
Windows Security Alert Win32.Zafi.B


11 replies to this topic

#1 miksar


Posted 12 January 2009 - 02:08 AM

{{Mod Edit: Moved from AII to HJT.. difficulty running malware tools AII link http://www.bleepingcomputer.com/forums/top...ml#entry1088679 ../..boopme}}




Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 1:04:07 AM, on 1/12/2009
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16762)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Intel\Wireless\Bin\WLKeeper.exe
C:\WINDOWS\System32\WLTRYSVC.EXE
C:\WINDOWS\System32\bcmwltry.exe
C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\Documents and Settings\All Users\Application Data\EPSON\EPW!3 SSRP\E_S30RP1.EXE
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Microsoft SQL Server\MSSQL$MICROSOFTSMLBIZ\Binn\sqlservr.exe
C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\system32\hkcmd.exe
C:\WINDOWS\system32\igfxpers.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\WINDOWS\system32\igfxsrvc.exe
C:\WINDOWS\stsystra.exe
C:\WINDOWS\system32\dla\tfswctrl.exe
C:\Program Files\Microsoft IntelliPoint\ipoint.exe
C:\WINDOWS\system32\WLTRAY.exe
C:\Program Files\Intel\Wireless\bin\ZCfgSvc.exe
C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\MySpace\IM\MySpaceIM.exe
C:\Program Files\MySpace\IM\MySpaceIM.exe
C:\Program Files\Intel\Wireless\Bin\Dot1XCfg.exe
C:\Program Files\Malwarebytes' Anti-Malware\mbam.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: RealPlayer Download and Record Plugin for Internet Explorer - {3049C3E9-B461-4BC5-8870-4C09146192CA} - C:\Program Files\Real\RealPlayer\rpbrowserrecordplugin.dll
O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\system32\dla\tfswshx.dll
O2 - BHO: Java™ Plug-In SSV Helper - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre6\bin\ssv.dll
O2 - BHO: Java™ Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O4 - HKLM\..\Run: [igfxtray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [igfxhkcmd] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [igfxpers] C:\WINDOWS\system32\igfxpers.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [SigmatelSysTrayApp] stsystra.exe
O4 - HKLM\..\Run: [dla] C:\WINDOWS\system32\dla\tfswctrl.exe
O4 - HKLM\..\Run: [IntelliPoint] "C:\Program Files\Microsoft IntelliPoint\ipoint.exe"
O4 - HKLM\..\Run: [Broadcom Wireless Manager UI] C:\WINDOWS\system32\WLTRAY.exe
O4 - HKLM\..\Run: [IntelZeroConfig] "C:\Program Files\Intel\Wireless\bin\ZCfgSvc.exe"
O4 - HKLM\..\Run: [IntelWireless] "C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe" /tf Intel PROSet/Wireless
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [MySpaceIM] C:\Program Files\MySpace\IM\MySpaceIM.exe
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {193C772A-87BE-4B19-A7BB-445B226FE9A1} (ewidoOnlineScan Control) - http://downloads.ewido.net/ewidoOnlineScan.cab
O16 - DPF: {48DD0448-9209-4F81-9F6D-D83562940134} (MySpace Uploader Control) - http://lads.myspace.com/upload/MySpaceUploader1006.cab
O16 - DPF: {55027008-315F-4F45-BBC3-8BE119764741} (Slide Image Uploader Control) - http://static.slide.com/uploader/SlideImageUploader.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.microsoft.com/microsoftu...b?1209248121468
O23 - Service: Lavasoft Ad-Aware Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
O23 - Service: AVG Anti-Spyware Guard - GRISOFT s.r.o. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: EPSON V3 Service4(01) (EPSON_PM_RPCV4_01) - SEIKO EPSON CORPORATION - C:\Documents and Settings\All Users\Application Data\EPSON\EPW!3 SSRP\E_S30RP1.EXE
O23 - Service: Intel® PROSet/Wireless Event Log (EvtEng) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: Machine Debug Manager (MDM) - Unknown owner - C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE (file missing)
O23 - Service: Intel® PROSet/Wireless Registry Service (RegSrvc) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
O23 - Service: Intel® PROSet/Wireless Service (S24EventMonitor) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
O23 - Service: Intel® PROSet/Wireless SSO Service (WLANKEEPER) - Intel® Corporation - C:\Program Files\Intel\Wireless\Bin\WLKeeper.exe
O23 - Service: Dell Wireless WLAN Tray Service (wltrysvc) - Unknown owner - C:\WINDOWS\System32\WLTRYSVC.EXE

--
End of file - 6901 bytes

Edited by boopme, 12 January 2009 - 10:35 AM.




#2 bamajim


Posted 21 January 2009 - 04:15 PM

miksar

1. Go HERE and download File Lister. Save it to your Desktop.
Rt Click ->> Extract all ->> And extract it to your Desktop
Additional help on extracting zip files can be found HERE
Open the File Lister Folder.
Rt Click FileLister.vbe ->> Select Open, then Open to confirm.
As the program runs, it will appear that nothing is happening.
When the program is finished it will produce a log for you at C:\Files.txt
Copy and paste the contents of that log in your reply.
Microsoft MVP - Windows Security

#3 miksar


Posted 23 January 2009 - 12:19 PM

+++++++++++++++++++++++++++++++++
+ File Lister Version 1.0.5
+
+ By bamajim / bamajim.com
+++++++++++++++++++++++++++++++++

Report ran on --->>> 1/23/2009 11:16:56 AM


====== Running Processes ======

C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Intel\Wireless\Bin\WLKeeper.exe
C:\WINDOWS\System32\WLTRYSVC.EXE
C:\WINDOWS\System32\bcmwltry.exe
C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\Documents and Settings\All Users\Application Data\EPSON\EPW!3 SSRP\E_S30RP1.EXE
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Microsoft SQL Server\MSSQL$MICROSOFTSMLBIZ\Binn\sqlservr.exe
C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\hkcmd.exe
C:\WINDOWS\system32\igfxpers.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\WINDOWS\system32\igfxsrvc.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\WINDOWS\stsystra.exe
C:\WINDOWS\system32\dla\tfswctrl.exe
C:\Program Files\Microsoft IntelliPoint\ipoint.exe
C:\WINDOWS\system32\WLTRAY.exe
C:\Program Files\Intel\Wireless\bin\ZCfgSvc.exe
C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Documents and Settings\sarah\Application Data\Google\yfijv17721328.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\MySpace\IM\MySpaceIM.exe
C:\Program Files\MySpace\IM\MySpaceIM.exe
C:\Program Files\Intel\Wireless\Bin\Dot1XCfg.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\WINDOWS\System32\WScript.exe

====== BHO's under HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\explorer\Browser Helper Objects ======

BHO: (NO NAME) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll

BHO: (NO NAME) - {3049C3E9-B461-4BC5-8870-4C09146192CA} - C:\Program Files\Real\RealPlayer\rpbrowserrecordplugin.dll

BHO: HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\explorer\Browser Helper Objects\{5CA3D70E-1895-11CF-8E15-001234567890}\ - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\system32\dla\tfswshx.dll

BHO: (NO NAME) - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre6\bin\ssv.dll

BHO: (NO NAME) - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll

BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll

====== Values under HKLM\~\Run ======

REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"igfxtray"="C:\\WINDOWS\\system32\\igfxtray.exe"
"igfxhkcmd"="C:\\WINDOWS\\system32\\hkcmd.exe"
"igfxpers"="C:\\WINDOWS\\system32\\igfxpers.exe"
"SunJavaUpdateSched"="\"C:\\Program Files\\Java\\jre6\\bin\\jusched.exe\""
"SynTPEnh"="C:\\Program Files\\Synaptics\\SynTP\\SynTPEnh.exe"
"SigmatelSysTrayApp"="stsystra.exe"
"dla"="C:\\WINDOWS\\system32\\dla\\tfswctrl.exe"
"IntelliPoint"="\"C:\\Program Files\\Microsoft IntelliPoint\\ipoint.exe\""
"Broadcom Wireless Manager UI"="C:\\WINDOWS\\system32\\WLTRAY.exe"
"IntelZeroConfig"="\"C:\\Program Files\\Intel\\Wireless\\bin\\ZCfgSvc.exe\""
"IntelWireless"="\"C:\\Program Files\\Intel\\Wireless\\Bin\\ifrmewrk.exe\" /tf Intel PROSet/Wireless"
"QuickTime Task"="\"C:\\Program Files\\QuickTime\\qttask.exe\" -atboottime"
"TkBellExe"="\"C:\\Program Files\\Common Files\\Real\\Update_OB\\realsched.exe\" -osboot"
"Adobe Reader Speed Launcher"="\"C:\\Program Files\\Adobe\\Reader 8.0\\Reader\\Reader_sl.exe\""
"wclock"="\"C:\\Documents and Settings\\sarah\\Application Data\\Google\\yfijv17721328.exe\" 2"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents]
@=""

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\IMAIL]
"Installed"="1"
@=""

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\MAPI]
"NoChange"="1"
"Installed"="1"
@=""

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\MSFS]
"Installed"="1"
@=""


====== Values under HKCU\~\Run ======

REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\\WINDOWS\\system32\\ctfmon.exe"
"MySpaceIM"="C:\\Program Files\\MySpace\\IM\\MySpaceIM.exe"


====== Folders and Files from "%\" and "%\Windows" Created Last 60 Days ======

1/11/2009 11:34:10 PM 227153 C:\Avenger
1/11/2009 9:46:50 PM 0 C:\VundoFix Backups
1/11/2009 11:34:09 PM 3436 32 C:\avenger.txt
1/23/2009 11:16:56 AM 4495 32 C:\Files.txt
1/11/2009 10:49:12 PM 1064763392 38 C:\hiberfil.sys
1/11/2009 9:46:50 PM 397 32 C:\VundoFix.txt
12/12/2008 1:28:20 PM 4112458 C:\WINDOWS\$NtUninstallKB952069_WM9$
12/12/2008 1:28:20 PM 622666 C:\WINDOWS\$NtUninstallKB952069_WM9$\spuninst
12/12/2008 1:27:27 PM 868684 C:\WINDOWS\$NtUninstallKB954600$
12/12/2008 1:27:27 PM 621870 C:\WINDOWS\$NtUninstallKB954600$\spuninst
12/12/2008 1:30:42 PM 683064 C:\WINDOWS\$NtUninstallKB955839$
12/12/2008 1:30:42 PM 622648 C:\WINDOWS\$NtUninstallKB955839$\spuninst
12/12/2008 1:27:17 PM 906919 C:\WINDOWS\$NtUninstallKB956802$
12/12/2008 1:27:17 PM 621735 C:\WINDOWS\$NtUninstallKB956802$\spuninst
1/14/2009 5:34:02 PM 955990 C:\WINDOWS\$NtUninstallKB958687$
1/14/2009 5:34:02 PM 622166 C:\WINDOWS\$NtUninstallKB958687$\spuninst
1/11/2009 11:46:35 PM 0 C:\WINDOWS\PIF
12/12/2008 1:28:19 PM 10692 32 C:\WINDOWS\KB952069.log
12/12/2008 1:27:26 PM 7468 32 C:\WINDOWS\KB954600.log
12/11/2008 7:11:32 PM 32703 32 C:\WINDOWS\KB955839.log
12/11/2008 7:08:20 PM 12955 32 C:\WINDOWS\KB956802.log
12/12/2008 1:30:08 PM 19086 32 C:\WINDOWS\KB958215-IE7.log
1/14/2009 5:32:54 PM 7434 32 C:\WINDOWS\KB958687.log
12/17/2008 8:26:55 PM 8182 32 C:\WINDOWS\KB960714-IE7.log
1/11/2009 8:56:56 PM 157758 32 C:\WINDOWS\ntbtlog.txt
12/9/2008 7:52:37 PM 403 32 C:\WINDOWS\wmsetup.log
12/21/2008 11:29:36 PM 410984 32 C:\WINDOWS\system32\deploytk.dll
12/21/2008 11:29:36 PM 144792 32 C:\WINDOWS\system32\java.exe
12/21/2008 11:29:36 PM 144792 32 C:\WINDOWS\system32\javaw.exe
12/21/2008 11:29:36 PM 148888 32 C:\WINDOWS\system32\javaws.exe
1/11/2009 8:36:47 PM 441 32 C:\WINDOWS\system32\TDSSosvd.dat

====== Files under "\Administrator\Startup" Last 60 Days======


====== Files under "\All Users\Startup" Last 60 Days======


====== Folders under "\Program Files" Last 60 Days======

1/11/2009 11:37:52 PM 4082286 C:\Program Files\Malwarebytes' Anti-Malware
1/11/2009 11:37:53 PM 349316 C:\Program Files\Malwarebytes' Anti-Malware\Languages

====== Files under "\System32\Drivers" Last 60 Days======

1/11/2009 11:37:56 PM 15504 32 C:\WINDOWS\system32\drivers\mbam.sys
1/11/2009 11:37:53 PM 38496 32 C:\WINDOWS\system32\drivers\mbamswissarmy.sys

====== Files Deleted under "%Temp%" ======

C:\DOCUME~1\sarah\LOCALS~1\Temp\20482a.mst
C:\DOCUME~1\sarah\LOCALS~1\Temp\4D0FFE3.dmp
C:\DOCUME~1\sarah\LOCALS~1\Temp\5537E42.dmp
C:\DOCUME~1\sarah\LOCALS~1\Temp\75d3_appcompat.txt
C:\DOCUME~1\sarah\LOCALS~1\Temp\97P8BN94.emf
C:\DOCUME~1\sarah\LOCALS~1\Temp\AAX55.tmp
C:\DOCUME~1\sarah\LOCALS~1\Temp\cc2log.txt
C:\DOCUME~1\sarah\LOCALS~1\Temp\etilqs_ctXaAMGZYkqfWhwk5Dau
C:\DOCUME~1\sarah\LOCALS~1\Temp\etilqs_ctXaAMGZYkqfWhwk5Dau-journal
C:\DOCUME~1\sarah\LOCALS~1\Temp\etilqs_ddvePATkLZ42VEhTuUtR
C:\DOCUME~1\sarah\LOCALS~1\Temp\etilqs_ddvePATkLZ42VEhTuUtR-journal
C:\DOCUME~1\sarah\LOCALS~1\Temp\etilqs_dqUU1Pmysocqeuad282x
C:\DOCUME~1\sarah\LOCALS~1\Temp\etilqs_ixEkN1SPxVENUoMsAPuH
C:\DOCUME~1\sarah\LOCALS~1\Temp\etilqs_TC5WvHn4xQE09clmW5Mo
C:\DOCUME~1\sarah\LOCALS~1\Temp\etilqs_uR69QXVWHyyVwPc1Coaf
C:\DOCUME~1\sarah\LOCALS~1\Temp\fla145.tmp
C:\DOCUME~1\sarah\LOCALS~1\Temp\fla78.tmp
C:\DOCUME~1\sarah\LOCALS~1\Temp\fla7B.tmp
C:\DOCUME~1\sarah\LOCALS~1\Temp\fla7C.tmp
C:\DOCUME~1\sarah\LOCALS~1\Temp\fla7D.tmp
C:\DOCUME~1\sarah\LOCALS~1\Temp\IMT10.xml
C:\DOCUME~1\sarah\LOCALS~1\Temp\IMT11.xml
C:\DOCUME~1\sarah\LOCALS~1\Temp\IMTF.xml
C:\DOCUME~1\sarah\LOCALS~1\Temp\IUJ_491730122420025960.tmp
C:\DOCUME~1\sarah\LOCALS~1\Temp\java_install.log
C:\DOCUME~1\sarah\LOCALS~1\Temp\java_install_reg.log
C:\DOCUME~1\sarah\LOCALS~1\Temp\java_install_sp.log
C:\DOCUME~1\sarah\LOCALS~1\Temp\jinstall.cfg
C:\DOCUME~1\sarah\LOCALS~1\Temp\jusched.log
C:\DOCUME~1\sarah\LOCALS~1\Temp\MSW4D.tmp
C:\DOCUME~1\sarah\LOCALS~1\Temp\sbc2E.tmp
C:\DOCUME~1\sarah\LOCALS~1\Temp\TDSS9d9.tmp
C:\DOCUME~1\sarah\LOCALS~1\Temp\TDSS9e9.tmp
C:\DOCUME~1\sarah\LOCALS~1\Temp\TWAIN.LOG
C:\DOCUME~1\sarah\LOCALS~1\Temp\Twain001.Mtx
C:\DOCUME~1\sarah\LOCALS~1\Temp\Twunk001.MTX
C:\DOCUME~1\sarah\LOCALS~1\Temp\Twunk002.MTX
C:\DOCUME~1\sarah\LOCALS~1\Temp\Walk_in_Fridge.wmv
C:\DOCUME~1\sarah\LOCALS~1\Temp\wmplog00.sqm
C:\DOCUME~1\sarah\LOCALS~1\Temp\wmplog01.sqm
C:\DOCUME~1\sarah\LOCALS~1\Temp\{AC76BA86-7AD7-1033-7B44-A81200000003}.ini
C:\DOCUME~1\sarah\LOCALS~1\Temp\{AC76BA86-7AD7-1033-7B44-A81300000003}.ini
C:\DOCUME~1\sarah\LOCALS~1\Temp\~DF1BF2.tmp
C:\DOCUME~1\sarah\LOCALS~1\Temp\~DF21CE.tmp
C:\DOCUME~1\sarah\LOCALS~1\Temp\~DF3343.tmp
C:\DOCUME~1\sarah\LOCALS~1\Temp\~DF3622.tmp
C:\DOCUME~1\sarah\LOCALS~1\Temp\~DF372E.tmp
C:\DOCUME~1\sarah\LOCALS~1\Temp\~DF3AF1.tmp
C:\DOCUME~1\sarah\LOCALS~1\Temp\~DF3EAB.tmp
C:\DOCUME~1\sarah\LOCALS~1\Temp\~DF40A8.tmp
C:\DOCUME~1\sarah\LOCALS~1\Temp\~DF4100.tmp
C:\DOCUME~1\sarah\LOCALS~1\Temp\~DF4749.tmp
C:\DOCUME~1\sarah\LOCALS~1\Temp\~DF6A96.tmp
C:\DOCUME~1\sarah\LOCALS~1\Temp\~DF7BB4.tmp
C:\DOCUME~1\sarah\LOCALS~1\Temp\~DF8B97.tmp
C:\DOCUME~1\sarah\LOCALS~1\Temp\~DF9394.tmp
C:\DOCUME~1\sarah\LOCALS~1\Temp\~DF9CA.tmp
C:\DOCUME~1\sarah\LOCALS~1\Temp\~DF9E6F.tmp
C:\DOCUME~1\sarah\LOCALS~1\Temp\~DFB3A5.tmp
C:\DOCUME~1\sarah\LOCALS~1\Temp\~DFBB8.tmp
C:\DOCUME~1\sarah\LOCALS~1\Temp\~DFBB9A.tmp
C:\DOCUME~1\sarah\LOCALS~1\Temp\~DFDFB2.tmp
C:\DOCUME~1\sarah\LOCALS~1\Temp\~DFF8DD.tmp

63 Files deleted

====== Files and Folders under "All Users\Application Data" Last 60 Days======

12/23/2008 12:07:16 AM 1339677 C:\Documents and Settings\All Users\Application Data\Malwarebytes
12/23/2008 12:07:16 AM 1339677 C:\Documents and Settings\All Users\Application Data\Malwarebytes\Malwarebytes' Anti-Malware

====== Possible Rootkit Scan (Note: Items listed here are not necessarily bad)======


====== Values under HKLM\Software\microsoft\shared tools\msconfig\startupreg ======

====== Services ( Services that are Whitelisted are not shown) ======

EPSON V3 Service4(01) (EPSON_PM_RPCV4_01) C:\Documents and Settings\All Users\Application Data\EPSON\EPW!3 SSRP\E_S30RP1.EXE - Auto
Java Quick Starter (JavaQuickStarterService) "C:\Program Files\Java\jre6\bin\jqs.exe" -service -config "C:\Program Files\Java\jre6\lib\deploy\jqs\jqs.conf" - Auto
MSSQL$MICROSOFTSMLBIZ (MSSQL$MICROSOFTSMLBIZ) "C:\Program Files\Microsoft SQL Server\MSSQL$MICROSOFTSMLBIZ\Binn\sqlservr.exe" -sMICROSOFTSMLBIZ - Auto
MSSQLServerADHelper (MSSQLServerADHelper) "C:\Program Files\Microsoft SQL Server\80\Tools\Binn\sqladhlp.exe" - Manual
Intel® PROSet/Wireless Registry Service (RegSrvc) C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe - Auto
SQLAgent$MICROSOFTSMLBIZ (SQLAgent$MICROSOFTSMLBIZ) "C:\Program Files\Microsoft SQL Server\MSSQL$MICROSOFTSMLBIZ\Binn\sqlagent.EXE" -i MICROSOFTSMLBIZ - Manual
Intel® PROSet/Wireless SSO Service (WLANKEEPER) C:\Program Files\Intel\Wireless\Bin\WLKeeper.exe - Auto
Dell Wireless WLAN Tray Service (wltrysvc) C:\WINDOWS\System32\WLTRYSVC.EXE C:\WINDOWS\System32\bcmwltry.exe - Auto

====== Uninstall List From Registry ======

Adobe Flash Player 10 Plugin
Adobe Shockwave Player
Adobe® Photoshop® Album Starter Edition 3.2
AVG Anti-Spyware 7.5
Dell Wireless WLAN Card
CCleaner (remove only)
Conexant HDA D110 MDC V.92 Modem
Dell Digital Jukebox Driver
EPSON Printer Software
HijackThis 2.0.2
I-News
Microsoft Internationalized Domain Names Mitigation APIs
Windows Internet Explorer 7
IrfanView (remove only)
Windows Genuine Advantage Validation Tool (KB892130)
Windows Installer 3.1 (KB893803)
Security Update for Windows Media Player (KB911564)
Security Update for Windows Internet Explorer 7 (KB928090)
Security Update for Windows Internet Explorer 7 (KB929969)
Security Update for Windows Internet Explorer 7 (KB931768)
Security Update for Windows Internet Explorer 7 (KB933566)
Security Update for Windows Internet Explorer 7 (KB937143)
Security Update for Windows Internet Explorer 7 (KB938127)
Security Update for Windows Internet Explorer 7 (KB939653)
Security Update for Windows Internet Explorer 7 (KB942615)
Security Update for Windows Internet Explorer 7 (KB944533)
Hotfix for Windows Internet Explorer 7 (KB947864)
Hotfix 2050 for SQL Server 2000 ENU (KB948110)
Security Update for Windows Internet Explorer 7 (KB950759)
Security Update for Windows Media Player (KB952069)
Security Update for Windows Internet Explorer 7 (KB953838)
Security Update for Windows XP (KB954459)
Security Update for Windows XP (KB954600)
Security Update for Windows XP (KB955069)
Update for Windows XP (KB955839)
Security Update for Windows Internet Explorer 7 (KB956390)
Security Update for Windows XP (KB956802)
Security Update for Windows XP (KB957097)
Security Update for Windows Internet Explorer 7 (KB958215)
Security Update for Windows XP (KB958687)
Security Update for Windows Internet Explorer 7 (KB960714)
Microsoft .NET Framework 1.1 Hotfix (KB928366)
Malwarebytes' Anti-Malware
Microsoft .NET Framework 1.1
Mozilla Firefox (3.0.5)
Microsoft Compression Client Pack 1.0 for Windows XP
MySpaceIM
Microsoft National Language Support Downlevel APIs
Omni keypad driver 5.0
OmniMouse Driver 3.82
Pdf995 (installed by TaxCut)
PdfEdit995 (installed by TaxCut)
Intel® PROSet/Wireless Software
RealPlayer
Security Task Manager 1.7e
EPSON Stylus Photo R260 User's Guide
Simple Family Tree (remove only)
Business Inventory Manager Pro
Synaptics Pointing Device Driver
Viewpoint Media Player
WebCyberCoach 3.2 Dell
Windows Genuine Advantage Validation Tool (KB892130)
Windows Genuine Advantage Notifications (KB905474)
Windows Media Format 11 runtime
Windows Media Player 11
Windows XP Service Pack 3
WinZip Self-Extractor
Windows Media Format 11 runtime
Windows Media Player 11
Microsoft User-Mode Driver Framework Feature Pack 1.0
AT&T Yahoo! Applications
mSSO
Sonic RecordNow Data
MSXML 6.0 Parser (KB933579)
mLogView
Microsoft Plus! Photo Story 2 LE
Sonic DLA
Rhapsody Player Engine
mProSafe
Java™ 6 Update 11
Broadcom Management Programs
Sonic Update Manager
J2SE Runtime Environment 5.0 Update 6
J2SE Runtime Environment 5.0 Update 9
J2SE Runtime Environment 5.0 Update 10
J2SE Runtime Environment 5.0 Update 11
Java™ SE Runtime Environment 6 Update 1
Java™ 6 Update 2
Java™ 6 Update 3
Java™ 6 Update 5
Java™ 6 Update 7
Windows Media Player 10
WebFldrs XP
MSXML 4.0 SP2 (KB927978)
ArcSoft PhotoStudio 5.5
mIWA
NetWaiting
mHlpDell
Dell Support 3.1
Dell Driver Reset Tool
QuickTime
mWMI
TaxCut Premium + State 2007
PowerDVD 5.5
Microsoft Works
Microsoft Plus! Digital Media Edition Installer
PaperPort
Print Workshop 2006 LE
Dell System Restore
Zune Desktop Theme
mSCfg
Brother HL-2040
MSXML 4.0 SP2 (KB954430)
Intel® Graphics Media Accelerator Driver for Mobile
Corel Photo Album 6
mPfMgr
Microsoft Office PowerPoint Viewer 2003
mPfWiz
mZConfig
Brother MFL-Pro Suite
mDriver
Adobe® Photoshop® Album Starter Edition 3.2
Sonic RecordNow Audio
Adobe Reader 8.1.3
Sonic RecordNow Copy
Digital Content Portal
MSXML 4.0 SP2 (KB936181)
mToolkit
Microsoft .NET Framework 1.1
Ulead Photo Explorer 8.0 SE Basic
MCU
ArcSoft PhotoImpression 5
Ad-Aware
Dell Mobile Broadband Card Utility
Microsoft SQL Server Desktop Engine (MICROSOFTSMLBIZ)
Remote Printer Console
iTunes
Digital Line Detect
mCore
Microsoft IntelliPoint 5.5
mMHouse
TaxCut Oklahoma 2007
mDrWiFi
mWlsSafe
EPSON Print CD

======== Other Info ========

TOTAL PHYSICAL RAM: 1065 MB

#4 bamajim


Posted 23 January 2009 - 06:00 PM

miksar

I noticed that you had The Avenger installed previously. If you still have it, we are going to use it. If not, I have included the entire set of instructions to download and use the tool.

1. Please download The Avenger by Swandog46 to your Desktop.
  • Click on Avenger.zip to open the file
  • Extract avenger.exe to your desktop
    (How to extract (decompress) zipped or compressed files, help in the link here: )
2. Copy all the text contained in the bold below to your Clipboard by highlighting it and pressing (Ctrl+C):


Files to Delete:
C:\WINDOWS\system32\TDSSosvd.dat
C:\Documents and Settings\sarah\Application Data\Google\yfijv17721328.exe


Note: the above code was created specifically for this user. If you are not this user, do NOT follow these directions as they could damage the workings of your system.

3. Now, start The Avenger program by clicking on its icon on your desktop.
  • Select Load Script
  • Select Paste from Clipboard
  • The information should now appear in the Open window
  • Select Execute
  • Answer Yes when prompted "Are you sure you want to execute the current script?"
4. The Avenger will automatically do the following:
  • It will Restart your computer.
  • On reboot, it will briefly open a black command window on your desktop, this is normal.
  • After the restart, it creates a log file that should open with the results of Avenger’s actions. This log file will be located at C:\avenger.txt
  • The Avenger will also have backed up all the files, etc., that you asked it to delete, and will have zipped them and moved the zip archives to C:\avenger\backup.zip.
5. Please copy/paste the content of c:\avenger.txt into your reply

#5 miksar


Posted 25 January 2009 - 02:07 PM

Logfile of The Avenger Version 2.0, © by Swandog46
http://swandog46.geekstogo.com

Platform: Windows XP

*******************

Script file opened successfully.
Script file read successfully.

Backups directory opened successfully at C:\Avenger

*******************

Beginning to process script file:


Completed script processing.

*******************

Finished! Terminate.



Logfile of The Avenger Version 2.0, © by Swandog46
http://swandog46.geekstogo.com

Platform: Windows XP

*******************

Script file opened successfully.
Script file read successfully.

Backups directory opened successfully at C:\Avenger

*******************

Beginning to process script file:

File "C:\WINDOWS\system32\TDSSbrsr.dll" deleted successfully.
File "C:\WINDOWS\system32\TDSSoexh.dll" deleted successfully.
File "C:\WINDOWS\system32\TDSSriqp.dll" deleted successfully.
File "C:\WINDOWS\system32\drivers\TDSSpaxt.sys" deleted successfully.

Error: file "C:\WINDOWS\system32\drivers\svchost.exe" not found!
Deletion of file "C:\WINDOWS\system32\drivers\svchost.exe" failed!
Status: 0xc0000034 (STATUS_OBJECT_NAME_NOT_FOUND)
--> the object does not exist


Error: "C:\WINDOWS\system32\" is a folder, not a file!
Deletion of file "C:\WINDOWS\system32\" failed!
Status: 0xc00000ba (STATUS_FILE_IS_A_DIRECTORY)
--> use "Folders to delete:" instead of "Files to delete:" to delete a directory

File "C:\WINDOWS\system32\TDSScfum.dll" deleted successfully.
File "C:\WINDOWS\system32\TDSSlxwp.dll" deleted successfully.
File "C:\WINDOWS\system32\TDSStkdv.log" deleted successfully.

Completed script processing.

*******************

Finished! Terminate.



//////////////////////////////////////////
Avenger Pre-Processor log
//////////////////////////////////////////

Platform: Windows XP (build 2600, Service Pack 3)
Sun Jan 25 13:00:16 2009

13:00:16: Error: Invalid script. A valid script must begin with a command directive.
Aborting execution!


//////////////////////////////////////////


Logfile of The Avenger Version 2.0, © by Swandog46
http://swandog46.geekstogo.com

Platform: Windows XP

*******************

Script file opened successfully.
Script file read successfully.

Backups directory opened successfully at C:\Avenger

*******************

Beginning to process script file:

Rootkit scan active.
No rootkits found!

File "C:\WINDOWS\system32\TDSSosvd.dat" deleted successfully.
File "C:\Documents and Settings\sarah\Application Data\Google\yfijv17721328.exe" deleted successfully.

Completed script processing.

*******************

Finished! Terminate.

#6 bamajim


Posted 26 January 2009 - 10:36 AM

miksar

Good work. Rerun FileLister and post a fresh FileLister log (C:\Files.txt)

#7 miksar


Posted 26 January 2009 - 10:47 PM

+++++++++++++++++++++++++++++++++
+ File Lister Version 1.0.5
+
+ By bamajim / bamajim.com
+++++++++++++++++++++++++++++++++

Report ran on --->>> 1/26/2009 9:45:00 PM


====== Running Processes ======

C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Intel\Wireless\Bin\WLKeeper.exe
C:\WINDOWS\System32\WLTRYSVC.EXE
C:\WINDOWS\System32\bcmwltry.exe
C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\Documents and Settings\All Users\Application Data\EPSON\EPW!3 SSRP\E_S30RP1.EXE
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Microsoft SQL Server\MSSQL$MICROSOFTSMLBIZ\Binn\sqlservr.exe
C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\hkcmd.exe
C:\WINDOWS\system32\igfxpers.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\WINDOWS\system32\igfxsrvc.exe
C:\WINDOWS\stsystra.exe
C:\WINDOWS\system32\dla\tfswctrl.exe
C:\Program Files\Microsoft IntelliPoint\ipoint.exe
C:\WINDOWS\system32\WLTRAY.exe
C:\Program Files\Intel\Wireless\bin\ZCfgSvc.exe
C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\MySpace\IM\MySpaceIM.exe
C:\Program Files\MySpace\IM\MySpaceIM.exe
C:\Program Files\Intel\Wireless\Bin\Dot1XCfg.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\System32\WScript.exe

====== BHO's under HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\explorer\Browser Helper Objects ======

BHO: (NO NAME) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll

BHO: (NO NAME) - {3049C3E9-B461-4BC5-8870-4C09146192CA} - C:\Program Files\Real\RealPlayer\rpbrowserrecordplugin.dll

BHO: HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\explorer\Browser Helper Objects\{5CA3D70E-1895-11CF-8E15-001234567890}\ - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\system32\dla\tfswshx.dll

BHO: (NO NAME) - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre6\bin\ssv.dll

BHO: (NO NAME) - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll

BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll

====== Values under HKLM\~\Run ======

REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"igfxtray"="C:\\WINDOWS\\system32\\igfxtray.exe"
"igfxhkcmd"="C:\\WINDOWS\\system32\\hkcmd.exe"
"igfxpers"="C:\\WINDOWS\\system32\\igfxpers.exe"
"SunJavaUpdateSched"="\"C:\\Program Files\\Java\\jre6\\bin\\jusched.exe\""
"SynTPEnh"="C:\\Program Files\\Synaptics\\SynTP\\SynTPEnh.exe"
"SigmatelSysTrayApp"="stsystra.exe"
"dla"="C:\\WINDOWS\\system32\\dla\\tfswctrl.exe"
"IntelliPoint"="\"C:\\Program Files\\Microsoft IntelliPoint\\ipoint.exe\""
"Broadcom Wireless Manager UI"="C:\\WINDOWS\\system32\\WLTRAY.exe"
"IntelZeroConfig"="\"C:\\Program Files\\Intel\\Wireless\\bin\\ZCfgSvc.exe\""
"IntelWireless"="\"C:\\Program Files\\Intel\\Wireless\\Bin\\ifrmewrk.exe\" /tf Intel PROSet/Wireless"
"QuickTime Task"="\"C:\\Program Files\\QuickTime\\qttask.exe\" -atboottime"
"TkBellExe"="\"C:\\Program Files\\Common Files\\Real\\Update_OB\\realsched.exe\" -osboot"
"Adobe Reader Speed Launcher"="\"C:\\Program Files\\Adobe\\Reader 8.0\\Reader\\Reader_sl.exe\""
"wclock"="\"C:\\Documents and Settings\\sarah\\Application Data\\Google\\yfijv17721328.exe\" 2"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents]
@=""

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\IMAIL]
"Installed"="1"
@=""

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\MAPI]
"NoChange"="1"
"Installed"="1"
@=""

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\MSFS]
"Installed"="1"
@=""


====== Values under HKCU\~\Run ======

REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\\WINDOWS\\system32\\ctfmon.exe"
"MySpaceIM"="C:\\Program Files\\MySpace\\IM\\MySpaceIM.exe"


====== Folders and Files from "%\" and "%\Windows" Created Last 60 Days ======

1/11/2009 11:34:10 PM 255456 C:\Avenger
1/11/2009 9:46:50 PM 0 C:\VundoFix Backups
1/11/2009 11:34:09 PM 5384 32 C:\avenger.txt
1/23/2009 11:16:56 AM 4508 32 C:\Files.txt
1/11/2009 10:49:12 PM 1064763392 38 C:\hiberfil.sys
1/11/2009 9:46:50 PM 397 32 C:\VundoFix.txt
12/12/2008 1:28:20 PM 4112458 C:\WINDOWS\$NtUninstallKB952069_WM9$
12/12/2008 1:28:20 PM 622666 C:\WINDOWS\$NtUninstallKB952069_WM9$\spuninst
12/12/2008 1:27:27 PM 868684 C:\WINDOWS\$NtUninstallKB954600$
12/12/2008 1:27:27 PM 621870 C:\WINDOWS\$NtUninstallKB954600$\spuninst
12/12/2008 1:30:42 PM 683064 C:\WINDOWS\$NtUninstallKB955839$
12/12/2008 1:30:42 PM 622648 C:\WINDOWS\$NtUninstallKB955839$\spuninst
12/12/2008 1:27:17 PM 906919 C:\WINDOWS\$NtUninstallKB956802$
12/12/2008 1:27:17 PM 621735 C:\WINDOWS\$NtUninstallKB956802$\spuninst
1/14/2009 5:34:02 PM 955990 C:\WINDOWS\$NtUninstallKB958687$
1/14/2009 5:34:02 PM 622166 C:\WINDOWS\$NtUninstallKB958687$\spuninst
1/11/2009 11:46:35 PM 0 C:\WINDOWS\PIF
12/12/2008 1:28:19 PM 10692 32 C:\WINDOWS\KB952069.log
12/12/2008 1:27:26 PM 7468 32 C:\WINDOWS\KB954600.log
12/11/2008 7:11:32 PM 32703 32 C:\WINDOWS\KB955839.log
12/11/2008 7:08:20 PM 12955 32 C:\WINDOWS\KB956802.log
12/12/2008 1:30:08 PM 19086 32 C:\WINDOWS\KB958215-IE7.log
1/14/2009 5:32:54 PM 7434 32 C:\WINDOWS\KB958687.log
12/17/2008 8:26:55 PM 8182 32 C:\WINDOWS\KB960714-IE7.log
1/11/2009 8:56:56 PM 157758 32 C:\WINDOWS\ntbtlog.txt
12/9/2008 7:52:37 PM 403 32 C:\WINDOWS\wmsetup.log
1/23/2009 9:13:17 PM 754 32 C:\WINDOWS\WORDPAD.INI
12/21/2008 11:29:36 PM 410984 32 C:\WINDOWS\system32\deploytk.dll
12/21/2008 11:29:36 PM 144792 32 C:\WINDOWS\system32\java.exe
12/21/2008 11:29:36 PM 144792 32 C:\WINDOWS\system32\javaw.exe
12/21/2008 11:29:36 PM 148888 32 C:\WINDOWS\system32\javaws.exe

====== Files under "\Administrator\Startup" Last 60 Days======


====== Files under "\All Users\Startup" Last 60 Days======


====== Folders under "\Program Files" Last 60 Days======

1/11/2009 11:37:52 PM 4082286 C:\Program Files\Malwarebytes' Anti-Malware
1/11/2009 11:37:53 PM 349316 C:\Program Files\Malwarebytes' Anti-Malware\Languages

====== Files under "\System32\Drivers" Last 60 Days======

1/11/2009 11:37:56 PM 15504 32 C:\WINDOWS\system32\drivers\mbam.sys
1/11/2009 11:37:53 PM 38496 32 C:\WINDOWS\system32\drivers\mbamswissarmy.sys

====== Files Deleted under "%Temp%" ======

C:\DOCUME~1\sarah\LOCALS~1\Temp\atb24.tmp
C:\DOCUME~1\sarah\LOCALS~1\Temp\etilqs_CadmGPhHLppJdyAtVHBi
C:\DOCUME~1\sarah\LOCALS~1\Temp\g0w23.tmp
C:\DOCUME~1\sarah\LOCALS~1\Temp\jusched.log
C:\DOCUME~1\sarah\LOCALS~1\Temp\m0d21.tmp
C:\DOCUME~1\sarah\LOCALS~1\Temp\m1829.tmp
C:\DOCUME~1\sarah\LOCALS~1\Temp\nmm22.tmp
C:\DOCUME~1\sarah\LOCALS~1\Temp\qy128.tmp
C:\DOCUME~1\sarah\LOCALS~1\Temp\tsj25.tmp
C:\DOCUME~1\sarah\LOCALS~1\Temp\Walk_in_Fridge.wmv
C:\DOCUME~1\sarah\LOCALS~1\Temp\wmplog00.sqm
C:\DOCUME~1\sarah\LOCALS~1\Temp\wmplog01.sqm
C:\DOCUME~1\sarah\LOCALS~1\Temp\y2o26.tmp
C:\DOCUME~1\sarah\LOCALS~1\Temp\z5v27.tmp
C:\DOCUME~1\sarah\LOCALS~1\Temp\~DF10F2.tmp
C:\DOCUME~1\sarah\LOCALS~1\Temp\~DF2DEE.tmp
C:\DOCUME~1\sarah\LOCALS~1\Temp\~DF7BB2.tmp
C:\DOCUME~1\sarah\LOCALS~1\Temp\~DF9CA.tmp

18 Files deleted

====== Files and Folders under "All Users\Application Data" Last 60 Days======

12/23/2008 12:07:16 AM 1339677 C:\Documents and Settings\All Users\Application Data\Malwarebytes
12/23/2008 12:07:16 AM 1339677 C:\Documents and Settings\All Users\Application Data\Malwarebytes\Malwarebytes' Anti-Malware

====== Possible Rootkit Scan (Note: Items listed here are not necessarily bad)======


====== Values under HKLM\Software\microsoft\shared tools\msconfig\startupreg ======

====== Services ( Services that are Whitelisted are not shown) ======

EPSON V3 Service4(01) (EPSON_PM_RPCV4_01) C:\Documents and Settings\All Users\Application Data\EPSON\EPW!3 SSRP\E_S30RP1.EXE - Auto
Java Quick Starter (JavaQuickStarterService) "C:\Program Files\Java\jre6\bin\jqs.exe" -service -config "C:\Program Files\Java\jre6\lib\deploy\jqs\jqs.conf" - Auto
MSSQL$MICROSOFTSMLBIZ (MSSQL$MICROSOFTSMLBIZ) "C:\Program Files\Microsoft SQL Server\MSSQL$MICROSOFTSMLBIZ\Binn\sqlservr.exe" -sMICROSOFTSMLBIZ - Auto
MSSQLServerADHelper (MSSQLServerADHelper) "C:\Program Files\Microsoft SQL Server\80\Tools\Binn\sqladhlp.exe" - Manual
Intel® PROSet/Wireless Registry Service (RegSrvc) C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe - Auto
SQLAgent$MICROSOFTSMLBIZ (SQLAgent$MICROSOFTSMLBIZ) "C:\Program Files\Microsoft SQL Server\MSSQL$MICROSOFTSMLBIZ\Binn\sqlagent.EXE" -i MICROSOFTSMLBIZ - Manual
Intel® PROSet/Wireless SSO Service (WLANKEEPER) C:\Program Files\Intel\Wireless\Bin\WLKeeper.exe - Auto
Dell Wireless WLAN Tray Service (wltrysvc) C:\WINDOWS\System32\WLTRYSVC.EXE C:\WINDOWS\System32\bcmwltry.exe - Auto

====== Uninstall List From Registry ======

Adobe Flash Player 10 Plugin
Adobe Shockwave Player
Adobe® Photoshop® Album Starter Edition 3.2
AVG Anti-Spyware 7.5
Dell Wireless WLAN Card
CCleaner (remove only)
Conexant HDA D110 MDC V.92 Modem
Dell Digital Jukebox Driver
EPSON Printer Software
HijackThis 2.0.2
I-News
Microsoft Internationalized Domain Names Mitigation APIs
Windows Internet Explorer 7
IrfanView (remove only)
Windows Genuine Advantage Validation Tool (KB892130)
Windows Installer 3.1 (KB893803)
Security Update for Windows Media Player (KB911564)
Security Update for Windows Internet Explorer 7 (KB928090)
Security Update for Windows Internet Explorer 7 (KB929969)
Security Update for Windows Internet Explorer 7 (KB931768)
Security Update for Windows Internet Explorer 7 (KB933566)
Security Update for Windows Internet Explorer 7 (KB937143)
Security Update for Windows Internet Explorer 7 (KB938127)
Security Update for Windows Internet Explorer 7 (KB939653)
Security Update for Windows Internet Explorer 7 (KB942615)
Security Update for Windows Internet Explorer 7 (KB944533)
Hotfix for Windows Internet Explorer 7 (KB947864)
Hotfix 2050 for SQL Server 2000 ENU (KB948110)
Security Update for Windows Internet Explorer 7 (KB950759)
Security Update for Windows Media Player (KB952069)
Security Update for Windows Internet Explorer 7 (KB953838)
Security Update for Windows XP (KB954459)
Security Update for Windows XP (KB954600)
Security Update for Windows XP (KB955069)
Update for Windows XP (KB955839)
Security Update for Windows Internet Explorer 7 (KB956390)
Security Update for Windows XP (KB956802)
Security Update for Windows XP (KB957097)
Security Update for Windows Internet Explorer 7 (KB958215)
Security Update for Windows XP (KB958687)
Security Update for Windows Internet Explorer 7 (KB960714)
Microsoft .NET Framework 1.1 Hotfix (KB928366)
Malwarebytes' Anti-Malware
Microsoft .NET Framework 1.1
Mozilla Firefox (3.0.5)
Microsoft Compression Client Pack 1.0 for Windows XP
MySpaceIM
Microsoft National Language Support Downlevel APIs
Omni keypad driver 5.0
OmniMouse Driver 3.82
Pdf995 (installed by TaxCut)
PdfEdit995 (installed by TaxCut)
Intel® PROSet/Wireless Software
RealPlayer
Security Task Manager 1.7e
EPSON Stylus Photo R260 User's Guide
Simple Family Tree (remove only)
Business Inventory Manager Pro
Synaptics Pointing Device Driver
Viewpoint Media Player
WebCyberCoach 3.2 Dell
Windows Genuine Advantage Validation Tool (KB892130)
Windows Genuine Advantage Notifications (KB905474)
Windows Media Format 11 runtime
Windows Media Player 11
Windows XP Service Pack 3
WinZip Self-Extractor
Windows Media Format 11 runtime
Windows Media Player 11
Microsoft User-Mode Driver Framework Feature Pack 1.0
AT&T Yahoo! Applications
mSSO
Sonic RecordNow Data
MSXML 6.0 Parser (KB933579)
mLogView
Microsoft Plus! Photo Story 2 LE
Sonic DLA
Rhapsody Player Engine
mProSafe
Java™ 6 Update 11
Broadcom Management Programs
Sonic Update Manager
J2SE Runtime Environment 5.0 Update 6
J2SE Runtime Environment 5.0 Update 9
J2SE Runtime Environment 5.0 Update 10
J2SE Runtime Environment 5.0 Update 11
Java™ SE Runtime Environment 6 Update 1
Java™ 6 Update 2
Java™ 6 Update 3
Java™ 6 Update 5
Java™ 6 Update 7
Windows Media Player 10
WebFldrs XP
MSXML 4.0 SP2 (KB927978)
ArcSoft PhotoStudio 5.5
mIWA
NetWaiting
mHlpDell
Dell Support 3.1
Dell Driver Reset Tool
QuickTime
mWMI
TaxCut Premium + State 2007
PowerDVD 5.5
Microsoft Works
Microsoft Plus! Digital Media Edition Installer
PaperPort
Print Workshop 2006 LE
Dell System Restore
Zune Desktop Theme
mSCfg
Brother HL-2040
MSXML 4.0 SP2 (KB954430)
Intel® Graphics Media Accelerator Driver for Mobile
Corel Photo Album 6
mPfMgr
Microsoft Office PowerPoint Viewer 2003
mPfWiz
mZConfig
Brother MFL-Pro Suite
mDriver
Adobe® Photoshop® Album Starter Edition 3.2
Sonic RecordNow Audio
Adobe Reader 8.1.3
Sonic RecordNow Copy
Digital Content Portal
MSXML 4.0 SP2 (KB936181)
mToolkit
Microsoft .NET Framework 1.1
Ulead Photo Explorer 8.0 SE Basic
MCU
ArcSoft PhotoImpression 5
Ad-Aware
Dell Mobile Broadband Card Utility
Microsoft SQL Server Desktop Engine (MICROSOFTSMLBIZ)
Remote Printer Console
iTunes
Digital Line Detect
mCore
Microsoft IntelliPoint 5.5
mMHouse
TaxCut Oklahoma 2007
mDrWiFi
mWlsSafe
EPSON Print CD

======== Other Info ========

TOTAL PHYSICAL RAM: 1065 MB

#8 bamajim


Posted 27 January 2009 - 10:10 AM

miksar

Good work. That looks good.

Rerun HijackThis and post a fresh HijackThis log.
Microsoft MVP - Windows Security

#9 miksar


Posted 31 January 2009 - 02:32 AM

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 1:30:27 AM, on 1/31/2009
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16762)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Intel\Wireless\Bin\WLKeeper.exe
C:\WINDOWS\System32\WLTRYSVC.EXE
C:\WINDOWS\System32\bcmwltry.exe
C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\Documents and Settings\All Users\Application Data\EPSON\EPW!3 SSRP\E_S30RP1.EXE
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Microsoft SQL Server\MSSQL$MICROSOFTSMLBIZ\Binn\sqlservr.exe
C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\igfxsrvc.exe
C:\WINDOWS\system32\hkcmd.exe
C:\WINDOWS\system32\igfxpers.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\WINDOWS\stsystra.exe
C:\WINDOWS\system32\dla\tfswctrl.exe
C:\Program Files\Microsoft IntelliPoint\ipoint.exe
C:\WINDOWS\system32\WLTRAY.exe
C:\Program Files\Intel\Wireless\bin\ZCfgSvc.exe
C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\MySpace\IM\MySpaceIM.exe
C:\Program Files\MySpace\IM\MySpaceIM.exe
C:\Program Files\Intel\Wireless\Bin\Dot1XCfg.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: RealPlayer Download and Record Plugin for Internet Explorer - {3049C3E9-B461-4BC5-8870-4C09146192CA} - C:\Program Files\Real\RealPlayer\rpbrowserrecordplugin.dll
O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\system32\dla\tfswshx.dll
O2 - BHO: Java™ Plug-In SSV Helper - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre6\bin\ssv.dll
O2 - BHO: Java™ Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O4 - HKLM\..\Run: [igfxtray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [igfxhkcmd] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [igfxpers] C:\WINDOWS\system32\igfxpers.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [SigmatelSysTrayApp] stsystra.exe
O4 - HKLM\..\Run: [dla] C:\WINDOWS\system32\dla\tfswctrl.exe
O4 - HKLM\..\Run: [IntelliPoint] "C:\Program Files\Microsoft IntelliPoint\ipoint.exe"
O4 - HKLM\..\Run: [Broadcom Wireless Manager UI] C:\WINDOWS\system32\WLTRAY.exe
O4 - HKLM\..\Run: [IntelZeroConfig] "C:\Program Files\Intel\Wireless\bin\ZCfgSvc.exe"
O4 - HKLM\..\Run: [IntelWireless] "C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe" /tf Intel PROSet/Wireless
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [MySpaceIM] C:\Program Files\MySpace\IM\MySpaceIM.exe
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {193C772A-87BE-4B19-A7BB-445B226FE9A1} (ewidoOnlineScan Control) - http://downloads.ewido.net/ewidoOnlineScan.cab
O16 - DPF: {48DD0448-9209-4F81-9F6D-D83562940134} (MySpace Uploader Control) - http://lads.myspace.com/upload/MySpaceUploader1006.cab
O16 - DPF: {55027008-315F-4F45-BBC3-8BE119764741} (Slide Image Uploader Control) - http://static.slide.com/uploader/SlideImageUploader.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.microsoft.com/microsoftu...b?1209248121468
O23 - Service: Lavasoft Ad-Aware Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
O23 - Service: AVG Anti-Spyware Guard - GRISOFT s.r.o. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: EPSON V3 Service4(01) (EPSON_PM_RPCV4_01) - SEIKO EPSON CORPORATION - C:\Documents and Settings\All Users\Application Data\EPSON\EPW!3 SSRP\E_S30RP1.EXE
O23 - Service: Intel® PROSet/Wireless Event Log (EvtEng) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: Machine Debug Manager (MDM) - Unknown owner - C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE (file missing)
O23 - Service: Intel® PROSet/Wireless Registry Service (RegSrvc) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
O23 - Service: Intel® PROSet/Wireless Service (S24EventMonitor) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
O23 - Service: Intel® PROSet/Wireless SSO Service (WLANKEEPER) - Intel® Corporation - C:\Program Files\Intel\Wireless\Bin\WLKeeper.exe
O23 - Service: Dell Wireless WLAN Tray Service (wltrysvc) - Unknown owner - C:\WINDOWS\System32\WLTRYSVC.EXE

--
End of file - 6804 bytes

#10 bamajim


Posted 02 February 2009 - 09:13 AM

miksar

Excellent

How's your PC running now?
Microsoft MVP - Windows Security

#11 miksar


Posted 05 February 2009 - 04:55 PM

So much better, thank you for your help and God Bless!!

#12 bamajim


Posted 09 February 2009 - 01:44 PM

miksar

You are most welcome

You may now remove/delete/uninstall the tools we used to clean your PC

Now that your log is clean, there are some final notes:

Let's create a clean System Restore point.
The instructions are here.

Your Java is out of date. Older versions have vulnerabilities that malware can use to infect your system.
Please follow these steps to remove older version Java components and update.

Updating Java:
Download the latest version of Java Runtime Environment (JRE) 6.u11.
Scroll down to where it says "The J2SE Runtime Environment (JRE) allows end-users to run Java applications".
Click the "Download" button to the right.
Check the box that says: "Accept License Agreement".
The page will refresh.
Click on the link to download Windows Offline Installation with or without Multi-language and save to your desktop.
Close any programs you may have running, especially your web browser.
Go to Start > Control Panel, double-click on Add/Remove Programs and remove all older versions of Java.
Check any item with Java Runtime Environment (JRE or J2SE) in the name.
Click the Remove or Change/Remove button.
Repeat as many times as necessary to remove each Java version.
Reboot your computer once all Java components are removed.
Then from your desktop double-click on jre-6u11-windowsi586-p.exe to install the newest version.

Update your Anti-Virus Software

Use and maintain a Firewall

Visit Microsoft's Windows Update Site frequently for critical updates

Back up your important documents and files on a regular basis, to a disc or a USB key, not your hard drive.

You may want to read this article: "So how did I get infected in the first place" by Tony Klein

surf safe
Microsoft MVP - Windows Security
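
The Java clean-up advice in the post above, as an added example that is not part of the original thread: a Python sketch that reads an uninstall list like the one posted earlier and reports which Java runtime entries are older than the newest one installed. The sample list is constructed from entries in that log; the function names and the display-name patterns are assumptions.

```python
import re

# Sample uninstall list, constructed from Java entries in the log posted
# earlier in this thread plus two unrelated entries.
SAMPLE_UNINSTALL_LIST = """\
Adobe Reader 8.1.3
Java™ 6 Update 11
J2SE Runtime Environment 5.0 Update 6
J2SE Runtime Environment 5.0 Update 9
J2SE Runtime Environment 5.0 Update 10
J2SE Runtime Environment 5.0 Update 11
Java™ SE Runtime Environment 6 Update 1
Java™ 6 Update 2
Java™ 6 Update 3
Java™ 6 Update 5
Java™ 6 Update 7
Mozilla Firefox (3.0.5)
"""

# Assumed display-name patterns (taken from the names seen in the log):
#   "J2SE Runtime Environment 5.0 Update 6"
#   "Java(TM) 6 Update 11" / "Java(TM) SE Runtime Environment 6 Update 1"
_JAVA_RE = re.compile(
    r"^(?:J2SE Runtime Environment|Java(?:™|\(TM\))?(?: SE Runtime Environment)?)"
    r"\s+(?P<major>\d+)(?:\.\d+)?"
    r"(?:\s+Update\s+(?P<update>\d+))?\s*$",
    re.IGNORECASE,
)


def parse_java_entry(name):
    """Return (major, update) for a Java runtime display name, else None."""
    m = _JAVA_RE.match(name.strip())
    if not m:
        return None
    return int(m.group("major")), int(m.group("update") or 0)


def stale_java_entries(uninstall_text):
    """Split Java entries into (newest, older) by (major, update) version."""
    found = []
    for line in uninstall_text.splitlines():
        version = parse_java_entry(line)
        if version is not None:
            found.append((version, line.strip()))
    if not found:
        return None, []
    found.sort()
    newest_version, newest = found[-1]
    # Entries with the same version as the newest are not reported as stale.
    older = [name for version, name in found if version < newest_version]
    return newest, older


if __name__ == "__main__":
    newest, older = stale_java_entries(SAMPLE_UNINSTALL_LIST)
    print("Newest installed:", newest)
    for name in older:
        print("Remove:", name)
```
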



