LaureBelle

More Popups...

12 posts in this topic

Hi, like most I'm having a popup problem, slowness in everything I do. I am unable to download some of the programs suggested to check for malware/virus, the downloads just churn and nothing comes through. I was able to download HijackThis (probably because it's so small), so I can post that log.

 

As soon as I bring up a browser, everything slows to a crawl, suddenly a big browser (with no URL) opens up offering 'google work from home for $$$' ads, some are large audio/video which start playing, and the only way I can close them is Ctrl/Alt/Del and shut them down. Today while I was on the HijackThis page, another browser (about:blank) opened and empty browser tabs started replicating exponentially!

 

I have the feeling that O4 - HKLM\..\Run: [tunemalul] Rundll32.exe "c:\windows\system32\nehaleti.dll",a is a problem. When I try to get it out of my startup list, the next time I start up it puts yet another version of tunemalul in. So far I have all of these unchecked versions in startup as well. Something keeps installing them.

 

Rundll32.exe "c:\windows\system32\puzesale.dll",a

Rundll32.exe "c:\windows\system32\mifolole.dll",a

Rundll32.exe "c:\windows\system32\lutayesi.dll",a

Rundll32.exe "c:\windows\system32\migisibi.dll",a

 

I no longer have a Lexmark printer, so can probably get rid of that, but can you see anything else in there I should delete? Another program I should use?

 

Not sure what those O1 - Hosts: 209.66.123.174 lines are, I swear I don't have any porn sites up, or any porn on my machine even!!

 

Who are these idiots who create this crap?? Such a pain... Anyway, appreciate those of you who sacrifice your time to help us deal with it all.

 

Laure

--------------------------------------------------------------

 

Logfile of Trend Micro HijackThis v2.0.2

Scan saved at 12:51:47 PM, on 11/1/2009

Platform: Windows XP SP3 (WinNT 5.01.2600)

MSIE: Internet Explorer v7.00 (7.00.6000.16915)

Boot mode: Normal

 

Running processes:

C:\WINDOWS\system32\csrss.exe

C:\WINDOWS\system32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\Explorer.EXE

C:\WINDOWS\system32\LEXBCES.EXE

C:\WINDOWS\system32\spoolsv.exe

C:\WINDOWS\system32\LEXPPS.EXE

C:\Program Files\Microsoft Hardware\Keyboard\type32.exe

C:\WINDOWS\system32\ctfmon.exe

C:\WINDOWS\System32\svchost.exe

C:\Program Files\Yahoo!\Messenger\ymsgr_tray.exe

C:\WINDOWS\system32\HPZipm12.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\System32\alg.exe

C:\Program Files\Mozilla Firefox\firefox.exe

C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

C:\WINDOWS\system32\wbem\wmiprvse.exe

 

R1 - HKCU\Software\Microsoft\Internet Explorer,SearchURL = http://freehqmovies.com/search/

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =

R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll

F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\userinit.exe,C:\WINDOWS\system32\twext.exe,

O1 - Hosts: 209.66.123.174 www.sexyrabbit.com

O1 - Hosts: 209.66.123.174 www.free6.com

O1 - Hosts: 209.66.123.174 www.thehun.net

O1 - Hosts: 209.66.123.174 www.thehun.com

O1 - Hosts: 209.66.123.174 www.sexocean.com

O1 - Hosts: 209.66.123.174 www.xnxx.com

O1 - Hosts: 209.66.123.174 www.easypic.com

O2 - BHO: Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll

O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll

O2 - BHO: UberButton Class - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\common\yiesrvc.dll

O2 - BHO: YahooTaggedBM Class - {65D886A2-7CA7-479B-BB95-14D1EFB7946A} - C:\Program Files\Yahoo!\common\YIeTagBm.dll

O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)

O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll

O2 - BHO: (no name) - {FDD3B846-8D59-4ffb-8758-209B6AD74ACC} - C:\Program Files\Microsoft Money\System\mnyviewer.dll

O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll

O4 - HKLM\..\Run: [intelliType] "C:\Program Files\Microsoft Hardware\Keyboard\type32.exe"

O4 - HKLM\..\Run: [Windows Defender] "C:\Program Files\Windows Defender\MSASCui.exe" -hide

O4 - HKLM\..\Run: [tunemalul] Rundll32.exe "c:\windows\system32\nehaleti.dll",a

O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe

O4 - HKCU\..\Run: [Yahoo! Pager] "C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe" -quiet

O4 - HKUS\S-1-5-18\..\Run: [DWQueuedReporting] "C:\PROGRA~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" -t (User 'SYSTEM')

O4 - HKUS\.DEFAULT\..\Run: [DWQueuedReporting] "C:\PROGRA~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" -t (User 'Default user')

O8 - Extra context menu item: &Yahoo! Search - file:///C:\Program Files\Yahoo!\Common/ycsrch.htm

O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\Office10\EXCEL.EXE/3000

O8 - Extra context menu item: Yahoo! &Dictionary - file:///C:\Program Files\Yahoo!\Common/ycdict.htm

O8 - Extra context menu item: Yahoo! &Maps - file:///C:\Program Files\Yahoo!\Common/ycmap.htm

O8 - Extra context menu item: Yahoo! &SMS - file:///C:\Program Files\Yahoo!\Common/ycsms.htm

O9 - Extra button: Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\common\yiesrvc.dll

O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM95\aim.exe

O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll

O9 - Extra button: MoneySide - {E023F504-0C5A-4750-A1E7-A9046DEA8A21} - C:\Program Files\Microsoft Money\System\mnyviewer.dll

O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe

O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe

O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe

O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe

O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll

O14 - IERESET.INF: START_PAGE_URL=http://www.e4me.com

O15 - Trusted Zone: *.texastech.edu

O16 - DPF: {0CCA191D-13A6-4E29-B746-314DEE697D83} (Facebook Photo Uploader 5 Control) - http://upload.facebook.com/controls/2008.10.10_v5.5.8/FacebookPhotoUploader5.cab

O16 - DPF: {215B8138-A3CF-44C5-803F-8226143CFC0A} (Trend Micro ActiveX Scan Agent 6.6) - http://housecall65.trendmicro.com/housecall/applet/html/native/x86/win32/activex/hcImpl.cab

O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - C:\Program Files\Yahoo!\Common\yinsthelper.dll

O16 - DPF: {48DD0448-9209-4F81-9F6D-D83562940134} (MySpace Uploader Control) - http://lads.myspace.com/upload/MySpaceUploader1006.cab

O16 - DPF: {5C6698D9-7BE4-4122-8EC5-291D84DBD4A0} - http://upload.facebook.com/controls/FacebookPhotoUploader3.cab

O16 - DPF: {8100D56A-5661-482C-BEE8-AFECE305D968} (Facebook Photo Uploader 5 Control) - http://upload.facebook.com/controls/2009.07.28_v5.5.8.1/FacebookPhotoUploader55.cab

O16 - DPF: {D6E7CFB5-C074-4D1C-B647-663D1A8D96BF} (Facebook Photo Uploader 4) - http://upload.facebook.com/controls/FacebookPhotoUploader4_5.cab

O16 - DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} (get_atlcom Class) - http://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab

O20 - AppInit_DLLs: bemadoko.dll c:\windows\system32\nehaleti.dll

O20 - Winlogon Notify: __c0037419 - C:\WINDOWS\

O20 - Winlogon Notify: __c009B5A1 - C:\WINDOWS\

O20 - Winlogon Notify: __c00C8471 - C:\WINDOWS\

O20 - Winlogon Notify: __c00E669A - C:\WINDOWS\

O21 - SSODL: bahumamig - {b46401f3-967f-4672-a29a-3fa4130c61d3} - c:\windows\system32\nehaleti.dll

O22 - SharedTaskScheduler: tokatiluy - {b46401f3-967f-4672-a29a-3fa4130c61d3} - c:\windows\system32\nehaleti.dll

O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE

O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe

 

--

End of file - 6916 bytes

----------------------------------

11/02/09

 

 

Was finally able to download Spybot Search & Destroy. It took two tries due to an 'out of memory' message as it was stuck on Virtumonde (source of tunemalul), but it eventually eliminated the malware and trojans it found, except for win32...Agent.jg. Now I just need to get rid of that one; it said it was running and couldn't delete it... Popups have stopped now though. Here is my new HijackThis log, any ideas how to get rid of Agent.jg? twext.exe is a part of that file.

 

Also, I still see this entry in this log:

 

O1 - Hosts: 209.66.123.174 www.thehun.com

 

----------

Logfile of Trend Micro HijackThis v2.0.2

Scan saved at 12:22:12 PM, on 11/2/2009

Platform: Windows XP SP3 (WinNT 5.01.2600)

MSIE: Internet Explorer v7.00 (7.00.6000.16915)

Boot mode: Normal

 

Running processes:

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\system32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\Explorer.EXE

C:\WINDOWS\system32\LEXBCES.EXE

C:\WINDOWS\system32\spoolsv.exe

C:\WINDOWS\system32\LEXPPS.EXE

C:\Program Files\Microsoft Hardware\Keyboard\type32.exe

C:\WINDOWS\system32\ctfmon.exe

C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe

C:\Program Files\Yahoo!\Messenger\ymsgr_tray.exe

C:\WINDOWS\system32\HPZipm12.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\system32\wscntfy.exe

C:\WINDOWS\system32\NOTEPAD.EXE

C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

 

R1 - HKCU\Software\Microsoft\Internet Explorer,SearchURL = about:blank

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =

R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll

F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\userinit.exe,C:\WINDOWS\system32\twext.exe,

O1 - Hosts: 209.66.123.174 www.thehun.com

O2 - BHO: Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll

O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll

O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll

O2 - BHO: UberButton Class - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\common\yiesrvc.dll

O2 - BHO: YahooTaggedBM Class - {65D886A2-7CA7-479B-BB95-14D1EFB7946A} - C:\Program Files\Yahoo!\common\YIeTagBm.dll

O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)

O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll

O2 - BHO: (no name) - {FDD3B846-8D59-4ffb-8758-209B6AD74ACC} - C:\Program Files\Microsoft Money\System\mnyviewer.dll

O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll

O4 - HKLM\..\Run: [intelliType] "C:\Program Files\Microsoft Hardware\Keyboard\type32.exe"

O4 - HKLM\..\Run: [Windows Defender] "C:\Program Files\Windows Defender\MSASCui.exe" -hide

O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe

O4 - HKCU\..\Run: [Yahoo! Pager] "C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe" -quiet

O4 - HKCU\..\Run: [spybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe

O4 - HKUS\S-1-5-18\..\Run: [DWQueuedReporting] "C:\PROGRA~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" -t (User 'SYSTEM')

O4 - HKUS\.DEFAULT\..\Run: [DWQueuedReporting] "C:\PROGRA~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" -t (User 'Default user')

O8 - Extra context menu item: &Yahoo! Search - file:///C:\Program Files\Yahoo!\Common/ycsrch.htm

O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\Office10\EXCEL.EXE/3000

O8 - Extra context menu item: Yahoo! &Dictionary - file:///C:\Program Files\Yahoo!\Common/ycdict.htm

O8 - Extra context menu item: Yahoo! &Maps - file:///C:\Program Files\Yahoo!\Common/ycmap.htm

O8 - Extra context menu item: Yahoo! &SMS - file:///C:\Program Files\Yahoo!\Common/ycsms.htm

O9 - Extra button: Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\common\yiesrvc.dll

O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM95\aim.exe

O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll

O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll

O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll

O9 - Extra button: MoneySide - {E023F504-0C5A-4750-A1E7-A9046DEA8A21} - C:\Program Files\Microsoft Money\System\mnyviewer.dll

O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe

O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe

O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe

O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe

O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll

O14 - IERESET.INF: START_PAGE_URL=http://www.e4me.com

O15 - Trusted Zone: *.texastech.edu

O16 - DPF: {0CCA191D-13A6-4E29-B746-314DEE697D83} (Facebook Photo Uploader 5 Control) - http://upload.facebook.com/controls/2008.10.10_v5.5.8/FacebookPhotoUploader5.cab

O16 - DPF: {215B8138-A3CF-44C5-803F-8226143CFC0A} (Trend Micro ActiveX Scan Agent 6.6) - http://housecall65.trendmicro.com/housecall/applet/html/native/x86/win32/activex/hcImpl.cab

O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - C:\Program Files\Yahoo!\Common\yinsthelper.dll

O16 - DPF: {48DD0448-9209-4F81-9F6D-D83562940134} (MySpace Uploader Control) - http://lads.myspace.com/upload/MySpaceUploader1006.cab

O16 - DPF: {5C6698D9-7BE4-4122-8EC5-291D84DBD4A0} - http://upload.facebook.com/controls/FacebookPhotoUploader3.cab

O16 - DPF: {8100D56A-5661-482C-BEE8-AFECE305D968} (Facebook Photo Uploader 5 Control) - http://upload.facebook.com/controls/2009.07.28_v5.5.8.1/FacebookPhotoUploader55.cab

O16 - DPF: {D6E7CFB5-C074-4D1C-B647-663D1A8D96BF} (Facebook Photo Uploader 4) - http://upload.facebook.com/controls/FacebookPhotoUploader4_5.cab

O16 - DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} (get_atlcom Class) - http://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab

O20 - AppInit_DLLs: bemadoko.dll c:\windows\system32\yezenefi.dll

O20 - Winlogon Notify: __c0037419 - C:\WINDOWS\

O20 - Winlogon Notify: __c009B5A1 - C:\WINDOWS\

O20 - Winlogon Notify: __c00C8471 - C:\WINDOWS\

O20 - Winlogon Notify: __c00E669A - C:\WINDOWS\

O21 - SSODL: zuhujaruh - {2e9b7a26-def9-4006-b878-b9da3659dbba} - c:\windows\system32\yezenefi.dll (file missing)

O22 - SharedTaskScheduler: kupuhivus - {2e9b7a26-def9-4006-b878-b9da3659dbba} - c:\windows\system32\yezenefi.dll (file missing)

O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE

O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe

 

--

End of file - 6921 bytes

Edited by LaureBelle

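Checks of the kind a helper applies to the two HijackThis logs above, as an added example that is not part of this thread and not HijackThis or Spybot code: it flags the Vundo/Virtumonde persistence pattern those logs show (Rundll32 loading a random-named system32 DLL that is also hooked into AppInit_DLLs, SSODL and SharedTaskScheduler, an extra UserInit executable, and hosts-file redirects to an outside IP). The consonant-vowel name heuristic is an assumption drawn from the names in these logs, and the sample lines are copied from the first post.

```python
import re

# Vundo-style names seen in the logs above (nehaleti, puzesale, tunemalul):
# alternating consonant/vowel, 8 letters, optional 9th consonant. This
# pattern is an assumption drawn from those names, not a HijackThis rule.
CONSONANT = "[bcdfghjklmnpqrstvwxyz]"
RANDOM_NAME_RE = re.compile(rf"^({CONSONANT}[aeiou]){{4}}{CONSONANT}?$")
LINE_RE = re.compile(r"^(R\d|F\d|O\d+) - (.*)$")
DLL_RE = re.compile(r"([A-Za-z0-9_]+)\.dll", re.IGNORECASE)
LOOPBACK = {"127.0.0.1", "0.0.0.0", "::1"}

# Constructed sample: entries copied from the two logs in the first post,
# plus benign O4/O23 lines so that the checks have something to pass.
SAMPLE_LOG = r"""
Running processes:
C:\WINDOWS\Explorer.EXE
O1 - Hosts: 209.66.123.174 www.thehun.com
F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\userinit.exe,C:\WINDOWS\system32\twext.exe,
O4 - HKLM\..\Run: [intelliType] "C:\Program Files\Microsoft Hardware\Keyboard\type32.exe"
O4 - HKLM\..\Run: [tunemalul] Rundll32.exe "c:\windows\system32\nehaleti.dll",a
O20 - AppInit_DLLs: bemadoko.dll c:\windows\system32\nehaleti.dll
O20 - Winlogon Notify: __c0037419 - C:\WINDOWS\
O21 - SSODL: bahumamig - {b46401f3-967f-4672-a29a-3fa4130c61d3} - c:\windows\system32\nehaleti.dll
O22 - SharedTaskScheduler: tokatiluy - {b46401f3-967f-4672-a29a-3fa4130c61d3} - c:\windows\system32\nehaleti.dll
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
"""


def looks_random_name(name: str) -> bool:
    """True for 'nehaleti' or 'tunemalul'; False for 'userinit' or 'yt'."""
    return bool(RANDOM_NAME_RE.match(name.lower()))


def random_dlls(text: str):
    """Basenames of .dll references in text that look machine-generated."""
    return [n for n in DLL_RE.findall(text) if looks_random_name(n)]


def triage(log_text: str):
    """Return (section, reason, line) findings for suspicious entries."""
    findings = []
    for raw in log_text.splitlines():
        m = LINE_RE.match(raw.strip())
        if not m:
            continue  # header, process list, separators
        section, body, line = m.group(1), m.group(2), raw.strip()
        if section == "O1":
            # "Hosts: <ip> <host>": a non-loopback IP silently redirects the name
            parts = body.split()
            if len(parts) >= 3 and parts[1] not in LOOPBACK:
                findings.append((section, f"hosts redirect to {parts[1]}", line))
        elif section == "F2" and "UserInit=" in body:
            # anything besides userinit.exe here runs at every logon
            values = [v for v in body.split("=", 1)[1].split(",") if v]
            extras = [v for v in values if not v.lower().endswith("userinit.exe")]
            if extras:
                findings.append((section, f"extra UserInit entry {extras[0]}", line))
        elif section == "O4":
            name = re.search(r"\[([^\]]+)\]", body)
            if "rundll32" in body.lower() and random_dlls(body):
                findings.append((section, f"Rundll32 loads {random_dlls(body)[0]}.dll", line))
            elif name and looks_random_name(name.group(1)):
                findings.append((section, f"random Run entry name {name.group(1)}", line))
        elif section == "O20":
            if body.startswith("AppInit_DLLs:") and body.split(":", 1)[1].strip():
                findings.append((section, "AppInit_DLLs is populated", line))
            elif body.startswith("Winlogon Notify:"):
                name = body.split(":", 1)[1].split(" - ")[0].strip()
                if name.startswith("__c"):
                    findings.append((section, f"Winlogon Notify {name}", line))
        elif section in ("O21", "O22") and random_dlls(body):
            findings.append((section, f"shell hook loads {random_dlls(body)[0]}.dll", line))
    return findings


def persistence_hooks(log_text: str):
    """Map each random-named DLL to the sections referencing it, so one DLL
    wired into O4 + O20 + O21 + O22 shows up as a single infection."""
    hooks = {}
    for raw in log_text.splitlines():
        m = LINE_RE.match(raw.strip())
        if m:
            for dll in random_dlls(m.group(2)):
                hooks.setdefault(dll, set()).add(m.group(1))
    return hooks


if __name__ == "__main__":
    for section, reason, line in triage(SAMPLE_LOG):
        print(f"{section:<4} {reason:<45} {line}")
    for dll, sections in persistence_hooks(SAMPLE_LOG).items():
        print(f"{dll}.dll is referenced in {sorted(sections)}")
```

Run against the second log in the same post, the same checks would pick up yezenefi.dll under O20/O21/O22 and the surviving twext.exe UserInit entry, which is the part Spybot had not cleaned.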

Hi LaureBelle, and Welcome to SWI.

 

Why don't you have an antivirus installed??.. :hmmm:

 

Firstly,

Please download Malwarebytes' Anti-Malware from Here

 

Double Click mbam-setup.exe to install the application.

  • Make sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.
  • If an update is found, it will download and install the latest version.
  • Once the program has loaded, select "Perform Quick Scan", then click Scan.
  • The scan may take some time to finish, so please be patient.
  • When the scan is complete, click OK, then Show Results to view the results.
  • Make sure that everything is checked, and click Remove Selected.
  • When disinfection is completed, a log will open in Notepad and you may be prompted to Restart. (See Extra Note)
  • The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
  • Copy&Paste the entire report in your next reply along with a fresh HijackThis log.

Extra Note:

If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts. Click OK to either and let MBAM proceed with the disinfection process; if asked to restart the computer, please do so immediately.

 

Secondly,

Please install an antivirus application and perform a full system scan with it - post a log from that scan...

You may want to install one of the antivirus programs I recommend: link...

 

Tell me if the problem persists...


Due to the lack of feedback this Topic is closed.

 

Reopened

 

Everyone else please begin a New Topic.

Edited by cnm


Reopened at request of topic owner.

 

Thanks for re-opening. I have McAfee on my laptop, but not on this old desktop. Installed, updated, scanned, and here are the results as requested.

 

------------------------------------------------------------------------------------------

11/29/2009 1:32:06 PM Engine version =5400.1158

11/29/2009 1:32:06 PM AntiVirus DAT version =5817.0000

11/29/2009 1:32:06 PM Number of detection signatures in EXTRA.DAT =None

11/29/2009 1:32:06 PM Names of detection signatures in EXTRA.DAT =None

11/29/2009 1:31:16 PM Scan Started YOUR-5OLNB28OAO\Laure Belle Full Scan

11/29/2009 1:39:27 PM Engine version =5400.1158

11/29/2009 1:39:27 PM AntiVirus DAT version =5817.0000

11/29/2009 1:39:27 PM Number of detection signatures in EXTRA.DAT =None

11/29/2009 1:39:27 PM Names of detection signatures in EXTRA.DAT =None

11/29/2009 1:40:22 PM Not scanned (The file is encrypted) Laure Belle c:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\BDEProjector.zip\sbRecovery.reg

11/29/2009 1:40:25 PM Not scanned (The file is encrypted) Laure Belle c:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\BDEProjector1.zip\bdesecureinstall.cab

11/29/2009 1:40:26 PM Not scanned (The file is encrypted) Laure Belle c:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\BDEProjector2.zip\bdesecureinstall.exe

11/29/2009 1:40:26 PM Not scanned (The file is encrypted) Laure Belle c:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\CoolWWWSearchOemsyspnp.zip\sbRecovery.reg

11/29/2009 1:40:26 PM Not scanned (The file is encrypted) Laure Belle c:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\FreeHQMovies.zip\sbRecovery.reg

11/29/2009 1:40:26 PM Not scanned (The file is encrypted) Laure Belle c:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\FreeHQMovies1.zip\sbRecovery.reg

11/29/2009 1:40:26 PM Not scanned (The file is encrypted) Laure Belle c:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\MicrosoftWindowsSecurityCenterAntiVirusOverride.zip\sbRecovery.reg

11/29/2009 1:40:26 PM Not scanned (The file is encrypted) Laure Belle c:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\MicrosoftWindowsSecurityCenterFirewallBypass.zip\sbRecovery.reg

11/29/2009 1:40:27 PM Not scanned (The file is encrypted) Laure Belle c:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\MicrosoftWindowsSecurityCenterFirewallBypass1.zip\sbRecovery.reg

11/29/2009 1:40:27 PM Not scanned (The file is encrypted) Laure Belle c:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\Virtumondeatr.zip\vmbvaqzt.job

11/29/2009 1:40:27 PM Not scanned (The file is encrypted) Laure Belle c:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\Virtumondeatr1.zip\amlleoux.job

11/29/2009 1:40:27 PM Not scanned (The file is encrypted) Laure Belle c:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\VirtumondeDll.zip\yezenefi.dll

11/29/2009 1:40:28 PM Not scanned (The file is encrypted) Laure Belle c:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\VirtumondeDll1.zip\yarayebi.dll

11/29/2009 1:40:28 PM Not scanned (The file is encrypted) Laure Belle c:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\VirtumondeDll2.zip\bemadoko.dll

11/29/2009 1:40:28 PM Not scanned (The file is encrypted) Laure Belle c:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\VirtumondeDll3.zip\neweyoko.dll

11/29/2009 1:40:29 PM Not scanned (The file is encrypted) Laure Belle c:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\VirtumondeDll4.zip\kiwatoru.dll

11/29/2009 1:40:29 PM Not scanned (The file is encrypted) Laure Belle c:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\VirtumondeDll5.zip\tesirolo.dll

11/29/2009 1:40:29 PM Not scanned (The file is encrypted) Laure Belle c:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\VirtumondeDll6.zip\duvabova.dll

11/29/2009 1:40:29 PM Not scanned (The file is encrypted) Laure Belle c:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\VirtumondeDll7.zip\susiwoye.dll

11/29/2009 1:40:30 PM Not scanned (The file is encrypted) Laure Belle c:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\Virtumondeprx.zip\sbRecovery.reg

11/29/2009 1:40:30 PM Not scanned (The file is encrypted) Laure Belle c:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\Virtumondeprx1.zip\sbRecovery.reg

11/29/2009 1:40:30 PM Not scanned (The file is encrypted) Laure Belle c:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\Virtumondesdn.zip\validuru

11/29/2009 1:40:30 PM Not scanned (The file is encrypted) Laure Belle c:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\Virtumondesdn1.zip\__c0020640.dat

11/29/2009 1:40:31 PM Not scanned (The file is encrypted) Laure Belle c:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\WinAgentgvu.zip\sbRecovery.reg

11/29/2009 1:40:31 PM Not scanned (The file is encrypted) Laure Belle c:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\WinAgentjg.zip\user.ds.cla

11/29/2009 1:40:31 PM Not scanned (The file is encrypted) Laure Belle c:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\WinAgentjg1.zip\sbRecovery.ini

11/29/2009 1:40:31 PM Not scanned (The file is encrypted) Laure Belle c:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\WinAgentjg2.zip\sbRecovery.ini

11/29/2009 1:40:31 PM Not scanned (The file is encrypted) Laure Belle c:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\WinAgentjg3.zip\sbRecovery.ini

11/29/2009 1:40:32 PM Not scanned (The file is encrypted) Laure Belle c:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\WinAgentjg4.zip\user.ds.cla

11/29/2009 1:40:32 PM Not scanned (The file is encrypted) Laure Belle c:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\WinAgentjg5.zip\sbRecovery.ini

11/29/2009 1:40:32 PM Not scanned (The file is encrypted) Laure Belle c:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\WinAgentjg6.zip\sbRecovery.ini

11/29/2009 1:40:32 PM Not scanned (The file is encrypted) Laure Belle c:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\WinAgentjg7.zip\sbRecovery.ini

11/29/2009 1:40:33 PM Not scanned (The file is encrypted) Laure Belle c:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\WinAgentpz.zip\sbRecovery.reg

11/29/2009 1:40:33 PM Not scanned (The file is encrypted) Laure Belle c:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\WinAgentpz1.zip\sbRecovery.reg

11/29/2009 1:40:33 PM Not scanned (The file is encrypted) Laure Belle c:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\WinAgentpz2.zip\sbRecovery.reg

11/29/2009 1:40:33 PM Not scanned (The file is encrypted) Laure Belle c:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\WinAgentpz3.zip\sbRecovery.reg

11/29/2009 1:40:33 PM Not scanned (The file is encrypted) Laure Belle c:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\WinAgentpz4.zip\sbRecovery.reg

11/29/2009 1:40:34 PM Not scanned (The file is encrypted) Laure Belle c:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\WinAgentpz5.zip\sbRecovery.reg

11/29/2009 1:40:34 PM Not scanned (The file is encrypted) Laure Belle c:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\WinAgentpz6.zip\sbRecovery.reg

11/29/2009 1:40:34 PM Not scanned (The file is encrypted) Laure Belle c:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\WinTDSSrtk.zip\user.ds

11/29/2009 1:40:34 PM Not scanned (The file is encrypted) Laure Belle c:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\WinTDSSrtk1.zip\user.ds

11/29/2009 1:40:34 PM Not scanned (The file is encrypted) Laure Belle c:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\ZlobDownloader.zip\smp.bat

11/29/2009 1:52:59 PM Deleted Laure Belle c:\Documents and Settings\Laure Belle\Local Settings\Application Data\Microsoft\Windows Defender\FileTracker\{1969C1FE-2AEB-4C8A-BA6A-B880B7A03E30} QHosts-1!hosts(Trojan)

11/29/2009 1:52:59 PM Deleted Laure Belle c:\Documents and Settings\Laure Belle\Local Settings\Application Data\Microsoft\Windows Defender\FileTracker\{335395CB-BB62-4C6B-9DD3-874B0375E361} QHosts-1!hosts(Trojan)

11/29/2009 1:53:00 PM Deleted Laure Belle c:\Documents and Settings\Laure Belle\Local Settings\Application Data\Microsoft\Windows Defender\FileTracker\{749DE720-B6CD-4B14-A427-BFA4A79FF56A} QHosts-1!hosts(Trojan)

11/29/2009 1:53:00 PM Deleted Laure Belle c:\Documents and Settings\Laure Belle\Local Settings\Application Data\Microsoft\Windows Defender\FileTracker\{AC7B0DC1-650E-48F3-9CB0-D3FD8EAA2973} QHosts-1!hosts(Trojan)

11/29/2009 1:53:00 PM Deleted Laure Belle c:\Documents and Settings\Laure Belle\Local Settings\Application Data\Microsoft\Windows Defender\FileTracker\{F870EF75-4DDE-442D-A8E6-095C1512F60B} QHosts-1!hosts(Trojan)

11/29/2009 1:55:20 PM Cleaned Laure Belle c:\Documents and Settings\Laure Belle\Mom Backup\download\SULFNBK\SULFNBK.EXE W32/Magistr.a@MM(Virus)

11/29/2009 2:12:18 PM Not scanned (The file is encrypted) Laure Belle c:\Documents and Settings\Laure Belle\My Documents\My Downloads\zaSetup_80_298_000_en(2).exe\00001060.EXE\WINDOWS6.0-KB929547-V2-X64.MSU\WSUSSCAN.CAB

11/29/2009 2:16:11 PM Not scanned (The file is encrypted) Laure Belle c:\Documents and Settings\Laure Belle\My Documents\My Downloads\zaSetup_80_298_000_en.exe\00001060.EXE\WINDOWS6.0-KB929547-V2-X64.MSU\WSUSSCAN.CAB

11/29/2009 2:20:25 PM Deleted Laure Belle c:\Documents and Settings\Laure Belle\My Documents\Tim Templates\autorun.inf Generic!atr(Trojan)

11/29/2009 2:20:29 PM Deleted Laure Belle C:\DOCUMENTS AND SETTINGS\Laure Belle\MY DOCUMENTS\TIM TEMPLATES\SYSTEM.EXE W32/Autorun.worm!p(Virus)

11/29/2009 2:20:29 PM Deleted Laure Belle c:\Documents and Settings\Laure Belle\My Documents\Tim Templates\system.exe W32/Autorun.worm!p(Virus)

11/29/2009 2:26:47 PM Not scanned (The file is encrypted) Laure Belle c:\Old System Files\Battagleat\Utility\winzip80.exe\SETUP.WZ\WINZIP32.EX_

11/29/2009 2:27:00 PM Cleaned Laure Belle c:\Old System Files\download\SULFNBK.zip\SULFNBK.EXE W32/Magistr.a@MM(Virus)

11/29/2009 2:27:06 PM Cleaned Laure Belle c:\Old System Files\download\SULFNBK\SULFNBK.EXE W32/Magistr.a@MM(Virus)

11/29/2009 3:00:06 PM Deleted Laure Belle c:\System Volume Information\_restore{8A913475-0B20-49DB-AE53-09ACEFD9D385}\RP1900\A0270052.dll Vundo.gen.cc(Trojan)

11/29/2009 3:00:09 PM Deleted Laure Belle c:\System Volume Information\_restore{8A913475-0B20-49DB-AE53-09ACEFD9D385}\RP1900\A0270053.dll Vundo.gen.cc(Trojan)

11/29/2009 3:00:11 PM Deleted Laure Belle c:\System Volume Information\_restore{8A913475-0B20-49DB-AE53-09ACEFD9D385}\RP1900\A0270054.dll Vundo.gen.cc(Trojan)

11/29/2009 3:00:15 PM Deleted Laure Belle c:\System Volume Information\_restore{8A913475-0B20-49DB-AE53-09ACEFD9D385}\RP1901\A0271046.dll Vundo.gen.cc(Trojan)

11/29/2009 3:00:21 PM Deleted Laure Belle C:\SYSTEM VOLUME INFORMATION\_RESTORE{8A913475-0B20-49DB-AE53-09ACEFD9D385}\RP1901\A0271047.DLL Vundo.gen.ca(Trojan)

11/29/2009 3:00:21 PM Deleted Laure Belle c:\System Volume Information\_restore{8A913475-0B20-49DB-AE53-09ACEFD9D385}\RP1901\A0271047.dll Vundo.gen.ca(Trojan)

11/29/2009 3:02:38 PM Deleted Laure Belle c:\system volume information\_restore{8a913475-0b20-49db-ae53-09acefd9d385}\rp1905\a0271367.dll Vundo.gen.w(Trojan)

11/29/2009 3:02:55 PM Cleaned Laure Belle c:\system volume information\_restore{8a913475-0b20-49db-ae53-09acefd9d385}\rp1905\a0271367.dll Vundo.gen.w(Trojan)

11/29/2009 3:03:13 PM Deleted Laure Belle C:\SYSTEM VOLUME INFORMATION\_RESTORE{8A913475-0B20-49DB-AE53-09ACEFD9D385}\RP1905\A0271367.DLL Vundo.gen.w(Trojan)

11/29/2009 3:03:13 PM Deleted Laure Belle c:\System Volume Information\_restore{8A913475-0B20-49DB-AE53-09ACEFD9D385}\RP1905\A0271367.dll Vundo.gen.w(Trojan)

11/29/2009 3:03:31 PM Cleaned Laure Belle c:\system volume information\_restore{8a913475-0b20-49db-ae53-09acefd9d385}\rp1905\a0271370.dll Vundo.gen.ab(Trojan)

11/29/2009 3:04:11 PM Deleted Laure Belle c:\system volume information\_restore{8a913475-0b20-49db-ae53-09acefd9d385}\rp1905\a0271370.dll Vundo.gen.ab(Trojan)

11/29/2009 3:04:29 PM Cleaned Laure Belle c:\system volume information\_restore{8a913475-0b20-49db-ae53-09acefd9d385}\rp1905\a0271370.dll Vundo.gen.ab(Trojan)

11/29/2009 3:04:29 PM Deleted Laure Belle C:\SYSTEM VOLUME INFORMATION\_RESTORE{8A913475-0B20-49DB-AE53-09ACEFD9D385}\RP1905\A0271370.DLL Vundo.gen.ab(Trojan)

11/29/2009 3:04:29 PM Deleted Laure Belle c:\System Volume Information\_restore{8A913475-0B20-49DB-AE53-09ACEFD9D385}\RP1905\A0271370.dll Vundo.gen.ab(Trojan)

11/29/2009 3:05:12 PM Deleted Laure Belle c:\system volume information\_restore{8a913475-0b20-49db-ae53-09acefd9d385}\rp1906\a0271388.dll Vundo.gen.w(Trojan)

11/29/2009 3:05:29 PM Cleaned Laure Belle c:\system volume information\_restore{8a913475-0b20-49db-ae53-09acefd9d385}\rp1906\a0271388.dll Vundo.gen.w(Trojan)

11/29/2009 3:05:47 PM Deleted Laure Belle C:\SYSTEM VOLUME INFORMATION\_RESTORE{8A913475-0B20-49DB-AE53-09ACEFD9D385}\RP1906\A0271388.DLL Vundo.gen.w(Trojan)

11/29/2009 3:05:47 PM Deleted Laure Belle c:\System Volume Information\_restore{8A913475-0B20-49DB-AE53-09ACEFD9D385}\RP1906\A0271388.dll Vundo.gen.w(Trojan)

11/29/2009 3:06:04 PM Cleaned Laure Belle c:\system volume information\_restore{8a913475-0b20-49db-ae53-09acefd9d385}\rp1906\a0271389.dll Vundo.gen.cb(Trojan)

11/29/2009 3:06:05 PM Deleted Laure Belle C:\SYSTEM VOLUME

 

INFORMATION\_RESTORE{8A913475-0B20-49DB-AE53-09ACEFD9D385}\RP1906\A0271389.DLL Vundo.gen.cb(Trojan)

11/29/2009 3:06:05 PM Deleted Laure Belle c:\System Volume

 

Information\_restore{8A913475-0B20-49DB-AE53-09ACEFD9D385}\RP1906\A0271389.dll Vundo.gen.cb(Trojan)

11/29/2009 3:07:04 PM Cleaned Laure Belle c:\system volume

 

information\_restore{8a913475-0b20-49db-ae53-09acefd9d385}\rp1906\a0271587.dll Vundo.gen.ab(Trojan)

11/29/2009 3:07:04 PM Deleted Laure Belle C:\SYSTEM VOLUME

 

INFORMATION\_RESTORE{8A913475-0B20-49DB-AE53-09ACEFD9D385}\RP1906\A0271587.DLL Vundo.gen.ab(Trojan)

11/29/2009 3:07:04 PM Deleted Laure Belle c:\System Volume

 

Information\_restore{8A913475-0B20-49DB-AE53-09ACEFD9D385}\RP1906\A0271587.dll Vundo.gen.ab(Trojan)

11/29/2009 3:07:25 PM Cleaned Laure Belle c:\system volume

 

information\_restore{8a913475-0b20-49db-ae53-09acefd9d385}\rp1906\a0271636.dll Vundo.gen.ab(Trojan)

11/29/2009 3:07:26 PM Deleted Laure Belle C:\SYSTEM VOLUME

 

INFORMATION\_RESTORE{8A913475-0B20-49DB-AE53-09ACEFD9D385}\RP1906\A0271636.DLL Vundo.gen.ab(Trojan)

11/29/2009 3:07:26 PM Deleted Laure Belle c:\System Volume

 

Information\_restore{8A913475-0B20-49DB-AE53-09ACEFD9D385}\RP1906\A0271636.dll Vundo.gen.ab(Trojan)

11/29/2009 3:07:43 PM Cleaned Laure Belle c:\system volume

 

information\_restore{8a913475-0b20-49db-ae53-09acefd9d385}\rp1906\a0271637.dll Vundo.gen.ab(Trojan)

11/29/2009 3:08:22 PM Deleted Laure Belle c:\system volume

 

information\_restore{8a913475-0b20-49db-ae53-09acefd9d385}\rp1906\a0271637.dll Vundo.gen.ab(Trojan)

11/29/2009 3:08:39 PM Cleaned Laure Belle c:\system volume

 

information\_restore{8a913475-0b20-49db-ae53-09acefd9d385}\rp1906\a0271637.dll Vundo.gen.ab(Trojan)

11/29/2009 3:08:39 PM Deleted Laure Belle C:\SYSTEM VOLUME

 

INFORMATION\_RESTORE{8A913475-0B20-49DB-AE53-09ACEFD9D385}\RP1906\A0271637.DLL Vundo.gen.ab(Trojan)

11/29/2009 3:08:39 PM Deleted Laure Belle c:\System Volume

 

Information\_restore{8A913475-0B20-49DB-AE53-09ACEFD9D385}\RP1906\A0271637.dll Vundo.gen.ab(Trojan)

11/29/2009 3:08:57 PM Cleaned Laure Belle c:\system volume

 

information\_restore{8a913475-0b20-49db-ae53-09acefd9d385}\rp1906\a0271639.dll Vundo.gen.ab(Trojan)

11/29/2009 3:09:36 PM Deleted Laure Belle c:\system volume

 

information\_restore{8a913475-0b20-49db-ae53-09acefd9d385}\rp1906\a0271639.dll Vundo.gen.ab(Trojan)

11/29/2009 3:09:53 PM Cleaned Laure Belle c:\system volume

 

information\_restore{8a913475-0b20-49db-ae53-09acefd9d385}\rp1906\a0271639.dll Vundo.gen.ab(Trojan)

11/29/2009 3:09:53 PM Deleted Laure Belle C:\SYSTEM VOLUME

 

INFORMATION\_RESTORE{8A913475-0B20-49DB-AE53-09ACEFD9D385}\RP1906\A0271639.DLL Vundo.gen.ab(Trojan)

11/29/2009 3:09:53 PM Deleted Laure Belle c:\System Volume

 

Information\_restore{8A913475-0B20-49DB-AE53-09ACEFD9D385}\RP1906\A0271639.dll Vundo.gen.ab(Trojan)

11/29/2009 3:09:56 PM Deleted Laure Belle c:\System Volume

 

Information\_restore{8A913475-0B20-49DB-AE53-09ACEFD9D385}\RP1906\A0271641.dll Vundo.gen.cc(Trojan)

11/29/2009 3:10:15 PM Deleted Laure Belle C:\SYSTEM VOLUME

 

INFORMATION\_RESTORE{8A913475-0B20-49DB-AE53-09ACEFD9D385}\RP1907\A0271741.DLL Vundo.gen.ca(Trojan)

11/29/2009 3:10:15 PM Deleted Laure Belle c:\System Volume

 

Information\_restore{8A913475-0B20-49DB-AE53-09ACEFD9D385}\RP1907\A0271741.dll Vundo.gen.ca(Trojan)

11/29/2009 3:10:32 PM Cleaned Laure Belle c:\system volume

 

information\_restore{8a913475-0b20-49db-ae53-09acefd9d385}\rp1907\a0271742.dll Vundo.gen.ab(Trojan)

11/29/2009 3:11:12 PM Deleted Laure Belle c:\system volume

 

information\_restore{8a913475-0b20-49db-ae53-09acefd9d385}\rp1907\a0271742.dll Vundo.gen.ab(Trojan)

11/29/2009 3:11:30 PM Cleaned Laure Belle c:\system volume

 

information\_restore{8a913475-0b20-49db-ae53-09acefd9d385}\rp1907\a0271742.dll Vundo.gen.ab(Trojan)

11/29/2009 3:11:30 PM Deleted Laure Belle C:\SYSTEM VOLUME

 

INFORMATION\_RESTORE{8A913475-0B20-49DB-AE53-09ACEFD9D385}\RP1907\A0271742.DLL Vundo.gen.ab(Trojan)

11/29/2009 3:11:30 PM Deleted Laure Belle c:\System Volume

 

Information\_restore{8A913475-0B20-49DB-AE53-09ACEFD9D385}\RP1907\A0271742.dll Vundo.gen.ab(Trojan)

11/29/2009 3:11:55 PM Cleaned Laure Belle c:\system volume

 

information\_restore{8a913475-0b20-49db-ae53-09acefd9d385}\rp1907\a0271783.dll Vundo.gen.ab(Trojan)

11/29/2009 3:12:36 PM Deleted Laure Belle c:\system volume

 

information\_restore{8a913475-0b20-49db-ae53-09acefd9d385}\rp1907\a0271783.dll Vundo.gen.ab(Trojan)

11/29/2009 3:12:54 PM Cleaned Laure Belle c:\system volume

 

information\_restore{8a913475-0b20-49db-ae53-09acefd9d385}\rp1907\a0271783.dll Vundo.gen.ab(Trojan)

11/29/2009 3:12:55 PM Deleted Laure Belle C:\SYSTEM VOLUME

 

INFORMATION\_RESTORE{8A913475-0B20-49DB-AE53-09ACEFD9D385}\RP1907\A0271783.DLL Vundo.gen.ab(Trojan)

11/29/2009 3:12:55 PM Deleted Laure Belle c:\System Volume

 

Information\_restore{8A913475-0B20-49DB-AE53-09ACEFD9D385}\RP1907\A0271783.dll Vundo.gen.ab(Trojan)

11/29/2009 3:13:13 PM Cleaned Laure Belle c:\system volume

 

information\_restore{8a913475-0b20-49db-ae53-09acefd9d385}\rp1907\a0271784.dll Vundo.gen.cb(Trojan)

11/29/2009 3:13:13 PM Deleted Laure Belle C:\SYSTEM VOLUME

 

INFORMATION\_RESTORE{8A913475-0B20-49DB-AE53-09ACEFD9D385}\RP1907\A0271784.DLL Vundo.gen.cb(Trojan)

11/29/2009 3:13:13 PM Deleted Laure Belle c:\System Volume

 

Information\_restore{8A913475-0B20-49DB-AE53-09ACEFD9D385}\RP1907\A0271784.dll Vundo.gen.cb(Trojan)

11/29/2009 3:13:31 PM Cleaned Laure Belle c:\system volume

 

information\_restore{8a913475-0b20-49db-ae53-09acefd9d385}\rp1907\a0271785.dll Vundo.gen.ab(Trojan)

11/29/2009 3:14:12 PM Deleted Laure Belle c:\system volume

 

information\_restore{8a913475-0b20-49db-ae53-09acefd9d385}\rp1907\a0271785.dll Vundo.gen.ab(Trojan)

11/29/2009 3:14:29 PM Cleaned Laure Belle c:\system volume

 

information\_restore{8a913475-0b20-49db-ae53-09acefd9d385}\rp1907\a0271785.dll Vundo.gen.ab(Trojan)

11/29/2009 3:14:29 PM Deleted Laure Belle C:\SYSTEM VOLUME

 

INFORMATION\_RESTORE{8A913475-0B20-49DB-AE53-09ACEFD9D385}\RP1907\A0271785.DLL Vundo.gen.ab(Trojan)

11/29/2009 3:14:30 PM Deleted Laure Belle c:\System Volume

 

Information\_restore{8A913475-0B20-49DB-AE53-09ACEFD9D385}\RP1907\A0271785.dll Vundo.gen.ab(Trojan)

11/29/2009 3:14:47 PM Cleaned Laure Belle c:\system volume

 

information\_restore{8a913475-0b20-49db-ae53-09acefd9d385}\rp1907\a0271786.dll Vundo.gen.cb(Trojan)

11/29/2009 3:14:47 PM Deleted Laure Belle C:\SYSTEM VOLUME

 

INFORMATION\_RESTORE{8A913475-0B20-49DB-AE53-09ACEFD9D385}\RP1907\A0271786.DLL Vundo.gen.cb(Trojan)

11/29/2009 3:14:48 PM Deleted Laure Belle c:\System Volume

 

Information\_restore{8A913475-0B20-49DB-AE53-09ACEFD9D385}\RP1907\A0271786.dll Vundo.gen.cb(Trojan)

11/29/2009 3:15:28 PM Deleted Laure Belle c:\system volume

 

information\_restore{8a913475-0b20-49db-ae53-09acefd9d385}\rp1907\a0271787.dll Vundo.gen.w(Trojan)

11/29/2009 3:15:45 PM Cleaned Laure Belle c:\system volume

 

information\_restore{8a913475-0b20-49db-ae53-09acefd9d385}\rp1907\a0271787.dll Vundo.gen.w(Trojan)

11/29/2009 3:16:02 PM Deleted Laure Belle C:\SYSTEM VOLUME

 

INFORMATION\_RESTORE{8A913475-0B20-49DB-AE53-09ACEFD9D385}\RP1907\A0271787.DLL Vundo.gen.w(Trojan)

11/29/2009 3:16:02 PM Deleted Laure Belle c:\System Volume

 

Information\_restore{8A913475-0B20-49DB-AE53-09ACEFD9D385}\RP1907\A0271787.dll Vundo.gen.w(Trojan)

11/29/2009 3:16:19 PM Cleaned Laure Belle c:\system volume

 

information\_restore{8a913475-0b20-49db-ae53-09acefd9d385}\rp1907\a0271788.dll Vundo.gen.ab(Trojan)

11/29/2009 3:16:58 PM Deleted Laure Belle c:\system volume

 

information\_restore{8a913475-0b20-49db-ae53-09acefd9d385}\rp1907\a0271788.dll Vundo.gen.ab(Trojan)

11/29/2009 3:17:15 PM Cleaned Laure Belle c:\system volume

 

information\_restore{8a913475-0b20-49db-ae53-09acefd9d385}\rp1907\a0271788.dll Vundo.gen.ab(Trojan)

11/29/2009 3:17:16 PM Deleted Laure Belle C:\SYSTEM VOLUME

 

INFORMATION\_RESTORE{8A913475-0B20-49DB-AE53-09ACEFD9D385}\RP1907\A0271788.DLL Vundo.gen.ab(Trojan)

11/29/2009 3:17:16 PM Deleted Laure Belle c:\System Volume

 

Information\_restore{8A913475-0B20-49DB-AE53-09ACEFD9D385}\RP1907\A0271788.dll Vundo.gen.ab(Trojan)

11/29/2009 3:17:32 PM Cleaned Laure Belle c:\system volume

 

information\_restore{8a913475-0b20-49db-ae53-09acefd9d385}\rp1907\a0271789.dll Vundo.gen.ab(Trojan)

11/29/2009 3:18:11 PM Deleted Laure Belle c:\system volume

 

information\_restore{8a913475-0b20-49db-ae53-09acefd9d385}\rp1907\a0271789.dll Vundo.gen.ab(Trojan)

11/29/2009 3:18:28 PM Cleaned Laure Belle c:\system volume

 

information\_restore{8a913475-0b20-49db-ae53-09acefd9d385}\rp1907\a0271789.dll Vundo.gen.ab(Trojan)

11/29/2009 3:18:29 PM Deleted Laure Belle C:\SYSTEM VOLUME

 

INFORMATION\_RESTORE{8A913475-0B20-49DB-AE53-09ACEFD9D385}\RP1907\A0271789.DLL Vundo.gen.ab(Trojan)

11/29/2009 3:18:29 PM Deleted Laure Belle c:\System Volume

 

Information\_restore{8A913475-0B20-49DB-AE53-09ACEFD9D385}\RP1907\A0271789.dll Vundo.gen.ab(Trojan)

11/29/2009 3:18:46 PM Cleaned Laure Belle c:\system volume

 

information\_restore{8a913475-0b20-49db-ae53-09acefd9d385}\rp1907\a0271790.dll Vundo.gen.ab(Trojan)

11/29/2009 3:19:26 PM Deleted Laure Belle c:\system volume

 

information\_restore{8a913475-0b20-49db-ae53-09acefd9d385}\rp1907\a0271790.dll Vundo.gen.ab(Trojan)

11/29/2009 3:19:43 PM Cleaned Laure Belle c:\system volume

 

information\_restore{8a913475-0b20-49db-ae53-09acefd9d385}\rp1907\a0271790.dll Vundo.gen.ab(Trojan)

11/29/2009 3:19:43 PM Deleted Laure Belle C:\SYSTEM VOLUME

 

INFORMATION\_RESTORE{8A913475-0B20-49DB-AE53-09ACEFD9D385}\RP1907\A0271790.DLL Vundo.gen.ab(Trojan)

11/29/2009 3:19:43 PM Deleted Laure Belle c:\System Volume

 

Information\_restore{8A913475-0B20-49DB-AE53-09ACEFD9D385}\RP1907\A0271790.dll Vundo.gen.ab(Trojan)

11/29/2009 3:19:50 PM Deleted Laure Belle C:\SYSTEM VOLUME

 

INFORMATION\_RESTORE{8A913475-0B20-49DB-AE53-09ACEFD9D385}\RP1908\A0271828.EXE PWS-Zbot.gen.c(Trojan)

11/29/2009 3:19:50 PM Deleted Laure Belle c:\System Volume

 

Information\_restore{8A913475-0B20-49DB-AE53-09ACEFD9D385}\RP1908\A0271828.exe PWS-Zbot.gen.c(Trojan)

11/29/2009 3:20:55 PM Cleaned Laure Belle c:\System Volume

 

Information\_restore{8A913475-0B20-49DB-AE53-09ACEFD9D385}\RP1920\A0274102.EXE W32/Magistr.a@MM(Virus)

11/29/2009 3:20:56 PM Cleaned Laure Belle c:\System Volume

 

Information\_restore{8A913475-0B20-49DB-AE53-09ACEFD9D385}\RP1920\A0274103.EXE W32/Magistr.a@MM(Virus)

11/29/2009 4:25:40 PM Deleted Laure Belle

 

c:\WINDOWS\system32\drivers\etc\hosts.20091101-165110.backup QHosts-1!hosts(Trojan)

11/29/2009 4:25:41 PM Deleted Laure Belle

 

c:\WINDOWS\system32\drivers\etc\hosts.20091101-184701.backup QHosts-1!hosts(Trojan)

11/29/2009 4:27:37 PM Scan Summary YOUR-5OLNB28OAO\Laure Belle Scan Summary

11/29/2009 4:27:37 PM Scan Summary YOUR-5OLNB28OAO\Laure Belle Processes scanned : 811

11/29/2009 4:27:37 PM Scan Summary YOUR-5OLNB28OAO\Laure Belle Processes detected : 0

11/29/2009 4:27:37 PM Scan Summary YOUR-5OLNB28OAO\Laure Belle Processes cleaned : 0

11/29/2009 4:27:37 PM Scan Summary YOUR-5OLNB28OAO\Laure Belle Boot sectors scanned : 2

11/29/2009 4:27:37 PM Scan Summary YOUR-5OLNB28OAO\Laure Belle Boot sectors detected: 0

11/29/2009 4:27:37 PM Scan Summary YOUR-5OLNB28OAO\Laure Belle Boot sectors cleaned : 0

11/29/2009 4:27:37 PM Scan Summary YOUR-5OLNB28OAO\Laure Belle Files scanned : 65360

11/29/2009 4:27:37 PM Scan Summary YOUR-5OLNB28OAO\Laure Belle Files with detections: 39

11/29/2009 4:27:37 PM Scan Summary YOUR-5OLNB28OAO\Laure Belle File detections : 98

11/29/2009 4:27:37 PM Scan Summary YOUR-5OLNB28OAO\Laure Belle Files cleaned : 5

11/29/2009 4:27:37 PM Scan Summary YOUR-5OLNB28OAO\Laure Belle Files deleted : 34

11/29/2009 4:27:37 PM Scan Summary YOUR-5OLNB28OAO\Laure Belle Files not scanned : 68

11/29/2009 4:27:37 PM Scan Summary YOUR-5OLNB28OAO\Laure Belle Run time : 2:56:21

11/29/2009 4:27:37 PM Scan Complete YOUR-5OLNB28OAO\Laure Belle Full Scan


I was finally able to download and run MalwareBytes and it detected nothing. Here is my latest Hijack This log:

 

Logfile of Trend Micro HijackThis v2.0.2

Scan saved at 7:27:12 PM, on 11/29/2009

Platform: Windows XP SP3 (WinNT 5.01.2600)

MSIE: Internet Explorer v7.00 (7.00.6000.16915)

Boot mode: Normal

 

Running processes:

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\system32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\Explorer.EXE

C:\WINDOWS\system32\LEXBCES.EXE

C:\WINDOWS\system32\LEXPPS.EXE

C:\WINDOWS\system32\spoolsv.exe

C:\Program Files\Microsoft Hardware\Keyboard\type32.exe

C:\Program Files\McAfee\Common Framework\UdaterUI.exe

C:\WINDOWS\system32\ctfmon.exe

C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe

C:\Program Files\McAfee\Common Framework\FrameworkService.exe

C:\Program Files\Yahoo!\Messenger\ymsgr_tray.exe

C:\Program Files\McAfee\Common Framework\McTray.exe

C:\Program Files\McAfee\VirusScan Enterprise\Mcshield.exe

C:\Program Files\McAfee\VirusScan Enterprise\VsTskMgr.exe

C:\WINDOWS\system32\HPZipm12.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\system32\NOTEPAD.EXE

C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

 

R1 - HKCU\Software\Microsoft\Internet Explorer,SearchURL = about:blank

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =

R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll

O1 - Hosts: 209.66.123.174 www.thehun.com

O2 - BHO: Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll

O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll

O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll

O2 - BHO: UberButton Class - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\common\yiesrvc.dll

O2 - BHO: YahooTaggedBM Class - {65D886A2-7CA7-479B-BB95-14D1EFB7946A} - C:\Program Files\Yahoo!\common\YIeTagBm.dll

O2 - BHO: scriptproxy - {7DB2D5A0-7241-4E79-B68D-6309F01C5231} - C:\Program Files\McAfee\VirusScan Enterprise\scriptcl.dll

O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)

O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll

O2 - BHO: (no name) - {FDD3B846-8D59-4ffb-8758-209B6AD74ACC} - C:\Program Files\Microsoft Money\System\mnyviewer.dll

O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll

O4 - HKLM\..\Run: [intelliType] "C:\Program Files\Microsoft Hardware\Keyboard\type32.exe"

O4 - HKLM\..\Run: [Windows Defender] "C:\Program Files\Windows Defender\MSASCui.exe" -hide

O4 - HKLM\..\Run: [Malwarebytes Anti-Malware (reboot)] "C:\Program Files\Malwarebytes' Anti-Malware\mbam.exe" /runcleanupscript

O4 - HKLM\..\Run: [shStatEXE] "C:\Program Files\McAfee\VirusScan Enterprise\SHSTAT.EXE" /STANDALONE

O4 - HKLM\..\Run: [McAfeeUpdaterUI] "C:\Program Files\McAfee\Common Framework\UdaterUI.exe" /StartedFromRunKey

O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe

O4 - HKCU\..\Run: [Yahoo! Pager] "C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe" -quiet

O4 - HKCU\..\Run: [spybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe

O4 - HKUS\S-1-5-18\..\Run: [DWQueuedReporting] "C:\PROGRA~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" -t (User 'SYSTEM')

O4 - HKUS\.DEFAULT\..\Run: [DWQueuedReporting] "C:\PROGRA~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" -t (User 'Default user')

O8 - Extra context menu item: &Yahoo! Search - file:///C:\Program Files\Yahoo!\Common/ycsrch.htm

O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\Office10\EXCEL.EXE/3000

O8 - Extra context menu item: Yahoo! &Dictionary - file:///C:\Program Files\Yahoo!\Common/ycdict.htm

O8 - Extra context menu item: Yahoo! &Maps - file:///C:\Program Files\Yahoo!\Common/ycmap.htm

O8 - Extra context menu item: Yahoo! &SMS - file:///C:\Program Files\Yahoo!\Common/ycsms.htm

O9 - Extra button: Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\common\yiesrvc.dll

O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM95\aim.exe

O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll

O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll

O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll

O9 - Extra button: MoneySide - {E023F504-0C5A-4750-A1E7-A9046DEA8A21} - C:\Program Files\Microsoft Money\System\mnyviewer.dll

O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe

O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe

O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe

O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe

O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll

O14 - IERESET.INF: START_PAGE_URL=http://www.e4me.com

O15 - Trusted Zone: *.texastech.edu

O16 - DPF: {0CCA191D-13A6-4E29-B746-314DEE697D83} (Facebook Photo Uploader 5 Control) - http://upload.facebook.com/controls/2008.10.10_v5.5.8/FacebookPhotoUploader5.cab

O16 - DPF: {215B8138-A3CF-44C5-803F-8226143CFC0A} (Trend Micro ActiveX Scan Agent 6.6) - http://housecall65.trendmicro.com/housecall/applet/html/native/x86/win32/activex/hcImpl.cab

O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - C:\Program Files\Yahoo!\Common\yinsthelper.dll

O16 - DPF: {48DD0448-9209-4F81-9F6D-D83562940134} (MySpace Uploader Control) - http://lads.myspace.com/upload/MySpaceUploader1006.cab

O16 - DPF: {5C6698D9-7BE4-4122-8EC5-291D84DBD4A0} - http://upload.facebook.com/controls/FacebookPhotoUploader3.cab

O16 - DPF: {8100D56A-5661-482C-BEE8-AFECE305D968} (Facebook Photo Uploader 5 Control) - http://upload.facebook.com/controls/2009.07.28_v5.5.8.1/FacebookPhotoUploader55.cab

O16 - DPF: {D6E7CFB5-C074-4D1C-B647-663D1A8D96BF} (Facebook Photo Uploader 4) - http://upload.facebook.com/controls/FacebookPhotoUploader4_5.cab

O16 - DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} (get_atlcom Class) - http://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab

O20 - AppInit_DLLs: bemadoko.dll c:\windows\system32\yezenefi.dll

O21 - SSODL: zuhujaruh - {2e9b7a26-def9-4006-b878-b9da3659dbba} - c:\windows\system32\yezenefi.dll (file missing)

O22 - SharedTaskScheduler: kupuhivus - {2e9b7a26-def9-4006-b878-b9da3659dbba} - c:\windows\system32\yezenefi.dll (file missing)

O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE

O23 - Service: McAfee Framework Service (McAfeeFramework) - McAfee, Inc. - C:\Program Files\McAfee\Common Framework\FrameworkService.exe

O23 - Service: McAfee McShield (McShield) - McAfee, Inc. - C:\Program Files\McAfee\VirusScan Enterprise\Mcshield.exe

O23 - Service: McAfee Task Manager (McTaskManager) - McAfee, Inc. - C:\Program Files\McAfee\VirusScan Enterprise\VsTskMgr.exe

O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe

 

--

End of file - 7735 bytes

-----------------------------------------------------------

 

Anything in this list I can get rid of? I plan to do away with the following because I don't know what they are, and I no longer have a Lexmark Printer:

 

O1 - Hosts: 209.66.123.174 www.thehun.com

O14 - IERESET.INF: START_PAGE_URL=http://www.e4me.com

O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE

 

 

I have no more popups at this point, just trying to get rid of as much garbage as I can. Thanks again for your help, hope this info helps someone else too.

 

Laure


Hi LaureBelle!!.. :).

 

I plan to do away with the following because I don't know what they are, and I no longer have a Lexmark Printer:

 

O1 - Hosts: 209.66.123.174 www.thehun.com

O14 - IERESET.INF: START_PAGE_URL=http://www.e4me.com

The first one "tells" your system (or rather a web browser) where to go when you type www.thehun.com into the address bar... The second one "tells" your system to set that page as a start page when you reset IE settings to default... These are not malware related entries but can be safely removed...

 

Please do the following:

Firstly, disable those two antispyware programs as they may hinder the removal of some entries: Windows Defender and SpybotSD's TeaTimer... Use instructions from this site: link

 

Secondly,

Please run a scan in HijackThis and check the following items:

O1 - Hosts: 209.66.123.174 www.thehun.com

O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)

O14 - IERESET.INF: START_PAGE_URL=http://www.e4me.com

O20 - AppInit_DLLs: bemadoko.dll c:\windows\system32\yezenefi.dll

O21 - SSODL: zuhujaruh - {2e9b7a26-def9-4006-b878-b9da3659dbba} - c:\windows\system32\yezenefi.dll (file missing)

O22 - SharedTaskScheduler: kupuhivus - {2e9b7a26-def9-4006-b878-b9da3659dbba} - c:\windows\system32\yezenefi.dll (file missing)

O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE

 

Then, close all open windows, except HijackThis and click: Fix checked.

 

Also, Go to Start --> Run and type the following command in the field: (or copy and paste it)

 

sc delete LexBceS

Click OK

 

Then, you may re-enable one of the antispyware programs - I don't recommend running more than one antispyware program's real time protection at once, because they can conflict with each other.

 

Thirdly,

You're using an old version of Adobe Acrobat Reader, this can leave your PC open to vulnerabilities, you can update it here (uninstall version 7.0 first):

http://www.adobe.com/products/acrobat/readstep2.html

 

 

Finally, I need to gather more information about your system to make sure everything is fine... Perform those 2 quick scans for me, please:

-DDS:

  • Download DDS by sUBs from one of the following links. Save it to your Desktop.

     

    NOTE: Before scanning, make sure all other running programs are closed.

    There shouldn't be any scheduled antivirus scans running while the scan is being performed.

    Do not use your computer for anything else during the scan.

     

    • Double click on the DDS icon, allow it to run.

    • A small box will open, with an explanation about the tool. No input is needed, the scan is running.

    • Notepad will open with the results, click Yes to the Optional_Scan

    • >>Post the contents of both DDS.txt and Attach.txt into the thread.<<

    • Close the program window, and delete the program from your Desktop.

 

- Please close all antivirus and antimalware programs so they do not interfere with the running of RootRepeal.

  • Please download RootRepeal.zip from here.
  • Extract the program file to your Desktop.
  • Run the program RootRepeal.exe and go to the Report tab (1) and click on the Scan button (2).
     
    rootrepeal1.png
     
  • Select ALL of the checkboxes (3) and then click OK and it will start scanning your system.
    rootrepeal2.png
  • If you have multiple drives you only need to check the C: drive or the one Windows is installed on.
  • When done, click on Save Report (4).
  • Save it to the Desktop.
  • Please copy/paste the contents of the report in your next reply.
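The reply above explains what an O1 hosts entry and an IERESET.INF start page do and picks out the O20/O21/O22 lines that point at the same DLL. As an added example of doing that review mechanically (this is not code from the thread, from HijackThis or from DDS), the Python script below reads HijackThis/DDS-style lines and flags hosts-file redirects to non-loopback addresses, anything listed in AppInit_DLLs, shell-object autostarts whose file is missing or that share a DLL with AppInit_DLLs, orphaned BHO registrations, and LSA notification packages beyond the stock ones. The input lines are copied from the HijackThis and DDS logs posted in this thread; the rule set, the severities and the KNOWN_LSA_PACKAGES list are this example's own assumptions.

```python
"""Triage HijackThis / DDS log lines for autostart entries worth a second look.

Added example, not code from the thread or from either tool. SAMPLE_LOG is
copied from the logs posted in the thread; the rules below are assumptions.
"""
import ipaddress
import re

# Lines copied from the HijackThis and DDS logs posted in this thread.
SAMPLE_LOG = r"""
O1 - Hosts: 209.66.123.174 www.thehun.com
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O20 - AppInit_DLLs: bemadoko.dll c:\windows\system32\yezenefi.dll
O21 - SSODL: zuhujaruh - {2e9b7a26-def9-4006-b878-b9da3659dbba} - c:\windows\system32\yezenefi.dll (file missing)
O22 - SharedTaskScheduler: kupuhivus - {2e9b7a26-def9-4006-b878-b9da3659dbba} - c:\windows\system32\yezenefi.dll (file missing)
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
LSA: Notification Packages = scecli tesirolo.dll
Hosts: 127.0.0.1 www.spywareinfo.com
"""

# Assumption: notification packages that ship with Windows. Anything else is a
# DLL that lsass.exe loads at boot and that sees every password change.
KNOWN_LSA_PACKAGES = {"scecli", "rassfm", "kdcsvc"}

HOSTS_RE = re.compile(r"^(?:O1 - )?Hosts:\s+(\S+)\s+(\S+)", re.I)
APPINIT_RE = re.compile(r"^O20 - AppInit_DLLs:\s*(.*)$", re.I)
# O21 (SSODL) and O22 (SharedTaskScheduler) share one layout: label - {CLSID} - path [(file missing)]
SHELL_OBJ_RE = re.compile(
    r"^O2[12] - \S+:\s*(.*?) - \{[0-9a-f-]+\} - (.*?)(\s*\(file missing\))?$", re.I)
BHO_RE = re.compile(r"^O2 - BHO:.* - (.*)$", re.I)
LSA_RE = re.compile(r"^LSA: Notification Packages = (.*)$", re.I)


def dll_name(path):
    """Lower-cased file-name component of a Windows path or bare DLL name."""
    return path.strip().replace("/", "\\").rsplit("\\", 1)[-1].lower()


def triage(log_text):
    """Return a list of (severity, line, reason) tuples in log order."""
    findings = []
    lines = [ln.strip() for ln in log_text.splitlines() if ln.strip()]

    # First pass: remember every DLL named in AppInit_DLLs so that a shell
    # object pointing at the same file can be tied back to it.
    appinit_dlls = set()
    for ln in lines:
        m = APPINIT_RE.match(ln)
        if m:
            appinit_dlls.update(dll_name(p) for p in m.group(1).split())

    for ln in lines:
        m = HOSTS_RE.match(ln)
        if m:
            ip_text, host = m.groups()
            try:
                ip = ipaddress.ip_address(ip_text)
            except ValueError:
                findings.append(("high", ln, "hosts entry with an unparsable address"))
                continue
            # 127.0.0.1 / 0.0.0.0 entries are the normal ad-blocking pattern;
            # a routable address silently redirects the host elsewhere.
            if not (ip.is_loopback or ip.is_unspecified):
                findings.append(("high", ln, f"hosts file redirects {host} to external address {ip}"))
            continue
        m = APPINIT_RE.match(ln)
        if m and m.group(1).strip():
            findings.append(("high", ln, "AppInit_DLLs loads these DLLs into every process that maps user32.dll"))
            continue
        m = SHELL_OBJ_RE.match(ln)
        if m:
            _label, path, missing = m.groups()
            reasons = []
            if dll_name(path) in appinit_dlls:
                reasons.append("same DLL as an AppInit_DLLs entry")
            if missing:
                reasons.append("autostart points at a file that no longer exists")
            if reasons:
                findings.append(("medium", ln, "; ".join(reasons)))
            continue
        m = BHO_RE.match(ln)
        if m and m.group(1).strip().lower() == "(no file)":
            findings.append(("low", ln, "orphaned BHO registration, no DLL on disk"))
            continue
        m = LSA_RE.match(ln)
        if m:
            names = [n.lower() for n in m.group(1).split()]
            extra = [n for n in names if (n[:-4] if n.endswith(".dll") else n) not in KNOWN_LSA_PACKAGES]
            if extra:
                findings.append(("high", ln, "unknown LSA notification package(s): " + ", ".join(extra)))
    return findings


if __name__ == "__main__":
    for severity, line, reason in triage(SAMPLE_LOG):
        print(f"[{severity:6}] {reason}\n         {line}")
```

Each finding keeps the original log line, so the output can be pasted back into a reply as the list of entries to fix. The 127.0.0.1 entry for www.spywareinfo.com is deliberately left alone: pointing a name at loopback blocks it, which is what ad-blocking hosts lists and security tools do, while the O1 line the reply discusses points at a routable address.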


Ok, done, and done. :-)

 

 

DDS (Ver_09-12-01.01) - NTFSx86

Run by Laure Belle at 12:28:21.82 on Tue 12/15/2009

Internet Explorer: 7.0.5730.11 BrowserJavaVersion: 1.6.0_17

Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.1023.732 [GMT -6:00]

 

AV: McAfee VirusScan Enterprise *On-access scanning disabled* (Updated) {918A2B0B-2C60-4016-A4AB-E868DEABF7F0}

FW: ZoneAlarm Firewall *disabled* {829BDA32-94B3-44F4-8446-F8FCFF809F8B}

 

============== Running Processes ===============

 

C:\WINDOWS\system32\svchost -k DcomLaunch

svchost.exe

C:\WINDOWS\System32\svchost.exe -k netsvcs

svchost.exe

svchost.exe

C:\WINDOWS\Explorer.EXE

svchost.exe

C:\Program Files\Java\jre6\bin\jqs.exe

C:\Program Files\McAfee\Common Framework\FrameworkService.exe

C:\Program Files\McAfee\VirusScan Enterprise\Mcshield.exe

C:\Program Files\McAfee\VirusScan Enterprise\VsTskMgr.exe

C:\WINDOWS\system32\HPZipm12.exe

C:\WINDOWS\System32\svchost.exe -k imgsvc

C:\Program Files\Viewpoint\Common\ViewpointService.exe

C:\Program Files\Microsoft Hardware\Keyboard\type32.exe

C:\Program Files\McAfee\Common Framework\UdaterUI.exe

C:\Program Files\Java\jre6\bin\jusched.exe

C:\Program Files\McAfee\Common Framework\McTray.exe

C:\WINDOWS\system32\ctfmon.exe

C:\WINDOWS\system32\wscntfy.exe

C:\Documents and Settings\Laurie Smerud\My Documents\My Downloads\dds.com

 

============== Pseudo HJT Report ===============

 

uStart Page = hxxp://www.google.com/

uCustomizeSearch = hxxp://ie.search.msn.com

uURLSearchHooks: Yahoo! Toolbar: {ef99bd32-c1fb-11d2-892f-0090271d4f88} - c:\program files\yahoo!\companion\installs\cpn\yt.dll

BHO: Yahoo! Toolbar Helper: {02478d38-c3f9-4efb-9b51-7695eca05670} - c:\program files\yahoo!\companion\installs\cpn\yt.dll

BHO: Spybot-S&D IE Protection: {53707962-6f74-2d53-2644-206d7942484f} - c:\progra~1\spybot~1\SDHelper.dll

BHO: UberButton Class: {5bab4b5b-68bc-4b02-94d6-2fc0de4a7897} - c:\program files\yahoo!\common\yiesrvc.dll

BHO: YahooTaggedBM Class: {65d886a2-7ca7-479b-bb95-14d1efb7946a} - c:\program files\yahoo!\common\YIeTagBm.dll

BHO: scriptproxy: {7db2d5a0-7241-4e79-b68d-6309f01c5231} - c:\program files\mcafee\virusscan enterprise\scriptcl.dll

BHO: Windows Live Sign-in Helper: {9030d464-4c02-4abf-8ecc-5164760863c6} - c:\program files\common files\microsoft shared\windows live\WindowsLiveLogin.dll

BHO: Java Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll

BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll

BHO: {fdd3b846-8d59-4ffb-8758-209b6ad74acc} - c:\program files\microsoft money\system\mnyviewer.dll

TB: Yahoo! Toolbar: {ef99bd32-c1fb-11d2-892f-0090271d4f88} - c:\program files\yahoo!\companion\installs\cpn\yt.dll

EB: &Yahoo! Messenger: {4528bbe0-4e08-11d5-ad55-00010333d0ad} - c:\progra~1\yahoo!\common\yhexbmesus.dll

EB: Real.com: {fe54fa40-d68c-11d2-98fa-00c0f0318afe} - c:\windows\system32\Shdocvw.dll

EB: {32683183-48a0-441b-a342-7c2a440a9478} - No File

uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe

uRun: [Aim6]

mRun: [intelliType] "c:\program files\microsoft hardware\keyboard\type32.exe"

mRun: [Windows Defender] "c:\program files\windows defender\MSASCui.exe" -hide

mRun: [Malwarebytes Anti-Malware (reboot)] "c:\program files\malwarebytes' anti-malware\mbam.exe" /runcleanupscript

mRun: [shStatEXE] "c:\program files\mcafee\virusscan enterprise\SHSTAT.EXE" /STANDALONE

mRun: [McAfeeUpdaterUI] "c:\program files\mcafee\common framework\UdaterUI.exe" /StartedFromRunKey

mRun: [sunJavaUpdateSched] "c:\program files\java\jre6\bin\jusched.exe"

mRun: [ZoneAlarm Client] "c:\program files\zone labs\zonealarm\zlclient.exe"

dRun: [DWQueuedReporting] "c:\progra~1\common~1\micros~1\dw\dwtrig20.exe" -t

IE: &Yahoo! Search - file:///c:\program files\yahoo!\Common/ycsrch.htm

IE: E&xport to Microsoft Excel - c:\progra~1\micros~3\office10\EXCEL.EXE/3000

IE: Yahoo! &Dictionary - file:///c:\program files\yahoo!\Common/ycdict.htm

IE: Yahoo! &Maps - file:///c:\program files\yahoo!\Common/ycmap.htm

IE: Yahoo! &SMS - file:///c:\program files\yahoo!\Common/ycsms.htm

IE: {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - c:\program files\aim95\aim.exe

IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe

IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe

IE: {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - c:\program files\yahoo!\common\yiesrvc.dll

IE: {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - {FE54FA40-D68C-11d2-98FA-00C0F0318AFE} - c:\windows\system32\Shdocvw.dll

IE: {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - {53707962-6F74-2D53-2644-206D7942484F} - c:\progra~1\spybot~1\SDHelper.dll

IE: {E023F504-0C5A-4750-A1E7-A9046DEA8A21} - {301DA1EE-F65C-4188-A417-9E915CC8FBFA} - c:\program files\microsoft money\system\mnyviewer.dll

Trusted Zone: texastech.edu

Trusted Zone: texastech.edu\cognos

DPF: Microsoft XML Parser for Java - file://c:\windows\java\classes\xmldso.cab

DPF: {00000075-9980-0010-8000-00AA00389B71} - hxxp://codecs.microsoft.com/codecs/i386/voxacm.CAB

DPF: {0CCA191D-13A6-4E29-B746-314DEE697D83} - hxxp://upload.facebook.com/controls/2008.10.10_v5.5.8/FacebookPhotoUploader5.cab

DPF: {17492023-C23A-453E-A040-C7C580BBF700} - hxxp://download.microsoft.com/download/8/b/d/8bd77752-5704-4d68-a152-f7252adaa4f2/LegitCheckControl.cab

DPF: {215B8138-A3CF-44C5-803F-8226143CFC0A} - hxxp://housecall65.trendmicro.com/housecall/applet/html/native/x86/win32/activex/hcImpl.cab

DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} - c:\program files\yahoo!\common\yinsthelper.dll

DPF: {33363249-0000-0010-8000-00AA00389B71} - hxxp://codecs.microsoft.com/codecs/i386/i263_32.cab

DPF: {33564D57-9980-0010-8000-00AA00389B71} - hxxp://codecs.microsoft.com/codecs/i386/wmv9dmo.cab

DPF: {48DD0448-9209-4F81-9F6D-D83562940134} - hxxp://lads.myspace.com/upload/MySpaceUploader1006.cab

DPF: {5C6698D9-7BE4-4122-8EC5-291D84DBD4A0} - hxxp://upload.facebook.com/controls/FacebookPhotoUploader3.cab

DPF: {8100D56A-5661-482C-BEE8-AFECE305D968} - hxxp://upload.facebook.com/controls/2009.07.28_v5.5.8.1/FacebookPhotoUploader55.cab

DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_17-windows-i586.cab

DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} - hxxp://fpdownload.macromedia.com/get/flashplayer/current/ultrashim.cab

DPF: {CAFEEFAC-0016-0000-0017-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_17-windows-i586.cab

DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_17-windows-i586.cab

DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://fpdownload.macromedia.com/pub/shockwave/cabs/flash/swflash.cab

DPF: {D6E7CFB5-C074-4D1C-B647-663D1A8D96BF} - hxxp://upload.facebook.com/controls/FacebookPhotoUploader4_5.cab

DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - hxxp://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab

SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll

SEH: Microsoft AntiMalware ShellExecuteHook: {091eb208-39dd-417d-a5dd-7e2c2d8fb9cb} - c:\progra~1\wifd1f~1\MpShHook.dll

LSA: Notification Packages = scecli tesirolo.dll

Hosts: 127.0.0.1 www.spywareinfo.com

 

================= FIREFOX ===================

 

FF - ProfilePath - c:\docume~1\laurie~1\applic~1\mozilla\firefox\profiles\gaa6p40y.default\

FF - prefs.js: browser.startup.homepage - hxxp://m.www.yahoo.com/|http://www.google.com/firefox?client=firefox-a&rls=org.mozilla:en-US:official

FF - plugin: c:\progra~1\yahoo!\common\npyaxmpb.dll

FF - plugin: c:\program files\mozilla firefox\plugins\npViewpoint.dll

FF - plugin: c:\program files\viewpoint\viewpoint media player\npViewpoint.dll

FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0016-ABCDEFFEDCBA}

FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0017-ABCDEFFEDCBA}

 

---- FIREFOX POLICIES ----

c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl3.rsa_seed_sha", true);

 

============= SERVICES / DRIVERS ===============

 

P2 McShield;McAfee McShield;c:\program files\mcafee\virusscan enterprise\Mcshield.exe [2007-2-22 144960]

R1 mferkdk;VSCore mferkdk;c:\program files\mcafee\virusscan enterprise\mferkdk.sys [2006-11-30 31944]

R1 vsdatant;vsdatant;c:\windows\system32\vsdatant.sys [2009-11-29 353672]

R2 McAfeeFramework;McAfee Framework Service;c:\program files\mcafee\common framework\FrameworkService.exe [2009-11-29 104000]

R2 McTaskManager;McAfee Task Manager;c:\program files\mcafee\virusscan enterprise\VsTskMgr.exe [2007-2-22 54872]

R2 Viewpoint Manager Service;Viewpoint Manager Service;c:\program files\viewpoint\common\ViewpointService.exe [2009-11-29 24652]

R3 mfeavfk;McAfee Inc.;c:\windows\system32\drivers\mfeavfk.sys [2009-11-29 72264]

R3 mfebopk;McAfee Inc.;c:\windows\system32\drivers\mfebopk.sys [2009-11-29 34152]

R3 mfehidk;McAfee Inc.;c:\windows\system32\drivers\mfehidk.sys [2009-11-29 170408]

S2 vsmon;TrueVector Internet Monitor;c:\windows\system32\zonelabs\vsmon.exe -service --> c:\windows\system32\zonelabs\vsmon.exe -service [?]

S2 WinDefend;Windows Defender;c:\program files\windows defender\MsMpEng.exe [2006-11-3 13592]

 

=============== Created Last 30 ================

 

2009-11-30 05:35:16 0 d-----w- c:\docume~1\alluse~1\applic~1\Viewpoint

2009-11-30 05:35:12 0 d-----w- c:\program files\Viewpoint

2009-11-30 05:35:09 0 d-----w- c:\docume~1\alluse~1\applic~1\acccore

2009-11-30 05:33:40 0 d-----w- c:\program files\common files\AOL

2009-11-30 05:33:07 0 d-----w- c:\program files\AIM6

2009-11-30 05:32:58 367 ---ha-w- C:\IPH.PH

2009-11-30 04:42:49 1221512 ----a-w- c:\windows\system32\zpeng25.dll

2009-11-30 04:42:48 0 d-----w- c:\windows\system32\ZoneLabs

2009-11-30 04:42:45 350192 ----a-w- c:\windows\system32\vsconfig.xml

2009-11-30 03:04:25 73728 ----a-w- c:\windows\system32\javacpl.cpl

2009-11-29 19:52:58 0 d-----w- C:\QUARANTINE

2009-11-29 19:21:28 280 ----a-w- c:\windows\system32\epoPGPsdk.dll.sig

2009-11-29 19:21:28 1495552 ----a-w- c:\windows\system32\epoPGPsdk.dll

2009-11-29 19:21:28 0 d-----w- c:\program files\common files\Cisco Systems

2009-11-29 19:20:56 34152 ----a-w- c:\windows\system32\drivers\mfebopk.sys

2009-11-29 19:20:55 64360 ----a-w- c:\windows\system32\drivers\mfeapfk.sys

2009-11-29 19:20:54 72264 ----a-w- c:\windows\system32\drivers\mfeavfk.sys

2009-11-29 19:20:53 52136 ----a-w- c:\windows\system32\drivers\mfetdik.sys

2009-11-29 19:20:52 170408 ----a-w- c:\windows\system32\drivers\mfehidk.sys

2009-11-29 19:20:12 0 d-----w- c:\program files\McAfee

2009-11-29 19:20:12 0 d-----w- c:\program files\common files\McAfee

2009-11-22 19:05:57 15064 ----a-w- c:\windows\system32\wuapi.dll.mui

 

==================== Find3M ====================

 

2009-11-30 04:43:20 4212 ---ha-w- c:\windows\system32\zllictbl.dat

2009-10-29 07:46:59 832512 ----a-w- c:\windows\system32\wininet.dll

2009-10-29 07:46:52 78336 ----a-w- c:\windows\system32\ieencode.dll

2009-10-29 07:46:50 17408 ----a-w- c:\windows\system32\corpol.dll

2009-10-21 05:38:36 75776 ----a-w- c:\windows\system32\strmfilt.dll

2009-10-21 05:38:36 25088 ----a-w- c:\windows\system32\httpapi.dll

2009-10-20 16:20:16 265728 ------w- c:\windows\system32\drivers\http.sys

2009-10-13 10:30:16 270336 ----a-w- c:\windows\system32\oakley.dll

2009-10-12 13:38:19 149504 ----a-w- c:\windows\system32\rastls.dll

2009-10-12 13:38:18 79872 ----a-w- c:\windows\system32\raschap.dll

2009-10-11 10:17:27 411368 ----a-w- c:\windows\system32\deploytk.dll

2009-10-01 15:29:14 195440 ------w- c:\windows\system32\MpSigStub.exe

2004-09-19 18:01:36 1507 ----a-w- c:\program files\Notepad.lnk

2003-08-27 20:19:18 36963 ----a-r- c:\program files\common files\SM1updtr.dll

2001-08-18 12:00:00 94784 --sh--w- c:\windows\twain.dll

2008-04-14 00:12:07 50688 --sh--w- c:\windows\twain_32.dll

2008-04-14 00:11:56 1028096 --sha-w- c:\windows\system32\mfc42.dll

2008-04-14 00:12:01 57344 --sha-w- c:\windows\system32\msvcirt.dll

2008-04-14 00:12:01 413696 --sha-w- c:\windows\system32\msvcp60.dll

2008-04-14 00:12:02 551936 --sh--w- c:\windows\system32\oleaut32.dll

2008-04-14 00:12:02 84992 --sh--w- c:\windows\system32\olepro32.dll

2008-04-14 00:12:32 11776 --sh--w- c:\windows\system32\regsvr32.exe

2008-08-04 03:56:46 32768 --sha-w- c:\windows\system32\config\systemprofile\local settings\history\history.ie5\mshist012008080320080804\index.dat

 

============= FINISH: 12:29:08.84 ===============

 

Edited to remove duplicate info.

Edited by LaureBelle


DDS Attach

 

UNLESS SPECIFICALLY INSTRUCTED, DO NOT POST THIS LOG.

IF REQUESTED, ZIP IT UP & ATTACH IT

 

DDS (Ver_09-12-01.01)

 

Microsoft Windows XP Home Edition

Boot Device: \Device\HarddiskVolume1

Install Date: 12/30/2001 4:05:56 PM

System Uptime: 12/15/2009 12:20:03 PM (0 hours ago)

 

Motherboard: First International Computer, Inc. | | VC31

Processor: Intel® Pentium® 4 CPU 1500MHz | Socket 478 | 1495/100mhz

 

==== Disk Partitions =========================

 

A: is Removable

C: is FIXED (NTFS) - 56 GiB total, 21.712 GiB free.

D: is CDROM ()

E: is CDROM ()

 

==== Disabled Device Manager Items =============

 

==== System Restore Points ===================

 

RP1887: 9/20/2009 9:23:08 PM - Software Distribution Service 3.0

RP1888: 9/26/2009 10:08:26 AM - Software Distribution Service 3.0

RP1889: 9/27/2009 10:09:11 AM - System Checkpoint

RP1890: 10/5/2009 11:34:44 PM - Software Distribution Service 3.0

RP1891: 10/6/2009 11:35:39 PM - System Checkpoint

RP1892: 10/11/2009 2:00:20 PM - Software Distribution Service 3.0

RP1893: 10/15/2009 11:00:40 PM - Software Distribution Service 3.0

RP1894: 10/16/2009 6:21:56 PM - Software Distribution Service 3.0

RP1895: 10/17/2009 6:55:58 PM - System Checkpoint

RP1896: 10/19/2009 8:25:44 AM - System Checkpoint

RP1897: 10/20/2009 10:08:12 PM - Software Distribution Service 3.0

RP1898: 10/22/2009 12:31:49 AM - System Checkpoint

RP1899: 10/24/2009 11:58:15 AM - Software Distribution Service 3.0

RP1900: 10/25/2009 12:25:17 PM - System Checkpoint

RP1901: 10/26/2009 1:09:59 PM - System Checkpoint

RP1902: 10/27/2009 1:59:14 PM - System Checkpoint

RP1903: 10/27/2009 2:19:13 PM - Revo Uninstaller's restore point - ZoneAlarm

RP1904: 10/27/2009 3:10:11 PM - Revo Uninstaller's restore point - ZoneAlarm

RP1905: 10/27/2009 3:12:30 PM - Revo Uninstaller's restore point - ZoneAlarm

RP1906: 10/31/2009 4:42:28 PM - Restore Operation

RP1907: 10/31/2009 4:52:25 PM - Revo Uninstaller's restore point - ZoneAlarm

RP1908: 11/1/2009 11:13:30 PM - System Checkpoint

RP1909: 11/2/2009 1:14:46 PM - Revo Uninstaller's restore point - ZoneAlarm

RP1910: 11/12/2009 3:22:17 AM - System Checkpoint

RP1911: 11/13/2009 11:42:40 PM - System Checkpoint

RP1912: 11/14/2009 11:51:32 PM - System Checkpoint

RP1913: 11/16/2009 6:57:28 AM - System Checkpoint

RP1914: 11/21/2009 9:04:26 AM - System Checkpoint

RP1915: 11/22/2009 9:52:27 AM - System Checkpoint

RP1916: 11/22/2009 1:10:30 PM - Software Distribution Service 3.0

RP1917: 11/22/2009 1:43:13 PM - Software Distribution Service 3.0

RP1918: 11/28/2009 7:17:08 PM - System Checkpoint

RP1919: 11/29/2009 3:00:25 AM - Software Distribution Service 3.0

RP1920: 11/29/2009 1:20:28 PM - Installed McAfee VirusScan Enterprise

RP1921: 11/29/2009 9:03:27 PM - Installed Java 6 Update 16

RP1922: 11/29/2009 9:07:46 PM - Installed Java 6 Update 17

RP1923: 11/30/2009 9:53:36 PM - System Checkpoint

RP1924: 12/1/2009 10:17:01 PM - System Checkpoint

RP1925: 12/6/2009 1:11:44 PM - System Checkpoint

RP1926: 12/8/2009 8:53:00 AM - System Checkpoint

RP1927: 12/9/2009 8:38:28 PM - System Checkpoint

RP1928: 12/10/2009 1:40:42 AM - Software Distribution Service 3.0

RP1929: 12/11/2009 8:02:20 PM - System Checkpoint

RP1930: 12/12/2009 8:10:55 PM - System Checkpoint

RP1931: 12/14/2009 12:14:44 AM - System Checkpoint

RP1932: 12/15/2009 1:51:24 AM - System Checkpoint

RP1933: 12/15/2009 11:37:47 AM - Revo Uninstaller's restore point - Adobe Reader 7.0

RP1934: 12/15/2009 11:39:01 AM - Removed Adobe Reader 7.0

 

==== Installed Programs ======================

 

ACDSee

Adobe Acrobat 5.0

Adobe Download Manager

Adobe Flash Player 10 ActiveX

Adobe Flash Player 10 Plugin

AIM 6

AiO_Scan_CDA

AiOSoftwareNPI

AOL Instant Messenger

AusLogics Registry Defrag

BufferChm

C3100

c3100_Help

CCleaner

Compatibility Pack for the 2007 Office system

CustomerResearchQFolder

Cypress USB Mass Storage Driver Installation

Destinations

DeviceManagementQFolder

DocProc

DocProcQFolder

eSupportQFolder

Fax_CDA

Free Window Registry Repair

Glary Registry Repair 3.0

Google Earth

Halsoft Battleship

Halsoft Checkers

Halsoft Virtual Places Chat

Halsoft VP Chat Tri-Hook

Halsoft Yahtzee

HighMAT Extension to Microsoft Windows XP CD Writing Wizard

HijackThis 2.0.2

Hotfix for Windows Internet Explorer 7 (KB947864)

Hotfix for Windows Media Format 11 SDK (KB929399)

Hotfix for Windows Media Format SDK (KB902344)

Hotfix for Windows Media Format SDK (KB910998)

Hotfix for Windows XP (KB952287)

Hotfix for Windows XP (KB970653-v3)

Hotfix for Windows XP (KB976098-v2)

HP Customer Participation Program 7.0

HP Imaging Device Functions 7.0

HP Photosmart Essential

HP Photosmart, Officejet and Deskjet 7.0.A

HP PrecisionScan LTX

HP Share-to-Web

HP Software Update

HP Solution Center 7.0

HPPhotoSmartExpress

HPProductAssistant

InstantShareDevicesMFC

Java 6 Update 17

LimeWire 4.18.8

Malwarebytes' Anti-Malware

MarketResearch

McAfee VirusScan Enterprise

Microsoft Data Access Components KB870669

Microsoft Interactive Training

Microsoft Internationalized Domain Names Mitigation APIs

Microsoft Money 2002

Microsoft Money 2002 System Pack

Microsoft National Language Support Downlevel APIs

Microsoft Office XP Media Content

Microsoft Office XP Professional

Microsoft User-Mode Driver Framework Feature Pack 1.0

Microsoft VC9 runtime libraries

Microsoft Visual C++ 2005 ATL Update kb973923 - x86 8.0.50727.4053

Microsoft Visual C++ 2005 Redistributable

Microsoft Works 6.0

Mozilla Firefox (3.5.5)

MSXML 4.0 SP2 (KB954430)

MSXML 4.0 SP2 (KB973688)

NewCopy_CDA

OCR Software by I.R.I.S 7.0

Paint Shop Pro 5.0

PanoStandAlone

PowerDVD

ProductContextNPI

QuickTime

Readme

RealPlayer Basic

Revo Uninstaller 1.83

SBC Yahoo! DSL Activation

Scan

ScannerCopy

Security Update for Step By Step Interactive Training (KB898458)

Security Update for Step By Step Interactive Training (KB923723)

Security Update for Windows Internet Explorer 7 (KB928090)

Security Update for Windows Internet Explorer 7 (KB929969)

Security Update for Windows Internet Explorer 7 (KB931768)

Security Update for Windows Internet Explorer 7 (KB933566)

Security Update for Windows Internet Explorer 7 (KB937143)

Security Update for Windows Internet Explorer 7 (KB938127)

Security Update for Windows Internet Explorer 7 (KB939653)

Security Update for Windows Internet Explorer 7 (KB942615)

Security Update for Windows Internet Explorer 7 (KB944533)

Security Update for Windows Internet Explorer 7 (KB950759)

Security Update for Windows Internet Explorer 7 (KB953838)

Security Update for Windows Internet Explorer 7 (KB956390)

Security Update for Windows Internet Explorer 7 (KB958215)

Security Update for Windows Internet Explorer 7 (KB960714)

Security Update for Windows Internet Explorer 7 (KB961260)

Security Update for Windows Internet Explorer 7 (KB963027)

Security Update for Windows Internet Explorer 7 (KB972260)

Security Update for Windows Internet Explorer 7 (KB974455)

Security Update for Windows Internet Explorer 7 (KB976325)

Security Update for Windows Media Player (KB952069)

Security Update for Windows Media Player (KB954155)

Security Update for Windows Media Player (KB968816)

Security Update for Windows Media Player (KB973540)

Security Update for Windows Media Player 10 (KB911565)

Security Update for Windows Media Player 10 (KB917734)

Security Update for Windows Media Player 10 (KB936782)

Security Update for Windows XP (KB923561)

Security Update for Windows XP (KB938464)

Security Update for Windows XP (KB941569)

Security Update for Windows XP (KB946648)

Security Update for Windows XP (KB950760)

Security Update for Windows XP (KB950762)

Security Update for Windows XP (KB950974)

Security Update for Windows XP (KB951066)

Security Update for Windows XP (KB951376-v2)

Security Update for Windows XP (KB951376)

Security Update for Windows XP (KB951698)

Security Update for Windows XP (KB951748)

Security Update for Windows XP (KB952004)

Security Update for Windows XP (KB952954)

Security Update for Windows XP (KB953839)

Security Update for Windows XP (KB954211)

Security Update for Windows XP (KB954459)

Security Update for Windows XP (KB954600)

Security Update for Windows XP (KB955069)

Security Update for Windows XP (KB956391)

Security Update for Windows XP (KB956572)

Security Update for Windows XP (KB956744)

Security Update for Windows XP (KB956802)

Security Update for Windows XP (KB956803)

Security Update for Windows XP (KB956841)

Security Update for Windows XP (KB956844)

Security Update for Windows XP (KB957095)

Security Update for Windows XP (KB957097)

Security Update for Windows XP (KB958644)

Security Update for Windows XP (KB958687)

Security Update for Windows XP (KB958690)

Security Update for Windows XP (KB958869)

Security Update for Windows XP (KB959426)

Security Update for Windows XP (KB960225)

Security Update for Windows XP (KB960715)

Security Update for Windows XP (KB960803)

Security Update for Windows XP (KB960859)

Security Update for Windows XP (KB961371-v2)

Security Update for Windows XP (KB961373)

Security Update for Windows XP (KB961501)

Security Update for Windows XP (KB968537)

Security Update for Windows XP (KB969059)

Security Update for Windows XP (KB969947)

Security Update for Windows XP (KB970238)

Security Update for Windows XP (KB970430)

Security Update for Windows XP (KB971486)

Security Update for Windows XP (KB971557)

Security Update for Windows XP (KB971633)

Security Update for Windows XP (KB971657)

Security Update for Windows XP (KB971961)

Security Update for Windows XP (KB973346)

Security Update for Windows XP (KB973354)

Security Update for Windows XP (KB973507)

Security Update for Windows XP (KB973525)

Security Update for Windows XP (KB973869)

Security Update for Windows XP (KB973904)

Security Update for Windows XP (KB974112)

Security Update for Windows XP (KB974318)

Security Update for Windows XP (KB974392)

Security Update for Windows XP (KB974571)

Security Update for Windows XP (KB975025)

Security Update for Windows XP (KB975467)

Shockwave

SolutionCenter

Spybot - Search & Destroy

Status

Toolbox

Total Recorder 5.2

TrayApp

Uninstall Startup Inspector

Unload

Update for Windows Internet Explorer 7 (KB976749)

Update for Windows XP (KB951072-v2)

Update for Windows XP (KB951978)

Update for Windows XP (KB955839)

Update for Windows XP (KB967715)

Update for Windows XP (KB968389)

Update for Windows XP (KB971737)

Update for Windows XP (KB973687)

Update for Windows XP (KB973815)

USB Storage Adapter FX (SM1)

VC 9.0 Runtime

Viewpoint Media Player

WebFldrs XP

WebReg

Windows Defender

Windows Genuine Advantage Notifications (KB905474)

Windows Genuine Advantage v1.3.0254.0

Windows Genuine Advantage Validation Tool (KB892130)

Windows Internet Explorer 7

Windows Live installer

Windows Live Messenger

Windows Live Sign-in Assistant

Windows Media Format 11 runtime

Windows Media Player 10

Windows XP Service Pack 3

Yahoo! extras

Yahoo! Internet Mail

Yahoo! Messenger

Yahoo! Toolbar

ZoneAlarm

 

==== Event Viewer Messages From Past Week ========

 

12/9/2009 6:00:46 PM, error: Service Control Manager [7009] - Timeout (30000 milliseconds) waiting for the Application Layer Gateway Service service to connect.

12/9/2009 6:00:46 PM, error: Service Control Manager [7000] - The Application Layer Gateway Service service failed to start due to the following error: The service did not respond to the start or control request in a timely fashion.

12/15/2009 11:44:36 AM, error: Service Control Manager [7003] - The Print Spooler service depends on the following nonexistent service: LexBceS

12/11/2009 7:08:37 PM, error: Service Control Manager [7009] - Timeout (30000 milliseconds) waiting for the IMAPI CD-Burning COM Service service to connect.

12/11/2009 7:08:37 PM, error: Service Control Manager [7000] - The IMAPI CD-Burning COM Service service failed to start due to the following error: The service did not respond to the start or control request in a timely fashion.

 

==== End Of File ===========================

 

Edited to remove duplicate info.

Edited by LaureBelle


ROOTREPEAL © AD, 2007-2009

==================================================

Scan Start Time: 2009/12/15 12:35

Program Version: Version 1.3.5.0

Windows Version: Windows XP SP3

==================================================

 

Drivers

-------------------

Name: dump_atapi.sys

Image Path: C:\WINDOWS\System32\Drivers\dump_atapi.sys

Address: 0xF5D6B000 Size: 98304 File Visible: No Signed: -

Status: -

 

Name: dump_WMILIB.SYS

Image Path: C:\WINDOWS\System32\Drivers\dump_WMILIB.SYS

Address: 0xF7BED000 Size: 8192 File Visible: No Signed: -

Status: -

 

Name: rootrepeal.sys

Image Path: C:\WINDOWS\system32\drivers\rootrepeal.sys

Address: 0xF2C9D000 Size: 49152 File Visible: No Signed: -

Status: -

 

Name: srescan.sys

Image Path: srescan.sys

Address: 0xF74C1000 Size: 81920 File Visible: No Signed: -

Status: -

 

Hidden/Locked Files

-------------------

Path: C:\hiberfil.sys

Status: Locked to the Windows API!

 

Path: c:\windows\temp\perflib_perfdata_d8.dat

Status: Allocation size mismatch (API: 16384, Raw: 0)

 

SSDT

-------------------

#: 031 Function Name: NtConnectPort

Status: Hooked by "C:\WINDOWS\System32\vsdatant.sys" at address 0xf5e89fc0

 

#: 037 Function Name: NtCreateFile

Status: Hooked by "C:\WINDOWS\System32\vsdatant.sys" at address 0xf5e86c80

 

#: 041 Function Name: NtCreateKey

Status: Hooked by "C:\WINDOWS\System32\vsdatant.sys" at address 0xf5ea1170

 

#: 046 Function Name: NtCreatePort

Status: Hooked by "C:\WINDOWS\System32\vsdatant.sys" at address 0xf5e8a580

 

#: 056 Function Name: NtCreateWaitablePort

Status: Hooked by "C:\WINDOWS\System32\vsdatant.sys" at address 0xf5e8a670

 

#: 062 Function Name: NtDeleteFile

Status: Hooked by "C:\WINDOWS\System32\vsdatant.sys" at address 0xf5e87210

 

#: 063 Function Name: NtDeleteKey

Status: Hooked by "C:\WINDOWS\System32\vsdatant.sys" at address 0xf5ea19f0

 

#: 065 Function Name: NtDeleteValueKey

Status: Hooked by "C:\WINDOWS\System32\vsdatant.sys" at address 0xf5ea17a0

 

#: 098 Function Name: NtLoadKey

Status: Hooked by "C:\WINDOWS\System32\vsdatant.sys" at address 0xf5ea1f10

 

#: 099 Function Name: NtLoadKey2

Status: Hooked by "C:\WINDOWS\System32\vsdatant.sys" at address 0xf5ea1f90

 

#: 116 Function Name: NtOpenFile

Status: Hooked by "C:\WINDOWS\System32\vsdatant.sys" at address 0xf5e87070

 

#: 192 Function Name: NtRenameKey

Status: Hooked by "C:\WINDOWS\System32\vsdatant.sys" at address 0xf5ea26f0

 

#: 193 Function Name: NtReplaceKey

Status: Hooked by "C:\WINDOWS\System32\vsdatant.sys" at address 0xf5ea2150

 

#: 200 Function Name: NtRequestWaitReplyPort

Status: Hooked by "C:\WINDOWS\System32\vsdatant.sys" at address 0xf5e89be0

 

#: 204 Function Name: NtRestoreKey

Status: Hooked by "C:\WINDOWS\System32\vsdatant.sys" at address 0xf5ea2540

 

#: 224 Function Name: NtSetInformationFile

Status: Hooked by "C:\WINDOWS\System32\vsdatant.sys" at address 0xf5e87440

 

#: 247 Function Name: NtSetValueKey

Status: Hooked by "C:\WINDOWS\System32\vsdatant.sys" at address 0xf5ea14e0

 

==EOF==


Hi again LaureBelle!!.. :).

 

Logs look clean to me...

 

Go to Start > Control Panel, double-click on Add or Remove Programs and uninstall the following:

Adobe Acrobat 5.0 - this is a very old version of Adobe Acrobat Reader (with security vulnerabilities)...

Afterwards, download and install a new version from here: http://www.adobe.com/products/acrobat/readstep2.html

 

One optional program to remove (just decide if you want to keep it...):

 

Viewpoint Media Player

Viewpoint Manager is considered foistware rather than malware. It is installed on your computer without your permission. It is known to be intrusive, and there is also some possibility that it is now being used by various companies to give them information about your habits.

 

I suggest you remove the program now.

 

 

Copy and paste this text IN BOLD into a text editor such as Notepad.

 

Save this text as Fix.reg. Make sure the "Save as type:" is "All Files (*.*)" and save it to your Desktop.

 

REGEDIT4

 

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]

"Notification Packages"=hex(7):73,63,65,63,6c,69,00,00

 

Double-click on Fix.reg. When it asks you to merge the information to the registry click Yes.

 

Then, you may delete the DDS application (and its logs) and RootRepeal's files from your Desktop...

 

Finally,

Please, set up a new System Restore point:

 

Turn off System Restore

 

To turn off System Restore, follow these steps:

1. Click Start, right-click My Computer, and then click Properties.

2. Click the System Restore tab.

3. Select the Turn off System Restore check box (or the Turn off System Restore on all drives check box), and then click OK.

4. Click Yes when you receive the prompt to the turn off System Restore.

 

Then, to turn it back on:

1. Wait for Windows to finish clearing Restore Points.

2. Clear the Turn off System Restore check box (or the Turn off System Restore on all drives check box), and then click OK.

 

Please check my site - snemelk.hekko.pl. There, you'll find a few steps to make your web browsing safer. :thumbup:

 

Also, I recommend you read Tony Klein's excellent article: How I got Infected in the First Place?

 

:wave:

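Added example (Python; not part of the post above, nor of DDS or RootRepeal): it parses the "LSA: Notification Packages" line from the DDS log in this thread, flags any DLL outside an assumed known-good set, and shows what the hex(7) value in the helper's Fix.reg actually encodes. The KNOWN_GOOD set is an assumption about a stand-alone Windows XP client; the sample line is taken from the log posted above.

```python
# Triage the LSA "Notification Packages" entry reported by DDS and build the
# REGEDIT4 file that resets it.
#
# lsass.exe loads every DLL named under
#   HKLM\SYSTEM\CurrentControlSet\Control\Lsa\Notification Packages
# at boot and hands each one password-change events. A stray name there (such
# as tesirolo.dll in the log above) is therefore both a persistence point and a
# credential-capture risk, which is why the helper's fix resets the value.
from __future__ import annotations

# Assumption: on a stand-alone Windows XP client only "scecli" (the Security
# Configuration Engine client) is expected; "rassfm" is legitimate on domain
# controllers. Anything else is reported for review.
KNOWN_GOOD = {"scecli", "rassfm"}

DDS_PREFIX = "LSA: Notification Packages ="

# Sample line taken from the DDS log posted in the thread.
SAMPLE_LINE = "LSA: Notification Packages = scecli tesirolo.dll"


def parse_dds_lsa_line(line: str) -> list[str]:
    """Return the package names DDS lists on its LSA line."""
    if not line.startswith(DDS_PREFIX):
        raise ValueError("not a DDS 'LSA: Notification Packages' line")
    return line[len(DDS_PREFIX):].split()


def suspicious_packages(packages: list[str]) -> list[str]:
    """Names not in KNOWN_GOOD, compared case-insensitively and ignoring .dll."""
    flagged = []
    for pkg in packages:
        name = pkg.lower()
        if name.endswith(".dll"):
            name = name[:-4]
        if name not in KNOWN_GOOD:
            flagged.append(pkg)
    return flagged


def encode_multi_sz(values: list[str]) -> str:
    """REG_MULTI_SZ in REGEDIT4 hex(7) notation.

    REGEDIT4 files store strings as single-byte ANSI: each string is followed
    by one NUL and the whole list by a second NUL, which is why the post's
    value for just "scecli" ends in 00,00.
    """
    raw = b"".join(v.encode("ascii") + b"\x00" for v in values) + b"\x00"
    return "hex(7):" + ",".join(f"{b:02x}" for b in raw)


def decode_multi_sz(hex7: str) -> list[str]:
    """Inverse of encode_multi_sz, for checking a .reg value before merging it."""
    if not hex7.startswith("hex(7):"):
        raise ValueError("not a hex(7) value")
    raw = bytes(int(tok, 16) for tok in hex7[len("hex(7):"):].split(","))
    values = []
    for part in raw.split(b"\x00"):
        if part == b"":  # the empty string terminates the list
            break
        values.append(part.decode("ascii"))
    return values


def build_fix_reg(keep: list[str]) -> str:
    """REGEDIT4 text that resets Notification Packages to `keep` only."""
    return (
        "REGEDIT4\n\n"
        "[HKEY_LOCAL_MACHINE\\system\\currentcontrolset\\control\\lsa]\n"
        f'"Notification Packages"={encode_multi_sz(keep)}\n'
    )


def triage(line: str) -> tuple[list[str], str]:
    """Flagged names and the .reg file that drops them."""
    packages = parse_dds_lsa_line(line)
    flagged = suspicious_packages(packages)
    keep = [p for p in packages if p not in flagged]
    return flagged, build_fix_reg(keep)


if __name__ == "__main__":
    bad, reg = triage(SAMPLE_LINE)
    print("suspicious:", bad)
    print(reg)
```

Run against the sample line it reports tesirolo.dll and emits the same REGEDIT4 value the helper posted.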

Since this issue appears resolved ... this Topic is closed.

 

If you need this topic reopened, please tell the moderating team by replying here with the address of the thread. This applies only to the original topic starter.

 

Everyone else please begin a New Topic.
