tmp.LOG
2008-11-22 14:21:39 ----AH---- C:\WINDOWS\System32\RO2E7B.tmp.LOG
2008-11-22 14:09:57 ----A---- C:\WINDOWS\System32\RO2E7B.tmp
2008-11-12 18:12:16 ----D---- C:\scenery
2008-11-12 18:12:16 ----D---- C:\MTA
2008-11-12 18:12:14 ----D---- C:\Gauges
2008-11-12 18:12:14 ----D---- C:\Effects
2008-11-12 18:12:12 ----D---- C:\Modules
2008-11-12 18:12:12 ----D---- C:\Aircraft
2008-11-12 18:12:11 ----D---- C:\LAGO

======List of files/folders modified in the last 1 months======

2008-12-02 21:34:45 ----D---- C:\Program Files\Mozilla Firefox
2008-12-02 21:08:29 ----D---- C:\WINDOWS\Prefetch
2008-12-02 21:07:09 ----RD---- C:\Program Files
2008-12-02 20:58:17 ----D---- C:\WINDOWS\System32\drivers
2008-12-02 20:58:17 ----D---- C:\WINDOWS\system32
2008-12-02 20:56:23 ----D---- C:\WINDOWS\Temp
2008-12-02 20:55:37 ----D---- C:\WINDOWS\System32\CatRoot2
2008-12-02 20:47:00 ----A---- C:\Documents and Settings\All Users\Application Data\DirectCDUserName.txt
2008-12-02 20:35:12 ----A---- C:\WINDOWS\SchedLgU.Txt
2008-12-02 19:43:14 ----N---- C:\WINDOWS\System32\vohohoga.dll
2008-12-02 19:43:11 ----ASH---- C:\WINDOWS\System32\bonipola.dll
2008-12-02 18:30:55 ----D---- C:\WINDOWS
2008-12-02 18:13:37 ----D---- C:\Program Files\Lx_cats
2008-12-02 07:42:47 ----ASH---- C:\WINDOWS\System32\bohotute.dll
2008-12-02 07:42:46 ----ASH---- C:\WINDOWS\System32\vikuzeja.dll
2008-12-02 07:42:46 ----ASH---- C:\WINDOWS\System32\honayoto.dll
2008-12-01 14:43:56 ----ASH---- C:\WINDOWS\System32\niyihifi.dll
2008-12-01 14:43:56 ----ASH---- C:\WINDOWS\System32\golorojo.dll
2008-11-30 21:09:16 ----ASH---- C:\WINDOWS\System32\dinizuha.dll
2008-11-30 09:09:03 ----ASH---- C:\WINDOWS\System32\podezowu.dll
2008-11-29 22:06:16 ----A---- C:\WINDOWS\ntbtlog.txt
2008-11-29 09:04:32 ----AC---- C:\WINDOWS\System32\PerfStringBackup.INI
2008-11-28 19:49:23 ----RSHDC---- C:\WINDOWS\System32\dllcache
2008-11-26 15:15:09 ----D---- C:\Documents and Settings\JP\Application Data\LimeWire
2008-11-26 15:14:58 ----D---- C:\Documents and Settings\JP\Application Data\uTorrent
2008-11-24 19:50:37 ----AC---- C:\WINDOWS\WORDPAD.INI
2008-11-23 16:34:49 ----AC---- C:\WINDOWS\cdplayer.ini
2008-11-23 12:10:52 ----AC---- C:\WINDOWS\ModemLog_BCM V.90 56K Modem.txt
2008-11-23 08:08:17 ----D---- C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2008-11-22 14:21:39 ----D---- C:\WINDOWS\System32\config
2008-11-22 09:33:55 ----D---- C:\Documents and Settings\All Users\Application Data\Lavasoft
2008-11-22 09:33:28 ----SHD---- C:\WINDOWS\Installer
2008-11-22 09:32:21 ----D---- C:\Program Files\Lavasoft
2008-11-22 09:31:59 ----D---- C:\Program Files\Common Files\Wise Installation Wizard
2008-11-12 18:12:11 ----HD---- C:\Program Files\InstallShield Installation Information
2008-11-12 17:15:51 ----SD---- C:\Documents and Settings\JP\Application Data\Microsoft

======List of drivers (R=Running, S=Stopped, 0=Boot, 1=System, 2=Auto, 3=Demand, 4=Disabled)======

R1 avgntdd;avgntdd; C:\WINDOWS\SYSTEM32\DRIVERS\avgntdd.sys [2008-07-17 45376]
R1 avipbb;avipbb; C:\WINDOWS\System32\DRIVERS\avipbb.sys [2008-11-25 75072]
R1 Cdr4_xp;Cdr4_xp; C:\WINDOWS\System32\drivers\Cdr4_xp.sys [2007-10-19 9336]
R1 Cdralw2k;Cdralw2k; C:\WINDOWS\System32\drivers\Cdralw2k.sys [2007-10-19 9464]
R1 cdudf_xp;cdudf_xp; C:\WINDOWS\System32\drivers\cdudf_xp.sys [2001-09-24 233344]
R1 NEOFLTR_550_12029;Juniper Networks TDI Filter Driver (NEOFLTR_550_12029); \??\C:\WINDOWS\System32\Drivers\NEOFLTR_550_12029.SYS []
R1 prodrv06;StarForce Protection Environment Driver v6; C:\WINDOWS\System32\drivers\prodrv06.sys [2006-12-23 80768]
R1 pwd_2K;pwd_2K; C:\WINDOWS\System32\drivers\pwd_2K.sys [2001-09-24 78486]
R1 ssmdrv;ssmdrv; C:\WINDOWS\System32\DRIVERS\ssmdrv.sys [2007-03-01 28352]
R1 UdfReadr_xp;UdfReadr_xp; C:\WINDOWS\System32\drivers\UdfReadr_xp.sys [2001-09-24 205824]
R2 ACEDRV05;ACEDRV05; \??\C:\WINDOWS\System32\drivers\ACEDRV05.sys []
R2 aslm75;aslm75; \??\C:\WINDOWS\system32\drivers\aslm75.sys []
R2 IOPort;IOPort; \??\C:\WINDOWS\System32\DRIVERS\IOPORT.SYS []
R3 aeaudio;aeaudio; C:\WINDOWS\system32\drivers\aeaudio.sys [2002-04-01 4816]
R3 BCMModem;BCM V.90 56K Modem; C:\WINDOWS\System32\DRIVERS\BCMDM.sys [2001-08-17 871388]
R3 HidUsb;Microsoft HID Class Driver; C:\WINDOWS\System32\DRIVERS\hidusb.sys [2001-08-17 9600]
R3 mmc_2K;mmc_2K; C:\WINDOWS\System32\drivers\mmc_2K.sys [2001-09-24 19158]
R3 MODEMCSA;Unimodem Streaming Filter Device; C:\WINDOWS\system32\drivers\MODEMCSA.sys [2001-08-17 16128]
R3 mouhid;Mouse HID Driver; C:\WINDOWS\System32\DRIVERS\mouhid.sys [2001-08-17 12160]
R3 nv;nv; C:\WINDOWS\System32\DRIVERS\nv4_mini.sys [2005-02-24 3454144]
R3 smwdm;smwdm; C:\WINDOWS\system32\drivers\smwdm.sys [2003-07-15 578368]
R3 usbccgp;Microsoft USB Generic Parent Driver; C:\WINDOWS\System32\DRIVERS\usbccgp.sys [2002-08-29 28160]
R3 usbehci;Microsoft USB 2.0 Enhanced Host Controller Miniport Driver; C:\WINDOWS\System32\DRIVERS\usbehci.sys [2002-08-29 19328]
R3 usbhub;USB2 Enabled Hub; C:\WINDOWS\System32\DRIVERS\usbhub.sys [2002-08-29 51968]
R3 usbprint;Microsoft USB PRINTER Class; C:\WINDOWS\System32\DRIVERS\usbprint.sys [2002-08-29 24960]
R3 usbscan;USB Scanner Driver; C:\WINDOWS\System32\DRIVERS\usbscan.sys [2002-08-29 14208]
R3 usbuhci;Microsoft USB Universal Host Controller Miniport Driver; C:\WINDOWS\System32\DRIVERS\usbuhci.sys [2002-08-29 19328]
R3 yukonwxp;NDIS5.1 Miniport Driver for Marvell Yukon Ethernet Controller; C:\WINDOWS\System32\DRIVERS\yk51x86.sys [2005-09-19 241280]
S1 kbdhid;Keyboard HID Driver; C:\WINDOWS\System32\DRIVERS\kbdhid.sys [2001-08-17 13952]
S3 catchme;catchme; \??\C:\DOCUME~1\JP\LOCALS~1\Temp\catchme.sys []
S3 dvd_2K;dvd_2K; C:\WINDOWS\System32\drivers\dvd_2K.sys [2001-09-24 17958]
S3 iscFlash;iscFlash; \??\C:\WINDOWS\SYSTEM32\DRIVERS\iscflash.sys []
S3 PalmUSBD;PalmUSBD; C:\WINDOWS\system32\drivers\PalmUSBD.sys [2007-12-04 16640]
S3 samhid;samhid; C:\WINDOWS\system32\drivers\samhid.sys []
S3 USBSTOR;USB Mass Storage Driver; C:\WINDOWS\System32\DRIVERS\USBSTOR.SYS [2002-08-29 21760]
S3 wanatw;WAN Miniport (ATW); C:\WINDOWS\System32\DRIVERS\wanatw4.sys [2003-01-10 33588]
S3 WpdUsb;WpdUsb; C:\WINDOWS\System32\Drivers\wpdusb.sys [2004-09-22 18944]
S4 IntelIde;IntelIde; C:\WINDOWS\System32\drivers\IntelIde.sys []

======List of services (R=Running, S=Stopped, 0=Boot, 1=System, 2=Auto, 3=Demand, 4=Disabled)======

R2 aawservice;Lavasoft Ad-Aware Service; C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe [2008-07-07 611664]
R2 AntiVirScheduler;AntiVir PersonalEdition Classic Scheduler; C:\Program Files\Avira\AntiVir PersonalEdition Classic\sched.exe [2008-10-23 68865]
R2 AntiVirService;AntiVir PersonalEdition Classic Guard; C:\Program Files\Avira\AntiVir PersonalEdition Classic\avguard.exe [2008-10-23 151297]
R2 lxdd_device;lxdd_device; C:\WINDOWS\System32\lxddcoms.exe [2007-05-25 537520]
R2 lxddCATSCustConnectService;lxddCATSCustConnectService; C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\\lxddserv.exe [2007-05-25 99248]
R2 NVSvc;NVIDIA Display Driver Service; C:\WINDOWS\System32\nvsvc32.exe [2005-02-24 127043]
R2 PnkBstrA;PnkBstrA; C:\WINDOWS\System32\PnkBstrA.exe [2007-11-28 66872]
R2 SoundMAX Agent Service (default);SoundMAX Agent Service; C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe [2002-09-20 45056]
R2 UMWdf;Windows User Mode Driver Framework; C:\WINDOWS\System32\wdfmgr.exe [2004-09-22 38912]
S3 aspnet_state;ASP.NET State Service; C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\aspnet_state.exe [2005-09-23 29896]
S3 clr_optimization_v2.0.50727_32;.NET Runtime Optimization Service v2.0.50727_X86; C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe [2005-09-23 66240]
S3 IDriverT;InstallDriver Table Manager; C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe [2005-04-03 69632]

-----------------EOF-----------------

Edited by Orange Blossom, 02 December 2008 - 10:31 PM.
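The logs above show one DLL, vohohoga.dll, registered in four different autostart entry types at once (an HKLM Run value, AppInit_DLLs, ShellServiceObjectDelayLoad and SharedTaskScheduler), and a second DLL, pebiwago.dll, in AppInit_DLLs and in the Lsa "notification packages" list. AppInit_DLLs entries are loaded into every user-mode process that links user32.dll, SSODL and SharedTaskScheduler entries are loaded by Explorer when the shell starts, and Lsa notification packages are loaded by lsass.exe, so these DLLs end up mapped into long-lived system processes, which is consistent with the entries reappearing after Malwarebytes removes them. The following Python script is an added example, not part of the original post and not code from Malwarebytes, HijackThis or RSIT: it parses HijackThis-style entry lines, collects every DLL path per entry type, and flags DLLs that sit in a high-value persistence point, appear under more than one entry type, or have the eight-letter alternating consonant/vowel file name seen throughout this log. The sample input is a handful of lines excerpted from the HJT log above; the set of "high-value" entry types, the file-name heuristic and the proxy check are my own assumptions, not something the tools or the thread define.

```python
import re
from collections import defaultdict

# Constructed sample: a handful of entry lines excerpted from the HijackThis
# log posted above. A real run would read the whole log file instead.
SAMPLE_LOG = r"""
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = localhost:2323
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {f86aff27-b2b4-4799-a325-95d7f64e9f4b} - C:\WINDOWS\System32\vopegoze.dll
O4 - HKLM\..\Run: [avgnt] "C:\Program Files\Avira\AntiVir PersonalEdition Classic\avgnt.exe" /min
O4 - HKLM\..\Run: [CPM6fc9fffb] Rundll32.exe "c:\windows\system32\vohohoga.dll",a
O4 - HKLM\..\Run: [gutalukidu] Rundll32.exe "C:\WINDOWS\System32\gobekado.dll",s
O20 - AppInit_DLLs: C:\WINDOWS\System32\pebiwago.dll c:\windows\system32\vohohoga.dll
O21 - SSODL: SSODL - {EC43E3FD-5C60-46a6-97D7-E0B85DBDD6C4} - c:\windows\system32\vohohoga.dll
O22 - SharedTaskScheduler: STS - {EC43E3FD-5C60-46a6-97D7-E0B85DBDD6C4} - c:\windows\system32\vohohoga.dll
"""

# "kind" is the HijackThis section code (R1, O2, O4, O20 ...).
HJT_LINE = re.compile(r"^(?P<kind>R[0-3]|O\d+) - (?P<body>.*)$")
# A Windows path ending in .dll. Path components may contain spaces but never
# ':', so two paths separated by a space (as in AppInit_DLLs) split correctly.
DLL_PATH = re.compile(r'[A-Za-z]:\\(?:[^\\:"<>|]*\\)*[^\\:"<>|,]*?\.dll', re.IGNORECASE)
# Assumption (heuristic): eight lowercase letters alternating consonant/vowel,
# the pattern of every malicious file name in this log (vohohoga, gobekado ...).
RANDOM_STEM = re.compile(r"(?:[bcdfghjklmnpqrstvwxyz][aeiou]){4}")
# Assumption: entry types whose DLLs are loaded into long-lived system
# processes, so a single hit there is worth a look on its own.
HIGH_VALUE = {
    "O20": "AppInit_DLLs",
    "O21": "ShellServiceObjectDelayLoad",
    "O22": "SharedTaskScheduler",
}


def parse_entries(log_text):
    """Yield (kind, body) for every HijackThis entry line; other lines are skipped."""
    for line in log_text.splitlines():
        m = HJT_LINE.match(line.strip())
        if m:
            yield m.group("kind"), m.group("body")


def looks_generated(path):
    """True if the file name matches the random-name heuristic above."""
    name = path.rsplit("\\", 1)[-1].lower()
    stem = name[:-4] if name.endswith(".dll") else name
    return RANDOM_STEM.fullmatch(stem) is not None


def analyze(log_text):
    """Return {"dlls": {lower-cased path: [reasons]}, "proxy": value or None}."""
    locations = defaultdict(set)   # dll path -> set of entry kinds it appears under
    proxy = None
    for kind, body in parse_entries(log_text):
        if kind == "R1" and "ProxyServer" in body:
            # A loopback proxy on an odd port routes all browser traffic through
            # whatever is listening there; on a home PC that is rarely legitimate.
            proxy = body.split("=", 1)[1].strip()
        for dll in DLL_PATH.findall(body):
            locations[dll.lower()].add(kind)

    findings = {}
    for dll, kinds in locations.items():
        reasons = []
        hooked = sorted(HIGH_VALUE[k] for k in kinds if k in HIGH_VALUE)
        if hooked:
            reasons.append("loaded via " + ", ".join(hooked))
        if len(kinds) > 1:
            reasons.append("listed under %d different entry types" % len(kinds))
        if looks_generated(dll):
            reasons.append("random-looking file name")
        if reasons:
            findings[dll] = reasons
    return {"dlls": findings, "proxy": proxy}


if __name__ == "__main__":
    report = analyze(SAMPLE_LOG)
    if report["proxy"]:
        print("proxy set to:", report["proxy"])
    for dll, reasons in sorted(report["dlls"].items()):
        print(dll)
        for reason in reasons:
            print("   -", reason)
```

Run against the sample, the script reports the loopback proxy and flags vohohoga.dll on all three counts, pebiwago.dll and vopegoze.dll and gobekado.dll by name, and leaves the Adobe helper alone. The correlation step matters more than the name heuristic: a DLL that shows up in AppInit_DLLs and in Explorer's SSODL/SharedTaskScheduler hooks under the same CLSID is a persistence layout, not a coincidence, regardless of what it is called.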



#2 djay72 (Topic Starter)

Posted 03 December 2008 - 07:14 AM

I apologize, mods... I forgot to set my notification to email. It is done now.

#3 Billy O'Neal (Malware Response Team)

Posted 07 December 2008 - 04:18 PM

Hello, djay72
Welcome to BleepingComputer.com

My name is Billy O'Neal and I will be helping you. (Billy or Bill is fine, if you like.)
Please give me some time to look over your computer's log(s).
Please take note of the following:
  • In the meantime, please refrain from making any changes to your computer.
  • Also, even if things appear to be running better, there is no guarantee that everything is finished. Please continue to check this forum post in order to ensure we get your system completely clean. We do not want to clean you part-way up, only to have the system re-infect itself. :)
  • If you do not understand any step(s) provided, please do not hesitate to ask before continuing. I would much rather clarify instructions or explain them differently than have something important broken.
  • Finally, please reply using the reply button in the lower left-hand corner of your screen.
We need to create an OTViewIt Report
  • Please download OTViewIt by OldTimer.
  • Save it to your desktop.
  • Double click on the OTViewIt icon on your desktop.
  • Click the "Scan All Users" checkbox.
  • Push the scan button.
  • Two reports will open, copy and paste them in a reply here:
  • OTViewIt.txt <-- Will be opened
  • Extra.txt <-- Will be minimized
We need to scan for Rootkits with GMER
  • Please download GMER from one of the following mirrors:
  • Close any and all open programs, as this process may crash your computer.
  • Unzip the downloaded file to your desktop.
  • Double click Posted Image on your desktop.
  • Allow the gmer.sys driver to load if asked.
  • You may see this window. If you do, click No.
  • Click on Posted Image and wait for the scan to finish.
  • If you see a rootkit warning window, click OK.
  • Push Posted Image and save the logfile to your desktop.
  • Copy and Paste the contents of that file in your next post.
In your next reply, please include the following:
  • OTViewIt.txt
  • Extra.txt
  • GMER's Log


Billy3
Twitter - My statements do not establish the official position of Microsoft Corporation, and are my own personal opinion. (But you already knew that, right?)

#4 djay72

djay72
  • Topic Starter

Posted 08 December 2008 - 08:04 AM

Thanks so much for the reply, Bill. Here's hoping we can get this figured out. Here are the logs you requested...

OTViewIt logfile created on: 12/8/2008 7:23:53 AM - Run 2
OTViewIt by OldTimer - Version 1.0.20.1 Folder = C:\Documents and Settings\JP\Desktop
Windows XP Professional Edition Service Pack 1 (Version = 5.1.2600) - Type = NTWorkstation
Internet Explorer (Version = 6.0.2800.1106)
Locale: 00000409 | Country: United States | Language: ENU | Date Format: M/d/yyyy

2.00 Gb Total Physical Memory | 1.60 Gb Available Physical Memory | 79.82% Memory free
4.00 Gb Paging File | 4.00 Gb Available in Paging File | 100.00% Paging File free
Paging file location(s): E:\pagefile.sys 4000 4000;

%SystemDrive% = C: | %SystemRoot% = C:\WINDOWS | %ProgramFiles% = C:\Program Files
Drive C: | 10.00 Gb Total Space | 0.55 Gb Free Space | 5.48% Space Free | Partition Type: NTFS
Drive D: | 20.00 Gb Total Space | 15.74 Gb Free Space | 78.72% Space Free | Partition Type: NTFS
Drive E: | 44.53 Gb Total Space | 7.33 Gb Free Space | 16.46% Space Free | Partition Type: NTFS
F: Drive not present or media not loaded
G: Drive not present or media not loaded
H: Drive not present or media not loaded
I: Drive not present or media not loaded

Computer Name: PRICEJEFF
Current User Name: JP
Logged in as Administrator.

Current Boot Mode: Normal
Scan Mode: Current user
Whitelist: On
File Age = 30 Days

========== Processes ==========

[2008/07/07 08:15:18 | 00,611,664 | ---- | M] (Lavasoft) -- C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
[2008/10/23 11:37:45 | 00,151,297 | ---- | M] (Avira GmbH) -- C:\Program Files\Avira\AntiVir PersonalEdition Classic\avguard.exe
[2001/08/16 22:41:58 | 00,028,738 | ---- | M] (Microsoft® Corporation) -- C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe
[2008/10/23 11:37:48 | 00,068,865 | ---- | M] (Avira GmbH) -- C:\Program Files\Avira\AntiVir PersonalEdition Classic\sched.exe
[2007/05/25 04:41:53 | 00,099,248 | ---- | M] (Lexmark International, Inc.) -- C:\WINDOWS\system32\spool\drivers\w32x86\3\lxddserv.exe
[2001/09/27 16:33:38 | 00,659,456 | ---- | M] (Roxio) -- C:\Program Files\Adaptec\Easy CD Creator 5\DirectCD\Directcd.exe
[2008/06/10 03:27:04 | 00,144,784 | ---- | M] (Sun Microsystems, Inc.) -- C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe
[2008/07/17 19:45:29 | 00,266,497 | ---- | M] (Avira GmbH) -- C:\Program Files\Avira\AntiVir PersonalEdition Classic\avgnt.exe
[2007/06/11 14:27:23 | 00,291,760 | ---- | M] () -- C:\Program Files\Lexmark 2500 Series\lxddmon.exe
[2007/04/30 03:19:53 | 00,020,480 | ---- | M] () -- C:\Program Files\Lexmark 2500 Series\lxddamon.exe
[2006/09/20 10:54:24 | 00,069,632 | ---- | M] (Ulead Systems, Inc.) -- D:\Program Files\CalCheck.exe
[2007/05/25 04:41:37 | 00,537,520 | ---- | M] ( ) -- C:\WINDOWS\system32\lxddcoms.exe
[2005/02/24 06:32:00 | 00,127,043 | ---- | M] (NVIDIA Corporation) -- C:\WINDOWS\system32\nvsvc32.exe
[2007/11/28 16:11:20 | 00,066,872 | ---- | M] () -- C:\WINDOWS\system32\PnkBstrA.exe
[2002/09/20 16:50:10 | 00,045,056 | ---- | M] (Analog Devices, Inc.) -- C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
[2004/05/09 00:27:36 | 00,409,600 | ---- | M] (Systweak Inc) -- D:\Program Files\Advanced System Optimizer\adblock.exe
[2004/09/22 17:46:10 | 00,038,912 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\system32\wdfmgr.exe
[2008/01/03 17:28:08 | 01,392,640 | R--- | M] (PalmSource, Inc) -- D:\Program Files\Hotsync.exe
[2001/08/07 18:06:54 | 00,024,633 | ---- | M] (Microsoft® Corporation) -- C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkCalRem.exe
[2008/11/12 22:27:14 | 00,307,712 | ---- | M] (Mozilla Corporation) -- C:\Program Files\Mozilla Firefox\firefox.exe
[2008/12/08 07:22:02 | 00,423,424 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\JP\Desktop\OTViewIt.exe

========== (O23) Win32 Services ==========

[2008/07/07 08:15:18 | 00,611,664 | ---- | M] (Lavasoft) -- C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe -- (aawservice [Auto | Running])
[2008/10/23 11:37:48 | 00,068,865 | ---- | M] (Avira GmbH) -- C:\Program Files\Avira\AntiVir PersonalEdition Classic\sched.exe -- (AntiVirScheduler [Auto | Running])
[2008/10/23 11:37:45 | 00,151,297 | ---- | M] (Avira GmbH) -- C:\Program Files\Avira\AntiVir PersonalEdition Classic\avguard.exe -- (AntiVirService [Auto | Running])
[2005/09/23 07:28:32 | 00,029,896 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\aspnet_state.exe -- (aspnet_state [On_Demand | Stopped])
[2005/09/23 07:28:56 | 00,066,240 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe -- (clr_optimization_v2.0.50727_32 [On_Demand | Stopped])
[2005/04/03 23:41:10 | 00,069,632 | ---- | M] (Macrovision Corporation) -- C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe -- (IDriverT [On_Demand | Stopped])
[2001/08/10 13:14:14 | 00,192,512 | ---- | M] (Roxio Inc.) -- C:\WINDOWS\system32\ImapiRox.exe -- (ImapiService [On_Demand | Stopped])
[2007/05/25 04:41:53 | 00,099,248 | ---- | M] (Lexmark International, Inc.) -- C:\WINDOWS\system32\spool\drivers\w32x86\3\lxddserv.exe -- (lxddCATSCustConnectService [Auto | Running])
[2007/05/25 04:41:37 | 00,537,520 | ---- | M] ( ) -- C:\WINDOWS\system32\lxddcoms.exe -- (lxdd_device [Auto | Running])
[2005/02/24 06:32:00 | 00,127,043 | ---- | M] (NVIDIA Corporation) -- C:\WINDOWS\system32\nvsvc32.exe -- (NVSvc [Auto | Running])
[2007/11/28 16:11:20 | 00,066,872 | ---- | M] () -- C:\WINDOWS\system32\PnkBstrA.exe -- (PnkBstrA [Auto | Running])
[2002/09/20 16:50:10 | 00,045,056 | ---- | M] (Analog Devices, Inc.) -- C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe -- (SoundMAX Agent Service (default) [Auto | Running])
[2004/09/22 17:46:10 | 00,038,912 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\system32\wdfmgr.exe -- (UMWdf [Auto | Running])

========== Driver Services ==========

[2007/01/05 21:28:46 | 00,097,792 | ---- | M] (Protect Software GmbH) -- C:\WINDOWS\system32\drivers\ACEDRV05.sys -- (ACEDRV05 [Auto | Running])
[2002/04/01 14:15:00 | 00,004,816 | ---- | M] (Andrea Electronics Corporation) -- C:\WINDOWS\system32\drivers\aeaudio.sys -- (aeaudio [On_Demand | Running])
[1997/04/22 10:16:00 | 00,006,272 | ---- | M] () -- C:\WINDOWS\system32\drivers\ASLM75.SYS -- (aslm75 [Auto | Running])
[2008/07/17 19:45:29 | 00,045,376 | ---- | M] (Avira GmbH) -- C:\WINDOWS\system32\drivers\avgntdd.sys -- (avgntdd [System | Running])
[2008/04/17 18:18:07 | 00,022,336 | ---- | M] (Avira GmbH) -- C:\WINDOWS\system32\drivers\avgntmgr.sys -- (avgntmgr [Boot | Running])
[2008/11/25 22:54:32 | 00,075,072 | ---- | M] (Avira GmbH) -- C:\WINDOWS\system32\drivers\avipbb.sys -- (avipbb [System | Running])
[2001/08/17 08:28:00 | 00,871,388 | ---- | M] (BCM) -- C:\WINDOWS\system32\drivers\BCMDM.sys -- (BCMModem [On_Demand | Running])
[2007/10/19 19:56:10 | 00,009,336 | ---- | M] (Sonic Solutions) -- C:\WINDOWS\System32\drivers\cdr4_xp.sys -- (Cdr4_xp [System | Running])
[2007/10/19 19:56:12 | 00,009,464 | ---- | M] (Sonic Solutions) -- C:\WINDOWS\System32\drivers\cdralw2k.sys -- (Cdralw2k [System | Running])
[2001/09/24 11:27:58 | 00,233,344 | ---- | M] (Roxio) -- C:\WINDOWS\System32\drivers\cdudf_xp.sys -- (cdudf_xp [System | Running])
[2001/09/24 11:25:38 | 00,017,958 | ---- | M] (Roxio) -- C:\WINDOWS\System32\drivers\Dvd_2k.sys -- (dvd_2K [On_Demand | Stopped])
[2001/08/20 11:59:38 | 00,025,472 | ---- | M] (Roxio Inc.) -- C:\WINDOWS\system32\drivers\imapiRox.sys -- (Imapi [System | Running])
[1998/11/27 22:57:18 | 00,006,144 | R--- | M] (Erik Salaj) -- C:\WINDOWS\system32\drivers\IOPORT.SYS -- (IOPort [Auto | Running])
[2001/08/17 13:48:04 | 00,013,952 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\system32\drivers\kbdhid.sys -- (kbdhid [System | Stopped])
[2008/10/22 16:10:38 | 00,038,496 | ---- | M] (Malwarebytes Corporation) -- C:\WINDOWS\system32\drivers\mbamswissarmy.sys -- (MBAMSwissArmy [On_Demand | Stopped])
[2001/09/24 11:25:30 | 00,019,158 | ---- | M] (Roxio) -- C:\WINDOWS\System32\drivers\Mmc_2k.sys -- (mmc_2K [On_Demand | Running])
[2001/08/17 08:57:38 | 00,016,128 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\system32\drivers\MODEMCSA.sys -- (MODEMCSA [On_Demand | Running])
[2007/08/23 18:02:20 | 00,063,008 | ---- | M] (Juniper Networks) -- C:\WINDOWS\system32\drivers\NEOFLTR_550_12029.sys -- (NEOFLTR_550_12029 [System | Running])
[2005/02/24 06:32:00 | 03,454,144 | ---- | M] (NVIDIA Corporation) -- C:\WINDOWS\system32\drivers\nv4_mini.sys -- (nv [On_Demand | Running])
[2007/12/04 16:10:30 | 00,016,640 | R--- | M] (PalmSource, Inc.) -- C:\WINDOWS\system32\drivers\PalmUSBD.sys -- (PalmUSBD [On_Demand | Stopped])
[2006/12/23 04:44:59 | 00,080,768 | ---- | M] (Protection Technology) -- C:\WINDOWS\system32\drivers\prodrv06.sys -- (prodrv06 [System | Running])
[2006/12/23 04:43:17 | 00,077,120 | ---- | M] (Protection Technology) -- C:\WINDOWS\system32\drivers\prohlp02.sys -- (prohlp02 [Boot | Running])
[2005/12/21 04:16:58 | 00,007,136 | ---- | M] (Protection Technology) -- C:\WINDOWS\system32\drivers\prosync1.sys -- (prosync1 [Boot | Running])
[2001/08/23 07:00:00 | 00,017,792 | ---- | M] (Parallel Technologies, Inc.) -- C:\WINDOWS\system32\drivers\ptilink.sys -- (Ptilink [On_Demand | Running])
[2001/09/24 11:25:18 | 00,078,486 | ---- | M] (Roxio) -- C:\WINDOWS\System32\drivers\pwd_2K.sys -- (pwd_2K [System | Running])
[2007/10/19 19:56:10 | 00,043,528 | ---- | M] (Sonic Solutions) -- C:\WINDOWS\system32\drivers\PxHelp20.sys -- (PxHelp20 [Boot | Running])
[2007/06/17 18:07:38 | 00,011,973 | ---- | M] (Macrovision Corporation, Macrovision Europe Limited, and Macrovision Japan and Asia K.K.) -- C:\WINDOWS\system32\drivers\secdrv.sys -- (Secdrv [Auto | Running])
[2003/12/01 10:20:52 | 00,004,832 | ---- | M] (Protection Technology) -- C:\WINDOWS\system32\drivers\sfhlp01.sys -- (sfhlp01 [Boot | Running])
[2003/07/15 16:00:00 | 00,578,368 | ---- | M] (Analog Devices, Inc.) -- C:\WINDOWS\system32\drivers\smwdm.sys -- (smwdm [On_Demand | Running])
[2007/03/01 10:34:36 | 00,028,352 | ---- | M] (Avira GmbH) -- C:\WINDOWS\system32\drivers\ssmdrv.sys -- (ssmdrv [System | Running])
[2001/09/24 11:29:36 | 00,205,824 | ---- | M] (Roxio) -- C:\WINDOWS\System32\drivers\udfreadr_xp.sys -- (UdfReadr_xp [System | Running])
[2003/07/02 04:42:00 | 00,027,904 | ---- | M] (VIA Technologies, Inc.) -- C:\WINDOWS\system32\drivers\VIAAGP1.SYS -- (viaagp1 [Boot | Running])
[2001/10/18 12:00:00 | 00,006,144 | ---- | M] (VIA Technologies, Inc.) -- C:\WINDOWS\system32\drivers\viaidexp.sys -- (ViaIde [Boot | Running])
[2003/10/31 06:22:38 | 00,077,312 | ---- | M] (VIA Technologies inc,.ltd) -- C:\WINDOWS\system32\drivers\viasraid.sys -- (viasraid [Boot | Running])
[2003/01/10 16:13:04 | 00,033,588 | ---- | M] (America Online, Inc.) -- C:\WINDOWS\system32\drivers\wanatw4.sys -- (wanatw [On_Demand | Stopped])
[2005/09/19 08:41:00 | 00,241,280 | ---- | M] (Marvell) -- C:\WINDOWS\system32\drivers\yk51x86.sys -- (yukonwxp [On_Demand | Running])

========== (R ) Internet Explorer ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Main]
"Default_Page_URL"=http://www.microsoft.com/isapi/redir.dll?prd=ie&pver=6&ar=msnhome
"Default_Search_URL"=http://www.microsoft.com/isapi/redir.dll?prd=ie&ar=iesearch
"Local Page"=%SystemRoot%\system32\blank.htm
"Search Page"=http://www.microsoft.com/isapi/redir.dll?prd=ie&ar=iesearch
"Start Page"=http://www.comcast.net/

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Search]
"CustomizeSearch"=http://ie.search.msn.com/{SUB_RFC1766}/srchasst/srchcust.htm
"SearchAssistant"=http://www.google.com/ie

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\Main]
"Local Page"=C:\WINDOWS\System32\blank.htm
"Search Page"=http://www.microsoft.com/isapi/redir.dll?prd=ie&ar=iesearch
"Start Page"=about:blank

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\SearchURL]
"provider"=

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\URLSearchHooks]
"{CFBFAE00-17A6-11D0-99CB-00C04FD64497}" (HKLM) -- C:\WINDOWS\system32\shdocvw.dll (Microsoft Corporation)

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyEnable" = 1
"ProxyOverride" = local

========== (O1) Hosts File ==========

HOSTS File = (287985 bytes) - C:\WINDOWS\System32\drivers\etc\Hosts
First 25 entries...
9926 more lines...

========== (O2) BHO's ==========

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\]
{06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} (HKLM) -- C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll (Adobe Systems Incorporated)
{1017A80C-6F09-4548-A84D-EDD6AC9525F0} (HKLM) -- C:\Program Files\Lexmark Toolbar\toolband.dll ()
{53707962-6F74-2D53-2644-206D7942484F} (HKLM) -- D:\Program Files\Spybot - Search & Destroy\SDHelper.dll (Safer Networking Limited)
{761497BB-D6F0-462C-B6EB-D4DAF1D92D43} (HKLM) -- C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll (Sun Microsystems, Inc.)
{AA58ED58-01DD-4d91-8333-CF10577473F7} (HKLM) -- c:\program files\google\googletoolbar2.dll File not found
{CF7C3CF0-4B15-11D1-ABED-709549C10000} (HKLM) -- D:\Program Files\Advanced System Optimizer\IEHelper.dll (Systweak Inc)
{f86aff27-b2b4-4799-a325-95d7f64e9f4b} (HKLM) -- C:\WINDOWS\system32\kofemube.dll (VMware, Inc.)

========== (O3) Toolbars ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\ToolBar]
"{1017A80C-6F09-4548-A84D-EDD6AC9525F0}" (HKLM) -- C:\Program Files\Lexmark Toolbar\toolband.dll ()

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\ToolBar]
"{2318C2B1-4965-11d4-9B18-009027A5CD4F}" (HKLM) -- c:\program files\google\googletoolbar2.dll File not found

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\ToolBar]
"{8E718888-423F-11D2-876E-00A0C9082467}" (HKLM) -- C:\WINDOWS\system32\msdxm.ocx ()

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser]
"{1017A80C-6F09-4548-A84D-EDD6AC9525F0}" (HKLM) -- C:\Program Files\Lexmark Toolbar\toolband.dll ()

========== (O4) Run Keys ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"6cfacc67"=rundll32.exe "C:\WINDOWS\System32\venijija.dll",b (Microsoft Corporation)
"AdaptecDirectCD"="C:\Program Files\Adaptec\Easy CD Creator 5\DirectCD\DirectCD.exe" (Roxio)
"avgnt"="C:\Program Files\Avira\AntiVir PersonalEdition Classic\avgnt.exe" /min (Avira GmbH)
"FaxCenterServer"="C:\Program Files\Lexmark Fax Solutions\fm3032.exe" /s ()
"gutalukidu"=Rundll32.exe "C:\WINDOWS\System32\burolage.dll",s (VMware, Inc.)
"HotSync"="C:\Program Files\PalmSource\Desktop\HotSync.exe" -AllUsers File not found
"lxddamon"="C:\Program Files\Lexmark 2500 Series\lxddamon.exe" ()
"lxddmon.exe"="C:\Program Files\Lexmark 2500 Series\lxddmon.exe" ()
"Microsoft Works Portfolio"=C:\Program Files\Microsoft Works\WksSb.exe /AllUsers (Microsoft® Corporation)
"Microsoft Works Update Detection"=C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe (Microsoft® Corporation)
"NvCplDaemon"=RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup (NVIDIA Corporation)
"NvMediaCenter"=RUNDLL32.EXE C:\WINDOWS\System32\NvMcTray.dll,NvTaskbarInit (NVIDIA Corporation)
"nwiz"=nwiz.exe /install (NVIDIA Corporation)
"PhotoExplosionCalCheck"=D:\Program Files\calcheck.exe (Ulead Systems, Inc.)
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" -atboottime (Apple Computer, Inc.)
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe" (Sun Microsystems, Inc.)
"WorksFUD"=C:\Program Files\Microsoft Works\wkfud.exe (Microsoft® Corporation)

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Systweak Ad and Popup Blocker"="D:\Program Files\Advanced System Optimizer\adblock.exe" (Systweak Inc)
"updateMgr"="C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe" AcRdB7_0_9 -reboot 1 (Adobe Systems Incorporated)

========== (O4) Startup Folders ==========

[2005/09/23 21:05:26 | 00,029,696 | ---- | M] (Adobe Systems Incorporated) -- C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
[2008/01/03 17:28:08 | 01,392,640 | R--- | M] (PalmSource, Inc) -- C:\Documents and Settings\All Users\Start Menu\Programs\Startup\HotSync Manager.lnk = D:\Program Files\Hotsync.exe
[2001/02/13 01:01:04 | 00,083,360 | ---- | M] (Microsoft Corporation) -- C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
[2001/08/07 18:06:54 | 00,024,633 | ---- | M] (Microsoft® Corporation) -- C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Microsoft Works Calendar Reminders.lnk = C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkCalRem.exe

========== (O6 & O7) Current Version Policies ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System]
"dontdisplaylastusername"=0
"legalnoticecaption"=
"legalnoticetext"=
"shutdownwithoutlogon"=1
"undockwithoutlogon"=1

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer]
"NoDriveTypeAutoRun"=145

========== (O9) IE Extensions ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Extensions\]
{08B0E5C0-4FCB-11CF-AAA5-00401C608501}: Menu: Sun Java Console -- %ProgramFiles%\Java\jre1.6.0_07\bin\npjpi160_07.dll [2008/06/10 03:27:02 | 00,132,496 | ---- | M] (Sun Microsystems, Inc.)
{669B269B-0D4E-41FB-A3D8-FD67CA94F646}: Button: ComcastHSI -- File not found
{8828075D-D097-4055-AA02-2DBFA9D85E8A}: Button: Support -- File not found
{97809617-3937-4F84-B335-9BB05EF1A8D4}: Button: Help -- File not found
{DFB852A3-47F8-48C4-A200-58CAB36FD2A2}: Menu: Spybot - Search & Destroy Configuration -- D:\Program Files\Spybot - Search & Destroy\SDHelper.dll [2008/09/15 14:25:44 | 01,562,960 | RHS- | M] (Safer Networking Limited)

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\Extensions\]
CmdMapping\\{08B0E5C0-4FCB-11CF-AAA5-00401C608501} [HKLM] -> %ProgramFiles%\Java\jre1.6.0_07\bin\npjpi160_07.dll [Sun Java Console] -> [2008/06/10 03:27:02 | 00,132,496 | ---- | M] (Sun Microsystems, Inc.)
CmdMapping\\{669B269B-0D4E-41FB-A3D8-FD67CA94F646} [HKLM] -> [ComcastHSI] -> File not found
CmdMapping\\{8828075D-D097-4055-AA02-2DBFA9D85E8A} [HKLM] -> [Support] -> File not found
CmdMapping\\{97809617-3937-4F84-B335-9BB05EF1A8D4} [HKLM] -> [Help] -> File not found
CmdMapping\\{DFB852A3-47F8-48C4-A200-58CAB36FD2A2} [HKLM] -> D:\Program Files\Spybot - Search & Destroy\SDHelper.dll [Spybot - Search & Destroy Configuration] -> [2008/09/15 14:25:44 | 01,562,960 | RHS- | M] (Safer Networking Limited)

========== (O12) Internet Explorer Plugins ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Plugins\]
PluginsPage: "" = http://activex.microsoft.com/controls/find...=%s&mime=%s
PluginsPageFriendlyName: "" = Microsoft ActiveX Gallery

========== (O13) Default Prefixes ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\URL\DefaultPrefix]
""=http://

========== (O15) Trusted Sites ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\]
50 domain(s) and sub-domain(s) not assigned to a zone.

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\]
51 domain(s) and sub-domain(s) not assigned to a zone.

========== (O16) DPF ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Code Store Database\Distribution Units\]
{05D44720-58E3-49E6-BDF6-D00330E511D3}: http://zone.msn.com/binFrameWork/v10/StagingUI.cab40641.cab -- StagingUI Object
{166B1BCA-3F9C-11CF-8075-444553540000}: http://download.macromedia.com/pub/shockwa...director/sw.cab -- Shockwave ActiveX Control
{2B323CD9-50E3-11D3-9466-00A0C9700498}: http://us.chat1.yimg.com/us.yimg.com/i/cha...v45/yacscom.cab -- Yahoo! Audio Conferencing
{31E68DE2-5548-4B23-88F0-C51E6A0F695E}: https://support.microsoft.com/OAS/ActiveX/odc.cab -- Microsoft PID Sniffer
{39B0684F-D7BF-4743-B050-FDC3F48F7E3B}: http://www.fileplanet.com/fpdlmgr/cabs/FPDC_1_0_0_44.cab -- FilePlanet Download Control Class
{3BB54395-5982-4788-8AF4-B5388FFDD0D8}: http://zone.msn.com/BinFrameWork/v10/ZBuddy.cab32846.cab -- ZoneBuddy Class
{4B9F2C37-C0CF-42BC-BB2D-DCFA8B25CABF}: http://zone.msn.com/bingame/rock/default/popcaploader1.cab -- PopCapLoaderCtrl Class
{56336BCB-3D8A-11D6-A00B-0050DA18DE71}: http://software-dl.real.com/064822aaff7a43...ip/RdxIE601.cab -- Reg Error: Key does not exist or could not be opened.
{5736C456-EA94-4AAC-BB08-917ABDD035B3}: http://zone.msn.com/binframework/v10/ZPAChat.cab32846.cab -- ZonePAChat Object
{6414512B-B978-451D-A0D8-FCFDF33E833C}: http://update.microsoft.com/windowsupdate/...b?1121397297750 -- WUWebControl Class
{6E32070A-766D-4EE6-879C-DC1FA91D2FC3}: http://update.microsoft.com/microsoftupdat...b?1121398020640 -- MUWebControl Class
{74C861A1-D548-4916-BC8A-FDE92EDFF62C}: http://mediaplayer.walmart.com/installer/install.cab -- Reg Error: Key does not exist or could not be opened.
{7D1E9C49-BD6A-11D3-87A8-009027A35D73}: http://chat.yahoo.com/cab/yacsui.cab -- Yahoo! Audio UI1
{7F9B30F1-5129-4F5C-A76C-CE264A6C7D10}: http://infonet.hmc.psu.edu/terminal/Packag...ployrun.eng.cab -- Hummingbird Component Deployment
{809A6301-7B40-4436-A02C-87B8D3D7D9E3}: http://zone.msn.com/bingame/zpagames/zpa_dmno.cab40746.cab -- ZPA_DMNO Object
{8AD9C840-044E-11D1-B3E9-00805F499D93}: http://java.sun.com/update/1.6.0/jinstall-...indows-i586.cab -- Java Plug-in 1.6.0_07
{B8BE5E93-A60C-4D26-A2DC-220313175592}: http://zone.msn.com/binFramework/v10/ZIntro.cab34246.cab -- ZoneIntro Class
{CAFEEFAC-0015-0000-0004-ABCDEFFEDCBA}: http://java.sun.com/update/1.5.0/jinstall-...indows-i586.cab -- Java Plug-in 1.5.0_04
{CAFEEFAC-0016-0000-0001-ABCDEFFEDCBA}: http://java.sun.com/update/1.6.0/jinstall-...indows-i586.cab -- Java Plug-in 1.6.0_01
{CAFEEFAC-0016-0000-0002-ABCDEFFEDCBA}: http://java.sun.com/update/1.6.0/jinstall-...indows-i586.cab -- Java Plug-in 1.6.0_02
{CAFEEFAC-0016-0000-0003-ABCDEFFEDCBA}: http://java.sun.com/update/1.6.0/jinstall-...indows-i586.cab -- Java Plug-in 1.6.0_03
{CAFEEFAC-0016-0000-0005-ABCDEFFEDCBA}: http://java.sun.com/update/1.6.0/jinstall-...indows-i586.cab -- Java Plug-in 1.6.0_05
{CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA}: http://java.sun.com/update/1.6.0/jinstall-...indows-i586.cab -- Java Plug-in 1.6.0_07
{CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA}: http://java.sun.com/update/1.6.0/jinstall-...indows-i586.cab -- Java Plug-in 1.6.0_07
{D27CDB6E-AE6D-11CF-96B8-444553540000}: http://download.macromedia.com/pub/shockwa...ash/swflash.cab -- Shockwave Flash Object
{D54160C3-DB7B-4534-9B65-190EE4A9C7F7}: http://zone.msn.com/bingame/feed/default/SproutLauncher.cab -- SproutLauncherCtrl Class
{DA2AA6CF-5C7A-4B71-BC3B-C771BB369937}: http://zone.msn.com/binframework/v10/StProxy.cab35645.cab -- StadiumProxy Class
{E5F5D008-DD2C-4D32-977D-1A0ADF03058B}: https://access.hersheymed.net/dana-cached/s...perSetupSP1.cab -- JuniperSetupSP1 Control
{ED28050F-D713-43BA-A376-DCC5C35407D5}: https://music.msn.com/client/msnmusax4227.cab -- MsnMusicAx Class

========== (O17) DNS Name Servers ==========

{96F909BB-723E-4F66-8117-9EBCA8BD5238} (Servers: | Description: Marvell Yukon 88E8001/8003/8010 PCI Gigabit Ethernet Controller)

========== (O20) AppInit_DLLs ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]
"AppInit_Dlls"=C:\WINDOWS\System32\tepidike.dll,C:\WINDOWS\System32\hafasego.dll
>[2008/09/05 14:08:04 | 00,064,280 | -HS- | M] () -- C:\WINDOWS\system32\tepidike.dll
>File not found -- C:\WINDOWS\System32\hafasego.dll

========== (O20) Winlogon Notify Settings ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\]
WgaLogon: "DllName" = Reg Error: Value DLLName does not exist or could not be read. -- File not found

========== Safeboot Options ==========

"AlternateShell"=cmd.exe

========== CDRom AutoRun Settings ==========

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Cdrom]
"AutoRun" = 1

========== Autorun Files on Drives ==========

AUTOEXEC.BAT []
[2005/01/14 06:09:45 | 00,000,000 | ---- | M] () -- C:\AUTOEXEC.BAT -- [ NTFS ]

AutoUpdate []
[2005/12/06 11:54:44 | 00,000,000 | ---D | M] -- D:\AutoUpdate -- [ NTFS ]

========== Files/Folders - Created Within 30 Days ==========

[1 C:\WINDOWS\*.tmp files]
[2008/12/08 07:22:12 | 00,423,424 | ---- | C] (OldTimer Tools) -- C:\Documents and Settings\JP\Desktop\OTViewIt.exe
[2008/12/02 21:08:11 | 00,305,705 | ---- | C] () -- C:\Documents and Settings\JP\Desktop\RSIT.exe
[2008/12/02 21:07:09 | 00,000,000 | ---D | C] -- C:\Program Files\trend micro
[2008/12/02 21:07:08 | 00,000,000 | ---D | C] -- C:\rsit
[2008/12/02 09:14:13 | 00,024,064 | ---- | C] () -- C:\Documents and Settings\JP\My Documents\Collect ltrs Doc.doc
[2008/11/30 20:07:45 | 00,005,763 | ---- | C] () -- C:\Documents and Settings\JP\My Documents\pa pictographs.png
[2008/11/29 22:19:34 | 00,017,136 | ---- | C] () -- C:\WINDOWS\System32\sasnative32.exe
[2008/11/29 22:07:46 | 21,462,26176 | -HS- | C] () -- C:\hiberfil.sys
[2008/11/28 19:49:23 | 00,561,152 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\dllcache\user32.dll
[2008/11/28 19:43:55 | 00,000,000 | ---D | C] -- C:\WINDOWS\ERUNT
[2008/11/28 19:40:24 | 00,000,000 | ---D | C] -- C:\SDFix
[2008/11/28 19:39:17 | 01,529,241 | ---- | C] () -- C:\Documents and Settings\JP\Desktop\SDFix.exe
[2008/11/26 19:24:07 | 00,000,000 | ---D | C] -- C:\Documents and Settings\JP\Local Settings\Application Data\Cielosim
[2008/11/23 09:44:03 | 01,583,621 | -HS- | C] () -- C:\WINDOWS\System32\ifabobef.ini
[2008/11/23 08:48:50 | 00,000,000 | ---D | C] -- C:\Documents and Settings\JP\Application Data\Malwarebytes
[2008/11/23 08:48:47 | 00,015,504 | ---- | C] (Malwarebytes Corporation) -- C:\WINDOWS\System32\drivers\mbam.sys
[2008/11/23 08:48:47 | 00,000,638 | ---- | C] () -- C:\Documents and Settings\All Users\Desktop\Malwarebytes' Anti-Malware.lnk
[2008/11/23 08:48:44 | 00,038,496 | ---- | C] (Malwarebytes Corporation) -- C:\WINDOWS\System32\drivers\mbamswissarmy.sys
[2008/11/23 08:48:42 | 00,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Application Data\Malwarebytes
[2008/11/22 09:32:23 | 00,000,793 | ---- | C] () -- C:\Documents and Settings\All Users\Desktop\Ad-Watch.lnk
[2008/11/22 09:32:23 | 00,000,793 | ---- | C] () -- C:\Documents and Settings\All Users\Desktop\Ad-Aware.lnk
[2008/11/20 19:44:56 | 00,000,000 | ---D | C] -- C:\Documents and Settings\JP\My Documents\New Folder
[2008/11/12 20:40:01 | 00,026,624 | ---- | C] () -- C:\Documents and Settings\JP\My Documents\Deep Selah Lyrics.doc
[2008/11/12 20:25:42 | 00,025,088 | ---- | C] () -- C:\Documents and Settings\JP\My Documents\In The Calm Lyrics.doc
[2008/11/12 18:12:16 | 00,000,000 | ---D | C] -- C:\scenery
[2008/11/12 18:12:16 | 00,000,000 | ---D | C] -- C:\MTA
[2008/11/12 18:12:14 | 00,000,000 | ---D | C] -- C:\Gauges
[2008/11/12 18:12:14 | 00,000,000 | ---D | C] -- C:\Effects
[2008/11/12 18:12:12 | 00,000,000 | ---D | C] -- C:\Modules
[2008/11/12 18:12:12 | 00,000,000 | ---D | C] -- C:\Aircraft
[2008/11/12 18:12:11 | 00,000,387 | ---- | C] () -- C:\Documents and Settings\All Users\Desktop\LAGO Male Scenery Manual.lnk
[2008/11/12 18:12:11 | 00,000,000 | ---D | C] -- C:\LAGO
[2008/11/12 18:12:07 | 00,000,196 | ---- | C] () -- C:\WINDOWS\Scenery.CFG
[2008/11/12 17:16:30 | 00,000,000 | ---D | C] -- C:\Documents and Settings\JP\My Documents\Flight Simulator Files
[2008/11/12 15:58:02 | 00,000,866 | ---- | C] () -- C:\Documents and Settings\All Users\Desktop\Microsoft Flight Simulator 2004.lnk

========== Files - Modified Within 30 Days ==========

[919 C:\WINDOWS\System32\*.tmp files]
[1 C:\WINDOWS\*.tmp files]
[2008/12/08 07:23:03 | 00,006,456 | -H-- | M] () -- C:\WINDOWS\System32\wipenofe
[2008/12/08 07:22:02 | 00,423,424 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\JP\Desktop\OTViewIt.exe
[2008/12/08 06:52:04 | 00,000,006 | -H-- | M] () -- C:\WINDOWS\tasks\SA.DAT
[2008/12/08 06:51:58 | 00,002,048 | --S- | M] () -- C:\WINDOWS\bootstat.dat
[2008/12/08 06:51:57 | 21,462,26176 | -HS- | M] () -- C:\hiberfil.sys
[2008/12/07 20:13:22 | 00,093,439 | -HS- | M] () -- C:\WINDOWS\System32\suteniro.dll
[2008/12/07 20:13:22 | 00,088,280 | -HS- | M] (Microsoft Corporation) -- C:\WINDOWS\System32\venijija.dll
[2008/12/07 08:13:10 | 00,092,825 | -HS- | M] (Microsoft Corporation) -- C:\WINDOWS\System32\zafufura.dll
[2008/12/07 08:13:10 | 00,087,846 | -HS- | M] (Microsoft Corporation) -- C:\WINDOWS\System32\parajami.dll
[2008/12/06 19:27:18 | 00,093,399 | -HS- | M] () -- C:\WINDOWS\System32\gohifodi.dll
[2008/12/06 19:27:18 | 00,087,796 | -HS- | M] (Microsoft Corporation) -- C:\WINDOWS\System32\nijopido.dll
[2008/12/06 07:26:57 | 00,093,930 | -HS- | M] () -- C:\WINDOWS\System32\guvodudi.dll
[2008/12/06 07:26:57 | 00,087,800 | -HS- | M] (Microsoft Corporation) -- C:\WINDOWS\System32\teyasoge.dll
[2008/12/05 14:07:04 | 00,064,280 | -HS- | M] (VMware, Inc.) -- C:\WINDOWS\System32\tunayiri.dll
[2008/12/05 14:07:03 | 00,094,319 | -HS- | M] () -- C:\WINDOWS\System32\yozezuna.dll
[2008/12/05 14:07:03 | 00,088,359 | -HS- | M] (ABBYY (BIT Software)) -- C:\WINDOWS\System32\kebajuvi.dll
[2008/12/04 20:27:29 | 00,094,402 | -HS- | M] () -- C:\WINDOWS\System32\tevaziva.dll
[2008/12/04 20:27:29 | 00,088,348 | -HS- | M] () -- C:\WINDOWS\System32\wosarako.dll
[2008/12/04 17:30:12 | 00,024,064 | ---- | M] () -- C:\Documents and Settings\JP\My Documents\Collect ltrs Doc.doc
[2008/12/04 08:27:15 | 00,094,261 | -HS- | M] () -- C:\WINDOWS\System32\wuyedawa.dll
[2008/12/04 08:27:15 | 00,088,629 | -HS- | M] () -- C:\WINDOWS\System32\pinoteye.dll
[2008/12/04 08:27:15 | 00,066,101 | -HS- | M] () -- C:\WINDOWS\System32\remebeyi.dll
[2008/12/03 19:43:35 | 00,094,773 | -HS- | M] () -- C:\WINDOWS\System32\jajulaze.dll
[2008/12/03 19:43:35 | 00,064,053 | -HS- | M] () -- C:\WINDOWS\System32\yowujeje.dll
[2008/12/03 16:54:14 | 00,000,831 | ---- | M] () -- C:\Documents and Settings\JP\Desktop\Spybot - Search & Destroy.lnk
[2008/12/03 16:53:29 | 00,287,985 | R--- | M] () -- C:\WINDOWS\System32\drivers\etc\HOSTS
[2008/12/03 07:43:32 | 00,094,773 | -HS- | M] () -- C:\WINDOWS\System32\vofehafi.dll
[2008/12/03 07:43:32 | 00,085,557 | -HS- | M] () -- C:\WINDOWS\System32\gerogije.dll
[2008/12/02 21:08:02 | 00,305,705 | ---- | M] () -- C:\Documents and Settings\JP\Desktop\RSIT.exe
[2008/12/02 19:43:11 | 00,064,052 | -HS- | M] () -- C:\WINDOWS\System32\bonipola.dll
[2008/12/02 07:42:47 | 00,064,052 | -HS- | M] () -- C:\WINDOWS\System32\bohotute.dll
[2008/12/02 07:42:46 | 00,093,236 | -HS- | M] () -- C:\WINDOWS\System32\honayoto.dll
[2008/12/01 14:43:56 | 00,093,236 | -HS- | M] () -- C:\WINDOWS\System32\niyihifi.dll
[2008/11/30 21:09:16 | 00,095,284 | -HS- | M] () -- C:\WINDOWS\System32\dinizuha.dll
[2008/11/30 20:07:45 | 00,005,763 | ---- | M] () -- C:\Documents and Settings\JP\My Documents\pa pictographs.png
[2008/11/30 09:09:03 | 00,095,284 | -HS- | M] () -- C:\WINDOWS\System32\podezowu.dll
[2008/11/29 21:22:01 | 00,021,828 | ---- | M] () -- C:\WINDOWS\System32\nvapps.xml
[2008/11/29 09:04:32 | 00,472,198 | ---- | M] () -- C:\WINDOWS\System32\PerfStringBackup.INI
[2008/11/29 09:04:32 | 00,401,680 | ---- | M] () -- C:\WINDOWS\System32\perfh009.dat
[2008/11/29 09:04:32 | 00,062,576 | ---- | M] () -- C:\WINDOWS\System32\perfc009.dat
[2008/11/29 09:00:11 | 00,000,686 | ---- | M] () -- C:\WINDOWS\System32\drivers\etc\hosts.20081203-165329.backup
[2008/11/28 19:49:23 | 00,561,152 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\System32\dllcache\user32.dll
[2008/11/28 19:38:11 | 01,529,241 | ---- | M] () -- C:\Documents and Settings\JP\Desktop\SDFix.exe
[2008/11/25 22:54:32 | 00,075,072 | ---- | M] (Avira GmbH) -- C:\WINDOWS\System32\drivers\avipbb.sys
[2008/11/24 19:50:37 | 00,000,754 | ---- | M] () -- C:\WINDOWS\WORDPAD.INI
[2008/11/23 16:34:49 | 00,014,998 | ---- | M] () -- C:\WINDOWS\cdplayer.ini
[2008/11/23 09:44:18 | 01,583,621 | -HS- | M] () -- C:\WINDOWS\System32\ifabobef.ini
[2008/11/23 08:48:47 | 00,000,638 | ---- | M] () -- C:\Documents and Settings\All Users\Desktop\Malwarebytes' Anti-Malware.lnk
[2008/11/22 14:21:48 | 25,165,824 | ---- | M] () -- C:\WINDOWS\System32\RO2E83.bac
[2008/11/22 14:21:48 | 05,505,024 | ---- | M] () -- C:\WINDOWS\System32\RO2E88.bac
[2008/11/22 14:21:48 | 01,572,864 | ---- | M] () -- C:\WINDOWS\System32\RO2E8B.bac
[2008/11/22 14:21:48 | 00,712,704 | ---- | M] () -- C:\WINDOWS\System32\RO2E80.bac
[2008/11/22 14:21:48 | 00,524,288 | ---- | M] () -- C:\WINDOWS\System32\RO2E93.bac
[2008/11/22 14:21:48 | 00,499,712 | ---- | M] () -- C:\WINDOWS\System32\RO2E9B.bac
[2008/11/22 14:21:48 | 00,024,576 | ---- | M] () -- C:\WINDOWS\System32\RO2E90.bac
[2008/11/22 14:21:45 | 06,029,312 | ---- | M] () -- C:\WINDOWS\System32\RO2EA3.bac
[2008/11/22 14:21:45 | 01,572,864 | ---- | M] () -- C:\WINDOWS\System32\RO2EA8.bac
[2008/11/22 14:21:39 | 00,000,004 | ---- | M] () -- C:\WINDOWSRegDefrag.dat
[2008/11/22 09:32:23 | 00,000,793 | ---- | M] () -- C:\Documents and Settings\All Users\Desktop\Ad-Watch.lnk
[2008/11/22 09:32:23 | 00,000,793 | ---- | M] () -- C:\Documents and Settings\All Users\Desktop\Ad-Aware.lnk
[2008/11/21 15:58:01 | 00,054,156 | -H-- | M] () -- C:\WINDOWS\QTFont.qfn
[2008/11/13 10:32:35 | 02,641,814 | -H-- | M] () -- C:\Documents and Settings\JP\Local Settings\Application Data\IconCache.db
[2008/11/12 20:43:52 | 00,026,624 | ---- | M] () -- C:\Documents and Settings\JP\My Documents\Deep Selah Lyrics.doc
[2008/11/12 20:28:19 | 00,025,088 | ---- | M] () -- C:\Documents and Settings\JP\My Documents\In The Calm Lyrics.doc
[2008/11/12 18:18:02 | 00,001,799 | ---- | M] () -- C:\Documents and Settings\All Users\Desktop\ActiveSky Graphics.lnk
[2008/11/12 18:18:02 | 00,001,782 | ---- | M] () -- C:\Documents and Settings\All Users\Desktop\ASv6 Wx Engine.lnk
[2008/11/12 18:12:12 | 00,000,387 | ---- | M] () -- C:\Documents and Settings\All Users\Desktop\LAGO Male Scenery Manual.lnk
[2008/11/12 18:12:07 | 00,000,196 | ---- | M] () -- C:\WINDOWS\Scenery.CFG
[2008/11/12 15:58:02 | 00,000,866 | ---- | M] () -- C:\Documents and Settings\All Users\Desktop\Microsoft Flight Simulator 2004.lnk
[2008/11/11 10:23:14 | 00,002,206 | ---- | M] () -- C:\WINDOWS\System32\wpa.dbl
[2008/11/10 19:49:12 | 00,017,136 | ---- | M] () -- C:\WINDOWS\System32\sasnative32.exe
< End of report >


OTViewIt Extras logfile created on: 12/8/2008 7:23:53 AM - Run 2
OTViewIt by OldTimer - Version 1.0.20.1 Folder = C:\Documents and Settings\JP\Desktop
Windows XP Professional Edition Service Pack 1 (Version = 5.1.2600) - Type = NTWorkstation
Internet Explorer (Version = 6.0.2800.1106)
Locale: 00000409 | Country: United States | Language: ENU | Date Format: M/d/yyyy

2.00 Gb Total Physical Memory | 1.60 Gb Available Physical Memory | 79.82% Memory free
4.00 Gb Paging File | 4.00 Gb Available in Paging File | 100.00% Paging File free
Paging file location(s): E:\pagefile.sys 4000 4000;

%SystemDrive% = C: | %SystemRoot% = C:\WINDOWS | %ProgramFiles% = C:\Program Files
Drive C: | 10.00 Gb Total Space | 0.55 Gb Free Space | 5.48% Space Free | Partition Type: NTFS
Drive D: | 20.00 Gb Total Space | 15.74 Gb Free Space | 78.72% Space Free | Partition Type: NTFS
Drive E: | 44.53 Gb Total Space | 7.33 Gb Free Space | 16.46% Space Free | Partition Type: NTFS
F: Drive not present or media not loaded
G: Drive not present or media not loaded
H: Drive not present or media not loaded
I: Drive not present or media not loaded

Computer Name: PRICEJEFF
Current User Name: JP
Logged in as Administrator.

Current Boot Mode: Normal
Scan Mode: Current user
Whitelist: On
File Age = 30 Days

========== File Associations ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\<extension>]
.html [@ = FirefoxHTML] -- Reg Error: Key does not exist or could not be opened. File not found
.scr [@ = scrfile] -- "%1" /S "%3"

========== Security Center Settings ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center]
"UpdatesDisableNotify"=1

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications]

========== Authorized Applications List ==========

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\AuthorizedApplications\List]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List]
[2002/08/29 05:41:26 | 00,091,136 | ---- | M] (Microsoft Corporation) -- C:\Program Files\Internet Explorer\IEXPLORE.EXE:*:Enabled:Internet Explorer

========== (O10) Winsock2 Catalogs ==========

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\WinSock2\Parameters\]
NameSpace_Catalog5\Catalog_Entries\000000000002 [Juniper Secure DNS (Top)] -- C:\Program Files\Juniper Networks\Secure Application Manager\samnsp.dll (Juniper Networks)
NameSpace_Catalog5\Catalog_Entries\000000000005 [Juniper Secure DNS (Bottom)] -- C:\Program Files\Juniper Networks\Secure Application Manager\samnsp.dll (Juniper Networks)

========== HKEY_CURRENT_USER Protocol Defaults ==========


[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProtocolDefaults] - Default Protocols
shell -- shell protocol not assigned

========== (O18) Protocol Handlers ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\PROTOCOLS\Handler\]
ipp: [HKLM - No CLSID value]
[2004/01/29 09:08:23 | 01,130,496 | ---- | M] (Microsoft Corporation) C:\Program Files\Common Files\System\Ole DB\MSDAIPP.DLL ipp\0x00000001:{E1D2BF42-A96B-11d1-9C6B-0000F875AC61} (HKLM) [HKLM - MSDAMON.BINDER]
msdaipp: [HKLM - No CLSID value]
[2004/01/29 09:08:23 | 01,130,496 | ---- | M] (Microsoft Corporation) C:\Program Files\Common Files\System\Ole DB\MSDAIPP.DLL msdaipp\0x00000001:{E1D2BF42-A96B-11d1-9C6B-0000F875AC61} (HKLM) [HKLM - MSDAMON.BINDER]
[2004/01/29 09:08:23 | 01,130,496 | ---- | M] (Microsoft Corporation) C:\Program Files\Common Files\System\Ole DB\MSDAIPP.DLL msdaipp\oledb:{E1D2BF40-A96B-11d1-9C6B-0000F875AC61} (HKLM) [HKLM - MSDAIPP.BINDER]
[2003/09/17 11:01:28 | 00,844,048 | ---- | M] () C:\WINDOWS\system32\msdxm.ocx (vnd.ms.radio:{3DA2AA3B-3D96-11D2-9BD2-204C4F4F5020} (HKLM) [AsyncPProt Class])

========== HKEY_LOCAL_MACHINE Uninstall List ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall]
"{0F0D371F-C111-4279-963A-04139A5E49DB}"=ActiveSky Version 6.5 and ActiveSky Graphics
"{1017A80C-6F09-4548-A84D-EDD6AC9525F0}"=Lexmark Toolbar
"{164360E5-0AAD-48AD-8A36-3F8A859FAB6F}"=PMDG747_400F
"{18D10072035C4515918F7E37EAFAACFC}"=AutoUpdate
"{1E04F83B-2AB9-4301-9EF7-E86307F79C72}"=Google Earth
"{1EC65D1D-3911-4F7D-8B6A-63C69EDBFC6E}"=EditVoicepack
"{20A96613-3802-436C-842E-653C62FABA0D}"=aerosoft's - AES-Base&&AirportPack - FS2004
"{2318C2B1-4965-11d4-9B18-009027A5CD4F}"=Google Toolbar for Internet Explorer
"{2758F387-D016-4725-9D03-AB039364DF3D}"=PMDG_747-400_Sound_Update
"{2E36241A-2B2F-4E61-A54C-99FBDE132F9F}"=AFX
"{304DAE83-906F-4005-BA09-2870349ABD14}"=PMDG 747-400 FS9 Update V1R12 (Unifies to FSX)
"{30BEB3F9-F159-4EA4-8DA4-324FC898192E}"=Abacus EZ-Scenery V1.03
"{3248F0A8-6813-11D6-A77B-00B0D0150040}"=J2SE Runtime Environment 5.0 Update 4
"{3248F0A8-6813-11D6-A77B-00B0D0160010}"=Java™ SE Runtime Environment 6 Update 1
"{3248F0A8-6813-11D6-A77B-00B0D0160020}"=Java™ 6 Update 2
"{3248F0A8-6813-11D6-A77B-00B0D0160030}"=Java™ 6 Update 3
"{3248F0A8-6813-11D6-A77B-00B0D0160050}"=Java™ 6 Update 5
"{3248F0A8-6813-11D6-A77B-00B0D0160070}"=Java™ 6 Update 7
"{350C97B0-3D7C-4EE8-BAA9-00BCB3D54227}"=WebFldrs XP
"{3714F716-A28B-4D8A-AD99-0E0DDB2EE8BE}"=AI Traffic Mover
"{3EE09884-34CC-46EA-B316-5ECB0427E4C7}"=FS Recorder 1.32 for FS2004
"{43CD1C3B-A3FB-4773-8D92-66FE4B2F8C88}"=Flight Simulator 2004 Traffic Toolbox SDK
"{53F5A5FF-D9A6-4CE7-8FAC-74535E61AD62}"=GaugeExplorer
"{5635FCDA-2B86-400F-BF23-784AB09B590F}"=ActiveSky2004
"{609F7AC8-C510-11D4-A788-009027ABA5D0}"=Easy CD Creator 5 Basic
"{6A136B9A-1895-436F-83F8-30D9C68BB6EA}"=Rhapsody Player Engine
"{7131646D-CD3C-40F4-97B9-CD9E4E6262EF}"=Microsoft .NET Framework 2.0
"{716E0306-8318-4364-8B8F-0CC4E9376BAC}"=MSXML 4.0 SP2 Parser and SDK
"{7B63B2922B174135AFC0E1377DD81EC2}"=DivX Codec
"{7FE8082A-F9B5-4A3A-A0F0-7F1BE365FD3D}"=LAGO MilitaryCopters
"{81EBC018-1607-4FDC-86DA-E974FEB0C638}"=Shoot
"{8ADFC4160D694100B5B8A22DE9DCABD9}"=DivX Player
"{90AF0409-6000-11D3-8CFE-0150048383C9}"=Microsoft Office PowerPoint Viewer 2003
"{911B0409-6000-11D3-8CFE-0050048383C9}"=Microsoft Word 2002
"{97679567-0095-464E-B5F2-E218A1CF3421}"=PMDG747_400 Queen of the Skies
"{A1B7B9B3-E1D2-41CA-9B4A-F18DC2710704}"=Microsoft Works 6.0
"{AC76BA86-7AD7-1033-7B44-A70900000002}"=Adobe Reader 7.0.9
"{ACF60000-22B9-4CE9-98D6-2CCF359BAC07}"=ABBYY FineReader 6.0 Sprint
"{B13A7C41581B411290FBC0395694E2A9}"=DivX Converter
"{B4092C6D-E886-4CB2-BA68-FE5A88D31DE6}_is1"=Spybot - Search & Destroy
"{B43357AA-3A6D-4D94-B56E-43C44D09E548}"=Microsoft .NET Framework (English)
"{B7050CBDB2504B34BC2A9CA0A692CC29}"=DivX Web Player
"{B8CC0D86-A562-4C11-9523-4CB6C3E1F033}"=Abacus Flight Deck 4
"{BD3DCAB0-3FE5-44FB-90DA-EFB0A2CD1387}"=Works Synchronization
"{C0A6901F-C919-47A3-A4D9-E2056314086B}"=aerosoft's - London Heathrow 2008
"{C3A439E4-7303-491F-A678-CEA36A87D517}"=Microsoft Works Suite Add-in for Microsoft Word
"{C778BD4F-0DEA-4D39-B7C1-992E1BFFD351}"=Photo Explosion 3.0 Special Edition
"{C950420B-4182-49EA-850A-A6A2ABF06C6B}"=Marvell Miniport Driver
"{C95DE258-C004-451E-BB2B-64C1D273E4CC}"=LAGO Male Scenery 1.00
"{CB2F7EDD-9D1F-43C1-90FC-4F52EAE172A1}"=Microsoft .NET Framework 1.1
"{D0E5A0A5-9C8C-4389-893E-B9ED05AE98E0}"=aerosoft's - Manhattan - FS2004
"{D4E22434-1BCE-4C91-A1E4-FC352DFD4B3B}"=aerosoft's - Mega Airport Frankfurt - FS2004
"{DC19E750-988B-4005-A355-85EF66055EFE}"=Works Suite OS Pack
"{DED53B0B-B67C-4244-AE6A-D6FD3C28D1EF}"=Ad-Aware
"{E5C099C3-624E-4BF2-B1D9-D63245091216}"=SnapShooter 2.21
"{ED654F5D-5DC9-46EA-9D10-621231527F98}"=FS9 Configurator
"{F0A37341-D692-11D4-A984-009027EC0A9C}"=SoundMAX
"{FD6034A3-655C-49F0-B496-D4CBFD74D7A7}"=Palm Desktop by ACCESS
"421CGoldenEagle12"=Flight 1 Software Cessna 441 - Conquest II 1.0
"A346 Livery Pack"=A346 Livery Pack
"Active Camera 2004 2.1 for FS 2004 (updated to 9.1)"=Active Camera 2004 2.1 for FS 2004 (updated to 9.1)
"Ad-aware 6 Personal"=Ad-aware 6 Personal
"Adobe Flash Player Plugin"=Adobe Flash Player Plugin
"Adobe Shockwave Player"=Adobe Shockwave Player
"afx"=AFX
"AirWrench"=NSIS AirWrench
"AnalogX MaxMem"=AnalogX MaxMem
"AntiVir PersonalEdition Classic"=Avira AntiVir Personal - Free Antivirus
"ARINC"=ARINC
"AtlanticSunACARS V2.0.1"=AtlanticSunACARS V2.0.1
"Audacity_is1"=Audacity 1.2.6
"B752CAPTAIN"=Block B - Model + VC
"Captain Sim v1.5 update/reinstall fix"=Captain Sim v1.5 update/reinstall fix
"End It All"=End It All
"F-117A "NightHawk" "=F-117A "NightHawk"
"Flight Simulator 9.0"=Microsoft Flight Simulator 2004 A Century of Flight
"FlightZone 02: Portland"=FlightZone 02: Portland
"Fraps"=Fraps (remove only)
"FS Repaint"=FS Repaint
"FS_Real_Time"=FS Real Time v1.79
"FS2Crew: PMDG 747 Edition (FS9/Non F1)"=FS2Crew: PMDG 747 Edition (FS9/Non F1)
"FS2Crew: PMDG 747 Edition Update 1.2"=FS2Crew: PMDG 747 Edition Update 1.2
"FSD Porter for FS 2004"=FSD Porter\FS 2004
"FSDreamTeam Ohare9_is1"=FSDreamTeam Ohare9 1.1
"FSDreamTeam Zurich9_is1"=FSDreamTeam Zurich9 1.3
"FSGenesis The Rockies 38m Terrain"=FSGenesis The Rockies 38m Terrain
"FSWater_10"=FS Water
"Ground Environment"=Ground Environment
"HCDT.HostExplorer Web Deployment"=HostExplorer (Web Deployed)
"HCDT.Hummingbird Component Deployment"=Hummingbird Component Deployment
"HijackThis"=HijackThis 2.0.2
"kazaalite202_is1"=Kazaa Lite K++ v2.4.3
"Legacy of the Sky: Supermarine Spitfire V"=Legacy of the Sky: Supermarine Spitfire V
"Legendary 707"=Legendary 707
"Legendary 727 Pro v13 sp5 - RiXSTER"=Legendary 727 Pro v13 sp5 - RiXSTER
"LEGENDARYC130"=Legendary C-130
"LEGENDARYW130"=AC-130E Expansion Model
"Lexmark 2500 Series"=Lexmark 2500 Series
"Lexmark Fax Solutions"=Lexmark Fax Solutions
"LimeWire"=LimeWire 4.18.3
"MAAM-SIM TBF/TBM AVENGER for FS2004"=MAAM-SIM TBF/TBM AVENGER for FS2004
"Malta Intl. Airport V1.0"=Malta Intl. Airport V1.0
"Malwarebytes' Anti-Malware_is1"=Malwarebytes' Anti-Malware
"Microsoft .NET Framework 1.1 (1033)"=Microsoft .NET Framework 1.1
"Microsoft .NET Framework 2.0"=Microsoft .NET Framework 2.0
"Microsoft .NET Framework Full v1.0.3705 (1033)"=Microsoft .NET Framework (English) v1.0.3705
"Mozilla Firefox (3.0.4)"=Mozilla Firefox (3.0.4)
"MyWorld2004 LandClass 2005"=MyWorld2004 LandClass 2005
"Neoteris_Secure_Application_Manager"=Juniper Networks Secure Application Manager
"NVIDIA Drivers"=NVIDIA Drivers
"pc12_1"=Flight One Software Pilatus PC-12
"PS Panels 737NG Panel System_is1"=PS Panels 737NG Version 1.1
"PSS Dash 8 300 Professional (RiXSTER)"=PSS Dash 8 300 Professional (RiXSTER)
"Q828026"=Windows Media Player Hotfix [See Q828026 for more information]
"QuickTime"=QuickTime
"RealPlayer 6.0"=RealPlayer
"Repaint Package"=Repaint Package
"Shanghai Today 2004"=Shanghai Today 2004
"ShockwaveFlash"=Adobe Flash Player 9 ActiveX
"Smith Designs KATl 1.5"=Smith Designs KATl 1.5
"Smith Graphics Albany Intl. AFCAD"=Smith Graphics Albany Intl. AFCAD
"Spybot - Search & Destroy_is1"=Spybot - Search & Destroy 1.5.2.20
"SR71 Stealth"=SR71 Stealth
"TexoMatic_Unique"=Flight One Text-o-Matic
"TGP's Scenery Package 1 for Euro Link VA"=TGP's Scenery Package 1 for Euro Link VA
"The Very Singapore"=The Very Singapore
"UniC152Ver10"=Cessna 152
"Verizon Online DSL_is1"=Verizon Online DSL
"ViewpointMediaPlayer"=Viewpoint Media Player
"WebPost"=Microsoft Web Publishing Wizard 1.52
"WGA"=Windows Genuine Advantage Validation Tool
"WinAce Archiver"=WinAce Archiver
"Windows Media Format Runtime"=Windows Media Format Runtime
"Windows Media Player"=Windows Media Player 10
"Wings of Power: B17 Flying Fortress"=Wings of Power: B17 Flying Fortress
"WinGTK-2_is1"=GTK+ 2.6.8-1 runtime environment
"WinZip"=WinZip
"Works2002Setup"=Microsoft Works 2002 Setup Launcher

========== HKEY_CURRENT_USER Uninstall List ==========

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall]
"5b954f6f7a1d5673"=Wee Tune Beastie
"Juniper_Networks_Cache_Cleaner 5.5.0"=Juniper Networks Cache Cleaner 5.5.0
"Neoteris_Host_Checker"=Juniper Networks Host Checker
"uTorrent"=µTorrent

========== Last 10 Event Log Errors ==========

[ Application Events ]
Error - 12/5/2008 3:41:45 PM | Computer Name = PRICEJEFF | Source = Application Error | ID = 1000
Description = Faulting application firefox.exe, version 1.9.0.3224, faulting module
, version 0.0.0.0, fault address 0x00000000.

Error - 12/5/2008 6:11:42 PM | Computer Name = PRICEJEFF | Source = Application Hang | ID = 1002
Description = Hanging application firefox.exe, version 1.9.0.3224, hang module hungapp,
version 0.0.0.0, hang address 0x00000000.

Error - 12/5/2008 11:13:03 PM | Computer Name = PRICEJEFF | Source = Application Hang | ID = 1002
Description = Hanging application firefox.exe, version 1.9.0.3224, hang module hungapp,
version 0.0.0.0, hang address 0x00000000.

Error - 12/7/2008 9:45:40 AM | Computer Name = PRICEJEFF | Source = Application Hang | ID = 1002
Description = Hanging application firefox.exe, version 1.9.0.3224, hang module hungapp,
version 0.0.0.0, hang address 0x00000000.

Error - 12/7/2008 9:46:29 AM | Computer Name = PRICEJEFF | Source = Application Hang | ID = 1002
Description = Hanging application firefox.exe, version 1.9.0.3224, hang module hungapp,
version 0.0.0.0, hang address 0x00000000.

Error - 12/7/2008 9:47:49 AM | Computer Name = PRICEJEFF | Source = Application Hang | ID = 1002
Description = Hanging application firefox.exe, version 1.9.0.3224, hang module hungapp,
version 0.0.0.0, hang address 0x00000000.

Error - 12/7/2008 9:50:41 AM | Computer Name = PRICEJEFF | Source = Application Hang | ID = 1002
Description = Hanging application firefox.exe, version 1.9.0.3224, hang module hungapp,
version 0.0.0.0, hang address 0x00000000.

Error - 12/7/2008 9:52:04 AM | Computer Name = PRICEJEFF | Source = Application Hang | ID = 1002
Description = Hanging application firefox.exe, version 1.9.0.3224, hang module hungapp,
version 0.0.0.0, hang address 0x00000000.

Error - 12/7/2008 10:47:07 AM | Computer Name = PRICEJEFF | Source = Application Hang | ID = 1002
Description = Hanging application firefox.exe, version 1.9.0.3224, hang module hungapp,
version 0.0.0.0, hang address 0x00000000.

Error - 12/8/2008 8:23:21 AM | Computer Name = PRICEJEFF | Source = Application Hang | ID = 1002
Description = Hanging application OTViewIt.exe, version 1.0.20.1, hang module hungapp,
version 0.0.0.0, hang address 0x00000000.

[ System Events ]
Error - 12/6/2008 8:22:21 PM | Computer Name = PRICEJEFF | Source = Service Control Manager | ID = 7000
Description = The Parallel port driver service failed to start due to the following
error: %%1058

Error - 12/6/2008 8:23:05 PM | Computer Name = PRICEJEFF | Source = Service Control Manager | ID = 7022
Description = The Windows Image Acquisition (WIA) service hung on starting.

Error - 12/7/2008 12:10:35 AM | Computer Name = PRICEJEFF | Source = Service Control Manager | ID = 7000
Description = The Parallel port driver service failed to start due to the following
error: %%1058

Error - 12/7/2008 12:11:22 AM | Computer Name = PRICEJEFF | Source = Service Control Manager | ID = 7022
Description = The Windows Image Acquisition (WIA) service hung on starting.

Error - 12/7/2008 9:13:40 AM | Computer Name = PRICEJEFF | Source = Service Control Manager | ID = 7000
Description = The Parallel port driver service failed to start due to the following
error: %%1058

Error - 12/7/2008 9:14:25 AM | Computer Name = PRICEJEFF | Source = Service Control Manager | ID = 7022
Description = The Windows Image Acquisition (WIA) service hung on starting.

Error - 12/7/2008 7:07:25 PM | Computer Name = PRICEJEFF | Source = Service Control Manager | ID = 7000
Description = The Parallel port driver service failed to start due to the following
error: %%1058

Error - 12/7/2008 7:08:07 PM | Computer Name = PRICEJEFF | Source = Service Control Manager | ID = 7022
Description = The Windows Image Acquisition (WIA) service hung on starting.

Error - 12/8/2008 7:53:07 AM | Computer Name = PRICEJEFF | Source = Service Control Manager | ID = 7000
Description = The Parallel port driver service failed to start due to the following
error: %%1058

Error - 12/8/2008 7:53:44 AM | Computer Name = PRICEJEFF | Source = Service Control Manager | ID = 7022
Description = The Windows Image Acquisition (WIA) service hung on starting.


< End of report >

#5 djay72

djay72
  • Topic Starter

  • Members
  • 38 posts
  • OFFLINE
  • Local time:06:13 AM

Posted 08 December 2008 - 08:08 AM

Attached is the GMER report.... I kept getting an error telling me the post was too long.



Thanks again...Jeff




#6 Billy O'Neal

Billy O'Neal

    Visual C++ STL Maintainer


  • Malware Response Team
  • 12,304 posts
  • OFFLINE
  • Gender:Male
  • Location:Redmond, Washington
  • Local time:04:13 AM

Posted 08 December 2008 - 09:43 PM

Hello :thumbsup:

We need to run ComboFix

Please visit this webpage for download links, and instructions for running the tool:

http://www.bleepingcomputer.com/combofix/how-to-use-combofix

* Ensure you have disabled all antivirus and anti-malware programs so they do not interfere with the running of ComboFix.

Please include the C:\ComboFix.txt in your next reply for further review.

Billy3
Twitter - My statements do not establish the official position of Microsoft Corporation, and are my own personal opinion. (But you already knew that, right?)

#7 djay72

djay72
  • Topic Starter

  • Members
  • 38 posts
  • OFFLINE
  •  
  • Local time:06:13 AM

Posted 09 December 2008 - 12:26 PM

Hello Bill... please find the ComboFix log... Also of note, since running ComboFix, Firefox doesn't like this site. Is that something that will usually happen? Thanks again, Jeff


* Created a new restore point
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\documents and settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr0.dat
c:\documents and settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr1.dat
c:\windows\Downloaded Program Files\setup.inf
c:\windows\system32\_004030_.tmp.dll
c:\windows\system32\_004031_.tmp.dll
c:\windows\system32\_004032_.tmp.dll
c:\windows\system32\_004033_.tmp.dll
c:\windows\system32\_004040_.tmp.dll
c:\windows\system32\_004041_.tmp.dll
c:\windows\system32\_004042_.tmp.dll
c:\windows\system32\_004044_.tmp.dll
c:\windows\system32\_004045_.tmp.dll
c:\windows\system32\_004048_.tmp.dll
c:\windows\system32\_004049_.tmp.dll
c:\windows\system32\_004051_.tmp.dll
c:\windows\system32\_004052_.tmp.dll
c:\windows\system32\_004053_.tmp.dll
c:\windows\system32\_004055_.tmp.dll
c:\windows\system32\_004056_.tmp.dll
c:\windows\system32\_004058_.tmp.dll
c:\windows\system32\_004062_.tmp.dll
c:\windows\system32\_004063_.tmp.dll
c:\windows\system32\_004065_.tmp.dll
c:\windows\system32\_004068_.tmp.dll
c:\windows\system32\_004070_.tmp.dll
c:\windows\system32\_004071_.tmp.dll
c:\windows\system32\_004072_.tmp.dll
c:\windows\system32\_004073_.tmp.dll
c:\windows\system32\_004076_.tmp.dll
c:\windows\system32\_004078_.tmp.dll
c:\windows\system32\_004079_.tmp.dll
c:\windows\system32\_004080_.tmp.dll
c:\windows\system32\_004084_.tmp.dll
c:\windows\system32\_004085_.tmp.dll
c:\windows\system32\_004086_.tmp.dll
c:\windows\system32\_004088_.tmp.dll
c:\windows\system32\_004089_.tmp.dll
c:\windows\system32\_004091_.tmp.dll
c:\windows\system32\_004092_.tmp.dll
c:\windows\system32\_004093_.tmp.dll
c:\windows\system32\_004095_.tmp.dll
c:\windows\system32\_004096_.tmp.dll
c:\windows\system32\_004098_.tmp.dll
c:\windows\system32\_004102_.tmp.dll
c:\windows\system32\_004103_.tmp.dll
c:\windows\system32\_004105_.tmp.dll
c:\windows\system32\_004108_.tmp.dll
c:\windows\system32\_004110_.tmp.dll
c:\windows\system32\_004111_.tmp.dll
c:\windows\system32\_004112_.tmp.dll
c:\windows\system32\_004113_.tmp.dll
c:\windows\system32\_004116_.tmp.dll
c:\windows\system32\_004118_.tmp.dll
c:\windows\system32\_004119_.tmp.dll
c:\windows\system32\_004120_.tmp.dll
c:\windows\system32\_004124_.tmp.dll
c:\windows\system32\_004126_.tmp.dll
c:\windows\system32\_007336_.tmp.dll
c:\windows\system32\_007346_.tmp.dll
c:\windows\system32\_007348_.tmp.dll
c:\windows\system32\_007351_.tmp.dll
c:\windows\system32\_007355_.tmp.dll
c:\windows\system32\_007358_.tmp.dll
c:\windows\system32\_007361_.tmp.dll
c:\windows\system32\_007364_.tmp.dll
c:\windows\system32\_007372_.tmp.dll
c:\windows\system32\_007378_.tmp.dll
c:\windows\system32\_007385_.tmp.dll
c:\windows\system32\_007396_.tmp.dll
c:\windows\system32\bohotute.dll
c:\windows\system32\bonipola.dll
c:\windows\system32\damorume.dll
c:\windows\system32\dinizuha.dll
c:\windows\system32\donojawi.dll
c:\windows\system32\gadufugi.dll
c:\windows\system32\gerogije.dll
c:\windows\system32\gohifodi.dll
c:\windows\system32\guvodudi.dll
c:\windows\system32\honayoto.dll
c:\windows\system32\hulayoba.dll
c:\windows\system32\ifabobef.ini
c:\windows\system32\jajulaze.dll
c:\windows\system32\kebajuvi.dll
c:\windows\system32\mivohilu.dll
c:\windows\system32\nijopido.dll
c:\windows\system32\niyihifi.dll
c:\windows\system32\nugebini.dll
c:\windows\system32\parajami.dll
c:\windows\system32\pefuwiwi.dll
c:\windows\system32\pinoteye.dll
c:\windows\system32\pitigema.dll
c:\windows\system32\podezowu.dll
c:\windows\system32\pofadoki.dll
c:\windows\system32\remebeyi.dll
c:\windows\system32\suteniro.dll
c:\windows\system32\tevaziva.dll
c:\windows\system32\teyasoge.dll
c:\windows\System32\tugekevo.dll
c:\windows\system32\tunayiri.dll
c:\windows\system32\venijija.dll
c:\windows\system32\viliwesi.dll
c:\windows\system32\vofehafi.dll
c:\windows\system32\waremilo.dll
c:\windows\system32\wosarako.dll
c:\windows\system32\wuyedawa.dll
c:\windows\system32\yefanopa.dll
c:\windows\system32\yezimuya.dll
c:\windows\system32\yowujeje.dll
c:\windows\system32\yozezuna.dll
c:\windows\system32\zafufura.dll

----- BITS: Possible infected sites -----

hxxp://77.74.48.105
.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Legacy_OREANS32


((((((((((((((((((((((((( Files Created from 2008-11-09 to 2008-12-09 )))))))))))))))))))))))))))))))
.

2008-12-09 12:15 . 2008-12-09 12:16 <DIR> d-------- c:\windows\LastGood
2008-12-08 07:26 . 2008-12-08 07:34 250 --a------ c:\windows\gmer.ini
2008-12-02 21:07 . 2008-12-02 21:07 <DIR> d-------- C:\rsit
2008-12-02 21:07 . 2008-12-02 22:56 <DIR> d-------- c:\program files\trend micro
2008-11-29 22:19 . 2008-11-10 19:49 17,136 --a------ c:\windows\system32\sasnative32.exe
2008-11-28 19:49 . 2008-11-28 19:49 561,152 --a--c--- c:\windows\system32\dllcache\user32.dll
2008-11-28 19:43 . 2008-11-28 19:43 <DIR> d-------- c:\windows\ERUNT
2008-11-28 19:40 . 2008-11-29 21:48 <DIR> d-------- C:\SDFix
2008-11-23 08:48 . 2008-11-23 08:48 <DIR> d-------- c:\documents and settings\JP\Application Data\Malwarebytes
2008-11-23 08:48 . 2008-11-23 08:48 <DIR> d-------- c:\documents and settings\All Users\Application Data\Malwarebytes
2008-11-23 08:48 . 2008-10-22 16:10 38,496 --a------ c:\windows\system32\drivers\mbamswissarmy.sys
2008-11-23 08:48 . 2008-10-22 16:10 15,504 --a------ c:\windows\system32\drivers\mbam.sys
2008-11-22 14:09 . 2008-11-22 14:09 36,864 --a------ c:\windows\system32\RO2E7B.tmp
2008-11-12 18:12 . 2008-11-12 18:12 <DIR> d-------- C:\scenery
2008-11-12 18:12 . 2008-11-12 18:12 <DIR> d-------- C:\MTA
2008-11-12 18:12 . 2008-11-12 18:12 <DIR> d-------- C:\Modules
2008-11-12 18:12 . 2008-11-12 18:12 <DIR> d-------- C:\LAGO
2008-11-12 18:12 . 2008-11-12 18:12 <DIR> d-------- C:\Gauges
2008-11-12 18:12 . 2008-11-12 18:12 <DIR> d-------- C:\Effects
2008-11-12 18:12 . 2008-11-12 18:12 <DIR> d-------- C:\Aircraft
2008-11-12 18:12 . 2008-11-12 18:12 196 --a------ c:\windows\Scenery.CFG

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-12-08 21:46 --------- d-----w c:\program files\Lx_cats
2008-11-26 20:15 --------- d-----w c:\documents and settings\JP\Application Data\LimeWire
2008-11-26 20:14 --------- d-----w c:\documents and settings\JP\Application Data\uTorrent
2008-11-23 13:08 --------- d-----w c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
2008-11-22 19:21 4 -c--a-w C:\WINDOWSRegDefrag.dat
2008-11-22 14:33 --------- d-----w c:\documents and settings\All Users\Application Data\Lavasoft
2008-11-22 14:32 --------- d-----w c:\program files\Lavasoft
2008-11-22 14:31 --------- d-----w c:\program files\Common Files\Wise Installation Wizard
2008-11-12 23:12 --------- d--h--w c:\program files\InstallShield Installation Information
2008-10-23 19:49 737,280 ----a-w c:\windows\iun6002.exe
2008-09-30 16:58 77,392 ----a-w c:\documents and settings\JP\Application Data\GDIPFONTCACHEV1.DAT
2008-08-27 13:17 61,224 ----a-w c:\documents and settings\JP\GoToAssistDownloadHelper.exe
2005-03-05 15:16 90 --sh--w c:\windows\cnerolf.dat
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="c:\windows\System32\ctfmon.exe" [2002-08-29 13312]
"updateMgr"="c:\program files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe" [2006-03-30 313472]
"Systweak Ad and Popup Blocker"="d:\program files\Advanced System Optimizer\adblock.exe" [2004-05-09 409600]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2005-01-13 98304]
"Microsoft Works Update Detection"="c:\program files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe" [2001-08-16 28738]
"WorksFUD"="c:\program files\Microsoft Works\wkfud.exe" [2001-10-05 24576]
"Microsoft Works Portfolio"="c:\program files\Microsoft Works\WksSb.exe" [2001-08-23 331830]
"AdaptecDirectCD"="c:\program files\Adaptec\Easy CD Creator 5\DirectCD\DirectCD.exe" [2001-09-27 659456]
"NvCplDaemon"="c:\windows\System32\NvCpl.dll" [2005-02-24 5537792]
"SunJavaUpdateSched"="c:\program files\Java\jre1.6.0_07\bin\jusched.exe" [2008-06-10 144784]
"NvMediaCenter"="c:\windows\System32\NvMcTray.dll" [2005-02-24 86016]
"avgnt"="c:\program files\Avira\AntiVir PersonalEdition Classic\avgnt.exe" [2008-07-17 266497]
"lxddmon.exe"="c:\program files\Lexmark 2500 Series\lxddmon.exe" [2007-06-11 291760]
"lxddamon"="c:\program files\Lexmark 2500 Series\lxddamon.exe" [2007-04-30 20480]
"FaxCenterServer"="c:\program files\Lexmark Fax Solutions\fm3032.exe" [2007-06-11 312240]
"PhotoExplosionCalCheck"="d:\program files\calcheck.exe" [2006-09-20 69632]
"nwiz"="nwiz.exe" [2005-02-24 c:\windows\system32\nwiz.exe]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
Adobe Reader Speed Launch.lnk - c:\program files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2005-09-23 29696]
HotSync Manager.lnk - d:\program files\Hotsync.exe [2008-01-03 1392640]
Microsoft Office.lnk - c:\program files\Microsoft Office\Office10\OSA.EXE [2001-02-13 83360]
Microsoft Works Calendar Reminders.lnk - c:\program files\Common Files\Microsoft Shared\Works Shared\wkcalrem.exe [2001-08-07 24633]

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"UpdatesDisableNotify"=dword:00000001

R0 avgntmgr;avgntmgr;c:\windows\System32\DRIVERS\avgntmgr.sys [2008-02-06 22336]
R0 viasraid;viasraid;c:\windows\System32\drivers\viasraid.sys [2003-12-12 77312]
R1 avgntdd;avgntdd;c:\windows\System32\DRIVERS\avgntdd.sys [2008-02-06 45376]
R1 NEOFLTR_550_12029;Juniper Networks TDI Filter Driver (NEOFLTR_550_12029);\??\c:\windows\System32\Drivers\NEOFLTR_550_12029.SYS [2007-08-23 63008]
R2 IOPort;IOPort;\??\c:\windows\System32\DRIVERS\IOPORT.SYS [1998-11-27 6144]
R2 lxdd_device;lxdd_device;c:\windows\System32\lxddcoms.exe -service []
R2 lxddCATSCustConnectService;lxddCATSCustConnectService;c:\windows\System32\spool\DRIVERS\W32X86\3\\lxddserv.exe [2008-09-15 99248]
S3 iscFlash;iscFlash;\??\c:\windows\SYSTEM32\DRIVERS\iscflash.sys []
S3 MBAMSwissArmy;MBAMSwissArmy;\??\c:\windows\System32\drivers\mbamswissarmy.sys [2008-11-23 38496]
S3 samhid;samhid;c:\windows\System32\drivers\samhid.sys []

[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{44BBA840-CC51-11CF-AAFA-00AA00B6015C}]
"%ProgramFiles%\setup50.exe" /APP:OE /CALLER:IE50 /user /install

[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{7790769C-0471-11d2-AF11-00C04FA35D02}]
"%ProgramFiles%\setup50.exe" /APP:WAB /CALLER:IE50 /user /install
.
- - - - ORPHANS REMOVED - - - -

BHO-{f86aff27-b2b4-4799-a325-95d7f64e9f4b} - c:\windows\System32\pitigema.dll
HKLM-Run-HotSync - c:\program files\PalmSource\Desktop\HotSync.exe
Notify-WgaLogon - (no file)


.
------- Supplementary Scan -------
.
uStart Page = about:blank
mStart Page = hxxp://www.comcast.net/
mWindow Title = Microsoft Internet Explorer provided by Comcast
uInternet Connection Wizard,ShellNext = iexplore
uInternet Settings,ProxyServer = localhost:2323
uInternet Settings,ProxyOverride = local

c:\windows\Downloaded Program Files\hcdt.bmp - c:\windows\Downloaded Program Files\DeployPkg.eng.nls
c:\windows\Downloaded Program Files\DeployPkg.dll
c:\windows\Downloaded Program Files\DeployRun.eng.nls
c:\windows\Downloaded Program Files\DeployRun.dll
O16 -: {7F9B30F1-5129-4F5C-A76C-CE264A6C7D10}
hxxp://infonet.hmc.psu.edu/terminal/Packages/deployrun.eng.cab
c:\windows\Downloaded Program Files\DeployRun.inf
FireFox -: Profile - c:\documents and settings\JP\Application Data\Mozilla\Firefox\Profiles\hhc4fy4b.default\
FireFox -: prefs.js - SEARCH.DEFAULTURL - hxxp://search.conduit.com/ResultsExt.aspx?ctid=CT1231307&SearchSource=3&q=
FireFox -: prefs.js - STARTUP.HOMEPAGE - hxxp://www.yahoo.com/
FF -: plugin - c:\program files\Adobe\Acrobat 7.0\Reader\browser\nppdf32.dll
FF -: plugin - c:\program files\Real\Netscape6\nppl3260.dll
FF -: plugin - c:\program files\Real\Netscape6\nprjplug.dll
FF -: plugin - c:\program files\Real\Netscape6\nprpjplug.dll
FF -: plugin - c:\program files\Real\RhapsodyPlayerEngine\nprhapengine.dll
FF -: plugin - c:\program files\Viewpoint\Viewpoint Experience Technology\npViewpoint.dll
FF -: plugin - d:\progra~1\PACKAG~1\NPInstal.dll
FF -: plugin - d:\program files\DivX\DivX Content Uploader\npUpload.dll
FF -: plugin - d:\program files\DivX\DivX Player\npDivxPlayerPlugin.dll
FF -: plugin - d:\program files\DivX\DivX Web Player\npdivx32.dll
.

**************************************************************************

catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-12-09 12:16:39
Windows 5.1.2600 Service Pack 1 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(688)
c:\windows\system32\ODBC32.dll

- - - - - - - > 'lsass.exe'(744)
c:\windows\System32\dssenh.dll
.
------------------------ Other Running Processes ------------------------
.
c:\program files\Lavasoft\Ad-Aware\aawservice.exe
c:\program files\Avira\AntiVir PersonalEdition Classic\avguard.exe
c:\program files\Avira\AntiVir PersonalEdition Classic\sched.exe
c:\windows\system32\spool\drivers\w32x86\3\lxddserv.exe
c:\windows\system32\lxddcoms.exe
c:\windows\system32\nvsvc32.exe
c:\windows\system32\PnkBstrA.exe
c:\program files\Analog Devices\SoundMAX\SMAgent.exe
c:\windows\system32\wdfmgr.exe
.
**************************************************************************
.
Completion time: 2008-12-09 12:19:39 - machine was rebooted
ComboFix-quarantined-files.txt 2008-12-09 17:18:51

Pre-Run: 409,018,368 bytes free
Post-Run: 303,898,624 bytes free

winxpsp1_en_pro_bf.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Professional" /fastdetect

285 --- E O F --- 2008-10-18 01:00:39

#8 Billy O'Neal

Billy O'Neal

    Visual C++ STL Maintainer


  • Malware Response Team
  • 12,304 posts
  • Gender:Male
  • Location:Redmond, Washington

Posted 09 December 2008 - 05:33 PM

Hello :thumbsup:

That report has been cut off on top. Please post the full log (including headers).

Firefox doesn't like this site. Is that something that will usually happen?


Can you explain what you mean by this?

Billy3
Twitter - My statements do not establish the official position of Microsoft Corporation, and are my own personal opinion. (But you already knew that, right?)

#9 djay72

djay72
  • Topic Starter

  • Members
  • 38 posts

Posted 09 December 2008 - 06:24 PM

Sorry Bill...Here you go...

ComboFix 08-12-07.04 - JP 2008-12-09 12:10:48.1 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.1.1252.1.1033.18.1692 [GMT -5:00]
Running from: c:\documents and settings\JP\Desktop\ComboFix.exe
* Created a new restore point
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\documents and settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr0.dat
c:\documents and settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr1.dat
c:\windows\Downloaded Program Files\setup.inf
c:\windows\system32\_004030_.tmp.dll
c:\windows\system32\_004031_.tmp.dll
c:\windows\system32\_004032_.tmp.dll
c:\windows\system32\_004033_.tmp.dll
c:\windows\system32\_004040_.tmp.dll
c:\windows\system32\_004041_.tmp.dll
c:\windows\system32\_004042_.tmp.dll
c:\windows\system32\_004044_.tmp.dll
c:\windows\system32\_004045_.tmp.dll
c:\windows\system32\_004048_.tmp.dll
c:\windows\system32\_004049_.tmp.dll
c:\windows\system32\_004051_.tmp.dll
c:\windows\system32\_004052_.tmp.dll
c:\windows\system32\_004053_.tmp.dll
c:\windows\system32\_004055_.tmp.dll
c:\windows\system32\_004056_.tmp.dll
c:\windows\system32\_004058_.tmp.dll
c:\windows\system32\_004062_.tmp.dll
c:\windows\system32\_004063_.tmp.dll
c:\windows\system32\_004065_.tmp.dll
c:\windows\system32\_004068_.tmp.dll
c:\windows\system32\_004070_.tmp.dll
c:\windows\system32\_004071_.tmp.dll
c:\windows\system32\_004072_.tmp.dll
c:\windows\system32\_004073_.tmp.dll
c:\windows\system32\_004076_.tmp.dll
c:\windows\system32\_004078_.tmp.dll
c:\windows\system32\_004079_.tmp.dll
c:\windows\system32\_004080_.tmp.dll
c:\windows\system32\_004084_.tmp.dll
c:\windows\system32\_004085_.tmp.dll
c:\windows\system32\_004086_.tmp.dll
c:\windows\system32\_004088_.tmp.dll
c:\windows\system32\_004089_.tmp.dll
c:\windows\system32\_004091_.tmp.dll
c:\windows\system32\_004092_.tmp.dll
c:\windows\system32\_004093_.tmp.dll
c:\windows\system32\_004095_.tmp.dll
c:\windows\system32\_004096_.tmp.dll
c:\windows\system32\_004098_.tmp.dll
c:\windows\system32\_004102_.tmp.dll
c:\windows\system32\_004103_.tmp.dll
c:\windows\system32\_004105_.tmp.dll
c:\windows\system32\_004108_.tmp.dll
c:\windows\system32\_004110_.tmp.dll
c:\windows\system32\_004111_.tmp.dll
c:\windows\system32\_004112_.tmp.dll
c:\windows\system32\_004113_.tmp.dll
c:\windows\system32\_004116_.tmp.dll
c:\windows\system32\_004118_.tmp.dll
c:\windows\system32\_004119_.tmp.dll
c:\windows\system32\_004120_.tmp.dll
c:\windows\system32\_004124_.tmp.dll
c:\windows\system32\_004126_.tmp.dll
c:\windows\system32\_007336_.tmp.dll
c:\windows\system32\_007346_.tmp.dll
c:\windows\system32\_007348_.tmp.dll
c:\windows\system32\_007351_.tmp.dll
c:\windows\system32\_007355_.tmp.dll
c:\windows\system32\_007358_.tmp.dll
c:\windows\system32\_007361_.tmp.dll
c:\windows\system32\_007364_.tmp.dll
c:\windows\system32\_007372_.tmp.dll
c:\windows\system32\_007378_.tmp.dll
c:\windows\system32\_007385_.tmp.dll
c:\windows\system32\_007396_.tmp.dll
c:\windows\system32\bohotute.dll
c:\windows\system32\bonipola.dll
c:\windows\system32\damorume.dll
c:\windows\system32\dinizuha.dll
c:\windows\system32\donojawi.dll
c:\windows\system32\gadufugi.dll
c:\windows\system32\gerogije.dll
c:\windows\system32\gohifodi.dll
c:\windows\system32\guvodudi.dll
c:\windows\system32\honayoto.dll
c:\windows\system32\hulayoba.dll
c:\windows\system32\ifabobef.ini
c:\windows\system32\jajulaze.dll
c:\windows\system32\kebajuvi.dll
c:\windows\system32\mivohilu.dll
c:\windows\system32\nijopido.dll
c:\windows\system32\niyihifi.dll
c:\windows\system32\nugebini.dll
c:\windows\system32\parajami.dll
c:\windows\system32\pefuwiwi.dll
c:\windows\system32\pinoteye.dll
c:\windows\system32\pitigema.dll
c:\windows\system32\podezowu.dll
c:\windows\system32\pofadoki.dll
c:\windows\system32\remebeyi.dll
c:\windows\system32\suteniro.dll
c:\windows\system32\tevaziva.dll
c:\windows\system32\teyasoge.dll
c:\windows\System32\tugekevo.dll
c:\windows\system32\tunayiri.dll
c:\windows\system32\venijija.dll
c:\windows\system32\viliwesi.dll
c:\windows\system32\vofehafi.dll
c:\windows\system32\waremilo.dll
c:\windows\system32\wosarako.dll
c:\windows\system32\wuyedawa.dll
c:\windows\system32\yefanopa.dll
c:\windows\system32\yezimuya.dll
c:\windows\system32\yowujeje.dll
c:\windows\system32\yozezuna.dll
c:\windows\system32\zafufura.dll

----- BITS: Possible infected sites -----

hxxp://77.74.48.105
.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Legacy_OREANS32


((((((((((((((((((((((((( Files Created from 2008-11-09 to 2008-12-09 )))))))))))))))))))))))))))))))
.

2008-12-09 12:15 . 2008-12-09 12:16 <DIR> d-------- c:\windows\LastGood
2008-12-08 07:26 . 2008-12-08 07:34 250 --a------ c:\windows\gmer.ini
2008-12-02 21:07 . 2008-12-02 21:07 <DIR> d-------- C:\rsit
2008-12-02 21:07 . 2008-12-02 22:56 <DIR> d-------- c:\program files\trend micro
2008-11-29 22:19 . 2008-11-10 19:49 17,136 --a------ c:\windows\system32\sasnative32.exe
2008-11-28 19:49 . 2008-11-28 19:49 561,152 --a--c--- c:\windows\system32\dllcache\user32.dll
2008-11-28 19:43 . 2008-11-28 19:43 <DIR> d-------- c:\windows\ERUNT
2008-11-28 19:40 . 2008-11-29 21:48 <DIR> d-------- C:\SDFix
2008-11-23 08:48 . 2008-11-23 08:48 <DIR> d-------- c:\documents and settings\JP\Application Data\Malwarebytes
2008-11-23 08:48 . 2008-11-23 08:48 <DIR> d-------- c:\documents and settings\All Users\Application Data\Malwarebytes
2008-11-23 08:48 . 2008-10-22 16:10 38,496 --a------ c:\windows\system32\drivers\mbamswissarmy.sys
2008-11-23 08:48 . 2008-10-22 16:10 15,504 --a------ c:\windows\system32\drivers\mbam.sys
2008-11-22 14:09 . 2008-11-22 14:09 36,864 --a------ c:\windows\system32\RO2E7B.tmp
2008-11-12 18:12 . 2008-11-12 18:12 <DIR> d-------- C:\scenery
2008-11-12 18:12 . 2008-11-12 18:12 <DIR> d-------- C:\MTA
2008-11-12 18:12 . 2008-11-12 18:12 <DIR> d-------- C:\Modules
2008-11-12 18:12 . 2008-11-12 18:12 <DIR> d-------- C:\LAGO
2008-11-12 18:12 . 2008-11-12 18:12 <DIR> d-------- C:\Gauges
2008-11-12 18:12 . 2008-11-12 18:12 <DIR> d-------- C:\Effects
2008-11-12 18:12 . 2008-11-12 18:12 <DIR> d-------- C:\Aircraft
2008-11-12 18:12 . 2008-11-12 18:12 196 --a------ c:\windows\Scenery.CFG

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-12-08 21:46 --------- d-----w c:\program files\Lx_cats
2008-11-26 20:15 --------- d-----w c:\documents and settings\JP\Application Data\LimeWire
2008-11-26 20:14 --------- d-----w c:\documents and settings\JP\Application Data\uTorrent
2008-11-23 13:08 --------- d-----w c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
2008-11-22 19:21 4 -c--a-w C:\WINDOWSRegDefrag.dat
2008-11-22 14:33 --------- d-----w c:\documents and settings\All Users\Application Data\Lavasoft
2008-11-22 14:32 --------- d-----w c:\program files\Lavasoft
2008-11-22 14:31 --------- d-----w c:\program files\Common Files\Wise Installation Wizard
2008-11-12 23:12 --------- d--h--w c:\program files\InstallShield Installation Information
2008-10-23 19:49 737,280 ----a-w c:\windows\iun6002.exe
2008-09-30 16:58 77,392 ----a-w c:\documents and settings\JP\Application Data\GDIPFONTCACHEV1.DAT
2008-08-27 13:17 61,224 ----a-w c:\documents and settings\JP\GoToAssistDownloadHelper.exe
2005-03-05 15:16 90 --sh--w c:\windows\cnerolf.dat
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="c:\windows\System32\ctfmon.exe" [2002-08-29 13312]
"updateMgr"="c:\program files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe" [2006-03-30 313472]
"Systweak Ad and Popup Blocker"="d:\program files\Advanced System Optimizer\adblock.exe" [2004-05-09 409600]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2005-01-13 98304]
"Microsoft Works Update Detection"="c:\program files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe" [2001-08-16 28738]
"WorksFUD"="c:\program files\Microsoft Works\wkfud.exe" [2001-10-05 24576]
"Microsoft Works Portfolio"="c:\program files\Microsoft Works\WksSb.exe" [2001-08-23 331830]
"AdaptecDirectCD"="c:\program files\Adaptec\Easy CD Creator 5\DirectCD\DirectCD.exe" [2001-09-27 659456]
"NvCplDaemon"="c:\windows\System32\NvCpl.dll" [2005-02-24 5537792]
"SunJavaUpdateSched"="c:\program files\Java\jre1.6.0_07\bin\jusched.exe" [2008-06-10 144784]
"NvMediaCenter"="c:\windows\System32\NvMcTray.dll" [2005-02-24 86016]
"avgnt"="c:\program files\Avira\AntiVir PersonalEdition Classic\avgnt.exe" [2008-07-17 266497]
"lxddmon.exe"="c:\program files\Lexmark 2500 Series\lxddmon.exe" [2007-06-11 291760]
"lxddamon"="c:\program files\Lexmark 2500 Series\lxddamon.exe" [2007-04-30 20480]
"FaxCenterServer"="c:\program files\Lexmark Fax Solutions\fm3032.exe" [2007-06-11 312240]
"PhotoExplosionCalCheck"="d:\program files\calcheck.exe" [2006-09-20 69632]
"nwiz"="nwiz.exe" [2005-02-24 c:\windows\system32\nwiz.exe]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
Adobe Reader Speed Launch.lnk - c:\program files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2005-09-23 29696]
HotSync Manager.lnk - d:\program files\Hotsync.exe [2008-01-03 1392640]
Microsoft Office.lnk - c:\program files\Microsoft Office\Office10\OSA.EXE [2001-02-13 83360]
Microsoft Works Calendar Reminders.lnk - c:\program files\Common Files\Microsoft Shared\Works Shared\wkcalrem.exe [2001-08-07 24633]

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"UpdatesDisableNotify"=dword:00000001

R0 avgntmgr;avgntmgr;c:\windows\System32\DRIVERS\avgntmgr.sys [2008-02-06 22336]
R0 viasraid;viasraid;c:\windows\System32\drivers\viasraid.sys [2003-12-12 77312]
R1 avgntdd;avgntdd;c:\windows\System32\DRIVERS\avgntdd.sys [2008-02-06 45376]
R1 NEOFLTR_550_12029;Juniper Networks TDI Filter Driver (NEOFLTR_550_12029);\??\c:\windows\System32\Drivers\NEOFLTR_550_12029.SYS [2007-08-23 63008]
R2 IOPort;IOPort;\??\c:\windows\System32\DRIVERS\IOPORT.SYS [1998-11-27 6144]
R2 lxdd_device;lxdd_device;c:\windows\System32\lxddcoms.exe -service []
R2 lxddCATSCustConnectService;lxddCATSCustConnectService;c:\windows\System32\spool\DRIVERS\W32X86\3\\lxddserv.exe [2008-09-15 99248]
S3 iscFlash;iscFlash;\??\c:\windows\SYSTEM32\DRIVERS\iscflash.sys []
S3 MBAMSwissArmy;MBAMSwissArmy;\??\c:\windows\System32\drivers\mbamswissarmy.sys [2008-11-23 38496]
S3 samhid;samhid;c:\windows\System32\drivers\samhid.sys []

[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{44BBA840-CC51-11CF-AAFA-00AA00B6015C}]
"%ProgramFiles%\setup50.exe" /APP:OE /CALLER:IE50 /user /install

[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{7790769C-0471-11d2-AF11-00C04FA35D02}]
"%ProgramFiles%\setup50.exe" /APP:WAB /CALLER:IE50 /user /install
.
- - - - ORPHANS REMOVED - - - -

BHO-{f86aff27-b2b4-4799-a325-95d7f64e9f4b} - c:\windows\System32\pitigema.dll
HKLM-Run-HotSync - c:\program files\PalmSource\Desktop\HotSync.exe
Notify-WgaLogon - (no file)


.
------- Supplementary Scan -------
.
uStart Page = about:blank
mStart Page = hxxp://www.comcast.net/
mWindow Title = Microsoft Internet Explorer provided by Comcast
uInternet Connection Wizard,ShellNext = iexplore
uInternet Settings,ProxyServer = localhost:2323
uInternet Settings,ProxyOverride = local

c:\windows\Downloaded Program Files\hcdt.bmp - c:\windows\Downloaded Program Files\DeployPkg.eng.nls
c:\windows\Downloaded Program Files\DeployPkg.dll
c:\windows\Downloaded Program Files\DeployRun.eng.nls
c:\windows\Downloaded Program Files\DeployRun.dll
O16 -: {7F9B30F1-5129-4F5C-A76C-CE264A6C7D10}
hxxp://infonet.hmc.psu.edu/terminal/Packages/deployrun.eng.cab
c:\windows\Downloaded Program Files\DeployRun.inf
FireFox -: Profile - c:\documents and settings\JP\Application Data\Mozilla\Firefox\Profiles\hhc4fy4b.default\
FireFox -: prefs.js - SEARCH.DEFAULTURL - hxxp://search.conduit.com/ResultsExt.aspx?ctid=CT1231307&SearchSource=3&q=
FireFox -: prefs.js - STARTUP.HOMEPAGE - hxxp://www.yahoo.com/
FF -: plugin - c:\program files\Adobe\Acrobat 7.0\Reader\browser\nppdf32.dll
FF -: plugin - c:\program files\Real\Netscape6\nppl3260.dll
FF -: plugin - c:\program files\Real\Netscape6\nprjplug.dll
FF -: plugin - c:\program files\Real\Netscape6\nprpjplug.dll
FF -: plugin - c:\program files\Real\RhapsodyPlayerEngine\nprhapengine.dll
FF -: plugin - c:\program files\Viewpoint\Viewpoint Experience Technology\npViewpoint.dll
FF -: plugin - d:\progra~1\PACKAG~1\NPInstal.dll
FF -: plugin - d:\program files\DivX\DivX Content Uploader\npUpload.dll
FF -: plugin - d:\program files\DivX\DivX Player\npDivxPlayerPlugin.dll
FF -: plugin - d:\program files\DivX\DivX Web Player\npdivx32.dll
.

**************************************************************************

catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-12-09 12:16:39
Windows 5.1.2600 Service Pack 1 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(688)
c:\windows\system32\ODBC32.dll

- - - - - - - > 'lsass.exe'(744)
c:\windows\System32\dssenh.dll
.
------------------------ Other Running Processes ------------------------
.
c:\program files\Lavasoft\Ad-Aware\aawservice.exe
c:\program files\Avira\AntiVir PersonalEdition Classic\avguard.exe
c:\program files\Avira\AntiVir PersonalEdition Classic\sched.exe
c:\windows\system32\spool\drivers\w32x86\3\lxddserv.exe
c:\windows\system32\lxddcoms.exe
c:\windows\system32\nvsvc32.exe
c:\windows\system32\PnkBstrA.exe
c:\program files\Analog Devices\SoundMAX\SMAgent.exe
c:\windows\system32\wdfmgr.exe
.
**************************************************************************
.
Completion time: 2008-12-09 12:19:39 - machine was rebooted
ComboFix-quarantined-files.txt 2008-12-09 17:18:51

Pre-Run: 409,018,368 bytes free
Post-Run: 303,898,624 bytes free

winxpsp1_en_pro_bf.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Professional" /fastdetect

285 --- E O F --- 2008-10-18 01:00:39


I'm not sure... it seems to be okay now. At first when I went to copy the log it was very slow in loading and timed out. Maybe it was my ISP, but it worked okay with other sites. Again, it seems to be okay now, so no worries.
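Read as a whole, the ComboFix log above tells one story rather than several: a user-level Internet Explorer proxy at localhost:2323 (a local listener that every WinInet request passes through, which is enough to rewrite or redirect pages), Security Center's Automatic Updates warning switched off (UpdatesDisableNotify=1), an orphaned BHO registration pointing at system32\pitigema.dll, a BITS job queue (qmgr0.dat/qmgr1.dat, both deleted) with a download source of 77.74.48.105 (ComboFix writes URLs as hxxp so they cannot be clicked), and some forty DLLs in system32 with made-up eight-letter names. BITS jobs survive reboots and re-fetch their payload, which is one way files that were cleaned can be back after the next restart. The script below is an added example, not ComboFix output and not code anyone posted in this thread: it pulls those indicator classes out of a ComboFix-style log so a helper can triage one at a glance. The sample log is constructed from the line shapes in the posted log, and the consonant-vowel name test is a heuristic of mine (it also matches legitimate names such as setupapi, hence the allowlist, which is illustrative rather than complete).

```python
"""Triage a ComboFix-style log for the persistence indicators seen in this thread.

Added example for this thread; it is not ComboFix's code and was not posted by
anyone in the discussion. The heuristics prioritise review, they do not give a
verdict on their own.
"""
import re
from dataclasses import dataclass
from typing import List, Set

# Constructed sample: a few lines in the layout ComboFix uses, shaped after the
# indicators quoted in this thread. It is not the posted log itself.
SAMPLE_LOG = r"""
((((( Other Deletions )))))
c:\windows\system32\pitigema.dll
c:\windows\system32\honayoto.dll
c:\windows\system32\_004030_.tmp.dll

----- BITS: Possible infected sites -----

hxxp://77.74.48.105

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"UpdatesDisableNotify"=dword:00000001

- - - - ORPHANS REMOVED - - - -

BHO-{f86aff27-b2b4-4799-a325-95d7f64e9f4b} - c:\windows\System32\pitigema.dll
HKLM-Run-HotSync - c:\program files\PalmSource\Desktop\HotSync.exe

------- Supplementary Scan -------
uStart Page = about:blank
uInternet Settings,ProxyServer = localhost:2323
uInternet Settings,ProxyOverride = local

- - - - - - - > 'winlogon.exe'(688)
c:\windows\system32\setupapi.dll
"""


@dataclass(frozen=True)
class Finding:
    rule: str
    evidence: str


# The deleted DLLs in the posted log are eight lowercase letters in strict
# consonant-vowel alternation (pitigema, honayoto, ...). A few legitimate
# Windows DLL names fit the same pattern, so an allowlist is required.
# Assumption: the allowlist below is illustrative, not exhaustive.
CV_NAME = re.compile(r"^(?:[b-df-hj-np-tv-z][aeiou]){4}$")
KNOWN_GOOD: Set[str] = {"setupapi"}

SYS32_DLL = re.compile(r"\\system32\\([A-Za-z]+)\.dll\b", re.IGNORECASE)
PROXY = re.compile(r"^uInternet Settings,ProxyServer\s*=\s*(\S+)", re.IGNORECASE)
# HKLM\SOFTWARE\Microsoft\Security Center\*DisableNotify = 1 silences the
# matching Security Center warning (here: Automatic Updates turned off).
SECCENTER = re.compile(r'^"(?:AntiVirus|Firewall|Updates)DisableNotify"=dword:0*1$')
ORPHAN_BHO = re.compile(r"^BHO-(\{[0-9A-Fa-f-]{36}\})\s+-\s+(.+)$")
URL = re.compile(r"^h(?:xx|tt)ps?://\S+$")


def _is_loopback(hostport: str) -> bool:
    host = hostport.split(":")[0].lower()
    return host == "localhost" or host.startswith("127.")


def triage(log_text: str) -> List[Finding]:
    findings: List[Finding] = []
    seen_dlls: Set[str] = set()
    section = "other"
    for raw in log_text.splitlines():
        line = raw.strip()
        if not line:
            continue
        # Track the two ComboFix sections whose lines carry meaning by position.
        if "BITS: Possible infected sites" in line:
            section = "bits"
            continue
        if "ORPHANS REMOVED" in line:
            section = "orphans"
            continue
        if line.startswith(("(((", "[", "---", "- - -")):
            section = "other"
            continue
        if section == "bits" and URL.match(line):
            # BITS jobs persist across reboots and re-fetch their payload.
            findings.append(Finding("bits_download_source", line))
            continue
        m = PROXY.match(line)
        if m:
            if _is_loopback(m.group(1)):
                findings.append(Finding("proxy_to_loopback", m.group(1)))
            continue
        if SECCENTER.match(line):
            findings.append(Finding("security_center_alert_suppressed", line))
            continue
        m = ORPHAN_BHO.match(line) if section == "orphans" else None
        if m:
            findings.append(Finding("orphaned_bho", f"{m.group(1)} -> {m.group(2)}"))
            # fall through: the BHO's DLL name is checked below as well
        for name in SYS32_DLL.findall(line):
            low = name.lower()
            if CV_NAME.match(low) and low not in KNOWN_GOOD and low not in seen_dlls:
                seen_dlls.add(low)
                findings.append(Finding("random_name_system32_dll", f"{low}.dll"))
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"{f.rule:36} {f.evidence}")
```

Run it against a saved ComboFix.txt by passing the file contents to triage(). A proxy that points at a corporate host is deliberately not flagged; only loopback proxies on a home machine are worth a second look, and a URL line is only treated as a download source while the parser is inside the BITS block.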

#10 Billy O'Neal

Billy O'Neal

    Visual C++ STL Maintainer


  • Malware Response Team
  • 12,304 posts
  • Gender:Male
  • Location:Redmond, Washington

Posted 09 December 2008 - 09:37 PM

Hello, djay72
Viewpoint is considered foistware instead of malware because it is installed without users' approval, but doesn't spy or do anything "bad". You may like to read this article about the potential of this Viewpoint software here:
http://www.clickz.com/news/article.php/3561546

I suggest you remove the program now. Click on Start > Run... > and then paste the following into the "Open" field: "appwiz.cpl" and press OK. From within Add or Remove Programs uninstall the following if they exist: Viewpoint, Viewpoint Manager, and/or Viewpoint Media Player.

I would like us to use ESET (NOD32)'s Online Scanner
  • Please go to ESET OnlineScan (NOD32)
  • You will then see the Terms of Use, tick the check-box infront of YES, I accept the Terms of Use
  • Now click Start
  • Should you face a Security Warning that asks if you want to install and run a file called "OnlineScanner.cab", click Yes
  • Click Start
    • Note: (the Onlinescanner will now prepare itself for running on your pc)
  • To do a full-scan, tick: "Remove found threats" and "Scan potentially unwanted applications"
  • Press Scan
  • The Onlinescan will now start and scan your pc (this could take a while)
  • When the scan has finished, it will show a screen with two tabs "overview" and "details" and the option to get information or buy software, just close the window
  • Click Start >> Run... >> type: C:\Program Files\EsetOnlineScanner\log.txt
  • The Scanresults will now open in Notepad
  • Click into the text area, right-click and choose "select all" (or use <Control>+A)
  • Right-click again and choose "Copy" (or <Control>+C)
  • Close/Exit Notepad
  • Navigate to this thread and post your log along with anything else requested from us, by right-clicking and "paste" (or ctrl+v) in the text area of the reply post you just created.
Note: For Vista Users: Eset is compatible but Internet Explorer must be run as Administrator. To do this, right-click on the IE icon in the Start Menu or Quick Launch Bar on the Taskbar and select "Run as Administrator" from the context menu.

You Need to Update Windows (And other Microsoft Software)
Often holes are found in Internet Explorer or Windows itself that require patching. Sometimes these holes will allow an attacker unrestricted access to your computer.

If you are using Windows XP or earlier
Visit the Microsoft Update Website and follow the on screen instructions to setup Microsoft Update. Also follow the instructions to update your system. Please REBOOT and repeat this process until there are no more updates to install!!

If you are using Windows Vista
  • Click the "Start Menu" (or Windows Orb)
  • Click "All Programs"
  • Click "Windows Update"
  • On the left, choose "Change Settings"
  • Ensure that the checkbox "Use Microsoft Update" at the bottom of the window is checked.
  • Press OK and accept the UAC prompt.
    Note: You shouldn't need to check this checkbox every single time you update, only the first time.
  • Click "Check for Updates" in the upper left corner.
  • Follow the instructions to install the latest updates.
  • Reboot and repeat the "Check for Updates" until there are no more critical updates to install
In your next reply, please include the following:
  • ESET OnlineScan's Log

Billy3
Twitter - My statements do not establish the official position of Microsoft Corporation, and are my own personal opinion. (But you already knew that, right?)

#11 djay72

djay72
  • Topic Starter

  • Members
  • 38 posts

Posted 10 December 2008 - 06:19 PM

Hi Bill... Please call me Jeff... anyway... The browser problem was just a glitch. As far as running "appwiz.cpl" goes, when I go to Run and paste this in I get an error telling me that RunDll32 is missing or corrupt. So that was a no-go. As far as ESET goes, it went off without a hitch, and here is the log.


# version=4
# OnlineScanner.ocx=1.0.0.635
# OnlineScannerDLLA.dll=1, 0, 0, 79
# OnlineScannerDLLW.dll=1, 0, 0, 78
# OnlineScannerUninstaller.exe=1, 0, 0, 49
# vers_standard_module=3682 (20081210)
# vers_arch_module=1.064 (20080214)
# vers_adv_heur_module=1.064 (20070717)
# EOSSerial=ca6075b0f284ef4abae3e3803a448955
# end=finished
# remove_checked=true
# unwanted_checked=true
# utc_time=2008-12-10 11:12:17
# local_time=2008-12-10 06:12:17 (-0500, Eastern Standard Time)
# country="United States"
# osver=5.1.2600 NT Service Pack 1
# scanned=471812
# found=6
# scan_time=4305
C:\Qoobox\Quarantine\C\WINDOWS\system32\damorume.dll.vir Win32/Adware.Virtumonde application (unable to clean - deleted) 00000000000000000000000000000000
C:\Qoobox\Quarantine\C\WINDOWS\system32\gerogije.dll.vir Win32/Adware.Agent.NKC application (unable to clean - deleted) 00000000000000000000000000000000
C:\Qoobox\Quarantine\C\WINDOWS\system32\honayoto.dll.vir Win32/Adware.Virtumonde application (unable to clean - deleted) 00000000000000000000000000000000
C:\Qoobox\Quarantine\C\WINDOWS\system32\niyihifi.dll.vir Win32/Adware.Virtumonde application (unable to clean - deleted) 00000000000000000000000000000000
C:\Qoobox\Quarantine\C\WINDOWS\system32\viliwesi.dll.vir Win32/Adware.Virtumonde application (unable to clean - deleted) 00000000000000000000000000000000
C:\Qoobox\Quarantine\C\WINDOWS\system32\wosarako.dll.vir Win32/Adware.Agent.NKG application (unable to clean - deleted) 00000000000000000000000000000000

#12 Billy O'Neal

Billy O'Neal

    Visual C++ STL Maintainer


  • Malware Response Team
  • 12,304 posts
  • Gender:Male
  • Location:Redmond, Washington

Posted 10 December 2008 - 08:45 PM

Hello, Jeff

Hi Bill... Please call me Jeff... anyway... The browser problem was just a glitch. As far as running "appwiz.cpl" goes, when I go to Run and paste this in I get an error telling me that RunDll32 is missing or corrupt

I'm sorry... those instructions are for XP, not Vista. :)

Instead of Appwiz.cpl, you can do:
Start -> Control Panel -> Programs and Features -> Uninstall a Program

Then you can uninstall that viewpoint garbage.

Otherwise,

Congratulations! You now appear clean! :thumbsup:

Are things running okay? Do you have any more questions?

System Still Slow?
You may wish to try StartupLite. Simply download this tool to your desktop and run it. It will explain any optional auto-start programs on your system, and offer the option to stop these programs from starting at startup. This will result in fewer programs running when you boot your system, and should improve performance.
If that does not work, you can try the steps mentioned in Slow Computer/browser? Check Here First; It May Not Be Malware
We Need to Remove ComboFix
  • Please go to Start -> Run
  • Enter "ComboFix /u" (without quotes). Note the space between "ComboFix" and "/u", it needs to be there.
    Posted Image
  • Press OK (Or hit enter).
  • Allow ComboFix to remove itself.
We Need to Clean Up Our Mess
  • Please reopen Posted Image on your desktop.
  • Push the large "Cleanup" button
  • Allow your system to reboot
Recommendations
Below are some recommendations to lower your chances of (re)infection.
  • Install Spyware Blaster and update it regularly
    If you wish, the commercial version provides automatic updating.
  • Install the MVPs hosts file, and update it regularly
    You can use the HostMan host file manager to do this automatically if you wish.
    For more information on the hosts file, and what it can do for you, you can view the Tutorial on the Hosts file
  • Install an Anti-Spyware program, and update it regularly
    Malwarebytes' Anti-Malware is an excellent Anti-Spyware scanner. Its scan times are usually under ten minutes, and it has excellent detection and removal rates.
    SUPERAntiSpyware is another good scanner with high detection and removal rates.
    Both programs are free for non-commercial home use, but provide resident protection and do not nag if you purchase the paid versions.
  • Keep Windows (and your other Microsoft software) up to date!
    I cannot stress how important this is enough. Often holes are found in Internet Explorer or Windows itself that require patching. Sometimes these holes will allow an attacker unrestricted access to your computer.

    If you are using Windows XP or earlier
    Visit the Microsoft Update Website and follow the on screen instructions to setup Microsoft Update. Also follow the instructions to update your system. Please REBOOT and repeat this process until there are no more updates to install!!

    If you are using Windows Vista
    • Click the "Start Menu" (or Windows Orb)
    • Click "All Programs"
    • Click "Windows Update"
    • On the left, choose "Change Settings"
    • Ensure that the checkbox "Use Microsoft Update" at the bottom of the window is checked.
    • Press OK and accept the UAC prompt.
      Note: You shouldn't need to check this checkbox every single time you update, only the first time.
    • Click "Check for Updates" in the upper left corner.
    • Follow the instructions to install the latest updates.
    • Reboot and repeat the "Check for Updates" until there are no more critical updates to install
  • Keep your other software up to date as well
    Software does not need to be made by Microsoft to be insecure. You can use the Secunia Online Software occasionally to help you check for out of date software on your machine.
  • Stay up to date!
    The MOST IMPORTANT part of any security setup is keeping the software up to date. Malware writers release new variants every single day. If your software updates don't keep up, then the malware will always be one step ahead. Not a good thing :).
BillyIII

EDIT: Forgot.. it is Jeff :)

Edited by Billy O'Neal, 10 December 2008 - 08:46 PM.

Twitter - My statements do not establish the official position of Microsoft Corporation, and are my own personal opinion. (But you already knew that, right?)
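The hosts file recommendation above works because Windows consults %SystemRoot%\system32\drivers\etc\hosts before it asks DNS, so a line mapping an ad or malware host to 0.0.0.0 or 127.0.0.1 makes that host unreachable for every program on the machine. The same mechanism cuts both ways: malware likes to add lines that point security or banking hosts at an address of its choosing, and a blocklist that happens to contain a Microsoft update host will quietly break Windows Update. The script below is an added example, not part of this thread or of the MVPs hosts project; it audits a hosts file and separates sinkhole entries (what a blocklist should contain) from redirects to remote addresses (what a hijacker adds). The sample file is constructed, and the short list of update-related suffixes it protects is an assumption, not a complete list.

```python
"""Audit a Windows hosts file before (or after) installing a blocklist such as MVPs.

Added example for this thread, not code from the thread or from the MVPs
project. It tells sinkhole entries (what a blocklist should contain) apart from
redirects to remote addresses (what a hijacker adds).
"""
import ipaddress
from typing import Dict, List

# Constructed sample: a Windows default line, MVPs-style sinkhole lines, and two
# lines that should worry you. Not a real hosts file from anyone's machine.
SAMPLE_HOSTS = """\
# Copyright (c) 1993-1999 Microsoft Corp.
127.0.0.1       localhost
0.0.0.0 ads.example-adnetwork.test
0.0.0.0 tracker.example-adnetwork.test   # MVPs-style blocking entry
127.0.0.1 www.example-malvertiser.test
203.0.113.7 www.bank.example             # remote IP: hijack pattern
0.0.0.0 windowsupdate.microsoft.com      # sinkholing this breaks patching
not-an-ip   broken.example
"""

# Sinkhole targets a blocklist legitimately uses.
SINKHOLES = {ipaddress.ip_address(a) for a in ("0.0.0.0", "127.0.0.1", "::1")}

# Assumption: a short illustrative list of suffixes a blocklist must never
# sinkhole, because Windows Update / Microsoft Update depend on them.
PROTECTED_SUFFIXES = ("windowsupdate.com", "microsoft.com")


def audit_hosts(text: str) -> Dict[str, List[str]]:
    report: Dict[str, List[str]] = {
        "blocked": [],               # name sinkholed to 0.0.0.0 / 127.0.0.1 / ::1
        "redirected": [],            # name -> remote address (hijack pattern)
        "update_hosts_blocked": [],  # sinkholed name that patching needs
        "malformed": [],             # lines the resolver would not parse
    }
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()   # drop comments, keep the rest
        if not line:
            continue
        fields = line.split()
        if len(fields) < 2:
            report["malformed"].append(raw.rstrip())
            continue
        try:
            addr = ipaddress.ip_address(fields[0])
        except ValueError:
            report["malformed"].append(raw.rstrip())
            continue
        for name in fields[1:]:
            name = name.lower()
            if name == "localhost":
                continue                      # the default entry, not a block
            if addr in SINKHOLES:
                report["blocked"].append(name)
                if name.endswith(PROTECTED_SUFFIXES):
                    report["update_hosts_blocked"].append(name)
            else:
                report["redirected"].append(f"{name} -> {addr}")
    return report


if __name__ == "__main__":
    for key, items in audit_hosts(SAMPLE_HOSTS).items():
        print(f"{key}: {len(items)}")
        for item in items:
            print(f"    {item}")
```

Anything in "redirected" deserves a look before you do anything else, because a redirect to a remote address is never something a blocklist installs. "update_hosts_blocked" is the check to run after installing any third-party hosts file and before wondering why Windows Update stopped working.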

#13 djay72

djay72
  • Topic Starter

  • Members
  • 38 posts

Posted 10 December 2008 - 10:03 PM

Bill, I am running XP. That was the error I was getting. Also, do you know why I wouldn't be able to update to SP2 or 3? I have not been able to do so; when I do, it tells me that there is an error (not sure what it is anymore), but I would love to get up to date with some of the stuff. Again, thanks for the help....

#14 Billy O'Neal

Billy O'Neal

    Visual C++ STL Maintainer


  • Malware Response Team
  • 12,304 posts
  • Gender:Male
  • Location:Redmond, Washington

Posted 11 December 2008 - 09:26 PM

Hello, Jeff

Bill, I am running XP. That was the error I was getting. Also, do you know why I wouldn't be able to update to SP2 or 3? I have not been able to do so; when I do, it tells me that there is an error (not sure what it is anymore), but I would love to get up to date with some of the stuff. Again, thanks for the help....

I'm sorry... apparently I'm blind twice LOL

See if this fixes the control panel problem:

We need to repair some of windows' internal registration settings
  • Please download Dial-A-Fix from one of the following mirrors:
  • Extract the zip file to your desktop.
  • Double click Dial-a-Fix.exe to start the program.
  • Press the green double checkmark box (Looks like this: Posted Image)
  • UNcheck "Empty Temp Folders", as well as "Adjust Time/Date" in the prep section. The prep section should then look like this:
    Posted Image
  • When the window looks like this, press the GO button in the bottom of the window.
    Posted Image
  • Exit/Close Dial-A-Fix
BillyIII
Twitter - My statements do not establish the official position of Microsoft Corporation, and are my own personal opinion. (But you already knew that, right?)

#15 Billy O'Neal

Billy O'Neal

    Visual C++ STL Maintainer


  • Malware Response Team
  • 12,304 posts
  • Gender:Male
  • Location:Redmond, Washington

Posted 14 December 2008 - 11:13 AM

Hello, Jeff
Are you still here?

BillyIII
Twitter - My statements do not establish the official position of Microsoft Corporation, and are my own personal opinion. (But you already knew that, right?)
