Full Version: Am I doing Something Wrong
Malwarebytes Forum > Computer Help > Malware Removal - HijackThis Logs
johnnyt
I know everyone that helps here is a volunteer and very kind to help out and I appreciate that very much. My only reason for writing this New Topic is to find out if I have done something wrong or not done something right to get a response. I submitted a topic on October 29th and I have not heard from anyone. I have seen others with similar problems getting help since then. Am I not doing something I am supposed to? I have a very nasty trojan that malwarebytes can't get rid of. It identifies them on the scan but does not remove them. I get the message that the infected files will be removed on reboot but that doesn't happen. They come right back. I am also running Avira Anti-vir and I had to shut off Anti-Vir Guard because it just kept finding two files it said were a trojan but no matter what action I took, the Trojans just kept coming back. The anti-vir guard announcements were taking over my computer. I'm not sure what I should do. Please help someone. Here are the latest logs:

MBAM log

Malwarebytes' Anti-Malware 1.41
Database version: 3098
Windows 5.1.2600 Service Pack 2

11/4/2009 10:12:36 AM
mbam-log-2009-11-04 (10-12-24).txt

Scan type: Quick Scan
Objects scanned: 160680
Time elapsed: 42 minute(s), 16 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 6
Registry Keys Infected: 2
Registry Values Infected: 6
Registry Data Items Infected: 9
Folders Infected: 3
Files Infected: 9

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
C:\WINDOWS\system32\jijejamu.dll (Trojan.Vundo) -> No action taken.
C:\WINDOWS\system32\pilipeho.dll (Trojan.Vundo) -> No action taken.
c:\WINDOWS\system32\tesavohi.dll (Trojan.Vundo) -> No action taken.
c:\WINDOWS\system32\mupapupe.dll (Trojan.Vundo.H) -> No action taken.
c:\WINDOWS\system32\jifetahi.dll (Trojan.Vundo) -> No action taken.
c:\WINDOWS\system32\bezayedo.dll (Trojan.Vundo) -> No action taken.

Registry Keys Infected:
HKEY_CLASSES_ROOT\CLSID\{f2de254c-d327-48bb-b0f0-104071c95a6c} (Trojan.Vundo) -> No action taken.
HKEY_CLASSES_ROOT\CLSID\{87f808a5-db44-456b-a51f-bc33f6bc8bfb} (Trojan.Vundo.H) -> No action taken.

Registry Values Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\lejuvivoh (Trojan.Vundo.H) -> No action taken.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SharedTaskScheduler\{f2de254c-d327-48bb-b0f0-104071c95a6c} (Trojan.Vundo) -> No action taken.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\kujasaset (Trojan.Vundo) -> No action taken.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SharedTaskScheduler\{87f808a5-db44-456b-a51f-bc33f6bc8bfb} (Trojan.Vundo.H) -> No action taken.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\zovuminaw (Trojan.Vundo.H) -> No action taken.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\nozehorune (Trojan.Agent) -> No action taken.

Registry Data Items Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\AppInit_DLLs (Trojan.Vundo) -> Data: c:\windows\system32\tesavohi.dll -> No action taken.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\AppInit_DLLs (Trojan.Vundo) -> Data: system32\tesavohi.dll -> No action taken.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\AppInit_DLLs (Trojan.Vundo.H) -> Data: c:\windows\system32\mupapupe.dll -> No action taken.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\AppInit_DLLs (Trojan.Vundo.H) -> Data: system32\mupapupe.dll -> No action taken.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\AppInit_DLLs (Trojan.Vundo) -> Data: c:\windows\system32\jifetahi.dll -> No action taken.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\AppInit_DLLs (Trojan.Vundo) -> Data: system32\jifetahi.dll -> No action taken.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\AppInit_DLLs (Trojan.Vundo) -> Data: c:\windows\system32\bezayedo.dll -> No action taken.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\AppInit_DLLs (Trojan.Vundo) -> Data: system32\bezayedo.dll -> No action taken.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\UpdatesDisableNotify (Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> No action taken.

Folders Infected:
C:\Program Files\dynamic toolbar (Adware.2020search) -> No action taken.
C:\Program Files\dynamic toolbar\REALBAR (Adware.2020search) -> No action taken.
C:\Program Files\dynamic toolbar\REALBAR\Cache (Adware.2020search) -> No action taken.

Files Infected:
c:\WINDOWS\system32\mupapupe.dll (Trojan.Vundo.H) -> No action taken.
C:\WINDOWS\system32\jijejamu.dll (Trojan.Vundo) -> No action taken.
C:\WINDOWS\system32\pilipeho.dll (Trojan.Vundo) -> No action taken.
c:\WINDOWS\system32\tesavohi.dll (Trojan.Vundo) -> No action taken.
c:\WINDOWS\system32\jifetahi.dll (Trojan.Vundo) -> No action taken.
c:\WINDOWS\system32\bezayedo.dll (Trojan.Vundo) -> No action taken.
C:\WINDOWS\system32\buloreke.dll (Trojan.Vundo) -> No action taken.
C:\WINDOWS\system32\daluwimo.dll (Trojan.Vundo) -> No action taken.
C:\WINDOWS\system32\torayiya.dll (Trojan.Vundo) -> No action taken.

Hijack this log:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 10:13:40 AM, on 11/4/2009
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\LEXPPS.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Avira\AntiVir Desktop\sched.exe
C:\WINDOWS\System32\PackethSvc.exe
C:\Program Files\Avira\AntiVir Desktop\avguard.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\WINDOWS\System32\drivers\CDAC11BA.EXE
C:\Program Files\Compaq\Compaq Advisor\bin\compaq-rba.exe
C:\WINDOWS\system32\inetsrv\inetinfo.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\system32\pctspk.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Compaq\Easy Access Button Support\StartEAK.exe
C:\WINDOWS\system32\Smtray.exe
C:\Program Files\Adaptec\Easy CD Creator 5\DirectCD\DirectCD.exe
C:\Program Files\Dell AIO Printer A920\dlbkbmgr.exe
C:\Program Files\Tech\Wheel Mouse\5.0\MOUSE32A.EXE
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Avira\AntiVir Desktop\avgnt.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Windows Live\Messenger\MsnMsgr.Exe
C:\Program Files\Mobipocket.com\Mobipocket Reader\readernotify.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\Program Files\1&1\1&1 EasyLogin\EasyLogin.exe
C:\Program Files\Veoh Networks\VeohWebPlayer\veohwebplayer.exe
C:\Program Files\DateInTray\DateInTray.exe
C:\Palm\HOTSYNC.EXE
C:\COMPAQ\CPQINET\CPQInet.exe
C:\Compaq\EAKDRV\EAUSBKBD.EXE
C:\Program Files\Dell AIO Printer A920\dlbkbmon.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.lesliehale.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.rr.com
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = https://customer.symantec.com/NASApp/web/Pl...p;p_vendor_tag=
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by Roadrunner
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: Lexico Toolbar - {11359F4A-B191-42d7-905A-594F8CF0387B} - C:\WINDOWS\Downloaded Program Files\CONFLICT.1\lexbar.dll
O2 - BHO: AskBar BHO - {201f27d4-3704-41d6-89c1-aa35e39143ed} - C:\Program Files\AskBarDis\bar\bin\askBar.dll
O2 - BHO: REALBAR - {4E7BD74F-2B8D-469E-C0FF-FD60B590A87D} - C:\PROGRA~1\COMMON~1\Real\Toolbar\realbar.dll
O2 - BHO: (no name) - {5C255C8A-E604-49b4-9D64-90988571CECB} - (no file)
O2 - BHO: (no name) - {5f414075-a602-4ca4-a231-4b799c981ba4} - fakugupu.dll (file missing)
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - C:\Program Files\Google\Google Toolbar\GoogleToolbar_32.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\5.3.4501.1418\swg.dll
O2 - BHO: Google Dictionary Compression sdch - {C84D72FE-E17D-4195-BB24-76C02E2E7C4E} - C:\Program Files\Google\Google Toolbar\Component\fastsearch_B7C5AC242193BB3E.dll
O2 - BHO: Java™ Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O3 - Toolbar: REALBAR - {4E7BD74F-2B8D-469E-C0FF-FD60B590A87D} - C:\PROGRA~1\COMMON~1\Real\Toolbar\realbar.dll
O3 - Toolbar: Dictionary.com - {11359F4A-B191-42D7-905A-594F8CF0387B} - C:\WINDOWS\Downloaded Program Files\CONFLICT.1\lexbar.dll
O3 - Toolbar: Ask Toolbar - {3041d03e-fd4b-44e0-b742-2d9b88305f98} - C:\Program Files\AskBarDis\bar\bin\askBar.dll
O3 - Toolbar: Veoh Web Player Video Finder - {0FBB9689-D3D7-4f7a-A2E2-585B10099BFC} - C:\Program Files\Veoh Networks\VeohWebPlayer\VeohIEToolbar.dll
O3 - Toolbar: Veoh Video Compass - {52836EB0-631A-47B1-94A6-61F9D9112DAE} - C:\Program Files\Veoh Networks\Veoh Video Compass\SearchRecsPlugin.dll
O3 - Toolbar: Google Toolbar - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - C:\Program Files\Google\Google Toolbar\GoogleToolbar_32.dll
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE NvQTwk,NvCplDaemon initialize
O4 - HKLM\..\Run: [CPQEASYACC] C:\Program Files\Compaq\Easy Access Button Support\StartEAK.exe
O4 - HKLM\..\Run: [WCOLOREAL] "C:\Program Files\COMPAQ\Coloreal\coloreal.exe"
O4 - HKLM\..\Run: [Smapp] Smtray.exe
O4 - HKLM\..\Run: [Microsoft Works Portfolio] C:\Program Files\Microsoft Works\WksSb.exe /AllUsers
O4 - HKLM\..\Run: [Microsoft Works Update Detection] C:\Program Files\Microsoft Works\WkDetect.exe
O4 - HKLM\..\Run: [srmclean] C:\Cpqs\Scom\srmclean.exe
O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Program Files\Adaptec\Easy CD Creator 5\DirectCD\DirectCD.exe"
O4 - HKLM\..\Run: [Dell AIO Printer A920] "C:\Program Files\Dell AIO Printer A920\dlbkbmgr.exe"
O4 - HKLM\..\Run: [BJCFD] C:\Program Files\BroadJump\Client Foundation\CFD.exe
O4 - HKLM\..\Run: [LWBMOUSE] C:\Program Files\Tech\Wheel Mouse\5.0\MOUSE32A.EXE
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [Google Desktop Search] "C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe" /startup
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [Malwarebytes Anti-Malware (reboot)] "C:\Program Files\Malwarebytes' Anti-Malware\newone.exe" /runcleanupscript
O4 - HKLM\..\Run: [avgnt] "C:\Program Files\Avira\AntiVir Desktop\avgnt.exe" /min
O4 - HKLM\..\Run: [lejuvivoh] Rundll32.exe "c:\windows\system32\tesavohi.dll",a
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\Windows Live\Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [Mobipocket Reader Notifications] C:\Program Files\Mobipocket.com\Mobipocket Reader\readernotify.exe
O4 - HKCU\..\Run: [updateMgr] "C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe" AcRdB7_0_8 -reboot 1
O4 - HKCU\..\Run: [swg] "C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe"
O4 - HKCU\..\Run: [1&1 EasyLogin] C:\Program Files\1&1\1&1 EasyLogin\EasyLogin.exe
O4 - HKCU\..\Run: [NBJ] "C:\Program Files\Ahead\Nero BackItUp\NBJ.exe"
O4 - HKCU\..\Run: [VeohPlugin] "C:\Program Files\Veoh Networks\VeohWebPlayer\veohwebplayer.exe"
O4 - HKUS\S-1-5-18\..\RunOnce: [tscuninstall] %systemroot%\system32\tscupgrd.exe (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\RunOnce: [tscuninstall] %systemroot%\system32\tscupgrd.exe (User 'Default user')
O4 - Startup: HotSync Manager.lnk = C:\Palm\HOTSYNC.EXE
O4 - Startup: PowerReg Scheduler V3.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: DateInTray.lnk = C:\Program Files\DateInTray\DateInTray.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: office.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MI1933~1\Office10\EXCEL.EXE/3000
O8 - Extra context menu item: Search &Dictionary - C:\Program files\Lexico\Toolbar\dictionary.htm
O8 - Extra context menu item: Search &Thesaurus - C:\Program files\Lexico\Toolbar\thesaurus.htm
O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)
O9 - Extra button: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .nwc: C:\Program Files\NoteWorthy Software\NWC Browser Plugin\npnwcw32.dll
O14 - IERESET.INF: START_PAGE_URL=http://www.rr.com
O16 - DPF: vzTCPConfig - http://www.verizon.net/checkmypc/includes/vzTCPConfig.CAB
O16 - DPF: {05CA9FB0-3E3E-4B36-BF41-0E3A5CAA8CD8} (Office Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=67633
O16 - DPF: {0CCA191D-13A6-4E29-B746-314DEE697D83} (Facebook Photo Uploader 5 Control) - http://upload.facebook.com/controls/2008.1...toUploader5.cab
O16 - DPF: {1239CC52-59EF-4DFA-8C61-90FFA846DF7E} (Musicnotes Viewer) - http://www.musicnotes.com/download/mnviewer.cab
O16 - DPF: {238F6F83-B8B4-11CF-8771-00A024541EE3} (WficaCtl Object) - http://www.genisar.com/files/genplug60.cab
O16 - DPF: {288451AE-BE24-4216-B946-8600E0498584} (DASWebShop Class) - http://das.microsoft.com/activate/cab/x86/...tail/DASAct.cab
O16 - DPF: {406B5949-7190-4245-91A9-30A17DE16AD0} (Snapfish Activia) - http://www.yorkphoto.com/YorkActivia.cab
O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} (RdxIE Class) - http://software-dl.real.com/01017a2d3f98e0...ip/RdxIE601.cab
O16 - DPF: {62475759-9E84-458E-A1AB-5D2C442ADFDE} - http://a1540.g.akamai.net/7/1540/52/200312...meInstaller.exe
O16 - DPF: {6A060448-60F9-11D5-A6CD-0002B31F7455} (ExentInf Class) - http://us.games2.yimg.com/download.games.y...ctl_0_0_0_1.ocx
O16 - DPF: {72944257-0AE0-44FD-8A51-AA21853092C8} (PhxStudent.OeSetup15) - https://mycampus.phoenix.edu/secure/PhxStudent15.CAB
O16 - DPF: {9059F30F-4EB1-4BD2-9FDC-36F43A218F4A} (Microsoft RDP Client Control (redist)) - http://www.server.recordtranscripts.com/msrdp.cab
O16 - DPF: {90C9629E-CD32-11D3-BBFB-00105A1F0D68} (InstallShield International Setup Player) - http://www.installengine.com/engine/isetup.cab
O16 - DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} (PopCapLoader Object) - http://games.pogo.com/online2/pogo/bejewel...aploader_v6.cab
O16 - DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - http://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
O16 - DPF: {E7D2588A-7FB5-47DC-8830-832605661009} (Live Collaboration) - http://livesc03.rightnowtech.com/audible/a...l/java/RntX.cab
O16 - DPF: {F0E2D69A-DC2F-4E9B-A993-684FB1C21DBC} - http://dictionary.reference.com/tools/toolbar/lexico.cab
O16 - DPF: {F2CA2115-C8D2-11D1-BEBD-00A0C95A6A5C} (WebReportSource Class) - http://reports.jud11.flcourts.org/viewer/a...tivexviewer.cab
O16 - DPF: {F6676623-8BBD-479C-A51B-05868728708C} (DigitalDM) - http://www.digitaldm.com/Plug-in/myebk/c/DIGITALDM2.cab
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = rtitampa.com
O17 - HKLM\Software\..\Telephony: DomainName = rtitampa.com
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = rtitampa.com
O20 - AppInit_DLLs: c:\windows\ c:\windows\system32\fiworize.dll c:\windows\system32\rofenima.dll jijejamu.dll c:\windows\system32\pogobiwu.dll c:\windows\system32\hefihiru.dll c:\windows\system32\jifetahi.dll c:\windows\system32\tesavohi.dll c:\windows\system32\bezayedo.dll c:\windows\system32\mupapupe.dll
O21 - SSODL: goyuvukiz - {3b1a9b0d-05ca-4288-a290-622f7cdd4881} - c:\windows\system32\pogobiwu.dll
O21 - SSODL: kujasaset - {f2de254c-d327-48bb-b0f0-104071c95a6c} - c:\windows\system32\mupapupe.dll
O22 - SharedTaskScheduler: jugezatag - {3b1a9b0d-05ca-4288-a290-622f7cdd4881} - c:\windows\system32\pogobiwu.dll
O22 - SharedTaskScheduler: kupuhivus - {f2de254c-d327-48bb-b0f0-104071c95a6c} - c:\windows\system32\mupapupe.dll
O23 - Service: Avira AntiVir Scheduler (AntiVirSchedulerService) - Avira GmbH - C:\Program Files\Avira\AntiVir Desktop\sched.exe
O23 - Service: Avira AntiVir Guard (AntiVirService) - Avira GmbH - C:\Program Files\Avira\AntiVir Desktop\avguard.exe
O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: C-DillaCdaC11BA - Macrovision - C:\WINDOWS\System32\drivers\CDAC11BA.EXE
O23 - Service: Compaq Advisor (Compaq_RBA) - NeoPlanet - C:\Program Files\Compaq\Compaq Advisor\bin\compaq-rba.exe
O23 - Service: GoogleDesktopManager - Google - C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe
O23 - Service: Google Software Updater (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: Macromedia Licensing Service - Macromedia - C:\Program Files\Common Files\Macromedia Shared\Service\Macromedia Licensing.exe
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: Virtual NIC Service (PackethSvc) - America Online, Inc. - C:\WINDOWS\System32\PackethSvc.exe
O23 - Service: PCTEL Speaker Phone (Pctspk) - PCtel, Inc. - C:\WINDOWS\system32\pctspk.exe
O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe

--
End of file - 14674 bytes
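A defender-side triage check for the MBAM log format posted above, added here as an example (it is not johnnyt's code and not Malwarebytes' tooling): it parses each `ITEM (DETECTION) -> ACTION.` entry, compares the summary counts with the entries actually listed, flags a log in which every entry still reads `No action taken` (as in the log above, where nothing was removed), and groups the registry entries by the autostart location they sit in (AppInit_DLLs, SSODL, SharedTaskScheduler, Run). The sample log is a constructed excerpt mirroring the entries above, and the mechanism labels are this example's own.

```python
import re
from collections import Counter, namedtuple

# Constructed excerpt in the Malwarebytes' Anti-Malware 1.x log layout posted in this thread
# (same section headers and "-> action." suffix); not a real log. The Files Infected count is
# deliberately one higher than the entries listed, so the consistency check below fires.
SAMPLE_LOG = r"""
Malwarebytes' Anti-Malware 1.41
Memory Processes Infected: 0
Memory Modules Infected: 2
Registry Keys Infected: 1
Registry Values Infected: 3
Registry Data Items Infected: 2
Folders Infected: 0
Files Infected: 3

Memory Modules Infected:
C:\WINDOWS\system32\jijejamu.dll (Trojan.Vundo) -> No action taken.
c:\WINDOWS\system32\mupapupe.dll (Trojan.Vundo.H) -> No action taken.

Registry Keys Infected:
HKEY_CLASSES_ROOT\CLSID\{f2de254c-d327-48bb-b0f0-104071c95a6c} (Trojan.Vundo) -> No action taken.

Registry Values Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\lejuvivoh (Trojan.Vundo.H) -> No action taken.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SharedTaskScheduler\{f2de254c-d327-48bb-b0f0-104071c95a6c} (Trojan.Vundo) -> No action taken.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\kujasaset (Trojan.Vundo) -> No action taken.

Registry Data Items Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\AppInit_DLLs (Trojan.Vundo) -> Data: c:\windows\system32\tesavohi.dll -> No action taken.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\UpdatesDisableNotify (Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> No action taken.

Folders Infected:
(No malicious items detected)

Files Infected:
C:\WINDOWS\system32\jijejamu.dll (Trojan.Vundo) -> No action taken.
c:\WINDOWS\system32\mupapupe.dll (Trojan.Vundo.H) -> No action taken.
"""

Entry = namedtuple("Entry", "section item detection detail action")
# "<Section> Infected: N" is a summary line; "<Section> Infected:" opens the detail section.
LINE_RE = re.compile(r"^([A-Za-z ]+ Infected):(?: (\d+))?$")

# Autostart locations the Vundo entries in this thread live in, matched against the lower-cased key path.
MECHANISMS = [
    ("appinit_dlls", "AppInit_DLLs"),                      # DLL loaded into every user32-linked process
    ("shellserviceobjectdelayload", "SSODL"),              # COM object loaded by Explorer at logon
    ("sharedtaskscheduler", "SharedTaskScheduler"),        # COM object loaded by Explorer at logon
    ("security center", "Security Center tampering"),      # alerting switched off
    ("hkey_classes_root\\clsid\\", "CLSID registration"),  # COM class pointing at the malicious DLL
    ("\\currentversion\\run\\", "Run key"),                # plain logon autostart
]

def parse_entry(section, line):
    """Split 'ITEM (DETECTION) -> [DETAIL -> ]ACTION.'; rsplit keeps '(x86)' inside paths intact."""
    parts = line.rstrip(".").split(" -> ")
    item, detection = parts[0].rsplit(" (", 1)
    return Entry(section, item, detection.rstrip(")"), " -> ".join(parts[1:-1]) or None, parts[-1])

def parse_mbam_log(text):
    """Return (summary counts by section, list of Entry) for an MBAM 1.x log."""
    header, entries, section = {}, [], None
    for line in filter(None, (l.strip() for l in text.splitlines())):
        m = LINE_RE.match(line)
        if m and m.group(2):
            header[m.group(1)] = int(m.group(2))
        elif m:
            section = m.group(1)
        elif section and line != "(No malicious items detected)":
            entries.append(parse_entry(section, line))
    return header, entries

def count_mismatches(header, entries):
    """Sections whose summary count differs from the entries listed: {section: (claimed, listed)}."""
    listed = Counter(e.section for e in entries)
    return {s: (n, listed[s]) for s, n in header.items() if n != listed[s]}

def nothing_removed(entries):
    """True when every detection still reads 'No action taken': the log captured scan results, not a removal."""
    return bool(entries) and all(e.action == "No action taken" for e in entries)

def persistence_mechanism(entry):
    path = entry.item.lower()
    return next((label for needle, label in MECHANISMS if needle in path), "other")

def triage(text):
    """Summary a helper would want before deciding on next steps."""
    header, entries = parse_mbam_log(text)
    registry = [e for e in entries if e.section.startswith("Registry")]
    appinit = {e.detail[len("Data: "):].lower() for e in registry if e.detail and e.detail.startswith("Data: ")}
    return {
        "mismatches": count_mismatches(header, entries),
        "actions": Counter(e.action for e in entries),
        "nothing_removed": nothing_removed(entries),
        "mechanisms": Counter(persistence_mechanism(e) for e in registry),
        "appinit_dlls": sorted(appinit),   # DLLs every new process would load; they must be gone after cleanup
    }
```

Calling `triage(SAMPLE_LOG)` on the excerpt reports the Files Infected mismatch, ten entries all still `No action taken`, and one entry per autostart location.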
BHowett
Hello johnnyt, and welcome to Malwarebytes! My name is BHowett and I will be helping you to get sorted. If for any reason you do not understand any of the instructions, or are just unsure, then please do not guess; simply post back with your question, and we will go through it again.

You didn't do anything wrong... it's just that staff members are few throughout the malware community, and there are many people looking for help. Sometimes we just get so busy, and unfortunately some do slip through the cracks. When we are done I will close your other topic, so keep all replies in this topic here.

Please do the following...

ComboFix

Please download ComboFix from Here or Here

* IMPORTANT !!! Save ComboFix.exe to your Desktop

  • Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools. Note: If you are having difficulty properly disabling your protective programs, or are unsure as to what programs need to be disabled, please refer to the information available through this link : Protective Programs
  • Double click on ComboFix.exe & follow the prompts.
  • As part of its process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.
  • Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.

**Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue its malware removal procedures.

Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:

Click on Yes, to continue scanning for malware.

When finished, it shall produce a log for you. Please include the C:\ComboFix.txt in your next reply.

Do not mouse-click Combofix's window while it is running. That may cause it to stall.

===============================================

Needed in your next reply:

Combofix log

And let me know how things are running now.
johnnyt
First of all, thank you so much for helping me BHowett. I completely understand about being busy. I certainly wasn't being impatient, I just thought I may have offended someone or written my topic wrong... anyhow, thanks for your help.

I ran combofix and unless it is my imagination, everything seems to be running really well. Much faster. Combofix ran for about 2 and a half hours. Not sure if that is good or bad, but nonetheless, here is the log:

ComboFix 09-11-04.02 - Catherine 11/04/2009 18:29.1.1 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.511.157 [GMT -5:00]
Running from: c:\documents and settings\Catherine\Desktop\ComboFix.exe
AV: AntiVir Desktop *On-access scanning disabled* (Outdated) {AD166499-45F9-482A-A743-FDD3350758C7}
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\documents and settings\Catherine\Local Settings\Temporary Internet Files\TRNSLG03.XLS
c:\program files\Dynamic Toolbar
c:\windows\compaq.reg
c:\windows\desktop
c:\windows\desktop\Compaq Knowledge Center.lnk
c:\windows\Downloaded Program Files\CONFLICT.1\RDXIE.DLL
c:\windows\Downloaded Program Files\popcaploader.dll
c:\windows\Downloaded Program Files\popcaploader.inf
c:\windows\Downloaded Program Files\RdxIE.dll
c:\windows\jestertb.dll
c:\windows\system\oeminfo.ini
c:\windows\system32\bezayedo.dll
c:\windows\system32\bitoduze.dll
c:\windows\system32\Cache
c:\windows\system32\hefihiru.dll
c:\windows\system32\jifetahi.dll
c:\windows\system32\jijejamu.dll
c:\windows\system32\mupapupe.dll
c:\windows\system32\pilipeho.dll
c:\windows\system32\pogobiwu.dll
c:\windows\system32\tesavohi.dll
c:\windows\Tasks\vvnfgxeg.job
c:\documents and settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr0.dat . . . . failed to delete
c:\documents and settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr1.dat . . . . failed to delete

----- BITS: Possible infected sites -----

hxxp://gateway.digitalmusicnotebook.com
hxxp://77.74.48.111
.
((((((((((((((((((((((((( Files Created from 2009-10-05 to 2009-11-05 )))))))))))))))))))))))))))))))
.

2009-11-02 15:05 . 2009-11-02 15:05 -------- d-----w- c:\documents and settings\All Users\Application Data\XoftSpySE
2009-10-28 20:44 . 2009-10-28 20:44 -------- d-----w- c:\program files\Trend Micro
2009-10-28 13:04 . 2009-03-30 14:33 96104 ----a-w- c:\windows\system32\drivers\avipbb.sys
2009-10-28 13:04 . 2009-07-28 20:33 55656 ----a-w- c:\windows\system32\drivers\avgntflt.sys
2009-10-28 13:04 . 2009-02-13 16:29 22360 ----a-w- c:\windows\system32\drivers\avgntmgr.sys
2009-10-28 13:04 . 2009-02-13 16:17 45416 ----a-w- c:\windows\system32\drivers\avgntdd.sys
2009-10-28 13:04 . 2009-10-28 13:04 -------- d-----w- c:\program files\Avira
2009-10-28 13:04 . 2009-10-28 13:04 -------- d-----w- c:\documents and settings\All Users\Application Data\Avira
2009-10-27 12:43 . 2009-10-27 12:43 -------- d-----w- c:\documents and settings\Catherine\Application Data\Malwarebytes
2009-10-27 12:40 . 2009-09-10 18:54 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2009-10-27 12:40 . 2009-10-27 12:40 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
2009-10-27 12:40 . 2009-11-04 15:12 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2009-10-27 12:40 . 2009-09-10 18:53 19160 ----a-w- c:\windows\system32\drivers\mbam.sys

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-11-05 01:03 . 2009-11-05 00:44 3671 ----a-w- c:\windows\compaq.reg
2009-10-28 21:47 . 2002-08-25 15:41 -------- d-----w- c:\program files\Common Files\Symantec Shared
2009-10-28 21:47 . 2002-08-25 15:41 -------- d-----w- c:\program files\Symantec
2009-10-28 21:09 . 2002-08-25 15:41 -------- d-----w- c:\documents and settings\All Users\Application Data\Symantec
2009-10-28 12:12 . 2003-12-06 02:30 -------- d-----w- c:\program files\Dell AIO Printer A920
2009-10-14 18:49 . 2006-11-03 14:59 59 ----a-w- c:\windows\wpd99.drv
2009-10-14 18:49 . 2006-11-03 14:59 -------- d-----w- c:\documents and settings\All Users\Application Data\pdf995
2009-10-02 10:03 . 2009-03-19 13:28 -------- d-----w- c:\program files\Microsoft Silverlight
2009-10-01 12:37 . 2009-10-01 12:37 -------- d-----w- c:\program files\Microsoft
2009-09-29 17:35 . 2004-01-20 13:07 119520 ----a-w- c:\documents and settings\Catherine\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2009-09-29 17:35 . 2009-09-29 17:35 -------- d-----w- c:\documents and settings\Catherine\Application Data\LogSys
2009-09-29 17:35 . 2009-09-29 17:35 -------- d-----w- c:\documents and settings\All Users\Application Data\LogSys
2009-09-29 17:32 . 2009-09-29 16:32 -------- dc-h--w- c:\documents and settings\All Users\Application Data\{5CF2916D-6AA4-47BF-B59D-D24FEA0C91E3}
2009-09-29 17:32 . 2009-09-29 17:32 -------- d-----w- c:\program files\Blueberry Consultants
2009-09-29 17:25 . 2009-09-29 17:25 2272 ----a-w- c:\documents and settings\LocalService\Local Settings\Application Data\FontCache3.0.0.0.dat
2009-09-29 17:23 . 2009-09-29 17:23 -------- d-----w- c:\program files\MSBuild
2009-09-29 17:22 . 2009-09-29 17:22 -------- d-----w- c:\program files\Reference Assemblies
2009-09-29 16:31 . 2008-07-28 14:22 -------- d-----w- c:\program files\monitor
2009-09-24 12:04 . 2009-09-23 20:59 -------- d-----w- c:\documents and settings\All Users\Application Data\NOS
2009-09-15 19:33 . 2009-09-15 18:58 -------- d-----w- c:\documents and settings\Catherine\Application Data\Verizon
2009-09-15 18:56 . 2009-09-15 18:56 -------- d-----w- c:\program files\Verizon
2009-09-12 21:12 . 2005-08-09 17:46 -------- d-----w- c:\documents and settings\Catherine\Application Data\Apple Computer
2009-09-12 20:53 . 2009-09-12 20:51 -------- d-----w- c:\program files\iTunes
2009-09-12 20:53 . 2009-09-12 20:51 -------- d-----w- c:\documents and settings\All Users\Application Data\{755AC846-7372-4AC8-8550-C52491DAA8BD}
2009-09-12 20:52 . 2005-08-09 17:44 -------- d-----w- c:\program files\iPod
2009-09-12 20:51 . 2007-07-19 18:23 -------- d-----w- c:\program files\Common Files\Apple
2009-09-12 20:46 . 2009-09-12 20:45 -------- d-----w- c:\program files\QuickTime
2009-09-12 20:32 . 2009-09-12 20:32 79144 ----a-w- c:\documents and settings\All Users\Application Data\Apple Computer\Installer Cache\iTunes 9.0.0.70\SetupAdmin.exe
2009-08-31 17:12 . 2009-08-31 17:09 256 ----a-w- c:\windows\system32\pool.bin
2009-08-31 17:08 . 2009-08-31 17:08 10134 ----a-r- c:\documents and settings\Catherine\Application Data\Microsoft\Installer\{62880A3B-2F9C-4C58-8FFA-1DA280262B5E}\ARPPRODUCTICON.exe
2009-08-26 12:42 . 2009-08-26 12:42 152576 ----a-w- c:\documents and settings\Catherine\Application Data\Sun\Java\jre1.6.0_15\lzma.dll
2009-08-23 12:53 . 2008-01-25 12:07 2406160 ----a-w- c:\documents and settings\Catherine\Application Data\1&1\1&1 EasyLogin\update\EasyLogin_setup_US.exe
2009-08-10 05:22 . 2009-09-29 17:32 2710905 -c--a-w- c:\documents and settings\All Users\Application Data\{5CF2916D-6AA4-47BF-B59D-D24FEA0C91E3}\Blueberry PDF Form Filler Setup.exe
2009-08-10 05:21 . 2009-09-29 17:20 380928 -c--a-w- c:\documents and settings\All Users\Application Data\{5CF2916D-6AA4-47BF-B59D-D24FEA0C91E3}\OFFLINE\1B3DF940\21E1A0D9\Blueberry PDF Form Filler.exe
2003-06-30 21:40 . 2003-06-30 21:40 0 ----a-w- c:\program files\meta.txt
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{201f27d4-3704-41d6-89c1-aa35e39143ed}]
2008-10-03 15:19 325000 ----a-w- c:\program files\AskBarDis\bar\bin\askBar.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
"{3041d03e-fd4b-44e0-b742-2d9b88305f98}"= "c:\program files\AskBarDis\bar\bin\askBar.dll" [2008-10-03 325000]

[HKEY_CLASSES_ROOT\clsid\{3041d03e-fd4b-44e0-b742-2d9b88305f98}]
[HKEY_CLASSES_ROOT\TypeLib\{4b1c1e16-6b34-430e-b074-5928eca4c150}]

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\Webbrowser]
"{3041D03E-FD4B-44E0-B742-2D9B88305F98}"= "c:\program files\AskBarDis\bar\bin\askBar.dll" [2008-10-03 325000]

[HKEY_CLASSES_ROOT\clsid\{3041d03e-fd4b-44e0-b742-2d9b88305f98}]
[HKEY_CLASSES_ROOT\TypeLib\{4b1c1e16-6b34-430e-b074-5928eca4c150}]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"msnmsgr"="c:\program files\Windows Live\Messenger\MsnMsgr.Exe" [2009-07-26 3883856]
"Mobipocket Reader Notifications"="c:\program files\Mobipocket.com\Mobipocket Reader\readernotify.exe" [2006-06-20 57344]
"updateMgr"="c:\program files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe" [2006-03-30 313472]
"swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2007-07-27 68856]
"1&1 EasyLogin"="c:\program files\1&1\1&1 EasyLogin\EasyLogin.exe" [2009-08-18 2200576]
"NBJ"="c:\program files\Ahead\Nero BackItUp\NBJ.exe" [2005-05-19 1957888]
"VeohPlugin"="c:\program files\Veoh Networks\VeohWebPlayer\veohwebplayer.exe" [2009-04-03 3558648]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2004-08-04 15360]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NvCplDaemon"="NvQTwk" [X]
"CPQEASYACC"="c:\program files\Compaq\Easy Access Button Support\StartEAK.exe" [2001-08-15 28672]
"WCOLOREAL"="c:\program files\COMPAQ\Coloreal\coloreal.exe" [2001-09-26 131072]
"Microsoft Works Portfolio"="c:\program files\Microsoft Works\WksSb.exe" [2000-07-13 311350]
"Microsoft Works Update Detection"="c:\program files\Microsoft Works\WkDetect.exe" [2000-07-13 28739]
"srmclean"="c:\cpqs\Scom\srmclean.exe" [2001-07-24 36864]
"AdaptecDirectCD"="c:\program files\Adaptec\Easy CD Creator 5\DirectCD\DirectCD.exe" [2001-10-17 655360]
"Dell AIO Printer A920"="c:\program files\Dell AIO Printer A920\dlbkbmgr.exe" [2003-06-02 270336]
"LWBMOUSE"="c:\program files\Tech\Wheel Mouse\5.0\MOUSE32A.EXE" [2002-05-24 357376]
"TkBellExe"="c:\program files\Common Files\Real\Update_OB\realsched.exe" [2004-03-27 180269]
"Google Desktop Search"="c:\program files\Google\Google Desktop Search\GoogleDesktop.exe" [2007-07-19 1836544]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2009-07-25 149280]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2009-09-05 417792]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2009-09-09 305440]
"Malwarebytes Anti-Malware (reboot)"="c:\program files\Malwarebytes' Anti-Malware\newone.exe" [2009-09-10 1312080]
"avgnt"="c:\program files\Avira\AntiVir Desktop\avgnt.exe" [2009-03-02 209153]
"Smapp"="Smtray.exe" - c:\windows\system32\SMTray.exe [2001-06-01 224256]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce]
"tscuninstall"="c:\windows\system32\tscupgrd.exe" [2004-08-04 44544]

c:\documents and settings\User\Start Menu\Programs\Startup\
HotSync Manager.lnk - c:\palm\HOTSYNC.EXE [2002-8-9 299008]
PowerReg Scheduler V3.exe [2002-12-29 225280]

c:\documents and settings\Catherine\Start Menu\Programs\Startup\
HotSync Manager.lnk - c:\palm\HOTSYNC.EXE [2002-8-9 299008]
PowerReg Scheduler V3.exe [2008-10-3 225280]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
Adobe Reader Speed Launch.lnk - c:\program files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2005-9-23 29696]
DateInTray.lnk - c:\program files\DateInTray\DateInTray.exe [2006-2-15 78848]
Microsoft Office.lnk - c:\program files\Microsoft Office\Office10\OSA.EXE [2001-2-13 83360]
office.exe [2009-6-25 121207]

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusOverride"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Real\\RealPlayer\\realplay.exe"=
"c:\\WINDOWS\\system32\\LEXPPS.EXE"=
"c:\\WINDOWS\\system32\\ftp.exe"=
"c:\\Program Files\\COMPAQ\\WinDVD\\WinDVD.exe"=
"c:\\Program Files\\FTR\\FTR Gold\\FTRReporter.exe"=
"c:\\Program Files\\Macromedia\\Dreamweaver MX 2004\\Dreamweaver.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\wlcsdk.exe"=
"c:\\Program Files\\Veoh Networks\\VeohWebPlayer\\veohwebplayer.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\\Program Files\\Verizon\\Verizon Media Manager\\Release\\Verizon Media Manager.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=
"c:\\Program Files\\iPod\\bin\\iPodService.exe"=
"c:\\Program Files\\Yahoo!\\Messenger\\YServer.exe"=
"c:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe"=
"c:\\WINDOWS\\system32\\regsvr32.exe"=
"c:\\Program Files\\Malwarebytes' Anti-Malware\\newone.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"135:TCP"= 135:TCP:*:Disabled:TheRecord DCOM Port

R2 AntiVirSchedulerService;Avira AntiVir Scheduler;c:\program files\Avira\AntiVir Desktop\sched.exe [10/28/2009 8:04 AM 108289]
R2 X4HS16;X4HS16;c:\program files\EXEtender\X4HS16.sys [8/19/2003 8:00 PM 19691]
S1 EACMOS;EACMOS;c:\windows\system32\drivers\EACMOS.SYS --> c:\windows\system32\drivers\EACMOS.SYS [?]
S2 WinRT;WinRT Toolkit Generic Driver;c:\windows\system32\drivers\WinRT.sys [2/24/2005 1:38 PM 99360]
S3 Gcr432;Gcr432;c:\windows\system32\drivers\Gcr432.sys [9/6/2001 1:05 PM 89371]
S3 hwi4857;Duo Digital Media Player;c:\windows\system32\drivers\hwi4857.sys [1/31/2003 9:29 PM 10532]
S3 Otis;Audible Otis Service;c:\windows\system32\drivers\OtisPlay.sys [3/8/2003 7:26 AM 9472]
S3 PortRst;BaromTec HMS30C6001 Reset Driver;c:\windows\system32\drivers\PortRST.sys [1/29/2002 5:33 PM 12721]
S4 mrtRate;mrtRate;c:\windows\system32\drivers\MrtRate.sys [4/28/2002 1:25 PM 36404]

--- Other Services/Drivers In Memory ---

*NewlyCreated* - MBR
*Deregistered* - mbr
.
Contents of the 'Scheduled Tasks' folder

2009-09-15 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2007-08-29 16:34]

2001-12-26 c:\windows\Tasks\Registration reminder 2.job
- c:\windows\System32\OOBE\oobebaln.exe [2001-12-13 07:56]

2001-12-26 c:\windows\Tasks\Registration reminder 3.job
- c:\windows\System32\OOBE\oobebaln.exe [2001-12-13 07:56]

2009-11-04 c:\windows\Tasks\Symantec NetDetect.job
- c:\program files\Symantec\LiveUpdate\NDETECT.EXE [2002-08-25 17:24]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.lesliehale.com/
uSearch Page = hxxp://www.google.com
uSearch Bar = hxxp://www.google.com/ie
uInternet Connection Wizard,ShellNext = https://customer.symantec.com/NASApp/web/Pl...p;p_vendor_tag=
uInternet Settings,ProxyOverride = <local>;*.local
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
IE: E&xport to Microsoft Excel - c:\progra~1\MI1933~1\Office10\EXCEL.EXE/3000
IE: Search &Dictionary - c:\program files\Lexico\Toolbar\dictionary.htm
IE: Search &Thesaurus - c:\program files\Lexico\Toolbar\thesaurus.htm
DPF: Microsoft XML Parser for Java - file://c:\windows\Java\classes\xmldso.cab
DPF: vzTCPConfig - hxxp://www.verizon.net/checkmypc/includes/vzTCPConfig.CAB
DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} - hxxp://software-dl.real.com/01017a2d3f98e0e93b21/netzip/RdxIE601.cab
DPF: {72944257-0AE0-44FD-8A51-AA21853092C8} - hxxps://mycampus.phoenix.edu/secure/PhxStudent15.CAB
DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} - hxxp://games.pogo.com/online2/pogo/bejeweled2/popcaploader_v6.cab
DPF: {F6676623-8BBD-479C-A51B-05868728708C} - hxxp://www.digitaldm.com/Plug-in/myebk/c/DIGITALDM2.cab
.
- - - - ORPHANS REMOVED - - - -

BHO-{5f414075-a602-4ca4-a231-4b799c981ba4} - fakugupu.dll
HKLM-Run-BJCFD - c:\program files\BroadJump\Client Foundation\CFD.exe
HKLM-Run-WorksFUD - (no file)
SharedTaskScheduler-{3b1a9b0d-05ca-4288-a290-622f7cdd4881} - c:\windows\system32\pogobiwu.dll
SSODL-goyuvukiz-{3b1a9b0d-05ca-4288-a290-622f7cdd4881} - c:\windows\system32\pogobiwu.dll



**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-11-04 19:37
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'explorer.exe'(3368)
c:\progra~1\WINDOW~3\wmpband.dll
c:\program files\Tech\Wheel Mouse\5.0\MOUDL32A.DLL
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
------------------------ Other Running Processes ------------------------
.
c:\windows\system32\LEXBCES.EXE
c:\windows\system32\LEXPPS.EXE
c:\windows\System32\SCardSvr.exe
c:\windows\System32\PackethSvc.exe
c:\program files\Avira\AntiVir Desktop\avguard.exe
c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
c:\program files\Bonjour\mDNSResponder.exe
c:\windows\System32\drivers\CDAC11BA.EXE
c:\program files\Compaq\Compaq Advisor\bin\compaq-rba.exe
c:\windows\system32\inetsrv\inetinfo.exe
c:\program files\Java\jre6\bin\jqs.exe
c:\program files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
c:\windows\System32\nvsvc32.exe
c:\windows\system32\pctspk.exe
c:\program files\Compaq\Easy Access Button Support\CPQEADM.EXE
c:\compaq\CPQINET\CPQInet.exe
c:\compaq\EAKDRV\EAUSBKBD.EXE
c:\progra~1\Compaq\EASYAC~1\BttnServ.exe
c:\program files\Dell AIO Printer A920\dlbkbmon.exe
c:\program files\iPod\bin\iPodService.exe
c:\progra~1\Compaq\COMPAQ~1\bin\nda.exe
.
**************************************************************************
.
Completion time: 2009-11-05 20:36 - machine was rebooted
ComboFix-quarantined-files.txt 2009-11-05 01:36

Pre-Run: 23,978,127,360 bytes free
Post-Run: 25,562,042,368 bytes free

WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Professional" /fastdetect /NoExecute=OptIn

Just let me know what you want me to do next, if anything. Have a good one!
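Two of the things a log reviewer checks by eye in the ComboFix report above are the Vundo-style DLL names (every Trojan.Vundo module in this thread is eight lowercase letters in strict consonant/vowel alternation: jijejamu, pilipeho, fakugupu, pogobiwu, and so on) and the Windows firewall exception list, where entries for built-in binaries such as ftp.exe and regsvr32.exe are worth questioning on a home PC. The script below is an added example written for this page, not ComboFix's own code or anything posted in the thread; the naming heuristic and the list of system binaries to question are the reviewer's own assumptions, and the sample input is a few lines copied from the report above rather than a live system.

```python
"""Triage helpers for a ComboFix-style report (added example, not ComboFix code).

Rule 1 - Vundo-family DLL names: stem is exactly eight lowercase letters in
strict consonant/vowel alternation.  This is a heuristic assumed here from the
names seen in this thread, not a published signature; legitimate DLLs can
match it, so hits are leads to verify, not verdicts.

Rule 2 - firewall exceptions for built-in Windows binaries: an entry under
AuthorizedApplications for regsvr32.exe or ftp.exe is unusual on a home PC.
The set of binaries to question is the reviewer's own choice.
"""
import re

# Constructed sample: lines copied from the report above, not a live system.
SAMPLE_REPORT = r"""
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Real\\RealPlayer\\realplay.exe"=
"c:\\WINDOWS\\system32\\ftp.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\WINDOWS\\system32\\regsvr32.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"135:TCP"= 135:TCP:*:Disabled:TheRecord DCOM Port

- - - - ORPHANS REMOVED - - - -

BHO-{5f414075-a602-4ca4-a231-4b799c981ba4} - fakugupu.dll
HKLM-Run-BJCFD - c:\program files\BroadJump\Client Foundation\CFD.exe
SharedTaskScheduler-{3b1a9b0d-05ca-4288-a290-622f7cdd4881} - c:\windows\system32\pogobiwu.dll
"""

VOWELS = set("aeiou")

# Reviewer's assumption: Windows binaries that should not normally need their
# own inbound firewall exception on a home machine.
SYSTEM_BINARIES_TO_QUESTION = {"regsvr32.exe", "ftp.exe", "rundll32.exe", "cmd.exe"}

DLL_RE = re.compile(r"([A-Za-z0-9_]+\.dll)\b", re.IGNORECASE)


def looks_like_vundo_name(filename):
    """True if the stem is 8 lowercase letters alternating consonant/vowel,
    starting with a consonant (e.g. 'fakugupu', 'pogobiwu')."""
    stem = filename.rsplit(".", 1)[0] if "." in filename else filename
    if len(stem) != 8 or not stem.isalpha() or not stem.islower():
        return False
    # Even positions must be consonants, odd positions vowels.
    return all((ch in VOWELS) == (i % 2 == 1) for i, ch in enumerate(stem))


def find_vundo_like_dlls(report):
    """Sorted unique DLL names anywhere in the report that match the heuristic."""
    hits = {name.lower() for name in DLL_RE.findall(report)
            if looks_like_vundo_name(name.lower())}
    return sorted(hits)


def section_lines(report, key_fragment):
    """Yield the quoted value lines under the [...] header containing key_fragment."""
    in_section = False
    for line in report.splitlines():
        if line.startswith("["):
            in_section = key_fragment.lower() in line.lower()
            continue
        if in_section and line.startswith('"'):
            yield line


def questionable_firewall_exceptions(report):
    """Basenames of authorized applications that are on the question list."""
    found = []
    for line in section_lines(report, "AuthorizedApplications"):
        path = line.split('"')[1]                       # text inside the first quotes
        basename = path.replace("\\\\", "\\").rsplit("\\", 1)[-1].lower()
        if basename in SYSTEM_BINARIES_TO_QUESTION:
            found.append(basename)
    return found


def triage(report):
    """Both checks in one dict, ready to paste into a reply."""
    return {
        "vundo_like_dlls": find_vundo_like_dlls(report),
        "questionable_firewall_exceptions": questionable_firewall_exceptions(report),
    }


if __name__ == "__main__":
    for key, value in triage(SAMPLE_REPORT).items():
        print(f"{key}: {value}")
```

On the sample above it reports fakugupu.dll and pogobiwu.dll under the first rule and ftp.exe and regsvr32.exe under the second; sessmgr.exe (Remote Assistance) is a default exception and is left alone. The port entry for 135/TCP is marked Disabled in the report, so it is not flagged either.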
johnnyt
By the way, I just ran another quick scan with Malwarebytes and this is the log. It still caught some adware but I am guessing that has something to do with the REAL bar. Not sure how it showed up but it's there. Any ideas on how to get rid of it? Thanks

Malwarebytes' Anti-Malware 1.41
Database version: 3098
Windows 5.1.2600 Service Pack 2

11/4/2009 9:03:55 PM
mbam-log-2009-11-04 (21-03-55).txt

Scan type: Quick Scan
Objects scanned: 139045
Time elapsed: 13 minute(s), 54 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 3
Files Infected: 15

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
C:\Program Files\dynamic toolbar (Adware.2020search) -> Quarantined and deleted successfully.
C:\Program Files\dynamic toolbar\REALBAR (Adware.2020search) -> Quarantined and deleted successfully.
C:\Program Files\dynamic toolbar\REALBAR\Cache (Adware.2020search) -> Quarantined and deleted successfully.

Files Infected:
C:\Program Files\dynamic toolbar\REALBAR\Cache\bubble.bmp (Adware.2020search) -> Quarantined and deleted successfully.
C:\Program Files\dynamic toolbar\REALBAR\Cache\bubble16.bmp (Adware.2020search) -> Quarantined and deleted successfully.
C:\Program Files\dynamic toolbar\REALBAR\Cache\celebs.bmp (Adware.2020search) -> Quarantined and deleted successfully.
C:\Program Files\dynamic toolbar\REALBAR\Cache\gotb.bmp (Adware.2020search) -> Quarantined and deleted successfully.
C:\Program Files\dynamic toolbar\REALBAR\Cache\highlight.bmp (Adware.2020search) -> Quarantined and deleted successfully.
C:\Program Files\dynamic toolbar\REALBAR\Cache\hotstuff.bmp (Adware.2020search) -> Quarantined and deleted successfully.
C:\Program Files\dynamic toolbar\REALBAR\Cache\hotstuffsm.bmp (Adware.2020search) -> Quarantined and deleted successfully.
C:\Program Files\dynamic toolbar\REALBAR\Cache\movies.bmp (Adware.2020search) -> Quarantined and deleted successfully.
C:\Program Files\dynamic toolbar\REALBAR\Cache\music.bmp (Adware.2020search) -> Quarantined and deleted successfully.
C:\Program Files\dynamic toolbar\REALBAR\Cache\news.bmp (Adware.2020search) -> Quarantined and deleted successfully.
C:\Program Files\dynamic toolbar\REALBAR\Cache\ngames.bmp (Adware.2020search) -> Quarantined and deleted successfully.
C:\Program Files\dynamic toolbar\REALBAR\Cache\radio.bmp (Adware.2020search) -> Quarantined and deleted successfully.
C:\Program Files\dynamic toolbar\REALBAR\Cache\REALBARTB0115.cfg (Adware.2020search) -> Quarantined and deleted successfully.
C:\Program Files\dynamic toolbar\REALBAR\Cache\rollingstone.bmp (Adware.2020search) -> Quarantined and deleted successfully.
C:\Program Files\dynamic toolbar\REALBAR\Cache\sports.bmp (Adware.2020search) -> Quarantined and deleted successfully.
BHowett
Hi johnnyt,

Looking much better. Please do the following…

OTM by OldTimer

Please download OTM
  • Save it to your desktop.
  • Please double-click OTM to run it. (Note: If you are running on Vista, right-click on the file and choose Run As Administrator).
  • Copy the lines in the codebox below to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose Copy):

    CODE
    :Processes
    explorer.exe

    :Services

    :Reg

    :Files
    c:\documents and settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr0.dat
    c:\documents and settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr1.dat

    :Commands
    [purity]
    [emptytemp]
    [Reboot]

  • Return to OTM, right click in the "Paste Instructions for Items to be Moved" window (under the yellow bar) and choose Paste.
  • Click the red Moveit! button.
  • Copy everything in the Results window (under the green bar) to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose copy), and paste it in your next reply.
  • Close OTM and reboot your PC.

Note: If a file or folder cannot be moved immediately you may be asked to reboot the machine to finish the move process. If you are asked to reboot the machine choose Yes. In this case, after the reboot, open Notepad (Start->All Programs->Accessories->Notepad), click File->Open, in the File Name box enter *.log and press the Enter key. Navigate to the C:\_OTMoveIt\MovedFiles folder, open the newest .log file present, and copy/paste the contents of that document back here in your next post.

===============================================

You have some leftovers from Norton still running, so let's get rid of them…

Norton Removal Tool

Please visit Symantec support by clicking HERE

Choose the Norton product you had installed.

Then follow the steps listed on the page that opens.

===============================================

ATF Cleaner

Please download ATF Cleaner by Atribune.
This program is for XP and Windows 2000 only
    Double-click ATF-Cleaner.exe to run the program.
    Under Main choose: Select All
    Click the Empty Selected button.
If you use Firefox browser
    Click Firefox at the top and choose: Select All
    Click the Empty Selected button.
    NOTE: If you would like to keep your saved passwords, please click No at the prompt.
If you use Opera browser
    Click Opera at the top and choose: Select All
    Click the Empty Selected button.
    NOTE: If you would like to keep your saved passwords, please click No at the prompt.
Click Exit on the Main menu to close the program.
For Technical Support, double-click the e-mail address located at the bottom of each menu.

===============================================

Kaspersky WebScanner
Please go to the Kaspersky website and perform an online antivirus scan.

  1. Read through the requirements and privacy statement and click on Accept button.
  2. It will start downloading and installing the scanner and virus definitions. You will be prompted to install an application from Kaspersky. Click Run.
  3. When the downloads have finished, click on Settings.
  4. Make sure these boxes are checked (ticked). If they are not, please tick them and click on the Save button:
      Spyware, Adware, Dialers, and other potentially dangerous programs
      Archives
      Mail databases
  5. Click on My Computer under Scan.
  6. Once the scan is complete, it will display the results. Click on View Scan Report.
  7. You will see a list of infected items there. Click on Save Report As....
  8. Save this report to a convenient place. Change the Files of type to Text file (.txt) before clicking on the Save button.
  9. Please post this log in your next reply.

===============================================

Needed in your next reply

OTM log
Kaspersky WebScanner results
Fresh HijackThis log

And as always, let me know how things are running.
johnnyt
Hi BHowett,

I just wanted to let you know that I have done all that you asked in the previous post EXCEPT the online scan. I ran it twice and each time it just stopped scanning. The first time after about 3 hours! I ran it again and it lasted about 50 minutes and then stopped. I knew it stopped because the time counter stopped. Anyhow, I'm going to run it again today and post the log as soon as it finishes (I hope). I am copying the other 2 logs you asked for.

OTM log:

All processes killed
========== PROCESSES ==========
No active process named explorer.exe was found!
========== SERVICES/DRIVERS ==========
========== REGISTRY ==========
========== FILES ==========
File move failed. c:\documents and settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr0.dat scheduled to be moved on reboot.
File move failed. c:\documents and settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr1.dat scheduled to be moved on reboot.
========== COMMANDS ==========

[EMPTYTEMP]

User: All Users

User: Catherine
->Temp folder emptied: 2064562 bytes
->Temporary Internet Files folder emptied: 45916225 bytes
->Java cache emptied: 140982071 bytes

User: Default User
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 67 bytes

User: John Tomasi
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 67 bytes

User: johntomasi
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 67 bytes
->Java cache emptied: 1405131 bytes

User: LocalService
->Temp folder emptied: 0 bytes
File delete failed. C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\index.dat scheduled to be deleted on reboot.
->Temporary Internet Files folder emptied: 49286 bytes

User: NetworkService
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 33170 bytes

User: Owner
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 67 bytes

User: tomasijo

User: User
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 1143523 bytes

%systemdrive% .tmp files removed: 0 bytes
C:\WINDOWS\msdownld.tmp folder deleted successfully.
%systemroot% .tmp files removed: 1119049 bytes
%systemroot%\System32 .tmp files removed: 2577 bytes
Windows Temp folder emptied: 664 bytes
RecycleBin emptied: 0 bytes

Total Files Cleaned = 183.79 mb


OTM by OldTimer - Version 3.0.0.6 log created on 11052009_115531

Files moved on Reboot...
File move failed. c:\documents and settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr0.dat scheduled to be moved on reboot.
File move failed. c:\documents and settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr1.dat scheduled to be moved on reboot.

Registry entries deleted on Reboot...


Hijackthis log:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 7:37:14 AM, on 11/6/2009
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\LEXPPS.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Avira\AntiVir Desktop\sched.exe
C:\WINDOWS\System32\PackethSvc.exe
C:\Program Files\Avira\AntiVir Desktop\avguard.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\WINDOWS\System32\drivers\CDAC11BA.EXE
C:\Program Files\Compaq\Compaq Advisor\bin\compaq-rba.exe
C:\WINDOWS\system32\inetsrv\inetinfo.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\system32\pctspk.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Compaq\Easy Access Button Support\StartEAK.exe
C:\Program Files\Compaq\Easy Access Button Support\CPQEADM.EXE
C:\COMPAQ\CPQINET\CPQInet.exe
C:\WINDOWS\system32\Smtray.exe
C:\Compaq\EAKDRV\EAUSBKBD.EXE
C:\PROGRA~1\Compaq\EASYAC~1\BttnServ.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Adaptec\Easy CD Creator 5\DirectCD\DirectCD.exe
C:\Program Files\Dell AIO Printer A920\dlbkbmgr.exe
C:\Program Files\Dell AIO Printer A920\dlbkbmon.exe
C:\Program Files\Tech\Wheel Mouse\5.0\MOUSE32A.EXE
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Avira\AntiVir Desktop\avgnt.exe
C:\Program Files\Windows Live\Messenger\MsnMsgr.Exe
C:\Program Files\Mobipocket.com\Mobipocket Reader\readernotify.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\Program Files\1&1\1&1 EasyLogin\EasyLogin.exe
C:\Program Files\Veoh Networks\VeohWebPlayer\veohwebplayer.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\DateInTray\DateInTray.exe
C:\Palm\HOTSYNC.EXE
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.lesliehale.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = https://customer.symantec.com/NASApp/web/Pl...p;p_vendor_tag=
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: Lexico Toolbar - {11359F4A-B191-42d7-905A-594F8CF0387B} - C:\WINDOWS\Downloaded Program Files\CONFLICT.1\lexbar.dll
O2 - BHO: AskBar BHO - {201f27d4-3704-41d6-89c1-aa35e39143ed} - C:\Program Files\AskBarDis\bar\bin\askBar.dll
O2 - BHO: REALBAR - {4E7BD74F-2B8D-469E-C0FF-FD60B590A87D} - C:\PROGRA~1\COMMON~1\Real\Toolbar\realbar.dll
O2 - BHO: (no name) - {5C255C8A-E604-49b4-9D64-90988571CECB} - (no file)
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - C:\Program Files\Google\Google Toolbar\GoogleToolbar_32.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\5.3.4501.1418\swg.dll
O2 - BHO: Google Dictionary Compression sdch - {C84D72FE-E17D-4195-BB24-76C02E2E7C4E} - C:\Program Files\Google\Google Toolbar\Component\fastsearch_B7C5AC242193BB3E.dll
O2 - BHO: Java™ Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O3 - Toolbar: REALBAR - {4E7BD74F-2B8D-469E-C0FF-FD60B590A87D} - C:\PROGRA~1\COMMON~1\Real\Toolbar\realbar.dll
O3 - Toolbar: Dictionary.com - {11359F4A-B191-42D7-905A-594F8CF0387B} - C:\WINDOWS\Downloaded Program Files\CONFLICT.1\lexbar.dll
O3 - Toolbar: Ask Toolbar - {3041d03e-fd4b-44e0-b742-2d9b88305f98} - C:\Program Files\AskBarDis\bar\bin\askBar.dll
O3 - Toolbar: Veoh Web Player Video Finder - {0FBB9689-D3D7-4f7a-A2E2-585B10099BFC} - C:\Program Files\Veoh Networks\VeohWebPlayer\VeohIEToolbar.dll
O3 - Toolbar: Veoh Video Compass - {52836EB0-631A-47B1-94A6-61F9D9112DAE} - C:\Program Files\Veoh Networks\Veoh Video Compass\SearchRecsPlugin.dll
O3 - Toolbar: Google Toolbar - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - C:\Program Files\Google\Google Toolbar\GoogleToolbar_32.dll
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE NvQTwk,NvCplDaemon initialize
O4 - HKLM\..\Run: [CPQEASYACC] C:\Program Files\Compaq\Easy Access Button Support\StartEAK.exe
O4 - HKLM\..\Run: [WCOLOREAL] "C:\Program Files\COMPAQ\Coloreal\coloreal.exe"
O4 - HKLM\..\Run: [Smapp] Smtray.exe
O4 - HKLM\..\Run: [Microsoft Works Portfolio] C:\Program Files\Microsoft Works\WksSb.exe /AllUsers
O4 - HKLM\..\Run: [Microsoft Works Update Detection] C:\Program Files\Microsoft Works\WkDetect.exe
O4 - HKLM\..\Run: [srmclean] C:\Cpqs\Scom\srmclean.exe
O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Program Files\Adaptec\Easy CD Creator 5\DirectCD\DirectCD.exe"
O4 - HKLM\..\Run: [Dell AIO Printer A920] "C:\Program Files\Dell AIO Printer A920\dlbkbmgr.exe"
O4 - HKLM\..\Run: [LWBMOUSE] C:\Program Files\Tech\Wheel Mouse\5.0\MOUSE32A.EXE
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [Google Desktop Search] "C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe" /startup
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [Malwarebytes Anti-Malware (reboot)] "C:\Program Files\Malwarebytes' Anti-Malware\newone.exe" /runcleanupscript
O4 - HKLM\..\Run: [avgnt] "C:\Program Files\Avira\AntiVir Desktop\avgnt.exe" /min
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\Windows Live\Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [Mobipocket Reader Notifications] C:\Program Files\Mobipocket.com\Mobipocket Reader\readernotify.exe
O4 - HKCU\..\Run: [updateMgr] "C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe" AcRdB7_0_8 -reboot 1
O4 - HKCU\..\Run: [swg] "C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe"
O4 - HKCU\..\Run: [1&1 EasyLogin] C:\Program Files\1&1\1&1 EasyLogin\EasyLogin.exe
O4 - HKCU\..\Run: [NBJ] "C:\Program Files\Ahead\Nero BackItUp\NBJ.exe"
O4 - HKCU\..\Run: [VeohPlugin] "C:\Program Files\Veoh Networks\VeohWebPlayer\veohwebplayer.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKUS\S-1-5-18\..\RunOnce: [tscuninstall] %systemroot%\system32\tscupgrd.exe (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\RunOnce: [tscuninstall] %systemroot%\system32\tscupgrd.exe (User 'Default user')
O4 - Startup: HotSync Manager.lnk = C:\Palm\HOTSYNC.EXE
O4 - Startup: PowerReg Scheduler V3.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: DateInTray.lnk = C:\Program Files\DateInTray\DateInTray.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: office.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MI1933~1\Office10\EXCEL.EXE/3000
O8 - Extra context menu item: Search &Dictionary - C:\Program files\Lexico\Toolbar\dictionary.htm
O8 - Extra context menu item: Search &Thesaurus - C:\Program files\Lexico\Toolbar\thesaurus.htm
O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)
O9 - Extra button: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .nwc: C:\Program Files\NoteWorthy Software\NWC Browser Plugin\npnwcw32.dll
O14 - IERESET.INF: START_PAGE_URL=http://www.rr.com
O16 - DPF: vzTCPConfig - http://www.verizon.net/checkmypc/includes/vzTCPConfig.CAB
O16 - DPF: {05CA9FB0-3E3E-4B36-BF41-0E3A5CAA8CD8} (Office Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=67633
O16 - DPF: {0CCA191D-13A6-4E29-B746-314DEE697D83} (Facebook Photo Uploader 5 Control) - http://upload.facebook.com/controls/2008.1...toUploader5.cab
O16 - DPF: {1239CC52-59EF-4DFA-8C61-90FFA846DF7E} (Musicnotes Viewer) - http://www.musicnotes.com/download/mnviewer.cab
O16 - DPF: {238F6F83-B8B4-11CF-8771-00A024541EE3} (WficaCtl Object) - http://www.genisar.com/files/genplug60.cab
O16 - DPF: {288451AE-BE24-4216-B946-8600E0498584} (DASWebShop Class) - http://das.microsoft.com/activate/cab/x86/...tail/DASAct.cab
O16 - DPF: {406B5949-7190-4245-91A9-30A17DE16AD0} (Snapfish Activia) - http://www.yorkphoto.com/YorkActivia.cab
O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} (RdxIE Class) - http://software-dl.real.com/01017a2d3f98e0...ip/RdxIE601.cab
O16 - DPF: {62475759-9E84-458E-A1AB-5D2C442ADFDE} - http://a1540.g.akamai.net/7/1540/52/200312...meInstaller.exe
O16 - DPF: {6A060448-60F9-11D5-A6CD-0002B31F7455} (ExentInf Class) - http://us.games2.yimg.com/download.games.y...ctl_0_0_0_1.ocx
O16 - DPF: {72944257-0AE0-44FD-8A51-AA21853092C8} (PhxStudent.OeSetup15) - https://mycampus.phoenix.edu/secure/PhxStudent15.CAB
O16 - DPF: {9059F30F-4EB1-4BD2-9FDC-36F43A218F4A} (Microsoft RDP Client Control (redist)) - http://www.server.recordtranscripts.com/msrdp.cab
O16 - DPF: {90C9629E-CD32-11D3-BBFB-00105A1F0D68} (InstallShield International Setup Player) - http://www.installengine.com/engine/isetup.cab
O16 - DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} (PopCapLoader Object) - http://games.pogo.com/online2/pogo/bejewel...aploader_v6.cab
O16 - DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - http://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
O16 - DPF: {E7D2588A-7FB5-47DC-8830-832605661009} (Live Collaboration) - http://livesc03.rightnowtech.com/audible/a...l/java/RntX.cab
O16 - DPF: {F0E2D69A-DC2F-4E9B-A993-684FB1C21DBC} - http://dictionary.reference.com/tools/toolbar/lexico.cab
O16 - DPF: {F2CA2115-C8D2-11D1-BEBD-00A0C95A6A5C} (WebReportSource Class) - http://reports.jud11.flcourts.org/viewer/a...tivexviewer.cab
O16 - DPF: {F6676623-8BBD-479C-A51B-05868728708C} (DigitalDM) - http://www.digitaldm.com/Plug-in/myebk/c/DIGITALDM2.cab
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = rtitampa.com
O17 - HKLM\Software\..\Telephony: DomainName = rtitampa.com
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = rtitampa.com
O23 - Service: Avira AntiVir Scheduler (AntiVirSchedulerService) - Avira GmbH - C:\Program Files\Avira\AntiVir Desktop\sched.exe
O23 - Service: Avira AntiVir Guard (AntiVirService) - Avira GmbH - C:\Program Files\Avira\AntiVir Desktop\avguard.exe
O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: C-DillaCdaC11BA - Macrovision - C:\WINDOWS\System32\drivers\CDAC11BA.EXE
O23 - Service: Compaq Advisor (Compaq_RBA) - NeoPlanet - C:\Program Files\Compaq\Compaq Advisor\bin\compaq-rba.exe
O23 - Service: GoogleDesktopManager - Google - C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe
O23 - Service: Google Software Updater (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: Macromedia Licensing Service - Macromedia - C:\Program Files\Common Files\Macromedia Shared\Service\Macromedia Licensing.exe
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: Virtual NIC Service (PackethSvc) - America Online, Inc. - C:\WINDOWS\System32\PackethSvc.exe
O23 - Service: PCTEL Speaker Phone (Pctspk) - PCtel, Inc. - C:\WINDOWS\system32\pctspk.exe

--
End of file - 13900 bytes

So far everything is still running great. Shutdown last night was a little weird but I figured that may have had something to do with the online scan.

Thanks
BHowett
Hello again,

Yeah, sometimes the online scans don't want to play right. Let's do the following...

Fix with HijackThis

Please re-open HiJackThis and scan. Check the boxes next to all the entries listed below.

O2 - BHO: AskBar BHO - {201f27d4-3704-41d6-89c1-aa35e39143ed} - C:\Program Files\AskBarDis\bar\bin\askBar.dll
O2 - BHO: REALBAR - {4E7BD74F-2B8D-469E-C0FF-FD60B590A87D} - C:\PROGRA~1\COMMON~1\Real\Toolbar\realbar.dll
O2 - BHO: (no name) - {5C255C8A-E604-49b4-9D64-90988571CECB} - (no file)
O3 - Toolbar: Ask Toolbar - {3041d03e-fd4b-44e0-b742-2d9b88305f98} - C:\Program Files\AskBarDis\bar\bin\askBar.dll
O4 - Startup: PowerReg Scheduler V3.exe
O4 - Global Startup: office.exe
O8 - Extra context menu item: Search &Dictionary - C:\Program files\Lexico\Toolbar\dictionary.htm
O8 - Extra context menu item: Search &Thesaurus - C:\Program files\Lexico\Toolbar\thesaurus.htm
O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)


Now close all windows other than HiJackThis, then click Fix Checked. Close HiJackThis.


===============================================

OTM by OldTimer

  • Please double-click OTM to run it. (Note: If you are running on Vista, right-click on the file and choose Run As Administrator).
  • Copy the lines in the codebox below to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose Copy):

    CODE
    :Processes
    explorer.exe

    :Services

    :Reg

    :Files
    C:\Program Files\AskBarDis
    C:\Program Files\Common Files\Real\Toolbar
    C:\Program files\Lexico
    :Commands
    [purity]
    [emptytemp]
    [Reboot]

  • Return to OTM, right click in the "Paste Instructions for Items to be Moved" window (under the yellow bar) and choose Paste.
  • Click the red Moveit! button.
  • Copy everything in the Results window (under the green bar) to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose copy), and paste it in your next reply.
  • Close OTM and reboot your PC.

Note: If a file or folder cannot be moved immediately you may be asked to reboot the machine to finish the move process. If you are asked to reboot the machine choose Yes. In this case, after the reboot, open Notepad (Start->All Programs->Accessories->Notepad), click File->Open, in the File Name box enter *.log and press the Enter key, navigate to the C:\_OTMoveIt\MovedFiles folder, open the newest .log file present, and copy/paste the contents of that document back here in your next post.

===============================================

Update Java

Older versions have vulnerabilities that malware can use to infect your system. Please follow these steps to remove older-version Java components and update.
Upgrading Java:
  • Download the latest version of Java Runtime Environment (JRE) 6 Update 17.
  • Scroll down to where it says "The J2SE Runtime Environment (JRE) allows end-users to run Java applications".
  • Click the "Download" button to the right.
  • Select your Platform and check the box that says: "I agree to the Java SE Runtime Environment 6 License Agreement.".
  • Click on Continue.
  • Click on the link to download Windows Offline Installation (jre-6u7-windows-i586-p.exe) and save it to your desktop. Do NOT use the Sun Download Manager.
  • Close any programs you may have running - especially your web browser.
  • Go to Start > Control Panel, double-click on Add/Remove programs and remove all older versions of Java.
  • Check any item with Java Runtime Environment (JRE or J2SE) in the name.
  • Click the Remove or Change/Remove button.
  • Repeat as many times as necessary to remove each Java version.
  • Reboot your computer once all Java components are removed.
  • Then from your desktop double-click on the download to install the newest version.

===============================================

Now try the Kaspersky WebScanner, then please post the OTM log, a fresh HijackThis log, and the Kaspersky WebScanner results in your next reply.
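The fix list in this post is built by reading the HijackThis log by eye. As an added example (not part of this thread, and not HijackThis' own code), here is a small Python audit that parses the O2/O3/O9 entries of such a log and flags the two things a helper looks for first: registrations whose target is "(no file)" (the leftover of a DLL that has already been removed) and one CLSID registered under more than one section (the same DLL installed as both a BHO and a toolbar, the usual footprint of a bundled toolbar). The sample lines are copied from the HijackThis logs posted in this thread; the regex and the function names are my own.

```python
import re
from collections import defaultdict

# Sample input: a subset of O2/O3/O4/O9 lines copied from the HijackThis
# logs posted in this thread (same line format as a real HijackThis log).
SAMPLE_HJT_LOG = r"""
Logfile of Trend Micro HijackThis v2.0.2
O2 - BHO: Lexico Toolbar - {11359F4A-B191-42d7-905A-594F8CF0387B} - C:\WINDOWS\Downloaded Program Files\CONFLICT.1\lexbar.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - C:\Program Files\Google\Google Toolbar\GoogleToolbar_32.dll
O3 - Toolbar: (no name) - {4E7BD74F-2B8D-469E-C0FF-FD60B590A87D} - (no file)
O3 - Toolbar: Dictionary.com - {11359F4A-B191-42D7-905A-594F8CF0387B} - C:\WINDOWS\Downloaded Program Files\CONFLICT.1\lexbar.dll
O3 - Toolbar: Google Toolbar - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - C:\Program Files\Google\Google Toolbar\GoogleToolbar_32.dll
O4 - HKLM\..\Run: [avgnt] "C:\Program Files\Avira\AntiVir Desktop\avgnt.exe" /min
O9 - Extra button: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe
"""

# HijackThis writes COM-registered items (O2 BHOs, O3 toolbars, O9 IE
# buttons/menu items) as:  "<section> - <kind>: <name> - {CLSID} - <target>"
COM_ENTRY = re.compile(
    r"^(?P<section>O[239]) - (?P<kind>[^:]+): (?P<name>.+?) - "
    r"\{(?P<clsid>[0-9A-Fa-f]{8}(?:-[0-9A-Fa-f]{4}){3}-[0-9A-Fa-f]{12})\} - "
    r"(?P<target>.+)$"
)


def parse_com_entries(log_text):
    """Return the O2/O3/O9 entries as dicts; other lines are ignored."""
    entries = []
    for line in log_text.splitlines():
        m = COM_ENTRY.match(line.strip())
        if m:
            entry = m.groupdict()
            # HijackThis prints the same CLSID in mixed case in different
            # sections (42d7 vs 42D7 above); normalise so they compare equal.
            entry["clsid"] = entry["clsid"].upper()
            entries.append(entry)
    return entries


def audit(log_text):
    """Flag orphaned registrations and CLSIDs shared across sections."""
    entries = parse_com_entries(log_text)
    # "(no file)" means the registry still points at a DLL that is gone:
    # harmless on its own, but it is the leftover of something removed.
    orphans = [e for e in entries if e["target"] == "(no file)"]
    by_clsid = defaultdict(list)
    for e in entries:
        by_clsid[e["clsid"]].append(e)
    # One CLSID under two different sections (the same DLL as both a BHO
    # and a toolbar) is the typical footprint of a bundled toolbar. A button
    # plus its 'Tools' menu item under O9 share a CLSID legitimately, so
    # only distinct sections count.
    shared = {
        clsid: es for clsid, es in by_clsid.items()
        if len({e["section"] for e in es}) > 1
    }
    return {"entries": entries, "orphans": orphans, "shared": shared}


if __name__ == "__main__":
    result = audit(SAMPLE_HJT_LOG)
    for e in result["orphans"]:
        print(f"orphan  {e['section']} {{{e['clsid']}}} {e['name']}")
    for clsid, es in result["shared"].items():
        sections = ", ".join(sorted({e["section"] for e in es}))
        print(f"shared  {{{clsid}}} in {sections}: {es[0]['target']}")
```

On the sample it reports the orphaned O3 toolbar entry (the CLSID that belonged to realbar.dll before the fix) and the Lexico CLSID registered under both O2 and O3 from the same lexbar.dll. An orphan is not an infection, but it is exactly the kind of entry that stays behind after a "Fix checked" and is worth clearing in the next pass.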


johnnyt
Well, I've tried 3 more times to get the Kaspersky online scan to work, and each time it hangs up, this time around 40-50 minutes into the scan. In case it is important, it hangs up after finding 1 suspicious item and 1 threat. The point at which it seems to hang up is when it is checking my Outlook Express mail. This info may be meaningless, but I thought I would pass it on. By the way, I did all of the other things you suggested, including removing old Java stuff and upgrading to the version you suggested. I am posting the latest HijackThis and OTM logs.

Fresh Hijackthis log:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 2:15:40 PM, on 11/6/2009
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\LEXPPS.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Avira\AntiVir Desktop\sched.exe
C:\WINDOWS\System32\PackethSvc.exe
C:\Program Files\Avira\AntiVir Desktop\avguard.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\WINDOWS\System32\drivers\CDAC11BA.EXE
C:\Program Files\Compaq\Compaq Advisor\bin\compaq-rba.exe
C:\WINDOWS\system32\inetsrv\inetinfo.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\system32\pctspk.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Compaq\Easy Access Button Support\StartEAK.exe
C:\WINDOWS\system32\Smtray.exe
C:\Program Files\Compaq\Easy Access Button Support\CPQEADM.EXE
C:\COMPAQ\CPQINET\CPQInet.exe
C:\Compaq\EAKDRV\EAUSBKBD.EXE
C:\PROGRA~1\Compaq\EASYAC~1\BttnServ.exe
C:\Program Files\Adaptec\Easy CD Creator 5\DirectCD\DirectCD.exe
C:\Program Files\Dell AIO Printer A920\dlbkbmgr.exe
C:\Program Files\Dell AIO Printer A920\dlbkbmon.exe
C:\Program Files\Tech\Wheel Mouse\5.0\MOUSE32A.EXE
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Avira\AntiVir Desktop\avgnt.exe
C:\Program Files\Windows Live\Messenger\MsnMsgr.Exe
C:\Program Files\Mobipocket.com\Mobipocket Reader\readernotify.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\Program Files\1&1\1&1 EasyLogin\EasyLogin.exe
C:\Program Files\Veoh Networks\VeohWebPlayer\veohwebplayer.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\DateInTray\DateInTray.exe
C:\Palm\HOTSYNC.EXE
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.lesliehale.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = https://customer.symantec.com/NASApp/web/Pl...p;p_vendor_tag=
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: Lexico Toolbar - {11359F4A-B191-42d7-905A-594F8CF0387B} - C:\WINDOWS\Downloaded Program Files\CONFLICT.1\lexbar.dll
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - C:\Program Files\Google\Google Toolbar\GoogleToolbar_32.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\5.3.4501.1418\swg.dll
O2 - BHO: Google Dictionary Compression sdch - {C84D72FE-E17D-4195-BB24-76C02E2E7C4E} - C:\Program Files\Google\Google Toolbar\Component\fastsearch_B7C5AC242193BB3E.dll
O2 - BHO: Java™ Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O3 - Toolbar: (no name) - {4E7BD74F-2B8D-469E-C0FF-FD60B590A87D} - (no file)
O3 - Toolbar: Dictionary.com - {11359F4A-B191-42D7-905A-594F8CF0387B} - C:\WINDOWS\Downloaded Program Files\CONFLICT.1\lexbar.dll
O3 - Toolbar: Veoh Web Player Video Finder - {0FBB9689-D3D7-4f7a-A2E2-585B10099BFC} - C:\Program Files\Veoh Networks\VeohWebPlayer\VeohIEToolbar.dll
O3 - Toolbar: Veoh Video Compass - {52836EB0-631A-47B1-94A6-61F9D9112DAE} - C:\Program Files\Veoh Networks\Veoh Video Compass\SearchRecsPlugin.dll
O3 - Toolbar: Google Toolbar - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - C:\Program Files\Google\Google Toolbar\GoogleToolbar_32.dll
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE NvQTwk,NvCplDaemon initialize
O4 - HKLM\..\Run: [CPQEASYACC] C:\Program Files\Compaq\Easy Access Button Support\StartEAK.exe
O4 - HKLM\..\Run: [WCOLOREAL] "C:\Program Files\COMPAQ\Coloreal\coloreal.exe"
O4 - HKLM\..\Run: [Smapp] Smtray.exe
O4 - HKLM\..\Run: [Microsoft Works Portfolio] C:\Program Files\Microsoft Works\WksSb.exe /AllUsers
O4 - HKLM\..\Run: [Microsoft Works Update Detection] C:\Program Files\Microsoft Works\WkDetect.exe
O4 - HKLM\..\Run: [srmclean] C:\Cpqs\Scom\srmclean.exe
O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Program Files\Adaptec\Easy CD Creator 5\DirectCD\DirectCD.exe"
O4 - HKLM\..\Run: [Dell AIO Printer A920] "C:\Program Files\Dell AIO Printer A920\dlbkbmgr.exe"
O4 - HKLM\..\Run: [LWBMOUSE] C:\Program Files\Tech\Wheel Mouse\5.0\MOUSE32A.EXE
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [Google Desktop Search] "C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe" /startup
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [Malwarebytes Anti-Malware (reboot)] "C:\Program Files\Malwarebytes' Anti-Malware\newone.exe" /runcleanupscript
O4 - HKLM\..\Run: [avgnt] "C:\Program Files\Avira\AntiVir Desktop\avgnt.exe" /min
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\Windows Live\Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [Mobipocket Reader Notifications] C:\Program Files\Mobipocket.com\Mobipocket Reader\readernotify.exe
O4 - HKCU\..\Run: [updateMgr] "C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe" AcRdB7_0_8 -reboot 1
O4 - HKCU\..\Run: [swg] "C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe"
O4 - HKCU\..\Run: [1&1 EasyLogin] C:\Program Files\1&1\1&1 EasyLogin\EasyLogin.exe
O4 - HKCU\..\Run: [NBJ] "C:\Program Files\Ahead\Nero BackItUp\NBJ.exe"
O4 - HKCU\..\Run: [VeohPlugin] "C:\Program Files\Veoh Networks\VeohWebPlayer\veohwebplayer.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKUS\S-1-5-18\..\RunOnce: [tscuninstall] %systemroot%\system32\tscupgrd.exe (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\RunOnce: [tscuninstall] %systemroot%\system32\tscupgrd.exe (User 'Default user')
O4 - Startup: HotSync Manager.lnk = C:\Palm\HOTSYNC.EXE
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: DateInTray.lnk = C:\Program Files\DateInTray\DateInTray.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MI1933~1\Office10\EXCEL.EXE/3000
O9 - Extra button: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .nwc: C:\Program Files\NoteWorthy Software\NWC Browser Plugin\npnwcw32.dll
O14 - IERESET.INF: START_PAGE_URL=http://www.rr.com
O16 - DPF: vzTCPConfig - http://www.verizon.net/checkmypc/includes/vzTCPConfig.CAB
O16 - DPF: {05CA9FB0-3E3E-4B36-BF41-0E3A5CAA8CD8} (Office Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=67633
O16 - DPF: {0CCA191D-13A6-4E29-B746-314DEE697D83} (Facebook Photo Uploader 5 Control) - http://upload.facebook.com/controls/2008.1...toUploader5.cab
O16 - DPF: {1239CC52-59EF-4DFA-8C61-90FFA846DF7E} (Musicnotes Viewer) - http://www.musicnotes.com/download/mnviewer.cab
O16 - DPF: {238F6F83-B8B4-11CF-8771-00A024541EE3} (WficaCtl Object) - http://www.genisar.com/files/genplug60.cab
O16 - DPF: {288451AE-BE24-4216-B946-8600E0498584} (DASWebShop Class) - http://das.microsoft.com/activate/cab/x86/...tail/DASAct.cab
O16 - DPF: {406B5949-7190-4245-91A9-30A17DE16AD0} (Snapfish Activia) - http://www.yorkphoto.com/YorkActivia.cab
O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} (RdxIE Class) - http://software-dl.real.com/01017a2d3f98e0...ip/RdxIE601.cab
O16 - DPF: {62475759-9E84-458E-A1AB-5D2C442ADFDE} - http://a1540.g.akamai.net/7/1540/52/200312...meInstaller.exe
O16 - DPF: {6A060448-60F9-11D5-A6CD-0002B31F7455} (ExentInf Class) - http://us.games2.yimg.com/download.games.y...ctl_0_0_0_1.ocx
O16 - DPF: {72944257-0AE0-44FD-8A51-AA21853092C8} (PhxStudent.OeSetup15) - https://mycampus.phoenix.edu/secure/PhxStudent15.CAB
O16 - DPF: {9059F30F-4EB1-4BD2-9FDC-36F43A218F4A} (Microsoft RDP Client Control (redist)) - http://www.server.recordtranscripts.com/msrdp.cab
O16 - DPF: {90C9629E-CD32-11D3-BBFB-00105A1F0D68} (InstallShield International Setup Player) - http://www.installengine.com/engine/isetup.cab
O16 - DPF: {CAFEEFAC-0014-0000-0003-ABCDEFFEDCBA} (Java Runtime Environment 1.4.0_03) -
O16 - DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} (PopCapLoader Object) - http://games.pogo.com/online2/pogo/bejewel...aploader_v6.cab
O16 - DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - http://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
O16 - DPF: {E7D2588A-7FB5-47DC-8830-832605661009} (Live Collaboration) - http://livesc03.rightnowtech.com/audible/a...l/java/RntX.cab
O16 - DPF: {F0E2D69A-DC2F-4E9B-A993-684FB1C21DBC} - http://dictionary.reference.com/tools/toolbar/lexico.cab
O16 - DPF: {F2CA2115-C8D2-11D1-BEBD-00A0C95A6A5C} (WebReportSource Class) - http://reports.jud11.flcourts.org/viewer/a...tivexviewer.cab
O16 - DPF: {F6676623-8BBD-479C-A51B-05868728708C} (DigitalDM) - http://www.digitaldm.com/Plug-in/myebk/c/DIGITALDM2.cab
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = rtitampa.com
O17 - HKLM\Software\..\Telephony: DomainName = rtitampa.com
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = rtitampa.com
O23 - Service: Avira AntiVir Scheduler (AntiVirSchedulerService) - Avira GmbH - C:\Program Files\Avira\AntiVir Desktop\sched.exe
O23 - Service: Avira AntiVir Guard (AntiVirService) - Avira GmbH - C:\Program Files\Avira\AntiVir Desktop\avguard.exe
O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: C-DillaCdaC11BA - Macrovision - C:\WINDOWS\System32\drivers\CDAC11BA.EXE
O23 - Service: Compaq Advisor (Compaq_RBA) - NeoPlanet - C:\Program Files\Compaq\Compaq Advisor\bin\compaq-rba.exe
O23 - Service: GoogleDesktopManager - Google - C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe
O23 - Service: Google Software Updater (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: Macromedia Licensing Service - Macromedia - C:\Program Files\Common Files\Macromedia Shared\Service\Macromedia Licensing.exe
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: Virtual NIC Service (PackethSvc) - America Online, Inc. - C:\WINDOWS\System32\PackethSvc.exe
O23 - Service: PCTEL Speaker Phone (Pctspk) - PCtel, Inc. - C:\WINDOWS\system32\pctspk.exe

--
End of file - 13117 bytes

And latest OTM log:

All processes killed
========== PROCESSES ==========
No active process named explorer.exe was found!
========== SERVICES/DRIVERS ==========
========== REGISTRY ==========
========== FILES ==========
C:\Program Files\AskBarDis\bar\Settings moved successfully.
C:\Program Files\AskBarDis\bar\History moved successfully.
C:\Program Files\AskBarDis\bar\Cache moved successfully.
C:\Program Files\AskBarDis\bar\bin moved successfully.
C:\Program Files\AskBarDis\bar moved successfully.
C:\Program Files\AskBarDis moved successfully.
C:\Program Files\Common Files\Real\Toolbar moved successfully.
C:\Program files\Lexico\Toolbar moved successfully.
C:\Program files\Lexico moved successfully.
========== COMMANDS ==========

[EMPTYTEMP]

User: All Users

User: Catherine
->Temp folder emptied: 101620585 bytes
->Temporary Internet Files folder emptied: 58711902 bytes
->Java cache emptied: 128020 bytes

User: Default User
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 0 bytes

User: John Tomasi
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 0 bytes

User: johntomasi
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 0 bytes
->Java cache emptied: 0 bytes

User: LocalService
->Temp folder emptied: 0 bytes
File delete failed. C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\index.dat scheduled to be deleted on reboot.
->Temporary Internet Files folder emptied: 33170 bytes

User: NetworkService
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 0 bytes

User: Owner
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 0 bytes

User: tomasijo

User: User
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 0 bytes

%systemdrive% .tmp files removed: 0 bytes
%systemroot% .tmp files removed: 0 bytes
%systemroot%\System32 .tmp files removed: 0 bytes
Windows Temp folder emptied: 41624 bytes
RecycleBin emptied: 0 bytes

Total Files Cleaned = 153.10 mb


OTM by OldTimer - Version 3.0.0.6 log created on 11062009_094143

Files moved on Reboot...

Registry entries deleted on Reboot...

Should I keep trying the Kaspersky online scan until it goes all the way through?

BHowett
QUOTE: Should I keep trying the Kaspersky online scan until it goes all the way through?


No, I think it's a problem with Kaspersky, since I have other users who can't get it to work either. We can try something different...

Please go HERE to run Panda's ActiveScan
  • Once you are on the Panda site click the Scan your PC button
  • A new window will open...click the Check Now button
  • Enter your Country
  • Enter your State/Province
  • Enter your e-mail address and click send
  • Select either Home User or Company
  • Click the big Scan Now button
  • If it wants to install an ActiveX component allow it
  • It will start downloading the files it requires for the scan (Note: It may take a couple of minutes)
  • When download is complete, click on My Computer to start the scan
  • When the scan completes, if anything malicious is detected, click the See Report button, then Save Report and save it to a convenient location. Post the contents of the ActiveScan report


johnnyt
Okay that one did the trick. Here is the log:

;*******************************************************************************
ANALYSIS: 2009-11-06 22:46:26
PROTECTIONS: 1
MALWARE: 33
SUSPECTS: 2
;*******************************************************************************
PROTECTIONS
Description Version Active Updated
;===============================================================================
AntiVir Desktop 9.0.1.32 No No
;===============================================================================
MALWARE
Id Description Type Active Severity Disinfectable Disinfected Location
;===============================================================================
00096188 spyware/searchcentrix Spyware No 1 Yes No hkey_current_user\software\dynamic toolbar
00139061 Cookie/Doubleclick TrackingCookie No 0 Yes No c:\documents and settings\catherine\cookies\catherine@doubleclick[2].txt
00139064 Cookie/Atlas DMT TrackingCookie No 0 Yes No c:\documents and settings\catherine\cookies\catherine@atdmt[1].txt
00145738 Cookie/Mediaplex TrackingCookie No 0 Yes No c:\documents and settings\catherine\cookies\catherine@mediaplex[2].txt
00168056 Cookie/YieldManager TrackingCookie No 0 Yes No c:\documents and settings\catherine\cookies\catherine@ad.yieldmanager[2].txt
00168061 Cookie/Apmebf TrackingCookie No 0 Yes No c:\documents and settings\catherine\cookies\catherine@apmebf[1].txt
00169190 Cookie/Advertising TrackingCookie No 0 Yes No c:\documents and settings\catherine\cookies\catherine@advertising[1].txt
00170556 Cookie/RealMedia TrackingCookie No 0 Yes No c:\documents and settings\user\application data\mozilla\profiles\default\gruwvscv.slt\cookies.txt[.realmedia.com/]
00171982 Cookie/QuestionMarket TrackingCookie No 0 Yes No c:\documents and settings\catherine\cookies\catherine@questionmarket[2].txt
00327373 Adware/ZapSpot Adware No 0 Yes No c:\documents and settings\user\application data\zapspot\system\etc\p3ofrmgr.exe
00327375 Adware/ZapSpot Adware No 0 Yes No c:\documents and settings\user\application data\zapspot\zapspot.exe
00527204 Application/PRScheduler HackTools No 0 Yes No c:\documents and settings\user\start menu\programs\startup\powerreg scheduler v3.exe
00527204 Application/PRScheduler HackTools No 0 Yes No c:\program files\trend micro\hijackthis\backups\backup-20091106-093813-913-powerreg scheduler v3.exe
00527204 Application/PRScheduler HackTools No 0 Yes No c:\system volume information\_restore{9b63db6c-09c2-4f05-879c-deb19a86ef40}\rp1761\a0123670.exe
00538294 Trj/Agent.LIZ Virus/Trojan No 0 Yes No c:\qoobox\quarantine\c\windows\jestertb.dll.vir
00538294 Trj/Agent.LIZ Virus/Trojan No 0 Yes No c:\system volume information\_restore{9b63db6c-09c2-4f05-879c-deb19a86ef40}\rp1760\a0123364.dll
00816208 Adware/eZula Adware No 0 Yes No c:\windows\system32\macromed\shockwave 8\xtras\download\thegroovealliance\3dgroovextrav18\groove.x32
00966839 Spyware/Virtumonde Spyware No 1 Yes No c:\program files\viewpoint\viewpoint media player\components\swfview.dll
01692698 Generic Malware Virus/Trojan No 0 Yes No c:\documents and settings\catherine\application data\macromedia\shockwave player\xtras\download\thegroovealliance\3dgroovextrav181\groove.x32
02885963 Rootkit/Booto.C Virus/Worm No 0 Yes No c:\system volume information\_restore{9b63db6c-09c2-4f05-879c-deb19a86ef40}\rp1760\a0123381.sys
03074964 Trj/CI.A Virus/Trojan No 0 Yes No c:\system volume information\_restore{9b63db6c-09c2-4f05-879c-deb19a86ef40}\rp1760\a0123373.dll
03074964 Trj/CI.A Virus/Trojan No 0 Yes No c:\qoobox\quarantine\c\windows\system32\bezayedo.dll.vir
03074964 Trj/CI.A Virus/Trojan No 0 Yes No c:\qoobox\quarantine\c\windows\system32\jijejamu.dll.vir
03074964 Trj/CI.A Virus/Trojan No 0 Yes No c:\qoobox\quarantine\c\windows\system32\pilipeho.dll.vir
03074964 Trj/CI.A Virus/Trojan No 0 Yes No c:\qoobox\quarantine\c\windows\system32\pogobiwu.dll.vir
03074964 Trj/CI.A Virus/Trojan No 0 Yes No c:\system volume information\_restore{9b63db6c-09c2-4f05-879c-deb19a86ef40}\rp1760\a0123366.dll
03074964 Trj/CI.A Virus/Trojan No 0 Yes No c:\system volume information\_restore{9b63db6c-09c2-4f05-879c-deb19a86ef40}\rp1760\a0123370.dll
03074964 Trj/CI.A Virus/Trojan No 0 Yes No c:\system volume information\_restore{9b63db6c-09c2-4f05-879c-deb19a86ef40}\rp1754\a0122918.dll
03074964 Trj/CI.A Virus/Trojan No 0 Yes No c:\system volume information\_restore{9b63db6c-09c2-4f05-879c-deb19a86ef40}\rp1759\a0123297.dll
03074964 Trj/CI.A Virus/Trojan No 0 Yes No c:\system volume information\_restore{9b63db6c-09c2-4f05-879c-deb19a86ef40}\rp1758\a0123230.dll
03074964 Trj/CI.A Virus/Trojan No 0 Yes No c:\system volume information\_restore{9b63db6c-09c2-4f05-879c-deb19a86ef40}\rp1753\a0122897.dll
03074964 Trj/CI.A Virus/Trojan No 0 Yes No c:\system volume information\_restore{9b63db6c-09c2-4f05-879c-deb19a86ef40}\rp1753\a0122898.dll
03074964 Trj/CI.A Virus/Trojan No 0 Yes No c:\system volume information\_restore{9b63db6c-09c2-4f05-879c-deb19a86ef40}\rp1753\a0122899.dll
03074964 Trj/CI.A Virus/Trojan No 0 Yes No c:\system volume information\_restore{9b63db6c-09c2-4f05-879c-deb19a86ef40}\rp1754\a0122946.dll
03074964 Trj/CI.A Virus/Trojan No 0 Yes No c:\system volume information\_restore{9b63db6c-09c2-4f05-879c-deb19a86ef40}\rp1755\a0122959.dll
03074964 Trj/CI.A Virus/Trojan No 0 Yes No c:\system volume information\_restore{9b63db6c-09c2-4f05-879c-deb19a86ef40}\rp1754\a0122907.dll
03074964 Trj/CI.A Virus/Trojan No 0 Yes No c:\system volume information\_restore{9b63db6c-09c2-4f05-879c-deb19a86ef40}\rp1759\a0123294.dll
03074964 Trj/CI.A Virus/Trojan No 0 Yes No c:\system volume information\_restore{9b63db6c-09c2-4f05-879c-deb19a86ef40}\rp1760\a0123372.dll
05513284 Generic Malware Virus/Trojan No 0 Yes No c:\system volume information\_restore{9b63db6c-09c2-4f05-879c-deb19a86ef40}\rp1754\a0122916.exe
05556201 Generic Trojan Virus/Trojan No 0 Yes No c:\system volume information\_restore{9b63db6c-09c2-4f05-879c-deb19a86ef40}\rp1754\a0122945.dll
05561639 Generic Trojan Virus/Trojan No 0 Yes No c:\system volume information\_restore{9b63db6c-09c2-4f05-879c-deb19a86ef40}\rp1759\a0123296.dll
05574594 Trj/KillAV.FJ Virus/Trojan No 0 Yes No c:\system volume information\_restore{9b63db6c-09c2-4f05-879c-deb19a86ef40}\rp1758\a0123282.dll
05580568 Generic Trojan Virus/Trojan No 0 Yes No c:\qoobox\quarantine\c\windows\system32\bitoduze.dll.vir
05580568 Generic Trojan Virus/Trojan No 0 Yes No c:\system volume information\_restore{9b63db6c-09c2-4f05-879c-deb19a86ef40}\rp1760\a0123367.dll
05580619 Generic Trojan Virus/Trojan No 0 Yes No c:\qoobox\quarantine\c\windows\system32\tesavohi.dll.vir
05580619 Generic Trojan Virus/Trojan No 0 Yes No c:\system volume information\_restore{9b63db6c-09c2-4f05-879c-deb19a86ef40}\rp1760\a0123374.dll
05581703 Generic Trojan Virus/Trojan No 0 Yes No c:\system volume information\_restore{9b63db6c-09c2-4f05-879c-deb19a86ef40}\rp1759\a0123295.dll
05583456 Generic Trojan Virus/Trojan No 0 Yes No c:\system volume information\_restore{9b63db6c-09c2-4f05-879c-deb19a86ef40}\rp1760\a0123371.dll
05583456 Generic Trojan Virus/Trojan No 0 Yes No c:\qoobox\quarantine\c\windows\system32\mupapupe.dll.vir
05584138 Spyware/Virtumonde Spyware No 1 Yes No c:\system volume information\_restore{9b63db6c-09c2-4f05-879c-deb19a86ef40}\rp1754\a0122947.dll
05585794 Trj/Zlob.KH Virus/Trojan No 1 Yes No c:\qoobox\quarantine\c\windows\system32\jifetahi.dll.vir
05585794 Trj/Zlob.KH Virus/Trojan No 1 Yes No c:\system volume information\_restore{9b63db6c-09c2-4f05-879c-deb19a86ef40}\rp1760\a0123369.dll
05586992 Spyware/Virtumonde Spyware No 1 Yes No c:\system volume information\_restore{9b63db6c-09c2-4f05-879c-deb19a86ef40}\rp1758\a0123283.dll
05587894 Generic Trojan Virus/Trojan No 0 Yes No c:\system volume information\_restore{9b63db6c-09c2-4f05-879c-deb19a86ef40}\rp1759\a0123334.dll
05593361 Generic Trojan Virus/Trojan No 0 Yes No c:\system volume information\_restore{9b63db6c-09c2-4f05-879c-deb19a86ef40}\rp1759\a0123302.dll
05594594 Generic Trojan Virus/Trojan No 0 Yes No c:\system volume information\_restore{9b63db6c-09c2-4f05-879c-deb19a86ef40}\rp1758\a0123292.dll
05595149 Generic Trojan Virus/Trojan No 0 Yes No c:\qoobox\quarantine\c\windows\system32\hefihiru.dll.vir
05595149 Generic Trojan Virus/Trojan No 0 Yes No c:\system volume information\_restore{9b63db6c-09c2-4f05-879c-deb19a86ef40}\rp1760\a0123368.dll
;===============================================================================
SUSPECTS
Sent Location
;===============================================================================
No c:\program files\electronic arts\need for speed - porsche unleashed\porsche.exe
No c:\system volume information\_restore{9b63db6c-09c2-4f05-879c-deb19a86ef40}\rp1759\a0123335.dll
;===============================================================================
VULNERABILITIES
Id Severity Description
;===============================================================================
214076 HIGH MS09-059
971486 HIGH MS09-058
214074 HIGH MS09-057
214073 HIGH MS09-056
214072 HIGH MS09-055
214071 HIGH MS09-054
213109 HIGH MS09-046
212494 HIGH MS09-042
212493 HIGH MS09-041
212490 HIGH MS09-038
212530 HIGH MS09-034
211784 HIGH MS09-032
211781 HIGH MS09-029
210625 HIGH MS09-026
210624 HIGH MS09-025
210621 HIGH MS09-022
210618 HIGH MS09-019
208380 HIGH MS09-015
208379 HIGH MS09-014
208378 HIGH MS09-013
208377 HIGH MS09-012
206981 HIGH MS09-007
206980 HIGH MS09-006
204670 HIGH MS09-001
203806 HIGH MS08-078
203508 HIGH MS08-073
203505 HIGH MS08-071
202465 HIGH MS08-068
201683 HIGH MS08-067
201258 HIGH MS08-066
201256 HIGH MS08-064
201255 HIGH MS08-063
201253 HIGH MS08-061
201250 HIGH MS08-058
209275 HIGH MS08-049
209273 HIGH MS08-045
196455 MEDIUM MS08-037
194862 HIGH MS08-032
194861 HIGH MS08-031
194860 HIGH MS08-030
191618 HIGH MS08-025
191617 HIGH MS08-024
191616 HIGH MS08-023
191614 HIGH MS08-021
191613 HIGH MS08-020
;===============================================================================

I'll await your next set of instructions.

Have a good night.
BHowett
Hi johnnyt,

Well done, your log appears clean. The only bad things found are already in quarantine or System Restore, and the next step will take care of cleaning those out.

Now lets uninstall Combofix:
  • Click START then RUN
  • Now type Combofix /u in the run box and click OK. Note the space between the X and the /u; it needs to be there.


===============================================

Click Here to download OTC
Double-click OTC.exe to run it.
Click the Clean up button
Click Yes to the reboot.

Now delete any logs that you have left over on your desktop.

===============================================

For some useful tips on staying clean, along with links to some freeware to help, have a look at this page.

To find out more information about how you got infected in the first place, you can read this article.

===============================================

Follow this list and your potential for being infected again will reduce dramatically.

Thanks for letting us help you!
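The assessment in this post rests on where each detection lives: a hit inside ComboFix's C:\Qoobox\Quarantine, a System Restore point or a HijackThis backup is a copy of something already removed, not a live infection. As an added example (not part of this thread, and not Panda's or ComboFix's code), here is a Python script that makes that distinction mechanical: it parses the MALWARE section of an ActiveScan report, sorts every row into a container category or "live", and lists the rows that still point at a real path or registry key. The sample rows are copied from the report above, except one constructed row (id 99999999) marked as such to exercise the Active=Yes branch; the regex and the function names are my own.

```python
import re
from collections import Counter

# Sample input: lines in the format of the Panda ActiveScan report posted
# above. All rows except the last are copied from that report; the last row
# (id 99999999) is constructed to exercise the Active=Yes branch.
SAMPLE_REPORT = r"""
MALWARE
Id Description Type Active Severity Disinfectable Disinfected Location
00096188 spyware/searchcentrix Spyware No 1 Yes No hkey_current_user\software\dynamic toolbar
00139064 Cookie/Atlas DMT TrackingCookie No 0 Yes No c:\documents and settings\catherine\cookies\catherine@atdmt[1].txt
00527204 Application/PRScheduler HackTools No 0 Yes No c:\program files\trend micro\hijackthis\backups\backup-20091106-093813-913-powerreg scheduler v3.exe
00538294 Trj/Agent.LIZ Virus/Trojan No 0 Yes No c:\qoobox\quarantine\c\windows\jestertb.dll.vir
00966839 Spyware/Virtumonde Spyware No 1 Yes No c:\program files\viewpoint\viewpoint media player\components\swfview.dll
03074964 Trj/CI.A Virus/Trojan No 0 Yes No c:\system volume information\_restore{9b63db6c-09c2-4f05-879c-deb19a86ef40}\rp1760\a0123373.dll
99999999 Example/Constructed Virus/Trojan Yes 1 Yes No c:\windows\system32\example.dll
SUSPECTS
Sent Location
No c:\program files\electronic arts\need for speed - porsche unleashed\porsche.exe
"""

# One MALWARE row. The description may contain spaces ("Generic Malware",
# "Cookie/Atlas DMT"), so it is matched lazily and the fixed Yes/No and
# severity columns after it act as the anchor.
ROW = re.compile(
    r"^(?P<id>\d{8}) (?P<desc>.+?) (?P<type>\S+) (?P<active>Yes|No) "
    r"(?P<severity>\d) (?P<disinfectable>Yes|No) (?P<disinfected>Yes|No) "
    r"(?P<location>.+)$"
)


def parse_malware_rows(report_text):
    """Yield the rows of the MALWARE section only (stop at SUSPECTS)."""
    in_section = False
    for line in report_text.splitlines():
        line = line.strip()
        if line == "MALWARE":
            in_section = True
            continue
        if line == "SUSPECTS":
            break
        if in_section:
            m = ROW.match(line)
            if m:
                yield m.groupdict()


def classify(row):
    """Where does this detection live? Containers are not live infections."""
    loc = row["location"].lower()
    if row["active"] == "Yes":          # the scanner saw it loaded/running
        return "active"
    if row["type"] == "TrackingCookie":
        return "cookie"
    if loc.startswith("c:\\qoobox\\quarantine\\"):       # ComboFix quarantine
        return "quarantine"
    if "\\system volume information\\_restore" in loc:   # System Restore point
        return "restore_point"
    if "\\hijackthis\\backups\\" in loc:                 # HijackThis backup
        return "hjt_backup"
    return "live"                       # a real path or registry key


def triage(report_text):
    """Return (category counts, rows that still need a look)."""
    counts = Counter()
    attention = []
    for row in parse_malware_rows(report_text):
        category = classify(row)
        counts[category] += 1
        if category in ("active", "live"):
            attention.append(row)
    return counts, attention


if __name__ == "__main__":
    counts, attention = triage(SAMPLE_REPORT)
    print(dict(counts))
    for row in attention:
        print(f"{row['id']} {row['desc']:<24} {row['location']}")
```

Rows that come back under attention are not necessarily active threats (the report's own Active column is No for every real row above), but they are the ones outside any quarantine or restore container, so they are the ones to look at before calling a machine clean. Clearing the System Restore points (which the OTC step in this post does) is what makes the restore_point rows disappear from the next scan.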
johnnyt
I can't thank you enough BHowett. You have been courteous, patient, and very helpful. I thought I had a disaster on my hands and you handled it with confidence and speed. I dropped a little donation into your account. It's small but my thanks are big. Have a good weekend!
BHowett
thank you so much, and let me know if you ever need anything else.


Happy surfing!