vundo.h, Hiloti, and others [Solved] - Geeks to Go Forums


vundo.h, Hiloti, and others [Solved]

#1 stubbdog

  • Group: Member
  • Posts: 46
  • Joined: 18-August 05

Posted 28 January 2010 - 12:53 PM

Turns out I have a second user that also got infected.

I have run mbam three times with reboots between. I have attached the first and the last logs from that.

And ran OTL, attaching it below.

OTL.txt:


OTL logfile created on: 1/28/2010 12:26:36 PM - Run 1
OTL by OldTimer - Version 3.1.27.0 Folder = C:\Documents and Settings\administrator.CONCORDE.000\Desktop\patch
Windows XP Professional Edition Service Pack 2 (Version = 5.1.2600) - Type = NTWorkstation
Internet Explorer (Version = 7.0.5730.11)
Locale: 00000409 | Country: United States | Language: ENU | Date Format: M/d/yyyy

510.00 Mb Total Physical Memory | 98.00 Mb Available Physical Memory | 19.00% Memory free
1.00 Gb Paging File | 1.00 Gb Available in Paging File | 66.00% Paging File free
Paging file location(s): C:\pagefile.sys 768 1536 [binary data]

%SystemDrive% = C: | %SystemRoot% = C:\WINDOWS | %ProgramFiles% = C:\Program Files
Drive C: | 27.91 Gb Total Space | 3.53 Gb Free Space | 12.67% Space Free | Partition Type: NTFS
D: Drive not present or media not loaded
E: Drive not present or media not loaded
F: Drive not present or media not loaded
G: Drive not present or media not loaded
H: Drive not present or media not loaded
I: Drive not present or media not loaded

Computer Name: CFC-STETTER-LAP
Current User Name: Administrator
Logged in as Administrator.

Current Boot Mode: Normal
Scan Mode: All users
Company Name Whitelist: On
Skip Microsoft Files: On
File Age = 14 Days
Output = Standard
Quick Scan

========== Processes (SafeList) ==========

PRC - [2010/01/27 15:04:20 | 00,548,864 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\administrator.CONCORDE.000\Desktop\patch\OTL.exe
PRC - [2009/12/18 07:05:43 | 00,634,648 | ---- | M] (Microsoft Corporation) -- C:\Program Files\Internet Explorer\iexplore.exe
PRC - [2008/11/19 11:24:16 | 00,108,392 | ---- | M] (Symantec Corporation) -- C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
PRC - [2008/11/19 11:24:14 | 00,115,560 | ---- | M] (Symantec Corporation) -- C:\Program Files\Common Files\Symantec Shared\ccApp.exe
PRC - [2008/11/19 11:24:04 | 01,439,040 | ---- | M] (Symantec Corporation) -- C:\Program Files\Symantec AntiVirus\SmcGui.exe
PRC - [2008/11/19 11:24:02 | 01,787,200 | ---- | M] (Symantec Corporation) -- C:\Program Files\Symantec AntiVirus\Smc.exe
PRC - [2008/11/19 11:24:00 | 02,436,536 | ---- | M] (Symantec Corporation) -- C:\Program Files\Symantec AntiVirus\Rtvscan.exe
PRC - [2008/05/02 01:44:08 | 00,805,392 | ---- | M] (Logitech, Inc.) -- C:\Program Files\Logitech\SetPoint\SetPoint.exe
PRC - [2008/05/02 01:40:56 | 00,076,304 | ---- | M] (Logitech, Inc.) -- C:\Program Files\Common Files\Logishrd\KHAL2\KHALMNPR.exe
PRC - [2008/04/25 15:25:20 | 00,787,208 | ---- | M] (Logitech, Inc.) -- C:\Program Files\Logitech\SetPoint\LU\LogitechUpdate.exe
PRC - [2008/04/25 15:25:12 | 00,191,752 | ---- | M] (Logitech, Inc.) -- C:\Program Files\Logitech\SetPoint\LU\LULnchr.exe
PRC - [2007/07/24 06:28:52 | 00,068,856 | ---- | M] (Google Inc.) -- C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
PRC - [2007/07/12 03:00:36 | 00,325,008 | ---- | M] (Sun Microsystems, Inc.) -- C:\Program Files\Java\jre1.6.0_02\bin\jucheck.exe
PRC - [2007/07/12 03:00:36 | 00,132,496 | ---- | M] (Sun Microsystems, Inc.) -- C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe
PRC - [2007/06/13 04:23:07 | 01,033,216 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\explorer.exe
PRC - [2007/01/04 15:38:18 | 00,112,336 | ---- | M] (Viewpoint Corporation) -- C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
PRC - [2007/01/04 15:38:08 | 00,024,652 | ---- | M] (Viewpoint Corporation) -- C:\Program Files\Viewpoint\Common\ViewpointService.exe
PRC - [2005/09/20 08:36:20 | 00,114,688 | ---- | M] (Intel Corporation) -- C:\WINDOWS\SYSTEM32\igfxpers.exe
PRC - [2005/09/20 08:32:24 | 00,077,824 | ---- | M] (Intel Corporation) -- C:\WINDOWS\SYSTEM32\hkcmd.exe
PRC - [2005/09/20 08:32:16 | 00,159,744 | ---- | M] (Intel Corporation) -- C:\WINDOWS\SYSTEM32\igfxsrvc.exe
PRC - [2005/05/04 00:04:28 | 09,150,464 | ---- | M] (Microsoft Corporation) -- C:\Program Files\Microsoft SQL Server\MSSQL$FACW\Binn\sqlservr.exe
PRC - [2005/05/03 22:07:32 | 00,081,920 | ---- | M] (Microsoft Corporation) -- C:\Program Files\Microsoft SQL Server\80\Tools\Binn\sqlmangr.exe
PRC - [2004/08/11 12:22:52 | 00,065,588 | ---- | M] (SafeNet) -- C:\Program Files\WatchGuard\Mobile User VPN\SafeCfg.exe
PRC - [2004/08/11 12:22:46 | 00,057,398 | ---- | M] (SafeNet) -- C:\Program Files\WatchGuard\Mobile User VPN\IPSecMon.exe
PRC - [2004/08/11 12:22:44 | 00,319,538 | ---- | M] (SafeNet) -- C:\Program Files\WatchGuard\Mobile User VPN\IreIKE.exe
PRC - [2003/08/20 20:24:04 | 00,151,552 | ---- | M] (Alps Electric Co., Ltd.) -- C:\Program Files\Apoint\Apoint.exe
PRC - [2003/06/13 15:37:48 | 00,450,560 | ---- | M] (Broadcom Corporation) -- C:\WINDOWS\SYSTEM32\BCMWLTRY.EXE
PRC - [2003/06/13 15:37:48 | 00,045,056 | ---- | M] () -- C:\WINDOWS\SYSTEM32\WLTRYSVC.EXE
PRC - [2003/02/26 11:08:42 | 00,045,056 | ---- | M] (Alps Electric Co., Ltd.) -- C:\Program Files\Apoint\ApntEx.exe
PRC - [2003/02/24 15:35:12 | 00,163,840 | ---- | M] () -- C:\WINDOWS\SYSTEM32\pctspk.exe
PRC - [2003/01/31 11:27:26 | 00,364,544 | ---- | M] () -- C:\Program Files\Dell\QuickSet\quickset.exe
PRC - [2002/12/17 12:28:00 | 00,684,032 | ---- | M] (Roxio) -- C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\Directcd.exe
PRC - [2002/07/17 10:18:06 | 00,028,672 | ---- | M] (Dell - Advanced Desktop Engineering) -- C:\WINDOWS\SYSTEM32\DSentry.exe


========== Modules (SafeList) ==========

MOD - [2010/01/27 15:04:20 | 00,548,864 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\administrator.CONCORDE.000\Desktop\patch\OTL.exe
MOD - [2008/05/02 01:42:50 | 00,045,584 | ---- | M] (Logitech, Inc.) -- C:\Program Files\Logitech\SetPoint\lgscroll.dll
MOD - [2007/03/08 09:36:28 | 00,150,528 | ---- | M] () -- C:\WINDOWS\ibirupohofus.dll
MOD - [2006/12/01 22:54:32 | 00,626,688 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\WinSxS\x86_Microsoft.VC80.CRT_1fc8b3b9a1e18e3b_8.0.50727.762_x-ww_6b128700\msvcr80.dll
MOD - [2006/08/25 09:45:55 | 01,054,208 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\WinSxS\x86_Microsoft.Windows.Common-Controls_6595b64144ccf1df_6.0.2600.2982_x-ww_ac3f9c03\comctl32.dll
MOD - [2002/03/22 09:05:46 | 00,073,728 | ---- | M] () -- C:\Program Files\Dell\QuickSet\dadkeyb.dll


========== Win32 Services (SafeList) ==========

SRV - [2009/04/26 18:05:47 | 00,182,768 | ---- | M] (Google) [On_Demand | Stopped] -- C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe -- (gusvc)
SRV - [2008/11/19 11:24:16 | 00,108,392 | ---- | M] (Symantec Corporation) [Auto | Running] -- C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe -- (ccSetMgr)
SRV - [2008/11/19 11:24:16 | 00,108,392 | ---- | M] (Symantec Corporation) [Auto | Running] -- C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe -- (ccEvtMgr)
SRV - [2008/11/19 11:24:06 | 00,312,720 | ---- | M] (Symantec Corporation) [On_Demand | Stopped] -- C:\Program Files\Symantec AntiVirus\SNAC.EXE -- (SNAC)
SRV - [2008/11/19 11:24:02 | 01,787,200 | ---- | M] (Symantec Corporation) [Auto | Running] -- C:\Program Files\Symantec AntiVirus\Smc.exe -- (SmcService)
SRV - [2008/11/19 11:24:00 | 02,436,536 | ---- | M] (Symantec Corporation) [Auto | Running] -- C:\Program Files\Symantec AntiVirus\Rtvscan.exe -- (Symantec AntiVirus)
SRV - [2008/06/30 16:36:35 | 03,093,872 | ---- | M] (Symantec Corporation) [On_Demand | Stopped] -- C:\Program Files\Symantec\LiveUpdate\LuComServer_3_3.EXE -- (LiveUpdate)
SRV - [2008/05/02 01:42:06 | 00,121,360 | ---- | M] (Logitech, Inc.) [On_Demand | Stopped] -- C:\Program Files\Common Files\Logishrd\Bluetooth\LBTServ.exe -- (LBTServ)
SRV - [2007/01/04 15:38:08 | 00,024,652 | ---- | M] (Viewpoint Corporation) [Auto | Running] -- C:\Program Files\Viewpoint\Common\ViewpointService.exe -- (Viewpoint Manager Service)
SRV - [2005/05/04 00:04:28 | 09,150,464 | ---- | M] (Microsoft Corporation) [Auto | Running] -- C:\Program Files\Microsoft SQL Server\MSSQL$FACW\Binn\sqlservr.exe -- (MSSQL$FACW)
SRV - [2005/05/03 21:42:56 | 00,323,584 | ---- | M] (Microsoft Corporation) [On_Demand | Stopped] -- C:\Program Files\Microsoft SQL Server\MSSQL$FACW\Binn\sqlagent.EXE -- (SQLAgent$FACW)
SRV - [2004/08/11 12:22:46 | 00,057,398 | ---- | M] (SafeNet) [Auto | Running] -- C:\Program Files\WatchGuard\Mobile User VPN\IPSecMon.exe -- (IPSECMON)
SRV - [2004/08/11 12:22:44 | 00,319,538 | ---- | M] (SafeNet) [Auto | Running] -- C:\Program Files\WatchGuard\Mobile User VPN\IreIKE.exe -- (IREIKE)
SRV - [2004/07/15 00:49:26 | 00,032,768 | ---- | M] (Microsoft Corporation) [On_Demand | Stopped] -- C:\WINDOWS\Microsoft.NET\Framework\v1.1.4322\aspnet_state.exe -- (aspnet_state)
SRV - [2003/07/28 12:28:22 | 00,089,136 | ---- | M] (Microsoft Corporation) [On_Demand | Stopped] -- C:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE -- (ose)
SRV - [2003/06/13 15:37:48 | 00,045,056 | ---- | M] () [Auto | Running] -- C:\WINDOWS\System32\WLTRYSVC.EXE -- (WLTRYSVC)
SRV - [2003/04/29 14:29:54 | 00,139,264 | ---- | M] (Intel® Corporation) [On_Demand | Stopped] -- C:\Program Files\Intel\NCS\Sync\NetSvc.exe -- (NetSvc)


========== Standard Registry (SafeList) ==========


========== Internet Explorer ==========

IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Local Page = %SystemRoot%\system32\blank.htm
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Search,Default_Search_URL = http://www.google.com/ie
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.google.com/ie


IE - HKU\.DEFAULT\SOFTWARE\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dell.com
IE - HKU\.DEFAULT\SOFTWARE\Microsoft\Internet Explorer\Main,First Home Page = http://www.dell.com
IE - HKU\.DEFAULT\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = http://www.dell.com
IE - HKU\.DEFAULT\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0

IE - HKU\S-1-5-18\SOFTWARE\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dell.com
IE - HKU\S-1-5-18\SOFTWARE\Microsoft\Internet Explorer\Main,First Home Page = http://www.dell.com
IE - HKU\S-1-5-18\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = http://www.dell.com
IE - HKU\S-1-5-18\S-1-5-18\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0

IE - HKU\S-1-5-19\S-1-5-19\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0

IE - HKU\S-1-5-20\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0

IE - HKU\S-1-5-21-3054568116-606813964-587920001-500\SOFTWARE\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dell.com
IE - HKU\S-1-5-21-3054568116-606813964-587920001-500\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = http://www.dell.com
IE - HKU\S-1-5-21-3054568116-606813964-587920001-500\S-1-5-21-3054568116-606813964-587920001-500\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0

FF - HKLM\software\mozilla\Firefox\Extensions\\{2F23EA38-031C-46E2-B4A3-DF2139107282}: C:\Documents and Settings\JStetter.CONCORDE\Local Settings\Application Data\{2F23EA38-031C-46E2-B4A3-DF2139107282} [2010/01/27 09:58:27 | 00,000,000 | ---D | M]
FF - HKLM\software\mozilla\Firefox\Extensions\\{A261E679-09F6-4D8F-B5C8-CBDD524B5215}: C:\Documents and Settings\administrator.CONCORDE.000\Local Settings\Application Data\{A261E679-09F6-4D8F-B5C8-CBDD524B5215} [2010/01/28 11:30:17 | 00,000,000 | ---D | M]


O1 HOSTS File: ([2008/02/18 08:54:48 | 00,000,827 | ---- | M]) - C:\WINDOWS\SYSTEM32\DRIVERS\ETC\HOSTS
O1 - Hosts: 127.0.0.1 localhost
O1 - Hosts: 192.168.10.129 cfc-dc-1.concorde.local cfc-dc-1
O1 - Hosts: 192.168.9.2 ihc-dc-1.intlhosp.com ihc-dc-1
O2 - BHO: (Adobe PDF Reader Link Helper) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll (Adobe Systems Incorporated)
O2 - BHO: (SSVHelper Class) - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll (Sun Microsystems, Inc.)
O2 - BHO: (Google Toolbar Helper) - {AA58ED58-01DD-4d91-8333-CF10577473F7} - C:\Program Files\Google\Google Toolbar\GoogleToolbar_32.dll (Google Inc.)
O2 - BHO: (Google Toolbar Notifier BHO) - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\5.4.4525.1752\swg.dll (Google Inc.)
O3 - HKLM\..\Toolbar: (Google Toolbar) - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - C:\Program Files\Google\Google Toolbar\GoogleToolbar_32.dll (Google Inc.)
O3 - HKU\S-1-5-21-3054568116-606813964-587920001-500\..\Toolbar\WebBrowser: (Google Toolbar) - {2318C2B1-4965-11D4-9B18-009027A5CD4F} - C:\Program Files\Google\Google Toolbar\GoogleToolbar_32.dll (Google Inc.)
O4 - HKLM..\Run: [AdaptecDirectCD] C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe (Roxio)
O4 - HKLM..\Run: [Adobe Reader Speed Launcher] C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe (Adobe Systems Incorporated)
O4 - HKLM..\Run: [Apoint] C:\Program Files\Apoint\Apoint.exe (Alps Electric Co., Ltd.)
O4 - HKLM..\Run: [ccApp] C:\Program Files\Common Files\Symantec Shared\ccApp.exe (Symantec Corporation)
O4 - HKLM..\Run: [Dell QuickSet] C:\Program Files\Dell\QuickSet\quickset.exe ()
O4 - HKLM..\Run: [Dhawavoxo] C:\WINDOWS\ibirupohofus.DLL ()
O4 - HKLM..\Run: [DVDSentry] C:\WINDOWS\SYSTEM32\DSentry.exe (Dell - Advanced Desktop Engineering)
O4 - HKLM..\Run: [igfxhkcmd] C:\WINDOWS\SYSTEM32\hkcmd.exe (Intel Corporation)
O4 - HKLM..\Run: [igfxpers] C:\WINDOWS\SYSTEM32\igfxpers.exe (Intel Corporation)
O4 - HKLM..\Run: [igfxtray] C:\WINDOWS\SYSTEM32\igfxtray.exe (Intel Corporation)
O4 - HKLM..\Run: [PCTVOICE] C:\WINDOWS\System32\pctspk.exe ()
O4 - HKLM..\Run: [QuickTime Task] C:\Program Files\QuickTime\qttask.exe (Apple Inc.)
O4 - HKLM..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe (Sun Microsystems, Inc.)
O4 - HKU\S-1-5-21-3054568116-606813964-587920001-500..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe (Google Inc.)
O4 - Startup: C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Logitech SetPoint.lnk = C:\Program Files\Logitech\SetPoint\SetPoint.exe (Logitech, Inc.)
O4 - Startup: C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Mobile User VPN.lnk = C:\Program Files\WatchGuard\Mobile User VPN\SafeCfg.exe (SafeNet)
O4 - Startup: C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Principia Online Update.lnk = C:\Program Files\Morningstar\Principia\schedupd.exe ()
O4 - Startup: C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Service Manager.lnk = C:\Program Files\Microsoft SQL Server\80\Tools\Binn\sqlmangr.exe (Microsoft Corporation)
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: HonorAutoRunSetting = 1
O7 - HKU\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145
O7 - HKU\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: CDRAutoRun = 0
O7 - HKU\S-1-5-18\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145
O7 - HKU\S-1-5-18\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: CDRAutoRun = 0
O7 - HKU\S-1-5-19\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145
O7 - HKU\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145
O7 - HKU\S-1-5-21-3054568116-606813964-587920001-500\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145
O8 - Extra context menu item: Google Sidewiki... - C:\Program Files\Google\Google Toolbar\Component\GoogleToolbarDynamic_mui_en_60D6097707281E79.dll (Google Inc.)
O9 - Extra 'Tools' menuitem : Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_02\bin\npjpi160_02.dll (Sun Microsystems, Inc.)
O15 - HKLM\..Trusted Domains: 1 domain(s) and sub-domain(s) not assigned to a zone.
O16 - DPF: {0000000A-0000-0010-8000-00AA00389B71} http://download.microsoft.com/download/d/4...0367/wmavax.CAB (Reg Error: Key error.)
O16 - DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} http://www.apple.com...ex/qtplugin.cab (QuickTime Object)
O16 - DPF: {3DC2E31C-371A-4BD3-9A27-CDF57CE604CF} http://moneycentral....bs/pmupd806.exe (MSN Money Charting)
O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} http://javadl-esd.sun.com/update/1.6.0/jin...ows-i586-jc.cab (Java Plug-in 1.6.0_02)
O16 - DPF: {963BE66B-121D-4E6C-BF9F-1A774D9A2E41} http://moneycentral....s/pmupdate2.exe (Reg Error: Key error.)
O16 - DPF: {CAFEEFAC-0014-0002-0000-ABCDEFFEDCBA} http://java.sun.com/products/plugin/autodl...indows-i586.cab (Java Plug-in 1.4.2)
O16 - DPF: {CAFEEFAC-0016-0000-0002-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinstall-...indows-i586.cab (Java Plug-in 1.6.0_02)
O16 - DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinstall-...indows-i586.cab (Java Plug-in 1.6.0_02)
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} http://download.macromedia.com/pub/shockwa...ash/swflash.cab (Shockwave Flash Object)
O16 - DPF: {E06E2E99-0AA1-11D4-ABA6-0060082AA75C} https://fiws.webex.c...ent/ieatgpc.cab (GpcContainer Class)
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: DhcpNameServer = 192.168.10.129
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = concorde.local
O20 - HKLM Winlogon: Shell - (Explorer.exe) - C:\WINDOWS\explorer.exe (Microsoft Corporation)
O20 - Winlogon\Notify\igfxcui: DllName - igfxdev.dll - C:\WINDOWS\System32\igfxdev.dll (Intel Corporation)
O20 - Winlogon\Notify\LBTWlgn: DllName - c:\program files\common files\logishrd\bluetooth\LBTWlgn.dll - c:\Program Files\Common Files\Logishrd\Bluetooth\LBTWLgn.dll (Logitech, Inc.)
O20 - Winlogon\Notify\NavLogon: DllName - Reg Error: Value error. - Reg Error: Value error. File not found
O24 - Desktop WallPaper: C:\WINDOWS\Web\Wallpaper\Bliss.bmp
O24 - Desktop BackupWallPaper: C:\WINDOWS\DELL.BMP
O32 - HKLM CDRom: AutoRun - 1
O32 - AutoRun File - [2002/09/03 13:36:02 | 00,000,000 | ---- | M] () - C:\AUTOEXEC.BAT -- [ NTFS ]
O34 - HKLM BootExecute: (autocheck autochk *) - File not found
O35 - comfile [open] -- "%1" %*
O35 - exefile [open] -- "%1" %*

NetSvcs: 6to4 - File not found
NetSvcs: Ias - C:\WINDOWS\SYSTEM32\IAS [2004/02/02 20:15:20 | 00,000,000 | ---D | M]
NetSvcs: Iprip - File not found
NetSvcs: Irmon - File not found
NetSvcs: NWCWorkstation - File not found
NetSvcs: Nwsapagent - File not found
NetSvcs: WmdmPmSp - File not found

CREATERESTOREPOINT
Restore point Set: OTL Restore Point (53765057741324288)

========== Files/Folders - Created Within 14 Days ==========

[2010/01/28 12:24:26 | 00,000,000 | ---D | C] -- C:\Documents and Settings\administrator.CONCORDE.000\Application Data\Macromedia
[2010/01/28 12:24:26 | 00,000,000 | ---D | C] -- C:\Documents and Settings\administrator.CONCORDE.000\Application Data\Adobe
[2010/01/28 11:41:37 | 00,000,000 | ---D | C] -- C:\Documents and Settings\administrator.CONCORDE.000\Application Data\Malwarebytes
[2010/01/28 11:41:22 | 00,038,224 | ---- | C] (Malwarebytes Corporation) -- C:\WINDOWS\System32\drivers\mbamswissarmy.sys
[2010/01/28 11:41:18 | 00,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Application Data\Malwarebytes
[2010/01/28 11:41:15 | 00,019,160 | ---- | C] (Malwarebytes Corporation) -- C:\WINDOWS\System32\drivers\mbam.sys
[2010/01/28 11:41:14 | 00,000,000 | ---D | C] -- C:\Program Files\Malwarebytes' Anti-Malware
[2010/01/28 11:33:07 | 00,000,000 | ---D | C] -- C:\Documents and Settings\administrator.CONCORDE.000\Desktop\patch
[2010/01/28 11:30:58 | 00,000,000 | ---D | C] -- C:\Documents and Settings\administrator.CONCORDE.000\Application Data\Logitech
[2010/01/28 11:30:15 | 00,000,000 | ---D | C] -- C:\Documents and Settings\administrator.CONCORDE.000\Local Settings\Application Data\{A261E679-09F6-4D8F-B5C8-CBDD524B5215}
[2010/01/14 15:09:10 | 00,000,000 | ---D | M] -- C:\Documents and Settings\NetworkService\Local Settings\Application Data\Apple
[2009/09/04 21:19:17 | 00,000,000 | ---D | M] -- C:\Documents and Settings\NetworkService\Application Data\Bytemobile
[2007/11/07 11:45:28 | 00,000,000 | --SD | M] -- C:\Documents and Settings\LocalService\Application Data\Microsoft
[2007/07/11 16:42:19 | 00,000,000 | --SD | M] -- C:\Documents and Settings\NetworkService\Application Data\Microsoft
[2006/08/16 17:02:27 | 06,475,776 | ---- | C] (Value Line Publishing, Inc.) -- C:\Program Files\Vlis.exe
[2005/03/14 08:13:53 | 00,000,000 | ---D | M] -- C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft
[2004/02/02 20:17:22 | 00,000,000 | ---D | M] -- C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft
[1998/08/24 08:31:44 | 00,018,944 | ---- | C] ( ) -- C:\WINDOWS\System32\IMPLODE.DLL
[2 C:\WINDOWS\*.tmp files -> C:\WINDOWS\*.tmp -> ]
[1 C:\WINDOWS\System32\*.tmp files -> C:\WINDOWS\System32\*.tmp -> ]

========== Files - Modified Within 14 Days ==========

[2010/01/28 12:24:19 | 01,310,720 | -H-- | M] () -- C:\Documents and Settings\administrator.CONCORDE.000\NTUSER.DAT
[2010/01/28 12:06:38 | 00,001,170 | ---- | M] () -- C:\WINDOWS\System32\WPA.DBL
[2010/01/28 12:05:03 | 00,000,006 | -H-- | M] () -- C:\WINDOWS\tasks\SA.DAT
[2010/01/28 12:04:29 | 00,002,048 | --S- | M] () -- C:\WINDOWS\BOOTSTAT.DAT
[2010/01/28 12:04:19 | 53,506,4576 | -HS- | M] () -- C:\hiberfil.sys
[2010/01/28 12:03:00 | 00,000,178 | -HS- | M] () -- C:\Documents and Settings\administrator.CONCORDE.000\NTUSER.INI
[2010/01/28 12:02:49 | 04,311,376 | -H-- | M] () -- C:\Documents and Settings\administrator.CONCORDE.000\Local Settings\Application Data\IconCache.db
[2010/01/28 11:41:27 | 00,000,696 | ---- | M] () -- C:\Documents and Settings\All Users\Desktop\Malwarebytes' Anti-Malware.lnk
[2010/01/28 11:31:29 | 00,000,120 | ---- | M] () -- C:\WINDOWS\Gmozuzupi.dat
[2010/01/28 09:26:44 | 00,000,000 | ---- | M] () -- C:\WINDOWS\Iniceta.bin
[2010/01/27 08:02:08 | 34,639,33951 | ---- | M] () -- C:\tgs.2
[2010/01/27 08:02:08 | 00,000,000 | ---- | M] () -- C:\tgs.3
[2010/01/21 15:09:51 | 00,000,284 | ---- | M] () -- C:\WINDOWS\tasks\AppleSoftwareUpdate.job
[2010/01/20 16:38:27 | 00,001,725 | ---- | M] () -- C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Principia Online Update.lnk
[2010/01/20 16:38:19 | 00,001,704 | ---- | M] () -- C:\Documents and Settings\All Users\Desktop\Principia.lnk
[2 C:\WINDOWS\*.tmp files -> C:\WINDOWS\*.tmp -> ]
[1 C:\WINDOWS\System32\*.tmp files -> C:\WINDOWS\System32\*.tmp -> ]

========== Files Created - No Company Name ==========

[2010/01/28 11:41:27 | 00,000,696 | ---- | C] () -- C:\Documents and Settings\All Users\Desktop\Malwarebytes' Anti-Malware.lnk
[2010/01/27 09:58:38 | 00,000,000 | ---- | C] () -- C:\WINDOWS\Iniceta.bin
[2010/01/27 09:58:33 | 00,000,120 | ---- | C] () -- C:\WINDOWS\Gmozuzupi.dat
[2010/01/27 08:02:08 | 34,639,33951 | ---- | C] () -- C:\tgs.2
[2010/01/27 08:02:08 | 00,000,000 | ---- | C] () -- C:\tgs.3
[2009/09/04 21:12:27 | 00,026,760 | ---- | C] () -- C:\WINDOWS\System32\drivers\swmsflt.sys
[2009/01/15 09:11:10 | 00,000,028 | ---- | C] () -- C:\WINDOWS\pdf995.ini
[2009/01/15 09:08:44 | 00,000,059 | ---- | C] () -- C:\WINDOWS\wpd99.drv
[2009/01/15 09:08:42 | 00,051,716 | ---- | C] () -- C:\WINDOWS\System32\pdf995mon.dll
[2007/06/25 14:54:08 | 00,143,360 | ---- | C] () -- C:\WINDOWS\System32\nsldap32v50.dll
[2006/08/16 17:02:27 | 00,011,591 | ---- | C] () -- C:\Program Files\VLIA_3_0_6_release_notice.htm
[2006/08/16 17:02:27 | 00,011,508 | ---- | C] () -- C:\Program Files\readme.htm
[2006/08/16 17:02:27 | 00,002,068 | ---- | C] () -- C:\Program Files\VLIA_3_0_6_release_notice.txt
[2006/08/10 06:48:07 | 00,000,000 | ---- | C] () -- C:\WINDOWS\vpc32.INI
[2004/03/05 11:35:53 | 00,050,272 | ---- | C] () -- C:\WINDOWS\System32\drivers\atnt40k.sys
[2004/02/10 10:42:42 | 00,001,190 | ---- | C] () -- C:\WINDOWS\ODBC.INI
[2004/02/02 20:58:41 | 00,000,061 | ---- | C] () -- C:\WINDOWS\smscfg.ini
[2004/02/02 20:47:53 | 00,000,791 | ---- | C] () -- C:\WINDOWS\orun32.ini
[2004/02/02 20:19:46 | 00,000,546 | ---- | C] () -- C:\WINDOWS\System32\OEMINFO.INI
[2003/07/01 19:34:50 | 00,131,072 | ---- | C] () -- C:\WINDOWS\System32\FinDerLibv21.dll
[2003/01/07 15:05:08 | 00,002,695 | ---- | C] () -- C:\WINDOWS\System32\OUTLPERF.INI
[2002/08/29 05:00:00 | 00,150,528 | ---- | C] () -- C:\WINDOWS\ibirupohofus.dll
[1999/09/22 13:03:54 | 00,100,352 | ---- | C] () -- C:\WINDOWS\System32\PG32CONV.DLL
[1999/03/11 20:07:22 | 00,299,008 | ---- | C] () -- C:\WINDOWS\System32\CRUTL14.DLL
[1980/01/01 00:00:00 | 00,045,056 | ---- | C] () -- C:\WINDOWS\System32\mdmmoh.dll
[1980/01/01 00:00:00 | 00,016,384 | ---- | C] () -- C:\WINDOWS\System32\e100bmsg.dll

========== LOP Check ==========

[2009/09/10 08:37:49 | 00,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\AT&T
[2009/04/06 10:50:27 | 00,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\FileOpen
[2009/09/02 09:49:04 | 00,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\pdf995
[2007/12/20 08:10:50 | 00,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\Viewpoint
[2007/01/22 09:20:42 | 00,000,000 | ---D | M] -- C:\Documents and Settings\JStetter\Application Data\Fidelity Advisor Channel TrainerTool
[2007/01/22 09:33:46 | 00,000,000 | ---D | M] -- C:\Documents and Settings\JStetter\Application Data\Fidelity Investments
[2009/09/04 21:15:43 | 00,000,000 | ---D | M] -- C:\Documents and Settings\JStetter.CONCORDE\Application Data\AT&T
[2009/09/04 21:15:53 | 00,000,000 | ---D | M] -- C:\Documents and Settings\JStetter.CONCORDE\Application Data\DBUpdater
[2009/05/22 14:10:02 | 00,000,000 | ---D | M] -- C:\Documents and Settings\JStetter.CONCORDE\Application Data\Fidelity Advisor CHANNEL
[2008/04/25 09:41:21 | 00,000,000 | ---D | M] -- C:\Documents and Settings\JStetter.CONCORDE\Application Data\Fidelity Advisor Channel TrainerTool
[2007/06/25 08:13:53 | 00,000,000 | ---D | M] -- C:\Documents and Settings\JStetter.CONCORDE\Application Data\Fidelity Investments
[2009/04/06 10:50:28 | 00,000,000 | ---D | M] -- C:\Documents and Settings\JStetter.CONCORDE\Application Data\FileOpen
[2008/07/03 12:53:12 | 00,000,000 | ---D | M] -- C:\Documents and Settings\JStetter.CONCORDE\Application Data\Leadertech
[2007/08/09 16:52:28 | 00,000,000 | ---D | M] -- C:\Documents and Settings\JStetter.CONCORDE\Application Data\Morningstar
[2009/01/15 09:11:10 | 00,000,000 | ---D | M] -- C:\Documents and Settings\JStetter.CONCORDE\Application Data\pdf995
[2009/09/04 21:01:21 | 00,000,000 | ---D | M] -- C:\Documents and Settings\JStetter.CONCORDE\Application Data\Sierra Wireless
[2007/12/20 08:10:53 | 00,000,000 | ---D | M] -- C:\Documents and Settings\JStetter.CONCORDE\Application Data\Viewpoint
[2009/12/02 11:53:48 | 00,000,000 | ---D | M] -- C:\Documents and Settings\JStetter.CONCORDE\Application Data\WebEx
[2007/06/12 12:19:38 | 00,000,000 | ---D | M] -- C:\Documents and Settings\JStetter.CONCORDE6-24\Application Data\Fidelity Advisor Channel TrainerTool
[2007/06/12 12:29:57 | 00,000,000 | ---D | M] -- C:\Documents and Settings\JStetter.CONCORDE6-24\Application Data\Fidelity Investments
[2007/06/14 07:23:32 | 00,000,000 | ---D | M] -- C:\Documents and Settings\JStetter.CONCORDE6-24\Application Data\Morningstar
[2009/09/04 21:19:17 | 00,000,000 | ---D | M] -- C:\Documents and Settings\NetworkService\Application Data\Bytemobile

========== Purity Check ==========



========== Custom Scans ==========


< %SYSTEMDRIVE%\*.exe >


< MD5 for: AGP440.SYS >
[2005/03/14 07:25:33 | 22,245,337 | ---- | M] () .cab file -- C:\WINDOWS\Driver Cache\I386\sp2.cab:AGP440.sys
[2005/03/14 07:25:33 | 22,245,337 | ---- | M] () .cab file -- C:\WINDOWS\ServicePackFiles\i386\sp2.cab:AGP440.sys
[2008/04/13 12:36:38 | 00,042,368 | ---- | M] (Microsoft Corporation) MD5=08FD04AA961BDC77FB983F328334E3D7 -- C:\WINDOWS\SoftwareDistribution\Download\dd9ab5193501484cf5e6884fa1d22f9e\agp440.sys
[2004/08/04 00:07:41 | 00,042,368 | ---- | M] (Microsoft Corporation) MD5=2C428FA0C3E3A01ED93C9B2A27D8D4BB -- C:\WINDOWS\ServicePackFiles\i386\agp440.sys
[2004/08/04 00:07:41 | 00,042,368 | ---- | M] (Microsoft Corporation) MD5=2C428FA0C3E3A01ED93C9B2A27D8D4BB -- C:\WINDOWS\SYSTEM32\DRIVERS\agp440.sys
[2001/08/17 13:58:00 | 00,025,472 | ---- | M] (Microsoft Corporation) MD5=65880045C51AA36184841CEE915A61DF -- C:\I386\AGP440.SYS
[2001/08/17 13:58:00 | 00,025,472 | ---- | M] (Microsoft Corporation) MD5=65880045C51AA36184841CEE915A61DF -- C:\WINDOWS\$NtServicePackUninstall$\agp440.sys

< MD5 for: ATAPI.SYS >
[2002/08/29 05:00:00 | 10,158,890 | ---- | M] () .cab file -- C:\I386\sp1.cab:atapi.sys
[2002/08/29 05:00:00 | 10,158,890 | ---- | M] () .cab file -- C:\WINDOWS\Driver Cache\I386\sp1.cab:atapi.sys
[2005/03/14 07:25:33 | 22,245,337 | ---- | M] () .cab file -- C:\WINDOWS\Driver Cache\I386\sp2.cab:atapi.sys
[2005/03/14 07:25:33 | 22,245,337 | ---- | M] () .cab file -- C:\WINDOWS\ServicePackFiles\i386\sp2.cab:atapi.sys
[2008/04/13 12:40:30 | 00,096,512 | ---- | M] (Microsoft Corporation) MD5=9F3A2F5AA6875C72BF062C712CFA2674 -- C:\WINDOWS\SoftwareDistribution\Download\dd9ab5193501484cf5e6884fa1d22f9e\atapi.sys
[2004/08/03 23:59:42 | 00,095,360 | ---- | M] (Microsoft Corporation) MD5=CDFE4411A69C224BD1D11B2DA92DAC51 -- C:\WINDOWS\ServicePackFiles\i386\atapi.sys
[2004/08/03 23:59:42 | 00,095,360 | ---- | M] (Microsoft Corporation) MD5=CDFE4411A69C224BD1D11B2DA92DAC51 -- C:\WINDOWS\SYSTEM32\DRIVERS\atapi.sys
[2003/04/23 09:29:54 | 00,087,296 | ---- | M] (Microsoft Corporation) MD5=E52B3B3F78C9AE85806CE49DCDD80C18 -- C:\I386\atapi.sys
[2003/04/23 09:29:54 | 00,087,296 | ---- | M] (Microsoft Corporation) MD5=E52B3B3F78C9AE85806CE49DCDD80C18 -- C:\WINDOWS\$NtServicePackUninstall$\atapi.sys
[2003/04/23 09:29:54 | 00,087,296 | ---- | M] (Microsoft Corporation) MD5=E52B3B3F78C9AE85806CE49DCDD80C18 -- C:\WINDOWS\SYSTEM32\ReinstallBackups\0005\DriverFiles\i386\atapi.sys

< MD5 for: EVENTLOG.DLL >
[2008/04/13 18:11:53 | 00,056,320 | ---- | M] (Microsoft Corporation) MD5=6D4FEB43EE538FC5428CC7F0565AA656 -- C:\WINDOWS\SoftwareDistribution\Download\dd9ab5193501484cf5e6884fa1d22f9e\eventlog.dll
[2004/08/04 01:56:42 | 00,055,808 | ---- | M] (Microsoft Corporation) MD5=82B24CB70E5944E6E34662205A2A5B78 -- C:\WINDOWS\ServicePackFiles\i386\eventlog.dll
[2004/08/04 01:56:42 | 00,055,808 | ---- | M] (Microsoft Corporation) MD5=82B24CB70E5944E6E34662205A2A5B78 -- C:\WINDOWS\SYSTEM32\eventlog.dll
[2002/08/29 05:00:00 | 00,049,152 | ---- | M] (Microsoft Corporation) MD5=BF3C8CF53C77B48206B39910B6D6CBCC -- C:\I386\EVENTLOG.DLL
[2002/08/29 05:00:00 | 00,049,152 | ---- | M] (Microsoft Corporation) MD5=BF3C8CF53C77B48206B39910B6D6CBCC -- C:\WINDOWS\$NtServicePackUninstall$\eventlog.dll

< MD5 for: NETLOGON.DLL >
[2008/04/13 18:12:01 | 00,407,040 | ---- | M] (Microsoft Corporation) MD5=1B7F071C51B77C272875C3A23E1E4550 -- C:\WINDOWS\SoftwareDistribution\Download\dd9ab5193501484cf5e6884fa1d22f9e\netlogon.dll
[2002/08/29 05:00:00 | 00,399,360 | ---- | M] (Microsoft Corporation) MD5=3ADD563ED7A1C66E6F5E0F7A661AA96D -- C:\I386\NETLOGON.DLL
[2002/08/29 05:00:00 | 00,399,360 | ---- | M] (Microsoft Corporation) MD5=3ADD563ED7A1C66E6F5E0F7A661AA96D -- C:\WINDOWS\$NtServicePackUninstall$\netlogon.dll
[2009/02/06 12:46:09 | 00,408,064 | ---- | M] (Microsoft Corporation) MD5=6C476D33D82F1054849790181E8F7772 -- C:\WINDOWS\$hf_mig$\KB968389\SP2QFE\netlogon.dll
[2009/02/06 12:46:09 | 00,408,064 | ---- | M] (Microsoft Corporation) MD5=6C476D33D82F1054849790181E8F7772 -- C:\WINDOWS\$hf_mig$\KB975467\SP2QFE\netlogon.dll
[2004/08/04 01:56:44 | 00,407,040 | ---- | M] (Microsoft Corporation) MD5=96353FCECBA774BB8DA74A1C6507015A -- C:\WINDOWS\ServicePackFiles\i386\netlogon.dll
[2004/08/04 01:56:44 | 00,407,040 | ---- | M] (Microsoft Corporation) MD5=96353FCECBA774BB8DA74A1C6507015A -- C:\WINDOWS\SYSTEM32\netlogon.dll

< MD5 for: SCECLI.DLL >
[2004/08/04 01:56:44 | 00,180,224 | ---- | M] (Microsoft Corporation) MD5=0F78E27F563F2AAF74B91A49E2ABF19A -- C:\WINDOWS\ServicePackFiles\i386\scecli.dll
[2004/08/04 01:56:44 | 00,180,224 | ---- | M] (Microsoft Corporation) MD5=0F78E27F563F2AAF74B91A49E2ABF19A -- C:\WINDOWS\SYSTEM32\scecli.dll
[2002/08/29 05:00:00 | 00,174,592 | ---- | M] (Microsoft Corporation) MD5=97418A5C642A5C748A28BD7CF6860B57 -- C:\I386\SCECLI.DLL
[2002/08/29 05:00:00 | 00,174,592 | ---- | M] (Microsoft Corporation) MD5=97418A5C642A5C748A28BD7CF6860B57 -- C:\WINDOWS\$NtServicePackUninstall$\scecli.dll
[2008/04/13 18:12:05 | 00,181,248 | ---- | M] (Microsoft Corporation) MD5=A86BB5E61BF3E39B62AB4C7E7085A084 -- C:\WINDOWS\SoftwareDistribution\Download\dd9ab5193501484cf5e6884fa1d22f9e\scecli.dll

< %systemroot%\*. /mp /s >

< %systemroot%\system32\*.dll /lockedfiles >
[2008/11/19 11:24:26 | 00,049,472 | ---- | M] (Symantec Corporation) Unable to obtain MD5 -- C:\WINDOWS\SYSTEM32\FwsVpn.dll
[2008/11/19 11:24:26 | 00,107,840 | ---- | M] (Symantec Corporation) Unable to obtain MD5 -- C:\WINDOWS\SYSTEM32\SymVPN.dll
[2008/11/19 11:24:26 | 00,357,696 | ---- | M] (Symantec Corporation) Unable to obtain MD5 -- C:\WINDOWS\SYSTEM32\sysfer.dll
[1 C:\WINDOWS\system32\*.tmp files -> C:\WINDOWS\system32\*.tmp -> ]

< %systemroot%\Tasks\*.job /lockedfiles >
< End of report >

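The "< MD5 for: NAME >" blocks in the OTL log above are the tool's check for patched system binaries: each file of interest is listed together with every copy Windows keeps (ServicePackFiles\i386, $NtServicePackUninstall$, I386, ReinstallBackups), so a live SYSTEM32 copy whose hash differs from its Service Pack reference stands out. The Python below is an added example, written for this page and not part of OTL or of stubbdog's post: it parses that line format, pairs each live copy with the ServicePackFiles reference, and reports MATCH, MISMATCH or NO_REFERENCE. The sample log is constructed; its EVENTLOG.DLL and ATAPI.SYS lines copy the shapes above, while the FAKE.SYS section and its hashes are invented to show a mismatch. Note that the atapi.sys excerpt has no ServicePackFiles copy, so the check reports NO_REFERENCE instead of guessing.

```python
import hashlib
import re
from collections import defaultdict

# Constructed sample in OTL's "< MD5 for: NAME >" format (not a real log).
# EVENTLOG.DLL and ATAPI.SYS mirror lines from the post above; FAKE.SYS and
# its hashes are invented to show a live driver that no longer matches its
# Service Pack reference copy.
SAMPLE_LOG = r"""
< MD5 for: EVENTLOG.DLL >
[2004/08/04 01:56:42 | 00,055,808 | ---- | M] (Microsoft Corporation) MD5=82B24CB70E5944E6E34662205A2A5B78 -- C:\WINDOWS\ServicePackFiles\i386\eventlog.dll
[2004/08/04 01:56:42 | 00,055,808 | ---- | M] (Microsoft Corporation) MD5=82B24CB70E5944E6E34662205A2A5B78 -- C:\WINDOWS\SYSTEM32\eventlog.dll
[2002/08/29 05:00:00 | 00,049,152 | ---- | M] (Microsoft Corporation) MD5=BF3C8CF53C77B48206B39910B6D6CBCC -- C:\I386\EVENTLOG.DLL

< MD5 for: FAKE.SYS >
[2004/08/04 01:56:42 | 00,095,360 | ---- | M] (Microsoft Corporation) MD5=00000000000000000000000000000001 -- C:\WINDOWS\ServicePackFiles\i386\fake.sys
[2010/01/27 15:58:00 | 00,095,360 | ---- | M] (Microsoft Corporation) MD5=00000000000000000000000000000002 -- C:\WINDOWS\SYSTEM32\DRIVERS\fake.sys

< MD5 for: ATAPI.SYS >
[2004/08/03 23:59:42 | 00,095,360 | ---- | M] (Microsoft Corporation) MD5=CDFE4411A69C224BD1D11B2DA92DAC51 -- C:\WINDOWS\SYSTEM32\DRIVERS\atapi.sys
[2003/04/23 09:29:54 | 00,087,296 | ---- | M] (Microsoft Corporation) MD5=E52B3B3F78C9AE85806CE49DCDD80C18 -- C:\I386\atapi.sys
[2003/04/23 09:29:54 | 00,087,296 | ---- | M] (Microsoft Corporation) MD5=E52B3B3F78C9AE85806CE49DCDD80C18 -- C:\WINDOWS\SYSTEM32\ReinstallBackups\0005\DriverFiles\i386\atapi.sys
"""

SECTION_RE = re.compile(r"^< MD5 for: (?P<name>\S+) >$")
ENTRY_RE = re.compile(
    r"^\[(?P<mtime>[\d/]+ [\d:]+) \| (?P<size>[\d,]+) \| \S+ \| \w\] "
    r"\((?P<company>[^)]*)\) MD5=(?P<md5>[0-9A-Fa-f]{32}) -- (?P<path>.+)$"
)


def parse_md5_sections(text):
    """Group OTL MD5 entries by file name (lower-cased); lines without a hash are skipped."""
    sections = defaultdict(list)
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        m = SECTION_RE.match(line)
        if m:
            current = m.group("name").lower()
            continue
        m = ENTRY_RE.match(line) if current else None
        if m:
            sections[current].append({
                "md5": m.group("md5").upper(),
                "size": int(m.group("size").replace(",", "")),
                "path": m.group("path"),
            })
    return dict(sections)


def classify(path):
    """'reference' = Service Pack copy, 'live' = the copy Windows actually loads."""
    p = path.lower()
    if "\\servicepackfiles\\" in p:
        return "reference"
    if "\\system32\\" in p and "\\reinstallbackups\\" not in p and "\\dllcache\\" not in p:
        return "live"
    return "other"


def check_live_copies(sections):
    """Compare each live copy's MD5 with its Service Pack reference copy."""
    results = {}
    for name, entries in sections.items():
        live = [e for e in entries if classify(e["path"]) == "live"]
        refs = {e["md5"] for e in entries if classify(e["path"]) == "reference"}
        if not live:
            results[name] = "NO_LIVE_COPY"
        elif not refs:
            results[name] = "NO_REFERENCE"
        else:
            results[name] = "MATCH" if all(e["md5"] in refs for e in live) else "MISMATCH"
    return results


def md5_of_file(path, chunk=1 << 20):
    """Hash a file on disk the same way OTL reports it, to re-check a flagged copy by hand."""
    h = hashlib.md5()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest().upper()


if __name__ == "__main__":
    for name, status in sorted(check_live_copies(parse_md5_sections(SAMPLE_LOG)).items()):
        print(f"{name:14} {status}")
```

A MISMATCH is only a lead, not a verdict: a hotfix applied after the Service Pack (compare the $hf_mig$ copies of netlogon.dll above) also changes the live hash, so the next step is to compare against the copy the matching KB shipped, or to hash the file with md5_of_file after a clean replacement.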



#2 mpascal

  • Group: Retired Staff
  • Posts: 3,644
  • Joined: 13-April 09

Posted 30 January 2010 - 01:16 PM

Hi stubbdog,

Welcome to Geeks To Go!

My name is mpascal, and I will be helping you fix your problem.

Before we begin, I would like to make a few things clear so that we can fix your problem as efficiently as possible:
  • Be sure to follow all my instructions carefully! If there is anything you don't understand, don't hesitate to ask.
  • Please do not do anything or perform other steps unless I have asked you to do so.
  • Please make sure you post all logs I ask you to, and make sure that the entire log gets posted.
  • If you are unsure of how to reply, or need help with anything regarding the website, please look here.
I also recommend that you print these instructions, as you may be required to boot in safe mode.

I notice you have two separate topics open, are these two distinct computers? In the meantime, I'm going to close the second topic. If it turns out these are two separate computers, let me know and I'll re-open the second topic and help you there.

I'm reviewing your logs, I'll get back to you soon.

#3 mpascal

  • Group: Retired Staff
  • Posts: 3,644
  • Joined: 13-April 09

Posted 30 January 2010 - 01:22 PM

Please download ComboFix and save it to your Desktop.
NOTE: In the event you already have Combofix, this is a new version that I need you to download. It is important that it is saved and renamed, following this process, directly to your desktop.
  • If you are using Firefox, make sure that your download settings are as follows:
    • Tools->Options->Main tab
    • Set to "Always ask me where to Save the files".

  • During the download, rename Combofix to Combo-Fix.

  • It is important you rename Combofix during the download, but not after.
  • Please do not rename Combofix to other names, but only to the one indicated.
  • Close any open browsers.
  • Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.
    -----------------------------------------------------------
    • Very Important! Temporarily disable your anti-virus, script blocking and any anti-malware real-time protection before performing a scan. They can interfere with ComboFix or remove some of its embedded files which may cause "unpredictable results".
    • Click on this link to see a list of programs that should be disabled. The list is not all inclusive. If yours is not listed and you don't know how to disable it, please ask.
      -----------------------------------------------------------

    • Close any open browsers.
    • WARNING: Combofix will disconnect your machine from the Internet as soon as it starts
    • Please do not attempt to re-connect your machine back to the Internet until Combofix has completely finished.
    • If there is no internet connection after running Combofix, then restart your computer to restore back your connection.

    -----------------------------------------------------------
  • Double click on combo-Fix.exe & follow the prompts.
  • When finished, it will produce a report for you.
  • Please post C:\Combo-Fix.txt in your next post.

**Note: Do not mouse-click Combo-Fix's window while it's running. That may cause it to stall.**

#4 stubbdog

  • Group: Member
  • Posts: 46
  • Joined: 18-August 05

Posted 01 February 2010 - 08:27 AM

I will be doing this one today, but I wanted to respond that YES, my two cases I opened are two different computers.

#5 mpascal

  • Group: Retired Staff
  • Posts: 3,644
  • Joined: 13-April 09

Posted 01 February 2010 - 09:53 AM

OK, I'll reopen the other topic and help you there as well.

#6 stubbdog

  • Group: Member
  • Posts: 46
  • Joined: 18-August 05

Posted 02 February 2010 - 11:28 AM

Unlike the other computer, this one had Combo-Fix reboot the machine in the middle of the run. After the reboot, it gave an error saying that it could not find combofix.sys, but it continued on and finished anyway.

Also, the screen had a pop-up RUNDLL error: "Error loading ibirupohofus.dll, the specified module could not be found."

Now, I am assuming that the RUNDLL error is due to it being something that ComboFix started to remove, but maybe the missing *.sys file kept it from completely doing so; that is just my guess.

Anyway, here is the resulting log from the CF:

ComboFix 10-02-01.05 - JStetter 02/02/2010 10:56:42.1.1 - x86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.510.274 [GMT -6:00]
Running from: c:\documents and settings\JStetter.CONCORDE\Desktop\Combo-Fix.exe
AV: Symantec Endpoint Protection *On-access scanning disabled* (Updated) {FB06448E-52B8-493A-90F3-E43226D3305C}
FW: Symantec Endpoint Protection *disabled* {BE898FE3-CD0B-4014-85A9-03DB9923DDB6}
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\documents and settings\administrator.CONCORDE.000\Local Settings\Application Data\{A261E679-09F6-4D8F-B5C8-CBDD524B5215}
c:\documents and settings\administrator.CONCORDE.000\Local Settings\Application Data\{A261E679-09F6-4D8F-B5C8-CBDD524B5215}\chrome.manifest
c:\documents and settings\administrator.CONCORDE.000\Local Settings\Application Data\{A261E679-09F6-4D8F-B5C8-CBDD524B5215}\chrome\content\_cfg.js
c:\documents and settings\administrator.CONCORDE.000\Local Settings\Application Data\{A261E679-09F6-4D8F-B5C8-CBDD524B5215}\chrome\content\overlay.xul
c:\documents and settings\administrator.CONCORDE.000\Local Settings\Application Data\{A261E679-09F6-4D8F-B5C8-CBDD524B5215}\install.rdf
c:\windows\Downloaded Program Files\Temp
c:\windows\EventSystem.log
c:\windows\ibirupohofus.dll

.
((((((((((((((((((((((((( Files Created from 2010-01-02 to 2010-02-02 )))))))))))))))))))))))))))))))
.

2010-01-28 19:22 . 2010-01-28 19:22 -------- d-----w- c:\documents and settings\JStetter.CONCORDE\Application Data\Malwarebytes
2010-01-28 19:05 . 2010-01-28 19:05 -------- d-----w- c:\program files\Common Files\Adobe AIR
2010-01-28 19:02 . 2010-01-28 19:20 -------- d-----w- c:\documents and settings\administrator.CONCORDE.000\Local Settings\Application Data\Adobe
2010-01-28 19:02 . 2010-01-28 19:17 -------- d-----w- c:\documents and settings\All Users\Application Data\NOS
2010-01-28 17:41 . 2010-01-28 17:41 -------- d-----w- c:\documents and settings\administrator.CONCORDE.000\Application Data\Malwarebytes
2010-01-28 17:41 . 2010-01-07 22:07 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-01-28 17:41 . 2010-01-28 17:41 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
2010-01-28 17:41 . 2010-01-07 22:07 19160 ----a-w- c:\windows\system32\drivers\mbam.sys
2010-01-28 17:41 . 2010-01-28 17:41 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2010-01-28 17:30 . 2010-01-28 17:30 -------- d-----w- c:\documents and settings\administrator.CONCORDE.000\Application Data\Logitech
2010-01-27 15:58 . 2010-02-02 14:26 0 ----a-w- c:\windows\Iniceta.bin
2010-01-27 15:58 . 2010-02-02 16:44 120 ----a-w- c:\windows\Gmozuzupi.dat
2010-01-27 15:58 . 2010-01-27 15:58 -------- d-----w- c:\documents and settings\JStetter.CONCORDE\Local Settings\Application Data\{2F23EA38-031C-46E2-B4A3-DF2139107282}
2010-01-14 21:09 . 2010-01-14 21:09 -------- d-----w- c:\documents and settings\NetworkService\Local Settings\Application Data\Apple
2010-01-14 15:02 . 2010-01-14 15:02 -------- d-----w- c:\documents and settings\All Users\Application Data\Apple Computer
2010-01-14 14:59 . 2010-01-14 14:59 -------- d-----w- c:\documents and settings\JStetter.CONCORDE\Local Settings\Application Data\Apple
2010-01-14 14:58 . 2010-01-14 14:58 -------- d-----w- c:\program files\Apple Software Update
2010-01-14 14:58 . 2010-01-14 14:58 -------- d-----w- c:\documents and settings\All Users\Application Data\Apple
2010-01-14 14:57 . 2010-01-14 14:57 -------- d-----w- c:\documents and settings\JStetter.CONCORDE\Local Settings\Application Data\Apple Computer
2010-01-13 14:19 . 2009-11-21 16:36 470528 ------w- c:\windows\system32\dllcache\aclayers.dll

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-02-01 15:01 . 2006-02-27 14:50 -------- d-----w- c:\program files\Symantec AntiVirus
2010-01-28 19:13 . 2004-02-17 20:29 -------- d-----w- c:\program files\Common Files\Adobe
2010-01-28 19:02 . 2010-01-28 19:02 86016 ----a-w- c:\documents and settings\All Users\Application Data\NOS\Adobe_Downloads\arh.exe
2010-01-14 15:09 . 2004-10-25 21:07 -------- d-----w- c:\program files\QuickTime
2010-01-05 10:00 . 2004-12-07 22:37 832512 ----a-w- c:\windows\system32\wininet.dll
2010-01-05 10:00 . 2005-03-07 15:39 78336 ----a-w- c:\windows\system32\ieencode.dll
2010-01-05 10:00 . 2002-08-29 11:00 17408 ----a-w- c:\windows\system32\corpol.dll
2009-12-14 16:04 . 2007-06-25 14:14 65544 ----a-w- c:\documents and settings\JStetter.CONCORDE\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2009-12-11 23:36 . 2004-02-11 16:14 -------- d-----w- c:\program files\Morningstar
2009-11-21 16:36 . 2002-08-29 11:00 470528 ----a-w- c:\windows\AppPatch\aclayers.dll
2009-11-20 11:08 . 2010-01-28 19:05 38784 ----a-w- c:\documents and settings\administrator.CONCORDE.000\Application Data\Macromedia\Flash Player\www.macromedia.com\bin\airappinstaller\airappinstaller.exe
2006-07-07 20:58 . 2006-08-16 23:02 6475776 ----a-w- c:\program files\Vlis.exe
2006-07-06 20:00 . 2006-08-16 23:02 2068 ----a-w- c:\program files\VLIA_3_0_6_release_notice.txt
2006-07-06 20:00 . 2006-08-16 23:02 11591 ----a-w- c:\program files\VLIA_3_0_6_release_notice.htm
2006-07-06 19:58 . 2006-08-16 23:02 11508 ----a-w- c:\program files\readme.htm
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2007-07-24 68856]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Apoint"="c:\program files\Apoint\Apoint.exe" [2003-08-21 151552]
"PCTVOICE"="pctspk.exe" [2003-02-24 163840]
"Dell QuickSet"="c:\program files\Dell\QuickSet\quickset.exe" [2003-01-31 364544]
"DVDSentry"="c:\windows\System32\DSentry.exe" [2002-07-17 28672]
"AdaptecDirectCD"="c:\program files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe" [2002-12-17 684032]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2009-01-05 413696]
"igfxtray"="c:\windows\system32\igfxtray.exe" [2005-09-20 94208]
"igfxhkcmd"="c:\windows\system32\hkcmd.exe" [2005-09-20 77824]
"igfxpers"="c:\windows\system32\igfxpers.exe" [2005-09-20 114688]
"SunJavaUpdateSched"="c:\program files\Java\jre1.6.0_02\bin\jusched.exe" [2007-07-12 132496]
"ccApp"="c:\program files\Common Files\Symantec Shared\ccApp.exe" [2008-11-19 115560]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2009-12-22 35760]
"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2009-12-11 948672]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
Logitech SetPoint.lnk - c:\program files\Logitech\SetPoint\SetPoint.exe [2008-9-4 805392]
Mobile User VPN.lnk - c:\program files\WatchGuard\Mobile User VPN\SafeCfg.exe [2007-6-25 65588]
Principia Online Update.lnk - c:\program files\Morningstar\Principia\schedupd.exe [2009-8-1 20543]
Service Manager.lnk - c:\program files\Microsoft SQL Server\80\Tools\Binn\sqlmangr.exe [2005-5-3 81920]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\LBTWlgn]
2008-05-02 07:42 72208 ----a-w- c:\program files\Common Files\Logishrd\Bluetooth\LBTWLgn.dll

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\ccEvtMgr]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\ccSetMgr]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Symantec Antivirus]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WdfLoadGroup]
@=""

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Morningstar\\Office\\MStarAWD.exe"=
"c:\\Program Files\\Morningstar\\Office\\AWDImport.exe"=
"c:\\Program Files\\Morningstar\\Office\\MSUpdate.exe"=
"c:\\Program Files\\Morningstar\\Office\\MSUpdateVista.exe"=
"c:\\Program Files\\WatchGuard\\Mobile User VPN\\IreIKE.exe"=
"c:\program files\WatchGuard\Mobile User VPN\ViewLog.exe"= c:\program files\WatchGuard\Mobile User VPN\ViewLog.exe:127.0.0.1/255.255.255.255:Enabled:ViewLog
"c:\program files\WatchGuard\Mobile User VPN\CmonApp.exe"= c:\program files\WatchGuard\Mobile User VPN\CmonApp.exe:127.0.0.1/255.255.255.255:Enabled:CMonApp
"c:\program files\WatchGuard\Mobile User VPN\vpn.exe"= c:\program files\WatchGuard\Mobile User VPN\vpn.exe:127.0.0.1/255.255.255.255:Enabled:VPN Connection Manager

R2 Crypto;Crypto;c:\windows\SYSTEM32\DRIVERS\Crypto.sys [6/25/2007 2:55 PM 521786]
R2 IPSECDRV;SafeNet IPSec Plugin;c:\windows\SYSTEM32\DRIVERS\IpSecDrv.sys [6/25/2007 2:55 PM 119864]
R2 MSSQL$FACW;MSSQL$FACW;c:\program files\Microsoft SQL Server\MSSQL$FACW\Binn\sqlservr.exe [5/4/2005 12:04 AM 9150464]
R2 Viewpoint Manager Service;Viewpoint Manager Service;c:\program files\Viewpoint\Common\ViewpointService.exe [1/11/2007 9:51 AM 24652]
R3 DniVap;SafeNet WAN Miniport (VA);c:\windows\SYSTEM32\DRIVERS\vap.sys [5/15/2006 4:05 PM 36188]
R3 EraserUtilRebootDrv;EraserUtilRebootDrv;c:\program files\Common Files\Symantec Shared\EENGINE\EraserUtilRebootDrv.sys [8/27/2009 12:47 PM 102448]
S3 {E2B953A7-195A-44F9-9BA3-3D5F4E32BB55};AIM 3.0 Part 01 Codec Driver CH-7009-B;c:\windows\SYSTEM32\DRIVERS\wa301b.sys [1/1/1980 33847]
S3 SQLAgent$FACW;SQLAgent$FACW;c:\program files\Microsoft SQL Server\MSSQL$FACW\Binn\sqlagent.EXE [5/3/2005 9:42 PM 323584]
S3 SWNC8U80;Sierra Wireless MUX NDIS Driver (UMTS80);c:\windows\SYSTEM32\DRIVERS\swnc8u80.sys [8/20/2008 12:35 PM 168192]
S3 SWUMX80;Sierra Wireless USB MUX Driver (UMTS80);c:\windows\SYSTEM32\DRIVERS\swumx80.sys [8/20/2008 12:36 PM 142976]
.
Contents of the 'Scheduled Tasks' folder

2010-01-28 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 18:34]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.usatoday.com/money/default.htm
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
IE: Google Sidewiki... - c:\program files\Google\Google Toolbar\Component\GoogleToolbarDynamic_mui_en_60D6097707281E79.dll/cmsidewiki.html
.
- - - - ORPHANS REMOVED - - - -

HKLM-Run-Dhawavoxo - c:\windows\ibirupohofus.dll
Notify-NavLogon - (no file)
SafeBoot-Symantec Antvirus



**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2010-02-02 11:11
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\vsdatant]
"ImagePath"="a"
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_LOCAL_MACHINE\software\DeterministicNetworks\DNE\Parameters]
"SymbolicLinkValue"=hex(6):5c,00,52,00,65,00,67,00,69,00,73,00,74,00,72,00,79,
00,5c,00,4d,00,41,00,43,00,48,00,49,00,4e,00,45,00,5c,00,53,00,79,00,73,00,\
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(1772)
c:\program files\common files\logishrd\bluetooth\LBTWlgn.dll
c:\program files\common files\logishrd\bluetooth\LBTServ.dll

- - - - - - - > 'explorer.exe'(1088)
c:\windows\system32\WININET.dll
c:\program files\Logitech\SetPoint\lgscroll.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
------------------------ Other Running Processes ------------------------
.
c:\program files\Symantec AntiVirus\Smc.exe
c:\program files\WatchGuard\Mobile User VPN\IreIKE.exe
c:\program files\Common Files\Symantec Shared\ccSvcHst.exe
c:\program files\WatchGuard\Mobile User VPN\IPSecMon.exe
c:\program files\Symantec AntiVirus\Rtvscan.exe
c:\windows\System32\WLTRYSVC.EXE
c:\windows\System32\bcmwltry.exe
c:\program files\Symantec AntiVirus\SmcGui.exe
c:\program files\Viewpoint\Viewpoint Manager\ViewMgr.exe
c:\windows\system32\pctspk.exe
c:\program files\Apoint\Apntex.exe
c:\windows\system32\igfxsrvc.exe
c:\program files\Common Files\Logishrd\KHAL2\KHALMNPR.EXE
.
**************************************************************************
.
Completion time: 2010-02-02 11:21:17 - machine was rebooted
ComboFix-quarantined-files.txt 2010-02-02 17:21

Pre-Run: 3,614,355,456 bytes free
Post-Run: 3,970,068,480 bytes free

WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(2)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
multi(0)disk(0)rdisk(0)partition(2)\WINDOWS="Microsoft Windows XP Professional" /fastdetect /NoExecute=OptIn

- - End Of File - - 601B7960204B2D7415AF36D62B6D6FA5
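
The log above records both the deletion of c:\windows\ibirupohofus.dll (under "Other Deletions") and the removal of the HKLM Run value Dhawavoxo that pointed at it (under "ORPHANS REMOVED"); a Run value that still names a module that is no longer on disk is exactly what produces a "specified module could not be found" RUNDLL pop-up at logon. The Python below is an added example, not part of ComboFix or of either poster's text: it parses those three ComboFix log sections, extracts the module each Run value would load (including the rundll32.exe <dll>,<entry> form), and classifies each autostart as present, missing, or deleted_by_tool. The sample log is constructed; the Apoint and Dhawavoxo lines copy the shapes above, while the "Updater" value and zzupd.dll are invented to show a dangling rundll32 entry the tool did not touch. The exists callable is an assumption so the check can run offline; on the affected machine it defaults to os.path.exists.

```python
import os
import re

# Constructed ComboFix-style excerpt (not a real log). The Apoint and
# Dhawavoxo/ibirupohofus.dll lines mirror the post above; "Updater" and
# zzupd.dll are invented to show a rundll32 entry whose module is simply absent.
SAMPLE_LOG = r"""
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
c:\windows\EventSystem.log
c:\windows\ibirupohofus.dll

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Apoint"="c:\program files\Apoint\Apoint.exe" [2003-08-21 151552]
"Updater"="rundll32.exe c:\windows\zzupd.dll,Start" [2010-01-27 0]

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=

- - - - ORPHANS REMOVED - - - -

HKLM-Run-Dhawavoxo - c:\windows\ibirupohofus.dll
Notify-NavLogon - (no file)
"""

SECTION_RE = re.compile(r"^\(+ (?P<title>.+?) \)+$")
ORPHAN_HDR = "- - - - ORPHANS REMOVED - - - -"
RUN_KEY_RE = re.compile(r"^\[(?P<hive>HKEY_LOCAL_MACHINE|HKEY_CURRENT_USER)\\.*\\Run\]$", re.I)
RUN_VALUE_RE = re.compile(r'^"(?P<name>[^"]+)"="(?P<cmd>[^"]*)"')
ORPHAN_RE = re.compile(r"^(?P<hive>HKLM|HKCU)-Run-(?P<name>\S+) - (?P<path>.+)$")
HIVE_SHORT = {"HKEY_LOCAL_MACHINE": "HKLM", "HKEY_CURRENT_USER": "HKCU"}


def target_file(cmd):
    """Return the file a Run command line actually loads."""
    c = cmd.strip().strip('"')
    if c.lower().startswith("rundll32"):
        # rundll32.exe <dll>,<entrypoint> [args]: the DLL is the module that must exist
        rest = c.split(None, 1)[1] if " " in c else ""
        return rest.split(",", 1)[0].strip().strip('"')
    m = re.match(r"(.+?\.(?:exe|dll|sys|cpl|scr))", c, re.I)
    return m.group(1) if m else c


def parse_combofix(text):
    """Collect deleted paths, Run values (hive, name, cmd) and removed orphans from a log."""
    deletions, run_values, orphans = set(), [], []
    section, hive = None, None
    for raw in text.splitlines():
        line = raw.strip()
        m = SECTION_RE.match(line)
        if m:
            section, hive = m.group("title"), None
            continue
        if line == ORPHAN_HDR:
            section = "Orphans"
            continue
        if section == "Other Deletions":
            if line and line != ".":
                deletions.add(line.lower())
        elif section == "Reg Loading Points":
            if line.startswith("["):
                m = RUN_KEY_RE.match(line)
                hive = HIVE_SHORT[m.group("hive").upper()] if m else None
            elif hive:
                m = RUN_VALUE_RE.match(line)
                if m:
                    run_values.append((hive, m.group("name"), m.group("cmd")))
        elif section == "Orphans":
            m = ORPHAN_RE.match(line)
            if m:
                orphans.append((m.group("hive"), m.group("name"), m.group("path")))
    return deletions, run_values, orphans


def audit_autostarts(text, exists=os.path.exists):
    """Map 'HIVE-Run-Name' -> (target path, status) for every Run value in the log."""
    deletions, run_values, orphans = parse_combofix(text)
    findings = {}
    for hive, name, cmd in run_values:
        target = target_file(cmd)
        if target.lower() in deletions:
            status = "deleted_by_tool"
        elif not exists(target):
            status = "missing"       # dangling entry: this is what raises the RUNDLL pop-up
        else:
            status = "present"
        findings[f"{hive}-Run-{name}"] = (target, status)
    for hive, name, path in orphans:
        status = "deleted_by_tool" if path.lower() in deletions else "orphan"
        findings[f"{hive}-Run-{name}"] = (path, status)
    return findings


if __name__ == "__main__":
    for key, (target, status) in sorted(audit_autostarts(SAMPLE_LOG).items()):
        print(f"{status:16} {key} -> {target}")
```

Run against a real log with exists left at its default, a "missing" Run value is the one to delete by hand if the pop-up persists; "deleted_by_tool" entries explain a one-time error on the first reboot after cleanup, which is consistent with the user seeing no error the following morning.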

#7 mpascal

  • Group: Retired Staff
  • Posts: 3,644
  • Joined: 13-April 09

Posted 02 February 2010 - 06:46 PM

Are you still getting that pop-up everytime Windows starts? The rundll one.

#8 stubbdog

  • Group: Member
  • Posts: 46
  • Joined: 18-August 05

Posted 03 February 2010 - 09:49 AM

I asked the user if they got any errors when they booted up this morning and they said no. The only things they did mention were:

1. Google Chrome was gone.
2. Internet Explorer had not kept all of their home page tabs; it had reset them back to the single default one.

Obviously, both of those are easy enough to fix, but I just wanted to let you know about them as side effects of some of this removal process, so you might let the software makers know (not sure if you guys have access to them or not).

#9 mpascal

  • Group: Retired Staff
  • Posts: 3,644
  • Joined: 13-April 09

Posted 03 February 2010 - 09:52 AM

Yep we have access to pretty much everyone that makes the software we use. Thanks for the info. Feel free to ask any other questions.

Congratulations! Your system appears to be malware free once again!

We just have a couple of things to take care of, then you should be good to go. :)

STEP 1 - Uninstall ComboFix
  • Click on Start > Run
  • Type Combofix /uninstall in the run box and click Ok. Note the space between the x and the /uninstall; it needs to be there.

STEP 2 - Remove Tools
  • Open OTL
  • Click Clean Up in the upper right corner.
  • This will remove most if not all the tools we used while we were fixing your computer. Feel free to delete any others it leaves behind.

Now that you have a clean system, I would like to share with you some advice to help reduce the risk of future infection.

+++++++++++++++++++++++++++++++++++++++++++++++

Firstly, I recommend you reset your System Restore to remove any infected files that may have been backed up by Windows. You will lose any previous restore points; however, some of those are likely to be infected, so this will improve the security of your machine.

Turn OFF System Restore.
  • On the Desktop, right-click My Computer.
  • Click Properties.
  • Click the System Restore tab.
  • Check Turn off System Restore.
  • Click Apply, and then click OK.
Restart your computer.

Turn ON System Restore.
  • On the Desktop, right-click My Computer.
  • Click Properties.
  • Click the System Restore tab.
  • UN-Check Turn off System Restore.
  • Click Apply, and then click OK.
System Restore will now be active again

+++++++++++++++++++++++++++++++++++++++++++++++

I recommend that you install both of the following free programs if you haven't already, as they can greatly increase the security of your system. It is not essential that you have these programs installed, but they do a very good job at preventing infection if your system is scanned regularly.

+++++++++++++++++++++++++++++++++++++++++++++++

A good firewall is also useful for keeping a system infection free. You should only have ONE firewall installed on your computer - having more than one will not increase the security of your system. Here is a small list of some free firewalls.

An antivirus program is also a program that should be installed on all computers. These will help reduce the risk that your computer gets infected by viruses or trojans in the future. Keep in mind that you only need ONE antivirus program installed on your computer. If you have more than one installed, they can often conflict and leave your system unprotected.

Having up to date Antivirus and Firewall software is vital to keeping a healthy, infection free system.

+++++++++++++++++++++++++++++++++++++++++++++++

To find out more information on how your system got infected, or how to protect yourself on the internet in the future, this article by Tony Klein provides some great information.

Good Luck and safe surfing!

-mpascal

#10 mpascal

  • Group: Retired Staff
  • Posts: 3,644
  • Joined: 13-April 09

Posted 14 April 2010 - 12:43 PM

Since this issue appears to be resolved ... this Topic has been closed. Glad we could help. :)

If you're the topic starter, and need this topic reopened, please contact a staff member with the address of the thread.

Everyone else please begin a New Topic.
