IObit Forum

I'm getting RUNDLL error code



Posted

Does anybody know how to get rid of the RUNDLL error code? It says:

C:\WINDOWS\dsetieqs.dll &

C:\WINDOWS\osubasusevihe.dll

could not be found.

 

Any suggestions?

Posted

Here are the results, Evilfantasy.

 

 

DDS (Ver_10-03-17.01) - NTFSx86

Run by stephen at 19:41:21.25 on Fri 05/28/2010

Internet Explorer: 8.0.6001.18702 BrowserJavaVersion: 1.6.0_16

Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.479.158 [GMT -7:00]

 

AV: My Security Engine *On-access scanning enabled* (Outdated) {F86826C9-5952-4455-9C46-41887603AC2F}

FW: My Security Engine *enabled* {70484633-760D-4A59-99CF-7C089F5EC502}

 

============== Running Processes ===============

 

C:\WINDOWS\system32\svchost -k DcomLaunch

C:\WINDOWS\system32\svchost -k rpcss

C:\WINDOWS\System32\svchost.exe -k netsvcs

C:\WINDOWS\system32\svchost.exe -k NetworkService

C:\WINDOWS\system32\svchost.exe -k LocalService

C:\WINDOWS\system32\spoolsv.exe

C:\WINDOWS\Explorer.EXE

C:\Program Files\AirPort\APAgent.exe

C:\Program Files\Common Files\Real\Update_OB\realsched.exe

C:\Program Files\iTunes\iTunesHelper.exe

C:\Program Files\IObit\IObit Security 360\IS360tray.exe

C:\WINDOWS\system32\ctfmon.exe

C:\Program Files\Messenger\msmsgs.exe

C:\Program Files\LimeWire\LimeWire.exe

C:\WINDOWS\system32\svchost.exe -k LocalService

C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe

C:\Program Files\Bonjour\mDNSResponder.exe

C:\Program Files\IObit\IObit Security 360\IS360srv.exe

C:\Program Files\Google\Update\GoogleUpdate.exe

C:\WINDOWS\system32\svchost.exe -k imgsvc

C:\Program Files\Hewlett-Packard\Shared\hpqWmiEx.exe

C:\Program Files\iPod\bin\iPodService.exe

C:\WINDOWS\System32\alg.exe

C:\WINDOWS\system32\wuauclt.exe

C:\Program Files\Mozilla Firefox\firefox.exe

C:\Program Files\IObit\IObit Security 360\is360.exe

C:\WINDOWS\system32\wbem\wmiprvse.exe

C:\Documents and Settings\stephen.STEPHENADMIN\My Documents\Downloads\dds.scr

 

============== Pseudo HJT Report ===============

 

uStart Page = about:blank

uSearch Page =

uSearch Bar =

uInternet Connection Wizard,ShellNext = iexplore

uInternet Settings,ProxyOverride = <local>

uInternet Settings,ProxyServer = http=127.0.0.1:5555

BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll

BHO: RealPlayer Download and Record Plugin for Internet Explorer: {3049c3e9-b461-4bc5-8870-4c09146192ca} - c:\documents and settings\all users.windows\application data\real\realplayer\browserrecordplugin\ie\rpbrowserrecordplugin.dll

BHO: Java Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll

TB: {CCC7A320-B3CA-4199-B1A6-9F516DD69829} - No File

TB: {374D658D-FE8A-49A9-B36D-0E9F0980DDDC} - No File

uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe

uRun: [MSMSGS] "c:\program files\messenger\msmsgs.exe" /background

uRun: [Vgamujililun] rundll32.exe "c:\windows\dsetieqs.dll",Startup

mRun: [High Definition Audio Property Page Shortcut] CHDAudPropShortcut.exe

mRun: [AirPort Base Station Agent] "c:\program files\airport\APAgent.exe"

mRun: [TkBellExe] "c:\program files\common files\real\update_ob\realsched.exe" -osboot

mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 9.0\reader\Reader_sl.exe"

mRun: [Adobe ARM] "c:\program files\common files\adobe\arm\1.0\AdobeARM.exe"

mRun: [QuickTime Task] "c:\program files\quicktime\QTTask.exe" -atboottime

mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe"

mRun: [Dpivozabul] rundll32.exe "c:\windows\osubasusevihe.dll",Startup

mRun: [iObit Security 360] "c:\program files\iobit\iobit security 360\IS360tray.exe" /autostart

StartupFolder: c:\docume~1\stephe~2.ste\startm~1\programs\startup\limewi~1.lnk - c:\program files\limewire\LimeWire.exe

mPolicies-system: EnableLUA = 0 (0x0)

IE: &Search

IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe

IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe

DPF: {402EE96E-2CE8-482D-ADA5-CECEEA07E16D} - hxxp://www.turntool.com/ViewerInstall.exe

DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_16-windows-i586.cab

DPF: {CAFEEFAC-0016-0000-0016-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_16-windows-i586.cab

DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_16-windows-i586.cab

TCP: {511AF471-4F5F-4506-8B7D-33239408EAE1} = 195.242.208.40

TCP: {92DA617D-43A4-4B4E-8955-34F1ABD920DB} = 195.242.208.40

SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll

IFEO: image file execution options - svchost.exe

Hosts: 74.125.45.100 4-open-davinci.com

Hosts: 74.125.45.100 securitysoftwarepayments.com

Hosts: 74.125.45.100 privatesecuredpayments.com

Hosts: 74.125.45.100 secure.privatesecuredpayments.com

Hosts: 74.125.45.100 getantivirusplusnow.com

 

Note: multiple HOSTS entries found. Please refer to Attach.txt

 

================= FIREFOX ===================

 

FF - ProfilePath - c:\docume~1\stephe~2.ste\applic~1\mozilla\firefox\profiles\6fgeb4bx.default\

FF - prefs.js: browser.search.selectedEngine - search

FF - prefs.js: browser.startup.homepage -

FF - prefs.js: keyword.URL - hxxp://bing.zugotoolbar.com/s/?iesrc=IE-Address&site=Bing&q=

FF - component: c:\documents and settings\all users.windows\application data\real\realplayer\browserrecordplugin\firefox\ext\components\nprpffbrowserrecordext.dll

FF - plugin: c:\documents and settings\all users.windows\application data\real\realplayer\browserrecordplugin\mozillaplugins\nprphtml5videoshim.dll

FF - plugin: c:\program files\google\google earth\plugin\npgeplugin.dll

FF - plugin: c:\program files\google\update\1.2.183.23\npGoogleOneClick8.dll

FF - HiddenExtension: XULRunner: {724BFE7E-07D6-40BC-BD64-720CE6012A69} - c:\documents and settings\stephen.stephenadmin\local settings\application data\{724BFE7E-07D6-40BC-BD64-720CE6012A69}

FF - HiddenExtension: XULRunner: {35435B99-6804-48F2-915E-36B3A9FD33B5} - c:\documents and settings\test\local settings\application data\{35435B99-6804-48F2-915E-36B3A9FD33B5}

FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0011-ABCDEFFEDCBA}

FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0016-ABCDEFFEDCBA}

 

---- FIREFOX POLICIES ----

c:\program files\mozilla firefox\greprefs\all.js - pref("ui.use_native_colors", true);

c:\program files\mozilla firefox\greprefs\all.js - pref("ui.use_native_popup_windows", false);

c:\program files\mozilla firefox\greprefs\all.js - pref("browser.enable_click_image_resizing", true);

c:\program files\mozilla firefox\greprefs\all.js - pref("accessibility.browsewithcaret_shortcut.enabled", true);

c:\program files\mozilla firefox\greprefs\all.js - pref("javascript.options.mem.high_water_mark", 32);

c:\program files\mozilla firefox\greprefs\all.js - pref("javascript.options.mem.gc_frequency", 1600);

c:\program files\mozilla firefox\greprefs\all.js - pref("network.auth.force-generic-ntlm", false);

c:\program files\mozilla firefox\greprefs\all.js - pref("svg.smil.enabled", false);

c:\program files\mozilla firefox\greprefs\all.js - pref("ui.trackpoint_hack.enabled", -1);

c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.debug", false);

c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.agedWeight", 2);

c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.bucketSize", 1);

c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.maxTimeGroupings", 25);

c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.timeGroupingSize", 604800);

c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.boundaryWeight", 25);

c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.prefixWeight", 5);

c:\program files\mozilla firefox\greprefs\all.js - pref("html5.enable", false);

c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.allow_unrestricted_renego_everywhere__temporarily_available_pref", true);

c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.renego_unrestricted_hosts", "");

c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.treat_unsafe_negotiation_as_broken", false);

c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.require_safe_negotiation", false);

c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl3.rsa_seed_sha", true);

c:\program files\mozilla firefox\defaults\pref\firefox-branding.js - pref("app.update.download.backgroundInterval", 600);

c:\program files\mozilla firefox\defaults\pref\firefox-branding.js - pref("app.update.url.manual", "http://www.firefox.com");

c:\program files\mozilla firefox\defaults\pref\firefox-branding.js - pref("browser.search.param.yahoo-fr-ja", "mozff");

c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.name", "chrome://browser/locale/browser.properties");

c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.description", "chrome://browser/locale/browser.properties");

c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("xpinstall.whitelist.add", "addons.mozilla.org");

c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("xpinstall.whitelist.add.36", "getpersonas.com");

c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("lightweightThemes.update.enabled", true);

c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.allTabs.previews", false);

c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("plugins.hide_infobar_for_outdated_plugin", false);

c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("plugins.update.notifyUser", false);

c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("toolbar.customization.usesheet", false);

c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.enable", false);

c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.max", 20);

c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.cachetime", 20);

 

============= SERVICES / DRIVERS ===============

 

R2 IS360service;IS360service;c:\program files\iobit\iobit security 360\is360srv.exe [2010-5-28 311568]

S2 gupdate;Google Update Service (gupdate);c:\program files\google\update\GoogleUpdate.exe [2009-5-27 133104]

 

=============== Created Last 30 ================

 

2010-05-28 21:28:51 0 d-sh--w- c:\documents and settings\stephen.stephenadmin\IECompatCache

2010-05-28 20:37:40 0 d-----w- c:\windows\Downloaded Installations

2010-05-26 04:56:20 0 dc-h--w- c:\windows\ie8

2010-05-19 14:20:32 0 d-----w- c:\docume~1\stephe~2.ste\applic~1\Malwarebytes

2010-05-19 14:20:07 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys

2010-05-19 14:20:06 0 d-----w- c:\docume~1\alluse~1.win\applic~1\Malwarebytes

2010-05-19 14:20:05 20952 ----a-w- c:\windows\system32\drivers\mbam.sys

2010-05-19 14:20:05 0 d-----w- c:\program files\Malwarebytes' Anti-Malware

2010-05-18 08:10:36 0 d-sh--w- c:\documents and settings\stephen.stephenadmin\PrivacIE

2010-05-18 05:37:19 0 d-----w- C:\SMILES, Faces

2010-05-14 16:34:20 247808 -c----w- c:\windows\system32\dllcache\ieproxy.dll

2010-05-14 16:34:19 12800 -c----w- c:\windows\system32\dllcache\xpshims.dll

2010-05-13 21:45:28 0 d-sh--w- c:\documents and settings\stephen.stephenadmin\IETldCache

2010-05-12 23:05:14 61056 -c--a-w- c:\windows\system32\dllcache\ohci1394.sys

2010-05-12 23:05:14 61056 ----a-w- c:\windows\system32\drivers\ohci1394.sys

2010-05-12 21:05:46 0 d-----w- c:\docume~1\alluse~1.win\applic~1\Alwil Software

2010-05-12 17:08:08 2544 ----a-w- c:\windows\ikimilabef.dll

2010-05-12 09:30:00 2544 ----a-w- c:\windows\enagunewucobuh.dll

2010-05-12 09:11:03 2544 ----a-w- c:\windows\onowerecome.dll

2010-05-12 08:57:11 2544 ----a-w- c:\windows\ulovamiwokojegig.dll

2010-05-12 08:34:08 2544 ----a-w- c:\windows\anafepohebafi.dll

2010-05-12 07:38:50 2544 ----a-w- c:\windows\ekituliv.dll

2010-05-12 04:02:44 2544 ----a-w- c:\windows\ajixohese.dll

2010-05-12 03:52:23 2544 ----a-w- c:\windows\uvukofeg.dll

2010-05-12 03:20:19 2544 ----a-w- c:\windows\okedowurafoxos.dll

2010-05-12 00:04:20 2544 ----a-w- c:\windows\itukiyitej.dll

2010-05-11 21:43:46 0 d-----w- c:\docume~1\stephe~2.ste\applic~1\f-secure

2010-05-11 21:41:24 0 d-----w- c:\program files\Charter Security Suite

2010-05-11 20:09:09 2544 ----a-w- c:\windows\ozanerokowucafo.dll

2010-05-11 13:46:48 2544 ----a-w- c:\windows\alogadag.dll

2010-05-10 20:59:17 2544 ----a-w- c:\windows\uqiqeyuhasaj.dll

2010-05-10 20:53:32 2544 ----a-w- c:\windows\ipaqoziyi.dll

2010-05-10 19:55:13 2544 ----a-w- c:\windows\uzuqotiwuvubomu.dll

2010-05-10 19:35:55 2544 ----a-w- c:\windows\omukodado.dll

2010-05-10 19:21:23 2544 ----a-w- c:\windows\alagodini.dll

2010-05-10 18:55:47 2544 ----a-w- c:\windows\etuqijiw.dll

2010-05-10 18:52:59 2544 ----a-w- c:\windows\edefiboq.dll

2010-05-10 18:06:40 2544 ----a-w- c:\windows\ojodotexaqak.dll

2010-05-10 17:42:31 2544 ----a-w- c:\windows\iyaxazig.dll

2010-05-10 08:44:18 0 d-----w- c:\docume~1\alluse~1.win\applic~1\fssg

2010-05-10 06:51:44 2544 ----a-w- c:\windows\afeweturet.dll

2010-05-10 06:15:32 0 d-----w- c:\docume~1\alluse~1.win\applic~1\f-secure

2010-05-10 04:49:44 2544 ----a-w- c:\windows\oxubelis.dll

2010-05-10 03:53:06 2544 ----a-w- c:\windows\ehamusigegobe.dll

2010-05-10 01:26:21 2544 ----a-w- c:\windows\ojurukururul.dll

2010-05-09 23:24:21 2544 ----a-w- c:\windows\ayisuxom.dll

2010-05-09 21:15:38 2544 ----a-w- c:\windows\ajekivegohekeva.dll

2010-05-09 20:29:16 2544 ----a-w- c:\windows\ozeluxocaciris.dll

2010-05-09 19:35:48 2544 ----a-w- c:\windows\imixuwenanojowa.dll

2010-05-09 13:38:44 2544 ----a-w- c:\windows\uwewadilak.dll

2010-05-09 11:36:44 2544 ----a-w- c:\windows\oxolupav.dll

2010-05-09 09:34:44 2544 ----a-w- c:\windows\ofozikagupise.dll

2010-05-09 07:32:44 2544 ----a-w- c:\windows\akebexuy.dll

2010-05-09 05:30:45 2544 ----a-w- c:\windows\ahaxanet.dll

2010-05-09 03:28:44 2544 ----a-w- c:\windows\amovesebevaxitig.dll

2010-05-09 01:26:44 2544 ----a-w- c:\windows\ocuhepayukay.dll

2010-05-09 01:15:24 2544 ----a-w- c:\windows\ejudefayoqevi.dll

2010-05-08 23:06:15 2544 ----a-w- c:\windows\abememapiqiyonox.dll

2010-05-08 21:13:19 2544 ----a-w- c:\windows\oqojuyokuyepebeh.dll

2010-05-08 08:34:12 2544 ----a-w- c:\windows\aqilutej.dll

2010-05-08 06:24:20 0 d-sh--w- c:\docume~1\alluse~1.win\applic~1\MSTPSNUXUE

2010-05-08 06:22:13 0 d-sh--w- c:\docume~1\alluse~1.win\applic~1\213a261

2010-05-03 10:06:02 2544 ----a-w- c:\windows\Bdisur.dat

2010-05-03 10:06:02 0 ----a-w- c:\windows\Vkocut.bin

2010-05-03 10:04:32 84992 --sha-r- c:\windows\system32\tssoft325.dll

 

==================== Find3M ====================

 

2010-04-08 20:20:02 91424 ----a-w- c:\windows\system32\dnssd.dll

2010-04-08 20:20:02 107808 ----a-w- c:\windows\system32\dns-sd.exe

2010-03-27 13:25:03 499712 ----a-w- c:\windows\system32\msvcp71.dll

2010-03-27 13:25:03 348160 ----a-w- c:\windows\system32\msvcr71.dll

2010-03-10 06:15:52 420352 ----a-w- c:\windows\system32\vbscript.dll

 

============= FINISH: 19:41:46.40 ===============

Posted

What about the Attach.txt file?

 

Also install and scan with HijackThis.

 

Download TrendMicro HijackThis.exe (HJT) to the desktop.

 

* Double-click on HJTInstall.

* Click on the Install button.

* It will automatically place HJT in C:\Program Files\TrendMicro\HijackThis\HijackThis.exe.

* Upon install, HijackThis should open for you.

* Important! If using Windows Vista or Windows 7, close HijackThis. Now right-click HijackThis and Run As Administrator

* Click on the Do a system scan and save a log file button

* HijackThis will scan and then a log will open in notepad.

* Copy and then paste the entire contents of the log in your post.

* Do not have HijackThis fix anything yet. Most of what it finds will be harmless or even required.

Posted

Got a problem with Hijack which I was told not to repair so....

Logfile of Trend Micro HijackThis v2.0.4

Scan saved at 5:49:37 PM, on 5/29/2010

Platform: Windows XP SP2 (WinNT 5.01.2600)

MSIE: Internet Explorer v8.00 (8.00.6001.18702)

Boot mode: Normal

 

Running processes:

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\system32\csrss.exe

C:\WINDOWS\system32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\system32\spoolsv.exe

C:\WINDOWS\Explorer.EXE

C:\Program Files\AirPort\APAgent.exe

C:\Program Files\Common Files\Real\Update_OB\realsched.exe

C:\Program Files\iTunes\iTunesHelper.exe

C:\WINDOWS\system32\rundll32.exe

C:\Program Files\IObit\IObit Security 360\IS360tray.exe

C:\WINDOWS\system32\ctfmon.exe

C:\Program Files\Messenger\msmsgs.exe

C:\WINDOWS\system32\rundll32.exe

C:\Program Files\LimeWire\LimeWire.exe

C:\WINDOWS\system32\svchost.exe

C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe

C:\Program Files\Bonjour\mDNSResponder.exe

C:\Program Files\IObit\IObit Security 360\IS360srv.exe

C:\Program Files\Google\Update\GoogleUpdate.exe

C:\WINDOWS\system32\svchost.exe

C:\Program Files\Hewlett-Packard\Shared\hpqWmiEx.exe

C:\Program Files\iPod\bin\iPodService.exe

C:\WINDOWS\System32\alg.exe

C:\WINDOWS\system32\wuauclt.exe

C:\Program Files\Mozilla Firefox\firefox.exe

c:\program files\real\realplayer\RealPlay.exe

C:\Program Files\Trend Micro\HiJackThis\HiJackThis.exe

C:\WINDOWS\system32\wbem\wmiprvse.exe

 

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157

R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = http=127.0.0.1:5555

O1 - Hosts: 74.125.45.100 4-open-davinci.com

O1 - Hosts: 74.125.45.100 securitysoftwarepayments.com

O1 - Hosts: 74.125.45.100 privatesecuredpayments.com

O1 - Hosts: 74.125.45.100 secure.privatesecuredpayments.com

O1 - Hosts: 74.125.45.100 getantivirusplusnow.com

O1 - Hosts: 74.125.45.100 secure-plus-payments.com

O1 - Hosts: 74.125.45.100 www.secure-plus-payments.com

O1 - Hosts: 74.125.45.100 www.getantivirusplusnow.com

O1 - Hosts: 74.125.45.100 www.getavplusnow.com

O1 - Hosts: 74.125.45.100 safebrowsing-cache.google.com

O1 - Hosts: 74.125.45.100 urs.microsoft.com

O1 - Hosts: 74.125.45.100 www.securesoftwarebill.com

O1 - Hosts: 74.125.45.100 secure.paysecuresystem.com

O1 - Hosts: 74.125.45.100 paysoftbillsolution.com

O1 - Hosts: 74.125.45.100 protected.maxisoftwaremart.com

O1 - Hosts: 173.232.149.92 www.google.com

O1 - Hosts: 173.232.149.92 google.com

O1 - Hosts: 173.232.149.92 google.com.au

O1 - Hosts: 173.232.149.92 www.google.com.au

O1 - Hosts: 173.232.149.92 google.be

O1 - Hosts: 173.232.149.92 www.google.be

O1 - Hosts: 173.232.149.92 google.com.br

O1 - Hosts: 173.232.149.92 www.google.com.br

O1 - Hosts: 173.232.149.92 google.ca

O1 - Hosts: 173.232.149.92 www.google.ca

O1 - Hosts: 173.232.149.92 google.ch

O1 - Hosts: 173.232.149.92 www.google.ch

O1 - Hosts: 173.232.149.92 google.de

O1 - Hosts: 173.232.149.92 www.google.de

O1 - Hosts: 173.232.149.92 google.dk

O1 - Hosts: 173.232.149.92 www.google.dk

O1 - Hosts: 173.232.149.92 google.fr

O1 - Hosts: 173.232.149.92 www.google.fr

O1 - Hosts: 173.232.149.92 google.ie

O1 - Hosts: 173.232.149.92 www.google.ie

O1 - Hosts: 173.232.149.92 google.it

O1 - Hosts: 173.232.149.92 www.google.it

O1 - Hosts: 173.232.149.92 google.co.jp

O1 - Hosts: 173.232.149.92 www.google.co.jp

O1 - Hosts: 173.232.149.92 google.nl

O1 - Hosts: 173.232.149.92 www.google.nl

O1 - Hosts: 173.232.149.92 google.no

O1 - Hosts: 173.232.149.92 www.google.no

O1 - Hosts: 173.232.149.92 google.co.nz

O1 - Hosts: 173.232.149.92 www.google.co.nz

O1 - Hosts: 173.232.149.92 google.pl

O1 - Hosts: 173.232.149.92 www.google.pl

O1 - Hosts: 173.232.149.92 google.se

O1 - Hosts: 173.232.149.92 www.google.se

O1 - Hosts: 173.232.149.92 google.co.uk

O1 - Hosts: 173.232.149.92 www.google.co.uk

O1 - Hosts: 173.232.149.92 google.co.za

O1 - Hosts: 173.232.149.92 www.google.co.za

O1 - Hosts: 173.232.149.92 www.google-analytics.com

O1 - Hosts: 173.232.149.92 www.bing.com

O1 - Hosts: 173.232.149.92 search.yahoo.com

O1 - Hosts: 173.232.149.92 www.search.yahoo.com

O1 - Hosts: 173.232.149.92 uk.search.yahoo.com

O1 - Hosts: 173.232.149.92 ca.search.yahoo.com

O1 - Hosts: 173.232.149.92 de.search.yahoo.com

O1 - Hosts: 173.232.149.92 fr.search.yahoo.com

O1 - Hosts: 173.232.149.92 au.search.yahoo.com

O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll

O2 - BHO: RealPlayer Download and Record Plugin for Internet Explorer - {3049C3E9-B461-4BC5-8870-4C09146192CA} - C:\Documents and Settings\All Users.WINDOWS\Application Data\Real\RealPlayer\BrowserRecordPlugin\IE\rpbrowserrecordplugin.dll

O2 - BHO: Java Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll

O3 - Toolbar: (no name) - {CCC7A320-B3CA-4199-B1A6-9F516DD69829} - (no file)

O4 - HKLM\..\Run: [High Definition Audio Property Page Shortcut] CHDAudPropShortcut.exe

O4 - HKLM\..\Run: [AirPort Base Station Agent] "C:\Program Files\AirPort\APAgent.exe"

O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot

O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe"

O4 - HKLM\..\Run: [Adobe ARM] "C:\Program Files\Common Files\Adobe\ARM\1.0\AdobeARM.exe"

O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime

O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"

O4 - HKLM\..\Run: [Dpivozabul] rundll32.exe "C:\WINDOWS\osubasusevihe.dll",Startup

O4 - HKLM\..\Run: [iObit Security 360] "C:\Program Files\IObit\IObit Security 360\IS360tray.exe" /autostart

O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe

O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background

O4 - HKCU\..\Run: [Vgamujililun] rundll32.exe "C:\WINDOWS\dsetieqs.dll",Startup

O4 - Startup: LimeWire On Startup.lnk = C:\Program Files\LimeWire\LimeWire.exe

O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe

O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe

O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe

O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe

O16 - DPF: {402EE96E-2CE8-482D-ADA5-CECEEA07E16D} - http://www.turntool.com/ViewerInstall.exe

O17 - HKLM\System\CCS\Services\Tcpip\..\{511AF471-4F5F-4506-8B7D-33239408EAE1}: NameServer = 195.242.208.40

O17 - HKLM\System\CCS\Services\Tcpip\..\{92DA617D-43A4-4B4E-8955-34F1ABD920DB}: NameServer = 195.242.208.40

O22 - SharedTaskScheduler: Browseui preloader - {438755C2-A8BA-11D1-B96B-00A0C90312E1} - C:\WINDOWS\system32\browseui.dll

O22 - SharedTaskScheduler: Component Categories cache daemon - {8C7461EF-2B13-11d2-BE35-3078302C2030} - C:\WINDOWS\system32\browseui.dll

O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe

O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe

O23 - Service: Google Update Service (gupdate) (gupdate) - Google Inc. - C:\Program Files\Google\Update\GoogleUpdate.exe

O23 - Service: hpqwmiex - Hewlett-Packard Development Company, L.P. - C:\Program Files\Hewlett-Packard\Shared\hpqWmiEx.exe

O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe

O23 - Service: IS360service - IObit - C:\Program Files\IObit\IObit Security 360\IS360srv.exe

 

--

End of file - 8534 bytes
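The DDS and HijackThis logs above carry the same handful of indicators: a hosts file that sends google.*, bing and yahoo search to 173.232.149.92 and the rogue's payment domains (plus safebrowsing-cache.google.com and urs.microsoft.com, which blinds browser malware protection) to 74.125.45.100; an IE proxy on 127.0.0.1:5555 so a local process sits in the browser's path; two random-named autoruns that load 2544-byte DLLs from the root of C:\WINDOWS via rundll32; a hard-coded DNS server; and a long run of identically sized DLLs dropped over a few days. The Python below is an added example, not DDS's, HijackThis's or the forum's code, that scans HijackThis-style O1/O4/O17 lines and DDS "Created Last 30" lines for those patterns. The sample log is constructed from entries in this thread; the loopback set, the two "security domains" and the cluster threshold are illustrative assumptions.

```python
"""Triage HijackThis / DDS style log lines for the indicators seen in this
thread. Added example; not the forum's, DDS's or HijackThis's code.
The sample log below is constructed from the thread's entries."""
import re
from collections import defaultdict

# Only loopback / unspecified targets are normal in a home PC's hosts file.
BENIGN_HOSTS_TARGETS = {"127.0.0.1", "0.0.0.0", "::1"}
# Domains a rogue AV redirects to blind real security software
# (assumption: an illustrative list, not a vetted feed).
SECURITY_DOMAINS = {"safebrowsing-cache.google.com", "urs.microsoft.com"}
CLUSTER_MIN = 4  # same-size files in one directory before we call it a drop cluster

HOSTS_RE = re.compile(r"^O1 - Hosts:\s+(\S+)\s+(\S+)")
PROXY_RE = re.compile(r"ProxyServer = (.+)$")
RUN_RE = re.compile(r"^O4 - (HK\w+)\\\.\.\\Run: \[(.+?)\]\s+(.+)$")
RUNDLL_RE = re.compile(r'rundll32(?:\.exe)?\s+"?([^",]+)"?', re.I)
DNS_RE = re.compile(r"NameServer = (\S+)")
# DDS "Created Last 30" line: timestamp, size, attribute string, path
FILE_RE = re.compile(r"^\d{4}-\d\d-\d\d \d\d:\d\d:\d\d\s+(\d+)\s+\S+\s+(.+)$")


def triage(lines):
    """Return a dict of findings keyed by indicator type."""
    f = defaultdict(list)
    sizes = defaultdict(list)  # (directory, size) -> paths
    for raw in lines:
        line = raw.strip()
        if not line:
            continue
        if m := HOSTS_RE.match(line):
            ip, host = m.groups()
            if ip not in BENIGN_HOSTS_TARGETS:
                kind = "security_blocked" if host in SECURITY_DOMAINS else "redirect"
                f["hosts"].append((kind, host, ip))
        elif m := PROXY_RE.search(line):
            proxy = m.group(1)
            # A proxy on 127.0.0.1 means a local process intercepts the browser.
            if "127.0.0.1" in proxy or "localhost" in proxy.lower():
                f["proxy"].append(proxy)
        elif m := RUN_RE.match(line):
            hive, name, cmd = m.groups()
            if r := RUNDLL_RE.search(cmd):
                dll = r.group(1)
                # rundll32 loading a DLL from outside system32 (here the root
                # of %WINDIR%) under a random autorun name is the thread's pattern.
                if not re.search(r"\\system32\\", dll, re.I):
                    f["rundll_autorun"].append((hive, name, dll))
        elif m := DNS_RE.search(line):
            f["dns"].append(m.group(1))
        elif m := FILE_RE.match(line):
            size, path = int(m.group(1)), m.group(2)
            directory = path.rsplit("\\", 1)[0].lower()
            if size > 0:
                sizes[(directory, size)].append(path)
    # Many identically sized files dropped into one directory under random
    # names (the 2544-byte DLLs in c:\windows) point at a single dropper.
    for (directory, size), paths in sizes.items():
        if len(paths) >= CLUSTER_MIN:
            f["file_clusters"].append((directory, size, len(paths)))
    return dict(f)


# Constructed sample: a mix of HijackThis and DDS lines taken from the thread.
SAMPLE_LOG = r"""
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = http=127.0.0.1:5555
O1 - Hosts: 74.125.45.100 securitysoftwarepayments.com
O1 - Hosts: 74.125.45.100 safebrowsing-cache.google.com
O1 - Hosts: 74.125.45.100 urs.microsoft.com
O1 - Hosts: 173.232.149.92 www.google.com
O1 - Hosts: 173.232.149.92 search.yahoo.com
O1 - Hosts: 127.0.0.1 localhost
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [Dpivozabul] rundll32.exe "C:\WINDOWS\osubasusevihe.dll",Startup
O4 - HKCU\..\Run: [Vgamujililun] rundll32.exe "C:\WINDOWS\dsetieqs.dll",Startup
O17 - HKLM\System\CCS\Services\Tcpip\..\{511AF471-4F5F-4506-8B7D-33239408EAE1}: NameServer = 195.242.208.40
2010-05-12 17:08:08 2544 ----a-w- c:\windows\ikimilabef.dll
2010-05-12 09:30:00 2544 ----a-w- c:\windows\enagunewucobuh.dll
2010-05-12 09:11:03 2544 ----a-w- c:\windows\onowerecome.dll
2010-05-12 08:57:11 2544 ----a-w- c:\windows\ulovamiwokojegig.dll
2010-05-12 08:34:08 2544 ----a-w- c:\windows\anafepohebafi.dll
2010-05-19 14:20:05 20952 ----a-w- c:\windows\system32\drivers\mbam.sys
"""

if __name__ == "__main__":
    for kind, items in triage(SAMPLE_LOG.splitlines()).items():
        print(kind)
        for item in items:
            print("   ", item)
```

The DDS "Pseudo HJT Report" uses slightly different prefixes (uRun/mRun, bare "Hosts:"); feed it the HijackThis log, as the helper did, or extend the regexes. The point of the cluster check is that no single 2544-byte DLL looks alarming on its own; forty of them with random names in one directory over ten days do.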

Posted

Also, here is the screenshot of the Hijack message. Maybe I should start over. Will wait for your decision.

[attachment: screenshot]

Posted

Hang in there Stixx. I'll be at my computer later, posting this from my iPod so can't really access everything I need to do malware removal. Also be sure to take So_sad's advice in the other topic. You have to either close out this topic or the one at the Avast forum.

Posted

Open HijackThis and select Do a system scan only

 

Place a check mark next to the following entries: (if there)

 

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank

R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = http=127.0.0.1:5555

O1 - Hosts: 74.125.45.100 4-open-davinci.com

O1 - Hosts: 74.125.45.100 securitysoftwarepayments.com

O1 - Hosts: 74.125.45.100 privatesecuredpayments.com

O1 - Hosts: 74.125.45.100 secure.privatesecuredpayments.com

O1 - Hosts: 74.125.45.100 getantivirusplusnow.com

O1 - Hosts: 74.125.45.100 secure-plus-payments.com

O1 - Hosts: 74.125.45.100 www.secure-plus-payments.com

O1 - Hosts: 74.125.45.100 www.getantivirusplusnow.com

O1 - Hosts: 74.125.45.100 www.getavplusnow.com

O1 - Hosts: 74.125.45.100 safebrowsing-cache.google.com

O1 - Hosts: 74.125.45.100 urs.microsoft.com

O1 - Hosts: 74.125.45.100 www.securesoftwarebill.com

O1 - Hosts: 74.125.45.100 secure.paysecuresystem.com

O1 - Hosts: 74.125.45.100 paysoftbillsolution.com

O1 - Hosts: 74.125.45.100 protected.maxisoftwaremart.com

O1 - Hosts: 173.232.149.92 www.google.com

O1 - Hosts: 173.232.149.92 google.com

O1 - Hosts: 173.232.149.92 google.com.au

O1 - Hosts: 173.232.149.92 www.google.com.au

O1 - Hosts: 173.232.149.92 google.be

O1 - Hosts: 173.232.149.92 www.google.be

O1 - Hosts: 173.232.149.92 google.com.br

O1 - Hosts: 173.232.149.92 www.google.com.br

O1 - Hosts: 173.232.149.92 google.ca

O1 - Hosts: 173.232.149.92 www.google.ca

O1 - Hosts: 173.232.149.92 google.ch

O1 - Hosts: 173.232.149.92 www.google.ch

O1 - Hosts: 173.232.149.92 google.de

O1 - Hosts: 173.232.149.92 www.google.de

O1 - Hosts: 173.232.149.92 google.dk

O1 - Hosts: 173.232.149.92 www.google.dk

O1 - Hosts: 173.232.149.92 google.fr

O1 - Hosts: 173.232.149.92 www.google.fr

O1 - Hosts: 173.232.149.92 google.ie

O1 - Hosts: 173.232.149.92 www.google.ie

O1 - Hosts: 173.232.149.92 google.it

O1 - Hosts: 173.232.149.92 www.google.it

O1 - Hosts: 173.232.149.92 google.co.jp

O1 - Hosts: 173.232.149.92 www.google.co.jp

O1 - Hosts: 173.232.149.92 google.nl

O1 - Hosts: 173.232.149.92 www.google.nl

O1 - Hosts: 173.232.149.92 google.no

O1 - Hosts: 173.232.149.92 www.google.no

O1 - Hosts: 173.232.149.92 google.co.nz

O1 - Hosts: 173.232.149.92 www.google.co.nz

O1 - Hosts: 173.232.149.92 google.pl

O1 - Hosts: 173.232.149.92 www.google.pl

O1 - Hosts: 173.232.149.92 google.se

O1 - Hosts: 173.232.149.92 www.google.se

O1 - Hosts: 173.232.149.92 google.co.uk

O1 - Hosts: 173.232.149.92 www.google.co.uk

O1 - Hosts: 173.232.149.92 google.co.za

O1 - Hosts: 173.232.149.92 www.google.co.za

O1 - Hosts: 173.232.149.92 www.google-analytics.com

O1 - Hosts: 173.232.149.92 www.bing.com

O1 - Hosts: 173.232.149.92 search.yahoo.com

O1 - Hosts: 173.232.149.92 www.search.yahoo.com

O1 - Hosts: 173.232.149.92 uk.search.yahoo.com

O1 - Hosts: 173.232.149.92 ca.search.yahoo.com

O1 - Hosts: 173.232.149.92 de.search.yahoo.com

O1 - Hosts: 173.232.149.92 fr.search.yahoo.com

O1 - Hosts: 173.232.149.92 au.search.yahoo.com

O4 - HKLM\..\Run: [Dpivozabul] rundll32.exe "C:\WINDOWS\osubasusevihe.dll",Startup

O4 - HKCU\..\Run: [Vgamujililun] rundll32.exe "C:\WINDOWS\dsetieqs.dll",Startup

 

Important: Close all open windows except for HijackThis and then click Fix checked.

 

Once completed, exit HijackThis.

 

----------

 

Download OTM by OldTimer to your desktop.

 

Note: If you are using Vista or Windows 7, right-click on OTM.exe and choose Run As Administrator.

 

* Save it to your Desktop.

* Double-click OTM.exe to run it.

* Copy the lines in the codebox below to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose Copy)

 

:Processes

:services

:reg
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentVersion\Run]
"Dpivozabul"=-

[HKEY_CURRENT_USER\software\microsoft\windows\currentVersion\Run]
"Vgamujililun"=-

:files
C:\WINDOWS\dsetieqs.dll
C:\WINDOWS\osubasusevihe.dll

:Commands
[resethosts]
[purity]
[createrestorepoint]
[emptytemp]
[emptyflash]
[start explorer]
[Reboot]

* Return to OTM, right click in the "Paste Instructions for Items to be Moved" window (under the yellow bar) and choose Paste.

* Click the red Moveit! button.

* Copy everything in the Results window (under the green bar) to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose copy), and paste it in your next reply.

 

* Close OTM

 

Note: If a file or folder cannot be moved immediately you may be asked to reboot your computer in order to finish the move process. If asked to reboot, choose Yes. If not, reboot anyway.

 

----------

 

 

If you already have ComboFix be sure to delete it and download a new copy.

 

Download ComboFix© by sUBs from one of the below links. Be sure to save it to the Desktop.

 

Link #1

Link #2

 

**Note: It is important that it is saved directly to your Desktop

 

Close any open Web browsers. (Firefox, Internet Explorer, etc) before starting ComboFix.

 

Temporarily disable your antivirus and any antispyware real time protection before performing a scan. Click this link to see a list of security programs that should be disabled and how to disable them. <- You don't have an antivirus installed! Why?

 

Double click combofix.exe & follow the prompts.

 

When finished ComboFix will produce a log for you.

Post the ComboFix log in your next reply.

 

Important: Do not mouseclick ComboFix's window while it is running. That may cause it to stall.

 

Remember to re-enable your antivirus and antispyware protection when ComboFix is complete.

 

If you have problems with ComboFix usage, see How to use ComboFix
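The OTM script above ends with [resethosts], which replaces the hosts file with the Windows default. The Python below is an added example, not OTM's, HijackThis's or the forum's code, of doing the same thing while keeping a record of what was removed, and it separates the two tricks seen in this log: redirect entries (a hostname pointed at a foreign address, as with the google.* and payment domains) and block entries (a hostname pinned to loopback so it can never resolve, the usual way to stop security updates). The sample hosts content is constructed; the update.example-av.test line is an assumption for illustration and does not appear in the thread.

```python
"""Reset a Windows hosts file to its default, reporting what was removed.
Added example; not OTM's, HijackThis's or the forum's code. The sample
hosts content is constructed from the thread's entries plus one made-up
block entry (update.example-av.test)."""
import ipaddress

LOOPBACK = {"127.0.0.1", "::1", "0.0.0.0"}
LOCAL_NAMES = {"localhost", "localhost.localdomain"}
DEFAULT_LINE = "127.0.0.1       localhost"


def classify(ip, name):
    """'redirect': name sent to a foreign address (search / payment hijack).
    'block': name pinned to loopback so it never resolves (update / AV block).
    None: the legitimate localhost mapping."""
    if ip in LOOPBACK:
        return None if name.lower() in LOCAL_NAMES else "block"
    return "redirect"


def clean_hosts(text):
    """Return (cleaned_text, removed).

    Comments and blank lines are kept, the default localhost line is kept
    (or re-added if the hijack removed it), every other mapping is dropped
    and listed as (kind, ip, name). Lines that are not 'address names...'
    are dropped too and reported with kind 'unparsed'."""
    kept, removed, have_default = [], [], False
    for raw in text.splitlines():
        body = raw.split("#", 1)[0].strip()
        if not body:
            kept.append(raw)            # comment or blank line: keep verbatim
            continue
        parts = body.split()
        try:
            ip = str(ipaddress.ip_address(parts[0]))
        except ValueError:
            removed.append(("unparsed", None, raw.strip()))
            continue
        kinds = [(classify(ip, n), n) for n in parts[1:]]
        if kinds and all(k is None for k, _ in kinds):
            kept.append(raw)            # plain localhost line
            have_default = True
        else:
            # A line mixing localhost with other names is dropped whole;
            # the default line is re-added below.
            removed.extend((k, ip, n) for k, n in kinds if k)
    if not have_default:
        kept.append(DEFAULT_LINE)
    return "\n".join(kept).rstrip("\n") + "\n", removed


# Constructed sample: the Microsoft header, the default line, entries from
# the thread, and one made-up loopback block entry.
SAMPLE_HOSTS = """# Copyright (c) 1993-1999 Microsoft Corp.
#
# This is a sample HOSTS file used by Microsoft TCP/IP for Windows.

127.0.0.1       localhost
74.125.45.100 securitysoftwarepayments.com
74.125.45.100 safebrowsing-cache.google.com
173.232.149.92 www.google.com google.com
127.0.0.1 update.example-av.test
"""

if __name__ == "__main__":
    # On a live XP box the file is %SystemRoot%\system32\drivers\etc\hosts;
    # malware commonly sets it hidden/read-only, so clear those attributes
    # and run as Administrator before writing the cleaned text back.
    cleaned, removed = clean_hosts(SAMPLE_HOSTS)
    print(cleaned)
    for kind, ip, name in removed:
        print(f"removed {kind:9} {ip:16} {name}")
```

Keeping the removed list matters for the write-up: the redirect targets (173.232.149.92 here) are the addresses to look for in proxy or firewall logs from other machines, and a block entry for a vendor's update host explains why that product stopped updating.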

2 weeks later...
Posted

Hey evilfantasy, I just got home yesterday morning; I was out of town. I wanted to thank you very much for helping me to get rid of that RUNDLL error. It worked! That ComboFix, I think, did it. So I downloaded this virus program called Charter Security Suite because we use Charter for internet and it's free. One thing I noticed since yesterday is that now the computer is running totally slow, at start-up when it begins to load my settings and also when shutting down. It seems to take forever. When I click on Firefox it takes like 2 minutes to load up... Would any of the programs I downloaded do anything to slow the computer down? Again, I really want to thank you for helping me with this. You definitely know your computers.

Posted

If you don't post the log as requested there isn't much I can do. Without logs I can't "see" what is going on and how to fix it.

The log is in C:\combofix.txt

Posted

Evil, here you go: 1. ComboFix. Sorry about that. I no longer have ComboFix, as per directions. Thank you, Evil.

 

ComboFix 10-06-01.01 - stephen 06/01/2010 16:19:11.1.2 - x86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.959.726 [GMT -7:00]
Running from: c:\documents and settings\stephen.STEPHENADMIN\My Documents\Downloads\ComboFix.exe
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\documents and settings\All Users.WINDOWS\Application Data\213a261
c:\documents and settings\All Users.WINDOWS\Application Data\213a261\BackUp\LimeWire On Startup.lnk
c:\documents and settings\All Users.WINDOWS\Application Data\213a261\mozcrt19.dll
c:\documents and settings\All Users.WINDOWS\Application Data\213a261\MSE.ico
c:\documents and settings\All Users.WINDOWS\Application Data\213a261\MSESys\vd952342.bd
c:\documents and settings\All Users.WINDOWS\Application Data\213a261\sqlite3.dll
c:\documents and settings\All Users.WINDOWS\Application Data\Toolbar4
c:\documents and settings\stephen m\Local Settings\Application Data\{6ACD2D5A-184B-4096-81FB-9B69E1939F32}
c:\documents and settings\stephen m\Local Settings\Application Data\{6ACD2D5A-184B-4096-81FB-9B69E1939F32}\chrome.manifest
c:\documents and settings\stephen m\Local Settings\Application Data\{6ACD2D5A-184B-4096-81FB-9B69E1939F32}\chrome\content\_cfg.js
c:\documents and settings\stephen m\Local Settings\Application Data\{6ACD2D5A-184B-4096-81FB-9B69E1939F32}\chrome\content\overlay.xul
c:\documents and settings\stephen m\Local Settings\Application Data\{6ACD2D5A-184B-4096-81FB-9B69E1939F32}\install.rdf
c:\documents and settings\stephen.STEPHENADMIN\Recent\cb.drv
c:\documents and settings\stephen.STEPHENADMIN\Recent\cid.sys
c:\documents and settings\stephen.STEPHENADMIN\Recent\CLSV.drv
c:\documents and settings\stephen.STEPHENADMIN\Recent\CLSV.exe
c:\documents and settings\stephen.STEPHENADMIN\Recent\CLSV.sys
c:\documents and settings\stephen.STEPHENADMIN\Recent\DBOLE.sys
c:\documents and settings\stephen.STEPHENADMIN\Recent\ddv.exe
c:\documents and settings\stephen.STEPHENADMIN\Recent\eb.dll
c:\documents and settings\stephen.STEPHENADMIN\Recent\eb.exe
c:\documents and settings\stephen.STEPHENADMIN\Recent\energy.tmp
c:\documents and settings\stephen.STEPHENADMIN\Recent\exec.drv
c:\documents and settings\stephen.STEPHENADMIN\Recent\fan.tmp
c:\documents and settings\stephen.STEPHENADMIN\Recent\fix.sys
c:\documents and settings\stephen.STEPHENADMIN\Recent\FS.tmp
c:\documents and settings\stephen.STEPHENADMIN\Recent\grid.drv
c:\documents and settings\stephen.STEPHENADMIN\Recent\kernel32.exe
c:\documents and settings\stephen.STEPHENADMIN\Recent\kernel32.tmp
c:\documents and settings\stephen.STEPHENADMIN\Recent\PE.exe
c:\documents and settings\stephen.STEPHENADMIN\Recent\PE.sys
c:\documents and settings\stephen.STEPHENADMIN\Recent\ppal.drv
c:\documents and settings\stephen.STEPHENADMIN\Recent\runddlkey.exe
c:\documents and settings\stephen.STEPHENADMIN\Recent\runddlkey.tmp
c:\documents and settings\stephen.STEPHENADMIN\Recent\SICKBOY.tmp
c:\documents and settings\stephen.STEPHENADMIN\Recent\sld.exe
c:\documents and settings\stephen.STEPHENADMIN\Recent\SM.tmp
c:\documents and settings\stephen.STEPHENADMIN\Recent\snl2w.sys
c:\documents and settings\stephen.STEPHENADMIN\Recent\tempdoc.exe
c:\documents and settings\stephen.STEPHENADMIN\Recent\tjd.dll
c:\program files\Common Files\Uninstall
c:\program files\Common Files\Uninstall\PAV\Uninstall.lnk
c:\windows\abememapiqiyonox.dll
c:\windows\afeweturet.dll
c:\windows\ahaxanet.dll
c:\windows\ajekivegohekeva.dll
c:\windows\ajixohese.dll
c:\windows\akebexuy.dll
c:\windows\alagodini.dll
c:\windows\alogadag.dll
c:\windows\amovesebevaxitig.dll
c:\windows\anafepohebafi.dll
c:\windows\aqilutej.dll
c:\windows\ayisuxom.dll
c:\windows\edefiboq.dll
c:\windows\ehamusigegobe.dll
c:\windows\ejudefayoqevi.dll
c:\windows\ekituliv.dll
c:\windows\enagunewucobuh.dll
c:\windows\etuqijiw.dll
c:\windows\ikimilabef.dll
c:\windows\imixuwenanojowa.dll
c:\windows\ipaqoziyi.dll
c:\windows\itukiyitej.dll
c:\windows\iyaxazig.dll
c:\windows\ocuhepayukay.dll
c:\windows\ofozikagupise.dll
c:\windows\ojodotexaqak.dll
c:\windows\ojurukururul.dll
c:\windows\okedowurafoxos.dll
c:\windows\omukodado.dll
c:\windows\onowerecome.dll
c:\windows\oqojuyokuyepebeh.dll
c:\windows\oxolupav.dll
c:\windows\oxubelis.dll
c:\windows\ozanerokowucafo.dll
c:\windows\ozeluxocaciris.dll
c:\windows\system32\_000006_.tmp.dll
c:\windows\ulovamiwokojegig.dll
c:\windows\uqiqeyuhasaj.dll
c:\windows\uvukofeg.dll
c:\windows\uwewadilak.dll
c:\windows\uzuqotiwuvubomu.dll

Infected copy of c:\windows\system32\drivers\atapi.sys was found and disinfected
Restored copy from - Kitty had a snack :p
.

((((((((((((((((((((((((( Files Created from 2010-05-01 to 2010-06-01 )))))))))))))))))))))))))))))))
.

2010-06-01 00:23 . 2010-06-01 00:23 -------- d-----w- C:\_OTM
2010-05-31 23:56 . 2010-05-31 23:56 388096 ----a-r- c:\documents and settings\Test\Application Data\Microsoft\Installer\{45A66726-69BC-466B-A7A4-12FCBA4883D7}\HiJackThis.exe
2010-05-31 11:06 . 2010-05-31 11:06 -------- d-----w- c:\program files\TrendMicro
2010-05-31 03:52 . 2010-05-31 03:52 -------- d-sh--w- c:\documents and settings\Guest.STEPHENADMIN\PrivacIE
2010-05-31 03:52 . 2010-05-31 03:52 -------- d-----w- c:\documents and settings\Guest.STEPHENADMIN\Local Settings\Application Data\Apple Computer
2010-05-29 23:12 . 2010-05-29 23:12 -------- d-----w- c:\program files\Trend Micro
2010-05-28 21:28 . 2010-05-28 21:28 -------- d-sh--w- c:\documents and settings\stephen.STEPHENADMIN\IECompatCache
2010-05-28 20:37 . 2010-05-28 20:37 -------- d-----w- c:\windows\Downloaded Installations
2010-05-26 04:56 . 2010-05-26 04:57 -------- dc-h--w- c:\windows\ie8
2010-05-23 19:40 . 2010-05-23 19:40 -------- d-s---w- c:\documents and settings\stephen m\UserData
2010-05-20 07:51 . 2010-05-20 07:51 -------- d-----w- c:\documents and settings\stephen m\Application Data\Malwarebytes
2010-05-19 14:20 . 2010-05-19 14:20 -------- d-----w- c:\documents and settings\stephen.STEPHENADMIN\Application Data\Malwarebytes
2010-05-19 14:20 . 2010-05-19 14:20 -------- d-----w- c:\documents and settings\All Users.WINDOWS\Application Data\Malwarebytes
2010-05-19 14:20 . 2010-06-01 23:07 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2010-05-18 08:10 . 2010-05-18 08:10 -------- d-sh--w- c:\documents and settings\stephen.STEPHENADMIN\PrivacIE
2010-05-18 05:37 . 2010-05-18 05:37 -------- d-----w- C:\SMILES, Faces
2010-05-18 05:31 . 2010-05-18 05:31 -------- d-sh--w- c:\documents and settings\Test\PrivacIE
2010-05-18 05:30 . 2010-05-18 05:30 -------- d-sh--w- c:\documents and settings\Test\IETldCache
2010-05-17 10:25 . 2010-05-17 10:25 -------- d-sh--w- c:\documents and settings\stephen m\PrivacIE
2010-05-17 10:25 . 2010-05-17 10:25 -------- d-sh--w- c:\documents and settings\stephen m\IECompatCache
2010-05-14 17:04 . 2010-05-14 17:04 -------- d-sh--w- c:\documents and settings\stephen m\IETldCache
2010-05-14 16:34 . 2010-02-25 06:24 247808 -c----w- c:\windows\system32\dllcache\ieproxy.dll
2010-05-14 16:34 . 2010-02-25 06:24 12800 -c----w- c:\windows\system32\dllcache\xpshims.dll
2010-05-14 08:15 . 2010-05-14 08:15 -------- d-sh--w- c:\documents and settings\LocalService.NT AUTHORITY.000\IETldCache
2010-05-14 08:14 . 2010-05-14 08:14 -------- d-----w- c:\documents and settings\LocalService.NT AUTHORITY.000\Local Settings\Application Data\Temp
2010-05-13 21:45 . 2010-05-13 21:45 -------- d-sh--w- c:\documents and settings\stephen.STEPHENADMIN\IETldCache
2010-05-12 23:05 . 2004-08-04 06:10 61056 -c--a-w- c:\windows\system32\dllcache\ohci1394.sys
2010-05-12 23:05 . 2004-08-04 06:10 61056 ----a-w- c:\windows\system32\drivers\ohci1394.sys
2010-05-12 22:02 . 2010-05-12 22:05 -------- d-----w- c:\documents and settings\Test\Local Settings\Application Data\Temp
2010-05-12 21:05 . 2010-05-13 17:26 -------- d-----w- c:\documents and settings\All Users.WINDOWS\Application Data\Alwil Software
2010-05-12 21:05 . 2010-05-12 21:05 -------- d-----w- c:\program files\Alwil Software
2010-05-12 03:10 . 2010-05-12 08:29 -------- d-----w- c:\documents and settings\Test\Local Settings\Application Data\Adobe
2010-05-11 21:50 . 2010-05-11 21:50 -------- d-----w- c:\documents and settings\Test\Application Data\f-secure
2010-05-11 21:43 . 2010-05-11 21:43 -------- d-----w- c:\documents and settings\stephen.STEPHENADMIN\Application Data\f-secure
2010-05-11 21:43 . 2010-05-11 21:43 -------- d-----w- c:\documents and settings\NetworkService.NT AUTHORITY.000\Local Settings\Application Data\F-Secure
2010-05-11 21:41 . 2010-05-20 22:10 -------- d-----w- c:\program files\Charter Security Suite
2010-05-10 18:28 . 2010-05-11 23:14 -------- d-----w- c:\documents and settings\stephen m\Application Data\f-secure
2010-05-10 08:44 . 2010-05-15 20:02 -------- d-----w- c:\documents and settings\All Users.WINDOWS\Application Data\fssg
2010-05-10 06:15 . 2010-05-12 09:25 -------- d-----w- c:\documents and settings\All Users.WINDOWS\Application Data\f-secure
2010-05-09 21:47 . 2010-05-09 21:47 -------- d-----w- c:\documents and settings\Test\Application Data\IObit
2010-05-09 03:30 . 2010-05-09 03:30 12328 ----a-w- c:\documents and settings\Test\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2010-05-08 22:39 . 2010-05-08 22:39 -------- d-----w- c:\documents and settings\stephen m\Application Data\IObit
2010-05-08 22:12 . 2010-05-08 22:12 -------- d-----w- c:\documents and settings\Test\Local Settings\Application Data\{35435B99-6804-48F2-915E-36B3A9FD33B5}
2010-05-08 06:24 . 2010-05-08 06:24 -------- d-sh--w- c:\documents and settings\All Users.WINDOWS\Application Data\MSTPSNUXUE
2010-05-08 06:21 . 2010-05-12 23:04 -------- d-----w- c:\documents and settings\stephen.STEPHENADMIN\Local Settings\Application Data\omsukyvah
2010-05-05 18:15 . 2010-05-11 19:23 0 ----a-w- c:\documents and settings\stephen m\Local Settings\Application Data\Vkocut.bin
2010-05-05 18:15 . 2010-05-08 21:46 120 ----a-w- c:\documents and settings\stephen m\Local Settings\Application Data\Bdisur.dat
2010-05-03 10:06 . 2010-05-13 09:18 2544 ----a-w- c:\windows\Bdisur.dat
2010-05-03 10:06 . 2010-05-08 08:35 0 ----a-w- c:\windows\Vkocut.bin
2010-05-03 10:05 . 2010-05-03 10:06 -------- d-----w- c:\documents and settings\stephen.STEPHENADMIN\Local Settings\Application Data\{724BFE7E-07D6-40BC-BD64-720CE6012A69}
2010-05-03 10:04 . 2010-05-03 10:04 84992 --sha-r- c:\windows\system32\tssoft325.dll

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-06-01 23:08 . 2009-11-28 13:46 664 ----a-w- c:\windows\system32\d3d9caps.dat
2010-06-01 23:08 . 2009-12-06 23:28 -------- d-----w- c:\documents and settings\stephen.STEPHENADMIN\Application Data\LimeWire
2010-05-31 05:57 . 2009-12-12 07:31 664 ----a-w- c:\documents and settings\stephen m\Local Settings\Application Data\d3d9caps.tmp
2010-05-31 03:52 . 2010-05-31 03:52 -------- d-----w- c:\documents and settings\Guest.STEPHENADMIN\Application Data\Apple Computer
2010-05-26 21:34 . 2009-12-03 17:15 12328 -c--a-w- c:\documents and settings\stephen.STEPHENADMIN\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2010-05-22 08:15 . 2009-11-27 16:09 12328 -c--a-w- c:\documents and settings\stephen m\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2010-05-10 18:33 . 2010-04-24 22:41 -------- d-----w- c:\documents and settings\Test\Application Data\Apple Computer
2010-04-30 11:25 . 2009-10-06 17:51 -------- d-----w- c:\program files\iTunes
2010-04-30 11:25 . 2009-11-14 05:52 -------- d-----w- c:\program files\iPod
2010-04-30 11:21 . 2009-08-03 04:08 -------- d-----w- c:\program files\Bonjour
2010-04-30 11:16 . 2010-04-30 11:16 73000 ----a-w- c:\documents and settings\All Users.WINDOWS\Application Data\Apple Computer\Installer Cache\iTunes 9.1.1.12\SetupAdmin.exe
2010-04-27 17:37 . 2010-04-27 17:37 -------- d-----w- c:\documents and settings\stephen.STEPHENADMIN\Application Data\IObit
2010-04-27 17:37 . 2010-04-23 19:34 -------- d-----w- c:\program files\IObit
2010-04-24 00:55 . 2010-03-15 19:28 -------- d-----w- c:\documents and settings\All Users.WINDOWS\Application Data\Lavasoft
2010-04-23 19:34 . 2010-04-23 19:34 -------- d-----w- c:\documents and settings\All Users.WINDOWS\Application Data\IObit
2010-04-23 19:28 . 2010-04-23 19:25 -------- d-----w- c:\documents and settings\stephen.STEPHENADMIN\Application Data\CBS Interactive
2010-04-23 19:25 . 2010-04-23 19:25 -------- d-----w- c:\documents and settings\stephen.STEPHENADMIN\Application Data\OpenCandy
2010-04-23 19:25 . 2010-04-23 19:25 549590 ----a-w- c:\documents and settings\stephen.STEPHENADMIN\Application Data\OpenCandy\OC1NSSstubWrapped.exe
2010-04-23 19:25 . 2010-04-23 19:25 257009 ----a-w- c:\documents and settings\stephen.STEPHENADMIN\Application Data\OpenCandy\NSSDLMGR.exe
2010-03-27 13:26 . 2010-03-27 13:26 45056 ----a-w- c:\documents and settings\All Users.WINDOWS\Application Data\Real\RealPlayer\BrowserRecordPlugin\ThinShims\rpnpshimwmp.dll
2010-03-27 13:26 . 2010-03-27 13:26 49152 ----a-w- c:\documents and settings\All Users.WINDOWS\Application Data\Real\RealPlayer\BrowserRecordPlugin\Firefox\Ext\Components\nprpffbrowserrecordext.dll
2010-03-27 13:26 . 2010-03-27 13:26 45056 ----a-w- c:\documents and settings\All Users.WINDOWS\Application Data\Real\RealPlayer\BrowserRecordPlugin\ThinShims\rpnpshimswf.dll
2010-03-27 13:26 . 2010-03-27 13:26 45056 ----a-w- c:\documents and settings\All Users.WINDOWS\Application Data\Real\RealPlayer\BrowserRecordPlugin\ThinShims\rpnpshimrp.dll
2010-03-27 13:26 . 2010-03-27 13:26 45056 ----a-w- c:\documents and settings\All Users.WINDOWS\Application Data\Real\RealPlayer\BrowserRecordPlugin\ThinShims\rpnpshimqt.dll
2010-03-27 13:26 . 2010-03-27 13:26 40960 ----a-w- c:\documents and settings\All Users.WINDOWS\Application Data\Real\RealPlayer\BrowserRecordPlugin\Chrome\Hook\rpchromebrowserrecordhelper.dll
2010-03-27 13:26 . 2010-03-27 13:26 341600 ----a-w- c:\documents and settings\All Users.WINDOWS\Application Data\Real\RealPlayer\BrowserRecordPlugin\IE\rpbrowserrecordplugin.dll
2010-03-27 13:26 . 2010-03-27 13:26 308808 ----a-w- c:\documents and settings\All Users.WINDOWS\Application Data\Real\RealPlayer\BrowserRecordPlugin\Common\rpmainbrowserrecordplugin.dll
2010-03-27 13:26 . 2010-03-27 13:26 14848 ----a-w- c:\documents and settings\All Users.WINDOWS\Application Data\Real\RealPlayer\BrowserRecordPlugin\MozillaPlugins\nprphtml5videoshim.dll
2010-03-27 13:25 . 2009-11-29 03:28 499712 ----a-w- c:\windows\system32\msvcp71.dll
2010-03-27 13:25 . 2009-11-29 03:28 348160 ----a-w- c:\windows\system32\msvcr71.dll
2010-03-12 19:32 . 2010-03-12 19:32 497016 ----a-w- c:\documents and settings\stephen.STEPHENADMIN\Application Data\OpenCandy\NSSstub.exe
2010-03-10 06:15 . 2006-02-28 12:00 420352 ----a-w- c:\windows\system32\vbscript.dll
.

 

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"High Definition Audio Property Page Shortcut"="CHDAudPropShortcut.exe" [2006-07-27 61952]
"AirPort Base Station Agent"="c:\program files\AirPort\APAgent.exe" [2009-05-27 753664]
"TkBellExe"="c:\program files\Common Files\Real\Update_OB\realsched.exe" [2010-03-27 202256]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2010-04-04 36272]
"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2010-03-24 952768]
"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2010-03-18 421888]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2010-04-28 142120]

c:\documents and settings\stephen.STEPHENADMIN\Start Menu\Programs\Startup\
LimeWire On Startup.lnk - c:\program files\LimeWire\LimeWire.exe [2010-3-16 503808]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Wdf01000.sys]
@="Driver"

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusOverride"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\LimeWire\\LimeWire.exe"=
"c:\\Program Files\\AirPort\\APAgent.exe"=
"c:\\Program Files\\Mozilla Firefox\\firefox.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"5353:UDP"= 5353:UDP:Bonjour
"3389:TCP"= 3389:TCP:@xpsp2res.dll,-22009

S2 gupdate;Google Update Service (gupdate);c:\program files\Google\Update\GoogleUpdate.exe [5/27/2009 7:18 PM 133104]
.
Contents of the 'Scheduled Tasks' folder

2010-05-25 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 19:34]

2010-06-01 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files\Google\Update\GoogleUpdate.exe [2009-05-28 02:18]

2010-06-01 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files\Google\Update\GoogleUpdate.exe [2009-05-28 02:18]

2010-04-24 c:\windows\Tasks\Install_NSS.job
- c:\documents and settings\stephen.STEPHENADMIN\Application Data\OpenCandy\NSSstub.exe [2010-03-12 19:32]

2010-06-01 c:\windows\Tasks\RealUpgradeLogonTaskS-1-5-21-1708537768-813497703-839522115-1003.job
- c:\program files\Real\RealUpgrade\realupgrade.exe [2010-02-25 05:09]

2010-06-01 c:\windows\Tasks\RealUpgradeLogonTaskS-1-5-21-1708537768-813497703-839522115-1004.job
- c:\program files\Real\RealUpgrade\realupgrade.exe [2010-02-25 05:09]

2010-06-01 c:\windows\Tasks\RealUpgradeLogonTaskS-1-5-21-1708537768-813497703-839522115-1005.job
- c:\program files\Real\RealUpgrade\realupgrade.exe [2010-02-25 05:09]

2010-06-01 c:\windows\Tasks\RealUpgradeScheduledTaskS-1-5-21-1708537768-813497703-839522115-1003.job
- c:\program files\Real\RealUpgrade\realupgrade.exe [2010-02-25 05:09]

2010-05-30 c:\windows\Tasks\RealUpgradeScheduledTaskS-1-5-21-1708537768-813497703-839522115-1004.job
- c:\program files\Real\RealUpgrade\realupgrade.exe [2010-02-25 05:09]

2010-05-30 c:\windows\Tasks\RealUpgradeScheduledTaskS-1-5-21-1708537768-813497703-839522115-1005.job
- c:\program files\Real\RealUpgrade\realupgrade.exe [2010-02-25 05:09]
.
.
------- Supplementary Scan -------
.
uInternet Connection Wizard,ShellNext = iexplore
uInternet Settings,ProxyOverride = <local>
TCP: {511AF471-4F5F-4506-8B7D-33239408EAE1} = 195.242.208.40
TCP: {92DA617D-43A4-4B4E-8955-34F1ABD920DB} = 195.242.208.40
DPF: {402EE96E-2CE8-482D-ADA5-CECEEA07E16D} - hxxp://www.turntool.com/ViewerInstall.exe
FF - ProfilePath - c:\documents and settings\stephen.STEPHENADMIN\Application Data\Mozilla\Firefox\Profiles\6fgeb4bx.default\
FF - prefs.js: browser.startup.homepage -
FF - prefs.js: keyword.URL - hxxp://bing.zugotoolbar.com/s/?iesrc=IE-Address&site=Bing&q=
FF - component: c:\documents and settings\All Users.WINDOWS\Application Data\Real\RealPlayer\BrowserRecordPlugin\Firefox\Ext\components\nprpffbrowserrecordext.dll
FF - plugin: c:\documents and settings\All Users.WINDOWS\Application Data\Real\RealPlayer\BrowserRecordPlugin\MozillaPlugins\nprphtml5videoshim.dll
FF - plugin: c:\program files\Google\Google Earth\plugin\npgeplugin.dll
FF - plugin: c:\program files\Google\Update\1.2.183.23\npGoogleOneClick8.dll
FF - HiddenExtension: XULRunner: {724BFE7E-07D6-40BC-BD64-720CE6012A69} - c:\documents and settings\stephen.STEPHENADMIN\Local Settings\Application Data\{724BFE7E-07D6-40BC-BD64-720CE6012A69}
FF - HiddenExtension: XULRunner: {35435B99-6804-48F2-915E-36B3A9FD33B5} - c:\documents and settings\Test\Local Settings\Application Data\{35435B99-6804-48F2-915E-36B3A9FD33B5}

---- FIREFOX POLICIES ----
c:\program files\Mozilla Firefox\greprefs\all.js - pref("ui.use_native_colors", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.auth.force-generic-ntlm", false);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("svg.smil.enabled", false);
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.allow_unrestricted_renego_everywhere__temporarily_available_pref", true);
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.renego_unrestricted_hosts", "");
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.treat_unsafe_negotiation_as_broken", false);
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.require_safe_negotiation", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.name", "chrome://browser/locale/browser.properties");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.description", "chrome://browser/locale/browser.properties");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("plugins.update.notifyUser", false);
.
- - - - ORPHANS REMOVED - - - -

Toolbar-{CCC7A320-B3CA-4199-B1A6-9F516DD69829} - (no file)
WebBrowser-{CCC7A320-B3CA-4199-B1A6-9F516DD69829} - (no file)
WebBrowser-{374D658D-FE8A-49A9-B36D-0E9F0980DDDC} - (no file)


**************************************************************************
scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files:

**************************************************************************
.
Completion time: 2010-06-01 16:26:02
ComboFix-quarantined-files.txt 2010-06-01 23:26

Pre-Run: 65,324,212,224 bytes free
Post-Run: 65,473,724,416 bytes free

WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Professional" /noexecute=optin /fastdetect /usepmtimer

- - End Of File - - 24285FCD68F488E6084AB661002EADBC
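
Reading a ComboFix log like the one above by hand is what the helper does in this thread; the Python below is an added example (not part of the thread, and not a ComboFix or IObit tool) that applies the same checks mechanically. It parses the dated file lines, the bare "Other Deletions" paths and the REGEDIT4 values, and flags hidden+system files under c:\windows, random-looking DLLs sitting directly in c:\windows, and the AntiVirusOverride, EnableFirewall and 3389:TCP values that appear in this log; the heuristics, the `triage` function and the sample lines (copied from the log above) are my own constructions.

```python
"""Triage helper for ComboFix-style logs.

Added example for this thread, not a ComboFix or IObit tool. It parses the
dated file lines of the "Files Created" / "Find3M" sections, the bare paths of
"Other Deletions", and the REGEDIT4 values, then applies heuristics that mirror
what a helper looks for when reading such a log by hand.
"""
import re
from typing import List, Tuple

# Dated file line, e.g.
#   2010-05-03 10:04 . 2010-05-03 10:04 84992 --sha-r- c:\windows\system32\tssoft325.dll
# The 8-character attribute field uses d/c/s/h/a/r/w for directory, compressed,
# system, hidden, archive, read-only and writable.
FILE_LINE = re.compile(
    r"^(?P<created>\d{4}-\d{2}-\d{2} \d{2}:\d{2}) \. "
    r"(?P<modified>\d{4}-\d{2}-\d{2} \d{2}:\d{2}) "
    r"(?P<size>-+|\d+) (?P<attrs>[a-z-]{8}) (?P<path>.+)$"
)
# Bare path line as printed under "Other Deletions".
BARE_PATH = re.compile(r"^[a-z]:\\.+$", re.IGNORECASE)
# REGEDIT4 value line: "Name"=value (lines with an empty value are ignored).
REG_VALUE = re.compile(r'^"(?P<name>[^"]+)"\s*=\s*(?P<value>.+)$')
# Heuristic (my own): a DLL directly in c:\windows whose stem is eight or more
# letters. Legitimate files there rarely look like this; the dozens of
# "Other Deletions" entries in the log above all do.
RANDOM_DLL = re.compile(r"^c:\\windows\\[a-z]{8,}\.dll$", re.IGNORECASE)

Finding = Tuple[str, str]  # (reason, offending log line)


def check_path(path: str, attrs: str = "") -> str:
    """Return a reason string if the path looks suspicious, else ''."""
    low = path.lower()
    is_dir = attrs.startswith("d")
    if (attrs and not is_dir and "s" in attrs and "h" in attrs
            and low.startswith("c:\\windows\\")):
        return "hidden+system file in the Windows tree"
    if RANDOM_DLL.match(low):
        return "random-looking DLL directly under c:\\windows"
    return ""


def check_registry(name: str, value: str) -> str:
    """Return a reason string for registry values that weaken defences."""
    value = value.strip()
    if name == "AntiVirusOverride" and value.endswith("1"):
        return "Security Center antivirus alerts suppressed"
    if name == "EnableFirewall" and value.startswith("0"):
        return "Windows Firewall disabled for this profile"
    if name == "3389:TCP":
        return "RDP port 3389 opened through the firewall"
    return ""


def triage(lines: List[str]) -> List[Finding]:
    """Run every heuristic over the log lines and collect the hits in order."""
    findings: List[Finding] = []
    for raw in lines:
        line = raw.strip()
        if not line:
            continue
        m = FILE_LINE.match(line)
        if m:
            reason = check_path(m.group("path"), m.group("attrs"))
        elif BARE_PATH.match(line):
            reason = check_path(line)
        else:
            m = REG_VALUE.match(line)
            reason = check_registry(m.group("name"), m.group("value")) if m else ""
        if reason:
            findings.append((reason, line))
    return findings


# Sample input: lines copied from the ComboFix log posted above in this thread.
SAMPLE_LOG = r"""
2010-05-03 10:04 . 2010-05-03 10:04 84992 --sha-r- c:\windows\system32\tssoft325.dll
2010-05-12 23:05 . 2004-08-04 06:10 61056 ----a-w- c:\windows\system32\drivers\ohci1394.sys
2010-05-08 06:24 . 2010-05-08 06:24 -------- d-sh--w- c:\documents and settings\All Users.WINDOWS\Application Data\MSTPSNUXUE
c:\windows\abememapiqiyonox.dll
c:\windows\system32\_000006_.tmp.dll
"AntiVirusOverride"=dword:00000001
"EnableFirewall"= 0 (0x0)
"3389:TCP"= 3389:TCP:@xpsp2res.dll,-22009
"5353:UDP"= 5353:UDP:Bonjour
""".strip().splitlines()


if __name__ == "__main__":
    for reason, line in triage(SAMPLE_LOG):
        print(f"[{reason}] {line}")
```

Entries like the hidden directory MSTPSNUXUE or the tmp.dll in system32 are deliberately not flagged by these few rules, which is why the helper still reads the full log rather than trusting a script.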

Posted

Delete your current version of ComboFix and download it again!

Download ComboFix© by sUBs from one of the below links. Be sure to save it to the Desktop.

Link #1
Link #2

Note: It is important that it is saved directly to your Desktop.

Close any open Web browsers (Firefox, Internet Explorer, etc.) before starting ComboFix.

Temporarily disable your antivirus and any antispyware real-time protection before performing a scan. Click this link to see a list of security programs that should be disabled and how to disable them.

Double click combofix.exe & follow the prompts.

When finished, ComboFix will produce a log for you.
Post the ComboFix log in your next reply.

Important: Do not mouse-click ComboFix's window while it is running. That may cause it to stall.

Remember to re-enable your antivirus and antispyware protection when ComboFix is complete.

If you have problems with ComboFix usage, see How to use ComboFix

Posted

Evil, I downloaded it a first time and forgot to turn off Firefox. So I did it again, closing Firefox and disabling Charter Security Suite. Here are the results.

 

ComboFix 10-06-13.01 - Stephen 45 06/14/2010 0:22.3.2 - x86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.959.693 [GMT -7:00]
Running from: c:\documents and settings\Stephen 45\Desktop\ComboFix.exe
AV: Charter Security Suite 9.01 *On-access scanning disabled* (Updated) {E7512ED5-4245-4B4D-AF3A-382D3F313F15}
FW: Charter Security Suite 9.01 *disabled* {D4747503-0346-49EB-9262-997542F79BF4}
.

((((((((((((((((((((((((( Files Created from 2010-05-14 to 2010-06-14 )))))))))))))))))))))))))))))))
.

2010-06-12 03:28 . 2010-05-06 10:41 743424 -c----w- c:\windows\system32\dllcache\iedvtool.dll
2010-06-08 08:27 . 2010-06-08 21:02 -------- d-----w- c:\documents and settings\Stephen 45\Local Settings\Application Data\Adobe
2010-06-07 10:11 . 2010-06-07 10:11 -------- d-----w- c:\documents and settings\Stephen 45\Application Data\F-Secure
2010-06-06 06:54 . 2010-06-06 06:54 -------- d-----w- c:\documents and settings\Stephen 45\Local Settings\Application Data\Mozilla
2010-06-06 03:43 . 2010-06-06 03:43 -------- d-sh--w- c:\documents and settings\Stephen 45\PrivacIE
2010-06-06 03:43 . 2010-06-06 03:43 -------- d-----w- c:\documents and settings\Stephen 45\Application Data\Apple Computer
2010-06-06 03:43 . 2010-06-06 03:43 -------- d-----w- c:\documents and settings\Stephen 45\Local Settings\Application Data\Apple Computer
2010-06-03 13:07 . 2010-06-03 13:08 -------- d-----w- c:\documents and settings\Guest.STEPHENADMIN\Local Settings\Application Data\Adobe
2010-06-03 12:59 . 2010-06-03 12:59 -------- d-sh--w- c:\documents and settings\Guest.STEPHENADMIN\IECompatCache
2010-06-02 06:25 . 2010-06-02 06:32 33920 ----a-w- c:\windows\system32\drivers\fsbts.sys
2010-06-02 06:24 . 2009-08-05 15:57 80000 ----a-w- c:\windows\system32\drivers\fsdfw.sys
2010-06-01 00:23 . 2010-06-01 00:23 -------- d-----w- C:\_OTM
2010-05-31 11:06 . 2010-05-31 11:06 -------- d-----w- c:\program files\TrendMicro
2010-05-31 03:52 . 2010-05-31 03:52 -------- d-sh--w- c:\documents and settings\Guest.STEPHENADMIN\PrivacIE
2010-05-31 03:52 . 2010-05-31 03:52 -------- d-----w- c:\documents and settings\Guest.STEPHENADMIN\Local Settings\Application Data\Apple Computer
2010-05-31 03:52 . 2010-05-31 03:52 -------- d-----w- c:\documents and settings\Guest.STEPHENADMIN\Application Data\Apple Computer
2010-05-29 23:12 . 2010-05-29 23:12 -------- d-----w- c:\program files\Trend Micro
2010-05-28 20:37 . 2010-05-28 20:37 -------- d-----w- c:\windows\Downloaded Installations
2010-05-26 04:56 . 2010-05-26 04:57 -------- dc-h--w- c:\windows\ie8
2010-05-19 14:20 . 2010-05-19 14:20 -------- d-----w- c:\documents and settings\All Users.WINDOWS\Application Data\Malwarebytes
2010-05-18 05:37 . 2010-05-18 05:37 -------- d-----w- C:\SMILES, Faces
2010-05-18 05:31 . 2010-05-18 05:31 -------- d-sh--w- c:\documents and settings\Test\PrivacIE
2010-05-18 05:30 . 2010-05-18 05:30 -------- d-sh--w- c:\documents and settings\Test\IETldCache

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-06-13 22:39 . 2009-11-28 13:46 664 ----a-w- c:\windows\system32\d3d9caps.dat
2010-06-08 19:04 . 2009-08-03 04:08 -------- d-----w- c:\program files\Bonjour
2010-06-02 06:51 . 2010-05-11 21:41 -------- d-----w- c:\program files\Charter Security Suite
2010-06-02 06:24 . 2010-05-10 06:15 -------- d-----w- c:\documents and settings\All Users.WINDOWS\Application Data\f-secure
2010-06-02 06:23 . 2010-05-10 08:44 -------- d-----w- c:\documents and settings\All Users.WINDOWS\Application Data\fssg
2010-05-13 17:26 . 2010-05-12 21:05 -------- d-----w- c:\documents and settings\All Users.WINDOWS\Application Data\Alwil Software
2010-05-13 09:18 . 2010-05-03 10:06 2544 ----a-w- c:\windows\Bdisur.dat
2010-05-12 21:05 . 2010-05-12 21:05 -------- d-----w- c:\program files\Alwil Software
2010-05-11 21:50 . 2010-05-11 21:50 -------- d-----w- c:\documents and settings\Test\Application Data\f-secure
2010-05-10 18:33 . 2010-04-24 22:41 -------- d-----w- c:\documents and settings\Test\Application Data\Apple Computer
2010-05-09 21:47 . 2010-05-09 21:47 -------- d-----w- c:\documents and settings\Test\Application Data\IObit
2010-05-09 03:30 . 2010-05-09 03:30 12328 ----a-w- c:\documents and settings\Test\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2010-05-08 08:35 . 2010-05-03 10:06 0 ----a-w- c:\windows\Vkocut.bin
2010-05-08 06:24 . 2010-05-08 06:24 -------- d-sh--w- c:\documents and settings\All Users.WINDOWS\Application Data\MSTPSNUXUE
2010-05-06 10:41 . 2006-02-28 12:00 916480 ----a-w- c:\windows\system32\wininet.dll
2010-05-03 10:04 . 2010-05-03 10:04 84992 --sha-r- c:\windows\system32\tssoft325.dll
2010-05-02 05:56 . 2006-02-28 12:00 1850880 ----a-w- c:\windows\system32\win32k.sys
2010-04-30 11:25 . 2009-10-06 17:51 -------- d-----w- c:\program files\iTunes
2010-04-30 11:25 . 2009-11-14 05:52 -------- d-----w- c:\program files\iPod
2010-04-30 11:16 . 2010-04-30 11:16 73000 ----a-w- c:\documents and settings\All Users.WINDOWS\Application Data\Apple Computer\Installer Cache\iTunes 9.1.1.12\SetupAdmin.exe
2010-04-27 17:37 . 2010-04-23 19:34 -------- d-----w- c:\program files\IObit
2010-04-24 00:55 . 2010-03-15 19:28 -------- d-----w- c:\documents and settings\All Users.WINDOWS\Application Data\Lavasoft
2010-04-23 19:34 . 2010-04-23 19:34 -------- d-----w- c:\documents and settings\All Users.WINDOWS\Application Data\IObit
2010-03-27 13:26 . 2010-03-27 13:26 45056 ----a-w- c:\documents and settings\All Users.WINDOWS\Application Data\Real\RealPlayer\BrowserRecordPlugin\ThinShims\rpnpshimwmp.dll
2010-03-27 13:26 . 2010-03-27 13:26 49152 ----a-w- c:\documents and settings\All Users.WINDOWS\Application Data\Real\RealPlayer\BrowserRecordPlugin\Firefox\Ext\Components\nprpffbrowserrecordext.dll
2010-03-27 13:26 . 2010-03-27 13:26 45056 ----a-w- c:\documents and settings\All Users.WINDOWS\Application Data\Real\RealPlayer\BrowserRecordPlugin\ThinShims\rpnpshimswf.dll
2010-03-27 13:26 . 2010-03-27 13:26 45056 ----a-w- c:\documents and settings\All Users.WINDOWS\Application Data\Real\RealPlayer\BrowserRecordPlugin\ThinShims\rpnpshimrp.dll
2010-03-27 13:26 . 2010-03-27 13:26 45056 ----a-w- c:\documents and settings\All Users.WINDOWS\Application Data\Real\RealPlayer\BrowserRecordPlugin\ThinShims\rpnpshimqt.dll
2010-03-27 13:26 . 2010-03-27 13:26 40960 ----a-w- c:\documents and settings\All Users.WINDOWS\Application Data\Real\RealPlayer\BrowserRecordPlugin\Chrome\Hook\rpchromebrowserrecordhelper.dll
2010-03-27 13:26 . 2010-03-27 13:26 341600 ----a-w- c:\documents and settings\All Users.WINDOWS\Application Data\Real\RealPlayer\BrowserRecordPlugin\IE\rpbrowserrecordplugin.dll
2010-03-27 13:26 . 2010-03-27 13:26 308808 ----a-w- c:\documents and settings\All Users.WINDOWS\Application Data\Real\RealPlayer\BrowserRecordPlugin\Common\rpmainbrowserrecordplugin.dll
2010-03-27 13:26 . 2010-03-27 13:26 14848 ----a-w- c:\documents and settings\All Users.WINDOWS\Application Data\Real\RealPlayer\BrowserRecordPlugin\MozillaPlugins\nprphtml5videoshim.dll
2010-03-27 13:25 . 2009-11-29 03:28 499712 ----a-w- c:\windows\system32\msvcp71.dll
2010-03-27 13:25 . 2009-11-29 03:28 348160 ----a-w- c:\windows\system32\msvcr71.dll
.

((((((((((((((((((((((((((((( SnapShot_2010-06-14_07.06.18 )))))))))))))))))))))))))))))))))))))))))
.
+ 2006-02-28 12:00 . 2010-06-14 07:15 73744 c:\windows\system32\perfc009.dat
+ 2006-02-28 12:00 . 2010-06-14 07:15 370664 c:\windows\system32\perfh009.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"High Definition Audio Property Page Shortcut"="CHDAudPropShortcut.exe" [2006-07-27 61952]
"AirPort Base Station Agent"="c:\program files\AirPort\APAgent.exe" [2009-05-27 753664]
"TkBellExe"="c:\program files\Common Files\Real\Update_OB\realsched.exe" [2010-03-27 202256]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2010-04-04 36272]
"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2010-03-24 952768]
"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2010-03-18 421888]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2010-04-28 142120]
"F-Secure Manager"="c:\program files\Charter Security Suite\Common\FSM32.EXE" [2009-08-05 199264]
"F-Secure TNB"="c:\program files\Charter Security Suite\FSGUI\TNBUtil.exe" [2009-08-05 2349664]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Wdf01000.sys]
@="Driver"

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusOverride"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\LimeWire\\LimeWire.exe"=
"c:\\Program Files\\AirPort\\APAgent.exe"=
"c:\\Program Files\\Mozilla Firefox\\firefox.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"5353:UDP"= 5353:UDP:Bonjour
"3389:TCP"= 3389:TCP:@xpsp2res.dll,-22009

R0 fsbts;fsbts;c:\windows\system32\drivers\fsbts.sys [6/1/2010 11:25 PM 33920]
R0 FSFW;F-Secure Firewall Driver;c:\windows\system32\drivers\fsdfw.sys [6/1/2010 11:24 PM 80000]
R1 F-Secure HIPS;F-Secure HIPS Driver;c:\program files\Charter Security Suite\HIPS\drivers\fshs.sys [6/1/2010 11:24 PM 68064]
R3 F-Secure Gatekeeper;F-Secure Gatekeeper;c:\program files\Charter Security Suite\Anti-Virus\minifilter\fsgk.sys [6/1/2010 11:23 PM 113864]
S2 gupdate;Google Update Service (gupdate);c:\program files\Google\Update\GoogleUpdate.exe [5/27/2009 7:18 PM 133104]
S3 FSORSPClient;F-Secure ORSP Client;c:\program files\Charter Security Suite\ORSP Client\fsorsp.exe [6/1/2010 11:24 PM 55992]
S4 F-Secure Filter;F-Secure File System Filter;c:\program files\Charter Security Suite\Anti-Virus\win2k\fsfilter.sys [6/1/2010 11:23 PM 39776]

S4 F-Secure Recognizer;F-Secure File System Recognizer;c:\program files\Charter Security Suite\Anti-Virus\win2k\fsrec.sys [6/1/2010 11:23 PM 25184]

.

Contents of the 'Scheduled Tasks' folder

 

2010-05-25 c:\windows\Tasks\AppleSoftwareUpdate.job

- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 19:34]

 

2010-06-14 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job

- c:\program files\Google\Update\GoogleUpdate.exe [2009-05-28 02:18]

 

2010-06-14 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job

- c:\program files\Google\Update\GoogleUpdate.exe [2009-05-28 02:18]

 

2010-06-14 c:\windows\Tasks\RealUpgradeLogonTaskS-1-5-21-1708537768-813497703-839522115-1003.job

- c:\program files\Real\RealUpgrade\realupgrade.exe [2010-02-25 05:09]

 

2010-06-14 c:\windows\Tasks\RealUpgradeLogonTaskS-1-5-21-1708537768-813497703-839522115-1004.job

- c:\program files\Real\RealUpgrade\realupgrade.exe [2010-02-25 05:09]

 

2010-06-14 c:\windows\Tasks\RealUpgradeLogonTaskS-1-5-21-1708537768-813497703-839522115-1005.job

- c:\program files\Real\RealUpgrade\realupgrade.exe [2010-02-25 05:09]

 

2010-06-14 c:\windows\Tasks\RealUpgradeLogonTaskS-1-5-21-1708537768-813497703-839522115-1008.job

- c:\program files\Real\RealUpgrade\realupgrade.exe [2010-02-25 05:09]

 

2010-06-13 c:\windows\Tasks\RealUpgradeScheduledTaskS-1-5-21-1708537768-813497703-839522115-1003.job

- c:\program files\Real\RealUpgrade\realupgrade.exe [2010-02-25 05:09]

 

2010-06-06 c:\windows\Tasks\RealUpgradeScheduledTaskS-1-5-21-1708537768-813497703-839522115-1004.job

- c:\program files\Real\RealUpgrade\realupgrade.exe [2010-02-25 05:09]

 

2010-06-06 c:\windows\Tasks\RealUpgradeScheduledTaskS-1-5-21-1708537768-813497703-839522115-1005.job

- c:\program files\Real\RealUpgrade\realupgrade.exe [2010-02-25 05:09]

 

2010-06-14 c:\windows\Tasks\RealUpgradeScheduledTaskS-1-5-21-1708537768-813497703-839522115-1008.job

- c:\program files\Real\RealUpgrade\realupgrade.exe [2010-02-25 05:09]

 

2010-06-14 c:\windows\Tasks\Scheduled scanning task.job

- c:\progra~1\CHARTE~2\ANTI-V~1\fsav.exe [2010-06-02 15:56]

.

.

------- Supplementary Scan -------

.

uStart Page = about:blank

LSP: c:\program files\Charter Security Suite\FSPS\program\FSLSP.DLL

TCP: {511AF471-4F5F-4506-8B7D-33239408EAE1} = 195.242.208.40

TCP: {92DA617D-43A4-4B4E-8955-34F1ABD920DB} = 195.242.208.40

DPF: {402EE96E-2CE8-482D-ADA5-CECEEA07E16D} - hxxp://www.turntool.com/ViewerInstall.exe

FF - ProfilePath - c:\documents and settings\Stephen 45\Application Data\Mozilla\Firefox\Profiles\jcj3wrvv.default\

FF - prefs.js: browser.startup.homepage -

FF - component: c:\documents and settings\All Users.WINDOWS\Application Data\Real\RealPlayer\BrowserRecordPlugin\Firefox\Ext\components\nprpffbrowserrecordext.dll

FF - component: c:\program files\Charter Security Suite\NRS\litmus-ff@f-secure.com\components\litmus-ff.dll

FF - plugin: c:\documents and settings\All Users.WINDOWS\Application Data\Real\RealPlayer\BrowserRecordPlugin\MozillaPlugins\nprphtml5videoshim.dll

FF - plugin: c:\program files\Google\Google Earth\plugin\npgeplugin.dll

FF - plugin: c:\program files\Google\Update\1.2.183.23\npGoogleOneClick8.dll

 

---- FIREFOX POLICIES ----

c:\program files\Mozilla Firefox\greprefs\all.js - pref("ui.use_native_colors", true);

c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.auth.force-generic-ntlm", false);

c:\program files\Mozilla Firefox\greprefs\all.js - pref("svg.smil.enabled", false);

c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.allow_unrestricted_renego_everywhere__temporarily_available_pref", true);

c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.renego_unrestricted_hosts", "");

c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.treat_unsafe_negotiation_as_broken", false);

c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.require_safe_negotiation", false);

c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.name", "chrome://browser/locale/browser.properties");

c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.description", "chrome://browser/locale/browser.properties");

c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("plugins.update.notifyUser", false);

.

 

**************************************************************************

 

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net

Rootkit scan 2010-06-14 00:26

Windows 5.1.2600 Service Pack 2 NTFS

 

scanning hidden processes ...

 

scanning hidden autostart entries ...

 

scanning hidden files ...

 

scan completed successfully

hidden files: 0

 

**************************************************************************

.

--------------------- DLLs Loaded Under Running Processes ---------------------

 

- - - - - - - > 'winlogon.exe'(688)

c:\program files\charter security suite\hips\fshook32.dll

 

- - - - - - - > 'lsass.exe'(744)

c:\program files\Charter Security Suite\FSPS\program\FSLSP.DLL

c:\program files\charter security suite\hips\fshook32.dll

 

- - - - - - - > 'explorer.exe'(3112)

c:\windows\system32\WININET.dll

c:\windows\system32\ieframe.dll

c:\windows\system32\webcheck.dll

c:\windows\system32\WPDShServiceObj.dll

c:\windows\system32\PortableDeviceTypes.dll

c:\windows\system32\PortableDeviceApi.dll

.

Completion time: 2010-06-14 00:28:04

ComboFix-quarantined-files.txt 2010-06-14 07:28

ComboFix2.txt 2010-06-14 07:07

ComboFix3.txt 2010-06-01 23:26

 

Pre-Run: 62,574,477,312 bytes free

Post-Run: 62,561,624,064 bytes free

 

- - End Of File - - 1F093DD93DBD5E719967038C45BB8074
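One way to read the 'Reg Loading Points' and 'Supplementary Scan' sections of a log like the one above programmatically. This is an added example for this thread, not part of the post and not ComboFix's own code: it parses the REGEDIT4-style dump and flags the settings a responder would check first. SAMPLE_LOG is copied from the log lines above; the severity labels, the REMOTE_ACCESS_PORTS table and the "relative Run path" heuristic are the example's own assumptions, and a flag is a prompt to verify, not a verdict.

```python
# Triage of the 'Reg Loading Points' / 'Supplementary Scan' part of a ComboFix log.
# Added example for this thread, not part of the post and not ComboFix code.
# SAMPLE_LOG is copied from the log posted above; severities, the port table and
# the relative-path heuristic are this example's own assumptions.
import re
from typing import Dict, List, Optional, Tuple

SAMPLE_LOG = r"""
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"High Definition Audio Property Page Shortcut"="CHDAudPropShortcut.exe" [2006-07-27 61952]
"AirPort Base Station Agent"="c:\program files\AirPort\APAgent.exe" [2009-05-27 753664]

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusOverride"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"5353:UDP"= 5353:UDP:Bonjour
"3389:TCP"= 3389:TCP:@xpsp2res.dll,-22009

DPF: {402EE96E-2CE8-482D-ADA5-CECEEA07E16D} - hxxp://www.turntool.com/ViewerInstall.exe
"""

KEY_RE = re.compile(r"^\[(.+)\]$")
VALUE_RE = re.compile(r'^"([^"]+)"\s*=\s*(.*)$')
DPF_RE = re.compile(r"^DPF:\s*(\{[0-9A-Fa-f-]+\})\s*-\s*(\S+)")
# Assumption: inbound services a reviewer would not expect globally open on a home PC.
REMOTE_ACCESS_PORTS = {3389: "RDP", 5900: "VNC", 23: "Telnet", 22: "SSH"}
Finding = Tuple[str, str]  # (severity, message)


def parse_log(text: str) -> Tuple[Dict[str, Dict[str, str]], List[Tuple[str, str]]]:
    """Return ({key_path.lower(): {value_name: raw_value}}, [(clsid, url)])."""
    keys: Dict[str, Dict[str, str]] = {}
    dpf: List[Tuple[str, str]] = []
    current: Optional[str] = None
    for line in (l.strip() for l in text.splitlines()):
        if m := KEY_RE.match(line):
            current = m.group(1).lower()
            keys.setdefault(current, {})
        elif m := DPF_RE.match(line):
            dpf.append((m.group(1), m.group(2)))
        elif (m := VALUE_RE.match(line)) and current is not None:
            keys[current][m.group(1)] = m.group(2).strip()
    return keys, dpf


def parse_int(raw: str) -> Optional[int]:
    """ComboFix writes numbers as 'dword:00000001' or '0 (0x0)'."""
    raw = raw.strip()
    if raw.lower().startswith("dword:"):
        return int(raw[6:], 16)
    m = re.match(r"\d+", raw)
    return int(m.group(0)) if m else None


def values_under(keys: Dict[str, Dict[str, str]], suffix: str) -> Dict[str, str]:
    """Match on a path suffix so HKLM\\~ and HKEY_LOCAL_MACHINE spellings both work."""
    return next((v for k, v in keys.items() if k.endswith(suffix.lower())), {})


def triage(text: str) -> List[Finding]:
    keys, dpf = parse_log(text)
    findings: List[Finding] = []
    # With AntiVirusOverride set, XP Security Center stops warning that no working AV is registered.
    sc = values_under(keys, r"\microsoft\security center")
    if parse_int(sc.get("AntiVirusOverride", "0")) == 1:
        findings.append(("high", "Security Center AntiVirusOverride=1: missing/outdated-AV warnings suppressed"))
    # Windows Firewall switched off for the standard profile.
    fw = values_under(keys, r"\firewallpolicy\standardprofile")
    if parse_int(fw.get("EnableFirewall", "1")) == 0:
        findings.append(("high", "Windows Firewall disabled in the standard profile (EnableFirewall=0)"))
    # Globally open ports are reachable on every network the machine joins, even with the firewall on.
    for name in values_under(keys, r"\globallyopenports\list"):
        port_str, proto = name.split(":", 1)
        port = int(port_str)
        if proto.upper() == "TCP" and port in REMOTE_ACCESS_PORTS:
            findings.append(("high", f"TCP {port} ({REMOTE_ACCESS_PORTS[port]}) globally open in the firewall policy"))
    # A Run value given as a bare file name resolves through the search path, not a fixed location.
    for name, raw in values_under(keys, r"\currentversion\run").items():
        m = re.match(r'^"([^"]*)"', raw)
        path = m.group(1) if m else raw
        if not re.match(r"^[A-Za-z]:\\", path):
            findings.append(("info", f"Run entry '{name}' uses a relative binary name: {path}"))
    # DPF entries are ActiveX controls installed from a URL; ComboFix defangs http:// as hxxp://.
    for clsid, url in dpf:
        if url.lower().startswith(("hxxp://", "http://")):
            findings.append(("medium", f"ActiveX control {clsid} installed from cleartext URL {url}"))
    order = {"high": 0, "medium": 1, "info": 2}
    return sorted(findings, key=lambda f: order[f[0]])


if __name__ == "__main__":
    for severity, message in triage(SAMPLE_LOG):
        print(f"[{severity:<6}] {message}")
```

Run as-is it prints the findings for the embedded sample; pass the text of a full log to triage() to check a real one. On the excerpt above the three 'high' items are the Security Center override, the disabled firewall and the globally open 3389/TCP, which is Remote Desktop reachable from any network the machine joins. Entries that look expected for installed software (the F-Secure drivers, Bonjour's 5353/UDP) are deliberately not flagged.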

Posted

If you already have Malwarebytes, be sure to update it before running the scan!

Download Malwarebytes' Anti-Malware (MBAM)

* Double-click mbam-setup.exe and follow the prompts to install the program.
* At the end, be sure a checkmark is placed next to the following:
  * Update Malwarebytes' Anti-Malware
  * Launch Malwarebytes' Anti-Malware
* Then click Finish.
* If an update is found, it will download and install the latest version.
* Once the program has loaded, select Perform quick scan, then click Scan.
* When the scan is complete, click OK, then Show Results to view the results.
* Be sure that everything is checked, and click Remove Selected.
* When disinfection is completed, a log will open in Notepad and you may be prompted to Restart. (See Extra Note)
* The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
* Copy and paste the entire report in your next reply.

Extra Note: If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts. Click OK to either and let MBAM proceed with the disinfection process; if asked to restart the computer, please do so immediately.

----------

Also let me know how the computer is running now.

 

 

 

Archived

This topic is now archived and is closed to further replies.
