Malwarebytes, Avira and Panda will not start or update


21 replies to this topic

#1 FriscoGirl

FriscoGirl

    New Member

  • Members
  • 19 posts

Posted 20 May 2009 - 11:55 AM

Help!

Malwarebytes hangs up at starting to scan and will not exit without turning off the computer. Won't progress at all - even if left alone for 48 hours. It also will not update.

HijackThis has stalled during installation - the top of the screen says O4 - Registry & Start Menu autoruns...... The blue bar is about 80% across.

Avira will not update or run.

Panda Active Scan will not run. Nor will their Antivirus 2009.

Spybot does update and run - keeps finding Virtumonde - which I delete and restart the computer.

Other programs often do not load or run.

The internet is running very slowly and the toolbar at the bottom of the screen often disappears and the computer must be rebooted to restore.

Please let me know if you need any further information and what I should do.

Thanks a million!!

#2 AdvancedSetup

AdvancedSetup

    Staff

  • Root Admin
  • 41,130 posts
  • Gender:Male
  • Location:US

Posted 20 May 2009 - 03:17 PM

Okay if MBAM won't run please take a look at the following posts and see if they help or not.

Potential Malware infection issues to review to get MBAM running


If that does not work then please try this.
Small util to randomize the name of MBAM.EXE
randmbam.exe

Post back and let me know how it goes.

Ron Lewis
Forum Community Manager


Follow us: Twitter, Become a fan: Facebook


#3 FriscoGirl

FriscoGirl

    New Member

  • Members
  • 19 posts

Posted 21 May 2009 - 10:21 AM

I tried all of that.

Nothing worked.

I was not sure about the RootRepeal, so the generated log is:

ROOTREPEAL © AD, 2007-2008
==================================================
Scan Time: 2009/05/20 14:55
Program Version: Version 1.2.3.0
Windows Version: Windows XP SP2
==================================================

Hidden/Locked Files
-------------------
Path: Volume C:\
Status: MBR Rootkit Detected!

Path: C:\hiberfil.sys
Status: Locked to the Windows API!

Path: C:\Documents and Settings\KLO.IPLS\Local Settings\Temp\etilqs_eupI3vzDlTUMWIa4LeG0
Status: Allocation size mismatch (API: 65536, Raw: 0)

Path: C:\Documents and Settings\KLO.IPLS\Local Settings\Temp\plugtmp-154\plugin-gameEnd.xml
Status: Visible to the Windows API, but not on disk.

Path: C:\Documents and Settings\KLO.IPLS\Local Settings\Temporary Internet Files\Content.IE5\3YKFJ5WP\=25;S=245;B=1;B=26;B=73;B=100;VS=3;dir=newsnode;dir=news;kw=emailsend;pos=ad2;sz=728x90;ad=lb;rs=10020;rs=10086;rss=n;poe=no;page=section;tile=2;ord=110695389214264690
Status: Locked to the Windows API!

Path: C:\Documents and Settings\KLO.IPLS\Local Settings\Temporary Internet Files\Content.IE5\9FBZX102\activity;src=916414;met=1;v=1;pid=12847824;aid=29252626;ko=0;cid=15533393;rid=15551289;rv=1;&timestamp=1143422818227;eid1=2;ecn1=1;etm1=6;eid2=1004;ecn2=1;etm2[1].gif
Status: Locked to the Windows API!

Path: C:\Documents and Settings\KLO.IPLS\Local Settings\Temporary Internet Files\Content.IE5\FY0739CH\holiday_Lenox_W0QQcatrefZC6QQcoactionZcompareQQcoentrypageZsearchQQcopagenumZ1QQfromZR10QQfrtsZ50QQfsooZ1QQfsopZ1QQftrtZ1QQftrvZ1QQftsZ2QQsacatZ92QQsaprchiZQQs[1].htm
Status: Locked to the Windows API!

Path: C:\Documents and Settings\KLO.IPLS\Local Settings\Temporary Internet Files\Content.IE5\I1XI7ID4\F;F=74;G=2;S=25;S=245;B=1;B=26;B=73;B=100;VS=3;dir=stylenode;dir=style;kw=usl_446;pos=ad7;sz=446x33;ad=fb;rs=98;rss=n;poe=no;page=section;tile=7;ord=911803494365706500
Status: Locked to the Windows API!

Path: C:\Documents and Settings\KLO.IPLS\Local Settings\Temporary Internet Files\Content.IE5\JN6JCYBA\activity;src=1125536;met=1;v=1;pid=12920031;aid=30680943;ko=0;cid=15814753;rid=15832648;rv=1;&timestamp=1144775938342;eid1=2;ecn1=0;etm1=6;eid2=3;ecn2=1;etm2=2[1].gif
Status: Locked to the Windows API!

Path: C:\Documents and Settings\KLO.IPLS\Local Settings\Temporary Internet Files\Content.IE5\Q7QZM1MV\161.com%2Fdictionary%2Fmockup&color_line=ff0000&kw_type=broad&kw=mock-up&ad_type=text_image&u_h=1024&u_w=1280&u_ah=994&u_aw=1280&u_cd=32&u_tz=-300&u_his=14&u_java=true
Status: Locked to the Windows API!

Path: C:\Documents and Settings\KLO.IPLS\Local Settings\Temporary Internet Files\Content.IE5\S103OFOJ\cream-soup_Lenox_W0QQcatrefZC6QQcoactionZcompareQQcoentrypageZsearchQQcoitemZ7392020687QQcopagenumZ1QQfromZR10QQfrtsZ50QQfsooZ1QQfsopZ1QQftrtZ1QQftrvZ1QQftsZ2Q[1].htm
Status: Locked to the Windows API!

Path: C:\Documents and Settings\KLO.IPLS\Local Settings\Temporary Internet Files\Content.IE5\YD9YJIXW\cream-soup_Lenox_W0QQcatrefZC6QQcoactionZcompareQQcoentrypageZsearchQQcoitemZ7392020687QQcopagenumZ1QQfrisZ2QQfromZR10QQfsooZ1QQfsopZ1QQftrtZ1QQftrvZ1QQftsZ2QQ[1].htm
Status: Locked to the Windows API!

Path: C:\Documents and Settings\KLO.IPLS\Local Settings\Temporary Internet Files\Content.IE5\YD9YJIXW\mansfield_Pottery-Glass_W0QQcatrefZC6QQcoactionZcompareQQcoentrypageZsearchQQcopagenumZ1QQfromZR10QQfrtsZ50QQfsooZ1QQfsopZ1QQftrtZ1QQftrvZ1QQftsZ2QQsacatZ870QQ[1].htm
Status: Locked to the Windows API!

Path: C:\Documents and Settings\KLO.IPLS\Local Settings\Temporary Internet Files\Content.IE5\YD9YJIXW\Type=click&FlightID=8874&AdID=13301&TargetID=1698&Segments=8,100,105,133,277,292,329,532,716,769,899,1037,1509,1576,1645&Targets=1295,1037,1698,678,1280,877,12[1].htm
Status: Locked to the Windows API!

Path: C:\Documents and Settings\KLO.IPLS\Local Settings\Temporary Internet Files\Content.IE5\YQRXQMHV\Type=click&FlightID=8952&AdID=13263&TargetID=1254&Segments=5,8,21,100,105,106,164,252,268,329,627,714,898,1039,1360,1402,1404,1450,1464,1567,1569,1576,1640,166[1].htm
Status: Locked to the Windows API!

Is something in there that I am missing?

Any other ideas??

FYI Malware is hanging up at 3 seconds - when it is enumerating the registry in preparation for the scan. When I initially opened the randomizer file Malware started immediately before I could close any programs and it got to 4 seconds before it went totally blank.

Thanks!

#4 FriscoGirl

FriscoGirl

    New Member

  • Members
  • 19 posts

Posted 21 May 2009 - 10:34 AM

Also, I cannot search My Computer anymore. Just get the flashlight for hours.

#5 AdvancedSetup

AdvancedSetup

    Staff

  • Root Admin
  • 41,130 posts
  • Gender:Male
  • Location:US

Posted 21 May 2009 - 10:09 PM

Status: MBR Rootkit Detected!

You need to run this and it should fix it. Please use a clean computer to download and burn. Use a friend or work computer if you have to.

Avira AntiVir Rescue System

Requires access to a working computer with a CD/DVD burner to create a bootable CD.

  • Download the Avira AntiVir Rescue System from here
  • Place a blank CD in your burner and double-click on the downloaded file named rescuecd.exe
  • The program will automatically burn the CD for you.
  • Place the burned CD into the affected computer and start the computer from this CD.
  • On the bottom left side of the screen there are 2 flags. Using your mouse click on the British flag to use English.
  • Click on the Configuration button.
    • Select Scan all files
    • Select Try to repair infected files and Rename files, if they cannot be removed
    • Select Scan for dialers
    • Select Scan for joke programs (Jokes)
    • Select Scan for games
    • Select Scan for spyware (SPR)
  • Click on Virus scanner
  • Click on Start scanner at the bottom of the screen
  • Currently the program does not support saving a log. Write down the number of items for Records, Suspect files, and Warnings.
The Avira AntiVir Rescue System is a Linux-based application that allows accessing computers that cannot be booted anymore and is updated several times a day so that the most recent security updates are always available.

Possible solutions to Screen Resolution and other issues
  • Please see the post here if you're unable to view the entire screen of Avira.
  • You can also review this one Fixed Rescue CD Resolution Probs with Dell Video
  • Currently only the German keyboard is supported. Command line not working: English keyboards require workarounds.
  • Some computers attempt to mount the floppy even though they don't have one. You may need to go in to the BIOS and disable the floppy drive in order to mount your hard drive for scanning.


Ron Lewis
Forum Community Manager



#6 FriscoGirl

FriscoGirl

    New Member

  • Members
  • 19 posts

Posted 22 May 2009 - 02:06 PM

Thanks.

I am wondering if I should still do this in view of recent events on the computer.

I ended up with a screen saying

The system has recovered from a serious error.
ERROR Signature
BCCode:100000dl BCP1:000000000 BCP2:00000002 BCP3:00000000 BCP4:00000000
OSVer:5_1_2600 SO:2_0 Product:256_1

It indicated either a driver issue or a software problem. I checked the drivers with the Dell Driver Reset Tool. The other option they gave was to restore it to a set point. I reset it to the one before the problems began.

Then I rebooted and got the blue screen with IRQL_NOT_LESS_OR_EQUAL with a bunch of codes.

I then rebooted several times and used Spybot to remove Vundo. I then tried the Avira AntiVir without updates. It scanned and found

Avira AntiVir Personal
Report file date: Thursday, May 21, 2009 17:36

Scanning for 1413622 virus strains and unwanted programs.

Licensed to: Avira AntiVir PersonalEdition Classic
Serial number: 0000149996-ADJIE-0001
Platform: Windows XP
Windows version: (Service Pack 2) [5.1.2600]
Boot mode: Normally booted
Username: SYSTEM
Computer name: KO1

Version information:
BUILD.DAT : 8.2.0.348 16934 Bytes 3/23/2009 13:44:00
AVSCAN.EXE : 8.1.4.10 315649 Bytes 11/18/2008 14:21:26
AVSCAN.DLL : 8.1.4.0 40705 Bytes 5/26/2008 13:56:40
LUKE.DLL : 8.1.4.5 164097 Bytes 6/12/2008 18:44:19
LUKERES.DLL : 8.1.4.0 12033 Bytes 5/26/2008 13:58:52
ANTIVIR0.VDF : 7.1.0.0 15603712 Bytes 10/27/2008 16:29:38
ANTIVIR1.VDF : 7.1.2.12 3336192 Bytes 2/11/2009 00:32:40
ANTIVIR2.VDF : 7.1.4.0 2336768 Bytes 5/20/2009 20:43:06
ANTIVIR3.VDF : 7.1.4.3 17920 Bytes 5/21/2009 20:43:07
Engineversion : 8.2.0.168
AEVDF.DLL : 8.1.1.1 106868 Bytes 5/21/2009 20:43:30
AESCRIPT.DLL : 8.1.2.0 389497 Bytes 5/21/2009 20:43:28
AESCN.DLL : 8.1.2.3 127347 Bytes 5/21/2009 20:43:26
AERDL.DLL : 8.1.1.3 438645 Bytes 11/4/2008 19:58:38
AEPACK.DLL : 8.1.3.16 397686 Bytes 5/21/2009 20:43:15
AEOFFICE.DLL : 8.1.0.36 196987 Bytes 2/26/2009 23:48:23
AEHEUR.DLL : 8.1.0.129 1761655 Bytes 5/21/2009 20:43:13
AEHELP.DLL : 8.1.2.2 119158 Bytes 2/26/2009 23:48:20
AEGEN.DLL : 8.1.1.44 348532 Bytes 5/21/2009 20:43:11
AEEMU.DLL : 8.1.0.9 393588 Bytes 10/14/2008 16:05:56
AECORE.DLL : 8.1.6.9 176500 Bytes 5/21/2009 20:43:09
AEBB.DLL : 8.1.0.3 53618 Bytes 10/14/2008 16:05:56
AVWINLL.DLL : 1.0.0.12 15105 Bytes 7/9/2008 14:40:05
AVPREF.DLL : 8.0.2.0 38657 Bytes 5/16/2008 15:28:01
AVREP.DLL : 8.0.0.3 155688 Bytes 5/21/2009 20:43:08
AVREG.DLL : 8.0.0.1 33537 Bytes 5/9/2008 17:26:40
AVARKT.DLL : 1.0.0.23 307457 Bytes 2/12/2008 14:29:23
AVEVTLOG.DLL : 8.0.0.16 119041 Bytes 6/12/2008 18:27:49
SQLITE3.DLL : 3.3.17.1 339968 Bytes 1/22/2008 23:28:02
SMTPLIB.DLL : 1.2.0.23 28929 Bytes 6/12/2008 18:49:40
NETNT.DLL : 8.0.0.1 7937 Bytes 1/25/2008 18:05:10
RCIMAGE.DLL : 8.0.0.51 2371841 Bytes 6/12/2008 19:48:07
RCTEXT.DLL : 8.0.52.0 86273 Bytes 6/27/2008 19:34:37

Configuration settings for the scan:
Jobname..........................: Complete system scan
Configuration file...............: c:\program files\avira\antivir personaledition classic\sysscan.avp
Logging..........................: low
Primary action...................: interactive
Secondary action.................: ignore
Scan master boot sector..........: on
Scan boot sector.................: on
Boot sectors.....................: C:,
Process scan.....................: on
Scan registry....................: on
Search for rootkits..............: off
Scan all files...................: All files
Scan archives....................: on
Recursion depth..................: 20
Smart extensions.................: on
Macro heuristic..................: on
File heuristic...................: medium

Start of the scan: Thursday, May 21, 2009 17:36

The scan of running processes will be started
Scan process 'avscan.exe' - '1' Module(s) have been scanned
Scan process 'avcenter.exe' - '1' Module(s) have been scanned
Scan process 'msmsgs.exe' - '0' Module(s) have been scanned
Scan process 'HelpCtr.exe' - '1' Module(s) have been scanned
Scan process 'HelpCtr.exe' - '1' Module(s) have been scanned
Scan process 'HelpCtr.exe' - '1' Module(s) have been scanned
Scan process 'HelpCtr.exe' - '1' Module(s) have been scanned
Scan process 'USB_ImationFlashDetect.exe' - '1' Module(s) have been scanned
Scan process 'msmsgs.exe' - '1' Module(s) have been scanned
Scan process 'ctfmon.exe' - '1' Module(s) have been scanned
Scan process 'realsched.exe' - '1' Module(s) have been scanned
Scan process 'avgnt.exe' - '1' Module(s) have been scanned
Scan process 'reader_sl.exe' - '1' Module(s) have been scanned
Scan process 'qttask.exe' - '1' Module(s) have been scanned
Scan process 'hpwuSchd2.exe' - '1' Module(s) have been scanned
Scan process 'igfxpers.exe' - '1' Module(s) have been scanned
Scan process 'hkcmd.exe' - '1' Module(s) have been scanned
Scan process 'hpcmpmgr.exe' - '1' Module(s) have been scanned
Scan process 'ccRegVfy.exe' - '1' Module(s) have been scanned
Scan process 'ccApp.exe' - '1' Module(s) have been scanned
Scan process 'smax4pnp.exe' - '1' Module(s) have been scanned
Scan process 'explorer.exe' - '1' Module(s) have been scanned
Scan process 'AluSchedulerSvc.exe' - '1' Module(s) have been scanned
Scan process 'avguard.exe' - '1' Module(s) have been scanned
Scan process 'avwsc.exe' - '1' Module(s) have been scanned
Scan process 'sched.exe' - '1' Module(s) have been scanned
Scan process 'ccEvtMgr.exe' - '1' Module(s) have been scanned
Scan process 'spoolsv.exe' - '1' Module(s) have been scanned
Scan process 'svchost.exe' - '1' Module(s) have been scanned
Scan process 'svchost.exe' - '1' Module(s) have been scanned
Scan process 'svchost.exe' - '1' Module(s) have been scanned
Scan process 'svchost.exe' - '1' Module(s) have been scanned
Scan process 'svchost.exe' - '1' Module(s) have been scanned
Scan process 'svchost.exe' - '1' Module(s) have been scanned
Scan process 'lsass.exe' - '1' Module(s) have been scanned
Scan process 'services.exe' - '1' Module(s) have been scanned
Scan process 'winlogon.exe' - '1' Module(s) have been scanned
Scan process 'csrss.exe' - '1' Module(s) have been scanned
Scan process 'smss.exe' - '1' Module(s) have been scanned
38 processes with 38 modules were scanned

Starting master boot sector scan:
Master boot sector HD0
[INFO] No virus was found!

Start scanning boot sectors:
Boot sector 'C:\'
[INFO] No virus was found!

Starting to scan the registry.
The registry was scanned ( '59' files ).


Starting the file scan:

Begin scan in 'C:\'
C:\hiberfil.sys
[WARNING] The file could not be opened!
C:\pagefile.sys
[WARNING] The file could not be opened!
C:\System Volume Information\_restore{46DE8921-1D39-44D2-A9E9-64119261F211}\RP1244\A0155420.dll
[DETECTION] Is the TR/Agent.bxhx Trojan
[NOTE] The file was deleted!
C:\System Volume Information\_restore{46DE8921-1D39-44D2-A9E9-64119261F211}\RP1244\A0155421.exe
[DETECTION] Is the TR/Dldr.Agent.bxhx Trojan
[NOTE] The file was deleted!
C:\WINDOWS\system32\.cc9b6bee\cc9b6bee.core.dll
[DETECTION] Is the TR/Agent.bxhx Trojan
[NOTE] The file was deleted!
C:\WINDOWS\system32\.cc9b6bee\cc9b6bee.exe
[DETECTION] Is the TR/Dldr.Agent.bxhx Trojan
[NOTE] TR/Dldr.Agent.bxhx:[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\cc9b6bee]
[NOTE] TR/Dldr.Agent.bxhx:[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_cc9b6bee]
[NOTE] The file was deleted!


End of the scan: Thursday, May 21, 2009 19:29
Used time: 1:52:46 Hour(s)

The scan has been done completely.

18174 Scanning directories
833763 Files were scanned
4 viruses and/or unwanted programs were found
0 Files were classified as suspicious:
4 files were deleted
0 files were repaired
0 files were moved to quarantine
0 files were renamed
2 Files cannot be scanned
833757 Files not concerned
14672 Archives were scanned
2 Warnings
4 Notes

After this it was able to update and the scan was run again with no detections.

After rebooting, Malwarebytes worked for scanning. It found

Malwarebytes' Anti-Malware 1.35
Database version: 1923
Windows 5.1.2600 Service Pack 2

5/21/2009 8:33:03 PM
mbam-log-2009-05-21 (20-33-03).txt

Scan type: Quick Scan
Objects scanned: 86418
Time elapsed: 9 minute(s), 22 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)

After rebooting, Malwarebytes was updated and the scan rerun with one infection found and taken care of. The log is

Malwarebytes' Anti-Malware 1.36
Database version: 2164
Windows 5.1.2600 Service Pack 2

5/21/2009 8:43:03 PM
mbam-log-2009-05-21 (20-43-03).txt

Scan type: Quick Scan
Objects scanned: 100386
Time elapsed: 7 minute(s), 33 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 1

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
C:\WINDOWS\system32\lunegogu.dll (Trojan.Vundo) -> Quarantined and deleted successfully.

I have since updated and rerun all of the scans. No more detections or infections. The computer is working great.

If you think I should still go through the other process, please let me know.

I assume that this was due to a software program that my 8 year old installed without permission to even use the computer. The restore deleted the installed program.

Thanks again!!!

#7 AdvancedSetup

AdvancedSetup

    Staff

  • Root Admin
  • 41,130 posts
  • Gender:Male
  • Location:US

Posted 22 May 2009 - 07:01 PM

Looks pretty good. I'd suggest the following be run.

You may have corrupted files on your disk. Please try running the following.
First close ALL Applications as this routine will automatically restart your computer.
Click on START - RUN and copy / paste the following entry into the box and click OK
CMD /C ECHO Y|CHKDSK C: /F | SHUTDOWN /R /T 30



Then run the following which will help us to see what might still be on the box.

Download DDS and save it to your desktop
http://download.bleepingcomputer.com/sUBs/dds.scr

Disable any script blocker if your Anti-Virus/Anti-Malware has it.
Once downloaded you can disconnect from the Internet and disable your Anti-Virus temporarily if needed.
Then double click dds.scr to run the tool.
When done, the DDS.txt will open.
Click Yes at the next prompt for Optional Scan.

  • When done, DDS will open two (2) logs:
  • DDS.txt
  • Attach.txt
  • Save both reports to your desktop
  • Please include the following logs in your next reply: DDS.txt and Attach.txt


Ron Lewis
Forum Community Manager



#8 AdvancedSetup

AdvancedSetup

    Staff

  • Root Admin
  • 41,130 posts
  • Gender:Male
  • Location:US

Posted 26 May 2009 - 01:00 AM

Please post a status update on this.

Thanks.

Ron Lewis
Forum Community Manager



#9 AdvancedSetup

AdvancedSetup

    Staff

  • Root Admin
  • 41,130 posts
  • Gender:Male
  • Location:US

Posted 27 May 2009 - 03:02 AM

Due to the lack of feedback this Topic is closed to prevent others from posting here. If you need this topic reopened, please send a Private Message to any one of the moderating team members. Please include a link to this thread with your request. This applies only to the originator of this thread.

Other members who need assistance please start your own topic in a new thread. Thanks!

The fixes and advice in this thread are for this machine only. Do not apply the instructions from this thread to your own machine. Please start a new thread describing your issue and someone will be along to assist you.

Ron Lewis
Forum Community Manager



#10 AdvancedSetup

AdvancedSetup

    Staff

  • Root Admin
  • 41,130 posts
  • Gender:Male
  • Location:US

Posted 27 May 2009 - 05:43 PM

Reopened at user's request.

Ron Lewis
Forum Community Manager



#11 FriscoGirl

FriscoGirl

    New Member

  • Members
  • 19 posts

Posted 27 May 2009 - 09:22 PM

Thanks!!

I followed your instructions.

The DDS.txt is:


DDS (Ver_09-05-14.01) - NTFSx86
Run by klo at 17:04:20.81 on Wed 05/27/2009
Internet Explorer: 6.0.2900.2180 BrowserJavaVersion: 1.5.0_12
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.1022.656 [GMT -4:00]

AV: Avira AntiVir PersonalEdition *On-access scanning disabled* (Updated) {AD166499-45F9-482A-A743-FDD3350758C7}

============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
C:\WINDOWS\system32\svchost.exe -k WudfServiceGroup
svchost.exe
svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Avira\AntiVir PersonalEdition Classic\sched.exe
svchost.exe
C:\Program Files\Avira\AntiVir PersonalEdition Classic\avguard.exe
C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
C:\PCT-SAFE\Firebird\Bin\fbguard.exe
C:\PCT-SAFE\Firebird\Bin\fbserver.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Analog Devices\Core\smax4pnp.exe
C:\Program Files\HP\hpcoretech\hpcmpmgr.exe
C:\WINDOWS\system32\igfxpers.exe
C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
C:\Program Files\QuickTime\qttask.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe
C:\Program Files\Avira\AntiVir PersonalEdition Classic\avgnt.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Documents and Settings\KLO.IPLS\Local Settings\Temp\Imation\USB_ImationFlashDetect.exe
C:\Documents and Settings\KLO.IPLS\Desktop\dds.scr

============== Pseudo HJT Report ===============

uStart Page = hxxp://ixquick.com/eng/
uSearch Page = hxxp://www.google.com
uDefault_Page_URL = hxxp://www.dell4me.com/mywaybiz
uSearch Bar = hxxp://www.google.com/ie
mDefault_Page_URL = hxxp://www.dell4me.com/mywaybiz
mDefault_Search_URL = hxxp://www.google.com/ie
mStart Page = hxxp://www.dell4me.com/mywaybiz
uInternet Connection Wizard,ShellNext = iexplore
uSearchAssistant = hxxp://www.google.com/ie
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
mSearchAssistant = hxxp://www.google.com/ie
BHO: Adobe PDF Reader Link Helper: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelper.dll
BHO: RealPlayer Download and Record Plugin for Internet Explorer: {3049c3e9-b461-4bc5-8870-4c09146192ca} - c:\program files\real\realplayer\rpbrowserrecordplugin.dll
BHO: Spybot-S&D IE Protection: {53707962-6f74-2d53-2644-206d7942484f} - c:\progra~1\spybot~1\SDHelper.dll
BHO: {68222a89-715b-48df-80ba-f103481aaca5} - No File
BHO: SSVHelper Class: {761497bb-d6f0-462c-b6eb-d4daf1d92d43} - c:\program files\java\jre1.6.0_02\bin\ssv.dll
BHO: {9e166ea2-cab4-49e1-9f57-3054bbc2e9ed} - No File
TB: Yahoo! Toolbar: {ef99bd32-c1fb-11d2-892f-0090271d4f88} -
EB: Adobe PDF: {182ec0be-5110-49c8-a062-beb1d02a220b} - c:\program files\adobe\acrobat 6.0\acrobat\AcroIEFavClient.dll
EB: {4528BBE0-4E08-11D5-AD55-00010333D0AD} - No File
uRun: [Aim6]
uRun: [AIM] c:\program files\aim\aim.exe -cnetwait.odl
uRun: [Regscan] c:\windows\system32\regscan.exe
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRun: [SpybotSD TeaTimer] c:\program files\spybot - search & destroy - 1-62\TeaTimer.exe
mRun: [SoundMAXPnP] c:\program files\analog devices\core\smax4pnp.exe
mRun: [DXDllRegExe] c:\windows\system32\dxdllreg.exe
mRun: [HP Component Manager] "c:\program files\hp\hpcoretech\hpcmpmgr.exe"
mRun: [igfxtray] c:\windows\system32\igfxtray.exe
mRun: [igfxhkcmd] c:\windows\system32\hkcmd.exe
mRun: [igfxpers] c:\windows\system32\igfxpers.exe
mRun: [HP Software Update] c:\program files\hp\hp software update\HPWuSchd2.exe
mRun: [QuickTime Task] "c:\program files\quicktime\qttask.exe" -atboottime
mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 8.0\reader\Reader_sl.exe"
mRun: [Synchronization Manager] %SystemRoot%\system32\mobsync.exe /logon
mRun: [avgnt] "c:\program files\avira\antivir personaledition classic\avgnt.exe" /min
mRun: [TkBellExe] "c:\program files\common files\real\update_ob\realsched.exe" -osboot
StartupFolder: c:\docume~1\klo~1.ipl\startm~1\programs\startup\imatio~1.lnk - c:\documents and settings\klo.ipls\local settings\temp\imation\USB_ImationFlashDetect.exe
IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office11\EXCEL.EXE/3000
IE: {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - c:\program files\aim\aim.exe
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~2\office11\REFIEBAR.DLL
IE: {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - {53707962-6F74-2D53-2644-206D7942484F} - c:\progra~1\spybot~1\SDHelper.dll
Trusted Zone: fedex.com\www
Trusted Zone: saas-elearn.org
Trusted Zone: theiplawgroup.com\mail
DPF: {049A470D-F818-4E34-B14D-E4E237DADCF8} - hxxp://www.shockwave.com/content/fashiondash/sis/fashiondashweb.1.0.0.21.cab
DPF: {055B4212-4C81-448E-AFA9-C3CA4AAE8F95} - hxxp://www.shockwave.com/content/dairydash/sis/DairyDashWeb.1.0.0.12.cab
DPF: {106E49CF-797A-11D2-81A2-00E02C015623} - hxxp://www.alternatiff.com/install/00/alttiff.cab
DPF: {195B4BBF-E1E4-4020-9773-0A8C6F65EA35} - hxxp://www.shockwave.com/content/cookingdash/sis/CookingDashWeb.1.0.0.9.cab
DPF: {1A595EDD-978A-48C7-B730-AF3B9CC64DAB} - hxxp://63.251.81.180/component/VZWDLManager.cab
DPF: {233C1507-6A77-46A4-9443-F871F945D258} - hxxp://download.macromedia.com/pub/shockwave/cabs/director/sw.cab
DPF: {2D8ED06D-3C30-438B-96AE-4D110FDC1FB8} - hxxp://acs.pandasoftware.com/activescan/cabs/as2stubie.cab
DPF: {3269A168-A467-4236-9D77-FF36D8DFB20F} - hxxps://bis.na.blackberry.com/html/web/client_tools/RIM-PwpClient.cab
DPF: {3E68E405-C6DE-49FF-83AE-41EE9F4C36CE} - hxxp://office.microsoft.com/officeupdate/content/opuc3.cab
DPF: {49232000-16E4-426C-A231-62846947304B} - hxxp://ipgweb.cce.hp.com/rdqaio/downloads/sysinfo.cab
DPF: {5ED80217-570B-4DA9-BF44-BE107C0EC166} - hxxp://cdn.scan.onecare.live.com/resource/download/scanner/wlscbase6662.cab
DPF: {6715D12F-213F-4C6E-ACE1-8A363F550B96} - hxxp://www.shockwave.com/content/doggiedash/sis/DoggieDash.1.0.0.6.cab
DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} - hxxp://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1128752109638
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-6-windows-i586.cab
DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} - hxxp://fpdownload.macromedia.com/get/flashplayer/current/ultrashim.cab
DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1}
DPF: {AB86CE53-AC9F-449F-9399-D8ABCA09EC09} - hxxps://h17000.www1.hp.com/ewfrf-JAVA/Secure/HPGetDownloadManager.ocx
DPF: {B516CA4E-A5BA-405C-AFCF-A97F08CC7429} - hxxp://www.shockwave.com/content/burgershop/sis/GoBitGamesPlayer_v5.cab
DPF: {CAFEEFAC-0014-0002-0003-ABCDEFFEDCBA} - hxxp://java.sun.com/products/plugin/autodl/jinstall-142-windows-i586.cab
DPF: {CAFEEFAC-0015-0000-0012-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_12-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0002-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_02-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_02-windows-i586.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://fpdownload.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
DPF: {EB387D2F-E27B-4D36-979E-847D1036C65D} - hxxp://h30043.www3.hp.com/aio/en/check/qdiagh.cab?326
TCP: {ED39E28C-66FE-4B6F-A17A-E54DA18EAECB} = 10.0.1.2,209.183.205.35
Handler: cetihpz - {CF184AD3-CDCB-4168-A3F7-8E447D129300} - c:\program files\hp\hpcoretech\comp\hpuiprot.dll
Notify: awtqo - c:\windows\system32\awtqo.dll
Notify: igfxcui - igfxdev.dll
AppInit_DLLs: wwbkqg.dll neyvcx.dll zvvqos.dll c:\windows\system32\nakukaji.dll c:\windows\system32\nogezote.dll c:\windows\system32\gefuvura.dll c:\windows\system32\nowelafo.dll c:\windows\system32\rijikoyi.dll c:\windows\system32\dudipore.dll c:\windows\system32\tenihisu.dll ,
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
LSA: Notification Packages = scecli c:\windows\system32\tenihisu.dll

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\klo~1.ipl\applic~1\mozilla\firefox\profiles\ufvj2z9r.default\
FF - prefs.js: browser.startup.homepage - hxxp://www.ixquick.com/
FF - component: c:\program files\real\realplayer\browserrecord\components\nprpbrowserrecordplugin.dll
FF - plugin: c:\program files\java\jre1.5.0_12\bin\NPJava11.dll
FF - plugin: c:\program files\java\jre1.5.0_12\bin\NPJava12.dll
FF - plugin: c:\program files\java\jre1.5.0_12\bin\NPJava13.dll
FF - plugin: c:\program files\java\jre1.5.0_12\bin\NPJava14.dll
FF - plugin: c:\program files\java\jre1.5.0_12\bin\NPJava32.dll
FF - plugin: c:\program files\java\jre1.5.0_12\bin\NPJPI150_12.dll
FF - plugin: c:\program files\java\jre1.5.0_12\bin\NPOJI610.dll
FF - plugin: c:\program files\unity\webplayer\loader\npUnity3D32.dll

============= SERVICES / DRIVERS ===============

R0 pavboot;pavboot;c:\windows\system32\drivers\pavboot.sys [2009-2-3 28544]
R1 avgio;avgio;c:\program files\avira\antivir personaledition classic\avgio.sys [2009-1-26 11840]
R2 AntiVirScheduler;Avira AntiVir Personal - Free Antivirus Scheduler;c:\program files\avira\antivir personaledition classic\sched.exe [2009-1-26 68865]
R2 AntiVirService;Avira AntiVir Personal - Free Antivirus Guard;c:\program files\avira\antivir personaledition classic\avguard.exe [2009-1-26 151297]
R2 FireBirdGuardian;FireBird Guardian Server;c:\pct-safe\firebird\bin\fbguard.exe -s --> c:\pct-safe\firebird\bin\fbguard.exe -s [?]
R2 FireBirdServer;FireBird Database Server;c:\pct-safe\firebird\bin\fbserver.exe -s -g --> c:\pct-safe\firebird\bin\fbserver.exe -s -g [?]
R2 U3SDR200;U3SDR200;c:\windows\system32\drivers\U3SDR200.SYS [2008-3-16 4224]
R3 avgntflt;avgntflt;c:\program files\avira\antivir personaledition classic\avgntflt.sys [2009-1-26 52032]
S2 cc9b6bee;Microsoft DDE+ server;c:\windows\system32\.cc9b6bee\cc9b6bee.exe --> c:\windows\system32\.cc9b6bee\cc9b6bee.exe [?]
S2 WMSLService;Windows Management Licence Service;c:\windows\inf\svchost.exe --> c:\windows\inf\svchost.exe [?]
S3 brfilt;Brother MFC Filter Driver;c:\windows\system32\drivers\BrFilt.sys [2008-10-2 2944]
S3 BrSerWDM;Brother Serial driver;c:\windows\system32\drivers\BrSerWdm.sys [2008-10-2 60416]
S3 BrUsbMdm;Brother MFC USB Fax Only Modem;c:\windows\system32\drivers\BrUsbMdm.sys [2008-10-2 11008]
S3 BrUsbScn;Brother MFC USB Scanner driver;c:\windows\system32\drivers\BrUsbScn.sys [2008-10-2 10368]
S3 MR97310_VGA_DUAL_CAMERA;MR97310 VGA Dual Mode Camera;c:\windows\system32\drivers\mr97310v.sys [2005-9-23 116078]

=============== Created Last 30 ================

2009-05-23 08:23 <DIR> --d----- c:\windows\system32\KB905474
2009-05-21 16:25 283,648 -------- c:\windows\system32\dllcache\pdh.dll
2009-05-21 16:25 60,416 -------- c:\windows\system32\dllcache\colbact.dll
2009-05-21 16:25 35,328 -------- c:\windows\system32\dllcache\sc.exe
2009-05-21 16:25 453,120 -------- c:\windows\system32\dllcache\wmiprvsd.dll
2009-05-21 16:25 227,840 -------- c:\windows\system32\dllcache\wmiprvse.exe
2009-05-21 16:25 110,592 -------- c:\windows\system32\dllcache\services.exe
2009-05-21 16:24 215,552 -------- c:\windows\system32\dllcache\wordpad.exe
2009-05-20 10:45 <DIR> --d----- c:\program files\common files\Panda Security
2009-05-16 21:04 388,608 a------- c:\windows\system32\cmd.execf
2009-05-16 21:04 <DIR> --d----- C:\32788R22FWJFW(2)
2009-05-16 21:04 <DIR> --d----- C:\Combo-fix.exe

==================== Find3M ====================

2009-04-06 15:32 38,496 a------- c:\windows\system32\drivers\mbamswissarmy.sys
2009-04-06 15:32 15,504 a------- c:\windows\system32\drivers\mbam.sys
2009-03-29 01:41 499,712 a------- c:\windows\system32\msvcp71.dll
2009-03-29 01:41 348,160 a------- c:\windows\system32\msvcr71.dll
2009-03-21 10:18 986,112 a------- c:\windows\system32\dllcache\kernel32.dll
2009-03-06 10:44 283,648 a------- c:\windows\system32\pdh.dll
2009-03-02 19:52 1,495,552 a------- c:\windows\system32\dllcache\shdocvw.dll
2008-07-09 13:35 3,902,784 a------- c:\documents and settings\klo.ipls\gosetup.exe
2006-11-14 21:23 56,912 a------- c:\documents and settings\klo.ipls\g2mdlhlpx.exe
2005-07-13 00:35 151,040 a------- c:\program files\common files\MSVCRT.MSM
2004-12-13 21:17 1,001,472 a------- c:\program files\common files\VFP9RptApps.msm
2004-12-13 21:17 4,595,712 a------- c:\program files\common files\Vfp9Runtime.msm
2009-02-03 04:13 134,379 a--sh--- c:\windows\system32\ehjcrz.dll
0000-00-00 00:00 2,048 a--sh--- c:\windows\system32\fevahiva.dll
2009-01-26 12:13 140,955 a--sh--- c:\windows\system32\jlpsoq.dll
2009-01-26 12:13 140,955 a--sh--- c:\windows\system32\kenayiba.dll
2009-02-02 04:13 135,464 a--sh--- c:\windows\system32\litijihi.dll
2009-01-31 04:12 135,263 a--sh--- c:\windows\system32\mrfohd.dll
2009-01-31 16:12 135,284 a--sh--- c:\windows\system32\mupdvm.dll
2009-02-03 04:13 134,379 a--sh--- c:\windows\system32\nafazoye.dll
2009-02-01 04:13 135,333 a--sh--- c:\windows\system32\nwlics.dll
2005-10-07 16:21 336,972 a--sh--- c:\windows\system32\oqtwa.bak1
2005-10-11 09:39 338,715 a--sh--- c:\windows\system32\oqtwa.bak2
2009-02-02 04:13 135,464 a--sh--- c:\windows\system32\pivtrt.dll
2009-01-30 16:12 2,098 ---sh--- c:\windows\system32\rurobahe.exe
2009-02-02 16:13 133,822 a--sh--- c:\windows\system32\susisawo.dll
2009-02-01 04:13 135,333 a--sh--- c:\windows\system32\togehupe.dll
2009-02-02 16:13 133,822 a--sh--- c:\windows\system32\wbzrnu.dll
2009-02-01 16:13 135,301 a--sh--- c:\windows\system32\wilawape.dll

============= FINISH: 17:05:42.82 ===============


The Attach.txt is:


UNLESS SPECIFICALLY INSTRUCTED, DO NOT POST THIS LOG.
IF REQUESTED, ZIP IT UP & ATTACH IT

DDS (Ver_09-05-14.01)

Microsoft Windows XP Professional
Boot Device: \Device\HarddiskVolume2
Install Date: 7/8/2005 8:52:18 AM
System Uptime: 5/27/2009 4:56:53 PM (1 hours ago)

Motherboard: Dell Computer Corp. | | 0TC666
Processor: Intel® Pentium® 4 CPU 2.80GHz | Microprocessor | 2793/533mhz

==== Disk Partitions =========================

C: is FIXED (NTFS) - 34 GiB total, 2.934 GiB free.
D: is CDROM ()
K: is NetworkDisk (*NT5CSC) - 34 GiB total, 2.934 GiB free.

==== Disabled Device Manager Items =============

==== System Restore Points ===================

RP1220: 2/27/2009 4:04:52 AM - System Checkpoint
RP1221: 2/28/2009 4:33:53 AM - System Checkpoint
RP1222: 3/1/2009 5:33:53 AM - System Checkpoint
RP1223: 3/2/2009 11:26:21 AM - System Checkpoint
RP1224: 3/3/2009 11:46:10 AM - System Checkpoint
RP1225: 3/6/2009 10:49:25 AM - System Checkpoint
RP1226: 3/8/2009 8:52:56 AM - System Checkpoint
RP1227: 3/15/2009 11:42:40 AM - System Checkpoint
RP1228: 3/16/2009 12:25:19 PM - System Checkpoint
RP1229: 3/17/2009 2:12:43 PM - System Checkpoint
RP1230: 3/19/2009 3:53:44 PM - System Checkpoint
RP1231: 3/23/2009 7:41:09 AM - System Checkpoint
RP1232: 3/24/2009 8:16:46 AM - System Checkpoint
RP1233: 3/25/2009 10:31:16 PM - System Checkpoint
RP1234: 3/27/2009 6:50:03 AM - System Checkpoint
RP1235: 3/28/2009 7:20:49 AM - System Checkpoint
RP1236: 3/30/2009 12:22:07 PM - System Checkpoint
RP1237: 3/31/2009 12:22:38 PM - System Checkpoint
RP1238: 2/28/2009 3:25:15 PM - System Checkpoint
RP1239: 2/28/2009 6:45:38 PM - Software Distribution Service 3.0
RP1240: 3/1/2009 3:00:51 AM - Software Distribution Service 3.0
RP1241: 4/1/2009 3:55:56 PM - Software Distribution Service 3.0
RP1242: 4/2/2009 11:49:32 PM - System Checkpoint
RP1243: 4/4/2009 12:47:49 AM - System Checkpoint
RP1244: 4/5/2009 1:08:03 AM - System Checkpoint
RP1245: 5/21/2009 4:32:40 PM - Restore Operation
RP1246: 5/21/2009 4:43:56 PM - Software Distribution Service 3.0
RP1247: 5/22/2009 8:58:54 PM - Removed Norton AntiVirus 2003
RP1248: 5/23/2009 6:59:14 AM - Software Distribution Service 3.0
RP1249: 5/24/2009 7:56:15 AM - System Checkpoint
RP1250: 5/25/2009 8:56:13 AM - System Checkpoint
RP1251: 5/26/2009 5:58:56 AM - Restore Operation
RP1252: 5/27/2009 1:12:41 AM - System Checkpoint

==== Installed Programs ======================

5500
5500_Help
5500Tour
5500Trb
Adobe Acrobat - Reader 6.0.2 Update
Adobe Acrobat 6.0 Professional
Adobe Flash Player 9 ActiveX
Adobe Flash Player ActiveX
Adobe Reader 6.0.1
Adobe Reader 8.1.2
Adobe Shockwave Player 11.5
AIM 6.0
AiO_Scan
AiOSoftware
Amicus Accounting
Amicus Administrator
Amicus Attorney
Ancient Trijong and Maui Wowee
AOL Instant Messenger
ArcSoft Camera Suite
Avira AntiVir Personal - Free Antivirus
BufferChm
CCScore
Compatibility Pack for the 2007 Office system
Copy
CreativeProjects
CreativeProjectsTemplates
Critical Update for Windows Media Player 11 (KB959772)
CueTour
CutePDF Writer 2.7
Dell Driver Reset Tool
Dell System Restore
Destinations
Director
DocProc
DocumentViewer
DVD Decrypter (Remove Only)
eFax Messenger 4.3
ESSCDBK
ESScore
ESSgui
ESShelp
ESSini
ESSPCD
ESSSONIC
ESSTOOLS
ESSvpaht
ESSvpot
FairCom Crystal Driver
Fax
GdiplusUpgrade
GE UltraCam
HLPIndex
HLPRFO
Hotfix for Windows Media Format 11 SDK (KB929399)
Hotfix for Windows Media Player 11 (KB939683)
Hotfix for Windows XP (KB926239)
Hotfix for Windows XP (KB952287)
HP Diagnostic Assistant
HP Image Zone 4.2
HP PSC & OfficeJet 4.2
HP Software Update
hpmdtab
HPODiscovery
HPSystemDiagnostics
HyperCam 2
InstantShare
Intel® Extreme Graphics 2 Driver
Intel® PRO Network Adapters and Drivers
Intel® PROSet for Wired Connections
Internet Explorer Default Page
interneTIFF 7.0-Professional (IE Browser)
J2SE Runtime Environment 5.0 Update 12
Java 2 Runtime Environment, SE v1.4.2_03
Java™ 6 Update 2
Kodak EasyShare software
KSU
LG USB Drivers
LG USB Modem Drivers
LiveReg (Symantec Corporation)
LiveUpdate 3.0 (Symantec Corporation)
Macromedia Flash Player
Malwarebytes' Anti-Malware
Memories Disc Creator 2.0
Microsoft .NET Framework 1.1
Microsoft .NET Framework 1.1 Hotfix (KB928366)
Microsoft Compression Client Pack 1.0 for Windows XP
Microsoft Office Professional Edition 2003
Microsoft Office Project Professional 2003
Microsoft User-Mode Driver Framework Feature Pack 1.0
Move Networks Media Player for Internet Explorer
Mozilla Firefox (3.0.10)
Mozilla Thunderbird (1.5.0.8)
MSXML 4.0 SP2 (KB927978)
MSXML 4.0 SP2 (KB936181)
MSXML 4.0 SP2 (KB954430)
MSXML 4.0 SP2 Parser and SDK
MSXML 6 Service Pack 2 (KB954459)
Norton WMI Update
Notifier
OTtBPSDK
overland
Panda ActiveScan 2.0
PCDADDIN
PCDHELP
PCT-SAFE Editor 1.0
PCT-SAFE Editor 1.98
PCT-SAFE Editor Conversion Components
PCT-SAFE Online Filing
PhotoGallery
PrintScreen
ProductContext
QFolder
Qualxserve Service Agreement
QuickBooks Pro 2005
QuickProjects
QuickTime
Readme
RealPlayer
Scan
Security Update for CAPICOM (KB931906)
Security Update for Step By Step Interactive Training (KB898458)
Security Update for Step By Step Interactive Training (KB923723)
Security Update for Windows Media Player (KB911564)
Security Update for Windows Media Player (KB952069)
Security Update for Windows Media Player 10 (KB911565)
Security Update for Windows Media Player 10 (KB917734)
Security Update for Windows Media Player 11 (KB936782)
Security Update for Windows Media Player 11 (KB954154)
Security Update for Windows Media Player 6.4 (KB925398)
Security Update for Windows XP (KB883939)
Security Update for Windows XP (KB890046)
Security Update for Windows XP (KB893066)
Security Update for Windows XP (KB893756)
Security Update for Windows XP (KB896358)
Security Update for Windows XP (KB896422)
Security Update for Windows XP (KB896423)
Security Update for Windows XP (KB896424)
Security Update for Windows XP (KB896428)
Security Update for Windows XP (KB896688)
Security Update for Windows XP (KB899587)
Security Update for Windows XP (KB899588)
Security Update for Windows XP (KB899589)
Security Update for Windows XP (KB899591)
Security Update for Windows XP (KB900725)
Security Update for Windows XP (KB901017)
Security Update for Windows XP (KB901214)
Security Update for Windows XP (KB902400)
Security Update for Windows XP (KB903235)
Security Update for Windows XP (KB904706)
Security Update for Windows XP (KB905414)
Security Update for Windows XP (KB905749)
Security Update for Windows XP (KB905915)
Security Update for Windows XP (KB908519)
Security Update for Windows XP (KB908531)
Security Update for Windows XP (KB911280)
Security Update for Windows XP (KB911562)
Security Update for Windows XP (KB911567)
Security Update for Windows XP (KB911927)
Security Update for Windows XP (KB912812)
Security Update for Windows XP (KB912919)
Security Update for Windows XP (KB913446)
Security Update for Windows XP (KB913580)
Security Update for Windows XP (KB914388)
Security Update for Windows XP (KB914389)
Security Update for Windows XP (KB916281)
Security Update for Windows XP (KB917159)
Security Update for Windows XP (KB917344)
Security Update for Windows XP (KB917422)
Security Update for Windows XP (KB917953)
Security Update for Windows XP (KB918118)
Security Update for Windows XP (KB918439)
Security Update for Windows XP (KB918899)
Security Update for Windows XP (KB919007)
Security Update for Windows XP (KB920213)
Security Update for Windows XP (KB920214)
Security Update for Windows XP (KB920670)
Security Update for Windows XP (KB920683)
Security Update for Windows XP (KB920685)
Security Update for Windows XP (KB921398)
Security Update for Windows XP (KB921503)
Security Update for Windows XP (KB921883)
Security Update for Windows XP (KB922616)
Security Update for Windows XP (KB922760)
Security Update for Windows XP (KB922819)
Security Update for Windows XP (KB923191)
Security Update for Windows XP (KB923414)
Security Update for Windows XP (KB923561)
Security Update for Windows XP (KB923689)
Security Update for Windows XP (KB923694)
Security Update for Windows XP (KB923980)
Security Update for Windows XP (KB924191)
Security Update for Windows XP (KB924270)
Security Update for Windows XP (KB924496)
Security Update for Windows XP (KB924667)
Security Update for Windows XP (KB925454)
Security Update for Windows XP (KB925486)
Security Update for Windows XP (KB925902)
Security Update for Windows XP (KB926255)
Security Update for Windows XP (KB926436)
Security Update for Windows XP (KB927779)
Security Update for Windows XP (KB927802)
Security Update for Windows XP (KB928090)
Security Update for Windows XP (KB928255)
Security Update for Windows XP (KB928843)
Security Update for Windows XP (KB929123)
Security Update for Windows XP (KB929969)
Security Update for Windows XP (KB930178)
Security Update for Windows XP (KB931261)
Security Update for Windows XP (KB931768)
Security Update for Windows XP (KB931784)
Security Update for Windows XP (KB932168)
Security Update for Windows XP (KB933566)
Security Update for Windows XP (KB933729)
Security Update for Windows XP (KB935839)
Security Update for Windows XP (KB935840)
Security Update for Windows XP (KB936021)
Security Update for Windows XP (KB937143)
Security Update for Windows XP (KB937894)
Security Update for Windows XP (KB938127)
Security Update for Windows XP (KB938464)
Security Update for Windows XP (KB938829)
Security Update for Windows XP (KB939653)
Security Update for Windows XP (KB941202)
Security Update for Windows XP (KB941568)
Security Update for Windows XP (KB941569)
Security Update for Windows XP (KB941644)
Security Update for Windows XP (KB941693)
Security Update for Windows XP (KB942615)
Security Update for Windows XP (KB943055)
Security Update for Windows XP (KB943460)
Security Update for Windows XP (KB943485)
Security Update for Windows XP (KB944338)
Security Update for Windows XP (KB944533)
Security Update for Windows XP (KB944653)
Security Update for Windows XP (KB945553)
Security Update for Windows XP (KB946026)
Security Update for Windows XP (KB946648)
Security Update for Windows XP (KB947864)
Security Update for Windows XP (KB948590)
Security Update for Windows XP (KB948881)
Security Update for Windows XP (KB950749)
Security Update for Windows XP (KB950759)
Security Update for Windows XP (KB950760)
Security Update for Windows XP (KB950762)
Security Update for Windows XP (KB950974)
Security Update for Windows XP (KB951066)
Security Update for Windows XP (KB951376-v2)
Security Update for Windows XP (KB951376)
Security Update for Windows XP (KB951698)
Security Update for Windows XP (KB951748)
Security Update for Windows XP (KB952004)
Security Update for Windows XP (KB952954)
Security Update for Windows XP (KB953838)
Security Update for Windows XP (KB953839)
Security Update for Windows XP (KB954211)
Security Update for Windows XP (KB954600)
Security Update for Windows XP (KB955069)
Security Update for Windows XP (KB956390)
Security Update for Windows XP (KB956391)
Security Update for Windows XP (KB956572)
Security Update for Windows XP (KB956802)
Security Update for Windows XP (KB956803)
Security Update for Windows XP (KB956841)
Security Update for Windows XP (KB957095)
Security Update for Windows XP (KB957097)
Security Update for Windows XP (KB958215)
Security Update for Windows XP (KB958644)
Security Update for Windows XP (KB958687)
Security Update for Windows XP (KB958690)
Security Update for Windows XP (KB959426)
Security Update for Windows XP (KB960225)
Security Update for Windows XP (KB960714)
Security Update for Windows XP (KB960715)
Security Update for Windows XP (KB960803)
Security Update for Windows XP (KB961373)
Security Update for Windows XP (KB963027)
SFR
SHASTA
SKIN0001
SkinsHP1
SkinsHP2
SKINXSDK
Spybot - Search & Destroy
Spybot - Search & Destroy 1.4
TrayApp
Unity Web Player
Unload
Update for Windows XP (KB894391)
Update for Windows XP (KB896727)
Update for Windows XP (KB898461)
Update for Windows XP (KB900485)
Update for Windows XP (KB910437)
Update for Windows XP (KB916595)
Update for Windows XP (KB920872)
Update for Windows XP (KB922582)
Update for Windows XP (KB927891)
Update for Windows XP (KB929338)
Update for Windows XP (KB930916)
Update for Windows XP (KB931836)
Update for Windows XP (KB933360)
Update for Windows XP (KB936357)
Update for Windows XP (KB938828)
Update for Windows XP (KB942763)
Update for Windows XP (KB942840)
Update for Windows XP (KB946627)
Update for Windows XP (KB951072-v2)
Update for Windows XP (KB955839)
Update for Windows XP (KB967715)
VistaPrint Electronic Business Card
VPRINTOL
WebFldrs XP
WebReg
Windows Imaging Component
Windows Installer 3.1 (KB893803)
Windows Live OneCare safety scanner
Windows Media Format 11 runtime
Windows Media Player 10
Windows Media Player 11
Windows XP Hotfix - KB873333
Windows XP Hotfix - KB873339
Windows XP Hotfix - KB885250
Windows XP Hotfix - KB885835
Windows XP Hotfix - KB885836
Windows XP Hotfix - KB886185
Windows XP Hotfix - KB887472
Windows XP Hotfix - KB887742
Windows XP Hotfix - KB888113
Windows XP Hotfix - KB888302
Windows XP Hotfix - KB888310
Windows XP Hotfix - KB890175
Windows XP Hotfix - KB890859
Windows XP Hotfix - KB890923
Windows XP Hotfix - KB891781
Windows XP Hotfix - KB893086
WinZip
WIRELESS
WordPerfect Office 12

==== Event Viewer Messages From Past Week ========

5/23/2009 8:23:21 AM, error: Windows Update Agent [20] - Installation Failure: Windows failed to install the following update with error 0x80070652: Security Update for Microsoft PowerPoint 2003 (KB957784).
5/22/2009 6:18:19 AM, error: Service Control Manager [7034] - The Automatic LiveUpdate Scheduler service terminated unexpectedly. It has done this 1 time(s).
5/21/2009 8:46:16 PM, error: Service Control Manager [7026] - The following boot-start or system-start driver(s) failed to load: IntelIde
5/21/2009 4:19:00 PM, error: Service Control Manager [7026] - The following boot-start or system-start driver(s) failed to load: pavboot
5/21/2009 4:19:00 PM, error: Service Control Manager [7000] - The Windows Management Licence Service service failed to start due to the following error: The system cannot find the file specified.
5/21/2009 4:18:47 PM, error: System Error [1003] - Error code 100000d1, parameter1 00000000, parameter2 00000002, parameter3 00000000, parameter4 00000000.
5/21/2009 3:08:05 PM, error: NETLOGON [5719] - No Domain Controller is available for domain IPLS due to the following: There are currently no logon servers available to service the logon request. . Make sure that the computer is connected to the network and try again. If the problem persists, please contact your domain administrator.

==== End Of File ===========================


Do you see anything amiss or was the problem fixed with the system restore?

Thank you for all your help in this matter!! It is greatly appreciated!!

#12 AdvancedSetup

AdvancedSetup

    Staff

  • Root Admin
  • 41,130 posts
  • Gender:Male
  • Location:US

Posted 28 May 2009 - 02:22 AM

Yes, it shows you're still infected. Please run the following. Will check back on you some time tomorrow.


Please visit this webpage for instructions for downloading ComboFix to your DESKTOP: how-to-use-combofix
Please ensure you read this guide carefully and install the Recovery Console first.
NOTE!!: You must save and run ComboFix.exe on your DESKTOP and not from any other folder.
Also, DO NOT click the mouse or launch any other applications while this is running, or it may stall the program.

Additional links to download the tool:
ComboFix.exe
ComboFix.exe
ComboFix.exe


Note: The Windows Recovery Console will allow you to boot up into a special recovery (repair) mode. This allows us to more easily help you should your computer have a problem after an attempted removal of malware. It is a simple procedure that will only take a few moments of your time.

Once installed, you should see a blue screen prompt that says:

The Recovery Console was successfully installed.

Please continue as follows:

  • Close/disable all antivirus and anti-malware programs so they do not interfere with the running of ComboFix.
  • Click Yes to allow ComboFix to continue scanning for malware.
  • When the tool is finished, it will produce a report for you.
  • Please post the C:\ComboFix.txt along with a new HijackThis log so we may continue cleaning the system.


Ron Lewis
Forum Community Manager

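What in the posted DDS log lets a helper make the "still infected" call at a glance is a handful of line-level tells: an auto-start service named "Windows Management Licence Service" whose binary is c:\windows\inf\svchost.exe (the real one lives only in system32), a service with a random hex name running from a dot-prefixed directory under system32, and a cluster of hidden+system DLLs with random eight-letter names in system32, one of them carrying an unreadable 0000-00-00 timestamp. The following script is an added example written for this page; it is not code from the thread, from DDS or from ComboFix. It applies those checks, plus the firewall-policy lines ComboFix dumps (EnableFirewall= 0 and GloballyOpenPorts entries), to log text. The regular expressions are written to the DDS and ComboFix line formats visible in the thread, the rule names and severities are our own, and the sample lines are constructed after the posted log.

```python
"""Triage heuristics for DDS / ComboFix log text (added example, not tool code).

Automates what a forum helper does by eye on the SERVICES / DRIVERS and Find3M
sections of a DDS log and on the firewall registry dump ComboFix prints.
Rule names, severities and thresholds are assumptions of this example.
"""
import re
from collections import namedtuple

Finding = namedtuple("Finding", "severity rule line")

# DDS service line: "R2 name;display;image [date size]" or "... --> image [?]"
SERVICE_RE = re.compile(r"^([RS])(\d) ([^;]+);([^;]*);(.+?) \[([^\]]*)\]$")
# DDS Find3M line: "date time size attrs path"
FILE_RE = re.compile(r"^(\S+ \S+) ([\d,]+) ([a-z-]{8}) (.+)$")
# ComboFix registry dump of the firewall standard profile
FIREWALL_OFF_RE = re.compile(r'^"EnableFirewall"=\s*0\b')
OPEN_PORT_RE = re.compile(r'^"(\d+):(TCP|UDP)"=\s*\d+:(?:TCP|UDP):(.*)$')

SYSTEM32 = r"c:\windows\system32"  # the only home of a genuine svchost.exe on XP
HEX_NAME_RE = re.compile(r"^[0-9a-f]{8}$")  # service names like cc9b6bee (weak signal)
RANDOM_NAME_RE = re.compile(r"^[a-z]{6,8}\.(dll|exe)$")  # ehjcrz.dll, fevahiva.dll, ...


def check_service(line):
    m = SERVICE_RE.match(line)
    if not m:
        return []
    _state, _start, name, _display, image, stat = m.groups()
    # "a --> b" means DDS could not stat the path as written; keep the left side
    # and drop arguments such as "-s -g" so a legitimate Firebird line stays clean.
    image = image.split(" --> ")[0].lower()
    exe = re.match(r"(.+?\.(?:exe|sys))", image)
    image = exe.group(1) if exe else image
    directory, _, base = image.rpartition("\\")
    out = []
    if base == "svchost.exe" and directory != SYSTEM32:
        out.append(Finding("high", "svchost.exe outside system32", line))
    if any(part.startswith(".") for part in directory.split("\\")):
        out.append(Finding("high", "dot-prefixed directory in image path", line))
    # "[?]" alone is NOT evidence: the Firebird services show it only because
    # their path carries arguments. Combine it with a random-looking name.
    if stat == "?" and HEX_NAME_RE.match(name.lower()):
        out.append(Finding("medium", "hex-named service with unresolvable binary", line))
    return out


def check_file(line):
    m = FILE_RE.match(line)
    if not m:
        return []
    stamp, _size, attrs, path = m.groups()
    directory, _, base = path.lower().rpartition("\\")
    out = []
    if "s" in attrs and "h" in attrs and directory == SYSTEM32:
        if RANDOM_NAME_RE.match(base):
            out.append(Finding("high", "hidden+system random-named binary in system32", line))
        else:
            out.append(Finding("medium", "hidden+system file directly in system32", line))
    if stamp.startswith("0000-00-00"):
        out.append(Finding("medium", "unreadable timestamp on file", line))
    return out


def check_firewall(line):
    if FIREWALL_OFF_RE.match(line):
        return [Finding("high", "Windows Firewall disabled (standard profile)", line)]
    m = OPEN_PORT_RE.match(line)
    if not m:
        return []
    port, _proto, label = m.groups()
    if port == "3389":
        return [Finding("medium", "Remote Desktop open to every network", line)]
    if label.startswith("PORT_"):
        # Rules added without a friendly name; a typical home for a backdoor listener.
        return [Finding("high", "globally open port with generic PORT_ label", line)]
    return []


def triage(log_text):
    """Run every check over every line; return findings in log order."""
    findings = []
    for raw in log_text.splitlines():
        line = raw.strip()
        for check in (check_service, check_file, check_firewall):
            findings.extend(check(line))
    return findings


def count_by_severity(findings):
    counts = {}
    for f in findings:
        counts[f.severity] = counts.get(f.severity, 0) + 1
    return counts


# Constructed sample modelled on the posted DDS and ComboFix output.
SAMPLE_LOG = r"""
R0 pavboot;pavboot;c:\windows\system32\drivers\pavboot.sys [2009-2-3 28544]
R2 FireBirdGuardian;FireBird Guardian Server;c:\pct-safe\firebird\bin\fbguard.exe -s --> c:\pct-safe\firebird\bin\fbguard.exe -s [?]
S2 cc9b6bee;Microsoft DDE+ server;c:\windows\system32\.cc9b6bee\cc9b6bee.exe --> c:\windows\system32\.cc9b6bee\cc9b6bee.exe [?]
S2 WMSLService;Windows Management Licence Service;c:\windows\inf\svchost.exe --> c:\windows\inf\svchost.exe [?]
2009-04-06 15:32 15,504 a------- c:\windows\system32\drivers\mbam.sys
2009-02-03 04:13 134,379 a--sh--- c:\windows\system32\ehjcrz.dll
0000-00-00 00:00 2,048 a--sh--- c:\windows\system32\fevahiva.dll
"EnableFirewall"= 0 (0x0)
"3389:TCP"= 3389:TCP:@xpsp2res.dll,-22009
"18499:TCP"= 18499:TCP:PORT_18499
"""

if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"[{f.severity:6}] {f.rule}: {f.line}")
```

Run stand-alone, it lists nine findings for the sample and stays silent on the pavboot, Firebird and mbam.sys lines, which is the point of the "[?]" caveat in check_service: an unresolved path is only suspicious together with another tell, otherwise every service with command-line arguments would be flagged. The heuristics are deliberately narrow (XP-era paths, Vundo-style naming); on a different Windows build they are a starting point, not a verdict.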


#13 FriscoGirl

FriscoGirl

    New Member

  • Members
  • 19 posts

Posted 28 May 2009 - 03:10 PM

Thank you so much.

I followed the instructions.

The ComboFix.txt is:


ComboFix 09-05-26.05 - klo 05/28/2009 14:29.1 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.1022.664 [GMT -4:00]
Running from: c:\documents and settings\KLO.IPLS\Desktop\ComboFix.exe
AV: Avira AntiVir PersonalEdition *On-access scanning disabled* (Updated) {AD166499-45F9-482A-A743-FDD3350758C7}
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\windows\IE4 Error Log.txt
c:\windows\system32\abivereg.ini
c:\windows\system32\afehagor.ini
c:\windows\system32\agorenuf.ini
c:\windows\system32\aguguwip.ini
c:\windows\system32\ahobiyoz.ini
c:\windows\system32\amiwutew.ini
c:\windows\system32\bszip.dll
c:\windows\system32\egimanub.ini
c:\windows\system32\ehiledik.ini
c:\windows\system32\ehjcrz.dll
c:\windows\system32\ehuginiz.ini
c:\windows\system32\ehulowod.ini
c:\windows\system32\enekuhen.ini
c:\windows\system32\eperenud.ini
c:\windows\system32\eregozop.ini
c:\windows\system32\etokiwer.ini
c:\windows\system32\ewenomaw.ini
c:\windows\system32\eyahavil.ini
c:\windows\system32\fevahiva.dll
c:\windows\system32\idewatup.ini
c:\windows\system32\ihihepuv.ini
c:\windows\system32\ijarelej.ini
c:\windows\system32\ikosanor.ini
c:\windows\system32\itiwokar.ini
c:\windows\system32\itubuzeh.ini
c:\windows\system32\jgamxv.dll
c:\windows\system32\jlpsoq.dll
c:\windows\system32\kenayiba.dll
c:\windows\system32\litijihi.dll
c:\windows\system32\mrfohd.dll
c:\windows\system32\mupdvm.dll
c:\windows\system32\nafazoye.dll
c:\windows\system32\nwlics.dll
c:\windows\system32\odojivoh.ini
c:\windows\system32\okelefeb.ini
c:\windows\system32\okijilev.ini
c:\windows\system32\open.ico
c:\windows\system32\oqtwa.bak1
c:\windows\system32\oqtwa.bak2
c:\windows\system32\oqtwa.ini
c:\windows\system32\ovojabet.ini
c:\windows\system32\pivtrt.dll
c:\windows\system32\susisawo.dll
c:\windows\system32\togehupe.dll
c:\windows\system32\utofopor.ini
c:\windows\system32\wbzrnu.dll
c:\windows\system32\wilawape.dll

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Legacy_PASSWORD


((((((((((((((((((((((((( Files Created from 2009-04-28 to 2009-05-28 )))))))))))))))))))))))))))))))
.

2009-05-23 12:23 . 2009-03-11 02:18 453512 ----a-w c:\windows\system32\KB905474\wgasetup.exe
2009-05-23 12:23 . 2009-05-26 05:05 -------- d-----w c:\windows\system32\KB905474
2009-05-23 12:23 . 2009-03-11 02:26 1403264 ----a-w c:\windows\system32\KB905474\wganotifypackageinner.exe
2009-05-21 20:25 . 2009-03-06 14:44 283648 ------w c:\windows\system32\dllcache\pdh.dll
2009-05-21 20:25 . 2009-02-06 16:54 35328 ------w c:\windows\system32\dllcache\sc.exe
2009-05-21 20:25 . 2005-07-26 04:39 60416 ------w c:\windows\system32\dllcache\colbact.dll
2009-05-21 20:25 . 2009-02-09 10:20 453120 ------w c:\windows\system32\dllcache\wmiprvsd.dll
2009-05-21 20:25 . 2009-02-06 17:14 110592 ------w c:\windows\system32\dllcache\services.exe
2009-05-21 20:25 . 2009-02-06 16:39 227840 ------w c:\windows\system32\dllcache\wmiprvse.exe
2009-05-21 20:24 . 2008-04-21 10:02 215552 ------w c:\windows\system32\dllcache\wordpad.exe
2009-05-20 14:45 . 2009-05-20 14:45 -------- d-----w c:\program files\Common Files\Panda Security
2009-05-17 01:04 . 2009-05-21 20:33 -------- d-----w C:\32788R22FWJFW(2)
2009-05-17 01:04 . 2009-05-21 20:33 -------- d-----w C:\Combo-fix.exe

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-05-27 22:08 . 2009-01-26 15:25 75096 ----a-w c:\windows\system32\drivers\avipbb.sys
2009-05-26 05:06 . 2005-07-01 13:42 -------- d-----w c:\program files\Common Files\Symantec Shared
2009-05-26 05:05 . 2005-07-01 13:43 -------- d-----w c:\program files\Symantec
2009-05-23 00:59 . 2005-07-01 13:42 -------- d-----w c:\documents and settings\All Users\Application Data\Symantec
2009-05-22 00:33 . 2009-02-03 19:01 -------- d-----w c:\program files\Malwarebytes' Anti-Malware
2009-05-22 00:33 . 2009-03-29 01:20 2967799 ----a-w c:\documents and settings\All Users\Application Data\Malwarebytes\Malwarebytes' Anti-Malware\mbam-setup.exe
2009-05-21 20:35 . 2009-02-28 20:55 -------- d-----w c:\program files\Spybot - Search & Destroy - 1-62
2009-05-09 18:03 . 2008-01-20 19:27 -------- d-----w c:\program files\Pony Luv
2009-04-21 01:15 . 2005-07-01 13:36 -------- d--h--w c:\program files\InstallShield Installation Information
2009-04-06 19:32 . 2009-02-03 19:01 38496 ----a-w c:\windows\system32\drivers\mbamswissarmy.sys
2009-04-06 19:32 . 2009-02-03 19:02 15504 ----a-w c:\windows\system32\drivers\mbam.sys
2009-04-06 12:51 . 2006-10-11 14:38 -------- d-----w c:\program files\Spybot - Search & Destroy
2009-04-05 00:09 . 2009-04-05 00:09 373114 ----a-w c:\documents and settings\All Users\Application Data\Avira\AntiVir PersonalEdition Classic\TEMP\AVUPDATE_49d7f697\ave2\aescript.dll
2009-04-05 00:09 . 2009-04-05 00:09 397687 ----a-w c:\documents and settings\All Users\Application Data\Avira\AntiVir PersonalEdition Classic\TEMP\AVUPDATE_49d7f697\ave2\aepack.dll
2009-04-05 00:09 . 2009-04-05 00:09 127348 ----a-w c:\documents and settings\All Users\Application Data\Avira\AntiVir PersonalEdition Classic\TEMP\AVUPDATE_49d7f697\ave2\aescn.dll
2009-04-05 00:09 . 2009-04-05 00:09 1700214 ----a-w c:\documents and settings\All Users\Application Data\Avira\AntiVir PersonalEdition Classic\TEMP\AVUPDATE_49d7f697\ave2\aeheur.dll
2009-04-05 00:09 . 2009-04-05 00:09 340340 ----a-w c:\documents and settings\All Users\Application Data\Avira\AntiVir PersonalEdition Classic\TEMP\AVUPDATE_49d7f697\ave2\aegen.dll
2009-04-05 00:09 . 2009-04-05 00:09 176502 ----a-w c:\documents and settings\All Users\Application Data\Avira\AntiVir PersonalEdition Classic\TEMP\AVUPDATE_49d7f697\ave2\aecore.dll
2009-03-29 05:41 . 2006-07-11 22:35 348160 ----a-w c:\windows\system32\msvcr71.dll
2009-03-29 05:41 . 2003-03-19 01:14 499712 ----a-w c:\windows\system32\msvcp71.dll
2009-03-06 14:44 . 2004-08-11 22:00 283648 ----a-w c:\windows\system32\pdh.dll
2005-07-13 04:35 . 2005-07-13 04:35 151040 ----a-w c:\program files\Common Files\MSVCRT.MSM
2004-12-14 01:17 . 2004-12-14 01:17 1001472 ----a-w c:\program files\Common Files\VFP9RptApps.msm
2004-12-14 01:17 . 2004-12-14 01:17 4595712 ----a-w c:\program files\Common Files\Vfp9Runtime.msm
2009-01-30 20:12 . 2009-01-30 20:12 2098 --sh--w c:\windows\system32\rurobahe.exe
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2004-08-04 15360]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SoundMAXPnP"="c:\program files\Analog Devices\Core\smax4pnp.exe" [2004-10-15 1404928]
"HP Component Manager"="c:\program files\HP\hpcoretech\hpcmpmgr.exe" [2005-01-12 241664]
"igfxtray"="c:\windows\system32\igfxtray.exe" [2005-09-20 94208]
"igfxhkcmd"="c:\windows\system32\hkcmd.exe" [2005-09-20 77824]
"igfxpers"="c:\windows\system32\igfxpers.exe" [2005-09-20 114688]
"HP Software Update"="c:\program files\HP\HP Software Update\HPWuSchd2.exe" [2005-02-17 49152]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2006-09-01 282624]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2008-01-12 39792]
"Synchronization Manager"="c:\windows\system32\mobsync.exe" [2004-08-04 143360]
"avgnt"="c:\program files\Avira\AntiVir PersonalEdition Classic\avgnt.exe" [2008-06-12 266497]
"TkBellExe"="c:\program files\Common Files\Real\Update_OB\realsched.exe" [2009-03-29 198160]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\cc9b6bee]
@="Service"

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run-]
"AIM"=c:\program files\AIM\aim.exe -cnetwait.odl
"Aim6"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\HP\\HP Software Update\\HPWUCli.exe"=
"c:\\Program Files\\Common Files\\AOL\\Loader\\aolload.exe"=
"c:\\Program Files\\AIM\\aim.exe"=
"c:\\Program Files\\Kodak\\Kodak EasyShare software\\bin\\EasyShare.exe"=
"c:\\WINDOWS\\system32\\igfxpers.exe"=
"c:\\WINDOWS\\system32\\WISPTIS.EXE"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"3389:TCP"= 3389:TCP:@xpsp2res.dll,-22009
"18499:TCP"= 18499:TCP:PORT_18499
"51066:TCP"= 51066:TCP:PORT_51066
"34892:TCP"= 34892:TCP:PORT_34892
"14363:TCP"= 14363:TCP:PORT_14363
"35711:TCP"= 35711:TCP:PORT_35711

R0 pavboot;pavboot;c:\windows\system32\drivers\pavboot.sys [2/3/2009 9:39 AM 28544]
R2 FireBirdGuardian;FireBird Guardian Server;c:\pct-safe\Firebird\Bin\fbguard.exe -s --> c:\pct-safe\Firebird\Bin\fbguard.exe -s [?]
R2 FireBirdServer;FireBird Database Server;c:\pct-safe\Firebird\Bin\fbserver.exe -s -g --> c:\pct-safe\Firebird\Bin\fbserver.exe -s -g [?]
R2 U3SDR200;U3SDR200;c:\windows\system32\drivers\U3SDR200.SYS [3/16/2008 9:27 PM 4224]
S2 cc9b6bee;Microsoft DDE+ server;c:\windows\system32\.cc9b6bee\cc9b6bee.exe --> c:\windows\system32\.cc9b6bee\cc9b6bee.exe [?]
S2 WMSLService;Windows Management Licence Service;c:\windows\inf\svchost.exe --> c:\windows\inf\svchost.exe [?]
S3 brfilt;Brother MFC Filter Driver;c:\windows\system32\drivers\BrFilt.sys [10/2/2008 10:06 AM 2944]
S3 BrSerWDM;Brother Serial driver;c:\windows\system32\drivers\BrSerWdm.sys [10/2/2008 10:06 AM 60416]
S3 BrUsbMdm;Brother MFC USB Fax Only Modem;c:\windows\system32\drivers\BrUsbMdm.sys [10/2/2008 10:06 AM 11008]
S3 BrUsbScn;Brother MFC USB Scanner driver;c:\windows\system32\drivers\BrUsbScn.sys [10/2/2008 10:05 AM 10368]
S3 MR97310_VGA_DUAL_CAMERA;MR97310 VGA Dual Mode Camera;c:\windows\system32\drivers\mr97310v.sys [9/23/2005 5:40 PM 116078]
.
Contents of the 'Scheduled Tasks' folder

2009-05-28 c:\windows\Tasks\WGASetup.job
- c:\windows\system32\KB905474\wgasetup.exe [2009-05-23 02:18]
.
- - - - ORPHANS REMOVED - - - -

BHO-{68222a89-715b-48df-80ba-f103481aaca5} - (no file)
BHO-{9e166ea2-cab4-49e1-9f57-3054bbc2e9ed} - (no file)
HKLM-Run-DXDllRegExe - c:\windows\system32\dxdllreg.exe
Notify-awtqo - c:\windows\system32\awtqo.dll
Notify-WgaLogon - (no file)
SafeBoot-procexp90.Sys


.
------- Supplementary Scan -------
.
uStart Page = hxxp://ixquick.com/eng/
mStart Page = hxxp://www.dell4me.com/mywaybiz
uInternet Connection Wizard,ShellNext = iexplore
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
Trusted Zone: fedex.com\www
Trusted Zone: saas-elearn.org
Trusted Zone: theiplawgroup.com\mail
TCP: {ED39E28C-66FE-4B6F-A17A-E54DA18EAECB} = 10.0.1.2,209.183.205.35
DPF: {049A470D-F818-4E34-B14D-E4E237DADCF8} - hxxp://www.shockwave.com/content/fashiondash/sis/fashiondashweb.1.0.0.21.cab
DPF: {055B4212-4C81-448E-AFA9-C3CA4AAE8F95} - hxxp://www.shockwave.com/content/dairydash/sis/DairyDashWeb.1.0.0.12.cab
DPF: {195B4BBF-E1E4-4020-9773-0A8C6F65EA35} - hxxp://www.shockwave.com/content/cookingdash/sis/CookingDashWeb.1.0.0.9.cab
DPF: {1A595EDD-978A-48C7-B730-AF3B9CC64DAB} - hxxp://63.251.81.180/component/VZWDLManager.cab
DPF: {3269A168-A467-4236-9D77-FF36D8DFB20F} - hxxps://bis.na.blackberry.com/html/web/client_tools/RIM-PwpClient.cab
DPF: {6715D12F-213F-4C6E-ACE1-8A363F550B96} - hxxp://www.shockwave.com/content/doggiedash/sis/DoggieDash.1.0.0.6.cab
DPF: {B516CA4E-A5BA-405C-AFCF-A97F08CC7429} - hxxp://www.shockwave.com/content/burgershop/sis/GoBitGamesPlayer_v5.cab
FF - ProfilePath - c:\documents and settings\KLO.IPLS\Application Data\Mozilla\Firefox\Profiles\ufvj2z9r.default\
FF - prefs.js: browser.startup.homepage - hxxp://www.ixquick.com/
FF - component: c:\program files\Real\RealPlayer\browserrecord\components\nprpbrowserrecordplugin.dll
FF - plugin: c:\program files\Java\jre1.5.0_12\bin\NPJava11.dll
FF - plugin: c:\program files\Java\jre1.5.0_12\bin\NPJava12.dll
FF - plugin: c:\program files\Java\jre1.5.0_12\bin\NPJava13.dll
FF - plugin: c:\program files\Java\jre1.5.0_12\bin\NPJava14.dll
FF - plugin: c:\program files\Java\jre1.5.0_12\bin\NPJava32.dll
FF - plugin: c:\program files\Java\jre1.5.0_12\bin\NPJPI150_12.dll
FF - plugin: c:\program files\Java\jre1.5.0_12\bin\NPOJI610.dll
FF - plugin: c:\program files\Unity\WebPlayer\loader\npUnity3D32.dll
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-05-28 14:35
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...


**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'explorer.exe'(2124)
c:\progra~1\WINDOW~2\wmpband.dll
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
------------------------ Other Running Processes ------------------------
.
c:\program files\Avira\AntiVir PersonalEdition Classic\sched.exe
c:\program files\Avira\AntiVir PersonalEdition Classic\avguard.exe
c:\program files\Symantec\LiveUpdate\AluSchedulerSvc.exe
c:\pct-safe\Firebird\bin\fbguard.exe
c:\pct-safe\Firebird\bin\fbserver.exe
c:\program files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
.
**************************************************************************
.
Completion time: 2009-05-28 14:47 - machine was rebooted
ComboFix-quarantined-files.txt 2009-05-28 18:45

Pre-Run: 3,437,404,160 bytes free
Post-Run: 3,480,809,472 bytes free

WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(2)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
multi(0)disk(0)rdisk(0)partition(2)\WINDOWS="Microsoft Windows XP Professional" /noexecute=optin /fastdetect

236 --- E O F --- 2009-05-23 12:24


The new HJT log is:


Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 4:09:13 PM, on 5/28/2009
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Avira\AntiVir PersonalEdition Classic\sched.exe
C:\Program Files\Avira\AntiVir PersonalEdition Classic\avguard.exe
C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
C:\PCT-SAFE\Firebird\Bin\fbguard.exe
C:\PCT-SAFE\Firebird\Bin\fbserver.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Analog Devices\Core\smax4pnp.exe
C:\Program Files\HP\hpcoretech\hpcmpmgr.exe
C:\WINDOWS\system32\hkcmd.exe
C:\WINDOWS\system32\igfxpers.exe
C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Avira\AntiVir PersonalEdition Classic\avgnt.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\explorer.exe
C:\WINDOWS\system32\notepad.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://ixquick.com/eng/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft....k/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft....k/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft....k/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.dell4me.com/mywaybiz
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: RealPlayer Download and Record Plugin for Internet Explorer - {3049C3E9-B461-4BC5-8870-4C09146192CA} - C:\Program Files\Real\RealPlayer\rpbrowserrecordplugin.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O2 - BHO: (no name) - {BDF3E430-B101-42AD-A544-FADC6B084872} - (no file)
O4 - HKLM\..\Run: [SoundMAXPnP] C:\Program Files\Analog Devices\Core\smax4pnp.exe
O4 - HKLM\..\Run: [HP Component Manager] "C:\Program Files\HP\hpcoretech\hpcmpmgr.exe"
O4 - HKLM\..\Run: [igfxtray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [igfxhkcmd] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [igfxpers] C:\WINDOWS\system32\igfxpers.exe
O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [Synchronization Manager] %SystemRoot%\system32\mobsync.exe /logon
O4 - HKLM\..\Run: [avgnt] "C:\Program Files\Avira\AntiVir PersonalEdition Classic\avgnt.exe" /min
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - Startup: Imation_Flash_Detect.lnk = C:\Documents and Settings\KLO.IPLS\Local Settings\Temp\Imation\USB_ImationFlashDetect.exe
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O15 - Trusted Zone: http://*.saas-elearn.org
O15 - Trusted Zone: mail.theiplawgroup.com
O16 - DPF: {049A470D-F818-4E34-B14D-E4E237DADCF8} (CPlayFirstFashionDasControl Object) - http://www.shockwave...eb.1.0.0.21.cab
O16 - DPF: {055B4212-4C81-448E-AFA9-C3CA4AAE8F95} (CPlayFirstDairyDashWControl Object) - http://www.shockwave...eb.1.0.0.12.cab
O16 - DPF: {106E49CF-797A-11D2-81A2-00E02C015623} (AlternaTIFF ActiveX) - http://www.alternati.../00/alttiff.cab
O16 - DPF: {195B4BBF-E1E4-4020-9773-0A8C6F65EA35} (CPlayFirstCookingDasControl Object) - http://www.shockwave...Web.1.0.0.9.cab
O16 - DPF: {1A595EDD-978A-48C7-B730-AF3B9CC64DAB} (DLManager Class) - http://63.251.81.180...ZWDLManager.cab
O16 - DPF: {2D8ED06D-3C30-438B-96AE-4D110FDC1FB8} (ActiveScan 2.0 Installer Class) - http://acs.pandasoft...s/as2stubie.cab
O16 - DPF: {3269A168-A467-4236-9D77-FF36D8DFB20F} - https://bis.na.black...M-PwpClient.cab
O16 - DPF: {49232000-16E4-426C-A231-62846947304B} (SysData Class) - http://ipgweb.cce.hp...ads/sysinfo.cab
O16 - DPF: {5ED80217-570B-4DA9-BF44-BE107C0EC166} (Windows Live Safety Center Base Module) - http://cdn.scan.onec...lscbase6662.cab
O16 - DPF: {6715D12F-213F-4C6E-ACE1-8A363F550B96} (CPlayFirstDoggieDashControl Object) - http://www.shockwave...ash.1.0.0.6.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.micros...b?1128752109638
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} -
O16 - DPF: {AB86CE53-AC9F-449F-9399-D8ABCA09EC09} (Get_ActiveX Control) - https://h17000.www1....loadManager.ocx
O16 - DPF: {B516CA4E-A5BA-405C-AFCF-A97F08CC7429} (GoBit Games Player) - http://www.shockwave...esPlayer_v5.cab
O16 - DPF: {EB387D2F-E27B-4D36-979E-847D1036C65D} (QDiagHUpdateObj Class) - http://h30043.www3.h.../qdiagh.cab?326
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = iplawspecialists.com
O17 - HKLM\Software\..\Telephony: DomainName = iplawspecialists.com
O17 - HKLM\System\CCS\Services\Tcpip\..\{ED39E28C-66FE-4B6F-A17A-E54DA18EAECB}: NameServer = 10.0.1.2,209.183.205.35
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = iplawspecialists.com
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: Domain = iplawspecialists.com
O17 - HKLM\System\CS3\Services\Tcpip\Parameters: Domain = iplawspecialists.com
O23 - Service: Avira AntiVir Personal - Free Antivirus Scheduler (AntiVirScheduler) - Avira GmbH - C:\Program Files\Avira\AntiVir PersonalEdition Classic\sched.exe
O23 - Service: Avira AntiVir Personal - Free Antivirus Guard (AntiVirService) - Avira GmbH - C:\Program Files\Avira\AntiVir PersonalEdition Classic\avguard.exe
O23 - Service: Automatic LiveUpdate Scheduler - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
O23 - Service: Microsoft DDE+ server (cc9b6bee) - Unknown owner - C:\WINDOWS\system32\.cc9b6bee\cc9b6bee.exe (file missing)
O23 - Service: FireBird Guardian Server (FireBirdGuardian) - The Firebird Project - C:\PCT-SAFE\Firebird\Bin\fbguard.exe
O23 - Service: FireBird Database Server (FireBirdServer) - The Firebird Project - C:\PCT-SAFE\Firebird\Bin\fbserver.exe
O23 - Service: Kodak Camera Connection Software (KodakCCS) - Unknown owner - C:\WINDOWS\system32\drivers\KodakCCS.exe (file missing)
O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
O23 - Service: Intel NCS NetService (NetSvc) - Intel® Corporation - C:\Program Files\Intel\PROSetWired\NCS\Sync\NetSvc.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
O23 - Service: Windows Management Licence Service (WMSLService) - Unknown owner - C:\WINDOWS\inf\svchost.exe (file missing)

--
End of file - 8654 bytes

#14 AdvancedSetup


Posted 29 May 2009 - 10:45 PM

STEP 01
Download but do not yet run ComboFix
If you have a previous version of Combofix.exe, delete it and download a fresh copy.
Download it to your DESKTOP - it MUST run from the Desktop
download.bleepingcomputer.com/sUBs/ComboFix.exe
subs.geekstogo.com/ComboFix.exe

Using your mouse, Highlight and then Right-click | Copy the entire contents of the Code box below, including blank lines
KILLALL::

AtJob::

Driver::
cc9b6bee
WMSLService

File::
c:\windows\system32\.cc9b6bee\cc9b6bee.exe
c:\windows\inf\svchost.exe

Registry::
[-HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\cc9b6bee]
[-HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run-]

Open a new Notepad session (Do not use a Word Processor or WordPad). Click "Format" and be certain that Word Wrap is not enabled. Right-click | Paste the Code box contents from above into Notepad. Click File, Save as..., and set the location to your Desktop, and enter (including quotation marks) as the filename: "CFscript.txt" .

Using your mouse, drag the new file CFscript.txt and drop it on the Combo-Fix.exe icon as shown:
Posted Image
  • Important: Have no other programs running. Your Task Bar should be clear of any program entries including your Browser.
  • Disconnect from the Internet.
  • Disable your Antivirus software. If it has Script Blocking features, please disable these as well.
  • A window may open with a series of Disclaimers. Accept the Disclaimers to start the fix.
  • It may identify that Recovery Console is not installed. Please accept when asked if you wish it to be installed.
  • When the scan completes, Notepad will open with your results log. Do a File, Exit.
A caution - Do not run Combofix more than once. Do not touch your mouse/keyboard until the scan has completed, as this may cause the process to stall or your computer to lock. The scan will temporarily disable your desktop, and if interrupted may leave your desktop disabled. If this occurs, please reboot to restore the desktop. Even when ComboFix appears to be doing nothing, look at your Drive light. If it is flashing, Combofix is still at work.

Post back the Combofix log on your next reply.

STEP 02
Update and Scan with Malwarebytes' Anti-Malware
  • Start MalwareBytes AntiMalware (Vista users must Right click and choose RunAs Admin)
  • Please DO NOT run MBAM in Safe Mode unless requested to; you MUST run it in normal Windows mode.
    • Update Malwarebytes' Anti-Malware
    • Select the Update tab
    • Click Update
  • When the update is complete, select the Scanner tab
  • Select Perform quick scan, then click Scan.
  • When the scan is complete, click OK, then Show Results to view the results.
  • Be sure that everything is checked, and click Remove Selected.
  • When completed, a log will open in Notepad. Please copy and paste the log into your next reply.
    • If you accidentally close it, the log file is saved here and will be named like this:
    • C:\Documents and Settings\Username\Application Data\Malwarebytes\Malwarebytes' Anti-Malware\Logs\mbam-log-date (time).txt
Then post back the MBAM log and a new Hijackthis log.

STEP 03

Download DDS and save it to your desktop
http://download.bleepingcomputer.com/sUBs/dds.scr

Disable any script blocker if your Anti-Virus/Anti-Malware has it.
Once downloaded you can disconnect from the Internet and disable your Anti-Virus temporarily if needed.
Then double click dds.scr to run the tool.
When done, the DDS.txt will open.
Click Yes at the next prompt for Optional Scan.

  • When done, DDS will open two (2) logs:
  • DDS.txt
  • Attach.txt
  • Save both reports to your desktop
  • Please include the following logs in your next reply: DDS.txt and Attach.txt


Ron Lewis
Forum Community Manager

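As an added example (not part of this thread, and not a Trend Micro or Malwarebytes tool), here is a small Python triage pass over HijackThis-style O23 and O20 lines that surfaces the same kind of entries the CFScript in STEP 01 targets: services with an unknown owner and a missing binary, paths that reuse a system binary name outside system32 or hide in a dot-prefixed directory, and Winlogon Notify entries that do not resolve to a DLL. The sample lines are constructed to mirror the shapes in the logs posted in this thread; the heuristics and severity labels are assumptions of this example, not HijackThis output.

```python
"""Triage pass over HijackThis-style O23/O20 lines.

Added example; not a tool from this thread, Trend Micro or Malwarebytes.
The heuristics and severity labels below are this example's own assumptions.
"""
import re

# Constructed sample lines mirroring the shapes seen in the thread's HJT logs.
SAMPLE_LOG = r"""
O4 - HKLM\..\Run: [avgnt] "C:\Program Files\Avira\AntiVir PersonalEdition Classic\avgnt.exe" /min
O20 - Winlogon Notify: awtqo - C:\WINDOWS\
O23 - Service: Avira AntiVir Personal - Free Antivirus Guard (AntiVirService) - Avira GmbH - C:\Program Files\Avira\AntiVir PersonalEdition Classic\avguard.exe
O23 - Service: Microsoft DDE+ server (cc9b6bee) - Unknown owner - C:\WINDOWS\system32\.cc9b6bee\cc9b6bee.exe (file missing)
O23 - Service: Windows Management Licence Service (WMSLService) - Unknown owner - C:\WINDOWS\inf\svchost.exe (file missing)
O23 - Service: Kodak Camera Connection Software (KodakCCS) - Unknown owner - C:\WINDOWS\system32\drivers\KodakCCS.exe (file missing)
O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
"""

# O23: "Service: <display> (<short name>) - <owner> - <path> [(file missing)]".
# The display name may itself contain " - " (see the Avira line), so the path
# is anchored on a drive letter or an environment variable to disambiguate.
O23_RE = re.compile(
    r"^O23 - Service: (?P<display>.+?)(?: \((?P<name>[^()]+)\))?"
    r" - (?P<owner>(?:(?! - ).)+?) - "
    r"(?P<path>(?:[A-Za-z]:\\|%).*?)(?P<missing> \(file missing\))?$"
)
O20_RE = re.compile(r"^O20 - Winlogon Notify: (?P<name>\S+) - (?P<path>.*)$")

# Names that belong in %SystemRoot%\system32; the same name elsewhere is suspect.
SYSTEM_BINARIES = {"svchost.exe", "services.exe", "lsass.exe",
                   "winlogon.exe", "csrss.exe", "smss.exe"}


def path_indicators(path):
    """Heuristics on a service binary path; returns human-readable reasons."""
    parts = path.replace("/", "\\").split("\\")
    filename = parts[-1].lower()
    directory = "\\".join(parts[:-1]).lower()
    reasons = []
    if filename in SYSTEM_BINARIES and not directory.endswith("\\system32"):
        reasons.append(f"{filename} is a system binary name but lives in {directory}")
    if any(p.startswith(".") for p in parts[:-1]):
        reasons.append("binary lives in a dot-prefixed directory")
    return reasons


def triage_o23(m):
    """Score one parsed O23 line; None when nothing looks off."""
    reasons = []
    if m["owner"].strip().lower() == "unknown owner":
        reasons.append("service has no recognised owner")
    if m["missing"]:
        reasons.append("service binary not found on disk")
    masquerade = path_indicators(m["path"])
    if not reasons and not masquerade:
        return None
    if masquerade:
        severity = "high"        # path itself looks like an evasion attempt
    elif len(reasons) == 2:
        severity = "review"      # orphaned service; may be an uninstall leftover
    else:
        severity = "low"
    return {"type": "O23", "name": m["name"] or m["display"], "path": m["path"],
            "severity": severity, "reasons": reasons + masquerade}


def triage_o20(m):
    """A Winlogon Notify entry should name a DLL; a bare directory is not one."""
    path = m["path"].strip()
    if path.lower().endswith(".dll"):
        return None
    return {"type": "O20", "name": m["name"], "path": path, "severity": "high",
            "reasons": ["Winlogon Notify entry does not resolve to a DLL file"]}


def triage(log_text):
    """Return a list of findings for every O23/O20 line that merits a look."""
    findings = []
    for line in log_text.splitlines():
        line = line.rstrip()
        m = O23_RE.match(line)
        if m:
            finding = triage_o23(m)
        else:
            m = O20_RE.match(line)
            finding = triage_o20(m) if m else None
        if finding:
            findings.append(finding)
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"[{f['severity']:6}] {f['type']} {f['name']}: {f['path']}")
        for r in f["reasons"]:
            print(f"         - {r}")
```

On the constructed sample this separates the two services the CFScript removes (both "high") from the orphaned Kodak service (only "review"), which is the judgement the staff member made by hand.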


#15 FriscoGirl


Posted 30 May 2009 - 09:49 AM

Thanks.

I followed your instructions and the requested logs are:

Combofix Log


ComboFix 09-05-29.01 - klo 05/30/2009 9:36.2 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.1022.748 [GMT -4:00]
Running from: c:\documents and settings\KLO.IPLS\Desktop\ComboFix.exe
AV: Avira AntiVir PersonalEdition *On-access scanning disabled* (Updated) {AD166499-45F9-482A-A743-FDD3350758C7}
.

((((((((((((((((((((((((( Files Created from 2009-04-28 to 2009-05-30 )))))))))))))))))))))))))))))))
.

2009-05-28 20:19 . 2008-06-19 21:24 28544 ----a-w c:\windows\system32\drivers\pavboot.sys
2009-05-28 20:07 . 2009-05-28 20:07 -------- d-----w c:\program files\Trend Micro
2009-05-23 12:23 . 2009-03-11 02:18 453512 ----a-w c:\windows\system32\KB905474\wgasetup.exe
2009-05-23 12:23 . 2009-05-26 05:05 -------- d-----w c:\windows\system32\KB905474
2009-05-23 12:23 . 2009-03-11 02:26 1403264 ----a-w c:\windows\system32\KB905474\wganotifypackageinner.exe
2009-05-21 20:25 . 2009-03-06 14:44 283648 ------w c:\windows\system32\dllcache\pdh.dll
2009-05-21 20:25 . 2009-02-06 16:54 35328 ------w c:\windows\system32\dllcache\sc.exe
2009-05-21 20:25 . 2005-07-26 04:39 60416 ------w c:\windows\system32\dllcache\colbact.dll
2009-05-21 20:25 . 2009-02-09 10:20 453120 ------w c:\windows\system32\dllcache\wmiprvsd.dll
2009-05-21 20:25 . 2009-02-06 17:14 110592 ------w c:\windows\system32\dllcache\services.exe
2009-05-21 20:25 . 2009-02-06 16:39 227840 ------w c:\windows\system32\dllcache\wmiprvse.exe
2009-05-21 20:24 . 2008-04-21 10:02 215552 ------w c:\windows\system32\dllcache\wordpad.exe
2009-05-20 14:45 . 2009-05-20 14:45 -------- d-----w c:\program files\Common Files\Panda Security
2009-05-17 01:04 . 2009-05-21 20:33 -------- d-----w C:\32788R22FWJFW(2)
2009-05-17 01:04 . 2009-05-21 20:33 -------- d-----w C:\Combo-fix.exe

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-05-27 22:08 . 2009-01-26 15:25 75096 ----a-w c:\windows\system32\drivers\avipbb.sys
2009-05-26 05:06 . 2005-07-01 13:42 -------- d-----w c:\program files\Common Files\Symantec Shared
2009-05-26 05:05 . 2005-07-01 13:43 -------- d-----w c:\program files\Symantec
2009-05-23 00:59 . 2005-07-01 13:42 -------- d-----w c:\documents and settings\All Users\Application Data\Symantec
2009-05-22 00:33 . 2009-02-03 19:01 -------- d-----w c:\program files\Malwarebytes' Anti-Malware
2009-05-22 00:33 . 2009-03-29 01:20 2967799 ----a-w c:\documents and settings\All Users\Application Data\Malwarebytes\Malwarebytes' Anti-Malware\mbam-setup.exe
2009-05-21 20:35 . 2009-02-28 20:55 -------- d-----w c:\program files\Spybot - Search & Destroy - 1-62
2009-05-09 18:03 . 2008-01-20 19:27 -------- d-----w c:\program files\Pony Luv
2009-04-21 01:15 . 2005-07-01 13:36 -------- d--h--w c:\program files\InstallShield Installation Information
2009-04-06 19:32 . 2009-02-03 19:01 38496 ----a-w c:\windows\system32\drivers\mbamswissarmy.sys
2009-04-06 19:32 . 2009-02-03 19:02 15504 ----a-w c:\windows\system32\drivers\mbam.sys
2009-04-06 12:51 . 2006-10-11 14:38 -------- d-----w c:\program files\Spybot - Search & Destroy
2009-04-05 00:09 . 2009-04-05 00:09 373114 ----a-w c:\documents and settings\All Users\Application Data\Avira\AntiVir PersonalEdition Classic\TEMP\AVUPDATE_49d7f697\ave2\aescript.dll
2009-04-05 00:09 . 2009-04-05 00:09 397687 ----a-w c:\documents and settings\All Users\Application Data\Avira\AntiVir PersonalEdition Classic\TEMP\AVUPDATE_49d7f697\ave2\aepack.dll
2009-04-05 00:09 . 2009-04-05 00:09 127348 ----a-w c:\documents and settings\All Users\Application Data\Avira\AntiVir PersonalEdition Classic\TEMP\AVUPDATE_49d7f697\ave2\aescn.dll
2009-04-05 00:09 . 2009-04-05 00:09 1700214 ----a-w c:\documents and settings\All Users\Application Data\Avira\AntiVir PersonalEdition Classic\TEMP\AVUPDATE_49d7f697\ave2\aeheur.dll
2009-04-05 00:09 . 2009-04-05 00:09 340340 ----a-w c:\documents and settings\All Users\Application Data\Avira\AntiVir PersonalEdition Classic\TEMP\AVUPDATE_49d7f697\ave2\aegen.dll
2009-04-05 00:09 . 2009-04-05 00:09 176502 ----a-w c:\documents and settings\All Users\Application Data\Avira\AntiVir PersonalEdition Classic\TEMP\AVUPDATE_49d7f697\ave2\aecore.dll
2009-03-29 05:41 . 2006-07-11 22:35 348160 ----a-w c:\windows\system32\msvcr71.dll
2009-03-29 05:41 . 2003-03-19 01:14 499712 ----a-w c:\windows\system32\msvcp71.dll
2009-03-06 14:44 . 2004-08-11 22:00 283648 ----a-w c:\windows\system32\pdh.dll
2005-07-13 04:35 . 2005-07-13 04:35 151040 ----a-w c:\program files\Common Files\MSVCRT.MSM
2004-12-14 01:17 . 2004-12-14 01:17 1001472 ----a-w c:\program files\Common Files\VFP9RptApps.msm
2004-12-14 01:17 . 2004-12-14 01:17 4595712 ----a-w c:\program files\Common Files\Vfp9Runtime.msm
2009-01-30 20:12 . 2009-01-30 20:12 2098 --sh--w c:\windows\system32\rurobahe.exe
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2004-08-04 15360]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SoundMAXPnP"="c:\program files\Analog Devices\Core\smax4pnp.exe" [2004-10-15 1404928]
"HP Component Manager"="c:\program files\HP\hpcoretech\hpcmpmgr.exe" [2005-01-12 241664]
"igfxtray"="c:\windows\system32\igfxtray.exe" [2005-09-20 94208]
"igfxhkcmd"="c:\windows\system32\hkcmd.exe" [2005-09-20 77824]
"igfxpers"="c:\windows\system32\igfxpers.exe" [2005-09-20 114688]
"HP Software Update"="c:\program files\HP\HP Software Update\HPWuSchd2.exe" [2005-02-17 49152]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2006-09-01 282624]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2008-01-12 39792]
"Synchronization Manager"="c:\windows\system32\mobsync.exe" [2004-08-04 143360]
"avgnt"="c:\program files\Avira\AntiVir PersonalEdition Classic\avgnt.exe" [2008-06-12 266497]
"TkBellExe"="c:\program files\Common Files\Real\Update_OB\realsched.exe" [2009-03-29 198160]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\awtqo]
[BU]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\WgaLogon]
[BU]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\cc9b6bee]
@="Service"

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run-]
"AIM"=c:\program files\AIM\aim.exe -cnetwait.odl
"Aim6"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\HP\\HP Software Update\\HPWUCli.exe"=
"c:\\Program Files\\Common Files\\AOL\\Loader\\aolload.exe"=
"c:\\Program Files\\AIM\\aim.exe"=
"c:\\Program Files\\Kodak\\Kodak EasyShare software\\bin\\EasyShare.exe"=
"c:\\WINDOWS\\system32\\igfxpers.exe"=
"c:\\WINDOWS\\system32\\WISPTIS.EXE"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"3389:TCP"= 3389:TCP:@xpsp2res.dll,-22009
"18499:TCP"= 18499:TCP:PORT_18499
"51066:TCP"= 51066:TCP:PORT_51066
"34892:TCP"= 34892:TCP:PORT_34892
"14363:TCP"= 14363:TCP:PORT_14363
"35711:TCP"= 35711:TCP:PORT_35711

R0 pavboot;pavboot;c:\windows\system32\drivers\pavboot.sys [5/28/2009 4:19 PM 28544]
R2 FireBirdGuardian;FireBird Guardian Server;c:\pct-safe\Firebird\Bin\fbguard.exe -s --> c:\pct-safe\Firebird\Bin\fbguard.exe -s [?]
R2 FireBirdServer;FireBird Database Server;c:\pct-safe\Firebird\Bin\fbserver.exe -s -g --> c:\pct-safe\Firebird\Bin\fbserver.exe -s -g [?]
R2 U3SDR200;U3SDR200;c:\windows\system32\drivers\U3SDR200.SYS [3/16/2008 9:27 PM 4224]
S2 cc9b6bee;Microsoft DDE+ server;c:\windows\system32\.cc9b6bee\cc9b6bee.exe --> c:\windows\system32\.cc9b6bee\cc9b6bee.exe [?]
S2 WMSLService;Windows Management Licence Service;c:\windows\inf\svchost.exe --> c:\windows\inf\svchost.exe [?]
S3 brfilt;Brother MFC Filter Driver;c:\windows\system32\drivers\BrFilt.sys [10/2/2008 10:06 AM 2944]
S3 BrSerWDM;Brother Serial driver;c:\windows\system32\drivers\BrSerWdm.sys [10/2/2008 10:06 AM 60416]
S3 BrUsbMdm;Brother MFC USB Fax Only Modem;c:\windows\system32\drivers\BrUsbMdm.sys [10/2/2008 10:06 AM 11008]
S3 BrUsbScn;Brother MFC USB Scanner driver;c:\windows\system32\drivers\BrUsbScn.sys [10/2/2008 10:05 AM 10368]
S3 MR97310_VGA_DUAL_CAMERA;MR97310 VGA Dual Mode Camera;c:\windows\system32\drivers\mr97310v.sys [9/23/2005 5:40 PM 116078]
.
Contents of the 'Scheduled Tasks' folder

2009-05-30 c:\windows\Tasks\Spybot - Search & Destroy - Scheduled Task.job
- c:\program files\Spybot - Search & Destroy\SpybotSD.exe [2006-10-11 20:31]

2009-05-29 c:\windows\Tasks\WGASetup.job
- c:\windows\system32\KB905474\wgasetup.exe [2009-05-23 02:18]
.
- - - - ORPHANS REMOVED - - - -

BHO-{68222a89-715b-48df-80ba-f103481aaca5} - (no file)
BHO-{9e166ea2-cab4-49e1-9f57-3054bbc2e9ed} - (no file)


.
------- Supplementary Scan -------
.
uStart Page = hxxp://ixquick.com/eng/
mStart Page = hxxp://www.dell4me.com/mywaybiz
uInternet Connection Wizard,ShellNext = iexplore
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
Trusted Zone: fedex.com\www
Trusted Zone: saas-elearn.org
Trusted Zone: theiplawgroup.com\mail
TCP: {ED39E28C-66FE-4B6F-A17A-E54DA18EAECB} = 10.0.1.2,209.183.205.35
DPF: {049A470D-F818-4E34-B14D-E4E237DADCF8} - hxxp://www.shockwave.com/content/fashiondash/sis/fashiondashweb.1.0.0.21.cab
DPF: {055B4212-4C81-448E-AFA9-C3CA4AAE8F95} - hxxp://www.shockwave.com/content/dairydash/sis/DairyDashWeb.1.0.0.12.cab
DPF: {195B4BBF-E1E4-4020-9773-0A8C6F65EA35} - hxxp://www.shockwave.com/content/cookingdash/sis/CookingDashWeb.1.0.0.9.cab
DPF: {1A595EDD-978A-48C7-B730-AF3B9CC64DAB} - hxxp://63.251.81.180/component/VZWDLManager.cab
DPF: {3269A168-A467-4236-9D77-FF36D8DFB20F} - hxxps://bis.na.blackberry.com/html/web/client_tools/RIM-PwpClient.cab
DPF: {6715D12F-213F-4C6E-ACE1-8A363F550B96} - hxxp://www.shockwave.com/content/doggiedash/sis/DoggieDash.1.0.0.6.cab
DPF: {B516CA4E-A5BA-405C-AFCF-A97F08CC7429} - hxxp://www.shockwave.com/content/burgershop/sis/GoBitGamesPlayer_v5.cab
FF - ProfilePath - c:\documents and settings\KLO.IPLS\Application Data\Mozilla\Firefox\Profiles\ufvj2z9r.default\
FF - prefs.js: browser.startup.homepage - hxxp://www.ixquick.com/
FF - component: c:\program files\Real\RealPlayer\browserrecord\components\nprpbrowserrecordplugin.dll
FF - plugin: c:\program files\Java\jre1.5.0_12\bin\NPJava11.dll
FF - plugin: c:\program files\Java\jre1.5.0_12\bin\NPJava12.dll
FF - plugin: c:\program files\Java\jre1.5.0_12\bin\NPJava13.dll
FF - plugin: c:\program files\Java\jre1.5.0_12\bin\NPJava14.dll
FF - plugin: c:\program files\Java\jre1.5.0_12\bin\NPJava32.dll
FF - plugin: c:\program files\Java\jre1.5.0_12\bin\NPJPI150_12.dll
FF - plugin: c:\program files\Java\jre1.5.0_12\bin\NPOJI610.dll
FF - plugin: c:\program files\Unity\WebPlayer\loader\npUnity3D32.dll
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-05-30 09:39
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...


**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'explorer.exe'(4688)
c:\progra~1\WINDOW~2\wmpband.dll
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
Completion time: 2009-05-30 9:45
ComboFix-quarantined-files.txt 2009-05-30 13:43
ComboFix2.txt 2009-05-28 18:47

Pre-Run: 3,528,196,096 bytes free
Post-Run: 3,494,199,296 bytes free

167 --- E O F --- 2009-05-23 12:24


MBAM Log:

Malwarebytes' Anti-Malware 1.37
Database version: 2196
Windows 5.1.2600 Service Pack 2

5/30/2009 9:57:40 AM
mbam-log-2009-05-30 (09-57-40).txt

Scan type: Quick Scan
Objects scanned: 98323
Time elapsed: 6 minute(s), 33 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)


HJT Log

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 9:58:11 AM, on 5/30/2009
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Avira\AntiVir PersonalEdition Classic\sched.exe
C:\Program Files\Avira\AntiVir PersonalEdition Classic\avguard.exe
C:\WINDOWS\Explorer.EXE
C:\PCT-SAFE\Firebird\Bin\fbguard.exe
C:\PCT-SAFE\Firebird\Bin\fbserver.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Analog Devices\Core\smax4pnp.exe
C:\Program Files\HP\hpcoretech\hpcmpmgr.exe
C:\WINDOWS\system32\hkcmd.exe
C:\WINDOWS\system32\igfxpers.exe
C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
C:\Program Files\QuickTime\qttask.exe
C:\WINDOWS\system32\mobsync.exe
C:\Program Files\Avira\AntiVir PersonalEdition Classic\avgnt.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://ixquick.com/eng/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft....k/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft....k/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft....k/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.dell4me.com/mywaybiz
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: RealPlayer Download and Record Plugin for Internet Explorer - {3049C3E9-B461-4BC5-8870-4C09146192CA} - C:\Program Files\Real\RealPlayer\rpbrowserrecordplugin.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O2 - BHO: (no name) - {BDF3E430-B101-42AD-A544-FADC6B084872} - (no file)
O4 - HKLM\..\Run: [SoundMAXPnP] C:\Program Files\Analog Devices\Core\smax4pnp.exe
O4 - HKLM\..\Run: [HP Component Manager] "C:\Program Files\HP\hpcoretech\hpcmpmgr.exe"
O4 - HKLM\..\Run: [igfxtray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [igfxhkcmd] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [igfxpers] C:\WINDOWS\system32\igfxpers.exe
O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [Synchronization Manager] %SystemRoot%\system32\mobsync.exe /logon
O4 - HKLM\..\Run: [avgnt] "C:\Program Files\Avira\AntiVir PersonalEdition Classic\avgnt.exe" /min
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\RunOnce: [Malwarebytes' Anti-Malware] C:\Program Files\Malwarebytes' Anti-Malware\mbamgui.exe /install /silent
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - Startup: Imation_Flash_Detect.lnk = C:\Documents and Settings\KLO.IPLS\Local Settings\Temp\Imation\USB_ImationFlashDetect.exe
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O15 - Trusted Zone: http://*.saas-elearn.org
O15 - Trusted Zone: mail.theiplawgroup.com
O16 - DPF: {049A470D-F818-4E34-B14D-E4E237DADCF8} (CPlayFirstFashionDasControl Object) - http://www.shockwave...eb.1.0.0.21.cab
O16 - DPF: {055B4212-4C81-448E-AFA9-C3CA4AAE8F95} (CPlayFirstDairyDashWControl Object) - http://www.shockwave...eb.1.0.0.12.cab
O16 - DPF: {106E49CF-797A-11D2-81A2-00E02C015623} (AlternaTIFF ActiveX) - http://www.alternati.../00/alttiff.cab
O16 - DPF: {195B4BBF-E1E4-4020-9773-0A8C6F65EA35} (CPlayFirstCookingDasControl Object) - http://www.shockwave...Web.1.0.0.9.cab
O16 - DPF: {1A595EDD-978A-48C7-B730-AF3B9CC64DAB} (DLManager Class) - http://63.251.81.180...ZWDLManager.cab
O16 - DPF: {2D8ED06D-3C30-438B-96AE-4D110FDC1FB8} (ActiveScan 2.0 Installer Class) - http://acs.pandasoft...s/as2stubie.cab
O16 - DPF: {3269A168-A467-4236-9D77-FF36D8DFB20F} - https://bis.na.black...M-PwpClient.cab
O16 - DPF: {49232000-16E4-426C-A231-62846947304B} (SysData Class) - http://ipgweb.cce.hp...ads/sysinfo.cab
O16 - DPF: {5ED80217-570B-4DA9-BF44-BE107C0EC166} (Windows Live Safety Center Base Module) - http://cdn.scan.onec...lscbase6662.cab
O16 - DPF: {6715D12F-213F-4C6E-ACE1-8A363F550B96} (CPlayFirstDoggieDashControl Object) - http://www.shockwave...ash.1.0.0.6.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.micros...b?1128752109638
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} -
O16 - DPF: {AB86CE53-AC9F-449F-9399-D8ABCA09EC09} (Get_ActiveX Control) - https://h17000.www1....loadManager.ocx
O16 - DPF: {B516CA4E-A5BA-405C-AFCF-A97F08CC7429} (GoBit Games Player) - http://www.shockwave...esPlayer_v5.cab
O16 - DPF: {EB387D2F-E27B-4D36-979E-847D1036C65D} (QDiagHUpdateObj Class) - http://h30043.www3.h.../qdiagh.cab?326
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = iplawspecialists.com
O17 - HKLM\Software\..\Telephony: DomainName = iplawspecialists.com
O17 - HKLM\System\CCS\Services\Tcpip\..\{ED39E28C-66FE-4B6F-A17A-E54DA18EAECB}: NameServer = 10.0.1.2,209.183.205.35
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = iplawspecialists.com
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: Domain = iplawspecialists.com
O17 - HKLM\System\CS3\Services\Tcpip\Parameters: Domain = iplawspecialists.com
O20 - Winlogon Notify: awtqo - C:\WINDOWS\
O23 - Service: Avira AntiVir Personal - Free Antivirus Scheduler (AntiVirScheduler) - Avira GmbH - C:\Program Files\Avira\AntiVir PersonalEdition Classic\sched.exe
O23 - Service: Avira AntiVir Personal - Free Antivirus Guard (AntiVirService) - Avira GmbH - C:\Program Files\Avira\AntiVir PersonalEdition Classic\avguard.exe
O23 - Service: Automatic LiveUpdate Scheduler - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
O23 - Service: Microsoft DDE+ server (cc9b6bee) - Unknown owner - C:\WINDOWS\system32\.cc9b6bee\cc9b6bee.exe (file missing)
O23 - Service: FireBird Guardian Server (FireBirdGuardian) - The Firebird Project - C:\PCT-SAFE\Firebird\Bin\fbguard.exe
O23 - Service: FireBird Database Server (FireBirdServer) - The Firebird Project - C:\PCT-SAFE\Firebird\Bin\fbserver.exe
O23 - Service: Kodak Camera Connection Software (KodakCCS) - Unknown owner - C:\WINDOWS\system32\drivers\KodakCCS.exe (file missing)
O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
O23 - Service: Intel NCS NetService (NetSvc) - Intel® Corporation - C:\Program Files\Intel\PROSetWired\NCS\Sync\NetSvc.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
O23 - Service: Windows Management Licence Service (WMSLService) - Unknown owner - C:\WINDOWS\inf\svchost.exe (file missing)

--
End of file - 8752 bytes


DDS Log


DDS (Ver_09-05-14.01) - NTFSx86
Run by klo at 10:00:32.73 on Sat 05/30/2009
Internet Explorer: 6.0.2900.2180 BrowserJavaVersion: 1.5.0_12
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.1022.698 [GMT -4:00]

AV: Avira AntiVir PersonalEdition *On-access scanning disabled* (Updated) {AD166499-45F9-482A-A743-FDD3350758C7}

============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
C:\WINDOWS\system32\svchost.exe -k WudfServiceGroup
svchost.exe
svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Avira\AntiVir PersonalEdition Classic\sched.exe
svchost.exe
C:\Program Files\Avira\AntiVir PersonalEdition Classic\avguard.exe
C:\WINDOWS\Explorer.EXE
C:\PCT-SAFE\Firebird\Bin\fbguard.exe
C:\PCT-SAFE\Firebird\Bin\fbserver.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\Program Files\Analog Devices\Core\smax4pnp.exe
C:\Program Files\HP\hpcoretech\hpcmpmgr.exe
C:\WINDOWS\system32\igfxpers.exe
C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
C:\Program Files\QuickTime\qttask.exe
C:\WINDOWS\system32\mobsync.exe
C:\Program Files\Avira\AntiVir PersonalEdition Classic\avgnt.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Documents and Settings\KLO.IPLS\Desktop\dds.scr

============== Pseudo HJT Report ===============

uStart Page = hxxp://ixquick.com/eng/
mStart Page = hxxp://www.dell4me.com/mywaybiz
uInternet Connection Wizard,ShellNext = iexplore
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
BHO: Adobe PDF Reader Link Helper: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelper.dll
BHO: RealPlayer Download and Record Plugin for Internet Explorer: {3049c3e9-b461-4bc5-8870-4c09146192ca} - c:\program files\real\realplayer\rpbrowserrecordplugin.dll
BHO: Spybot-S&D IE Protection: {53707962-6f74-2d53-2644-206d7942484f} - c:\progra~1\spybot~1\SDHelper.dll
BHO: SSVHelper Class: {761497bb-d6f0-462c-b6eb-d4daf1d92d43} - c:\program files\java\jre1.6.0_02\bin\ssv.dll
BHO: {BDF3E430-B101-42AD-A544-FADC6B084872} - No File
TB: Yahoo! Toolbar: {ef99bd32-c1fb-11d2-892f-0090271d4f88} -
EB: Adobe PDF: {182ec0be-5110-49c8-a062-beb1d02a220b} - c:\program files\adobe\acrobat 6.0\acrobat\AcroIEFavClient.dll
EB: {4528BBE0-4E08-11D5-AD55-00010333D0AD} - No File
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
mRun: [SoundMAXPnP] c:\program files\analog devices\core\smax4pnp.exe
mRun: [HP Component Manager] "c:\program files\hp\hpcoretech\hpcmpmgr.exe"
mRun: [igfxtray] c:\windows\system32\igfxtray.exe
mRun: [igfxhkcmd] c:\windows\system32\hkcmd.exe
mRun: [igfxpers] c:\windows\system32\igfxpers.exe
mRun: [HP Software Update] c:\program files\hp\hp software update\HPWuSchd2.exe
mRun: [QuickTime Task] "c:\program files\quicktime\qttask.exe" -atboottime
mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 8.0\reader\Reader_sl.exe"
mRun: [Synchronization Manager] %SystemRoot%\system32\mobsync.exe /logon
mRun: [avgnt] "c:\program files\avira\antivir personaledition classic\avgnt.exe" /min
mRun: [TkBellExe] "c:\program files\common files\real\update_ob\realsched.exe" -osboot
mRunOnce: [Malwarebytes' Anti-Malware] c:\program files\malwarebytes' anti-malware\mbamgui.exe /install /silent
StartupFolder: c:\docume~1\klo~1.ipl\startm~1\programs\startup\imatio~1.lnk - c:\documents and settings\klo.ipls\local settings\temp\imation\USB_ImationFlashDetect.exe
IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office11\EXCEL.EXE/3000
IE: {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - c:\program files\aim\aim.exe
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~2\office11\REFIEBAR.DLL
IE: {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - {53707962-6F74-2D53-2644-206D7942484F} - c:\progra~1\spybot~1\SDHelper.dll
Trusted Zone: fedex.com\www
Trusted Zone: saas-elearn.org
Trusted Zone: theiplawgroup.com\mail
DPF: {049A470D-F818-4E34-B14D-E4E237DADCF8} - hxxp://www.shockwave.com/content/fashiondash/sis/fashiondashweb.1.0.0.21.cab
DPF: {055B4212-4C81-448E-AFA9-C3CA4AAE8F95} - hxxp://www.shockwave.com/content/dairydash/sis/DairyDashWeb.1.0.0.12.cab
DPF: {106E49CF-797A-11D2-81A2-00E02C015623} - hxxp://www.alternatiff.com/install/00/alttiff.cab
DPF: {195B4BBF-E1E4-4020-9773-0A8C6F65EA35} - hxxp://www.shockwave.com/content/cookingdash/sis/CookingDashWeb.1.0.0.9.cab
DPF: {1A595EDD-978A-48C7-B730-AF3B9CC64DAB} - hxxp://63.251.81.180/component/VZWDLManager.cab
DPF: {233C1507-6A77-46A4-9443-F871F945D258} - hxxp://download.macromedia.com/pub/shockwave/cabs/director/sw.cab
DPF: {2D8ED06D-3C30-438B-96AE-4D110FDC1FB8} - hxxp://acs.pandasoftware.com/activescan/cabs/as2stubie.cab
DPF: {3269A168-A467-4236-9D77-FF36D8DFB20F} - hxxps://bis.na.blackberry.com/html/web/client_tools/RIM-PwpClient.cab
DPF: {3E68E405-C6DE-49FF-83AE-41EE9F4C36CE} - hxxp://office.microsoft.com/officeupdate/content/opuc3.cab
DPF: {49232000-16E4-426C-A231-62846947304B} - hxxp://ipgweb.cce.hp.com/rdqaio/downloads/sysinfo.cab
DPF: {5ED80217-570B-4DA9-BF44-BE107C0EC166} - hxxp://cdn.scan.onecare.live.com/resource/download/scanner/wlscbase6662.cab
DPF: {6715D12F-213F-4C6E-ACE1-8A363F550B96} - hxxp://www.shockwave.com/content/doggiedash/sis/DoggieDash.1.0.0.6.cab
DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} - hxxp://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1128752109638
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-6-windows-i586.cab
DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} - hxxp://fpdownload.macromedia.com/get/flashplayer/current/ultrashim.cab
DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1}
DPF: {AB86CE53-AC9F-449F-9399-D8ABCA09EC09} - hxxps://h17000.www1.hp.com/ewfrf-JAVA/Secure/HPGetDownloadManager.ocx
DPF: {B516CA4E-A5BA-405C-AFCF-A97F08CC7429} - hxxp://www.shockwave.com/content/burgershop/sis/GoBitGamesPlayer_v5.cab
DPF: {CAFEEFAC-0014-0002-0003-ABCDEFFEDCBA} - hxxp://java.sun.com/products/plugin/autodl/jinstall-142-windows-i586.cab
DPF: {CAFEEFAC-0015-0000-0012-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_12-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0002-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_02-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_02-windows-i586.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://fpdownload.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
DPF: {EB387D2F-E27B-4D36-979E-847D1036C65D} - hxxp://h30043.www3.hp.com/aio/en/check/qdiagh.cab?326
TCP: {ED39E28C-66FE-4B6F-A17A-E54DA18EAECB} = 10.0.1.2,209.183.205.35
Handler: cetihpz - {CF184AD3-CDCB-4168-A3F7-8E447D129300} - c:\program files\hp\hpcoretech\comp\hpuiprot.dll
Notify: igfxcui - igfxdev.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\klo~1.ipl\applic~1\mozilla\firefox\profiles\ufvj2z9r.default\
FF - prefs.js: browser.startup.homepage - hxxp://www.ixquick.com/
FF - component: c:\program files\real\realplayer\browserrecord\components\nprpbrowserrecordplugin.dll
FF - plugin: c:\program files\java\jre1.5.0_12\bin\NPJava11.dll
FF - plugin: c:\program files\java\jre1.5.0_12\bin\NPJava12.dll
FF - plugin: c:\program files\java\jre1.5.0_12\bin\NPJava13.dll
FF - plugin: c:\program files\java\jre1.5.0_12\bin\NPJava14.dll
FF - plugin: c:\program files\java\jre1.5.0_12\bin\NPJava32.dll
FF - plugin: c:\program files\java\jre1.5.0_12\bin\NPJPI150_12.dll
FF - plugin: c:\program files\java\jre1.5.0_12\bin\NPOJI610.dll
FF - plugin: c:\program files\unity\webplayer\loader\npUnity3D32.dll

============= SERVICES / DRIVERS ===============

R0 pavboot;pavboot;c:\windows\system32\drivers\pavboot.sys [2009-5-28 28544]
R1 avgio;avgio;c:\program files\avira\antivir personaledition classic\avgio.sys [2009-1-26 11608]
R2 AntiVirScheduler;Avira AntiVir Personal - Free Antivirus Scheduler;c:\program files\avira\antivir personaledition classic\sched.exe [2009-1-26 68865]
R2 AntiVirService;Avira AntiVir Personal - Free Antivirus Guard;c:\program files\avira\antivir personaledition classic\avguard.exe [2009-1-26 151297]
R2 FireBirdGuardian;FireBird Guardian Server;c:\pct-safe\firebird\bin\fbguard.exe -s --> c:\pct-safe\firebird\bin\fbguard.exe -s [?]
R2 FireBirdServer;FireBird Database Server;c:\pct-safe\firebird\bin\fbserver.exe -s -g --> c:\pct-safe\firebird\bin\fbserver.exe -s -g [?]
R2 U3SDR200;U3SDR200;c:\windows\system32\drivers\U3SDR200.SYS [2008-3-16 4224]
R3 avgntflt;avgntflt;c:\program files\avira\antivir personaledition classic\avgntflt.sys [2009-1-26 52056]
S2 cc9b6bee;Microsoft DDE+ server;c:\windows\system32\.cc9b6bee\cc9b6bee.exe --> c:\windows\system32\.cc9b6bee\cc9b6bee.exe [?]
S2 WMSLService;Windows Management Licence Service;c:\windows\inf\svchost.exe --> c:\windows\inf\svchost.exe [?]
S3 brfilt;Brother MFC Filter Driver;c:\windows\system32\drivers\BrFilt.sys [2008-10-2 2944]
S3 BrSerWDM;Brother Serial driver;c:\windows\system32\drivers\BrSerWdm.sys [2008-10-2 60416]
S3 BrUsbMdm;Brother MFC USB Fax Only Modem;c:\windows\system32\drivers\BrUsbMdm.sys [2008-10-2 11008]
S3 BrUsbScn;Brother MFC USB Scanner driver;c:\windows\system32\drivers\BrUsbScn.sys [2008-10-2 10368]
S3 MR97310_VGA_DUAL_CAMERA;MR97310 VGA Dual Mode Camera;c:\windows\system32\drivers\mr97310v.sys [2005-9-23 116078]

=============== Created Last 30 ================

2009-05-30 09:34 <DIR> --ds---- C:\ComboFix
2009-05-28 16:19 28,544 a------- c:\windows\system32\drivers\pavboot.sys
2009-05-28 16:07 <DIR> --d----- c:\program files\Trend Micro
2009-05-28 14:26 <DIR> a-dshr-- C:\cmdcons
2009-05-28 14:23 161,792 a------- c:\windows\SWREG.exe
2009-05-28 14:23 154,624 a------- c:\windows\PEV.exe
2009-05-28 14:23 98,816 a------- c:\windows\sed.exe
2009-05-23 08:23 <DIR> --d----- c:\windows\system32\KB905474
2009-05-21 16:25 283,648 -------- c:\windows\system32\dllcache\pdh.dll
2009-05-21 16:25 60,416 -------- c:\windows\system32\dllcache\colbact.dll
2009-05-21 16:25 35,328 -------- c:\windows\system32\dllcache\sc.exe
2009-05-21 16:25 453,120 -------- c:\windows\system32\dllcache\wmiprvsd.dll
2009-05-21 16:25 227,840 -------- c:\windows\system32\dllcache\wmiprvse.exe
2009-05-21 16:25 110,592 -------- c:\windows\system32\dllcache\services.exe
2009-05-21 16:24 215,552 -------- c:\windows\system32\dllcache\wordpad.exe
2009-05-20 10:45 <DIR> --d----- c:\program files\common files\Panda Security
2009-05-16 21:04 <DIR> --d----- C:\32788R22FWJFW(2)
2009-05-16 21:04 <DIR> --d----- C:\Combo-fix.exe

==================== Find3M ====================

2009-05-26 13:20 40,160 a------- c:\windows\system32\drivers\mbamswissarmy.sys
2009-05-26 13:19 19,096 a------- c:\windows\system32\drivers\mbam.sys
2009-03-29 01:41 499,712 a------- c:\windows\system32\msvcp71.dll
2009-03-29 01:41 348,160 a------- c:\windows\system32\msvcr71.dll
2009-03-21 10:18 986,112 a------- c:\windows\system32\dllcache\kernel32.dll
2009-03-06 10:44 283,648 a------- c:\windows\system32\pdh.dll
2009-03-02 19:52 1,495,552 a------- c:\windows\system32\dllcache\shdocvw.dll
2008-07-09 13:35 3,902,784 a------- c:\documents and settings\klo.ipls\gosetup.exe
2006-11-14 21:23 56,912 a------- c:\documents and settings\klo.ipls\g2mdlhlpx.exe
2005-07-13 00:35 151,040 a------- c:\program files\common files\MSVCRT.MSM
2004-12-13 21:17 1,001,472 a------- c:\program files\common files\VFP9RptApps.msm
2004-12-13 21:17 4,595,712 a------- c:\program files\common files\Vfp9Runtime.msm
2009-01-30 16:12 2,098 ---sh--- c:\windows\system32\rurobahe.exe

============= FINISH: 10:01:23.23 ===============


Attach


UNLESS SPECIFICALLY INSTRUCTED, DO NOT POST THIS LOG.
IF REQUESTED, ZIP IT UP & ATTACH IT

DDS (Ver_09-05-14.01)

Microsoft Windows XP Professional
Boot Device: \Device\HarddiskVolume2
Install Date: 7/8/2005 8:52:18 AM
System Uptime: 5/30/2009 9:47:21 AM (1 hours ago)

Motherboard: Dell Computer Corp. | | 0TC666
Processor: Intel® Pentium® 4 CPU 2.80GHz | Microprocessor | 2792/533mhz

==== Disk Partitions =========================

C: is FIXED (NTFS) - 34 GiB total, 3.279 GiB free.
D: is CDROM ()
K: is NetworkDisk (*NT5CSC) - 34 GiB total, 3.279 GiB free.

==== Disabled Device Manager Items =============

==== System Restore Points ===================

RP1223: 3/2/2009 11:26:21 AM - System Checkpoint
RP1224: 3/3/2009 11:46:10 AM - System Checkpoint
RP1225: 3/6/2009 10:49:25 AM - System Checkpoint
RP1226: 3/8/2009 8:52:56 AM - System Checkpoint
RP1227: 3/15/2009 11:42:40 AM - System Checkpoint
RP1228: 3/16/2009 12:25:19 PM - System Checkpoint
RP1229: 3/17/2009 2:12:43 PM - System Checkpoint
RP1230: 3/19/2009 3:53:44 PM - System Checkpoint
RP1231: 3/23/2009 7:41:09 AM - System Checkpoint
RP1232: 3/24/2009 8:16:46 AM - System Checkpoint
RP1233: 3/25/2009 10:31:16 PM - System Checkpoint
RP1234: 3/27/2009 6:50:03 AM - System Checkpoint
RP1235: 3/28/2009 7:20:49 AM - System Checkpoint
RP1236: 3/30/2009 12:22:07 PM - System Checkpoint
RP1237: 3/31/2009 12:22:38 PM - System Checkpoint
RP1238: 2/28/2009 3:25:15 PM - System Checkpoint
RP1239: 2/28/2009 6:45:38 PM - Software Distribution Service 3.0
RP1240: 3/1/2009 3:00:51 AM - Software Distribution Service 3.0
RP1241: 4/1/2009 3:55:56 PM - Software Distribution Service 3.0
RP1242: 4/2/2009 11:49:32 PM - System Checkpoint
RP1243: 4/4/2009 12:47:49 AM - System Checkpoint
RP1244: 4/5/2009 1:08:03 AM - System Checkpoint
RP1245: 5/21/2009 4:32:40 PM - Restore Operation
RP1246: 5/21/2009 4:43:56 PM - Software Distribution Service 3.0
RP1247: 5/22/2009 8:58:54 PM - Removed Norton AntiVirus 2003
RP1248: 5/23/2009 6:59:14 AM - Software Distribution Service 3.0
RP1249: 5/24/2009 7:56:15 AM - System Checkpoint
RP1250: 5/25/2009 8:56:13 AM - System Checkpoint
RP1251: 5/26/2009 5:58:56 AM - Restore Operation
RP1252: 5/27/2009 1:12:41 AM - System Checkpoint
RP1253: 5/28/2009 1:39:42 AM - System Checkpoint
RP1254: 5/29/2009 8:15:37 AM - System Checkpoint

==== Installed Programs ======================

5500
5500_Help
5500Tour
5500Trb
Adobe Acrobat - Reader 6.0.2 Update
Adobe Acrobat 6.0 Professional
Adobe Flash Player 9 ActiveX
Adobe Flash Player ActiveX
Adobe Reader 6.0.1
Adobe Reader 8.1.2
Adobe Shockwave Player 11.5
AIM 6.0
AiO_Scan
AiOSoftware
Amicus Accounting
Amicus Administrator
Amicus Attorney
Ancient Trijong and Maui Wowee
AOL Instant Messenger
ArcSoft Camera Suite
Avira AntiVir Personal - Free Antivirus
BufferChm
CCScore
Compatibility Pack for the 2007 Office system
Copy
CreativeProjects
CreativeProjectsTemplates
Critical Update for Windows Media Player 11 (KB959772)
CueTour
CutePDF Writer 2.7
Dell Driver Reset Tool
Dell System Restore
Destinations
Director
DocProc
DocumentViewer
DVD Decrypter (Remove Only)
eFax Messenger 4.3
ESSCDBK
ESScore
ESSgui
ESShelp
ESSini
ESSPCD
ESSSONIC
ESSTOOLS
ESSvpaht
ESSvpot
FairCom Crystal Driver
Fax
GdiplusUpgrade
GE UltraCam
HijackThis 2.0.2
HLPIndex
HLPRFO
Hotfix for Windows Media Format 11 SDK (KB929399)
Hotfix for Windows Media Player 11 (KB939683)
Hotfix for Windows XP (KB926239)
Hotfix for Windows XP (KB952287)
HP Diagnostic Assistant
HP Image Zone 4.2
HP PSC & OfficeJet 4.2
HP Software Update
hpmdtab
HPODiscovery
HPSystemDiagnostics
HyperCam 2
InstantShare
Intel® Extreme Graphics 2 Driver
Intel® PRO Network Adapters and Drivers
Intel® PROSet for Wired Connections
Internet Explorer Default Page
interneTIFF 7.0-Professional (IE Browser)
J2SE Runtime Environment 5.0 Update 12
Java 2 Runtime Environment, SE v1.4.2_03
Java™ 6 Update 2
Kodak EasyShare software
KSU
LG USB Drivers
LG USB Modem Drivers
LiveReg (Symantec Corporation)
LiveUpdate 3.0 (Symantec Corporation)
Macromedia Flash Player
Malwarebytes' Anti-Malware
Memories Disc Creator 2.0
Microsoft .NET Framework 1.1
Microsoft .NET Framework 1.1 Hotfix (KB928366)
Microsoft Compression Client Pack 1.0 for Windows XP
Microsoft Office Professional Edition 2003
Microsoft Office Project Professional 2003
Microsoft User-Mode Driver Framework Feature Pack 1.0
Move Networks Media Player for Internet Explorer
Mozilla Firefox (3.0.10)
Mozilla Thunderbird (1.5.0.8)
MSXML 4.0 SP2 (KB927978)
MSXML 4.0 SP2 (KB936181)
MSXML 4.0 SP2 (KB954430)
MSXML 4.0 SP2 Parser and SDK
MSXML 6 Service Pack 2 (KB954459)
Norton WMI Update
Notifier
OTtBPSDK
overland
Panda ActiveScan 2.0
PCDADDIN
PCDHELP
PCT-SAFE Editor 1.0
PCT-SAFE Editor 1.98
PCT-SAFE Editor Conversion Components
PCT-SAFE Online Filing
PhotoGallery
PrintScreen
ProductContext
QFolder
Qualxserve Service Agreement
QuickBooks Pro 2005
QuickProjects
QuickTime
Readme
RealPlayer
Scan
Security Update for CAPICOM (KB931906)
Security Update for Step By Step Interactive Training (KB898458)
Security Update for Step By Step Interactive Training (KB923723)
Security Update for Windows Media Player (KB911564)
Security Update for Windows Media Player (KB952069)
Security Update for Windows Media Player 10 (KB911565)
Security Update for Windows Media Player 10 (KB917734)
Security Update for Windows Media Player 11 (KB936782)
Security Update for Windows Media Player 11 (KB954154)
Security Update for Windows Media Player 6.4 (KB925398)
Security Update for Windows XP (KB883939)
Security Update for Windows XP (KB890046)
Security Update for Windows XP (KB893066)
Security Update for Windows XP (KB893756)
Security Update for Windows XP (KB896358)
Security Update for Windows XP (KB896422)
Security Update for Windows XP (KB896423)
Security Update for Windows XP (KB896424)
Security Update for Windows XP (KB896428)
Security Update for Windows XP (KB896688)
Security Update for Windows XP (KB899587)
Security Update for Windows XP (KB899588)
Security Update for Windows XP (KB899589)
Security Update for Windows XP (KB899591)
Security Update for Windows XP (KB900725)
Security Update for Windows XP (KB901017)
Security Update for Windows XP (KB901214)
Security Update for Windows XP (KB902400)
Security Update for Windows XP (KB903235)
Security Update for Windows XP (KB904706)
Security Update for Windows XP (KB905414)
Security Update for Windows XP (KB905749)
Security Update for Windows XP (KB905915)
Security Update for Windows XP (KB908519)
Security Update for Windows XP (KB908531)
Security Update for Windows XP (KB911280)
Security Update for Windows XP (KB911562)
Security Update for Windows XP (KB911567)
Security Update for Windows XP (KB911927)
Security Update for Windows XP (KB912812)
Security Update for Windows XP (KB912919)
Security Update for Windows XP (KB913446)
Security Update for Windows XP (KB913580)
Security Update for Windows XP (KB914388)
Security Update for Windows XP (KB914389)
Security Update for Windows XP (KB916281)
Security Update for Windows XP (KB917159)
Security Update for Windows XP (KB917344)
Security Update for Windows XP (KB917422)
Security Update for Windows XP (KB917953)
Security Update for Windows XP (KB918118)
Security Update for Windows XP (KB918439)
Security Update for Windows XP (KB918899)
Security Update for Windows XP (KB919007)
Security Update for Windows XP (KB920213)
Security Update for Windows XP (KB920214)
Security Update for Windows XP (KB920670)
Security Update for Windows XP (KB920683)
Security Update for Windows XP (KB920685)
Security Update for Windows XP (KB921398)
Security Update for Windows XP (KB921503)
Security Update for Windows XP (KB921883)
Security Update for Windows XP (KB922616)
Security Update for Windows XP (KB922760)
Security Update for Windows XP (KB922819)
Security Update for Windows XP (KB923191)
Security Update for Windows XP (KB923414)
Security Update for Windows XP (KB923561)
Security Update for Windows XP (KB923689)
Security Update for Windows XP (KB923694)
Security Update for Windows XP (KB923980)
Security Update for Windows XP (KB924191)
Security Update for Windows XP (KB924270)
Security Update for Windows XP (KB924496)
Security Update for Windows XP (KB924667)
Security Update for Windows XP (KB925454)
Security Update for Windows XP (KB925486)
Security Update for Windows XP (KB925902)
Security Update for Windows XP (KB926255)
Security Update for Windows XP (KB926436)
Security Update for Windows XP (KB927779)
Security Update for Windows XP (KB927802)
Security Update for Windows XP (KB928090)
Security Update for Windows XP (KB928255)
Security Update for Windows XP (KB928843)
Security Update for Windows XP (KB929123)
Security Update for Windows XP (KB929969)
Security Update for Windows XP (KB930178)
Security Update for Windows XP (KB931261)
Security Update for Windows XP (KB931768)
Security Update for Windows XP (KB931784)
Security Update for Windows XP (KB932168)
Security Update for Windows XP (KB933566)
Security Update for Windows XP (KB933729)
Security Update for Windows XP (KB935839)
Security Update for Windows XP (KB935840)
Security Update for Windows XP (KB936021)
Security Update for Windows XP (KB937143)
Security Update for Windows XP (KB937894)
Security Update for Windows XP (KB938127)
Security Update for Windows XP (KB938464)
Security Update for Windows XP (KB938829)
Security Update for Windows XP (KB939653)
Security Update for Windows XP (KB941202)
Security Update for Windows XP (KB941568)
Security Update for Windows XP (KB941569)
Security Update for Windows XP (KB941644)
Security Update for Windows XP (KB941693)
Security Update for Windows XP (KB942615)
Security Update for Windows XP (KB943055)
Security Update for Windows XP (KB943460)
Security Update for Windows XP (KB943485)
Security Update for Windows XP (KB944338)
Security Update for Windows XP (KB944533)
Security Update for Windows XP (KB944653)
Security Update for Windows XP (KB945553)
Security Update for Windows XP (KB946026)
Security Update for Windows XP (KB946648)
Security Update for Windows XP (KB947864)
Security Update for Windows XP (KB948590)
Security Update for Windows XP (KB948881)
Security Update for Windows XP (KB950749)
Security Update for Windows XP (KB950759)
Security Update for Windows XP (KB950760)
Security Update for Windows XP (KB950762)
Security Update for Windows XP (KB950974)
Security Update for Windows XP (KB951066)
Security Update for Windows XP (KB951376-v2)
Security Update for Windows XP (KB951376)
Security Update for Windows XP (KB951698)
Security Update for Windows XP (KB951748)
Security Update for Windows XP (KB952004)
Security Update for Windows XP (KB952954)
Security Update for Windows XP (KB953838)
Security Update for Windows XP (KB953839)
Security Update for Windows XP (KB954211)
Security Update for Windows XP (KB954600)
Security Update for Windows XP (KB955069)
Security Update for Windows XP (KB956390)
Security Update for Windows XP (KB956391)
Security Update for Windows XP (KB956572)
Security Update for Windows XP (KB956802)
Security Update for Windows XP (KB956803)
Security Update for Windows XP (KB956841)
Security Update for Windows XP (KB957095)
Security Update for Windows XP (KB957097)
Security Update for Windows XP (KB958215)
Security Update for Windows XP (KB958644)
Security Update for Windows XP (KB958687)
Security Update for Windows XP (KB958690)
Security Update for Windows XP (KB959426)
Security Update for Windows XP (KB960225)
Security Update for Windows XP (KB960714)
Security Update for Windows XP (KB960715)
Security Update for Windows XP (KB960803)
Security Update for Windows XP (KB961373)
Security Update for Windows XP (KB963027)
SFR
SHASTA
SKIN0001
SkinsHP1
SkinsHP2
SKINXSDK
Spybot - Search & Destroy
Spybot - Search & Destroy 1.4
TrayApp
Unity Web Player
Unload
Update for Windows XP (KB894391)
Update for Windows XP (KB896727)
Update for Windows XP (KB898461)
Update for Windows XP (KB900485)
Update for Windows XP (KB910437)
Update for Windows XP (KB916595)
Update for Windows XP (KB920872)
Update for Windows XP (KB922582)
Update for Windows XP (KB927891)
Update for Windows XP (KB929338)
Update for Windows XP (KB930916)
Update for Windows XP (KB931836)
Update for Windows XP (KB933360)
Update for Windows XP (KB936357)
Update for Windows XP (KB938828)
Update for Windows XP (KB942763)
Update for Windows XP (KB942840)
Update for Windows XP (KB946627)
Update for Windows XP (KB951072-v2)
Update for Windows XP (KB955839)
Update for Windows XP (KB967715)
VistaPrint Electronic Business Card
VPRINTOL
WebFldrs XP
WebReg
Windows Imaging Component
Windows Installer 3.1 (KB893803)
Windows Live OneCare safety scanner
Windows Media Format 11 runtime
Windows Media Player 10
Windows Media Player 11
Windows XP Hotfix - KB873333
Windows XP Hotfix - KB873339
Windows XP Hotfix - KB885250
Windows XP Hotfix - KB885835
Windows XP Hotfix - KB885836
Windows XP Hotfix - KB886185
Windows XP Hotfix - KB887472
Windows XP Hotfix - KB887742
Windows XP Hotfix - KB888113
Windows XP Hotfix - KB888302
Windows XP Hotfix - KB888310
Windows XP Hotfix - KB890175
Windows XP Hotfix - KB890859
Windows XP Hotfix - KB890923
Windows XP Hotfix - KB891781
Windows XP Hotfix - KB893086
WinZip
WIRELESS
WordPerfect Office 12

==== Event Viewer Messages From Past Week ========

5/30/2009 9:49:24 AM, error: Service Control Manager [7009] - Timeout (30000 milliseconds) waiting for the Automatic LiveUpdate Scheduler service to connect.
5/30/2009 9:49:24 AM, error: Service Control Manager [7000] - The Automatic LiveUpdate Scheduler service failed to start due to the following error: The service did not respond to the start or control request in a timely fashion.
5/28/2009 2:29:39 PM, error: Service Control Manager [7009] - Timeout (30000 milliseconds) waiting for the PEVSystemStart service to connect.
5/25/2009 5:05:56 PM, error: Service Control Manager [7000] - The Windows Management Licence Service service failed to start due to the following error: The system cannot find the file specified.
5/25/2009 5:04:37 PM, error: NETLOGON [5719] - No Domain Controller is available for domain IPLS due to the following: There are currently no logon servers available to service the logon request. . Make sure that the computer is connected to the network and try again. If the problem persists, please contact your domain administrator.
5/23/2009 8:57:53 AM, error: Service Control Manager [7034] - The Automatic LiveUpdate Scheduler service terminated unexpectedly. It has done this 1 time(s).
5/23/2009 8:23:21 AM, error: Windows Update Agent [20] - Installation Failure: Windows failed to install the following update with error 0x80070652: Security Update for Microsoft PowerPoint 2003 (KB957784).

==== End Of File ===========================
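As an added triage example (not from the thread, the helper, or any tool named in it): a Python script that applies, over constructed sample lines copied from the HijackThis and DDS logs above, the checks a removal helper makes by eye when picking entries for a fix: a service whose binary is missing, svchost.exe outside System32, a service binary inside a dot-prefixed directory, a Winlogon Notify entry that names a directory instead of a DLL, and a system+hidden executable. The allow-list of System32-only binaries and the reason strings are this example's own assumptions.

```python
"""Triage HijackThis / DDS log lines for the signs a removal helper looks for.
Added example for this thread, not part of any tool named in it."""
import re
from typing import List, Optional, Tuple

# Constructed sample: benign and suspicious lines copied from the HJT and DDS
# logs posted in the thread.  The DDS attribute field reads a=archive,
# d=directory, s=system, h=hidden, r=read-only.
SAMPLE_LOG = r"""
O4 - HKLM\..\Run: [avgnt] "C:\Program Files\Avira\AntiVir PersonalEdition Classic\avgnt.exe" /min
O20 - Winlogon Notify: awtqo - C:\WINDOWS\
O23 - Service: Microsoft DDE+ server (cc9b6bee) - Unknown owner - C:\WINDOWS\system32\.cc9b6bee\cc9b6bee.exe (file missing)
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: Windows Management Licence Service (WMSLService) - Unknown owner - C:\WINDOWS\inf\svchost.exe (file missing)
S2 WMSLService;Windows Management Licence Service;c:\windows\inf\svchost.exe --> c:\windows\inf\svchost.exe [?]
R2 AntiVirService;Avira AntiVir Personal - Free Antivirus Guard;c:\program files\avira\antivir personaledition classic\avguard.exe [2009-1-26 151297]
2009-01-30 16:12 2,098 ---sh--- c:\windows\system32\rurobahe.exe
2009-05-26 13:19 19,096 a------- c:\windows\system32\drivers\mbam.sys
"""

# First drive-letter path on a line, with or without surrounding quotes.
PATH_RE = re.compile(r'"?([a-z]:\\[^"\r\n]*?\.(?:exe|dll|sys|scr|ocx))', re.IGNORECASE)

# Core Windows XP binaries that belong only in System32; the same file name
# anywhere else (the log's c:\windows\inf\svchost.exe) is a classic masquerade.
# Assumption: a deliberately short allow-list for the example, not a complete one.
EXPECTED_HOME = {
    "svchost.exe": r"c:\windows\system32",
    "services.exe": r"c:\windows\system32",
    "lsass.exe": r"c:\windows\system32",
}


def first_path(text: str) -> Optional[str]:
    """Lower-cased first executable path on the line, or None."""
    m = PATH_RE.search(text)
    return m.group(1).lower() if m else None


def check_path(path: str) -> List[str]:
    """Path-level checks shared by HJT and DDS entries (path is lower-cased)."""
    reasons = []
    folder, _, name = path.rpartition("\\")
    if name in EXPECTED_HOME and folder != EXPECTED_HOME[name]:
        reasons.append(f"{name} outside {EXPECTED_HOME[name]}")
    if any(part.startswith(".") for part in folder.split("\\")):
        reasons.append("binary in a dot-prefixed directory")
    return reasons


def triage_line(line: str) -> List[Tuple[str, str]]:
    """Return (reason, item) pairs for one HJT or DDS log line."""
    line = line.strip()
    findings: List[Tuple[str, str]] = []
    # O20: a Winlogon Notify package must name a DLL; a bare directory means
    # HJT could not resolve the DLL registered to load at logon.
    m = re.match(r"O20 - Winlogon Notify: (\S+) - (.+)$", line)
    if m and m.group(2).endswith("\\"):
        findings.append(("winlogon notify entry with no DLL", m.group(1)))
    # O23: a registered service whose binary the Service Control Manager
    # cannot find (often the remains of a partially removed infection).
    if line.startswith("O23 ") and "(file missing)" in line:
        findings.append(("service binary missing on disk", first_path(line) or line))
    # DDS "Created Last 30" / Find3M rows: system+hidden attributes together
    # are unusual for a loose executable under System32.
    m = re.match(r"\d{4}-\d\d-\d\d \d\d:\d\d \S+ (\S{8}) (.+)$", line)
    if m and "s" in m.group(1) and "h" in m.group(1):
        findings.append(("system+hidden file", m.group(2).lower()))
    # Path checks on whatever binary the line names.
    path = first_path(line)
    if path:
        findings.extend((reason, path) for reason in check_path(path))
    return findings


def triage_log(text: str) -> List[Tuple[str, str]]:
    """Run triage_line over every line of a pasted log."""
    findings: List[Tuple[str, str]] = []
    for line in text.splitlines():
        findings.extend(triage_line(line))
    return findings


if __name__ == "__main__":
    for reason, item in triage_log(SAMPLE_LOG):
        print(f"{reason:40s} {item}")
```

Every flagged item in the sample corresponds to an entry the helper's fix script below removes; the Avira, HP and Malwarebytes lines pass untouched.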

#16 AdvancedSetup

    Staff

  • Root Admin
  • 41,130 posts
  • Gender:Male
  • Location:US

Posted 30 May 2009 - 10:39 PM

STEP 01
Download but do not yet run ComboFix
If you have a previous version of Combofix.exe, delete it and download a fresh copy.
Download it to your DESKTOP - it MUST run from the Desktop
download.bleepingcomputer.com/sUBs/ComboFix.exe
subs.geekstogo.com/ComboFix.exe

Using your mouse, highlight and then Right-click | Copy the entire contents of the Code box below, including blank lines.
KILLALL::

AtJob::

Driver::
cc9b6bee
WMSLService
awtqo

Folder::
C:\32788R22FWJFW(2)

File::
c:\windows\system32\rurobahe.exe
c:\windows\system32\.cc9b6bee\cc9b6bee.exe
c:\windows\inf\svchost.exe

Registry::
[-HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\awtqo]
[-HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\cc9b6bee]

Open a new Notepad session (do not use a Word Processor or WordPad). Click "Format" and be certain that Word Wrap is not enabled. Right-click | Paste the Code box contents from above into Notepad. Click File, Save as..., set the location to your Desktop, and enter (including quotation marks) as the filename: "CFscript.txt".

Using your mouse, drag the new file CFscript.txt and drop it on the Combo-Fix.exe icon as shown:
[screenshot in the original post: CFscript.txt being dropped onto the Combo-Fix.exe icon]
  • Important: Have no other programs running. Your Task Bar should be clear of any program entries including your Browser.
  • Disconnect from the Internet.
  • Disable your Antivirus software. If it has Script Blocking features, please disable these as well.
  • A window may open with a series of Disclaimers. Accept the Disclaimers to start the fix.
  • It may identify that Recovery Console is not installed. Please accept when asked if you wish it to be installed.
    When the scan completes, Notepad will open with your results log. Do a File, Exit.
A caution - Do not run Combofix more than once. Do not touch your mouse/keyboard until the scan has completed, as this may cause the process to stall or your computer to lock. The scan will temporarily disable your desktop, and if interrupted may leave your desktop disabled. If this occurs, please reboot to restore the desktop. Even when ComboFix appears to be doing nothing, look at your Drive light. If it is flashing, Combofix is still at work.

Post back the Combofix log on your next reply.

STEP 02
With all other applications closed (Taskbar empty), open HijackThis again,
run "Do a system scan only" and place a check mark on the following items.
  • O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
  • O2 - BHO: (no name) - {BDF3E430-B101-42AD-A544-FADC6B084872} - (no file)
  • O4 - HKLM\..\RunOnce: [Malwarebytes' Anti-Malware] C:\Program Files\Malwarebytes' Anti-Malware\mbamgui.exe /install /silent
  • O4 - Startup: Imation_Flash_Detect.lnk = C:\Documents and Settings\KLO.IPLS\Local Settings\Temp\Imation\USB_ImationFlashDetect.exe
  • O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
  • O20 - Winlogon Notify: awtqo - C:\WINDOWS\
    Then Quit All Browsers including the one you're reading this in now.
    Then click on Fix checked and then quit HJT

STEP 03
Update and Scan with Malwarebytes' Anti-Malware
  • Start MalwareBytes AntiMalware (Vista users must Right click and choose RunAs Admin)
  • Please DO NOT run MBAM in Safe Mode unless requested to, you MUST run it in normal Windows mode.
  • Update Malwarebytes' Anti-Malware: select the Update tab and click Update.
  • When the update is complete, select the Scanner tab
  • Select Perform quick scan, then click Scan.
  • When the scan is complete, click OK, then Show Results to view the results.
  • Be sure that everything is checked, and click Remove Selected.
  • When completed, a log will open in Notepad. please copy and paste the log into your next reply
    • If you accidentally close it, the log file is saved here and will be named like this:
    • C:\Documents and Settings\Username\Application Data\Malwarebytes\Malwarebytes' Anti-Malware\Logs\mbam-log-date (time).txt
Then post back the MBAM log and a new Hijackthis log.

STEP 04
Please uninstall the following software.
Panda ActiveScan 2.0 is anti-virus software that was used before and is still loading a driver. Your AV appears to be Avira now, so please remove this one via Control Panel, Add/Remove.

These versions of Adobe Acrobat are potentially exploited. I would recommend removal and install the latest 9.1.1 Adobe Reader. Then also check for Adobe updates for critical security updates.
Adobe Acrobat - Reader 6.0.2 Update
Adobe Reader 6.0.1
Adobe Reader 8.1.2


Same here... Flash player should be removed and updated to 10.x from Adobe
Adobe Flash Player 9 ActiveX

Nothing wrong here, just seems an odd program for a Law Office :-)
DVD Decrypter (Remove Only)

These are all from Symantec / Norton, but I don't see their main programs on the system anymore. If you had Norton AV or similar before and are no longer using it, then you can remove these 3 items.
LiveReg (Symantec Corporation)
LiveUpdate 3.0 (Symantec Corporation)
Norton WMI Update


One or both of these versions are old and should be removed and updated if you want to continue to use them.
DO NOT use the TEA TIMER though. In fact just leave Spybot alone until we're all done.
Spybot - Search & Destroy
Spybot - Search & Destroy 1.4


These Java versions have been exploited and need to be removed.
J2SE Runtime Environment 5.0 Update 12
Java 2 Runtime Environment, SE v1.4.2_03
Java™ 6 Update 2


Please go into the Control Panel, Add/Remove and for now remove ALL versions of JAVA
J2SE Runtime Environment 5.0 Update 12
Java 2 Runtime Environment, SE v1.4.2_03
Java™ 6 Update 2


Then run this tool to help cleanup any left over Java
Your Java is out of date. Older versions have vulnerabilities that malware can use to infect your system.
Please download JavaRa and unzip it to your desktop.
***Please close any instances of Internet Explorer (or other web browser) before continuing!***
  • Double-click on JavaRa.exe to start the program.
  • From the drop-down menu, choose English and click on Select.
  • JavaRa will open; click on Remove Older Versions to remove the older versions of Java installed on your computer.
  • Click Yes when prompted. When JavaRa is done, a notice will appear that a logfile has been produced. Click OK.
  • A logfile will pop up. Please save it to a convenient location and post it back when you reply

    Then look for the following Java folders and if found delete them.
    C:\Program Files\Java
    C:\Program Files\Common Files\Java
    C:\Windows\Sun
    C:\Documents and Settings\All Users\Application Data\Java
    C:\Documents and Settings\All Users\Application Data\Sun\Java
    C:\Documents and Settings\username\Application Data\Java
    C:\Documents and Settings\username\Application Data\Sun\Java


STEP 05
Once the other software has been removed then run this.
  • Download and install CCleaner
  • CCleaner
  • Double-click on the downloaded file "ccsetup219.exe" and install the application.
  • Keep the default installation folder "C:\Program Files\CCleaner"
  • Uncheck "Add CCleaner Yahoo! Toolbar and use CCleaner from your browser"
  • Click finish when done and close ALL PROGRAMS
  • Start the CCleaner program.
  • Click on Registry and Uncheck Registry Integrity so that it does not run (basically the very top, uncheck it)
  • Click on Options - Advanced and Uncheck "Only delete files in Windows Temp folders older than 48 hours"
  • Click back to Cleaner and under SYSTEM uncheck the Memory Dumps and Windows Log Files
  • Click on Run Cleaner button on the bottom right side of the program.
  • Click OK to any prompts

STEP 06
Restart the computer

STEP 07
Download and Update Java Runtime
The most current version of Sun Java is: Java Runtime Environment (JRE) 6 Update 13.
  • Go to http://java.sun.com/...loads/index.jsp
  • Go to Java Runtime Environment (JRE) 6 Update 13 about half way down the page and click on the Download button.
  • In Platform box choose Windows.
  • Check the box to Accept License Agreement and click Continue.
  • Click on Windows Offline Installation, click on the link under it which says jre-6u13-windows-i586-p.exe and save the downloaded file to your desktop.
  • Install the new version by running the newly-downloaded file with the java icon which will be on your desktop, and follow the on-screen instructions.
  • Uncheck the Toolbar button (unless you want the toolbar)
  • Reboot your computer

Ron Lewis
Forum Community Manager

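STEP 02 above hand-picks the HijackThis entries to fix. As an added example, not part of the original post and not code from HijackThis or Malwarebytes, the following Python script applies the same reasoning as a first automated triage pass over an HJT log: it parses entries of the form "O4 - ..." and flags orphaned BHOs, autoruns launched from a Temp directory, IE policy restrictions, Trusted Zone additions, DNS servers outside private address ranges, Winlogon Notify handlers that name no DLL, and services pointing at missing files. The sample lines are constructed for this example, modeled on the STEP 02 entries and on benign lines from the poster's later logs; the severity labels, regexes and reason strings are this example's own assumptions, not HijackThis rules.

```python
import ipaddress
import re

# Constructed sample lines for this example, modeled on the STEP 02 entries
# and on benign entries from the poster's later logs. Not a real captured log.
SAMPLE_HJT_LOG = r"""
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O2 - BHO: (no name) - {BDF3E430-B101-42AD-A544-FADC6B084872} - (no file)
O4 - HKLM\..\Run: [avgnt] "C:\Program Files\Avira\AntiVir PersonalEdition Classic\avgnt.exe" /min
O4 - Startup: Imation_Flash_Detect.lnk = C:\Documents and Settings\KLO.IPLS\Local Settings\Temp\Imation\USB_ImationFlashDetect.exe
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O15 - Trusted Zone: http://*.saas-elearn.org
O17 - HKLM\System\CCS\Services\Tcpip\..\{ED39E28C-66FE-4B6F-A17A-E54DA18EAECB}: NameServer = 10.0.1.2,209.183.205.35
O20 - Winlogon Notify: awtqo - C:\WINDOWS\
O23 - Service: Kodak Camera Connection Software (KodakCCS) - Unknown owner - C:\WINDOWS\system32\drivers\KodakCCS.exe (file missing)
"""

# "O4 - HKLM\..\Run: ..." -> section "O4", body "HKLM\..\Run: ..."
LINE_RE = re.compile(r"^(?P<section>[RFO]\d+) - (?P<body>.*)$")
# Anything launched out of a Temp directory (user or system) deserves a look.
TEMP_DIR_RE = re.compile(r"\\(Local Settings\\)?Temp\\", re.IGNORECASE)


def parse_line(line):
    """Split an HJT line into (section code, body); None for non-entry lines."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    return m.group("section"), m.group("body")


def triage_line(section, body):
    """Return (severity, reason) for one entry, or None if nothing stands out.

    Severities (high/medium/low) are this example's own assumption, not HJT's.
    """
    if section == "O2":
        if "(no name)" in body or "(no file)" in body:
            return "high", "unnamed or orphaned BHO; harmless to fix, often malware residue"
    elif section == "O4":
        if TEMP_DIR_RE.search(body):
            return "high", "autorun launched from a Temp directory"
    elif section == "O6":
        if r"Policies\Microsoft\Internet Explorer" in body:
            return "medium", "IE policy restriction present; malware sets these to lock settings"
    elif section == "O15":
        return "medium", "Trusted Zone entry relaxes IE security for that site; confirm it is wanted"
    elif section == "O17":
        m = re.search(r"NameServer = (.+)$", body)
        if m:
            public = [ip.strip() for ip in m.group(1).split(",")
                      if not ipaddress.ip_address(ip.strip()).is_private]
            if public:
                return "medium", ("DNS server(s) outside private ranges: %s; "
                                  "verify they belong to your ISP" % ", ".join(public))
    elif section == "O20":
        # Winlogon Notify DLLs load into winlogon.exe at logon. A random name
        # with no DLL filename (path ends in a backslash) is classic persistence.
        path = body.rsplit(" - ", 1)[-1].strip()
        if path.endswith("\\") or not path.lower().endswith(".dll"):
            return "high", "Winlogon Notify handler without a DLL filename"
    elif section == "O23":
        if "(file missing)" in body:
            return "low", "service points at a missing file; orphaned entry"
    return None


def triage(log_text):
    """Run every entry through triage_line; return flagged entries in log order."""
    findings = []
    for raw in log_text.splitlines():
        parsed = parse_line(raw)
        if parsed is None:
            continue
        section, body = parsed
        verdict = triage_line(section, body)
        if verdict is not None:
            severity, reason = verdict
            findings.append({"section": section, "severity": severity,
                             "reason": reason, "line": raw.strip()})
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_HJT_LOG):
        print("[%-6s] %-4s %s\n         %s" % (f["severity"], f["section"], f["reason"], f["line"]))
```

A flagged line is a prompt for review, not a verdict: the O15 and O17 entries may well be legitimate (an office web application, an ISP resolver), which is why the script rates them as medium rather than high, while the Winlogon Notify entry with a bare "C:\WINDOWS\" path is the one that matches the Vundo-style persistence the CFscript above removes.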


#17 FriscoGirl
Posted 31 May 2009 - 04:39 AM

Thank you, thank you, thank you!!

I tried to follow your instructions, but have had some problems/questions.


STEP 01


Done


STEP 02


Done

However could not find

O4 - HKLM\..\ RunOnce: [Malware . . . .
O20 - Winlogon Notify . . . .


STEP 03


MBAM Log


Malwarebytes' Anti-Malware 1.37
Database version: 2199
Windows 5.1.2600 Service Pack 2

5/31/2009 3:55:28 AM
mbam-log-2009-05-31 (03-55-28).txt

Scan type: Quick Scan
Objects scanned: 98421
Time elapsed: 5 minute(s), 8 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)


HJT Log


Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 3:56:10 AM, on 5/31/2009
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Avira\AntiVir PersonalEdition Classic\sched.exe
C:\Program Files\Avira\AntiVir PersonalEdition Classic\avguard.exe
C:\PCT-SAFE\Firebird\Bin\fbguard.exe
C:\PCT-SAFE\Firebird\Bin\fbserver.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Analog Devices\Core\smax4pnp.exe
C:\Program Files\HP\hpcoretech\hpcmpmgr.exe
C:\WINDOWS\system32\hkcmd.exe
C:\WINDOWS\system32\igfxpers.exe
C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Avira\AntiVir PersonalEdition Classic\avgnt.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\explorer.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://ixquick.com/eng/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft....k/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft....k/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft....k/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.dell4me.com/mywaybiz
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: RealPlayer Download and Record Plugin for Internet Explorer - {3049C3E9-B461-4BC5-8870-4C09146192CA} - C:\Program Files\Real\RealPlayer\rpbrowserrecordplugin.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O4 - HKLM\..\Run: [SoundMAXPnP] C:\Program Files\Analog Devices\Core\smax4pnp.exe
O4 - HKLM\..\Run: [HP Component Manager] "C:\Program Files\HP\hpcoretech\hpcmpmgr.exe"
O4 - HKLM\..\Run: [igfxtray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [igfxhkcmd] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [igfxpers] C:\WINDOWS\system32\igfxpers.exe
O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [Synchronization Manager] %SystemRoot%\system32\mobsync.exe /logon
O4 - HKLM\..\Run: [avgnt] "C:\Program Files\Avira\AntiVir PersonalEdition Classic\avgnt.exe" /min
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O15 - Trusted Zone: http://*.saas-elearn.org
O15 - Trusted Zone: mail.theiplawgroup.com
O16 - DPF: {049A470D-F818-4E34-B14D-E4E237DADCF8} (CPlayFirstFashionDasControl Object) - http://www.shockwave...eb.1.0.0.21.cab
O16 - DPF: {055B4212-4C81-448E-AFA9-C3CA4AAE8F95} (CPlayFirstDairyDashWControl Object) - http://www.shockwave...eb.1.0.0.12.cab
O16 - DPF: {106E49CF-797A-11D2-81A2-00E02C015623} (AlternaTIFF ActiveX) - http://www.alternati.../00/alttiff.cab
O16 - DPF: {195B4BBF-E1E4-4020-9773-0A8C6F65EA35} (CPlayFirstCookingDasControl Object) - http://www.shockwave...Web.1.0.0.9.cab
O16 - DPF: {1A595EDD-978A-48C7-B730-AF3B9CC64DAB} (DLManager Class) - http://63.251.81.180...ZWDLManager.cab
O16 - DPF: {2D8ED06D-3C30-438B-96AE-4D110FDC1FB8} (ActiveScan 2.0 Installer Class) - http://acs.pandasoft...s/as2stubie.cab
O16 - DPF: {3269A168-A467-4236-9D77-FF36D8DFB20F} - https://bis.na.black...M-PwpClient.cab
O16 - DPF: {49232000-16E4-426C-A231-62846947304B} (SysData Class) - http://ipgweb.cce.hp...ads/sysinfo.cab
O16 - DPF: {5ED80217-570B-4DA9-BF44-BE107C0EC166} (Windows Live Safety Center Base Module) - http://cdn.scan.onec...lscbase6662.cab
O16 - DPF: {6715D12F-213F-4C6E-ACE1-8A363F550B96} (CPlayFirstDoggieDashControl Object) - http://www.shockwave...ash.1.0.0.6.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.micros...b?1128752109638
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} -
O16 - DPF: {AB86CE53-AC9F-449F-9399-D8ABCA09EC09} (Get_ActiveX Control) - https://h17000.www1....loadManager.ocx
O16 - DPF: {B516CA4E-A5BA-405C-AFCF-A97F08CC7429} (GoBit Games Player) - http://www.shockwave...esPlayer_v5.cab
O16 - DPF: {EB387D2F-E27B-4D36-979E-847D1036C65D} (QDiagHUpdateObj Class) - http://h30043.www3.h.../qdiagh.cab?326
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = iplawspecialists.com
O17 - HKLM\Software\..\Telephony: DomainName = iplawspecialists.com
O17 - HKLM\System\CCS\Services\Tcpip\..\{ED39E28C-66FE-4B6F-A17A-E54DA18EAECB}: NameServer = 10.0.1.2,209.183.205.35
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = iplawspecialists.com
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: Domain = iplawspecialists.com
O17 - HKLM\System\CS3\Services\Tcpip\Parameters: Domain = iplawspecialists.com
O23 - Service: Avira AntiVir Personal - Free Antivirus Scheduler (AntiVirScheduler) - Avira GmbH - C:\Program Files\Avira\AntiVir PersonalEdition Classic\sched.exe
O23 - Service: Avira AntiVir Personal - Free Antivirus Guard (AntiVirService) - Avira GmbH - C:\Program Files\Avira\AntiVir PersonalEdition Classic\avguard.exe
O23 - Service: Automatic LiveUpdate Scheduler - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
O23 - Service: FireBird Guardian Server (FireBirdGuardian) - The Firebird Project - C:\PCT-SAFE\Firebird\Bin\fbguard.exe
O23 - Service: FireBird Database Server (FireBirdServer) - The Firebird Project - C:\PCT-SAFE\Firebird\Bin\fbserver.exe
O23 - Service: Kodak Camera Connection Software (KodakCCS) - Unknown owner - C:\WINDOWS\system32\drivers\KodakCCS.exe (file missing)
O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
O23 - Service: Intel NCS NetService (NetSvc) - Intel® Corporation - C:\Program Files\Intel\PROSetWired\NCS\Sync\NetSvc.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe

--
End of file - 7866 bytes


FYI - The Shockwave stuff can go - the kids are not supposed to be using my computer for this.


STEP 04

Panda ActiveScan 2.0 - removed

Adobe Acrobat - Reader 6.0.2 Update - removed

Adobe Reader 6.0.1 - removed

Adobe Reader 8.1.2 - removed

DVD Decrypter - my son needed this for school. I just work from home (IP Law - patent, trademark, international) where possible to spend as much time with the kids while they are still kids. I am a ChemE and frustrated with hubby's IT department which "cleaned" my computer early this year after it locked up - upon return found and deleted an additional 189 viruses/trojans. I am now trying to do it myself. :) In my copious spare time of course. I just do not know how you do this. But I am EXTREMELY grateful.

LiveReg - removed

LiveUpdate3.0 - removed

Norton WMI Update - removed

Spybot - left alone for now


J2SE Runtime Environment 5.0 Update 12 - NOT FOUND


Java 2 Runtime Environment, SE v1.4.2_03 - removed

Java™ 6 Update 2 - removed


Used JavaRa and removed all but the "Sun" folders as they could not be found.


STEP 05

Ran CCleaner - On step for Registry - did not see uncheck Registry Integrity - so unchecked all


STEP 06


Done - after each step I did this - just using an over abundance of caution - also do this after each scan.



STEP 07


Did not do yet.

They had Update 14, Update 13 JavaFX SDK, Update 13 Java EE, and Update 13 Netbeans 6.5.1.

Which do I use??



Also will Acrobat and Acrobat Flash shortly. After all this junk is cleared up and you give the go ahead.


THANKS, THANKS, THANKS!!

FriscoGirl

From Frisco, NC - not the city by the bay. Though both are absolutely gorgeous.

#18 AdvancedSetup (Staff, Root Admin)
Posted 31 May 2009 - 09:07 PM

Great, those other errors and missing items are due to the other program removing them for us so no issue there.

How is the computer running now? Are there still any signs of an infection?

Yes it seems Java updated to 14 a couple days ago. Here is an updated message for that.

Download and Update Java Runtime
The most current version of Sun Java is: Java Runtime Environment (JRE) 6 Update 14.
  • Go to http://java.sun.com/...loads/index.jsp
  • Go to Java Runtime Environment (JRE) 6 Update 14 about half way down the page and click on the Download button.
  • In Platform box choose Windows.
  • Check the box to Accept License Agreement and click Continue.
  • Click on Windows Offline Installation, click on the link under it which says jre-6u14-windows-i586.exe and save the downloaded file to your desktop.
  • Install the new version by running the newly-downloaded file with the java icon which will be on your desktop, and follow the on-screen instructions.
  • Uncheck the Toolbar button (unless you want the toolbar)
  • Reboot your computer




After you do that, then let's do an Online AV scan to make sure nothing else is found.

This will take a while to download and run so get a snack and some coffee


Run Kaspersky Online AV Scanner

Please go to Kaspersky website and perform an online antivirus scan.
  • Read through the requirements and privacy statement and click on Accept button.
  • It will start downloading and installing the scanner and virus definitions. You will be prompted to install an application from Kaspersky. Click Run.
  • When the downloads have finished, click on Settings.
  • Make sure these boxes are checked (ticked). If they are not, please tick them and click on the Save button:
    • Spyware, Adware, Dialers, and other potentially dangerous programs
    • Archives
    • Mail databases
  • Click on My Computer under Scan and then put the kettle on!
  • Once the scan is complete, it will display the results. Click on View Scan Report.
  • You will see a list of infected items there. Click on Save Report As....
  • Save this report to a convenient place like your Desktop. Change the Files of type to Text file (.txt) before clicking on the Save button.
  • Copy and paste the report into your next reply along with a fresh HJT log and a description of how your PC is behaving.

Ron Lewis
Forum Community Manager



#19 FriscoGirl
Posted 01 June 2009 - 06:54 AM

The computer is running much better. I can now update and run Avira and Malwarebytes. I can now also access My Computer and the Control Panel. Firefox keeps crashing - perhaps it is just a feature of Firefox. But it seems more secure than IE.

What do I do now??

The Kaspersky Log is


--------------------------------------------------------------------------------
KASPERSKY ONLINE SCANNER 7.0 REPORT
Monday, June 1, 2009
Operating System: Microsoft Windows XP Professional Service Pack 2 (build 2600)
Kaspersky Online Scanner version: 7.0.26.13
Program database last update: Monday, June 01, 2009 08:41:31
Records in database: 2289664
--------------------------------------------------------------------------------

Scan settings:
Scan using the following database: extended
Scan archives: yes
Scan mail databases: yes

Scan area - My Computer:
C:\
D:\

Scan statistics:
Files scanned: 94504
Threat name: 5
Infected objects: 31
Suspicious objects: 0
Duration of the scan: 03:14:56


File name / Threat name / Threats count
C:\Documents and Settings\KLO.IPLS\Desktop\Programs\SUPPORT.zip Infected: not-a-virus:RemoteAdmin.Win32.WinVNC.4 2
C:\Qoobox\Quarantine\C\WINDOWS\system32\ehjcrz.dll.vir Infected: Trojan-Downloader.Win32.Agent.bhiy 1
C:\Qoobox\Quarantine\C\WINDOWS\system32\jgamxv.dll.vir Infected: Trojan.Win32.Agent.bqeg 1
C:\Qoobox\Quarantine\C\WINDOWS\system32\jlpsoq.dll.vir Infected: Packed.Win32.Krap.p 1
C:\Qoobox\Quarantine\C\WINDOWS\system32\kenayiba.dll.vir Infected: Packed.Win32.Krap.p 1
C:\Qoobox\Quarantine\C\WINDOWS\system32\litijihi.dll.vir Infected: Trojan.Win32.Agent.bqeg 1
C:\Qoobox\Quarantine\C\WINDOWS\system32\mrfohd.dll.vir Infected: Trojan.Win32.Agent.bqeg 1
C:\Qoobox\Quarantine\C\WINDOWS\system32\mupdvm.dll.vir Infected: Trojan.Win32.Agent.bqeg 1
C:\Qoobox\Quarantine\C\WINDOWS\system32\nafazoye.dll.vir Infected: Trojan-Downloader.Win32.Agent.bhiy 1
C:\Qoobox\Quarantine\C\WINDOWS\system32\nwlics.dll.vir Infected: Trojan.Win32.Agent.bqeg 1
C:\Qoobox\Quarantine\C\WINDOWS\system32\pivtrt.dll.vir Infected: Trojan.Win32.Agent.bqeg 1
C:\Qoobox\Quarantine\C\WINDOWS\system32\togehupe.dll.vir Infected: Trojan.Win32.Agent.bqeg 1
C:\Qoobox\Quarantine\C\WINDOWS\system32\wilawape.dll.vir Infected: Trojan.Win32.Agent.bqeg 1
C:\System Volume Information\_restore{46DE8921-1D39-44D2-A9E9-64119261F211}\RP1235\A0108707.dll Infected: Trojan-Downloader.Win32.Agent.bhjb 1
C:\System Volume Information\_restore{46DE8921-1D39-44D2-A9E9-64119261F211}\RP1235\A0108708.dll Infected: Trojan.Win32.Agent.bqeg 1
C:\System Volume Information\_restore{46DE8921-1D39-44D2-A9E9-64119261F211}\RP1235\A0108709.dll Infected: Trojan.Win32.Agent.bqeg 1
C:\System Volume Information\_restore{46DE8921-1D39-44D2-A9E9-64119261F211}\RP1244\A0142351.dll Infected: Trojan.Win32.Agent.bqeg 1
C:\System Volume Information\_restore{46DE8921-1D39-44D2-A9E9-64119261F211}\RP1246\A0160005.dll Infected: Trojan.Win32.Agent.bqeg 1
C:\System Volume Information\_restore{46DE8921-1D39-44D2-A9E9-64119261F211}\RP1253\A0162992.dll Infected: Trojan-Downloader.Win32.Agent.bhiy 1
C:\System Volume Information\_restore{46DE8921-1D39-44D2-A9E9-64119261F211}\RP1253\A0163008.dll Infected: Trojan.Win32.Agent.bqeg 1
C:\System Volume Information\_restore{46DE8921-1D39-44D2-A9E9-64119261F211}\RP1253\A0163009.dll Infected: Packed.Win32.Krap.p 1
C:\System Volume Information\_restore{46DE8921-1D39-44D2-A9E9-64119261F211}\RP1253\A0163010.dll Infected: Packed.Win32.Krap.p 1
C:\System Volume Information\_restore{46DE8921-1D39-44D2-A9E9-64119261F211}\RP1253\A0163011.dll Infected: Trojan.Win32.Agent.bqeg 1
C:\System Volume Information\_restore{46DE8921-1D39-44D2-A9E9-64119261F211}\RP1253\A0163012.dll Infected: Trojan.Win32.Agent.bqeg 1
C:\System Volume Information\_restore{46DE8921-1D39-44D2-A9E9-64119261F211}\RP1253\A0163013.dll Infected: Trojan.Win32.Agent.bqeg 1
C:\System Volume Information\_restore{46DE8921-1D39-44D2-A9E9-64119261F211}\RP1253\A0163014.dll Infected: Trojan-Downloader.Win32.Agent.bhiy 1
C:\System Volume Information\_restore{46DE8921-1D39-44D2-A9E9-64119261F211}\RP1253\A0163015.dll Infected: Trojan.Win32.Agent.bqeg 1
C:\System Volume Information\_restore{46DE8921-1D39-44D2-A9E9-64119261F211}\RP1253\A0163021.dll Infected: Trojan.Win32.Agent.bqeg 1
C:\System Volume Information\_restore{46DE8921-1D39-44D2-A9E9-64119261F211}\RP1253\A0163023.dll Infected: Trojan.Win32.Agent.bqeg 1
C:\System Volume Information\_restore{46DE8921-1D39-44D2-A9E9-64119261F211}\RP1253\A0163026.dll Infected: Trojan.Win32.Agent.bqeg 1

The selected area was scanned.


HJT Log is

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 7:50:52 AM, on 6/1/2009
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Avira\AntiVir PersonalEdition Classic\sched.exe
C:\Program Files\Avira\AntiVir PersonalEdition Classic\avguard.exe
C:\PCT-SAFE\Firebird\Bin\fbguard.exe
C:\PCT-SAFE\Firebird\Bin\fbserver.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Analog Devices\Core\smax4pnp.exe
C:\Program Files\HP\hpcoretech\hpcmpmgr.exe
C:\WINDOWS\system32\hkcmd.exe
C:\WINDOWS\system32\igfxpers.exe
C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Avira\AntiVir PersonalEdition Classic\avgnt.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Java\jre6\bin\java.exe
C:\Documents and Settings\KLO.IPLS\Local Settings\temp\jkos-klo\binaries\ScanningProcess.exe
C:\WINDOWS\system32\WISPTIS.EXE
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://ixquick.com/eng/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft....k/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft....k/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft....k/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.dell4me.com/mywaybiz
O2 - BHO: RealPlayer Download and Record Plugin for Internet Explorer - {3049C3E9-B461-4BC5-8870-4C09146192CA} - C:\Program Files\Real\RealPlayer\rpbrowserrecordplugin.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: Java™ Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O4 - HKLM\..\Run: [SoundMAXPnP] C:\Program Files\Analog Devices\Core\smax4pnp.exe
O4 - HKLM\..\Run: [HP Component Manager] "C:\Program Files\HP\hpcoretech\hpcmpmgr.exe"
O4 - HKLM\..\Run: [igfxtray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [igfxhkcmd] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [igfxpers] C:\WINDOWS\system32\igfxpers.exe
O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [Synchronization Manager] %SystemRoot%\system32\mobsync.exe /logon
O4 - HKLM\..\Run: [avgnt] "C:\Program Files\Avira\AntiVir PersonalEdition Classic\avgnt.exe" /min
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O15 - Trusted Zone: http://*.saas-elearn.org
O15 - Trusted Zone: mail.theiplawgroup.com
O16 - DPF: {049A470D-F818-4E34-B14D-E4E237DADCF8} (CPlayFirstFashionDasControl Object) - http://www.shockwave...eb.1.0.0.21.cab
O16 - DPF: {055B4212-4C81-448E-AFA9-C3CA4AAE8F95} (CPlayFirstDairyDashWControl Object) - http://www.shockwave...eb.1.0.0.12.cab
O16 - DPF: {106E49CF-797A-11D2-81A2-00E02C015623} (AlternaTIFF ActiveX) - http://www.alternati.../00/alttiff.cab
O16 - DPF: {195B4BBF-E1E4-4020-9773-0A8C6F65EA35} (CPlayFirstCookingDasControl Object) - http://www.shockwave...Web.1.0.0.9.cab
O16 - DPF: {1A595EDD-978A-48C7-B730-AF3B9CC64DAB} (DLManager Class) - http://63.251.81.180...ZWDLManager.cab
O16 - DPF: {3269A168-A467-4236-9D77-FF36D8DFB20F} - https://bis.na.black...M-PwpClient.cab
O16 - DPF: {49232000-16E4-426C-A231-62846947304B} (SysData Class) - http://ipgweb.cce.hp...ads/sysinfo.cab
O16 - DPF: {5ED80217-570B-4DA9-BF44-BE107C0EC166} (Windows Live Safety Center Base Module) - http://cdn.scan.onec...lscbase6662.cab
O16 - DPF: {6715D12F-213F-4C6E-ACE1-8A363F550B96} (CPlayFirstDoggieDashControl Object) - http://www.shockwave...ash.1.0.0.6.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.micros...b?1128752109638
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} -
O16 - DPF: {AB86CE53-AC9F-449F-9399-D8ABCA09EC09} (Get_ActiveX Control) - https://h17000.www1....loadManager.ocx
O16 - DPF: {B516CA4E-A5BA-405C-AFCF-A97F08CC7429} (GoBit Games Player) - http://www.shockwave...esPlayer_v5.cab
O16 - DPF: {EB387D2F-E27B-4D36-979E-847D1036C65D} (QDiagHUpdateObj Class) - http://h30043.www3.h.../qdiagh.cab?326
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = iplawspecialists.com
O17 - HKLM\Software\..\Telephony: DomainName = iplawspecialists.com
O17 - HKLM\System\CCS\Services\Tcpip\..\{ED39E28C-66FE-4B6F-A17A-E54DA18EAECB}: NameServer = 10.0.1.2,209.183.205.35
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = iplawspecialists.com
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: Domain = iplawspecialists.com
O17 - HKLM\System\CS3\Services\Tcpip\Parameters: Domain = iplawspecialists.com
O23 - Service: Avira AntiVir Personal - Free Antivirus Scheduler (AntiVirScheduler) - Avira GmbH - C:\Program Files\Avira\AntiVir PersonalEdition Classic\sched.exe
O23 - Service: Avira AntiVir Personal - Free Antivirus Guard (AntiVirService) - Avira GmbH - C:\Program Files\Avira\AntiVir PersonalEdition Classic\avguard.exe
O23 - Service: FireBird Guardian Server (FireBirdGuardian) - The Firebird Project - C:\PCT-SAFE\Firebird\Bin\fbguard.exe
O23 - Service: FireBird Database Server (FireBirdServer) - The Firebird Project - C:\PCT-SAFE\Firebird\Bin\fbserver.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: Kodak Camera Connection Software (KodakCCS) - Unknown owner - C:\WINDOWS\system32\drivers\KodakCCS.exe (file missing)
O23 - Service: Intel NCS NetService (NetSvc) - Intel® Corporation - C:\Program Files\Intel\PROSetWired\NCS\Sync\NetSvc.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe

--
End of file - 7873 bytes
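The report above lists 31 infected objects, and the next reply explains why that is not alarming: apart from SUPPORT.zip, every hit sits either in ComboFix's quarantine folder (C:\Qoobox\Quarantine, files renamed with a .vir suffix) or inside a System Restore point under System Volume Information. As an added example, not part of the original thread and not Kaspersky's or Malwarebytes' code, the following Python script makes that judgement mechanically: it parses report lines of this form and sorts each detection into quarantined, restore_point, riskware, archived or live, so the reader sees at a glance which hits still need action. The sample lines are constructed, modeled on the report above with the username shortened and one invented live path (C:\WINDOWS\system32\example.dll) added to show the category that would matter; the category names and the notes attached to them are this example's assumptions.

```python
import re

# Constructed sample report lines in the Kaspersky Online Scanner 7 format,
# modeled on the thread's report. The C:\WINDOWS\system32\example.dll line is
# invented to show what a hit in a live location would look like.
SAMPLE_REPORT = r"""
File name / Threat name / Threats count
C:\Documents and Settings\user\Desktop\Programs\SUPPORT.zip Infected: not-a-virus:RemoteAdmin.Win32.WinVNC.4 2
C:\Qoobox\Quarantine\C\WINDOWS\system32\ehjcrz.dll.vir Infected: Trojan-Downloader.Win32.Agent.bhiy 1
C:\System Volume Information\_restore{46DE8921-1D39-44D2-A9E9-64119261F211}\RP1253\A0163009.dll Infected: Packed.Win32.Krap.p 1
C:\WINDOWS\system32\example.dll Infected: Trojan.Win32.Agent.bqeg 1

The selected area was scanned.
"""

# "<path> Infected: <threat name> <count>"
LINE_RE = re.compile(r"^(?P<path>.+?) Infected: (?P<threat>\S+) (?P<count>\d+)$")
# ComboFix stores what it removed under C:\Qoobox\Quarantine with a .vir suffix.
QUARANTINE_RE = re.compile(r"\\Qoobox\\Quarantine\\|\.vir$", re.IGNORECASE)
# System Restore keeps copies of replaced files under _restore{GUID}\RPnnn.
RESTORE_RE = re.compile(r"\\System Volume Information\\_restore\{", re.IGNORECASE)
ARCHIVE_RE = re.compile(r"\.(zip|rar|cab|7z)$", re.IGNORECASE)


def classify(path, threat):
    """Map one detection to (category, what to do about it)."""
    if QUARANTINE_RE.search(path):
        return ("quarantined",
                "already neutralized by the cleanup tool; removed when ComboFix is uninstalled")
    if RESTORE_RE.search(path):
        return ("restore_point",
                "inert unless that restore point is applied; flush old restore points")
    if threat.lower().startswith("not-a-virus:"):
        return ("riskware",
                "legitimate tool flagged as potentially unwanted; keep only if installed on purpose")
    if ARCHIVE_RE.search(path):
        return ("archived", "detected inside an archive; inert until extracted")
    return ("live", "in a live location; needs cleanup and a follow-up scan")


def parse_report(text):
    """Yield (path, threat, count) for every detection line in the report."""
    for raw in text.splitlines():
        m = LINE_RE.match(raw.strip())
        if m:
            yield m.group("path"), m.group("threat"), int(m.group("count"))


def triage_report(text):
    """Classify every detection; returns a list of dicts in report order."""
    findings = []
    for path, threat, count in parse_report(text):
        category, note = classify(path, threat)
        findings.append({"path": path, "threat": threat, "count": count,
                         "category": category, "note": note})
    return findings


def summarize(findings):
    """Total threat count per category."""
    totals = {}
    for f in findings:
        totals[f["category"]] = totals.get(f["category"], 0) + f["count"]
    return totals


def needs_action(findings):
    """Only 'live' hits require cleanup; everything else is housekeeping."""
    return [f for f in findings if f["category"] == "live"]


if __name__ == "__main__":
    results = triage_report(SAMPLE_REPORT)
    for f in results:
        print("%-13s %s\n              %s" % (f["category"], f["path"], f["note"]))
    print("totals:", summarize(results))
    print("still need action:", [f["path"] for f in needs_action(results)])
```

Run against the real report, the script would place the twelve .vir hits under quarantined and the eighteen _restore hits under restore_point, leaving only the VNC installer inside SUPPORT.zip as riskware to decide about, which is the same conclusion the next reply reaches by hand.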

#20 AdvancedSetup (Staff, Root Admin)
Posted 01 June 2009 - 01:39 PM

All looks good now.

Those items that Kaspersky found were normal. They were already removed or sitting in the System Restore so make sure you clean out the System Restore as shown below. As for Firefox crashing I would export out the bookmarks and then start uninstalling any plugins and see how it starts to run. If still problematic then do a full uninstall and ensure that all profiles are also removed. Then download the latest version and reinstall it. If you're still having issues with it then open a NEW post in the PC Help forum and we can take a closer look at that.

You can also uninstall the Kaspersky now.

Please run the following to remove any tools that might have been used during the scanning and cleaning of your system.

STEP A

Uninstall ComboFix.exe

  • Click START then RUN
  • Now type Combofix /u (if you renamed Combofix.exe use that name instead) in the runbox and click OK. Note the space between the X and the /U, it needs to be there.

  • When shown the disclaimer, Select "2"
Remove this folder C:\QooBox if the uninstall instructions don't work and delete Combofix.exe AND check your system time and reset if needed


STEP B

Uninstall GMER
Click on START - RUN and type in or copy/paste %windir%\gmer_uninstall.cmd to remove GMER.


STEP C

Uninstall other tools
Please Download OTMoveIt3 by Old Timer and save it to your Desktop.

  • Double-click OTMoveIt3.exe to run it.
  • While connected to the Internet, Click on the green CleanUp! button and it will populate a list of items to clean from your system that we used or may have used.
  • It should ask if you want to clean up, select Yes and allow the system to clean up these items.
    NOW please reboot your computer to finish the cleanup process





Great, all looks good now.

I'll close your post soon so that others don't post into it, and leave you with this information and these suggestions.

So how did I get infected in the first place?


At this time your system appears to be clean. Nothing else in the logs indicates that you are still infected.
Now that you appear to be clean, please follow these simple steps in order to keep your computer clean and secure:

Remove all but the most recent Restore Point on Windows XP

You should Create a New Restore Point to prevent possible reinfection from an old one.
Some of the malware you picked up could have been saved in System Restore.
Since this is a protected directory that your tools cannot access to delete these files, they can sometimes reinfect your system if you accidentally use an old restore point.
Setting a new restore point AFTER cleaning your system will help prevent this and enable your computer to "roll-back" to a clean working state.

The easiest and safest way to do this is:

  • Go to Start > Programs > Accessories > System Tools and click "System Restore".
  • If the shortcut is missing you can also click on START > RUN > and type in %SystemRoot%\system32\restore\rstrui.exe and click OK
  • Choose the radio button marked "Create a Restore Point" on the first screen then click "Next".
  • Give the new Restore Point a name, then click "Create".
  • The new point will be stamped with the current date and time. Keep a log of this so you can find it easily should you need to use System Restore.
  • Then use the Disk Cleanup to remove all but the most recently created Restore Point.
  • Go to Start > Run and type: Cleanmgr.exe
  • Select the drive where Windows is installed and click "Ok". Disk Cleanup will scan your files for several minutes, then open.
  • Click the "More Options" tab, then click the "Clean up" button under System Restore.
  • Click Ok. You will be prompted with "Are you sure you want to delete all but the most recent restore point?"
  • Click Yes, then click Ok.
  • Click Yes again when prompted with "Are you sure you want to perform these actions?"
  • Disk Cleanup will remove the files and close automatically.
  • On the Disk Cleanup tab, if the System Restore: Obsolete Data Stores entry is available remove them also.
  • These are files that were created before Windows was reformatted or reinstalled. They are obsolete and you can delete them.



Additional information
Microsoft KB article: How to turn off and turn on System Restore in Windows XP
Bert Kinney's site: All about Windows System Restore


Here are some free programs I recommend that could help you improve your computer's security.

Install SpyWare Blaster
Download it from here
Find the tutorial on how to use SpyWare Blaster here

Install WinPatrol
Download it from here
You can find information about how WinPatrol works here

Install FireTrust SiteHound
You can find information and download it from here

Install hpHosts
Download it from here
hpHosts is a community managed and maintained hosts file that allows an additional layer of protection against access to ad, tracking and malicious websites. This prevents your computer from connecting to these untrusted sites by redirecting them to 127.0.0.1, which is your own local computer.
hpHosts Support Forum

Update your Antivirus programs and other security products regularly to avoid new threats that could infect your system.
You can use one of these sites to check if any updates are needed for your pc.
Secunia Software Inspector
F-secure Health Check

Visit Microsoft often to get the latest updates for your computer.
http://www.update.microsoft.com
Note 1: If you are running Windows XP SP2, you should upgrade to SP3.
Note 2: Users of Norton Internet Security 2008 should uninstall the software before they install Service Pack 3.
The security suite can then be reinstalled afterwards.

The Windows firewall is not sufficient to protect your system. It doesn't monitor outgoing traffic and this is a must.
I recommend Online Armor Free

A little outdated but good reading on how to prevent Malware

Keep safe online and happy surfing.



Since this issue is resolved I will close the thread to prevent others from posting into it. If you need assistance please start your own topic and someone will be happy to assist you.

The fixes and advice in this thread are for this machine only. Do not apply them to your machine unless you fully understand how these programs work and what you're doing. Please start a thread of your own and someone will be happy to help you; just follow the Pre-HijackThis instructions found here before posting: Pre-HJT Post Instructions


Also don't forget that we offer FREE assistance with General PC questions and repair here PC Help
If you're pleased with the product Malwarebytes and the service provided you, please let your friends, family, and co-workers know. http://www.malwarebytes.org


Ron Lewis
Forum Community Manager

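As an added example that is not part of the original post, the following Python script turns the hosts-file model described above (blocklist entries sinkholed to 127.0.0.1) into a check: it separates harmless loopback sinkholes from entries that send a watched security or update hostname somewhere else, which is worth reviewing on a machine whose security tools cannot update. The sample hosts content, the watch list and the vendor hostnames are constructed for this example.

```python
import ipaddress
from dataclasses import dataclass, field

# Constructed sample of a Windows hosts file (not from this thread): hpHosts-style blocks
# sinkholed to 127.0.0.1, two entries sending vendor hosts to an RFC 5737 address, a bad line.
SAMPLE_HOSTS = """\
# Copyright (c) 1993-1999 Microsoft Corp.
127.0.0.1       localhost
127.0.0.1       ads.example-tracker.test        # hpHosts-style block
127.0.0.1       malware-dropper.example.test    # hpHosts-style block
0.0.0.0         tracker.example.test
203.0.113.7     www.malwarebytes.org
203.0.113.7     update.avira-vendor.test        # made-up vendor host
203.0.113.9     www.example.com
not-an-ip       broken.example.test
"""

# Assumed watch list: hostname suffixes that should never be redirected off-host.
WATCHED_SUFFIXES = ("malwarebytes.org", "avira-vendor.test", "microsoft.com")


@dataclass
class HostsAudit:
    sinkholed: list = field(default_factory=list)   # blocklist-style entries
    redirected: list = field(default_factory=list)  # every (ip, host) sent off-host
    suspicious: list = field(default_factory=list)  # redirects of watched domains
    malformed: list = field(default_factory=list)   # lines that did not parse


def audit_hosts(text: str) -> HostsAudit:
    """Loopback/unspecified targets are sinkholes (the hpHosts model); anything else is a redirect."""
    result = HostsAudit()
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop comments and blank lines
        if not line:
            continue
        target, *hosts = line.split()
        try:
            ip = ipaddress.ip_address(target)
        except ValueError:
            result.malformed.append(raw)
            continue
        for host in (h.lower() for h in hosts):
            if host == "localhost":
                continue  # the stock loopback entry, not a block
            if ip.is_loopback or ip.is_unspecified:
                result.sinkholed.append(host)
            else:
                result.redirected.append((str(ip), host))
                if host.endswith(WATCHED_SUFFIXES):
                    result.suspicious.append((str(ip), host))
    return result
```

On a real system, read `%SystemRoot%\System32\drivers\etc\hosts` into `audit_hosts` and review the `suspicious` list; `malformed` lines also deserve a look, since a legitimate hosts file should have none.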




