antivir 2009 pro infection, Vundo.H


This topic is locked
11 replies to this topic

#1 bhengr (Members, 26 posts)

Posted 02 August 2009 - 07:19 PM

I went through the prep steps to post the dds and attach files. Unfortunately, before joining this forum I have already run Malwarebytes and removed what it found. I can attach its log file if you wish. It removed the trojan Vundo.H.

Thanks for your help!
Bruce

Attached File  DDS.txt   12.78KB   2 downloads
Attached File  Attach.txt   18.05KB   1 downloads

#2 extremeboy (Malware Response Team, 12,975 posts)

Posted 11 August 2009 - 04:55 PM

Hi

My name is Extremeboy (or EB for short), and I will be helping you with your log.

We apologize for the delay in responding to your request for help. Here at Bleeping Computer we get overwhelmed at times, and we are trying our best to keep up. Please note that your topic was not intentionally overlooked. Our mission is to help everyone in need, but sometimes it takes just a little longer to get to every request for help.

If you have since resolved the original problem you were having, we would appreciate you letting us know. If not please perform the following steps below so we can have a look at the current condition of your machine. If you have not done so, include a description of your problem, along with any steps you may have performed so far.

If you do not make a reply in 5 days, we will need to close your topic.

You may want to keep the link to this topic in your favourites. Alternatively, you can click the Posted Image button at the top bar of this topic and Track this Topic. The topics you are tracking can be found here.

Please take note of some guidelines for this fix:
  • Refrain from making any changes to your computer including installing/uninstall programs, deleting files, modifying the registry, and running scanners or tools.
  • If you do not understand any step(s) provided, please do not hesitate to ask before continuing. I would much rather clarify instructions or explain them differently than have something important broken.
  • Even if things appear to be better, it might not mean we are finished. Please continue to follow my instructions and reply back until I give you the "all clean". We do not want to clean you part-way, only to have the system re-infect itself.
  • Please reply using the Posted Image button in the lower right hand corner of your screen. Do not start a new topic. The logs that you post should be pasted directly into the reply.
  • Old topics are closed after 3 days with no reply, and working topics are closed after 5 days. If for any reason you cannot complete instructions within that time, that's fine, just post back here so that we know you're still here.



If you still require assistance post a new set of DDS Logs and a description of any remaining problems or symptoms you may still have please.

If for any reason you did not post a DDS log please refer to this page and in step #6 there are instructions on downloading and running DDS. If you have any problems just let me know in your next reply or simply post a Hijackthis log.

Thanks again and we apologize for the delay.

With Regards,
Extremeboy
Note: Please do not PM me asking for help, instead please post it in the correct forum requesting for help. Help requests via the PM system will be ignored.

If I'm helping you and I don't reply within 48 hours please feel free to send me a PM.

The help you receive here is always free but if you wish to show your appreciation, you may wish to Posted Image.

#3 bhengr (Topic Starter, Members, 26 posts)

Posted 11 August 2009 - 09:26 PM

Hello EB,

Thank you for helping me out with this hijack. Before joining this forum and reading the pinned stuff, I had already run Malwarebytes and removed what it found. It found Vundo.H trojan among other things. I allowed it to remove all that it found. I can post the Malwarebytes log if that would be a help.

After doing that I have not had the false alerts and continuous pop ups. However, this is the second time I have gotten this so I think the trojan is still residing somewhere on my computer. Also, it appears that some of the "antivir 2009 pro" stuff is still in the registry (redirects etc).

Here is a fresh DDS scan that I just ran (dds and attach file):

Thank you,
Bruce

DDS (Ver_09-07-30.01) - NTFSx86
Run by Owner at 22:06:37.86 on Tue 08/11/2009
Internet Explorer: 8.0.6001.18702
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.894.305 [GMT -4:00]

AV: McAfee VirusScan *On-access scanning enabled* (Updated) {84B5EE75-6421-4CDE-A33A-DD43BA9FAD83}
FW: McAfee Personal Firewall *enabled* {94894B63-8C7F-4050-BDA4-813CA00DA3E8}

============== Running Processes ===============

C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
svchost.exe
svchost.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\Program Files\Digital Media Reader\shwiconem.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe
C:\WINDOWS\ehome\ehtray.exe
C:\WINDOWS\zHotkey.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\McAfee.com\Agent\mcagent.exe
C:\Program Files\McAfee\MBK\McAfeeDataBackup.exe
C:\Program Files\Microsoft IntelliType Pro\itype.exe
C:\Program Files\Microsoft IntelliPoint\ipoint.exe
C:\PROGRA~1\MI3AA1~1\wcescomm.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Windows Media Player\WMPNSCFG.exe
C:\Program Files\Google\Google Calendar Sync\GoogleCalendarSync.exe
C:\PROGRA~1\MI3AA1~1\rapimgr.exe
C:\Program Files\Microsoft IntelliPoint\dpupdchk.exe
svchost.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\WINDOWS\eHome\ehRecvr.exe
C:\WINDOWS\eHome\ehSched.exe
C:\WINDOWS\System32\svchost.exe -k HTTPFilter
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\McAfee\MBK\MBackMonitor.exe
C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
c:\PROGRA~1\COMMON~1\mcafee\mna\mcnasvc.exe
c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe
C:\Program Files\McAfee\MPF\MPFSrv.exe
svchost.exe
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\WINDOWS\system32\UAService7.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\system32\dllhost.exe
C:\WINDOWS\eHome\ehmsas.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Documents and Settings\Owner\My Documents\zip\HJT\dds.scr

============== Pseudo HJT Report ===============

uSearch Bar = hxxp://www.google.com/ie
uStart Page = hxxp://www.google.com
uSearch Page = hxxp://www.google.com
uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8
mDefault_Search_URL = hxxp://www.google.com/ie
mSearch Page = hxxp://www.google.com
mStart Page = hxxp://www.google.com
uInternet Connection Wizard,ShellNext = iexplore
uInternet Settings,ProxyOverride = *.local
uSearchAssistant = hxxp://www.google.com
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
mSearchAssistant = hxxp://www.google.com
TB: Google Toolbar: {2318c2b1-4965-11d4-9b18-009027a5cd4f} - c:\program files\google\google toolbar\GoogleToolbar.dll
TB: Yahoo! Toolbar: {ef99bd32-c1fb-11d2-892f-0090271d4f88} -
TB: {604BC32A-9680-40D1-9AC6-E06B23A1BA4C} - No File
EB: Real.com: {fe54fa40-d68c-11d2-98fa-00c0f0318afe} - c:\windows\system32\Shdocvw.dll
uRun: [H/PC Connection Agent] "c:\progra~1\mi3aa1~1\wcescomm.exe"
uRun: [swg] c:\program files\google\googletoolbarnotifier\GoogleToolbarNotifier.exe
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRun: [WMPNSCFG] c:\program files\windows media player\WMPNSCFG.exe
mRun: [SoundMan] SOUNDMAN.EXE
mRun: [SunKistEM] c:\program files\digital media reader\shwiconem.exe
mRun: [SunJavaUpdateSched] "c:\program files\java\jre6\bin\jusched.exe"
mRun: [ShowWnd] ShowWnd.exe
mRun: [RemoteControl] "c:\program files\cyberlink\powerdvd\PDVDServ.exe"
mRun: [Recguard] %WINDIR%\SMINST\RECGUARD.EXE
mRun: [QuickTime Task] "c:\program files\quicktime\qttask.exe" -atboottime
mRun: [NeroFilterCheck] c:\windows\system32\NeroCheck.exe
mRun: [ehTray] c:\windows\ehome\ehtray.exe
mRun: [CHotkey] zHotkey.exe
mRun: [ATIPTA] c:\program files\ati technologies\ati control panel\atiptaxx.exe
mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe"
mRun: [mcagent_exe] c:\program files\mcafee.com\agent\mcagent.exe /runkey
mRun: [McAfee Backup] c:\program files\mcafee\mbk\McAfeeDataBackup.exe
mRun: [MBkLogOnHook] c:\program files\mcafee\mbk\LogOnHook.exe
mRun: [<NO NAME>]
mRun: [RoxWatchTray] "c:\program files\common files\roxio shared\9.0\sharedcom\RoxWatchTray9.exe"
mRun: [itype] "c:\program files\microsoft intellitype pro\itype.exe"
mRun: [IntelliPoint] "c:\program files\microsoft intellipoint\ipoint.exe"
StartupFolder: c:\docume~1\owner\startm~1\programs\startup\roller~1.lnk - c:\documents and settings\owner\local settings\temp\{d7b588b5-1281-433a-abe9-3fc4dddc1f4c}\{907b4640-266b-4a21-92fb-cd1a86cd0f63}\ATR1.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\google~1.lnk - c:\program files\google\google calendar sync\GoogleCalendarSync.exe
IE: &Search
IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office11\EXCEL.EXE/3000
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {2EAF5BB1-070F-11D3-9307-00C04FAE2D4F} - {2EAF5BB0-070F-11D3-9307-00C04FAE2D4F} - c:\progra~1\mi3aa1~1\INetRepl.dll
IE: {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - {2EAF5BB0-070F-11D3-9307-00C04FAE2D4F} - c:\progra~1\mi3aa1~1\INetRepl.dll
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~2\office11\REFIEBAR.DLL
IE: {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - {FE54FA40-D68C-11d2-98FA-00C0F0318AFE} - c:\windows\system32\Shdocvw.dll
DPF: {05D44720-58E3-49E6-BDF6-D00330E511D3} - hxxp://zone.msn.com/binFrameWork/v10/StagingUI.cab55579.cab
DPF: {0CCA191D-13A6-4E29-B746-314DEE697D83} - hxxp://upload.facebook.com/controls/2008.10.10_v5.5.8/FacebookPhotoUploader5.cab
DPF: {17492023-C23A-453E-A040-C7C580BBF700} - hxxp://go.microsoft.com/fwlink/?linkid=39204
DPF: {3BB54395-5982-4788-8AF4-B5388FFDD0D8} - hxxp://zone.msn.com/BinFrameWork/v10/ZBuddy.cab55579.cab
DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} - hxxp://download.mcafee.com/molbin/shared/mcinsctl/4,0,0,101/mcinsctl.cab
DPF: {5736C456-EA94-4AAC-BB08-917ABDD035B3} - hxxp://zone.msn.com/binframework/v10/ZPAChat.cab55579.cab
DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} - hxxp://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1127581489562
DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} - hxxp://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1148347970140
DPF: {80B626D6-BC34-4BCF-B5A1-7149E4FD9CFA} - hxxp://zone.msn.com/bingame/zpagames/GAME_UNO1.cab60096.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_13-windows-i586.cab
DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} - hxxp://fpdownload.macromedia.com/get/flashplayer/current/polarbear/ultrashim.cab
DPF: {9522B3FB-7A2B-4646-8AF6-36E7F593073C} - hxxp://a19.g.akamai.net/7/19/7125/1452/ftp.coupons.com/r3302/cpbrkpie.cab
DPF: {A7EA8AD2-287F-11D3-B120-006008C39542} - hxxp://offers.e-centives.com/cif/download/bin/actxcab.cab
DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} - hxxp://cdn2.zone.msn.com/binFramework/v10/ZIntro.cab56649.cab
DPF: {BB21F850-63F4-4EC9-BF9D-565BD30C9AE9} - hxxp://ax.emsisoft.com/asquared.cab
DPF: {BCC0FF27-31D9-4614-A68E-C18E1ADA4389} - hxxp://download.mcafee.com/molbin/shared/mcgdmgr/1,0,0,26/mcgdmgr.cab
DPF: {CAFEEFAC-0015-0000-0006-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_06-windows-i586.cab
DPF: {CAFEEFAC-0015-0000-0009-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_09-windows-i586.cab
DPF: {CAFEEFAC-0015-0000-0010-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_10-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0001-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_01-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0003-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_03-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0005-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_05-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0013-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_13-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_13-windows-i586.cab
DPF: {DA2AA6CF-5C7A-4B71-BC3B-C771BB369937} - hxxp://zone.msn.com/binframework/v10/StProxy.cab55579.cab
DPF: {E06E2E99-0AA1-11D4-ABA6-0060082AA75C} - hxxps://disney.webex.com/client/v_mywebex-disney/webex/ieatgpc.cab
DPF: {E5D419D6-A846-4514-9FAD-97E826C84822} - hxxp://fdl.msn.com/zone/datafiles/heartbeat.cab
Filter: text/html - {f7dcb2b4-aa72-4234-acce-9333a8a3785b} - c:\windows\system32\xwreg32.dll
Filter: x-sdch - {B1759355-3EEC-4C1E-B0F1-B719FE26E377} - c:\program files\google\google toolbar\component\fastsearch_A8904FB862BD9564.dll
Notify: AtiExtEvent - Ati2evxx.dll
AppInit_DLLs:
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
SecurityProviders: msapsspc.dll, schannel.dll, digest.dll, msnsspc.dll, zwebauth.dll

============= SERVICES / DRIVERS ===============

R1 mfehidk;McAfee Inc. mfehidk;c:\windows\system32\drivers\mfehidk.sys [2009-5-26 201320]
R2 ACEDRV09;ACEDRV09;c:\windows\system32\drivers\ACEDRV09.sys [2008-2-10 110304]
R2 McProxy;McAfee Proxy Service;c:\progra~1\common~1\mcafee\mcproxy\mcproxy.exe [2009-5-26 359248]
R2 McrdSvc;Media Center Extender Service;c:\windows\ehome\mcrdsvc.exe [2005-8-5 99328]
R2 McShield;McAfee Real-time Scanner;c:\progra~1\mcafee\viruss~1\mcshield.exe [2009-5-26 144704]
R3 McSysmon;McAfee SystemGuards;c:\progra~1\mcafee\viruss~1\mcsysmon.exe [2009-5-26 695624]
R3 mfeavfk;McAfee Inc. mfeavfk;c:\windows\system32\drivers\mfeavfk.sys [2009-5-26 79304]
R3 mfebopk;McAfee Inc. mfebopk;c:\windows\system32\drivers\mfebopk.sys [2009-5-26 35240]
R3 mfesmfk;McAfee Inc. mfesmfk;c:\windows\system32\drivers\mfesmfk.sys [2009-5-26 40488]
S3 mferkdk;McAfee Inc. mferkdk;c:\windows\system32\drivers\mferkdk.sys [2009-5-26 33832]

=============== Created Last 30 ================

2009-08-07 16:07 21,504 a------- c:\windows\system32\drivers\hidserv.dll
2009-08-07 16:07 14,592 ac------ c:\windows\system32\dllcache\kbdhid.sys
2009-08-07 16:07 14,592 a------- c:\windows\system32\drivers\kbdhid.sys
2009-08-07 15:58 21,760 a------- c:\windows\system32\drivers\point32.sys
2009-08-07 15:58 <DIR> --d----- c:\program files\Microsoft IntelliPoint
2009-08-07 15:57 1,418,120 a------- c:\windows\system32\wdfcoinstaller01005.dll
2009-08-07 15:57 14,736 a------- c:\windows\system32\drivers\nuidfltr.sys
2009-08-07 15:57 <DIR> --d----- c:\program files\Microsoft IntelliType Pro
2009-08-03 11:57 <DIR> --d----- c:\program files\common files\Sonic Shared
2009-08-03 11:57 <DIR> --d----- c:\program files\Roxio
2009-08-03 11:52 26,496 a----r-- c:\windows\system32\drivers\RimSerial.sys
2009-08-03 11:51 <DIR> --d----- c:\program files\common files\Research In Motion
2009-08-03 11:51 <DIR> --d----- c:\program files\Research In Motion
2009-08-02 19:05 687,104 a------- c:\windows\isRS-000.tmp
2009-07-31 10:31 <DIR> --d----- c:\program files\Shared
2009-07-25 10:50 <DIR> --dsh--- c:\documents and settings\owner\IECompatCache
2009-07-25 10:48 <DIR> --dsh--- c:\documents and settings\owner\PrivacIE
2009-07-25 09:26 <DIR> --dsh--- c:\documents and settings\owner\IETldCache
2009-07-24 22:36 101,376 -c------ c:\windows\system32\dllcache\iecompat.dll
2009-07-24 22:36 <DIR> --d----- c:\windows\ie8updates
2009-07-24 22:35 12,800 -c------ c:\windows\system32\dllcache\xpshims.dll
2009-07-24 22:35 246,272 -c------ c:\windows\system32\dllcache\ieproxy.dll
2009-07-24 22:32 <DIR> -cd-h--- c:\windows\ie8
2009-07-24 22:01 <DIR> --d----- c:\program files\CCleaner

==================== Find3M ====================

2009-08-07 16:08 0 a---h--- c:\windows\system32\drivers\Msft_Kernel_NuidFltr_01005.Wdf
2009-08-07 16:08 0 a---h--- c:\windows\system32\drivers\MsftWdf_Kernel_01005_Coinstaller_Critical.Wdf
2009-08-02 17:41 34 a------- c:\documents and settings\owner\jagex_runescape_preferences.dat
2009-07-13 13:36 38,160 a------- c:\windows\system32\drivers\mbamswissarmy.sys
2009-07-13 13:36 19,096 a------- c:\windows\system32\drivers\mbam.sys
2009-07-03 13:09 915,456 a------- c:\windows\system32\wininet.dll
2009-06-16 17:43 43,520 a------- c:\windows\system32\CmdLineExt03.dll
2009-06-16 10:36 119,808 a------- c:\windows\system32\t2embed.dll
2009-06-16 10:36 81,920 a------- c:\windows\system32\fontsub.dll
2009-06-03 21:09 98,304 a------- c:\windows\system32\CmdLineExt.dll
2009-06-03 15:09 1,291,264 a------- c:\windows\system32\quartz.dll
2009-05-19 17:07 410,984 a------- c:\windows\system32\deploytk.dll
2005-12-20 12:01 486 a------- c:\docume~1\owner\applic~1\wklnhst.dat
2008-10-20 10:12 32,768 a--sh--- c:\windows\system32\config\systemprofile\local settings\history\history.ie5\mshist012008102020081021\index.dat

============= FINISH: 22:07:27.86 ===============
UNLESS SPECIFICALLY INSTRUCTED, DO NOT POST THIS LOG.
IF REQUESTED, ZIP IT UP & ATTACH IT

DDS (Ver_09-07-30.01)

Microsoft Windows XP Professional
Boot Device: \Device\HarddiskVolume1
Install Date: 9/19/2005 12:24:18 PM
System Uptime: 8/11/2009 8:56:57 AM (14 hours ago)

Motherboard: MICRO-STAR | | MS-7145
Processor: AMD Athlon™ 64 Processor 3400+ | Socket 754 | 2393/199mhz

==== Disk Partitions =========================

C: is FIXED (NTFS) - 182 GiB total, 135.978 GiB free.
D: is FIXED (FAT32) - 4 GiB total, 0.987 GiB free.
E: is CDROM (CDFS)
F: is CDROM ()
G: is Removable
H: is Removable
I: is Removable
J: is Removable

==== Disabled Device Manager Items =============

Class GUID: {4D36E972-E325-11CE-BFC1-08002BE10318}
Description: Realtek RTL8139/810x Family Fast Ethernet NIC
Device ID: PCI\VEN_10EC&DEV_8139&SUBSYS_145C1462&REV_10\4&2E26DDEC&0&18A4
Manufacturer: Realtek Semiconductor Corp.
Name: Realtek RTL8139/810x Family Fast Ethernet NIC
PNP Device ID: PCI\VEN_10EC&DEV_8139&SUBSYS_145C1462&REV_10\4&2E26DDEC&0&18A4
Service: RTL8023xp

Class GUID: {4D36E972-E325-11CE-BFC1-08002BE10318}
Description: 1394 Net Adapter
Device ID: V1394\NIC1394\B57DD310DC00
Manufacturer: Microsoft
Name: 1394 Net Adapter
PNP Device ID: V1394\NIC1394\B57DD310DC00
Service: NIC1394

==== System Restore Points ===================

RP1177: 5/13/2009 11:15:19 PM - Software Distribution Service 3.0
RP1178: 5/15/2009 7:14:04 AM - System Checkpoint
RP1179: 5/17/2009 9:16:22 AM - System Checkpoint
RP1180: 5/18/2009 9:35:26 AM - System Checkpoint
RP1181: 5/19/2009 2:34:13 PM - System Checkpoint
RP1182: 5/19/2009 5:06:50 PM - Installed Java™ 6 Update 13
RP1183: 5/19/2009 5:07:53 PM - Installed MSN Toolbar Setup
RP1184: 5/20/2009 5:31:23 PM - System Checkpoint
RP1185: 5/21/2009 6:08:48 PM - System Checkpoint
RP1186: 5/22/2009 4:52:04 PM - Installed Compatibility Pack for the 2007 Office system
RP1187: 5/23/2009 5:27:47 PM - System Checkpoint
RP1188: 5/24/2009 6:20:04 PM - System Checkpoint
RP1189: 5/25/2009 7:44:55 PM - System Checkpoint
RP1190: 5/26/2009 3:00:26 PM - Removed MSN Toolbar
RP1191: 5/26/2009 3:01:02 PM - Removed Microsoft Search Enhancement Pack
RP1192: 5/26/2009 3:01:13 PM - Removed Microsoft Default Manager
RP1193: 5/26/2009 8:32:42 PM - Software Distribution Service 3.0
RP1194: 5/26/2009 9:02:53 PM - Software Distribution Service 3.0
RP1195: 5/26/2009 9:24:20 PM - Printer Driver Microsoft XPS Document Writer Installed
RP1196: 5/26/2009 9:26:07 PM - Printer Driver Microsoft XPS Document Writer Installed
RP1197: 5/26/2009 9:27:53 PM - Printer Driver Microsoft XPS Document Writer Installed
RP1198: 5/26/2009 9:29:34 PM - Printer Driver Microsoft XPS Document Writer Installed
RP1199: 5/26/2009 9:31:29 PM - Printer Driver Microsoft XPS Document Writer Installed
RP1200: 5/26/2009 9:33:16 PM - Printer Driver Microsoft XPS Document Writer Installed
RP1201: 5/26/2009 9:35:36 PM - Printer Driver Microsoft XPS Document Writer Installed
RP1202: 5/26/2009 9:36:54 PM - Printer Driver Microsoft XPS Document Writer Installed
RP1203: 5/26/2009 9:40:14 PM - Printer Driver Microsoft XPS Document Writer Installed
RP1204: 5/26/2009 9:42:11 PM - Printer Driver Microsoft XPS Document Writer Installed
RP1205: 5/26/2009 9:45:10 PM - Printer Driver Microsoft XPS Document Writer Installed
RP1206: 5/26/2009 9:47:30 PM - Printer Driver Microsoft XPS Document Writer Installed
RP1207: 5/26/2009 9:49:39 PM - Printer Driver Microsoft XPS Document Writer Installed
RP1208: 5/26/2009 9:51:22 PM - Printer Driver Microsoft XPS Document Writer Installed
RP1209: 5/26/2009 9:52:36 PM - Printer Driver Microsoft XPS Document Writer Installed
RP1210: 5/26/2009 9:54:15 PM - Printer Driver Microsoft XPS Document Writer Installed
RP1211: 5/26/2009 10:04:07 PM - Software Distribution Service 3.0
RP1212: 5/26/2009 10:52:22 PM - Restore Operation
RP1213: 5/26/2009 11:02:33 PM - Removed MSN Toolbar
RP1214: 5/26/2009 11:02:48 PM - Removed Microsoft Search Enhancement Pack
RP1215: 5/26/2009 11:02:58 PM - Removed Microsoft Default Manager
RP1216: 5/26/2009 11:56:19 PM - Installed Opera 9.64
RP1217: 5/28/2009 8:00:08 AM - System Checkpoint
RP1218: 5/29/2009 8:19:16 AM - System Checkpoint
RP1219: 5/30/2009 10:50:33 AM - System Checkpoint
RP1220: 5/31/2009 3:31:22 PM - System Checkpoint
RP1221: 6/1/2009 4:23:22 PM - System Checkpoint
RP1222: 6/2/2009 4:55:55 PM - System Checkpoint
RP1223: 6/3/2009 6:31:10 PM - System Checkpoint
RP1224: 6/4/2009 6:45:04 PM - System Checkpoint
RP1225: 6/5/2009 10:33:22 PM - System Checkpoint
RP1226: 6/7/2009 9:12:30 AM - System Checkpoint
RP1227: 6/8/2009 9:47:09 AM - System Checkpoint
RP1228: 6/9/2009 3:12:20 PM - System Checkpoint
RP1229: 6/9/2009 10:30:12 PM - Software Distribution Service 3.0
RP1230: 6/10/2009 11:23:34 PM - System Checkpoint
RP1231: 6/10/2009 11:43:07 PM - Software Distribution Service 3.0
RP1232: 6/12/2009 11:52:29 PM - System Checkpoint
RP1233: 6/14/2009 8:07:41 AM - System Checkpoint
RP1234: 6/15/2009 9:49:01 AM - System Checkpoint
RP1235: 6/16/2009 10:08:46 AM - System Checkpoint
RP1236: 6/17/2009 10:13:21 AM - System Checkpoint
RP1237: 6/18/2009 1:37:52 PM - System Checkpoint
RP1238: 6/19/2009 3:31:24 PM - System Checkpoint
RP1239: 6/20/2009 5:20:16 PM - System Checkpoint
RP1240: 6/21/2009 5:27:13 PM - System Checkpoint
RP1241: 6/22/2009 5:51:45 PM - System Checkpoint
RP1242: 6/23/2009 7:47:33 PM - System Checkpoint
RP1243: 6/25/2009 12:40:56 AM - System Checkpoint
RP1244: 6/26/2009 10:46:37 AM - System Checkpoint
RP1245: 6/27/2009 12:54:21 PM - System Checkpoint
RP1246: 6/28/2009 2:46:01 PM - System Checkpoint
RP1247: 6/29/2009 4:17:40 PM - System Checkpoint
RP1248: 6/30/2009 5:53:40 PM - System Checkpoint
RP1249: 7/1/2009 6:44:13 PM - System Checkpoint
RP1250: 7/2/2009 6:50:21 PM - System Checkpoint
RP1251: 7/3/2009 7:37:14 PM - System Checkpoint
RP1252: 7/4/2009 8:01:09 PM - System Checkpoint
RP1253: 7/5/2009 10:21:45 PM - System Checkpoint
RP1254: 7/7/2009 8:52:01 AM - System Checkpoint
RP1255: 7/8/2009 9:06:36 AM - System Checkpoint
RP1256: 7/9/2009 9:19:35 AM - System Checkpoint
RP1257: 7/10/2009 2:02:19 PM - System Checkpoint
RP1258: 7/11/2009 4:18:23 PM - System Checkpoint
RP1259: 7/12/2009 4:35:02 PM - System Checkpoint
RP1260: 7/13/2009 5:13:09 PM - System Checkpoint
RP1261: 7/14/2009 9:17:43 PM - System Checkpoint
RP1262: 7/15/2009 6:04:03 PM - Software Distribution Service 3.0
RP1263: 7/17/2009 7:22:23 AM - System Checkpoint
RP1264: 7/18/2009 9:48:32 AM - System Checkpoint
RP1265: 7/19/2009 11:18:08 AM - System Checkpoint
RP1266: 7/20/2009 12:05:13 PM - System Checkpoint
RP1267: 7/21/2009 1:09:52 PM - System Checkpoint
RP1268: 7/22/2009 4:10:51 PM - System Checkpoint
RP1269: 7/22/2009 11:04:20 PM - Software Distribution Service 3.0
RP1270: 7/24/2009 11:29:10 AM - System Checkpoint
RP1271: 7/24/2009 10:27:58 PM - Software Distribution Service 3.0
RP1272: 7/25/2009 10:35:10 PM - System Checkpoint
RP1273: 7/26/2009 5:50:52 PM - Removed MapleStory
RP1274: 7/26/2009 5:53:45 PM - Removed Star Wars Galactic Battlegrounds: Clone Campaigns
RP1275: 7/27/2009 8:39:55 PM - System Checkpoint
RP1276: 7/28/2009 9:09:54 PM - System Checkpoint
RP1277: 7/29/2009 7:47:32 PM - Software Distribution Service 3.0
RP1278: 7/31/2009 8:17:13 AM - System Checkpoint
RP1279: 7/31/2009 11:36:02 PM - Software Distribution Service 3.0
RP1280: 8/2/2009 8:47:37 AM - System Checkpoint
RP1281: 8/3/2009 11:32:24 AM - System Checkpoint
RP1282: 8/3/2009 11:51:09 AM - Installed BlackBerry Desktop Software 4.5.
RP1283: 8/3/2009 11:57:22 AM - Installed Roxio Media Manager
RP1284: 8/4/2009 1:31:04 PM - System Checkpoint
RP1285: 8/5/2009 2:29:21 PM - System Checkpoint
RP1286: 8/6/2009 2:38:54 PM - System Checkpoint
RP1287: 8/7/2009 4:08:16 PM - Installed Windows XP Wdf01005.
RP1288: 8/8/2009 2:09:20 PM - Software Distribution Service 3.0
RP1289: 8/9/2009 5:26:32 PM - System Checkpoint
RP1290: 8/10/2009 6:06:04 PM - System Checkpoint
RP1291: 8/11/2009 7:27:21 PM - System Checkpoint

==== Installed Programs ======================

Activision Value\Atlantis Underwater Tycoon
Ad-Aware SE Personal
Adobe Acrobat Reader 3.01
Adobe Flash Player 10 ActiveX
Adobe Flash Player 10 Plugin
Adobe Reader 7.0.5
AndreaMosaic 3.21
Apple Mobile Device Support
Apple Software Update
ATI - Software Uninstall Utility
ATI Control Panel
ATI Display Driver
Beyond Pearl Harbor - Pacific Warriors
BlackBerry Desktop Software 4.5
Blast Thru Special Edition
Bonjour
Canon MF Drivers
Canon MF Toolbox 4.7.0.0.mf02
CCleaner (remove only)
Checkers Special Edition
Civilization III
Civilization III Play the World
ClearType Tuning Control Panel Applet
Compatibility Pack for the 2007 Office system
Coupon Printer for Windows
Critical Update for Windows Media Player 11 (KB959772)
Digital Media Reader
Dinosaur Battles™
Google Calendar Sync
Google Toolbar for Internet Explorer
Grade Builder Algebra 1
Grammar for the Real World
HighMAT Extension to Microsoft Windows XP CD Writing Wizard
HijackThis 2.0.2
Hotfix for Microsoft .NET Framework 3.0 (KB932471)
Hotfix for Windows Internet Explorer 7 (KB947864)
Hotfix for Windows Media Format 11 SDK (KB929399)
Hotfix for Windows Media Player 10 (KB903157)
Hotfix for Windows Media Player 11 (KB939683)
Hotfix for Windows XP (KB952287)
ImageMixer VCD/DVD2 for OLYMPUS
iTunes
J2SE Runtime Environment 5.0 Update 10
J2SE Runtime Environment 5.0 Update 2
J2SE Runtime Environment 5.0 Update 6
J2SE Runtime Environment 5.0 Update 9
Java™ 6 Update 13
Java™ 6 Update 3
Java™ 6 Update 5
Java™ SE Runtime Environment 6 Update 1
JumpStart Typing
Learn2 Player (Uninstall Only)
LEGO Star Wars
MagicTune3.5_Client
Mall Tycoon 3
Malwarebytes' Anti-Malware
Mazes Special Edition
McAfee SecurityCenter
Microsoft .NET Framework 1.1
Microsoft .NET Framework 1.1 Hotfix (KB928366)
Microsoft .NET Framework 2.0 Service Pack 1
Microsoft .NET Framework 3.0
Microsoft ActiveSync 4.0
Microsoft Application Error Reporting
Microsoft Base Smart Card Cryptographic Service Provider Package
Microsoft Compression Client Pack 1.0 for Windows XP
Microsoft Digital Image Library 9 - Blocker
Microsoft IntelliPoint 6.2
Microsoft IntelliType Pro 6.2
Microsoft Internationalized Domain Names Mitigation APIs
Microsoft Kernel-Mode Driver Framework Feature Pack 1.5
Microsoft Money 2005
Microsoft National Language Support Downlevel APIs
Microsoft Office Standard Edition 2003
Microsoft Picture It! Library 10
Microsoft Picture It! Premium 10
Microsoft Silverlight
Microsoft User-Mode Driver Framework Feature Pack 1.0
Microsoft Visual C++ 2005 ATL Update kb973923 - x86 8.0.50727.4053
Microsoft Visual C++ 2005 Redistributable
Microsoft Works
Mini Golf Special Edition
MMS Winter Wonderland Screen Saver
MMs ScreenSaver
MSN Gaming Zone
MSXML 4.0 SP2 (KB925672)
MSXML 4.0 SP2 (KB927978)
MSXML 4.0 SP2 (KB936181)
MSXML 4.0 SP2 (KB954430)
MSXML 6.0 Parser (KB933579)
Multimedia Keyboard Driver
Napster
Napster Burn Engine
Nemesis of the Roman Empire
Nero BurnRights
Nero OEM
OLYMPUS Master
Opera 9.64
PowerDVD
QuickTime
RealPlayer Basic
Realtek AC'97 Audio
Recovery Software Suite eMachines
RollerCoaster Tycoon 3 Platinum
Roxio Media Manager
Security Update for CAPICOM (KB931906)
Security Update for Windows Internet Explorer 7 (KB937143)
Security Update for Windows Internet Explorer 7 (KB938127)
Security Update for Windows Internet Explorer 7 (KB939653)
Security Update for Windows Internet Explorer 7 (KB942615)
Security Update for Windows Internet Explorer 7 (KB944533)
Security Update for Windows Internet Explorer 7 (KB950759)
Security Update for Windows Internet Explorer 7 (KB953838)
Security Update for Windows Internet Explorer 7 (KB956390)
Security Update for Windows Internet Explorer 7 (KB958215)
Security Update for Windows Internet Explorer 7 (KB960714)
Security Update for Windows Internet Explorer 7 (KB961260)
Security Update for Windows Internet Explorer 7 (KB963027)
Security Update for Windows Internet Explorer 7 (KB969897)
Security Update for Windows Internet Explorer 8 (KB969897)
Security Update for Windows Internet Explorer 8 (KB972260)
Security Update for Windows Media Player (KB952069)
Security Update for Windows Media Player 10 (KB911565)
Security Update for Windows Media Player 10 (KB917734)
Security Update for Windows Media Player 11 (KB936782)
Security Update for Windows Media Player 11 (KB954154)
Security Update for Windows Media Player 6.4 (KB925398)
Security Update for Windows XP (KB923561)
Security Update for Windows XP (KB923689)
Security Update for Windows XP (KB938464-v2)
Security Update for Windows XP (KB938464)
Security Update for Windows XP (KB941569)
Security Update for Windows XP (KB946648)
Security Update for Windows XP (KB950760)
Security Update for Windows XP (KB950762)
Security Update for Windows XP (KB950974)
Security Update for Windows XP (KB951066)
Security Update for Windows XP (KB951376-v2)
Security Update for Windows XP (KB951376)
Security Update for Windows XP (KB951698)
Security Update for Windows XP (KB951748)
Security Update for Windows XP (KB952004)
Security Update for Windows XP (KB952954)
Security Update for Windows XP (KB953839)
Security Update for Windows XP (KB954211)
Security Update for Windows XP (KB954459)
Security Update for Windows XP (KB954600)
Security Update for Windows XP (KB955069)
Security Update for Windows XP (KB956391)
Security Update for Windows XP (KB956572)
Security Update for Windows XP (KB956802)
Security Update for Windows XP (KB956803)
Security Update for Windows XP (KB956841)
Security Update for Windows XP (KB957095)
Security Update for Windows XP (KB957097)
Security Update for Windows XP (KB958644)
Security Update for Windows XP (KB958687)
Security Update for Windows XP (KB958690)
Security Update for Windows XP (KB959426)
Security Update for Windows XP (KB960225)
Security Update for Windows XP (KB960715)
Security Update for Windows XP (KB960803)
Security Update for Windows XP (KB961371)
Security Update for Windows XP (KB961373)
Security Update for Windows XP (KB961501)
Security Update for Windows XP (KB968537)
Security Update for Windows XP (KB969898)
Security Update for Windows XP (KB970238)
Security Update for Windows XP (KB971633)
Security Update for Windows XP (KB973346)
Sid Meier's Civilization 4
SimTheme Park
SoftV92 Data Fax Modem with SmartCP
Sonic Encoders
Spider-Man ™ Movie
SpongeBob SquarePants Typing
Star Wars Battlefront II
Star Wars Math
TeLL me More
Treasure Cove!
Treasure MathStorm!
Typing Tutor 10
Update for Windows Internet Explorer 8 (KB972636)
Update for Windows Media Player 10 (KB913800)
Update for Windows Media Player 10 (KB926251)
Update for Windows XP (KB951072-v2)
Update for Windows XP (KB951978)
Update for Windows XP (KB953356)
Update for Windows XP (KB955839)
Update for Windows XP (KB967715)
Update Rollup 2 for Windows XP Media Center Edition 2005
URGE
WebEx
WebFldrs XP
Who Wants To Be A Millionaire
Windows Communication Foundation
Windows Genuine Advantage Notifications (KB905474)
Windows Genuine Advantage v1.3.0254.0
Windows Genuine Advantage Validation Tool (KB892130)
Windows Imaging Component
Windows Internet Explorer 7
Windows Internet Explorer 8
Windows Media Connect
Windows Media Format 11 runtime
Windows Media Format SDK Hotfix - KB891122
Windows Media Player 10 Hotfix - KB894476
Windows Media Player 11
Windows Presentation Foundation
Windows Workflow Foundation
Windows XP Media Center Edition 2005 KB888316
Windows XP Media Center Edition 2005 KB890629
Windows XP Media Center Edition 2005 KB890760
Windows XP Media Center Edition 2005 KB895198
Windows XP Media Center Edition 2005 KB895678
Windows XP Media Center Edition 2005 KB925766
Windows XP Service Pack 3
WinZip
XML Paper Specification Shared Components Pack 1.0
Zoo Tycoon 2
Zoo Tycoon: Complete Collection

==== Event Viewer Messages From Past Week ========

8/8/2009 5:31:20 PM, error: BROWSER [8019] - The browser was unable to promote itself to master browser. The browser will continue to attempt to promote itself to the master browser, but will no longer log any events in the event log in Event Viewer.
8/8/2009 5:30:18 PM, error: Service Control Manager [7034] - The iPod Service service terminated unexpectedly. It has done this 1 time(s).
8/8/2009 5:30:14 PM, error: Service Control Manager [7034] - The MBackMonitor service terminated unexpectedly. It has done this 1 time(s).
8/8/2009 3:53:40 PM, error: NetBT [4321] - The name "MSHOME :1d" could not be registered on the Interface with IP address 192.168.0.193. The machine with the IP address 192.168.0.196 did not allow the name to be claimed by this machine.
8/8/2009 3:25:22 PM, error: Service Control Manager [7026] - The following boot-start or system-start driver(s) failed to load: abp480n5 adpu160m agp440 agpCPQ Aha154x aic78u2 aic78xx AliIde alim1541 amdagp amsint asc asc3350p asc3550 cbidf cd20xrnt CmdIde Cpqarray dac2w2k dac960nt dpti2o hpn i2omp ini910u IntelIde mraid35x perc2 perc2hib ql1080 Ql10wnt ql12160 ql1240 ql1280 sisagp Sparrow symc810 symc8xx sym_hi sym_u3 TosIde ultra viaagp ViaIde
8/8/2009 2:07:27 PM, error: Service Control Manager [7009] - Timeout (30000 milliseconds) waiting for the Roxio Hard Drive Watcher 9 service to connect.
8/8/2009 1:47:07 PM, error: BROWSER [8009] - The browser was unable to promote itself to master browser. The computer that currently believes it is the master browser is YOUR-9FD2694BB6.

==== End Of File ===========================

#4 extremeboy (Malware Response Team, 12,975 posts)

Posted 12 August 2009 - 11:58 AM

Hello.

Thank you for helping me out with this hijack. Before joining this forum and reading the pinned stuff, I had already run Malwarebytes and removed what it found. It found the Vundo.H trojan among other things. I allowed it to remove all that it found. I can post the Malwarebytes log if that would be a help.

Yes, post the log please. :thumbup2:

Then, let's update Java, run an online scan and see what's left.

Update Java to Java 6 Update 16

Your Java is out of date. Older versions have vulnerabilities that malicious sites can use to exploit and infect your system. Please follow these steps to remove older version Java components and update:
  • Download the latest version of Java Runtime Environment (JRE) Version 6 and save it to your desktop.
  • Look for "Java Runtime Environment (JRE)" JRE 6 Update 16.
  • Click the Download button to the right.
  • Select your Platform: "Windows".
  • Select your Language: "Multi-language".
  • Read the License Agreement, and then check the box that says: "Accept License Agreement".
  • Click Continue and the page will refresh.
  • Under Required Files, check the box for Windows Offline Installation, click the link below it and save the file to your desktop.
  • Close any programs you may have running - especially your web browser.
Go to Start > Settings > Control Panel, double-click on Add/Remove Programs and remove all older versions of Java.
  • Check (highlight) any item with Java Runtime Environment (JRE or J2SE) in the name.
  • Click the Remove or Change/Remove button and follow the onscreen instructions for the Java uninstaller.
  • Repeat as many times as necessary to remove each Java version.
  • Reboot your computer once all Java components are removed.
  • Then from your desktop double-click on jre-6u16-windows-i586.exe to install the newest version.
-- If using Windows Vista and the installer refuses to launch due to insufficient user permissions, then Run As Administrator.
-- If you choose to update via the Java applet in Control Panel, uncheck the option to install the Toolbar unless you want it.
-- The uninstaller incorporated in this release removes previous Updates 10 and above, but does not remove older versions, so they still need to be removed manually.


Note: The Java Quick Starter (JQS.exe) adds a service to improve the initial startup time of Java applets and applications. To disable the JQS service if you don't want to use it, go to Start > Control Panel > Java > Advanced > Miscellaneous and uncheck the box for Java Quick Starter. Click Ok and reboot your computer.

Download and Run ATFCleaner

Please download ATF Cleaner by Atribune. This program will clear out temporary files and settings. You will likely be logged out of the forum where you are receiving help.
  • Double-click ATF-Cleaner.exe to run the program.
  • Under Main Select Files to Delete choose: Select All.
  • Click the Empty Selected button.
If you use Firefox browser also...
  • Click Firefox at the top and choose: Select All
  • Click the Empty Selected button.
    NOTE: If you would like to keep your saved passwords, please click No at the prompt.
If you use Opera browser also...
  • Click Opera at the top and choose: Select All
  • Click the Empty Selected button.
    NOTE: If you would like to keep your saved passwords, please click No at the prompt.
Run Scan with Kaspersky

Please do a scan with Kaspersky Online Scanner. Please note: Kaspersky requires Java Runtime Environment (JRE) be installed before scanning for malware, as ActiveX is no longer being used.

If you are using Windows Vista, open your browser by right-clicking on its icon and select 'Run as administrator' to perform this scan.

  • Open the Kaspersky WebScanner page.
  • Click on the [button image] button on the main page.
  • The program will launch and fill in the Information section on the left.
  • Read the "Requirements and Limitations" then press the [button image] button.
  • The program will begin downloading the latest program and definition files. It may take a while so please be patient and let it finish.
  • Once the files have been downloaded, click on the [button image] button.
    In the scan settings make sure the following are selected:
    • Detect malicious programs of the following categories:
      Viruses, Worms, Trojan Horses, Rootkits
      Spyware, Adware, Dialers and other potentially dangerous programs
    • Scan compound files (doesn't apply to the File scan area):
      Archives
      Mail databases
      By default the above items should already be checked.
    • Click the [button image] button, if you made any changes.
  • Now under the Scan section on the left, select My Computer.
  • The program will now start and scan your system. This will run for a while, be patient and let it finish.
  • Once the scan is complete, click on View scan report
  • Now, click on the Save Report as button.
  • Save the file to your desktop.
  • Copy and paste that information in your next post.
You can refer to this animation by sundavis if needed.

With Regards,
Extremeboy
Note: Please do not PM me asking for help, instead please post it in the correct forum requesting help. Help requests via the PM system will be ignored.

If I'm helping you and I don't reply within 48 hours please feel free to send me a PM.

The help you receive here is always free but if you wish to show your appreciation, you may wish to use the [image link].

#5 bhengr (Topic Starter, Members, 26 posts)

Posted 12 August 2009 - 08:39 PM

Hi EB,

Able to accomplish all steps except the Kas online scan. The site has a bug that results in a full download with error following the definition download. Error says "Key has expired". Sorta weird. Same result on my other computer that is not infected. I downloaded trial version of Kaspersky and did a full scan. I attached those results last.

I also am attaching 2 malwarebyte logs. I actually ran it twice and had it remove what it found (this happened before I joined this forum).

Thank you,
Bruce
----------------------------------------------------------------------
Malwarebytes' Anti-Malware 1.39
Database version: 2421
Windows 5.1.2600 Service Pack 3

8/2/2009 7:24:27 PM
mbam-log-2009-08-02 (19-24-27).txt

Scan type: Quick Scan
Objects scanned: 101884
Time elapsed: 8 minute(s), 41 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 3
Registry Keys Infected: 12
Registry Values Infected: 4
Registry Data Items Infected: 6
Folders Infected: 0
Files Infected: 6

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
C:\WINDOWS\system32\palowaru.dll (Trojan.Vundo.H) -> Delete on reboot.
c:\WINDOWS\system32\sapahore.dll (Trojan.Vundo.H) -> Delete on reboot.
C:\WINDOWS\system32\matizava.dll (Trojan.Vundo.H) -> Delete on reboot.

Registry Keys Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{1bcaceea-5bfe-42ef-8929-b2c172245ebc} (Trojan.Vundo.H) -> Delete on reboot.
HKEY_CLASSES_ROOT\CLSID\{1bcaceea-5bfe-42ef-8929-b2c172245ebc} (Trojan.Vundo.H) -> Delete on reboot.
HKEY_CLASSES_ROOT\CLSID\{ec43e3fd-5c60-46a6-97d7-e0b85dbdd6c4} (Trojan.Vundo.H) -> Delete on reboot.
HKEY_CLASSES_ROOT\main.bho (Trojan.BHO) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\TypeLib\{8e3c68cd-f500-4a2a-8cb9-132bb38c3573} (Trojan.BHO) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Interface\{986a8ac1-ab4d-4f41-9068-4b01c0197867} (Trojan.BHO) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{afd4ad01-58c1-47db-a404-fbe00a6c5486} (Trojan.BHO) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{afd4ad01-58c1-47db-a404-fbe00a6c5486} (Trojan.BHO) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{afd4ad01-58c1-47db-a404-fbe00a6c5486} (Trojan.BHO) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\main.bho.1 (Trojan.BHO) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{1bcaceea-5bfe-42ef-8929-b2c172245ebc} (Trojan.Vundo.H) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\dslcnnct (Trojan.Vundo) -> Quarantined and deleted successfully.

Registry Values Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\yikebowafa (Trojan.Vundo.H) -> Delete on reboot.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\cpmffeadcb8 (Trojan.Vundo.H) -> Delete on reboot.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SharedTaskScheduler\{ec43e3fd-5c60-46a6-97d7-e0b85dbdd6c4} (Trojan.Vundo.H) -> Delete on reboot.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\ssodl (Trojan.Vundo.H) -> Delete on reboot.

Registry Data Items Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\AppInit_DLLs (Trojan.Vundo.H) -> Data: c:\windows\system32\sapahore.dll -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\AppInit_DLLs (Trojan.Vundo.H) -> Data: system32\sapahore.dll -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\AppInit_DLLs (Trojan.Vundo.H) -> Data: c:\windows\system32\matizava.dll -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\LSA\Notification Packages (Trojan.Vundo.H) -> Data: c:\windows\system32\matizava.dll -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\AppInit_DLLs (Trojan.Vundo.H) -> Data: system32\matizava.dll -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\UpdatesDisableNotify (Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.

Folders Infected:
(No malicious items detected)

Files Infected:
C:\WINDOWS\system32\palowaru.dll (Trojan.Vundo.H) -> Delete on reboot.
c:\WINDOWS\system32\sapahore.dll (Trojan.Vundo.H) -> Delete on reboot.
C:\WINDOWS\system32\garopudu.dll (Trojan.Vundo.H) -> Delete on reboot.
C:\WINDOWS\system32\matizava.dll (Trojan.Vundo.H) -> Delete on reboot.
C:\Program Files\Shared\lib.dll (Trojan.BHO) -> Delete on reboot.
C:\WINDOWS\syssvc.exe (Trojan.FakeAlert) -> Quarantined and deleted successfully.
--------------------------------------------------------------------------------------------------------------------


Malwarebytes' Anti-Malware 1.39
Database version: 2421
Windows 5.1.2600 Service Pack 3

8/8/2009 3:22:20 PM
mbam-log-2009-08-08 (15-22-20).txt

Scan type: Quick Scan
Objects scanned: 118488
Time elapsed: 17 minute(s), 18 second(s)

Memory Processes Infected: 1
Memory Modules Infected: 0
Registry Keys Infected: 6
Registry Values Infected: 2
Registry Data Items Infected: 6
Folders Infected: 0
Files Infected: 2

Memory Processes Infected:
C:\WINDOWS\system32\braviax.exe (Trojan.FakeAlert) -> Unloaded process successfully.

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_CLASSES_ROOT\main.bho (Trojan.BHO) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\TypeLib\{8e3c68cd-f500-4a2a-8cb9-132bb38c3573} (Trojan.BHO) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Interface\{986a8ac1-ab4d-4f41-9068-4b01c0197867} (Trojan.BHO) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{afd4ad01-58c1-47db-a404-fbe00a6c5486} (Trojan.BHO) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{afd4ad01-58c1-47db-a404-fbe00a6c5486} (Trojan.BHO) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\main.bho.1 (Trojan.BHO) -> Quarantined and deleted successfully.

Registry Values Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\braviax (Trojan.Downloader) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\braviax (Trojan.FakeAlert) -> Quarantined and deleted successfully.

Registry Data Items Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\AntiVirusDisableNotify (Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\FirewallDisableNotify (Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\UpdatesDisableNotify (Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Security Center\AntiVirusDisableNotify (Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Security Center\FirewallDisableNotify (Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Security Center\UpdatesDisableNotify (Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.

Folders Infected:
(No malicious items detected)

Files Infected:
C:\Program Files\Shared\lib.dll (Trojan.BHO) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\braviax.exe (Trojan.Downloader) -> Quarantined and deleted successfully.
----------------------------------------------------------------------------------------

Quick Scan: completed 8/12/2009 6:34:54 PM (events: 24, objects: , time: 00:00:00)
8/12/2009 6:30:09 PM Task started
8/12/2009 6:34:54 PM Task completed
Quick Scan: completed 8/12/2009 6:34:54 PM (events: 24, objects: , time: 00:00:00)
8/12/2009 6:46:15 PM Task started
8/12/2009 6:46:21 PM Detected Virus HEUR:Trojan.Win32.Generic High Partial File C:\WINDOWS\system32\ xwreg32.dll
8/12/2009 6:46:21 PM Untreated Virus HEUR:Trojan.Win32.Generic High Partial File C:\WINDOWS\system32\ xwreg32.dll Postponed
8/12/2009 6:47:31 PM Detected Vulnerability http://www.viruslist.com/en/advisories/27361 Low Exact File C:\program files\real\realplayer\ realplay.exe
8/12/2009 6:47:36 PM Detected Vulnerability http://www.viruslist.com/en/advisories/35314 Low Exact File C:\program files\itunes\ itunes.exe
8/12/2009 6:47:37 PM Detected Vulnerability http://www.viruslist.com/en/advisories/35091 Low Exact File C:\program files\quicktime\ quicktimeplayer.exe
8/12/2009 7:20:40 PM Detected Vulnerability http://www.viruslist.com/en/advisories/34580 Low Exact File C:\program files\Adobe\Acrobat 7.0\Reader\plug_ins\ Annots.api
8/12/2009 7:25:30 PM Detected Vulnerability http://www.viruslist.com/en/advisories/26027 Low Exact File C:\program files\Common Files\AOL\ Flasha.ocx
8/12/2009 7:57:19 PM Detected Vulnerability http://www.viruslist.com/en/advisories/35948 Low Exact File C:\program files\Opera\program\plugins\ NPSWF32.dll
8/12/2009 7:58:22 PM Detected Vulnerability http://www.viruslist.com/en/advisories/27361 Low Exact File C:\program files\real\realplayer\ realplay.exe
8/12/2009 8:14:53 PM Detected Vulnerability http://www.viruslist.com/en/advisories/36127 Low Exact File C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\ aspnet_wp.exe
8/12/2009 8:18:22 PM Detected Virus HEUR:Trojan.Win32.Generic High Partial File C:\WINDOWS\system32\ xwreg32.dll
8/12/2009 8:18:23 PM Untreated Virus HEUR:Trojan.Win32.Generic High Partial File C:\WINDOWS\system32\ xwreg32.dll Postponed
8/12/2009 8:19:06 PM Detected Vulnerability http://www.viruslist.com/en/advisories/35948 Low Exact File C:\WINDOWS\system32\Macromed\Flash\ Flash10b.ocx
8/12/2009 8:19:06 PM Detected Vulnerability http://www.viruslist.com/en/advisories/35948 Low Exact File C:\WINDOWS\system32\Macromed\Flash\ NPSWF32.dll
8/12/2009 8:19:32 PM Detected Vulnerability http://www.viruslist.com/en/advisories/23655 Low Exact File C:\WINDOWS\WinSxS\x86_Microsoft.MSXML2_6bd6b9abf345378f_4.20.9818.0_x-ww_8ff50c5d\ msxml4.dll
8/12/2009 8:19:32 PM Detected Vulnerability http://www.viruslist.com/en/advisories/23655 Low Exact File C:\WINDOWS\WinSxS\x86_Microsoft.MSXML2_6bd6b9abf345378f_4.20.9839.0_x-ww_ed80bd5c\ msxml4.dll
8/12/2009 8:19:33 PM Detected Vulnerability http://www.viruslist.com/en/advisories/23655 Low Exact File C:\WINDOWS\WinSxS\x86_Microsoft.MSXML2_6bd6b9abf345378f_4.20.9841.0_x-ww_18171213\ msxml4.dll
8/12/2009 8:19:34 PM Detected Vulnerability http://www.viruslist.com/en/advisories/23655 Low Exact File C:\WINDOWS\WinSxS\x86_Microsoft.MSXML2_6bd6b9abf345378f_4.20.9848.0_x-ww_1b897e9a\ msxml4.dll
8/12/2009 8:19:47 PM Detected Vulnerability http://www.viruslist.com/en/advisories/32270 Low Exact File D:\i386\Apps\App10224\ swflash.ocx
8/12/2009 8:27:24 PM Detected Virus HEUR:Trojan.Win32.Generic High Partial File C:\WINDOWS\system32\ xwreg32.dll
8/12/2009 8:27:34 PM Task completed
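
The two Malwarebytes logs above record the Vundo persistence points (AppInit_DLLs, an LSA Notification Packages entry, a BHO CLSID, Run values, Security Center notification flags) and show several items, notably C:\Program Files\Shared\lib.dll and the {afd4ad01-...} CLSID, detected again on 8/8 after being removed on 8/2. The script below is an added example, not a tool from this thread or from Malwarebytes: it parses excerpts copied from those two logs (shortened here, used as sample input), groups registry hits by the auto-start location they live in, lists items MBAM could only schedule for deletion at reboot, and reports what reappeared in the later scan. The location labels in ASEP_RULES are this example's own shorthand.

```python
"""Triage Malwarebytes' Anti-Malware 1.x text logs: parse the detection lines,
group registry hits by the auto-start location they live in, list what MBAM
could only delete at reboot, and report items that reappear in a later log.
Added example for this thread; not a Malwarebytes tool."""
import re
from collections import defaultdict, namedtuple

# Excerpts of the two MBAM logs posted above (sample input, shortened).
LOG_0802 = r"""
Registry Keys Infected:
HKEY_CLASSES_ROOT\CLSID\{afd4ad01-58c1-47db-a404-fbe00a6c5486} (Trojan.BHO) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{afd4ad01-58c1-47db-a404-fbe00a6c5486} (Trojan.BHO) -> Quarantined and deleted successfully.
Registry Values Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\yikebowafa (Trojan.Vundo.H) -> Delete on reboot.
Registry Data Items Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\AppInit_DLLs (Trojan.Vundo.H) -> Data: c:\windows\system32\sapahore.dll -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\LSA\Notification Packages (Trojan.Vundo.H) -> Data: c:\windows\system32\matizava.dll -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\UpdatesDisableNotify (Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.
Files Infected:
c:\WINDOWS\system32\sapahore.dll (Trojan.Vundo.H) -> Delete on reboot.
C:\Program Files\Shared\lib.dll (Trojan.BHO) -> Delete on reboot.
C:\WINDOWS\syssvc.exe (Trojan.FakeAlert) -> Quarantined and deleted successfully.
"""
LOG_0808 = r"""
Memory Processes Infected:
C:\WINDOWS\system32\braviax.exe (Trojan.FakeAlert) -> Unloaded process successfully.
Registry Keys Infected:
HKEY_CLASSES_ROOT\CLSID\{afd4ad01-58c1-47db-a404-fbe00a6c5486} (Trojan.BHO) -> Quarantined and deleted successfully.
Registry Values Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\braviax (Trojan.Downloader) -> Quarantined and deleted successfully.
Registry Data Items Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\UpdatesDisableNotify (Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.
Files Infected:
C:\Program Files\Shared\lib.dll (Trojan.BHO) -> Quarantined and deleted successfully.
"""

# Detection line: "<item> (<threat>) -> <action>" with MBAM's trailing period.
ITEM_RE = re.compile(r"^(?P<item>.+?) \((?P<threat>[^()]+)\) -> (?P<action>.+?)\.?$")
# Persistence locations seen in the thread's logs (lower-case needles), most specific
# first. The labels are this example's own shorthand, not MBAM's.
ASEP_RULES = (
    ("AppInit_DLLs (DLL injected into every user32 process)", "\\appinit_dlls"),
    ("LSA Notification Packages (DLL loaded into lsass.exe)", "\\lsa\\notification packages"),
    ("Browser Helper Object (DLL loaded into IE and Explorer)", "\\browser helper objects\\"),
    ("ShellServiceObjectDelayLoad (loaded by explorer.exe)", "\\shellserviceobjectdelayload\\"),
    ("SharedTaskScheduler (loaded by explorer.exe)", "\\sharedtaskscheduler\\"),
    ("Run-type key", "\\currentversion\\run"),
    ("Security Center notification tamper", "\\security center\\"),
    ("COM registration (CLSID/TypeLib/Interface/ProgID)", "hkey_classes_root\\"),
)
Record = namedtuple("Record", "section item threat detail action")

def parse_log(text):
    """One Record per detection line; summary and '(No malicious items detected)' lines are skipped."""
    records, section = [], None
    for raw in text.splitlines():
        line = raw.strip()
        if line.endswith(":") and "->" not in line:
            section = line[:-1]
            continue
        m = ITEM_RE.match(line)
        if m is None or section is None:
            continue
        # Data items read "Data: <dll> -> <action>" or "Bad: (1) Good: (0) -> <action>".
        detail, sep, action = m.group("action").partition(" -> ")
        if not sep:
            detail, action = "", detail
        records.append(Record(section, m.group("item"), m.group("threat"), detail, action))
    return records

def classify(rec):
    """Name the auto-start location of a registry hit, or the on-disk / in-memory kind."""
    low = rec.item.lower()
    if not low.startswith("hkey_"):
        return "running process" if rec.section.startswith("Memory Processes") else "file on disk"
    for label, needle in ASEP_RULES:
        if needle in low:
            return label
    return "other registry"

def by_location(records):
    groups = defaultdict(list)
    for rec in records:
        groups[classify(rec)].append(rec)
    return dict(groups)

def pending_reboot(records):
    """Items MBAM could only schedule: the file was loaded, so it stays until the reboot."""
    return [r for r in records if r.action.lower().startswith("delete on reboot")]

def recurring(earlier, later):
    """Items detected again in a later scan: the removal did not hold or something re-created them."""
    seen = {r.item.lower() for r in earlier}
    return sorted({r.item for r in later if r.item.lower() in seen}, key=str.lower)

if __name__ == "__main__":
    first, second = parse_log(LOG_0802), parse_log(LOG_0808)
    print({loc: len(recs) for loc, recs in by_location(first).items()})
    print("pending reboot after 8/2:", [r.item for r in pending_reboot(first)])
    print("seen again on 8/8:", recurring(first, second))
```

Run as a script it prints the per-location counts for the 8/2 excerpt, the three items that were only scheduled for deletion at reboot, and the three items seen again on 8/8; the same functions take the full logs unchanged. A "Delete on reboot" entry is the usual sign that the DLL was loaded into running processes (here through AppInit_DLLs), so the file should be confirmed gone after the restart, and an item in the recurring list points at either a removal that never completed or a component still on the machine that re-created it.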

#6 extremeboy (Malware Response Team, 12,975 posts)

Posted 12 August 2009 - 08:48 PM

Hello.

It seems to be an issue on Kaspersky side. We are going to run an alternative scanner.

Instructions are below:

Run ESET Online Scan
  • Hold down Control and click on the following link to open ESET OnlineScan in a new window.
    ESET OnlineScan
  • Click the [button image] button.
  • For alternate browsers only: (Microsoft Internet Explorer users can skip these steps)
    • Click on the [image] link to download the ESET Smart Installer. Save it to your desktop.
    • Double click on the [image] icon on your desktop.
  • Check the [image] box.
  • Click the [button image] button.
  • Accept any security warnings from your browser.
  • Check the [image] box.
  • Push the Start button.
  • ESET will then download updates for itself, install itself, and begin scanning your computer. Please be patient as this can take some time.
  • When the scan completes, push the [button image] button.
  • Push the [button image] button, and save the file to your desktop using a unique name, such as ESETScan. Include the contents of this report in your next reply.
  • Push the [button image] button.
  • Push the [button image] button.
You can refer to this animation by neomage if needed.

~Extremeboy

#7 bhengr (Topic Starter, Members, 26 posts)

Posted 14 August 2009 - 12:21 AM

Hi EB,

ESET scan did not find any threats, so it did not generate a log. However, I did install a trial version of Kaspersky and it did find two trojans (see my previous post). Also, something is generating 20 instances of iexplore.exe. So I think some type of malware is still present.

I'll wait for your next steps.

Thanks,
Bruce

#8 extremeboy (Malware Response Team, 12,975 posts)

Posted 14 August 2009 - 11:32 AM

Hello.

Yes, the trial version of Kaspersky did detect an infection. Most of them were vulnerabilities instead of infections though. We will remove those.

iexplore.exe shows up multiple times when you are using Internet Explorer 8. I have IE8 too and I currently have 6 iexplore.exe processes running while I only have one Internet Explorer window open.

Take a look here: http://www.winhelponline.com/blog/multiple...net-explorer-8/

Please re-run DDS and post back with a new set of DDS and Attach logs for my review.

Do you still have any other issues, problems or symptoms left?

With Regards,
Extremeboy

#9 bhengr (Topic Starter, Members, 26 posts)

Posted 14 August 2009 - 09:32 PM

Hi EB,

Computer appears to be behaving normally recently. I am concerned about all the newer registry entries...am concerned that they are the result of malware. I am attaching the dds and attach files. Also did a Malwarebytes scan (scan only). Am attaching that log also.

I am going on vacation in the morning for 2 weeks! Unfortunately I don't think we'll be finished. I will likely be able to take one more step in the morning if you are able to post tonight.

In any case, I hope we can pick back up when I return. Please let me know next steps and if/how to pick back up when I return.

Thanks for your help!
Bruce


DDS (Ver_09-07-30.01) - NTFSx86
Run by Owner at 22:15:27.21 on Fri 08/14/2009
Internet Explorer: 8.0.6001.18702
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.894.349 [GMT -4:00]

AV: Kaspersky Anti-Virus *On-access scanning enabled* (Updated) {2C4D4BC6-0793-4956-A9F9-E252435469C0}

============== Running Processes ===============

C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
svchost.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\Program Files\Digital Media Reader\shwiconem.exe
C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe
C:\WINDOWS\ehome\ehtray.exe
C:\WINDOWS\zHotkey.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Microsoft IntelliType Pro\itype.exe
C:\Program Files\Microsoft IntelliPoint\ipoint.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\PROGRA~1\MI3AA1~1\wcescomm.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Windows Media Player\WMPNSCFG.exe
C:\Program Files\Google\Google Calendar Sync\GoogleCalendarSync.exe
C:\PROGRA~1\MI3AA1~1\rapimgr.exe
C:\Program Files\Microsoft IntelliType Pro\dpupdchk.exe
svchost.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\WINDOWS\eHome\ehRecvr.exe
C:\WINDOWS\eHome\ehSched.exe
C:\WINDOWS\System32\svchost.exe -k HTTPFilter
C:\Program Files\Internet Explorer\iexplore.exe
svchost.exe
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\WINDOWS\system32\UAService7.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\system32\dllhost.exe
C:\WINDOWS\eHome\ehmsas.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Adobe\Acrobat 7.0\Reader\AcroRd32.exe
C:\Program Files\Microsoft Office\OFFICE11\OUTLOOK.EXE
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Documents and Settings\Owner\My Documents\zip\HJT\dds.scr

============== Pseudo HJT Report ===============

uSearch Bar = hxxp://www.google.com/ie
uStart Page = hxxp://www.google.com
uSearch Page = hxxp://www.google.com
uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8
mDefault_Search_URL = hxxp://www.google.com/ie
mSearch Page = hxxp://www.google.com
mStart Page = hxxp://www.google.com
uInternet Connection Wizard,ShellNext = iexplore
uInternet Settings,ProxyOverride = *.local
uSearchAssistant = hxxp://www.google.com
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
mSearchAssistant = hxxp://www.google.com
BHO: IEVkbdBHO Class: {59273ab4-e7d3-40f9-a1a8-6fa9cca1862c} - c:\program files\kaspersky lab\kaspersky anti-virus 2009\ievkbd.dll
BHO: Browser Helper Object: {afd4ad01-58c1-47db-a404-fbe00a6c5486} - c:\program files\shared\lib.dll
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
TB: Google Toolbar: {2318c2b1-4965-11d4-9b18-009027a5cd4f} - c:\program files\google\google toolbar\GoogleToolbar.dll
TB: Yahoo! Toolbar: {ef99bd32-c1fb-11d2-892f-0090271d4f88} -
TB: {604BC32A-9680-40D1-9AC6-E06B23A1BA4C} - No File
EB: Real.com: {fe54fa40-d68c-11d2-98fa-00c0f0318afe} - c:\windows\system32\Shdocvw.dll
uRun: [H/PC Connection Agent] "c:\progra~1\mi3aa1~1\wcescomm.exe"
uRun: [swg] c:\program files\google\googletoolbarnotifier\GoogleToolbarNotifier.exe
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRun: [WMPNSCFG] c:\program files\windows media player\WMPNSCFG.exe
mRun: [SoundMan] SOUNDMAN.EXE
mRun: [SunKistEM] c:\program files\digital media reader\shwiconem.exe
mRun: [ShowWnd] ShowWnd.exe
mRun: [RemoteControl] "c:\program files\cyberlink\powerdvd\PDVDServ.exe"
mRun: [Recguard] %WINDIR%\SMINST\RECGUARD.EXE
mRun: [QuickTime Task] "c:\program files\quicktime\qttask.exe" -atboottime
mRun: [NeroFilterCheck] c:\windows\system32\NeroCheck.exe
mRun: [ehTray] c:\windows\ehome\ehtray.exe
mRun: [CHotkey] zHotkey.exe
mRun: [ATIPTA] c:\program files\ati technologies\ati control panel\atiptaxx.exe
mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe"
mRun: [<NO NAME>]
mRun: [RoxWatchTray] "c:\program files\common files\roxio shared\9.0\sharedcom\RoxWatchTray9.exe"
mRun: [itype] "c:\program files\microsoft intellitype pro\itype.exe"
mRun: [IntelliPoint] "c:\program files\microsoft intellipoint\ipoint.exe"
mRun: [SunJavaUpdateSched] "c:\program files\java\jre6\bin\jusched.exe"
mRun: [AVP] "c:\program files\kaspersky lab\kaspersky anti-virus 2009\avp.exe"
StartupFolder: c:\docume~1\owner\startm~1\programs\startup\roller~1.lnk - c:\documents and settings\owner\local settings\temp\{d7b588b5-1281-433a-abe9-3fc4dddc1f4c}\{907b4640-266b-4a21-92fb-cd1a86cd0f63}\ATR1.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\google~1.lnk - c:\program files\google\google calendar sync\GoogleCalendarSync.exe
IE: &Search
IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office11\EXCEL.EXE/3000
IE: {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {1F460357-8A94-4D71-9CA3-AA4ACF32ED8E} - {85E0B171-04FA-11D1-B7DA-00A0C90348D6} - c:\program files\kaspersky lab\kaspersky anti-virus 2009\SCIEPlgn.dll
IE: {2EAF5BB1-070F-11D3-9307-00C04FAE2D4F} - {2EAF5BB0-070F-11D3-9307-00C04FAE2D4F} - c:\progra~1\mi3aa1~1\INetRepl.dll
IE: {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - {2EAF5BB0-070F-11D3-9307-00C04FAE2D4F} - c:\progra~1\mi3aa1~1\INetRepl.dll
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~2\office11\REFIEBAR.DLL
IE: {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - {FE54FA40-D68C-11d2-98FA-00C0F0318AFE} - c:\windows\system32\Shdocvw.dll
DPF: {05D44720-58E3-49E6-BDF6-D00330E511D3} - hxxp://zone.msn.com/binFrameWork/v10/StagingUI.cab55579.cab
DPF: {0CCA191D-13A6-4E29-B746-314DEE697D83} - hxxp://upload.facebook.com/controls/2008.10.10_v5.5.8/FacebookPhotoUploader5.cab
DPF: {17492023-C23A-453E-A040-C7C580BBF700} - hxxp://go.microsoft.com/fwlink/?linkid=39204
DPF: {3BB54395-5982-4788-8AF4-B5388FFDD0D8} - hxxp://zone.msn.com/BinFrameWork/v10/ZBuddy.cab55579.cab
DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} - hxxp://download.mcafee.com/molbin/shared/mcinsctl/4,0,0,101/mcinsctl.cab
DPF: {5736C456-EA94-4AAC-BB08-917ABDD035B3} - hxxp://zone.msn.com/binframework/v10/ZPAChat.cab55579.cab
DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} - hxxp://download.bitdefender.com/resources/scanner/sources/en/scan8/oscan8.cab
DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} - hxxp://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1127581489562
DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} - hxxp://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1148347970140
DPF: {7530BFB8-7293-4D34-9923-61A11451AFC5} - hxxp://download.eset.com/special/eos/OnlineScanner.cab
DPF: {80B626D6-BC34-4BCF-B5A1-7149E4FD9CFA} - hxxp://zone.msn.com/bingame/zpagames/GAME_UNO1.cab60096.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_16-windows-i586.cab
DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} - hxxp://fpdownload.macromedia.com/get/flashplayer/current/polarbear/ultrashim.cab
DPF: {9522B3FB-7A2B-4646-8AF6-36E7F593073C} - hxxp://a19.g.akamai.net/7/19/7125/1452/ftp.coupons.com/r3302/cpbrkpie.cab
DPF: {A7EA8AD2-287F-11D3-B120-006008C39542} - hxxp://offers.e-centives.com/cif/download/bin/actxcab.cab
DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} - hxxp://cdn2.zone.msn.com/binFramework/v10/ZIntro.cab56649.cab
DPF: {BB21F850-63F4-4EC9-BF9D-565BD30C9AE9} - hxxp://ax.emsisoft.com/asquared.cab
DPF: {BCC0FF27-31D9-4614-A68E-C18E1ADA4389} - hxxp://download.mcafee.com/molbin/shared/mcgdmgr/1,0,0,26/mcgdmgr.cab
DPF: {CAFEEFAC-0016-0000-0016-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_16-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_16-windows-i586.cab
DPF: {DA2AA6CF-5C7A-4B71-BC3B-C771BB369937} - hxxp://zone.msn.com/binframework/v10/StProxy.cab55579.cab
DPF: {E06E2E99-0AA1-11D4-ABA6-0060082AA75C} - hxxps://disney.webex.com/client/v_mywebex-disney/webex/ieatgpc.cab
DPF: {E5D419D6-A846-4514-9FAD-97E826C84822} - hxxp://fdl.msn.com/zone/datafiles/heartbeat.cab
Filter: text/html - {f7dcb2b4-aa72-4234-acce-9333a8a3785b} - c:\windows\system32\xwreg32.dll
Filter: x-sdch - {B1759355-3EEC-4C1E-B0F1-B719FE26E377} - c:\program files\google\google toolbar\component\fastsearch_A8904FB862BD9564.dll
Notify: AtiExtEvent - Ati2evxx.dll
Notify: klogon - c:\windows\system32\klogon.dll
AppInit_DLLs: ,c:\progra~1\kasper~1\kasper~1\mzvkbd.dll,c:\progra~1\kasper~1\kasper~1\mzvkbd3.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
SecurityProviders: msapsspc.dll, schannel.dll, digest.dll, msnsspc.dll, zwebauth.dll

============= SERVICES / DRIVERS ===============

R0 kl1;Kl1;c:\windows\system32\drivers\kl1.sys [2008-7-21 121872]
R0 klbg;Kaspersky Lab Boot Guard Driver;c:\windows\system32\drivers\klbg.sys [2008-1-29 33808]
R1 KLIF;Kaspersky Lab Driver;c:\windows\system32\drivers\klif.sys [2009-8-12 226832]
R2 ACEDRV09;ACEDRV09;c:\windows\system32\drivers\ACEDRV09.sys [2008-2-10 110304]
R2 AVP;Kaspersky Anti-Virus;c:\program files\kaspersky lab\kaspersky anti-virus 2009\avp.exe [2008-11-11 208616]
R2 McrdSvc;Media Center Extender Service;c:\windows\ehome\mcrdsvc.exe [2005-8-5 99328]
R3 klim5;Kaspersky Anti-Virus NDIS Filter;c:\windows\system32\drivers\klim5.sys [2008-4-30 24592]

=============== Created Last 30 ================

2009-08-13 21:25 <DIR> --d----- c:\program files\ESET
2009-08-12 18:26 105,395 a------- c:\windows\system32\drivers\klin.dat
2009-08-12 18:26 94,643 a------- c:\windows\system32\drivers\klick.dat
2009-08-12 18:26 4,806,176 a--sh--- c:\windows\system32\drivers\fidbox.dat
2009-08-12 18:26 417,824 a--sh--- c:\windows\system32\drivers\fidbox2.dat
2009-08-12 18:26 38,628 a--sh--- c:\windows\system32\drivers\fidbox.idx
2009-08-12 18:26 2,508 a--sh--- c:\windows\system32\drivers\fidbox2.idx
2009-08-12 18:26 <DIR> --d----- c:\program files\Kaspersky Lab
2009-08-12 18:26 <DIR> --d----- c:\docume~1\alluse~1\applic~1\Kaspersky Lab
2009-08-12 18:24 <DIR> --d----- c:\docume~1\alluse~1\applic~1\Kaspersky Lab Setup Files
2009-08-12 17:24 128,512 -c------ c:\windows\system32\dllcache\dhtmled.ocx
2009-08-12 17:24 1,315,328 -c------ c:\windows\system32\dllcache\msoe.dll
2009-08-12 16:31 73,728 a------- c:\windows\system32\javacpl.cpl
2009-08-12 15:42 256 a------- c:\windows\system32\pool.bin
2009-08-12 15:42 <DIR> --d----- c:\docume~1\owner\applic~1\Research In Motion
2009-08-07 16:07 21,504 a------- c:\windows\system32\drivers\hidserv.dll
2009-08-07 16:07 14,592 ac------ c:\windows\system32\dllcache\kbdhid.sys
2009-08-07 16:07 14,592 a------- c:\windows\system32\drivers\kbdhid.sys
2009-08-07 15:58 21,760 a------- c:\windows\system32\drivers\point32.sys
2009-08-07 15:58 <DIR> --d----- c:\program files\Microsoft IntelliPoint
2009-08-07 15:57 1,418,120 a------- c:\windows\system32\wdfcoinstaller01005.dll
2009-08-07 15:57 14,736 a------- c:\windows\system32\drivers\nuidfltr.sys
2009-08-07 15:57 <DIR> --d----- c:\program files\Microsoft IntelliType Pro
2009-08-05 05:01 204,800 -c------ c:\windows\system32\dllcache\mswebdvd.dll
2009-08-03 11:57 <DIR> --d----- c:\program files\common files\Sonic Shared
2009-08-03 11:57 <DIR> --d----- c:\program files\Roxio
2009-08-03 11:52 26,496 a----r-- c:\windows\system32\drivers\RimSerial.sys
2009-08-03 11:51 <DIR> --d----- c:\program files\common files\Research In Motion
2009-08-03 11:51 <DIR> --d----- c:\program files\Research In Motion
2009-08-02 19:05 687,104 a------- c:\windows\isRS-000.tmp
2009-07-31 10:31 <DIR> --d----- c:\program files\Shared
2009-07-25 10:50 <DIR> --dsh--- c:\documents and settings\owner\IECompatCache
2009-07-25 10:48 <DIR> --dsh--- c:\documents and settings\owner\PrivacIE
2009-07-25 09:26 <DIR> --dsh--- c:\documents and settings\owner\IETldCache
2009-07-24 22:36 101,376 -c------ c:\windows\system32\dllcache\iecompat.dll
2009-07-24 22:36 <DIR> --d----- c:\windows\ie8updates
2009-07-24 22:35 12,800 -c------ c:\windows\system32\dllcache\xpshims.dll
2009-07-24 22:35 246,272 -c------ c:\windows\system32\dllcache\ieproxy.dll
2009-07-24 22:32 <DIR> -cd-h--- c:\windows\ie8
2009-07-24 22:01 <DIR> --d----- c:\program files\CCleaner
2009-07-17 15:01 58,880 -c------ c:\windows\system32\dllcache\atl.dll

==================== Find3M ====================

2009-08-12 20:27 14,360 a------- c:\windows\system32\xwreg32.dll
2009-08-12 18:36 33,808 a------- c:\windows\system32\drivers\klbg.sys
2009-08-12 16:31 411,368 a------- c:\windows\system32\deploytk.dll
2009-08-07 16:08 0 a---h--- c:\windows\system32\drivers\Msft_Kernel_NuidFltr_01005.Wdf
2009-08-07 16:08 0 a---h--- c:\windows\system32\drivers\MsftWdf_Kernel_01005_Coinstaller_Critical.Wdf
2009-08-05 05:01 204,800 a------- c:\windows\system32\mswebdvd.dll
2009-08-02 17:41 34 a------- c:\documents and settings\owner\jagex_runescape_preferences.dat
2009-07-17 15:01 58,880 a------- c:\windows\system32\atl.dll
2009-07-13 23:43 286,208 a------- c:\windows\system32\wmpdxm.dll
2009-07-13 13:36 38,160 a------- c:\windows\system32\drivers\mbamswissarmy.sys
2009-07-13 13:36 19,096 a------- c:\windows\system32\drivers\mbam.sys
2009-07-03 13:09 915,456 a------- c:\windows\system32\wininet.dll
2009-06-25 04:25 730,112 a------- c:\windows\system32\lsasrv.dll
2009-06-25 04:25 301,568 a------- c:\windows\system32\kerberos.dll
2009-06-25 04:25 147,456 a------- c:\windows\system32\schannel.dll
2009-06-25 04:25 136,192 a------- c:\windows\system32\msv1_0.dll
2009-06-25 04:25 56,832 a------- c:\windows\system32\secur32.dll
2009-06-25 04:25 54,272 a------- c:\windows\system32\wdigest.dll
2009-06-24 07:18 92,928 a------- c:\windows\system32\drivers\ksecdd.sys
2009-06-16 17:43 43,520 a------- c:\windows\system32\CmdLineExt03.dll
2009-06-16 10:36 119,808 a------- c:\windows\system32\t2embed.dll
2009-06-16 10:36 81,920 a------- c:\windows\system32\fontsub.dll
2009-06-12 08:31 80,896 a------- c:\windows\system32\tlntsess.exe
2009-06-12 08:31 76,288 a------- c:\windows\system32\telnet.exe
2009-06-10 10:13 84,992 a------- c:\windows\system32\avifil32.dll
2009-06-10 09:19 2,066,432 a------- c:\windows\system32\mstscax.dll
2009-06-10 02:14 132,096 a------- c:\windows\system32\wkssvc.dll
2009-06-03 21:09 98,304 a------- c:\windows\system32\CmdLineExt.dll
2009-06-03 15:09 1,291,264 a------- c:\windows\system32\quartz.dll
2005-12-20 12:01 486 a------- c:\docume~1\owner\applic~1\wklnhst.dat
2008-10-20 10:12 32,768 a--sh--- c:\windows\system32\config\systemprofile\local settings\history\history.ie5\mshist012008102020081021\index.dat

============= FINISH: 22:16:14.96 ===============



UNLESS SPECIFICALLY INSTRUCTED, DO NOT POST THIS LOG.
IF REQUESTED, ZIP IT UP & ATTACH IT

DDS (Ver_09-07-30.01)

Microsoft Windows XP Professional
Boot Device: \Device\HarddiskVolume1
Install Date: 9/19/2005 12:24:18 PM
System Uptime: 8/14/2009 8:49:25 AM (14 hours ago)

Motherboard: MICRO-STAR | | MS-7145
Processor: AMD Athlon™ 64 Processor 3400+ | Socket 754 | 2393/199mhz

==== Disk Partitions =========================

C: is FIXED (NTFS) - 182 GiB total, 134.444 GiB free.
D: is FIXED (FAT32) - 4 GiB total, 0.987 GiB free.
E: is CDROM (CDFS)
F: is CDROM ()
G: is Removable
H: is Removable
I: is Removable
J: is Removable

==== Disabled Device Manager Items =============

Class GUID: {4D36E972-E325-11CE-BFC1-08002BE10318}
Description: Realtek RTL8139/810x Family Fast Ethernet NIC
Device ID: PCI\VEN_10EC&DEV_8139&SUBSYS_145C1462&REV_10\4&2E26DDEC&0&18A4
Manufacturer: Realtek Semiconductor Corp.
Name: Realtek RTL8139/810x Family Fast Ethernet NIC
PNP Device ID: PCI\VEN_10EC&DEV_8139&SUBSYS_145C1462&REV_10\4&2E26DDEC&0&18A4
Service: RTL8023xp

Class GUID: {4D36E972-E325-11CE-BFC1-08002BE10318}
Description: 1394 Net Adapter
Device ID: V1394\NIC1394\B57DD310DC00
Manufacturer: Microsoft
Name: 1394 Net Adapter
PNP Device ID: V1394\NIC1394\B57DD310DC00
Service: NIC1394

==== System Restore Points ===================

RP1179: 5/17/2009 9:16:22 AM - System Checkpoint
RP1180: 5/18/2009 9:35:26 AM - System Checkpoint
RP1181: 5/19/2009 2:34:13 PM - System Checkpoint
RP1182: 5/19/2009 5:06:50 PM - Installed Java™ 6 Update 13
RP1183: 5/19/2009 5:07:53 PM - Installed MSN Toolbar Setup
RP1184: 5/20/2009 5:31:23 PM - System Checkpoint
RP1185: 5/21/2009 6:08:48 PM - System Checkpoint
RP1186: 5/22/2009 4:52:04 PM - Installed Compatibility Pack for the 2007 Office system
RP1187: 5/23/2009 5:27:47 PM - System Checkpoint
RP1188: 5/24/2009 6:20:04 PM - System Checkpoint
RP1189: 5/25/2009 7:44:55 PM - System Checkpoint
RP1190: 5/26/2009 3:00:26 PM - Removed MSN Toolbar
RP1191: 5/26/2009 3:01:02 PM - Removed Microsoft Search Enhancement Pack
RP1192: 5/26/2009 3:01:13 PM - Removed Microsoft Default Manager
RP1193: 5/26/2009 8:32:42 PM - Software Distribution Service 3.0
RP1194: 5/26/2009 9:02:53 PM - Software Distribution Service 3.0
RP1195: 5/26/2009 9:24:20 PM - Printer Driver Microsoft XPS Document Writer Installed
RP1196: 5/26/2009 9:26:07 PM - Printer Driver Microsoft XPS Document Writer Installed
RP1197: 5/26/2009 9:27:53 PM - Printer Driver Microsoft XPS Document Writer Installed
RP1198: 5/26/2009 9:29:34 PM - Printer Driver Microsoft XPS Document Writer Installed
RP1199: 5/26/2009 9:31:29 PM - Printer Driver Microsoft XPS Document Writer Installed
RP1200: 5/26/2009 9:33:16 PM - Printer Driver Microsoft XPS Document Writer Installed
RP1201: 5/26/2009 9:35:36 PM - Printer Driver Microsoft XPS Document Writer Installed
RP1202: 5/26/2009 9:36:54 PM - Printer Driver Microsoft XPS Document Writer Installed
RP1203: 5/26/2009 9:40:14 PM - Printer Driver Microsoft XPS Document Writer Installed
RP1204: 5/26/2009 9:42:11 PM - Printer Driver Microsoft XPS Document Writer Installed
RP1205: 5/26/2009 9:45:10 PM - Printer Driver Microsoft XPS Document Writer Installed
RP1206: 5/26/2009 9:47:30 PM - Printer Driver Microsoft XPS Document Writer Installed
RP1207: 5/26/2009 9:49:39 PM - Printer Driver Microsoft XPS Document Writer Installed
RP1208: 5/26/2009 9:51:22 PM - Printer Driver Microsoft XPS Document Writer Installed
RP1209: 5/26/2009 9:52:36 PM - Printer Driver Microsoft XPS Document Writer Installed
RP1210: 5/26/2009 9:54:15 PM - Printer Driver Microsoft XPS Document Writer Installed
RP1211: 5/26/2009 10:04:07 PM - Software Distribution Service 3.0
RP1212: 5/26/2009 10:52:22 PM - Restore Operation
RP1213: 5/26/2009 11:02:33 PM - Removed MSN Toolbar
RP1214: 5/26/2009 11:02:48 PM - Removed Microsoft Search Enhancement Pack
RP1215: 5/26/2009 11:02:58 PM - Removed Microsoft Default Manager
RP1216: 5/26/2009 11:56:19 PM - Installed Opera 9.64
RP1217: 5/28/2009 8:00:08 AM - System Checkpoint
RP1218: 5/29/2009 8:19:16 AM - System Checkpoint
RP1219: 5/30/2009 10:50:33 AM - System Checkpoint
RP1220: 5/31/2009 3:31:22 PM - System Checkpoint
RP1221: 6/1/2009 4:23:22 PM - System Checkpoint
RP1222: 6/2/2009 4:55:55 PM - System Checkpoint
RP1223: 6/3/2009 6:31:10 PM - System Checkpoint
RP1224: 6/4/2009 6:45:04 PM - System Checkpoint
RP1225: 6/5/2009 10:33:22 PM - System Checkpoint
RP1226: 6/7/2009 9:12:30 AM - System Checkpoint
RP1227: 6/8/2009 9:47:09 AM - System Checkpoint
RP1228: 6/9/2009 3:12:20 PM - System Checkpoint
RP1229: 6/9/2009 10:30:12 PM - Software Distribution Service 3.0
RP1230: 6/10/2009 11:23:34 PM - System Checkpoint
RP1231: 6/10/2009 11:43:07 PM - Software Distribution Service 3.0
RP1232: 6/12/2009 11:52:29 PM - System Checkpoint
RP1233: 6/14/2009 8:07:41 AM - System Checkpoint
RP1234: 6/15/2009 9:49:01 AM - System Checkpoint
RP1235: 6/16/2009 10:08:46 AM - System Checkpoint
RP1236: 6/17/2009 10:13:21 AM - System Checkpoint
RP1237: 6/18/2009 1:37:52 PM - System Checkpoint
RP1238: 6/19/2009 3:31:24 PM - System Checkpoint
RP1239: 6/20/2009 5:20:16 PM - System Checkpoint
RP1240: 6/21/2009 5:27:13 PM - System Checkpoint
RP1241: 6/22/2009 5:51:45 PM - System Checkpoint
RP1242: 6/23/2009 7:47:33 PM - System Checkpoint
RP1243: 6/25/2009 12:40:56 AM - System Checkpoint
RP1244: 6/26/2009 10:46:37 AM - System Checkpoint
RP1245: 6/27/2009 12:54:21 PM - System Checkpoint
RP1246: 6/28/2009 2:46:01 PM - System Checkpoint
RP1247: 6/29/2009 4:17:40 PM - System Checkpoint
RP1248: 6/30/2009 5:53:40 PM - System Checkpoint
RP1249: 7/1/2009 6:44:13 PM - System Checkpoint
RP1250: 7/2/2009 6:50:21 PM - System Checkpoint
RP1251: 7/3/2009 7:37:14 PM - System Checkpoint
RP1252: 7/4/2009 8:01:09 PM - System Checkpoint
RP1253: 7/5/2009 10:21:45 PM - System Checkpoint
RP1254: 7/7/2009 8:52:01 AM - System Checkpoint
RP1255: 7/8/2009 9:06:36 AM - System Checkpoint
RP1256: 7/9/2009 9:19:35 AM - System Checkpoint
RP1257: 7/10/2009 2:02:19 PM - System Checkpoint
RP1258: 7/11/2009 4:18:23 PM - System Checkpoint
RP1259: 7/12/2009 4:35:02 PM - System Checkpoint
RP1260: 7/13/2009 5:13:09 PM - System Checkpoint
RP1261: 7/14/2009 9:17:43 PM - System Checkpoint
RP1262: 7/15/2009 6:04:03 PM - Software Distribution Service 3.0
RP1263: 7/17/2009 7:22:23 AM - System Checkpoint
RP1264: 7/18/2009 9:48:32 AM - System Checkpoint
RP1265: 7/19/2009 11:18:08 AM - System Checkpoint
RP1266: 7/20/2009 12:05:13 PM - System Checkpoint
RP1267: 7/21/2009 1:09:52 PM - System Checkpoint
RP1268: 7/22/2009 4:10:51 PM - System Checkpoint
RP1269: 7/22/2009 11:04:20 PM - Software Distribution Service 3.0
RP1270: 7/24/2009 11:29:10 AM - System Checkpoint
RP1271: 7/24/2009 10:27:58 PM - Software Distribution Service 3.0
RP1272: 7/25/2009 10:35:10 PM - System Checkpoint
RP1273: 7/26/2009 5:50:52 PM - Removed MapleStory
RP1274: 7/26/2009 5:53:45 PM - Removed Star Wars Galactic Battlegrounds: Clone Campaigns
RP1275: 7/27/2009 8:39:55 PM - System Checkpoint
RP1276: 7/28/2009 9:09:54 PM - System Checkpoint
RP1277: 7/29/2009 7:47:32 PM - Software Distribution Service 3.0
RP1278: 7/31/2009 8:17:13 AM - System Checkpoint
RP1279: 7/31/2009 11:36:02 PM - Software Distribution Service 3.0
RP1280: 8/2/2009 8:47:37 AM - System Checkpoint
RP1281: 8/3/2009 11:32:24 AM - System Checkpoint
RP1282: 8/3/2009 11:51:09 AM - Installed BlackBerry Desktop Software 4.5.
RP1283: 8/3/2009 11:57:22 AM - Installed Roxio Media Manager
RP1284: 8/4/2009 1:31:04 PM - System Checkpoint
RP1285: 8/5/2009 2:29:21 PM - System Checkpoint
RP1286: 8/6/2009 2:38:54 PM - System Checkpoint
RP1287: 8/7/2009 4:08:16 PM - Installed Windows XP Wdf01005.
RP1288: 8/8/2009 2:09:20 PM - Software Distribution Service 3.0
RP1289: 8/9/2009 5:26:32 PM - System Checkpoint
RP1290: 8/10/2009 6:06:04 PM - System Checkpoint
RP1291: 8/11/2009 7:27:21 PM - System Checkpoint
RP1292: 8/12/2009 4:16:59 PM - Removed Java™ SE Runtime Environment 6 Update 1
RP1293: 8/12/2009 4:18:13 PM - Removed Java™ 6 Update 3
RP1294: 8/12/2009 4:19:18 PM - Removed Java™ 6 Update 5
RP1295: 8/12/2009 4:20:38 PM - Removed J2SE Runtime Environment 5.0 Update 2
RP1296: 8/12/2009 4:21:25 PM - Removed J2SE Runtime Environment 5.0 Update 6
RP1297: 8/12/2009 4:23:14 PM - Removed J2SE Runtime Environment 5.0 Update 9
RP1298: 8/12/2009 4:23:55 PM - Removed J2SE Runtime Environment 5.0 Update 10
RP1299: 8/12/2009 4:25:04 PM - Removed Java™ 6 Update 13
RP1300: 8/12/2009 4:31:09 PM - Installed Java™ 6 Update 16
RP1301: 8/12/2009 6:25:38 PM - Installed Kaspersky Anti-Virus 2009.
RP1302: 8/12/2009 10:53:56 PM - Software Distribution Service 3.0
RP1303: 8/14/2009 10:40:29 AM - System Checkpoint

==== Installed Programs ======================

Activision Value\Atlantis Underwater Tycoon
Ad-Aware SE Personal
Adobe Acrobat Reader 3.01
Adobe Flash Player 10 ActiveX
Adobe Flash Player 10 Plugin
Adobe Reader 7.0.5
AndreaMosaic 3.21
Apple Mobile Device Support
Apple Software Update
ATI - Software Uninstall Utility
ATI Control Panel
ATI Display Driver
Beyond Pearl Harbor - Pacific Warriors
BlackBerry Desktop Software 4.5
Blast Thru Special Edition
Bonjour
Canon MF Drivers
Canon MF Toolbox 4.7.0.0.mf02
CCleaner (remove only)
Checkers Special Edition
Civilization III
Civilization III Play the World
ClearType Tuning Control Panel Applet
Compatibility Pack for the 2007 Office system
Coupon Printer for Windows
Critical Update for Windows Media Player 11 (KB959772)
Digital Media Reader
Dinosaur Battles™
ESET Online Scanner v3
Google Calendar Sync
Google Toolbar for Internet Explorer
Grade Builder Algebra 1
Grammar for the Real World
HighMAT Extension to Microsoft Windows XP CD Writing Wizard
HijackThis 2.0.2
Hotfix for Microsoft .NET Framework 3.0 (KB932471)
Hotfix for Windows Internet Explorer 7 (KB947864)
Hotfix for Windows Media Format 11 SDK (KB929399)
Hotfix for Windows Media Player 10 (KB903157)
Hotfix for Windows Media Player 11 (KB939683)
Hotfix for Windows XP (KB952287)
ImageMixer VCD/DVD2 for OLYMPUS
iTunes
Java™ 6 Update 16
JumpStart Typing
Kaspersky Anti-Virus 2009
Learn2 Player (Uninstall Only)
LEGO Star Wars
MagicTune3.5_Client
Mall Tycoon 3
Malwarebytes' Anti-Malware
Mazes Special Edition
Microsoft .NET Framework 1.1
Microsoft .NET Framework 1.1 Hotfix (KB928366)
Microsoft .NET Framework 2.0 Service Pack 1
Microsoft .NET Framework 3.0
Microsoft ActiveSync 4.0
Microsoft Application Error Reporting
Microsoft Base Smart Card Cryptographic Service Provider Package
Microsoft Compression Client Pack 1.0 for Windows XP
Microsoft Digital Image Library 9 - Blocker
Microsoft IntelliPoint 6.2
Microsoft IntelliType Pro 6.2
Microsoft Internationalized Domain Names Mitigation APIs
Microsoft Kernel-Mode Driver Framework Feature Pack 1.5
Microsoft Money 2005
Microsoft National Language Support Downlevel APIs
Microsoft Office Standard Edition 2003
Microsoft Picture It! Library 10
Microsoft Picture It! Premium 10
Microsoft Silverlight
Microsoft User-Mode Driver Framework Feature Pack 1.0
Microsoft Visual C++ 2005 ATL Update kb973923 - x86 8.0.50727.4053
Microsoft Visual C++ 2005 Redistributable
Microsoft Works
Mini Golf Special Edition
MMS Winter Wonderland Screen Saver
MMs ScreenSaver
MSN Gaming Zone
MSXML 4.0 SP2 (KB925672)
MSXML 4.0 SP2 (KB927978)
MSXML 4.0 SP2 (KB936181)
MSXML 4.0 SP2 (KB954430)
MSXML 6.0 Parser (KB933579)
Multimedia Keyboard Driver
Napster
Napster Burn Engine
Nemesis of the Roman Empire
Nero BurnRights
Nero OEM
OLYMPUS Master
Opera 9.64
PowerDVD
QuickTime
RealPlayer Basic
Realtek AC'97 Audio
Recovery Software Suite eMachines
RollerCoaster Tycoon 3 Platinum
Roxio Media Manager
Security Update for CAPICOM (KB931906)
Security Update for Windows Internet Explorer 7 (KB937143)
Security Update for Windows Internet Explorer 7 (KB938127)
Security Update for Windows Internet Explorer 7 (KB939653)
Security Update for Windows Internet Explorer 7 (KB942615)
Security Update for Windows Internet Explorer 7 (KB944533)
Security Update for Windows Internet Explorer 7 (KB950759)
Security Update for Windows Internet Explorer 7 (KB953838)
Security Update for Windows Internet Explorer 7 (KB956390)
Security Update for Windows Internet Explorer 7 (KB958215)
Security Update for Windows Internet Explorer 7 (KB960714)
Security Update for Windows Internet Explorer 7 (KB961260)
Security Update for Windows Internet Explorer 7 (KB963027)
Security Update for Windows Internet Explorer 7 (KB969897)
Security Update for Windows Internet Explorer 8 (KB969897)
Security Update for Windows Internet Explorer 8 (KB972260)
Security Update for Windows Media Player (KB952069)
Security Update for Windows Media Player (KB973540)
Security Update for Windows Media Player 10 (KB911565)
Security Update for Windows Media Player 10 (KB917734)
Security Update for Windows Media Player 11 (KB936782)
Security Update for Windows Media Player 11 (KB954154)
Security Update for Windows Media Player 6.4 (KB925398)
Security Update for Windows XP (KB923561)
Security Update for Windows XP (KB923689)
Security Update for Windows XP (KB938464-v2)
Security Update for Windows XP (KB938464)
Security Update for Windows XP (KB941569)
Security Update for Windows XP (KB946648)
Security Update for Windows XP (KB950760)
Security Update for Windows XP (KB950762)
Security Update for Windows XP (KB950974)
Security Update for Windows XP (KB951066)
Security Update for Windows XP (KB951376-v2)
Security Update for Windows XP (KB951376)
Security Update for Windows XP (KB951698)
Security Update for Windows XP (KB951748)
Security Update for Windows XP (KB952004)
Security Update for Windows XP (KB952954)
Security Update for Windows XP (KB953839)
Security Update for Windows XP (KB954211)
Security Update for Windows XP (KB954459)
Security Update for Windows XP (KB954600)
Security Update for Windows XP (KB955069)
Security Update for Windows XP (KB956391)
Security Update for Windows XP (KB956572)
Security Update for Windows XP (KB956744)
Security Update for Windows XP (KB956802)
Security Update for Windows XP (KB956803)
Security Update for Windows XP (KB956841)
Security Update for Windows XP (KB957095)
Security Update for Windows XP (KB957097)
Security Update for Windows XP (KB958644)
Security Update for Windows XP (KB958687)
Security Update for Windows XP (KB958690)
Security Update for Windows XP (KB959426)
Security Update for Windows XP (KB960225)
Security Update for Windows XP (KB960715)
Security Update for Windows XP (KB960803)
Security Update for Windows XP (KB960859)
Security Update for Windows XP (KB961371)
Security Update for Windows XP (KB961373)
Security Update for Windows XP (KB961501)
Security Update for Windows XP (KB968537)
Security Update for Windows XP (KB969898)
Security Update for Windows XP (KB970238)
Security Update for Windows XP (KB971557)
Security Update for Windows XP (KB971633)
Security Update for Windows XP (KB971657)
Security Update for Windows XP (KB973346)
Security Update for Windows XP (KB973354)
Security Update for Windows XP (KB973507)
Security Update for Windows XP (KB973869)
Sid Meier's Civilization 4
SimTheme Park
SoftV92 Data Fax Modem with SmartCP
Sonic Encoders
Spider-Man ™ Movie
SpongeBob SquarePants Typing
Star Wars Battlefront II
Star Wars Math
TeLL me More
Treasure Cove!
Treasure MathStorm!
Typing Tutor 10
Update for Windows Internet Explorer 8 (KB972636)
Update for Windows Media Player 10 (KB913800)
Update for Windows Media Player 10 (KB926251)
Update for Windows XP (KB951072-v2)
Update for Windows XP (KB951978)
Update for Windows XP (KB953356)
Update for Windows XP (KB955839)
Update for Windows XP (KB967715)
Update for Windows XP (KB968389)
Update for Windows XP (KB973815)
Update Rollup 2 for Windows XP Media Center Edition 2005
URGE
WebEx
WebFldrs XP
Who Wants To Be A Millionaire
Windows Communication Foundation
Windows Genuine Advantage Notifications (KB905474)
Windows Genuine Advantage v1.3.0254.0
Windows Genuine Advantage Validation Tool (KB892130)
Windows Imaging Component
Windows Internet Explorer 7
Windows Internet Explorer 8
Windows Media Connect
Windows Media Format 11 runtime
Windows Media Format SDK Hotfix - KB891122
Windows Media Player 10 Hotfix - KB894476
Windows Media Player 11
Windows Presentation Foundation
Windows Workflow Foundation
Windows XP Media Center Edition 2005 KB888316
Windows XP Media Center Edition 2005 KB890629
Windows XP Media Center Edition 2005 KB890760
Windows XP Media Center Edition 2005 KB895198
Windows XP Media Center Edition 2005 KB895678
Windows XP Media Center Edition 2005 KB925766
Windows XP Service Pack 3
WinZip
XML Paper Specification Shared Components Pack 1.0
Zoo Tycoon 2
Zoo Tycoon: Complete Collection

==== Event Viewer Messages From Past Week ========

8/8/2009 5:31:20 PM, error: BROWSER [8019] - The browser was unable to promote itself to master browser. The browser will continue to attempt to promote itself to the master browser, but will no longer log any events in the event log in Event Viewer.
8/8/2009 5:30:18 PM, error: Service Control Manager [7034] - The iPod Service service terminated unexpectedly. It has done this 1 time(s).
8/8/2009 5:30:14 PM, error: Service Control Manager [7034] - The MBackMonitor service terminated unexpectedly. It has done this 1 time(s).
8/8/2009 5:24:20 PM, error: NetBT [4321] - The name "MSHOME :1d" could not be registered on the Interface with IP address 192.168.0.193. The machine with the IP address 192.168.0.196 did not allow the name to be claimed by this machine.
8/8/2009 4:11:01 PM, error: BROWSER [8009] - The browser was unable to promote itself to master browser. The computer that currently believes it is the master browser is YOUR-9FD2694BB6.
8/8/2009 3:25:22 PM, error: Service Control Manager [7026] - The following boot-start or system-start driver(s) failed to load: abp480n5 adpu160m agp440 agpCPQ Aha154x aic78u2 aic78xx AliIde alim1541 amdagp amsint asc asc3350p asc3550 cbidf cd20xrnt CmdIde Cpqarray dac2w2k dac960nt dpti2o hpn i2omp ini910u IntelIde mraid35x perc2 perc2hib ql1080 Ql10wnt ql12160 ql1240 ql1280 sisagp Sparrow symc810 symc8xx sym_hi sym_u3 TosIde ultra viaagp ViaIde
8/8/2009 3:25:20 PM, error: Service Control Manager [7009] - Timeout (30000 milliseconds) waiting for the Roxio Hard Drive Watcher 9 service to connect.

==== End Of File ===========================


Malwarebytes' Anti-Malware 1.39
Database version: 2421
Windows 5.1.2600 Service Pack 3

8/14/2009 10:25:20 PM
mbam-log-2009-08-14 (22-25-13).txt

Scan type: Quick Scan
Objects scanned: 108416
Time elapsed: 6 minute(s), 40 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 1
Registry Keys Infected: 7
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 1

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
C:\Program Files\Shared\lib.dll (Trojan.BHO) -> No action taken.

Registry Keys Infected:
HKEY_CLASSES_ROOT\main.bho (Trojan.BHO) -> No action taken.
HKEY_CLASSES_ROOT\TypeLib\{8e3c68cd-f500-4a2a-8cb9-132bb38c3573} (Trojan.BHO) -> No action taken.
HKEY_CLASSES_ROOT\Interface\{986a8ac1-ab4d-4f41-9068-4b01c0197867} (Trojan.BHO) -> No action taken.
HKEY_CLASSES_ROOT\CLSID\{afd4ad01-58c1-47db-a404-fbe00a6c5486} (Trojan.BHO) -> No action taken.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{afd4ad01-58c1-47db-a404-fbe00a6c5486} (Trojan.BHO) -> No action taken.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{afd4ad01-58c1-47db-a404-fbe00a6c5486} (Trojan.BHO) -> No action taken.
HKEY_CLASSES_ROOT\main.bho.1 (Trojan.BHO) -> No action taken.

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
C:\Program Files\Shared\lib.dll (Trojan.BHO) -> No action taken.

#10 extremeboy

  • Malware Response Team
Posted 15 August 2009 - 09:54 AM

Hello.

Glad it's a bit better.

In any case, I hope we can pick back up when I return. Please let me know next steps and if/how to pick back up when I return.

I'll give you the next set of instructions, but probably won't do much, but I will still post it here and if possible post the results back.

Then, I'll close this topic and once you come back, please Private Message me to re-open the topic, and I will do so and we'll continue from there. Sound okay?

--

Malwarebytes said "no action taken"

Re-run scan with MalwareBytes Anti-Malware

Your MBAM log shows "No action taken". This usually occurs if you forget to click "Remove Selected" and instead only clicked "Save Logfile". Please read this thread and rescan again only using the (Quick Scan) in normal mode and check all items found for removal. Don't forget to reboot afterwards. Failure to reboot normally (not into safe mode) will prevent MBAM from removing all the malware. After performing the new scan, click the Logs tab and copy/paste the contents of the new report in your next reply.

Download and Run Scan with GMER

We will use GMER to scan for rootkits. This version will download a zip file you will need to extract first. If you use this mirror, please extract the zip file to your desktop. Unzip/extract the file to its own folder. (Click here for information on how to do this if not sure. Win 2000 users click here.)
  • Close any and all open programs, as this process may crash your computer.
  • Double click [image] or [image] on your desktop.
  • When you have done this, close all running programs.
    There is a small chance this application may crash your computer, so save any work you have open.
  • Double-click on Gmer.exe to start the program. Right-click and select Run As Administrator... if you are using Vista.
  • Allow the gmer.sys driver to load if asked.
    If it detects rootkit activity, you will receive a prompt (refer below) to run a full scan. Click NO.
    [image]
  • In the right panel, you will see several boxes that have been checked. Please UNCHECK the following:
    • Sections
    • IAT/EAT
    • Registry
    • Drives/Partition other than Systemdrive (typically C:\)
    • Show all (Don't miss this one!)
  • Click on [image] and wait for the scan to finish.
  • If you see a rootkit warning window, click OK.
  • Push [image] and save the logfile to your desktop.
  • Copy and Paste the contents of that file in your next post.

If GMER doesn't work in Normal Mode try running it in Safe Mode

Note: Do Not run any program while GMER is running
*Note*: Rootkit scans often produce false positives. Do NOT take any actions on "<--- ROOTKIT" entries.

If GMER doesn't work (as there are crashes/problems with it sometimes), please post back letting me know.

Post back with both logs in your next reply.

With Regards,
Extremeboy
Note: Please do not PM me asking for help, instead please post it in the correct forum requesting for help. Help requests via the PM system will be ignored.

If I'm helping you and I don't reply within 48 hours please feel free to send me a PM.

The help you receive here is always free but if you wish to show your appreciation, you may wish to make a donation.

#11 extremeboy

extremeboy

  • Malware Response Team
  • 12,975 posts
  • OFFLINE
  • Gender:Male
  • Local time:01:58 AM

Posted 19 August 2009 - 11:57 AM

Hello.

Are you still there?

If you are please follow the instructions in my previous post.

If you still need help, follow the instructions I have given in my response. If you have since had your problem solved, we would appreciate you letting us know so we can close the topic.

Please reply back telling us so. If you don't reply within 5-7 days from the last day I replied initially, the topic will need to be closed.

Thanks for understanding.

With Regards,
Extremeboy

#12 extremeboy

extremeboy

  • Malware Response Team
  • 12,975 posts
  • OFFLINE
  • Gender:Male
  • Local time:01:58 AM

Posted 21 August 2009 - 08:04 AM

Hello.

Due to lack of feedback, this topic is now closed.

If you need this topic reopened, please Send Me a Message. In your message please include the address of this thread in your request.
This applies only to the original topic starter.

Everyone else please start a new topic in the Hijackthis-Malware Removal forum.

With Regards,
Extremeboy
