Jump to content


 


Register a free account to unlock additional features at BleepingComputer.com
Welcome to BleepingComputer, a free community where people like yourself come together to discuss and learn how to use their computers. Using the site is easy and fun. As a guest, you can browse and view the various discussions in the forums, but can not create a new topic or reply to an existing one unless you are logged in. Other benefits of registering an account are subscribing to topics and forums, creating a blog, and having no ads shown anywhere on the site.


Click here to Register a free account now! or read our Welcome Guide to learn how to use this site.

Photo

Popups, browser/computer running slow


  • This topic is locked This topic is locked
26 replies to this topic

#1 ArmyNGWife

ArmyNGWife

  • Members
  • 15 posts
  • OFFLINE
  •  
  • Local time:11:11 PM

Posted 28 March 2009 - 09:13 AM

A few weeks ago I had trouble with "Spyware Protect 2009" popping up, but I managed to find out what to delete on my own for that. But, once I got rid of that, I started getting a lot of different popups from my browser. I primarily use FireFox. Even without Internet Explorer open, I get popups with FireFox and IE. A lot of times the popups seem to be about downloaded spyware removal software. Other times the popups are related to Web sites I'm browsing or Google searches I've done. For example, I was searching for jobs yesterday and I kept getting popups for other job search sites.

Sometimes with all the popups my FireFox will freeze, and occasionally so does my whole computer.

I had downloaded Spybot Search & Destroy and have run it several times since getting my "Spyware Protect 2009" problem, but it hasn't fixed anything, even though it has told me each time that it has found things and fixed them.

I've also recently been getting a popup (not from a browser) titled "Auto-Protection Results" that will list several items named "Trojan.Vundo" and wants to remove them. I don't know what this is from, so I haven't told it to do anything.

I hope I have given you enough information to help! Below is my DDS log, and I do have the attach file if needed later.

Thanks!!
Sandy




DDS (Ver_09-03-16.01) - NTFSx86
Run by Sandy at 21:53:21.38 on Fri 03/27/2009
Internet Explorer: 7.0.5730.11 BrowserJavaVersion: 1.6.0_05
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.2550.1091 [GMT -5:00]

AV: Symantec AntiVirus Corporate Edition *On-access scanning enabled* (Updated)

============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
svchost.exe
svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Symantec AntiVirus\DefWatch.exe
C:\Program Files\Common Files\New Boundary\PrismXL\PRISMXL.SYS
C:\WINDOWS\System32\svchost.exe -k imgsvc
C:\Program Files\Symantec AntiVirus\Rtvscan.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Viewpoint\Common\ViewpointService.exe
C:\WINDOWS\System32\svchost.exe -k HTTPFilter
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\AIM6\aolsoftware.exe
C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
C:\Program Files\TortoiseSVN\bin\TSVNCache.exe
C:\Program Files\AIM6\aim6.exe
C:\PROGRA~1\MICROS~3\rapimgr.exe
C:\Program Files\Microsoft ActiveSync\wcescomm.exe
C:\WINDOWS\system32\LVComsX.exe
C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe
C:\Program Files\Windows Media Player\wmplayer.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\WINDOWS\system32\Wintab32.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Documents and Settings\Sandy\Desktop\dds.scr

============== Pseudo HJT Report ===============

uStart Page = about:blank
uInternet Settings,ProxyOverride = *.local
BHO: Adobe PDF Reader Link Helper: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelper.dll
BHO: Spybot-S&D IE Protection: {53707962-6f74-2d53-2644-206d7942484f} - c:\program files\spybot - search & destroy\SDHelper.dll
BHO: SSVHelper Class: {761497bb-d6f0-462c-b6eb-d4daf1d92d43} - c:\program files\java\jre1.6.0_05\bin\ssv.dll
TB: Zend Studio: {95188727-288f-4581-a48d-eab3bd027314} - c:\progra~1\zend\zendst~1.0\bin\ZENDIE~1.DLL
TB: DAEMON Tools Toolbar: {32099aac-c132-4136-9e9a-4e364a424e17} - c:\program files\daemon tools toolbar\DTToolbar.dll
EB: {32683183-48a0-441b-a342-7c2a440a9478} - No File
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRun: [Aim6] "c:\program files\aim6\aim6.exe" /d locale=en-US ee://aol/imApp
uRun: [H/PC Connection Agent] "c:\program files\microsoft activesync\wcescomm.exe"
uRun: [Yahoo! Pager] "c:\program files\yahoo!\messenger\YahooMessenger.exe" -quiet
uRun: [LogitechSoftwareUpdate] "c:\program files\logitech\video\ManifestEngine.exe" boot
uRun: [DAEMON Tools Lite] "c:\program files\daemon tools lite\daemon.exe" -autorun
uRun: [rundll32.exe] rundll32.exe "c:\documents and settings\sandy\application data\macromedia\common\40dfc00c1.dll""
uRun: [SpybotSD TeaTimer] c:\program files\spybot - search & destroy\TeaTimer.exe
uRun: [AdobeUpdater] "c:\program files\common files\adobe\updater5\AdobeUpdater.exe"
uRunOnce: [SpybotDeletingB7783] command.com /c del "c:\windows\system32\fuwojake.dll_old"
uRunOnce: [SpybotDeletingD7] cmd.exe /c del "c:\windows\system32\fuwojake.dll_old"
uRunOnce: [SpybotDeletingB5722] command.com /c del "c:\windows\system32\neyiwafu.dll_old"
uRunOnce: [SpybotDeletingD6941] cmd.exe /c del "c:\windows\system32\neyiwafu.dll_old"
mRun: [ccApp] "c:\program files\common files\symantec shared\ccApp.exe"
mRun: [vptray] c:\progra~1\symant~1\VPTray.exe
mRun: [Adobe Photo Downloader] "c:\program files\adobe\photoshop album starter edition\3.0\apps\apdproxy.exe"
mRun: [High Definition Audio Property Page Shortcut] HDAShCut.exe
mRun: [SoundMan] SOUNDMAN.EXE
mRun: [AlcWzrd] ALCWZRD.EXE
mRun: [Alcmtr] ALCMTR.EXE
mRun: [IgfxTray] c:\windows\system32\igfxtray.exe
mRun: [HotKeysCmds] c:\windows\system32\hkcmd.exe
mRun: [Persistence] c:\windows\system32\igfxpers.exe
mRun: [Recguard] %WINDIR%\SMINST\RECGUARD.EXE
mRun: [Reminder] %WINDIR%\Creator\Remind_XP.exe
mRun: [RemoteControl] "c:\program files\cyberlink\powerdvd\PDVDServ.exe"
mRun: [NeroFilterCheck] c:\windows\system32\NeroCheck.exe
mRun: [QuickTime Task] "c:\program files\quicktime\qttask.exe" -atboottime
mRun: [SunJavaUpdateSched] "c:\program files\java\jre1.6.0_05\bin\jusched.exe"
mRun: [EPSON Stylus Photo R200 Series] c:\windows\system32\spool\drivers\w32x86\3\E_S4I2H1.EXE /P30 "EPSON Stylus Photo R200 Series" /O6 "USB001" /M "Stylus

Photo R200"
mRun: [QMessenger] c:\program files\q messenger\QMessenger.exe
mRun: [Auto EPSON Stylus Photo R200 Series on BRIAN] c:\windows\system32\spool\drivers\w32x86\3\e_s4i2h1.exe /p44 "auto epson stylus photo r200 series on

brian" /o13 "\\brian\EPSON" /M "Stylus Photo R200"
mRun: [LVCOMSX] c:\windows\system32\LVCOMSX.EXE
mRun: [LogitechVideoRepair] c:\program files\logitech\video\ISStart.exe
mRun: [LogitechVideoTray] c:\program files\logitech\video\LogiTray.exe
mRun: [\QMSGR-BRIAN\EPSON Stylus Photo R200 Series] c:\windows\system32\spool\drivers\w32x86\3\e_s4i2h1.exe /p44 "\\qmsgr-brian\EPSON Stylus Photo R200

Series" /O6 "USB001" /M "Stylus Photo R200"
mRun: [tamepohupe] Rundll32.exe "c:\windows\system32\vuzofafu.dll",s
mRun: [Mxilogeh] rundll32.exe "c:\windows\Inaseyuva.dll",e
mRun: [Vdowivajiyuhax] rundll32.exe "c:\windows\uvixixoy.dll",e
mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 8.0\reader\Reader_sl.exe"
mRun: [CPM17bd551c] Rundll32.exe "c:\windows\system32\fuwojake.dll",a
mRun: [148e6680] rundll32.exe "c:\windows\system32\neyiwafu.dll",b
mRunOnce: [SpybotDeletingA7634] command.com /c del "c:\windows\system32\fuwojake.dll_old"
mRunOnce: [SpybotDeletingC37] cmd.exe /c del "c:\windows\system32\fuwojake.dll_old"
mRunOnce: [SpybotDeletingA310] command.com /c del "c:\windows\system32\neyiwafu.dll_old"
mRunOnce: [SpybotDeletingC9892] cmd.exe /c del "c:\windows\system32\neyiwafu.dll_old"
dRun: [rundll32.exe] rundll32.exe "c:\documents and settings\sandy\application data\macromedia\common\40dfc00c1.dll""
uExplorerRun: [svcho] c:\windows\svcho.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\zyxelg~1.lnk - c:\program files\zyxel\g-200v2\G-200.exe
IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office11\EXCEL.EXE/3000
IE: Zend Studio - Debug current page - c:\program files\zend\zendstudio-5.5.0\bin\ZendIEToolbar.dll/DebugCurrent.html
IE: Zend Studio - Debug next page - c:\program files\zend\zendstudio-5.5.0\bin\ZendIEToolbar.dll/DebugNext.html
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - {CAFEEFAC-0016-0000-0005-ABCDEFFEDCBC} - c:\program files\java\jre1.6.0_05\bin\ssv.dll
IE: {2EAF5BB1-070F-11D3-9307-00C04FAE2D4F} - {2EAF5BB0-070F-11D3-9307-00C04FAE2D4F} - c:\progra~1\micros~3\INetRepl.dll
IE: {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - {2EAF5BB0-070F-11D3-9307-00C04FAE2D4F} - c:\progra~1\micros~3\INetRepl.dll
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~2\office11\REFIEBAR.DLL
IE: {A26ABCF0-1C8F-46e7-A67C-0489DC21B9CC} - {95188727-288F-4581-A48D-EAB3BD027314} - c:\progra~1\zend\zendst~1.0\bin\ZENDIE~1.DLL
IE: {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - {53707962-6F74-2D53-2644-206D7942484F} - c:\program files\spybot - search & destroy\SDHelper.dll
DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} - hxxp://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1179726536781
DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} - hxxp://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1179729706484
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_05-windows-i586.cab
DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} - hxxp://fpdownload.macromedia.com/get/flashplayer/current/polarbear/ultrashim.cab
DPF: {CAFEEFAC-0016-0000-0002-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_02-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0005-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_05-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_05-windows-i586.cab
Notify: igfxcui - igfxdev.dll
Notify: NavLogon - c:\windows\system32\NavLogon.dll
AppInit_DLLs: fipbma.dll xbhulm.dll c:\windows\system32\fuwojake.dll,
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
SSODL: SSODL - {EC43E3FD-5C60-46a6-97D7-E0B85DBDD6C4} - c:\windows\system32\fuwojake.dll
STS: STS: {ec43e3fd-5c60-46a6-97d7-e0b85dbdd6c4} - c:\windows\system32\fuwojake.dll

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\sandy\applic~1\mozilla\firefox\profiles\py1jcv9w.default\
FF - prefs.js: browser.search.defaulturl - hxxp://slirsredirect.search.aol.com/slirs_http/sredir?sredir=2706&invocationType=tb50fftrie7&query=
FF - prefs.js: browser.search.selectedEngine - Google
FF - prefs.js: keyword.URL - hxxp://slirsredirect.search.aol.com/slirs_http/sredir?sredir=2706&invocationType=tb50fftrab&query=
FF - component: c:\program files\daemon tools toolbar\firefoxdtt\components\DTToolbarFF.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npCouponPrinter.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npgcplug.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npracplug.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npViewpoint.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npViewpoint_.dll
FF - plugin: c:\program files\real\realarcade\plugins\mozilla\npracplug.dll
FF - plugin: c:\program files\viewpoint\viewpoint experience technology\npViewpoint.dll
FF - HiddenExtension: XUL Cache: {9F3AAE93-1799-41EE-9B30-84AB2E2A4FA5} - c:\documents and settings\sandy\local settings\application

data\{9F3AAE93-1799-41EE-9B30-84AB2E2A4FA5}

============= SERVICES / DRIVERS ===============

R1 SAVRT;SAVRT;c:\program files\symantec antivirus\savrt.sys [2006-9-6 337592]
R1 SAVRTPEL;SAVRTPEL;c:\program files\symantec antivirus\Savrtpel.sys [2006-9-6 54968]
R2 ccEvtMgr;Symantec Event Manager;c:\program files\common files\symantec shared\ccEvtMgr.exe [2006-7-19 192160]
R2 ccSetMgr;Symantec Settings Manager;c:\program files\common files\symantec shared\ccSetMgr.exe [2006-7-19 169632]
R2 Symantec AntiVirus;Symantec AntiVirus;c:\program files\symantec antivirus\Rtvscan.exe [2006-9-27 1813232]
R2 Viewpoint Manager Service;Viewpoint Manager Service;c:\program files\viewpoint\common\ViewpointService.exe [2007-10-29 24652]
R3 EraserUtilRebootDrv;EraserUtilRebootDrv;c:\program files\common files\symantec shared\eengine\EraserUtilRebootDrv.sys [2009-2-27 101936]
R3 NAVENG;NAVENG;c:\progra~1\common~1\symant~1\virusd~1\20090327.005\naveng.sys [2009-3-27 89104]
R3 NAVEX15;NAVEX15;c:\progra~1\common~1\symant~1\virusd~1\20090327.005\navex15.sys [2009-3-27 876144]
R3 Wtcls2k;Wtcls2k;c:\windows\system32\drivers\wtcls2k.sys [2009-3-25 13824]
S3 SavRoam;SAVRoam;c:\program files\symantec antivirus\SavRoam.exe [2006-9-27 116464]
S3 W2kbhid;KBGear Tablet (USB);c:\windows\system32\drivers\w2kbhid.sys [2009-3-25 23552]
S3 ZD1211U(ZyXEL);ZyXEL G-200v2 802.11b/g Wireless USB Adapter(ZyXEL);c:\windows\system32\drivers\zd1211u.sys --> c:\windows\system32\drivers\zd1211u.sys [?]

=============== Created Last 30 ================

2009-03-25 15:39 816 a------- c:\windows\WINTAB.INI
2009-03-25 15:39 13,824 a------- c:\windows\system32\drivers\wtcls2k.sys
2009-03-25 15:39 173,568 a------- c:\windows\system32\kbjam.cpl
2009-03-25 15:39 110,592 a------- c:\windows\system32\wintab32.exe
2009-03-25 15:39 65,536 a------- c:\windows\system32\wintab32.dll
2009-03-25 15:39 28,992 a------- c:\windows\system32\wintab.dll
2009-03-25 15:39 23,552 a------- c:\windows\system32\drivers\w2kbhid.sys
2009-03-25 15:39 <DIR> --d----- c:\windows\KBGear
2009-03-25 15:37 10,368 ac------ c:\windows\system32\dllcache\hidusb.sys
2009-03-25 15:37 10,368 a------- c:\windows\system32\drivers\hidusb.sys
2009-03-15 20:26 54,156 a---h--- c:\windows\QTFont.qfn
2009-03-15 20:26 1,409 a------- c:\windows\QTFont.for
2009-03-07 08:47 1,813,351 ---sh--- c:\windows\system32\ufawiyen.tmp
2009-03-07 08:43 46,640 a------- c:\windows\system32\msln.exe
2009-03-06 14:02 141,312 -------- c:\windows\system32\xbhulm.dll
2009-03-06 02:16 142,336 a--sh--- c:\windows\system32\xgozfg.dll
2009-03-05 13:56 143,360 a--sh--- c:\windows\system32\rkvtxp.dll
2009-03-05 01:55 142,336 a--sh--- c:\windows\system32\swojvb.dll
2009-03-04 13:55 141,312 a--sh--- c:\windows\system32\mdzhwn.dll
2009-03-04 01:54 142,848 a--sh--- c:\windows\system32\mndcwo.dll
2009-03-03 13:54 142,848 -------- c:\windows\system32\fipbma.dll
2009-03-03 12:55 <DIR> --d----- c:\program files\common files\PC Tools
2009-03-03 12:54 <DIR> --d----- c:\program files\Spyware Doctor
2009-03-03 01:53 141,824 a--sh--- c:\windows\system32\cjivzn.dll
2009-03-02 16:27 326 a------- c:\windows\wininit.ini
2009-03-02 14:30 <DIR> --d----- c:\program files\Spybot - Search & Destroy
2009-03-02 14:30 <DIR> --d----- c:\docume~1\alluse~1\applic~1\Spybot - Search & Destroy
2009-03-02 13:53 142,848 a--sh--- c:\windows\system32\wwnfef.dll

==================== Find3M ====================

2009-03-06 14:02 141,312 a--sh--- c:\windows\system32\sekelumo.dll
2009-03-06 02:16 102,912 -------- c:\windows\system32\beyerite.dll
2009-03-06 02:16 142,336 a--sh--- c:\windows\system32\rilegopi.dll
2009-03-06 02:16 107,520 a--sh--- c:\windows\system32\kajazevi.dll
2009-03-05 13:56 102,400 -------- c:\windows\system32\wohozedo.dll
2009-03-05 13:56 143,360 a--sh--- c:\windows\system32\logikema.dll
2009-03-05 13:56 107,008 a--sh--- c:\windows\system32\jipowoza.dll
2009-03-05 01:55 101,888 -------- c:\windows\system32\wapizime.dll
2009-03-05 01:55 142,336 a--sh--- c:\windows\system32\keloresu.dll
2009-03-05 01:55 108,032 a--sh--- c:\windows\system32\kerebuna.dll
2009-03-04 13:55 141,312 a--sh--- c:\windows\system32\biwitivo.dll
2009-03-04 13:55 105,984 a--sh--- c:\windows\system32\faboyobo.dll
2009-03-04 01:54 103,424 -------- c:\windows\system32\pusupuro.dll
2009-03-04 01:54 107,520 a--sh--- c:\windows\system32\butazaji.dll
2009-03-04 01:54 142,848 a--sh--- c:\windows\system32\veyigafa.dll
2009-03-03 13:54 103,936 -------- c:\windows\system32\jomuhivo.dll
2009-03-03 13:54 142,848 a--sh--- c:\windows\system32\jiweyiyi.dll
2009-03-03 13:54 109,056 a--sh--- c:\windows\system32\fomegozu.dll
2009-03-03 01:53 141,824 a--sh--- c:\windows\system32\timijapu.dll
2009-03-02 13:53 142,848 a--sh--- c:\windows\system32\zogezali.dll
2009-02-11 15:31 717,296 a------- c:\windows\system32\drivers\sptd.sys
2008-09-21 09:59 256 a------- c:\documents and settings\sandy\pool.bin
2007-10-22 17:17 774,144 a------- c:\program files\RngInterstitial.dll
2008-10-11 19:24 32,768 a--sh--- c:\windows\system32\config\systemprofile\local

settings\history\history.ie5\mshist012008101120081012\index.dat

============= FINISH: 21:54:52.88 ===============

BC AdBot (Login to Remove)

 


#2 fireman4it

fireman4it

    Bleepin' Fireman


  • Malware Response Team
  • 13,505 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Greenup, Ill USA
  • Local time:12:11 AM

Posted 29 March 2009 - 09:41 AM

Hello ArmyNGWife,

Welcome to Bleeping Computer.

Sorry for delayed response. Forums have been really busy. :thumbup2:

My name is fireman4it and I will be helping you with your Malware problem.
As I am still in training I will be helping you under supervision of our expert teachers, so there may be a delay between posts.

Please make no further changes or run any other tools unless instructed to. This may hinder the cleaning of your machine.

1.
Please post a new DDS log for my review. Malware constantly changes therefore I need an updated log.

" Extinguishing Malware from the world"

The Virus, Trojan, Spyware, and Malware Removal forum is very busy. If I'm helping you and I've not posted back within 24 hrs., send a PM with your topic link. Thank you.

ALL OTHER HELP REQUESTS VIA THE PM SYSTEM WILL BE IGNORED. The Forums are there for a reason!
Thanks-


  userbar_eis_500.gif

If I have helped you, consider making a donation to help me continue the fight against Malware! Just click btn_donate_LG.gif


#3 ArmyNGWife

ArmyNGWife
  • Topic Starter

  • Members
  • 15 posts
  • OFFLINE
  •  
  • Local time:11:11 PM

Posted 29 March 2009 - 09:48 PM

Ok, I restarted my computer, and when I did it said Symantec Antivirus was cleaning up something before it loaded Windows and then it restarted again. When Windows loaded I got several errors:

Four followed this format, though I did not get all of the filenames because they froze up on me and I couldn't see the text anymore:

"Error loading c:\WINDOWS\Inaseyuva.dll
The specified module could not be found."

Another one's file location was in c:\WINDOWS\system32, but I couldn't get the filename. None of them were anything I recognized.

A final error was:

"rundll32.exe - Bad Image

The application or DLL c:\Documents and Settings\..\Application Data\Macromedia\Common\40dfc00c1.dll is not a valid Windows image. Please check this against your installation diskette."


Once I got all that cleared away, I ran the DDS. Here is my new log:


DDS (Ver_09-03-16.01) - NTFSx86
Run by Sandy at 21:39:51.81 on Sun 03/29/2009
Internet Explorer: 7.0.5730.11 BrowserJavaVersion: 1.6.0_05
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.2550.1777 [GMT -5:00]

AV: Symantec AntiVirus Corporate Edition *On-access scanning enabled* (Updated)

============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
svchost.exe
svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\TortoiseSVN\bin\TSVNCache.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\PROGRA~1\SYMANT~1\VPTray.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\WINDOWS\ALCWZRD.EXE
C:\WINDOWS\system32\igfxtray.exe
C:\WINDOWS\system32\Wintab32.exe
C:\WINDOWS\system32\igfxpers.exe
C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Symantec AntiVirus\DoScan.exe
C:\Program Files\Symantec AntiVirus\DefWatch.exe
C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe
C:\Program Files\Common Files\New Boundary\PrismXL\PRISMXL.SYS
C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S4I2H1.EXE
C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S4I2H1.EXE
C:\WINDOWS\System32\svchost.exe -k imgsvc
C:\WINDOWS\system32\LVCOMSX.EXE
C:\Program Files\Logitech\Video\LogiTray.exe
C:\Program Files\Symantec AntiVirus\Rtvscan.exe
C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\AIM6\aim6.exe
C:\Program Files\Microsoft ActiveSync\wcescomm.exe
C:\Program Files\Viewpoint\Common\ViewpointService.exe
C:\PROGRA~1\MICROS~3\rapimgr.exe
C:\Program Files\Logitech\Video\FxSvr2.exe
C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe
C:\WINDOWS\System32\svchost.exe -k HTTPFilter
C:\Program Files\DAEMON Tools Lite\daemon.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\Program Files\ZyXEL\G-200v2\G-200.exe
C:\Program Files\AIM6\aolsoftware.exe
C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
C:\Program Files\Java\jre1.6.0_05\bin\jucheck.exe
C:\Documents and Settings\Sandy\Desktop\dds.scr

============== Pseudo HJT Report ===============

uStart Page = about:blank
uInternet Settings,ProxyOverride = *.local
mWinlogon: Userinit=c:\windows\system32\userinit.exe
BHO: Adobe PDF Reader Link Helper: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelper.dll
BHO: Spybot-S&D IE Protection: {53707962-6f74-2d53-2644-206d7942484f} - c:\program files\spybot - search & destroy\SDHelper.dll
BHO: SSVHelper Class: {761497bb-d6f0-462c-b6eb-d4daf1d92d43} - c:\program files\java\jre1.6.0_05\bin\ssv.dll
TB: Zend Studio: {95188727-288f-4581-a48d-eab3bd027314} - c:\progra~1\zend\zendst~1.0\bin\ZENDIE~1.DLL
TB: DAEMON Tools Toolbar: {32099aac-c132-4136-9e9a-4e364a424e17} - c:\program files\daemon tools toolbar\DTToolbar.dll
EB: {32683183-48a0-441b-a342-7c2a440a9478} - No File
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRun: [Aim6] "c:\program files\aim6\aim6.exe" /d locale=en-US ee://aol/imApp
uRun: [H/PC Connection Agent] "c:\program files\microsoft activesync\wcescomm.exe"
uRun: [Yahoo! Pager] "c:\program files\yahoo!\messenger\YahooMessenger.exe" -quiet
uRun: [LogitechSoftwareUpdate] "c:\program files\logitech\video\ManifestEngine.exe" boot
uRun: [DAEMON Tools Lite] "c:\program files\daemon tools lite\daemon.exe" -autorun
uRun: [rundll32.exe] rundll32.exe "c:\documents and settings\sandy\application data\macromedia\common\40dfc00c1.dll""
uRun: [SpybotSD TeaTimer] c:\program files\spybot - search & destroy\TeaTimer.exe
uRun: [AdobeUpdater] "c:\program files\common files\adobe\updater5\AdobeUpdater.exe"
mRun: [ccApp] "c:\program files\common files\symantec shared\ccApp.exe"
mRun: [vptray] c:\progra~1\symant~1\VPTray.exe
mRun: [Adobe Photo Downloader] "c:\program files\adobe\photoshop album starter edition\3.0\apps\apdproxy.exe"
mRun: [High Definition Audio Property Page Shortcut] HDAShCut.exe
mRun: [SoundMan] SOUNDMAN.EXE
mRun: [AlcWzrd] ALCWZRD.EXE
mRun: [Alcmtr] ALCMTR.EXE
mRun: [IgfxTray] c:\windows\system32\igfxtray.exe
mRun: [HotKeysCmds] c:\windows\system32\hkcmd.exe
mRun: [Persistence] c:\windows\system32\igfxpers.exe
mRun: [Recguard] %WINDIR%\SMINST\RECGUARD.EXE
mRun: [Reminder] %WINDIR%\Creator\Remind_XP.exe
mRun: [RemoteControl] "c:\program files\cyberlink\powerdvd\PDVDServ.exe"
mRun: [NeroFilterCheck] c:\windows\system32\NeroCheck.exe
mRun: [QuickTime Task] "c:\program files\quicktime\qttask.exe" -atboottime
mRun: [SunJavaUpdateSched] "c:\program files\java\jre1.6.0_05\bin\jusched.exe"
mRun: [EPSON Stylus Photo R200 Series] c:\windows\system32\spool\drivers\w32x86\3\E_S4I2H1.EXE /P30 "EPSON Stylus Photo R200 Series" /O6 "USB001" /M "Stylus

Photo R200"
mRun: [QMessenger] c:\program files\q messenger\QMessenger.exe
mRun: [Auto EPSON Stylus Photo R200 Series on BRIAN] c:\windows\system32\spool\drivers\w32x86\3\e_s4i2h1.exe /p44 "auto epson stylus photo r200 series on

brian" /o13 "\\brian\EPSON" /M "Stylus Photo R200"
mRun: [LVCOMSX] c:\windows\system32\LVCOMSX.EXE
mRun: [LogitechVideoRepair] c:\program files\logitech\video\ISStart.exe
mRun: [LogitechVideoTray] c:\program files\logitech\video\LogiTray.exe
mRun: [\QMSGR-BRIAN\EPSON Stylus Photo R200 Series] c:\windows\system32\spool\drivers\w32x86\3\e_s4i2h1.exe /p44 "\\qmsgr-brian\EPSON Stylus Photo R200

Series" /O6 "USB001" /M "Stylus Photo R200"
mRun: [tamepohupe] Rundll32.exe "c:\windows\system32\vuzofafu.dll",s
mRun: [Mxilogeh] rundll32.exe "c:\windows\Inaseyuva.dll",e
mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 8.0\reader\Reader_sl.exe"
mRun: [CPM17bd551c] Rundll32.exe "c:\windows\system32\fuwojake.dll",a
mRun: [148e6680] rundll32.exe "c:\windows\system32\neyiwafu.dll",b
dRun: [rundll32.exe] rundll32.exe "c:\documents and settings\sandy\application data\macromedia\common\40dfc00c1.dll""
uExplorerRun: [svcho] c:\windows\svcho.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\zyxelg~1.lnk - c:\program files\zyxel\g-200v2\G-200.exe
IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office11\EXCEL.EXE/3000
IE: Zend Studio - Debug current page - c:\program files\zend\zendstudio-5.5.0\bin\ZendIEToolbar.dll/DebugCurrent.html
IE: Zend Studio - Debug next page - c:\program files\zend\zendstudio-5.5.0\bin\ZendIEToolbar.dll/DebugNext.html
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - {CAFEEFAC-0016-0000-0005-ABCDEFFEDCBC} - c:\program files\java\jre1.6.0_05\bin\ssv.dll
IE: {2EAF5BB1-070F-11D3-9307-00C04FAE2D4F} - {2EAF5BB0-070F-11D3-9307-00C04FAE2D4F} - c:\progra~1\micros~3\INetRepl.dll
IE: {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - {2EAF5BB0-070F-11D3-9307-00C04FAE2D4F} - c:\progra~1\micros~3\INetRepl.dll
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~2\office11\REFIEBAR.DLL
IE: {A26ABCF0-1C8F-46e7-A67C-0489DC21B9CC} - {95188727-288F-4581-A48D-EAB3BD027314} - c:\progra~1\zend\zendst~1.0\bin\ZENDIE~1.DLL
IE: {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - {53707962-6F74-2D53-2644-206D7942484F} - c:\program files\spybot - search & destroy\SDHelper.dll
DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} - hxxp://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1179726536781
DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} - hxxp://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1179729706484
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_05-windows-i586.cab
DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} - hxxp://fpdownload.macromedia.com/get/flashplayer/current/polarbear/ultrashim.cab
DPF: {CAFEEFAC-0016-0000-0002-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_02-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0005-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_05-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_05-windows-i586.cab
Notify: igfxcui - igfxdev.dll
Notify: NavLogon - c:\windows\system32\NavLogon.dll
AppInit_DLLs: fipbma.dll xbhulm.dll c:\windows\system32\fuwojake.dll,
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
SSODL: SSODL - {EC43E3FD-5C60-46a6-97D7-E0B85DBDD6C4} - c:\windows\system32\fuwojake.dll
STS: STS: {ec43e3fd-5c60-46a6-97d7-e0b85dbdd6c4} - c:\windows\system32\fuwojake.dll

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\sandy\applic~1\mozilla\firefox\profiles\py1jcv9w.default\
FF - prefs.js: browser.search.defaulturl - hxxp://slirsredirect.search.aol.com/slirs_http/sredir?sredir=2706&invocationType=tb50fftrie7&query=
FF - prefs.js: browser.search.selectedEngine - Google
FF - prefs.js: keyword.URL - hxxp://slirsredirect.search.aol.com/slirs_http/sredir?sredir=2706&invocationType=tb50fftrab&query=
FF - component: c:\program files\daemon tools toolbar\firefoxdtt\components\DTToolbarFF.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npCouponPrinter.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npgcplug.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npracplug.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npViewpoint.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npViewpoint_.dll
FF - plugin: c:\program files\real\realarcade\plugins\mozilla\npracplug.dll
FF - plugin: c:\program files\viewpoint\viewpoint experience technology\npViewpoint.dll
FF - HiddenExtension: XUL Cache: {9F3AAE93-1799-41EE-9B30-84AB2E2A4FA5} - c:\documents and settings\sandy\local settings\application

data\{9F3AAE93-1799-41EE-9B30-84AB2E2A4FA5}

============= SERVICES / DRIVERS ===============

R1 SAVRT;SAVRT;c:\program files\symantec antivirus\savrt.sys [2006-9-6 337592]
R1 SAVRTPEL;SAVRTPEL;c:\program files\symantec antivirus\Savrtpel.sys [2006-9-6 54968]
R2 ccEvtMgr;Symantec Event Manager;c:\program files\common files\symantec shared\ccEvtMgr.exe [2006-7-19 192160]
R2 ccSetMgr;Symantec Settings Manager;c:\program files\common files\symantec shared\ccSetMgr.exe [2006-7-19 169632]
R2 Symantec AntiVirus;Symantec AntiVirus;c:\program files\symantec antivirus\Rtvscan.exe [2006-9-27 1813232]
R2 Viewpoint Manager Service;Viewpoint Manager Service;c:\program files\viewpoint\common\ViewpointService.exe [2007-10-29 24652]
R3 EraserUtilRebootDrv;EraserUtilRebootDrv;c:\program files\common files\symantec shared\eengine\EraserUtilRebootDrv.sys [2009-2-27 101936]
R3 NAVENG;NAVENG;c:\progra~1\common~1\symant~1\virusd~1\20090327.005\naveng.sys [2009-3-27 89104]
R3 NAVEX15;NAVEX15;c:\progra~1\common~1\symant~1\virusd~1\20090327.005\navex15.sys [2009-3-27 876144]
S3 SavRoam;SAVRoam;c:\program files\symantec antivirus\SavRoam.exe [2006-9-27 116464]
S3 W2kbhid;KBGear Tablet (USB);c:\windows\system32\drivers\w2kbhid.sys [2009-3-25 23552]
S3 Wtcls2k;Wtcls2k;c:\windows\system32\drivers\wtcls2k.sys [2009-3-25 13824]
S3 ZD1211U(ZyXEL);ZyXEL G-200v2 802.11b/g Wireless USB Adapter(ZyXEL);c:\windows\system32\drivers\zd1211u.sys --> c:\windows\system32\drivers\zd1211u.sys [?]

=============== Created Last 30 ================

2009-03-27 23:23 3,553,520 ---sh--- c:\windows\system32\ufawiyen.ini2
2009-03-25 15:39 816 a------- c:\windows\WINTAB.INI
2009-03-25 15:39 13,824 a------- c:\windows\system32\drivers\wtcls2k.sys
2009-03-25 15:39 173,568 a------- c:\windows\system32\kbjam.cpl
2009-03-25 15:39 110,592 a------- c:\windows\system32\wintab32.exe
2009-03-25 15:39 65,536 a------- c:\windows\system32\wintab32.dll
2009-03-25 15:39 28,992 a------- c:\windows\system32\wintab.dll
2009-03-25 15:39 23,552 a------- c:\windows\system32\drivers\w2kbhid.sys
2009-03-25 15:39 <DIR> --d----- c:\windows\KBGear
2009-03-25 15:37 10,368 ac------ c:\windows\system32\dllcache\hidusb.sys
2009-03-25 15:37 10,368 a------- c:\windows\system32\drivers\hidusb.sys
2009-03-15 20:26 54,156 a---h--- c:\windows\QTFont.qfn
2009-03-15 20:26 1,409 a------- c:\windows\QTFont.for
2009-03-07 08:47 1,813,351 ---sh--- c:\windows\system32\ufawiyen.tmp
2009-03-06 02:16 142,336 a--sh--- c:\windows\system32\xgozfg.dll
2009-03-05 13:56 143,360 a--sh--- c:\windows\system32\rkvtxp.dll
2009-03-05 01:55 142,336 a--sh--- c:\windows\system32\swojvb.dll
2009-03-04 13:55 141,312 a--sh--- c:\windows\system32\mdzhwn.dll
2009-03-04 01:54 142,848 a--sh--- c:\windows\system32\mndcwo.dll
2009-03-03 12:55 <DIR> --d----- c:\program files\common files\PC Tools
2009-03-03 12:54 <DIR> --d----- c:\program files\Spyware Doctor
2009-03-03 01:53 141,824 a--sh--- c:\windows\system32\cjivzn.dll
2009-03-02 16:27 326 a------- c:\windows\wininit.ini
2009-03-02 14:30 <DIR> --d----- c:\program files\Spybot - Search & Destroy
2009-03-02 14:30 <DIR> --d----- c:\docume~1\alluse~1\applic~1\Spybot - Search & Destroy
2009-03-02 13:53 142,848 a--sh--- c:\windows\system32\wwnfef.dll

==================== Find3M ====================

2009-03-06 14:02 141,312 a--sh--- c:\windows\system32\sekelumo.dll
2009-03-06 02:16 102,912 -------- c:\windows\system32\beyerite.dll
2009-03-06 02:16 142,336 a--sh--- c:\windows\system32\rilegopi.dll
2009-03-06 02:16 107,520 a--sh--- c:\windows\system32\kajazevi.dll
2009-03-05 13:56 102,400 -------- c:\windows\system32\wohozedo.dll
2009-03-05 13:56 143,360 a--sh--- c:\windows\system32\logikema.dll
2009-03-05 13:56 107,008 a--sh--- c:\windows\system32\jipowoza.dll
2009-03-05 01:55 101,888 -------- c:\windows\system32\wapizime.dll
2009-03-05 01:55 142,336 a--sh--- c:\windows\system32\keloresu.dll
2009-03-05 01:55 108,032 a--sh--- c:\windows\system32\kerebuna.dll
2009-03-04 13:55 141,312 a--sh--- c:\windows\system32\biwitivo.dll
2009-03-04 13:55 105,984 a--sh--- c:\windows\system32\faboyobo.dll
2009-03-04 01:54 103,424 -------- c:\windows\system32\pusupuro.dll
2009-03-04 01:54 107,520 a--sh--- c:\windows\system32\butazaji.dll
2009-03-04 01:54 142,848 a--sh--- c:\windows\system32\veyigafa.dll
2009-03-03 13:54 103,936 -------- c:\windows\system32\jomuhivo.dll
2009-03-03 13:54 142,848 a--sh--- c:\windows\system32\jiweyiyi.dll
2009-03-03 13:54 109,056 a--sh--- c:\windows\system32\fomegozu.dll
2009-03-03 01:53 141,824 a--sh--- c:\windows\system32\timijapu.dll
2009-03-02 13:53 142,848 a--sh--- c:\windows\system32\zogezali.dll
2009-02-11 15:31 717,296 a------- c:\windows\system32\drivers\sptd.sys
2008-09-21 09:59 256 a------- c:\documents and settings\sandy\pool.bin
2007-10-22 17:17 774,144 a------- c:\program files\RngInterstitial.dll
2008-10-11 19:24 32,768 a--sh--- c:\windows\system32\config\systemprofile\local

settings\history\history.ie5\mshist012008101120081012\index.dat

============= FINISH: 21:40:46.35 ===============


Thanks for your help!
Sandy

#4 ArmyNGWife

ArmyNGWife
  • Topic Starter

  • Members
  • 15 posts
  • OFFLINE
  •  
  • Local time:11:11 PM

Posted 29 March 2009 - 09:50 PM

Just glancing over the log, these two files were a couple of those errors I mentioned:

"c:\windows\system32\fuwojake.dll"
"c:\windows\system32\neyiwafu.dll"

#5 fireman4it

fireman4it

    Bleepin' Fireman


  • Malware Response Team
  • 13,505 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Greenup, Ill USA
  • Local time:12:11 AM

Posted 30 March 2009 - 02:33 PM

Hello ArmyNGWife,

Be advised just because your computer seems to be running better does not mean it is clean. I will let you know when you are all clean.
Please follow all directions given. If you have any problems with any directions given stop and reply back telling me your problem. Failure to do so could cause non repairable damage to your machine.

1.
We need to disable Spybot S&D's "TeaTimer"
TeaTimer works by preventing ANY changes to the system. It will attempt to undo any fixes we run, because it blocks these fixes from running.

In order to safeguard your system from problems that can be brought on by a half finished fix, we need to disable TeaTimer. We can reenable it when we're done if you like.
  • Open SpyBot Search and Destroy by going to Start -> All Programs -> Spybot Search and Destroy -> Spybot Search and Destroy.
  • If prompted with a legal dialog, accept the warning.
  • Click Posted Image and then on "Advanced Mode"
    Posted Image
  • You may be presented with a warning dialog. If so, press Posted Image
  • Click on Posted Image
  • Click on Posted Image
  • Uncheck this checkbox:
    Posted Image
  • Close/Exit Spybot Search and Destroy
2
Install Recovery Console and Run ComboFix

Download Combofix from any of the links below, and save it to your desktop.

Link 1
Link 2
Link 3
  • Close/disable all anti-virus and anti-malware programs so they do not interfere with the running of ComboFix. Refer to this page if you are not sure how.
  • Close any open windows, including this one.
  • Double click on ComboFix.exe & follow the prompts.
  • As part of it's process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.
  • If you did not have it installed, you will see the prompt below. Choose YES.
  • Posted Image
  • Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.
**Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue it's malware removal procedures.

Note:The Windows Recovery Console will allow you to boot up into a special recovery (repair) mode. This allows us to more easily help you
should your computer have a problem after an attempted removal of malware. It is a simple procedure that will only take a few moments of your time.
  • Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:

    Posted Image
  • Click on Yes, to continue scanning for malware.
  • When finished, it will produce a report for you. Please post the contents of the log (C:\ComboFix.txt).
Leave your computer alone while ComboFix is running.
ComboFix will restart your computer if malware is found; allow it to do so.


Note: Please Do NOT mouseclick combofix's window while its running because it may cause it to stall.


Things to include in your next reply:
  • Combofix.txt
  • A New HiJackThis report not a DDS log
  • How is your computer running now?

" Extinguishing Malware from the world"

The Virus, Trojan, Spyware, and Malware Removal forum is very busy. If I'm helping you and I've not posted back within 24 hrs., send a PM with your topic link. Thank you.

ALL OTHER HELP REQUESTS VIA THE PM SYSTEM WILL BE IGNORED. The Forums are there for a reason!
Thanks-


  userbar_eis_500.gif

If I have helped you, consider making a donation to help me continue the fight against Malware! Just click btn_donate_LG.gif


#6 ArmyNGWife

ArmyNGWife
  • Topic Starter

  • Members
  • 15 posts
  • OFFLINE
  •  
  • Local time:11:11 PM

Posted 31 March 2009 - 01:41 PM

I ran ComboFix as instructed. I don't seem to be getting any popups now. I even did another Google search for jobs and opened a bunch of sites I had gone to before and I never got any popups!!

However, when ComboFix restarted my computer, those same errors popped up about those DLLs, and again I wasn't able to write them down...

Thanks for all the help!!
Sandy


Here are my logs:

ComboFix Log:

ComboFix 09-03-30.04 - Sandy 2009-03-31 13:09:26.1 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.2550.1833 [GMT -5:00]
Running from: c:\documents and settings\Sandy\Desktop\ComboFix.exe
AV: Symantec AntiVirus Corporate Edition *On-access scanning disabled* (Updated)
* Created a new restore point
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\documents and settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr0.dat
c:\documents and settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr1.dat
c:\windows\system32\beyerite.dll
c:\windows\system32\biwitivo.dll
c:\windows\system32\butazaji.dll
c:\windows\system32\cjivzn.dll
c:\windows\system32\config\systemprofile\Application Data\Macromedia\Common
c:\windows\system32\config\systemprofile\Application Data\Macromedia\Common\40dfc00c1.dll
c:\windows\system32\faboyobo.dll
c:\windows\system32\fomegozu.dll
c:\windows\system32\jipowoza.dll
c:\windows\system32\jiweyiyi.dll
c:\windows\system32\jomuhivo.dll
c:\windows\system32\kajazevi.dll
c:\windows\system32\keloresu.dll
c:\windows\system32\kerebuna.dll
c:\windows\system32\logikema.dll
c:\windows\system32\mdzhwn.dll
c:\windows\system32\mndcwo.dll
c:\windows\system32\pusupuro.dll
c:\windows\system32\rilegopi.dll
c:\windows\system32\rkvtxp.dll
c:\windows\system32\sekelumo.dll
c:\windows\system32\swojvb.dll
c:\windows\system32\timijapu.dll
c:\windows\system32\ufawiyen.ini2
c:\windows\system32\ufawiyen.tmp
c:\windows\system32\veyigafa.dll
c:\windows\system32\wapizime.dll
c:\windows\system32\wohozedo.dll
c:\windows\system32\wwnfef.dll
c:\windows\system32\xgozfg.dll
c:\windows\system32\zogezali.dll
J:\Autorun.inf

----- BITS: Possible infected sites -----

hxxp://www.qmessenger.com
.
((((((((((((((((((((((((( Files Created from 2009-02-28 to 2009-03-31 )))))))))))))))))))))))))))))))
.

2009-03-29 22:16 . 2009-03-29 22:16 54,156 --ah----- c:\windows\QTFont.qfn
2009-03-29 22:16 . 2009-03-29 22:16 1,409 --a------ c:\windows\QTFont.for
2009-03-25 15:39 . 2009-03-25 15:50 <DIR> d-------- c:\windows\KBGear
2009-03-25 15:39 . 2000-12-15 01:21 173,568 --a------ c:\windows\system32\kbjam.cpl
2009-03-25 15:39 . 2000-12-15 01:21 110,592 --a------ c:\windows\system32\wintab32.exe
2009-03-25 15:39 . 2000-12-15 01:21 65,536 --a------ c:\windows\system32\wintab32.dll
2009-03-25 15:39 . 2000-12-15 01:21 28,992 --a------ c:\windows\system32\wintab.dll
2009-03-25 15:39 . 2000-12-15 01:21 23,552 --a------ c:\windows\system32\drivers\w2kbhid.sys
2009-03-25 15:39 . 2000-12-15 01:21 13,824 --a------ c:\windows\system32\drivers\wtcls2k.sys
2009-03-25 15:39 . 2009-03-25 15:50 816 --a------ c:\windows\WINTAB.INI
2009-03-25 15:37 . 2008-04-13 13:45 10,368 --a------ c:\windows\system32\drivers\hidusb.sys
2009-03-25 15:37 . 2008-04-13 13:45 10,368 --a--c--- c:\windows\system32\dllcache\hidusb.sys
2009-03-03 12:55 . 2009-03-03 13:06 <DIR> d-------- c:\program files\Common Files\PC Tools
2009-03-03 12:55 . 2009-03-03 13:05 <DIR> d-a------ c:\documents and settings\All Users\Application Data\TEMP
2009-03-03 12:54 . 2009-03-03 13:06 <DIR> d-------- c:\program files\Spyware Doctor
2009-03-02 16:27 . 2009-03-27 11:22 326 --a------ c:\windows\wininit.ini
2009-03-02 14:30 . 2009-03-27 09:28 <DIR> d-------- c:\program files\Spybot - Search & Destroy
2009-03-02 14:30 . 2009-03-03 12:54 <DIR> d-------- c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
2009-03-01 12:07 . 2009-03-01 12:07 <DIR> d-------- c:\documents and settings\Sandy\Application Data\Alien Skin
2009-02-11 15:38 . 2009-02-11 15:38 <DIR> d-------- c:\program files\Maxis
2009-02-11 15:37 . 2009-02-11 15:37 <DIR> d-------- c:\documents and settings\Sandy\Application Data\DAEMON Tools Pro
2009-02-11 15:37 . 2009-02-11 15:37 <DIR> d-------- c:\documents and settings\Sandy\Application Data\DAEMON Tools
2009-02-11 15:36 . 2009-02-11 15:36 <DIR> d-------- c:\program files\DAEMON Tools Toolbar
2009-02-11 15:36 . 2009-02-11 15:36 <DIR> d-------- c:\program files\DAEMON Tools Lite
2009-02-11 15:36 . 2009-02-11 15:36 <DIR> d-------- c:\documents and settings\All Users\Application Data\DAEMON Tools Lite
2009-02-11 15:31 . 2009-02-11 15:38 <DIR> d-------- c:\documents and settings\Sandy\Application Data\DAEMON Tools Lite
2009-02-11 15:31 . 2009-02-11 15:31 717,296 --a------ c:\windows\system32\drivers\sptd.sys
2009-02-10 23:33 . 2009-02-10 23:33 <DIR> d-------- c:\program files\ZyXEL
2009-02-10 23:33 . 2004-03-19 17:43 1,155,163 --a------ c:\windows\system32\odSupp_M.dll
2009-02-10 23:33 . 2003-10-29 19:55 86,016 --a------ c:\windows\system32\ZDN50.dll
2009-02-10 23:33 . 2004-01-14 12:25 81,920 --a------ c:\windows\system32\ZDPN50.dll
2009-02-10 23:33 . 2003-09-01 14:34 61,440 --a------ c:\windows\system32\ZDTRLib.DLL
2009-02-10 23:33 . 2004-07-01 18:37 57,344 --a------ c:\windows\system32\ZD12APP.dll
2009-02-10 23:33 . 2005-01-19 15:39 45,056 --a------ c:\windows\system32\ZDWlan.dll
2009-02-10 23:33 . 2003-08-13 13:28 40,960 --a------ c:\windows\system32\PassAPP.dll
2009-02-10 23:33 . 2005-04-11 13:27 36,867 --a------ c:\windows\system32\ZySecurity.dll
2009-02-10 23:33 . 2004-03-23 17:38 28,672 --a------ c:\windows\system32\InsDrvZD.dll
2009-02-10 23:33 . 2003-03-14 13:24 24,576 --a------ c:\windows\system32\ZyDelReg.exe
2009-02-10 23:33 . 2004-01-14 12:30 17,151 --a------ c:\windows\system32\ZDPNDIS5.sys
2009-02-10 23:33 . 2003-10-29 20:01 15,872 --a------ c:\windows\system32\ZDNDIS5.sys

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-03-31 18:13 --------- d-----w c:\program files\Symantec AntiVirus
2009-03-31 18:01 --------- d-----w c:\documents and settings\Sandy\Application Data\FileZilla
2009-03-25 14:42 --------- d-----w c:\program files\Common Files\Adobe
2009-03-19 01:36 --------- d-----w c:\documents and settings\Sandy\Application Data\uTorrent
2009-03-03 18:07 --------- d-----w c:\program files\NCH Swift Sound
2009-03-03 18:04 --------- d-----w c:\program files\MediaCoder
2009-02-11 04:33 --------- d--h--w c:\program files\InstallShield Installation Information
2008-09-21 14:59 256 ----a-w c:\documents and settings\Sandy\pool.bin
2007-10-22 22:17 774,144 ----a-w c:\program files\RngInterstitial.dll
2008-10-12 00:24 32,768 --sha-w c:\windows\system32\config\systemprofile\Local Settings\History\History.IE5\MSHist012008101120081012\index.dat
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\1TortoiseNormal]
@="{C5994560-53D9-4125-87C9-F193FC689CB2}"
[HKEY_CLASSES_ROOT\CLSID\{C5994560-53D9-4125-87C9-F193FC689CB2}]
2008-01-16 17:52 80384 --a------ c:\program files\Common Files\TortoiseOverlays\TortoiseOverlays.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\2TortoiseModified]
@="{C5994561-53D9-4125-87C9-F193FC689CB2}"
[HKEY_CLASSES_ROOT\CLSID\{C5994561-53D9-4125-87C9-F193FC689CB2}]
2008-01-16 17:52 80384 --a------ c:\program files\Common Files\TortoiseOverlays\TortoiseOverlays.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\3TortoiseConflict]
@="{C5994562-53D9-4125-87C9-F193FC689CB2}"
[HKEY_CLASSES_ROOT\CLSID\{C5994562-53D9-4125-87C9-F193FC689CB2}]
2008-01-16 17:52 80384 --a------ c:\program files\Common Files\TortoiseOverlays\TortoiseOverlays.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\4TortoiseLocked]
@="{C5994563-53D9-4125-87C9-F193FC689CB2}"
[HKEY_CLASSES_ROOT\CLSID\{C5994563-53D9-4125-87C9-F193FC689CB2}]
2008-01-16 17:52 80384 --a------ c:\program files\Common Files\TortoiseOverlays\TortoiseOverlays.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\5TortoiseReadOnly]
@="{C5994564-53D9-4125-87C9-F193FC689CB2}"
[HKEY_CLASSES_ROOT\CLSID\{C5994564-53D9-4125-87C9-F193FC689CB2}]
2008-01-16 17:52 80384 --a------ c:\program files\Common Files\TortoiseOverlays\TortoiseOverlays.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\6TortoiseDeleted]
@="{C5994565-53D9-4125-87C9-F193FC689CB2}"
[HKEY_CLASSES_ROOT\CLSID\{C5994565-53D9-4125-87C9-F193FC689CB2}]
2008-01-16 17:52 80384 --a------ c:\program files\Common Files\TortoiseOverlays\TortoiseOverlays.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\7TortoiseAdded]
@="{C5994566-53D9-4125-87C9-F193FC689CB2}"
[HKEY_CLASSES_ROOT\CLSID\{C5994566-53D9-4125-87C9-F193FC689CB2}]
2008-01-16 17:52 80384 --a------ c:\program files\Common Files\TortoiseOverlays\TortoiseOverlays.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\8TortoiseIgnored]
@="{C5994567-53D9-4125-87C9-F193FC689CB2}"
[HKEY_CLASSES_ROOT\CLSID\{C5994567-53D9-4125-87C9-F193FC689CB2}]
2008-01-16 17:52 80384 --a------ c:\program files\Common Files\TortoiseOverlays\TortoiseOverlays.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\9TortoiseUnversioned]
@="{C5994568-53D9-4125-87C9-F193FC689CB2}"
[HKEY_CLASSES_ROOT\CLSID\{C5994568-53D9-4125-87C9-F193FC689CB2}]
2008-01-16 17:52 80384 --a------ c:\program files\Common Files\TortoiseOverlays\TortoiseOverlays.dll

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-13 15360]
"Aim6"="c:\program files\AIM6\aim6.exe" [2008-10-31 50480]
"H/PC Connection Agent"="c:\program files\Microsoft ActiveSync\wcescomm.exe" [2006-11-13 1289000]
"Yahoo! Pager"="c:\program files\Yahoo!\Messenger\YahooMessenger.exe" [2007-08-30 4670704]
"LogitechSoftwareUpdate"="c:\program files\Logitech\Video\ManifestEngine.exe" [2005-06-08 196608]
"DAEMON Tools Lite"="c:\program files\DAEMON Tools Lite\daemon.exe" [2008-12-29 687560]
"rundll32.exe"="c:\documents and settings\Sandy\Application Data\Macromedia\Common\40dfc00c1.dll" [2009-03-06 4]
"AdobeUpdater"="c:\program files\Common Files\Adobe\Updater5\AdobeUpdater.exe" [2009-01-13 2356088]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ccApp"="c:\program files\Common Files\Symantec Shared\ccApp.exe" [2006-07-19 52896]
"vptray"="c:\progra~1\SYMANT~1\VPTray.exe" [2006-09-27 125168]
"IgfxTray"="c:\windows\system32\igfxtray.exe" [2007-01-13 131072]
"HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2007-01-13 163840]
"Persistence"="c:\windows\system32\igfxpers.exe" [2007-01-13 135168]
"Recguard"="c:\windows\SMINST\RECGUARD.EXE" [2002-09-13 212992]
"Reminder"="c:\windows\Creator\Remind_XP.exe" [2005-02-25 966656]
"RemoteControl"="c:\program files\CyberLink\PowerDVD\PDVDServ.exe" [2004-11-02 32768]
"NeroFilterCheck"="c:\windows\system32\NeroCheck.exe" [2001-07-09 155648]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2007-06-29 286720]
"SunJavaUpdateSched"="c:\program files\Java\jre1.6.0_05\bin\jusched.exe" [2008-02-22 144784]
"EPSON Stylus Photo R200 Series"="c:\windows\System32\spool\DRIVERS\W32X86\3\E_S4I2H1.EXE" [2003-07-08 99840]
"Auto EPSON Stylus Photo R200 Series on BRIAN"="c:\windows\System32\spool\DRIVERS\W32X86\3\E_S4I2H1.EXE" [2003-07-08 99840]
"LVCOMSX"="c:\windows\system32\LVCOMSX.EXE" [2005-07-19 221184]
"LogitechVideoRepair"="c:\program files\Logitech\Video\ISStart.exe" [2005-06-08 458752]
"LogitechVideoTray"="c:\program files\Logitech\Video\LogiTray.exe" [2005-06-08 217088]
"\QMSGR-BRIAN\EPSON Stylus Photo R200 Series"="c:\windows\System32\spool\DRIVERS\W32X86\3\E_S4I2H1.EXE" [2003-07-08 99840]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2008-10-15 39792]
"High Definition Audio Property Page Shortcut"="HDAShCut.exe" [2005-01-07 c:\windows\system32\HdAShCut.exe]
"SoundMan"="SOUNDMAN.EXE" [2005-05-03 c:\windows\SOUNDMAN.EXE]
"AlcWzrd"="ALCWZRD.EXE" [2005-05-04 c:\windows\ALCWZRD.EXE]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
ZyXEL G-200 Utility.lnk - c:\program files\ZyXEL\G-200v2\G-200.exe [2009-02-10 1605632]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"wave1"= c:\docume~1\Sandy\APPLIC~1\MACROM~1\Common\40dfc00c1.dll
"midi1"= c:\docume~1\Sandy\APPLIC~1\MACROM~1\Common\40dfc00c1.dll
"mixer1"= c:\docume~1\Sandy\APPLIC~1\MACROM~1\Common\40dfc00c1.dll
"aux1"= c:\docume~1\Sandy\APPLIC~1\MACROM~1\Common\40dfc00c1.dll
"wave2"= c:\docume~1\Sandy\APPLIC~1\MACROM~1\Common\40dfc00c1.dll
"midi2"= c:\docume~1\Sandy\APPLIC~1\MACROM~1\Common\40dfc00c1.dll
"mixer2"= c:\docume~1\Sandy\APPLIC~1\MACROM~1\Common\40dfc00c1.dll
"aux2"= c:\docume~1\Sandy\APPLIC~1\MACROM~1\Common\40dfc00c1.dll
"vidc.ffds"= c:\progra~1\COMBIN~1\Filters\FFDShow\ff_vfw.dll

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"UpdatesDisableNotify"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\WINDOWS\\system32\\spool\\drivers\\w32x86\\3\\SAGENT4.EXE"=
"c:\\Documents and Settings\\Sandy\\Desktop\\utorrent.exe"=
"c:\\Program Files\\Common Files\\AOL\\Loader\\aolload.exe"=
"c:\\Program Files\\AIM6\\aim6.exe"=
"c:\\Program Files\\mIRC\\mirc.exe"=
"c:\\Program Files\\Zend\\ZendStudio-5.5.0\\jre\\bin\\javaw.exe"=
"c:\program files\Microsoft ActiveSync\rapimgr.exe"= c:\program files\Microsoft ActiveSync\rapimgr.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync RAPI Manager
"c:\program files\Microsoft ActiveSync\wcescomm.exe"= c:\program files\Microsoft ActiveSync\wcescomm.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync Connection Manager
"c:\program files\Microsoft ActiveSync\WCESMgr.exe"= c:\program files\Microsoft ActiveSync\WCESMgr.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync Application
"c:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe"=
"c:\\Program Files\\Yahoo!\\Messenger\\YServer.exe"=
"c:\\Program Files\\FileZilla FTP Client\\filezilla.exe"=
"d:\\Camfrog Video Chat\\Camfrog Video Chat.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\SightSpeed\\SightSpeed.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"26675:TCP"= 26675:TCP:169.254.2.0/255.255.255.0:Enabled:ActiveSync Service

R2 Viewpoint Manager Service;Viewpoint Manager Service;c:\program files\Viewpoint\Common\ViewpointService.exe [2007-10-29 24652]
R3 EraserUtilRebootDrv;EraserUtilRebootDrv;c:\program files\Common Files\Symantec Shared\EENGINE\EraserUtilRebootDrv.sys [2009-02-27 101936]
S3 SavRoam;SAVRoam;c:\program files\Symantec AntiVirus\SavRoam.exe [2006-09-27 116464]
S3 W2kbhid;KBGear Tablet (USB);c:\windows\system32\drivers\w2kbhid.sys [2009-03-25 23552]
S3 Wtcls2k;Wtcls2k;c:\windows\system32\drivers\wtcls2k.sys [2009-03-25 13824]
S3 ZD1211U(ZyXEL);ZyXEL G-200v2 802.11b/g Wireless USB Adapter(ZyXEL);c:\windows\system32\DRIVERS\zd1211u.sys --> c:\windows\system32\DRIVERS\zd1211u.sys [?]
.
- - - - ORPHANS REMOVED - - - -

HKLM-Run-Adobe Photo Downloader - c:\program files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe
HKLM-Run-QMessenger - c:\program files\Q Messenger\QMessenger.exe
HKLM-Run-tamepohupe - c:\windows\system32\vuzofafu.dll
HKLM-Run-Mxilogeh - c:\windows\Inaseyuva.dll


.
------- Supplementary Scan -------
.
uStart Page = about:blank
uInternet Settings,ProxyOverride = *.local
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
IE: Zend Studio - Debug current page - c:\program files\Zend\ZendStudio-5.5.0\bin\ZendIEToolbar.dll/DebugCurrent.html
IE: Zend Studio - Debug next page - c:\program files\Zend\ZendStudio-5.5.0\bin\ZendIEToolbar.dll/DebugNext.html
FF - ProfilePath - c:\documents and settings\Sandy\Application Data\Mozilla\Firefox\Profiles\py1jcv9w.default\
FF - prefs.js: browser.search.defaulturl - hxxp://slirsredirect.search.aol.com/slirs_http/sredir?sredir=2706&invocationType=tb50fftrie7&query=
FF - prefs.js: browser.search.selectedEngine - Google
FF - prefs.js: keyword.URL - hxxp://slirsredirect.search.aol.com/slirs_http/sredir?sredir=2706&invocationType=tb50fftrab&query=
FF - component: c:\program files\DAEMON Tools Toolbar\FirefoxDTT\components\DTToolbarFF.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npCouponPrinter.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npgcplug.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npracplug.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npViewpoint.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npViewpoint_.dll
FF - plugin: c:\program files\Real\RealArcade\Plugins\Mozilla\npracplug.dll
FF - plugin: c:\program files\Viewpoint\Viewpoint Experience Technology\npViewpoint.dll
.

**************************************************************************

catchme 0.3.1375 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-03-31 13:13:42
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
------------------------ Other Running Processes ------------------------
.
c:\program files\Common Files\Symantec Shared\ccSetMgr.exe
c:\program files\Common Files\Symantec Shared\ccEvtMgr.exe
c:\program files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
c:\program files\TortoiseSVN\bin\TSVNCache.exe
c:\windows\system32\wintab32.exe
c:\program files\Bonjour\mDNSResponder.exe
c:\program files\Symantec AntiVirus\DefWatch.exe
c:\program files\Common Files\New Boundary\PrismXL\PRISMXL.SYS
c:\program files\Symantec AntiVirus\Rtvscan.exe
c:\progra~1\MICROS~3\rapimgr.exe
c:\windows\system32\wscntfy.exe
c:\program files\Logitech\Video\FxSvr2.exe
c:\program files\Viewpoint\Viewpoint Manager\ViewMgr.exe
c:\program files\Java\jre1.6.0_05\bin\jucheck.exe
.
**************************************************************************
.
Completion time: 2009-03-31 13:18:52 - machine was rebooted
ComboFix-quarantined-files.txt 2009-03-31 18:18:48

Pre-Run: 5,534,826,496 bytes free
Post-Run: 5,548,834,816 bytes free

WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Professional" /fastdetect /NoExecute=OptIn

283 --- E O F --- 2009-02-26 09:00:49



HiJackThis Log:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 1:39:27 PM, on 3/31/2009
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16791)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\TortoiseSVN\bin\TSVNCache.exe
C:\WINDOWS\system32\Wintab32.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\PROGRA~1\SYMANT~1\VPTray.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\WINDOWS\ALCWZRD.EXE
C:\WINDOWS\system32\igfxtray.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\WINDOWS\system32\hkcmd.exe
C:\Program Files\Symantec AntiVirus\DefWatch.exe
C:\Program Files\Common Files\New Boundary\PrismXL\PRISMXL.SYS
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\igfxpers.exe
C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe
C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe
C:\Program Files\Symantec AntiVirus\Rtvscan.exe
C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S4I2H1.EXE
C:\WINDOWS\system32\LVCOMSX.EXE
C:\Program Files\Logitech\Video\LogiTray.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Microsoft ActiveSync\wcescomm.exe
C:\Program Files\Viewpoint\Common\ViewpointService.exe
C:\PROGRA~1\MICROS~3\rapimgr.exe
C:\Program Files\Logitech\Video\FxSvr2.exe
C:\Program Files\DAEMON Tools Lite\daemon.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\ZyXEL\G-200v2\G-200.exe
C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
C:\Program Files\Java\jre1.6.0_05\bin\jucheck.exe
C:\WINDOWS\explorer.exe
C:\WINDOWS\system32\notepad.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\AIM6\aim6.exe
C:\Program Files\AIM6\aolsoftware.exe
C:\Documents and Settings\Sandy\Desktop\HJT\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O3 - Toolbar: Zend Studio - {95188727-288F-4581-A48D-EAB3BD027314} - C:\PROGRA~1\Zend\ZENDST~1.0\bin\ZENDIE~1.DLL
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\VPTray.exe
O4 - HKLM\..\Run: [High Definition Audio Property Page Shortcut] HDAShCut.exe
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [AlcWzrd] ALCWZRD.EXE
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [Persistence] C:\WINDOWS\system32\igfxpers.exe
O4 - HKLM\..\Run: [Recguard] %WINDIR%\SMINST\RECGUARD.EXE
O4 - HKLM\..\Run: [Reminder] %WINDIR%\Creator\Remind_XP.exe
O4 - HKLM\..\Run: [RemoteControl] "C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe"
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe"
O4 - HKLM\..\Run: [EPSON Stylus Photo R200 Series] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S4I2H1.EXE /P30 "EPSON Stylus Photo R200 Series" /O6 "USB001" /M "Stylus Photo R200"
O4 - HKLM\..\Run: [Auto EPSON Stylus Photo R200 Series on BRIAN] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S4I2H1.EXE /P44 "Auto EPSON Stylus Photo R200 Series on BRIAN" /O13 "\\BRIAN\EPSON" /M "Stylus Photo R200"
O4 - HKLM\..\Run: [LVCOMSX] C:\WINDOWS\system32\LVCOMSX.EXE
O4 - HKLM\..\Run: [LogitechVideoRepair] C:\Program Files\Logitech\Video\ISStart.exe
O4 - HKLM\..\Run: [LogitechVideoTray] C:\Program Files\Logitech\Video\LogiTray.exe
O4 - HKLM\..\Run: [\QMSGR-BRIAN\EPSON Stylus Photo R200 Series] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S4I2H1.EXE /P44 "\\QMSGR-BRIAN\EPSON Stylus Photo R200 Series" /O6 "USB001" /M "Stylus Photo R200"
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [Aim6] "C:\Program Files\AIM6\aim6.exe" /d locale=en-US ee://aol/imApp
O4 - HKCU\..\Run: [H/PC Connection Agent] "C:\Program Files\Microsoft ActiveSync\wcescomm.exe"
O4 - HKCU\..\Run: [Yahoo! Pager] "C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe" -quiet
O4 - HKCU\..\Run: [LogitechSoftwareUpdate] "C:\Program Files\Logitech\Video\ManifestEngine.exe" boot
O4 - HKCU\..\Run: [DAEMON Tools Lite] "C:\Program Files\DAEMON Tools Lite\daemon.exe" -autorun
O4 - HKCU\..\Run: [rundll32.exe] rundll32.exe "C:\Documents and Settings\Sandy\Application Data\Macromedia\Common\40dfc00c1.dll""
O4 - HKCU\..\Run: [AdobeUpdater] "C:\Program Files\Common Files\Adobe\Updater5\AdobeUpdater.exe"
O4 - Global Startup: ZyXEL G-200 Utility.lnk = ?
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Zend Studio - Debug current page - res://C:\Program Files\Zend\ZendStudio-5.5.0\bin\ZendIEToolbar.dll/DebugCurrent.html
O8 - Extra context menu item: Zend Studio - Debug next page - res://C:\Program Files\Zend\ZendStudio-5.5.0\bin\ZendIEToolbar.dll/DebugNext.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra button: Create Mobile Favorite - {2EAF5BB1-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MICROS~3\INetRepl.dll
O9 - Extra button: (no name) - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MICROS~3\INetRepl.dll
O9 - Extra 'Tools' menuitem: Create Mobile Favorite... - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MICROS~3\INetRepl.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Zend Studio Toolbar - {A26ABCF0-1C8F-46e7-A67C-0489DC21B9CC} - C:\PROGRA~1\Zend\ZENDST~1.0\bin\ZENDIE~1.DLL
O9 - Extra 'Tools' menuitem: Zend Studio - {A26ABCF0-1C8F-46e7-A67C-0489DC21B9CC} - C:\PROGRA~1\Zend\ZENDST~1.0\bin\ZENDIE~1.DLL
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/...b?1179726536781
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdat...b?1179729706484
O23 - Service: ##Id_String1.6844F930_1628_4223_B5CC_5BB94B879762## (Bonjour Service) - Apple Computer, Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: Symantec AntiVirus Definition Watcher (DefWatch) - Symantec Corporation - C:\Program Files\Symantec AntiVirus\DefWatch.exe
O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
O23 - Service: PrismXL - New Boundary Technologies, Inc. - C:\Program Files\Common Files\New Boundary\PrismXL\PRISMXL.SYS
O23 - Service: LiveShare P2P Server 9 (RoxLiveShare9) - Unknown owner - C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxLiveShare9.exe (file missing)
O23 - Service: SAVRoam (SavRoam) - symantec - C:\Program Files\Symantec AntiVirus\SavRoam.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
O23 - Service: Symantec AntiVirus - Symantec Corporation - C:\Program Files\Symantec AntiVirus\Rtvscan.exe
O23 - Service: Viewpoint Manager Service - Viewpoint Corporation - C:\Program Files\Viewpoint\Common\ViewpointService.exe
O23 - Service: Wintab32 - Unknown owner - C:\WINDOWS\system32\Wintab32.exe

--
End of file - 10435 bytes

#7 fireman4it

fireman4it

    Bleepin' Fireman


  • Malware Response Team
  • 13,505 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Greenup, Ill USA
  • Local time:12:11 AM

Posted 31 March 2009 - 08:36 PM

Hello ArmyNGWife,

Please download gmer.zip and save to your desktop.
  • Extract (unzip) the file to its own folder such as C:\Gmer. (Click here for information on how to do this if not sure.)
  • Disconnect from the Internet and close all running programs.
  • Temporarily disable any real-time active protection so your security program drivers will not conflict with gmer's driver.
  • Click on this link to see a list of programs that should be disabled.
  • Double-click on gmer.exe to start the program.
  • Allow the gmer.sys driver to load if asked.
  • You may be prompted to scan immediately if GMER detects rootkit activity.
  • If you are prompted to scan your system click "Yes" to begin the scan.
  • If not prompted, click the "Rootkit/Malware" tab.
  • On the right-side, all items to be scanned should be checked by default except for "Show All". Leave that box unchecked.
  • Select all drives that are connected to your system to be scanned.
  • Click the Scan button to begin. (Please be patient as it can take some time to complete)
  • When the scan is finished, click Save to save the scan results to your Desktop.
  • Save the file as gmer.log and copy/paste the contents in your next reply.
  • Exit GMER and re-enable all active protection when done.

" Extinguishing Malware from the world"

The Virus, Trojan, Spyware, and Malware Removal forum is very busy. If I'm helping you and I've not posted back within 24 hrs., send a PM with your topic link. Thank you.

ALL OTHER HELP REQUESTS VIA THE PM SYSTEM WILL BE IGNORED. The Forums are there for a reason!
Thanks-


  userbar_eis_500.gif

If I have helped you, consider making a donation to help me continue the fight against Malware! Just click btn_donate_LG.gif


#8 fireman4it

fireman4it

    Bleepin' Fireman


  • Malware Response Team
  • 13,505 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Greenup, Ill USA
  • Local time:12:11 AM

Posted 02 April 2009 - 08:22 AM

Hello.

Are you still there?

If you are please follow the instructions in my previous post.

If you still need help, follow the instructions I have given in my response. If you have since had your problem solved, we would appreciate you letting us know so we can close the topic.

Please reply back telling us so. If you don't reply within 5-7 days the topic will need to be closed.

Thanks for understanding :thumbup2:

With Regards,
fireman4it

" Extinguishing Malware from the world"

The Virus, Trojan, Spyware, and Malware Removal forum is very busy. If I'm helping you and I've not posted back within 24 hrs., send a PM with your topic link. Thank you.

ALL OTHER HELP REQUESTS VIA THE PM SYSTEM WILL BE IGNORED. The Forums are there for a reason!
Thanks-


  userbar_eis_500.gif

If I have helped you, consider making a donation to help me continue the fight against Malware! Just click btn_donate_LG.gif


#9 ArmyNGWife

ArmyNGWife
  • Topic Starter

  • Members
  • 15 posts
  • OFFLINE
  •  
  • Local time:11:11 PM

Posted 02 April 2009 - 01:25 PM

Sorry for the delay in response. I'm a Web programmer & work from home, so cutting my computer off the Internet and not being able to use it for a while is hard!

Here is my gmer log:

GMER 1.0.15.14966 - http://www.gmer.net
Rootkit scan 2009-04-02 13:16:48
Windows 5.1.2600 Service Pack 3


---- System - GMER 1.0.15 ----

SSDT 8A655AD8 ZwAlertResumeThread
SSDT 8A655FD0 ZwAlertThread
SSDT 8A627738 ZwAllocateVirtualMemory
SSDT 8A6EB5B0 ZwConnectPort
SSDT spbp.sys ZwCreateKey [0xB9EA80E0]
SSDT 8A655620 ZwCreateMutant
SSDT 8A628738 ZwCreateThread
SSDT \??\C:\Program Files\Symantec\SYMEVENT.SYS (Symantec Event Library/Symantec Corporation) ZwDeleteValueKey [0xA85A9350]
SSDT spbp.sys ZwEnumerateKey [0xB9EC6CA2]
SSDT spbp.sys ZwEnumerateValueKey [0xB9EC7030]
SSDT 8A65E2A0 ZwFreeVirtualMemory
SSDT 8A6557B8 ZwImpersonateAnonymousToken
SSDT 8A655950 ZwImpersonateThread
SSDT 8A627228 ZwMapViewOfSection
SSDT 8A6554A8 ZwOpenEvent
SSDT spbp.sys ZwOpenKey [0xB9EA80C0]
SSDT 8A65E2D8 ZwOpenProcessToken
SSDT 8A66D110 ZwOpenThreadToken
SSDT spbp.sys ZwQueryKey [0xB9EC7108]
SSDT 8A72DCA8 ZwQueryValueKey
SSDT 8A6650D8 ZwResumeThread
SSDT 8A66D0D8 ZwSetContextThread
SSDT 8A699C58 ZwSetInformationProcess
SSDT 8A65AD50 ZwSetInformationThread
SSDT \??\C:\Program Files\Symantec\SYMEVENT.SYS (Symantec Event Library/Symantec Corporation) ZwSetValueKey [0xA85A9580]
SSDT 8A655328 ZwSuspendProcess
SSDT 8A65AA60 ZwSuspendThread
SSDT 8A7110D8 ZwTerminateProcess
SSDT 8A65ABD8 ZwTerminateThread
SSDT 8A699C90 ZwUnmapViewOfSection
SSDT 8A67ACD0 ZwWriteVirtualMemory

INT 0x62 ? 8A92CBF8
INT 0x63 ? 8A6DABF8
INT 0x73 ? 8A6DABF8
INT 0xA4 ? 8A6DABF8
INT 0xB4 ? 8A92CBF8
INT 0xB4 ? 8A92CBF8
INT 0xB4 ? 8A6DABF8
INT 0xB4 ? 8A92CBF8

---- Kernel code sections - GMER 1.0.15 ----

? spbp.sys The system cannot find the file specified. !
.text USBPORT.SYS!DllUnload B916F8AC 5 Bytes JMP 8A6DA1D8
.text abw9h7hs.SYS B90C4386 35 Bytes [00, 00, 00, 00, 00, 00, 20, ...]
.text abw9h7hs.SYS B90C43AA 24 Bytes [00, 00, 00, 00, 00, 00, 00, ...]
.text abw9h7hs.SYS B90C43C4 3 Bytes [00, 70, 02] {ADD [EAX+0x2], DH}
.text abw9h7hs.SYS B90C43C9 1 Byte [2E]
.text abw9h7hs.SYS B90C43C9 11 Bytes [2E, 00, 00, 00, 5C, 02, 00, ...] {ADD CS:[EAX], AL; ADD [EDX+EAX+0x0], BL; ADD [EAX], AL; ADD [EAX], AL}
.text ...

---- Kernel IAT/EAT - GMER 1.0.15 ----

IAT atapi.sys[HAL.dll!READ_PORT_UCHAR] [B9EA9040] spbp.sys
IAT atapi.sys[HAL.dll!READ_PORT_BUFFER_USHORT] [B9EA913C] spbp.sys
IAT atapi.sys[HAL.dll!READ_PORT_USHORT] [B9EA90BE] spbp.sys
IAT atapi.sys[HAL.dll!WRITE_PORT_BUFFER_USHORT] [B9EA97FC] spbp.sys
IAT atapi.sys[HAL.dll!WRITE_PORT_UCHAR] [B9EA96D2] spbp.sys
IAT \SystemRoot\System32\DRIVERS\i8042prt.sys[HAL.dll!READ_PORT_UCHAR] [B9EB9048] spbp.sys
IAT \SystemRoot\System32\Drivers\abw9h7hs.SYS[HAL.dll!KfAcquireSpinLock] 4B8BDF8B
IAT \SystemRoot\System32\Drivers\abw9h7hs.SYS[HAL.dll!READ_PORT_UCHAR] 8D3F0304
IAT \SystemRoot\System32\Drivers\abw9h7hs.SYS[HAL.dll!KeGetCurrentIrql] CB033043
IAT \SystemRoot\System32\Drivers\abw9h7hs.SYS[HAL.dll!KfRaiseIrql] 0673C13B
IAT \SystemRoot\System32\Drivers\abw9h7hs.SYS[HAL.dll!KfLowerIrql] C13B0003
IAT \SystemRoot\System32\Drivers\abw9h7hs.SYS[HAL.dll!HalGetInterruptVector] 8366FA72
IAT \SystemRoot\System32\Drivers\abw9h7hs.SYS[HAL.dll!HalTranslateBusAddress] 75000E7B
IAT \SystemRoot\System32\Drivers\abw9h7hs.SYS[HAL.dll!KeStallExecutionProcessor] 0B7D80E3
IAT \SystemRoot\System32\Drivers\abw9h7hs.SYS[HAL.dll!KfReleaseSpinLock] 307B8D00
IAT \SystemRoot\System32\Drivers\abw9h7hs.SYS[HAL.dll!READ_PORT_BUFFER_USHORT] 00AA840F
IAT \SystemRoot\System32\Drivers\abw9h7hs.SYS[HAL.dll!READ_PORT_USHORT] 83660000
IAT \SystemRoot\System32\Drivers\abw9h7hs.SYS[HAL.dll!WRITE_PORT_BUFFER_USHORT] 6A000E7A
IAT \SystemRoot\System32\Drivers\abw9h7hs.SYS[HAL.dll!WRITE_PORT_UCHAR] C6647400
IAT \SystemRoot\System32\Drivers\abw9h7hs.SYS[WMILIB.SYS!WmiSystemControl] 4F8B0200
IAT \SystemRoot\System32\Drivers\abw9h7hs.SYS[WMILIB.SYS!WmiCompleteRequest] 968D5140

---- Devices - GMER 1.0.15 ----

Device \FileSystem\Ntfs \Ntfs 8A92A1F8

AttachedDevice \FileSystem\Ntfs \Ntfs SYMEVENT.SYS (Symantec Event Library/Symantec Corporation)

Device \FileSystem\Fastfat \FatCdrom 8A2A4500

AttachedDevice \Driver\Tcpip \Device\Ip SYMTDI.SYS (Network Dispatch Driver/Symantec Corporation)

Device \Driver\usbuhci \Device\USBPDO-0 8A6D91F8
Device \Driver\dmio \Device\DmControl\DmIoDaemon 8A92D1F8
Device \Driver\dmio \Device\DmControl\DmConfig 8A92D1F8
Device \Driver\dmio \Device\DmControl\DmPnP 8A92D1F8
Device \Driver\dmio \Device\DmControl\DmInfo 8A92D1F8
Device \Driver\usbuhci \Device\USBPDO-1 8A6D91F8
Device \Driver\usbuhci \Device\USBPDO-2 8A6D91F8
Device \Driver\usbuhci \Device\USBPDO-3 8A6D91F8
Device \Driver\usbehci \Device\USBPDO-4 8A6AC1F8

AttachedDevice \Driver\Tcpip \Device\Tcp SYMTDI.SYS (Network Dispatch Driver/Symantec Corporation)

Device \Driver\Ftdisk \Device\HarddiskVolume1 8A92E1F8
Device \Driver\Ftdisk \Device\HarddiskVolume2 8A92E1F8
Device \Driver\Cdrom \Device\CdRom0 8A69D1F8
Device \Driver\Ftdisk \Device\HarddiskVolume3 8A92E1F8
Device \Driver\Cdrom \Device\CdRom1 8A69D1F8
Device \Driver\usbstor \Device\00000081 8A2ED368
Device \Driver\sptd \Device\806563924 spbp.sys
Device \Driver\usbstor \Device\00000076 8A2ED368
Device \Driver\NetBT \Device\NetBt_Wins_Export 8A63F500
Device \Driver\usbstor \Device\00000078 8A2ED368
Device \Driver\NetBT \Device\NetbiosSmb 8A63F500
Device \Driver\usbstor \Device\00000079 8A2ED368
Device \Driver\PCI_PNP0174 \Device\0000004c spbp.sys

AttachedDevice \Driver\Tcpip \Device\Udp SYMTDI.SYS (Network Dispatch Driver/Symantec Corporation)
AttachedDevice \Driver\Tcpip \Device\RawIp SYMTDI.SYS (Network Dispatch Driver/Symantec Corporation)

Device \Driver\usbuhci \Device\USBFDO-0 8A6D91F8
Device \Driver\usbstor \Device\0000007a 8A2ED368
Device \Driver\usbuhci \Device\USBFDO-1 8A6D91F8
Device \Driver\NetBT \Device\NetBT_Tcpip_{C115814E-3DC5-4532-9E09-D5786D1E3B5E} 8A63F500
Device \FileSystem\MRxSmb \Device\LanmanDatagramReceiver 8A6321F8
Device \Driver\usbstor \Device\0000007b 8A2ED368
Device \Driver\usbuhci \Device\USBFDO-2 8A6D91F8
Device \FileSystem\MRxSmb \Device\LanmanRedirector 8A6321F8
Device \Driver\usbstor \Device\0000007c 8A2ED368
Device \Driver\usbuhci \Device\USBFDO-3 8A6D91F8
Device \Driver\usbehci \Device\USBFDO-4 8A6AC1F8
Device \Driver\Ftdisk \Device\FtControl 8A92E1F8
Device \Driver\abw9h7hs \Device\Scsi\abw9h7hs1Port4Path0Target0Lun0 8A6781F8
Device \Driver\abw9h7hs \Device\Scsi\abw9h7hs1 8A6781F8
Device \FileSystem\Fastfat \Fat 8A2A4500

AttachedDevice \FileSystem\Fastfat \Fat fltmgr.sys (Microsoft Filesystem Filter Manager/Microsoft Corporation)

Device \FileSystem\Cdfs \Cdfs 8A4731F8

---- Registry - GMER 1.0.15 ----

Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg@s1 771343423
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg@s2 285507792
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg@h0 1
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4@p0 C:\Program Files\DAEMON Tools Lite\
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4@h0 0
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4@khjeh 0x6A 0x93 0xE0 0x7E ...
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001@a0 0x20 0x01 0x00 0x00 ...
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001@khjeh 0x14 0x22 0xC5 0xAD ...
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf40
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf40@khjeh 0xE0 0x06 0x6E 0x38 ...
Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4
Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4@p0 C:\Program Files\DAEMON Tools Lite\
Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4@h0 0
Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4@khjeh 0x6A 0x93 0xE0 0x7E ...
Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001
Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001@a0 0x20 0x01 0x00 0x00 ...
Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001@khjeh 0x14 0x22 0xC5 0xAD ...
Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf40
Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf40@khjeh 0xE0 0x06 0x6E 0x38 ...

---- EOF - GMER 1.0.15 ----

#10 fireman4it

fireman4it

    Bleepin' Fireman


  • Malware Response Team
  • 13,505 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Greenup, Ill USA
  • Local time:12:11 AM

Posted 05 April 2009 - 10:58 AM

Hello ArmyNGWife,

Sorry for the delayed response.

With malware being how it is today we need to install a "Recovery Console" to your hard drive.
This will give you the option of recovering from damage done by malware or malware removal.

1.
With malware infections being as they are today, it's strongly recommended to have the Windows Recovery Console pre-installed on your machine before doing any malware removal.

The Windows Recovery Console will allow you to boot up into a special recovery (repair) mode. This allows us to more easily help you should your computer have a problem after an attempted removal of malware. It is a simple procedure that will only take a few moments of your time.

Go to Microsoft's website => http://support.microsoft.com/kb/310994

Select the download that's appropriate for your Operating System

Posted Image

Download the file & save it to your Desktop as it's originally named.

---------------------------------------------------------------------

Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools

Posted Image
  • Drag the setup package onto ComboFix.exe and drop it.
  • Follow the prompts to start ComboFix and when prompted, agree to the End-User License Agreement to install the Microsoft Recovery Console.

    Posted Image
  • At the next prompt, click 'No' to run the full ComboFix scan.
2. We now need to run a CFscript using Combofix
1. Close any open browsers.

2. Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.

3. Open notepad and copy/paste the text in the quotebox below into it:

Registry::
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"rundll32.exe"=-

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"aux2"="wdmaud.drv"


Save this as CFScript.txt, in the same location as ComboFix.exe

Posted Image

Refering to the picture above, drag CFScript into ComboFix.exe

When finished, it shall produce a log for you at C:\ComboFix.txt which I will require in your next reply.

3.
Viewpoint Manager is considered as foistware instead of malware since it is installed without users approval but doesn't spy or do anything "bad". This changed from what we know in 2006 read this article:

http://www.clickz.com/news/article.php/3561546

I suggest you remove the program now. Click on start > run > and then paste the following into the "open" field: appwiz.cpl and press OK. From within Add or Remove Programs uninstall the following if they exist: Viewpoint, Viewpoint Manager, Viewpoint Media Player.

4.
Please do an online scan with Kaspersky WebScanner

Click on Kaspersky Online Scanner

You will be prompted to install an ActiveX component from Kaspersky, Click Yes.
  • The program will launch and then begin downloading the latest definition files:
  • Once the files have been downloaded click on NEXT
  • Now click on Scan Settings
  • In the scan settings make that the following are selected:
    • Scan using the following Anti-Virus database:
    Extended (if available otherwise Standard)
    • Scan Options:
    Scan Archives
    Scan Mail Bases
  • Click OK
  • Now under select a target to scan:Select My Computer
  • This will program will start and scan your system.
  • The scan will take a while so be patient and let it run.
  • Once the scan is complete it will display if your system has been infected.
    • Now click on the Save as Text button:
  • Save the file to your desktop.
  • Copy and paste that information in your next post.
Things to include in your next reply:
Combofix.txt
Kaspersky log
HiJackThis log
How is your computer running now? Any signs or symptoms of infection?

" Extinguishing Malware from the world"

The Virus, Trojan, Spyware, and Malware Removal forum is very busy. If I'm helping you and I've not posted back within 24 hrs., send a PM with your topic link. Thank you.

ALL OTHER HELP REQUESTS VIA THE PM SYSTEM WILL BE IGNORED. The Forums are there for a reason!
Thanks-


  userbar_eis_500.gif

If I have helped you, consider making a donation to help me continue the fight against Malware! Just click btn_donate_LG.gif


#11 fireman4it

fireman4it

    Bleepin' Fireman


  • Malware Response Team
  • 13,505 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Greenup, Ill USA
  • Local time:12:11 AM

Posted 07 April 2009 - 04:31 PM

Hello.

Are you still there?

If you are please follow the instructions in my previous post.

If you still need help, follow the instructions I have given in my response. If you have since had your problem solved, we would appreciate you letting us know so we can close the topic.

Please reply back telling us so. If you don't reply within 5-7 days the topic will need to be closed.

Thanks for understanding :thumbup2:

With Regards,
fireman4it

" Extinguishing Malware from the world"

The Virus, Trojan, Spyware, and Malware Removal forum is very busy. If I'm helping you and I've not posted back within 24 hrs., send a PM with your topic link. Thank you.

ALL OTHER HELP REQUESTS VIA THE PM SYSTEM WILL BE IGNORED. The Forums are there for a reason!
Thanks-


  userbar_eis_500.gif

If I have helped you, consider making a donation to help me continue the fight against Malware! Just click btn_donate_LG.gif


#12 ArmyNGWife

ArmyNGWife
  • Topic Starter

  • Members
  • 15 posts
  • OFFLINE
  •  
  • Local time:11:11 PM

Posted 07 April 2009 - 04:34 PM

Sorry for the delay. I smashed my finger in my truck door Sunday night so I've been kinda one-handed!! I will try to follow the instructions now and get logs up this evening.

Thanks,
Sandy

#13 ArmyNGWife

ArmyNGWife
  • Topic Starter

  • Members
  • 15 posts
  • OFFLINE
  •  
  • Local time:11:11 PM

Posted 07 April 2009 - 10:15 PM

The Kaspersky scan is running, but it looks like it's going to take a long time! Its been going for 3 hours and only says it's done 9%. I will post results as soon as I can.

Thanks,
Sandy

#14 ArmyNGWife

ArmyNGWife
  • Topic Starter

  • Members
  • 15 posts
  • OFFLINE
  •  
  • Local time:11:11 PM

Posted 09 April 2009 - 09:04 AM

Finally have all the scans done!


ComboFix log:

ComboFix 09-04-04.01 - Sandy 2009-04-07 16:55:00.4 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.2550.1785 [GMT -5:00]
Running from: c:\documents and settings\Sandy\Desktop\ComboFix.exe
Command switches used :: c:\documents and settings\Sandy\Desktop\CFScript.txt
AV: Symantec AntiVirus Corporate Edition *On-access scanning disabled* (Updated)
* Created a new restore point
.

((((((((((((((((((((((((( Files Created from 2009-03-07 to 2009-04-07 )))))))))))))))))))))))))))))))
.

2009-03-25 15:39 . 2009-03-25 15:50 <DIR> d-------- c:\windows\KBGear
2009-03-25 15:39 . 2000-12-15 01:21 173,568 --a------ c:\windows\system32\kbjam.cpl
2009-03-25 15:39 . 2000-12-15 01:21 110,592 --a------ c:\windows\system32\wintab32.exe
2009-03-25 15:39 . 2000-12-15 01:21 65,536 --a------ c:\windows\system32\wintab32.dll
2009-03-25 15:39 . 2000-12-15 01:21 28,992 --a------ c:\windows\system32\wintab.dll
2009-03-25 15:39 . 2000-12-15 01:21 23,552 --a------ c:\windows\system32\drivers\w2kbhid.sys
2009-03-25 15:39 . 2000-12-15 01:21 13,824 --a------ c:\windows\system32\drivers\wtcls2k.sys
2009-03-25 15:39 . 2009-03-25 15:50 816 --a------ c:\windows\WINTAB.INI
2009-03-25 15:37 . 2008-04-13 13:45 10,368 --a------ c:\windows\system32\drivers\hidusb.sys
2009-03-25 15:37 . 2008-04-13 13:45 10,368 --a--c--- c:\windows\system32\dllcache\hidusb.sys

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-04-07 21:54 --------- d-----w c:\program files\Symantec AntiVirus
2009-04-07 21:39 --------- d-----w c:\documents and settings\Sandy\Application Data\FileZilla
2009-04-07 17:15 --------- d-----w c:\documents and settings\Sandy\Application Data\uTorrent
2009-03-27 14:28 --------- d-----w c:\program files\Spybot - Search & Destroy
2009-03-25 14:42 --------- d-----w c:\program files\Common Files\Adobe
2009-03-03 18:07 --------- d-----w c:\program files\NCH Swift Sound
2009-03-03 18:06 --------- d-----w c:\program files\Spyware Doctor
2009-03-03 18:06 --------- d-----w c:\program files\Common Files\PC Tools
2009-03-03 18:05 --------- d---a-w c:\documents and settings\All Users\Application Data\TEMP
2009-03-03 18:04 --------- d-----w c:\program files\MediaCoder
2009-03-03 17:54 --------- d-----w c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
2009-03-01 17:07 --------- d-----w c:\documents and settings\Sandy\Application Data\Alien Skin
2009-02-11 20:38 --------- d-----w c:\program files\Maxis
2009-02-11 20:38 --------- d-----w c:\documents and settings\Sandy\Application Data\DAEMON Tools Lite
2009-02-11 20:37 --------- d-----w c:\documents and settings\Sandy\Application Data\DAEMON Tools Pro
2009-02-11 20:37 --------- d-----w c:\documents and settings\Sandy\Application Data\DAEMON Tools
2009-02-11 20:36 --------- d-----w c:\program files\DAEMON Tools Toolbar
2009-02-11 20:36 --------- d-----w c:\program files\DAEMON Tools Lite
2009-02-11 20:36 --------- d-----w c:\documents and settings\All Users\Application Data\DAEMON Tools Lite
2009-02-11 20:31 717,296 ----a-w c:\windows\system32\drivers\sptd.sys
2009-02-11 04:33 --------- d--h--w c:\program files\InstallShield Installation Information
2009-02-11 04:33 --------- d-----w c:\program files\ZyXEL
2009-02-09 11:13 1,846,784 ----a-w c:\windows\system32\win32k.sys
2008-09-21 14:59 256 ----a-w c:\documents and settings\Sandy\pool.bin
2007-10-22 22:17 774,144 ----a-w c:\program files\RngInterstitial.dll
2008-10-12 00:24 32,768 --sha-w c:\windows\system32\config\systemprofile\Local Settings\History\History.IE5\MSHist012008101120081012\index.dat
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\1TortoiseNormal]
@="{C5994560-53D9-4125-87C9-F193FC689CB2}"
[HKEY_CLASSES_ROOT\CLSID\{C5994560-53D9-4125-87C9-F193FC689CB2}]
2008-01-16 17:52 80384 --a------ c:\program files\Common Files\TortoiseOverlays\TortoiseOverlays.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\2TortoiseModified]
@="{C5994561-53D9-4125-87C9-F193FC689CB2}"
[HKEY_CLASSES_ROOT\CLSID\{C5994561-53D9-4125-87C9-F193FC689CB2}]
2008-01-16 17:52 80384 --a------ c:\program files\Common Files\TortoiseOverlays\TortoiseOverlays.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\3TortoiseConflict]
@="{C5994562-53D9-4125-87C9-F193FC689CB2}"
[HKEY_CLASSES_ROOT\CLSID\{C5994562-53D9-4125-87C9-F193FC689CB2}]
2008-01-16 17:52 80384 --a------ c:\program files\Common Files\TortoiseOverlays\TortoiseOverlays.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\4TortoiseLocked]
@="{C5994563-53D9-4125-87C9-F193FC689CB2}"
[HKEY_CLASSES_ROOT\CLSID\{C5994563-53D9-4125-87C9-F193FC689CB2}]
2008-01-16 17:52 80384 --a------ c:\program files\Common Files\TortoiseOverlays\TortoiseOverlays.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\5TortoiseReadOnly]
@="{C5994564-53D9-4125-87C9-F193FC689CB2}"
[HKEY_CLASSES_ROOT\CLSID\{C5994564-53D9-4125-87C9-F193FC689CB2}]
2008-01-16 17:52 80384 --a------ c:\program files\Common Files\TortoiseOverlays\TortoiseOverlays.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\6TortoiseDeleted]
@="{C5994565-53D9-4125-87C9-F193FC689CB2}"
[HKEY_CLASSES_ROOT\CLSID\{C5994565-53D9-4125-87C9-F193FC689CB2}]
2008-01-16 17:52 80384 --a------ c:\program files\Common Files\TortoiseOverlays\TortoiseOverlays.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\7TortoiseAdded]
@="{C5994566-53D9-4125-87C9-F193FC689CB2}"
[HKEY_CLASSES_ROOT\CLSID\{C5994566-53D9-4125-87C9-F193FC689CB2}]
2008-01-16 17:52 80384 --a------ c:\program files\Common Files\TortoiseOverlays\TortoiseOverlays.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\8TortoiseIgnored]
@="{C5994567-53D9-4125-87C9-F193FC689CB2}"
[HKEY_CLASSES_ROOT\CLSID\{C5994567-53D9-4125-87C9-F193FC689CB2}]
2008-01-16 17:52 80384 --a------ c:\program files\Common Files\TortoiseOverlays\TortoiseOverlays.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\9TortoiseUnversioned]
@="{C5994568-53D9-4125-87C9-F193FC689CB2}"
[HKEY_CLASSES_ROOT\CLSID\{C5994568-53D9-4125-87C9-F193FC689CB2}]
2008-01-16 17:52 80384 --a------ c:\program files\Common Files\TortoiseOverlays\TortoiseOverlays.dll

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-13 15360]
"Aim6"="c:\program files\AIM6\aim6.exe" [2008-10-31 50480]
"H/PC Connection Agent"="c:\program files\Microsoft ActiveSync\wcescomm.exe" [2006-11-13 1289000]
"Yahoo! Pager"="c:\program files\Yahoo!\Messenger\YahooMessenger.exe" [2007-08-30 4670704]
"LogitechSoftwareUpdate"="c:\program files\Logitech\Video\ManifestEngine.exe" [2005-06-08 196608]
"DAEMON Tools Lite"="c:\program files\DAEMON Tools Lite\daemon.exe" [2008-12-29 687560]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ccApp"="c:\program files\Common Files\Symantec Shared\ccApp.exe" [2006-07-19 52896]
"vptray"="c:\progra~1\SYMANT~1\VPTray.exe" [2006-09-27 125168]
"IgfxTray"="c:\windows\system32\igfxtray.exe" [2007-01-13 131072]
"HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2007-01-13 163840]
"Persistence"="c:\windows\system32\igfxpers.exe" [2007-01-13 135168]
"Recguard"="c:\windows\SMINST\RECGUARD.EXE" [2002-09-13 212992]
"Reminder"="c:\windows\Creator\Remind_XP.exe" [2005-02-25 966656]
"RemoteControl"="c:\program files\CyberLink\PowerDVD\PDVDServ.exe" [2004-11-02 32768]
"NeroFilterCheck"="c:\windows\system32\NeroCheck.exe" [2001-07-09 155648]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2007-06-29 286720]
"SunJavaUpdateSched"="c:\program files\Java\jre1.6.0_05\bin\jusched.exe" [2008-02-22 144784]
"EPSON Stylus Photo R200 Series"="c:\windows\System32\spool\DRIVERS\W32X86\3\E_S4I2H1.EXE" [2003-07-08 99840]
"Auto EPSON Stylus Photo R200 Series on BRIAN"="c:\windows\System32\spool\DRIVERS\W32X86\3\E_S4I2H1.EXE" [2003-07-08 99840]
"LVCOMSX"="c:\windows\system32\LVCOMSX.EXE" [2005-07-19 221184]
"LogitechVideoRepair"="c:\program files\Logitech\Video\ISStart.exe" [2005-06-08 458752]
"LogitechVideoTray"="c:\program files\Logitech\Video\LogiTray.exe" [2005-06-08 217088]
"\QMSGR-BRIAN\EPSON Stylus Photo R200 Series"="c:\windows\System32\spool\DRIVERS\W32X86\3\E_S4I2H1.EXE" [2003-07-08 99840]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2008-10-15 39792]
"High Definition Audio Property Page Shortcut"="HDAShCut.exe" [2005-01-07 c:\windows\system32\HdAShCut.exe]
"SoundMan"="SOUNDMAN.EXE" [2005-05-03 c:\windows\SOUNDMAN.EXE]
"AlcWzrd"="ALCWZRD.EXE" [2005-05-04 c:\windows\ALCWZRD.EXE]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
ZyXEL G-200 Utility.lnk - c:\program files\ZyXEL\G-200v2\G-200.exe [2009-02-10 1605632]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"wave1"= c:\docume~1\Sandy\APPLIC~1\MACROM~1\Common\40dfc00c1.dll
"midi1"= c:\docume~1\Sandy\APPLIC~1\MACROM~1\Common\40dfc00c1.dll
"mixer1"= c:\docume~1\Sandy\APPLIC~1\MACROM~1\Common\40dfc00c1.dll
"aux1"= c:\docume~1\Sandy\APPLIC~1\MACROM~1\Common\40dfc00c1.dll
"wave2"= c:\docume~1\Sandy\APPLIC~1\MACROM~1\Common\40dfc00c1.dll
"midi2"= c:\docume~1\Sandy\APPLIC~1\MACROM~1\Common\40dfc00c1.dll
"mixer2"= c:\docume~1\Sandy\APPLIC~1\MACROM~1\Common\40dfc00c1.dll
"vidc.ffds"= c:\progra~1\COMBIN~1\Filters\FFDShow\ff_vfw.dll

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"UpdatesDisableNotify"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\WINDOWS\\system32\\spool\\drivers\\w32x86\\3\\SAGENT4.EXE"=
"c:\\Documents and Settings\\Sandy\\Desktop\\utorrent.exe"=
"c:\\Program Files\\Common Files\\AOL\\Loader\\aolload.exe"=
"c:\\Program Files\\AIM6\\aim6.exe"=
"c:\\Program Files\\mIRC\\mirc.exe"=
"c:\\Program Files\\Zend\\ZendStudio-5.5.0\\jre\\bin\\javaw.exe"=
"c:\program files\Microsoft ActiveSync\rapimgr.exe"= c:\program files\Microsoft ActiveSync\rapimgr.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync RAPI Manager
"c:\program files\Microsoft ActiveSync\wcescomm.exe"= c:\program files\Microsoft ActiveSync\wcescomm.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync Connection Manager
"c:\program files\Microsoft ActiveSync\WCESMgr.exe"= c:\program files\Microsoft ActiveSync\WCESMgr.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync Application
"c:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe"=
"c:\\Program Files\\Yahoo!\\Messenger\\YServer.exe"=
"c:\\Program Files\\FileZilla FTP Client\\filezilla.exe"=
"d:\\Camfrog Video Chat\\Camfrog Video Chat.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\SightSpeed\\SightSpeed.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"26675:TCP"= 26675:TCP:169.254.2.0/255.255.255.0:Enabled:ActiveSync Service

R2 Viewpoint Manager Service;Viewpoint Manager Service;c:\program files\Viewpoint\Common\ViewpointService.exe [2007-10-29 24652]
R3 EraserUtilRebootDrv;EraserUtilRebootDrv;c:\program files\Common Files\Symantec Shared\EENGINE\EraserUtilRebootDrv.sys [2009-02-27 101936]
S3 SavRoam;SAVRoam;c:\program files\Symantec AntiVirus\SavRoam.exe [2006-09-27 116464]
S3 W2kbhid;KBGear Tablet (USB);c:\windows\system32\drivers\w2kbhid.sys [2009-03-25 23552]
S3 Wtcls2k;Wtcls2k;c:\windows\system32\drivers\wtcls2k.sys [2009-03-25 13824]
S3 ZD1211U(ZyXEL);ZyXEL G-200v2 802.11b/g Wireless USB Adapter(ZyXEL);c:\windows\system32\DRIVERS\zd1211u.sys --> c:\windows\system32\DRIVERS\zd1211u.sys [?]
.
.
------- Supplementary Scan -------
.
uStart Page = about:blank
uInternet Settings,ProxyOverride = *.local
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
IE: Zend Studio - Debug current page - c:\program files\Zend\ZendStudio-5.5.0\bin\ZendIEToolbar.dll/DebugCurrent.html
IE: Zend Studio - Debug next page - c:\program files\Zend\ZendStudio-5.5.0\bin\ZendIEToolbar.dll/DebugNext.html
FF - ProfilePath - c:\documents and settings\Sandy\Application Data\Mozilla\Firefox\Profiles\py1jcv9w.default\
FF - prefs.js: browser.search.defaulturl - hxxp://slirsredirect.search.aol.com/slirs_http/sredir?sredir=2706&invocationType=tb50fftrie7&query=
FF - prefs.js: browser.search.selectedEngine - Google
FF - prefs.js: keyword.URL - hxxp://slirsredirect.search.aol.com/slirs_http/sredir?sredir=2706&invocationType=tb50fftrab&query=
FF - component: c:\program files\DAEMON Tools Toolbar\FirefoxDTT\components\DTToolbarFF.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npCouponPrinter.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npgcplug.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npracplug.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npViewpoint.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npViewpoint_.dll
FF - plugin: c:\program files\Real\RealArcade\Plugins\Mozilla\npracplug.dll
FF - plugin: c:\program files\Viewpoint\Viewpoint Experience Technology\npViewpoint.dll
.

**************************************************************************

catchme 0.3.1375 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-04-07 16:56:18
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
Completion time: 2009-04-07 16:57:48
ComboFix-quarantined-files.txt 2009-04-07 21:57:32
ComboFix2.txt 2009-04-07 21:49:21
ComboFix3.txt 2009-03-31 18:18:54

Pre-Run: 5,458,841,600 bytes free
Post-Run: 5,444,665,344 bytes free

199 --- E O F --- 2009-04-01 08:03:23




Kaspersky log:

--------------------------------------------------------------------------------
KASPERSKY ONLINE SCANNER 7 REPORT
Wednesday, April 8, 2009
Operating System: Microsoft Windows XP Professional Service Pack 3 (build 2600)
Kaspersky Online Scanner 7 version: 7.0.25.0
Program database last update: Wednesday, April 08, 2009 00:54:34
Records in database: 2021752
--------------------------------------------------------------------------------

Scan settings:
Scan using the following database: extended
Scan archives: yes
Scan mail databases: yes

Scan area - My Computer:
C:\
D:\
E:\
F:\
G:\
H:\
I:\
J:\
K:\

Scan statistics:
Files scanned: 158772
Threat name: 6
Infected objects: 15
Suspicious objects: 0
Duration of the scan: 11:46:44


File name / Threat name / Threats count
C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\0A680000\4AEE5695.VBN Infected: Exploit.JS.Pdfka.w 1
C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\0A680001\4AEEC5A6.VBN Infected: Exploit.JS.Pdfka.w 1
C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\0F140000\4FD78023.VBN Infected: Trojan.Win32.Agent.btax 1
C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\0FB40000\4FB679AF.VBN Infected: Trojan.Win32.Agent2.erm 1
C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\0FB40001\4FB679C4.VBN Infected: Trojan.Win32.Agent2.erm 1
C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\0FB40002\4FB679E0.VBN Infected: Trojan.Win32.Agent2.erm 1
C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\0FB40003\4FB679FD.VBN Infected: Trojan-Downloader.Win32.Agent.bkaf 1
C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\0FB40006\4FB70357.VBN Infected: Trojan.Win32.Agent2.erm 1
C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\0FB40007\4FB70668.VBN Infected: Trojan.Win32.Agent2.erm 1
C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\0FB40008\4FB71480.VBN Infected: Trojan.Win32.Agent2.erm 1
C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\0FB40009\4FB73C68.VBN Infected: Trojan-Downloader.Win32.Agent.bkaf 1
C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\0FB4000B\4FB74E53.VBN Infected: Trojan.Win32.Agent.btax 1
C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\0FB4000E\4FFCE3CA.VBN Infected: Trojan-Downloader.Win32.FraudLoad.dsl 1
C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\0FB4000F\4FFD5663.VBN Infected: Trojan-Downloader.Win32.FraudLoad.dsl 1
C:\Program Files\mIRC\mirc.exe Infected: not-a-virus:Client-IRC.Win32.mIRC.621 1

The selected area was scanned.





HJT log:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 8:59:19 AM, on 4/9/2009
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16791)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\TortoiseSVN\bin\TSVNCache.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\WINDOWS\system32\rundll32.exe
C:\PROGRA~1\SYMANT~1\VPTray.exe
C:\WINDOWS\ALCWZRD.EXE
C:\WINDOWS\system32\igfxtray.exe
C:\WINDOWS\system32\Wintab32.exe
C:\WINDOWS\system32\hkcmd.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\WINDOWS\system32\igfxpers.exe
C:\Program Files\Symantec AntiVirus\DefWatch.exe
C:\Program Files\Common Files\New Boundary\PrismXL\PRISMXL.SYS
C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe
C:\Program Files\Symantec AntiVirus\Rtvscan.exe
C:\WINDOWS\system32\LVCOMSX.EXE
C:\Program Files\Logitech\Video\LogiTray.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\AIM6\aim6.exe
C:\Program Files\Microsoft ActiveSync\wcescomm.exe
C:\PROGRA~1\MICROS~3\rapimgr.exe
C:\Program Files\Logitech\Video\FxSvr2.exe
C:\Program Files\DAEMON Tools Lite\daemon.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\ZyXEL\G-200v2\G-200.exe
C:\Program Files\AIM6\aolsoftware.exe
C:\Program Files\Java\jre1.6.0_05\bin\jucheck.exe
C:\WINDOWS\system32\igfxsrvc.exe
C:\WINDOWS\explorer.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Documents and Settings\Sandy\Desktop\HJT\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O3 - Toolbar: Zend Studio - {95188727-288F-4581-A48D-EAB3BD027314} - C:\PROGRA~1\Zend\ZENDST~1.0\bin\ZENDIE~1.DLL
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\VPTray.exe
O4 - HKLM\..\Run: [High Definition Audio Property Page Shortcut] HDAShCut.exe
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [AlcWzrd] ALCWZRD.EXE
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [Persistence] C:\WINDOWS\system32\igfxpers.exe
O4 - HKLM\..\Run: [Recguard] %WINDIR%\SMINST\RECGUARD.EXE
O4 - HKLM\..\Run: [Reminder] %WINDIR%\Creator\Remind_XP.exe
O4 - HKLM\..\Run: [RemoteControl] "C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe"
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe"
O4 - HKLM\..\Run: [EPSON Stylus Photo R200 Series] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S4I2H1.EXE /P30 "EPSON Stylus Photo R200 Series" /O6 "USB001" /M "Stylus Photo R200"
O4 - HKLM\..\Run: [Auto EPSON Stylus Photo R200 Series on BRIAN] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S4I2H1.EXE /P44 "Auto EPSON Stylus Photo R200 Series on BRIAN" /O13 "\\BRIAN\EPSON" /M "Stylus Photo R200"
O4 - HKLM\..\Run: [LVCOMSX] C:\WINDOWS\system32\LVCOMSX.EXE
O4 - HKLM\..\Run: [LogitechVideoRepair] C:\Program Files\Logitech\Video\ISStart.exe
O4 - HKLM\..\Run: [LogitechVideoTray] C:\Program Files\Logitech\Video\LogiTray.exe
O4 - HKLM\..\Run: [\QMSGR-BRIAN\EPSON Stylus Photo R200 Series] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S4I2H1.EXE /P44 "\\QMSGR-BRIAN\EPSON Stylus Photo R200 Series" /O6 "USB001" /M "Stylus Photo R200"
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [Aim6] "C:\Program Files\AIM6\aim6.exe" /d locale=en-US ee://aol/imApp
O4 - HKCU\..\Run: [H/PC Connection Agent] "C:\Program Files\Microsoft ActiveSync\wcescomm.exe"
O4 - HKCU\..\Run: [Yahoo! Pager] "C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe" -quiet
O4 - HKCU\..\Run: [LogitechSoftwareUpdate] "C:\Program Files\Logitech\Video\ManifestEngine.exe" boot
O4 - HKCU\..\Run: [DAEMON Tools Lite] "C:\Program Files\DAEMON Tools Lite\daemon.exe" -autorun
O4 - Global Startup: ZyXEL G-200 Utility.lnk = ?
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Zend Studio - Debug current page - res://C:\Program Files\Zend\ZendStudio-5.5.0\bin\ZendIEToolbar.dll/DebugCurrent.html
O8 - Extra context menu item: Zend Studio - Debug next page - res://C:\Program Files\Zend\ZendStudio-5.5.0\bin\ZendIEToolbar.dll/DebugNext.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra button: Create Mobile Favorite - {2EAF5BB1-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MICROS~3\INetRepl.dll
O9 - Extra button: (no name) - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MICROS~3\INetRepl.dll
O9 - Extra 'Tools' menuitem: Create Mobile Favorite... - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MICROS~3\INetRepl.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Zend Studio Toolbar - {A26ABCF0-1C8F-46e7-A67C-0489DC21B9CC} - C:\PROGRA~1\Zend\ZENDST~1.0\bin\ZENDIE~1.DLL
O9 - Extra 'Tools' menuitem: Zend Studio - {A26ABCF0-1C8F-46e7-A67C-0489DC21B9CC} - C:\PROGRA~1\Zend\ZENDST~1.0\bin\ZENDIE~1.DLL
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/...b?1179726536781
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdat...b?1179729706484
O23 - Service: ##Id_String1.6844F930_1628_4223_B5CC_5BB94B879762## (Bonjour Service) - Apple Computer, Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: Symantec AntiVirus Definition Watcher (DefWatch) - Symantec Corporation - C:\Program Files\Symantec AntiVirus\DefWatch.exe
O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
O23 - Service: PrismXL - New Boundary Technologies, Inc. - C:\Program Files\Common Files\New Boundary\PrismXL\PRISMXL.SYS
O23 - Service: LiveShare P2P Server 9 (RoxLiveShare9) - Unknown owner - C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxLiveShare9.exe (file missing)
O23 - Service: SAVRoam (SavRoam) - symantec - C:\Program Files\Symantec AntiVirus\SavRoam.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
O23 - Service: Symantec AntiVirus - Symantec Corporation - C:\Program Files\Symantec AntiVirus\Rtvscan.exe
O23 - Service: Wintab32 - Unknown owner - C:\WINDOWS\system32\Wintab32.exe

--
End of file - 9908 bytes







Thanks!
Sandy

#15 ArmyNGWife

ArmyNGWife
  • Topic Starter

  • Members
  • 15 posts
  • OFFLINE
  •  
  • Local time:11:11 PM

Posted 09 April 2009 - 10:49 PM

As for how my computer is running now, it seems ok. The only thing I've noticed is something weird when I do a Google search. For example, just now I Googled a kids toy, and I right-clicked on the first 3 results & clicked to open them in new tabs. The first was a link to Amazon.com, but when I clicked to see the tab, it didn't load Amazon, it was "shopica.com" or something like that. So I close that tab and right-click again on the Amazon link & it works fine. The other 2 links I opened were fine too.

I've noticed this a couple of other times recently. Not sure if it's the same search-like site that it brings up. I'm using Firefox.

Thanks for all of your help!
Sandy




0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users