
Author Topic: **STILL HAVING PROBLEMS, PLEASE HELP!!**  (Read 14261 times)


mcummings36

    Topic Starter


    Intermediate

    **STILL HAVING PROBLEMS, PLEASE HELP!!**
    « on: December 06, 2008, 03:38:15 PM »
    I've done everything I can find to do on this site, except for the suggestions that specifically state not to use unless they are posted for you. My computer is still not working right! If someone wouldn't mind continuing to help me out, I'd be truly grateful!! Thanks!!
    You just pushed my jacka*s button...

    evilfantasy

    • Malware Removal Specialist
    • Moderator


    • Genius
    • Calm like a bomb
    • Thanked: 493
    • Experience: Experienced
    • OS: Windows 11
    Re: **STILL HAVING PROBLEMS, PLEASE HELP!!**
    « Reply #1 on: December 06, 2008, 04:22:52 PM »

    mcummings36


      Re: **STILL HAVING PROBLEMS, PLEASE HELP!!**
      « Reply #2 on: December 06, 2008, 06:29:35 PM »
      Okay, I did all of those steps before, did I do something wrong? To start with, here are some of the programs in the add/remove programs that I don't recognize. There were others that I deleted before I found this site as well.



      Microsoft.NET Framework 1.1

      Microsoft.NET Framework 1.1 Hotfix

      Microsoft.NET Framework 2.0 Service Pack 1

      Microsoft Compression Client Pack 1.0 for Windows XP

      Microsoft User-mode Driver Framework Feature Pack 1.0

      Microsoft Visual C++2005 Redistributable

      Microstaff WINASPI

      MSXML 4.0 SP2 (KB954430)


      Here is the SuperAntiSpyware log:


      SUPERAntiSpyware Scan Log
      http://www.superantispyware.com

      Generated 12/04/2008 at 05:38 PM

      Application Version : 4.22.1014

      Core Rules Database Version : 3660
      Trace Rules Database Version: 1640

      Scan type       : Quick Scan
      Total Scan Time : 00:18:20

      Memory items scanned      : 484
      Memory threats detected   : 1
      Registry items scanned    : 527
      Registry threats detected : 12
      File items scanned        : 14661
      File threats detected     : 48

      Adware.Gudmun/Resident
         C:\WINDOWS\SYSTEM32\YEMIKOME.DLL
         C:\WINDOWS\SYSTEM32\YEMIKOME.DLL

      Adware.Vundo Variant
         HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\SharedTaskScheduler#{EC43E3FD-5C60-46a6-97D7-E0B85DBDD6C4}
         HKCR\CLSID\{EC43E3FD-5C60-46A6-97D7-E0B85DBDD6C4}
         HKCR\CLSID\{EC43E3FD-5C60-46a6-97D7-E0B85DBDD6C4}\InprocServer32
         HKCR\CLSID\{EC43E3FD-5C60-46a6-97D7-E0B85DBDD6C4}\InprocServer32#ThreadingModel
         C:\WINDOWS\SYSTEM32\BIHIRUPI.DLL
         HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad#SSODL
         HKCR\CLSID\{EC43E3FD-5C60-46A6-97D7-E0B85DBDD6C4}

      Adware.Tracking Cookie

      Adware.Vundo Variant/Rel
         HKLM\SOFTWARE\Microsoft\contim
         HKLM\SOFTWARE\Microsoft\contim#SysShell
         HKLM\SOFTWARE\Microsoft\rdfa
         HKLM\SOFTWARE\Microsoft\rdfa#F
         HKLM\SOFTWARE\Microsoft\rdfa#N

      Trojan.Fake-Alert/Trace
         HKU\S-1-5-21-1326281953-3321796711-1604036775-1005\SOFTWARE\Microsoft\fias4013


      Here is the malware log:

      Malwarebytes' Anti-Malware 1.30
      Database version: 1427
      Windows 5.1.2600 Service Pack 3

      12/4/2008 8:08:47 PM
      mbam-log-2008-12-04 (20-08-47).txt

      Scan type: Quick Scan
      Objects scanned: 62071
      Time elapsed: 9 minute(s), 57 second(s)

      Memory Processes Infected: 0
      Memory Modules Infected: 2
      Registry Keys Infected: 5
      Registry Values Infected: 5
      Registry Data Items Infected: 2
      Folders Infected: 0
      Files Infected: 5

      Memory Processes Infected:
      (No malicious items detected)

      Memory Modules Infected:
      C:\WINDOWS\SYSTEM32\sivamube.dll (Trojan.Vundo.H) -> Delete on reboot.
      c:\WINDOWS\SYSTEM32\bihirupi.dll (Trojan.BHO) -> Delete on reboot.

      Registry Keys Infected:
      HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{97ac04e0-ac33-46a1-8bc3-13a16ac850b6} (Trojan.BHO.H) -> Delete on reboot.
      HKEY_CLASSES_ROOT\CLSID\{97ac04e0-ac33-46a1-8bc3-13a16ac850b6} (Trojan.BHO.H) -> Delete on reboot.
      HKEY_CLASSES_ROOT\CLSID\{ec43e3fd-5c60-46a6-97d7-e0b85dbdd6c4} (Trojan.BHO) -> Quarantined and deleted successfully.
      HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\contim (Trojan.Vundo) -> Quarantined and deleted successfully.
      HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\rdfa (Trojan.Vundo) -> Quarantined and deleted successfully.

      Registry Values Infected:
      HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\54363217 (Trojan.Vundo.H) -> Quarantined and deleted successfully.
      HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SharedTaskScheduler\{ec43e3fd-5c60-46a6-97d7-e0b85dbdd6c4} (Trojan.BHO) -> Quarantined and deleted successfully.
      HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\ssodl (Trojan.BHO) -> Quarantined and deleted successfully.
      HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\cpm5705018b (Trojan.Agent) -> Quarantined and deleted successfully.
      HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ruzanidipi (Trojan.Agent) -> Delete on reboot.

      Registry Data Items Infected:
      HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\AppInit_DLLs (Trojan.BHO) -> Data: c:\windows\system32\bihirupi.dll -> Quarantined and deleted successfully.
      HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\AppInit_DLLs (Trojan.BHO) -> Data: system32\bihirupi.dll -> Delete on reboot.

      Folders Infected:
      (No malicious items detected)

      Files Infected:
      C:\WINDOWS\SYSTEM32\sivamube.dll (Trojan.Vundo.H) -> Delete on reboot.
      C:\WINDOWS\SYSTEM32\ebumavis.ini (Trojan.Vundo.H) -> Quarantined and deleted successfully.
      C:\WINDOWS\SYSTEM32\yumuyofu.dll (Trojan.BHO.H) -> Delete on reboot.
      c:\WINDOWS\SYSTEM32\bihirupi.dll (Trojan.BHO) -> Delete on reboot.
      C:\WINDOWS\SYSTEM32\yelerige.dll (Trojan.Agent) -> Delete on reboot.

      evilfantasy

      Re: **STILL HAVING PROBLEMS, PLEASE HELP!!**
      « Reply #3 on: December 06, 2008, 06:36:40 PM »
      Quote
      Okay, I did all of those steps before, did I do something wrong?

      You didn't post the logs so we can see what we are trying to fix ;)

      The add/remove programs are all legitimate.

      Quote
      My computer is still not working right!

      This leaves endless possibilities. What exactly does "not working right" include? It doesn't have to be an elaborate description but you need to let me know more than that.

      You still need to post the HijackThis log also.

      mcummings36


        Re: **STILL HAVING PROBLEMS, PLEASE HELP!!**
        « Reply #4 on: December 06, 2008, 06:45:44 PM »
        Also did the Java step, I did NOT do the cleaner, I downloaded the program, but because of the note at the bottom about not using it unless you know what you're doing, I did not want to take the chance. Here is the HiJack This log:


        Logfile of Trend Micro HijackThis v2.0.2
        Scan saved at 10:41:58 PM, on 12/4/2008
        Platform: Windows XP SP3 (WinNT 5.01.2600)
        MSIE: Internet Explorer v7.00 (7.00.6000.16735)
        Boot mode: Normal

        Running processes:
        C:\WINDOWS\System32\smss.exe
        C:\WINDOWS\system32\winlogon.exe
        C:\WINDOWS\system32\services.exe
        C:\WINDOWS\system32\lsass.exe
        C:\WINDOWS\system32\svchost.exe
        C:\WINDOWS\System32\svchost.exe
        C:\WINDOWS\system32\svchost.exe
        C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
        C:\Program Files\Alwil Software\Avast4\ashServ.exe
        C:\WINDOWS\Explorer.EXE
        C:\WINDOWS\system32\LEXBCES.EXE
        C:\WINDOWS\system32\LEXPPS.EXE
        C:\WINDOWS\system32\spoolsv.exe
        C:\Program Files\QuickTime\qttask.exe
        C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
        C:\Program Files\Java\jre6\bin\jusched.exe
        C:\WINDOWS\system32\ctfmon.exe
        C:\Program Files\RingCentral\RingCentral Call Controller\RCUI.exe
        C:\Program Files\RingCentral\RingCentral Call Controller\RCHotKey.exe
        C:\Program Files\Bonjour\mDNSResponder.exe
        C:\Program Files\Java\jre6\bin\jqs.exe
        C:\WINDOWS\system32\HPZipm12.exe
        C:\WINDOWS\system32\slserv.exe
        C:\WINDOWS\System32\svchost.exe
        C:\WINDOWS\system32\fxssvc.exe
        C:\WINDOWS\system32\slrundll.exe
        C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
        C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
        C:\PROGRA~1\Yahoo!\MESSEN~1\YAHOOM~1.EXE
        C:\Program Files\Internet Explorer\iexplore.exe
        C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
        C:\Program Files\Trend Micro\HijackThis\sniper.exe.exe

        R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
        R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
        R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
        R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
        R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
        R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
        R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
        R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1;*.local
        O2 - BHO: (no name) - SOFTWARE - (no file)
        O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
        O2 - BHO: Java(tm) Plug-In SSV Helper - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre6\bin\ssv.dll
        O2 - BHO: (no name) - {8151A608-00FB-4D5C-8B8D-40E239E32A42} - (no file)
        O2 - BHO: (no name) - {97ac04e0-ac33-46a1-8bc3-13a16ac850b6} - C:\WINDOWS\system32\yumuyofu.dll (file missing)
        O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
        O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
        O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
        O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
        O4 - HKLM\..\Run: [cat]  
        O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"
        O4 - HKLM\..\Run: [ruzanidipi] Rundll32.exe "C:\WINDOWS\system32\yelerige.dll",s
        O4 - HKCU\..\Run: [Yahoo! Pager] "C:\PROGRA~1\Yahoo!\MESSEN~1\YAHOOM~1.EXE" -quiet
        O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
        O4 - HKCU\..\Run: [RCUI] "C:\Program Files\RingCentral\RingCentral Call Controller\RCUI.exe"
        O4 - HKCU\..\Run: [RCHotKey] "C:\Program Files\RingCentral\RingCentral Call Controller\RCHotKey.exe"
        O9 - Extra button: (no name) - {120E090D-9136-4b78-8258-F0B44B4BD2AC} - C:\WINDOWS\system32\ms.exe (file missing)
        O9 - Extra 'Tools' menuitem: MaxSpeed - {120E090D-9136-4b78-8258-F0B44B4BD2AC} - C:\WINDOWS\system32\ms.exe (file missing)
        O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
        O9 - Extra button: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\Program Files\PartyPoker\PartyPoker.exe (file missing)
        O9 - Extra 'Tools' menuitem: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\Program Files\PartyPoker\PartyPoker.exe (file missing)
        O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)
        O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
        O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
        O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
        O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
        O16 - DPF: {15589FA1-C456-11CE-BF01-000000000000} - http://www.errornuker.com/products/errn2004/installers/default/ErrorNukerInstaller.exe
        O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?LinkID=39204
        O16 - DPF: {1A1F56AA-3401-46F9-B277-D57F3421F821} (FunGamesLoader Object) - http://www.worldwinner.com/games/v46/shared/FunGamesLoader.cab
        O16 - DPF: {26CBF141-7D0F-46E1-AA06-718958B6E4D2} - http://download.ebay.com/turbo_lister/US/install.cab
        O16 - DPF: {2EB1E425-74DC-4DC0-A9E1-03A4C852E1F2} (CPlayFirstTriJinxControl Object) - http://zone.msn.com/bingame/trix/default/TriJinx.1.0.0.67.cab
        O16 - DPF: {38AB0814-B09B-4378-9940-14A19638C3C2} (Auctiva Image Uploader Control) - http://www.auctiva.com/Aurigma/ImageUploader55.cab
        O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} -
        O16 - DPF: {8A94C905-FF9D-43B6-8708-F0F22D22B1CB} (Wwlaunch Control) - http://www.worldwinner.com/games/shared/wwlaunch.cab
        O16 - DPF: {8EDAD21C-3584-4E66-A8AB-EB0E5584767D} - http://toolbar.google.com/data/GoogleActivate.cab
        O16 - DPF: {B1E2B96C-12FE-45E2-BEF1-44A219113CDD} (SABScanProcesses Class) - http://www.superadblocker.com/activex/sabspx.cab
        O16 - DPF: {BCC0FF27-31D9-4614-A68E-C18E1ADA4389} - http://download.mcafee.com/molbin/shared/mcgdmgr/en-us/1,0,0,21/mcgdmgr.cab
        O16 - DPF: {E0CE16CB-741C-4B24-8D04-A817856E07F4} - http://cabs.roings.com/cabs/mmed.cab
        O16 - DPF: {E87F6C8E-16C0-11D3-BEF7-009027438003} (Persits Software XUpload) - http://www.auctiva.com/hostedimages/activex/xupload/XUpload.ocx
        O20 - AppInit_DLLs: c:\windows\system32\tukamaho.dll c:\windows\system32\fidebipi.dll c:\windows\system32\tanetezo.dll c:\windows\system32\kofidutu.dll ,C:\WINDOWS\system32\vifapira.dll
        O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
        O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
        O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
        O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
        O23 - Service: avast! Web Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
        O23 - Service: ##Id_String1.6844F930_1628_4223_B5CC_5BB94B879762## (Bonjour Service) - Apple Computer, Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
        O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
        O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
        O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
        O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
        O23 - Service: SmartLinkService (SLService) - Smart Link - C:\WINDOWS\SYSTEM32\slserv.exe

        --
        End of file - 8050 bytes

        Sorry, I didn't see that I had to attach them, I thought you wanted them copied and pasted. Please let me know what other info you need.
        My biggest problem is that I'll get online, and will be fine for a while, then I can't go anywhere, I can get to some sites, just their main page, can't go any farther. Some sites won't load at all. I cannot do a system restore. I have some weird error messages on start up, etc... Some of this info is in my other post too. Thanks!!!

        mcummings36


          Re: **STILL HAVING PROBLEMS, PLEASE HELP!!**
          « Reply #5 on: December 06, 2008, 06:47:59 PM »
          Quote
          You didn't post the logs so we can see what we are trying to fix

          I did post them, I swear! I'm not sure why they wouldn't have come up, I attached them??
          A couple of other things that are weird, and I'm trying to remember everything so you know all of it, but there's a lot! One question I had is, with these spyware, antivirus and etc... programs, why do they keep coming up with the same viruses? I do what they tell me to do when the scans are complete, I either remove or quarantine them, but then in a few hours I cannot do what I need to on the net, so I run the scans again, and it seems like the viruses are the same.
          On start up I have this HUGE file, system 32 that opens up. Never happened before a few days ago. It's got so much crap in it, and it's all really old, dates like 2001, 2002, etc...I didn't even get this computer until 2005.
          Pop ups are still an issue, just once in a while, but I never had any before, and I keep getting that pop down menu from the internet explorer bar about not letting sites download certain info, etc....

          evilfantasy

          Re: **STILL HAVING PROBLEMS, PLEASE HELP!!**
          « Reply #6 on: December 07, 2008, 01:34:52 PM »
          Run CCleaner. If you look at the instructions the part about not running it is talking about the Registry cleaner built into CCleaner.

          Before you begin the SDFix instructions you should copy these instructions in a Notepad file and save them to your desktop or print them for easy reference. Much of SDFix will be done in Safe mode and you will be unable to access this web page after booting into Safe mode.

          Download SDFix by AndyManchesta and save it to your desktop.

          When using this tool, you must use the Administrator's account or an account with Administrative rights

          • Double click SDFix.exe and it will extract the files to %systemdrive% (this is the drive that contains the Windows Directory, typically C:\SDFix).
          • DO NOT use it just yet.
          Reboot your computer in Safe Mode using the F8 method. To do this, restart your computer and after hearing your computer beep once during startup (but before the Windows icon appears) press the F8 key repeatedly. A menu will appear with several options. Use the arrow keys to navigate and select the option to run Windows in "Safe Mode".

          Open the SDFix folder and double click RunThis.bat to start the script.
          • Type Y to begin the cleanup process.
          • It will remove any Trojan Services or Registry Entries found then prompt you to press any key to Reboot.
          • Press any Key and it will restart the PC.
          • When the PC restarts, the Fixtool will run again and complete the removal process then display Finished, press any key to end the script and load your desktop icons.
          • Once the desktop icons load the SDFix report will open on screen and also save into the SDFix folder as Report.txt.
          • Copy and paste the contents of the results file Report.txt in your next reply along with a new HijackThis log (from normal boot mode).

          mcummings36


            Re: **STILL HAVING PROBLEMS, PLEASE HELP!!**
            « Reply #7 on: December 07, 2008, 09:58:43 PM »
            Okay, I ran the cleaner, and I downloaded the SDFix, but there is no RunThis.bat option when I open or click on the icon. I'm assuming I do not have administrative rights???? I try to log in under administrator, but it asks me for a password, which I don't have. (Bought this used) I did log in in Safe Mode, but there just isn't anything called RunThis.bat. Now what?

            mcummings36


              Re: **STILL HAVING PROBLEMS, PLEASE HELP!!**
              « Reply #8 on: December 07, 2008, 10:01:43 PM »
              I actually was able to look up the administrator on "My Computer" and it says it is me, and there is no password for my name, so maybe that isn't it? I'm not sure how to check on this type of thing.

              mcummings36


                Re: **STILL HAVING PROBLEMS, PLEASE HELP!!**
                « Reply #9 on: December 07, 2008, 11:33:54 PM »
                I just went in to add/remove programs, because I was going to remove SDFix and reinstall it, in case I did something wrong, and it's not even there. God, I'm going to lose my mind!!!!!!!

                evilfantasy

                Re: **STILL HAVING PROBLEMS, PLEASE HELP!!**
                « Reply #10 on: December 08, 2008, 02:32:44 AM »
                Double click SDFix and allow it to install, then boot into safe mode.

                Once in Safe Mode:

                Click on the Start button, click on the Run menu option, and type the following into the Open: field:

                C:\SDFix\RunThis.bat

                Then press the OK button.

                Follow through with the rest of the instructions.

                mcummings36


                  Re: **STILL HAVING PROBLEMS, PLEASE HELP!!**
                  « Reply #11 on: December 08, 2008, 11:07:03 AM »
                  I can't type anything when I'm in safe mode. And when I try, it freezes up my computer. This is the second time I've tried to do something in safe mode, and am unable to.

                  evilfantasy

                  Re: **STILL HAVING PROBLEMS, PLEASE HELP!!**
                  « Reply #12 on: December 08, 2008, 03:04:05 PM »
                  Open HijackThis and select Do a system scan only.

                  Place a check mark next to the following entries: (if there)

                  - O2 - BHO: (no name) - SOFTWARE - (no file)
                  - O2 - BHO: (no name) - {8151A608-00FB-4D5C-8B8D-40E239E32A42} - (no file)
                  - O2 - BHO: (no name) - {97ac04e0-ac33-46a1-8bc3-13a16ac850b6} - C:\WINDOWS\system32\yumuyofu.dll (file missing)
                  - O4 - HKLM\..\Run: [ruzanidipi] Rundll32.exe "C:\WINDOWS\system32\yelerige.dll",s
                  - O9 - Extra button: (no name) - {120E090D-9136-4b78-8258-F0B44B4BD2AC} - C:\WINDOWS\system32\ms.exe (file missing)
                  - O9 - Extra 'Tools' menuitem: MaxSpeed - {120E090D-9136-4b78-8258-F0B44B4BD2AC} - C:\WINDOWS\system32\ms.exe (file missing)
                  - O16 - DPF: {15589FA1-C456-11CE-BF01-000000000000} - http://www.errornuker.com/products/errn2004/installers/default/ErrorNukerInstaller.exe
                  - O16 - DPF: {E0CE16CB-741C-4B24-8D04-A817856E07F4} - http://cabs.roings.com/cabs/mmed.cab
                  - O20 - AppInit_DLLs: c:\windows\system32\tukamaho.dll c:\windows\system32\fidebipi.dll c:\windows\system32\tanetezo.dll c:\windows\system32\kofidutu.dll ,C:\WINDOWS\system32\vifapira.dll


                  Important: Close all windows except for HijackThis and then click Fix checked.

                  Exit HijackThis and restart the computer to register the changes made by HijackThis.

                  ----------

                  Can you update MalwareBytes and run a full scan with it then post the log?
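
A triage heuristic for the kind of HijackThis entries checked in the reply above, as an added example (not part of any post in this thread, and not HijackThis or Malwarebytes code). It flags entries whose target is missing, Run-key entries that start a DLL through rundll32, and every DLL listed in AppInit_DLLs, then looks each file up in the Malwarebytes results. The function names and reason labels are assumptions made for this sketch; the sample lines are copied from the logs posted earlier in the thread.

```python
import ntpath
import re

# Entries copied from the HijackThis log posted in this thread (a subset).
HIJACKTHIS_SAMPLE = r"""
O2 - BHO: (no name) - SOFTWARE - (no file)
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {97ac04e0-ac33-46a1-8bc3-13a16ac850b6} - C:\WINDOWS\system32\yumuyofu.dll (file missing)
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [ruzanidipi] Rundll32.exe "C:\WINDOWS\system32\yelerige.dll",s
O9 - Extra button: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\Program Files\PartyPoker\PartyPoker.exe (file missing)
O20 - AppInit_DLLs: c:\windows\system32\tukamaho.dll c:\windows\system32\fidebipi.dll c:\windows\system32\tanetezo.dll c:\windows\system32\kofidutu.dll ,C:\WINDOWS\system32\vifapira.dll
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
"""

# "Files Infected" lines copied from the 12/4/2008 Malwarebytes log in this thread.
MBAM_SAMPLE = r"""
C:\WINDOWS\SYSTEM32\sivamube.dll (Trojan.Vundo.H) -> Delete on reboot.
C:\WINDOWS\SYSTEM32\yumuyofu.dll (Trojan.BHO.H) -> Delete on reboot.
c:\WINDOWS\SYSTEM32\bihirupi.dll (Trojan.BHO) -> Delete on reboot.
C:\WINDOWS\SYSTEM32\yelerige.dll (Trojan.Agent) -> Delete on reboot.
"""

ENTRY_RE = re.compile(r"^(?P<code>[A-Z]\d{1,2}) - (?P<body>.+)$")
# Entry ends in "(no file)" or "<path> (file missing)".
MISSING_RE = re.compile(r"(?:(?P<path>[A-Za-z]:\\.+) )?\((?:no file|file missing)\)$")
RUNDLL_RE = re.compile(r'rundll32(?:\.exe)?\s+"?(?P<path>[^",]+\.dll)', re.I)
# Malwarebytes result line for a file: "<path> (<detection>) -> <action>".
MBAM_RE = re.compile(r"^(?P<path>[A-Za-z]:\\.+?) \((?P<name>[^)]+)\) -> ", re.M)


def triage(log_text):
    """Return (code, reason, target) tuples for entries worth a manual look."""
    findings = []
    for line in log_text.splitlines():
        entry = ENTRY_RE.match(line.strip())
        if not entry:
            continue
        code, body = entry["code"], entry["body"]
        if code == "O20" and body.startswith("AppInit_DLLs:"):
            # The AppInit_DLLs value is a space- or comma-delimited DLL list;
            # each DLL named there is reported separately.
            for dll in filter(None, re.split(r"[\s,]+", body.split(":", 1)[1])):
                findings.append((code, "appinit_dll", dll))
            continue
        missing = MISSING_RE.search(body)
        if missing:
            findings.append((code, "target_missing", missing["path"]))
            continue
        rundll = RUNDLL_RE.search(body) if code == "O4" else None
        if rundll:
            findings.append((code, "run_key_rundll32", rundll["path"]))
    return findings


def scanner_detections(mbam_text):
    """Map lower-cased file name -> detection name from Malwarebytes file lines."""
    return {ntpath.basename(m["path"]).lower(): m["name"]
            for m in MBAM_RE.finditer(mbam_text)}


def correlate(findings, detections):
    """Attach the scanner's detection name (or None) to each finding."""
    report = []
    for code, reason, target in findings:
        name = ntpath.basename(target).lower() if target else None
        report.append((code, reason, target, detections.get(name)))
    return report


if __name__ == "__main__":
    rows = correlate(triage(HIJACKTHIS_SAMPLE), scanner_detections(MBAM_SAMPLE))
    for code, reason, target, detection in rows:
        print(f"{code:<4}{reason:<18}{target or '-':<50}{detection or 'not in scanner log'}")
```

A flagged entry is a candidate for review, not a removal list: the missing PartyPoker button is flagged here but was not among the entries selected in the reply. On this sample none of the five AppInit_DLLs files is named in the Malwarebytes results.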

                  mcummings36


                    Re: **STILL HAVING PROBLEMS, PLEASE HELP!!**
                    « Reply #13 on: December 08, 2008, 08:05:45 PM »
                    Malwarebytes' Anti-Malware 1.31
                    Database version: 1475
                    Windows 5.1.2600 Service Pack 3

                    12/8/2008 7:55:58 PM
                    mbam-log-2008-12-08 (19-55-58).txt

                    Scan type: Full Scan (C:\|)
                    Objects scanned: 142483
                    Time elapsed: 1 hour(s), 28 minute(s), 11 second(s)

                    Memory Processes Infected: 0
                    Memory Modules Infected: 4
                    Registry Keys Infected: 5
                    Registry Values Infected: 3
                    Registry Data Items Infected: 3
                    Folders Infected: 0
                    Files Infected: 13

                    Memory Processes Infected:
                    (No malicious items detected)

                    Memory Modules Infected:
                    C:\WINDOWS\SYSTEM32\bamezafu.dll (Trojan.Vundo.H) -> Delete on reboot.
                    C:\WINDOWS\SYSTEM32\wuyojogi.dll (Trojan.Vundo.H) -> Delete on reboot.
                    C:\WINDOWS\SYSTEM32\nimuhoke.dll (Trojan.Vundo.H) -> Delete on reboot.
                    C:\WINDOWS\SYSTEM32\holuyibi.dll (Trojan.Vundo.H) -> Delete on reboot.

                    Registry Keys Infected:
                    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{97ac04e0-ac33-46a1-8bc3-13a16ac850b6} (Trojan.Vundo.H) -> Quarantined and deleted successfully.
                    HKEY_CLASSES_ROOT\CLSID\{97ac04e0-ac33-46a1-8bc3-13a16ac850b6} (Trojan.Vundo.H) -> Quarantined and deleted successfully.
                    HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{97ac04e0-ac33-46a1-8bc3-13a16ac850b6} (Trojan.Vundo.H) -> Quarantined and deleted successfully.
                    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\contim (Trojan.Vundo) -> Quarantined and deleted successfully.
                    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\rdfa (Trojan.Vundo) -> Quarantined and deleted successfully.

                    Registry Values Infected:
                    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\54363217 (Trojan.Vundo.H) -> Quarantined and deleted successfully.
                    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\cpm5705018b (Trojan.Vundo.H) -> Quarantined and deleted successfully.
                    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ruzanidipi (Trojan.Vundo.H) -> Quarantined and deleted successfully.

                    Registry Data Items Infected:
                    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\AppInit_DLLs (Trojan.Vundo.H) -> Data: c:\windows\system32\wuyojogi.dll -> Quarantined and deleted successfully.
                    HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\LSA\Notification Packages (Trojan.Vundo.H) -> Data: c:\windows\system32\wuyojogi.dll  -> Quarantined and deleted successfully.
                    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\AppInit_DLLs (Trojan.Vundo.H) -> Data: system32\wuyojogi.dll -> Quarantined and deleted successfully.

                    Folders Infected:
                    (No malicious items detected)

                    Files Infected:
                    C:\WINDOWS\SYSTEM32\bamezafu.dll (Trojan.Vundo.H) -> Delete on reboot.
                    C:\WINDOWS\SYSTEM32\ufazemab.ini (Trojan.Vundo.H) -> Quarantined and deleted successfully.
                    C:\WINDOWS\SYSTEM32\holuyibi.dll (Trojan.Vundo.H) -> Delete on reboot.
                    C:\WINDOWS\SYSTEM32\nimuhoke.dll (Trojan.Vundo.H) -> Delete on reboot.
                    C:\WINDOWS\SYSTEM32\wuyojogi.dll (Trojan.Vundo.H) -> Delete on reboot.
                    C:\System Volume Information\_restore{987E0331-0F01-427C-A58A-7A2E4AABF84D}\RP1767\A0138544.exe (Trojan.FBrowsingAdvisor) -> Quarantined and deleted successfully.
                    C:\System Volume Information\_restore{987E0331-0F01-427C-A58A-7A2E4AABF84D}\RP1767\A0138545.dll (Trojan.FBrowsingAdvisor) -> Quarantined and deleted successfully.
                    C:\System Volume Information\_restore{987E0331-0F01-427C-A58A-7A2E4AABF84D}\RP1767\A0138547.dll (Rogue.AscentivePerformance) -> Quarantined and deleted successfully.
                    C:\System Volume Information\_restore{987E0331-0F01-427C-A58A-7A2E4AABF84D}\RP1783\A0142998.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
                    C:\System Volume Information\_restore{987E0331-0F01-427C-A58A-7A2E4AABF84D}\RP1787\A0151017.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
                    C:\WINDOWS\SYSTEM32\dayoyadu.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
                    C:\WINDOWS\SYSTEM32\nunuluna.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
                    C:\WINDOWS\SYSTEM32\kuyubuza.dll (Trojan.Vundo.H) -> Quarantined and deleted successfully.

                    evilfantasy

                    Re: **STILL HAVING PROBLEMS, PLEASE HELP!!**
                    « Reply #14 on: December 08, 2008, 09:20:46 PM »

                    mcummings36


                      Re: **STILL HAVING PROBLEMS, PLEASE HELP!!**
                      « Reply #15 on: December 09, 2008, 12:56:09 AM »
                      Piece of crap still won't work. Can't do anything in safe mode. The minute I try to type something in that line after I hit run the piece of crap freezes up. Now what? Sorry, I've just been at this about 12-16 hours a day for the last 2 weeks, and I'm ready to give up. This thing's been a total pile of junk since I got it, I should have sued the idiot that sold it to me.
                      Does any of this have to do with the huge "system 32" file that now magically opens up when I boot up? That never happened before, and none of the crap that's in that file is mine. I'm sure it's taking up 90% of what little memory or whatever that I have.
                      « Last Edit: December 09, 2008, 10:15:41 AM by mcummings36 »

                      evilfantasy

                      Re: **STILL HAVING PROBLEMS, PLEASE HELP!!**
                      « Reply #16 on: December 09, 2008, 10:43:42 AM »
                      Download ComboFix© by sUBs from one of the below links. Be sure to save it to the Desktop.

                      Link #1
                      Link #2

                      **Note:** It is important that it is saved directly to your Desktop.

                      Close any open Web browsers (Firefox, Internet Explorer, etc.) before starting ComboFix.

                      Temporarily disable your antivirus, and any antispyware real time protection before performing a scan. Click this link to see a list of security programs that should be disabled and how to disable them.
                       
                      Double click combofix.exe & follow the prompts.

                      For Windows XP Systems install the Recovery Console:

                      - If you are using Windows XP and do not already have the Recovery Console installed, please ensure your Internet connection is active (if possible) and click Yes.
                      - If for some reason your Internet is not working click No.
                      - If you are not using Windows XP, you will not be prompted.
                      - When prompted to accept the EULA click OK.
                      - Accept Microsoft's EULA (Click Yes).
                      - When you are told that the RC is installed correctly click YES to continue scanning for malware.

                      When finished ComboFix will produce a log for you.
                      Post the ComboFix log and a new HijackThis log in your next reply.

                      Important: Do not mouseclick ComboFix's window while it is running. That may cause it to stall.

                      Remember to re-enable your antivirus and antispyware protection when ComboFix is complete.

                      mcummings36


                        Re: **STILL HAVING PROBLEMS, PLEASE HELP!!**
                        « Reply #17 on: December 10, 2008, 12:11:29 AM »
                        Here are the logs you asked for. The first is part of ComboFix; I had to post it in two different posts because it is so long. HijackThis follows. Thanks!! :)


                        ComboFix 08-12-07.04 - Christopher Apostle 2008-12-10  0:00:54.1 - NTFSx86
                        Microsoft Windows XP Professional  5.1.2600.3.1252.1.1033.18.351 [GMT -7:00]
                        Running from: c:\documents and settings\Christopher Apostle\Desktop\ComboFix.exe
                         * Created a new restore point
                        .

                        (((((((((((((((((((((((((((((((((((((((   Other Deletions   )))))))))))))))))))))))))))))))))))))))))))))))))
                        .

                        c:\program files\Common Files\uninstall information
                        c:\program files\Need2Find
                        c:\program files\Need2Find\bar\History\search
                        c:\program files\Need2Find\bar\Settings\settings.dat
                        c:\program files\Need2Find\bar\Settings\settings.htm
                        c:\windows\system32\cache329
                        c:\windows\system32\elikabut.ini
                        c:\windows\system32\ezimelet.ini
                        c:\windows\system32\irezasos.ini
                        c:\windows\system32\iyimogov.ini
                        c:\windows\system32\mudagisi.dll
                        c:\windows\system32\upiyedef.ini

                        .
                        (((((((((((((((((((((((((   Files Created from 2008-11-10 to 2008-12-10  )))))))))))))))))))))))))))))))
                        .

                        2008-12-07 21:49 . 2008-11-06 02:03   <DIR>   d--------   C:\SDFix
                        2008-12-04 19:29 . 2008-04-13 18:12   116,224   --a------   c:\windows\SYSTEM32\DLLCACHE\xrxwiadr.dll
                        2008-12-04 19:29 . 2001-08-17 22:37   27,648   --a------   c:\windows\SYSTEM32\DLLCACHE\xrxftplt.exe
                        2008-12-04 19:29 . 2001-08-17 22:36   23,040   --a------   c:\windows\SYSTEM32\DLLCACHE\xrxwbtmp.dll
                        2008-12-04 19:29 . 2008-04-13 18:12   18,944   --a------   c:\windows\SYSTEM32\DLLCACHE\xrxscnui.dll
                        2008-12-04 19:29 . 2001-08-17 22:37   4,608   --a------   c:\windows\SYSTEM32\DLLCACHE\xrxflnch.exe
                        2008-12-04 19:28 . 2001-08-17 13:28   771,581   --a------   c:\windows\SYSTEM32\DLLCACHE\winacisa.sys
                        2008-12-04 19:28 . 2002-08-28 20:59   154,624   --a------   c:\windows\SYSTEM32\DLLCACHE\wlluc48.sys
                        2008-12-04 19:28 . 2001-08-17 22:37   99,865   --a------   c:\windows\SYSTEM32\DLLCACHE\xlog.exe
                        2008-12-04 19:28 . 2001-08-17 22:36   87,040   --a------   c:\windows\SYSTEM32\DLLCACHE\wiafbdrv.dll
                        2008-12-04 19:28 . 2001-08-17 22:36   53,760   --a------   c:\windows\SYSTEM32\DLLCACHE\wiamsmud.dll
                        2008-12-04 19:28 . 2002-08-29 03:00   41,600   --a------   c:\windows\SYSTEM32\DLLCACHE\weitekp9.dll
                        2008-12-04 19:28 . 2001-08-17 12:12   34,890   --a------   c:\windows\SYSTEM32\DLLCACHE\wlandrv2.sys
                        2008-12-04 19:28 . 2002-08-29 03:00   31,232   --a------   c:\windows\SYSTEM32\DLLCACHE\weitekp9.sys
                        2008-12-04 19:28 . 2001-08-17 12:11   16,970   --a------   c:\windows\SYSTEM32\DLLCACHE\xem336n5.sys
                        2008-12-04 19:28 . 2008-04-13 12:36   8,832   --a------   c:\windows\SYSTEM32\DLLCACHE\wmiacpi.sys
                        2008-12-04 19:28 . 2008-04-13 18:12   8,192   --a------   c:\windows\SYSTEM32\DLLCACHE\wshirda.dll
                        2008-12-04 19:26 . 2001-08-17 12:18   285,760   --a------   c:\windows\SYSTEM32\DLLCACHE\stlnata.sys
                        2008-12-04 19:25 . 2001-08-17 22:36   495,616   --a------   c:\windows\SYSTEM32\DLLCACHE\sblfx.dll
                        2008-12-04 19:24 . 2001-08-17 13:28   899,146   --a------   c:\windows\SYSTEM32\DLLCACHE\r2mdkxga.sys
                        2008-12-04 19:23 . 2008-08-14 02:33   2,023,936   --a------   c:\windows\SYSTEM32\DLLCACHE\OLD3DE.tmp
                        2008-12-04 19:22 . 2002-08-28 20:59   132,695   --a------   c:\windows\SYSTEM32\DLLCACHE\netwlan5.sys
                        2008-12-04 19:21 . 2001-08-17 13:28   802,683   --a------   c:\windows\SYSTEM32\DLLCACHE\ltsm.sys
                        2008-12-04 19:20 . 2008-04-13 18:11   253,952   --a------   c:\windows\SYSTEM32\DLLCACHE\kdsusd.dll
                        2008-12-04 19:19 . 2001-08-17 13:28   542,879   --a------   c:\windows\SYSTEM32\DLLCACHE\hsf_msft.sys
                        2008-12-04 19:18 . 2001-08-17 14:56   1,733,120   --a------   c:\windows\SYSTEM32\DLLCACHE\g400d.dll
                        2008-12-04 19:17 . 2001-08-17 12:14   952,007   --a------   c:\windows\SYSTEM32\DLLCACHE\diwan.sys
                        2008-12-04 19:16 . 2001-08-17 22:36   614,429   --a------   c:\windows\SYSTEM32\DLLCACHE\digiview.exe
                        2008-12-04 19:15 . 2001-08-17 12:13   980,034   --a------   c:\windows\SYSTEM32\DLLCACHE\cicap.sys
                        2008-12-04 19:14 . 2001-08-17 13:28   871,388   --a------   c:\windows\SYSTEM32\DLLCACHE\bcmdm.sys
                        2008-12-04 19:13 . 2001-08-17 12:19   747,392   --a------   c:\windows\SYSTEM32\DLLCACHE\adm8830.sys
                        2008-12-04 19:12 . 2008-08-14 03:09   2,145,280   --a------   c:\windows\SYSTEM32\DLLCACHE\OLD2B.tmp
                        2008-12-04 19:12 . 2001-08-17 13:28   762,780   --a------   c:\windows\SYSTEM32\DLLCACHE\3cwmcru.sys
                        2008-12-04 19:12 . 2001-08-17 14:55   689,216   --a------   c:\windows\SYSTEM32\DLLCACHE\3dfxvs.dll
                        2008-12-04 19:12 . 2001-08-17 12:48   148,352   --a------   c:\windows\SYSTEM32\DLLCACHE\3dfxvsm.sys
                        2008-12-04 19:12 . 2001-08-17 14:56   66,048   --a------   c:\windows\SYSTEM32\DLLCACHE\s3legacy.dll
                        2008-12-04 19:12 . 2008-04-13 12:46   53,376   --a------   c:\windows\SYSTEM32\DLLCACHE\1394bus.sys
                        2008-12-04 19:12 . 2008-04-13 12:40   12,288   --a------   c:\windows\SYSTEM32\DLLCACHE\4mmdat.sys
                        2008-12-04 19:12 . 2001-08-17 14:06   11,264   --a------   c:\windows\SYSTEM32\DLLCACHE\1394vdbg.sys
                        2008-12-04 19:12 . 2002-08-29 03:00   7,168   --a------   c:\windows\SYSTEM32\DLLCACHE\wamregps.dll
                        2008-12-04 19:11 . 2002-08-29 03:00   169,984   --a------   c:\windows\SYSTEM32\DLLCACHE\iisui.dll
                        2008-12-04 19:11 . 2002-08-29 03:00   94,720   --a------   c:\windows\SYSTEM32\DLLCACHE\certmap.ocx
                        2008-12-04 19:11 . 2002-08-29 03:00   19,968   --a------   c:\windows\SYSTEM32\DLLCACHE\inetsloc.dll
                        2008-12-04 19:11 . 2002-08-29 03:00   14,336   --a------   c:\windows\SYSTEM32\DLLCACHE\iisreset.exe
                        2008-12-04 19:11 . 2002-08-29 03:00   7,680   --a------   c:\windows\SYSTEM32\DLLCACHE\inetmgr.exe
                        2008-12-04 19:11 . 2002-08-29 03:00   6,144   --a------   c:\windows\SYSTEM32\DLLCACHE\ftpsapi2.dll
                        2008-12-04 19:11 . 2002-08-29 03:00   5,632   --a------   c:\windows\SYSTEM32\DLLCACHE\iisrstap.dll
                        2008-12-03 19:13 . 2008-12-03 19:30   <DIR>   d--------   c:\documents and settings\Christopher Apostle\Incomplete
                        2008-12-02 16:53 . 2008-12-02 16:53   <DIR>   d--------   c:\program files\AMT
                        2008-12-02 15:39 . 2008-12-09 10:22   <DIR>   d--------   c:\program files\SUPERAntiSpyware
                        2008-12-02 15:39 . 2008-12-02 15:39   <DIR>   d--------   c:\documents and settings\Christopher Apostle\Application Data\SUPERAntiSpyware.com
                        2008-12-02 15:39 . 2008-12-02 15:39   <DIR>   d--------   c:\documents and settings\All Users\Application Data\SUPERAntiSpyware.com
                        2008-12-02 15:38 . 2008-12-02 15:38   <DIR>   d--------   c:\program files\Common Files\Wise Installation Wizard
                        2008-12-02 15:26 . 2008-12-07 21:39   <DIR>   d--------   c:\program files\CCleaner
                        2008-12-02 14:46 . 2008-12-02 14:46   <DIR>   d--------   c:\program files\TechTracker
                        2008-12-02 14:46 . 2008-12-02 14:54   <DIR>   d--------   c:\documents and settings\Christopher Apostle\Application Data\VersionTracker Pro
                        2008-12-02 14:40 . 2008-12-02 14:40   <DIR>   d--------   c:\program files\Trend Micro
                        2008-12-01 23:02 . 2008-12-01 23:02   <DIR>   d--------   c:\program files\CAT
                        2008-11-29 17:06 . 2008-11-29 17:06   <DIR>   d--------   c:\program files\Alwil Software
                        2008-11-26 13:54 . 2008-12-08 17:51   <DIR>   d--------   c:\program files\Malwarebytes' Anti-Malware
                        2008-11-26 13:54 . 2008-11-26 13:54   <DIR>   d--------   c:\documents and settings\Christopher Apostle\Application Data\Malwarebytes
                        2008-11-26 13:54 . 2008-11-26 13:54   <DIR>   d--------   c:\documents and settings\All Users\Application Data\Malwarebytes
                        2008-11-26 13:54 . 2008-12-03 19:52   38,496   --a------   c:\windows\SYSTEM32\DRIVERS\mbamswissarmy.sys
                        2008-11-26 13:54 . 2008-12-03 19:52   15,504   --a------   c:\windows\SYSTEM32\DRIVERS\mbam.sys
                        2008-11-18 17:31 . 2008-02-05 16:05   1,009,664   --a------   c:\windows\SYSTEM32\Ltwvc13n.dll
                        2008-11-18 17:31 . 2008-02-05 16:05   453,120   --a------   c:\windows\SYSTEM32\ltkrn13n.dll
                        2008-11-18 17:31 . 2008-02-05 16:05   445,440   --a------   c:\windows\SYSTEM32\ltimg13n.dll
                        2008-11-18 17:31 . 2008-02-05 16:05   388,608   --a------   c:\windows\SYSTEM32\LFCMP13n.DLL
                        2008-11-18 17:31 . 2008-02-05 16:05   265,216   --a------   c:\windows\SYSTEM32\LTDIS13n.dll
                        2008-11-18 17:31 . 2008-02-05 16:05   246,272   --a------   c:\windows\SYSTEM32\LFJ2K13n.dll
                        2008-11-18 17:31 . 2008-02-05 16:05   206,848   --a------   c:\windows\SYSTEM32\ltefx13n.dll
                        2008-11-18 17:31 . 2008-02-05 16:05   182,784   --a------   c:\windows\SYSTEM32\Lfpng13n.dll
                        2008-11-18 17:31 . 2008-02-05 16:05   154,112   --a------   c:\windows\SYSTEM32\ltfil13n.DLL
                        2008-11-18 17:31 . 2008-02-05 16:05   142,848   --a------   c:\windows\SYSTEM32\lftif13n.dll
                        2008-11-18 17:31 . 2008-02-05 16:05   73,728   --a------   c:\windows\SYSTEM32\lffax13n.dll
                        2008-11-18 17:31 . 2008-02-05 16:05   30,208   --a------   c:\windows\SYSTEM32\lfbmp13n.dll
                        2008-11-18 17:30 . 2008-11-18 17:31   <DIR>   d--------   c:\program files\RingCentral
                        2008-11-18 17:30 . 2008-11-18 18:21   <DIR>   d--------   c:\documents and settings\All Users\Application Data\RingCentral
                        2008-11-18 11:14 . 2008-11-18 11:15   <DIR>   d--------   c:\documents and settings\Christopher Apostle\tmp

                        .
                        ((((((((((((((((((((((((((((((((((((((((   Find3M Report   ))))))))))))))))))))))))))))))))))))))))))))))))))))
                        .
                        2008-12-04 02:13   ---------   d-----w   c:\documents and settings\Christopher Apostle\Application Data\LimeWire
                        2008-12-02 22:31   ---------   d-----w   c:\program files\Java
                        2008-12-02 17:43   ---------   d-----w   c:\program files\Web Publish
                        2008-12-02 17:43   ---------   d-----w   c:\program files\Spybot - Search & Destroy
                        2008-12-02 17:43   ---------   d-----w   c:\program files\Motherboard Monitor 5
                        2008-12-02 17:43   ---------   d-----w   c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
                        2008-12-02 02:58   ---------   d-----w   c:\program files\Viewpoint
                        2008-12-02 02:58   ---------   d-----w   c:\documents and settings\All Users\Application Data\Viewpoint
                        2008-11-10 12:43   410,984   ----a-w   c:\windows\SYSTEM32\deploytk.dll
                        2008-11-03 05:40   ---------   d-----w   c:\documents and settings\Christopher Apostle\Application Data\Image Zone Express
                        2008-11-03 02:52   ---------   d-----w   c:\program files\MSECache
                        2008-11-02 11:31   ---------   d-----w   c:\documents and settings\Christopher Apostle\Application Data\InstallShield
                        2008-11-02 11:29   ---------   d--h--w   c:\program files\InstallShield Installation Information
                        2008-10-31 05:56   ---------   d-----w   c:\documents and settings\Christopher Apostle\Application Data\eBookPro6
                        2008-10-28 20:07   ---------   d-----w   c:\documents and settings\All Users\Application Data\PureEdge
                        2008-10-28 20:06   ---------   d-----w   c:\documents and settings\All Users\Application Data\Amazon
                        2008-10-24 15:10   ---------   d-----w   c:\documents and settings\Christopher Apostle\Application Data\AdobeUM
                        2008-10-24 11:21   455,296   ----a-w   c:\windows\system32\drivers\mrxsmb.sys
                        2008-10-24 11:21   455,296   ----a-w   c:\windows\SYSTEM32\DLLCACHE\mrxsmb.sys
                        2008-10-16 21:13   202,776   ----a-w   c:\windows\SYSTEM32\wuweb.dll
                        2008-10-16 21:13   202,776   ----a-w   c:\windows\SYSTEM32\DLLCACHE\wuweb.dll
                        2008-10-16 21:13   1,809,944   ----a-w   c:\windows\SYSTEM32\wuaueng.dll
                        2008-10-16 21:13   1,809,944   ----a-w   c:\windows\SYSTEM32\DLLCACHE\wuaueng.dll
                        2008-10-16 21:12   561,688   ----a-w   c:\windows\SYSTEM32\wuapi.dll
                        2008-10-16 21:12   561,688   ----a-w   c:\windows\SYSTEM32\DLLCACHE\wuapi.dll
                        2008-10-16 21:12   323,608   ----a-w   c:\windows\SYSTEM32\wucltui.dll
                        2008-10-16 21:12   323,608   ----a-w   c:\windows\SYSTEM32\DLLCACHE\wucltui.dll
                        2008-10-16 21:09   92,696   ----a-w   c:\windows\SYSTEM32\DLLCACHE\cdm.dll
                        2008-10-16 21:09   92,696   ----a-w   c:\windows\SYSTEM32\cdm.dll
                        2008-10-16 21:09   51,224   ----a-w   c:\windows\SYSTEM32\wuauclt.exe
                        2008-10-16 21:09   51,224   ----a-w   c:\windows\SYSTEM32\DLLCACHE\wuauclt.exe
                        2008-10-16 21:09   43,544   ----a-w   c:\windows\SYSTEM32\wups2.dll
                        2008-10-16 21:08   34,328   ----a-w   c:\windows\SYSTEM32\wups.dll
                        2008-10-16 21:08   34,328   ----a-w   c:\windows\SYSTEM32\DLLCACHE\wups.dll
                        2008-10-16 21:06   268,648   ----a-w   c:\windows\SYSTEM32\mucltui.dll
                        2008-10-16 21:06   208,744   ----a-w   c:\windows\SYSTEM32\muweb.dll
                        2008-10-15 16:34   337,408   ----a-w   c:\windows\SYSTEM32\DLLCACHE\netapi32.dll
                        2008-10-03 17:41   6,066,176   ------w   c:\windows\SYSTEM32\DLLCACHE\ieframe.dll
                        2008-09-30 23:43   1,286,152   ----a-w   c:\windows\SYSTEM32\msxml4.dll
                        2008-09-15 12:12   1,846,400   ----a-w   c:\windows\SYSTEM32\win32k.sys
                        2008-09-15 12:12   1,846,400   ----a-w   c:\windows\SYSTEM32\DLLCACHE\win32k.sys
                        2008-09-10 01:14   1,307,648   ----a-w   c:\windows\SYSTEM32\DLLCACHE\msxml6.dll
                        2008-09-10 01:14   1,307,648   ------w   c:\windows\SYSTEM32\msxml6.dll
                        2005-11-29 21:39   236,216   ----a-w   c:\documents and settings\Christopher Apostle\Application Data\GDIPFONTCACHEV1.DAT
                        2008-04-14 00:12   50,688   --sh--w   c:\windows\twain_32.dll
                        2005-05-05 04:14   475   --sh--w   c:\windows\SYSTEM32\gglizu.dll
                        2008-04-14 00:12   11,776   --sh--w   c:\windows\SYSTEM32\regsvr32.exe
                        .

                        (((((((((((((((((((((((((((((((((((((   Reg Loading Points   ))))))))))))))))))))))))))))))))))))))))))))))))))
                        .
                        .
                        *Note* empty entries & legit default entries are not shown






                        mcummings36


                          Re: **STILL HAVING PROBLEMS, PLEASE HELP!!**
                          « Reply #18 on: December 10, 2008, 12:11:56 AM »
                          2nd half of ComboFix log:


                          REGEDIT4

                          [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
                          "Yahoo! Pager"="c:\progra~1\Yahoo!\MESSEN~1\YAHOOM~1.EXE" [2007-08-30 4670704]
                          "ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-13 15360]
                          "RCUI"="c:\program files\RingCentral\RingCentral Call Controller\RCUI.exe" [2008-11-12 479232]
                          "RCHotKey"="c:\program files\RingCentral\RingCentral Call Controller\RCHotKey.exe" [2008-11-12 32768]
                          "SUPERAntiSpyware"="c:\program files\SUPERAntiSpyware\SUPERAntiSpyware.exe" [2008-11-17 1805552]

                          [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
                          "QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2004-08-19 98304]
                          "avast!"="c:\progra~1\ALWILS~1\Avast4\ashDisp.exe" [2008-07-19 78008]
                          "SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2008-11-10 136600]

                          [hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
                          "{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "c:\program files\SUPERAntiSpyware\SASSEH.DLL" [2008-05-13 77824]

                          [HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Reader Speed Launch.lnk]
                          path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Adobe Reader Speed Launch.lnk
                          backup=c:\windows\pss\Adobe Reader Speed Launch.lnkCommon Startup

                          [HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^HP Digital Imaging Monitor.lnk]
                          path=c:\documents and settings\All Users\Start Menu\Programs\Startup\HP Digital Imaging Monitor.lnk
                          backup=c:\windows\pss\HP Digital Imaging Monitor.lnkCommon Startup

                          [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ctfmon.exe]
                          --a------ 2008-04-13 17:12 15360 c:\windows\SYSTEM32\ctfmon.exe

                          [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HPDJ Taskbar Utility]
                          --a------ 2005-03-07 21:42 176128 c:\windows\SYSTEM32\SPOOL\DRIVERS\W32X86\3\hpztsb12.exe

                          [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
                          --a------ 2004-08-19 20:31 98304 c:\program files\QuickTime\qttask.exe

                          [HKEY_LOCAL_MACHINE\software\microsoft\security center]
                          "UpdatesDisableNotify"=dword:00000001

                          [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
                          "%windir%\\system32\\sessmgr.exe"=
                          "c:\\Program Files\\Messenger\\msmsgs.exe"=
                          "c:\\Program Files\\Yahoo!\\Messenger\\YServer.exe"=
                          "%windir%\\Network Diagnostic\\xpnetdiag.exe"=
                          "c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqtra08.exe"=
                          "c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqste08.exe"=
                          "c:\\Program Files\\HP\\Digital Imaging\\bin\\hpofxm08.exe"=
                          "c:\\Program Files\\HP\\Digital Imaging\\bin\\hposfx08.exe"=
                          "c:\\Program Files\\HP\\Digital Imaging\\bin\\hposid01.exe"=
                          "c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqscnvw.exe"=
                          "c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqkygrp.exe"=
                          "c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqCopy.exe"=
                          "c:\\Program Files\\HP\\Digital Imaging\\bin\\hpfccopy.exe"=
                          "c:\\Program Files\\HP\\Digital Imaging\\bin\\hpzwiz01.exe"=
                          "c:\\Program Files\\HP\\Digital Imaging\\Unload\\HpqPhUnl.exe"=
                          "c:\\Program Files\\HP\\Digital Imaging\\Unload\\HpqDIA.exe"=
                          "c:\\Program Files\\HP\\Digital Imaging\\bin\\hpoews01.exe"=
                          "c:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe"=
                          "c:\\WINDOWS\\SYSTEM32\\fxsclnt.exe"=
                          "c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
                          "c:\\Program Files\\LimeWire\\LimeWire.exe"=
                          "c:\\Program Files\\RingCentral\\RingCentral Call Controller\\RCUI.exe"=
                          "c:\\Program Files\\Alwil Software\\Avast4\\ashMaiSv.exe"=
                          "c:\\WINDOWS\\SYSTEM32\\wuauclt.exe"=
                          "c:\\Program Files\\Java\\jre6\\bin\\jqs.exe"=

                          R1 aswSP;avast! Self Protection;c:\windows\system32\drivers\aswSP.sys [2008-11-29 78416]
                          R1 SASKUTIL;SASKUTIL;\??\c:\program files\SUPERAntiSpyware\SASKUTIL.sys [2008-11-17 55024]
                          R2 aswFsBlk;aswFsBlk;c:\windows\system32\DRIVERS\aswFsBlk.sys [2008-11-29 20560]
                          R3 SASENUM;SASENUM;\??\c:\program files\SUPERAntiSpyware\SASENUM.SYS [2008-11-17 7408]
                          S1 SASDIFSV;SASDIFSV;\??\c:\program files\SUPERAntiSpyware\SASDIFSV.SYS [2008-11-17 8944]
                          S3 IPN2120;Instant Wireless-B PCI Adapter Driver;c:\windows\system32\DRIVERS\LSIPNDS.sys [2004-07-01 95232]

                          [HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{600c93a2-c0cc-11dd-97a4-000bdbb5764c}]
                          \Shell\AutoRun\command - E:\start.exe

                          *Newly Created Service* - PROCEXP90
                          .
                          Contents of the 'Scheduled Tasks' folder

                          2008-12-09 c:\windows\Tasks\ErrorKiller Scheduled Scan.job
                          - c:\program files\ErrorKiller\ErrorKiller.exe []

                          2008-12-09 c:\windows\Tasks\ErrorKiller Scheduled Scan.job
                          - c:\program files\ErrorKiller []
                          .
                          - - - - ORPHANS REMOVED - - - -

                          HKLM-Run-cat - (no file)
                          MSConfigStartUp-EPSON Stylus C82 Series - c:\windows\System32\spool\DRIVERS\W32X86\3\E_S0HIC1.EXE
                          MSConfigStartUp-MCUpdateExe - c:\progra~1\mcafee.com\agent\mcupdate.exe
                          MSConfigStartUp-Nsv - c:\windows\system32\nsvsvc\nsvsvc.exe
                          MSConfigStartUp-OASClnt - c:\program files\McAfee.com\VSO\oasclnt.exe
                          MSConfigStartUp-SpybotSD TeaTimer - c:\program files\Spybot - Search & Destroy\TeaTimer.exe
                          MSConfigStartUp-Tsa - c:\progra~1\COMMON~1\tsa\tsm.exe
                          MSConfigStartUp-VSOCheckTask - c:\progra~1\McAfee.com\VSO\mcmnhdlr.exe


                          .
                          ------- Supplementary Scan -------
                          .
                          uInternet Settings,ProxyOverride = 127.0.0.1;*.local
                          Handler: ic32pp - {BBCA9F81-8F4F-11D2-90FF-0080C83D3571} - c:\windows\wc98pp.dll

                          O16 -: DirectAnimation Java Classes - file://c:\windows\Java\classes\dajava.cab
                          c:\windows\Downloaded Program Files\DirectAnimation Java Classes.osd

                          O16 -: Microsoft XML Parser for Java - file://c:\windows\Java\classes\xmldso.cab
                          c:\windows\Downloaded Program Files\Microsoft XML Parser for Java.osd

                          c:\windows\SYSTEM32\unicows.dll - c:\windows\Downloaded Program Files\ImageUploader5.ocx
                          O16 -: {38AB0814-B09B-4378-9940-14A19638C3C2}
                          hxxp://www.auctiva.com/Aurigma/ImageUploader55.cab
                          c:\windows\Downloaded Program Files\ImageUploader5.inf
                          FireFox -: Profile - c:\documents and settings\Christopher Apostle\Application Data\Mozilla\Firefox\Profiles\c10u9v8q.default\
                          FireFox -: prefs.js - SEARCH.DEFAULTURL - hxxp://www.google.com/search?lr=&ie=UTF-8&oe=UTF-8&q=
                          .

                          **************************************************************************

                          catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
                          Rootkit scan 2008-12-10 00:03:03
                          Windows 5.1.2600 Service Pack 3 NTFS

                          scanning hidden processes ...

                          scanning hidden autostart entries ...

                          scanning hidden files ...

                          scan completed successfully
                          hidden files: 0

                          **************************************************************************
                          .
                          --------------------- DLLs Loaded Under Running Processes ---------------------

                          - - - - - - - > 'winlogon.exe'(660)
                          c:\program files\SUPERAntiSpyware\SASWINLO.dll
                          .
                          Completion time: 2008-12-10  0:04:58
                          ComboFix-quarantined-files.txt  2008-12-10 07:04:23

                          Pre-Run: 24,265,408,512 bytes free
                          Post-Run: 24,297,021,440 bytes free

                          WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe
                          [boot loader]
                          timeout=2
                          default=multi(0)disk(0)rdisk(0)partition(2)\WINDOWS
                          [operating systems]
                          c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
                          multi(0)disk(0)rdisk(0)partition(2)\WINDOWS="Microsoft Windows XP Professional" /fastdetect /NoExecute=OptIn

                          337   --- E O F ---   2008-11-12 10:28:04
                          You just pushed my jacka*s button...

                          mcummings36


                            Re: **STILL HAVING PROBLEMS, PLEASE HELP!!**
                            « Reply #19 on: December 10, 2008, 12:12:26 AM »
                            Logfile of Trend Micro HijackThis v2.0.2
                            Scan saved at 12:08:13 AM, on 12/10/2008
                            Platform: Windows XP SP3 (WinNT 5.01.2600)
                            MSIE: Internet Explorer v7.00 (7.00.6000.16735)
                            Boot mode: Normal

                            Running processes:
                            C:\WINDOWS\System32\smss.exe
                            C:\WINDOWS\system32\winlogon.exe
                            C:\WINDOWS\system32\services.exe
                            C:\WINDOWS\system32\lsass.exe
                            C:\WINDOWS\system32\svchost.exe
                            C:\WINDOWS\System32\svchost.exe
                            C:\WINDOWS\system32\svchost.exe
                            C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
                            C:\Program Files\Alwil Software\Avast4\ashServ.exe
                            C:\Program Files\QuickTime\qttask.exe
                            C:\WINDOWS\system32\LEXBCES.EXE
                            C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
                            C:\Program Files\Java\jre6\bin\jusched.exe
                            C:\PROGRA~1\Yahoo!\MESSEN~1\YAHOOM~1.EXE
                            C:\WINDOWS\system32\LEXPPS.EXE
                            C:\WINDOWS\system32\ctfmon.exe
                            C:\WINDOWS\system32\spoolsv.exe
                            C:\Program Files\RingCentral\RingCentral Call Controller\RCUI.exe
                            C:\Program Files\RingCentral\RingCentral Call Controller\RCHotKey.exe
                            C:\Program Files\Bonjour\mDNSResponder.exe
                            C:\Program Files\Java\jre6\bin\jqs.exe
                            C:\WINDOWS\system32\HPZipm12.exe
                            C:\WINDOWS\System32\svchost.exe
                            C:\WINDOWS\system32\fxssvc.exe
                            C:\WINDOWS\system32\slrundll.exe
                            C:\WINDOWS\explorer.exe
                            C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
                            C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
                            C:\Program Files\internet explorer\iexplore.exe
                            C:\Program Files\Trend Micro\HijackThis\sniper.exe.exe

                            R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
                            R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
                            R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
                            R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
                            R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1;*.local
                            O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
                            O2 - BHO: Java(tm) Plug-In SSV Helper - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre6\bin\ssv.dll
                            O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
                            O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
                            O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
                            O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
                            O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"
                            O4 - HKCU\..\Run: [Yahoo! Pager] "C:\PROGRA~1\Yahoo!\MESSEN~1\YAHOOM~1.EXE" -quiet
                            O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
                            O4 - HKCU\..\Run: [RCUI] "C:\Program Files\RingCentral\RingCentral Call Controller\RCUI.exe"
                            O4 - HKCU\..\Run: [RCHotKey] "C:\Program Files\RingCentral\RingCentral Call Controller\RCHotKey.exe"
                            O4 - HKCU\..\Run: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
                            O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
                            O9 - Extra button: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\Program Files\PartyPoker\PartyPoker.exe (file missing)
                            O9 - Extra 'Tools' menuitem: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\Program Files\PartyPoker\PartyPoker.exe (file missing)
                            O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)
                            O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
                            O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
                            O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
                            O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
                            O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?LinkID=39204
                            O16 - DPF: {1A1F56AA-3401-46F9-B277-D57F3421F821} (FunGamesLoader Object) - http://www.worldwinner.com/games/v46/shared/FunGamesLoader.cab
                            O16 - DPF: {26CBF141-7D0F-46E1-AA06-718958B6E4D2} - http://download.ebay.com/turbo_lister/US/install.cab
                            O16 - DPF: {2EB1E425-74DC-4DC0-A9E1-03A4C852E1F2} (CPlayFirstTriJinxControl Object) - http://zone.msn.com/bingame/trix/default/TriJinx.1.0.0.67.cab
                            O16 - DPF: {38AB0814-B09B-4378-9940-14A19638C3C2} (Auctiva Image Uploader Control) - http://www.auctiva.com/Aurigma/ImageUploader55.cab
                            O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} -
                            O16 - DPF: {8A94C905-FF9D-43B6-8708-F0F22D22B1CB} (Wwlaunch Control) - http://www.worldwinner.com/games/shared/wwlaunch.cab
                            O16 - DPF: {8EDAD21C-3584-4E66-A8AB-EB0E5584767D} - http://toolbar.google.com/data/GoogleActivate.cab
                            O16 - DPF: {B1E2B96C-12FE-45E2-BEF1-44A219113CDD} (SABScanProcesses Class) - http://www.superadblocker.com/activex/sabspx.cab
                            O16 - DPF: {BCC0FF27-31D9-4614-A68E-C18E1ADA4389} - http://download.mcafee.com/molbin/shared/mcgdmgr/en-us/1,0,0,21/mcgdmgr.cab
                            O16 - DPF: {E87F6C8E-16C0-11D3-BEF7-009027438003} (Persits Software XUpload) - http://www.auctiva.com/hostedimages/activex/xupload/XUpload.ocx
                            O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
                            O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
                            O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
                            O23 - Service: avast! Web Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
                            O23 - Service: ##Id_String1.6844F930_1628_4223_B5CC_5BB94B879762## (Bonjour Service) - Apple Computer, Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
                            O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
                            O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
                            O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
                            O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
                            O23 - Service: SmartLinkService (SLService) - Smart Link - C:\WINDOWS\SYSTEM32\slserv.exe

                            --
                            End of file - 6714 bytes
                            You just pushed my jacka*s button...

                            evilfantasy

                            Re: **STILL HAVING PROBLEMS, PLEASE HELP!!**
                            « Reply #20 on: December 10, 2008, 05:23:13 PM »
                            Run the Kaspersky Online Scanner

                            In Microsoft Windows Vista, you must open the Web browser using the Run as Administrator command. From the Desktop right click the icon to open the browser and choose Run as Administrator.

                            • Click on SCAN NOW
                            • Click Accept.
                            • The program will then begin downloading the latest definition files.
                            • Once the files have been downloaded locate the Scan Settings and have it scan My Computer.
                            • The scan will take a while, so be patient and let it finish.
                            When the scan is done, in the Scan is complete window, any infection is displayed.
                            There is no option to clean/disinfect; however, we need to analyze the information on the report.

                            To obtain the report:
                            • Click on: Save Report As
                            • Next, in the Save as prompt, Save in area, select: Desktop.
                            • In the File name area use KScan, or something similar.
                            • In Save as type: click the drop arrow and select: Text file [*.txt]
                            • Then, click: Save


                            Copy and paste the Kaspersky Online Scanner Report in your next reply.

                            Note for Internet Explorer 7 users: If at any time you have trouble viewing the accept button of the license, click on the Zoom tool located at the bottom right of the IE window and set the zoom to 75%. Once the license is accepted, reset to 100%.