Infected with Virtumonde (arg!)


12 replies to this topic

#1 rbecker

  • Members
  • 9 posts

Posted 11 April 2009 - 02:43 PM

I'm running Windows Vista and recently got infected with the Virtumonde trojan. I detected it with Spybot Search & Destroy. I can't remove it. Please help.



DDS (Ver_09-03-16.01) - NTFSx86
Run by HP_Administrator at 21:44:22.70 on Fri 04/10/2009
Internet Explorer: 7.0.6001.18000
Microsoft® Windows Vista™ Home Premium 6.0.6001.1.1252.1.1033.18.2046.648 [GMT -7:00]

AV: CA Anti-Virus *On-access scanning enabled* (Updated)

============== Running Processes ===============

C:\Windows\system32\wininit.exe
C:\Windows\system32\lsm.exe
C:\Windows\system32\svchost.exe -k DcomLaunch
C:\Windows\system32\svchost.exe -k rpcss
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted
C:\Windows\system32\svchost.exe -k netsvcs
C:\Windows\system32\SLsvc.exe
C:\Windows\system32\svchost.exe -k LocalService
C:\Windows\system32\svchost.exe -k NetworkService
C:\Windows\System32\spoolsv.exe
C:\Windows\system32\taskeng.exe
C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork
C:\Windows\system32\Dwm.exe
C:\Windows\Explorer.EXE
C:\Program Files\Adobe\Photoshop Elements 5.0\PhotoshopElementsFileAgent.exe
C:\Program Files\Intel\Intel Matrix Storage Manager\IAAnotif.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\CA\CA Internet Security Suite\cctray\cctray.exe
C:\Program Files\CA\CA Internet Security Suite\CA Anti-Virus\cavrid.exe
C:\Windows\System32\rundll32.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Carbonite\Carbonite Backup\CarboniteUI.exe
C:\Windows\RtHDVCpl.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\CA\CA Internet Security Suite\CA Anti-Virus\ISafe.exe
C:\Windows\System32\rundll32.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Carbonite\Carbonite Backup\carboniteservice.exe
C:\Users\HP_Administrator\AppData\Local\Google\Update\GoogleUpdate.exe
C:\Windows\ehome\ehtray.exe
C:\Program Files\DirecTV\DirecTV\Kernel\DMP\CLHNService.exe
C:\Windows\ehome\ehmsas.exe
C:\Windows\system32\svchost.exe -k hpdevmgmt
C:\Program Files\Intel\Intel Matrix Storage Manager\Iaantmon.exe
C:\Program Files\Common Files\LightScribe\LSSrvc.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\Program Files\Pinnacle\MediaServer\Microsoft SQL Server\MSSQL$PINNACLESYS\Binn\sqlservr.exe
C:\Windows\System32\svchost.exe -k HPZ12
C:\Windows\System32\svchost.exe -k HPZ12
C:\Windows\system32\svchost.exe -k NetworkServiceNetworkRestricted
C:\Windows\System32\snmp.exe
C:\Windows\system32\svchost.exe -k imgsvc
C:\Program Files\CA\CA Internet Security Suite\CA Anti-Virus\VetMsg.exe
C:\Windows\System32\svchost.exe -k WerSvcGroup
C:\Windows\system32\SearchIndexer.exe
C:\Windows\System32\mobsync.exe
C:\Windows\system32\WUDFHost.exe
C:\Windows\system32\DRIVERS\xaudio.exe
c:\program files\pinnacle\shared files\programs\mediaserver\pmshost.exe
C:\Program Files\Spybot - Search & Destroy\SDWinSec.exe
C:\Windows\system32\taskeng.exe
C:\Windows\system32\WerCon.exe
C:\Program Files\Windows Media Player\WMPNSCFG.exe
C:\Program Files\CA\CA Internet Security Suite\ccprovsp.exe
C:\Windows\system32\wbem\wmiprvse.exe
C:\Program Files\Windows Media Player\wmplayer.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Windows\system32\svchost.exe -k HPService
C:\Windows\system32\vssvc.exe
C:\Windows\system32\SearchProtocolHost.exe
C:\Program Files\Windows Media Player\wmpnetwk.exe
C:\Windows\System32\svchost.exe -k swprv
C:\Windows\System32\svchost.exe -k secsvcs
C:\Windows\system32\wbem\unsecapp.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Internet Explorer\ieuser.exe
C:\HP\KBD\KBD.EXE
c:\windows\system\hpsysdrv.exe
C:\Program Files\Windows Mail\WinMail.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Users\HP_Administrator\Documents\Desktop\dds.scr
C:\Windows\system32\SearchFilterHost.exe
C:\Windows\system32\wbem\wmiprvse.exe

============== Pseudo HJT Report ===============

uDefault_Page_URL = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=EN_US&c=64&bd=PAVILION&pf=desktop
uDefault_Search_URL = hxxp://www.google.com/ie
uSearch Bar = hxxp://www.google.com/ie
uSearch Page = hxxp://www.google.com
uStart Page = hxxp://www.beckerz.com/
mSearch Bar = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iesearch&locale=EN_US&c=64&bd=PAVILION&pf=desktop
uInternet Settings,ProxyOverride = *.local
uSearchAssistant = hxxp://www.google.com/ie
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
mSearchAssistant = hxxp://www.google.com/ie
uURLSearchHooks: Yahoo! Toolbar: {ef99bd32-c1fb-11d2-892f-0090271d4f88} - c:\program files\yahoo!\companion\installs\cpn\yt.dll
mURLSearchHooks: Yahoo! Toolbar: {ef99bd32-c1fb-11d2-892f-0090271d4f88} - c:\program files\yahoo!\companion\installs\cpn\yt.dll
BHO: Yahoo! Toolbar Helper: {02478d38-c3f9-4efb-9b51-7695eca05670} - c:\program files\yahoo!\companion\installs\cpn\yt.dll
BHO: Adobe PDF Reader Link Helper: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\adobe\acrobat 7.0\activex\AcroIEHelper.dll
BHO: Spybot-S&D IE Protection: {53707962-6f74-2d53-2644-206d7942484f} - c:\progra~1\spybot~1\SDHelper.dll
BHO: SSVHelper Class: {761497bb-d6f0-462c-b6eb-d4daf1d92d43} - c:\program files\java\jre1.5.0_09\bin\ssv.dll
BHO: {7E853D72-626A-48EC-A868-BA8D5E23E045} - No File
BHO: {a28375af-c1da-4ced-a197-6505b4f0b24b} - c:\windows\system32\tobigulu.dll
BHO: Google Toolbar Notifier BHO: {af69de43-7d58-4638-b6fa-ce66b5ad205d} - c:\program files\google\googletoolbarnotifier\5.1.1309.3572\swg.dll
TB: Yahoo! Toolbar: {ef99bd32-c1fb-11d2-892f-0090271d4f88} - c:\program files\yahoo!\companion\installs\cpn\yt.dll
uRun: [Google Update] "c:\users\hp_administrator\appdata\local\google\update\GoogleUpdate.exe" /c
uRun: [ehTray.exe] c:\windows\ehome\ehTray.exe
uRun: [viregedodu] Rundll32.exe "c:\windows\system32\wovidape.dll",s
uRun: [CPM10053430] Rundll32.exe "c:\progra~2\nilujete\nilujete.dll",a
mRun: [Windows Defender] %ProgramFiles%\Windows Defender\MSASCui.exe -hide
mRun: [Recguard] c:\windows\sminst\RECGUARD.EXE
mRun: [IAAnotif] "c:\program files\intel\intel matrix storage manager\Iaanotif.exe"
mRun: [HPBootOp] "c:\program files\hewlett-packard\hp boot optimizer\HPBootOp.exe" /run
mRun: [ftutil2] rundll32.exe ftutil2.dll,SetWriteCacheMode
mRun: [cctray] "c:\program files\ca\ca internet security suite\cctray\cctray.exe"
mRun: [CAVRID] "c:\program files\ca\ca internet security suite\ca anti-virus\CAVRID.exe"
mRun: [NvSvc] RUNDLL32.EXE c:\windows\system32\nvsvc.dll,nvsvcStart
mRun: [NvCplDaemon] RUNDLL32.EXE c:\windows\system32\NvCpl.dll,NvStartup
mRun: [NvMediaCenter] RUNDLL32.EXE c:\windows\system32\NvMcTray.dll,NvTaskbarInit
mRun: [Carbonite Backup] c:\program files\carbonite\carbonite backup\CarboniteUI.exe
mRun: [RtHDVCpl] RtHDVCpl.exe
mRun: [AppleSyncNotifier] c:\program files\common files\apple\mobile device support\bin\AppleSyncNotifier.exe
mRun: [TkBellExe] "c:\program files\common files\real\update_ob\realsched.exe" -osboot
mRun: [Framework Windows] frmwrk32.exe
mRun: [Google Desktop Search] "c:\program files\google\google desktop search\GoogleDesktop.exe" /startup
mRun: [QuickTime Task] "c:\program files\quicktime\QTTask.exe" -atboottime
mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe"
mRun: [133607ac] rundll32.exe "c:\programdata\hufowebi\hufowebi.dll",b
mRun: [viregedodu] Rundll32.exe "c:\programdata\gukehere\gukehere.dll",s
mRun: [CPM10053430] Rundll32.exe "c:\progra~2\nilujete\nilujete.dll",a
dRunOnce: [FlashPlayerUpdate] c:\windows\system32\macromed\flash\FlashUtil10a.exe
StartupFolder: c:\users\hp_adm~1\appdata\roaming\micros~1\windows\startm~1\programs\startup\erunta~1.lnk - c:\program files\erunt\AUTOBACK.EXE
StartupFolder: c:\progra~2\micros~1\windows\startm~1\programs\startup\update~1.lnk - c:\program files\updates from hp\9972322\program\Updates from HP.exe
uPolicies-explorer: NoSetActiveDesktop = 1 (0x1)
mPolicies-explorer: NoSetActiveDesktop = 1 (0x1)
mPolicies-explorer: NoActiveDesktopChanges = 1 (0x1)
mPolicies-system: EnableUIADesktopToggle = 0 (0x0)
IE: Add to Google Photos Screensa&ver - c:\windows\system32\GPhotos.scr/200
IE: E&xport to Microsoft Excel - c:\progra~1\micros~4\office10\EXCEL.EXE/3000
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - {CAFEEFAC-0015-0000-0009-ABCDEFFEDCBC} - c:\program files\java\jre1.5.0_09\bin\ssv.dll
IE: {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - {53707962-6F74-2D53-2644-206D7942484F} - c:\progra~1\spybot~1\SDHelper.dll
LSP: c:\windows\system32\VetRedir.dll
DPF: {0CCA191D-13A6-4E29-B746-314DEE697D83} - hxxp://upload.facebook.com/controls/2008.10.10_v5.5.8/FacebookPhotoUploader5.cab
DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} - hxxp://fpdownload.macromedia.com/get/flashplayer/current/polarbear/ultrashim.cab
DPF: {F27237D7-93C8-44C2-AC6E-D6057B9A918F} - hxxps://remote.csaa.com/dana-cached/sc/JuniperSetupClient.cab
Handler: cdo - {CD00020A-8B95-11D1-82DB-00C04FB1625D} - c:\program files\common files\microsoft shared\web folders\PKMCDO.DLL
AppInit_DLLs: c:\progra~1\google\go333c~1\goec62~1.dll c:\progra~2\nilujete\nilujete.dll c:\programdata\vokubonu\vokubonu.dll c:\windows\system32\tobigulu.dll c:\windows\system32\kufoluru.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - %SystemRoot%\system32\wpdshserviceobj.dll
SSODL: SSODL - {EC43E3FD-5C60-46a6-97D7-E0B85DBDD6C4} - c:\windows\system32\kufoluru.dll
STS: STS: {ec43e3fd-5c60-46a6-97d7-e0b85dbdd6c4} - c:\windows\system32\kufoluru.dll
LSA: Notification Packages = scecli c:\programdata\vokubonu\vokubonu.dll c:\windows\system32\tobigulu.dll

================= FIREFOX ===================

FF - ProfilePath - c:\users\hp_adm~1\appdata\roaming\mozilla\firefox\profiles\htdocqjh.default\
FF - component: c:\program files\mozilla firefox\components\GoogleDesktopMozilla.dll
FF - plugin: c:\program files\google\google updater\2.4.1536.6592\npCIDetect13.dll
FF - plugin: c:\program files\google\picasa3\npPicasa2.dll
FF - plugin: c:\program files\google\picasa3\npPicasa3.dll
FF - plugin: c:\program files\java\jre1.5.0_09\bin\NPJava11.dll
FF - plugin: c:\program files\java\jre1.5.0_09\bin\NPJava12.dll
FF - plugin: c:\program files\java\jre1.5.0_09\bin\NPJava13.dll
FF - plugin: c:\program files\java\jre1.5.0_09\bin\NPJava14.dll
FF - plugin: c:\program files\java\jre1.5.0_09\bin\NPJava32.dll
FF - plugin: c:\program files\java\jre1.5.0_09\bin\NPJPI150_09.dll
FF - plugin: c:\program files\java\jre1.5.0_09\bin\NPOJI610.dll
FF - plugin: c:\users\hp_administrator\appdata\local\google\update\1.2.141.5\npGoogleOneClick7.dll
FF - plugin: c:\users\hp_administrator\appdata\roaming\mozilla\plugins\npgoogletalk.dll

============= SERVICES / DRIVERS ===============

R1 vcdrom;Virtual CD-ROM Device Driver;c:\windows\system32\drivers\VCdRom.sys [2001-12-19 8576]
R2 CLHNService3;CLHNService3;c:\program files\directv\directv\kernel\dmp\CLHNService.exe [2008-9-26 98304]
R2 ntk3;ntk3;c:\program files\directv\directv\kernel\dmp\ntk3.sys [2008-9-26 120048]
R2 SBSDWSCService;SBSD Security Center Service;c:\program files\spybot - search & destroy\SDWinSec.exe [2009-1-17 1153368]
S3 DCamUSBNW800;CIF USB Camera (2110);c:\windows\system32\drivers\pcam800.sys [2002-7-27 210792]
S3 GoogleDesktopManager-092308-165331;Google Desktop Manager 5.8.809.23506;c:\program files\google\google desktop search\GoogleDesktop.exe [2009-3-6 30192]
S3 PsSdk41;PsSdk41;c:\windows\system32\drivers\pssdk41.sys [2008-7-12 36928]
S3 VST_DPV;VST_DPV;c:\windows\system32\drivers\VSTDPV3.SYS [2006-11-2 987648]
S3 VSTHWBS2;VSTHWBS2;c:\windows\system32\drivers\VSTBS23.SYS [2006-11-2 251904]

=============== Created Last 30 ================

2009-04-10 18:56 <DIR> --d----- c:\programdata\zifirobo
2009-04-10 18:56 <DIR> --d----- c:\programdata\vokubonu
2009-04-10 18:56 <DIR> --d----- c:\programdata\gukehere
2009-04-10 18:56 <DIR> --d----- c:\progra~2\zifirobo
2009-04-10 18:56 <DIR> --d----- c:\progra~2\vokubonu
2009-04-10 18:56 <DIR> --d----- c:\progra~2\gukehere
2009-04-10 18:55 <DIR> --d----- c:\programdata\vinabino
2009-04-10 18:55 <DIR> --d----- c:\programdata\nilujete
2009-04-10 18:55 <DIR> --d----- c:\programdata\nifisofo
2009-04-10 18:55 <DIR> --d----- c:\progra~2\vinabino
2009-04-10 18:55 <DIR> --d----- c:\progra~2\nilujete
2009-04-10 18:55 <DIR> --d----- c:\progra~2\nifisofo
2009-04-09 21:49 318,976 a------- c:\windows\system32\CF16613.exe
2009-04-09 21:49 <DIR> --d----- C:\blue
2009-04-09 21:42 318,976 a------- c:\windows\system32\CF15434.exe
2009-04-09 21:41 318,976 a------- c:\windows\system32\CF15222.exe
2009-04-09 21:34 <DIR> --d----- C:\globremover
2009-04-09 21:34 318,976 a------- c:\windows\system32\CF13703.exe
2009-04-09 21:32 318,976 a------- c:\windows\system32\CF13348.exe
2009-04-09 21:29 318,976 a------- c:\windows\system32\CF12779.exe
2009-04-09 21:29 <DIR> --d----- C:\Combo-Fix
2009-04-09 21:22 318,976 a------- c:\windows\system32\CF11457.exe
2009-04-09 21:17 318,976 a------- c:\windows\system32\CF10484.exe
2009-04-09 20:42 318,976 a------- c:\windows\system32\CF3639.exe
2009-04-09 20:27 318,976 a------- c:\windows\system32\CF700.exe
2009-04-09 20:19 <DIR> --d----- C:\multifix
2009-04-09 20:19 318,976 a------- c:\windows\system32\CF31763.exe
2009-04-09 20:09 318,976 a------- c:\windows\system32\CF29879.exe
2009-04-09 20:07 318,976 a------- c:\windows\system32\CF29500.exe
2009-04-09 20:00 318,976 a------- c:\windows\system32\CF28109.exe
2009-04-09 19:49 318,976 a------- c:\windows\system32\CF25908.exe
2009-04-09 19:44 318,976 a------- c:\windows\system32\CF24879.exe
2009-04-09 18:57 <DIR> --d----- c:\programdata\zekibawi
2009-04-09 18:57 <DIR> --d----- c:\programdata\halojoge
2009-04-09 18:57 <DIR> --d----- c:\progra~2\zekibawi
2009-04-09 18:57 <DIR> --d----- c:\progra~2\halojoge
2009-04-08 23:01 318,976 a------- c:\windows\system32\CF10771.exe
2009-04-08 22:06 318,976 a------- c:\windows\system32\CF20.exe
2009-04-08 21:58 318,976 a------- c:\windows\system32\CF31260.exe
2009-04-08 21:55 318,976 a------- c:\windows\system32\CF30597.exe
2009-04-08 21:53 318,976 a------- c:\windows\system32\CF30195.exe
2009-04-08 21:33 <DIR> --d----- c:\programdata\pawehuhe
2009-04-08 21:33 <DIR> --d----- c:\progra~2\pawehuhe
2009-04-08 21:32 <DIR> --d----- c:\programdata\zelojive
2009-04-08 21:32 <DIR> --d----- c:\programdata\riyakuge
2009-04-08 21:32 <DIR> --d----- c:\programdata\jutepeso
2009-04-08 21:32 <DIR> --d----- c:\progra~2\zelojive
2009-04-08 21:32 <DIR> --d----- c:\progra~2\riyakuge
2009-04-08 21:32 <DIR> --d----- c:\progra~2\jutepeso
2009-04-08 21:32 <DIR> --d----- c:\programdata\zabinose
2009-04-08 21:32 <DIR> --d----- c:\programdata\luhuwuji
2009-04-08 21:32 <DIR> --d----- c:\programdata\hufowebi
2009-04-08 21:32 <DIR> --d----- c:\programdata\fatopoze
2009-04-08 21:32 <DIR> --d----- c:\progra~2\zabinose
2009-04-08 21:32 <DIR> --d----- c:\progra~2\luhuwuji
2009-04-08 21:32 <DIR> --d----- c:\progra~2\hufowebi
2009-04-08 21:32 <DIR> --d----- c:\progra~2\fatopoze
2009-04-06 19:48 <DIR> --d----- c:\programdata\wuyojogi
2009-04-06 19:48 <DIR> --d----- c:\progra~2\wuyojogi
2009-04-05 17:45 318,976 a------- c:\windows\system32\CF19755.exe
2009-04-05 17:34 318,976 a------- c:\windows\system32\CF17802.exe
2009-04-05 14:55 318,976 a------- c:\windows\system32\CF19423.exe
2009-04-05 14:37 318,976 a------- c:\windows\system32\CF15772.exe
2009-04-05 14:26 318,976 a------- c:\windows\system32\CF13300.exe
2009-04-05 09:48 <DIR> --d----- c:\programdata\ruvekifo
2009-04-05 09:48 <DIR> --d----- c:\progra~2\ruvekifo
2009-04-04 21:02 <DIR> --d----- c:\programdata\Sony
2009-04-04 20:48 <DIR> --d----- c:\programdata\begadosi
2009-04-04 20:48 <DIR> --d----- c:\progra~2\begadosi
2009-04-04 08:48 <DIR> --d----- c:\programdata\tavimega
2009-04-04 08:48 <DIR> --d----- c:\progra~2\tavimega
2009-04-03 20:16 <DIR> --d----- c:\programdata\mobahibe
2009-04-03 20:16 <DIR> --d----- c:\progra~2\mobahibe
2009-03-17 21:09 107,368 a------- c:\windows\system32\GEARAspi.dll
2009-03-17 21:09 23,848 a------- c:\windows\system32\drivers\GEARAspiWDM.sys
2009-03-17 21:08 <DIR> --d----- c:\program files\iPod
2009-03-17 21:08 <DIR> --d----- c:\programdata\{00D89592-F643-4D8D-8F0F-AFAE0F14D4C3}
2009-03-17 21:08 <DIR> --d----- c:\progra~2\{00D89592-F643-4D8D-8F0F-AFAE0F14D4C3}

==================== Find3M ====================

2009-04-10 21:01 87,552 a--sh--- c:\windows\system32\kufoluru.dll
2009-04-10 21:01 51,200 a--sh--- c:\windows\system32\vemejofa.exe
2009-04-09 19:40 87,552 a--sh--- c:\windows\system32\nesirona.dll
2009-04-09 19:40 51,200 a--sh--- c:\windows\system32\borababu.exe
2009-04-01 18:35 87,552 a------- c:\windows\system32\hozekopo.dll
2009-03-31 18:10 87,552 a------- c:\windows\system32\dowileyi.dll
2009-03-17 20:59 143,360 a------- c:\windows\inf\infstrng.dat
2009-03-17 20:59 86,016 a------- c:\windows\inf\infstor.dat
2009-03-17 20:59 51,200 a------- c:\windows\inf\infpub.dat
2009-03-05 23:59 1,900,544 a------- c:\windows\system32\usbaaplrc.dll
2009-03-05 23:59 36,864 a------- c:\windows\system32\drivers\usbaapl.sys
2009-02-08 20:10 2,033,152 a------- c:\windows\system32\win32k.sys
2009-01-16 23:35 69,632 a------- c:\windows\system32\26K2CuCX.exe
2009-01-14 23:11 827,392 a------- c:\windows\system32\wininet.dll
2008-12-09 21:46 146,136 a------- c:\users\hp_adm~1\appdata\roaming\GDIPFONTCACHEV1.DAT
2008-06-14 03:12 665,600 a------- c:\windows\inf\drvindex.dat
2008-03-26 18:45 174 a--sh--- c:\program files\desktop.ini
2006-11-02 05:42 287,440 a------- c:\windows\inf\perflib\0409\perfi.dat
2006-11-02 05:42 287,440 a------- c:\windows\inf\perflib\0409\perfh.dat
2006-11-02 05:42 30,674 a------- c:\windows\inf\perflib\0409\perfd.dat
2006-11-02 05:42 30,674 a------- c:\windows\inf\perflib\0409\perfc.dat
2006-11-02 02:20 287,440 a------- c:\windows\inf\perflib\0000\perfi.dat
2006-11-02 02:20 287,440 a------- c:\windows\inf\perflib\0000\perfh.dat
2006-11-02 02:20 30,674 a------- c:\windows\inf\perflib\0000\perfd.dat
2006-11-02 02:20 30,674 a------- c:\windows\inf\perflib\0000\perfc.dat
2007-02-18 11:20 16,384 a--sh--- c:\windows\serviceprofiles\localservice\appdata\local\microsoft\windows\history\history.ie5\index.dat
2007-02-18 11:20 32,768 a--sh--- c:\windows\serviceprofiles\localservice\appdata\local\microsoft\windows\temporary internet files\content.ie5\index.dat
2007-02-18 11:20 16,384 a--sh--- c:\windows\serviceprofiles\localservice\appdata\roaming\microsoft\windows\cookies\index.dat
2006-12-16 16:41 22 a--sh--- c:\windows\sminst\HPCD.sys
2009-01-01 18:36 49,152 a--sh--- c:\windows\system32\bivemufi.dll
2009-01-09 19:40 49,152 a--sh--- c:\windows\system32\latabaye.dll
2009-01-01 18:36 49,152 a--sh--- c:\windows\system32\moriwami.dll
2009-01-01 18:36 49,152 a--sh--- c:\windows\system32\tobigulu.dll

============= FINISH: 21:47:15.58 ===============

#2 kahdah

  • Security Colleague
  • 11,138 posts
  • Gender:Male
  • Location:Florida

Posted 11 April 2009 - 02:56 PM

Hello rbecker

Welcome to BleepingComputer.
========================
Please download the OTMoveIt3 by OldTimer.
  • Save it to your desktop.
  • Please double-click OTMoveIt3.exe to run it. (Note: If you are running on Vista, right-click on the file and choose Run As Administrator).
  • Copy the lines in the codebox below to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose Copy):

    :processes
    explorer.exe
    
    :files
    c:\windows\system32\bivemufi.dll
    c:\windows\system32\latabaye.dll
    c:\windows\system32\moriwami.dll
    c:\windows\system32\tobigulu.dll
    c:\windows\system32\kufoluru.dll
    c:\windows\system32\vemejofa.exe
    c:\windows\system32\nesirona.dll
    c:\windows\system32\borababu.exe
    c:\windows\system32\hozekopo.dll
    c:\windows\system32\dowileyi.dll
    c:\programdata\ruvekifo
    c:\progra~2\ruvekifo
    c:\programdata\Sony
    c:\programdata\begadosi
    c:\progra~2\begadosi
    c:\programdata\tavimega
    c:\progra~2\tavimega
    c:\programdata\mobahibe
    c:\progra~2\mobahibe
    c:\programdata\pawehuhe
    c:\progra~2\pawehuhe
    c:\programdata\zelojive
    c:\programdata\riyakuge
    c:\programdata\jutepeso
    c:\progra~2\zelojive
    c:\progra~2\riyakuge
    c:\progra~2\jutepeso
    c:\programdata\zabinose
    c:\programdata\luhuwuji
    c:\programdata\hufowebi
    c:\programdata\fatopoze
    c:\progra~2\zabinose
    c:\progra~2\luhuwuji
    c:\progra~2\hufowebi
    c:\progra~2\fatopoze
    c:\programdata\wuyojogi
    c:\progra~2\wuyojogi
    C:\programdata\zekibawi
    c:\programdata\halojoge
    c:\progra~2\zekibawi
    c:\progra~2\halojoge
    c:\programdata\zifirobo
    c:\programdata\vokubonu
    c:\programdata\gukehere
    c:\progra~2\zifirobo
    c:\progra~2\vokubonu
    c:\progra~2\gukehere
    c:\programdata\vinabino
    c:\programdata\nilujete
    c:\programdata\nifisofo
    c:\progra~2\vinabino
    c:\progra~2\nilujete
    c:\progra~2\nifisofo
    
    :commands
    [emptytemp]
    [start explorer]
  • Return to OTMoveIt3, right click in the "Paste Instructions for Items to be Moved" window (under the yellow bar) and choose Paste.
  • Click the red Moveit! button.
  • Copy everything in the Results window (under the green bar) to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose copy), and paste it in your next reply.
  • Close OTMoveIt3
Note: If a file or folder cannot be moved immediately you may be asked to reboot the machine to finish the move process. If you are asked to reboot the machine choose Yes. In this case, after the reboot, open Notepad (Start->All Programs->Accessories->Notepad), click File->Open, in the File Name box enter *.log and press the Enter key, navigate to the C:\_OTMoveIt\MovedFiles folder, and open the newest .log file present, and copy/paste the contents of that document back here in your next post.
===================================
Please download Malwarebytes' Anti-Malware from Here or Here

Double Click mbam-setup.exe to install the application.
  • Make sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.
  • If an update is found, it will download and install the latest version.
  • Once the program has loaded, select "Perform Quick Scan", then click Scan.
  • The scan may take some time to finish, so please be patient.
  • When the scan is complete, click OK, then Show Results to view the results.
  • Make sure that everything is checked, and click Remove Selected.
  • When disinfection is completed, a log will open in Notepad and you may be prompted to Restart. (See Extra Note)
  • The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
  • Copy and paste the entire report in your next reply.
Extra Note:
If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts. Click OK to either and let MBAM proceed with the disinfection process; if asked to restart the computer, please do so immediately.
=========================
Please post these logs in your next reply:
  • OTMoveIt log
  • Malwarebytes log
  • New DDS log

Please do not pm for help, post it in the forums instead.

If I am helping you and have not responded for 48 hours please send me a pm as I don't always get notifications.

My help is always free, however, if you would like to make a donation to me for the help I have provided please click here.
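Added example, not part of this thread or of any tool mentioned in it: a small Python triage script that scans DDS log lines like the ones in post #1 for the file-naming pattern this Vundo variant uses (eight lowercase letters alternating consonant and vowel, e.g. tobigulu, kufoluru, nilujete) and reports which load points (AppInit_DLLs, SSODL, LSA Notification Packages, BHO, Run keys) and file attributes were seen for each hit, which is the reasoning behind the file and folder list in the OTMoveIt3 script above. The sample lines are copied from the DDS log in post #1; the name heuristic is an assumption tied to this variant's droppings, not a general malware test.

```python
import re
from dataclasses import dataclass, field

# Constructed sample: lines copied from the DDS log in post #1 (load points from
# the Pseudo HJT section, file entries from Find3M) plus a few benign entries so
# the script can be run offline.
SAMPLE_DDS = r"""
BHO: Adobe PDF Reader Link Helper: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\adobe\acrobat 7.0\activex\AcroIEHelper.dll
BHO: {a28375af-c1da-4ced-a197-6505b4f0b24b} - c:\windows\system32\tobigulu.dll
uRun: [viregedodu] Rundll32.exe "c:\windows\system32\wovidape.dll",s
mRun: [NvSvc] RUNDLL32.EXE c:\windows\system32\nvsvc.dll,nvsvcStart
mRun: [133607ac] rundll32.exe "c:\programdata\hufowebi\hufowebi.dll",b
AppInit_DLLs: c:\progra~1\google\go333c~1\goec62~1.dll c:\progra~2\nilujete\nilujete.dll c:\windows\system32\kufoluru.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - %SystemRoot%\system32\wpdshserviceobj.dll
SSODL: SSODL - {EC43E3FD-5C60-46a6-97D7-E0B85DBDD6C4} - c:\windows\system32\kufoluru.dll
LSA: Notification Packages = scecli c:\programdata\vokubonu\vokubonu.dll c:\windows\system32\tobigulu.dll
2009-04-10 21:01 87,552 a--sh--- c:\windows\system32\kufoluru.dll
2009-04-10 21:01 51,200 a--sh--- c:\windows\system32\vemejofa.exe
2009-01-14 23:11 827,392 a------- c:\windows\system32\wininet.dll
2008-03-26 18:45 174 a--sh--- c:\program files\desktop.ini
"""

# A Windows path ending in a loadable module, as DDS prints it (quoted or not,
# possibly several on one line as in AppInit_DLLs).
PATH_RE = re.compile(r"(?:[a-z]:|%[a-z]+%)\\.*?\.(?:dll|exe|sys|scr)\b", re.I)
# Find3M / "Created Last 30" file entries: date time size attributes path.
FIND3M_RE = re.compile(r"^\d{4}-\d{2}-\d{2} \d{2}:\d{2} [\d,]+ ([a-z-]{8}) ", re.I)
# DDS line prefixes for the auto-start / injection points seen in this log.
LOAD_POINTS = {
    "AppInit_DLLs": "injected into every process that loads user32",
    "LSA": "LSA notification package, loaded by lsass at boot",
    "SSODL": "shell service object, loaded by explorer",
    "STS": "shared task scheduler, loaded by explorer",
    "BHO": "browser helper object, loaded by Internet Explorer",
    "uRun": "per-user Run key",
    "mRun": "machine Run key",
}
VOWELS = set("aeiou")


def looks_machine_generated(stem: str) -> bool:
    """Assumed naming pattern of this Vundo variant: exactly eight lowercase
    letters alternating consonant/vowel (tobigulu, kufoluru, nilujete, ...).
    Real system modules (wininet, scecli, nvsvc, explorer) do not fit it."""
    if len(stem) != 8 or not stem.isalpha() or not stem.islower():
        return False
    return all((ch in VOWELS) == (i % 2 == 1) for i, ch in enumerate(stem))


@dataclass
class Finding:
    path: str
    reasons: set = field(default_factory=set)


def triage(log_text: str) -> dict:
    """Return {lower-cased path: Finding} for every module whose name matches
    the pattern, annotated with the load points and attributes seen for it."""
    findings = {}
    for line in log_text.splitlines():
        prefix = line.split(":", 1)[0].strip()
        attrs = FIND3M_RE.match(line)
        for path in PATH_RE.findall(line):
            key = path.lower()
            stem = key.rsplit("\\", 1)[-1].rsplit(".", 1)[0]
            if not looks_machine_generated(stem):
                continue
            f = findings.setdefault(key, Finding(key))
            f.reasons.add("machine-generated name")
            if prefix in LOAD_POINTS:
                f.reasons.add(f"persists via {prefix}")
            if attrs and "s" in attrs.group(1) and "h" in attrs.group(1):
                f.reasons.add("hidden+system attributes")
    return findings


def removal_candidates(findings: dict) -> list:
    """Files to quarantine plus the per-sample ProgramData folders the variant
    creates (each dropped DLL under ProgramData sits in a folder of the same
    name), which is why the OTMoveIt3 list names folders as well as files."""
    out = set()
    for path in findings:
        out.add(path)
        parent = path.rsplit("\\", 1)[0]
        folder = parent.rsplit("\\", 1)[-1]
        if looks_machine_generated(folder) and (
            "programdata" in parent or "progra~2" in parent
        ):
            out.add(parent)
    return sorted(out)


if __name__ == "__main__":
    hits = triage(SAMPLE_DDS)
    for f in sorted(hits.values(), key=lambda x: x.path):
        print(f.path)
        for r in sorted(f.reasons):
            point = r.replace("persists via ", "")
            print("   -", r, f"({LOAD_POINTS[point]})" if point in LOAD_POINTS else "")
    print("\nQuarantine list:")
    for p in removal_candidates(hits):
        print("  ", p)
```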

#3 rbecker
  • Topic Starter

  • Members
  • 9 posts

Posted 11 April 2009 - 03:50 PM

OK, followed those directions. Here are the logs for:
  • OTMoveIt log
  • Malwarebytes log
  • New DDS log

========== PROCESSES ==========
Process explorer.exe killed successfully.
========== FILES ==========
File/Folder c:\windows\system32\bivemufi.dll not found.
DllUnregisterServer procedure not found in c:\windows\system32\latabaye.dll
c:\windows\system32\latabaye.dll NOT unregistered.
c:\windows\system32\latabaye.dll moved successfully.
DllUnregisterServer procedure not found in c:\windows\system32\moriwami.dll
c:\windows\system32\moriwami.dll NOT unregistered.
c:\windows\system32\moriwami.dll moved successfully.
File/Folder c:\windows\system32\tobigulu.dll not found.
DllUnregisterServer procedure not found in c:\windows\system32\kufoluru.dll
c:\windows\system32\kufoluru.dll NOT unregistered.
c:\windows\system32\kufoluru.dll moved successfully.
c:\windows\system32\vemejofa.exe moved successfully.
DllUnregisterServer procedure not found in c:\windows\system32\nesirona.dll
c:\windows\system32\nesirona.dll NOT unregistered.
c:\windows\system32\nesirona.dll moved successfully.
c:\windows\system32\borababu.exe moved successfully.
DllUnregisterServer procedure not found in c:\windows\system32\hozekopo.dll
c:\windows\system32\hozekopo.dll NOT unregistered.
c:\windows\system32\hozekopo.dll moved successfully.
DllUnregisterServer procedure not found in c:\windows\system32\dowileyi.dll
c:\windows\system32\dowileyi.dll NOT unregistered.
c:\windows\system32\dowileyi.dll moved successfully.
c:\programdata\ruvekifo moved successfully.
File/Folder c:\progra~2\ruvekifo not found.
c:\programdata\Sony moved successfully.
c:\programdata\begadosi moved successfully.
File/Folder c:\progra~2\begadosi not found.
c:\programdata\tavimega moved successfully.
File/Folder c:\progra~2\tavimega not found.
c:\programdata\mobahibe moved successfully.
File/Folder c:\progra~2\mobahibe not found.
c:\programdata\pawehuhe moved successfully.
File/Folder c:\progra~2\pawehuhe not found.
c:\programdata\zelojive moved successfully.
c:\programdata\riyakuge moved successfully.
c:\programdata\jutepeso moved successfully.
File/Folder c:\progra~2\zelojive not found.
File/Folder c:\progra~2\riyakuge not found.
File/Folder c:\progra~2\jutepeso not found.
c:\programdata\zabinose moved successfully.
c:\programdata\luhuwuji moved successfully.
c:\programdata\hufowebi moved successfully.
c:\programdata\fatopoze moved successfully.
File/Folder c:\progra~2\zabinose not found.
File/Folder c:\progra~2\luhuwuji not found.
File/Folder c:\progra~2\hufowebi not found.
File/Folder c:\progra~2\fatopoze not found.
c:\programdata\wuyojogi moved successfully.
File/Folder c:\progra~2\wuyojogi not found.
C:\programdata\zekibawi moved successfully.
c:\programdata\halojoge moved successfully.
File/Folder c:\progra~2\zekibawi not found.
File/Folder c:\progra~2\halojoge not found.
c:\programdata\zifirobo moved successfully.
c:\programdata\vokubonu moved successfully.
c:\programdata\gukehere moved successfully.
File/Folder c:\progra~2\zifirobo not found.
File/Folder c:\progra~2\vokubonu not found.
File/Folder c:\progra~2\gukehere not found.
c:\programdata\vinabino moved successfully.
c:\programdata\nilujete moved successfully.
c:\programdata\nifisofo moved successfully.
File/Folder c:\progra~2\vinabino not found.
File/Folder c:\progra~2\nilujete not found.
File/Folder c:\progra~2\nifisofo not found.
========== COMMANDS ==========
File delete failed. C:\Users\HP_ADM~1\AppData\Local\Temp\etilqs_zTrOKHmAku8l2u2ADEmN scheduled to be deleted on reboot.
File delete failed. C:\Users\HP_ADM~1\AppData\Local\Temp\~DF36CC.tmp scheduled to be deleted on reboot.
File delete failed. C:\Users\HP_ADM~1\AppData\Local\Temp\~DF4186.tmp scheduled to be deleted on reboot.
User's Temp folder emptied.
User's Internet Explorer cache folder emptied.
Windows Temp folder emptied.
Java cache emptied.
File delete failed. C:\Users\HP_Administrator\AppData\Local\Mozilla\Firefox\Profiles\htdocqjh.default\Cache\_CACHE_001_ scheduled to be deleted on reboot.
File delete failed. C:\Users\HP_Administrator\AppData\Local\Mozilla\Firefox\Profiles\htdocqjh.default\Cache\_CACHE_002_ scheduled to be deleted on reboot.
File delete failed. C:\Users\HP_Administrator\AppData\Local\Mozilla\Firefox\Profiles\htdocqjh.default\Cache\_CACHE_003_ scheduled to be deleted on reboot.
File delete failed. C:\Users\HP_Administrator\AppData\Local\Mozilla\Firefox\Profiles\htdocqjh.default\Cache\_CACHE_MAP_ scheduled to be deleted on reboot.
File delete failed. C:\Users\HP_Administrator\AppData\Local\Mozilla\Firefox\Profiles\htdocqjh.default\urlclassifier3.sqlite scheduled to be deleted on reboot.
File delete failed. C:\Users\HP_Administrator\AppData\Local\Mozilla\Firefox\Profiles\htdocqjh.default\XUL.mfl scheduled to be deleted on reboot.
FireFox cache emptied.
Temp folders emptied.
Explorer started successfully

OTMoveIt3 by OldTimer - Version 1.0.10.0 log created on 04112009_130357

Files moved on Reboot...
File C:\Users\HP_ADM~1\AppData\Local\Temp\etilqs_zTrOKHmAku8l2u2ADEmN not found!
C:\Users\HP_ADM~1\AppData\Local\Temp\~DF36CC.tmp moved successfully.
C:\Users\HP_ADM~1\AppData\Local\Temp\~DF4186.tmp moved successfully.
C:\Users\HP_Administrator\AppData\Local\Mozilla\Firefox\Profiles\htdocqjh.default\Cache\_CACHE_001_ moved successfully.
C:\Users\HP_Administrator\AppData\Local\Mozilla\Firefox\Profiles\htdocqjh.default\Cache\_CACHE_002_ moved successfully.
C:\Users\HP_Administrator\AppData\Local\Mozilla\Firefox\Profiles\htdocqjh.default\Cache\_CACHE_003_ moved successfully.
C:\Users\HP_Administrator\AppData\Local\Mozilla\Firefox\Profiles\htdocqjh.default\Cache\_CACHE_MAP_ moved successfully.
C:\Users\HP_Administrator\AppData\Local\Mozilla\Firefox\Profiles\htdocqjh.default\urlclassifier3.sqlite moved successfully.
C:\Users\HP_Administrator\AppData\Local\Mozilla\Firefox\Profiles\htdocqjh.default\XUL.mfl moved successfully.




Malwarebytes' Anti-Malware 1.36
Database version: 1967
Windows 6.0.6001 Service Pack 1

4/11/2009 1:27:41 PM
mbam-log-2009-04-11 (13-27-41).txt

Scan type: Quick Scan
Objects scanned: 71317
Time elapsed: 6 minute(s), 32 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 3
Registry Keys Infected: 13
Registry Values Infected: 8
Registry Data Items Infected: 8
Folders Infected: 0
Files Infected: 8

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
c:\Windows\System32\jukohani.dll (Trojan.Vundo.H) -> Delete on reboot.
C:\Windows\System32\merisemo.dll (Trojan.Vundo.H) -> Delete on reboot.
C:\Windows\System32\melunule.dll (Trojan.Vundo.H) -> Delete on reboot.

Registry Keys Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{a28375af-c1da-4ced-a197-6505b4f0b24b} (Trojan.Vundo.H) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{a28375af-c1da-4ced-a197-6505b4f0b24b} (Trojan.Vundo.H) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{ec43e3fd-5c60-46a6-97d7-e0b85dbdd6c4} (Trojan.Vundo.H) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Typelib\{5d2631e5-8696-7543-50b2-f674cd4308eb} (Trojan.Fakealert) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{500bca15-57a7-4eaf-8143-8c619470b13d} (Trojan.FakeAlert) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{f02fabcb-92dd-475a-98af-14217bd50746} (Adware.Gamevance) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{a28375af-c1da-4ced-a197-6505b4f0b24b} (Trojan.Vundo.H) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Cognac (Rogue.Multiple) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\rdfa (Trojan.Vundo) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\contim (Trojan.Vundo) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\dslcnnct (Trojan.Vundo) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\dslcnnct (Trojan.Vundo) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\XML (Trojan.FakeAlert) -> Quarantined and deleted successfully.

Registry Values Infected:
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\viregedodu (Trojan.Vundo.H) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\cpm10053430 (Trojan.Vundo.H) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\cpm10053430 (Trojan.Vundo.H) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\viregedodu (Trojan.Vundo.H) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SharedTaskScheduler\{ec43e3fd-5c60-46a6-97d7-e0b85dbdd6c4} (Trojan.Vundo.H) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\ssodl (Trojan.Vundo.H) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\133607ac (Trojan.Agent) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Framework Windows (Trojan.FakeAlert) -> Quarantined and deleted successfully.

Registry Data Items Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\AppInit_DLLs (Trojan.Vundo.H) -> Data: c:\windows\system32\jukohani.dll -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\AppInit_DLLs (Trojan.Vundo.H) -> Data: c:\windows\system32\merisemo.dll -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\LSA\Notification Packages (Trojan.Vundo.H) -> Data: c:\windows\system32\merisemo.dll -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\activedesktop\NoChangingWallpaper (Hijack.DisplayProperties) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoSetActiveDesktop (Hijack.DisplayProperties) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoActiveDesktopChanges (Hijack.DisplayProperties) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoSetActiveDesktop (Hijack.DisplayProperties) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\UpdatesDisableNotify (Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.

Folders Infected:
(No malicious items detected)

Files Infected:
c:\Windows\System32\jukohani.dll (Trojan.Vundo.H) -> Delete on reboot.
C:\Windows\System32\melunule.dll (Trojan.Vundo.H) -> Delete on reboot.
C:\Windows\System32\bufetoyo.dll (Trojan.Vundo.H) -> Quarantined and deleted successfully.
C:\Windows\System32\merisemo.dll (Trojan.Vundo.H) -> Delete on reboot.
C:\Windows\System32\26K2CuCX.exe (Trojan.FakeAlert) -> Quarantined and deleted successfully.
C:\Windows\System32\wasubezu.dll (Trojan.Vundo.H) -> Quarantined and deleted successfully.
C:\Windows\System32\26K2CuCX.exe.a_a (Trojan.Agent) -> Quarantined and deleted successfully.
C:\Windows\System32\win32hlp.cnf (Trojan.Agent) -> Quarantined and deleted successfully.






DDS (Ver_09-03-16.01) - NTFSx86
Run by HP_Administrator at 13:47:21.44 on Sat 04/11/2009
Internet Explorer: 7.0.6001.18000
Microsoft® Windows Vista™ Home Premium 6.0.6001.1.1252.1.1033.18.2046.950 [GMT -7:00]

AV: CA Anti-Virus *On-access scanning enabled* (Updated)

============== Running Processes ===============

C:\Windows\system32\wininit.exe
C:\Windows\system32\lsm.exe
C:\Windows\system32\svchost.exe -k DcomLaunch
C:\Windows\system32\svchost.exe -k rpcss
C:\Windows\System32\svchost.exe -k secsvcs
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted
C:\Windows\system32\svchost.exe -k netsvcs
C:\Windows\system32\SLsvc.exe
C:\Windows\system32\svchost.exe -k LocalService
C:\Windows\system32\svchost.exe -k NetworkService
C:\Windows\System32\spoolsv.exe
C:\Windows\system32\taskeng.exe
C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork
C:\Program Files\Adobe\Photoshop Elements 5.0\PhotoshopElementsFileAgent.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\CA\CA Internet Security Suite\CA Anti-Virus\ISafe.exe
C:\Program Files\Carbonite\Carbonite Backup\carboniteservice.exe
C:\Program Files\DirecTV\DirecTV\Kernel\DMP\CLHNService.exe
C:\Windows\system32\svchost.exe -k hpdevmgmt
C:\Program Files\Intel\Intel Matrix Storage Manager\Iaantmon.exe
C:\Program Files\Common Files\LightScribe\LSSrvc.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\Program Files\Pinnacle\MediaServer\Microsoft SQL Server\MSSQL$PINNACLESYS\Binn\sqlservr.exe
C:\Windows\system32\Dwm.exe
C:\Windows\Explorer.EXE
C:\Windows\System32\svchost.exe -k HPZ12
C:\Windows\System32\svchost.exe -k HPZ12
C:\Windows\system32\svchost.exe -k NetworkServiceNetworkRestricted
C:\Windows\System32\snmp.exe
C:\Windows\system32\svchost.exe -k imgsvc
C:\Program Files\CA\CA Internet Security Suite\CA Anti-Virus\VetMsg.exe
C:\Windows\System32\svchost.exe -k WerSvcGroup
C:\Windows\system32\SearchIndexer.exe
C:\Windows\system32\WUDFHost.exe
C:\Windows\system32\DRIVERS\xaudio.exe
c:\program files\pinnacle\shared files\programs\mediaserver\pmshost.exe
C:\Program Files\Spybot - Search & Destroy\SDWinSec.exe
C:\Windows\system32\svchost.exe -k HPService
C:\Windows\system32\vssvc.exe
C:\Windows\system32\taskeng.exe
C:\Program Files\Intel\Intel Matrix Storage Manager\IAAnotif.exe
C:\Program Files\CA\CA Internet Security Suite\cctray\cctray.exe
C:\Program Files\CA\CA Internet Security Suite\CA Anti-Virus\cavrid.exe
C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe
C:\Program Files\Carbonite\Carbonite Backup\CarboniteUI.exe
C:\Windows\RtHDVCpl.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Windows Media Player\wmpnscfg.exe
C:\Windows\system32\wbem\wmiprvse.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Users\HP_Administrator\AppData\Local\Google\Update\GoogleUpdate.exe
C:\Program Files\Windows Media Player\wmpnetwk.exe
C:\Windows\System32\mobsync.exe
C:\Windows\ehome\ehtray.exe
C:\Windows\system32\wbem\unsecapp.exe
C:\Windows\ehome\ehmsas.exe
C:\Program Files\CA\CA Internet Security Suite\ccprovsp.exe
C:\Program Files\Windows Media Player\wmplayer.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Windows\System32\svchost.exe -k swprv
C:\HP\KBD\KBD.EXE
c:\windows\system\hpsysdrv.exe
C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
C:\Windows\system32\NOTEPAD.EXE
C:\Windows\system32\taskeng.exe
C:\Windows\system32\NOTEPAD.EXE
C:\Windows\system32\SearchProtocolHost.exe
C:\Windows\system32\SearchFilterHost.exe
C:\Users\HP_Administrator\Documents\Desktop\dds.scr
C:\Windows\system32\wbem\wmiprvse.exe

============== Pseudo HJT Report ===============

uDefault_Page_URL = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=EN_US&c=64&bd=PAVILION&pf=desktop
uDefault_Search_URL = hxxp://www.google.com/ie
uSearch Bar = hxxp://www.google.com/ie
uSearch Page = hxxp://www.google.com
uStart Page = hxxp://www.beckerz.com/
mSearch Bar = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iesearch&locale=EN_US&c=64&bd=PAVILION&pf=desktop
uInternet Settings,ProxyOverride = *.local
uSearchAssistant = hxxp://www.google.com/ie
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
mSearchAssistant = hxxp://www.google.com/ie
uURLSearchHooks: Yahoo! Toolbar: {ef99bd32-c1fb-11d2-892f-0090271d4f88} - c:\program files\yahoo!\companion\installs\cpn\yt.dll
mURLSearchHooks: Yahoo! Toolbar: {ef99bd32-c1fb-11d2-892f-0090271d4f88} - c:\program files\yahoo!\companion\installs\cpn\yt.dll
BHO: Yahoo! Toolbar Helper: {02478d38-c3f9-4efb-9b51-7695eca05670} - c:\program files\yahoo!\companion\installs\cpn\yt.dll
BHO: Adobe PDF Reader Link Helper: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\adobe\acrobat 7.0\activex\AcroIEHelper.dll
BHO: Spybot-S&D IE Protection: {53707962-6f74-2d53-2644-206d7942484f} - c:\progra~1\spybot~1\SDHelper.dll
BHO: SSVHelper Class: {761497bb-d6f0-462c-b6eb-d4daf1d92d43} - c:\program files\java\jre1.5.0_09\bin\ssv.dll
BHO: {7E853D72-626A-48EC-A868-BA8D5E23E045} - No File
BHO: Google Toolbar Notifier BHO: {af69de43-7d58-4638-b6fa-ce66b5ad205d} - c:\program files\google\googletoolbarnotifier\5.1.1309.3572\swg.dll
TB: Yahoo! Toolbar: {ef99bd32-c1fb-11d2-892f-0090271d4f88} - c:\program files\yahoo!\companion\installs\cpn\yt.dll
uRun: [Google Update] "c:\users\hp_administrator\appdata\local\google\update\GoogleUpdate.exe" /c
uRun: [ehTray.exe] c:\windows\ehome\ehTray.exe
mRun: [Windows Defender] %ProgramFiles%\Windows Defender\MSASCui.exe -hide
mRun: [Recguard] c:\windows\sminst\RECGUARD.EXE
mRun: [IAAnotif] "c:\program files\intel\intel matrix storage manager\Iaanotif.exe"
mRun: [HPBootOp] "c:\program files\hewlett-packard\hp boot optimizer\HPBootOp.exe" /run
mRun: [ftutil2] rundll32.exe ftutil2.dll,SetWriteCacheMode
mRun: [cctray] "c:\program files\ca\ca internet security suite\cctray\cctray.exe"
mRun: [CAVRID] "c:\program files\ca\ca internet security suite\ca anti-virus\CAVRID.exe"
mRun: [NvSvc] RUNDLL32.EXE c:\windows\system32\nvsvc.dll,nvsvcStart
mRun: [NvCplDaemon] RUNDLL32.EXE c:\windows\system32\NvCpl.dll,NvStartup
mRun: [NvMediaCenter] RUNDLL32.EXE c:\windows\system32\NvMcTray.dll,NvTaskbarInit
mRun: [Carbonite Backup] c:\program files\carbonite\carbonite backup\CarboniteUI.exe
mRun: [RtHDVCpl] RtHDVCpl.exe
mRun: [AppleSyncNotifier] c:\program files\common files\apple\mobile device support\bin\AppleSyncNotifier.exe
mRun: [TkBellExe] "c:\program files\common files\real\update_ob\realsched.exe" -osboot
mRun: [Google Desktop Search] "c:\program files\google\google desktop search\GoogleDesktop.exe" /startup
mRun: [QuickTime Task] "c:\program files\quicktime\QTTask.exe" -atboottime
mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe"
dRunOnce: [FlashPlayerUpdate] c:\windows\system32\macromed\flash\FlashUtil10a.exe
StartupFolder: c:\users\hp_adm~1\appdata\roaming\micros~1\windows\startm~1\programs\startup\erunta~1.lnk - c:\program files\erunt\AUTOBACK.EXE
StartupFolder: c:\progra~2\micros~1\windows\startm~1\programs\startup\update~1.lnk - c:\program files\updates from hp\9972322\program\Updates from HP.exe
mPolicies-system: EnableUIADesktopToggle = 0 (0x0)
IE: Add to Google Photos Screensa&ver - c:\windows\system32\GPhotos.scr/200
IE: E&xport to Microsoft Excel - c:\progra~1\micros~4\office10\EXCEL.EXE/3000
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - {CAFEEFAC-0015-0000-0009-ABCDEFFEDCBC} - c:\program files\java\jre1.5.0_09\bin\ssv.dll
IE: {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - {53707962-6F74-2D53-2644-206D7942484F} - c:\progra~1\spybot~1\SDHelper.dll
LSP: c:\windows\system32\VetRedir.dll
DPF: {0CCA191D-13A6-4E29-B746-314DEE697D83} - hxxp://upload.facebook.com/controls/2008.10.10_v5.5.8/FacebookPhotoUploader5.cab
DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} - hxxp://fpdownload.macromedia.com/get/flashplayer/current/polarbear/ultrashim.cab
DPF: {F27237D7-93C8-44C2-AC6E-D6057B9A918F} - hxxps://remote.csaa.com/dana-cached/sc/JuniperSetupClient.cab
Handler: cdo - {CD00020A-8B95-11D1-82DB-00C04FB1625D} - c:\program files\common files\microsoft shared\web folders\PKMCDO.DLL
AppInit_DLLs: c:\progra~1\google\go333c~1\goec62~1.dll ,c:\programdata\vokubonu\vokubonu.dll, c:\windows\system32\kufoluru.dll c:\windows\system32\nesirona.dll c:\windows\system32\hozekopo.dll c:\windows\system32\dowileyi.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - %SystemRoot%\system32\wpdshserviceobj.dll
LSA: Notification Packages = scecli c:\programdata\vokubonu\vokubonu.dll

================= FIREFOX ===================

FF - ProfilePath - c:\users\hp_adm~1\appdata\roaming\mozilla\firefox\profiles\htdocqjh.default\
FF - component: c:\program files\mozilla firefox\components\GoogleDesktopMozilla.dll
FF - plugin: c:\program files\google\google updater\2.4.1536.6592\npCIDetect13.dll
FF - plugin: c:\program files\google\picasa3\npPicasa2.dll
FF - plugin: c:\program files\google\picasa3\npPicasa3.dll
FF - plugin: c:\program files\java\jre1.5.0_09\bin\NPJava11.dll
FF - plugin: c:\program files\java\jre1.5.0_09\bin\NPJava12.dll
FF - plugin: c:\program files\java\jre1.5.0_09\bin\NPJava13.dll
FF - plugin: c:\program files\java\jre1.5.0_09\bin\NPJava14.dll
FF - plugin: c:\program files\java\jre1.5.0_09\bin\NPJava32.dll
FF - plugin: c:\program files\java\jre1.5.0_09\bin\NPJPI150_09.dll
FF - plugin: c:\program files\java\jre1.5.0_09\bin\NPOJI610.dll
FF - plugin: c:\users\hp_administrator\appdata\local\google\update\1.2.141.5\npGoogleOneClick7.dll
FF - plugin: c:\users\hp_administrator\appdata\roaming\mozilla\plugins\npgoogletalk.dll

============= SERVICES / DRIVERS ===============

R1 vcdrom;Virtual CD-ROM Device Driver;c:\windows\system32\drivers\VCdRom.sys [2001-12-19 8576]
R2 CLHNService3;CLHNService3;c:\program files\directv\directv\kernel\dmp\CLHNService.exe [2008-9-26 98304]
R2 ntk3;ntk3;c:\program files\directv\directv\kernel\dmp\ntk3.sys [2008-9-26 120048]
R2 SBSDWSCService;SBSD Security Center Service;c:\program files\spybot - search & destroy\SDWinSec.exe [2009-1-17 1153368]
S3 DCamUSBNW800;CIF USB Camera (2110);c:\windows\system32\drivers\pcam800.sys [2002-7-27 210792]
S3 GoogleDesktopManager-092308-165331;Google Desktop Manager 5.8.809.23506;c:\program files\google\google desktop search\GoogleDesktop.exe [2009-3-6 30192]
S3 PsSdk41;PsSdk41;c:\windows\system32\drivers\pssdk41.sys [2008-7-12 36928]
S3 VST_DPV;VST_DPV;c:\windows\system32\drivers\VSTDPV3.SYS [2006-11-2 987648]
S3 VSTHWBS2;VSTHWBS2;c:\windows\system32\drivers\VSTBS23.SYS [2006-11-2 251904]

=============== Created Last 30 ================

2009-04-11 13:17 <DIR> --d----- c:\users\hp_adm~1\appdata\roaming\Malwarebytes
2009-04-11 13:17 15,504 a------- c:\windows\system32\drivers\mbam.sys
2009-04-11 13:17 38,496 a------- c:\windows\system32\drivers\mbamswissarmy.sys
2009-04-11 13:17 <DIR> --d----- c:\programdata\Malwarebytes
2009-04-11 13:17 <DIR> --d----- c:\program files\Malwarebytes' Anti-Malware
2009-04-11 13:17 <DIR> --d----- c:\progra~2\Malwarebytes
2009-04-11 13:03 <DIR> --d----- C:\_OTMoveIt
2009-04-09 21:49 318,976 a------- c:\windows\system32\CF16613.exe
2009-04-09 21:49 <DIR> --d----- C:\blue
2009-04-09 21:42 318,976 a------- c:\windows\system32\CF15434.exe
2009-04-09 21:41 318,976 a------- c:\windows\system32\CF15222.exe
2009-04-09 21:34 <DIR> --d----- C:\globremover
2009-04-09 21:34 318,976 a------- c:\windows\system32\CF13703.exe
2009-04-09 21:32 318,976 a------- c:\windows\system32\CF13348.exe
2009-04-09 21:29 318,976 a------- c:\windows\system32\CF12779.exe
2009-04-09 21:29 <DIR> --d----- C:\Combo-Fix
2009-04-09 21:22 318,976 a------- c:\windows\system32\CF11457.exe
2009-04-09 21:17 318,976 a------- c:\windows\system32\CF10484.exe
2009-04-09 20:42 318,976 a------- c:\windows\system32\CF3639.exe
2009-04-09 20:27 318,976 a------- c:\windows\system32\CF700.exe
2009-04-09 20:19 <DIR> --d----- C:\multifix
2009-04-09 20:19 318,976 a------- c:\windows\system32\CF31763.exe
2009-04-09 20:09 318,976 a------- c:\windows\system32\CF29879.exe
2009-04-09 20:07 318,976 a------- c:\windows\system32\CF29500.exe
2009-04-09 20:00 318,976 a------- c:\windows\system32\CF28109.exe
2009-04-09 19:49 318,976 a------- c:\windows\system32\CF25908.exe
2009-04-09 19:44 318,976 a------- c:\windows\system32\CF24879.exe
2009-04-08 23:01 318,976 a------- c:\windows\system32\CF10771.exe
2009-04-08 22:06 318,976 a------- c:\windows\system32\CF20.exe
2009-04-08 21:58 318,976 a------- c:\windows\system32\CF31260.exe
2009-04-08 21:55 318,976 a------- c:\windows\system32\CF30597.exe
2009-04-08 21:53 318,976 a------- c:\windows\system32\CF30195.exe
2009-04-05 17:45 318,976 a------- c:\windows\system32\CF19755.exe
2009-04-05 17:34 318,976 a------- c:\windows\system32\CF17802.exe
2009-04-05 14:55 318,976 a------- c:\windows\system32\CF19423.exe
2009-04-05 14:37 318,976 a------- c:\windows\system32\CF15772.exe
2009-04-05 14:26 318,976 a------- c:\windows\system32\CF13300.exe
2009-03-17 21:09 107,368 a------- c:\windows\system32\GEARAspi.dll
2009-03-17 21:09 23,848 a------- c:\windows\system32\drivers\GEARAspiWDM.sys
2009-03-17 21:08 <DIR> --d----- c:\program files\iPod
2009-03-17 21:08 <DIR> --d----- c:\programdata\{00D89592-F643-4D8D-8F0F-AFAE0F14D4C3}
2009-03-17 21:08 <DIR> --d----- c:\progra~2\{00D89592-F643-4D8D-8F0F-AFAE0F14D4C3}

==================== Find3M ====================

2009-04-11 11:50 51,200 a--sh--- c:\windows\system32\nebiwofo.exe
2009-03-17 20:59 143,360 a------- c:\windows\inf\infstrng.dat
2009-03-17 20:59 86,016 a------- c:\windows\inf\infstor.dat
2009-03-17 20:59 51,200 a------- c:\windows\inf\infpub.dat
2009-03-05 23:59 1,900,544 a------- c:\windows\system32\usbaaplrc.dll
2009-03-05 23:59 36,864 a------- c:\windows\system32\drivers\usbaapl.sys
2009-02-08 20:10 2,033,152 a------- c:\windows\system32\win32k.sys
2009-01-14 23:11 827,392 a------- c:\windows\system32\wininet.dll
2008-12-09 21:46 146,136 a------- c:\users\hp_adm~1\appdata\roaming\GDIPFONTCACHEV1.DAT
2008-06-14 03:12 665,600 a------- c:\windows\inf\drvindex.dat
2008-03-26 18:45 174 a--sh--- c:\program files\desktop.ini
2006-11-02 05:42 287,440 a------- c:\windows\inf\perflib\0409\perfi.dat
2006-11-02 05:42 287,440 a------- c:\windows\inf\perflib\0409\perfh.dat
2006-11-02 05:42 30,674 a------- c:\windows\inf\perflib\0409\perfd.dat
2006-11-02 05:42 30,674 a------- c:\windows\inf\perflib\0409\perfc.dat
2006-11-02 02:20 287,440 a------- c:\windows\inf\perflib\0000\perfi.dat
2006-11-02 02:20 287,440 a------- c:\windows\inf\perflib\0000\perfh.dat
2006-11-02 02:20 30,674 a------- c:\windows\inf\perflib\0000\perfd.dat
2006-11-02 02:20 30,674 a------- c:\windows\inf\perflib\0000\perfc.dat
2007-02-18 11:20 16,384 a--sh--- c:\windows\serviceprofiles\localservice\appdata\local\microsoft\windows\history\history.ie5\index.dat
2007-02-18 11:20 32,768 a--sh--- c:\windows\serviceprofiles\localservice\appdata\local\microsoft\windows\temporary internet files\content.ie5\index.dat
2007-02-18 11:20 16,384 a--sh--- c:\windows\serviceprofiles\localservice\appdata\roaming\microsoft\windows\cookies\index.dat
2006-12-16 16:41 22 a--sh--- c:\windows\sminst\HPCD.sys

============= FINISH: 13:48:27.89 ===============
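The DDS output above still lists load points that Malwarebytes did not clean: the AppInit_DLLs value carries vokubonu.dll, kufoluru.dll, nesirona.dll, hozekopo.dll and dowileyi.dll, the LSA Notification Packages value carries vokubonu.dll again, and Find3M shows a hidden+system nebiwofo.exe in system32. These are the same three persistence mechanisms the MBAM log cleaned (AppInit_DLLs, LSA Notification Packages, SSODL) and the same generated file-name pattern (jukohani, merisemo, melunule). As an added example, not part of this thread or of DDS/OTMoveIt, the Python below reads those DDS lines and flags modules whose names follow that consonant-vowel pattern, plus hidden+system files under system32. The sample input is copied from the log above; the KNOWN_GOOD allowlist is an assumption for this host. A "suspect" verdict is a reason to pull the file for inspection, not proof by itself.

```python
"""Triage DDS 'Pseudo HJT Report' load points for Vundo-style persistence.

Added example for this thread; it is not DDS, OTMoveIt or Malwarebytes code.
"""
import re
from collections import Counter

# Constructed sample: lines copied from the DDS output in the thread
# (AppInit_DLLs, SSODL, LSA Notification Packages, three Find3M file entries).
SAMPLE_DDS = r"""
AppInit_DLLs: c:\progra~1\google\go333c~1\goec62~1.dll ,c:\programdata\vokubonu\vokubonu.dll, c:\windows\system32\kufoluru.dll c:\windows\system32\nesirona.dll c:\windows\system32\hozekopo.dll c:\windows\system32\dowileyi.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - %SystemRoot%\system32\wpdshserviceobj.dll
LSA: Notification Packages = scecli c:\programdata\vokubonu\vokubonu.dll
2009-04-11 11:50 51,200 a--sh--- c:\windows\system32\nebiwofo.exe
2009-03-17 20:59 143,360 a------- c:\windows\inf\infstrng.dat
2008-03-26 18:45 174 a--sh--- c:\program files\desktop.ini
"""

# Assumption for this example: modules expected in these load points on the
# host in the logs (Google Desktop hook, the stock SSODL entry, scecli).
KNOWN_GOOD = {"goec62~1.dll", "wpdshserviceobj.dll", "scecli"}

# Vundo drops DLLs/EXEs with generated 8-10 letter names alternating consonant
# and vowel (jukohani, merisemo, vokubonu, nebiwofo). Heuristic, not proof.
GENERATED_NAME_RE = re.compile(r"^(?:[bcdfghjklmnpqrstvwxyz][aeiou]){4,5}$")

# DDS file entry: "YYYY-MM-DD HH:MM  size  attrs  path" (attrs like a--sh---)
FILE_LINE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2})\s+(?P<size>[\d,]+)\s+"
    r"(?P<attrs>[a-z-]{8})\s+(?P<path>.+)$"
)


def split_module_list(value):
    """AppInit_DLLs / Notification Packages values mix comma and space
    delimiters. DDS prints 8.3 short names (progra~1), so splitting on
    whitespace does not break paths here."""
    return [p for p in re.split(r"[,\s]+", value.strip()) if p]


def looks_generated(path):
    """True if the file stem matches the Vundo generated-name pattern."""
    name = path.rsplit("\\", 1)[-1].lower()
    stem = name.rsplit(".", 1)[0]
    return bool(GENERATED_NAME_RE.match(stem))


def classify(load_point, path):
    name = path.rsplit("\\", 1)[-1].lower()
    if name in KNOWN_GOOD:
        verdict = "known-good"
    elif looks_generated(path):
        verdict = "suspect"
    else:
        verdict = "review"
    return {"load_point": load_point, "path": path, "verdict": verdict}


def triage(text):
    """Return one finding per module loaded from a persistence point."""
    findings = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        if line.startswith("AppInit_DLLs:"):
            for mod in split_module_list(line.split(":", 1)[1]):
                findings.append(classify("AppInit_DLLs", mod))
        elif line.startswith("LSA: Notification Packages"):
            for mod in split_module_list(line.split("=", 1)[1]):
                findings.append(classify("LSA Notification Packages", mod))
        elif line.startswith("SSODL:"):
            findings.append(classify("SSODL", line.rsplit(" - ", 1)[1]))
        else:
            m = FILE_LINE_RE.match(line)
            # hidden+system attributes on a file in system32 is how the
            # dropper (nebiwofo.exe above) hides from a casual directory listing
            if m and "h" in m.group("attrs") and "s" in m.group("attrs") \
                    and "\\system32\\" in m.group("path").lower():
                findings.append(classify("hidden+system in system32", m.group("path")))
    return findings


def summarize(findings):
    return dict(Counter(f["verdict"] for f in findings))


def suspects(findings):
    """Unique suspect paths, lowercased and sorted, ready for an OTMoveIt :Files list."""
    return sorted({f["path"].lower() for f in findings if f["verdict"] == "suspect"})


if __name__ == "__main__":
    results = triage(SAMPLE_DDS)
    for f in results:
        print(f"{f['verdict']:<11} {f['load_point']:<28} {f['path']}")
    print(summarize(results))
```

On the sample above this reports 3 known-good entries and 7 suspect ones (vokubonu.dll appears in two load points), and `suspects()` yields the six unique paths that a helper would carry into the OTMoveIt :Files list or check by hash. The desktop.ini entry shows why the hidden+system rule is scoped to system32: that attribute combination is normal for shell metadata elsewhere.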

#4 kahdah
  • Security Colleague
  • 11,138 posts
  • Gender:Male
  • Location:Florida
Posted 11 April 2009 - 04:04 PM

Hi, I added the Sony folder by accident.
I didn't remove it when I was copying and pasting.

First
  • Please double-click OTMoveIt3.exe to run it. (Note: If you are running on Vista, right-click on the file and choose Run As Administrator).
  • Click the Restore button at the top.
  • Select the .res file, then click Open.
  • Scroll through and find this entry: C:\ProgramData\Sony.
  • Place a check mark next to that entry and then click Restore It at the top.
  • It will then say it is restored.
  • Please then close OTMoveIt3.
=======================
Then
  • Please double-click OTMoveIt3.exe to run it. (Note: If you are running on Vista, right-click on the file and choose Run As Administrator).
  • Copy the lines in the codebox below to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose Copy):

    :Files
    C:\windows\system32\nebiwofo.exe
  • Return to OTMoveIt3, right-click in the "Paste Instructions for Items to be Moved" window (under the yellow bar) and choose Paste.
  • Click the red MoveIt! button.
  • Copy everything in the Results window (under the green bar) to the clipboard by highlighting ALL of it and pressing CTRL + C (or, after highlighting, right-click and choose Copy), and paste it in your next reply.
  • Close OTMoveIt3.
Note: If a file or folder cannot be moved immediately, you may be asked to reboot the machine to finish the move process. If you are asked to reboot the machine, choose Yes. In this case, after the reboot, open Notepad (Start->All Programs->Accessories->Notepad), click File->Open, in the File Name box enter *.log and press the Enter key, navigate to the C:\_OTMoveIt\MovedFiles folder, open the newest .log file present, and copy/paste the contents of that document back here in your next post.
===================================
Please then reboot and post the OTMoveIt log and a new DDS log, and let me know how things are running.

Please do not pm for help, post it in the forums instead.

If I am helping you and have not responded for 48 hours please send me a pm as I don't always get notifications.

My help is always free; however, if you would like to make a donation to me for the help I have provided, please click here.

#5 rbecker
  • Topic Starter
  • Members
  • 9 posts
Posted 11 April 2009 - 04:20 PM

Done...


========== FILES ==========
C:\windows\system32\nebiwofo.exe moved successfully.

OTMoveIt3 by OldTimer - Version 1.0.10.0 log created on 04112009_141414




DDS (Ver_09-03-16.01) - NTFSx86
Run by HP_Administrator at 14:15:57.87 on Sat 04/11/2009
Internet Explorer: 7.0.6001.18000
Microsoft® Windows Vista™ Home Premium 6.0.6001.1.1252.1.1033.18.2046.911 [GMT -7:00]

AV: CA Anti-Virus *On-access scanning enabled* (Updated)

============== Running Processes ===============

C:\Windows\system32\wininit.exe
C:\Windows\system32\lsm.exe
C:\Windows\system32\svchost.exe -k DcomLaunch
C:\Windows\system32\svchost.exe -k rpcss
C:\Windows\System32\svchost.exe -k secsvcs
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted
C:\Windows\system32\svchost.exe -k netsvcs
C:\Windows\system32\SLsvc.exe
C:\Windows\system32\svchost.exe -k LocalService
C:\Windows\system32\svchost.exe -k NetworkService
C:\Windows\System32\spoolsv.exe
C:\Windows\system32\taskeng.exe
C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork
C:\Program Files\Adobe\Photoshop Elements 5.0\PhotoshopElementsFileAgent.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\CA\CA Internet Security Suite\CA Anti-Virus\ISafe.exe
C:\Program Files\Carbonite\Carbonite Backup\carboniteservice.exe
C:\Program Files\DirecTV\DirecTV\Kernel\DMP\CLHNService.exe
C:\Windows\system32\svchost.exe -k hpdevmgmt
C:\Program Files\Intel\Intel Matrix Storage Manager\Iaantmon.exe
C:\Program Files\Common Files\LightScribe\LSSrvc.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\Program Files\Pinnacle\MediaServer\Microsoft SQL Server\MSSQL$PINNACLESYS\Binn\sqlservr.exe
C:\Windows\system32\Dwm.exe
C:\Windows\Explorer.EXE
C:\Windows\System32\svchost.exe -k HPZ12
C:\Windows\System32\svchost.exe -k HPZ12
C:\Windows\system32\svchost.exe -k NetworkServiceNetworkRestricted
C:\Windows\System32\snmp.exe
C:\Windows\system32\svchost.exe -k imgsvc
C:\Program Files\CA\CA Internet Security Suite\CA Anti-Virus\VetMsg.exe
C:\Windows\System32\svchost.exe -k WerSvcGroup
C:\Windows\system32\SearchIndexer.exe
C:\Windows\system32\WUDFHost.exe
C:\Windows\system32\DRIVERS\xaudio.exe
c:\program files\pinnacle\shared files\programs\mediaserver\pmshost.exe
C:\Program Files\Spybot - Search & Destroy\SDWinSec.exe
C:\Windows\system32\svchost.exe -k HPService
C:\Windows\system32\vssvc.exe
C:\Windows\system32\taskeng.exe
C:\Program Files\Intel\Intel Matrix Storage Manager\IAAnotif.exe
C:\Program Files\CA\CA Internet Security Suite\cctray\cctray.exe
C:\Program Files\CA\CA Internet Security Suite\CA Anti-Virus\cavrid.exe
C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe
C:\Program Files\Carbonite\Carbonite Backup\CarboniteUI.exe
C:\Windows\RtHDVCpl.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Windows Media Player\wmpnscfg.exe
C:\Windows\system32\wbem\wmiprvse.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Users\HP_Administrator\AppData\Local\Google\Update\GoogleUpdate.exe
C:\Program Files\Windows Media Player\wmpnetwk.exe
C:\Windows\System32\mobsync.exe
C:\Windows\ehome\ehtray.exe
C:\Windows\system32\wbem\unsecapp.exe
C:\Windows\ehome\ehmsas.exe
C:\Program Files\CA\CA Internet Security Suite\ccprovsp.exe
C:\Program Files\Windows Media Player\wmplayer.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Windows\System32\svchost.exe -k swprv
C:\HP\KBD\KBD.EXE
c:\windows\system\hpsysdrv.exe
C:\Windows\system32\taskeng.exe
C:\Windows\system32\SearchProtocolHost.exe
C:\Windows\system32\SearchFilterHost.exe
C:\Users\HP_Administrator\Documents\Desktop\dds.scr
C:\Windows\system32\wbem\wmiprvse.exe

============== Pseudo HJT Report ===============

uDefault_Page_URL = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=EN_US&c=64&bd=PAVILION&pf=desktop
uDefault_Search_URL = hxxp://www.google.com/ie
uSearch Bar = hxxp://www.google.com/ie
uSearch Page = hxxp://www.google.com
uStart Page = hxxp://www.beckerz.com/
mSearch Bar = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iesearch&locale=EN_US&c=64&bd=PAVILION&pf=desktop
uInternet Settings,ProxyOverride = *.local
uSearchAssistant = hxxp://www.google.com/ie
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
mSearchAssistant = hxxp://www.google.com/ie
uURLSearchHooks: Yahoo! Toolbar: {ef99bd32-c1fb-11d2-892f-0090271d4f88} - c:\program files\yahoo!\companion\installs\cpn\yt.dll
mURLSearchHooks: Yahoo! Toolbar: {ef99bd32-c1fb-11d2-892f-0090271d4f88} - c:\program files\yahoo!\companion\installs\cpn\yt.dll
BHO: Yahoo! Toolbar Helper: {02478d38-c3f9-4efb-9b51-7695eca05670} - c:\program files\yahoo!\companion\installs\cpn\yt.dll
BHO: Adobe PDF Reader Link Helper: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\adobe\acrobat 7.0\activex\AcroIEHelper.dll
BHO: Spybot-S&D IE Protection: {53707962-6f74-2d53-2644-206d7942484f} - c:\progra~1\spybot~1\SDHelper.dll
BHO: SSVHelper Class: {761497bb-d6f0-462c-b6eb-d4daf1d92d43} - c:\program files\java\jre1.5.0_09\bin\ssv.dll
BHO: {7E853D72-626A-48EC-A868-BA8D5E23E045} - No File
BHO: Google Toolbar Notifier BHO: {af69de43-7d58-4638-b6fa-ce66b5ad205d} - c:\program files\google\googletoolbarnotifier\5.1.1309.3572\swg.dll
TB: Yahoo! Toolbar: {ef99bd32-c1fb-11d2-892f-0090271d4f88} - c:\program files\yahoo!\companion\installs\cpn\yt.dll
uRun: [Google Update] "c:\users\hp_administrator\appdata\local\google\update\GoogleUpdate.exe" /c
uRun: [ehTray.exe] c:\windows\ehome\ehTray.exe
mRun: [Windows Defender] %ProgramFiles%\Windows Defender\MSASCui.exe -hide
mRun: [Recguard] c:\windows\sminst\RECGUARD.EXE
mRun: [IAAnotif] "c:\program files\intel\intel matrix storage manager\Iaanotif.exe"
mRun: [HPBootOp] "c:\program files\hewlett-packard\hp boot optimizer\HPBootOp.exe" /run
mRun: [ftutil2] rundll32.exe ftutil2.dll,SetWriteCacheMode
mRun: [cctray] "c:\program files\ca\ca internet security suite\cctray\cctray.exe"
mRun: [CAVRID] "c:\program files\ca\ca internet security suite\ca anti-virus\CAVRID.exe"
mRun: [NvSvc] RUNDLL32.EXE c:\windows\system32\nvsvc.dll,nvsvcStart
mRun: [NvCplDaemon] RUNDLL32.EXE c:\windows\system32\NvCpl.dll,NvStartup
mRun: [NvMediaCenter] RUNDLL32.EXE c:\windows\system32\NvMcTray.dll,NvTaskbarInit
mRun: [Carbonite Backup] c:\program files\carbonite\carbonite backup\CarboniteUI.exe
mRun: [RtHDVCpl] RtHDVCpl.exe
mRun: [AppleSyncNotifier] c:\program files\common files\apple\mobile device support\bin\AppleSyncNotifier.exe
mRun: [TkBellExe] "c:\program files\common files\real\update_ob\realsched.exe" -osboot
mRun: [Google Desktop Search] "c:\program files\google\google desktop search\GoogleDesktop.exe" /startup
mRun: [QuickTime Task] "c:\program files\quicktime\QTTask.exe" -atboottime
mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe"
dRunOnce: [FlashPlayerUpdate] c:\windows\system32\macromed\flash\FlashUtil10a.exe
StartupFolder: c:\users\hp_adm~1\appdata\roaming\micros~1\windows\startm~1\programs\startup\erunta~1.lnk - c:\program files\erunt\AUTOBACK.EXE
StartupFolder: c:\progra~2\micros~1\windows\startm~1\programs\startup\update~1.lnk - c:\program files\updates from hp\9972322\program\Updates from HP.exe
mPolicies-system: EnableUIADesktopToggle = 0 (0x0)
IE: Add to Google Photos Screensa&ver - c:\windows\system32\GPhotos.scr/200
IE: E&xport to Microsoft Excel - c:\progra~1\micros~4\office10\EXCEL.EXE/3000
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - {CAFEEFAC-0015-0000-0009-ABCDEFFEDCBC} - c:\program files\java\jre1.5.0_09\bin\ssv.dll
IE: {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - {53707962-6F74-2D53-2644-206D7942484F} - c:\progra~1\spybot~1\SDHelper.dll
LSP: c:\windows\system32\VetRedir.dll
DPF: {0CCA191D-13A6-4E29-B746-314DEE697D83} - hxxp://upload.facebook.com/controls/2008.10.10_v5.5.8/FacebookPhotoUploader5.cab
DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} - hxxp://fpdownload.macromedia.com/get/flashplayer/current/polarbear/ultrashim.cab
DPF: {F27237D7-93C8-44C2-AC6E-D6057B9A918F} - hxxps://remote.csaa.com/dana-cached/sc/JuniperSetupClient.cab
Handler: cdo - {CD00020A-8B95-11D1-82DB-00C04FB1625D} - c:\program files\common files\microsoft shared\web folders\PKMCDO.DLL
AppInit_DLLs: c:\progra~1\google\go333c~1\goec62~1.dll ,c:\programdata\vokubonu\vokubonu.dll, c:\windows\system32\kufoluru.dll c:\windows\system32\nesirona.dll c:\windows\system32\hozekopo.dll c:\windows\system32\dowileyi.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - %SystemRoot%\system32\wpdshserviceobj.dll
LSA: Notification Packages = scecli c:\programdata\vokubonu\vokubonu.dll

================= FIREFOX ===================

FF - ProfilePath - c:\users\hp_adm~1\appdata\roaming\mozilla\firefox\profiles\htdocqjh.default\
FF - component: c:\program files\mozilla firefox\components\GoogleDesktopMozilla.dll
FF - plugin: c:\program files\google\google updater\2.4.1536.6592\npCIDetect13.dll
FF - plugin: c:\program files\google\picasa3\npPicasa2.dll
FF - plugin: c:\program files\google\picasa3\npPicasa3.dll
FF - plugin: c:\program files\java\jre1.5.0_09\bin\NPJava11.dll
FF - plugin: c:\program files\java\jre1.5.0_09\bin\NPJava12.dll
FF - plugin: c:\program files\java\jre1.5.0_09\bin\NPJava13.dll
FF - plugin: c:\program files\java\jre1.5.0_09\bin\NPJava14.dll
FF - plugin: c:\program files\java\jre1.5.0_09\bin\NPJava32.dll
FF - plugin: c:\program files\java\jre1.5.0_09\bin\NPJPI150_09.dll
FF - plugin: c:\program files\java\jre1.5.0_09\bin\NPOJI610.dll
FF - plugin: c:\users\hp_administrator\appdata\local\google\update\1.2.141.5\npGoogleOneClick7.dll
FF - plugin: c:\users\hp_administrator\appdata\roaming\mozilla\plugins\npgoogletalk.dll

============= SERVICES / DRIVERS ===============

R1 vcdrom;Virtual CD-ROM Device Driver;c:\windows\system32\drivers\VCdRom.sys [2001-12-19 8576]
R2 CLHNService3;CLHNService3;c:\program files\directv\directv\kernel\dmp\CLHNService.exe [2008-9-26 98304]
R2 ntk3;ntk3;c:\program files\directv\directv\kernel\dmp\ntk3.sys [2008-9-26 120048]
R2 SBSDWSCService;SBSD Security Center Service;c:\program files\spybot - search & destroy\SDWinSec.exe [2009-1-17 1153368]
S3 DCamUSBNW800;CIF USB Camera (2110);c:\windows\system32\drivers\pcam800.sys [2002-7-27 210792]
S3 GoogleDesktopManager-092308-165331;Google Desktop Manager 5.8.809.23506;c:\program files\google\google desktop search\GoogleDesktop.exe [2009-3-6 30192]
S3 PsSdk41;PsSdk41;c:\windows\system32\drivers\pssdk41.sys [2008-7-12 36928]
S3 VST_DPV;VST_DPV;c:\windows\system32\drivers\VSTDPV3.SYS [2006-11-2 987648]
S3 VSTHWBS2;VSTHWBS2;c:\windows\system32\drivers\VSTBS23.SYS [2006-11-2 251904]

=============== Created Last 30 ================

2009-04-11 14:12 <DIR> --d----- c:\programdata\Sony
2009-04-11 13:17 <DIR> --d----- c:\users\hp_adm~1\appdata\roaming\Malwarebytes
2009-04-11 13:17 15,504 a------- c:\windows\system32\drivers\mbam.sys
2009-04-11 13:17 38,496 a------- c:\windows\system32\drivers\mbamswissarmy.sys
2009-04-11 13:17 <DIR> --d----- c:\programdata\Malwarebytes
2009-04-11 13:17 <DIR> --d----- c:\program files\Malwarebytes' Anti-Malware
2009-04-11 13:17 <DIR> --d----- c:\progra~2\Malwarebytes
2009-04-11 13:03 <DIR> --d----- C:\_OTMoveIt
2009-04-09 21:49 318,976 a------- c:\windows\system32\CF16613.exe
2009-04-09 21:49 <DIR> --d----- C:\blue
2009-04-09 21:42 318,976 a------- c:\windows\system32\CF15434.exe
2009-04-09 21:41 318,976 a------- c:\windows\system32\CF15222.exe
2009-04-09 21:34 <DIR> --d----- C:\globremover
2009-04-09 21:34 318,976 a------- c:\windows\system32\CF13703.exe
2009-04-09 21:32 318,976 a------- c:\windows\system32\CF13348.exe
2009-04-09 21:29 318,976 a------- c:\windows\system32\CF12779.exe
2009-04-09 21:29 <DIR> --d----- C:\Combo-Fix
2009-04-09 21:22 318,976 a------- c:\windows\system32\CF11457.exe
2009-04-09 21:17 318,976 a------- c:\windows\system32\CF10484.exe
2009-04-09 20:42 318,976 a------- c:\windows\system32\CF3639.exe
2009-04-09 20:27 318,976 a------- c:\windows\system32\CF700.exe
2009-04-09 20:19 <DIR> --d----- C:\multifix
2009-04-09 20:19 318,976 a------- c:\windows\system32\CF31763.exe
2009-04-09 20:09 318,976 a------- c:\windows\system32\CF29879.exe
2009-04-09 20:07 318,976 a------- c:\windows\system32\CF29500.exe
2009-04-09 20:00 318,976 a------- c:\windows\system32\CF28109.exe
2009-04-09 19:49 318,976 a------- c:\windows\system32\CF25908.exe
2009-04-09 19:44 318,976 a------- c:\windows\system32\CF24879.exe
2009-04-08 23:01 318,976 a------- c:\windows\system32\CF10771.exe
2009-04-08 22:06 318,976 a------- c:\windows\system32\CF20.exe
2009-04-08 21:58 318,976 a------- c:\windows\system32\CF31260.exe
2009-04-08 21:55 318,976 a------- c:\windows\system32\CF30597.exe
2009-04-08 21:53 318,976 a------- c:\windows\system32\CF30195.exe
2009-04-05 17:45 318,976 a------- c:\windows\system32\CF19755.exe
2009-04-05 17:34 318,976 a------- c:\windows\system32\CF17802.exe
2009-04-05 14:55 318,976 a------- c:\windows\system32\CF19423.exe
2009-04-05 14:37 318,976 a------- c:\windows\system32\CF15772.exe
2009-04-05 14:26 318,976 a------- c:\windows\system32\CF13300.exe
2009-03-17 21:09 107,368 a------- c:\windows\system32\GEARAspi.dll
2009-03-17 21:09 23,848 a------- c:\windows\system32\drivers\GEARAspiWDM.sys
2009-03-17 21:08 <DIR> --d----- c:\program files\iPod
2009-03-17 21:08 <DIR> --d----- c:\programdata\{00D89592-F643-4D8D-8F0F-AFAE0F14D4C3}
2009-03-17 21:08 <DIR> --d----- c:\progra~2\{00D89592-F643-4D8D-8F0F-AFAE0F14D4C3}

==================== Find3M ====================

2009-03-17 20:59 143,360 a------- c:\windows\inf\infstrng.dat
2009-03-17 20:59 86,016 a------- c:\windows\inf\infstor.dat
2009-03-17 20:59 51,200 a------- c:\windows\inf\infpub.dat
2009-03-05 23:59 1,900,544 a------- c:\windows\system32\usbaaplrc.dll
2009-03-05 23:59 36,864 a------- c:\windows\system32\drivers\usbaapl.sys
2009-02-08 20:10 2,033,152 a------- c:\windows\system32\win32k.sys
2009-01-14 23:11 827,392 a------- c:\windows\system32\wininet.dll
2008-12-09 21:46 146,136 a------- c:\users\hp_adm~1\appdata\roaming\GDIPFONTCACHEV1.DAT
2008-06-14 03:12 665,600 a------- c:\windows\inf\drvindex.dat
2008-03-26 18:45 174 a--sh--- c:\program files\desktop.ini
2006-11-02 05:42 287,440 a------- c:\windows\inf\perflib\0409\perfi.dat
2006-11-02 05:42 287,440 a------- c:\windows\inf\perflib\0409\perfh.dat
2006-11-02 05:42 30,674 a------- c:\windows\inf\perflib\0409\perfd.dat
2006-11-02 05:42 30,674 a------- c:\windows\inf\perflib\0409\perfc.dat
2006-11-02 02:20 287,440 a------- c:\windows\inf\perflib\0000\perfi.dat
2006-11-02 02:20 287,440 a------- c:\windows\inf\perflib\0000\perfh.dat
2006-11-02 02:20 30,674 a------- c:\windows\inf\perflib\0000\perfd.dat
2006-11-02 02:20 30,674 a------- c:\windows\inf\perflib\0000\perfc.dat
2007-02-18 11:20 16,384 a--sh--- c:\windows\serviceprofiles\localservice\appdata\local\microsoft\windows\history\history.ie5\index.dat
2007-02-18 11:20 32,768 a--sh--- c:\windows\serviceprofiles\localservice\appdata\local\microsoft\windows\temporary internet files\content.ie5\index.dat
2007-02-18 11:20 16,384 a--sh--- c:\windows\serviceprofiles\localservice\appdata\roaming\microsoft\windows\cookies\index.dat
2006-12-16 16:41 22 a--sh--- c:\windows\sminst\HPCD.sys

============= FINISH: 14:17:03.36 ===============

#6 rbecker

rbecker
  • Topic Starter

  • Members
  • 9 posts
  • Local time:09:56 AM

Posted 11 April 2009 - 04:21 PM

Things seem to be running faster. Is it ok to try a reboot and run spybot? Browsing the internet was very slow before. Seems to be way faster.

#7 kahdah

kahdah

  • Security Colleague
  • 11,138 posts
  • Gender:Male
  • Location:Florida
  • Local time:12:56 PM

Posted 11 April 2009 - 04:37 PM

You can run Spybot in a bit; first we have to clean up some leftovers:

First, we need to backup your registry:
Please go to Start > Run
Paste in the following line: regedit /e c:\registrybackup.reg
Click OK.
It won't appear to be doing anything, that's normal.
Your mouse pointer may turn to an hour glass for a minute.
Please continue when it no longer has the hour glass.

Please open up Notepad and copy all of the items in the code box below.
Change the "Save As Type" to "All Files". Save it as fixthis.reg on your Desktop.

REGEDIT4

; AppInit_DLLs is a REG_SZ string: in a .reg script the value must be quoted
; and every backslash doubled. Only the Google entry is kept.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]
"AppInit_DLLs"="c:\\progra~1\\google\\go333c~1\\goec62~1.dll"

; REG_MULTI_SZ (hex(7)) holding just "scecli", then the double NUL terminator.
[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
"Notification Packages"=hex(7):73,63,65,63,6c,69,00,00

Now double-click fixthis.reg.
A window will come up asking if you want to let it merge with the registry.
Click yes.
Reboot for the changes to take place and post a new dds log after rebooting.
Please do not pm for help, post it in the forums instead.

If I am helping you and have not responded for 48 hours please send me a pm as I don't always get notifications.

My help is always free, however, if you would like to make a donation to me for the help I have provided please click here
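The two lines kahdah's fix targets are the `AppInit_DLLs:` and `LSA: Notification Packages =` entries DDS prints in its Pseudo HJT Report. As an added example (not code from any post, from DDS or from BleepingComputer), the script below parses those lines, splits the entries the way Windows does, reports anything not on an analyst allow-list, checks what a later log no longer shows, and encodes the REG_MULTI_SZ value fixthis.reg writes; the log excerpts are constructed from the logs in this thread, and the allow-list (keeping only `scecli` and the Google DLL, as the helper did) is an assumption.

```python
"""Triage AppInit_DLLs / LSA Notification Packages entries in a DDS log.

Added example for this thread; not code from any post, from DDS or from
BleepingComputer.  It parses the two persistence lines DDS prints in its
"Pseudo HJT Report", splits them the way Windows does, reports anything not
on an analyst-supplied allow-list, checks what a later log no longer shows,
and encodes the REG_MULTI_SZ value that fixthis.reg writes.
"""
import re

# Constructed excerpts: the relevant lines from the DDS log above (before the
# fix) and from the log in post #8 (after fixthis.reg was merged).
DDS_BEFORE = r"""
AppInit_DLLs: c:\progra~1\google\go333c~1\goec62~1.dll ,c:\programdata\vokubonu\vokubonu.dll, c:\windows\system32\kufoluru.dll c:\windows\system32\nesirona.dll c:\windows\system32\hozekopo.dll c:\windows\system32\dowileyi.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - %SystemRoot%\system32\wpdshserviceobj.dll
LSA: Notification Packages = scecli c:\programdata\vokubonu\vokubonu.dll
"""
DDS_AFTER = r"""
AppInit_DLLs: c:\progra~1\google\go333c~1\goec62~1.dll ,c:\programdata\vokubonu\vokubonu.dll, c:\windows\system32\kufoluru.dll c:\windows\system32\nesirona.dll c:\windows\system32\hozekopo.dll c:\windows\system32\dowileyi.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - %SystemRoot%\system32\wpdshserviceobj.dll
"""

# Windows accepts spaces, commas and semicolons as separators in AppInit_DLLs;
# the line above mixes " ,", ", " and plain spaces.
_SEP = re.compile(r"[ ,;]+")

# Allow-list chosen by the analyst (an assumption of this example): scecli is the
# stock entry for Notification Packages, and the Google DLL is the one entry the
# helper kept in post #7.  Everything else is reported for review.
ALLOW = {
    "AppInit_DLLs": {r"c:\progra~1\google\go333c~1\goec62~1.dll"},
    "Notification Packages": {"scecli"},
}


def split_entries(value):
    return [e for e in _SEP.split(value.strip()) if e]


def parse_dds(text):
    """Return {'AppInit_DLLs': [...], 'Notification Packages': [...]}.
    A line DDS did not print yields an empty list."""
    found = {"AppInit_DLLs": [], "Notification Packages": []}
    for line in text.splitlines():
        if line.startswith("AppInit_DLLs:"):
            found["AppInit_DLLs"] = split_entries(line.split(":", 1)[1])
        elif line.startswith("LSA: Notification Packages ="):
            found["Notification Packages"] = split_entries(line.split("=", 1)[1])
    return found


def triage(parsed, allow=ALLOW):
    """Entries per key that are not allow-listed (compared case-insensitively)."""
    out = {}
    for key, entries in parsed.items():
        known = {a.lower() for a in allow.get(key, ())}
        out[key] = [e for e in entries if e.lower() not in known]
    return out


def removed_after_fix(before, after):
    """Review-worthy entries in the earlier log that the later log no longer shows."""
    b, a = triage(parse_dds(before)), triage(parse_dds(after))
    return {key: [e for e in b[key] if e not in a[key]] for key in b}


def multi_sz_to_hex7(strings):
    """Encode a REG_MULTI_SZ for a REGEDIT4 (ANSI) .reg file: every string is
    NUL-terminated and the list ends with one more NUL.  Under the 'Windows
    Registry Editor Version 5.00' header the bytes would be UTF-16LE instead."""
    data = b"".join(s.encode("ascii") + b"\0" for s in strings) + b"\0"
    return "hex(7):" + ",".join(f"{byte:02x}" for byte in data)


def hex7_to_multi_sz(value):
    data = bytes(int(h, 16) for h in value.split(":", 1)[1].split(","))
    return [s.decode("ascii") for s in data.split(b"\0") if s]


if __name__ == "__main__":
    for key, entries in triage(parse_dds(DDS_BEFORE)).items():
        print(f"{key}: {len(entries)} entries to review")
        for entry in entries:
            print("   ", entry)
    print("gone after fixthis.reg:", removed_after_fix(DDS_BEFORE, DDS_AFTER))
    print('["scecli"] ->', multi_sz_to_hex7(["scecli"]))
```

Run against the two logs it reports five AppInit_DLLs entries and one Notification Packages entry for review, and shows that the post-fix log only lost the Notification Packages entry, which is why the helper follows up with a second fix for AppInit_DLLs.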

#8 rbecker

rbecker
  • Topic Starter

  • Members
  • 9 posts
  • Local time:09:56 AM

Posted 11 April 2009 - 10:01 PM

DDS (Ver_09-03-16.01) - NTFSx86
Run by HP_Administrator at 19:58:35.92 on Sat 04/11/2009
Internet Explorer: 7.0.6001.18000
Microsoft® Windows Vista™ Home Premium 6.0.6001.1.1252.1.1033.18.2046.1151 [GMT -7:00]

AV: CA Anti-Virus *On-access scanning enabled* (Updated)

============== Running Processes ===============

C:\Windows\system32\wininit.exe
C:\Windows\system32\lsm.exe
C:\Windows\system32\svchost.exe -k DcomLaunch
C:\Windows\system32\svchost.exe -k rpcss
C:\Windows\System32\svchost.exe -k secsvcs
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted
C:\Windows\system32\svchost.exe -k netsvcs
C:\Windows\system32\SLsvc.exe
C:\Windows\system32\svchost.exe -k LocalService
C:\Windows\system32\svchost.exe -k NetworkService
C:\Windows\System32\spoolsv.exe
C:\Windows\system32\taskeng.exe
C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork
C:\Windows\system32\Dwm.exe
C:\Windows\Explorer.EXE
C:\Program Files\Adobe\Photoshop Elements 5.0\PhotoshopElementsFileAgent.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\CA\CA Internet Security Suite\CA Anti-Virus\ISafe.exe
C:\Program Files\Carbonite\Carbonite Backup\carboniteservice.exe
C:\Program Files\DirecTV\DirecTV\Kernel\DMP\CLHNService.exe
C:\Windows\system32\svchost.exe -k hpdevmgmt
C:\Program Files\Intel\Intel Matrix Storage Manager\Iaantmon.exe
C:\Program Files\Common Files\LightScribe\LSSrvc.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\Program Files\Pinnacle\MediaServer\Microsoft SQL Server\MSSQL$PINNACLESYS\Binn\sqlservr.exe
C:\Windows\System32\svchost.exe -k HPZ12
C:\Windows\System32\svchost.exe -k HPZ12
C:\Windows\system32\svchost.exe -k NetworkServiceNetworkRestricted
C:\Windows\System32\snmp.exe
C:\Windows\system32\svchost.exe -k imgsvc
C:\Program Files\CA\CA Internet Security Suite\CA Anti-Virus\VetMsg.exe
C:\Program Files\Intel\Intel Matrix Storage Manager\IAAnotif.exe
C:\Windows\System32\svchost.exe -k WerSvcGroup
C:\Program Files\Hewlett-Packard\HP Boot Optimizer\HPBootOp.exe
C:\Windows\system32\SearchIndexer.exe
C:\Program Files\CA\CA Internet Security Suite\cctray\cctray.exe
C:\Windows\system32\WUDFHost.exe
C:\Program Files\CA\CA Internet Security Suite\CA Anti-Virus\cavrid.exe
C:\Windows\system32\DRIVERS\xaudio.exe
C:\Program Files\Carbonite\Carbonite Backup\CarboniteUI.exe
C:\Windows\RtHDVCpl.exe
C:\Windows\System32\rundll32.exe
C:\Program Files\Spybot - Search & Destroy\SDWinSec.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Windows\System32\mobsync.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Windows\system32\wbem\wmiprvse.exe
C:\Users\HP_Administrator\AppData\Local\Google\Update\GoogleUpdate.exe
C:\Windows\ehome\ehtray.exe
C:\Windows\ehome\ehmsas.exe
c:\program files\pinnacle\shared files\programs\mediaserver\pmshost.exe
C:\Windows\system32\taskeng.exe
C:\Windows\system32\svchost.exe -k HPService
C:\Windows\system32\vssvc.exe
C:\Program Files\CA\CA Internet Security Suite\ccprovsp.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Windows Media Player\wmpnscfg.exe
C:\Windows\System32\svchost.exe -k swprv
C:\Program Files\Windows Media Player\wmpnetwk.exe
C:\Windows\system32\wbem\unsecapp.exe
C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
C:\Users\HP_Administrator\Documents\Desktop\dds.scr
C:\Windows\system32\wbem\wmiprvse.exe

============== Pseudo HJT Report ===============

uDefault_Page_URL = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=EN_US&c=64&bd=PAVILION&pf=desktop
uDefault_Search_URL = hxxp://www.google.com/ie
uSearch Bar = hxxp://www.google.com/ie
uSearch Page = hxxp://www.google.com
uStart Page = hxxp://www.beckerz.com/
mSearch Bar = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iesearch&locale=EN_US&c=64&bd=PAVILION&pf=desktop
uInternet Settings,ProxyOverride = *.local
uSearchAssistant = hxxp://www.google.com/ie
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
mSearchAssistant = hxxp://www.google.com/ie
uURLSearchHooks: Yahoo! Toolbar: {ef99bd32-c1fb-11d2-892f-0090271d4f88} - c:\program files\yahoo!\companion\installs\cpn\yt.dll
mURLSearchHooks: Yahoo! Toolbar: {ef99bd32-c1fb-11d2-892f-0090271d4f88} - c:\program files\yahoo!\companion\installs\cpn\yt.dll
BHO: Yahoo! Toolbar Helper: {02478d38-c3f9-4efb-9b51-7695eca05670} - c:\program files\yahoo!\companion\installs\cpn\yt.dll
BHO: Adobe PDF Reader Link Helper: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\adobe\acrobat 7.0\activex\AcroIEHelper.dll
BHO: Spybot-S&D IE Protection: {53707962-6f74-2d53-2644-206d7942484f} - c:\progra~1\spybot~1\SDHelper.dll
BHO: SSVHelper Class: {761497bb-d6f0-462c-b6eb-d4daf1d92d43} - c:\program files\java\jre1.5.0_09\bin\ssv.dll
BHO: {7E853D72-626A-48EC-A868-BA8D5E23E045} - No File
BHO: Google Toolbar Notifier BHO: {af69de43-7d58-4638-b6fa-ce66b5ad205d} - c:\program files\google\googletoolbarnotifier\5.1.1309.3572\swg.dll
TB: Yahoo! Toolbar: {ef99bd32-c1fb-11d2-892f-0090271d4f88} - c:\program files\yahoo!\companion\installs\cpn\yt.dll
uRun: [Google Update] "c:\users\hp_administrator\appdata\local\google\update\GoogleUpdate.exe" /c
uRun: [ehTray.exe] c:\windows\ehome\ehTray.exe
mRun: [Windows Defender] %ProgramFiles%\Windows Defender\MSASCui.exe -hide
mRun: [Recguard] c:\windows\sminst\RECGUARD.EXE
mRun: [IAAnotif] "c:\program files\intel\intel matrix storage manager\Iaanotif.exe"
mRun: [HPBootOp] "c:\program files\hewlett-packard\hp boot optimizer\HPBootOp.exe" /run
mRun: [ftutil2] rundll32.exe ftutil2.dll,SetWriteCacheMode
mRun: [cctray] "c:\program files\ca\ca internet security suite\cctray\cctray.exe"
mRun: [CAVRID] "c:\program files\ca\ca internet security suite\ca anti-virus\CAVRID.exe"
mRun: [NvSvc] RUNDLL32.EXE c:\windows\system32\nvsvc.dll,nvsvcStart
mRun: [NvCplDaemon] RUNDLL32.EXE c:\windows\system32\NvCpl.dll,NvStartup
mRun: [NvMediaCenter] RUNDLL32.EXE c:\windows\system32\NvMcTray.dll,NvTaskbarInit
mRun: [Carbonite Backup] c:\program files\carbonite\carbonite backup\CarboniteUI.exe
mRun: [RtHDVCpl] RtHDVCpl.exe
mRun: [AppleSyncNotifier] c:\program files\common files\apple\mobile device support\bin\AppleSyncNotifier.exe
mRun: [TkBellExe] "c:\program files\common files\real\update_ob\realsched.exe" -osboot
mRun: [Google Desktop Search] "c:\program files\google\google desktop search\GoogleDesktop.exe" /startup
mRun: [QuickTime Task] "c:\program files\quicktime\QTTask.exe" -atboottime
mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe"
dRunOnce: [FlashPlayerUpdate] c:\windows\system32\macromed\flash\FlashUtil10a.exe
StartupFolder: c:\users\hp_adm~1\appdata\roaming\micros~1\windows\startm~1\programs\startup\erunta~1.lnk - c:\program files\erunt\AUTOBACK.EXE
StartupFolder: c:\progra~2\micros~1\windows\startm~1\programs\startup\update~1.lnk - c:\program files\updates from hp\9972322\program\Updates from HP.exe
mPolicies-system: EnableUIADesktopToggle = 0 (0x0)
IE: Add to Google Photos Screensa&ver - c:\windows\system32\GPhotos.scr/200
IE: E&xport to Microsoft Excel - c:\progra~1\micros~4\office10\EXCEL.EXE/3000
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - {CAFEEFAC-0015-0000-0009-ABCDEFFEDCBC} - c:\program files\java\jre1.5.0_09\bin\ssv.dll
IE: {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - {53707962-6F74-2D53-2644-206D7942484F} - c:\progra~1\spybot~1\SDHelper.dll
LSP: c:\windows\system32\VetRedir.dll
DPF: {0CCA191D-13A6-4E29-B746-314DEE697D83} - hxxp://upload.facebook.com/controls/2008.10.10_v5.5.8/FacebookPhotoUploader5.cab
DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} - hxxp://fpdownload.macromedia.com/get/flashplayer/current/polarbear/ultrashim.cab
DPF: {F27237D7-93C8-44C2-AC6E-D6057B9A918F} - hxxps://remote.csaa.com/dana-cached/sc/JuniperSetupClient.cab
Handler: cdo - {CD00020A-8B95-11D1-82DB-00C04FB1625D} - c:\program files\common files\microsoft shared\web folders\PKMCDO.DLL
AppInit_DLLs: c:\progra~1\google\go333c~1\goec62~1.dll ,c:\programdata\vokubonu\vokubonu.dll, c:\windows\system32\kufoluru.dll c:\windows\system32\nesirona.dll c:\windows\system32\hozekopo.dll c:\windows\system32\dowileyi.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - %SystemRoot%\system32\wpdshserviceobj.dll

================= FIREFOX ===================

FF - ProfilePath - c:\users\hp_adm~1\appdata\roaming\mozilla\firefox\profiles\htdocqjh.default\
FF - component: c:\program files\mozilla firefox\components\GoogleDesktopMozilla.dll
FF - plugin: c:\program files\google\google updater\2.4.1536.6592\npCIDetect13.dll
FF - plugin: c:\program files\google\picasa3\npPicasa2.dll
FF - plugin: c:\program files\google\picasa3\npPicasa3.dll
FF - plugin: c:\program files\java\jre1.5.0_09\bin\NPJava11.dll
FF - plugin: c:\program files\java\jre1.5.0_09\bin\NPJava12.dll
FF - plugin: c:\program files\java\jre1.5.0_09\bin\NPJava13.dll
FF - plugin: c:\program files\java\jre1.5.0_09\bin\NPJava14.dll
FF - plugin: c:\program files\java\jre1.5.0_09\bin\NPJava32.dll
FF - plugin: c:\program files\java\jre1.5.0_09\bin\NPJPI150_09.dll
FF - plugin: c:\program files\java\jre1.5.0_09\bin\NPOJI610.dll
FF - plugin: c:\users\hp_administrator\appdata\local\google\update\1.2.141.5\npGoogleOneClick7.dll
FF - plugin: c:\users\hp_administrator\appdata\roaming\mozilla\plugins\npgoogletalk.dll

============= SERVICES / DRIVERS ===============

R2 ntk3;ntk3;c:\program files\directv\directv\kernel\dmp\ntk3.sys [2008-9-26 120048]
S3 DCamUSBNW800;CIF USB Camera (2110);c:\windows\system32\drivers\pcam800.sys [2002-7-27 210792]
S3 PsSdk41;PsSdk41;c:\windows\system32\drivers\pssdk41.sys [2008-7-12 36928]

=============== Created Last 30 ================

2009-04-11 19:51 310,190,124 a------- C:\registrybackup.reg
2009-04-11 14:12 <DIR> --d----- c:\programdata\Sony
2009-04-11 13:17 <DIR> --d----- c:\users\hp_adm~1\appdata\roaming\Malwarebytes
2009-04-11 13:17 15,504 a------- c:\windows\system32\drivers\mbam.sys
2009-04-11 13:17 38,496 a------- c:\windows\system32\drivers\mbamswissarmy.sys
2009-04-11 13:17 <DIR> --d----- c:\programdata\Malwarebytes
2009-04-11 13:17 <DIR> --d----- c:\program files\Malwarebytes' Anti-Malware
2009-04-11 13:17 <DIR> --d----- c:\progra~2\Malwarebytes
2009-04-11 13:03 <DIR> --d----- C:\_OTMoveIt
2009-04-09 21:49 318,976 a------- c:\windows\system32\CF16613.exe
2009-04-09 21:49 <DIR> --d----- C:\blue
2009-04-09 21:42 318,976 a------- c:\windows\system32\CF15434.exe
2009-04-09 21:41 318,976 a------- c:\windows\system32\CF15222.exe
2009-04-09 21:34 <DIR> --d----- C:\globremover
2009-04-09 21:34 318,976 a------- c:\windows\system32\CF13703.exe
2009-04-09 21:32 318,976 a------- c:\windows\system32\CF13348.exe
2009-04-09 21:29 318,976 a------- c:\windows\system32\CF12779.exe
2009-04-09 21:29 <DIR> --d----- C:\Combo-Fix
2009-04-09 21:22 318,976 a------- c:\windows\system32\CF11457.exe
2009-04-09 21:17 318,976 a------- c:\windows\system32\CF10484.exe
2009-04-09 20:42 318,976 a------- c:\windows\system32\CF3639.exe
2009-04-09 20:27 318,976 a------- c:\windows\system32\CF700.exe
2009-04-09 20:19 <DIR> --d----- C:\multifix
2009-04-09 20:19 318,976 a------- c:\windows\system32\CF31763.exe
2009-04-09 20:09 318,976 a------- c:\windows\system32\CF29879.exe
2009-04-09 20:07 318,976 a------- c:\windows\system32\CF29500.exe
2009-04-09 20:00 318,976 a------- c:\windows\system32\CF28109.exe
2009-04-09 19:49 318,976 a------- c:\windows\system32\CF25908.exe
2009-04-09 19:44 318,976 a------- c:\windows\system32\CF24879.exe
2009-04-08 23:01 318,976 a------- c:\windows\system32\CF10771.exe
2009-04-08 22:06 318,976 a------- c:\windows\system32\CF20.exe
2009-04-08 21:58 318,976 a------- c:\windows\system32\CF31260.exe
2009-04-08 21:55 318,976 a------- c:\windows\system32\CF30597.exe
2009-04-08 21:53 318,976 a------- c:\windows\system32\CF30195.exe
2009-04-05 17:45 318,976 a------- c:\windows\system32\CF19755.exe
2009-04-05 17:34 318,976 a------- c:\windows\system32\CF17802.exe
2009-04-05 14:55 318,976 a------- c:\windows\system32\CF19423.exe
2009-04-05 14:37 318,976 a------- c:\windows\system32\CF15772.exe
2009-04-05 14:26 318,976 a------- c:\windows\system32\CF13300.exe
2009-03-17 21:09 107,368 a------- c:\windows\system32\GEARAspi.dll
2009-03-17 21:09 23,848 a------- c:\windows\system32\drivers\GEARAspiWDM.sys
2009-03-17 21:08 <DIR> --d----- c:\program files\iPod
2009-03-17 21:08 <DIR> --d----- c:\programdata\{00D89592-F643-4D8D-8F0F-AFAE0F14D4C3}
2009-03-17 21:08 <DIR> --d----- c:\progra~2\{00D89592-F643-4D8D-8F0F-AFAE0F14D4C3}

==================== Find3M ====================

2009-03-17 20:59 143,360 a------- c:\windows\inf\infstrng.dat
2009-03-17 20:59 86,016 a------- c:\windows\inf\infstor.dat
2009-03-17 20:59 51,200 a------- c:\windows\inf\infpub.dat
2009-03-05 23:59 1,900,544 a------- c:\windows\system32\usbaaplrc.dll
2009-03-05 23:59 36,864 a------- c:\windows\system32\drivers\usbaapl.sys
2009-02-08 20:10 2,033,152 a------- c:\windows\system32\win32k.sys
2009-01-14 23:11 827,392 a------- c:\windows\system32\wininet.dll
2008-12-09 21:46 146,136 a------- c:\users\hp_adm~1\appdata\roaming\GDIPFONTCACHEV1.DAT
2008-06-14 03:12 665,600 a------- c:\windows\inf\drvindex.dat
2008-03-26 18:45 174 a--sh--- c:\program files\desktop.ini
2006-11-02 05:42 287,440 a------- c:\windows\inf\perflib\0409\perfi.dat
2006-11-02 05:42 287,440 a------- c:\windows\inf\perflib\0409\perfh.dat
2006-11-02 05:42 30,674 a------- c:\windows\inf\perflib\0409\perfd.dat
2006-11-02 05:42 30,674 a------- c:\windows\inf\perflib\0409\perfc.dat
2006-11-02 02:20 287,440 a------- c:\windows\inf\perflib\0000\perfi.dat
2006-11-02 02:20 287,440 a------- c:\windows\inf\perflib\0000\perfh.dat
2006-11-02 02:20 30,674 a------- c:\windows\inf\perflib\0000\perfd.dat
2006-11-02 02:20 30,674 a------- c:\windows\inf\perflib\0000\perfc.dat
2007-02-18 11:20 16,384 a--sh--- c:\windows\serviceprofiles\localservice\appdata\local\microsoft\windows\history\history.ie5\index.dat
2007-02-18 11:20 32,768 a--sh--- c:\windows\serviceprofiles\localservice\appdata\local\microsoft\windows\temporary internet files\content.ie5\index.dat
2007-02-18 11:20 16,384 a--sh--- c:\windows\serviceprofiles\localservice\appdata\roaming\microsoft\windows\cookies\index.dat
2006-12-16 16:41 22 a--sh--- c:\windows\sminst\HPCD.sys

============= FINISH: 20:00:27.98 ===============

#9 kahdah

kahdah

  • Security Colleague
  • 11,138 posts
  • Gender:Male
  • Location:Florida
  • Local time:12:56 PM

Posted 12 April 2009 - 07:06 AM

Ok well let's try it this way then:
Please open up Notepad and copy all of the items in the code box below.
Change the "Save As Type" to "All Files". Save it as fix.reg on your Desktop.

Windows Registry Editor Version 5.00

; Clear the value first ...
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]
"AppInit_DLLs"=""

; ... then set it to the single Google entry (the later assignment is the one
; that stays). String values must be quoted, with each backslash doubled.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]
"AppInit_DLLs"="c:\\progra~1\\google\\go333c~1\\goec62~1.dll"

Now double-click fix.reg.
A window will come up asking if you want to let it merge with the registry.
Click yes.
Reboot for the changes to take place and post a fresh dds log to reflect the changes.

#10 rbecker

rbecker
  • Topic Starter

  • Members
  • 9 posts
  • Local time:09:56 AM

Posted 12 April 2009 - 09:00 AM

Windows ...didn't like this. After the window asking if I wanted to merge with the registry, I clicked YES. I then got this message:

"Cannot import C:\Users\HP_Administrator\Documents\Desktop\fix.reg: The specified file is not a registry script. You can only import binary registry files from within the registry editor."

#11 kahdah

kahdah

  • Security Colleague
  • 11,138 posts
  • Gender:Male
  • Location:Florida
  • Local time:12:56 PM

Posted 12 April 2009 - 09:06 AM

Hi, I think it wasn't copied completely; I will attach the correct one.
Save the .zip to your desktop, then right-click on it and choose Extract all, then hit Next, then Next again, then double-click on the fix.reg and choose Yes to merge it, same as before.


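The "not a registry script" error in post #10 means regedit refused the file outright, and the helper's answer is a fresh copy of the script. As an added example (not code from any post or from regedit), the linter below checks a .reg script before it is merged: the header on line 1, the bracketed key lines, and that every string value is quoted with backslashes doubled. The sample scripts are constructed from the fix in post #9, once with the path typed without quotes and once corrected; the header strings and value syntax are regedit's .reg format, the function names are mine.

```python
"""Lint a .reg script before merging it with regedit.

Added example for this thread; not code from any post, from regedit or from
BleepingComputer.  It applies the syntax regedit expects (a recognised header
on line 1, keys in [brackets], string values quoted with backslashes doubled,
or dword:/hex: data) so a hand-typed fix can be checked before it is
double-clicked.  The sample scripts are constructed from the fix in post #9.
"""
import re

HEADERS = ("REGEDIT4", "Windows Registry Editor Version 5.00")
_KEY = re.compile(r"^\[-?(HKEY_LOCAL_MACHINE|HKEY_CURRENT_USER|HKEY_CLASSES_ROOT"
                  r"|HKEY_USERS|HKEY_CURRENT_CONFIG)(\\[^\]]+)?\]$", re.IGNORECASE)
_VALUE_LINE = re.compile(r'^(@|"(?:[^"\\]|\\.)*")=(.*)$')
_QUOTED = re.compile(r'^"(?:[^"\\]|\\\\|\\")*"$')   # only \\ and \" may appear inside
_DWORD = re.compile(r"^dword:[0-9a-fA-F]{8}$")
_HEX = re.compile(r"^hex(?:\(\d+\))?:(?:[0-9a-fA-F]{2},)*[0-9a-fA-F]{2}$")

# Constructed samples: the post #9 script with the path typed without quotes,
# the same script corrected, and a copy that lost its header line.
FIX_AS_POSTED = r"""Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]
"AppInit_DLLs"=""

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]
"AppInit_DLLs"=c:\progra~1\google\go333c~1\goec62~1.dll
"""
FIX_CORRECTED = FIX_AS_POSTED.replace(
    r'"AppInit_DLLs"=c:\progra~1\google\go333c~1\goec62~1.dll',
    r'"AppInit_DLLs"="c:\\progra~1\\google\\go333c~1\\goec62~1.dll"')
NO_HEADER = FIX_CORRECTED.split("\n", 1)[1]


def _logical_lines(text):
    """Yield (line_no, text); hex data continued with a trailing backslash is joined."""
    lines = text.splitlines()
    i = 0
    while i < len(lines):
        n, raw = i + 1, lines[i].strip()
        while raw.endswith("\\") and i + 1 < len(lines):
            i += 1
            raw = raw[:-1] + lines[i].strip()
        i += 1
        yield n, raw


def lint_reg(text):
    """Return [(line_no, message), ...]; an empty list means the script parses."""
    problems = []
    lines = text.splitlines()
    first = lines[0].strip() if lines else ""
    if first not in HEADERS:
        problems.append((1, "first line must be one of: " + " | ".join(HEADERS)))
    for n, line in _logical_lines(text):
        if n == 1 or not line or line.startswith(";"):
            continue                       # header (checked above), blank, or comment
        if line.startswith("["):
            if not _KEY.match(line):
                problems.append((n, "key line must look like [HKEY_...\\Sub\\Key]"))
            continue
        m = _VALUE_LINE.match(line)
        if not m:
            problems.append((n, 'expected "name"=value or @=value'))
            continue
        value = m.group(2)
        if value == "-" or _DWORD.match(value) or _HEX.match(value) or _QUOTED.match(value):
            continue
        if value.startswith('"'):
            problems.append((n, r'string value: write backslashes as \\ and quotes as \"'))
        else:
            problems.append((n, 'string value must be quoted: "..." with backslashes doubled'))
    return problems


if __name__ == "__main__":
    for name, script in (("as posted", FIX_AS_POSTED), ("corrected", FIX_CORRECTED),
                         ("no header", NO_HEADER)):
        print(name, "->", lint_reg(script) or "ok")
```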

#12 rbecker

rbecker
  • Topic Starter

  • Members
  • 9 posts
  • Local time:09:56 AM

Posted 12 April 2009 - 09:45 AM

Your file updated registry...
DDS (Ver_09-03-16.01) - NTFSx86
Run by HP_Administrator at 7:29:51.50 on Sun 04/12/2009
Internet Explorer: 7.0.6001.18000
Microsoft® Windows Vista™ Home Premium 6.0.6001.1.1252.1.1033.18.2046.976 [GMT -7:00]

AV: CA Anti-Virus *On-access scanning enabled* (Updated)

============== Running Processes ===============

C:\Windows\system32\wininit.exe
C:\Windows\system32\lsm.exe
C:\Windows\system32\svchost.exe -k DcomLaunch
C:\Windows\system32\svchost.exe -k rpcss
C:\Windows\System32\svchost.exe -k secsvcs
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted
C:\Windows\system32\svchost.exe -k netsvcs
C:\Windows\system32\SLsvc.exe
C:\Windows\system32\svchost.exe -k LocalService
C:\Windows\system32\svchost.exe -k NetworkService
C:\Windows\System32\spoolsv.exe
C:\Windows\system32\taskeng.exe
C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork
C:\Windows\system32\Dwm.exe
C:\Windows\Explorer.EXE
C:\Program Files\Adobe\Photoshop Elements 5.0\PhotoshopElementsFileAgent.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\CA\CA Internet Security Suite\CA Anti-Virus\ISafe.exe
C:\Program Files\Carbonite\Carbonite Backup\carboniteservice.exe
C:\Program Files\DirecTV\DirecTV\Kernel\DMP\CLHNService.exe
C:\Windows\system32\svchost.exe -k hpdevmgmt
C:\Program Files\Intel\Intel Matrix Storage Manager\Iaantmon.exe
C:\Program Files\Common Files\LightScribe\LSSrvc.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\Program Files\Pinnacle\MediaServer\Microsoft SQL Server\MSSQL$PINNACLESYS\Binn\sqlservr.exe
C:\Windows\system32\svchost.exe -k NetworkServiceNetworkRestricted
C:\Windows\System32\snmp.exe
C:\Windows\system32\svchost.exe -k imgsvc
C:\Program Files\CA\CA Internet Security Suite\CA Anti-Virus\VetMsg.exe
C:\Program Files\Intel\Intel Matrix Storage Manager\IAAnotif.exe
C:\Windows\System32\svchost.exe -k WerSvcGroup
C:\Windows\system32\SearchIndexer.exe
C:\Program Files\CA\CA Internet Security Suite\cctray\cctray.exe
C:\Windows\system32\WUDFHost.exe
C:\Program Files\CA\CA Internet Security Suite\CA Anti-Virus\cavrid.exe
C:\Windows\system32\DRIVERS\xaudio.exe
C:\Program Files\Carbonite\Carbonite Backup\CarboniteUI.exe
C:\Windows\RtHDVCpl.exe
C:\Windows\System32\rundll32.exe
C:\Program Files\Spybot - Search & Destroy\SDWinSec.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Windows\System32\mobsync.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Windows\system32\wbem\wmiprvse.exe
C:\Users\HP_Administrator\AppData\Local\Google\Update\GoogleUpdate.exe
C:\Windows\ehome\ehtray.exe
C:\Windows\ehome\ehmsas.exe
c:\program files\pinnacle\shared files\programs\mediaserver\pmshost.exe
C:\Windows\system32\taskeng.exe
C:\Windows\system32\svchost.exe -k HPService
C:\Windows\system32\vssvc.exe
C:\Program Files\CA\CA Internet Security Suite\ccprovsp.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Windows Media Player\wmpnscfg.exe
C:\Windows\System32\svchost.exe -k swprv
C:\Program Files\Windows Media Player\wmpnetwk.exe
C:\Windows\system32\wbem\unsecapp.exe
C:\HP\KBD\KBD.EXE
c:\windows\system\hpsysdrv.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Windows\system32\SearchProtocolHost.exe
C:\Windows\system32\SearchFilterHost.exe
C:\Users\HP_Administrator\Documents\Desktop\dds.scr
C:\Windows\system32\wbem\wmiprvse.exe

============== Pseudo HJT Report ===============

uDefault_Page_URL = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=EN_US&c=64&bd=PAVILION&pf=desktop
uDefault_Search_URL = hxxp://www.google.com/ie
uSearch Bar = hxxp://www.google.com/ie
uSearch Page = hxxp://www.google.com
uStart Page = hxxp://www.beckerz.com/
mSearch Bar = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iesearch&locale=EN_US&c=64&bd=PAVILION&pf=desktop
uInternet Settings,ProxyOverride = *.local
uSearchAssistant = hxxp://www.google.com/ie
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
mSearchAssistant = hxxp://www.google.com/ie
uURLSearchHooks: Yahoo! Toolbar: {ef99bd32-c1fb-11d2-892f-0090271d4f88} - c:\program files\yahoo!\companion\installs\cpn\yt.dll
mURLSearchHooks: Yahoo! Toolbar: {ef99bd32-c1fb-11d2-892f-0090271d4f88} - c:\program files\yahoo!\companion\installs\cpn\yt.dll
BHO: Yahoo! Toolbar Helper: {02478d38-c3f9-4efb-9b51-7695eca05670} - c:\program files\yahoo!\companion\installs\cpn\yt.dll
BHO: Adobe PDF Reader Link Helper: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\adobe\acrobat 7.0\activex\AcroIEHelper.dll
BHO: Spybot-S&D IE Protection: {53707962-6f74-2d53-2644-206d7942484f} - c:\progra~1\spybot~1\SDHelper.dll
BHO: SSVHelper Class: {761497bb-d6f0-462c-b6eb-d4daf1d92d43} - c:\program files\java\jre1.5.0_09\bin\ssv.dll
BHO: {7E853D72-626A-48EC-A868-BA8D5E23E045} - No File
BHO: Google Toolbar Notifier BHO: {af69de43-7d58-4638-b6fa-ce66b5ad205d} - c:\program files\google\googletoolbarnotifier\5.1.1309.3572\swg.dll
TB: Yahoo! Toolbar: {ef99bd32-c1fb-11d2-892f-0090271d4f88} - c:\program files\yahoo!\companion\installs\cpn\yt.dll
uRun: [Google Update] "c:\users\hp_administrator\appdata\local\google\update\GoogleUpdate.exe" /c
uRun: [ehTray.exe] c:\windows\ehome\ehTray.exe
mRun: [Windows Defender] %ProgramFiles%\Windows Defender\MSASCui.exe -hide
mRun: [Recguard] c:\windows\sminst\RECGUARD.EXE
mRun: [IAAnotif] "c:\program files\intel\intel matrix storage manager\Iaanotif.exe"
mRun: [HPBootOp] "c:\program files\hewlett-packard\hp boot optimizer\HPBootOp.exe" /run
mRun: [ftutil2] rundll32.exe ftutil2.dll,SetWriteCacheMode
mRun: [cctray] "c:\program files\ca\ca internet security suite\cctray\cctray.exe"
mRun: [CAVRID] "c:\program files\ca\ca internet security suite\ca anti-virus\CAVRID.exe"
mRun: [NvSvc] RUNDLL32.EXE c:\windows\system32\nvsvc.dll,nvsvcStart
mRun: [NvCplDaemon] RUNDLL32.EXE c:\windows\system32\NvCpl.dll,NvStartup
mRun: [NvMediaCenter] RUNDLL32.EXE c:\windows\system32\NvMcTray.dll,NvTaskbarInit
mRun: [Carbonite Backup] c:\program files\carbonite\carbonite backup\CarboniteUI.exe
mRun: [RtHDVCpl] RtHDVCpl.exe
mRun: [AppleSyncNotifier] c:\program files\common files\apple\mobile device support\bin\AppleSyncNotifier.exe
mRun: [TkBellExe] "c:\program files\common files\real\update_ob\realsched.exe" -osboot
mRun: [Google Desktop Search] "c:\program files\google\google desktop search\GoogleDesktop.exe" /startup
mRun: [QuickTime Task] "c:\program files\quicktime\QTTask.exe" -atboottime
mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe"
dRunOnce: [FlashPlayerUpdate] c:\windows\system32\macromed\flash\FlashUtil10a.exe
StartupFolder: c:\users\hp_adm~1\appdata\roaming\micros~1\windows\startm~1\programs\startup\erunta~1.lnk - c:\program files\erunt\AUTOBACK.EXE
StartupFolder: c:\progra~2\micros~1\windows\startm~1\programs\startup\update~1.lnk - c:\program files\updates from hp\9972322\program\Updates from HP.exe
mPolicies-system: EnableUIADesktopToggle = 0 (0x0)
IE: Add to Google Photos Screensa&ver - c:\windows\system32\GPhotos.scr/200
IE: E&xport to Microsoft Excel - c:\progra~1\micros~4\office10\EXCEL.EXE/3000
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - {CAFEEFAC-0015-0000-0009-ABCDEFFEDCBC} - c:\program files\java\jre1.5.0_09\bin\ssv.dll
IE: {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - {53707962-6F74-2D53-2644-206D7942484F} - c:\progra~1\spybot~1\SDHelper.dll
LSP: c:\windows\system32\VetRedir.dll
DPF: {0CCA191D-13A6-4E29-B746-314DEE697D83} - hxxp://upload.facebook.com/controls/2008.10.10_v5.5.8/FacebookPhotoUploader5.cab
DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} - hxxp://fpdownload.macromedia.com/get/flashplayer/current/polarbear/ultrashim.cab
DPF: {F27237D7-93C8-44C2-AC6E-D6057B9A918F} - hxxps://remote.csaa.com/dana-cached/sc/JuniperSetupClient.cab
Handler: cdo - {CD00020A-8B95-11D1-82DB-00C04FB1625D} - c:\program files\common files\microsoft shared\web folders\PKMCDO.DLL
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - %SystemRoot%\system32\wpdshserviceobj.dll

================= FIREFOX ===================

FF - ProfilePath - c:\users\hp_adm~1\appdata\roaming\mozilla\firefox\profiles\htdocqjh.default\
FF - component: c:\program files\mozilla firefox\components\GoogleDesktopMozilla.dll
FF - plugin: c:\program files\google\google updater\2.4.1536.6592\npCIDetect13.dll
FF - plugin: c:\program files\google\picasa3\npPicasa2.dll
FF - plugin: c:\program files\google\picasa3\npPicasa3.dll
FF - plugin: c:\program files\java\jre1.5.0_09\bin\NPJava11.dll
FF - plugin: c:\program files\java\jre1.5.0_09\bin\NPJava12.dll
FF - plugin: c:\program files\java\jre1.5.0_09\bin\NPJava13.dll
FF - plugin: c:\program files\java\jre1.5.0_09\bin\NPJava14.dll
FF - plugin: c:\program files\java\jre1.5.0_09\bin\NPJava32.dll
FF - plugin: c:\program files\java\jre1.5.0_09\bin\NPJPI150_09.dll
FF - plugin: c:\program files\java\jre1.5.0_09\bin\NPOJI610.dll
FF - plugin: c:\users\hp_administrator\appdata\local\google\update\1.2.141.5\npGoogleOneClick7.dll
FF - plugin: c:\users\hp_administrator\appdata\roaming\mozilla\plugins\npgoogletalk.dll

============= SERVICES / DRIVERS ===============

R1 vcdrom;Virtual CD-ROM Device Driver;c:\windows\system32\drivers\VCdRom.sys [2001-12-19 8576]
R2 ntk3;ntk3;c:\program files\directv\directv\kernel\dmp\ntk3.sys [2008-9-26 120048]
S3 DCamUSBNW800;CIF USB Camera (2110);c:\windows\system32\drivers\pcam800.sys [2002-7-27 210792]
S3 PsSdk41;PsSdk41;c:\windows\system32\drivers\pssdk41.sys [2008-7-12 36928]
S3 VST_DPV;VST_DPV;c:\windows\system32\drivers\VSTDPV3.SYS [2006-11-2 987648]
S3 VSTHWBS2;VSTHWBS2;c:\windows\system32\drivers\VSTBS23.SYS [2006-11-2 251904]

=============== Created Last 30 ================

2009-04-11 19:51 310,190,124 a------- C:\registrybackup.reg
2009-04-11 14:12 <DIR> --d----- c:\programdata\Sony
2009-04-11 13:17 <DIR> --d----- c:\users\hp_adm~1\appdata\roaming\Malwarebytes
2009-04-11 13:17 15,504 a------- c:\windows\system32\drivers\mbam.sys
2009-04-11 13:17 38,496 a------- c:\windows\system32\drivers\mbamswissarmy.sys
2009-04-11 13:17 <DIR> --d----- c:\programdata\Malwarebytes
2009-04-11 13:17 <DIR> --d----- c:\program files\Malwarebytes' Anti-Malware
2009-04-11 13:17 <DIR> --d----- c:\progra~2\Malwarebytes
2009-04-11 13:03 <DIR> --d----- C:\_OTMoveIt
2009-04-09 21:49 318,976 a------- c:\windows\system32\CF16613.exe
2009-04-09 21:49 <DIR> --d----- C:\blue
2009-04-09 21:42 318,976 a------- c:\windows\system32\CF15434.exe
2009-04-09 21:41 318,976 a------- c:\windows\system32\CF15222.exe
2009-04-09 21:34 <DIR> --d----- C:\globremover
2009-04-09 21:34 318,976 a------- c:\windows\system32\CF13703.exe
2009-04-09 21:32 318,976 a------- c:\windows\system32\CF13348.exe
2009-04-09 21:29 318,976 a------- c:\windows\system32\CF12779.exe
2009-04-09 21:29 <DIR> --d----- C:\Combo-Fix
2009-04-09 21:22 318,976 a------- c:\windows\system32\CF11457.exe
2009-04-09 21:17 318,976 a------- c:\windows\system32\CF10484.exe
2009-04-09 20:42 318,976 a------- c:\windows\system32\CF3639.exe
2009-04-09 20:27 318,976 a------- c:\windows\system32\CF700.exe
2009-04-09 20:19 <DIR> --d----- C:\multifix
2009-04-09 20:19 318,976 a------- c:\windows\system32\CF31763.exe
2009-04-09 20:09 318,976 a------- c:\windows\system32\CF29879.exe
2009-04-09 20:07 318,976 a------- c:\windows\system32\CF29500.exe
2009-04-09 20:00 318,976 a------- c:\windows\system32\CF28109.exe
2009-04-09 19:49 318,976 a------- c:\windows\system32\CF25908.exe
2009-04-09 19:44 318,976 a------- c:\windows\system32\CF24879.exe
2009-04-08 23:01 318,976 a------- c:\windows\system32\CF10771.exe
2009-04-08 22:06 318,976 a------- c:\windows\system32\CF20.exe
2009-04-08 21:58 318,976 a------- c:\windows\system32\CF31260.exe
2009-04-08 21:55 318,976 a------- c:\windows\system32\CF30597.exe
2009-04-08 21:53 318,976 a------- c:\windows\system32\CF30195.exe
2009-04-05 17:45 318,976 a------- c:\windows\system32\CF19755.exe
2009-04-05 17:34 318,976 a------- c:\windows\system32\CF17802.exe
2009-04-05 14:55 318,976 a------- c:\windows\system32\CF19423.exe
2009-04-05 14:37 318,976 a------- c:\windows\system32\CF15772.exe
2009-04-05 14:26 318,976 a------- c:\windows\system32\CF13300.exe
2009-03-17 21:09 107,368 a------- c:\windows\system32\GEARAspi.dll
2009-03-17 21:09 23,848 a------- c:\windows\system32\drivers\GEARAspiWDM.sys
2009-03-17 21:08 <DIR> --d----- c:\program files\iPod
2009-03-17 21:08 <DIR> --d----- c:\programdata\{00D89592-F643-4D8D-8F0F-AFAE0F14D4C3}
2009-03-17 21:08 <DIR> --d----- c:\progra~2\{00D89592-F643-4D8D-8F0F-AFAE0F14D4C3}

==================== Find3M ====================

2009-03-17 20:59 143,360 a------- c:\windows\inf\infstrng.dat
2009-03-17 20:59 86,016 a------- c:\windows\inf\infstor.dat
2009-03-17 20:59 51,200 a------- c:\windows\inf\infpub.dat
2009-03-05 23:59 1,900,544 a------- c:\windows\system32\usbaaplrc.dll
2009-03-05 23:59 36,864 a------- c:\windows\system32\drivers\usbaapl.sys
2009-02-08 20:10 2,033,152 a------- c:\windows\system32\win32k.sys
2009-01-14 23:11 827,392 a------- c:\windows\system32\wininet.dll
2008-12-09 21:46 146,136 a------- c:\users\hp_adm~1\appdata\roaming\GDIPFONTCACHEV1.DAT
2008-06-14 03:12 665,600 a------- c:\windows\inf\drvindex.dat
2008-03-26 18:45 174 a--sh--- c:\program files\desktop.ini
2006-11-02 05:42 287,440 a------- c:\windows\inf\perflib\0409\perfi.dat
2006-11-02 05:42 287,440 a------- c:\windows\inf\perflib\0409\perfh.dat
2006-11-02 05:42 30,674 a------- c:\windows\inf\perflib\0409\perfd.dat
2006-11-02 05:42 30,674 a------- c:\windows\inf\perflib\0409\perfc.dat
2006-11-02 02:20 287,440 a------- c:\windows\inf\perflib\0000\perfi.dat
2006-11-02 02:20 287,440 a------- c:\windows\inf\perflib\0000\perfh.dat
2006-11-02 02:20 30,674 a------- c:\windows\inf\perflib\0000\perfd.dat
2006-11-02 02:20 30,674 a------- c:\windows\inf\perflib\0000\perfc.dat
2007-02-18 11:20 16,384 a--sh--- c:\windows\serviceprofiles\localservice\appdata\local\microsoft\windows\history\history.ie5\index.dat
2007-02-18 11:20 32,768 a--sh--- c:\windows\serviceprofiles\localservice\appdata\local\microsoft\windows\temporary internet files\content.ie5\index.dat
2007-02-18 11:20 16,384 a--sh--- c:\windows\serviceprofiles\localservice\appdata\roaming\microsoft\windows\cookies\index.dat
2006-12-16 16:41 22 a--sh--- c:\windows\sminst\HPCD.sys

============= FINISH: 7:31:26.11 ===============

#13 kahdah

kahdah

  • Security Colleague
  • 11,138 posts
  • OFFLINE
  • Gender:Male
  • Location:Florida
  • Local time:12:56 PM

Posted 12 April 2009 - 10:18 AM

Looks good :)
===========
Cleanup:

Please download OTCleanIt from Here and save it to your desktop.
Double-click on OTCleanIt to run it.
Then click on Clean up.
Restart your computer when prompted.
This will remove what tools we used.
===============
Your Java is out of date. Older versions have vulnerabilities that malicious sites can use to exploit and infect your system. Please follow these steps to remove older version Java components and update:
  • Download the latest version of Java Runtime Environment (JRE) Version 6 and save it to your desktop.
  • Scroll down to where it says "Java SE Runtime Environment (JRE) 6 Update 13...allows end-users to run Java applications".
  • Click the "Download" button to the right.
  • Select your Platform: "Windows".
  • Select your Language: "Multi-language".
  • Read the License Agreement, and then check the box that says: "Accept License Agreement".
  • Click Continue and the page will refresh.
  • Click on the link to download Windows Offline Installation and save the file to your desktop.
  • Close any programs you may have running - especially your web browser.
  • Go to Start > Settings > Control Panel, double-click on Add/Remove Programs and remove all older versions of Java.
  • Check (highlight) any item with Java Runtime Environment (JRE or J2SE) in the name.
  • Click the Remove or Change/Remove button.
  • Repeat as many times as necessary to remove each Java version.
  • Reboot your computer once all Java components are removed.
  • Then from your desktop double-click on jre-6u10-windows-i586-p.exe to install the newest version.
======================
Delete/uninstall anything else that we have used.


If you are using Vista then see this link > http://www.bleepingcomputer.com/tutorials/...143.html#manual
=====================================
After that your log is clean. :thumbup2:


The following are some articles and a Windows Update link that I like to suggest to people to prevent malware and for general PC maintenance.

Windows Updates - It is very important to make sure that both Internet Explorer and Windows are kept current with the latest critical security patches from Microsoft. To do this just start Internet Explorer and select Tools > Windows Update, and follow the online instructions from there.

Prevention article To find out more information about how you got infected in the first place and some great guidelines to follow to prevent future infections please read the Prevention article by Miekiemoes.

If your computer is slow is a tutorial on what you can do if your computer is slow.
Please do not pm for help, post it in the forums instead.

If I am helping you and have not responded for 48 hours please send me a pm as I don't always get notifications.

My help is always free, however, if you would like to make a donation to me for the help I have provided please click here.
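One way to verify that the old Java components are really gone after following the steps above is to enumerate the JREs still registered on the machine. The script below is an added example, not part of kahdah's post or any BleepingComputer tool; it reads the per-version subkeys Sun/Oracle installers create under HKLM\SOFTWARE\JavaSoft\Java Runtime Environment (and the Wow6432Node mirror on 64-bit Windows) and flags anything older than an assumed minimum of 1.6.0_13, which matches the "6 Update 13" the post recommends. On the log above, the jre1.5.0_09 install that still provides the Firefox plugins would be reported as outdated.

```powershell
# Added example (not from the original post): list registered JREs and flag old ones.
# $MinimumVersion is an assumption taken from the post's "JRE 6 Update 13"; raise it as
# newer updates ship. Registry naming scheme: one subkey per install, e.g. 1.5.0_09.
$MinimumVersion = [version]'1.6.0.13'

function Get-InstalledJre {
    $roots = @(
        'HKLM:\SOFTWARE\JavaSoft\Java Runtime Environment',
        'HKLM:\SOFTWARE\Wow6432Node\JavaSoft\Java Runtime Environment'   # 32-bit JRE on 64-bit Windows
    )
    foreach ($root in $roots) {
        if (-not (Test-Path $root)) { continue }
        foreach ($key in Get-ChildItem -Path $root) {
            # Only the fully qualified subkeys (1.6.0_13), not the family aliases (1.6)
            if ($key.PSChildName -match '^(\d+)\.(\d+)\.(\d+)_(\d+)$') {
                [pscustomobject]@{
                    Name     = $key.PSChildName
                    # Convert 1.6.0_13 into a comparable [version] 1.6.0.13
                    Version  = [version]('{0}.{1}.{2}.{3}' -f $Matches[1], $Matches[2], $Matches[3], $Matches[4])
                    JavaHome = (Get-ItemProperty -Path $key.PSPath).JavaHome
                }
            }
        }
    }
}

function Test-JreOutdated {
    param(
        [Parameter(Mandatory)][version]$Version,
        [version]$Minimum = $MinimumVersion
    )
    return ($Version -lt $Minimum)
}

$jres = @(Get-InstalledJre)
if ($jres.Count -eq 0) {
    Write-Output 'No Sun/Oracle JRE is registered under HKLM\SOFTWARE\JavaSoft.'
}
foreach ($jre in ($jres | Sort-Object Version)) {
    $status = if (Test-JreOutdated -Version $jre.Version) {
        'OUTDATED - remove it via Add/Remove Programs'
    } else {
        'OK'
    }
    Write-Output ('{0,-12} {1,-50} {2}' -f $jre.Name, $jre.JavaHome, $status)
}
```

Run it from an elevated PowerShell prompt after the reboot in the post's last step; any row still marked OUTDATED means an uninstall did not complete.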



