9 replies to this topic

[LL_4]

Hi, I'm hoping someone can tel me if I successfully got rid of a virus I think I had. What happened was, a few days ago, a friend called to tell me, They had recieved an off line message from me in YIM, and it was a spam message. As I wasn't home I know I didn't send it, I then found out a few other people on my contact list have also recieved spam IM's from my account as well. So I did change my password for yahoo. I googled and found Malwarebytes and downloaded it, along with Super Anitspyware. I ran them both, and quarentined and removed what it found.

I'm hoping I've fixed my problem, but I'm concerned if I haven't. I don't want to sign into anything with a password until I know I'm safe. Thanks for any info or help you can offer for this.

Here's the log file from tonight's scan from SuperAntiSW: I ran Malwarebytes after and it didn't find anything else.

SUPERAntiSpyware Scan Log
http://www.superantispyware.com

Generated 02/24/2009 at 08:13 PM

Application Version : 4.25.1012

Core Rules Database Version : 3773
Trace Rules Database Version: 1732

Scan type : Quick Scan
Total Scan Time : 00:31:33

Memory items scanned : 435
Memory threats detected : 0
Registry items scanned : 522
Registry threats detected : 0
File items scanned : 10558
File threats detected : 2

Adware.Tracking Cookie
C:\Documents and Settings\Leisenring\Cookies\leisenring@richmedia.yahoo[1].txt
C:\Documents and Settings\Nicky\Cookies\nicky@dc.tremormedia[1].txt


I also ran the HJT scan, and here is the log for that


Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 9:00:31 PM, on 2/24/2009
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16791)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\Trend Micro\Internet Security\SfCtlCom.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Trend Micro\BM\TMBMSRV.exe
C:\Program Files\Trend Micro\Internet Security\TmProxy.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Analog Devices\Core\smax4pnp.exe
C:\WINDOWS\system32\hkcmd.exe
C:\WINDOWS\system32\igfxpers.exe
C:\Program Files\Dell\Media Experience\DMXLauncher.exe
C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe
C:\WINDOWS\System32\DLA\DLACTRLW.EXE
C:\Program Files\Trend Micro\Internet Security\UfSeAgnt.exe
C:\Program Files\Dell Support\DSAgnt.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Digital Line Detect\DLG.exe
C:\Program Files\Kodak\Kodak EasyShare software\bin\EasyShare.exe
C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = www.google.com/ig/dell?hl=en&client=dell-usuk&channel=us&ibd=0061019
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://m.www.yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft....k/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft....k/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft....k/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft....k/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Search,Default_Page_URL = www.google.com/ig/dell?hl=en&client=dell-usuk&channel=us&ibd=0061019
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {3EBBD0F6-1F1F-48A0-89DC-C7505D56E92A} - (no file)
O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\System32\DLA\DLASHX_W.DLL
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - C:\Program Files\Google\Google Toolbar\GoogleToolbar.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\5.0.926.3450\swg.dll
O2 - BHO: Google Dictionary Compression sdch - {C84D72FE-E17D-4195-BB24-76C02E2E7C4E} - C:\Program Files\Google\Google Toolbar\Component\fastsearch_219B3E1547538286.dll
O2 - BHO: Browser Address Error Redirector - {CA6319C0-31B7-401E-A518-A07C3DB8F777} - C:\Program Files\BAE\BAE.dll
O2 - BHO: Java™ Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll (file missing)
O3 - Toolbar: (no name) - {0BF43445-2F28-4351-9252-17FE6E806AA0} - (no file)
O3 - Toolbar: &Google Toolbar - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - C:\Program Files\Google\Google Toolbar\GoogleToolbar.dll
O4 - HKLM\..\Run: [SoundMAXPnP] C:\Program Files\Analog Devices\Core\smax4pnp.exe
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [Persistence] C:\WINDOWS\system32\igfxpers.exe
O4 - HKLM\..\Run: [DMXLauncher] C:\Program Files\Dell\Media Experience\DMXLauncher.exe
O4 - HKLM\..\Run: [ISUSPM Startup] "C:\Program Files\Common Files\InstallShield\UpdateService\isuspm.exe" -startup
O4 - HKLM\..\Run: [ISUSScheduler] "C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start
O4 - HKLM\..\Run: [DLA] C:\WINDOWS\System32\DLA\DLACTRLW.EXE
O4 - HKLM\..\Run: [UfSeAgnt.exe] "C:\Program Files\Trend Micro\Internet Security\UfSeAgnt.exe"
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKCU\..\Run: [DellSupport] "C:\Program Files\Dell Support\DSAgnt.exe" /startup
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [updateMgr] "C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe" AcRdB7_0_9 -reboot 1
O4 - HKCU\..\Run: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Digital Line Detect.lnk = ?
O4 - Global Startup: Kodak EasyShare software.lnk = C:\Program Files\Kodak\Kodak EasyShare software\bin\EasyShare.exe
O4 - Global Startup: KODAK Software Updater.lnk = C:\Program Files\Kodak\KODAK Software Updater\7288971\Program\Kodak Software Updater.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MI1933~1\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} - http://qtinstall.inf...ex/QTPlugin.cab
O16 - DPF: {215B8138-A3CF-44C5-803F-8226143CFC0A} (Trend Micro ActiveX Scan Agent 6.6) - http://housecall65.trendmicro.com/housecal...ivex/hcImpl.cab
O16 - DPF: {406B5949-7190-4245-91A9-30A17DE16AD0} (Snapfish Activia) - http://www2.snapfish...fishActivia.cab
O16 - DPF: {814EA0DA-E0D9-4AA4-833C-A1A6D38E79E9} (DASWebDownload Class) - http://das.microsoft.com/activate/cab/x86/...tail/DASAct.cab
O16 - DPF: {C8AEB218-8B7A-4E15-AC17-0EE8D99B80EB} - http://cnn-5.vo.llnwd.net/c1/static/cab_he...pWebUpdater.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/shoc...ash/swflash.cab
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: Intel NCS NetService (NetSvc) - Intel® Corporation - C:\Program Files\Intel\PROSetWired\NCS\Sync\NetSvc.exe
O23 - Service: Trend Micro Central Control Component (SfCtlCom) - Trend Micro Inc. - C:\Program Files\Trend Micro\Internet Security\SfCtlCom.exe
O23 - Service: Trend Micro Unauthorized Change Prevention Service (TMBMServer) - Trend Micro Inc. - C:\Program Files\Trend Micro\BM\TMBMSRV.exe
O23 - Service: Trend Micro Proxy Service (tmproxy) - Trend Micro Inc. - C:\Program Files\Trend Micro\Internet Security\TmProxy.exe

--
End of file - 7451 bytes


Thanks!

Lora

[Tigger93]

Hi.

Download OTScanIt2.exe to your Desktop and double-click on it to extract the files. It will create a folder named OTScanIt2 on your desktop.

Note: You must be logged on to the system with an account that has Administrator privileges to run this program.

• Close ALL OTHER PROGRAMS.
  
• Open the OTScanIt2 folder and double-click on OTScanIt2.exe to start the program (if you are running on Vista then right-click the program and choose Run as Administrator).
  
• Click the Scan All Users checkbox on the toolbar.
  
• Do not change any other settings.
  
• Now click the Run Scan button on the toolbar.
  
• Let it run unhindered until it finishes.
  
• When the scan is complete Notepad will open with the report file loaded in it.
  
• Click the Format menu and make sure that Wordwrap is not checked. If it is then click on it to uncheck it.
  
• Close Notepad (saving the change if necessary).

Use the Add Reply button and Attach the scan back here (do not copy/paste it as it will be too big to fit into the post). It will be located in the OTScanIt2 folder and named OTScanIt.txt.

I will review it when it comes in.

[LL_4]

Hi, and thanks for quick response!

Here's the log from the OTScanIt2

Attached Files

•  OTScanIt.Txt   161.55K   67 downloads

[Tigger93]

Paste this into the fix box (where it says paste fix here):

[Kill Explorer]
[Win32 Services - Safe List]
YY -> (aspimgr) Microsoft ASPI Manager [Win32_Own | Disabled | Stopped] -> 
[Registry - Safe List]
< BHO's [HKEY_LOCAL_MACHINE] > -> HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\
YN -> {3EBBD0F6-1F1F-48A0-89DC-C7505D56E92A} [HKLM] -> Reg Error: Key error. [Reg Error: Key error.]
< Internet Explorer ToolBars [HKEY_LOCAL_MACHINE] > -> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\ToolBar
YN -> "{0BF43445-2F28-4351-9252-17FE6E806AA0}" [HKLM] -> Reg Error: Key error. [Reg Error: Key error.]
< Internet Explorer ToolBars [HKEY_CURRENT_USER\] > -> HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\
YN -> WebBrowser\\"{604BC32A-9680-40D1-9AC6-E06B23A1BA4C}" [HKLM] -> Reg Error: Key error. [Reg Error: Key error.]
YN -> WebBrowser\\"{E19E589B-749F-4641-9ED3-032DEB7A8D92}" [HKLM] -> Reg Error: Key error. [Reg Error: Key error.]
< Internet Explorer Extensions [HKEY_CURRENT_USER\] > -> HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Extensions\
YN -> CmdMapping\\"{08B0E5C0-4FCB-11CF-AAA5-00401C608501}" [HKLM] -> [Reg Error: Value error.]
YN -> CmdMapping\\"{92780B25-18CC-41C8-B9BE-3C9C571A8263}" [HKLM] -> [Reg Error: Key error.]
[Files/Folders - Created Within 30 Days]
NY -> 4 C:\WINDOWS\System32\*.tmp files -> C:\WINDOWS\System32\*.tmp
NY -> 7ed887d49149f3903c05a3f70be891 -> %SystemDrive%\7ed887d49149f3903c05a3f70be891
NY -> ea407a8023a0cba0af7eff -> %SystemDrive%\ea407a8023a0cba0af7eff
NY -> b354c87fa820e039d3aea0c9 -> %SystemDrive%\b354c87fa820e039d3aea0c9
[Files/Folders - Modified Within 30 Days]
NY -> 4 C:\WINDOWS\System32\*.tmp files -> C:\WINDOWS\System32\*.tmp
NY -> 1 C:\WINDOWS\*.tmp files -> C:\WINDOWS\*.tmp
NY -> 77 C:\Documents and Settings\Leisenring\Local Settings\Temp\*.tmp files -> C:\Documents and Settings\Leisenring\Local Settings\Temp\*.tmp
NY -> 77 C:\Documents and Settings\Leisenring\Local Settings\Temp\*.tmp files -> C:\Documents and Settings\Leisenring\Local Settings\Temp\*.tmp
NY -> 77 C:\Documents and Settings\Leisenring\Local Settings\Temp\*.tmp files -> C:\Documents and Settings\Leisenring\Local Settings\Temp\*.tmp
NY -> 25 C:\WINDOWS\Temp\*.tmp files -> C:\WINDOWS\Temp\*.tmp
NY -> setup.exe -> %UserProfile%\Local Settings\Temp\setup.exe
NY -> SSUPDATE.EXE -> %UserProfile%\Local Settings\Temp\SSUPDATE.EXE
NY -> ywiseext.dll -> %UserProfile%\Local Settings\Temp\4706527\ywiseext.dll
NY -> mfc80.dll -> %UserProfile%\Local Settings\Temp\mfc80.dll
NY -> mfc80.dll -> %SystemRoot%\Temp\tismsi\mfc80.dll
NY -> mfc80u.dll -> %UserProfile%\Local Settings\Temp\mfc80u.dll
NY -> mfc80u.dll -> %SystemRoot%\Temp\tismsi\mfc80u.dll
NY -> atl80.dll -> %UserProfile%\Local Settings\Temp\atl80.dll
NY -> atl80.dll -> %SystemRoot%\Temp\tismsi\atl80.dll
NY -> mfcm80.dll -> %UserProfile%\Local Settings\Temp\mfcm80.dll
NY -> mfcm80.dll -> %SystemRoot%\Temp\tismsi\mfcm80.dll
NY -> mfcm80u.dll -> %UserProfile%\Local Settings\Temp\mfcm80u.dll
NY -> mfcm80u.dll -> %SystemRoot%\Temp\tismsi\mfcm80u.dll
NY -> msvcr80.dll -> %UserProfile%\Local Settings\Temp\msvcr80.dll
NY -> msvcr80.dll -> %SystemRoot%\Temp\tismsi\msvcr80.dll
NY -> msvcp80.dll -> %UserProfile%\Local Settings\Temp\msvcp80.dll
NY -> msvcp80.dll -> %SystemRoot%\Temp\tismsi\msvcp80.dll
NY -> msvcm80.dll -> %UserProfile%\Local Settings\Temp\msvcm80.dll
NY -> msvcm80.dll -> %SystemRoot%\Temp\tismsi\msvcm80.dll
NY -> libexpat.dll -> %UserProfile%\Local Settings\Temp\libexpat.dll
NY -> libexpat.dll -> %SystemRoot%\Temp\tismsi\libexpat.dll
NY -> GENKEY32.dll -> %SystemRoot%\Temp\tismsi\GENKEY32.dll
NY -> TmDbg32.dll -> %UserProfile%\Local Settings\Temp\TmDbg32.dll
NY -> Install_WLMessenger.exe -> %UserProfile%\Local Settings\Temp\Install_WLMessenger.exe
NY -> updscan.dat -> %SystemRoot%\Temp\UPDA9.tmp\updscan.dat
NY -> updnames.dat -> %SystemRoot%\Temp\UPDA9.tmp\updnames.dat
NY -> updclean.dat -> %SystemRoot%\Temp\UPDA9.tmp\updclean.dat
NY -> updscan.dat -> %SystemRoot%\Temp\UPD35.tmp\updscan.dat
NY -> updnames.dat -> %SystemRoot%\Temp\UPD35.tmp\updnames.dat
NY -> updclean.dat -> %SystemRoot%\Temp\UPD35.tmp\updclean.dat
NY -> updscan.dat -> %SystemRoot%\Temp\UPD7A.tmp\updscan.dat
NY -> updnames.dat -> %SystemRoot%\Temp\UPD7A.tmp\updnames.dat
NY -> updclean.dat -> %SystemRoot%\Temp\UPD7A.tmp\updclean.dat
NY -> updscan.dat -> %SystemRoot%\Temp\UPD52.tmp\updscan.dat
NY -> updnames.dat -> %SystemRoot%\Temp\UPD52.tmp\updnames.dat
NY -> updclean.dat -> %SystemRoot%\Temp\UPD52.tmp\updclean.dat
NY -> updscan.dat -> %SystemRoot%\Temp\UPD202.tmp\updscan.dat
NY -> updnames.dat -> %SystemRoot%\Temp\UPD202.tmp\updnames.dat
NY -> updclean.dat -> %SystemRoot%\Temp\UPD202.tmp\updclean.dat
NY -> updnames.dat -> %SystemRoot%\Temp\UPD14D.tmp\updnames.dat
NY -> updclean.dat -> %SystemRoot%\Temp\UPD14D.tmp\updclean.dat
NY -> updscan.dat -> %SystemRoot%\Temp\UPD14D.tmp\updscan.dat
NY -> updscan.dat -> %SystemRoot%\Temp\UPD4B.tmp\updscan.dat
NY -> updnames.dat -> %SystemRoot%\Temp\UPD4B.tmp\updnames.dat
NY -> updclean.dat -> %SystemRoot%\Temp\UPD4B.tmp\updclean.dat
NY -> updscan.dat -> %SystemRoot%\Temp\UPD27A.tmp\updscan.dat
NY -> updnames.dat -> %SystemRoot%\Temp\UPD27A.tmp\updnames.dat
NY -> updclean.dat -> %SystemRoot%\Temp\UPD27A.tmp\updclean.dat
NY -> updscan.dat -> %SystemRoot%\Temp\UPD19A.tmp\updscan.dat
NY -> updnames.dat -> %SystemRoot%\Temp\UPD19A.tmp\updnames.dat
NY -> updclean.dat -> %SystemRoot%\Temp\UPD19A.tmp\updclean.dat
NY -> updscan.dat -> %SystemRoot%\Temp\UPD67.tmp\updscan.dat
NY -> updnames.dat -> %SystemRoot%\Temp\UPD67.tmp\updnames.dat
NY -> updclean.dat -> %SystemRoot%\Temp\UPD67.tmp\updclean.dat
NY -> updscan.dat -> %SystemRoot%\Temp\UPD59.tmp\updscan.dat
NY -> updnames.dat -> %SystemRoot%\Temp\UPD59.tmp\updnames.dat
NY -> updclean.dat -> %SystemRoot%\Temp\UPD59.tmp\updclean.dat
NY -> IadHide5.dll -> %UserProfile%\Local Settings\Temp\IadHide5.dll
[Alternate Data Streams]
NY -> @Alternate Data Stream - 0 bytes -> %UserProfile%\Desktop\Thumbs.db:encryptable
NY -> @Alternate Data Stream - 120 bytes -> %AllUsersProfile%\Application Data\TEMP:5C321E34
[Purity]
[Empty Temp Folders]
[Start Explorer]

It will produce a log. Please post that here and a new HijackThis.

[LL_4]

Here is the log it gave me, my Trend Micro popped up with a warning for OTScanit2, I clicked ignore so it could run. Also there is a catchme.exe that Trend Micro says is a Troj_genaric.DIM Don't know if means anything, but thought I should post that info in case. I hope the did the fix correctly, the OTScanit2, seems to have frozen, I can't close it, but I am able to open open up the file, and I found the new log. I thought I would post this first, and I'll do the HJT scan and log next.

Thanks again so much for your help!


Process Explorer.EXE killed successfully!
[Win32 Services - Safe List]
Service aspimgr stopped successfully!
Service aspimgr deleted successfully!
File not found.
[Registry - Safe List]
Registry key HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{3EBBD0F6-1F1F-48A0-89DC-C7505D56E92A}\ deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{3EBBD0F6-1F1F-48A0-89DC-C7505D56E92A}\ not found.
Registry value HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\ToolBar\\{0BF43445-2F28-4351-9252-17FE6E806AA0} deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{0BF43445-2F28-4351-9252-17FE6E806AA0}\ not found.
Registry value HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser\\{604BC32A-9680-40D1-9AC6-E06B23A1BA4C} deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{604BC32A-9680-40D1-9AC6-E06B23A1BA4C}\ not found.
Registry value HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser\\{E19E589B-749F-4641-9ED3-032DEB7A8D92} deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{E19E589B-749F-4641-9ED3-032DEB7A8D92}\ not found.
Registry value HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Extensions\CmdMapping\\{08B0E5C0-4FCB-11CF-AAA5-00401C608501} deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{08B0E5C0-4FCB-11CF-AAA5-00401C608501}\ deleted successfully.
Registry value HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Extensions\CmdMapping\\{92780B25-18CC-41C8-B9BE-3C9C571A8263} deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{92780B25-18CC-41C8-B9BE-3C9C571A8263}\ not found.
[Files/Folders - Created Within 30 Days]
C:\7ed887d49149f3903c05a3f70be891\i386 folder moved successfully.
C:\7ed887d49149f3903c05a3f70be891\amd64 folder moved successfully.
C:\7ed887d49149f3903c05a3f70be891 folder moved successfully.
C:\ea407a8023a0cba0af7eff folder moved successfully.
C:\b354c87fa820e039d3aea0c9\wcu\dotNetFramework\Tools folder moved successfully.
C:\b354c87fa820e039d3aea0c9\wcu\dotNetFramework\dotNetMSP\x86 folder moved successfully.
C:\b354c87fa820e039d3aea0c9\wcu\dotNetFramework\dotNetMSP\x64 folder moved successfully.
C:\b354c87fa820e039d3aea0c9\wcu\dotNetFramework\dotNetMSP\ia64 folder moved successfully.
C:\b354c87fa820e039d3aea0c9\wcu\dotNetFramework\dotNetMSP folder moved successfully.
C:\b354c87fa820e039d3aea0c9\wcu\dotNetFramework\dotNetFX35\x86 folder moved successfully.
C:\b354c87fa820e039d3aea0c9\wcu\dotNetFramework\dotNetFX35\x64 folder moved successfully.
C:\b354c87fa820e039d3aea0c9\wcu\dotNetFramework\dotNetFX35\ia64 folder moved successfully.
C:\b354c87fa820e039d3aea0c9\wcu\dotNetFramework\dotNetFX35 folder moved successfully.
C:\b354c87fa820e039d3aea0c9\wcu\dotNetFramework\dotNetFX30\x86 folder moved successfully.
C:\b354c87fa820e039d3aea0c9\wcu\dotNetFramework\dotNetFX30\x64 folder moved successfully.
C:\b354c87fa820e039d3aea0c9\wcu\dotNetFramework\dotNetFX30 folder moved successfully.
C:\b354c87fa820e039d3aea0c9\wcu\dotNetFramework\dotNetFX20 folder moved successfully.
C:\b354c87fa820e039d3aea0c9\wcu\dotNetFramework folder moved successfully.
C:\b354c87fa820e039d3aea0c9\wcu folder moved successfully.
C:\b354c87fa820e039d3aea0c9 folder moved successfully.
[Files/Folders - Modified Within 30 Days]
C:\WINDOWS\Temp\UPD14D.tmp folder deleted successfully.
C:\WINDOWS\Temp\UPD19A.tmp folder deleted successfully.
C:\WINDOWS\Temp\UPD202.tmp folder deleted successfully.
C:\WINDOWS\Temp\UPD27A.tmp folder deleted successfully.
C:\WINDOWS\Temp\UPD35.tmp folder deleted successfully.
C:\WINDOWS\Temp\UPD4B.tmp folder deleted successfully.
C:\WINDOWS\Temp\UPD52.tmp folder deleted successfully.
C:\WINDOWS\Temp\UPD59.tmp folder deleted successfully.
C:\WINDOWS\Temp\UPD67.tmp folder deleted successfully.
C:\WINDOWS\Temp\UPD7A.tmp folder deleted successfully.
C:\WINDOWS\Temp\UPDA9.tmp folder deleted successfully.
C:\Documents and Settings\Leisenring\Local Settings\Temp\setup.exe moved successfully.
C:\Documents and Settings\Leisenring\Local Settings\Temp\SSUPDATE.EXE moved successfully.
C:\Documents and Settings\Leisenring\Local Settings\Temp\4706527\ywiseext.dll moved successfully.
C:\Documents and Settings\Leisenring\Local Settings\Temp\mfc80.dll moved successfully.
C:\WINDOWS\Temp\tismsi\mfc80.dll moved successfully.
C:\Documents and Settings\Leisenring\Local Settings\Temp\mfc80u.dll moved successfully.
C:\WINDOWS\Temp\tismsi\mfc80u.dll moved successfully.
C:\Documents and Settings\Leisenring\Local Settings\Temp\atl80.dll moved successfully.
C:\WINDOWS\Temp\tismsi\atl80.dll moved successfully.
C:\Documents and Settings\Leisenring\Local Settings\Temp\mfcm80.dll moved successfully.
C:\WINDOWS\Temp\tismsi\mfcm80.dll moved successfully.
C:\Documents and Settings\Leisenring\Local Settings\Temp\mfcm80u.dll moved successfully.
C:\WINDOWS\Temp\tismsi\mfcm80u.dll moved successfully.
C:\Documents and Settings\Leisenring\Local Settings\Temp\msvcr80.dll moved successfully.
C:\WINDOWS\Temp\tismsi\msvcr80.dll moved successfully.
C:\Documents and Settings\Leisenring\Local Settings\Temp\msvcp80.dll moved successfully.
C:\WINDOWS\Temp\tismsi\msvcp80.dll moved successfully.
C:\Documents and Settings\Leisenring\Local Settings\Temp\msvcm80.dll moved successfully.
C:\WINDOWS\Temp\tismsi\msvcm80.dll moved successfully.
C:\Documents and Settings\Leisenring\Local Settings\Temp\libexpat.dll moved successfully.
C:\WINDOWS\Temp\tismsi\libexpat.dll moved successfully.
C:\WINDOWS\Temp\tismsi\GENKEY32.dll moved successfully.
C:\Documents and Settings\Leisenring\Local Settings\Temp\TmDbg32.dll moved successfully.
C:\Documents and Settings\Leisenring\Local Settings\Temp\Install_WLMessenger.exe moved successfully.
File C:\WINDOWS\Temp\UPDA9.tmp\updscan.dat not found!
File C:\WINDOWS\Temp\UPDA9.tmp\updnames.dat not found!
File C:\WINDOWS\Temp\UPDA9.tmp\updclean.dat not found!
File C:\WINDOWS\Temp\UPD35.tmp\updscan.dat not found!
File C:\WINDOWS\Temp\UPD35.tmp\updnames.dat not found!
File C:\WINDOWS\Temp\UPD35.tmp\updclean.dat not found!
File C:\WINDOWS\Temp\UPD7A.tmp\updscan.dat not found!
File C:\WINDOWS\Temp\UPD7A.tmp\updnames.dat not found!
File C:\WINDOWS\Temp\UPD7A.tmp\updclean.dat not found!
File C:\WINDOWS\Temp\UPD52.tmp\updscan.dat not found!
File C:\WINDOWS\Temp\UPD52.tmp\updnames.dat not found!
File C:\WINDOWS\Temp\UPD52.tmp\updclean.dat not found!
File C:\WINDOWS\Temp\UPD202.tmp\updscan.dat not found!
File C:\WINDOWS\Temp\UPD202.tmp\updnames.dat not found!
File C:\WINDOWS\Temp\UPD202.tmp\updclean.dat not found!
File C:\WINDOWS\Temp\UPD14D.tmp\updnames.dat not found!
File C:\WINDOWS\Temp\UPD14D.tmp\updclean.dat not found!
File C:\WINDOWS\Temp\UPD14D.tmp\updscan.dat not found!
File C:\WINDOWS\Temp\UPD4B.tmp\updscan.dat not found!
File C:\WINDOWS\Temp\UPD4B.tmp\updnames.dat not found!
File C:\WINDOWS\Temp\UPD4B.tmp\updclean.dat not found!
File C:\WINDOWS\Temp\UPD27A.tmp\updscan.dat not found!
File C:\WINDOWS\Temp\UPD27A.tmp\updnames.dat not found!
File C:\WINDOWS\Temp\UPD27A.tmp\updclean.dat not found!
File C:\WINDOWS\Temp\UPD19A.tmp\updscan.dat not found!
File C:\WINDOWS\Temp\UPD19A.tmp\updnames.dat not found!
File C:\WINDOWS\Temp\UPD19A.tmp\updclean.dat not found!
File C:\WINDOWS\Temp\UPD67.tmp\updscan.dat not found!
File C:\WINDOWS\Temp\UPD67.tmp\updnames.dat not found!
File C:\WINDOWS\Temp\UPD67.tmp\updclean.dat not found!
File C:\WINDOWS\Temp\UPD59.tmp\updscan.dat not found!
File C:\WINDOWS\Temp\UPD59.tmp\updnames.dat not found!
File C:\WINDOWS\Temp\UPD59.tmp\updclean.dat not found!
C:\Documents and Settings\Leisenring\Local Settings\Temp\IadHide5.dll moved successfully.
[Alternate Data Streams]
ADS C:\Documents and Settings\Leisenring\Desktop\Thumbs.db:encryptable deleted successfully.
ADS C:\Documents and Settings\All Users\Application Data\TEMP:5C321E34 deleted successfully.
[Purity]
Purity scan complete.
[Empty Temp Folders]
User's Temp folder emptied.
User's Temporary Internet Files folder emptied.
User's Internet Explorer cache folder emptied.
Local Service Temp folder emptied.
File delete failed. C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\index.dat scheduled to be deleted on reboot.
Local Service Temporary Internet Files folder emptied.
Windows Temp folder emptied.
Java cache emptied.
RecycleBin -> emptied.
Explorer started successfully
< End of fix log >
OTScanIt2 by OldTimer - Version 1.0.8.0 fix logfile created on 02252009_133502

[LL_4]

OK, here is teh HJT log. And I got OTScanit2 to close, I used Ctrl Alt Del, and closed it through there.. I hope that was ok.

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 2:05:31 PM, on 2/25/2009
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16791)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\Trend Micro\Internet Security\SfCtlCom.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Trend Micro\BM\TMBMSRV.exe
C:\Program Files\Trend Micro\Internet Security\TmProxy.exe
C:\Program Files\Analog Devices\Core\smax4pnp.exe
C:\WINDOWS\system32\hkcmd.exe
C:\WINDOWS\system32\igfxpers.exe
C:\Program Files\Dell\Media Experience\DMXLauncher.exe
C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe
C:\WINDOWS\System32\DLA\DLACTRLW.EXE
C:\Program Files\Trend Micro\Internet Security\UfSeAgnt.exe
C:\Program Files\Dell Support\DSAgnt.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Digital Line Detect\DLG.exe
C:\Program Files\Kodak\KODAK Software Updater\7288971\Program\Kodak Software Updater.exe
C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
C:\Documents and Settings\Leisenring\Desktop\OTScanIt2\OTScanIt2.exe
C:\WINDOWS\explorer.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = www.google.com/ig/dell?hl=en&client=dell-usuk&channel=us&ibd=0061019
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://m.www.yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft....k/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft....k/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft....k/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft....k/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Search,Default_Page_URL = www.google.com/ig/dell?hl=en&client=dell-usuk&channel=us&ibd=0061019
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\System32\DLA\DLASHX_W.DLL
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - C:\Program Files\Google\Google Toolbar\GoogleToolbar.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\5.0.926.3450\swg.dll
O2 - BHO: Google Dictionary Compression sdch - {C84D72FE-E17D-4195-BB24-76C02E2E7C4E} - C:\Program Files\Google\Google Toolbar\Component\fastsearch_219B3E1547538286.dll
O2 - BHO: Browser Address Error Redirector - {CA6319C0-31B7-401E-A518-A07C3DB8F777} - C:\Program Files\BAE\BAE.dll
O2 - BHO: Java™ Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll (file missing)
O3 - Toolbar: &Google Toolbar - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - C:\Program Files\Google\Google Toolbar\GoogleToolbar.dll
O4 - HKLM\..\Run: [SoundMAXPnP] C:\Program Files\Analog Devices\Core\smax4pnp.exe
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [Persistence] C:\WINDOWS\system32\igfxpers.exe
O4 - HKLM\..\Run: [DMXLauncher] C:\Program Files\Dell\Media Experience\DMXLauncher.exe
O4 - HKLM\..\Run: [ISUSPM Startup] "C:\Program Files\Common Files\InstallShield\UpdateService\isuspm.exe" -startup
O4 - HKLM\..\Run: [ISUSScheduler] "C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start
O4 - HKLM\..\Run: [DLA] C:\WINDOWS\System32\DLA\DLACTRLW.EXE
O4 - HKLM\..\Run: [UfSeAgnt.exe] "C:\Program Files\Trend Micro\Internet Security\UfSeAgnt.exe"
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKLM\..\RunOnce: [OTScanIt] "C:\Documents and Settings\Leisenring\Desktop\OTScanIt2\OTScanIt2.exe"
O4 - HKCU\..\Run: [DellSupport] "C:\Program Files\Dell Support\DSAgnt.exe" /startup
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [updateMgr] "C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe" AcRdB7_0_9 -reboot 1
O4 - HKCU\..\Run: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Digital Line Detect.lnk = ?
O4 - Global Startup: Kodak EasyShare software.lnk = C:\Program Files\Kodak\Kodak EasyShare software\bin\EasyShare.exe
O4 - Global Startup: KODAK Software Updater.lnk = C:\Program Files\Kodak\KODAK Software Updater\7288971\Program\Kodak Software Updater.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MI1933~1\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} - http://qtinstall.inf...ex/QTPlugin.cab
O16 - DPF: {215B8138-A3CF-44C5-803F-8226143CFC0A} (Trend Micro ActiveX Scan Agent 6.6) - http://housecall65.trendmicro.com/housecal...ivex/hcImpl.cab
O16 - DPF: {406B5949-7190-4245-91A9-30A17DE16AD0} (Snapfish Activia) - http://www2.snapfish...fishActivia.cab
O16 - DPF: {814EA0DA-E0D9-4AA4-833C-A1A6D38E79E9} (DASWebDownload Class) - http://das.microsoft.com/activate/cab/x86/...tail/DASAct.cab
O16 - DPF: {C8AEB218-8B7A-4E15-AC17-0EE8D99B80EB} - http://cnn-5.vo.llnwd.net/c1/static/cab_he...pWebUpdater.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/shoc...ash/swflash.cab
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: Intel NCS NetService (NetSvc) - Intel® Corporation - C:\Program Files\Intel\PROSetWired\NCS\Sync\NetSvc.exe
O23 - Service: Trend Micro Central Control Component (SfCtlCom) - Trend Micro Inc. - C:\Program Files\Trend Micro\Internet Security\SfCtlCom.exe
O23 - Service: Trend Micro Unauthorized Change Prevention Service (TMBMServer) - Trend Micro Inc. - C:\Program Files\Trend Micro\BM\TMBMSRV.exe
O23 - Service: Trend Micro Proxy Service (tmproxy) - Trend Micro Inc. - C:\Program Files\Trend Micro\Internet Security\TmProxy.exe

--
End of file - 7546 bytes

[Tigger93]

The catcheme trojan that TrendMicro found is a false positive, nothing to worry about.

You can go ahead and delete c:\_otmoveit or c:\_otscanit if they exist and OTScanIT.

You look clean now. Are you still having any problems?

[LL_4]

Thanks so much! I don't think I'm having any other problems.

I deleted c:\_otscanit, I didn't find the other one. the only other thing is when I went to delete the OTScanit2 file from my desktop, it said it was still waiting comands from me, so it couldn't deleate. I checked and it didn't show that it was running, so I just restarted, and then it deleated fine, but when I did restart I got this message in notepad.

02252009_133502-Notepad

Files moved on Reboot...
File move failed. C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\index.dat scheduled to be moved on reboot.

Registry entries deleted on Reboot...

I'm not sure what that means.

Do you know what my problem was, btw? Did I have a keylogger?

Thanks again so much! I'm so glad I downloaded MWbytes, and found this forum.

[Tigger93]

I don't think so. I quick reboot should fix any lasting problems of ridding of OTScanIt.

[LL_4]

Yeah that was it. Everything seems to be working fine now, seems to boot up faster now too.

Thank you so much, I really appreciate it.