Need help with Win32 worm and other infections [Solved]

Need a geek? Geeks to Go offers free, quality tech support -- in terms anyone can understand. Volunteers are waiting to help, friendly, technology experts who have knowledge to share, and enjoy helping others. Feel free to browse the site as a guest. However, you must log in to reply to existing topics, or to start a new topic. Other benefits of joining include richer forum features, and removal of all advertising. Learn more in our Welcome Guide Infected? Malware and Spyware Cleaning Guide. What are you waiting for? Click here to join for free today!

> Geeks to Go! » Security » Virus, Spyware and Trojan Removal

3 Pages

1 2 3 >

Need help with Win32 worm and other infections [Solved]

Options

hammerman View Member Profile	Jun 26 2009, 12:31 AM Post #2
Trusted Helper Posts: 1,259 From: UK OS: XP	Hello gmanfan and welcome to GeeksToGo. I'm hammerman and I'm going to help you fix your problem. Please note that I am still in training and my replies need to be checked by an expert. This means there may be a small delay between my posts. Please bear with me. I am looking through your log now and will reply as soon as possible. Before we begin, I suggest you print or save any instructions I give you for easy reference. We may be using Safe mode and you will not always be able to access this thread. You can copy and paste these instructions into Notepad and then save the text file to your Desktop. If you need any help with this or further clarification, please let me know.

gmanfan View Member Profile	Jun 26 2009, 06:38 AM Post #3
Member Posts: 70 From: Florida OS: XP Media Edition	I will be anxiously awaiting your discoveries!

hammerman View Member Profile	Jun 26 2009, 11:38 AM Post #4
Trusted Helper Posts: 1,259 From: UK OS: XP	Hi gmanfan, Can you please carry out the following steps. -- Step 1 -- Run OTL Under the Custom Scans/Fixes box at the bottom, paste in the following CODE :OTL PRC - C:\WINDOWS\explorer.exe (Microsoft Corporation) O2 - BHO: (no name) - {02478D38-C3F9-4efb-9B51-7695ECA05670} - No CLSID value found. O4 - HKLM..\Run: [DXDllRegExe] File not found O20 - AppInit_DLLs: (vtskbp.dll) - File not found O20 - AppInit_DLLs: (c:\windows\system32\zemidoko.dll) - C:\WINDOWS\System32\zemidoko.dll File not found O20 - AppInit_DLLs: (C:\WINDOWS\system32\kefufaji.dll) - C:\WINDOWS\System32\kefufaji.dll File not found O33 - MountPoints2\E\Shell - "" = AutoRun O33 - MountPoints2\E\Shell\AutoRun - "" = Auto&Play O33 - MountPoints2\E\Shell\AutoRun\command - "" = E:\LaunchU3.exe -- File not found [2099/01/01 12:00:00 \| 00,011,168 \| -H-- \| C] () -- C:\WINDOWS\System32\doduruja [2009/03/27 23:58:39 \| 03,290,783 \| -HS- \| C] () -- C:\WINDOWS\System32\ovekegut.ini [2008/12/24 12:49:33 \| 01,661,209 \| -HS- \| C] () -- C:\WINDOWS\System32\esfqypmx.ini [2008/12/23 12:46:03 \| 01,661,209 \| -HS- \| C] () -- C:\WINDOWS\System32\winnafgw.ini :Services :Reg :Files C:\WINDOWS\Tasks\xdaljiuo.job :Commands [purity] [emptytemp] [start explorer] [Reboot] Then click the Run Fix button at the top Let the program run unhindered, reboot when it is done Then post a new OTL2 log -- Step 2 -- Please do an online scan with Kaspersky WebScanner Click on Accept You will be promted to install an ActiveX component from Kaspersky, Click Yes. The program will launch and then begin downloading the latest definition files: Once the files have been downloaded click on NEXT Now click on Scan Settings In the scan settings make that the following are selected: Scan using the following Anti-Virus database: Extended (if available otherwise Standard) Scan Options: Scan Archives Scan Mail Bases Click OK Now under select a target to scan: Select My Computer This will program will start and scan your system. The scan will take a while so be patient and let it run. Once the scan is complete it will display if your system has been infected. Now click on the Save as Text button: Save the file to your desktop. Copy and paste that information in your next post.

gmanfan View Member Profile	Jun 26 2009, 02:28 PM Post #5
Member Posts: 70 From: Florida OS: XP Media Edition	Again, thanks so much. Here you go: OTL: OTL logfile created on: 6/26/2009 1:50:13 PM - Run 2 OTL by OldTimer - Version 3.0.5.3 Folder = C:\Documents and Settings\Brittany\Desktop Windows XP Home Edition Service Pack 3 (Version = 5.1.2600) - Type = NTWorkstation Internet Explorer (Version = 7.0.5730.13) Locale: 00000409 \| Country: United States \| Language: ENU \| Date Format: M/d/yyyy 1014.37 Mb Total Physical Memory \| 562.24 Mb Available Physical Memory \| 55.43% Memory free 2.38 Gb Paging File \| 2.03 Gb Available in Paging File \| 85.01% Paging File free Paging file location(s): C:\pagefile.sys 1524 3048 [binary data] %SystemDrive% = C: \| %SystemRoot% = C:\WINDOWS \| %ProgramFiles% = C:\Program Files Drive C: \| 32.37 Gb Total Space \| 15.43 Gb Free Space \| 47.68% Space Free \| Partition Type: NTFS D: Drive not present or media not loaded E: Drive not present or media not loaded F: Drive not present or media not loaded G: Drive not present or media not loaded H: Drive not present or media not loaded I: Drive not present or media not loaded Computer Name: DCTWMR91 Current User Name: Brittany Logged in as Administrator. Current Boot Mode: Normal Scan Mode: Current user Company Name Whitelist: On Skip Microsoft Files: Off File Age = 30 Days Output = Minimal ========== Processes (SafeList) ========== PRC - C:\WINDOWS\System32\WLTRYSVC.EXE () PRC - C:\WINDOWS\System32\bcmwltry.exe (Dell Inc.) PRC - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe (ALWIL Software) PRC - C:\Program Files\Alwil Software\Avast4\ashServ.exe (ALWIL Software) PRC - C:\WINDOWS\Explorer.EXE (Microsoft Corporation) PRC - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe (Apple Inc.) PRC - C:\Program Files\Bonjour\mDNSResponder.exe (Apple Inc.) PRC - C:\Program Files\Java\jre6\bin\jqs.exe (Sun Microsystems, Inc.) PRC - C:\Program Files\Dell\NICCONFIGSVC\NICCONFIGSVC.exe (Dell Inc.) PRC - C:\Program Files\Dell Support Center\bin\sprtsvc.exe (SupportSoft, Inc.) PRC - C:\WINDOWS\System32\wdfmgr.exe (Microsoft Corporation) PRC - C:\WINDOWS\System32\wbem\wmiprvse.exe (Microsoft Corporation) PRC - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe (ALWIL Software) PRC - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe (ALWIL Software) PRC - C:\WINDOWS\System32\hkcmd.exe (Intel Corporation) PRC - C:\WINDOWS\System32\igfxpers.exe (Intel Corporation) PRC - C:\WINDOWS\System32\WLTRAY.exe (Dell Inc.) PRC - C:\WINDOWS\System32\igfxsrvc.exe (Intel Corporation) PRC - C:\WINDOWS\stsystra.exe (SigmaTel, Inc.) PRC - C:\WINDOWS\System32\dla\tfswctrl.exe (Sonic Solutions) PRC - C:\Program Files\Alwil Software\Avast4\ashDisp.exe (ALWIL Software) PRC - C:\Program Files\Dell Support Center\bin\sprtcmd.exe (SupportSoft, Inc.) PRC - C:\Program Files\Java\jre6\bin\jusched.exe (Sun Microsystems, Inc.) PRC - C:\Program Files\Messenger\msmsgs.exe (Microsoft Corporation) PRC - C:\Program Files\Uniblue\SpeedUpMyPC 3\SpeedUpMyPC.exe (Uniblue Software) PRC - C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe (Google Inc.) PRC - C:\Program Files\Digital Line Detect\DLG.exe (BVRP Software) PRC - C:\Program Files\Dell Support Center\gs_agent\dsc.exe (SupportSoft, Inc.) PRC - C:\WINDOWS\System32\wbem\wmiprvse.exe (Microsoft Corporation) PRC - C:\Documents and Settings\Brittany\Desktop\OTL.exe (OldTimer Tools) ========== Win32 Services (SafeList) ========== SRV - (Apple Mobile Device [Auto \| Running]) -- C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe (Apple Inc.) SRV - (aspnet_state [On_Demand \| Stopped]) -- C:\WINDOWS\Microsoft.NET\Framework\v1.1.4322\aspnet_state.exe (Microsoft Corporation) SRV - (aswUpdSv [Auto \| Running]) -- C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe (ALWIL Software) SRV - (avast! Antivirus [Auto \| Running]) -- C:\Program Files\Alwil Software\Avast4\ashServ.exe (ALWIL Software) SRV - (avast! Mail Scanner [On_Demand \| Running]) -- C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe (ALWIL Software) SRV - (avast! Web Scanner [On_Demand \| Running]) -- C:\Program Files\Alwil Software\Avast4\ashWebSv.exe (ALWIL Software) SRV - (Bonjour Service [Auto \| Running]) -- C:\Program Files\Bonjour\mDNSResponder.exe (Apple Inc.) SRV - (DSBrokerService [On_Demand \| Stopped]) -- C:\Program Files\DellSupport\brkrsvc.exe () SRV - (gusvc [Auto \| Stopped]) -- C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe (Google) SRV - (helpsvc [Auto \| Running]) -- C:\WINDOWS\PCHealth\HelpCtr\Binaries\pchsvc.dll (Microsoft Corporation) SRV - (iPod Service [On_Demand \| Stopped]) -- C:\Program Files\iPod\bin\iPodService.exe (Apple Inc.) SRV - (JavaQuickStarterService [Auto \| Running]) -- C:\Program Files\Java\jre6\bin\jqs.exe (Sun Microsystems, Inc.) SRV - (NICCONFIGSVC [Auto \| Running]) -- C:\Program Files\Dell\NICCONFIGSVC\NICCONFIGSVC.exe (Dell Inc.) SRV - (ose [On_Demand \| Stopped]) -- C:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE (Microsoft Corporation) SRV - (Pml Driver HPZ12 [On_Demand \| Stopped]) -- C:\WINDOWS\System32\HPZipm12.exe (HP) SRV - (sprtsvc_dellsupportcenter [Auto \| Running]) -- C:\Program Files\Dell Support Center\bin\sprtsvc.exe (SupportSoft, Inc.) SRV - (UMWdf [Auto \| Running]) -- C:\WINDOWS\System32\wdfmgr.exe (Microsoft Corporation) SRV - (wltrysvc [Auto \| Running]) -- C:\WINDOWS\System32\WLTRYSVC.EXE () ========== Driver Services (SafeList) ========== DRV - (Aavmker4 [System \| Running]) -- C:\WINDOWS\System32\drivers\aavmker4.sys (ALWIL Software) DRV - (AFS2K [System \| Running]) -- C:\WINDOWS\System32\drivers\AFS2K.SYS (Oak Technology Inc.) DRV - (AliIde [Disabled \| Stopped]) -- C:\WINDOWS\system32\DRIVERS\aliide.sys (Acer Laboratories Inc.) DRV - (amdagp [Disabled \| Stopped]) -- C:\WINDOWS\system32\DRIVERS\amdagp.sys (Advanced Micro Devices, Inc.) DRV - (APPDRV [System \| Running]) -- C:\WINDOWS\SYSTEM32\DRIVERS\APPDRV.SYS (Dell Inc) DRV - (asc [Disabled \| Stopped]) -- C:\WINDOWS\system32\DRIVERS\asc.sys (Advanced System Products, Inc.) DRV - (asc3550 [Disabled \| Stopped]) -- C:\WINDOWS\system32\DRIVERS\asc3550.sys (Advanced System Products, Inc.) DRV - (aswFsBlk [Auto \| Running]) -- C:\WINDOWS\System32\DRIVERS\aswFsBlk.sys (ALWIL Software) DRV - (aswMon2 [Auto \| Running]) -- C:\WINDOWS\System32\drivers\aswmon2.sys (ALWIL Software) DRV - (aswRdr [On_Demand \| Running]) -- C:\WINDOWS\System32\drivers\aswRdr.sys (ALWIL Software) DRV - (aswSP [System \| Running]) -- C:\WINDOWS\System32\drivers\aswSP.sys (ALWIL Software) DRV - (aswTdi [System \| Running]) -- C:\WINDOWS\System32\drivers\aswTdi.sys (ALWIL Software) DRV - (BCM43XX [On_Demand \| Running]) -- C:\WINDOWS\System32\DRIVERS\bcmwl5.sys (Broadcom Corporation) DRV - (bcm4sbxp [On_Demand \| Stopped]) -- C:\WINDOWS\System32\DRIVERS\bcm4sbxp.sys (Broadcom Corporation) DRV - (CmdIde [Disabled \| Stopped]) -- C:\WINDOWS\system32\DRIVERS\cmdide.sys (CMD Technology, Inc.) DRV - (dac2w2k [Disabled \| Stopped]) -- C:\WINDOWS\system32\DRIVERS\dac2w2k.sys (Mylex Corporation) DRV - (drvmcdb [Boot \| Running]) -- C:\WINDOWS\system32\drivers\drvmcdb.sys (Sonic Solutions) DRV - (drvnddm [Auto \| Running]) -- C:\WINDOWS\System32\drivers\drvnddm.sys (Sonic Solutions) DRV - (DSproct [On_Demand \| Stopped]) -- C:\Program Files\DellSupport\GTAction\triggers\DSproct.sys (Gteko Ltd.) DRV - (dsunidrv [Auto \| Running]) -- C:\WINDOWS\System32\DRIVERS\dsunidrv.sys (Gteko Ltd.) DRV - (E100B [On_Demand \| Stopped]) -- C:\WINDOWS\System32\DRIVERS\e100b325.sys (Intel Corporation) DRV - (GEARAspiWDM [On_Demand \| Running]) -- C:\WINDOWS\System32\Drivers\GEARAspiWDM.sys (GEAR Software Inc.) DRV - (HDAudBus [On_Demand \| Running]) -- C:\WINDOWS\System32\DRIVERS\HDAudBus.sys (Windows ® Server 2003 DDK provider) DRV - (HPZid412 [On_Demand \| Stopped]) -- C:\WINDOWS\System32\DRIVERS\HPZid412.sys (HP) DRV - (HPZipr12 [On_Demand \| Stopped]) -- C:\WINDOWS\System32\DRIVERS\HPZipr12.sys (HP) DRV - (HPZius12 [On_Demand \| Stopped]) -- C:\WINDOWS\System32\DRIVERS\HPZius12.sys (HP) DRV - (HSFHWAZL [On_Demand \| Running]) -- C:\WINDOWS\System32\DRIVERS\HSFHWAZL.sys (Conexant Systems, Inc.) DRV - (HSF_DPV [On_Demand \| Running]) -- C:\WINDOWS\System32\DRIVERS\HSF_DPV.sys (Conexant Systems, Inc.) DRV - (ialm [On_Demand \| Running]) -- C:\WINDOWS\System32\DRIVERS\ialmnt5.sys (Intel Corporation) DRV - (mdmxsdk [Auto \| Running]) -- C:\WINDOWS\System32\DRIVERS\mdmxsdk.sys (Conexant) DRV - (mraid35x [Disabled \| Stopped]) -- C:\WINDOWS\system32\DRIVERS\mraid35x.sys (American Megatrends Inc.) DRV - (nv [On_Demand \| Stopped]) -- C:\WINDOWS\System32\DRIVERS\nv4_mini.sys (NVIDIA Corporation) DRV - (omci [System \| Running]) -- C:\WINDOWS\System32\DRIVERS\omci.sys (Dell Inc) DRV - (Ptilink [On_Demand \| Running]) -- C:\WINDOWS\System32\DRIVERS\ptilink.sys (Parallel Technologies, Inc.) DRV - (PxHelp20 [Boot \| Running]) -- C:\WINDOWS\System32\Drivers\PxHelp20.sys (Sonic Solutions) DRV - (ql1080 [Disabled \| Stopped]) -- C:\WINDOWS\system32\DRIVERS\ql1080.sys (QLogic Corporation) DRV - (ql12160 [Disabled \| Stopped]) -- C:\WINDOWS\system32\DRIVERS\ql12160.sys (QLogic Corporation) DRV - (ql1280 [Disabled \| Stopped]) -- C:\WINDOWS\system32\DRIVERS\ql1280.sys (QLogic Corporation) DRV - (rimmptsk [On_Demand \| Running]) -- C:\WINDOWS\System32\DRIVERS\rimmptsk.sys (REDC) DRV - (rimsptsk [On_Demand \| Running]) -- C:\WINDOWS\System32\DRIVERS\rimsptsk.sys (REDC) DRV - (rismxdp [On_Demand \| Running]) -- C:\WINDOWS\System32\DRIVERS\rixdptsk.sys (REDC) DRV - (Secdrv [On_Demand \| Stopped]) -- C:\WINDOWS\System32\DRIVERS\secdrv.sys (Macrovision Corporation, Macrovision Europe Limited, and Macrovision Japan and Asia K.K.) DRV - (sisagp [Disabled \| Stopped]) -- C:\WINDOWS\system32\DRIVERS\sisagp.sys (Silicon Integrated Systems Corporation) DRV - (Sparrow [Disabled \| Stopped]) -- C:\WINDOWS\system32\DRIVERS\sparrow.sys (Adaptec, Inc.) DRV - (sscdbhk5 [System \| Running]) -- C:\WINDOWS\System32\drivers\sscdbhk5.sys (Sonic Solutions) DRV - (ssrtln [System \| Running]) -- C:\WINDOWS\System32\drivers\ssrtln.sys (Sonic Solutions) DRV - (STHDA [On_Demand \| Running]) -- C:\WINDOWS\System32\drivers\sthda.sys (SigmaTel, Inc.) DRV - (symc810 [Disabled \| Stopped]) -- C:\WINDOWS\system32\DRIVERS\symc810.sys (Symbios Logic Inc.) DRV - (symc8xx [Disabled \| Stopped]) -- C:\WINDOWS\system32\DRIVERS\symc8xx.sys (LSI Logic) DRV - (sym_hi [Disabled \| Stopped]) -- C:\WINDOWS\system32\DRIVERS\sym_hi.sys (LSI Logic) DRV - (sym_u3 [Disabled \| Stopped]) -- C:\WINDOWS\system32\DRIVERS\sym_u3.sys (LSI Logic) DRV - (SynTP [On_Demand \| Running]) -- C:\WINDOWS\System32\DRIVERS\SynTP.sys (Synaptics, Inc.) DRV - (tfsnboio [Auto \| Running]) -- C:\WINDOWS\System32\dla\tfsnboio.sys (Sonic Solutions) DRV - (tfsncofs [Auto \| Running]) -- C:\WINDOWS\System32\dla\tfsncofs.sys (Sonic Solutions) DRV - (tfsndrct [Auto \| Running]) -- C:\WINDOWS\System32\dla\tfsndrct.sys (Sonic Solutions) DRV - (tfsndres [Auto \| Running]) -- C:\WINDOWS\System32\dla\tfsndres.sys (Sonic Solutions) DRV - (tfsnifs [Auto \| Running]) -- C:\WINDOWS\System32\dla\tfsnifs.sys (Sonic Solutions) DRV - (tfsnopio [Auto \| Running]) -- C:\WINDOWS\System32\dla\tfsnopio.sys (Sonic Solutions) DRV - (tfsnpool [Auto \| Running]) -- C:\WINDOWS\System32\dla\tfsnpool.sys (Sonic Solutions) DRV - (tfsnudf [Auto \| Running]) -- C:\WINDOWS\System32\dla\tfsnudf.sys (Sonic Solutions) DRV - (tfsnudfa [Auto \| Running]) -- C:\WINDOWS\System32\dla\tfsnudfa.sys (Sonic Solutions) DRV - (ultra [Disabled \| Stopped]) -- C:\WINDOWS\system32\DRIVERS\ultra.sys (Promise Technology, Inc.) DRV - (USBAAPL [On_Demand \| Stopped]) -- C:\WINDOWS\System32\Drivers\usbaapl.sys (Apple, Inc.) DRV - (V0330VID [On_Demand \| Stopped]) -- C:\WINDOWS\System32\DRIVERS\V0330Vid.sys (Creative Technology Ltd.) DRV - (winachsf [On_Demand \| Running]) -- C:\WINDOWS\System32\DRIVERS\HSF_CNXT.sys (Conexant Systems, Inc.) ========== Standard Registry (SafeList) ========== ========== Internet Explorer ========== IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157 IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896 IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Default_Secondary_Page_URL = [binary data] IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Extensions Off Page = about:NoAdd-ons IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Local Page = %SystemRoot%\system32\blank.htm IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896 IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Security Risk Page = about:SecurityRisk IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157 IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Search,CustomizeSearch = http://ie.search.msn.com/{SUB_RFC1766}/srchasst/srchcust.htm IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Search,SearchAssistant = http://ie.search.msn.com/{SUB_RFC1766}/srchasst/srchasst.htm IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Local Page = C:\WINDOWS\system32\blank.htm IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Search Page = http://www.microsoft.com/isapi/redir.dll?p...amp;ar=iesearch IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = http://www.myspace.com IE - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0 IE - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyOverride" = .local FF - HKLM\software\mozilla\Firefox\Extensions\\{ABDE892B-13A8-4d1b-88E6-365A6E755758}: C:\Program Files\Real\RealPlayer\browserrecord [2009/01/30 14:08:17 \| 00,000,000 \| ---D \| M] FF - HKLM\software\mozilla\Firefox\Extensions\\jqs@sun.com: C:\Program Files\Java\jre6\lib\deploy\jqs\ff [2008/12/22 10:55:40 \| 00,000,000 \| ---D \| M] O1 HOSTS File: (0 bytes) - C:\WINDOWS\System32\drivers\etc\Hosts O2 - BHO: (Java™ Plug-In 2 SSV Helper) - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll (Sun Microsystems, Inc.) O2 - BHO: (JQSIEStartDetectorImpl Class) - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll (Sun Microsystems, Inc.) O3 - HKLM\..\Toolbar: (&Google) - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll (Google Inc.) O3 - HKCU\..\Toolbar\WebBrowser: (&Google) - {2318C2B1-4965-11D4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll (Google Inc.) O4 - HKLM..\Run: [avast!] C:\Program Files\Alwil Software\Avast4\ashDisp.exe (ALWIL Software) O4 - HKLM..\Run: [Broadcom Wireless Manager UI] C:\WINDOWS\System32\WLTRAY.exe (Dell Inc.) O4 - HKLM..\Run: [dellsupportcenter] C:\Program Files\Dell Support Center\bin\sprtcmd.exe (SupportSoft, Inc.) O4 - HKLM..\Run: [dla] C:\WINDOWS\System32\dla\tfswctrl.exe (Sonic Solutions) O4 - HKLM..\Run: [dscactivate] C:\Program Files\Dell Support Center\gs_agent\custom\dsca.exe ( ) O4 - HKLM..\Run: [igfxhkcmd] C:\WINDOWS\System32\hkcmd.exe (Intel Corporation) O4 - HKLM..\Run: [igfxpers] C:\WINDOWS\System32\igfxpers.exe (Intel Corporation) O4 - HKLM..\Run: [igfxtray] C:\WINDOWS\System32\igfxtray.exe (Intel Corporation) O4 - HKLM..\Run: [QuickTime Task] C:\Program Files\QuickTime\qttask.exe (Apple Inc.) O4 - HKLM..\Run: [ShowLOMControl] Reg Error: Invalid data type. File not found O4 - HKLM..\Run: [SigmatelSysTrayApp] C:\WINDOWS\stsystra.exe (SigmaTel, Inc.) O4 - HKLM..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre6\bin\jusched.exe (Sun Microsystems, Inc.) O4 - HKLM..\Run: [TkBellExe] C:\Program Files\Common Files\Real\Update_OB\realsched.exe (RealNetworks, Inc.) O4 - HKCU..\Run: [DellSupportCenter] C:\Program Files\Dell Support Center\bin\sprtcmd.exe (SupportSoft, Inc.) O4 - HKCU..\Run: [MSMSGS] C:\Program Files\Messenger\msmsgs.exe (Microsoft Corporation) O4 - HKCU..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe (Google Inc.) O4 - HKCU..\Run: [Uniblue SpeedUpMyPC] C:\Program Files\Uniblue\SpeedUpMyPC 3\SpeedUpMyPC.exe (Uniblue Software) O4 - Startup: C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Digital Line Detect.lnk = C:\Program Files\Digital Line Detect\DLG.exe (BVRP Software) O4 - Startup: C:\Documents and Settings\Brittany\Start Menu\Programs\Startup\ERUNT AutoBackup.lnk = C:\Program Files\ERUNT\AUTOBACK.EXE () O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: HonorAutoRunSetting = 1 O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoCDBurning = 0 O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: dontdisplaylastusername = 0 O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: legalnoticecaption = O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: legalnoticetext = O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: shutdownwithoutlogon = 1 O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: undockwithoutlogon = 1 O7 - HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145 O7 - HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoFolderOptions = 0 O7 - HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: DisableRegistryTools = 0 O7 - HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: DisableTaskmgr = 0 O8 - Extra context menu item: E&xport to Microsoft Excel - C:\Program Files\Microsoft Office\OFFICE11\EXCEL.EXE (Microsoft Corporation) O9 - Extra Button: Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll (Yahoo! Inc.) O9 - Extra Button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\Program Files\Microsoft Office\OFFICE11\REFIEBAR.DLL (Microsoft Corporation) O9 - Extra Button: MUSICMATCH MX Web Player - {d81ca86b-ef63-42af-bee3-4502d9a03c2d} - File not found O9 - Extra 'Tools' menuitem : @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe (Microsoft Corporation) O9 - Extra Button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe (Microsoft Corporation) O9 - Extra 'Tools' menuitem : Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe (Microsoft Corporation) O10 - NameSpace_Catalog5\Catalog_Entries\000000000004 [] - C:\Program Files\Bonjour\mdnsNSP.dll (Apple Inc.) O10 - Protocol_Catalog9\Catalog_Entries\000000000004 - C:\WINDOWS\System32\rsvpsp.dll (Microsoft Corporation) O10 - Protocol_Catalog9\Catalog_Entries\000000000005 - C:\WINDOWS\System32\rsvpsp.dll (Microsoft Corporation) O15 - HKLM\..Trusted Domains: musicmatch.com ([online] https in Trusted sites) O15 - HKLM\..Trusted Domains: 2 domain(s) and sub-domain(s) not assigned to a zone. O16 - DPF: {0CCA191D-13A6-4E29-B746-314DEE697D83} http://upload.facebook.com/controls/2008.1...toUploader5.cab (Facebook Photo Uploader 5 Control) O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} C:\Program Files\Yahoo!\Common\Yinsthelper.dll (Installation Support) O16 - DPF: {3107C2A8-9F0B-4404-A58B-21BD85268FBC} http://www.pogo.com/cdl/launcher/PogoWebLa...erInstaller.CAB (PogoWebLauncher Control) O16 - DPF: {31435657-9980-0010-8000-00AA00389B71} http://download.microsoft.com/download/e/2...78f/wvc1dmo.cab (Reg Error: Key error.) O16 - DPF: {406B5949-7190-4245-91A9-30A17DE16AD0} http://photos.walmart.com/WalmartActivia.cab (Snapfish Activia) O16 - DPF: {48DD0448-9209-4F81-9F6D-D83562940134} http://lads.myspace.com/upload/MySpaceUploader1006.cab (MySpace Uploader Control) O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} http://www.update.microsoft.com/windowsupd...b?1209306167309 (WUWebControl Class) O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} http://java.sun.com/update/1.6.0/jinstall-...indows-i586.cab (Java Plug-in 1.6.0_14) O16 - DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} http://fpdownload.macromedia.com/get/flash...t/ultrashim.cab (Reg Error: Key error.) O16 - DPF: {CAFEEFAC-0016-0000-0014-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinstall-...indows-i586.cab (Java Plug-in 1.6.0_14) O16 - DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinstall-...indows-i586.cab (Java Plug-in 1.6.0_14) O16 - DPF: {EFFF96BF-7DA7-4646-BE34-9624B0C1475E} http://keyboarding.emcp.com/Resources/Component/cads.CAB (Zeus Learning::. Complex Application Distribution System Control (CADS)) O17 - HKLM\System\CCS\Services\Tcpip\Parameters: DhcpNameServer = 65.32.5.111 65.32.5.112 O18 - Protocol\Handler\cetihpz {CF184AD3-CDCB-4168-A3F7-8E447D129300} - C:\Program Files\HP\hpcoretech\comp\hpuiprot.dll (Hewlett-Packard Company) O18 - Protocol\Handler\http\0x00000001 {E1D2BF42-A96B-11d1-9C6B-0000F875AC61} - C:\Program Files\Common Files\SYSTEM\OLE DB\msdaipp.dll (Microsoft Corporation) O18 - Protocol\Handler\http\oledb {E1D2BF40-A96B-11d1-9C6B-0000F875AC61} - C:\Program Files\Common Files\SYSTEM\OLE DB\msdaipp.dll (Microsoft Corporation) O18 - Protocol\Handler\https\0x00000001 {E1D2BF42-A96B-11d1-9C6B-0000F875AC61} - C:\Program Files\Common Files\SYSTEM\OLE DB\msdaipp.dll (Microsoft Corporation) O18 - Protocol\Handler\https\oledb {E1D2BF40-A96B-11d1-9C6B-0000F875AC61} - C:\Program Files\Common Files\SYSTEM\OLE DB\msdaipp.dll (Microsoft Corporation) O18 - Protocol\Handler\ipp - No CLSID value found O18 - Protocol\Handler\ipp\0x00000001 {E1D2BF42-A96B-11d1-9C6B-0000F875AC61} - C:\Program Files\Common Files\SYSTEM\OLE DB\msdaipp.dll (Microsoft Corporation) O18 - Protocol\Handler\msdaipp - No CLSID value found O18 - Protocol\Handler\msdaipp\0x00000001 {E1D2BF42-A96B-11d1-9C6B-0000F875AC61} - C:\Program Files\Common Files\SYSTEM\OLE DB\msdaipp.dll (Microsoft Corporation) O18 - Protocol\Handler\msdaipp\oledb {E1D2BF40-A96B-11d1-9C6B-0000F875AC61} - C:\Program Files\Common Files\SYSTEM\OLE DB\msdaipp.dll (Microsoft Corporation) O18 - Protocol\Handler\mso-offdap11 {32505114-5902-49B2-880A-1F7738E5A384} - C:\Program Files\Common Files\Microsoft Shared\Web Components\11\OWC11.DLL (Microsoft Corporation) O18 - Protocol\Filter: - text/xml - C:\Program Files\Common Files\Microsoft Shared\OFFICE11\MSOXMLMF.DLL (Microsoft Corporation) O20 - HKLM Winlogon: Shell - (Explorer.exe) - C:\WINDOWS\Explorer.exe (Microsoft Corporation) O20 - Winlogon\Notify\igfxcui: DllName - igfxdev.dll - C:\WINDOWS\System32\igfxdev.dll (Intel Corporation) O24 - Desktop Components:0 (My Current Home Page) - About:Home O31 - SafeBoot: AlternateShell - cmd.exe O32 - HKLM CDRom: AutoRun - 1 O32 - AutoRun File - [2004/08/10 14:04:08 \| 00,000,000 \| ---- \| M] () - C:\AUTOEXEC.BAT -- [ NTFS ] O34 - HKLM BootExecute: (autocheck) - File not found O34 - HKLM BootExecute: (autochk) - C:\WINDOWS\System32\autochk.exe (Microsoft Corporation) O34 - HKLM BootExecute: () - File not found ========== Files/Folders - Created Within 30 Days ========== [2009/06/26 13:47:43 \| 00,000,000 \| ---D \| C] -- C:\_OTL [2009/06/26 13:46:06 \| 00,513,536 \| ---- \| C] (OldTimer Tools) -- C:\Documents and Settings\Brittany\Desktop\OTL.exe [2009/06/25 17:05:56 \| 00,000,000 \| ---D \| C] -- C:\Documents and Settings\Brittany\Desktop\virus check stuff [2009/06/24 22:19:11 \| 23,635,392 \| ---- \| C] (Microsoft Corporation) -- C:\WINDOWS\System32\MRT.exe [2009/06/24 22:15:22 \| 00,473,600 \| ---- \| C] (Microsoft Corporation) -- C:\WINDOWS\System32\dllcache\fastprox.dll [2009/06/24 22:15:22 \| 00,401,408 \| ---- \| C] (Microsoft Corporation) -- C:\WINDOWS\System32\dllcache\rpcss.dll [2009/06/24 22:15:22 \| 00,284,160 \| ---- \| C] (Microsoft Corporation) -- C:\WINDOWS\System32\dllcache\pdh.dll [2009/06/24 22:15:22 \| 00,110,592 \| ---- \| C] (Microsoft Corporation) -- C:\WINDOWS\System32\dllcache\services.exe [2009/06/24 22:15:22 \| 00,035,328 \| ---- \| C] (Microsoft Corporation) -- C:\WINDOWS\System32\dllcache\sc.exe [2009/06/24 22:15:21 \| 00,729,088 \| ---- \| C] (Microsoft Corporation) -- C:\WINDOWS\System32\dllcache\lsasrv.dll [2009/06/24 22:15:21 \| 00,714,752 \| ---- \| C] (Microsoft Corporation) -- C:\WINDOWS\System32\dllcache\ntdll.dll [2009/06/24 22:15:21 \| 00,617,472 \| ---- \| C] (Microsoft Corporation) -- C:\WINDOWS\System32\dllcache\advapi32.dll [2009/06/24 22:15:21 \| 00,453,120 \| ---- \| C] (Microsoft Corporation) -- C:\WINDOWS\System32\dllcache\wmiprvsd.dll [2009/06/24 22:15:21 \| 00,227,840 \| ---- \| C] (Microsoft Corporation) -- C:\WINDOWS\System32\dllcache\wmiprvse.exe [2009/06/24 21:45:34 \| 01,203,922 \| ---- \| C] () -- C:\WINDOWS\System32\dllcache\sysmain.sdb [2009/06/24 21:45:34 \| 00,215,552 \| ---- \| C] (Microsoft Corporation) -- C:\WINDOWS\System32\dllcache\wordpad.exe [2009/06/24 21:45:34 \| 00,002,560 \| ---- \| C] (Microsoft Corporation) -- C:\WINDOWS\System32\xpsp4res.dll [2009/06/24 21:41:04 \| 00,000,000 \| ---D \| C] -- C:\WINDOWS\ERDNT [2009/06/24 21:40:55 \| 00,000,767 \| ---- \| C] () -- C:\Documents and Settings\Brittany\Start Menu\Programs\Startup\ERUNT AutoBackup.lnk [2009/06/24 21:40:47 \| 00,000,000 \| ---D \| C] -- C:\Program Files\ERUNT [2009/03/26 19:20:36 \| 00,000,035 \| ---- \| C] () -- C:\WINDOWS\Blink.ini [2008/09/02 14:26:28 \| 00,565,248 \| R--- \| C] () -- C:\WINDOWS\System32\hpotscl.dll [2008/04/28 17:07:14 \| 00,000,376 \| ---- \| C] () -- C:\WINDOWS\ODBC.INI [2008/04/28 15:29:35 \| 00,000,002 \| ---- \| C] () -- C:\WINDOWS\msoffice.ini [2008/04/28 12:41:52 \| 00,000,008 \| RHS- \| C] () -- C:\WINDOWS\System32\D99A0CB7E2.sys [2008/04/28 12:41:51 \| 00,002,828 \| -HS- \| C] () -- C:\WINDOWS\System32\KGyGaAvL.sys [2006/05/03 23:56:46 \| 00,000,061 \| ---- \| C] () -- C:\WINDOWS\smscfg.ini [2006/05/03 23:45:16 \| 00,000,138 \| ---- \| C] () -- C:\WINDOWS\wininit.ini [2006/05/03 23:09:22 \| 00,016,480 \| ---- \| C] () -- C:\WINDOWS\System32\rixdicon.dll [2006/05/03 23:09:12 \| 00,086,016 \| ---- \| C] () -- C:\WINDOWS\System32\preflib.dll [2006/05/03 23:09:06 \| 00,757,760 \| ---- \| C] () -- C:\WINDOWS\System32\bcm1xsup.dll [2006/05/03 23:09:04 \| 00,000,391 \| ---- \| C] () -- C:\WINDOWS\System32\OEMINFO.INI [2005/04/09 18:04:54 \| 00,000,000 \| ---- \| C] () -- C:\WINDOWS\System32\px.ini [2004/08/10 14:12:05 \| 00,000,780 \| ---- \| C] () -- C:\WINDOWS\orun32.ini [2004/08/10 14:01:18 \| 00,001,793 \| ---- \| C] () -- C:\WINDOWS\System32\fxsperf.ini [2004/08/10 13:51:28 \| 00,000,628 \| ---- \| C] () -- C:\WINDOWS\win.ini [2004/08/10 13:51:26 \| 00,000,231 \| ---- \| C] () -- C:\WINDOWS\system.ini [2003/01/07 15:05:08 \| 00,002,695 \| ---- \| C] () -- C:\WINDOWS\System32\OUTLPERF.INI ========== Files - Modified Within 30 Days ========== [2009/06/26 13:49:20 \| 00,000,868 \| ---- \| M] () -- C:\WINDOWS\tasks\Google Software Updater.job [2009/06/26 13:49:08 \| 00,000,006 \| -H-- \| M] () -- C:\WINDOWS\tasks\SA.DAT [2009/06/26 13:49:03 \| 00,002,048 \| --S- \| M] () -- C:\WINDOWS\bootstat.dat [2009/06/26 13:46:13 \| 00,513,536 \| ---- \| M] (OldTimer Tools) -- C:\Documents and Settings\Brittany\Desktop\OTL.exe [2009/06/25 13:52:23 \| 00,441,626 \| ---- \| M] () -- C:\WINDOWS\System32\PerfStringBackup.INI [2009/06/25 13:52:23 \| 00,382,260 \| ---- \| M] () -- C:\WINDOWS\System32\perfh009.dat [2009/06/25 13:52:23 \| 00,053,838 \| ---- \| M] () -- C:\WINDOWS\System32\perfc009.dat [2009/06/24 22:34:18 \| 00,152,384 \| ---- \| M] () -- C:\WINDOWS\System32\FNTCACHE.DAT [2009/06/24 22:33:20 \| 04,836,060 \| -H-- \| M] () -- C:\Documents and Settings\Brittany\Local Settings\Application Data\IconCache.db [2009/06/24 22:21:25 \| 00,001,374 \| ---- \| M] () -- C:\WINDOWS\imsins.BAK [2009/06/24 21:56:05 \| 00,002,206 \| ---- \| M] () -- C:\WINDOWS\System32\wpa.dbl [2009/06/24 21:40:55 \| 00,000,767 \| ---- \| M] () -- C:\Documents and Settings\Brittany\Start Menu\Programs\Startup\ERUNT AutoBackup.lnk [2009/06/17 11:27:56 \| 00,038,160 \| ---- \| M] (Malwarebytes Corporation) -- C:\WINDOWS\System32\drivers\mbamswissarmy.sys [2009/06/17 11:27:44 \| 00,019,096 \| ---- \| M] (Malwarebytes Corporation) -- C:\WINDOWS\System32\drivers\mbam.sys [2009/06/01 09:51:14 \| 23,635,392 \| ---- \| M] (Microsoft Corporation) -- C:\WINDOWS\System32\MRT.exe < End of report > kapersky scan: KASPERSKY ONLINE SCANNER 7.0 REPORT Friday, June 26, 2009 Operating System: Microsoft Windows XP Home Edition Service Pack 3 (build 2600) Kaspersky Online Scanner version: 7.0.26.13 Program database last update: Friday, June 26, 2009 18:45:29 Records in database: 2392289 -------------------------------------------------------------------------------- Scan settings: Scan using the following database: extended Scan archives: yes Scan mail databases: yes Scan area - My Computer: C:\ D:\ Scan statistics: Files scanned: 63967 Threat name: 1 Infected objects: 47 Suspicious objects: 0 Duration of the scan: 01:58:51 File name / Threat name / Threats count C:\WINDOWS\system32\USER32.dll/C:\WINDOWS\system32\USER32.dll Infected: Trojan.Win32.Patched.dr 47 The selected area was scanned.

hammerman View Member Profile	Jun 26 2009, 04:26 PM Post #6
Trusted Helper Posts: 1,259 From: UK OS: XP	Hi gmanfan, Please download SystemLook from one of the links below and save it to your Desktop. Download Mirror #1 Download Mirror #2 Double-click SystemLook.exe to run it. Copy the content of the following codebox into the main textfield: CODE :filefind user32.dll Click the Look button to start the scan. When finished, a notepad window will open with the results of the scan. Please post this log in your next reply. Note: The log can also be found on your Desktop entitled SystemLook.txt

gmanfan View Member Profile	Jun 27 2009, 03:52 PM Post #7
Member Posts: 70 From: Florida OS: XP Media Edition	Will do it tomorrow and let you know how it goes. Thanks a lot!

hammerman View Member Profile	Jun 27 2009, 03:57 PM Post #8
Trusted Helper Posts: 1,259 From: UK OS: XP	No problem at all.

gmanfan View Member Profile	Jun 28 2009, 11:38 AM Post #9
Member Posts: 70 From: Florida OS: XP Media Edition	Here you go: SystemLook v1.0 by jpshortstuff (22.05.09) Log created at 13:36 on 28/06/2009 by Brittany (Administrator - Elevation successful) ========== filefind ========== Searching for "user32.dll" C:\i386\user32.dll --a--- 577536 bytes [20:19 29/04/2008] [15:36 08/03/2007] B409909F6E2E8A7067076ED748ABF1E7 C:\WINDOWS\$hf_mig$\KB890859\SP2QFE\user32.dll --a--- 577024 bytes [18:19 02/03/2005] [18:19 02/03/2005] 1800F293BCCC8EDE8A70E12B88D80036 C:\WINDOWS\$hf_mig$\KB925902\SP2QFE\user32.dll --a--- 578048 bytes [15:48 08/03/2007] [15:48 08/03/2007] 7AA4F6C00405DFC4B70ED4214E7D687B C:\WINDOWS\$NtServicePackUninstall$\user32.dll -----c 577536 bytes [00:58 26/11/2008] [15:36 08/03/2007] B409909F6E2E8A7067076ED748ABF1E7 C:\WINDOWS\$NtUninstallKB890859$\user32.dll -----c 577024 bytes [14:40 27/04/2008] [10:00 04/08/2004] C72661F8552ACE7C5C85E16A3CF505C4 C:\WINDOWS\$NtUninstallKB925902$\user32.dll -----c 577024 bytes [14:47 27/04/2008] [18:09 02/03/2005] DE2DB164BBB35DB061AF0997E4499054 C:\WINDOWS\ServicePackFiles\i386\user32.dll ------ 578560 bytes [20:30 14/09/2008] [00:12 14/04/2008] B26B135FF1B9F60C9388B4A7D16F600B C:\WINDOWS\system32\user32.DLL --a--- 578560 bytes [17:51 10/08/2004] [19:37 30/03/2009] (Unable to calculate MD5) -=End Of File=-

hammerman View Member Profile	Jun 29 2009, 01:45 PM Post #10
Trusted Helper Posts: 1,259 From: UK OS: XP	Hi gmanfan, Ltitle bit more to do. Download ComboFix from one of these locations: Link 1 Link 2 * IMPORTANT !!! Save ComboFix.exe to your Desktop Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools Double click on ComboFix.exe & follow the prompts. As part of it's process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware. Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console. Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue it's malware removal procedures. Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message: Click on Yes, to continue scanning for malware. When finished, it shall produce a log for you. Please include the C:\ComboFix.txt** log in your next reply.

gmanfan View Member Profile	Jun 29 2009, 02:51 PM Post #11
Member Posts: 70 From: Florida OS: XP Media Edition	Here you go! ComboFix 09-06-29.01 - Brittany 06/29/2009 16:37.1 - NTFSx86 Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.1014.617 [GMT -4:00] Running from: c:\documents and settings\Brittany\Desktop\ComboFix.exe AV: On-access scanning disabled (Outdated) {84B5EE75-6421-4CDE-A33A-DD43BA9FAD83} AV: avast! antivirus 4.8.1335 [VPS 090629-0] On-access scanning disabled (Updated) {7591DB91-41F0-48A3-B128-1A293FD8233D} FW: disabled {94894B63-8C7F-4050-BDA4-813CA00DA3E8} . ((((((((((((((((((((((((((((((((((((((( Other Deletions ))))))))))))))))))))))))))))))))))))))))))))))))) . C:\-2010214786 c:\windows\system32\bszip.dll . ((((((((((((((((((((((((( Files Created from 2009-05-28 to 2009-06-29 ))))))))))))))))))))))))))))))) . 2009-06-29 16:56 . 2009-06-29 17:43 -------- d-----w- c:\documents and settings\All Users\Application Data\Yahoo! Companion 2009-06-29 16:56 . 2009-06-29 16:56 -------- d-----w- c:\program files\CCleaner 2009-06-26 17:47 . 2009-06-26 17:47 -------- d-----w- C:\_OTL 2009-06-25 02:15 . 2009-03-06 14:22 284160 ------w- c:\windows\system32\dllcache\pdh.dll 2009-06-25 02:15 . 2009-02-09 12:10 473600 ------w- c:\windows\system32\dllcache\fastprox.dll 2009-06-25 02:15 . 2009-02-09 12:10 401408 ------w- c:\windows\system32\dllcache\rpcss.dll 2009-06-25 02:15 . 2009-02-06 11:11 110592 ------w- c:\windows\system32\dllcache\services.exe 2009-06-25 02:15 . 2009-02-06 10:39 35328 ------w- c:\windows\system32\dllcache\sc.exe 2009-06-25 02:15 . 2009-02-09 12:10 729088 ------w- c:\windows\system32\dllcache\lsasrv.dll 2009-06-25 02:15 . 2009-02-09 12:10 714752 ------w- c:\windows\system32\dllcache\ntdll.dll 2009-06-25 02:15 . 2009-02-09 12:10 617472 ------w- c:\windows\system32\dllcache\advapi32.dll 2009-06-25 02:15 . 2009-02-09 12:10 453120 ------w- c:\windows\system32\dllcache\wmiprvsd.dll 2009-06-25 02:15 . 2009-02-06 10:10 227840 ------w- c:\windows\system32\dllcache\wmiprvse.exe 2009-06-25 01:52 . 2009-06-25 01:54 3561743 ----a-w- c:\documents and settings\All Users\Application Data\Malwarebytes\Malwarebytes' Anti-Malware\mbam-setup.exe 2009-06-25 01:45 . 2008-05-03 11:55 2560 ------w- c:\windows\system32\xpsp4res.dll 2009-06-25 01:45 . 2008-04-21 12:08 215552 ------w- c:\windows\system32\dllcache\wordpad.exe 2009-06-25 01:40 . 2009-06-25 01:40 -------- d-----w- c:\program files\ERUNT 2009-06-25 00:41 . 2009-06-25 00:41 152576 ----a-w- c:\documents and settings\Brittany\Application Data\Sun\Java\jre1.6.0_14\lzma.dll . (((((((((((((((((((((((((((((((((((((((( Find3M Report )))))))))))))))))))))))))))))))))))))))))))))))))))) . 2009-06-29 20:38 . 2004-08-10 17:51 578560 ----a-w- c:\windows\system32\user32.dll 2009-06-29 16:56 . 2008-04-27 17:59 -------- d-----w- c:\program files\Yahoo! 2009-06-29 16:36 . 2008-12-27 06:40 -------- d-----w- c:\documents and settings\All Users\Application Data\Google Updater 2009-06-26 19:08 . 2008-04-28 16:52 -------- d-----w- c:\program files\Common Files\Adobe 2009-06-25 01:54 . 2008-12-27 23:06 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware 2009-06-25 00:42 . 2006-05-04 03:30 -------- d-----w- c:\program files\Java 2009-06-17 15:27 . 2008-12-27 23:06 38160 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys 2009-06-17 15:27 . 2008-12-27 23:06 19096 ----a-w- c:\windows\system32\drivers\mbam.sys 2009-05-21 15:33 . 2008-12-22 14:56 410984 ----a-w- c:\windows\system32\deploytk.dll 2009-05-07 15:32 . 2004-08-10 17:51 345600 ----a-w- c:\windows\system32\localspl.dll 2009-04-29 04:56 . 2004-08-10 17:51 827392 ----a-w- c:\windows\system32\wininet.dll 2009-04-29 04:55 . 2004-08-10 17:51 78336 ----a-w- c:\windows\system32\ieencode.dll 2009-04-17 12:26 . 2004-08-10 17:51 1847168 ----a-w- c:\windows\system32\win32k.sys 2009-04-15 14:51 . 2004-08-10 17:51 585216 ----a-w- c:\windows\system32\rpcrt4.dll 2008-04-28 16:41 . 2008-04-28 16:41 8 --sh--r- c:\windows\system32\D99A0CB7E2.sys 2008-04-28 16:41 . 2008-04-28 16:41 2828 --sha-w- c:\windows\system32\KGyGaAvL.sys 2009-03-28 03:58 . 2009-03-28 03:58 2713 --sh--w- c:\windows\system32\lojonuda.exe 2009-03-30 19:37 . 2009-03-30 19:37 2713 --sh--w- c:\windows\system32\wogidovi.exe . Infected c:\windows\system32\user32.dll hex repaired ((((((((((((((((((((((((((((((((((((( Reg Loading Points )))))))))))))))))))))))))))))))))))))))))))))))))) . . Note empty entries & legit default entries are not shown REGEDIT4 [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run] "DellSupportCenter"="c:\program files\Dell Support Center\bin\sprtcmd.exe" [2008-08-13 206064] "ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-14 15360] "MSMSGS"="c:\program files\Messenger\msmsgs.exe" [2008-04-14 1695232] "Uniblue SpeedUpMyPC"="c:\program files\Uniblue\SpeedUpMyPC 3\SpeedUpMyPC.exe" [2007-08-16 9495832] "swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2008-05-31 68856] [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run] "ShowLOMControl"="1 (0x1)" [X] "igfxtray"="c:\windows\system32\igfxtray.exe" [2005-12-14 98304] "igfxhkcmd"="c:\windows\system32\hkcmd.exe" [2005-12-14 77824] "igfxpers"="c:\windows\system32\igfxpers.exe" [2005-12-14 118784] "Broadcom Wireless Manager UI"="c:\windows\system32\WLTRAY.exe" [2005-12-19 1347584] "dla"="c:\windows\system32\dla\tfswctrl.exe" [2004-12-06 127035] "avast!"="c:\progra~1\ALWILS~1\Avast4\ashDisp.exe" [2009-02-05 81000] "QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2008-11-04 413696] "dscactivate"="c:\program files\Dell Support Center\gs_agent\custom\dsca.exe" [2007-11-15 16384] "TkBellExe"="c:\program files\Common Files\Real\Update_OB\realsched.exe" [2009-01-30 185896] "dellsupportcenter"="c:\program files\Dell Support Center\bin\sprtcmd.exe" [2008-08-13 206064] "SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2009-05-21 148888] "Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2008-10-15 39792] "SigmatelSysTrayApp"="stsystra.exe" - c:\windows\stsystra.exe [2005-11-17 397312] [HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce] "RealUpgradeHelper"="c:\program files\Common Files\Real\Update_OB\upgrdhlp.exe" [2009-01-30 136768] c:\documents and settings\Brittany\Start Menu\Programs\Startup\ ERUNT AutoBackup.lnk - c:\program files\ERUNT\AUTOBACK.EXE [2005-10-20 38912] c:\documents and settings\All Users\Start Menu\Programs\Startup\ Digital Line Detect.lnk - c:\program files\Digital Line Detect\DLG.exe [2006-5-3 24576] [HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeAntiVirus] "DisableMonitoring"=dword:00000001 [HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeFirewall] "DisableMonitoring"=dword:00000001 [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List] "%windir%\\system32\\sessmgr.exe"= "c:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe"= "c:\\Program Files\\Yahoo!\\Messenger\\YServer.exe"= "%windir%\\Network Diagnostic\\xpnetdiag.exe"= "c:\\Program Files\\Bonjour\\mDNSResponder.exe"= "c:\\Program Files\\iTunes\\iTunes.exe"= "c:\\Program Files\\Dell Support Center\\bin\\sprtsvc.exe"= R1 aswSP;avast! Self Protection;c:\windows\system32\drivers\aswSP.sys [1/30/2009 12:40 PM 114768] R2 aswFsBlk;aswFsBlk;c:\windows\system32\drivers\aswFsBlk.sys [1/30/2009 12:40 PM 20560] S3 V0330VID;WebCam Vista;c:\windows\system32\drivers\V0330Vid.sys [9/13/2006 1:00 AM 173632] . Contents of the 'Scheduled Tasks' folder 2009-03-04 c:\windows\Tasks\AppleSoftwareUpdate.job - c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 16:34] 2009-06-29 c:\windows\Tasks\Google Software Updater.job - c:\program files\Google\Common\Google Updater\GoogleUpdaterService.exe [2008-05-08 12:31] 2009-01-30 c:\windows\Tasks\Uniblue SpyEraser.job - c:\program files\Uniblue\SpyEraser\SpyEraser.exe [2009-01-30 14:03] . . ------- Supplementary Scan ------- . uStart Page = hxxp://www.myspace.com uInternet Connection Wizard,ShellNext = hxxp://www.dell.com/ uInternet Settings,ProxyOverride = .local IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~4\OFFICE11\EXCEL.EXE/3000 Trusted Zone: musicmatch.com\online DPF: {3107C2A8-9F0B-4404-A58B-21BD85268FBC} - hxxp://www.pogo.com/cdl/launcher/PogoWebLauncherInstaller.CAB . *********************************************************************** catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net Rootkit scan 2009-06-29 16:41 Windows 5.1.2600 Service Pack 3 NTFS scanning hidden processes ... scanning hidden autostart entries ... scanning hidden files ... c:\windows\TEMP\_av_proI.tm~a03640\dld1.tmp 10 bytes scan completed successfully hidden files: 1 ********************************************************************** . --------------------- DLLs Loaded Under Running Processes --------------------- - - - - - - - > 'winlogon.exe'(684) c:\windows\System32\BCMLogon.dll . ------------------------ Other Running Processes ------------------------ . c:\windows\system32\WLTRYSVC.EXE c:\windows\system32\BCMWLTRY.EXE c:\program files\Alwil Software\Avast4\aswUpdSv.exe c:\program files\Alwil Software\Avast4\ashServ.exe c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe c:\program files\Bonjour\mDNSResponder.exe c:\program files\Java\jre6\bin\jqs.exe c:\program files\Dell\NicConfigSvc\NicConfigSvc.exe c:\program files\Dell Support Center\bin\sprtsvc.exe c:\windows\system32\wdfmgr.exe c:\windows\system32\igfxsrvc.exe c:\program files\Alwil Software\Avast4\ashMaiSv.exe c:\program files\Alwil Software\Avast4\ashWebSv.exe . ************************************************************************ . Completion time: 2009-06-29 16:46 - machine was rebooted ComboFix-quarantined-files.txt 2009-06-29 20:46 Pre-Run: 16,373,100,544 bytes free Post-Run: 16,245,276,672 bytes free WindowsXP-KB310994-SP2-Home-BootDisk-ENU.exe [boot loader] timeout=2 default=multi(0)disk(0)rdisk(0)partition(2)\WINDOWS [operating systems] c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons multi(0)disk(0)rdisk(0)partition(2)\WINDOWS="Microsoft Windows XP Home Edition" /noexecute=optin /fastdetect 166 --- E O F --- 2009-06-26 19:08

hammerman View Member Profile	Jun 29 2009, 02:57 PM Post #12
Trusted Helper Posts: 1,259 From: UK OS: XP	Hi gmanfan, Can you tell me how your computer is running now.

gmanfan View Member Profile	Jun 29 2009, 03:35 PM Post #13
Member Posts: 70 From: Florida OS: XP Media Edition	Has been running fine since post 4 or so....it's great! Anything else i need to do? I have another computer to fix, but will wait until I follow spyware/malware removal section again! thanks so much!

hammerman View Member Profile	Jun 30 2009, 12:42 PM Post #14
Trusted Helper Posts: 1,259 From: UK OS: XP	Hi gmanfan, Congratulations, your computer is now clean If you would like me to help with your other computer, please post the logs in this thread. We now need to remove some of the tools I used. -- Step 1 -- Follow these steps to uninstall Combofix and tools used in the removal of malware Click START then RUN Now type Combofix /u in the runbox and click OK. Note the space between the X and the U, it needs to be there. -- Step 2 -- Download OTC to your desktop and run it Click Yes to beginning the Cleanup process and remove these components, including this application. You will be asked to reboot the machine to finish the Cleanup process. Choose Yes. Here are some measures you can take to ensure that your computer remains clean. 1. Updates Windows Updates It is essential that you regularly check and install the latest Windows Updates. Vulnerabilities within Windows can leave your computer open to infection. Regular updates are released to fix these security vulnerabilities. It is recommended that you set Windows to check, download and install your updates automatically. Click Start Select Control Panel Click on Automatic (recommended) Set the day and time for the update check. Set this to a time when your computer will normally be on and connected to the internet. Click Apply then OK. Java Updates As with Windows, Java also needs to be regularly updated to fix security vulnerabilites. You can download the latest version of the Java Runtime Environment (JRE) from here. Download, install and reboot your computer. You also need to uininstall older versions of Java. Click Start Select Control Panel Select Add or Remove Programs Remove all Java updates except the latest one you have just installed. Adobe Updates You should also ensure you use the latest Adobe Acrobat Reader and install any security updates that are released. You can download the latest reader and updates from here. Other Updates Regularly check for updates for all your security programs including firewall, antivirus, antispyware etc 2. Security Programs Here is a list of security programs that I would recommend. Firewall A firewall is essential to stop hackers infiltrating your computer. The following firewalls are free for personal use. Do not install more than one firewall. Zone Alarm is an excellent free basic firewall which is very easy to use. Online-Armor Free is a more advanced firewall which includes a Host Intrusion Protection System (HIPS). This ensures that unrecognised programs will not run unless you give permission. Comodo Internet Security which is free and includes a firewall, antivirus and HIPS (called Defense+). You can choose not to install the antivirus if you prefer to use another program Antivirus An antivirus program is essential. The following antivirus programs are free for personal use. Do not use more than one antivirus and always update virus definitions regularly. AVG Avira Free Avast Anti-Malware Malwarebytes Anti-Malware MBAM is an excellent anti-malware tool that should be updated and a Quick Scan performed regularly. A Full Scan does not have to be carried out on such a regular basis as the developers aim to detect the vast majority of malware with the Quick Scan. The scanner is free for on-demand scans only. Ad-Aware, Spybot, SuperAntispyware and A-Squared Free are also very good anti-malware programs that are free for on-demand scans. Spybot has a real-time protection feature called TeaTimer. Prevention SpywareBlaster is an excellent free tool for preventing the installation of spyware. SpywareGuard offers real-time protection so that spyware is detected and blocked before it can do any harm. Cleaner ATF Cleaner removes temporary Internet Explorer, Firefox and Windows files. Browser Firefox is an alternative browser to Internet Explorer and is more secure. NoScript is an add-on for Firefox and prevents execution of malicious scripts. MVPS is a HOSTS file to replace your existing file. This prevents you connecting to a list of well-known ad sites. This post has been edited by hammerman: Jun 30 2009, 12:42 PM

gmanfan View Member Profile	Jul 1 2009, 04:28 PM Post #15
Member Posts: 70 From: Florida OS: XP Media Edition	Ok, I will delete projects and post on my other computers on Thursday! Thanks

« Next Oldest · Virus, Spyware and Trojan Removal · Next Newest »

3 Pages

1 2 3 >

1 User(s) are reading this topic (1 Guests and 0 Anonymous Users)

0 Members:

Topic Title	Replies / Views	Topic Information
Lavasoft Support (Ad-aware) Need help with hotoffer.info and other pop-ups[RESOLVED] 12	18 / 1,824	3rd May 2005 - 04:04 PM dlbryson started - last by Mannen
Virus, Spyware and Trojan Removal Need Help With Win32.P2P-Worm.Alcan.a [RESOLVED] 12	17 / 2,967	1st November 2005 - 07:18 AM Shadow_Fox started - last by Armodeluxe
Virus, Spyware and Trojan Removal getting popups need help with removing spyware and viruses [Solved]	4 / 456	19th December 2008 - 12:52 AM j mann started - last by Jimmy2012
Virus, Spyware and Trojan Removal Need Help with Trojan.Vundo.H and Trojan.BHO [Solved] 123	38 / 1,848	26th February 2009 - 05:18 PM fedup_with_vundo started - last by fenzodahl512