More Popups...
  • This topic is locked
11 replies to this topic

#1 LaureBelle

    Member

  • Full Member
  • 7 posts

Posted 01 November 2009 - 03:35 PM

Hi, like most, I'm having a popup problem and slowness in everything I do. I am unable to download some of the programs suggested to check for malware/viruses; the downloads just churn and nothing comes through. I was able to download HijackThis (probably because it's so small), so I can post that log.

As soon as I bring up a browser, everything slows to a crawl; suddenly a big browser window (with no URL) opens up offering 'google work from home for $$$' ads, some of which are large audio/video ads that start playing, and the only way I can close them is Ctrl/Alt/Del and shut them down. Today while I was on the HijackThis page, another browser (about:blank) opened and empty browser tabs started replicating exponentially!

I have the feeling that O4 - HKLM\..\Run: [tunemalul] Rundll32.exe "c:\windows\system32\nehaleti.dll",a is a problem. When I try to get it out of my startup list, the next time I start up it puts yet another version of tunemalul in. So far I have all of these unchecked versions in startup as well. Something keeps installing them.

Rundll32.exe "c:\windows\system32\puzesale.dll",a
Rundll32.exe "c:\windows\system32\mifolole.dll",a
Rundll32.exe "c:\windows\system32\lutayesi.dll",a
Rundll32.exe "c:\windows\system32\migisibi.dll",a

I no longer have a Lexmark printer, so can probably get rid of that, but can you see anything else in there I should delete? Another program I should use?

Not sure what those O1 - Hosts: 209.66.123.174 lines are; I swear I don't have any porn sites up, or any porn on my machine even!!

Who are these idiots who create this crap?? Such a pain... Anyway, appreciate those of you who sacrifice your time to help us deal with it all.

Laure
--------------------------------------------------------------

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 12:51:47 PM, on 11/1/2009
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16915)
Boot mode: Normal

Running processes:
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\LEXPPS.EXE
C:\Program Files\Microsoft Hardware\Keyboard\type32.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Yahoo!\Messenger\ymsgr_tray.exe
C:\WINDOWS\system32\HPZipm12.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\alg.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
C:\WINDOWS\system32\wbem\wmiprvse.exe

R1 - HKCU\Software\Microsoft\Internet Explorer,SearchURL = http://freehqmovies.com/search/
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\userinit.exe,C:\WINDOWS\system32\twext.exe,
O1 - Hosts: 209.66.123.174 www.sexyrabbit.com
O1 - Hosts: 209.66.123.174 www.free6.com
O1 - Hosts: 209.66.123.174 www.thehun.net
O1 - Hosts: 209.66.123.174 www.thehun.com
O1 - Hosts: 209.66.123.174 www.sexocean.com
O1 - Hosts: 209.66.123.174 www.xnxx.com
O1 - Hosts: 209.66.123.174 www.easypic.com
O2 - BHO: Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: UberButton Class - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\common\yiesrvc.dll
O2 - BHO: YahooTaggedBM Class - {65D886A2-7CA7-479B-BB95-14D1EFB7946A} - C:\Program Files\Yahoo!\common\YIeTagBm.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: (no name) - {FDD3B846-8D59-4ffb-8758-209B6AD74ACC} - C:\Program Files\Microsoft Money\System\mnyviewer.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O4 - HKLM\..\Run: [IntelliType] "C:\Program Files\Microsoft Hardware\Keyboard\type32.exe"
O4 - HKLM\..\Run: [Windows Defender] "C:\Program Files\Windows Defender\MSASCui.exe" -hide
O4 - HKLM\..\Run: [tunemalul] Rundll32.exe "c:\windows\system32\nehaleti.dll",a
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [Yahoo! Pager] "C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe" -quiet
O4 - HKUS\S-1-5-18\..\Run: [DWQueuedReporting] "C:\PROGRA~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" -t (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [DWQueuedReporting] "C:\PROGRA~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" -t (User 'Default user')
O8 - Extra context menu item: &Yahoo! Search - file:///C:\Program Files\Yahoo!\Common/ycsrch.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\Office10\EXCEL.EXE/3000
O8 - Extra context menu item: Yahoo! &Dictionary - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
O8 - Extra context menu item: Yahoo! &Maps - file:///C:\Program Files\Yahoo!\Common/ycmap.htm
O8 - Extra context menu item: Yahoo! &SMS - file:///C:\Program Files\Yahoo!\Common/ycsms.htm
O9 - Extra button: Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\common\yiesrvc.dll
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM95\aim.exe
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O9 - Extra button: MoneySide - {E023F504-0C5A-4750-A1E7-A9046DEA8A21} - C:\Program Files\Microsoft Money\System\mnyviewer.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O14 - IERESET.INF: START_PAGE_URL=http://www.e4me.com
O15 - Trusted Zone: *.texastech.edu
O16 - DPF: {0CCA191D-13A6-4E29-B746-314DEE697D83} (Facebook Photo Uploader 5 Control) - http://upload.facebo...toUploader5.cab
O16 - DPF: {215B8138-A3CF-44C5-803F-8226143CFC0A} (Trend Micro ActiveX Scan Agent 6.6) - http://housecall65.t...ivex/hcImpl.cab
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - C:\Program Files\Yahoo!\Common\yinsthelper.dll
O16 - DPF: {48DD0448-9209-4F81-9F6D-D83562940134} (MySpace Uploader Control) - http://lads.myspace....ploader1006.cab
O16 - DPF: {5C6698D9-7BE4-4122-8EC5-291D84DBD4A0} - http://upload.facebo...toUploader3.cab
O16 - DPF: {8100D56A-5661-482C-BEE8-AFECE305D968} (Facebook Photo Uploader 5 Control) - http://upload.facebo...oUploader55.cab
O16 - DPF: {D6E7CFB5-C074-4D1C-B647-663D1A8D96BF} (Facebook Photo Uploader 4) - http://upload.facebo...Uploader4_5.cab
O16 - DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} (get_atlcom Class) - http://platformdl.ad...Plus/1.6/gp.cab
O20 - AppInit_DLLs: bemadoko.dll c:\windows\system32\nehaleti.dll
O20 - Winlogon Notify: __c0037419 - C:\WINDOWS\
O20 - Winlogon Notify: __c009B5A1 - C:\WINDOWS\
O20 - Winlogon Notify: __c00C8471 - C:\WINDOWS\
O20 - Winlogon Notify: __c00E669A - C:\WINDOWS\
O21 - SSODL: bahumamig - {b46401f3-967f-4672-a29a-3fa4130c61d3} - c:\windows\system32\nehaleti.dll
O22 - SharedTaskScheduler: tokatiluy - {b46401f3-967f-4672-a29a-3fa4130c61d3} - c:\windows\system32\nehaleti.dll
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe

--
End of file - 6916 bytes
----------------------------------
11/02/09


Was finally able to download Spybot Search & Destroy. It took two tries due to an 'out of memory' message as it was stuck on Virtumonde (source of tunemalul), but it eventually eliminated the malware and trojans it found, except for win32...Agent.jg. Now I just need to get rid of that one; it said it was running and couldn't delete it... Popups have stopped now, though. Here is my new HijackThis log; any ideas how to get rid of Agent.jg? twext.exe is a part of that file.

Also, I still see this entry in this log:

O1 - Hosts: 209.66.123.174 www.thehun.com

----------
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 12:22:12 PM, on 11/2/2009
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16915)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\LEXPPS.EXE
C:\Program Files\Microsoft Hardware\Keyboard\type32.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\Program Files\Yahoo!\Messenger\ymsgr_tray.exe
C:\WINDOWS\system32\HPZipm12.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\system32\NOTEPAD.EXE
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer,SearchURL = about:blank
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\userinit.exe,C:\WINDOWS\system32\twext.exe,
O1 - Hosts: 209.66.123.174 www.thehun.com
O2 - BHO: Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: UberButton Class - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\common\yiesrvc.dll
O2 - BHO: YahooTaggedBM Class - {65D886A2-7CA7-479B-BB95-14D1EFB7946A} - C:\Program Files\Yahoo!\common\YIeTagBm.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: (no name) - {FDD3B846-8D59-4ffb-8758-209B6AD74ACC} - C:\Program Files\Microsoft Money\System\mnyviewer.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O4 - HKLM\..\Run: [IntelliType] "C:\Program Files\Microsoft Hardware\Keyboard\type32.exe"
O4 - HKLM\..\Run: [Windows Defender] "C:\Program Files\Windows Defender\MSASCui.exe" -hide
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [Yahoo! Pager] "C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe" -quiet
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKUS\S-1-5-18\..\Run: [DWQueuedReporting] "C:\PROGRA~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" -t (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [DWQueuedReporting] "C:\PROGRA~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" -t (User 'Default user')
O8 - Extra context menu item: &Yahoo! Search - file:///C:\Program Files\Yahoo!\Common/ycsrch.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\Office10\EXCEL.EXE/3000
O8 - Extra context menu item: Yahoo! &Dictionary - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
O8 - Extra context menu item: Yahoo! &Maps - file:///C:\Program Files\Yahoo!\Common/ycmap.htm
O8 - Extra context menu item: Yahoo! &SMS - file:///C:\Program Files\Yahoo!\Common/ycsms.htm
O9 - Extra button: Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\common\yiesrvc.dll
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM95\aim.exe
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: MoneySide - {E023F504-0C5A-4750-A1E7-A9046DEA8A21} - C:\Program Files\Microsoft Money\System\mnyviewer.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O14 - IERESET.INF: START_PAGE_URL=http://www.e4me.com
O15 - Trusted Zone: *.texastech.edu
O16 - DPF: {0CCA191D-13A6-4E29-B746-314DEE697D83} (Facebook Photo Uploader 5 Control) - http://upload.facebo...ebookPhotoUploader5.cab
O16 - DPF: {215B8138-A3CF-44C5-803F-8226143CFC0A} (Trend Micro ActiveX Scan Agent 6.6) - http://housecall65.t...ative/x86/win32/activex/hcImpl.cab
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - C:\Program Files\Yahoo!\Common\yinsthelper.dll
O16 - DPF: {48DD0448-9209-4F81-9F6D-D83562940134} (MySpace Uploader Control) - http://lads.myspace....ploader1006.cab
O16 - DPF: {5C6698D9-7BE4-4122-8EC5-291D84DBD4A0} - http://upload.facebo...toUploader3.cab
O16 - DPF: {8100D56A-5661-482C-BEE8-AFECE305D968} (Facebook Photo Uploader 5 Control) - http://upload.facebo...acebookPhotoUploader55.cab
O16 - DPF: {D6E7CFB5-C074-4D1C-B647-663D1A8D96BF} (Facebook Photo Uploader 4) - http://upload.facebo...Uploader4_5.cab
O16 - DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} (get_atlcom Class) - http://platformdl.ad...Plus/1.6/gp.cab
O20 - AppInit_DLLs: bemadoko.dll c:\windows\system32\yezenefi.dll
O20 - Winlogon Notify: __c0037419 - C:\WINDOWS\
O20 - Winlogon Notify: __c009B5A1 - C:\WINDOWS\
O20 - Winlogon Notify: __c00C8471 - C:\WINDOWS\
O20 - Winlogon Notify: __c00E669A - C:\WINDOWS\
O21 - SSODL: zuhujaruh - {2e9b7a26-def9-4006-b878-b9da3659dbba} - c:\windows\system32\yezenefi.dll (file missing)
O22 - SharedTaskScheduler: kupuhivus - {2e9b7a26-def9-4006-b878-b9da3659dbba} - c:\windows\system32\yezenefi.dll (file missing)
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe

--
End of file - 6921 bytes

Edited by LaureBelle, 02 November 2009 - 01:28 PM.
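Reading a log like the two above by hand is error-prone, so here is a small triage script, added as an example for this thread; it is not code from HijackThis, Spybot or any of the posters. It parses HijackThis entry lines, flags the indicator classes that appear in these logs (a hosts entry that points a name at a non-loopback address, an extra program in UserInit, a Run key that loads a DLL through rundll32, a populated AppInit_DLLs value, a Winlogon Notify entry that names a directory instead of a DLL, and SSODL/SharedTaskScheduler hooks), and then groups the findings by DLL name. The "eight random lowercase letters" pattern, the function names and the rule wording are assumptions of this example; the sample lines are copied from the first log in the thread, with two benign entries mixed in. The grouping is the point: a DLL that is registered in three separate autostart locations comes back after only one of them is unchecked, which is exactly what the first post describes.

```python
import re
from collections import defaultdict
from dataclasses import dataclass

# Constructed sample: lines copied from the first HijackThis log in this thread, plus two
# benign lines (the IntelliType Run entry and the HP print service) the rules must ignore.
SAMPLE_LOG = r"""
F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\userinit.exe,C:\WINDOWS\system32\twext.exe,
O1 - Hosts: 209.66.123.174 www.thehun.com
O1 - Hosts: 209.66.123.174 www.free6.com
O4 - HKLM\..\Run: [IntelliType] "C:\Program Files\Microsoft Hardware\Keyboard\type32.exe"
O4 - HKLM\..\Run: [tunemalul] Rundll32.exe "c:\windows\system32\nehaleti.dll",a
O20 - AppInit_DLLs: bemadoko.dll c:\windows\system32\nehaleti.dll
O20 - Winlogon Notify: __c0037419 - C:\WINDOWS\
O21 - SSODL: bahumamig - {b46401f3-967f-4672-a29a-3fa4130c61d3} - c:\windows\system32\nehaleti.dll
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
"""


@dataclass(frozen=True)
class Finding:
    section: str  # HijackThis section code, e.g. "O4"
    reason: str   # why the entry deserves a second look
    line: str     # the log line(s) that triggered it


LOOPBACK = {"127.0.0.1", "::1"}  # the only targets a stock hosts file maps names to
STOCK_USERINIT = r"c:\windows\system32\userinit.exe"
# Assumption of this example: the Vundo-style names in this thread are eight random
# lowercase letters. Legitimate DLLs can look the same, so a hit means "check the file's
# publisher and signature", not "malicious".
RANDOM_DLL = re.compile(r"(?<![A-Za-z])([a-z]{8})\.dll\b")
ENTRY = re.compile(r"^(R\d|F\d|O\d+) - (.*)$")


def triage(log_text):
    """Return Findings for the HijackThis entries in log_text, in log order."""
    findings = []
    hosts_by_ip = defaultdict(list)
    for raw in log_text.splitlines():
        line = raw.strip()
        m = ENTRY.match(line)
        if not m:
            continue  # headers, the process list, blank lines
        section, body = m.groups()
        reason = None
        if section == "F2" and "UserInit=" in body:
            value = body.split("UserInit=", 1)[1]
            extras = [p for p in value.split(",") if p and p.lower() != STOCK_USERINIT]
            if extras:
                reason = "UserInit starts extra programs at logon: " + ", ".join(extras)
        elif section == "O1" and body.startswith("Hosts:"):
            parts = body.split()
            if len(parts) >= 3 and parts[1] not in LOOPBACK:
                hosts_by_ip[parts[1]].append(parts[2])
                reason = f"hosts file sends {parts[2]} to {parts[1]}"
        elif section == "O4" and "rundll32" in body.lower() and RANDOM_DLL.search(body):
            reason = "Run key loads a random-looking DLL through rundll32"
        elif section == "O20" and body.startswith("AppInit_DLLs:"):
            if body.partition(":")[2].strip():
                reason = "AppInit_DLLs is set: these DLLs load into every process that loads user32.dll"
        elif section == "O20" and body.startswith("Winlogon Notify:"):
            if body.rstrip().endswith("\\"):
                reason = "Winlogon Notify entry names a directory, not a DLL"
        elif section in ("O21", "O22") and RANDOM_DLL.search(body):
            reason = "shell/task-scheduler hook points at a random-looking DLL"
        if reason:
            findings.append(Finding(section, reason, line))
    # Several names pointing at one non-loopback address is the hosts-hijack signature.
    for ip, hosts in hosts_by_ip.items():
        if len(hosts) > 1:
            findings.append(Finding("O1", f"{len(hosts)} names share the redirect target {ip}", "; ".join(hosts)))
    return findings


def persistence_by_file(findings):
    """Map each random-looking DLL name to the sorted list of sections that reference it."""
    where = defaultdict(set)
    for f in findings:
        for name in RANDOM_DLL.findall(f.line):
            where[name].add(f.section)
    return {name: sorted(secs) for name, secs in where.items()}


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"[{f.section}] {f.reason}\n    {f.line}")
    for name, secs in persistence_by_file(triage(SAMPLE_LOG)).items():
        print(f"{name}.dll is registered in {len(secs)} autostart location(s): {', '.join(secs)}")
```

On the sample, nehaleti.dll shows up under O4, O20 and O21 at once, while the IntelliType and HP lines produce nothing. Removing one Run entry therefore leaves two other load points in place, which is why a scanner that handles all of them (Spybot in the second post, and the MBAM run requested in the reply) gets further than editing the startup list.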


#2 snemelk

    engineer

  • Expert
  • 3,098 posts

Posted 03 November 2009 - 06:04 AM

Hi LaureBelle, and Welcome to SWI.

Why don't you have an antivirus installed? :hmmm:

Firstly,
Please download Malwarebytes' Anti-Malware from Here

Double-click mbam-setup.exe to install the application.
  • Make sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.
  • If an update is found, it will download and install the latest version.
  • Once the program has loaded, select "Perform Quick Scan", then click Scan.
  • The scan may take some time to finish, so please be patient.
  • When the scan is complete, click OK, then Show Results to view the results.
  • Make sure that everything is checked, and click Remove Selected.
  • When disinfection is completed, a log will open in Notepad and you may be prompted to restart. (See Extra Note)
  • The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
  • Copy & paste the entire report in your next reply along with a fresh HijackThis log.
Extra Note:
If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts; click OK to either and let MBAM proceed with the disinfection process. If asked to restart the computer, please do so immediately.

Secondly,
Please install an antivirus application and perform a full system scan with it - post a log from that scan...
You may want to install one of the antivirus programs I recommend: link...

Tell me if the problem persists...

snemelk.hekko.pl - - my site with a few computer security tips...
Silesia - that's where I live!

"If I had some duct tape, I could fix that." - MacGyver


My help is free, but if you wish to help keep these forums running please consider a donation, see this topic for details.

#3 snemelk

    engineer

  • Expert
  • 3,098 posts

Posted 27 November 2009 - 06:05 PM

Due to the lack of feedback, this topic is closed.

Reopened

Everyone else please begin a New Topic.

Edited by cnm, 29 November 2009 - 08:50 PM.


#4 cnm

    Mother Lion of SWI

  • Administrators
  • 25,317 posts

Posted 29 November 2009 - 08:49 PM

Reopened at request of topic owner.

Microsoft MVP Windows Security 2005-2006
How camest thou in this pickle? -- William Shakespeare:(1564-1616)
The various helper groups here
UNITE


#5 LaureBelle

    Member

  • Full Member
  • 7 posts

Posted 29 November 2009 - 09:46 PM

Reopened at request of topic owner.


Thanks for re-opening. I have McAfee on my laptop, but not on this old desktop. Installed, updated, scanned, and here are the results as requested.

------------------------------------------------------------------------------------------
11/29/2009 1:32:06 PM Engine version =5400.1158
11/29/2009 1:32:06 PM AntiVirus DAT version =5817.0000
11/29/2009 1:32:06 PM Number of detection signatures in EXTRA.DAT =None
11/29/2009 1:32:06 PM Names of detection signatures in EXTRA.DAT =None
11/29/2009 1:31:16 PM Scan Started YOUR-5OLNB28OAO\Laure Belle Full Scan
11/29/2009 1:39:27 PM Engine version =5400.1158
11/29/2009 1:39:27 PM AntiVirus DAT version =5817.0000
11/29/2009 1:39:27 PM Number of detection signatures in EXTRA.DAT =None
11/29/2009 1:39:27 PM Names of detection signatures in EXTRA.DAT =None
11/29/2009 1:40:22 PM Not scanned (The file is encrypted) Laure Belle c:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\BDEProjector.zip\sbRecovery.reg
11/29/2009 1:40:25 PM Not scanned (The file is encrypted) Laure Belle c:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\BDEProjector1.zip\bdesecureinstall.cab
11/29/2009 1:40:26 PM Not scanned (The file is encrypted) Laure Belle c:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\BDEProjector2.zip\bdesecureinstall.exe
11/29/2009 1:40:26 PM Not scanned (The file is encrypted) Laure Belle c:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\CoolWWWSearchOemsyspnp.zip\sbRecovery.reg
11/29/2009 1:40:26 PM Not scanned (The file is encrypted) Laure Belle c:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\FreeHQMovies.zip\sbRecovery.reg
11/29/2009 1:40:26 PM Not scanned (The file is encrypted) Laure Belle c:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\FreeHQMovies1.zip\sbRecovery.reg
11/29/2009 1:40:26 PM Not scanned (The file is encrypted) Laure Belle c:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\MicrosoftWindowsSecurityCenterAntiVirusOverride.zip\sbRecovery.reg
11/29/2009 1:40:26 PM Not scanned (The file is encrypted) Laure Belle c:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\MicrosoftWindowsSecurityCenterFirewallBypass.zip\sbRecovery.reg
11/29/2009 1:40:27 PM Not scanned (The file is encrypted) Laure Belle c:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\MicrosoftWindowsSecurityCenterFirewallBypass1.zip\sbRecovery.reg
11/29/2009 1:40:27 PM Not scanned (The file is encrypted) Laure Belle c:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\Virtumondeatr.zip\vmbvaqzt.job
11/29/2009 1:40:27 PM Not scanned (The file is encrypted) Laure Belle c:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\Virtumondeatr1.zip\amlleoux.job
11/29/2009 1:40:27 PM Not scanned (The file is encrypted) Laure Belle c:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\VirtumondeDll.zip\yezenefi.dll
11/29/2009 1:40:28 PM Not scanned (The file is encrypted) Laure Belle c:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\VirtumondeDll1.zip\yarayebi.dll
11/29/2009 1:40:28 PM Not scanned (The file is encrypted) Laure Belle c:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\VirtumondeDll2.zip\bemadoko.dll
11/29/2009 1:40:28 PM Not scanned (The file is encrypted) Laure Belle c:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\VirtumondeDll3.zip\neweyoko.dll
11/29/2009 1:40:29 PM Not scanned (The file is encrypted) Laure Belle c:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\VirtumondeDll4.zip\kiwatoru.dll
11/29/2009 1:40:29 PM Not scanned (The file is encrypted) Laure Belle c:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\VirtumondeDll5.zip\tesirolo.dll
11/29/2009 1:40:29 PM Not scanned (The file is encrypted) Laure Belle c:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\VirtumondeDll6.zip\duvabova.dll
11/29/2009 1:40:29 PM Not scanned (The file is encrypted) Laure Belle c:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\VirtumondeDll7.zip\susiwoye.dll
11/29/2009 1:40:30 PM Not scanned (The file is encrypted) Laure Belle c:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\Virtumondeprx.zip\sbRecovery.reg
11/29/2009 1:40:30 PM Not scanned (The file is encrypted) Laure Belle c:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\Virtumondeprx1.zip\sbRecovery.reg
11/29/2009 1:40:30 PM Not scanned (The file is encrypted) Laure Belle c:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\Virtumondesdn.zip\validuru
11/29/2009 1:40:30 PM Not scanned (The file is encrypted) Laure Belle c:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\Virtumondesdn1.zip\__c0020640.dat
11/29/2009 1:40:31 PM Not scanned (The file is encrypted) Laure Belle c:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\WinAgentgvu.zip\sbRecovery.reg
11/29/2009 1:40:31 PM Not scanned (The file is encrypted) Laure Belle c:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\WinAgentjg.zip\user.ds.cla
11/29/2009 1:40:31 PM Not scanned (The file is encrypted) Laure Belle c:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\WinAgentjg1.zip\sbRecovery.ini
11/29/2009 1:40:31 PM Not scanned (The file is encrypted) Laure Belle c:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\WinAgentjg2.zip\sbRecovery.ini
11/29/2009 1:40:31 PM Not scanned (The file is encrypted) Laure Belle c:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\WinAgentjg3.zip\sbRecovery.ini
11/29/2009 1:40:32 PM Not scanned (The file is encrypted) Laure Belle c:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\WinAgentjg4.zip\user.ds.cla
11/29/2009 1:40:32 PM Not scanned (The file is encrypted) Laure Belle c:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\WinAgentjg5.zip\sbRecovery.ini
11/29/2009 1:40:32 PM Not scanned (The file is encrypted) Laure Belle c:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\WinAgentjg6.zip\sbRecovery.ini
11/29/2009 1:40:32 PM Not scanned (The file is encrypted) Laure Belle c:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\WinAgentjg7.zip\sbRecovery.ini
11/29/2009 1:40:33 PM Not scanned (The file is encrypted) Laure Belle c:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\WinAgentpz.zip\sbRecovery.reg
11/29/2009 1:40:33 PM Not scanned (The file is encrypted) Laure Belle c:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\WinAgentpz1.zip\sbRecovery.reg
11/29/2009 1:40:33 PM Not scanned (The file is encrypted) Laure Belle c:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\WinAgentpz2.zip\sbRecovery.reg
11/29/2009 1:40:33 PM Not scanned (The file is encrypted) Laure Belle c:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\WinAgentpz3.zip\sbRecovery.reg
11/29/2009 1:40:33 PM Not scanned (The file is encrypted) Laure Belle c:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\WinAgentpz4.zip\sbRecovery.reg
11/29/2009 1:40:34 PM Not scanned (The file is encrypted) Laure Belle c:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\WinAgentpz5.zip\sbRecovery.reg
11/29/2009 1:40:34 PM Not scanned (The file is encrypted) Laure Belle c:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\WinAgentpz6.zip\sbRecovery.reg
11/29/2009 1:40:34 PM Not scanned (The file is encrypted) Laure Belle c:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\WinTDSSrtk.zip\user.ds
11/29/2009 1:40:34 PM Not scanned (The file is encrypted) Laure Belle c:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\WinTDSSrtk1.zip\user.ds
11/29/2009 1:40:34 PM Not scanned (The file is encrypted) Laure Belle c:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\ZlobDownloader.zip\smp.bat
11/29/2009 1:52:59 PM Deleted Laure Belle c:\Documents and Settings\Laure Belle\Local Settings\Application Data\Microsoft\Windows Defender\FileTracker\{1969C1FE-2AEB-4C8A-BA6A-B880B7A03E30} QHosts-1!hosts(Trojan)
11/29/2009 1:52:59 PM Deleted Laure Belle c:\Documents and Settings\Laure Belle\Local Settings\Application Data\Microsoft\Windows Defender\FileTracker\{335395CB-BB62-4C6B-9DD3-874B0375E361} QHosts-1!hosts(Trojan)
11/29/2009 1:53:00 PM Deleted Laure Belle c:\Documents and Settings\Laure Belle\Local Settings\Application Data\Microsoft\Windows Defender\FileTracker\{749DE720-B6CD-4B14-A427-BFA4A79FF56A} QHosts-1!hosts(Trojan)
11/29/2009 1:53:00 PM Deleted Laure Belle c:\Documents and Settings\Laure Belle\Local Settings\Application Data\Microsoft\Windows Defender\FileTracker\{AC7B0DC1-650E-48F3-9CB0-D3FD8EAA2973} QHosts-1!hosts(Trojan)
11/29/2009 1:53:00 PM Deleted Laure Belle c:\Documents and Settings\Laure Belle\Local Settings\Application Data\Microsoft\Windows Defender\FileTracker\{F870EF75-4DDE-442D-A8E6-095C1512F60B} QHosts-1!hosts(Trojan)
11/29/2009 1:55:20 PM Cleaned Laure Belle c:\Documents and Settings\Laure Belle\Mom Backup\download\SULFNBK\SULFNBK.EXE W32/Magistr.a@MM(Virus)
11/29/2009 2:12:18 PM Not scanned (The file is encrypted) Laure Belle c:\Documents and Settings\Laure Belle\My Documents\My Downloads\zaSetup_80_298_000_en(2).exe\00001060.EXE\WINDOWS6.0-KB929547-V2-X64.MSU\WSUSSCAN.CAB
11/29/2009 2:16:11 PM Not scanned (The file is encrypted) Laure Belle c:\Documents and Settings\Laure Belle\My Documents\My Downloads\zaSetup_80_298_000_en.exe\00001060.EXE\WINDOWS6.0-KB929547-V2-X64.MSU\WSUSSCAN.CAB
11/29/2009 2:20:25 PM Deleted Laure Belle c:\Documents and Settings\Laure Belle\My Documents\Tim Templates\autorun.inf Generic!atr(Trojan)
11/29/2009 2:20:29 PM Deleted Laure Belle C:\DOCUMENTS AND SETTINGS\Laure Belle\MY DOCUMENTS\TIM TEMPLATES\SYSTEM.EXE W32/Autorun.worm!p(Virus)
11/29/2009 2:20:29 PM Deleted Laure Belle c:\Documents and Settings\Laure Belle\My Documents\Tim Templates\system.exe W32/Autorun.worm!p(Virus)
11/29/2009 2:26:47 PM Not scanned (The file is encrypted) Laure Belle c:\Old System Files\Battagleat\Utility\winzip80.exe\SETUP.WZ\WINZIP32.EX_
11/29/2009 2:27:00 PM Cleaned Laure Belle c:\Old System Files\download\SULFNBK.zip\SULFNBK.EXE W32/Magistr.a@MM(Virus)
11/29/2009 2:27:06 PM Cleaned Laure Belle c:\Old System Files\download\SULFNBK\SULFNBK.EXE W32/Magistr.a@MM(Virus)
11/29/2009 3:00:06 PM Deleted Laure Belle c:\System Volume Information\_restore{8A913475-0B20-49DB-AE53-09ACEFD9D385}\RP1900\A0270052.dll Vundo.gen.cc(Trojan)
11/29/2009 3:00:09 PM Deleted Laure Belle c:\System Volume Information\_restore{8A913475-0B20-49DB-AE53-09ACEFD9D385}\RP1900\A0270053.dll Vundo.gen.cc(Trojan)
11/29/2009 3:00:11 PM Deleted Laure Belle c:\System Volume Information\_restore{8A913475-0B20-49DB-AE53-09ACEFD9D385}\RP1900\A0270054.dll Vundo.gen.cc(Trojan)
11/29/2009 3:00:15 PM Deleted Laure Belle c:\System Volume Information\_restore{8A913475-0B20-49DB-AE53-09ACEFD9D385}\RP1901\A0271046.dll Vundo.gen.cc(Trojan)
11/29/2009 3:00:21 PM Deleted Laure Belle C:\SYSTEM VOLUME INFORMATION\_RESTORE{8A913475-0B20-49DB-AE53-09ACEFD9D385}\RP1901\A0271047.DLL Vundo.gen.ca(Trojan)
11/29/2009 3:00:21 PM Deleted Laure Belle c:\System Volume Information\_restore{8A913475-0B20-49DB-AE53-09ACEFD9D385}\RP1901\A0271047.dll Vundo.gen.ca(Trojan)
11/29/2009 3:02:38 PM Deleted Laure Belle c:\system volume information\_restore{8a913475-0b20-49db-ae53-09acefd9d385}\rp1905\a0271367.dll Vundo.gen.w(Trojan)
11/29/2009 3:02:55 PM Cleaned Laure Belle c:\system volume information\_restore{8a913475-0b20-49db-ae53-09acefd9d385}\rp1905\a0271367.dll Vundo.gen.w(Trojan)
11/29/2009 3:03:13 PM Deleted Laure Belle C:\SYSTEM VOLUME INFORMATION\_RESTORE{8A913475-0B20-49DB-AE53-09ACEFD9D385}\RP1905\A0271367.DLL Vundo.gen.w(Trojan)
11/29/2009 3:03:13 PM Deleted Laure Belle c:\System Volume Information\_restore{8A913475-0B20-49DB-AE53-09ACEFD9D385}\RP1905\A0271367.dll Vundo.gen.w(Trojan)
11/29/2009 3:03:31 PM Cleaned Laure Belle c:\system volume information\_restore{8a913475-0b20-49db-ae53-09acefd9d385}\rp1905\a0271370.dll Vundo.gen.ab(Trojan)
11/29/2009 3:04:11 PM Deleted Laure Belle c:\system volume information\_restore{8a913475-0b20-49db-ae53-09acefd9d385}\rp1905\a0271370.dll Vundo.gen.ab(Trojan)
11/29/2009 3:04:29 PM Cleaned Laure Belle c:\system volume information\_restore{8a913475-0b20-49db-ae53-09acefd9d385}\rp1905\a0271370.dll Vundo.gen.ab(Trojan)
11/29/2009 3:04:29 PM Deleted Laure Belle C:\SYSTEM VOLUME INFORMATION\_RESTORE{8A913475-0B20-49DB-AE53-09ACEFD9D385}\RP1905\A0271370.DLL Vundo.gen.ab(Trojan)
11/29/2009 3:04:29 PM Deleted Laure Belle c:\System Volume Information\_restore{8A913475-0B20-49DB-AE53-09ACEFD9D385}\RP1905\A0271370.dll Vundo.gen.ab(Trojan)
11/29/2009 3:05:12 PM Deleted Laure Belle c:\system volume information\_restore{8a913475-0b20-49db-ae53-09acefd9d385}\rp1906\a0271388.dll Vundo.gen.w(Trojan)
11/29/2009 3:05:29 PM Cleaned Laure Belle c:\system volume information\_restore{8a913475-0b20-49db-ae53-09acefd9d385}\rp1906\a0271388.dll Vundo.gen.w(Trojan)
11/29/2009 3:05:47 PM Deleted Laure Belle C:\SYSTEM VOLUME INFORMATION\_RESTORE{8A913475-0B20-49DB-AE53-09ACEFD9D385}\RP1906\A0271388.DLL Vundo.gen.w(Trojan)
11/29/2009 3:05:47 PM Deleted Laure Belle c:\System Volume Information\_restore{8A913475-0B20-49DB-AE53-09ACEFD9D385}\RP1906\A0271388.dll Vundo.gen.w(Trojan)
11/29/2009 3:06:04 PM Cleaned Laure Belle c:\system volume information\_restore{8a913475-0b20-49db-ae53-09acefd9d385}\rp1906\a0271389.dll Vundo.gen.cb(Trojan)
11/29/2009 3:06:05 PM Deleted Laure Belle C:\SYSTEM VOLUME INFORMATION\_RESTORE{8A913475-0B20-49DB-AE53-09ACEFD9D385}\RP1906\A0271389.DLL Vundo.gen.cb(Trojan)
11/29/2009 3:06:05 PM Deleted Laure Belle c:\System Volume Information\_restore{8A913475-0B20-49DB-AE53-09ACEFD9D385}\RP1906\A0271389.dll Vundo.gen.cb(Trojan)
11/29/2009 3:07:04 PM Cleaned Laure Belle c:\system volume information\_restore{8a913475-0b20-49db-ae53-09acefd9d385}\rp1906\a0271587.dll Vundo.gen.ab(Trojan)
11/29/2009 3:07:04 PM Deleted Laure Belle C:\SYSTEM VOLUME INFORMATION\_RESTORE{8A913475-0B20-49DB-AE53-09ACEFD9D385}\RP1906\A0271587.DLL Vundo.gen.ab(Trojan)
11/29/2009 3:07:04 PM Deleted Laure Belle c:\System Volume

Information\_restore{8A913475-0B20-49DB-AE53-09ACEFD9D385}\RP1906\A0271587.dll Vundo.gen.ab(Trojan)
11/29/2009 3:07:25 PM Cleaned Laure Belle c:\system volume

information\_restore{8a913475-0b20-49db-ae53-09acefd9d385}\rp1906\a0271636.dll Vundo.gen.ab(Trojan)
11/29/2009 3:07:26 PM Deleted Laure Belle C:\SYSTEM VOLUME

INFORMATION\_RESTORE{8A913475-0B20-49DB-AE53-09ACEFD9D385}\RP1906\A0271636.DLL Vundo.gen.ab(Trojan)
11/29/2009 3:07:26 PM Deleted Laure Belle c:\System Volume

Information\_restore{8A913475-0B20-49DB-AE53-09ACEFD9D385}\RP1906\A0271636.dll Vundo.gen.ab(Trojan)
11/29/2009 3:07:43 PM Cleaned Laure Belle c:\system volume

information\_restore{8a913475-0b20-49db-ae53-09acefd9d385}\rp1906\a0271637.dll Vundo.gen.ab(Trojan)
11/29/2009 3:08:22 PM Deleted Laure Belle c:\system volume

information\_restore{8a913475-0b20-49db-ae53-09acefd9d385}\rp1906\a0271637.dll Vundo.gen.ab(Trojan)
11/29/2009 3:08:39 PM Cleaned Laure Belle c:\system volume

information\_restore{8a913475-0b20-49db-ae53-09acefd9d385}\rp1906\a0271637.dll Vundo.gen.ab(Trojan)
11/29/2009 3:08:39 PM Deleted Laure Belle C:\SYSTEM VOLUME

INFORMATION\_RESTORE{8A913475-0B20-49DB-AE53-09ACEFD9D385}\RP1906\A0271637.DLL Vundo.gen.ab(Trojan)
11/29/2009 3:08:39 PM Deleted Laure Belle c:\System Volume

Information\_restore{8A913475-0B20-49DB-AE53-09ACEFD9D385}\RP1906\A0271637.dll Vundo.gen.ab(Trojan)
11/29/2009 3:08:57 PM Cleaned Laure Belle c:\system volume

information\_restore{8a913475-0b20-49db-ae53-09acefd9d385}\rp1906\a0271639.dll Vundo.gen.ab(Trojan)
11/29/2009 3:09:36 PM Deleted Laure Belle c:\system volume

information\_restore{8a913475-0b20-49db-ae53-09acefd9d385}\rp1906\a0271639.dll Vundo.gen.ab(Trojan)
11/29/2009 3:09:53 PM Cleaned Laure Belle c:\system volume

information\_restore{8a913475-0b20-49db-ae53-09acefd9d385}\rp1906\a0271639.dll Vundo.gen.ab(Trojan)
11/29/2009 3:09:53 PM Deleted Laure Belle C:\SYSTEM VOLUME

INFORMATION\_RESTORE{8A913475-0B20-49DB-AE53-09ACEFD9D385}\RP1906\A0271639.DLL Vundo.gen.ab(Trojan)
11/29/2009 3:09:53 PM Deleted Laure Belle c:\System Volume

Information\_restore{8A913475-0B20-49DB-AE53-09ACEFD9D385}\RP1906\A0271639.dll Vundo.gen.ab(Trojan)
11/29/2009 3:09:56 PM Deleted Laure Belle c:\System Volume

Information\_restore{8A913475-0B20-49DB-AE53-09ACEFD9D385}\RP1906\A0271641.dll Vundo.gen.cc(Trojan)
11/29/2009 3:10:15 PM Deleted Laure Belle C:\SYSTEM VOLUME

INFORMATION\_RESTORE{8A913475-0B20-49DB-AE53-09ACEFD9D385}\RP1907\A0271741.DLL Vundo.gen.ca(Trojan)
11/29/2009 3:10:15 PM Deleted Laure Belle c:\System Volume

Information\_restore{8A913475-0B20-49DB-AE53-09ACEFD9D385}\RP1907\A0271741.dll Vundo.gen.ca(Trojan)
11/29/2009 3:10:32 PM Cleaned Laure Belle c:\system volume

information\_restore{8a913475-0b20-49db-ae53-09acefd9d385}\rp1907\a0271742.dll Vundo.gen.ab(Trojan)
11/29/2009 3:11:12 PM Deleted Laure Belle c:\system volume

information\_restore{8a913475-0b20-49db-ae53-09acefd9d385}\rp1907\a0271742.dll Vundo.gen.ab(Trojan)
11/29/2009 3:11:30 PM Cleaned Laure Belle c:\system volume

information\_restore{8a913475-0b20-49db-ae53-09acefd9d385}\rp1907\a0271742.dll Vundo.gen.ab(Trojan)
11/29/2009 3:11:30 PM Deleted Laure Belle C:\SYSTEM VOLUME

INFORMATION\_RESTORE{8A913475-0B20-49DB-AE53-09ACEFD9D385}\RP1907\A0271742.DLL Vundo.gen.ab(Trojan)
11/29/2009 3:11:30 PM Deleted Laure Belle c:\System Volume

Information\_restore{8A913475-0B20-49DB-AE53-09ACEFD9D385}\RP1907\A0271742.dll Vundo.gen.ab(Trojan)
11/29/2009 3:11:55 PM Cleaned Laure Belle c:\system volume

information\_restore{8a913475-0b20-49db-ae53-09acefd9d385}\rp1907\a0271783.dll Vundo.gen.ab(Trojan)
11/29/2009 3:12:36 PM Deleted Laure Belle c:\system volume

information\_restore{8a913475-0b20-49db-ae53-09acefd9d385}\rp1907\a0271783.dll Vundo.gen.ab(Trojan)
11/29/2009 3:12:54 PM Cleaned Laure Belle c:\system volume

information\_restore{8a913475-0b20-49db-ae53-09acefd9d385}\rp1907\a0271783.dll Vundo.gen.ab(Trojan)
11/29/2009 3:12:55 PM Deleted Laure Belle C:\SYSTEM VOLUME

INFORMATION\_RESTORE{8A913475-0B20-49DB-AE53-09ACEFD9D385}\RP1907\A0271783.DLL Vundo.gen.ab(Trojan)
11/29/2009 3:12:55 PM Deleted Laure Belle c:\System Volume

Information\_restore{8A913475-0B20-49DB-AE53-09ACEFD9D385}\RP1907\A0271783.dll Vundo.gen.ab(Trojan)
11/29/2009 3:13:13 PM Cleaned Laure Belle c:\system volume

information\_restore{8a913475-0b20-49db-ae53-09acefd9d385}\rp1907\a0271784.dll Vundo.gen.cb(Trojan)
11/29/2009 3:13:13 PM Deleted Laure Belle C:\SYSTEM VOLUME

INFORMATION\_RESTORE{8A913475-0B20-49DB-AE53-09ACEFD9D385}\RP1907\A0271784.DLL Vundo.gen.cb(Trojan)
11/29/2009 3:13:13 PM Deleted Laure Belle c:\System Volume

Information\_restore{8A913475-0B20-49DB-AE53-09ACEFD9D385}\RP1907\A0271784.dll Vundo.gen.cb(Trojan)
11/29/2009 3:13:31 PM Cleaned Laure Belle c:\system volume

information\_restore{8a913475-0b20-49db-ae53-09acefd9d385}\rp1907\a0271785.dll Vundo.gen.ab(Trojan)
11/29/2009 3:14:12 PM Deleted Laure Belle c:\system volume

information\_restore{8a913475-0b20-49db-ae53-09acefd9d385}\rp1907\a0271785.dll Vundo.gen.ab(Trojan)
11/29/2009 3:14:29 PM Cleaned Laure Belle c:\system volume

information\_restore{8a913475-0b20-49db-ae53-09acefd9d385}\rp1907\a0271785.dll Vundo.gen.ab(Trojan)
11/29/2009 3:14:29 PM Deleted Laure Belle C:\SYSTEM VOLUME

INFORMATION\_RESTORE{8A913475-0B20-49DB-AE53-09ACEFD9D385}\RP1907\A0271785.DLL Vundo.gen.ab(Trojan)
11/29/2009 3:14:30 PM Deleted Laure Belle c:\System Volume

Information\_restore{8A913475-0B20-49DB-AE53-09ACEFD9D385}\RP1907\A0271785.dll Vundo.gen.ab(Trojan)
11/29/2009 3:14:47 PM Cleaned Laure Belle c:\system volume

information\_restore{8a913475-0b20-49db-ae53-09acefd9d385}\rp1907\a0271786.dll Vundo.gen.cb(Trojan)
11/29/2009 3:14:47 PM Deleted Laure Belle C:\SYSTEM VOLUME

INFORMATION\_RESTORE{8A913475-0B20-49DB-AE53-09ACEFD9D385}\RP1907\A0271786.DLL Vundo.gen.cb(Trojan)
11/29/2009 3:14:48 PM Deleted Laure Belle c:\System Volume

Information\_restore{8A913475-0B20-49DB-AE53-09ACEFD9D385}\RP1907\A0271786.dll Vundo.gen.cb(Trojan)
11/29/2009 3:15:28 PM Deleted Laure Belle c:\system volume

information\_restore{8a913475-0b20-49db-ae53-09acefd9d385}\rp1907\a0271787.dll Vundo.gen.w(Trojan)
11/29/2009 3:15:45 PM Cleaned Laure Belle c:\system volume

information\_restore{8a913475-0b20-49db-ae53-09acefd9d385}\rp1907\a0271787.dll Vundo.gen.w(Trojan)
11/29/2009 3:16:02 PM Deleted Laure Belle C:\SYSTEM VOLUME

INFORMATION\_RESTORE{8A913475-0B20-49DB-AE53-09ACEFD9D385}\RP1907\A0271787.DLL Vundo.gen.w(Trojan)
11/29/2009 3:16:02 PM Deleted Laure Belle c:\System Volume

Information\_restore{8A913475-0B20-49DB-AE53-09ACEFD9D385}\RP1907\A0271787.dll Vundo.gen.w(Trojan)
11/29/2009 3:16:19 PM Cleaned Laure Belle c:\system volume

information\_restore{8a913475-0b20-49db-ae53-09acefd9d385}\rp1907\a0271788.dll Vundo.gen.ab(Trojan)
11/29/2009 3:16:58 PM Deleted Laure Belle c:\system volume

information\_restore{8a913475-0b20-49db-ae53-09acefd9d385}\rp1907\a0271788.dll Vundo.gen.ab(Trojan)
11/29/2009 3:17:15 PM Cleaned Laure Belle c:\system volume

information\_restore{8a913475-0b20-49db-ae53-09acefd9d385}\rp1907\a0271788.dll Vundo.gen.ab(Trojan)
11/29/2009 3:17:16 PM Deleted Laure Belle C:\SYSTEM VOLUME

INFORMATION\_RESTORE{8A913475-0B20-49DB-AE53-09ACEFD9D385}\RP1907\A0271788.DLL Vundo.gen.ab(Trojan)
11/29/2009 3:17:16 PM Deleted Laure Belle c:\System Volume

Information\_restore{8A913475-0B20-49DB-AE53-09ACEFD9D385}\RP1907\A0271788.dll Vundo.gen.ab(Trojan)
11/29/2009 3:17:32 PM Cleaned Laure Belle c:\system volume

information\_restore{8a913475-0b20-49db-ae53-09acefd9d385}\rp1907\a0271789.dll Vundo.gen.ab(Trojan)
11/29/2009 3:18:11 PM Deleted Laure Belle c:\system volume

information\_restore{8a913475-0b20-49db-ae53-09acefd9d385}\rp1907\a0271789.dll Vundo.gen.ab(Trojan)
11/29/2009 3:18:28 PM Cleaned Laure Belle c:\system volume

information\_restore{8a913475-0b20-49db-ae53-09acefd9d385}\rp1907\a0271789.dll Vundo.gen.ab(Trojan)
11/29/2009 3:18:29 PM Deleted Laure Belle C:\SYSTEM VOLUME

INFORMATION\_RESTORE{8A913475-0B20-49DB-AE53-09ACEFD9D385}\RP1907\A0271789.DLL Vundo.gen.ab(Trojan)
11/29/2009 3:18:29 PM Deleted Laure Belle c:\System Volume

Information\_restore{8A913475-0B20-49DB-AE53-09ACEFD9D385}\RP1907\A0271789.dll Vundo.gen.ab(Trojan)
11/29/2009 3:18:46 PM Cleaned Laure Belle c:\system volume

information\_restore{8a913475-0b20-49db-ae53-09acefd9d385}\rp1907\a0271790.dll Vundo.gen.ab(Trojan)
11/29/2009 3:19:26 PM Deleted Laure Belle c:\system volume

information\_restore{8a913475-0b20-49db-ae53-09acefd9d385}\rp1907\a0271790.dll Vundo.gen.ab(Trojan)
11/29/2009 3:19:43 PM Cleaned Laure Belle c:\system volume

information\_restore{8a913475-0b20-49db-ae53-09acefd9d385}\rp1907\a0271790.dll Vundo.gen.ab(Trojan)
11/29/2009 3:19:43 PM Deleted Laure Belle C:\SYSTEM VOLUME

INFORMATION\_RESTORE{8A913475-0B20-49DB-AE53-09ACEFD9D385}\RP1907\A0271790.DLL Vundo.gen.ab(Trojan)
11/29/2009 3:19:43 PM Deleted Laure Belle c:\System Volume

Information\_restore{8A913475-0B20-49DB-AE53-09ACEFD9D385}\RP1907\A0271790.dll Vundo.gen.ab(Trojan)
11/29/2009 3:19:50 PM Deleted Laure Belle C:\SYSTEM VOLUME

INFORMATION\_RESTORE{8A913475-0B20-49DB-AE53-09ACEFD9D385}\RP1908\A0271828.EXE PWS-Zbot.gen.c(Trojan)
11/29/2009 3:19:50 PM Deleted Laure Belle c:\System Volume

Information\_restore{8A913475-0B20-49DB-AE53-09ACEFD9D385}\RP1908\A0271828.exe PWS-Zbot.gen.c(Trojan)
11/29/2009 3:20:55 PM Cleaned Laure Belle c:\System Volume

Information\_restore{8A913475-0B20-49DB-AE53-09ACEFD9D385}\RP1920\A0274102.EXE W32/Magistr.a@MM(Virus)
11/29/2009 3:20:56 PM Cleaned Laure Belle c:\System Volume

Information\_restore{8A913475-0B20-49DB-AE53-09ACEFD9D385}\RP1920\A0274103.EXE W32/Magistr.a@MM(Virus)
11/29/2009 4:25:40 PM Deleted Laure Belle

c:\WINDOWS\system32\drivers\etc\hosts.20091101-165110.backup QHosts-1!hosts(Trojan)
11/29/2009 4:25:41 PM Deleted Laure Belle

c:\WINDOWS\system32\drivers\etc\hosts.20091101-184701.backup QHosts-1!hosts(Trojan)
11/29/2009 4:27:37 PM Scan Summary YOUR-5OLNB28OAO\Laure Belle Scan Summary
11/29/2009 4:27:37 PM Scan Summary YOUR-5OLNB28OAO\Laure Belle Processes scanned : 811
11/29/2009 4:27:37 PM Scan Summary YOUR-5OLNB28OAO\Laure Belle Processes detected : 0
11/29/2009 4:27:37 PM Scan Summary YOUR-5OLNB28OAO\Laure Belle Processes cleaned : 0
11/29/2009 4:27:37 PM Scan Summary YOUR-5OLNB28OAO\Laure Belle Boot sectors scanned : 2
11/29/2009 4:27:37 PM Scan Summary YOUR-5OLNB28OAO\Laure Belle Boot sectors detected: 0
11/29/2009 4:27:37 PM Scan Summary YOUR-5OLNB28OAO\Laure Belle Boot sectors cleaned : 0
11/29/2009 4:27:37 PM Scan Summary YOUR-5OLNB28OAO\Laure Belle Files scanned : 65360
11/29/2009 4:27:37 PM Scan Summary YOUR-5OLNB28OAO\Laure Belle Files with detections: 39
11/29/2009 4:27:37 PM Scan Summary YOUR-5OLNB28OAO\Laure Belle File detections : 98
11/29/2009 4:27:37 PM Scan Summary YOUR-5OLNB28OAO\Laure Belle Files cleaned : 5
11/29/2009 4:27:37 PM Scan Summary YOUR-5OLNB28OAO\Laure Belle Files deleted : 34
11/29/2009 4:27:37 PM Scan Summary YOUR-5OLNB28OAO\Laure Belle Files not scanned : 68
11/29/2009 4:27:37 PM Scan Summary YOUR-5OLNB28OAO\Laure Belle Run time : 2:56:21
11/29/2009 4:27:37 PM Scan Complete YOUR-5OLNB28OAO\Laure Belle Full Scan
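The VirusScan log above is long because most of the Vundo hits are copies sitting in System Restore points (the `_restore{...}\RPnnnn` paths), each often logged twice (Cleaned, then Deleted). What an analyst actually needs from such a log is the short list of files outside the restore points, the set of restore points that held infected copies, and a count per malware family. The following parser is an added example written for this thread, not code from the forum, from McAfee, or from any of the tools mentioned here; the line format (date, time, action, user, path, detection name with type in parentheses) is inferred from the entries above, the "Cleaned|Deleted" action list is limited to the two actions that actually appear there, and the family normalisation is an assumption of this example. The sample entries are copied from the log on this page.

```python
import re
from collections import Counter, defaultdict
from dataclasses import dataclass

# Constructed sample: six detection entries and one summary line copied from the
# McAfee VirusScan Enterprise on-demand scan log posted above (one entry per line).
SAMPLE_LOG = r"""
11/29/2009 2:27:00 PM Cleaned Laure Belle c:\Old System Files\download\SULFNBK.zip\SULFNBK.EXE W32/Magistr.a@MM(Virus)
11/29/2009 3:00:06 PM Deleted Laure Belle c:\System Volume Information\_restore{8A913475-0B20-49DB-AE53-09ACEFD9D385}\RP1900\A0270052.dll Vundo.gen.cc(Trojan)
11/29/2009 3:02:55 PM Cleaned Laure Belle c:\system volume information\_restore{8a913475-0b20-49db-ae53-09acefd9d385}\rp1905\a0271367.dll Vundo.gen.w(Trojan)
11/29/2009 3:03:13 PM Deleted Laure Belle c:\System Volume Information\_restore{8A913475-0B20-49DB-AE53-09ACEFD9D385}\RP1905\A0271367.dll Vundo.gen.w(Trojan)
11/29/2009 3:19:50 PM Deleted Laure Belle c:\System Volume Information\_restore{8A913475-0B20-49DB-AE53-09ACEFD9D385}\RP1908\A0271828.exe PWS-Zbot.gen.c(Trojan)
11/29/2009 4:25:40 PM Deleted Laure Belle c:\WINDOWS\system32\drivers\etc\hosts.20091101-165110.backup QHosts-1!hosts(Trojan)
11/29/2009 4:27:37 PM Scan Summary YOUR-5OLNB28OAO\Laure Belle Files with detections: 39
"""

ENTRY = re.compile(
    r"^(?P<date>\d{1,2}/\d{1,2}/\d{4}) (?P<time>\d{1,2}:\d{2}:\d{2} [AP]M) "
    r"(?P<action>Cleaned|Deleted) "       # the two actions present in the log above
    r"(?P<user>.+?) "                     # user name may contain spaces
    r"(?P<path>[A-Za-z]:\\.+) "           # path starts at a drive letter, may contain spaces
    r"(?P<name>\S+)\((?P<kind>[^)]+)\)$"  # detection name, e.g. Vundo.gen.cc(Trojan)
)
# System Restore keeps copies under \_restore{GUID}\RPnnnn\ ; capture the restore point id.
RESTORE_POINT = re.compile(r"\\_restore\{[0-9a-f-]+\}\\(rp\d+)\\", re.IGNORECASE)


@dataclass
class Detection:
    action: str
    path: str
    name: str
    kind: str

    @property
    def family(self) -> str:
        """'W32/Magistr.a@MM' -> 'Magistr', 'Vundo.gen.cc' -> 'Vundo', 'QHosts-1!hosts' -> 'QHosts-1'."""
        base = self.name.split("/")[-1]
        return re.split(r"[.!@]", base, maxsplit=1)[0]

    @property
    def restore_point(self):
        """Restore point holding the file, or None when the file is on the live filesystem."""
        m = RESTORE_POINT.search(self.path)
        return m.group(1).upper() if m else None


def parse_log(text: str):
    """Parse detection entries; summary lines and anything unrecognised are skipped."""
    out = []
    for line in text.splitlines():
        m = ENTRY.match(line.strip())
        if m:
            out.append(Detection(m["action"], m["path"], m["name"], m["kind"]))
    return out


def triage(detections):
    """Separate what matters for remediation: live-filesystem hits versus stale copies in
    restore points, plus the number of distinct files per family."""
    families = defaultdict(set)
    for d in detections:
        families[d.family].add(d.path.lower())  # same file is logged twice (Cleaned, then Deleted)
    return {
        "family_files": {fam: len(paths) for fam, paths in families.items()},
        "actions": dict(Counter(d.action for d in detections)),
        "restore_points": sorted({d.restore_point for d in detections if d.restore_point}),
        "live_paths": sorted({d.path for d in detections if d.restore_point is None}),
    }


if __name__ == "__main__":
    for key, value in triage(parse_log(SAMPLE_LOG)).items():
        print(f"{key}: {value}")
```

Run against the full log above, `live_paths` comes down to the two SULFNBK copies and the two hosts-file backups; everything else lives in restore points RP1900 through RP1920, which is the usual reason helpers ask for System Restore to be flushed once a machine is clean, otherwise a later "restore" brings the Vundo DLLs back.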

#6 LaureBelle
    Member
  • Full Member
  • 7 posts

Posted 29 November 2009 - 09:48 PM

I was finally able to download and run MalwareBytes and it detected nothing. Here is my latest Hijack This log:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 7:27:12 PM, on 11/29/2009
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16915)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\LEXPPS.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Microsoft Hardware\Keyboard\type32.exe
C:\Program Files\McAfee\Common Framework\UdaterUI.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\Program Files\McAfee\Common Framework\FrameworkService.exe
C:\Program Files\Yahoo!\Messenger\ymsgr_tray.exe
C:\Program Files\McAfee\Common Framework\McTray.exe
C:\Program Files\McAfee\VirusScan Enterprise\Mcshield.exe
C:\Program Files\McAfee\VirusScan Enterprise\VsTskMgr.exe
C:\WINDOWS\system32\HPZipm12.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\NOTEPAD.EXE
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer,SearchURL = about:blank
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O1 - Hosts: 209.66.123.174 www.thehun.com
O2 - BHO: Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: UberButton Class - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\common\yiesrvc.dll
O2 - BHO: YahooTaggedBM Class - {65D886A2-7CA7-479B-BB95-14D1EFB7946A} - C:\Program Files\Yahoo!\common\YIeTagBm.dll
O2 - BHO: scriptproxy - {7DB2D5A0-7241-4E79-B68D-6309F01C5231} - C:\Program Files\McAfee\VirusScan Enterprise\scriptcl.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: (no name) - {FDD3B846-8D59-4ffb-8758-209B6AD74ACC} - C:\Program Files\Microsoft Money\System\mnyviewer.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O4 - HKLM\..\Run: [IntelliType] "C:\Program Files\Microsoft Hardware\Keyboard\type32.exe"
O4 - HKLM\..\Run: [Windows Defender] "C:\Program Files\Windows Defender\MSASCui.exe" -hide
O4 - HKLM\..\Run: [Malwarebytes Anti-Malware (reboot)] "C:\Program Files\Malwarebytes' Anti-Malware\mbam.exe" /runcleanupscript
O4 - HKLM\..\Run: [ShStatEXE] "C:\Program Files\McAfee\VirusScan Enterprise\SHSTAT.EXE" /STANDALONE
O4 - HKLM\..\Run: [McAfeeUpdaterUI] "C:\Program Files\McAfee\Common Framework\UdaterUI.exe" /StartedFromRunKey
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [Yahoo! Pager] "C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe" -quiet
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKUS\S-1-5-18\..\Run: [DWQueuedReporting] "C:\PROGRA~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" -t (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [DWQueuedReporting] "C:\PROGRA~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" -t (User 'Default user')
O8 - Extra context menu item: &Yahoo! Search - file:///C:\Program Files\Yahoo!\Common/ycsrch.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\Office10\EXCEL.EXE/3000
O8 - Extra context menu item: Yahoo! &Dictionary - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
O8 - Extra context menu item: Yahoo! &Maps - file:///C:\Program Files\Yahoo!\Common/ycmap.htm
O8 - Extra context menu item: Yahoo! &SMS - file:///C:\Program Files\Yahoo!\Common/ycsms.htm
O9 - Extra button: Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\common\yiesrvc.dll
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM95\aim.exe
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: MoneySide - {E023F504-0C5A-4750-A1E7-A9046DEA8A21} - C:\Program Files\Microsoft Money\System\mnyviewer.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O14 - IERESET.INF: START_PAGE_URL=http://www.e4me.com
O15 - Trusted Zone: *.texastech.edu
O16 - DPF: {0CCA191D-13A6-4E29-B746-314DEE697D83} (Facebook Photo Uploader 5 Control) - http://upload.facebo...toUploader5.cab
O16 - DPF: {215B8138-A3CF-44C5-803F-8226143CFC0A} (Trend Micro ActiveX Scan Agent 6.6) - http://housecall65.t...ivex/hcImpl.cab
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - C:\Program Files\Yahoo!\Common\yinsthelper.dll
O16 - DPF: {48DD0448-9209-4F81-9F6D-D83562940134} (MySpace Uploader Control) - http://lads.myspace....ploader1006.cab
O16 - DPF: {5C6698D9-7BE4-4122-8EC5-291D84DBD4A0} - http://upload.facebo...toUploader3.cab
O16 - DPF: {8100D56A-5661-482C-BEE8-AFECE305D968} (Facebook Photo Uploader 5 Control) - http://upload.facebo...oUploader55.cab
O16 - DPF: {D6E7CFB5-C074-4D1C-B647-663D1A8D96BF} (Facebook Photo Uploader 4) - http://upload.facebo...Uploader4_5.cab
O16 - DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} (get_atlcom Class) - http://platformdl.ad...Plus/1.6/gp.cab
O20 - AppInit_DLLs: bemadoko.dll c:\windows\system32\yezenefi.dll
O21 - SSODL: zuhujaruh - {2e9b7a26-def9-4006-b878-b9da3659dbba} - c:\windows\system32\yezenefi.dll (file missing)
O22 - SharedTaskScheduler: kupuhivus - {2e9b7a26-def9-4006-b878-b9da3659dbba} - c:\windows\system32\yezenefi.dll (file missing)
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: McAfee Framework Service (McAfeeFramework) - McAfee, Inc. - C:\Program Files\McAfee\Common Framework\FrameworkService.exe
O23 - Service: McAfee McShield (McShield) - McAfee, Inc. - C:\Program Files\McAfee\VirusScan Enterprise\Mcshield.exe
O23 - Service: McAfee Task Manager (McTaskManager) - McAfee, Inc. - C:\Program Files\McAfee\VirusScan Enterprise\VsTskMgr.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe

--
End of file - 7735 bytes
-----------------------------------------------------------

Anything in this list I can get rid of? I plan to do away with the following because I don't know what they are, and I no longer have a Lexmark Printer:

O1 - Hosts: 209.66.123.174 www.thehun.com
O14 - IERESET.INF: START_PAGE_URL=http://www.e4me.com
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE


I have no more popups at this point, just trying to get rid of as much garbage as I can. Thanks again for your help, hope this info helps someone else too.

Laure

#7 snemelk
    engineer
  • Expert
  • 3,098 posts

Posted 30 November 2009 - 02:29 PM

Hi LaureBelle!!.. :).

I plan to do away with the following because I don't know what they are, and I no longer have a Lexmark Printer:

O1 - Hosts: 209.66.123.174 www.thehun.com
O14 - IERESET.INF: START_PAGE_URL=http://www.e4me.com

The first one "tells" your system (or rather a web browser) where to go when you type www.thehun.com into the address bar... The second one "tells" your system to set that page as a start page when you reset IE settings to default... These are not malware related entries but can be safely removed...

Please do the following:
Firstly, disable those two antispyware programs as they may hinder the removal of some entries: Windows Defender and SpybotSD's TeaTimer... Use instructions from this site: link

Secondly,
Please run a scan in HijackThis and check the following items:

O1 - Hosts: 209.66.123.174 www.thehun.com
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O14 - IERESET.INF: START_PAGE_URL=http://www.e4me.com
O20 - AppInit_DLLs: bemadoko.dll c:\windows\system32\yezenefi.dll
O21 - SSODL: zuhujaruh - {2e9b7a26-def9-4006-b878-b9da3659dbba} - c:\windows\system32\yezenefi.dll (file missing)
O22 - SharedTaskScheduler: kupuhivus - {2e9b7a26-def9-4006-b878-b9da3659dbba} - c:\windows\system32\yezenefi.dll (file missing)
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE


Then, close all open windows, except HijackThis and click: Fix checked.

Also, Go to Start --> Run and type the following command in the field: (or copy and paste it)

sc delete LexBceS
Click OK

Then, you may re-enable one of the antispyware programs - I don't recommend running more than one antispyware program's real time protection at once, because they can conflict with each other.

Thirdly,
You're using an old version of Adobe Acrobat Reader; this can leave your PC open to vulnerabilities. You can update it here (uninstall version 7.0 first):
http://www.adobe.com.../readstep2.html


Finally, I need to gather more information about your system to make sure everything is fine... Perform those 2 quick scans for me, please:
-DDS:
  • Download DDS by sUBs from one of the following links. Save it to your Desktop.

    NOTE: Before scanning, make sure all other running programs are closed.
    There shouldn't be any scheduled antivirus scans running while the scan is being performed.
    Do not use your computer for anything else during the scan.
  • Double click on the DDS icon, allow it to run.
  • A small box will open, with an explanation about the tool. No input is needed, the scan is running.
  • Notepad will open with the results, click Yes to the Optional_Scan
  • >>Post the contents of both DDS.txt and Attach.txt into the thread.<<
  • Close the program window, and delete the program from your Desktop.

- Please close all antivirus and antimalware programs so they do not interfere with the running of RootRepeal.
  • Please download RootRepeal.zip from here.
  • Extract the program file to your Desktop.
  • Run the program RootRepeal.exe and go to the Report tab (1) and click on the Scan button (2).
  • Select ALL of the checkboxes (3) and then click OK and it will start scanning your system.
  • If you have multiple drives you only need to check the C: drive or the one Windows is installed on.
  • When done, click on Save Report (4).
  • Save it to the Desktop.
  • Please copy/paste the contents of the report in your next reply.

snemelk.hekko.pl - - my site with a few computer security tips...
Silesia - that's where I live!

"If I had some duct tape, I could fix that." - MacGyver


My help is free, but if you wish to help keep these forums running please consider a donation, see this topic for details.
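The checks snemelk applies above can be written down: a hosts entry that points somewhere other than the local machine (the same thing the McAfee log in this thread flagged as QHosts-1!hosts), entries whose target file is gone, anything at all in AppInit_DLLs, and DLL or entry names that look machine-generated. The script below is an added example written for this thread, not code from the forum, from HijackThis or from DDS. The consonant-vowel naming heuristic is derived from the names in this thread's own logs (bemadoko, yezenefi, zuhujaruh, kupuhivus, and tesirolo in the DDS report further down) and is an assumption of this example rather than a published signature; a hit means "look closer", not "infected". Sample lines are copied from the HijackThis log in post #6 plus the LSA line from the DDS report in post #8. The hardware-specific service (LexBceS) is deliberately not flagged: no script can know which printer has left the building, so that stays a human call, as it is in the reply above.

```python
import re

# Constructed sample: entries copied from the HijackThis log in post #6 and the
# "LSA:" line from the DDS report in post #8 of this thread.
SAMPLE_LINES = r"""
O1 - Hosts: 209.66.123.174 www.thehun.com
O2 - BHO: Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O4 - HKLM\..\Run: [McAfeeUpdaterUI] "C:\Program Files\McAfee\Common Framework\UdaterUI.exe" /StartedFromRunKey
O14 - IERESET.INF: START_PAGE_URL=http://www.e4me.com
O20 - AppInit_DLLs: bemadoko.dll c:\windows\system32\yezenefi.dll
O21 - SSODL: zuhujaruh - {2e9b7a26-def9-4006-b878-b9da3659dbba} - c:\windows\system32\yezenefi.dll (file missing)
O22 - SharedTaskScheduler: kupuhivus - {2e9b7a26-def9-4006-b878-b9da3659dbba} - c:\windows\system32\yezenefi.dll (file missing)
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
LSA: Notification Packages = scecli tesirolo.dll
"""

LOCAL_IPS = {"127.0.0.1", "0.0.0.0", "::1"}
# Heuristic (assumption of this example) taken from the names in this thread:
# 8 or 9 lowercase letters, strictly alternating consonant/vowel, e.g. yezenefi, kupuhivus.
CV_NAME = re.compile(r"^(?:[b-df-hj-np-tv-z][aeiou]){4}[b-df-hj-np-tv-z]?$")
DLL_REF = re.compile(r"([A-Za-z0-9_-]+)\.dll", re.IGNORECASE)
HOSTS = re.compile(r"^O1 - Hosts: (\S+) (\S+)")
O21_O22_LABEL = re.compile(r"^O2[12] - \w+: (\S+) - ")
LSA_PACKAGES = re.compile(r"^LSA: Notification Packages = (.+)$")


def looks_randomly_named(name: str) -> bool:
    return CV_NAME.match(name.lower()) is not None


def triage_line(line: str):
    """Return [(severity, reason), ...] for one HijackThis/DDS line; empty if nothing stands out."""
    findings = []
    m = HOSTS.match(line)
    if m and m.group(1) not in LOCAL_IPS:
        findings.append(("high", f"hosts file redirects {m.group(2)} to {m.group(1)} (the QHosts pattern)"))
    if line.endswith("(file missing)") or line.endswith("(no file)"):
        findings.append(("low", "orphaned entry, its target no longer exists; safe to fix"))
    if line.startswith("O20 - AppInit_DLLs:") and line.partition(":")[2].strip():
        findings.append(("high", "AppInit_DLLs injects these DLLs into every process that loads user32.dll"))
    if line.startswith("O14 - IERESET.INF:"):
        findings.append(("info", "non-default start page applied by an IE reset; not malware by itself"))
    m = LSA_PACKAGES.match(line)
    if m:
        extra = [p for p in m.group(1).split() if p.lower() != "scecli"]
        if extra:
            findings.append(("high", f"LSA notification package(s) beside scecli: {' '.join(extra)}; loaded by lsass.exe"))
    names = DLL_REF.findall(line)          # every *.dll referenced on the line
    m = O21_O22_LABEL.match(line)          # plus the SSODL / SharedTaskScheduler entry name
    if m:
        names.append(m.group(1))
    for name in names:
        if looks_randomly_named(name):
            findings.append(("high", f"'{name}' matches the consonant-vowel naming of this machine's Vundo DLLs"))
    return findings


def triage(text: str):
    """Map each line that has findings to its findings, in log order."""
    report = {}
    for raw in text.splitlines():
        line = raw.strip()
        if line:
            found = triage_line(line)
            if found:
                report[line] = found
    return report


def fix_list(text: str):
    """Lines worth ticking in HijackThis: anything with a high finding or an orphaned target."""
    return [line for line, found in triage(text).items()
            if any(sev == "high" or reason.startswith("orphaned") for sev, reason in found)]


if __name__ == "__main__":
    for line, found in triage(SAMPLE_LINES).items():
        print(line[:72])
        for sev, reason in found:
            print(f"    [{sev}] {reason}")
```

On the sample, `fix_list` returns the O1, the orphaned O2, O20, O21, O22 and the LSA line; O14 is reported as informational only and the Yahoo, McAfee and Lexmark entries are not reported, which matches the list in the reply above apart from LexBceS. The LSA check is there because a DLL added to Notification Packages is loaded into lsass.exe and sees every password change, so it deserves the same attention as AppInit_DLLs even though HijackThis itself does not list it.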

#8 LaureBelle
    Member
  • Full Member
  • 7 posts

Posted 15 December 2009 - 01:54 PM

Ok, done, and done. :-)


DDS (Ver_09-12-01.01) - NTFSx86
Run by Laure Belle at 12:28:21.82 on Tue 12/15/2009
Internet Explorer: 7.0.5730.11 BrowserJavaVersion: 1.6.0_17
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.1023.732 [GMT -6:00]

AV: McAfee VirusScan Enterprise *On-access scanning disabled* (Updated) {918A2B0B-2C60-4016-A4AB-E868DEABF7F0}
FW: ZoneAlarm Firewall *disabled* {829BDA32-94B3-44F4-8446-F8FCFF809F8B}

============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
svchost.exe
svchost.exe
C:\WINDOWS\Explorer.EXE
svchost.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\McAfee\Common Framework\FrameworkService.exe
C:\Program Files\McAfee\VirusScan Enterprise\Mcshield.exe
C:\Program Files\McAfee\VirusScan Enterprise\VsTskMgr.exe
C:\WINDOWS\system32\HPZipm12.exe
C:\WINDOWS\System32\svchost.exe -k imgsvc
C:\Program Files\Viewpoint\Common\ViewpointService.exe
C:\Program Files\Microsoft Hardware\Keyboard\type32.exe
C:\Program Files\McAfee\Common Framework\UdaterUI.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\Program Files\McAfee\Common Framework\McTray.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Documents and Settings\Laurie Smerud\My Documents\My Downloads\dds.com

============== Pseudo HJT Report ===============

uStart Page = hxxp://www.google.com/
uCustomizeSearch = hxxp://ie.search.msn.com
uURLSearchHooks: Yahoo! Toolbar: {ef99bd32-c1fb-11d2-892f-0090271d4f88} - c:\program files\yahoo!\companion\installs\cpn\yt.dll
BHO: Yahoo! Toolbar Helper: {02478d38-c3f9-4efb-9b51-7695eca05670} - c:\program files\yahoo!\companion\installs\cpn\yt.dll
BHO: Spybot-S&D IE Protection: {53707962-6f74-2d53-2644-206d7942484f} - c:\progra~1\spybot~1\SDHelper.dll
BHO: UberButton Class: {5bab4b5b-68bc-4b02-94d6-2fc0de4a7897} - c:\program files\yahoo!\common\yiesrvc.dll
BHO: YahooTaggedBM Class: {65d886a2-7ca7-479b-bb95-14d1efb7946a} - c:\program files\yahoo!\common\YIeTagBm.dll
BHO: scriptproxy: {7db2d5a0-7241-4e79-b68d-6309f01c5231} - c:\program files\mcafee\virusscan enterprise\scriptcl.dll
BHO: Windows Live Sign-in Helper: {9030d464-4c02-4abf-8ecc-5164760863c6} - c:\program files\common files\microsoft shared\windows live\WindowsLiveLogin.dll
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
BHO: {fdd3b846-8d59-4ffb-8758-209b6ad74acc} - c:\program files\microsoft money\system\mnyviewer.dll
TB: Yahoo! Toolbar: {ef99bd32-c1fb-11d2-892f-0090271d4f88} - c:\program files\yahoo!\companion\installs\cpn\yt.dll
EB: &Yahoo! Messenger: {4528bbe0-4e08-11d5-ad55-00010333d0ad} - c:\progra~1\yahoo!\common\yhexbmesus.dll
EB: Real.com: {fe54fa40-d68c-11d2-98fa-00c0f0318afe} - c:\windows\system32\Shdocvw.dll
EB: {32683183-48a0-441b-a342-7c2a440a9478} - No File
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRun: [Aim6]
mRun: [IntelliType] "c:\program files\microsoft hardware\keyboard\type32.exe"
mRun: [Windows Defender] "c:\program files\windows defender\MSASCui.exe" -hide
mRun: [Malwarebytes Anti-Malware (reboot)] "c:\program files\malwarebytes' anti-malware\mbam.exe" /runcleanupscript
mRun: [ShStatEXE] "c:\program files\mcafee\virusscan enterprise\SHSTAT.EXE" /STANDALONE
mRun: [McAfeeUpdaterUI] "c:\program files\mcafee\common framework\UdaterUI.exe" /StartedFromRunKey
mRun: [SunJavaUpdateSched] "c:\program files\java\jre6\bin\jusched.exe"
mRun: [ZoneAlarm Client] "c:\program files\zone labs\zonealarm\zlclient.exe"
dRun: [DWQueuedReporting] "c:\progra~1\common~1\micros~1\dw\dwtrig20.exe" -t
IE: &Yahoo! Search - file:///c:\program files\yahoo!\Common/ycsrch.htm
IE: E&xport to Microsoft Excel - c:\progra~1\micros~3\office10\EXCEL.EXE/3000
IE: Yahoo! &Dictionary - file:///c:\program files\yahoo!\Common/ycdict.htm
IE: Yahoo! &Maps - file:///c:\program files\yahoo!\Common/ycmap.htm
IE: Yahoo! &SMS - file:///c:\program files\yahoo!\Common/ycsms.htm
IE: {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - c:\program files\aim95\aim.exe
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - c:\program files\yahoo!\common\yiesrvc.dll
IE: {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - {FE54FA40-D68C-11d2-98FA-00C0F0318AFE} - c:\windows\system32\Shdocvw.dll
IE: {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - {53707962-6F74-2D53-2644-206D7942484F} - c:\progra~1\spybot~1\SDHelper.dll
IE: {E023F504-0C5A-4750-A1E7-A9046DEA8A21} - {301DA1EE-F65C-4188-A417-9E915CC8FBFA} - c:\program files\microsoft money\system\mnyviewer.dll
Trusted Zone: texastech.edu
Trusted Zone: texastech.edu\cognos
DPF: Microsoft XML Parser for Java - file://c:\windows\java\classes\xmldso.cab
DPF: {00000075-9980-0010-8000-00AA00389B71} - hxxp://codecs.microsoft.com/codecs/i386/voxacm.CAB
DPF: {0CCA191D-13A6-4E29-B746-314DEE697D83} - hxxp://upload.facebook.com/controls/2008.10.10_v5.5.8/FacebookPhotoUploader5.cab
DPF: {17492023-C23A-453E-A040-C7C580BBF700} - hxxp://download.microsoft.com/download/8/b/d/8bd77752-5704-4d68-a152-f7252adaa4f2/LegitCheckControl.cab
DPF: {215B8138-A3CF-44C5-803F-8226143CFC0A} - hxxp://housecall65.trendmicro.com/housecall/applet/html/native/x86/win32/activex/hcImpl.cab
DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} - c:\program files\yahoo!\common\yinsthelper.dll
DPF: {33363249-0000-0010-8000-00AA00389B71} - hxxp://codecs.microsoft.com/codecs/i386/i263_32.cab
DPF: {33564D57-9980-0010-8000-00AA00389B71} - hxxp://codecs.microsoft.com/codecs/i386/wmv9dmo.cab
DPF: {48DD0448-9209-4F81-9F6D-D83562940134} - hxxp://lads.myspace.com/upload/MySpaceUploader1006.cab
DPF: {5C6698D9-7BE4-4122-8EC5-291D84DBD4A0} - hxxp://upload.facebook.com/controls/FacebookPhotoUploader3.cab
DPF: {8100D56A-5661-482C-BEE8-AFECE305D968} - hxxp://upload.facebook.com/controls/2009.07.28_v5.5.8.1/FacebookPhotoUploader55.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_17-windows-i586.cab
DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} - hxxp://fpdownload.macromedia.com/get/flashplayer/current/ultrashim.cab
DPF: {CAFEEFAC-0016-0000-0017-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_17-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_17-windows-i586.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://fpdownload.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
DPF: {D6E7CFB5-C074-4D1C-B647-663D1A8D96BF} - hxxp://upload.facebook.com/controls/FacebookPhotoUploader4_5.cab
DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - hxxp://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
SEH: Microsoft AntiMalware ShellExecuteHook: {091eb208-39dd-417d-a5dd-7e2c2d8fb9cb} - c:\progra~1\wifd1f~1\MpShHook.dll
LSA: Notification Packages = scecli tesirolo.dll
Hosts: 127.0.0.1 www.spywareinfo.com

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\laurie~1\applic~1\mozilla\firefox\profiles\gaa6p40y.default\
FF - prefs.js: browser.startup.homepage - hxxp://m.www.yahoo.com/|http://www.google.com/firefox?client=firefox-a&rls=org.mozilla:en-US:official
FF - plugin: c:\progra~1\yahoo!\common\npyaxmpb.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npViewpoint.dll
FF - plugin: c:\program files\viewpoint\viewpoint media player\npViewpoint.dll
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0016-ABCDEFFEDCBA}
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0017-ABCDEFFEDCBA}

---- FIREFOX POLICIES ----
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl3.rsa_seed_sha", true);

============= SERVICES / DRIVERS ===============

P2 McShield;McAfee McShield;c:\program files\mcafee\virusscan enterprise\Mcshield.exe [2007-2-22 144960]
R1 mferkdk;VSCore mferkdk;c:\program files\mcafee\virusscan enterprise\mferkdk.sys [2006-11-30 31944]
R1 vsdatant;vsdatant;c:\windows\system32\vsdatant.sys [2009-11-29 353672]
R2 McAfeeFramework;McAfee Framework Service;c:\program files\mcafee\common framework\FrameworkService.exe [2009-11-29 104000]
R2 McTaskManager;McAfee Task Manager;c:\program files\mcafee\virusscan enterprise\VsTskMgr.exe [2007-2-22 54872]
R2 Viewpoint Manager Service;Viewpoint Manager Service;c:\program files\viewpoint\common\ViewpointService.exe [2009-11-29 24652]
R3 mfeavfk;McAfee Inc.;c:\windows\system32\drivers\mfeavfk.sys [2009-11-29 72264]
R3 mfebopk;McAfee Inc.;c:\windows\system32\drivers\mfebopk.sys [2009-11-29 34152]
R3 mfehidk;McAfee Inc.;c:\windows\system32\drivers\mfehidk.sys [2009-11-29 170408]
S2 vsmon;TrueVector Internet Monitor;c:\windows\system32\zonelabs\vsmon.exe -service --> c:\windows\system32\zonelabs\vsmon.exe -service [?]
S2 WinDefend;Windows Defender;c:\program files\windows defender\MsMpEng.exe [2006-11-3 13592]

=============== Created Last 30 ================

2009-11-30 05:35:16 0 d-----w- c:\docume~1\alluse~1\applic~1\Viewpoint
2009-11-30 05:35:12 0 d-----w- c:\program files\Viewpoint
2009-11-30 05:35:09 0 d-----w- c:\docume~1\alluse~1\applic~1\acccore
2009-11-30 05:33:40 0 d-----w- c:\program files\common files\AOL
2009-11-30 05:33:07 0 d-----w- c:\program files\AIM6
2009-11-30 05:32:58 367 ---ha-w- C:\IPH.PH
2009-11-30 04:42:49 1221512 ----a-w- c:\windows\system32\zpeng25.dll
2009-11-30 04:42:48 0 d-----w- c:\windows\system32\ZoneLabs
2009-11-30 04:42:45 350192 ----a-w- c:\windows\system32\vsconfig.xml
2009-11-30 03:04:25 73728 ----a-w- c:\windows\system32\javacpl.cpl
2009-11-29 19:52:58 0 d-----w- C:\QUARANTINE
2009-11-29 19:21:28 280 ----a-w- c:\windows\system32\epoPGPsdk.dll.sig
2009-11-29 19:21:28 1495552 ----a-w- c:\windows\system32\epoPGPsdk.dll
2009-11-29 19:21:28 0 d-----w- c:\program files\common files\Cisco Systems
2009-11-29 19:20:56 34152 ----a-w- c:\windows\system32\drivers\mfebopk.sys
2009-11-29 19:20:55 64360 ----a-w- c:\windows\system32\drivers\mfeapfk.sys
2009-11-29 19:20:54 72264 ----a-w- c:\windows\system32\drivers\mfeavfk.sys
2009-11-29 19:20:53 52136 ----a-w- c:\windows\system32\drivers\mfetdik.sys
2009-11-29 19:20:52 170408 ----a-w- c:\windows\system32\drivers\mfehidk.sys
2009-11-29 19:20:12 0 d-----w- c:\program files\McAfee
2009-11-29 19:20:12 0 d-----w- c:\program files\common files\McAfee
2009-11-22 19:05:57 15064 ----a-w- c:\windows\system32\wuapi.dll.mui

==================== Find3M ====================

2009-11-30 04:43:20 4212 ---ha-w- c:\windows\system32\zllictbl.dat
2009-10-29 07:46:59 832512 ----a-w- c:\windows\system32\wininet.dll
2009-10-29 07:46:52 78336 ----a-w- c:\windows\system32\ieencode.dll
2009-10-29 07:46:50 17408 ----a-w- c:\windows\system32\corpol.dll
2009-10-21 05:38:36 75776 ----a-w- c:\windows\system32\strmfilt.dll
2009-10-21 05:38:36 25088 ----a-w- c:\windows\system32\httpapi.dll
2009-10-20 16:20:16 265728 ------w- c:\windows\system32\drivers\http.sys
2009-10-13 10:30:16 270336 ----a-w- c:\windows\system32\oakley.dll
2009-10-12 13:38:19 149504 ----a-w- c:\windows\system32\rastls.dll
2009-10-12 13:38:18 79872 ----a-w- c:\windows\system32\raschap.dll
2009-10-11 10:17:27 411368 ----a-w- c:\windows\system32\deploytk.dll
2009-10-01 15:29:14 195440 ------w- c:\windows\system32\MpSigStub.exe
2004-09-19 18:01:36 1507 ----a-w- c:\program files\Notepad.lnk
2003-08-27 20:19:18 36963 ----a-r- c:\program files\common files\SM1updtr.dll
2001-08-18 12:00:00 94784 --sh--w- c:\windows\twain.dll
2008-04-14 00:12:07 50688 --sh--w- c:\windows\twain_32.dll
2008-04-14 00:11:56 1028096 --sha-w- c:\windows\system32\mfc42.dll
2008-04-14 00:12:01 57344 --sha-w- c:\windows\system32\msvcirt.dll
2008-04-14 00:12:01 413696 --sha-w- c:\windows\system32\msvcp60.dll
2008-04-14 00:12:02 551936 --sh--w- c:\windows\system32\oleaut32.dll
2008-04-14 00:12:02 84992 --sh--w- c:\windows\system32\olepro32.dll
2008-04-14 00:12:32 11776 --sh--w- c:\windows\system32\regsvr32.exe
2008-08-04 03:56:46 32768 --sha-w- c:\windows\system32\config\systemprofile\local settings\history\history.ie5\mshist012008080320080804\index.dat

============= FINISH: 12:29:08.84 ===============

Edited to remove duplicate info.

Edited by LaureBelle, 15 December 2009 - 07:58 PM.


#9 LaureBelle - Member (Full Member, 7 posts)

Posted 15 December 2009 - 01:56 PM

DDS Attach

UNLESS SPECIFICALLY INSTRUCTED, DO NOT POST THIS LOG.
IF REQUESTED, ZIP IT UP & ATTACH IT

DDS (Ver_09-12-01.01)

Microsoft Windows XP Home Edition
Boot Device: \Device\HarddiskVolume1
Install Date: 12/30/2001 4:05:56 PM
System Uptime: 12/15/2009 12:20:03 PM (0 hours ago)

Motherboard: First International Computer, Inc. | | VC31
Processor: Intel® Pentium® 4 CPU 1500MHz | Socket 478 | 1495/100mhz

==== Disk Partitions =========================

A: is Removable
C: is FIXED (NTFS) - 56 GiB total, 21.712 GiB free.
D: is CDROM ()
E: is CDROM ()

==== Disabled Device Manager Items =============

==== System Restore Points ===================

RP1887: 9/20/2009 9:23:08 PM - Software Distribution Service 3.0
RP1888: 9/26/2009 10:08:26 AM - Software Distribution Service 3.0
RP1889: 9/27/2009 10:09:11 AM - System Checkpoint
RP1890: 10/5/2009 11:34:44 PM - Software Distribution Service 3.0
RP1891: 10/6/2009 11:35:39 PM - System Checkpoint
RP1892: 10/11/2009 2:00:20 PM - Software Distribution Service 3.0
RP1893: 10/15/2009 11:00:40 PM - Software Distribution Service 3.0
RP1894: 10/16/2009 6:21:56 PM - Software Distribution Service 3.0
RP1895: 10/17/2009 6:55:58 PM - System Checkpoint
RP1896: 10/19/2009 8:25:44 AM - System Checkpoint
RP1897: 10/20/2009 10:08:12 PM - Software Distribution Service 3.0
RP1898: 10/22/2009 12:31:49 AM - System Checkpoint
RP1899: 10/24/2009 11:58:15 AM - Software Distribution Service 3.0
RP1900: 10/25/2009 12:25:17 PM - System Checkpoint
RP1901: 10/26/2009 1:09:59 PM - System Checkpoint
RP1902: 10/27/2009 1:59:14 PM - System Checkpoint
RP1903: 10/27/2009 2:19:13 PM - Revo Uninstaller's restore point - ZoneAlarm
RP1904: 10/27/2009 3:10:11 PM - Revo Uninstaller's restore point - ZoneAlarm
RP1905: 10/27/2009 3:12:30 PM - Revo Uninstaller's restore point - ZoneAlarm
RP1906: 10/31/2009 4:42:28 PM - Restore Operation
RP1907: 10/31/2009 4:52:25 PM - Revo Uninstaller's restore point - ZoneAlarm
RP1908: 11/1/2009 11:13:30 PM - System Checkpoint
RP1909: 11/2/2009 1:14:46 PM - Revo Uninstaller's restore point - ZoneAlarm
RP1910: 11/12/2009 3:22:17 AM - System Checkpoint
RP1911: 11/13/2009 11:42:40 PM - System Checkpoint
RP1912: 11/14/2009 11:51:32 PM - System Checkpoint
RP1913: 11/16/2009 6:57:28 AM - System Checkpoint
RP1914: 11/21/2009 9:04:26 AM - System Checkpoint
RP1915: 11/22/2009 9:52:27 AM - System Checkpoint
RP1916: 11/22/2009 1:10:30 PM - Software Distribution Service 3.0
RP1917: 11/22/2009 1:43:13 PM - Software Distribution Service 3.0
RP1918: 11/28/2009 7:17:08 PM - System Checkpoint
RP1919: 11/29/2009 3:00:25 AM - Software Distribution Service 3.0
RP1920: 11/29/2009 1:20:28 PM - Installed McAfee VirusScan Enterprise
RP1921: 11/29/2009 9:03:27 PM - Installed Java™ 6 Update 16
RP1922: 11/29/2009 9:07:46 PM - Installed Java™ 6 Update 17
RP1923: 11/30/2009 9:53:36 PM - System Checkpoint
RP1924: 12/1/2009 10:17:01 PM - System Checkpoint
RP1925: 12/6/2009 1:11:44 PM - System Checkpoint
RP1926: 12/8/2009 8:53:00 AM - System Checkpoint
RP1927: 12/9/2009 8:38:28 PM - System Checkpoint
RP1928: 12/10/2009 1:40:42 AM - Software Distribution Service 3.0
RP1929: 12/11/2009 8:02:20 PM - System Checkpoint
RP1930: 12/12/2009 8:10:55 PM - System Checkpoint
RP1931: 12/14/2009 12:14:44 AM - System Checkpoint
RP1932: 12/15/2009 1:51:24 AM - System Checkpoint
RP1933: 12/15/2009 11:37:47 AM - Revo Uninstaller's restore point - Adobe Reader 7.0
RP1934: 12/15/2009 11:39:01 AM - Removed Adobe Reader 7.0

==== Installed Programs ======================

ACDSee
Adobe Acrobat 5.0
Adobe Download Manager
Adobe Flash Player 10 ActiveX
Adobe Flash Player 10 Plugin
AIM 6
AiO_Scan_CDA
AiOSoftwareNPI
AOL Instant Messenger
AusLogics Registry Defrag
BufferChm
C3100
c3100_Help
CCleaner
Compatibility Pack for the 2007 Office system
CustomerResearchQFolder
Cypress USB Mass Storage Driver Installation
Destinations
DeviceManagementQFolder
DocProc
DocProcQFolder
eSupportQFolder
Fax_CDA
Free Window Registry Repair
Glary Registry Repair 3.0
Google Earth
Halsoft Battleship
Halsoft Checkers
Halsoft Virtual Places Chat
Halsoft VP Chat Tri-Hook
Halsoft Yahtzee
HighMAT Extension to Microsoft Windows XP CD Writing Wizard
HijackThis 2.0.2
Hotfix for Windows Internet Explorer 7 (KB947864)
Hotfix for Windows Media Format 11 SDK (KB929399)
Hotfix for Windows Media Format SDK (KB902344)
Hotfix for Windows Media Format SDK (KB910998)
Hotfix for Windows XP (KB952287)
Hotfix for Windows XP (KB970653-v3)
Hotfix for Windows XP (KB976098-v2)
HP Customer Participation Program 7.0
HP Imaging Device Functions 7.0
HP Photosmart Essential
HP Photosmart, Officejet and Deskjet 7.0.A
HP PrecisionScan LTX
HP Share-to-Web
HP Software Update
HP Solution Center 7.0
HPPhotoSmartExpress
HPProductAssistant
InstantShareDevicesMFC
Java™ 6 Update 17
LimeWire 4.18.8
Malwarebytes' Anti-Malware
MarketResearch
McAfee VirusScan Enterprise
Microsoft Data Access Components KB870669
Microsoft Interactive Training
Microsoft Internationalized Domain Names Mitigation APIs
Microsoft Money 2002
Microsoft Money 2002 System Pack
Microsoft National Language Support Downlevel APIs
Microsoft Office XP Media Content
Microsoft Office XP Professional
Microsoft User-Mode Driver Framework Feature Pack 1.0
Microsoft VC9 runtime libraries
Microsoft Visual C++ 2005 ATL Update kb973923 - x86 8.0.50727.4053
Microsoft Visual C++ 2005 Redistributable
Microsoft Works 6.0
Mozilla Firefox (3.5.5)
MSXML 4.0 SP2 (KB954430)
MSXML 4.0 SP2 (KB973688)
NewCopy_CDA
OCR Software by I.R.I.S 7.0
Paint Shop Pro 5.0
PanoStandAlone
PowerDVD
ProductContextNPI
QuickTime
Readme
RealPlayer Basic
Revo Uninstaller 1.83
SBC Yahoo! DSL Activation
Scan
ScannerCopy
Security Update for Step By Step Interactive Training (KB898458)
Security Update for Step By Step Interactive Training (KB923723)
Security Update for Windows Internet Explorer 7 (KB928090)
Security Update for Windows Internet Explorer 7 (KB929969)
Security Update for Windows Internet Explorer 7 (KB931768)
Security Update for Windows Internet Explorer 7 (KB933566)
Security Update for Windows Internet Explorer 7 (KB937143)
Security Update for Windows Internet Explorer 7 (KB938127)
Security Update for Windows Internet Explorer 7 (KB939653)
Security Update for Windows Internet Explorer 7 (KB942615)
Security Update for Windows Internet Explorer 7 (KB944533)
Security Update for Windows Internet Explorer 7 (KB950759)
Security Update for Windows Internet Explorer 7 (KB953838)
Security Update for Windows Internet Explorer 7 (KB956390)
Security Update for Windows Internet Explorer 7 (KB958215)
Security Update for Windows Internet Explorer 7 (KB960714)
Security Update for Windows Internet Explorer 7 (KB961260)
Security Update for Windows Internet Explorer 7 (KB963027)
Security Update for Windows Internet Explorer 7 (KB972260)
Security Update for Windows Internet Explorer 7 (KB974455)
Security Update for Windows Internet Explorer 7 (KB976325)
Security Update for Windows Media Player (KB952069)
Security Update for Windows Media Player (KB954155)
Security Update for Windows Media Player (KB968816)
Security Update for Windows Media Player (KB973540)
Security Update for Windows Media Player 10 (KB911565)
Security Update for Windows Media Player 10 (KB917734)
Security Update for Windows Media Player 10 (KB936782)
Security Update for Windows XP (KB923561)
Security Update for Windows XP (KB938464)
Security Update for Windows XP (KB941569)
Security Update for Windows XP (KB946648)
Security Update for Windows XP (KB950760)
Security Update for Windows XP (KB950762)
Security Update for Windows XP (KB950974)
Security Update for Windows XP (KB951066)
Security Update for Windows XP (KB951376-v2)
Security Update for Windows XP (KB951376)
Security Update for Windows XP (KB951698)
Security Update for Windows XP (KB951748)
Security Update for Windows XP (KB952004)
Security Update for Windows XP (KB952954)
Security Update for Windows XP (KB953839)
Security Update for Windows XP (KB954211)
Security Update for Windows XP (KB954459)
Security Update for Windows XP (KB954600)
Security Update for Windows XP (KB955069)
Security Update for Windows XP (KB956391)
Security Update for Windows XP (KB956572)
Security Update for Windows XP (KB956744)
Security Update for Windows XP (KB956802)
Security Update for Windows XP (KB956803)
Security Update for Windows XP (KB956841)
Security Update for Windows XP (KB956844)
Security Update for Windows XP (KB957095)
Security Update for Windows XP (KB957097)
Security Update for Windows XP (KB958644)
Security Update for Windows XP (KB958687)
Security Update for Windows XP (KB958690)
Security Update for Windows XP (KB958869)
Security Update for Windows XP (KB959426)
Security Update for Windows XP (KB960225)
Security Update for Windows XP (KB960715)
Security Update for Windows XP (KB960803)
Security Update for Windows XP (KB960859)
Security Update for Windows XP (KB961371-v2)
Security Update for Windows XP (KB961373)
Security Update for Windows XP (KB961501)
Security Update for Windows XP (KB968537)
Security Update for Windows XP (KB969059)
Security Update for Windows XP (KB969947)
Security Update for Windows XP (KB970238)
Security Update for Windows XP (KB970430)
Security Update for Windows XP (KB971486)
Security Update for Windows XP (KB971557)
Security Update for Windows XP (KB971633)
Security Update for Windows XP (KB971657)
Security Update for Windows XP (KB971961)
Security Update for Windows XP (KB973346)
Security Update for Windows XP (KB973354)
Security Update for Windows XP (KB973507)
Security Update for Windows XP (KB973525)
Security Update for Windows XP (KB973869)
Security Update for Windows XP (KB973904)
Security Update for Windows XP (KB974112)
Security Update for Windows XP (KB974318)
Security Update for Windows XP (KB974392)
Security Update for Windows XP (KB974571)
Security Update for Windows XP (KB975025)
Security Update for Windows XP (KB975467)
Shockwave
SolutionCenter
Spybot - Search & Destroy
Status
Toolbox
Total Recorder 5.2
TrayApp
Uninstall Startup Inspector
Unload
Update for Windows Internet Explorer 7 (KB976749)
Update for Windows XP (KB951072-v2)
Update for Windows XP (KB951978)
Update for Windows XP (KB955839)
Update for Windows XP (KB967715)
Update for Windows XP (KB968389)
Update for Windows XP (KB971737)
Update for Windows XP (KB973687)
Update for Windows XP (KB973815)
USB Storage Adapter FX (SM1)
VC 9.0 Runtime
Viewpoint Media Player
WebFldrs XP
WebReg
Windows Defender
Windows Genuine Advantage Notifications (KB905474)
Windows Genuine Advantage v1.3.0254.0
Windows Genuine Advantage Validation Tool (KB892130)
Windows Internet Explorer 7
Windows Live installer
Windows Live Messenger
Windows Live Sign-in Assistant
Windows Media Format 11 runtime
Windows Media Player 10
Windows XP Service Pack 3
Yahoo! extras
Yahoo! Internet Mail
Yahoo! Messenger
Yahoo! Toolbar
ZoneAlarm

==== Event Viewer Messages From Past Week ========

12/9/2009 6:00:46 PM, error: Service Control Manager [7009] - Timeout (30000 milliseconds) waiting for the Application Layer Gateway Service service to connect.
12/9/2009 6:00:46 PM, error: Service Control Manager [7000] - The Application Layer Gateway Service service failed to start due to the following error: The service did not respond to the start or control request in a timely fashion.
12/15/2009 11:44:36 AM, error: Service Control Manager [7003] - The Print Spooler service depends on the following nonexistent service: LexBceS
12/11/2009 7:08:37 PM, error: Service Control Manager [7009] - Timeout (30000 milliseconds) waiting for the IMAPI CD-Burning COM Service service to connect.
12/11/2009 7:08:37 PM, error: Service Control Manager [7000] - The IMAPI CD-Burning COM Service service failed to start due to the following error: The service did not respond to the start or control request in a timely fashion.

==== End Of File ===========================

Edited to remove duplicate info.

Edited by LaureBelle, 15 December 2009 - 07:57 PM.


#10 LaureBelle - Member (Full Member, 7 posts)

Posted 15 December 2009 - 01:57 PM

ROOTREPEAL © AD, 2007-2009
==================================================
Scan Start Time: 2009/12/15 12:35
Program Version: Version 1.3.5.0
Windows Version: Windows XP SP3
==================================================

Drivers
-------------------
Name: dump_atapi.sys
Image Path: C:\WINDOWS\System32\Drivers\dump_atapi.sys
Address: 0xF5D6B000 Size: 98304 File Visible: No Signed: -
Status: -

Name: dump_WMILIB.SYS
Image Path: C:\WINDOWS\System32\Drivers\dump_WMILIB.SYS
Address: 0xF7BED000 Size: 8192 File Visible: No Signed: -
Status: -

Name: rootrepeal.sys
Image Path: C:\WINDOWS\system32\drivers\rootrepeal.sys
Address: 0xF2C9D000 Size: 49152 File Visible: No Signed: -
Status: -

Name: srescan.sys
Image Path: srescan.sys
Address: 0xF74C1000 Size: 81920 File Visible: No Signed: -
Status: -

Hidden/Locked Files
-------------------
Path: C:\hiberfil.sys
Status: Locked to the Windows API!

Path: c:\windows\temp\perflib_perfdata_d8.dat
Status: Allocation size mismatch (API: 16384, Raw: 0)

SSDT
-------------------
#: 031 Function Name: NtConnectPort
Status: Hooked by "C:\WINDOWS\System32\vsdatant.sys" at address 0xf5e89fc0

#: 037 Function Name: NtCreateFile
Status: Hooked by "C:\WINDOWS\System32\vsdatant.sys" at address 0xf5e86c80

#: 041 Function Name: NtCreateKey
Status: Hooked by "C:\WINDOWS\System32\vsdatant.sys" at address 0xf5ea1170

#: 046 Function Name: NtCreatePort
Status: Hooked by "C:\WINDOWS\System32\vsdatant.sys" at address 0xf5e8a580

#: 056 Function Name: NtCreateWaitablePort
Status: Hooked by "C:\WINDOWS\System32\vsdatant.sys" at address 0xf5e8a670

#: 062 Function Name: NtDeleteFile
Status: Hooked by "C:\WINDOWS\System32\vsdatant.sys" at address 0xf5e87210

#: 063 Function Name: NtDeleteKey
Status: Hooked by "C:\WINDOWS\System32\vsdatant.sys" at address 0xf5ea19f0

#: 065 Function Name: NtDeleteValueKey
Status: Hooked by "C:\WINDOWS\System32\vsdatant.sys" at address 0xf5ea17a0

#: 098 Function Name: NtLoadKey
Status: Hooked by "C:\WINDOWS\System32\vsdatant.sys" at address 0xf5ea1f10

#: 099 Function Name: NtLoadKey2
Status: Hooked by "C:\WINDOWS\System32\vsdatant.sys" at address 0xf5ea1f90

#: 116 Function Name: NtOpenFile
Status: Hooked by "C:\WINDOWS\System32\vsdatant.sys" at address 0xf5e87070

#: 192 Function Name: NtRenameKey
Status: Hooked by "C:\WINDOWS\System32\vsdatant.sys" at address 0xf5ea26f0

#: 193 Function Name: NtReplaceKey
Status: Hooked by "C:\WINDOWS\System32\vsdatant.sys" at address 0xf5ea2150

#: 200 Function Name: NtRequestWaitReplyPort
Status: Hooked by "C:\WINDOWS\System32\vsdatant.sys" at address 0xf5e89be0

#: 204 Function Name: NtRestoreKey
Status: Hooked by "C:\WINDOWS\System32\vsdatant.sys" at address 0xf5ea2540

#: 224 Function Name: NtSetInformationFile
Status: Hooked by "C:\WINDOWS\System32\vsdatant.sys" at address 0xf5e87440

#: 247 Function Name: NtSetValueKey
Status: Hooked by "C:\WINDOWS\System32\vsdatant.sys" at address 0xf5ea14e0

==EOF==

#11 snemelk - engineer (Expert, 3,098 posts)

Posted 16 December 2009 - 03:53 PM

Hi again LaureBelle!!.. :).

Logs look clean to me...

Go to Start > Control Panel, double-click on Add or Remove Programs and uninstall the following:
Adobe Acrobat 5.0 - this is a very old version of Adobe Acrobat Reader (with security vulnerabilities)...
Afterwards, download and install a new version from here: http://www.adobe.com.../readstep2.html

One optional program to remove (just decide if you want to keep it...):

Viewpoint Media Player
Viewpoint Manager is considered foistware instead of malware. It is installed on your computer without your permission. It is known to be intrusive, and there is also some possibility that it is now being used by various companies to give them info about your habits.

I suggest you remove the program now.


Copy and paste this text IN BOLD into a text editor such as Notepad.

Save this text as Fix.reg. Make sure the "Save as type:" is "All Files (*.*)" and save it to your Desktop.

REGEDIT4

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
"Notification Packages"=hex(7):73,63,65,63,6c,69,00,00


Double-click on Fix.reg. When it asks you to merge the information to the registry click Yes.

Then, you may delete DDS application (and its logs) and RootRepeal's files from your Desktop...

Finally,
Please, set up a new System Restore point:

Turn off System Restore

To turn off System Restore, follow these steps:
1. Click Start, right-click My Computer, and then click Properties.
2. Click the System Restore tab.
3. Select the Turn off System Restore check box (or the Turn off System Restore on all drives check box), and then click OK.
4. Click Yes when you receive the prompt to the turn off System Restore.

Then, to turn it back on:
1. Wait for Windows to finish clearing Restore Points.
2. Clear the Turn off System Restore check box (or the Turn off System Restore on all drives check box), and then click OK.

Please check my site - snemelk.hekko.pl. There, you'll find a few steps to make your web browsing safer. :thumbup:

Also, I recommend you read Tony Klein's excellent article: How I got Infected in the First Place?

:wave:

snemelk.hekko.pl - - my site with a few computer security tips...
Silesia - that's where I live!

"If I had some duct tape, I could fix that." - MacGyver


My help is free, but if you wish to help keep these forums running please consider a donation, see this topic for details.
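The Fix.reg in the reply above rewrites the LSA "Notification Packages" value that the DDS log showed as "scecli tesirolo.dll"; a DLL listed there is loaded by LSASS on every password change, so an unexpected entry is worth checking before and after such a fix. The Python below is an added example, not part of snemelk's reply or of DDS: it pulls that line out of a DDS log, flags any package not on an allow-list, and decodes the hex(7) value from the .reg text to confirm what the fix will actually write. The allow-list (just "scecli") and both sample inputs are constructed for the example.

```python
import re

# Allow-list for this Windows XP machine. Assumption: "scecli" alone, which is
# exactly what the posted Fix.reg writes back.
EXPECTED_PACKAGES = {"scecli"}

# Constructed sample: the relevant lines from the DDS log posted in this thread.
DDS_SAMPLE = """\
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\\windows\\system32\\WPDShServiceObj.dll
LSA: Notification Packages = scecli tesirolo.dll
Hosts: 127.0.0.1 www.spywareinfo.com
"""

# Constructed sample: the Fix.reg text from the reply above.
FIX_REG = """\
REGEDIT4

[HKEY_LOCAL_MACHINE\\system\\currentcontrolset\\control\\lsa]
"Notification Packages"=hex(7):73,63,65,63,6c,69,00,00
"""


def lsa_packages_from_dds(log_text: str) -> list[str]:
    """Return the DLL names listed on the DDS 'LSA: Notification Packages' line."""
    m = re.search(r"^LSA: Notification Packages = (.*)$", log_text, re.MULTILINE)
    return m.group(1).split() if m else []


def multi_sz_from_reg(reg_text: str, value_name: str = "Notification Packages") -> list[str]:
    """Decode a REGEDIT4 hex(7) value (REG_MULTI_SZ, ANSI bytes) into its strings.

    Lets you see what a .reg fix will write before merging it.
    """
    # A .reg file may continue a long hex list on the next line after a trailing backslash.
    joined = re.sub(r"\\\r?\n\s*", "", reg_text)
    pattern = r'"%s"=hex\(7\):([0-9a-fA-F, ]+)' % re.escape(value_name)
    m = re.search(pattern, joined)
    if not m:
        raise ValueError(f"value {value_name!r} not found in .reg text")
    raw = bytes(int(b, 16) for b in m.group(1).split(",") if b.strip())
    # REG_MULTI_SZ: NUL-separated strings, terminated by an empty string (double NUL).
    return [s for s in raw.decode("latin-1").split("\x00") if s]


def unexpected_packages(packages: list[str]) -> set[str]:
    """Packages not on the allow-list (case-insensitive, as Windows file names are)."""
    return {p for p in packages if p.lower() not in EXPECTED_PACKAGES}


if __name__ == "__main__":
    before = lsa_packages_from_dds(DDS_SAMPLE)
    after = multi_sz_from_reg(FIX_REG)
    print("current (DDS):", before, "-> suspicious:", unexpected_packages(before))
    print("after Fix.reg:", after, "-> suspicious:", unexpected_packages(after))
```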

#12 snemelk - engineer (Expert, 3,098 posts)

Posted 03 January 2010 - 01:09 PM

Since this issue appears resolved ... this Topic is closed.

If you need this topic reopened, please tell the moderating team by replying here with the address of the thread. This applies only to the original topic starter.

Everyone else please begin a New Topic.