
possible malware infection and extras!


This topic is locked. 25 replies to this topic.

#1 diesellady80

Posted 26 February 2009 - 09:37 PM

Every day it is freezing up, like when I want to look at a myspace profile, or images on yahoo etc. My mouse won't even move. It is also 'experiencing' internet problems, causing it to end my internet browsing abruptly.

I have used HJT, MBAM, SuperAntiSpyware, and I was sent to see the BIG GUNS (that's you)!




DDS (Ver_09-02-01.01) - NTFSx86
Run by Owner at 21:29:06.00 on Thu 02/26/2009
Internet Explorer: 8.0.6001.18372
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.247.39 [GMT -5:00]


============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
svchost.exe
svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\$sys$filesystem\$sys$DRMServer.exe
C:\WINDOWS\CDProxyServ.exe
C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\WINDOWS\System32\svchost.exe -k imgsvc
C:\Program Files\Java\jre6\bin\jusched.exe
C:\Program Files\D-Link AirPlus G\AirPlus.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Documents and Settings\Owner\Desktop\dds.scr

============== Pseudo HJT Report ===============

uStart Page = hxxp://www.yahoo.com/
uInternet Settings,ProxyOverride = localhost
BHO: {02478D38-C3F9-4efb-9B51-7695ECA05670} - No File
BHO: NoExplorer - No File
BHO: Adobe PDF Reader Link Helper: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\adobe\acrobat 7.0\activex\AcroIEHelper.dll
{2b17736a-6f33-4228-840b-453077019e4f}
BHO: Yahoo! IE Services Button: {5bab4b5b-68bc-4b02-94d6-2fc0de4a7897} - c:\program files\yahoo!\common\yiesrvc.dll
BHO: Java™ Plug-In SSV Helper: {761497bb-d6f0-462c-b6eb-d4daf1d92d43} - c:\program files\java\jre6\bin\ssv.dll
BHO: {a34e5e00-fe62-4318-a2ec-4e16e5f9068d}: {d8609f5e-61e4-ce2a-8134-26ef00e5e43a}
BHO: Google Toolbar Notifier BHO: {af69de43-7d58-4638-b6fa-ce66b5ad205d} - c:\program files\google\googletoolbarnotifier\4.1.805.4472\swg.dll
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: FlashFXP Helper for Internet Explorer: {e5a1691b-d188-4419-ad02-90002030b8ee} - c:\progra~1\flashfxp\IEFlash.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
TB: {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - No File
TB: {EF99BD32-C1FB-11D2-892F-0090271D4F88} - No File
TB: {B2847E28-5D7D-4DEB-8B67-05D28BCF79F5} - No File
EB: &Yahoo! Messenger: {4528bbe0-4e08-11d5-ad55-00010333d0ad} - c:\progra~1\yahoo!\common\yhexbmesus.dll
EB: hp view: {8f4902b6-6c04-4ade-8052-aa58578a21bd} - c:\windows\system32\Shdocvw.dll
EB: {32683183-48a0-441b-a342-7c2a440a9478} - No File
mRun: [UserFaultCheck] %systemroot%\system32\dumprep 0 -u
mRun: [QuickTime Task] "c:\program files\quicktime\qttask.exe" -atboottime
mRun: [SunJavaUpdateSched] "c:\program files\java\jre6\bin\jusched.exe"
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\d-link~1.lnk - c:\program files\d-link airplus g\AirPlus.exe
uPolicies-explorer: DisableLocalUserRun = 0 (0x0)
mPolicies-explorer: DisableLocalMachineRun = 0 (0x0)
IE: &AOL Toolbar search - c:\program files\aol toolbar\toolbar.dll/SEARCH.HTML
IE: &Yahoo! Search - file:///c:\program files\yahoo!\Common/ycsrch.htm
IE: Add To HP Organize... - c:\progra~1\hewlet~1\hporga~1\bin\core.hp.main\SendTo.html
IE: E&xport to Microsoft Excel - c:\progra~1\mi1933~1\office12\EXCEL.EXE/3000
IE: Easy-WebPrint Add To Print List - c:\program files\canon\easy-webprint\Resource.dll/RC_AddToList.html
IE: Easy-WebPrint High Speed Print - c:\program files\canon\easy-webprint\Resource.dll/RC_HSPrint.html
IE: Easy-WebPrint Preview - c:\program files\canon\easy-webprint\Resource.dll/RC_Preview.html
IE: Easy-WebPrint Print - c:\program files\canon\easy-webprint\Resource.dll/RC_Print.html
IE: Yahoo! &Dictionary - file:///c:\program files\yahoo!\Common/ycdict.htm
IE: Yahoo! &Maps - file:///c:\program files\yahoo!\Common/ycmap.htm
IE: Yahoo! &SMS - file:///c:\program files\yahoo!\Common/ycsms.htm
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - c:\program files\yahoo!\common\yiesrvc.dll
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\mi1933~1\office11\REFIEBAR.DLL
Trusted Zone: bankatlantic.com\www
Trusted Zone: ebay.com\buy
Trusted Zone: ebay.com\cgi
Trusted Zone: ebay.com\cgi5
Trusted Zone: ebay.com\contact
Trusted Zone: ebay.com\feedback
Trusted Zone: ebay.com\my
Trusted Zone: ebay.com\offer
Trusted Zone: ebay.com\payments
Trusted Zone: ebay.com\search
Trusted Zone: ebay.com\sell
Trusted Zone: ebay.com\signin
Trusted Zone: fimserve.com\deeb.opt
Trusted Zone: fimserve.com\delb.opt
Trusted Zone: fimserve.com\demr.opt
Trusted Zone: fimserve.com\desb.opt
Trusted Zone: fmrserve.com\demr.opt
Trusted Zone: fmrsrve.com\demr.opt
Trusted Zone: google.com\images
Trusted Zone: google.com\www
Trusted Zone: k12.fl.us\sub.pasco
Trusted Zone: lewww.com\www.fusker
Trusted Zone: msplinks.com\www
Trusted Zone: myspace.com
Trusted Zone: myspace.com\blog
Trusted Zone: myspace.com\BRowseusers
Trusted Zone: myspace.com\bulletin
Trusted Zone: myspace.com\collect
Trusted Zone: myspace.com\comment
Trusted Zone: myspace.com\comments
Trusted Zone: myspace.com\demr
Trusted Zone: myspace.com\editprofile
Trusted Zone: myspace.com\home
Trusted Zone: myspace.com\home8
Trusted Zone: myspace.com\login
Trusted Zone: myspace.com\login2
Trusted Zone: myspace.com\mail
Trusted Zone: myspace.com\messaging
Trusted Zone: myspace.com\photo
Trusted Zone: myspace.com\profile
Trusted Zone: myspace.com\profileedit
Trusted Zone: myspace.com\search
Trusted Zone: myspace.com\viewmorepics
Trusted Zone: myspace.com\www
Trusted Zone: paypal.com\www
Trusted Zone: photobucket.com
Trusted Zone: photobucket.com\www
Trusted Zone: yahoo.com\login
Trusted Zone: yahoo.com\us.mc314.mail
Trusted Zone: yahoo.com\www
DPF: {02A2D714-433E-46E4-B217-7C3B3FAF8EAE} - hxxp://www.worldwinner.com/games/v46/scrabblecubes/scrabblecubes.cab
DPF: {17492023-C23A-453E-A040-C7C580BBF700} - hxxp://download.microsoft.com/download/8/b/d/8bd77752-5704-4d68-a152-f7252adaa4f2/LegitCheckControl.cab
DPF: {1A1F56AA-3401-46F9-B277-D57F3421F821} - hxxp://www.worldwinner.com/games/v46/shared/FunGamesLoader.cab
DPF: {233C1507-6A77-46A4-9443-F871F945D258} - hxxp://download.macromedia.com/pub/shockwave/cabs/director/sw.cab
DPF: {238F6F83-B8B4-11CF-8771-00A024541EE3} - hxxp://a516.g.akamai.net/f/516/25175/7d/runaware.download.akamai.com/25175/citrix/wficat-no-eula.cab
DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} - c:\program files\yahoo!\common\yinsthelper.dll
DPF: {33E54F7F-561C-49E6-929B-D7E76D3AFEB1} - hxxp://www.worldwinner.com/games/v50/pool/pool.cab
DPF: {406B5949-7190-4245-91A9-30A17DE16AD0} - hxxp://photo2.walgreens.com/WalgreensActivia.cab
DPF: {48DD0448-9209-4F81-9F6D-D83562940134} - hxxp://lads.myspace.com/upload/MySpaceUploader1005.cab
DPF: {62969CF2-0F7A-433B-A221-FD8818C06C2F} - hxxp://www.worldwinner.com/games/v49/blockwerx/blockwerx.cab
DPF: {6C6FE41A-0DA6-42A1-9AD8-792026B2B2A7} - hxxp://www.worldwinner.com/games/v41/freecell/freecell.cab
DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} - hxxp://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1178583255171
DPF: {8A94C905-FF9D-43B6-8708-F0F22D22B1CB} - hxxp://www.worldwinner.com/games/shared/wwlaunch.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_11-windows-i586.cab
DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} - hxxp://fpdownload.macromedia.com/get/flashplayer/current/ultrashim.cab
DPF: {94299420-321F-4FF9-A247-62A23EBB640B} - hxxp://www.worldwinner.com/games/v46/wordmojo/wordmojo.cab
DPF: {97438FE9-D361-4279-BA82-98CC0877A717} - hxxp://www.worldwinner.com/games/v57/cubis/cubis.cab
DPF: {AC2881FD-5760-46DB-83AE-20A5C6432A7E} - hxxp://www.worldwinner.com/games/v67/swapit/swapit.cab
DPF: {B06CE1BC-5D9D-4676-BD28-1752DBF394E0} - hxxp://www.worldwinner.com/games/v41/hangman/hangman.cab
DPF: {C93C1C34-CEA9-49B1-9046-040F59E0E0D8} - hxxp://www.worldwinner.com/games/v43/paint/paint.cab
DPF: {CAFEEFAC-0014-0002-0003-ABCDEFFEDCBA} - hxxp://java.sun.com/products/plugin/autodl/jinstall-142-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0011-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_11-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_11-windows-i586.cab
DPF: {D0C0F75C-683A-4390-A791-1ACFD5599AB8} - hxxp://games.myspace.com/Gameshell/GameHost/1.0/OberonGameHost.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://fpdownload.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
DPF: {F137B9BA-89EA-4B04-9C67-2074A9DF61FD} - hxxp://cvs.pnimedia.com/upload/activex/v2_0_0_11/PCAXSetupv2.0.0.11.cab?
Handler: cetihpz - {CF184AD3-CDCB-4168-A3F7-8E447D129300} - c:\program files\hp\hpcoretech\comp\hpuiprot.dll
Notify: !SASWinLogon - c:\program files\superantispyware\SASWINLO.dll
Notify: igfxcui - igfxsrvc.dll
Notify: WRNotifier - WRLogonNTF.dll
SEH: SABShellExecuteHook Class: {5ae067d3-9afb-48e0-853a-ebb7f4a000da} - c:\program files\superantispyware\SASSEH.DLL
LSA: Notification Packages = :\windows\system32\srrst

============= SERVICES / DRIVERS ===============

R0 $sys$cor;$sys$cor;c:\windows\system32\drivers\$sys$cor.sys [2004-10-6 10368]
R1 $sys$crater;$sys$crater;c:\windows\system32\$sys$filesystem\crater.sys [2004-10-7 11776]
R1 SASDIFSV;SASDIFSV;c:\program files\superantispyware\sasdifsv.sys [2009-2-17 8944]
R1 SASKUTIL;SASKUTIL;c:\program files\superantispyware\SASKUTIL.SYS [2009-2-17 55024]
R2 $sys$DRMServer;Plug and Play Device Manager;c:\windows\system32\$sys$filesystem\$sys$DRMServer.exe [2004-6-22 307200]
R2 CD_Proxy;XCP CD Proxy;c:\windows\CDProxyServ.exe [2004-6-22 167936]
R3 W8100PCI;D-Link AirPlus G Wireless Driver;c:\windows\system32\drivers\MRV8K51.sys [2008-11-22 297984]
S3 pnicml;pnicml;\??\c:\docume~1\owner\locals~1\temp\pnicml.sys --> c:\docume~1\owner\locals~1\temp\pnicml.sys [?]
S3 SASENUM;SASENUM;c:\program files\superantispyware\SASENUM.SYS [2009-2-17 7408]

============== File Associations ===============

regfile=*** no open command defined ***

=============== Created Last 30 ================

2009-02-25 20:01 <DIR> -cd----- c:\docume~1\alluse~1\applic~1\SUPERAntiSpyware.com
2009-02-25 20:01 <DIR> -cd----- c:\docume~1\owner\applic~1\SUPERAntiSpyware.com
2009-02-25 20:01 <DIR> --d----- c:\program files\SUPERAntiSpyware
2009-02-25 19:59 <DIR> --d----- c:\program files\common files\Wise Installation Wizard
2009-02-24 21:12 <DIR> -cd----- c:\docume~1\owner\applic~1\Malwarebytes
2009-02-24 21:12 15,504 a------- c:\windows\system32\drivers\mbam.sys
2009-02-24 21:12 38,496 a------- c:\windows\system32\drivers\mbamswissarmy.sys
2009-02-24 21:12 <DIR> -cd----- c:\docume~1\alluse~1\applic~1\Malwarebytes
2009-02-24 21:12 <DIR> --d----- c:\program files\Malwarebytes' Anti-Malware
2009-02-24 18:28 <DIR> --d----- c:\windows\system32\FxsTmp
2009-02-24 18:27 31,744 ac------ c:\windows\system32\dllcache\fxsroute.dll
2009-02-24 18:27 11,264 ac------ c:\windows\system32\dllcache\fxssend.exe
2009-02-24 18:27 31,744 a------- c:\windows\system32\fxsroute.dll
2009-02-24 18:27 11,264 a------- c:\windows\system32\fxssend.exe
2009-02-24 18:27 1,793 a------- c:\windows\system32\fxsperf.ini
2009-02-24 18:27 1,361 a------- c:\windows\system32\fxscount.h
2009-02-24 18:27 132,608 ac------ c:\windows\system32\dllcache\fxsclntr.dll
2009-02-24 18:27 132,608 a------- c:\windows\system32\fxsclntR.dll
2009-02-24 18:27 111,104 ac------ c:\windows\system32\dllcache\fxscfgwz.dll
2009-02-24 18:27 111,104 a------- c:\windows\system32\fxscfgwz.dll
2009-02-22 18:01 <DIR> --d----- c:\program files\Trend Micro
2009-02-09 20:31 <DIR> --d----- c:\program files\CCleaner
2009-02-04 17:13 <DIR> -cd----- c:\docume~1\owner\applic~1\RedMercury
2009-02-04 17:04 <DIR> --d----- c:\program files\Free Window Registry Repair
2009-02-04 16:51 45 a------- c:\windows\system32\RPVersion.ini
2009-02-04 16:47 <DIR> --d----- c:\program files\RegistryPatrol3.0
2009-01-31 09:15 410,984 a------- c:\windows\system32\deploytk.dll
2009-01-31 09:15 73,728 a------- c:\windows\system32\javacpl.cpl
2009-01-29 16:38 <DIR> --dsh--- c:\documents and settings\owner\IETldCache
2009-01-29 16:32 <DIR> -cd-h--- c:\windows\ie8
2009-01-29 16:30 79,360 -c------ c:\windows\system32\dllcache\iecompat.dll

==================== Find3M ====================

2009-01-15 02:05 911,872 a------- c:\windows\system32\wininet.dll
2009-01-15 02:05 43,008 a------- c:\windows\system32\licmgr10.dll
2009-01-15 02:04 18,944 a------- c:\windows\system32\corpol.dll
2009-01-15 02:03 420,352 a------- c:\windows\system32\vbscript.dll
2009-01-15 02:03 72,704 a------- c:\windows\system32\admparse.dll
2009-01-15 02:03 71,680 a------- c:\windows\system32\iesetup.dll
2009-01-15 02:01 34,304 a------- c:\windows\system32\imgutil.dll
2009-01-15 02:00 48,128 a------- c:\windows\system32\mshtmler.dll
2009-01-15 02:00 45,568 a------- c:\windows\system32\mshta.exe
2009-01-15 01:50 156,160 a------- c:\windows\system32\msls31.dll
2007-08-03 20:48 530,617 ac------ c:\documents and settings\owner\mvPCinfo-1.50.exe
2005-07-06 00:33 51,955 ac--h--- c:\docume~1\owner\applic~1\ptads.bin
2005-09-24 22:49 426,149 ---sh--- c:\windows\speech\rvsrba.bak1
2005-09-25 23:52 425,750 ---sh--- c:\windows\speech\rvsrba.bak2
2005-12-16 22:22 389,345 a--sh--- c:\windows\system32\gjkmp.bak2
2007-07-04 20:51 1,841,120 a--sh--- c:\windows\system32\hjllm.bak2
2005-11-09 00:04 232,644 a--sh--- c:\windows\system32\mlnmp.bak2
2008-01-12 09:39 6,738 a--sh--- c:\windows\system32\ppqss.ini2
2006-04-21 23:23 710,183 a--sh--- c:\windows\system32\wvvwa.bak2
2008-05-10 20:20 32,768 a--sh--- c:\windows\system32\config\systemprofile\local settings\history\history.ie5\mshist012008051020080511\index.dat

============= FINISH: 21:29:50.70 ===============

Attached Files
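The DDS log above is the kind of thing a helper eyeballs for hiding and persistence indicators. As an added example (not code from this thread, from BleepingComputer, or from the DDS tool), here is a small Python triage script that applies a few of those checks to log lines: the `$sys$` name prefix, which is the hiding convention of the XCP copy-protection rootkit that the Avira scan later in this thread flags as RKIT/Rootkit.XCP; services or drivers whose image lives in a temp directory; browser add-ons registered with "No File"; and Trusted Zone entries that admit a whole domain rather than a single host. The sample lines are copied from the posted log; the rules and severity labels are my assumptions about what deserves a second look, not a verdict on any particular entry.

```python
"""Triage of DDS / HijackThis-style log lines for hiding and persistence indicators.

Added example, not part of the forum thread. Sample lines below are copied
from the posted DDS log; the rules and severities are the example author's
assumptions, not output of any tool discussed in the thread.
"""
import re

# Known fact: the XCP copy-protection rootkit hides any file, directory,
# registry key or process whose name begins with "$sys$". Anything carrying
# that prefix in a log is therefore worth flagging at the highest severity.
HIDDEN_PREFIX = "$sys$"

# Assumption: a kernel driver or service whose image lives under a temp
# directory is not a normally installed component.
TEMP_PATH = re.compile(r"\\(temp|tmp)\\", re.IGNORECASE)

# A Trusted Zone line with no backslash names a bare domain (DDS writes
# host entries as domain\host), i.e. the whole domain is trusted.
BROAD_ZONE = re.compile(r"^Trusted Zone:\s+([^\\\s]+)\s*$")

SERVICE_PREFIXES = ("R0 ", "R1 ", "R2 ", "R3 ", "S2 ", "S3 ")
ADDON_PREFIXES = ("BHO:", "TB:", "EB:")


def classify(line):
    """Return (severity, reason) for one log line, or None if nothing stands out."""
    line = line.strip()
    if not line:
        return None
    if HIDDEN_PREFIX in line.lower():
        return ("high", "name uses the $sys$ hiding prefix (XCP rootkit convention)")
    if line.startswith(SERVICE_PREFIXES) and TEMP_PATH.search(line):
        return ("high", "service/driver image loads from a temp directory")
    if line.startswith(ADDON_PREFIXES) and line.endswith("No File"):
        return ("low", "orphaned browser add-on registration (file missing)")
    m = BROAD_ZONE.match(line)
    if m:
        return ("medium", "entire domain placed in Trusted Zone: " + m.group(1))
    return None


def triage(log_text):
    """Classify every line; return (severity, lineno, reason, line) tuples, worst first."""
    order = {"high": 0, "medium": 1, "low": 2}
    findings = []
    for lineno, raw in enumerate(log_text.splitlines(), 1):
        hit = classify(raw)
        if hit:
            findings.append((hit[0], lineno, hit[1], raw.strip()))
    findings.sort(key=lambda f: (order[f[0]], f[1]))
    return findings


# Constructed sample: lines copied from the DDS log posted above.
SAMPLE_LOG = r"""
C:\WINDOWS\System32\$sys$filesystem\$sys$DRMServer.exe
C:\WINDOWS\CDProxyServ.exe
BHO: {02478D38-C3F9-4efb-9B51-7695ECA05670} - No File
BHO: Yahoo! IE Services Button: {5bab4b5b-68bc-4b02-94d6-2fc0de4a7897} - c:\program files\yahoo!\common\yiesrvc.dll
TB: {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - No File
Trusted Zone: ebay.com\signin
Trusted Zone: myspace.com
Trusted Zone: photobucket.com
R0 $sys$cor;$sys$cor;c:\windows\system32\drivers\$sys$cor.sys [2004-10-6 10368]
R3 W8100PCI;D-Link AirPlus G Wireless Driver;c:\windows\system32\drivers\MRV8K51.sys [2008-11-22 297984]
S3 pnicml;pnicml;\??\c:\docume~1\owner\locals~1\temp\pnicml.sys --> c:\docume~1\owner\locals~1\temp\pnicml.sys [?]
"""

if __name__ == "__main__":
    for severity, lineno, reason, text in triage(SAMPLE_LOG):
        print(f"[{severity:6}] line {lineno}: {reason}\n          {text}")
```

Run it as-is to see the seven flagged lines from the sample; pass a saved DDS or HijackThis log through `triage()` to apply the same rules to a real file. The rules are deliberately narrow: a hit means "look at this", and an absence of hits says nothing about entries the rules do not cover.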




#2 SifuMike (malware expert)

Posted 28 February 2009 - 06:42 PM

Hello diesellady80,

Sorry for the delay. We have many logs backed up.

I understand that you need help in order to get rid of the malware that is present on your system - But you need to help us first. :)

I notice that you never scanned with an Antivirus previously before starting this thread - because you don't even have an Antivirus installed :!:
This is somewhat suicidal in today's digital world. :thumbup2:
That's why I want you to install one first!!

Please install Avira Antivirus: http://www.free-av.com/
This is a free Antivirus :!:

Perform a full scan with Avira and let it delete everything it is finding.
Then reboot.
After reboot, open your Avira and select "reports".
There double click the report from the Full scan you have done.
Click the "Report File" button and copy and paste this report in your next reply together with a new HijackThis log.

Then we'll start from there, because it really makes no sense otherwise that we clean this up manually if an Antivirus is not present. It should be able to deal with most and prevent further reinfection.

Edited by SifuMike, 28 February 2009 - 06:50 PM.

If I've saved you time & money,
please make a donation so I can keep helping people just like you! You can donate using a credit card and PayPal. Thank you!




Asking for help via Private Message or Mail will be ignored - So If you need help, post your problem in the forum.

#3 diesellady80 (Topic Starter)

Posted 01 March 2009 - 10:55 PM

Great! Thank you so much. I installed and ran that AntiVirus protection. Here is the report, followed by a new HJT log:



Avira AntiVir Personal
Report file date: Sunday, March 01, 2009 21:51

Scanning for 1272232 virus strains and unwanted programs.

Licensed to: Avira AntiVir PersonalEdition Classic
Serial number: 0000149996-ADJIE-0001
Platform: Windows XP
Windows version: (Service Pack 3) [5.1.2600]
Boot mode: Normally booted
Username: SYSTEM
Computer name: ANNASHERMAN

Version information:
BUILD.DAT : 8.2.0.337 16934 Bytes 11/18/2008 13:05:00
AVSCAN.EXE : 8.1.4.10 315649 Bytes 11/18/2008 14:21:26
AVSCAN.DLL : 8.1.4.0 40705 Bytes 5/26/2008 13:56:40
LUKE.DLL : 8.1.4.5 164097 Bytes 6/12/2008 18:44:19
LUKERES.DLL : 8.1.4.0 12033 Bytes 5/26/2008 13:58:52
ANTIVIR0.VDF : 7.1.0.0 15603712 Bytes 10/27/2008 17:30:36
ANTIVIR1.VDF : 7.1.2.12 3336192 Bytes 2/11/2009 02:17:10
ANTIVIR2.VDF : 7.1.2.55 248832 Bytes 2/20/2009 02:17:12
ANTIVIR3.VDF : 7.1.2.98 201216 Bytes 3/1/2009 02:17:13
Engineversion : 8.2.0.98
AEVDF.DLL : 8.1.1.0 106868 Bytes 3/2/2009 02:17:23
AESCRIPT.DLL : 8.1.1.56 352634 Bytes 3/2/2009 02:17:22
AESCN.DLL : 8.1.1.7 127347 Bytes 3/2/2009 02:17:21
AERDL.DLL : 8.1.1.3 438645 Bytes 11/4/2008 19:58:38
AEPACK.DLL : 8.1.3.8 397684 Bytes 3/2/2009 02:17:20
AEOFFICE.DLL : 8.1.0.36 196987 Bytes 3/2/2009 02:17:19
AEHEUR.DLL : 8.1.0.100 1618295 Bytes 3/2/2009 02:17:19
AEHELP.DLL : 8.1.2.2 119158 Bytes 3/2/2009 02:17:16
AEGEN.DLL : 8.1.1.22 336245 Bytes 3/2/2009 02:17:14
AEEMU.DLL : 8.1.0.9 393588 Bytes 10/14/2008 16:05:56
AECORE.DLL : 8.1.6.6 176501 Bytes 3/2/2009 02:17:13
AEBB.DLL : 8.1.0.3 53618 Bytes 10/14/2008 16:05:56
AVWINLL.DLL : 1.0.0.12 15105 Bytes 7/9/2008 14:40:05
AVPREF.DLL : 8.0.2.0 38657 Bytes 5/16/2008 15:28:01
AVREP.DLL : 8.0.0.2 98344 Bytes 7/31/2008 18:02:15
AVREG.DLL : 8.0.0.1 33537 Bytes 5/9/2008 17:26:40
AVARKT.DLL : 1.0.0.23 307457 Bytes 2/12/2008 14:29:23
AVEVTLOG.DLL : 8.0.0.16 119041 Bytes 6/12/2008 18:27:49
SQLITE3.DLL : 3.3.17.1 339968 Bytes 1/22/2008 23:28:02
SMTPLIB.DLL : 1.2.0.23 28929 Bytes 6/12/2008 18:49:40
NETNT.DLL : 8.0.0.1 7937 Bytes 1/25/2008 18:05:10
RCIMAGE.DLL : 8.0.0.51 2371841 Bytes 6/12/2008 19:48:07
RCTEXT.DLL : 8.0.52.0 86273 Bytes 6/27/2008 19:34:37

Configuration settings for the scan:
Jobname..........................: Complete system scan
Configuration file...............: c:\program files\avira\antivir personaledition classic\sysscan.avp
Logging..........................: low
Primary action...................: interactive
Secondary action.................: ignore
Scan master boot sector..........: on
Scan boot sector.................: on
Boot sectors.....................: C:, D:,
Process scan.....................: on
Scan registry....................: on
Search for rootkits..............: off
Scan all files...................: Intelligent file selection
Scan archives....................: on
Recursion depth..................: 20
Smart extensions.................: on
Macro heuristic..................: on
File heuristic...................: medium

Start of the scan: Sunday, March 01, 2009 21:51

The scan of running processes will be started
Scan process 'avscan.exe' - '1' Module(s) have been scanned
Scan process 'avcenter.exe' - '1' Module(s) have been scanned
Scan process 'wmiprvse.exe' - '1' Module(s) have been scanned
Scan process 'wuauclt.exe' - '1' Module(s) have been scanned
Scan process 'AIRPLUS.exe' - '1' Module(s) have been scanned
Scan process 'avgnt.exe' - '1' Module(s) have been scanned
Scan process 'jusched.exe' - '1' Module(s) have been scanned
Scan process 'alg.exe' - '1' Module(s) have been scanned
Scan process 'svchost.exe' - '1' Module(s) have been scanned
Scan process 'jqs.exe' - '1' Module(s) have been scanned
Scan process 'GoogleUpdaterService.exe' - '1' Module(s) have been scanned
Scan process 'avguard.exe' - '1' Module(s) have been scanned
Scan process 'sched.exe' - '1' Module(s) have been scanned
Scan process 'spoolsv.exe' - '1' Module(s) have been scanned
Scan process 'explorer.exe' - '1' Module(s) have been scanned
Scan process 'svchost.exe' - '1' Module(s) have been scanned
Scan process 'svchost.exe' - '1' Module(s) have been scanned
Scan process 'svchost.exe' - '1' Module(s) have been scanned
Scan process 'svchost.exe' - '1' Module(s) have been scanned
Scan process 'svchost.exe' - '1' Module(s) have been scanned
Scan process 'lsass.exe' - '1' Module(s) have been scanned
Scan process 'services.exe' - '1' Module(s) have been scanned
Scan process 'winlogon.exe' - '1' Module(s) have been scanned
Scan process 'csrss.exe' - '1' Module(s) have been scanned
Scan process 'smss.exe' - '1' Module(s) have been scanned
25 processes with 25 modules were scanned

Starting master boot sector scan:
Master boot sector HD0
[INFO] No virus was found!

Start scanning boot sectors:
Boot sector 'C:\'
[INFO] No virus was found!
Boot sector 'D:\'
[INFO] No virus was found!

Starting to scan the registry.
The registry was scanned ( '65' files ).


Starting the file scan:

Begin scan in 'C:\' <HP_PAVILION>
C:\pagefile.sys
[WARNING] The file could not be opened!
C:\Documents and Settings\All Users\Application Data\AOL Downloads\triton_suite_install_2.0.7.1\SLinst.exe
[0] Archive type: NSIS
--> aboutAOL.js
[WARNING] No further files can be extracted from this archive. The archive will be closed
C:\Documents and Settings\Owner\.limewire\.NetworkShare\Incomplete\T-3378696-LimeWireWin4.14.1.exe
[0] Archive type: NSIS
--> [ProgramFilesDir]/LimeWire/SystemUtilities.dll
[WARNING] No further files can be extracted from this archive. The archive will be closed
C:\System Volume Information\_restore{70304573-AB33-4072-AA96-4495C42D15E3}\RP1637\A0365639.exe
[0] Archive type: RSRC
--> Object
[DETECTION] Is the TR/Vundo.Gen Trojan
[NOTE] The file was deleted!
C:\System Volume Information\_restore{70304573-AB33-4072-AA96-4495C42D15E3}\RP1637\A0365640.exe
[0] Archive type: RSRC
--> Object
[DETECTION] Is the TR/Vundo.Gen Trojan
[NOTE] The file was deleted!
C:\System Volume Information\_restore{70304573-AB33-4072-AA96-4495C42D15E3}\RP1637\A0365641.exe
[0] Archive type: RSRC
--> Object
[DETECTION] Is the TR/Vundo.Gen Trojan
[NOTE] The file was deleted!
C:\System Volume Information\_restore{70304573-AB33-4072-AA96-4495C42D15E3}\RP1637\A0365642.exe
[0] Archive type: RSRC
--> Object
[DETECTION] Is the TR/Vundo.Gen Trojan
[NOTE] The file was deleted!
C:\System Volume Information\_restore{70304573-AB33-4072-AA96-4495C42D15E3}\RP1637\A0365643.exe
[0] Archive type: RSRC
--> Object
[DETECTION] Is the TR/Vundo.Gen Trojan
[NOTE] The file was deleted!
C:\System Volume Information\_restore{70304573-AB33-4072-AA96-4495C42D15E3}\RP1637\A0365644.exe
[0] Archive type: RSRC
--> Object
[DETECTION] Is the TR/Vundo.Gen Trojan
[NOTE] The file was deleted!
C:\System Volume Information\_restore{70304573-AB33-4072-AA96-4495C42D15E3}\RP1637\A0365645.exe
[0] Archive type: RSRC
--> Object
[DETECTION] Is the TR/Vundo.Gen Trojan
[NOTE] The file was deleted!
C:\System Volume Information\_restore{70304573-AB33-4072-AA96-4495C42D15E3}\RP1637\A0365646.exe
[0] Archive type: RSRC
--> Object
[DETECTION] Is the TR/Vundo.Gen Trojan
[NOTE] The file was deleted!
C:\System Volume Information\_restore{70304573-AB33-4072-AA96-4495C42D15E3}\RP1641\A0370658.exe
[DETECTION] Contains recognition pattern of the RKIT/Rootkit.XCP.5 root kit
[NOTE] The file was deleted!
C:\System Volume Information\_restore{70304573-AB33-4072-AA96-4495C42D15E3}\RP1641\A0371658.sys
[DETECTION] Contains recognition pattern of the RKIT/Rootkit.XCP.6 root kit
[NOTE] The file was deleted!
C:\VundoFix Backups\ssqpp.dll.bad
[DETECTION] Is the TR/Vundo.Gen Trojan
[NOTE] The file was deleted!
C:\WINDOWS\system32\$sys$caj.dll
[DETECTION] Contains recognition pattern of the RKIT/Rootkit.XCP.2 root kit
[NOTE] The file was deleted!
C:\WINDOWS\system32\$sys$upgtool.exe
[DETECTION] Contains recognition pattern of the RKIT/Rootkit.XCP.3 root kit
[NOTE] The file was deleted!
C:\WINDOWS\system32\$sys$filesystem\lim.sys
[DETECTION] Contains recognition pattern of the RKIT/Rootkit.XCP.B.4 root kit
[NOTE] The file was deleted!
C:\WINDOWS\system32\$sys$filesystem\oct.sys
[DETECTION] Contains recognition pattern of the RKIT/Rootkit.XCP.7 root kit
[NOTE] The file was deleted!
C:\WINDOWS\system32\drivers\$sys$cor.sys
[DETECTION] Contains recognition pattern of the RKIT/Rootkit.XCP.8 root kit
[NOTE] RKIT/Rootkit.XCP.8:[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\$sys$cor]:<ImagePath>=sz:$sys$cor.sys
[NOTE] The file was deleted!
Begin scan in 'D:\' <HP_RECOVERY>


End of the scan: Sunday, March 01, 2009 22:46
Used time: 54:50 Minute(s)

The scan has been done completely.

7052 Scanning directories
414978 Files were scanned
16 viruses and/or unwanted programs were found
0 Files were classified as suspicious:
16 files were deleted
0 files were repaired
0 files were moved to quarantine
0 files were renamed
1 Files cannot be scanned
414961 Files not concerned
13197 Archives were scanned
3 Warnings
16 Notes

And the HJT log:


Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 10:54:38 PM, on 3/1/2009
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v8.00 (8.00.6001.18372)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Avira\AntiVir PersonalEdition Classic\sched.exe
C:\Program Files\Avira\AntiVir PersonalEdition Classic\avguard.exe
C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\Program Files\Avira\AntiVir PersonalEdition Classic\avgnt.exe
C:\Program Files\D-Link AirPlus G\AirPlus.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = localhost
O2 - BHO: (no name) - {02478D38-C3F9-4efb-9B51-7695ECA05670} - (no file)
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {2B17736A-6F33-4228-840B-453077019E4F} - (no file)
O2 - BHO: Yahoo! IE Services Button - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O2 - BHO: Java™ Plug-In SSV Helper - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre6\bin\ssv.dll
O2 - BHO: {d8609f5e-61e4-ce2a-8134-26ef00e5e43a} - {a34e5e00-fe62-4318-a2ec-4e16e5f9068d} - (no file)
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\4.1.805.4472\swg.dll
O2 - BHO: Java™ Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: FlashFXP Helper for Internet Explorer - {E5A1691B-D188-4419-AD02-90002030B8EE} - C:\PROGRA~1\FlashFXP\IEFlash.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O4 - HKLM\..\Run: [UserFaultCheck] %systemroot%\system32\dumprep 0 -u
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"
O4 - HKLM\..\Run: [avgnt] "C:\Program Files\Avira\AntiVir PersonalEdition Classic\avgnt.exe" /min
O4 - Global Startup: D-Link AirPlus G Configuration Utility.lnk = ?
O8 - Extra context menu item: &AOL Toolbar search - res://C:\Program Files\AOL Toolbar\toolbar.dll/SEARCH.HTML
O8 - Extra context menu item: &Yahoo! Search - file:///C:\Program Files\Yahoo!\Common/ycsrch.htm
O8 - Extra context menu item: Add To HP Organize... - C:\PROGRA~1\HEWLET~1\HPORGA~1\bin\core.hp.main\SendTo.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MI1933~1\Office12\EXCEL.EXE/3000
O8 - Extra context menu item: Easy-WebPrint Add To Print List - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_AddToList.html
O8 - Extra context menu item: Easy-WebPrint High Speed Print - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_HSPrint.html
O8 - Extra context menu item: Easy-WebPrint Preview - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_Preview.html
O8 - Extra context menu item: Easy-WebPrint Print - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_Print.html
O8 - Extra context menu item: Yahoo! &Dictionary - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
O8 - Extra context menu item: Yahoo! &Maps - file:///C:\Program Files\Yahoo!\Common/ycmap.htm
O8 - Extra context menu item: Yahoo! &SMS - file:///C:\Program Files\Yahoo!\Common/ycsms.htm
O9 - Extra button: Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MI1933~1\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O15 - Trusted Zone: http://buy.ebay.com
O15 - Trusted Zone: http://cgi.ebay.com
O15 - Trusted Zone: cgi5.ebay.com
O15 - Trusted Zone: http://contact.ebay.com
O15 - Trusted Zone: http://feedback.ebay.com
O15 - Trusted Zone: http://my.ebay.com
O15 - Trusted Zone: http://offer.ebay.com
O15 - Trusted Zone: http://payments.ebay.com
O15 - Trusted Zone: http://search.ebay.com
O15 - Trusted Zone: sell.ebay.com
O15 - Trusted Zone: http://signin.ebay.com
O15 - Trusted Zone: http://deeb.opt.fimserve.com
O15 - Trusted Zone: http://delb.opt.fimserve.com
O15 - Trusted Zone: http://demr.opt.fimserve.com
O15 - Trusted Zone: http://desb.opt.fimserve.com
O15 - Trusted Zone: http://demr.opt.fmrsrve.com
O15 - Trusted Zone: http://www.fusker.lewww.com
O15 - Trusted Zone: http://www.msplinks.com
O15 - Trusted Zone: blog.myspace.com
O15 - Trusted Zone: BRowseusers.myspace.com
O15 - Trusted Zone: bulletin.myspace.com
O15 - Trusted Zone: collect.myspace.com
O15 - Trusted Zone: comment.myspace.com
O15 - Trusted Zone: comments.myspace.com
O15 - Trusted Zone: http://demr.myspace.com
O15 - Trusted Zone: editprofile.myspace.com
O15 - Trusted Zone: http://home.myspace.com
O15 - Trusted Zone: home8.myspace.com
O15 - Trusted Zone: login.myspace.com
O15 - Trusted Zone: http://login2.myspace.com
O15 - Trusted Zone: mail.myspace.com
O15 - Trusted Zone: messaging.myspace.com
O15 - Trusted Zone: photo.myspace.com
O15 - Trusted Zone: profile.myspace.com
O15 - Trusted Zone: http://profileedit.myspace.com
O15 - Trusted Zone: search.myspace.com
O15 - Trusted Zone: viewmorepics.myspace.com
O15 - Trusted Zone: www.myspace.com
O15 - Trusted Zone: http://*.myspace.com
O15 - Trusted Zone: www.photobucket.com
O15 - Trusted Zone: http://*.photobucket.com
O16 - DPF: {02A2D714-433E-46E4-B217-7C3B3FAF8EAE} (ScrabbleCubes Control) - http://www.worldwinner.com/games/v46/scrab...rabblecubes.cab
O16 - DPF: {1A1F56AA-3401-46F9-B277-D57F3421F821} (FunGamesLoader Object) - http://www.worldwinner.com/games/v46/share...GamesLoader.cab
O16 - DPF: {238F6F83-B8B4-11CF-8771-00A024541EE3} (Citrix ICA Client) - http://a516.g.akamai.net/f/516/25175/7d/ru...cat-no-eula.cab
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - C:\Program Files\Yahoo!\Common\yinsthelper.dll
O16 - DPF: {33E54F7F-561C-49E6-929B-D7E76D3AFEB1} (Pool Control) - http://www.worldwinner.com/games/v50/pool/pool.cab
O16 - DPF: {406B5949-7190-4245-91A9-30A17DE16AD0} (Snapfish Activia) - http://photo2.walgreens.com/WalgreensActivia.cab
O16 - DPF: {48DD0448-9209-4F81-9F6D-D83562940134} (MySpace Uploader Control) - http://lads.myspace.com/upload/MySpaceUploader1005.cab
O16 - DPF: {62969CF2-0F7A-433B-A221-FD8818C06C2F} (Blockwerx Control) - http://www.worldwinner.com/games/v49/blockwerx/blockwerx.cab
O16 - DPF: {6C6FE41A-0DA6-42A1-9AD8-792026B2B2A7} (FreeCell Control) - http://www.worldwinner.com/games/v41/freecell/freecell.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdat...b?1178583255171
O16 - DPF: {8A94C905-FF9D-43B6-8708-F0F22D22B1CB} (Wwlaunch Control) - http://www.worldwinner.com/games/shared/wwlaunch.cab
O16 - DPF: {94299420-321F-4FF9-A247-62A23EBB640B} (WordMojo Control) - http://www.worldwinner.com/games/v46/wordmojo/wordmojo.cab
O16 - DPF: {97438FE9-D361-4279-BA82-98CC0877A717} (Cubis Control) - http://www.worldwinner.com/games/v57/cubis/cubis.cab
O16 - DPF: {AC2881FD-5760-46DB-83AE-20A5C6432A7E} (SwapIt Control) - http://www.worldwinner.com/games/v67/swapit/swapit.cab
O16 - DPF: {B06CE1BC-5D9D-4676-BD28-1752DBF394E0} (Hangman Control) - http://www.worldwinner.com/games/v41/hangman/hangman.cab
O16 - DPF: {C93C1C34-CEA9-49B1-9046-040F59E0E0D8} (Paint Control) - http://www.worldwinner.com/games/v43/paint/paint.cab
O16 - DPF: {D0C0F75C-683A-4390-A791-1ACFD5599AB8} (Oberon Flash Game Host) - http://games.myspace.com/Gameshell/GameHos...ronGameHost.cab
O16 - DPF: {F137B9BA-89EA-4B04-9C67-2074A9DF61FD} (Photo Upload Plugin Class) - http://cvs.pnimedia.com/upload/activex/v2_...upv2.0.0.11.cab?
O20 - AppInit_DLLs:
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O23 - Service: Plug and Play Device Manager ($sys$DRMServer) - Unknown owner - (no file)
O23 - Service: Avira AntiVir Personal - Free Antivirus Scheduler (AntiVirScheduler) - Avira GmbH - C:\Program Files\Avira\AntiVir PersonalEdition Classic\sched.exe
O23 - Service: Avira AntiVir Personal - Free Antivirus Guard (AntiVirService) - Avira GmbH - C:\Program Files\Avira\AntiVir PersonalEdition Classic\avguard.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O24 - Desktop Component 0: (no name) - http://rds.yahoo.com/S=96062883/K=shooting...her_gun_006.jpg
O24 - Desktop Component 1: (no name) - http://photobucket.com/albums/b200/diesell...th_7263a0b5.gif

--
End of file - 10952 bytes

#4 SifuMike

SifuMike

    malware expert


  • Members
  • 15,385 posts
  • OFFLINE
  • Gender:Male
  • Location:Vancouver (not BC) WA (Not DC) USA
  • Local time:04:51 AM

Posted 01 March 2009 - 11:02 PM

Hi diesellady80,

Looks like you have a nasty Vundo and rootkit infection on this computer. :thumbup2:


Please run Malwarebytes' Anti-Malware
Once the program has loaded, update it, select "Perform Full Scan", then click Scan.
The scan may take some time to finish, so please be patient.
When the scan is complete, click OK, then Show Results to view the results.
Make sure that everything is checked, and click Remove Selected.
When disinfection is completed, a log will open in Notepad and you may be prompted to Restart. (See Extra Note)
The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.

Copy and Paste the entire Malwarebytes' Anti-Malware report in your next reply along with a fresh HijackThis log.

Extra Note:
If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts. Click OK to either and let MBAM proceed with the disinfection process. If asked to restart the computer, please do so immediately.

If you encounter this message: "c:\program files\malwarebytes' Anti-Malware\mbamext.dll Unable to register the dll/ocx: RegSvr32 failed with exit code 0x5", click on Ignore mbamext.dll.

Edited by SifuMike, 01 March 2009 - 11:16 PM.
typo

If I've saved you time & money,
please make a donation so I can keep helping people just like you! You can donate using a credit card and PayPal. Thank you!




Asking for help via Private Message or Mail will be ignored - So If you need help, post your problem in the forum.

#5 diesellady80

diesellady80
  • Topic Starter

  • Members
  • 38 posts
  • OFFLINE
  • Gender:Female
  • Location:The Shucks Empire
  • Local time:06:51 AM

Posted 04 March 2009 - 02:30 PM

Hi! Ok, it said it didn't find anything, but here's the log for MBAM, followed by a fresh HJT log. Thank you a million times for all your help. I heart you.



Malwarebytes' Anti-Malware 1.34
Database version: 1815
Windows 5.1.2600 Service Pack 3

3/4/2009 2:25:56 PM
mbam-log-2009-03-04 (14-25-56).txt

Scan type: Full Scan (A:\|C:\|D:\|)
Objects scanned: 152629
Time elapsed: 12 hour(s), 17 minute(s), 56 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 2:29:23 PM, on 3/4/2009
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v8.00 (8.00.6001.18372)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Avira\AntiVir PersonalEdition Classic\sched.exe
C:\Program Files\Avira\AntiVir PersonalEdition Classic\avguard.exe
C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\Program Files\Avira\AntiVir PersonalEdition Classic\avgnt.exe
C:\Program Files\D-Link AirPlus G\AirPlus.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = localhost
O2 - BHO: (no name) - {02478D38-C3F9-4efb-9B51-7695ECA05670} - (no file)
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {2B17736A-6F33-4228-840B-453077019E4F} - (no file)
O2 - BHO: Yahoo! IE Services Button - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O2 - BHO: Java™ Plug-In SSV Helper - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre6\bin\ssv.dll
O2 - BHO: {d8609f5e-61e4-ce2a-8134-26ef00e5e43a} - {a34e5e00-fe62-4318-a2ec-4e16e5f9068d} - (no file)
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\4.1.805.4472\swg.dll
O2 - BHO: Java™ Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: FlashFXP Helper for Internet Explorer - {E5A1691B-D188-4419-AD02-90002030B8EE} - C:\PROGRA~1\FlashFXP\IEFlash.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O4 - HKLM\..\Run: [UserFaultCheck] %systemroot%\system32\dumprep 0 -u
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"
O4 - HKLM\..\Run: [avgnt] "C:\Program Files\Avira\AntiVir PersonalEdition Classic\avgnt.exe" /min
O4 - Global Startup: D-Link AirPlus G Configuration Utility.lnk = ?
O8 - Extra context menu item: &AOL Toolbar search - res://C:\Program Files\AOL Toolbar\toolbar.dll/SEARCH.HTML
O8 - Extra context menu item: &Yahoo! Search - file:///C:\Program Files\Yahoo!\Common/ycsrch.htm
O8 - Extra context menu item: Add To HP Organize... - C:\PROGRA~1\HEWLET~1\HPORGA~1\bin\core.hp.main\SendTo.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MI1933~1\Office12\EXCEL.EXE/3000
O8 - Extra context menu item: Easy-WebPrint Add To Print List - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_AddToList.html
O8 - Extra context menu item: Easy-WebPrint High Speed Print - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_HSPrint.html
O8 - Extra context menu item: Easy-WebPrint Preview - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_Preview.html
O8 - Extra context menu item: Easy-WebPrint Print - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_Print.html
O8 - Extra context menu item: Yahoo! &Dictionary - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
O8 - Extra context menu item: Yahoo! &Maps - file:///C:\Program Files\Yahoo!\Common/ycmap.htm
O8 - Extra context menu item: Yahoo! &SMS - file:///C:\Program Files\Yahoo!\Common/ycsms.htm
O9 - Extra button: Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MI1933~1\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O15 - Trusted Zone: http://buy.ebay.com
O15 - Trusted Zone: http://cgi.ebay.com
O15 - Trusted Zone: cgi5.ebay.com
O15 - Trusted Zone: http://contact.ebay.com
O15 - Trusted Zone: http://feedback.ebay.com
O15 - Trusted Zone: http://my.ebay.com
O15 - Trusted Zone: http://offer.ebay.com
O15 - Trusted Zone: http://payments.ebay.com
O15 - Trusted Zone: http://search.ebay.com
O15 - Trusted Zone: sell.ebay.com
O15 - Trusted Zone: http://signin.ebay.com
O15 - Trusted Zone: http://deeb.opt.fimserve.com
O15 - Trusted Zone: http://delb.opt.fimserve.com
O15 - Trusted Zone: http://demr.opt.fimserve.com
O15 - Trusted Zone: http://desb.opt.fimserve.com
O15 - Trusted Zone: http://demr.opt.fmrsrve.com
O15 - Trusted Zone: http://www.fusker.lewww.com
O15 - Trusted Zone: http://www.msplinks.com
O15 - Trusted Zone: blog.myspace.com
O15 - Trusted Zone: BRowseusers.myspace.com
O15 - Trusted Zone: bulletin.myspace.com
O15 - Trusted Zone: collect.myspace.com
O15 - Trusted Zone: comment.myspace.com
O15 - Trusted Zone: comments.myspace.com
O15 - Trusted Zone: http://demr.myspace.com
O15 - Trusted Zone: editprofile.myspace.com
O15 - Trusted Zone: http://home.myspace.com
O15 - Trusted Zone: home8.myspace.com
O15 - Trusted Zone: login.myspace.com
O15 - Trusted Zone: http://login2.myspace.com
O15 - Trusted Zone: mail.myspace.com
O15 - Trusted Zone: messaging.myspace.com
O15 - Trusted Zone: photo.myspace.com
O15 - Trusted Zone: profile.myspace.com
O15 - Trusted Zone: http://profileedit.myspace.com
O15 - Trusted Zone: search.myspace.com
O15 - Trusted Zone: viewmorepics.myspace.com
O15 - Trusted Zone: www.myspace.com
O15 - Trusted Zone: http://*.myspace.com
O15 - Trusted Zone: www.photobucket.com
O15 - Trusted Zone: http://*.photobucket.com
O16 - DPF: {02A2D714-433E-46E4-B217-7C3B3FAF8EAE} (ScrabbleCubes Control) - http://www.worldwinner.com/games/v46/scrab...rabblecubes.cab
O16 - DPF: {1A1F56AA-3401-46F9-B277-D57F3421F821} (FunGamesLoader Object) - http://www.worldwinner.com/games/v46/share...GamesLoader.cab
O16 - DPF: {238F6F83-B8B4-11CF-8771-00A024541EE3} (Citrix ICA Client) - http://a516.g.akamai.net/f/516/25175/7d/ru...cat-no-eula.cab
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - C:\Program Files\Yahoo!\Common\yinsthelper.dll
O16 - DPF: {33E54F7F-561C-49E6-929B-D7E76D3AFEB1} (Pool Control) - http://www.worldwinner.com/games/v50/pool/pool.cab
O16 - DPF: {406B5949-7190-4245-91A9-30A17DE16AD0} (Snapfish Activia) - http://photo2.walgreens.com/WalgreensActivia.cab
O16 - DPF: {48DD0448-9209-4F81-9F6D-D83562940134} (MySpace Uploader Control) - http://lads.myspace.com/upload/MySpaceUploader1005.cab
O16 - DPF: {62969CF2-0F7A-433B-A221-FD8818C06C2F} (Blockwerx Control) - http://www.worldwinner.com/games/v49/blockwerx/blockwerx.cab
O16 - DPF: {6C6FE41A-0DA6-42A1-9AD8-792026B2B2A7} (FreeCell Control) - http://www.worldwinner.com/games/v41/freecell/freecell.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdat...b?1178583255171
O16 - DPF: {8A94C905-FF9D-43B6-8708-F0F22D22B1CB} (Wwlaunch Control) - http://www.worldwinner.com/games/shared/wwlaunch.cab
O16 - DPF: {94299420-321F-4FF9-A247-62A23EBB640B} (WordMojo Control) - http://www.worldwinner.com/games/v46/wordmojo/wordmojo.cab
O16 - DPF: {97438FE9-D361-4279-BA82-98CC0877A717} (Cubis Control) - http://www.worldwinner.com/games/v57/cubis/cubis.cab
O16 - DPF: {AC2881FD-5760-46DB-83AE-20A5C6432A7E} (SwapIt Control) - http://www.worldwinner.com/games/v67/swapit/swapit.cab
O16 - DPF: {B06CE1BC-5D9D-4676-BD28-1752DBF394E0} (Hangman Control) - http://www.worldwinner.com/games/v41/hangman/hangman.cab
O16 - DPF: {C93C1C34-CEA9-49B1-9046-040F59E0E0D8} (Paint Control) - http://www.worldwinner.com/games/v43/paint/paint.cab
O16 - DPF: {D0C0F75C-683A-4390-A791-1ACFD5599AB8} (Oberon Flash Game Host) - http://games.myspace.com/Gameshell/GameHos...ronGameHost.cab
O16 - DPF: {F137B9BA-89EA-4B04-9C67-2074A9DF61FD} (Photo Upload Plugin Class) - http://cvs.pnimedia.com/upload/activex/v2_...upv2.0.0.11.cab?
O20 - AppInit_DLLs:
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O23 - Service: Plug and Play Device Manager ($sys$DRMServer) - Unknown owner - (no file)
O23 - Service: Avira AntiVir Personal - Free Antivirus Scheduler (AntiVirScheduler) - Avira GmbH - C:\Program Files\Avira\AntiVir PersonalEdition Classic\sched.exe
O23 - Service: Avira AntiVir Personal - Free Antivirus Guard (AntiVirService) - Avira GmbH - C:\Program Files\Avira\AntiVir PersonalEdition Classic\avguard.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O24 - Desktop Component 0: (no name) - http://rds.yahoo.com/S=96062883/K=shooting...her_gun_006.jpg
O24 - Desktop Component 1: (no name) - http://photobucket.com/albums/b200/diesell...th_7263a0b5.gif

--
End of file - 10918 bytes
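The HJT log just posted is what a helper reads by eye. As an added example (not part of this thread and not HijackThis' own code), the Python below parses the O2/O15/O20/O23 line formats that appear in that log and applies the checks a helper makes while reading it: orphaned "(no file)" entries, the `$sys$` cloaking prefix, BHOs whose display name is itself a CLSID, look-alike Trusted Zone domains and services with no publisher. The sample lines are copied from the log above; the look-alike edit-distance threshold is an assumption of this example.

```python
"""Triage of HijackThis (HJT) log lines.

Added example, not part of the original thread and not HijackThis' own code:
a parser for the O2/O15/O20/O23 line formats seen in the log above, plus the
defender-side checks a helper applies while reading such a log.
SAMPLE_LINES are copied from the log posted on this page.
"""
import re
from dataclasses import dataclass

CLSID_RE = re.compile(r"^\{[0-9A-Fa-f]{8}(-[0-9A-Fa-f]{4}){3}-[0-9A-Fa-f]{12}\}$")
O2_RE = re.compile(r"^O2 - BHO: (?P<name>.*?) - (?P<clsid>\{[0-9A-Fa-f-]{36}\}) - (?P<path>.*)$")
O15_RE = re.compile(r"^O15 - Trusted Zone: (?P<host>\S+)$")
O20_RE = re.compile(r"^O20 - Winlogon Notify: (?P<name>.*?) - (?P<path>.*)$")
# Display names may themselves contain " - " (e.g. Avira's), so the service
# short name in parentheses is used as the anchor for the remaining fields.
O23_RE = re.compile(r"^O23 - Service: (?P<display>.*) \((?P<short>[^()]+)\) - (?P<owner>.*?) - (?P<path>.*)$")

SAMPLE_LINES = [
    r"O2 - BHO: (no name) - {02478D38-C3F9-4efb-9B51-7695ECA05670} - (no file)",
    r"O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll",
    r"O2 - BHO: {d8609f5e-61e4-ce2a-8134-26ef00e5e43a} - {a34e5e00-fe62-4318-a2ec-4e16e5f9068d} - (no file)",
    r"O15 - Trusted Zone: http://demr.opt.fimserve.com",
    r"O15 - Trusted Zone: http://demr.opt.fmrsrve.com",
    r"O15 - Trusted Zone: http://*.myspace.com",
    r"O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll",
    r"O23 - Service: Plug and Play Device Manager ($sys$DRMServer) - Unknown owner - (no file)",
    r"O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe",
]


@dataclass
class Finding:
    line: str
    level: str  # "info", "review" or "high"
    reason: str


def registrable_domain(host: str) -> str:
    """Strip scheme and wildcard, keep the last two labels (coarse eTLD+1)."""
    host = re.sub(r"^[a-z]+://", "", host.lower()).lstrip("*.")
    return ".".join(host.split(".")[-2:])


def levenshtein(a: str, b: str) -> int:
    """Plain edit distance; used to surface look-alike domains for manual review."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def triage(lines):
    findings = []
    trusted = []  # registrable domains already seen in O15 lines
    for line in lines:
        line = line.strip()
        if "$sys$" in line:
            # "$sys$" is the cloaking prefix of the XCP copy-protection rootkit:
            # its driver hides every file, key and process whose name starts with
            # it. A service so named with "(no file)" means the hidden driver is
            # gone but its registration survived and should be cleaned up.
            findings.append(Finding(line, "high", "$sys$ cloaking prefix (XCP-style rootkit remnant)"))
        if "(no file)" in line:
            findings.append(Finding(line, "info", "orphaned entry: registered object's file is missing"))
        m = O2_RE.match(line)
        if m and CLSID_RE.match(m["name"]):
            findings.append(Finding(line, "review", "BHO whose display name is itself a CLSID (randomised adware pattern)"))
        m = O15_RE.match(line)
        if m:
            dom = registrable_domain(m["host"])
            findings.append(Finding(line, "info", f"Trusted Zone lowers IE security for {dom}"))
            for seen in trusted:
                # Threshold of 3 edits on the label is an assumption of this example.
                d = levenshtein(dom.rsplit(".", 1)[0], seen.rsplit(".", 1)[0])
                if 0 < d <= 3:
                    findings.append(Finding(line, "review", f"{dom} is a near-duplicate of trusted {seen}"))
            trusted.append(dom)
        m = O20_RE.match(line)
        if m:
            findings.append(Finding(line, "review", f"Winlogon Notify DLL {m['path']} loads into winlogon.exe; verify publisher"))
        m = O23_RE.match(line)
        if m and m["owner"] == "Unknown owner":
            findings.append(Finding(line, "review", f"service {m['short']} has no publisher information"))
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_LINES):
        print(f"[{f.level:6}] {f.reason}\n         {f.line}")
```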

#6 SifuMike

SifuMike

    malware expert


  • Members
  • 15,385 posts
  • OFFLINE
  • Gender:Male
  • Location:Vancouver (not BC) WA (Not DC) USA
  • Local time:04:51 AM

Posted 04 March 2009 - 02:58 PM

Hi diesellady80,

Looks like you ran Malwarebytes and SUPERAntiSpyware previously and it removed most of the Vundo infection. That's the reason it did not find anything this time you ran it.
But you are still infected.


Have you been playing with Registry Cleaners? :thumbup2: Because I know Registry Cleaners can break Windows! :)


The following is referring to Free Window Registry Repair and RegistryPatrol3.0.
Please be aware that bleepingcomputer staff do not recommend the usage of registry cleaners / tools due to the following facts:
  • Registry tools can cause irreparable damage to your Operating System
  • Registry tools can, as a result of the above, render your PC inoperable.
I recommend you uninstall them, unless you are a registry guru.

Read this:
Should I Use a Registry Cleaner?


Mark Russinovich wrote:

No, even if the registry was massively bloated there would be little impact on the performance of anything other than exhaustive searches (ed. of the registry itself).

On Win2K Terminal Server systems, however, there is a limit on the total amount of Registry data that can be loaded and so large profile hives can limit the number of users that can be logged on simultaneously.

I haven't and never will implement a Registry cleaner since it's of little practical use on anything other than Win2K terminal servers and developing one that's both safe and effective requires a huge amount of application-specific knowledge.




We will run ComboFix.

You should NOT use Combofix unless you have been instructed to do so by a Malware Removal Expert.
It is intended by its creator to be used under the guidance and supervision of a Malware Removal Expert, not for private use.

Using this tool incorrectly could lead to disastrous problems with your operating system such as preventing it from ever starting again.
Please read Combofix's Disclaimer.
Further, ComboFix logs are not permitted outside the HijackThis forums and then only when requested by a HJT Team member.

You need to disable your Avira AntiVir Antivirus before running ComboFix, as it will prevent it from running.

Note: If you already have a copy of ComboFix on your system it is essential that you delete it before downloading this copy.

Please visit this webpage for instructions for downloading and running ComboFix:
http://www.bleepingcomputer.com/combofix/how-to-use-combofix

To work properly, you must install ComboFix on the Desktop.

When following the instructions install the Windows XP Recovery Console if you are using XP. <== IMPORTANT
It is a simple procedure that will only take a few moments of your time. It is our safety net.


You DO NOT need to have the Windows CD to install Recovery Console!

Once installed, you should see a blue screen prompt that says:

The Recovery Console was successfully installed.


We need Recovery Console because malware damages a lot and causes an unstable system - and because of that, it may happen that your computer won't be able to boot anymore. With the Recovery Console installed, there are extra options present to repair whatever malware damaged.
Also, even though you're not infected, the presence of the Recovery Console is a useful feature in case a computer won't boot anymore because of several other reasons. Read here what you can do with the Recovery Console.

Extra note: After you have installed the Recovery Console - if you reboot your computer, right after reboot, you'll see the option for the Recovery Console now as well.
Don't select to run the Recovery Console as we don't need it.
By default, your main OS is selected there. The screen stays for 2 seconds and then it proceeds to load Windows.

A caution -
Have no other programs running. Your Task Bar should be clear of any program entries including your Browser.
Do not run Combofix more than once.
Do not touch your mouse/keyboard until the scan has completed, as this may cause the process to stall or your computer to lock. The scan will temporarily disable your desktop, and if interrupted may leave your desktop disabled. If this occurs, please reboot to restore the desktop. Even when ComboFix appears to be doing nothing, look at your Drive light. If it is flashing, Combofix is still at work.

Post the ComboFix log.

Edited by SifuMike, 04 March 2009 - 02:58 PM.


#7 diesellady80

diesellady80
  • Topic Starter

  • Members
  • 38 posts
  • OFFLINE
  • Gender:Female
  • Location:The Shucks Empire
  • Local time:06:51 AM

Posted 04 March 2009 - 08:24 PM

Ok, I read and printed out the instructions for combofix, and it did its thing. It never asked me anything about a recovery console though. Combofix rebooted the computer at the end, then finished up. During this time, the Avira Antivir became activated again, so I opened the panel and quickly deactivated it. I hope I didn't mess anything up there, in doing that. :thumbup2:
Here is the combofix log:

ComboFix 09-03-03.01 - Owner 2009-03-04 20:01:58.1 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.247.77 [GMT -5:00]
Running from: c:\documents and settings\Owner\Desktop\ComboFix.exe
AV: Avira AntiVir PersonalEdition *On-access scanning disabled* (Updated)
* Created a new restore point
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\documents and settings\Owner\Application Data\ptads.bin
c:\documents and settings\Owner\My Documents\PPATCH~1
C:\lswmv.ini
c:\program files\Common Files\uninstall information
c:\program files\dns
c:\program files\dns\affid.dat
c:\program files\dns\uid.dat
c:\program files\dns\version.txt
c:\temp\0b9
c:\temp\0b9\tmpTF.log
c:\temp\1cb
c:\temp\1cb\syscheck.log
c:\temp\fCOe
c:\temp\fCOe\tOasF.log
c:\temp\iee
c:\temp\iee\tmpZTF.log
c:\windows\cdmxtras
c:\windows\dobe~1
c:\windows\patch.exe
c:\windows\system32\gjkmp.bak2
c:\windows\system32\gjkmp.tmp
c:\windows\system32\hjllm.bak2
c:\windows\system32\mlnmp.bak2
c:\windows\system32\mlnmp.ini
c:\windows\system32\o02PrEz
c:\windows\system32\ppqss.ini2
c:\windows\system32\tmp.reg
c:\windows\system32\wvvwa.bak2
c:\windows\system32\ygtfgedu.ini
D:\Autorun.inf

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Legacy_$SYS$ARIES
-------\Legacy_$SYS$DRMSERVER
-------\Legacy_CD_PROXY
-------\Legacy_MSCONTROLSERVICE
-------\Service_$sys$DRMServer
-------\Service_CD_Proxy


((((((((((((((((((((((((( Files Created from 2009-02-05 to 2009-03-05 )))))))))))))))))))))))))))))))
.

2009-03-04 19:59 . 2009-03-04 20:00 <DIR> d----c--- C:\32788R22FWJFW
2009-03-01 21:12 . 2009-03-01 21:12 <DIR> d-------- c:\program files\Avira
2009-02-25 20:01 . 2009-02-25 20:01 <DIR> d-------- c:\program files\SUPERAntiSpyware
2009-02-25 20:01 . 2009-02-25 20:01 <DIR> d----c--- c:\documents and settings\Owner\Application Data\SUPERAntiSpyware.com
2009-02-25 20:01 . 2009-02-25 20:01 <DIR> d----c--- c:\documents and settings\All Users\Application Data\SUPERAntiSpyware.com
2009-02-25 19:59 . 2009-02-25 19:59 <DIR> d-------- c:\program files\Common Files\Wise Installation Wizard
2009-02-24 21:12 . 2009-02-24 21:12 <DIR> d-------- c:\program files\Malwarebytes' Anti-Malware
2009-02-24 21:12 . 2009-02-24 21:12 <DIR> d----c--- c:\documents and settings\Owner\Application Data\Malwarebytes
2009-02-24 21:12 . 2009-02-24 21:12 <DIR> d----c--- c:\documents and settings\All Users\Application Data\Malwarebytes
2009-02-24 21:12 . 2009-02-11 10:19 38,496 --a------ c:\windows\system32\drivers\mbamswissarmy.sys
2009-02-24 21:12 . 2009-02-11 10:19 15,504 --a------ c:\windows\system32\drivers\mbam.sys
2009-02-24 18:28 . 2009-02-24 18:28 <DIR> d-------- c:\windows\system32\FxsTmp
2009-02-24 18:27 . 2002-08-29 07:00 132,608 --a------ c:\windows\system32\fxsclntR.dll
2009-02-24 18:27 . 2002-08-29 07:00 132,608 --a--c--- c:\windows\system32\dllcache\fxsclntr.dll
2009-02-24 18:27 . 2002-08-29 07:00 111,104 --a------ c:\windows\system32\fxscfgwz.dll
2009-02-24 18:27 . 2002-08-29 07:00 111,104 --a--c--- c:\windows\system32\dllcache\fxscfgwz.dll
2009-02-24 18:27 . 2002-08-29 07:00 31,744 --a------ c:\windows\system32\fxsroute.dll
2009-02-24 18:27 . 2002-08-29 07:00 31,744 --a--c--- c:\windows\system32\dllcache\fxsroute.dll
2009-02-24 18:27 . 2002-08-29 07:00 11,264 --a------ c:\windows\system32\fxssend.exe
2009-02-24 18:27 . 2002-08-29 07:00 11,264 --a--c--- c:\windows\system32\dllcache\fxssend.exe
2009-02-24 18:27 . 2002-08-29 07:00 1,793 --a------ c:\windows\system32\fxsperf.ini
2009-02-24 18:27 . 2002-08-29 07:00 1,361 --a------ c:\windows\system32\fxscount.h
2009-02-22 18:01 . 2009-02-22 18:01 <DIR> d-------- c:\program files\Trend Micro
2009-02-11 12:01 . 2009-02-24 17:54 1,917 --a------ c:\windows\imsins.BAK

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-03-04 22:48 --------- dc----w c:\documents and settings\All Users\Application Data\Google Updater
2009-03-02 02:12 --------- dc----w c:\documents and settings\All Users\Application Data\Avira
2009-02-24 23:34 --------- d-----w c:\program files\GameHouse
2009-02-24 23:33 --------- dc----w c:\documents and settings\All Users\Application Data\Viewpoint
2009-02-24 23:33 --------- d-----w c:\program files\WildTangent
2009-02-10 01:37 --------- d-----w c:\program files\Common Files\AOL
2009-02-10 01:36 --------- d-----w c:\program files\Common Files\Nullsoft
2009-02-07 03:37 --------- d-----w c:\program files\Free Window Registry Repair
2009-02-04 22:13 --------- dc----w c:\documents and settings\Owner\Application Data\RedMercury
2009-02-04 22:11 --------- d-----w c:\program files\RegistryPatrol3.0
2009-01-31 14:16 --------- d-----w c:\program files\LimeWire
2009-01-31 14:14 --------- d-----w c:\program files\Java
2009-01-13 18:43 --------- d-----w c:\program files\Encore
2009-01-13 18:39 --------- d--h--w c:\program files\InstallShield Installation Information
2007-08-04 01:48 530,617 -c--a-w c:\documents and settings\Owner\mvPCinfo-1.50.exe
2007-09-16 06:35 66,408 ----a-w c:\program files\mozilla firefox\components\jar50.dll
2007-09-16 06:35 54,112 ----a-w c:\program files\mozilla firefox\components\jsd3250.dll
2007-09-16 06:35 34,688 ----a-w c:\program files\mozilla firefox\components\myspell.dll
2007-09-16 06:35 46,456 ----a-w c:\program files\mozilla firefox\components\spellchk.dll
2007-09-16 06:35 171,880 ----a-w c:\program files\mozilla firefox\components\xpinstal.dll
2005-09-25 03:49 426,149 --sh--w c:\windows\speech\rvsrba.bak1
2005-09-26 04:52 425,750 --sh--w c:\windows\speech\rvsrba.bak2
2008-05-11 01:20 32,768 --sha-w c:\windows\system32\config\systemprofile\Local Settings\History\History.IE5\MSHist012008051020080511\index.dat
.

((((((((((((((((((((((((((((((((((((((((((((( AWF ))))))))))))))))))))))))))))))))))))))))))))))))))))))))))
.
----a-w 241,664 2003-12-22 23:38:42 c:\program files\HP\hpcoretech\bak\hpcmpmgr.exe

----a-w 49,152 2003-08-21 11:23:08 c:\program files\HP\{45B6180B-DCAB-4093-8EE8-6164457517F0}\bak\hphupd05.exe

----a-w 229,952 2006-09-25 18:54:24 c:\program files\iTunes\bak\iTunesHelper.exe

----a-w 282,624 2006-09-24 07:24:54 c:\program files\QuickTime\bak\qttask.exe
----a-w 282,624 2008-01-16 04:18:04 c:\program files\QuickTime\qttask.exe

----a-w 52,736 1998-05-08 00:04:38 c:\windows\system\bak\hpsysdrv.exe

----a-w 118,784 2004-08-20 19:51:14 c:\windows\system32\bak\hkcmd.exe

----a-w 483,328 2003-08-21 11:15:48 c:\windows\system32\bak\hphmon05.exe

----a-w 155,648 2004-08-20 19:55:14 c:\windows\system32\bak\igfxtray.exe

.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"UserFaultCheck"="c:\windows\system32\dumprep 0 -u" [X]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2008-01-15 282624]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2009-01-31 136600]
"avgnt"="c:\program files\Avira\AntiVir PersonalEdition Classic\avgnt.exe" [2008-06-12 266497]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
D-Link AirPlus G Configuration Utility.lnk - c:\program files\D-Link AirPlus G\AirPlus.exe [2008-11-22 294912]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"DisableLocalUserRun"= 0 (0x0)

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "c:\program files\SUPERAntiSpyware\SASSEH.DLL" [2008-05-13 77824]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
2008-12-22 11:05 356352 c:\program files\SUPERAntiSpyware\SASWINLO.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\session manager]
BootExecute REG_MULTI_SZ autocheck autochk *\0SsiEfr.e

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"UpdatesDisableNotify"=dword:00000001
"AntiVirusOverride"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\LimeWire\\LimeWire.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe"=
"c:\\Program Files\\Messenger\\msmsgs.exe"=
"c:\\Program Files\\FlashFXP\\FlashFXP.exe"=

R1 SASDIFSV;SASDIFSV;c:\program files\SUPERAntiSpyware\sasdifsv.sys [2009-02-17 8944]
R1 SASKUTIL;SASKUTIL;c:\program files\SUPERAntiSpyware\SASKUTIL.SYS [2009-02-17 55024]
R3 W8100PCI;D-Link AirPlus G Wireless Driver;c:\windows\system32\drivers\MRV8K51.sys [2008-11-22 297984]
S0 $sys$cor;$sys$cor; [x]
S1 $sys$crater;$sys$crater;\??\c:\windows\System32\$sys$filesystem\crater.sys --> c:\windows\System32\$sys$filesystem\crater.sys [?]
S3 pnicml;pnicml;\??\c:\docume~1\Owner\LOCALS~1\Temp\pnicml.sys --> c:\docume~1\Owner\LOCALS~1\Temp\pnicml.sys [?]
S3 SASENUM;SASENUM;c:\program files\SUPERAntiSpyware\SASENUM.SYS [2009-02-17 7408]

[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\>{60B49E34-C7CC-11D0-8953-00A0C90347FF}]
"c:\windows\system32\rundll32.exe" "c:\windows\system32\iedkcs32.dll",BrandIEActiveSetup SIGNUP
.
Contents of the 'Scheduled Tasks' folder

2009-03-05 c:\windows\Tasks\RUTASK.job
- c:\windows\ru.exe []
.
- - - - ORPHANS REMOVED - - - -

BHO-{2B17736A-6F33-4228-840B-453077019E4F} - (no file)
BHO-{a34e5e00-fe62-4318-a2ec-4e16e5f9068d} - (no file)


.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.yahoo.com/
uInternet Settings,ProxyOverride = localhost
IE: &AOL Toolbar search - c:\program files\AOL Toolbar\toolbar.dll/SEARCH.HTML
IE: &Yahoo! Search - file:///c:\program files\Yahoo!\Common/ycsrch.htm
IE: Add To HP Organize... - c:\progra~1\HEWLET~1\HPORGA~1\bin\core.hp.main\SendTo.html
IE: E&xport to Microsoft Excel - c:\progra~1\MI1933~1\Office12\EXCEL.EXE/3000
IE: Easy-WebPrint Add To Print List - c:\program files\Canon\Easy-WebPrint\Resource.dll/RC_AddToList.html
IE: Easy-WebPrint High Speed Print - c:\program files\Canon\Easy-WebPrint\Resource.dll/RC_HSPrint.html
IE: Easy-WebPrint Preview - c:\program files\Canon\Easy-WebPrint\Resource.dll/RC_Preview.html
IE: Easy-WebPrint Print - c:\program files\Canon\Easy-WebPrint\Resource.dll/RC_Print.html
IE: Yahoo! &Dictionary - file:///c:\program files\Yahoo!\Common/ycdict.htm
IE: Yahoo! &Maps - file:///c:\program files\Yahoo!\Common/ycmap.htm
IE: Yahoo! &SMS - file:///c:\program files\Yahoo!\Common/ycsms.htm
Trusted Zone: bankatlantic.com\www
Trusted Zone: ebay.com\buy
Trusted Zone: ebay.com\cgi
Trusted Zone: ebay.com\cgi5
Trusted Zone: ebay.com\contact
Trusted Zone: ebay.com\feedback
Trusted Zone: ebay.com\my
Trusted Zone: ebay.com\offer
Trusted Zone: ebay.com\payments
Trusted Zone: ebay.com\search
Trusted Zone: ebay.com\sell
Trusted Zone: ebay.com\signin
Trusted Zone: fimserve.com\deeb.opt
Trusted Zone: fimserve.com\delb.opt
Trusted Zone: fimserve.com\demr.opt
Trusted Zone: fimserve.com\desb.opt
Trusted Zone: fmrserve.com\demr.opt
Trusted Zone: fmrsrve.com\demr.opt
Trusted Zone: google.com\images
Trusted Zone: google.com\www
Trusted Zone: k12.fl.us\sub.pasco
Trusted Zone: lewww.com\www.fusker
Trusted Zone: msplinks.com\www
Trusted Zone: myspace.com
Trusted Zone: myspace.com\blog
Trusted Zone: myspace.com\BRowseusers
Trusted Zone: myspace.com\bulletin
Trusted Zone: myspace.com\collect
Trusted Zone: myspace.com\comment
Trusted Zone: myspace.com\comments
Trusted Zone: myspace.com\demr
Trusted Zone: myspace.com\editprofile
Trusted Zone: myspace.com\home
Trusted Zone: myspace.com\home8
Trusted Zone: myspace.com\login
Trusted Zone: myspace.com\login2
Trusted Zone: myspace.com\mail
Trusted Zone: myspace.com\messaging
Trusted Zone: myspace.com\photo
Trusted Zone: myspace.com\profile
Trusted Zone: myspace.com\profileedit
Trusted Zone: myspace.com\search
Trusted Zone: myspace.com\viewmorepics
Trusted Zone: myspace.com\www
Trusted Zone: paypal.com\www
Trusted Zone: photobucket.com
Trusted Zone: photobucket.com\www
Trusted Zone: yahoo.com\login
Trusted Zone: yahoo.com\us.mc314.mail
Trusted Zone: yahoo.com\www
.

**************************************************************************

catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-03-04 20:10:37
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(632)
c:\program files\SUPERAntiSpyware\SASWINLO.dll
.
------------------------ Other Running Processes ------------------------
.
c:\program files\Avira\AntiVir PersonalEdition Classic\sched.exe
c:\program files\Avira\AntiVir PersonalEdition Classic\avguard.exe
c:\program files\Google\Common\Google Updater\GoogleUpdaterService.exe
c:\program files\Java\jre6\bin\jqs.exe
.
**************************************************************************
.
Completion time: 2009-03-04 20:19:40 - machine was rebooted
ComboFix-quarantined-files.txt 2009-03-05 01:19:34

Pre-Run: 36,514,742,272 bytes free
Post-Run: 36,715,974,656 bytes free

262 --- E O F --- 2009-02-24 21:12:17

#8 SifuMike

SifuMike

    malware expert


  • Members
  • 15,385 posts
  • Gender:Male
  • Location:Vancouver (not BC) WA (Not DC) USA
  • Local time:04:51 AM

Posted 04 March 2009 - 10:49 PM

Hi diesellady80,

Download FindAWF:
http://noahdfear.geekstogo.com/FindAWF.exe
Save the file to the Desktop
Double-click the FindAWF icon.

If a Security Alert shows, allow the program to run.
As instructed, press any key to continue.
Use the following option: Press 1 then Enter to scan for bak folders
The scan may take a while, please be patient.

When done, a text file, the Find AWF report, is produced that we need to look at.
Please post it in your reply.
If I've saved you time & money,
please make a donation so I can keep helping people just like you! You can donate using a credit card and PayPal. Thank you!



Posted Image

Asking for help via Private Message or Mail will be ignored - So If you need help, post your problem in the forum.

#9 diesellady80

diesellady80
  • Topic Starter

  • Members
  • 38 posts
  • Gender:Female
  • Location:The Shucks Empire
  • Local time:06:51 AM

Posted 05 March 2009 - 02:59 PM

Hi SifuMike,

Here is the AWF report:



Find AWF report by noahdfear 2006
Version 1.40

The current date is: Thu 03/05/2009
The current time is: 14:53:21.92


bak folders found
~~~~~~~~~~~


Directory of C:\PROGRA~1\ITUNES\BAK

09/25/2006 01:54 PM 229,952 iTunesHelper.exe
1 File(s) 229,952 bytes

Directory of C:\PROGRA~1\QUICKT~1\BAK

09/24/2006 02:24 AM 282,624 qttask.exe
1 File(s) 282,624 bytes

Directory of C:\WINDOWS\SYSTEM\BAK

05/07/1998 07:04 PM 52,736 hpsysdrv.exe
1 File(s) 52,736 bytes

Directory of C:\WINDOWS\SYSTEM32\BAK

08/20/2004 02:51 PM 118,784 hkcmd.exe
08/21/2003 06:15 AM 483,328 hphmon05.exe
08/20/2004 02:55 PM 155,648 igfxtray.exe
3 File(s) 757,760 bytes

Directory of C:\PROGRA~1\HP\HPCORE~1\BAK

12/22/2003 06:38 PM 241,664 hpcmpmgr.exe
1 File(s) 241,664 bytes

Directory of C:\PROGRA~1\HP\{45B61~1\BAK

08/21/2003 06:23 AM 49,152 hphupd05.exe
1 File(s) 49,152 bytes

Directory of C:\PROGRA~1\HP\DIGITA~1\BIN\BAK

0 File(s) 0 bytes


Duplicate files of bak directory contents
~~~~~~~~~~~~~~~~~~~~~~~

116288 May 14 2007 "C:\Program Files\Apple Software Update\Packages\iTunesSetupAdmin.exe"
229952 Sep 25 2006 "C:\Program Files\iTunes\bak\iTunesHelper.exe"
282624 Jan 15 2008 "C:\Program Files\QuickTime\qttask.exe"
282624 Sep 24 2006 "C:\Program Files\QuickTime\bak\qttask.exe"
52736 May 7 1998 "C:\WINDOWS\system\bak\hpsysdrv.exe"
118784 Feb 10 2004 "C:\hp\drivers\video_Intel\hkcmd.exe"
118784 Aug 20 2004 "C:\WINDOWS\system32\bak\hkcmd.exe"
118784 Feb 10 2004 "C:\WINDOWS\system32\ReinstallBackups\0011\DriverFiles\hkcmd.exe"
483328 Aug 21 2003 "C:\WINDOWS\system32\bak\hphmon05.exe"
155648 Feb 10 2004 "C:\hp\drivers\video_Intel\igfxtray.exe"
155648 Aug 20 2004 "C:\WINDOWS\system32\bak\igfxtray.exe"
155648 Feb 10 2004 "C:\WINDOWS\system32\ReinstallBackups\0011\DriverFiles\igfxtray.exe"
241664 Dec 22 2003 "C:\Program Files\HP\hpcoretech\bak\hpcmpmgr.exe"
49152 Aug 21 2003 "C:\Program Files\HP\{45B6180B-DCAB-4093-8EE8-6164457517F0}\bak\hphupd05.exe"


end of report



thank you for sticking with me!! :thumbup2:

#10 SifuMike

SifuMike

    malware expert


  • Members
  • 15,385 posts
  • Gender:Male
  • Location:Vancouver (not BC) WA (Not DC) USA
  • Local time:04:51 AM

Posted 05 March 2009 - 03:13 PM

Hi diesellady80,

Please double-click the FindAWF icon once again

If a Security Alert shows, allow the program to run.
As instructed, press any key to continue.
Use the following option: Press 2 then Enter to restore files from bak folders

A text file opens called: files.txt
Click below the line and paste the following list of files to be restored:


"C:\Program Files\iTunes\bak\iTunesHelper.exe"
"C:\Program Files\QuickTime\bak\qttask.exe"
"C:\WINDOWS\system\bak\hpsysdrv.exe"
"C:\WINDOWS\system32\bak\hkcmd.exe"
"C:\WINDOWS\system32\bak\hphmon05.exe"
"C:\WINDOWS\system32\bak\igfxtray.exe"
"C:\Program Files\HP\hpcoretech\bak\hpcmpmgr.exe"
"C:\Program Files\HP\{45B6180B-DCAB-4093-8EE8-6164457517F0}\bak\hphupd05.exe"


Next, close and click Yes to save the changes.

Once files.txt is saved, FindAWF does the following:
-It attempts to terminate the process represented by each filename on the list, if running
-Deletes the rogue file from the parent folder, if present
-Copies the original file to the parent folder

When done with the above, it automatically runs a new scan and opens a new log.
Please provide the new FindAWF log in your reply

#11 diesellady80

diesellady80
  • Topic Starter

  • Members
  • 38 posts
  • Gender:Female
  • Location:The Shucks Empire
  • Local time:06:51 AM

Posted 05 March 2009 - 05:08 PM

Ok, I did that exactly. Here is the AWF report:


Find AWF report by noahdfear 2006
Version 1.40
Option 2 run successfully

The current date is: Thu 03/05/2009
The current time is: 17:05:20.07


bak folders found
~~~~~~~~~~~


Directory of C:\PROGRA~1\ITUNES\BAK

09/25/2006 01:54 PM 229,952 iTunesHelper.exe
1 File(s) 229,952 bytes

Directory of C:\PROGRA~1\QUICKT~1\BAK

09/24/2006 02:24 AM 282,624 qttask.exe
1 File(s) 282,624 bytes

Directory of C:\WINDOWS\SYSTEM\BAK

05/07/1998 07:04 PM 52,736 hpsysdrv.exe
1 File(s) 52,736 bytes

Directory of C:\WINDOWS\SYSTEM32\BAK

08/20/2004 02:51 PM 118,784 hkcmd.exe
08/21/2003 06:15 AM 483,328 hphmon05.exe
08/20/2004 02:55 PM 155,648 igfxtray.exe
3 File(s) 757,760 bytes

Directory of C:\PROGRA~1\HP\HPCORE~1\BAK

12/22/2003 06:38 PM 241,664 hpcmpmgr.exe
1 File(s) 241,664 bytes

Directory of C:\PROGRA~1\HP\{45B61~1\BAK

08/21/2003 06:23 AM 49,152 hphupd05.exe
1 File(s) 49,152 bytes

Directory of C:\PROGRA~1\HP\DIGITA~1\BIN\BAK

0 File(s) 0 bytes


Duplicate files of bak directory contents
~~~~~~~~~~~~~~~~~~~~~~~

229952 Sep 25 2006 "C:\Program Files\iTunes\iTunesHelper.exe"
116288 May 14 2007 "C:\Program Files\Apple Software Update\Packages\iTunesSetupAdmin.exe"
229952 Sep 25 2006 "C:\Program Files\iTunes\bak\iTunesHelper.exe"
282624 Sep 24 2006 "C:\Program Files\QuickTime\qttask.exe"
282624 Sep 24 2006 "C:\Program Files\QuickTime\bak\qttask.exe"
52736 May 7 1998 "C:\WINDOWS\system\hpsysdrv.exe"
52736 May 7 1998 "C:\WINDOWS\system\bak\hpsysdrv.exe"
118784 Aug 20 2004 "C:\WINDOWS\system32\hkcmd.exe"
118784 Feb 10 2004 "C:\hp\drivers\video_Intel\hkcmd.exe"
118784 Aug 20 2004 "C:\WINDOWS\system32\bak\hkcmd.exe"
118784 Feb 10 2004 "C:\WINDOWS\system32\ReinstallBackups\0011\DriverFiles\hkcmd.exe"
483328 Aug 21 2003 "C:\WINDOWS\system32\hphmon05.exe"
483328 Aug 21 2003 "C:\WINDOWS\system32\bak\hphmon05.exe"
155648 Aug 20 2004 "C:\WINDOWS\system32\igfxtray.exe"
155648 Feb 10 2004 "C:\hp\drivers\video_Intel\igfxtray.exe"
155648 Aug 20 2004 "C:\WINDOWS\system32\bak\igfxtray.exe"
155648 Feb 10 2004 "C:\WINDOWS\system32\ReinstallBackups\0011\DriverFiles\igfxtray.exe"
241664 Dec 22 2003 "C:\Program Files\HP\hpcoretech\hpcmpmgr.exe"
241664 Dec 22 2003 "C:\Program Files\HP\hpcoretech\bak\hpcmpmgr.exe"
49152 Aug 21 2003 "C:\Program Files\HP\{45B6180B-DCAB-4093-8EE8-6164457517F0}\hphupd05.exe"
49152 Aug 21 2003 "C:\Program Files\HP\{45B6180B-DCAB-4093-8EE8-6164457517F0}\bak\hphupd05.exe"


end of report
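The two reports above differ only in the "Duplicate files" section: before option 2 the bak folders hold the originals while the parent folders are either missing the file or hold a copy with a different date (the Jan 15 2008 qttask.exe), and after option 2 every bak file has a same-size, same-date twin in its parent folder. As an added example that is not part of this thread or of FindAWF, the Python below parses that section and classifies each bak-folder file as restored, mismatched or missing; the embedded sample lines are excerpts from the two reports, and the function names are my own.

```python
"""Check a FindAWF report: does every file in a \\bak folder have an
identical copy (same size and date) back in its parent folder?

Added example for this thread, not part of FindAWF.  Sample lines below
are excerpts from the two reports posted above (before and after option 2).
"""
import re

# Entry format in the duplicate-files section: <size> <Mon> <day> <year> "<path>"
_ENTRY_RE = re.compile(r'^(\d+)\s+([A-Za-z]{3})\s+(\d{1,2})\s+(\d{4})\s+"([^"]+)"$')


def parse_duplicates(report: str) -> list:
    """Return one {'size', 'date', 'path'} record per file entry in the
    'Duplicate files of bak directory contents' section."""
    records, in_section = [], False
    for raw in report.splitlines():
        line = raw.strip()
        if line.startswith("Duplicate files of bak directory contents"):
            in_section = True
            continue
        if line.startswith("end of report"):
            break
        if not in_section:
            continue
        m = _ENTRY_RE.match(line)
        if m:  # skips the ~~~ underline, blank lines and anything else
            size, mon, day, year, path = m.groups()
            records.append({"size": int(size),
                            "date": f"{mon} {int(day)} {year}",
                            "path": path})
    return records


def parent_of_bak(path: str):
    """'C:\\x\\bak\\f.exe' -> 'C:\\x\\f.exe'; None if not inside a bak folder."""
    parts = path.split("\\")
    if len(parts) >= 3 and parts[-2].lower() == "bak":
        return "\\".join(parts[:-2] + parts[-1:])
    return None


def check_bak_folders(report: str) -> dict:
    """For each bak-folder file, classify the parent-folder copy as
    'restored' (same size and date), 'mismatch' (present but size or
    date differ, as with the Jan 2008 qttask.exe before the restore) or
    'missing' (no file of that name in the parent folder)."""
    by_path = {r["path"].lower(): r for r in parse_duplicates(report)}
    verdict = {}
    for rec in by_path.values():
        parent = parent_of_bak(rec["path"])
        if parent is None:
            continue
        other = by_path.get(parent.lower())
        if other is None:
            verdict[rec["path"]] = "missing"
        elif (other["size"], other["date"]) == (rec["size"], rec["date"]):
            verdict[rec["path"]] = "restored"
        else:
            verdict[rec["path"]] = "mismatch"
    return verdict


# Excerpt of the first report (before option 2), taken from the thread above.
BEFORE_RESTORE = r'''
Duplicate files of bak directory contents
~~~~~~~~~~~~~~~~~~~~~~~

282624 Jan 15 2008 "C:\Program Files\QuickTime\qttask.exe"
282624 Sep 24 2006 "C:\Program Files\QuickTime\bak\qttask.exe"
52736 May 7 1998 "C:\WINDOWS\system\bak\hpsysdrv.exe"
118784 Feb 10 2004 "C:\hp\drivers\video_Intel\hkcmd.exe"
118784 Aug 20 2004 "C:\WINDOWS\system32\bak\hkcmd.exe"

end of report
'''

# Excerpt of the second report (after option 2), taken from the thread above.
AFTER_RESTORE = r'''
Duplicate files of bak directory contents
~~~~~~~~~~~~~~~~~~~~~~~

282624 Sep 24 2006 "C:\Program Files\QuickTime\qttask.exe"
282624 Sep 24 2006 "C:\Program Files\QuickTime\bak\qttask.exe"
52736 May 7 1998 "C:\WINDOWS\system\hpsysdrv.exe"
52736 May 7 1998 "C:\WINDOWS\system\bak\hpsysdrv.exe"
118784 Aug 20 2004 "C:\WINDOWS\system32\hkcmd.exe"
118784 Aug 20 2004 "C:\WINDOWS\system32\bak\hkcmd.exe"

end of report
'''

if __name__ == "__main__":
    for label, rep in (("before", BEFORE_RESTORE), ("after", AFTER_RESTORE)):
        for path, state in sorted(check_bak_folders(rep).items()):
            print(f"{label:6} {state:8} {path}")
```

The "mismatch" verdict is the one worth acting on when reading such a report by hand: a same-size file in the parent folder with a different date is exactly the case a size-only comparison would miss.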

#12 SifuMike

SifuMike

    malware expert


  • Members
  • 15,385 posts
  • Gender:Male
  • Location:Vancouver (not BC) WA (Not DC) USA
  • Local time:04:51 AM

Posted 05 March 2009 - 07:35 PM

Hi diesellady80,

Please download ATF Cleaner by Atribune.
Double-click ATF-Cleaner.exe to run the program.
Under Main choose: Select All
Click the Empty Selected button.
If you use Firefox browser: Click Firefox at the top and choose: Select All
Click the Empty Selected button.
NOTE: If you would like to keep your saved passwords, please click No at the prompt.
If you use Opera browser: Click Opera at the top and choose: Select All
Click the Empty Selected button.
NOTE: If you would like to keep your saved passwords, please click No at the prompt.
Click Exit on the Main menu to close the program.
For Technical Support, double-click the e-mail address located at the bottom of each menu.

Reboot your computer <==== Important



Please double-click the FindAWF icon once again
This time we are going to remove some folders.

If a Security Alert shows, allow the program to run.
As instructed, press any key to continue.
Use the following option: Press 3 then Enter to remove bak folders

A text file opens called: folders.txt
Click below the line and paste the following list of folders to be removed:

C:\Program Files\iTunes\bak
C:\Program Files\QuickTime\bak
C:\WINDOWS\system\bak
C:\WINDOWS\system32\bak
C:\WINDOWS\system32\bak
C:\WINDOWS\system32\bak
C:\Program Files\HP\hpcoretech\bak
C:\Program Files\HP\{45B6180B-DCAB-4093-8EE8-6164457517F0}\bak


Next, close and click Yes to save the changes.

When done with the above, FindAWF automatically runs a new scan and opens a new log that you need to post.
Please provide the new FindAWF log in your reply

#13 diesellady80

diesellady80
  • Topic Starter

  • Members
  • 38 posts
  • Gender:Female
  • Location:The Shucks Empire
  • Local time:06:51 AM

Posted 05 March 2009 - 09:23 PM

Ok thanks! Here is the log:




Find AWF report by noahdfear 2006
Version 1.40
Option 3 run successfully

The current date is: Thu 03/05/2009
The current time is: 21:19:39.78


bak folders found
~~~~~~~~~~~


Directory of C:\PROGRA~1\HP\DIGITA~1\BIN\BAK

0 File(s) 0 bytes


Duplicate files of bak directory contents
~~~~~~~~~~~~~~~~~~~~~~~



end of report

#14 SifuMike

SifuMike

    malware expert


  • Members
  • 15,385 posts
  • Gender:Male
  • Location:Vancouver (not BC) WA (Not DC) USA
  • Local time:04:51 AM

Posted 05 March 2009 - 10:37 PM

Hi diesellady80,

Double-click the FindAWF icon once again.
Use the following option: Press 4 then Enter to reset domain zones.
When the program returns to the main menu, use the following option:
Press E then Enter to EXIT

You need to disable your Avira AntiVir Antivirus before running ComboFix, as it will prevent it from running.

If you are unsure how to do this, see this topic: http://www.bleepingcomputer.com/forums/t/114351/how-to-temporarily-disable-your-anti-virus-firewall-and-anti-malware-programs/



Click Start, then Run and type Notepad and click OK.
Open notepad - don't use any other text editor than notepad or the script will fail.
Copy/paste the text in the code box below into notepad:

File:: 
c:\docume~1\Owner\LOCALS~1\Temp\pnicml.sys

Registry:: 
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"= ""
[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"UpdatesDisableNotify"=dword:00000000
"AntiVirusOverride"=dword:00000000
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]
"DisableMonitoring"=dword:00000000

Driver:: 
pnicml


Name the Notepad file CFScript.txt and Save it to your desktop.

IMPORTANT: The above script was written specifically for this infection on this person's computer. It is NOT to be used on another computer, as it may cause damage that could result in a format!

Then drag the CFScript into ComboFix.exe as you see in the screenshot below.

Posted Image


This will start ComboFix again. After reboot, (in case it asks to reboot), post the contents of Combofix.txt in your next reply together with a new HijackThis log.

#15 diesellady80

diesellady80
  • Topic Starter

  • Members
  • 38 posts
  • Gender:Female
  • Location:The Shucks Empire
  • Local time:06:51 AM

Posted 06 March 2009 - 04:44 PM

I opened Avira Antivir when combofix restarted the computer, only to disable it. I hope that was ok.



Combofix log:

ComboFix 09-03-04.01 - Owner 2009-03-06 16:24:10.2 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.247.81 [GMT -5:00]
Running from: c:\documents and settings\Owner\Desktop\ComboFix.exe
Command switches used :: c:\documents and settings\Owner\Desktop\CFScript.txt
AV: Avira AntiVir PersonalEdition *On-access scanning disabled* (Updated)
* Created a new restore point

FILE ::
c:\docume~1\Owner\LOCALS~1\Temp\pnicml.sys
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Legacy_PNICML
-------\Service_pnicml


((((((((((((((((((((((((( Files Created from 2009-02-06 to 2009-03-06 )))))))))))))))))))))))))))))))
.

2009-03-05 17:05 . 2003-08-21 06:15 483,328 --a------ c:\windows\system32\hphmon05.exe
2009-03-05 17:05 . 2004-08-20 14:55 155,648 --a------ c:\windows\system32\igfxtray.exe
2009-03-05 17:05 . 2004-08-20 14:51 118,784 --a------ c:\windows\system32\hkcmd.exe
2009-03-05 17:05 . 1998-05-07 19:04 52,736 --a------ c:\windows\system\hpsysdrv.exe
2009-03-01 21:12 . 2009-03-01 21:12 <DIR> d-------- c:\program files\Avira
2009-02-25 20:01 . 2009-02-25 20:01 <DIR> d-------- c:\program files\SUPERAntiSpyware
2009-02-25 20:01 . 2009-02-25 20:01 <DIR> d----c--- c:\documents and settings\Owner\Application Data\SUPERAntiSpyware.com
2009-02-25 20:01 . 2009-02-25 20:01 <DIR> d----c--- c:\documents and settings\All Users\Application Data\SUPERAntiSpyware.com
2009-02-25 19:59 . 2009-02-25 19:59 <DIR> d-------- c:\program files\Common Files\Wise Installation Wizard
2009-02-24 21:12 . 2009-02-24 21:12 <DIR> d-------- c:\program files\Malwarebytes' Anti-Malware
2009-02-24 21:12 . 2009-02-24 21:12 <DIR> d----c--- c:\documents and settings\Owner\Application Data\Malwarebytes
2009-02-24 21:12 . 2009-02-24 21:12 <DIR> d----c--- c:\documents and settings\All Users\Application Data\Malwarebytes
2009-02-24 21:12 . 2009-02-11 10:19 38,496 --a------ c:\windows\system32\drivers\mbamswissarmy.sys
2009-02-24 21:12 . 2009-02-11 10:19 15,504 --a------ c:\windows\system32\drivers\mbam.sys
2009-02-24 18:28 . 2009-02-24 18:28 <DIR> d-------- c:\windows\system32\FxsTmp
2009-02-24 18:27 . 2002-08-29 07:00 132,608 --a------ c:\windows\system32\fxsclntR.dll
2009-02-24 18:27 . 2002-08-29 07:00 132,608 --a--c--- c:\windows\system32\dllcache\fxsclntr.dll
2009-02-24 18:27 . 2002-08-29 07:00 111,104 --a------ c:\windows\system32\fxscfgwz.dll
2009-02-24 18:27 . 2002-08-29 07:00 111,104 --a--c--- c:\windows\system32\dllcache\fxscfgwz.dll
2009-02-24 18:27 . 2002-08-29 07:00 31,744 --a------ c:\windows\system32\fxsroute.dll
2009-02-24 18:27 . 2002-08-29 07:00 31,744 --a--c--- c:\windows\system32\dllcache\fxsroute.dll
2009-02-24 18:27 . 2002-08-29 07:00 11,264 --a------ c:\windows\system32\fxssend.exe
2009-02-24 18:27 . 2002-08-29 07:00 11,264 --a--c--- c:\windows\system32\dllcache\fxssend.exe
2009-02-24 18:27 . 2002-08-29 07:00 1,793 --a------ c:\windows\system32\fxsperf.ini
2009-02-24 18:27 . 2002-08-29 07:00 1,361 --a------ c:\windows\system32\fxscount.h
2009-02-22 18:01 . 2009-02-22 18:01 <DIR> d-------- c:\program files\Trend Micro
2009-02-11 12:01 . 2009-02-24 17:54 1,917 --a------ c:\windows\imsins.BAK

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-03-06 02:19 --------- d-----w c:\program files\QuickTime
2009-03-06 02:19 --------- d-----w c:\program files\iTunes
2009-03-05 23:48 --------- dc----w c:\documents and settings\All Users\Application Data\Google Updater
2009-03-02 02:12 --------- dc----w c:\documents and settings\All Users\Application Data\Avira
2009-02-24 23:34 --------- d-----w c:\program files\GameHouse
2009-02-24 23:33 --------- dc----w c:\documents and settings\All Users\Application Data\Viewpoint
2009-02-24 23:33 --------- d-----w c:\program files\WildTangent
2009-02-10 01:37 --------- d-----w c:\program files\Common Files\AOL
2009-02-10 01:36 --------- d-----w c:\program files\Common Files\Nullsoft
2009-02-07 03:37 --------- d-----w c:\program files\Free Window Registry Repair
2009-02-04 22:13 --------- dc----w c:\documents and settings\Owner\Application Data\RedMercury
2009-02-04 22:11 --------- d-----w c:\program files\RegistryPatrol3.0
2009-01-31 14:16 --------- d-----w c:\program files\LimeWire
2009-01-31 14:14 --------- d-----w c:\program files\Java
2009-01-13 18:43 --------- d-----w c:\program files\Encore
2009-01-13 18:39 --------- d--h--w c:\program files\InstallShield Installation Information
2007-08-04 01:48 530,617 -c--a-w c:\documents and settings\Owner\mvPCinfo-1.50.exe
2007-09-16 06:35 66,408 ----a-w c:\program files\mozilla firefox\components\jar50.dll
2007-09-16 06:35 54,112 ----a-w c:\program files\mozilla firefox\components\jsd3250.dll
2007-09-16 06:35 34,688 ----a-w c:\program files\mozilla firefox\components\myspell.dll
2007-09-16 06:35 46,456 ----a-w c:\program files\mozilla firefox\components\spellchk.dll
2007-09-16 06:35 171,880 ----a-w c:\program files\mozilla firefox\components\xpinstal.dll
2005-09-25 03:49 426,149 --sh--w c:\windows\speech\rvsrba.bak1
2005-09-26 04:52 425,750 --sh--w c:\windows\speech\rvsrba.bak2
2008-05-11 01:20 32,768 --sha-w c:\windows\system32\config\systemprofile\Local Settings\History\History.IE5\MSHist012008051020080511\index.dat
.

((((((((((((((((((((((((((((( SnapShot@2009-03-04_20.16.03.01 )))))))))))))))))))))))))))))))))))))))))
.
+ 2009-03-05 21:25:09 65,536 ----a-r c:\windows\Installer\{49FC50FC-F965-40D9-89B4-CBFF80941033}\ARPPRODUCTICON.exe
+ 2009-03-06 21:31:40 16,384 ----atw c:\windows\Temp\Perflib_Perfdata_1a0.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"UserFaultCheck"="c:\windows\system32\dumprep 0 -u" [X]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2006-09-24 282624]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2009-01-31 136600]
"avgnt"="c:\program files\Avira\AntiVir PersonalEdition Classic\avgnt.exe" [2008-06-12 266497]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
D-Link AirPlus G Configuration Utility.lnk - c:\program files\D-Link AirPlus G\AirPlus.exe [2008-11-22 294912]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"DisableLocalUserRun"= 0 (0x0)

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "c:\program files\SUPERAntiSpyware\SASSEH.DLL" [2008-05-13 77824]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
2008-12-22 11:05 356352 c:\program files\SUPERAntiSpyware\SASWINLO.dll

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\session manager]
BootExecute REG_MULTI_SZ autocheck autochk *\0SsiEfr.e

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\LimeWire\\LimeWire.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe"=
"c:\\Program Files\\Messenger\\msmsgs.exe"=
"c:\\Program Files\\FlashFXP\\FlashFXP.exe"=

R1 SASDIFSV;SASDIFSV;c:\program files\SUPERAntiSpyware\sasdifsv.sys [2009-02-17 8944]
R1 SASKUTIL;SASKUTIL;c:\program files\SUPERAntiSpyware\SASKUTIL.SYS [2009-02-17 55024]
R3 W8100PCI;D-Link AirPlus G Wireless Driver;c:\windows\system32\drivers\MRV8K51.sys [2008-11-22 297984]
S0 $sys$cor;$sys$cor; [x]
S1 $sys$crater;$sys$crater;\??\c:\windows\System32\$sys$filesystem\crater.sys --> c:\windows\System32\$sys$filesystem\crater.sys [?]
S3 SASENUM;SASENUM;c:\program files\SUPERAntiSpyware\SASENUM.SYS [2009-02-17 7408]

[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\>{60B49E34-C7CC-11D0-8953-00A0C90347FF}]
"c:\windows\system32\rundll32.exe" "c:\windows\system32\iedkcs32.dll",BrandIEActiveSetup SIGNUP
.
Contents of the 'Scheduled Tasks' folder

2009-03-06 c:\windows\Tasks\RUTASK.job
- c:\windows\ru.exe []
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.yahoo.com/
uInternet Settings,ProxyOverride = localhost
IE: &AOL Toolbar search - c:\program files\AOL Toolbar\toolbar.dll/SEARCH.HTML
IE: &Yahoo! Search - file:///c:\program files\Yahoo!\Common/ycsrch.htm
IE: Add To HP Organize... - c:\progra~1\HEWLET~1\HPORGA~1\bin\core.hp.main\SendTo.html
IE: E&xport to Microsoft Excel - c:\progra~1\MI1933~1\Office12\EXCEL.EXE/3000
IE: Easy-WebPrint Add To Print List - c:\program files\Canon\Easy-WebPrint\Resource.dll/RC_AddToList.html
IE: Easy-WebPrint High Speed Print - c:\program files\Canon\Easy-WebPrint\Resource.dll/RC_HSPrint.html
IE: Easy-WebPrint Preview - c:\program files\Canon\Easy-WebPrint\Resource.dll/RC_Preview.html
IE: Easy-WebPrint Print - c:\program files\Canon\Easy-WebPrint\Resource.dll/RC_Print.html
IE: Yahoo! &Dictionary - file:///c:\program files\Yahoo!\Common/ycdict.htm
IE: Yahoo! &Maps - file:///c:\program files\Yahoo!\Common/ycmap.htm
IE: Yahoo! &SMS - file:///c:\program files\Yahoo!\Common/ycsms.htm
.

**************************************************************************

catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-03-06 16:32:50
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(632)
c:\program files\SUPERAntiSpyware\SASWINLO.dll
.
------------------------ Other Running Processes ------------------------
.
c:\program files\Avira\AntiVir PersonalEdition Classic\sched.exe
c:\program files\Avira\AntiVir PersonalEdition Classic\avguard.exe
c:\program files\Google\Common\Google Updater\GoogleUpdaterService.exe
c:\program files\Java\jre6\bin\jqs.exe
c:\windows\system32\wscntfy.exe
.
**************************************************************************
.
Completion time: 2009-03-06 16:40:00 - machine was rebooted
ComboFix-quarantined-files.txt 2009-03-06 21:39:54
ComboFix2.txt 2009-03-05 01:19:43

Pre-Run: 36,327,034,880 bytes free
Post-Run: 36,413,353,984 bytes free

170 --- E O F --- 2009-02-24 21:12:17
HJT Log:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 4:42:18 PM, on 3/6/2009
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v8.00 (8.00.6001.18372)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Avira\AntiVir PersonalEdition Classic\sched.exe
C:\Program Files\Avira\AntiVir PersonalEdition Classic\avguard.exe
C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\Program Files\Avira\AntiVir PersonalEdition Classic\avgnt.exe
C:\Program Files\D-Link AirPlus G\AirPlus.exe
C:\WINDOWS\explorer.exe
C:\WINDOWS\system32\notepad.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = localhost
O2 - BHO: (no name) - {02478D38-C3F9-4efb-9B51-7695ECA05670} - (no file)
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: Yahoo! IE Services Button - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O2 - BHO: Java™ Plug-In SSV Helper - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre6\bin\ssv.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\4.1.805.4472\swg.dll
O2 - BHO: Java™ Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: FlashFXP Helper for Internet Explorer - {E5A1691B-D188-4419-AD02-90002030B8EE} - C:\PROGRA~1\FlashFXP\IEFlash.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O4 - HKLM\..\Run: [UserFaultCheck] %systemroot%\system32\dumprep 0 -u
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"
O4 - HKLM\..\Run: [avgnt] "C:\Program Files\Avira\AntiVir PersonalEdition Classic\avgnt.exe" /min
O4 - Global Startup: D-Link AirPlus G Configuration Utility.lnk = ?
O8 - Extra context menu item: &AOL Toolbar search - res://C:\Program Files\AOL Toolbar\toolbar.dll/SEARCH.HTML
O8 - Extra context menu item: &Yahoo! Search - file:///C:\Program Files\Yahoo!\Common/ycsrch.htm
O8 - Extra context menu item: Add To HP Organize... - C:\PROGRA~1\HEWLET~1\HPORGA~1\bin\core.hp.main\SendTo.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MI1933~1\Office12\EXCEL.EXE/3000
O8 - Extra context menu item: Easy-WebPrint Add To Print List - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_AddToList.html
O8 - Extra context menu item: Easy-WebPrint High Speed Print - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_HSPrint.html
O8 - Extra context menu item: Easy-WebPrint Preview - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_Preview.html
O8 - Extra context menu item: Easy-WebPrint Print - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_Print.html
O8 - Extra context menu item: Yahoo! &Dictionary - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
O8 - Extra context menu item: Yahoo! &Maps - file:///C:\Program Files\Yahoo!\Common/ycmap.htm
O8 - Extra context menu item: Yahoo! &SMS - file:///C:\Program Files\Yahoo!\Common/ycsms.htm
O9 - Extra button: Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MI1933~1\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {02A2D714-433E-46E4-B217-7C3B3FAF8EAE} (ScrabbleCubes Control) - http://www.worldwinner.com/games/v46/scrab...rabblecubes.cab
O16 - DPF: {1A1F56AA-3401-46F9-B277-D57F3421F821} (FunGamesLoader Object) - http://www.worldwinner.com/games/v46/share...GamesLoader.cab
O16 - DPF: {238F6F83-B8B4-11CF-8771-00A024541EE3} (Citrix ICA Client) - http://a516.g.akamai.net/f/516/25175/7d/ru...cat-no-eula.cab
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - C:\Program Files\Yahoo!\Common\yinsthelper.dll
O16 - DPF: {33E54F7F-561C-49E6-929B-D7E76D3AFEB1} (Pool Control) - http://www.worldwinner.com/games/v50/pool/pool.cab
O16 - DPF: {406B5949-7190-4245-91A9-30A17DE16AD0} (Snapfish Activia) - http://photo2.walgreens.com/WalgreensActivia.cab
O16 - DPF: {48DD0448-9209-4F81-9F6D-D83562940134} (MySpace Uploader Control) - http://lads.myspace.com/upload/MySpaceUploader1006.cab
O16 - DPF: {62969CF2-0F7A-433B-A221-FD8818C06C2F} (Blockwerx Control) - http://www.worldwinner.com/games/v49/blockwerx/blockwerx.cab
O16 - DPF: {6C6FE41A-0DA6-42A1-9AD8-792026B2B2A7} (FreeCell Control) - http://www.worldwinner.com/games/v41/freecell/freecell.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdat...b?1178583255171
O16 - DPF: {8A94C905-FF9D-43B6-8708-F0F22D22B1CB} (Wwlaunch Control) - http://www.worldwinner.com/games/shared/wwlaunch.cab
O16 - DPF: {94299420-321F-4FF9-A247-62A23EBB640B} (WordMojo Control) - http://www.worldwinner.com/games/v46/wordmojo/wordmojo.cab
O16 - DPF: {97438FE9-D361-4279-BA82-98CC0877A717} (Cubis Control) - http://www.worldwinner.com/games/v57/cubis/cubis.cab
O16 - DPF: {AC2881FD-5760-46DB-83AE-20A5C6432A7E} (SwapIt Control) - http://www.worldwinner.com/games/v67/swapit/swapit.cab
O16 - DPF: {B06CE1BC-5D9D-4676-BD28-1752DBF394E0} (Hangman Control) - http://www.worldwinner.com/games/v41/hangman/hangman.cab
O16 - DPF: {C93C1C34-CEA9-49B1-9046-040F59E0E0D8} (Paint Control) - http://www.worldwinner.com/games/v43/paint/paint.cab
O16 - DPF: {D0C0F75C-683A-4390-A791-1ACFD5599AB8} (Oberon Flash Game Host) - http://games.myspace.com/Gameshell/GameHos...ronGameHost.cab
O16 - DPF: {F137B9BA-89EA-4B04-9C67-2074A9DF61FD} (Photo Upload Plugin Class) - http://cvs.pnimedia.com/upload/activex/v2_...upv2.0.0.11.cab?
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O23 - Service: Avira AntiVir Personal - Free Antivirus Scheduler (AntiVirScheduler) - Avira GmbH - C:\Program Files\Avira\AntiVir PersonalEdition Classic\sched.exe
O23 - Service: Avira AntiVir Personal - Free Antivirus Guard (AntiVirService) - Avira GmbH - C:\Program Files\Avira\AntiVir PersonalEdition Classic\avguard.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O24 - Desktop Component 0: (no name) - http://rds.yahoo.com/S=96062883/K=shooting...her_gun_006.jpg
O24 - Desktop Component 1: (no name) - http://photobucket.com/albums/b200/diesell...th_7263a0b5.gif

--
End of file - 8884 bytes
Thank you always :thumbup2: