[Resolved] spyware issue/ popups


  • This topic is locked
24 replies to this topic

#1 83valentine

83valentine

    Authentic Member

  • Authentic Member
  • 112 posts

Posted 21 October 2009 - 10:54 AM

Have scanned and cleaned with Windows Defender and turned popup blocker to high on IE. Only happens under one user on computer.

ROOTREPEAL © AD, 2007-2009
==================================================
Scan Start Time: 2009/10/21 11:44
Program Version: Version 1.3.5.0
Windows Version: Windows XP SP3
==================================================

Drivers
-------------------
Name: dump_atapi.sys
Image Path: C:\WINDOWS\System32\Drivers\dump_atapi.sys
Address: 0xEF4E2000 Size: 98304 File Visible: No Signed: -
Status: -

Name: dump_WMILIB.SYS
Image Path: C:\WINDOWS\System32\Drivers\dump_WMILIB.SYS
Address: 0xF8B65000 Size: 8192 File Visible: No Signed: -
Status: -

Name: rootrepeal[1].sys
Image Path: C:\WINDOWS\system32\drivers\rootrepeal[1].sys
Address: 0xEDD29000 Size: 49152 File Visible: No Signed: -
Status: -

==EOF==

DDS (Ver_09-06-26.01) - NTFSx86
Run by Administrator at 11:40:50.45 on Wed 10/21/2009
Internet Explorer: 6.0.2900.5512
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.510.209 [GMT -5:00]

FW: Trend Micro Client-Server Security Agent Firewall *disabled* {31A6C61D-FF74-442B-8367-3CBD397BB4F9}

============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
svchost.exe
svchost.exe
C:\WINDOWS\System32\WLTRYSVC.EXE
C:\WINDOWS\System32\bcmwltry.exe
C:\WINDOWS\system32\spoolsv.exe
svchost.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Canon\IJPLM\IJPLMSVC.EXE
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Common Files\Motive\McciCMService.exe
C:\Program Files\Trend Micro\Client Server Security Agent\ntrtscan.exe
C:\WINDOWS\system32\PSIService.exe
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\Program Files\Trend Micro\Client Server Security Agent\tmlisten.exe
C:\Program Files\Trend Micro\Client Server Security Agent\OfcPfwSvc.exe
C:\WINDOWS\TEMP\CH69EB.EXE
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\igfxsrvc.exe
C:\WINDOWS\system32\igfxpers.exe
C:\WINDOWS\system32\WLTRAY.exe
C:\Program Files\Windows Defender\MSASCui.exe
C:\Program Files\Trend Micro\Client Server Security Agent\pccntmon.exe
C:\Program Files\QuickTime\QTTask.exe
C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Corel\Corel Paint Shop Pro Photo X2\CorelIOMonitor.exe
C:\Program Files\Canon\MyPrinter\BJMyPrt.exe
C:\Program Files\ScanSoft\OmniPageSE4\OpwareSE4.exe
C:\Program Files\Canon\Canon IJ Network Scan Utility\CNMNSUT.EXE
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\Program Files\Common Files\Corel\Corel PhotoDownloader\Corel Photo Downloader.exe
C:\Program Files\OLYMPUS\OLYMPUS Master\Monitor.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Microsoft Office\Office\1033\msoffice.exe
C:\Program Files\Trend Micro\RUBotted\TMRUBottedLite.exe
C:\Documents and Settings\Administrator.GONPH\Desktop\dds.scr

============== Pseudo HJT Report ===============

uInternet Settings,ProxyOverride = *.local
BHO: Adobe PDF Reader Link Helper: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelper.dll
BHO: RealPlayer Download and Record Plugin for Internet Explorer: {3049c3e9-b461-4bc5-8870-4c09146192ca} - c:\program files\real\realplayer\rpbrowserrecordplugin.dll
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
uRun: [OM_Monitor] c:\program files\olympus\olympus master\Monitor.exe
uRun: [MSMSGS] "c:\program files\messenger\msmsgs.exe" /background
mRun: [igfxtray] c:\windows\system32\igfxtray.exe
mRun: [igfxhkcmd] c:\windows\system32\hkcmd.exe
mRun: [igfxpers] c:\windows\system32\igfxpers.exe
mRun: [Broadcom Wireless Manager UI] c:\windows\system32\WLTRAY.exe
mRun: [Windows Defender] "c:\program files\windows defender\MSASCui.exe" -hide
mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 8.0\reader\Reader_sl.exe"
mRun: [OfficeScanNT Monitor] "c:\program files\trend micro\client server security agent\pccntmon.exe" -HideWindow
mRun: [QuickTime Task] "c:\program files\quicktime\QTTask.exe" -atboottime
mRun: [OM_Monitor] c:\program files\olympus\olympus master\FirstStart.exe
mRun: [AdaptecDirectCD] "c:\program files\roxio\easy cd creator 5\directcd\DirectCD.exe"
mRun: [SupportAnyPC] "c:\docume~1\admini~1.gon\locals~1\temp\winvnc.exe" -servicehelper
mRun: [AppleSyncNotifier] c:\program files\common files\apple\mobile device support\bin\AppleSyncNotifier.exe
mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe"
mRun: [Corel File Shell Monitor] c:\program files\corel\corel paint shop pro photo x2\CorelIOMonitor.exe
mRun: [CanonSolutionMenu] c:\program files\canon\solutionmenu\CNSLMAIN.exe /logon
mRun: [CanonMyPrinter] c:\program files\canon\myprinter\BJMyPrt.exe /logon
mRun: [SSBkgdUpdate] "c:\program files\common files\scansoft shared\ssbkgdupdate\SSBkgdupdate.exe" -Embedding -boot
mRun: [OpwareSE4] "c:\program files\scansoft\omnipagese4\OpwareSE4.exe"
mRun: [IJNetworkScanUtility] c:\program files\canon\canon ij network scan utility\CNMNSUT.EXE
mRun: [TkBellExe] "c:\program files\common files\real\update_ob\realsched.exe" -osboot
mRun: [SunJavaUpdateSched] "c:\program files\java\jre6\bin\jusched.exe"
mRun: [TMRUBottedTray] "c:\program files\trend micro\rubotted\TMRUBottedTray.exe"
mRun: [Corel Photo Downloader] "c:\program files\common files\corel\corel photodownloader\Corel Photo Downloader.exe" -startup
dRun: [DWQueuedReporting] "c:\progra~1\common~1\micros~1\dw\dwtrig20.exe" -t
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\micros~1.lnk - c:\program files\microsoft office\office\OSA9.EXE
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
DPF: {406B5949-7190-4245-91A9-30A17DE16AD0} - hxxp://www.costcophotocenter.com/CostcoActivia.cab
DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} - hxxp://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1238536702538
DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} - hxxp://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1238536693768
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_15-windows-i586.cab
DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} - hxxp://fpdownload.macromedia.com/get/flashplayer/current/ultrashim.cab
DPF: {CAFEEFAC-0016-0000-0003-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_03-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0005-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_05-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_07-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0015-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_15-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_15-windows-i586.cab
Notify: igfxcui - igfxdev.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
SEH: Microsoft AntiMalware ShellExecuteHook: {091eb208-39dd-417d-a5dd-7e2c2d8fb9cb} - c:\progra~1\window~4\MpShHook.dll

============= SERVICES / DRIVERS ===============

R2 OfcPfwSvc;Trend Micro Client/Server Security Agent Personal Firewall;c:\program files\trend micro\client server security agent\OfcPfwSvc.exe [2007-10-3 278608]
R2 TmFilter;Trend Micro Filter;c:\program files\trend micro\client server security agent\TmXPFlt.sys [2007-10-3 225296]
R2 TmPreFilter;Trend Micro PreFilter;c:\program files\trend micro\client server security agent\tmpreflt.sys [2007-10-3 36368]
R2 WinDefend;Windows Defender;c:\program files\windows defender\MsMpEng.exe [2006-11-3 13592]
R3 TMPassthruMP;TMPassthruMP;c:\windows\system32\drivers\TMPassthru.sys [2009-10-18 206608]
S2 RUBotted;Trend Micro RUBotted Service;c:\program files\trend micro\rubotted\TMRUBotted.exe [2009-10-18 582992]
S3 SupportAnyPC;SupportAnyPC Service;c:\docume~1\admini~1.gon\locals~1\temp\winvnc.exe [2004-9-8 499779]
S3 TMPassthru;Trend Micro Passthru Ndis Service;c:\windows\system32\drivers\TMPassthru.sys [2009-10-18 206608]

=============== Created Last 30 ================

2009-10-21 07:32 <DIR> --d----- c:\program files\vazudufa
2009-10-21 07:32 <DIR> --d----- c:\program files\napuruya
2009-10-21 07:32 <DIR> --d----- c:\program files\kujonage
2009-10-21 07:31 <DIR> --d----- c:\program files\vujikuro
2009-10-21 07:31 <DIR> --d----- c:\program files\jonutunu
2009-10-21 07:31 <DIR> --d----- c:\program files\gadataji
2009-10-20 19:31 <DIR> --d----- c:\program files\yotenodo
2009-10-20 19:31 <DIR> --d----- c:\program files\tejoluze
2009-10-20 19:31 <DIR> --d----- c:\program files\buyenayo
2009-10-20 16:10 1,734 a------- C:\all
2009-10-20 07:31 <DIR> --d----- c:\program files\tehumihe
2009-10-20 07:31 <DIR> --d----- c:\program files\kidodize
2009-10-20 07:31 <DIR> --d----- c:\program files\hewuhevi
2009-10-19 13:02 <DIR> --d----- c:\program files\lohasaru
2009-10-19 13:02 <DIR> --d----- c:\program files\linogino
2009-10-18 00:07 206,608 a------- c:\windows\system32\drivers\TMPassthru.sys
2009-10-17 23:41 <DIR> --d----- c:\program files\mibewoja
2009-10-17 23:41 <DIR> --d----- c:\program files\fumupofo
2009-10-17 23:41 <DIR> --d----- c:\program files\dudeheru
2009-10-14 08:58 <DIR> --d----- c:\program files\wapizime
2009-10-14 08:58 <DIR> --d----- c:\program files\giruwili
2009-10-14 08:58 <DIR> --d----- c:\program files\bihofiye
2009-10-14 08:58 <DIR> --d----- c:\program files\yeyanido
2009-10-14 08:58 <DIR> --d----- c:\program files\ziwupidu
2009-10-14 08:58 <DIR> --d----- c:\program files\wojidiko
2009-10-14 08:58 <DIR> --d----- c:\program files\sadotawa
2009-10-13 20:57 <DIR> --d----- c:\program files\rivenape
2009-10-13 20:57 <DIR> --d----- c:\program files\mafopiwo
2009-10-13 20:57 <DIR> --d----- c:\program files\keyiguvu
2009-10-13 11:00 <DIR> --d----- c:\program files\common files\xing shared
2009-10-13 08:47 <DIR> --d----- c:\program files\punawuwu
2009-10-13 08:47 <DIR> --d----- c:\program files\kafawagi
2009-10-13 08:47 <DIR> --d----- c:\program files\bozuneyi
2009-10-13 08:47 <DIR> --d----- c:\program files\mupitera
2009-10-13 08:47 <DIR> --d----- c:\program files\veyekuke
2009-10-13 08:47 <DIR> --d----- c:\program files\vedofumu
2009-10-10 08:10 <DIR> --d----- c:\program files\kowogepu
2009-10-10 08:10 <DIR> --d----- c:\program files\jozuwitu
2009-10-10 08:10 <DIR> --d----- c:\program files\jivatusi
2009-10-10 08:09 <DIR> --d----- c:\program files\peritohu
2009-10-10 08:09 <DIR> --d----- c:\program files\titodopu
2009-10-10 08:09 <DIR> --d----- c:\program files\musikobe
2009-10-10 08:09 <DIR> --d----- c:\program files\godidusa
2009-10-09 15:27 153,088 -c------ c:\windows\system32\dllcache\triedit.dll
2009-10-09 15:24 1,315,328 -c------ c:\windows\system32\dllcache\msoe.dll
2009-10-09 15:23 128,512 -c------ c:\windows\system32\dllcache\dhtmled.ocx
2009-10-09 10:56 <DIR> --d----- c:\program files\zopiwaka
2009-10-09 10:55 <DIR> --d----- c:\program files\milutamo
2009-10-09 10:55 <DIR> --d----- c:\program files\mezivado
2009-10-09 10:55 <DIR> --d----- c:\program files\lujurepu
2009-10-09 10:49 <DIR> --d----- c:\program files\tamereba
2009-10-09 10:49 <DIR> --d----- c:\program files\ruwayida
2009-10-09 10:49 <DIR> --d----- c:\program files\bumohupi
2009-10-03 02:23 195,440 -------- c:\windows\system32\MpSigStub.exe

==================== Find3M ====================

2009-10-21 11:14 11,168 a---h--- c:\program files\lapinira
2009-08-05 04:01 204,800 a------- c:\windows\system32\mswebdvd.dll
2009-08-03 15:07 403,816 a------- c:\windows\system32\OGACheckControl.dll
2009-08-03 15:07 322,928 a------- c:\windows\system32\OGAAddin.dll
2009-08-03 15:07 230,768 a------- c:\windows\system32\OGAEXEC.exe
2009-07-28 23:37 119,808 a------- c:\windows\system32\t2embed.dll
2009-07-28 23:37 81,920 a------- c:\windows\system32\fontsub.dll
2009-07-25 05:23 411,368 a------- c:\windows\system32\deploytk.dll
2007-11-04 17:54 88 ---shr-- c:\windows\system32\42527287DC.sys
2009-07-21 14:37 4,704 a--sh--- c:\windows\system32\KGyGaAvL.sys

============= FINISH: 11:41:35.03 ===============


#2 LDTate

LDTate

    Forum God

  • Root Admin
  • 57,180 posts

Posted 25 October 2009 - 05:31 AM



DO NOT use any TOOLS such as Combofix, SmitfraudFix, MBAM, Vundofix, or HijackThis fixes without supervision.

Doing so could make your PC inoperable and could require a full reinstall of your OS, losing all your programs and data.


Vista users:
1. These tools MUST be run from the executable. (.exe) every time you run them
2. With Admin Rights (Right click, choose "Run as Administrator")


Stay with this topic until I give you the all clean post.

You might want to print these instructions out.

I suggest you do this:

Double-click My Computer.
Click the Tools menu, and then click Folder Options.
Click the View tab.
Uncheck "Hide file extensions for known file types."
Under the "Hidden files" folder, select "Show hidden files and folders."
Uncheck "Hide protected operating system files."
Click Apply, and then click OK.


Please do not delete anything unless instructed to.


Please download ATF Cleaner by Atribune.
Download - ATF Cleaner»
Double-click ATF-Cleaner.exe to run the program.
Under Main choose: Select All
Click the Empty Selected button.

(If you use Firefox or the Opera browser: to keep saved passwords, click No at the prompt.)

It's normal after running ATF cleaner that the PC will be slower to boot the first time or two.

Next:

Please download Malwarebytes' Anti-Malware to your desktop.

  • Double-click mbam-setup.exe and follow the prompts to install the program.
  • At the end, be sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.
  • If an update is found, it will download and install the latest version.
  • Once the program has loaded, select Perform quick scan, then click Scan.
  • When the scan is complete, click OK, then Show Results to view the results.
  • Then click Remove Selected .
  • When completed, a log will open in Notepad. Please save it to a convenient location and post the results.
  • Note: If you receive a notice that some of the items couldn't be removed, that they have been added to the delete on reboot list, please reboot.
Also "copy/paste" a new HijackThis log file into this thread.

Also please describe how your computer behaves at the moment.


Please don't attach the scans / logs, use "copy/paste".

The forum is run by volunteers who donate their time and expertise.

Want to help others? Join the ClassRoom and learn how.

Logs will be closed if you haven't replied within 3 days

 

If you would like to paypal.gif for the help you received.
 

Proud graduate of TC/WTT Classroom

 


#3 83valentine

83valentine

    Authentic Member

  • Authentic Member
  • 112 posts

Posted 26 October 2009 - 05:37 PM

Malwarebytes' Anti-Malware 1.41
Database version: 3037
Windows 5.1.2600 Service Pack 3

10/26/2009 6:26:22 PM
mbam-log-2009-10-26 (18-26-22).txt

Scan type: Quick Scan
Objects scanned: 138672
Time elapsed: 15 minute(s), 19 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 6:28:35 PM, on 10/26/2009
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP3 (6.00.2900.5512)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\WLTRYSVC.EXE
C:\WINDOWS\System32\bcmwltry.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Canon\IJPLM\IJPLMSVC.EXE
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Common Files\Motive\McciCMService.exe
C:\Program Files\Trend Micro\Client Server Security Agent\ntrtscan.exe
C:\WINDOWS\system32\PSIService.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Trend Micro\Client Server Security Agent\tmlisten.exe
C:\Program Files\Trend Micro\Client Server Security Agent\OfcPfwSvc.exe
C:\WINDOWS\TEMP\OLE262.EXE
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\hkcmd.exe
C:\WINDOWS\system32\igfxpers.exe
C:\WINDOWS\system32\WLTRAY.exe
C:\WINDOWS\system32\igfxsrvc.exe
C:\Program Files\Windows Defender\MSASCui.exe
C:\Program Files\Trend Micro\Client Server Security Agent\pccntmon.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\QuickTime\QTTask.exe
C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Corel\Corel Paint Shop Pro Photo X2\CorelIOMonitor.exe
C:\Program Files\Canon\MyPrinter\BJMyPrt.exe
C:\Program Files\ScanSoft\OmniPageSE4\OpwareSE4.exe
C:\Program Files\Canon\Canon IJ Network Scan Utility\CNMNSUT.EXE
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\Program Files\Common Files\Corel\Corel PhotoDownloader\Corel Photo Downloader.exe
C:\Program Files\OLYMPUS\OLYMPUS Master\Monitor.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Microsoft Office\Office\1033\msoffice.exe
C:\Program Files\Trend Micro\RUBotted\TMRUBottedLite.exe
C:\Documents and Settings\Administrator.GONPH\Desktop\HijackThis.exe

R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: RealPlayer Download and Record Plugin for Internet Explorer - {3049C3E9-B461-4BC5-8870-4C09146192CA} - c:\program files\real\realplayer\rpbrowserrecordplugin.dll
O2 - BHO: Java™ Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O4 - HKLM\..\Run: [igfxtray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [igfxhkcmd] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [igfxpers] C:\WINDOWS\system32\igfxpers.exe
O4 - HKLM\..\Run: [Broadcom Wireless Manager UI] C:\WINDOWS\system32\WLTRAY.exe
O4 - HKLM\..\Run: [Windows Defender] "C:\Program Files\Windows Defender\MSASCui.exe" -hide
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [OfficeScanNT Monitor] "C:\Program Files\Trend Micro\Client Server Security Agent\pccntmon.exe" -HideWindow
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [OM_Monitor] C:\Program Files\OLYMPUS\OLYMPUS Master\FirstStart.exe
O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe"
O4 - HKLM\..\Run: [SupportAnyPC] "C:\DOCUME~1\ADMINI~1.GON\LOCALS~1\Temp\winvnc.exe" -servicehelper
O4 - HKLM\..\Run: [AppleSyncNotifier] C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleSyncNotifier.exe
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [Corel File Shell Monitor] C:\Program Files\Corel\Corel Paint Shop Pro Photo X2\CorelIOMonitor.exe
O4 - HKLM\..\Run: [CanonSolutionMenu] C:\Program Files\Canon\SolutionMenu\CNSLMAIN.exe /logon
O4 - HKLM\..\Run: [CanonMyPrinter] C:\Program Files\Canon\MyPrinter\BJMyPrt.exe /logon
O4 - HKLM\..\Run: [SSBkgdUpdate] "C:\Program Files\Common Files\Scansoft Shared\SSBkgdUpdate\SSBkgdupdate.exe" -Embedding -boot
O4 - HKLM\..\Run: [OpwareSE4] "C:\Program Files\ScanSoft\OmniPageSE4\OpwareSE4.exe"
O4 - HKLM\..\Run: [IJNetworkScanUtility] C:\Program Files\Canon\Canon IJ Network Scan Utility\CNMNSUT.EXE
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"
O4 - HKLM\..\Run: [TMRUBottedTray] "C:\Program Files\Trend Micro\RUBotted\TMRUBottedTray.exe"
O4 - HKLM\..\Run: [Corel Photo Downloader] "C:\Program Files\Common Files\Corel\Corel PhotoDownloader\Corel Photo Downloader.exe" -startup
O4 - HKLM\..\RunOnce: [Malwarebytes' Anti-Malware] C:\Program Files\Malwarebytes' Anti-Malware\mbamgui.exe /install /silent
O4 - HKCU\..\Run: [OM_Monitor] C:\Program Files\OLYMPUS\OLYMPUS Master\Monitor.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKUS\S-1-5-18\..\Run: [DWQueuedReporting] "c:\PROGRA~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" -t (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [DWQueuedReporting] "c:\PROGRA~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" -t (User 'Default user')
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {406B5949-7190-4245-91A9-30A17DE16AD0} (Snapfish Activia) - http://www.costcopho...stcoActivia.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.micros...b?1238536702538
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.micros...b?1238536693768
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = GONPH.local
O17 - HKLM\Software\..\Telephony: DomainName = GONPH.local
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = GONPH.local
O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: PIXMA Extended Survey Program (IJPLMSVC) - Unknown owner - C:\Program Files\Canon\IJPLM\IJPLMSVC.EXE
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: McciCMService - Motive Communications, Inc. - C:\Program Files\Common Files\Motive\McciCMService.exe
O23 - Service: Trend Micro Client/Server Security Agent RealTime Scan (ntrtscan) - Trend Micro Inc. - C:\Program Files\Trend Micro\Client Server Security Agent\ntrtscan.exe
O23 - Service: Trend Micro Client/Server Security Agent Personal Firewall (OfcPfwSvc) - Trend Micro Inc. - C:\Program Files\Trend Micro\Client Server Security Agent\OfcPfwSvc.exe
O23 - Service: ProtexisLicensing - Unknown owner - C:\WINDOWS\system32\PSIService.exe
O23 - Service: Trend Micro RUBotted Service (RUBotted) - Trend Micro Inc. - C:\Program Files\Trend Micro\RUBotted\TMRUBotted.exe
O23 - Service: SupportAnyPC Service (SupportAnyPC) - Out of the Box Consulting, Inc. - C:\DOCUME~1\ADMINI~1.GON\LOCALS~1\Temp\winvnc.exe
O23 - Service: Trend Micro Client/Server Security Agent Listener (tmlisten) - Trend Micro Inc. - C:\Program Files\Trend Micro\Client Server Security Agent\tmlisten.exe
O23 - Service: Dell Wireless WLAN Tray Service (wltrysvc) - Unknown owner - C:\WINDOWS\System32\WLTRYSVC.EXE

--
End of file - 8759 bytes


Overall, computer runs fairly normal, may be slightly slow. When using Doctor user, I get repeated pop ups whenever running IE. Usually a Google ad. Other users seem to work fine.

Thanks for your help, Brad

#4 LDTate

LDTate

    Forum God

  • Root Admin
  • 57,180 posts

Posted 26 October 2009 - 05:54 PM

Do you know what the folders like these are?

2009-10-21 07:32 <DIR> --d----- c:\program files\vazudufa
2009-10-21 07:32 <DIR> --d----- c:\program files\napuruya
2009-10-21 07:32 <DIR> --d----- c:\program files\kujonage
2009-10-21 07:31 <DIR> --d----- c:\program files\vujikuro
2009-10-21 07:31 <DIR> --d----- c:\program files\jonutunu
2009-10-21 07:31 <DIR> --d----- c:\program files\gadataji
2009-10-20 19:31 <DIR> --d----- c:\program files\yotenodo
2009-10-20 19:31 <DIR> --d----- c:\program files\tejoluze
2009-10-20 19:31 <DIR> --d----- c:\program files\buyenayo


#5 83valentine

83valentine

    Authentic Member

  • Authentic Member
  • 112 posts

Posted 26 October 2009 - 08:09 PM

No I do not. Thought they may have been part of the issue, or a temp file of some sort. Did not want to delete without someone else telling me it was ok.
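The batch of identically timed, randomly named folders LDTate asks about in the post above is the kind of pattern a helper picks out of a DDS or ComboFix listing by eye. The Python below is an added example, not code from this thread or from either tool: it parses the "Created" lines in both listing formats (patterns inferred from the log lines quoted in this thread), keeps the directory entries, and groups directories whose names are built from consonant-vowel pairs and that appeared in the same parent within a few minutes of each other. The name heuristic and the sample listing are constructed for the example; the directory names in the sample are copied from the logs above.

```python
import re
from datetime import datetime, timedelta

# Constructed sample in the two listing formats quoted in this thread:
# DDS "Created Last 30" lines and ComboFix "Files Created" lines.
# Names are copied from the logs above; this is not output of a real scan.
SAMPLE_LISTING = r"""
2009-10-21 07:32 <DIR> --d----- c:\program files\vazudufa
2009-10-21 07:32 <DIR> --d----- c:\program files\napuruya
2009-10-21 07:32 <DIR> --d----- c:\program files\kujonage
2009-10-21 07:31 <DIR> --d----- c:\program files\vujikuro
2009-10-20 16:10 1,734 a------- C:\all
2009-10-18 00:07 206,608 a------- c:\windows\system32\drivers\TMPassthru.sys
2009-10-21 16:36 . 2009-10-21 16:37 -------- d-----w- c:\program files\ERUNT
2009-10-27 14:43 . 2009-10-27 14:43 -------- d-----w- c:\program files\yuhodose
2009-10-27 14:43 . 2009-10-27 14:43 -------- d-----w- c:\program files\rujidovo
2009-10-27 14:43 . 2009-10-27 14:43 -------- d-----w- c:\program files\kuvalepi
2009-10-26 23:09 . 2009-10-27 12:22 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
"""

# One pattern covers both formats: the creation timestamp, an optional
# ComboFix "modified" timestamp plus its dash-filled size column, then a
# directory attribute field (DDS "<DIR> --d-----" or ComboFix "d-----w-").
# File entries carry a numeric size there instead and do not match.
DIR_ENTRY = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2})"
    r"(?: \. \d{4}-\d{2}-\d{2} \d{2}:\d{2} -+)?"
    r"\s+(?:<DIR>\s+--d\S*|d-\S+)\s+(?P<path>.+)$"
)

# Heuristic (an assumption for this example, not a signature): a name made
# only of lower-case consonant-vowel pairs, 6 to 10 letters, like "vazudufa".
RANDOM_NAME = re.compile(r"^(?:[bcdfghjklmnpqrstvwxyz][aeiou]){3,5}$")


def parse_created_entries(text):
    """Return (creation_time, path) for every directory entry in a listing."""
    entries = []
    for line in text.splitlines():
        m = DIR_ENTRY.match(line.strip())
        if m:
            ts = datetime.strptime(m.group("ts"), "%Y-%m-%d %H:%M")
            entries.append((ts, m.group("path").strip()))
    return entries


def looks_random(name):
    """True if the directory name fits the consonant-vowel-pair heuristic."""
    return bool(RANDOM_NAME.match(name))


def find_random_dir_clusters(text, window=timedelta(minutes=5), min_size=2):
    """Group randomly named directories that share a parent and were created
    within `window` of the previous one; return clusters of >= min_size paths,
    each cluster ordered by creation time."""
    suspects = []
    for ts, path in parse_created_entries(text):
        parent, _, name = path.replace("/", "\\").rpartition("\\")
        if looks_random(name):
            suspects.append((ts, parent.lower(), path))
    suspects.sort()

    clusters, current = [], []
    for item in suspects:
        if current and (item[1] != current[-1][1]
                        or item[0] - current[-1][0] > window):
            if len(current) >= min_size:
                clusters.append([p for _, _, p in current])
            current = []
        current.append(item)
    if len(current) >= min_size:
        clusters.append([p for _, _, p in current])
    return clusters


if __name__ == "__main__":
    for cluster in find_random_dir_clusters(SAMPLE_LISTING):
        print("%d directories created together:" % len(cluster))
        for path in cluster:
            print("   ", path)
```

Two clusters come out of the sample: the four "c:\program files" directories from 21 October and the three from 27 October, while ERUNT and Malwarebytes' Anti-Malware are ignored. The output is a triage list for a helper to look at, not a verdict; an allowlist of known vendor directory names and a tighter window are the usual knobs if a listing from a busy machine produces too many candidates.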

#6 LDTate

LDTate

    Forum God

  • Root Admin
  • 57,180 posts

Posted 27 October 2009 - 05:40 AM

Download ComboFix from one of these locations:

Link 1
Link 2


* IMPORTANT !!! Save ComboFix.exe to your Desktop


  • Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools. Note: If you are having difficulty properly disabling your protective programs, or are unsure as to what programs need to be disabled, please refer to the information available through this link : Protective Programs

  • Double click on ComboFix.exe & follow the prompts.

    Note: Combofix will run without the Recovery Console installed.

  • As part of its process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.

  • Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.

**Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue its malware removal procedures.


Posted Image



Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:

Posted Image


Click on Yes, to continue scanning for malware.

When finished, it shall produce a log for you. Please include the C:\ComboFix.txt in your next reply.
"copy/paste" a new HijackThis log file into this thread as well.

Notes:

1. Do not mouse-click Combofix's window while it is running. That may cause it to stall.
2. ComboFix may reset a number of Internet Explorer's settings, including making I-E the default browser.
3. Combofix prevents autorun of ALL CD, floppy and USB devices to assist with malware removal & increase security. If this is an issue or makes it difficult for you -- please tell your helper.
4. CF disconnects your machine from the internet. The connection is automatically restored before CF completes its run. If CF runs into difficulty and terminates prematurely, the connection can be manually restored by restarting your machine.

Give it at least 20-30 minutes to finish if needed.


Also please describe how your computer behaves at the moment.


#7 83valentine

83valentine

    Authentic Member

  • Authentic Member
  • 112 posts

Posted 27 October 2009 - 02:16 PM

ComboFix 09-10-26.06 - Administrator 10/27/2009 13:28.1.1 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.510.235 [GMT -5:00]
Running from: c:\documents and settings\Administrator.GONPH\Desktop\ComboFix.exe
FW: Trend Micro Client-Server Security Agent Firewall *disabled* {31A6C61D-FF74-442B-8367-3CBD397BB4F9}
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\documents and settings\doctor\Application Data\EurekaLog
c:\documents and settings\doctor\Application Data\EurekaLog\EurekaLog.ini
c:\windows\COUPON~1.OCX
c:\windows\CouponPrinter.ocx
c:\windows\desktop
c:\windows\desktop\Instal~1.lnk

.
((((((((((((((((((((((((( Files Created from 2009-09-27 to 2009-10-27 )))))))))))))))))))))))))))))))
.

2009-10-27 18:17 . 2009-10-27 18:17 -------- d-----w- c:\windows\LastGood
2009-10-27 14:43 . 2009-10-27 14:43 -------- d-----w- c:\program files\yuhodose
2009-10-27 14:43 . 2009-10-27 14:43 -------- d-----w- c:\program files\rujidovo
2009-10-27 14:43 . 2009-10-27 14:43 -------- d-----w- c:\program files\kuvalepi
2009-10-27 14:42 . 2009-10-27 14:42 -------- d-----w- c:\program files\sodubudu
2009-10-27 14:42 . 2009-10-27 14:42 -------- d-----w- c:\program files\wiwuzoza
2009-10-27 14:42 . 2009-10-27 14:42 -------- d-----w- c:\program files\bunijufu
2009-10-26 23:10 . 2009-10-26 23:10 -------- d-----w- c:\documents and settings\Administrator.GONPH\Application Data\Malwarebytes
2009-10-26 23:09 . 2009-09-10 19:54 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2009-10-26 23:09 . 2009-10-26 23:09 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
2009-10-26 23:09 . 2009-09-10 19:53 19160 ----a-w- c:\windows\system32\drivers\mbam.sys
2009-10-26 23:09 . 2009-10-27 12:22 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2009-10-22 16:12 . 2009-10-22 16:12 -------- d-----w- c:\program files\zowagoya
2009-10-22 16:12 . 2009-10-22 16:12 -------- d-----w- c:\program files\hodisuye
2009-10-21 16:36 . 2009-10-21 16:37 -------- d-----w- c:\program files\ERUNT
2009-10-21 12:32 . 2009-10-27 14:43 -------- d-----w- c:\program files\napuruya
2009-10-21 12:32 . 2009-10-27 14:43 -------- d-----w- c:\program files\kujonage
2009-10-21 12:32 . 2009-10-27 14:43 -------- d-----w- c:\program files\vazudufa
2009-10-21 12:31 . 2009-10-21 12:31 -------- d-----w- c:\program files\vujikuro
2009-10-21 12:31 . 2009-10-21 12:31 -------- d-----w- c:\program files\jonutunu
2009-10-21 12:31 . 2009-10-21 12:31 -------- d-----w- c:\program files\gadataji
2009-10-21 00:31 . 2009-10-21 00:31 -------- d-----w- c:\program files\yotenodo
2009-10-21 00:31 . 2009-10-21 00:31 -------- d-----w- c:\program files\tejoluze
2009-10-21 00:31 . 2009-10-21 00:31 -------- d-----w- c:\program files\buyenayo
2009-10-20 20:51 . 2009-10-20 20:51 -------- d-----w- c:\documents and settings\ElincAdmin\Local Settings\Application Data\Scansoft
2009-10-20 20:51 . 2009-10-20 20:51 -------- d-----w- c:\documents and settings\ElincAdmin\Local Settings\Application Data\Apple Computer
2009-10-20 20:51 . 2009-10-20 20:51 -------- d-----w- c:\documents and settings\ElincAdmin\Application Data\Xerox
2009-10-14 13:58 . 2009-10-21 12:32 -------- d-----w- c:\program files\wapizime
2009-10-14 13:58 . 2009-10-21 12:32 -------- d-----w- c:\program files\giruwili
2009-10-14 13:58 . 2009-10-21 12:32 -------- d-----w- c:\program files\bihofiye
2009-10-14 13:58 . 2009-10-18 04:42 -------- d-----w- c:\program files\yeyanido
2009-10-14 13:58 . 2009-10-14 13:58 -------- d-----w- c:\program files\wojidiko
2009-10-14 13:58 . 2009-10-14 13:58 -------- d-----w- c:\program files\ziwupidu
2009-10-13 13:47 . 2009-10-13 13:47 -------- d-----w- c:\program files\mupitera
2009-10-13 13:47 . 2009-10-20 13:57 -------- d-----w- c:\program files\vedofumu
2009-10-13 13:47 . 2009-10-13 13:47 -------- d-----w- c:\program files\veyekuke
2009-10-10 13:10 . 2009-10-13 13:47 -------- d-----w- c:\program files\jozuwitu
2009-10-10 13:10 . 2009-10-13 13:47 -------- d-----w- c:\program files\jivatusi
2009-10-10 13:10 . 2009-10-13 13:47 -------- d-----w- c:\program files\kowogepu
2009-10-10 13:09 . 2009-10-20 21:30 -------- d-----w- c:\program files\peritohu
2009-10-10 13:09 . 2009-10-10 13:09 -------- d-----w- c:\program files\titodopu
2009-10-10 13:09 . 2009-10-10 13:09 -------- d-----w- c:\program files\musikobe
2009-10-10 13:09 . 2009-10-10 13:09 -------- d-----w- c:\program files\godidusa
2009-10-09 22:29 . 2009-10-09 22:29 -------- d-----w- c:\documents and settings\All Users\Application Data\Office Genuine Advantage
2009-10-09 20:27 . 2009-06-21 21:44 153088 -c----w- c:\windows\system32\dllcache\triedit.dll
2009-10-09 20:24 . 2009-07-10 13:27 1315328 -c----w- c:\windows\system32\dllcache\msoe.dll
2009-10-09 20:19 . 2009-03-06 14:22 284160 -c----w- c:\windows\system32\dllcache\pdh.dll
2009-10-09 20:19 . 2009-02-09 12:10 401408 -c----w- c:\windows\system32\dllcache\rpcss.dll
2009-10-09 20:19 . 2009-02-09 12:10 473600 -c----w- c:\windows\system32\dllcache\fastprox.dll
2009-10-09 20:19 . 2009-02-06 11:11 110592 -c----w- c:\windows\system32\dllcache\services.exe
2009-10-09 20:19 . 2009-02-06 10:10 227840 -c----w- c:\windows\system32\dllcache\wmiprvse.exe
2009-10-09 20:19 . 2009-06-25 08:25 730112 -c----w- c:\windows\system32\dllcache\lsasrv.dll
2009-10-09 20:19 . 2009-02-09 12:10 617472 -c----w- c:\windows\system32\dllcache\advapi32.dll
2009-10-09 20:19 . 2009-02-09 12:10 453120 -c----w- c:\windows\system32\dllcache\wmiprvsd.dll
2009-10-09 20:19 . 2009-02-09 12:10 714752 -c----w- c:\windows\system32\dllcache\ntdll.dll
2009-10-09 20:19 . 2008-05-03 11:55 2560 ------w- c:\windows\system32\xpsp4res.dll
2009-10-09 20:19 . 2008-04-21 12:08 215552 -c----w- c:\windows\system32\dllcache\wordpad.exe
2009-10-09 15:56 . 2009-10-09 15:56 -------- d-----w- c:\program files\zopiwaka
2009-10-09 15:55 . 2009-10-13 20:59 -------- d-----w- c:\program files\lujurepu
2009-10-09 15:55 . 2009-10-09 15:56 -------- d-----w- c:\program files\milutamo
2009-10-09 15:55 . 2009-10-09 15:55 -------- d-----w- c:\program files\mezivado
2009-10-09 15:49 . 2009-10-10 13:10 -------- d-----w- c:\program files\tamereba
2009-10-09 15:49 . 2009-10-10 13:10 -------- d-----w- c:\program files\ruwayida
2009-10-09 15:49 . 2009-10-10 13:10 -------- d-----w- c:\program files\bumohupi
2009-10-03 07:23 . 2009-10-01 15:29 195440 ------w- c:\windows\system32\MpSigStub.exe

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-10-27 18:17 . 2007-10-03 17:42 -------- d--h--w- c:\program files\InstallShield Installation Information
2009-10-27 18:17 . 2007-10-03 22:01 -------- d-----w- c:\program files\Trend Micro
2009-10-27 18:10 . 2009-07-09 15:49 11168 ---ha-w- c:\program files\lapinira
2009-10-20 20:51 . 2007-10-04 16:04 17896 ----a-w- c:\documents and settings\ElincAdmin\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2009-10-20 13:57 . 2009-10-14 01:57 -------- d-----w- c:\program files\keyiguvu
2009-10-20 12:31 . 2009-10-20 12:31 -------- d-----w- c:\program files\tehumihe
2009-10-20 12:31 . 2009-10-20 12:31 -------- d-----w- c:\program files\kidodize
2009-10-20 12:31 . 2009-10-20 12:31 -------- d-----w- c:\program files\hewuhevi
2009-10-19 18:02 . 2009-10-19 18:02 -------- d-----w- c:\program files\lohasaru
2009-10-19 18:02 . 2009-10-19 18:02 -------- d-----w- c:\program files\linogino
2009-10-18 04:41 . 2009-10-18 04:41 -------- d-----w- c:\program files\mibewoja
2009-10-18 04:41 . 2009-10-18 04:41 -------- d-----w- c:\program files\fumupofo
2009-10-18 04:41 . 2009-10-18 04:41 -------- d-----w- c:\program files\dudeheru
2009-10-14 13:58 . 2009-10-13 13:47 -------- d-----w- c:\program files\punawuwu
2009-10-14 13:58 . 2009-10-13 13:47 -------- d-----w- c:\program files\kafawagi
2009-10-14 13:58 . 2009-10-13 13:47 -------- d-----w- c:\program files\bozuneyi
2009-10-14 13:58 . 2009-10-14 13:58 -------- d-----w- c:\program files\sadotawa
2009-10-14 01:57 . 2009-10-14 01:57 -------- d-----w- c:\program files\rivenape
2009-10-14 01:57 . 2009-10-14 01:57 -------- d-----w- c:\program files\mafopiwo
2009-10-13 21:33 . 2007-10-12 18:36 -------- d-----w- c:\program files\Java
2009-10-13 16:01 . 2007-12-14 13:15 -------- d-----w- c:\program files\Common Files\Real
2009-10-13 16:00 . 2009-10-13 16:00 -------- d-----w- c:\program files\Common Files\xing shared
2009-10-09 20:50 . 2009-01-02 20:56 -------- d-----w- c:\program files\Microsoft Silverlight
2009-09-21 18:02 . 2009-01-19 20:05 -------- d-----w- c:\documents and settings\All Users\Application Data\CanonIJPLM
2009-08-05 09:01 . 2004-08-04 12:00 204800 ----a-w- c:\windows\system32\mswebdvd.dll
2009-08-03 20:07 . 2009-08-03 20:07 403816 ----a-w- c:\windows\system32\OGACheckControl.dll
2009-08-03 20:07 . 2009-08-03 20:07 322928 ----a-w- c:\windows\system32\OGAAddin.dll
2009-08-03 20:07 . 2009-08-03 20:07 230768 ----a-w- c:\windows\system32\OGAEXEC.exe
2009-07-29 23:02 . 2009-07-29 23:02 17896 ----a-w- c:\documents and settings\tech\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2007-11-04 22:54 . 2007-11-04 22:07 88 --sh--r- c:\windows\system32\42527287DC.sys
2009-07-21 19:37 . 2007-10-03 23:54 4704 --sha-w- c:\windows\system32\KGyGaAvL.sys
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"OM_Monitor"="c:\program files\OLYMPUS\OLYMPUS Master\Monitor.exe" [2006-05-16 57344]
"MSMSGS"="c:\program files\Messenger\msmsgs.exe" [2008-04-14 1695232]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"igfxtray"="c:\windows\system32\igfxtray.exe" [2005-09-20 94208]
"igfxhkcmd"="c:\windows\system32\hkcmd.exe" [2005-09-20 77824]
"igfxpers"="c:\windows\system32\igfxpers.exe" [2005-09-20 114688]
"Broadcom Wireless Manager UI"="c:\windows\system32\WLTRAY.exe" [2006-11-01 1392640]
"Windows Defender"="c:\program files\Windows Defender\MSASCui.exe" [2006-11-04 866584]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2007-05-11 40048]
"OfficeScanNT Monitor"="c:\program files\Trend Micro\Client Server Security Agent\pccntmon.exe" [2005-11-03 372813]
"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2008-05-27 413696]
"OM_Monitor"="c:\program files\OLYMPUS\OLYMPUS Master\FirstStart.exe" [2006-05-16 40960]
"AdaptecDirectCD"="c:\program files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe" [2002-12-17 684032]
"AppleSyncNotifier"="c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleSyncNotifier.exe" [2008-07-23 116040]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2008-07-30 289064]
"Corel File Shell Monitor"="c:\program files\Corel\Corel Paint Shop Pro Photo X2\CorelIOMonitor.exe" [2007-10-31 16200]
"CanonSolutionMenu"="c:\program files\Canon\SolutionMenu\CNSLMAIN.exe" [2007-05-15 644696]
"CanonMyPrinter"="c:\program files\Canon\MyPrinter\BJMyPrt.exe" [2007-04-04 1603152]
"SSBkgdUpdate"="c:\program files\Common Files\Scansoft Shared\SSBkgdUpdate\SSBkgdupdate.exe" [2006-10-25 210472]
"OpwareSE4"="c:\program files\ScanSoft\OmniPageSE4\OpwareSE4.exe" [2007-02-04 79400]
"IJNetworkScanUtility"="c:\program files\Canon\Canon IJ Network Scan Utility\CNMNSUT.EXE" [2007-05-21 124512]
"TkBellExe"="c:\program files\Common Files\Real\Update_OB\realsched.exe" [2009-10-13 198160]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2009-07-25 149280]
"Corel Photo Downloader"="c:\program files\Common Files\Corel\Corel PhotoDownloader\Corel Photo Downloader.exe" [2007-10-31 531784]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"DWQueuedReporting"="c:\progra~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" [2007-03-13 39264]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
Microsoft Office.lnk - c:\program files\Microsoft Office\Office\OSA9.EXE [1999-2-17 65588]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-1478119072-2579398175-4031385270-1111\Scripts\Logon\0\0]
"Script"=\\hdc\netlogon\Proc.Printers.vbs

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-1478119072-2579398175-4031385270-1113\Scripts\Logon\0\0]
"Script"=\\hdc\NETLOGON\Proc.Power.VBS

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-1478119072-2579398175-4031385270-1113\Scripts\Logon\1\0]
"Script"=\\hdc\NETLOGON\ElincDash\ElincWKSDash.vbs

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-1478119072-2579398175-4031385270-1113\Scripts\Logon\2\0]
"Script"=\\hdc\netlogon\Proc.Display.VBS

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-1478119072-2579398175-4031385270-1113\Scripts\Logon\3\0]
"Script"=\\hdc\netlogon\Proc.Printers.vbs

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-1478119072-2579398175-4031385270-1113\Scripts\Logon\4\0]
"Script"=\\hdc\NETLOGON\Proc.Wallpaper.VBS

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-1478119072-2579398175-4031385270-1115\Scripts\Logon\0\0]
"Script"=\\hdc\NETLOGON\Proc.Power.VBS

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-1478119072-2579398175-4031385270-1115\Scripts\Logon\1\0]
"Script"=\\hdc\NETLOGON\ElincDash\ElincWKSDash.vbs

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-1478119072-2579398175-4031385270-1115\Scripts\Logon\2\0]
"Script"=\\hdc\netlogon\Proc.Display.VBS

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-1478119072-2579398175-4031385270-1115\Scripts\Logon\3\0]
"Script"=\\hdc\netlogon\Proc.Printers.vbs

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-1478119072-2579398175-4031385270-1115\Scripts\Logon\4\0]
"Script"=\\hdc\NETLOGON\Proc.Wallpaper.VBS

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WinDefend]
@="Service"

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\TrendFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"3389:TCP"= 3389:TCP:@xpsp2res.dll,-22009

R2 TmFilter;Trend Micro Filter;c:\program files\Trend Micro\Client Server Security Agent\TmXPFlt.sys [10/3/2007 5:01 PM 225296]
R2 TmPreFilter;Trend Micro PreFilter;c:\program files\Trend Micro\Client Server Security Agent\tmpreflt.sys [10/3/2007 5:01 PM 36368]
R2 WinDefend;Windows Defender;c:\program files\Windows Defender\MsMpEng.exe [11/3/2006 7:19 PM 13592]
S3 SupportAnyPC;SupportAnyPC Service;"c:\docume~1\ADMINI~1.GON\LOCALS~1\Temp\winvnc.exe" -service --> c:\docume~1\ADMINI~1.GON\LOCALS~1\Temp\winvnc.exe [?]
S3 TMPassthruMP;TMPassthruMP;c:\windows\system32\DRIVERS\TMPassthru.sys --> c:\windows\system32\DRIVERS\TMPassthru.sys [?]

--- Other Services/Drivers In Memory ---

*NewlyCreated* - MBR
*Deregistered* - mbr
.
Contents of the 'Scheduled Tasks' folder

2009-09-29 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-04-11 22:57]

2009-10-26 c:\windows\Tasks\MP Scheduled Scan.job
- c:\program files\Windows Defender\MpCmdRun.exe [2006-11-04 00:20]
.
.
------- Supplementary Scan -------
.
uInternet Settings,ProxyOverride = *.local
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-10-27 13:38
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(580)
c:\windows\system32\igfxdev.dll

- - - - - - - > 'lsass.exe'(636)
c:\program files\Bonjour\mdnsNSP.dll
.
Completion time: 2009-10-27 13:41
ComboFix-quarantined-files.txt 2009-10-27 18:41

Pre-Run: 11,707,928,576 bytes free
Post-Run: 14,416,125,952 bytes free

WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(2)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
multi(0)disk(0)rdisk(0)partition(2)\WINDOWS="Microsoft Windows XP Professional" /noexecute=optin /fastdetect

- - End Of File - - 20D44133357137F4210F38DBDD6ECD84

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 2:59:06 PM, on 10/27/2009
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP3 (6.00.2900.5512)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\WLTRYSVC.EXE
C:\WINDOWS\System32\bcmwltry.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Canon\IJPLM\IJPLMSVC.EXE
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Common Files\Motive\McciCMService.exe
C:\Program Files\Trend Micro\Client Server Security Agent\ntrtscan.exe
C:\WINDOWS\system32\PSIService.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Trend Micro\Client Server Security Agent\tmlisten.exe
C:\Program Files\Trend Micro\Client Server Security Agent\OfcPfwSvc.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\TEMP\UWE4B3.EXE
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\system32\hkcmd.exe
C:\WINDOWS\system32\igfxpers.exe
C:\WINDOWS\system32\igfxsrvc.exe
C:\WINDOWS\system32\WLTRAY.exe
C:\Program Files\Windows Defender\MSASCui.exe
C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe
C:\Program Files\Trend Micro\Client Server Security Agent\pccntmon.exe
C:\Program Files\QuickTime\QTTask.exe
C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Corel\Corel Paint Shop Pro Photo X2\CorelIOMonitor.exe
C:\Program Files\Canon\MyPrinter\BJMyPrt.exe
C:\Program Files\ScanSoft\OmniPageSE4\OpwareSE4.exe
C:\Program Files\Canon\Canon IJ Network Scan Utility\CNMNSUT.EXE
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\Program Files\Common Files\Corel\Corel PhotoDownloader\Corel Photo Downloader.exe
C:\Program Files\OLYMPUS\OLYMPUS Master\Monitor.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Microsoft Office\Office\1033\msoffice.exe
C:\Documents and Settings\Administrator.GONPH\Desktop\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft....k/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft....k/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft....k/?LinkId=54896
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: RealPlayer Download and Record Plugin for Internet Explorer - {3049C3E9-B461-4BC5-8870-4C09146192CA} - c:\program files\real\realplayer\rpbrowserrecordplugin.dll
O2 - BHO: Java™ Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O4 - HKLM\..\Run: [igfxtray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [igfxhkcmd] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [igfxpers] C:\WINDOWS\system32\igfxpers.exe
O4 - HKLM\..\Run: [Broadcom Wireless Manager UI] C:\WINDOWS\system32\WLTRAY.exe
O4 - HKLM\..\Run: [Windows Defender] "C:\Program Files\Windows Defender\MSASCui.exe" -hide
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [OfficeScanNT Monitor] "C:\Program Files\Trend Micro\Client Server Security Agent\pccntmon.exe" -HideWindow
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [OM_Monitor] C:\Program Files\OLYMPUS\OLYMPUS Master\FirstStart.exe
O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe"
O4 - HKLM\..\Run: [AppleSyncNotifier] C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleSyncNotifier.exe
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [Corel File Shell Monitor] C:\Program Files\Corel\Corel Paint Shop Pro Photo X2\CorelIOMonitor.exe
O4 - HKLM\..\Run: [CanonSolutionMenu] C:\Program Files\Canon\SolutionMenu\CNSLMAIN.exe /logon
O4 - HKLM\..\Run: [CanonMyPrinter] C:\Program Files\Canon\MyPrinter\BJMyPrt.exe /logon
O4 - HKLM\..\Run: [SSBkgdUpdate] "C:\Program Files\Common Files\Scansoft Shared\SSBkgdUpdate\SSBkgdupdate.exe" -Embedding -boot
O4 - HKLM\..\Run: [OpwareSE4] "C:\Program Files\ScanSoft\OmniPageSE4\OpwareSE4.exe"
O4 - HKLM\..\Run: [IJNetworkScanUtility] C:\Program Files\Canon\Canon IJ Network Scan Utility\CNMNSUT.EXE
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"
O4 - HKLM\..\Run: [Corel Photo Downloader] "C:\Program Files\Common Files\Corel\Corel PhotoDownloader\Corel Photo Downloader.exe" -startup
O4 - HKCU\..\Run: [OM_Monitor] C:\Program Files\OLYMPUS\OLYMPUS Master\Monitor.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKUS\S-1-5-18\..\Run: [DWQueuedReporting] "c:\PROGRA~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" -t (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [DWQueuedReporting] "c:\PROGRA~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" -t (User 'Default user')
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {406B5949-7190-4245-91A9-30A17DE16AD0} (Snapfish Activia) - http://www.costcopho...stcoActivia.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.micros...b?1238536702538
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.micros...b?1238536693768
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = GONPH.local
O17 - HKLM\Software\..\Telephony: DomainName = GONPH.local
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = GONPH.local
O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: PIXMA Extended Survey Program (IJPLMSVC) - Unknown owner - C:\Program Files\Canon\IJPLM\IJPLMSVC.EXE
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: McciCMService - Motive Communications, Inc. - C:\Program Files\Common Files\Motive\McciCMService.exe
O23 - Service: Trend Micro Client/Server Security Agent RealTime Scan (ntrtscan) - Trend Micro Inc. - C:\Program Files\Trend Micro\Client Server Security Agent\ntrtscan.exe
O23 - Service: Trend Micro Client/Server Security Agent Personal Firewall (OfcPfwSvc) - Trend Micro Inc. - C:\Program Files\Trend Micro\Client Server Security Agent\OfcPfwSvc.exe
O23 - Service: ProtexisLicensing - Unknown owner - C:\WINDOWS\system32\PSIService.exe
O23 - Service: SupportAnyPC Service (SupportAnyPC) - Unknown owner - C:\DOCUME~1\ADMINI~1.GON\LOCALS~1\Temp\winvnc.exe (file missing)
O23 - Service: Trend Micro Client/Server Security Agent Listener (tmlisten) - Trend Micro Inc. - C:\Program Files\Trend Micro\Client Server Security Agent\tmlisten.exe
O23 - Service: Dell Wireless WLAN Tray Service (wltrysvc) - Unknown owner - C:\WINDOWS\System32\WLTRYSVC.EXE

--
End of file - 8635 bytes

Computer is about the same. Still getting pop ups under one user. On the last pop up, when I closed it, IE tried to shut down.
The following info was given as to what was running when it crashed.

File: Flash 10c.OCX
Company: Adobe Systems Incorporated
Description: Adobe Flash Player

One other thing I have noticed that I forgot to mention last night is that when checking my Yahoo mail as that same user, it will frequently hang up and not let me view the next message, or do anything. Yahoo operates fine from other computers, and for other users on this computer.

Thanks

#8 LDTate
  • Forum God
  • Root Admin
  • 57,180 posts

Posted 27 October 2009 - 06:59 PM

Copy/paste the text in the Codebox below into notepad:

Here's how to do that:
Click Start > Run type Notepad click OK.
This will open an empty notepad file:

Take your mouse, and place your cursor at the beginning of the text in the box below, then click and hold the left mouse button, while pulling your mouse over the text. This should highlight the text. Now release the left mouse button. Now, with the cursor over the highlighted text, right click the mouse for options, and select 'copy'. Now over the empty Notepad box, right click your mouse again, and select 'paste' and you will have copied and pasted the text.

File::
c:\program files\lapinira

Folder::
c:\program files\yuhodose
c:\program files\rujidovo
c:\program files\kuvalepi
c:\program files\sodubudu
c:\program files\wiwuzoza
c:\program files\bunijufu
c:\program files\zowagoya
c:\program files\hodisuye
c:\program files\ERUNT
c:\program files\napuruya
c:\program files\kujonage
c:\program files\vazudufa
c:\program files\vujikuro
c:\program files\jonutunu
c:\program files\gadataji
c:\program files\yotenodo
c:\program files\tejoluze
c:\program files\buyenayo
c:\program files\wapizime
c:\program files\giruwili
c:\program files\bihofiye
c:\program files\yeyanido
c:\program files\wojidiko
c:\program files\ziwupidu
c:\program files\mupitera
c:\program files\vedofumu
c:\program files\veyekuke
c:\program files\jozuwitu
c:\program files\jivatusi
c:\program files\kowogepu
c:\program files\peritohu
c:\program files\titodopu
c:\program files\musikobe
c:\program files\godidusa
c:\program files\zopiwaka
c:\program files\lujurepu
c:\program files\milutamo
c:\program files\mezivado
c:\program files\tamereba
c:\program files\ruwayida
c:\program files\bumohupi
c:\program files\keyiguvu
c:\program files\tehumihe
c:\program files\kidodize
c:\program files\hewuhevi
c:\program files\lohasaru
c:\program files\linogino
c:\program files\mibewoja
c:\program files\fumupofo
c:\program files\dudeheru
c:\program files\punawuwu
c:\program files\kafawagi
c:\program files\bozuneyi
c:\program files\sadotawa
c:\program files\rivenape
c:\program files\mafopiwo

Save this file to your desktop. Save it as "CFScript".

Here's how to do that:
1. Click File;
2. Click Save As... Change the directory to your desktop;
3. Change the Save as type to "All Files";
4. Type in the file name: CFScript
5. Click Save ...



Drag CFScript.txt into ComboFix.exe

Then post the results log and a new HijackThis log.


Also please describe how your computer behaves at the moment.

The forum is run by volunteers who donate their time and expertise.

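As an added illustration (not code from the helper's post and not part of ComboFix), here is a small Python triage helper that parses ComboFix file-listing lines like the ones in the log above, flags entries directly under c:\program files whose name is eight lowercase letters, groups them by creation minute, and renders them into the File:: / Folder:: CFScript layout used in the instructions. The eight-letter name heuristic is an assumption chosen to match the pattern in this log, and the sample lines are copied from the posted log with two benign entries included to show what is not flagged.

```python
"""Added example: triage helper for ComboFix file-listing lines.

Not ComboFix's own code and not from the helper's post. The
eight-lowercase-letter heuristic is an assumption chosen to fit the
pattern in the posted log, not a rule built into ComboFix.
"""
import re
from collections import defaultdict
from dataclasses import dataclass
from typing import Dict, List, Optional

# One ComboFix "Files Created" / "Find3M" line has the shape:
#   <created> . <modified> <size-or-dashes> <attrs> <path>
LINE_RE = re.compile(
    r"^(\d{4}-\d{2}-\d{2} \d{2}:\d{2}) \. "
    r"(\d{4}-\d{2}-\d{2} \d{2}:\d{2}) (\S+) (\S{8}) (.+)$"
)
# Heuristic (assumption): eight lowercase letters directly under c:\program files.
SUSPECT_RE = re.compile(r"^c:\\program files\\([a-z]{8})$")

# Lines copied from the ComboFix output posted above, plus benign entries
# (Malwarebytes, ERUNT, Java) from the same log to show what is NOT flagged.
SAMPLE_LOG = r"""
2009-10-27 14:43 . 2009-10-27 14:43 -------- d-----w- c:\program files\yuhodose
2009-10-27 14:43 . 2009-10-27 14:43 -------- d-----w- c:\program files\rujidovo
2009-10-26 23:09 . 2009-09-10 19:54 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2009-10-26 23:09 . 2009-10-27 12:22 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2009-10-21 16:36 . 2009-10-21 16:37 -------- d-----w- c:\program files\ERUNT
2009-10-21 12:32 . 2009-10-27 14:43 -------- d-----w- c:\program files\napuruya
2009-10-27 18:10 . 2009-07-09 15:49 11168 ---ha-w- c:\program files\lapinira
2009-10-13 21:33 . 2007-10-12 18:36 -------- d-----w- c:\program files\Java
"""


@dataclass
class Entry:
    created: str          # first timestamp: creation time
    modified: str         # second timestamp: last write time
    size: Optional[int]   # None when ComboFix prints "--------" (directories)
    attrs: str            # e.g. d-----w-, ----a-w-, ---ha-w-
    path: str

    @property
    def is_dir(self) -> bool:
        return self.attrs.startswith("d")

    @property
    def name(self) -> str:
        return self.path.rsplit("\\", 1)[-1]


def parse_lines(text: str) -> List[Entry]:
    """Parse every file-listing line; section headers and blanks are skipped."""
    entries: List[Entry] = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        created, modified, size, attrs, path = m.groups()
        entries.append(Entry(created, modified,
                             None if size.startswith("-") else int(size),
                             attrs, path))
    return entries


def suspect_entries(entries: List[Entry]) -> List[Entry]:
    """Keep only entries whose path matches the random-name heuristic."""
    return [e for e in entries if SUSPECT_RE.match(e.path)]


def creation_batches(entries: List[Entry]) -> Dict[str, List[str]]:
    """Group flagged names by creation minute; the posted log shows the
    folders appearing two or three at a time within the same minute."""
    batches: Dict[str, List[str]] = defaultdict(list)
    for e in entries:
        batches[e.created].append(e.name)
    return dict(batches)


def render_cfscript(entries: List[Entry]) -> str:
    """Emit File:: and Folder:: sections in the layout used in the post above:
    plain files go under File::, directories under Folder::."""
    files = sorted(e.path for e in entries if not e.is_dir)
    folders = sorted(e.path for e in entries if e.is_dir)
    out: List[str] = []
    if files:
        out.append("File::")
        out.extend(files)
        out.append("")
    if folders:
        out.append("Folder::")
        out.extend(folders)
        out.append("")
    return "\n".join(out)


if __name__ == "__main__":
    flagged = suspect_entries(parse_lines(SAMPLE_LOG))
    for minute, names in sorted(creation_batches(flagged).items()):
        print(f"{minute}: {', '.join(names)}")
    print(render_cfscript(flagged))
```

Review the flagged list by hand before using it; a name-pattern heuristic is a triage aid, not proof that a folder is malicious.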


#9 83valentine
  • Authentic Member
  • 112 posts

Posted 28 October 2009 - 09:52 AM

ComboFix 09-10-27.07 - Administrator 10/28/2009 9:07.2.1 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.510.203 [GMT -5:00]
Running from: c:\documents and settings\Administrator.GONPH\Desktop\ComboFix.exe
Command switches used :: c:\documents and settings\Administrator.GONPH\Desktop\CFScript.txt
FW: Trend Micro Client-Server Security Agent Firewall *disabled* {31A6C61D-FF74-442B-8367-3CBD397BB4F9}

FILE ::
"c:\program files\lapinira"
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\program files\bihofiye
c:\program files\bihofiye\bihofiye.dll.tmp
c:\program files\bozuneyi
c:\program files\bozuneyi\bozuneyi.dll.tmp
c:\program files\bumohupi
c:\program files\bumohupi\bumohupi.dll.tmp
c:\program files\bunijufu
c:\program files\bunijufu\bunijufu.dll
c:\program files\buyenayo
c:\program files\buyenayo\buyenayo.exe
c:\program files\dudeheru
c:\program files\dudeheru\dudeheru.dll
c:\program files\ERUNT
c:\program files\ERUNT\AUTOBACK.EXE
c:\program files\ERUNT\ERDNT.E_E
c:\program files\ERUNT\ERDNTDOS.LOC
c:\program files\ERUNT\ERDNTWIN.LOC
c:\program files\ERUNT\ERUNT.EXE
c:\program files\ERUNT\ERUNT.LOC
c:\program files\ERUNT\ERUNT.URL
c:\program files\ERUNT\LIESMICH.TXT
c:\program files\ERUNT\LOC_GER.ZIP
c:\program files\ERUNT\NTREGOPT.EXE
c:\program files\ERUNT\NTREGOPT.LOC
c:\program files\ERUNT\README.TXT
c:\program files\ERUNT\unins000.dat
c:\program files\ERUNT\unins000.exe
c:\program files\fumupofo
c:\program files\fumupofo\fumupofo.dll
c:\program files\gadataji
c:\program files\gadataji\gadataji.dll
c:\program files\giruwili
c:\program files\giruwili\giruwili.dll.tmp
c:\program files\godidusa
c:\program files\godidusa\godidusa.exe
c:\program files\hewuhevi
c:\program files\hewuhevi\hewuhevi.dll
c:\program files\hodisuye
c:\program files\jivatusi
c:\program files\jivatusi\jivatusi.dll.tmp
c:\program files\jonutunu
c:\program files\jonutunu\jonutunu.dll
c:\program files\jozuwitu
c:\program files\jozuwitu\jozuwitu.dll.tmp
c:\program files\kafawagi
c:\program files\kafawagi\kafawagi.dll.tmp
c:\program files\keyiguvu
c:\program files\kidodize
c:\program files\kidodize\kidodize.exe
c:\program files\kowogepu
c:\program files\kowogepu\kowogepu.dll.tmp
c:\program files\kujonage
c:\program files\kujonage\kujonage.dll.tmp
c:\program files\kuvalepi
c:\program files\kuvalepi\kuvalepi.dll
c:\program files\lapinira
c:\program files\linogino
c:\program files\linogino\linogino.dll
c:\program files\lohasaru
c:\program files\lohasaru\lohasaru.dll
c:\program files\lujurepu
c:\program files\mafopiwo
c:\program files\mafopiwo\mafopiwo.dll
c:\program files\mezivado
c:\program files\mezivado\mezivado.dll
c:\program files\mibewoja
c:\program files\mibewoja\mibewoja.exe
c:\program files\milutamo
c:\program files\mupitera
c:\program files\mupitera\mupitera.dll
c:\program files\musikobe
c:\program files\musikobe\musikobe.dll
c:\program files\napuruya
c:\program files\napuruya\napuruya.dll.tmp
c:\program files\peritohu
c:\program files\punawuwu
c:\program files\punawuwu\punawuwu.dll.tmp
c:\program files\rivenape
c:\program files\rujidovo
c:\program files\rujidovo\rujidovo.dll
c:\program files\ruwayida
c:\program files\ruwayida\ruwayida.dll.tmp
c:\program files\sadotawa
c:\program files\sadotawa\sadotawa.dll
c:\program files\sodubudu
c:\program files\sodubudu\sodubudu.dll
c:\program files\tamereba
c:\program files\tamereba\tamereba.dll.tmp
c:\program files\tehumihe
c:\program files\tehumihe\tehumihe.dll
c:\program files\tejoluze
c:\program files\tejoluze\tejoluze.dll
c:\program files\titodopu
c:\program files\titodopu\titodopu.dll
c:\program files\vazudufa
c:\program files\vazudufa\vazudufa.dll.tmp
c:\program files\vedofumu
c:\program files\veyekuke
c:\program files\veyekuke\veyekuke.dll
c:\program files\vujikuro
c:\program files\vujikuro\vujikuro.dll
c:\program files\wapizime
c:\program files\wapizime\wapizime.dll.tmp
c:\program files\wiwuzoza
c:\program files\wiwuzoza\wiwuzoza.dll
c:\program files\wojidiko
c:\program files\yeyanido
c:\program files\yotenodo
c:\program files\yotenodo\yotenodo.dll
c:\program files\yuhodose
c:\program files\yuhodose\yuhodose.dll
c:\program files\ziwupidu
c:\program files\ziwupidu\ziwupidu.dll
c:\program files\zopiwaka
c:\program files\zopiwaka\zopiwaka.dll
c:\program files\zowagoya
c:\program files\zowagoya\zowagoya.dll

.
((((((((((((((((((((((((( Files Created from 2009-09-28 to 2009-10-28 )))))))))))))))))))))))))))))))
.

2009-10-26 23:10 . 2009-10-26 23:10 -------- d-----w- c:\documents and settings\Administrator.GONPH\Application Data\Malwarebytes
2009-10-26 23:09 . 2009-09-10 19:54 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2009-10-26 23:09 . 2009-10-26 23:09 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
2009-10-26 23:09 . 2009-09-10 19:53 19160 ----a-w- c:\windows\system32\drivers\mbam.sys
2009-10-26 23:09 . 2009-10-27 12:22 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2009-10-20 20:51 . 2009-10-20 20:51 -------- d-----w- c:\documents and settings\ElincAdmin\Local Settings\Application Data\Scansoft
2009-10-20 20:51 . 2009-10-20 20:51 -------- d-----w- c:\documents and settings\ElincAdmin\Local Settings\Application Data\Apple Computer
2009-10-20 20:51 . 2009-10-20 20:51 -------- d-----w- c:\documents and settings\ElincAdmin\Application Data\Xerox
2009-10-20 15:58 . 2009-10-20 15:58 -------- d-----w- c:\documents and settings\tech\Local Settings\Application Data\Adobe
2009-10-16 16:14 . 2009-10-16 16:14 -------- d-----w- c:\documents and settings\tech\Local Settings\Application Data\Identities
2009-10-14 20:31 . 2009-10-14 20:31 -------- d-s---w- c:\documents and settings\tech\UserData
2009-10-13 16:00 . 2009-10-13 16:00 -------- d-----w- c:\program files\Common Files\xing shared
2009-10-09 22:29 . 2009-10-09 22:29 -------- d-----w- c:\documents and settings\All Users\Application Data\Office Genuine Advantage
2009-10-09 20:27 . 2009-06-21 21:44 153088 -c----w- c:\windows\system32\dllcache\triedit.dll
2009-10-09 20:24 . 2009-07-10 13:27 1315328 -c----w- c:\windows\system32\dllcache\msoe.dll
2009-10-09 20:19 . 2009-03-06 14:22 284160 -c----w- c:\windows\system32\dllcache\pdh.dll
2009-10-09 20:19 . 2009-02-09 12:10 401408 -c----w- c:\windows\system32\dllcache\rpcss.dll
2009-10-09 20:19 . 2009-02-09 12:10 473600 -c----w- c:\windows\system32\dllcache\fastprox.dll
2009-10-09 20:19 . 2009-02-06 11:11 110592 -c----w- c:\windows\system32\dllcache\services.exe
2009-10-09 20:19 . 2009-02-06 10:10 227840 -c----w- c:\windows\system32\dllcache\wmiprvse.exe
2009-10-09 20:19 . 2009-06-25 08:25 730112 -c----w- c:\windows\system32\dllcache\lsasrv.dll
2009-10-09 20:19 . 2009-02-09 12:10 617472 -c----w- c:\windows\system32\dllcache\advapi32.dll
2009-10-09 20:19 . 2009-02-09 12:10 453120 -c----w- c:\windows\system32\dllcache\wmiprvsd.dll
2009-10-09 20:19 . 2009-02-09 12:10 714752 -c----w- c:\windows\system32\dllcache\ntdll.dll
2009-10-09 20:19 . 2008-05-03 11:55 2560 ------w- c:\windows\system32\xpsp4res.dll
2009-10-09 20:19 . 2008-04-21 12:08 215552 -c----w- c:\windows\system32\dllcache\wordpad.exe
2009-10-03 07:23 . 2009-10-01 15:29 195440 ------w- c:\windows\system32\MpSigStub.exe

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-10-27 18:17 . 2007-10-03 17:42 -------- d--h--w- c:\program files\InstallShield Installation Information
2009-10-27 18:17 . 2007-10-03 22:01 -------- d-----w- c:\program files\Trend Micro
2009-10-20 20:51 . 2007-10-04 16:04 17896 ----a-w- c:\documents and settings\ElincAdmin\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2009-10-13 21:33 . 2007-10-12 18:36 -------- d-----w- c:\program files\Java
2009-10-13 16:01 . 2007-12-14 13:15 -------- d-----w- c:\program files\Common Files\Real
2009-10-09 20:50 . 2009-01-02 20:56 -------- d-----w- c:\program files\Microsoft Silverlight
2009-09-21 18:02 . 2009-01-19 20:05 -------- d-----w- c:\documents and settings\All Users\Application Data\CanonIJPLM
2009-08-05 09:01 . 2004-08-04 12:00 204800 ----a-w- c:\windows\system32\mswebdvd.dll
2009-08-03 20:07 . 2009-08-03 20:07 403816 ----a-w- c:\windows\system32\OGACheckControl.dll
2009-08-03 20:07 . 2009-08-03 20:07 322928 ----a-w- c:\windows\system32\OGAAddin.dll
2009-08-03 20:07 . 2009-08-03 20:07 230768 ----a-w- c:\windows\system32\OGAEXEC.exe
2007-11-04 22:54 . 2007-11-04 22:07 88 --sh--r- c:\windows\system32\42527287DC.sys
2009-07-21 19:37 . 2007-10-03 23:54 4704 --sha-w- c:\windows\system32\KGyGaAvL.sys
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"OM_Monitor"="c:\program files\OLYMPUS\OLYMPUS Master\Monitor.exe" [2006-05-16 57344]
"MSMSGS"="c:\program files\Messenger\msmsgs.exe" [2008-04-14 1695232]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"igfxtray"="c:\windows\system32\igfxtray.exe" [2005-09-20 94208]
"igfxhkcmd"="c:\windows\system32\hkcmd.exe" [2005-09-20 77824]
"igfxpers"="c:\windows\system32\igfxpers.exe" [2005-09-20 114688]
"Broadcom Wireless Manager UI"="c:\windows\system32\WLTRAY.exe" [2006-11-01 1392640]
"Windows Defender"="c:\program files\Windows Defender\MSASCui.exe" [2006-11-04 866584]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2007-05-11 40048]
"OfficeScanNT Monitor"="c:\program files\Trend Micro\Client Server Security Agent\pccntmon.exe" [2005-11-03 372813]
"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2008-05-27 413696]
"OM_Monitor"="c:\program files\OLYMPUS\OLYMPUS Master\FirstStart.exe" [2006-05-16 40960]
"AdaptecDirectCD"="c:\program files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe" [2002-12-17 684032]
"AppleSyncNotifier"="c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleSyncNotifier.exe" [2008-07-23 116040]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2008-07-30 289064]
"Corel File Shell Monitor"="c:\program files\Corel\Corel Paint Shop Pro Photo X2\CorelIOMonitor.exe" [2007-10-31 16200]
"CanonSolutionMenu"="c:\program files\Canon\SolutionMenu\CNSLMAIN.exe" [2007-05-15 644696]
"CanonMyPrinter"="c:\program files\Canon\MyPrinter\BJMyPrt.exe" [2007-04-04 1603152]
"SSBkgdUpdate"="c:\program files\Common Files\Scansoft Shared\SSBkgdUpdate\SSBkgdupdate.exe" [2006-10-25 210472]
"OpwareSE4"="c:\program files\ScanSoft\OmniPageSE4\OpwareSE4.exe" [2007-02-04 79400]
"IJNetworkScanUtility"="c:\program files\Canon\Canon IJ Network Scan Utility\CNMNSUT.EXE" [2007-05-21 124512]
"TkBellExe"="c:\program files\Common Files\Real\Update_OB\realsched.exe" [2009-10-13 198160]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2009-07-25 149280]
"Corel Photo Downloader"="c:\program files\Common Files\Corel\Corel PhotoDownloader\Corel Photo Downloader.exe" [2007-10-31 531784]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"DWQueuedReporting"="c:\progra~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" [2007-03-13 39264]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
Microsoft Office.lnk - c:\program files\Microsoft Office\Office\OSA9.EXE [1999-2-17 65588]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-1478119072-2579398175-4031385270-1111\Scripts\Logon\0\0]
"Script"=\\hdc\netlogon\Proc.Printers.vbs

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-1478119072-2579398175-4031385270-1113\Scripts\Logon\0\0]
"Script"=\\hdc\NETLOGON\Proc.Power.VBS

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-1478119072-2579398175-4031385270-1113\Scripts\Logon\1\0]
"Script"=\\hdc\NETLOGON\ElincDash\ElincWKSDash.vbs

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-1478119072-2579398175-4031385270-1113\Scripts\Logon\2\0]
"Script"=\\hdc\netlogon\Proc.Display.VBS

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-1478119072-2579398175-4031385270-1113\Scripts\Logon\3\0]
"Script"=\\hdc\netlogon\Proc.Printers.vbs

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-1478119072-2579398175-4031385270-1113\Scripts\Logon\4\0]
"Script"=\\hdc\NETLOGON\Proc.Wallpaper.VBS

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-1478119072-2579398175-4031385270-1115\Scripts\Logon\0\0]
"Script"=\\hdc\NETLOGON\Proc.Power.VBS

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-1478119072-2579398175-4031385270-1115\Scripts\Logon\1\0]
"Script"=\\hdc\NETLOGON\ElincDash\ElincWKSDash.vbs

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-1478119072-2579398175-4031385270-1115\Scripts\Logon\2\0]
"Script"=\\hdc\netlogon\Proc.Display.VBS

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-1478119072-2579398175-4031385270-1115\Scripts\Logon\3\0]
"Script"=\\hdc\netlogon\Proc.Printers.vbs

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-1478119072-2579398175-4031385270-1115\Scripts\Logon\4\0]
"Script"=\\hdc\NETLOGON\Proc.Wallpaper.VBS

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WinDefend]
@="Service"

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\TrendFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"3389:TCP"= 3389:TCP:@xpsp2res.dll,-22009

R2 TmFilter;Trend Micro Filter;c:\program files\Trend Micro\Client Server Security Agent\TmXPFlt.sys [10/3/2007 5:01 PM 225296]
R2 TmPreFilter;Trend Micro PreFilter;c:\program files\Trend Micro\Client Server Security Agent\tmpreflt.sys [10/3/2007 5:01 PM 36368]
S3 TMPassthruMP;TMPassthruMP;c:\windows\system32\DRIVERS\TMPassthru.sys --> c:\windows\system32\DRIVERS\TMPassthru.sys [?]

--- Other Services/Drivers In Memory ---

*Deregistered* - mbr
.
Contents of the 'Scheduled Tasks' folder

2009-09-29 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-04-11 22:57]

2009-10-28 c:\windows\Tasks\MP Scheduled Scan.job
- c:\program files\Windows Defender\MpCmdRun.exe [2006-11-04 00:20]
.
.
------- Supplementary Scan -------
.
uInternet Settings,ProxyOverride = *.local
.
- - - - ORPHANS REMOVED - - - -

AddRemove-ERUNT_is1 - c:\program files\ERUNT\unins000.exe



**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-10-28 09:18
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'lsass.exe'(944)
c:\program files\Bonjour\mdnsNSP.dll
.
Completion time: 2009-10-28 9:22
ComboFix-quarantined-files.txt 2009-10-28 14:22
ComboFix2.txt 2009-10-27 19:49

Pre-Run: 14,325,358,592 bytes free
Post-Run: 14,320,005,120 bytes free

- - End Of File - - F86279B004BF9A774DB8E98E257485BF

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 9:24:14 AM, on 10/28/2009
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP3 (6.00.2900.5512)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\bcmwltry.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Canon\IJPLM\IJPLMSVC.EXE
C:\Program Files\Common Files\Motive\McciCMService.exe
C:\Program Files\Trend Micro\Client Server Security Agent\ntrtscan.exe
C:\WINDOWS\system32\PSIService.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Trend Micro\Client Server Security Agent\tmlisten.exe
C:\Program Files\Trend Micro\Client Server Security Agent\OfcPfwSvc.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\system32\hkcmd.exe
C:\WINDOWS\system32\igfxsrvc.exe
C:\WINDOWS\system32\igfxpers.exe
C:\WINDOWS\system32\WLTRAY.exe
C:\Program Files\Windows Defender\MSASCui.exe
C:\Program Files\Trend Micro\Client Server Security Agent\pccntmon.exe
C:\Program Files\QuickTime\QTTask.exe
C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Corel\Corel Paint Shop Pro Photo X2\CorelIOMonitor.exe
C:\Program Files\Canon\MyPrinter\BJMyPrt.exe
C:\Program Files\ScanSoft\OmniPageSE4\OpwareSE4.exe
C:\Program Files\Canon\Canon IJ Network Scan Utility\CNMNSUT.EXE
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Common Files\Corel\Corel PhotoDownloader\Corel Photo Downloader.exe
C:\Program Files\OLYMPUS\OLYMPUS Master\Monitor.exe
C:\Program Files\Microsoft Office\Office\1033\msoffice.exe
C:\WINDOWS\explorer.exe
C:\Documents and Settings\Administrator.GONPH\Desktop\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft....k/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft....k/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft....k/?LinkId=54896
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: RealPlayer Download and Record Plugin for Internet Explorer - {3049C3E9-B461-4BC5-8870-4C09146192CA} - c:\program files\real\realplayer\rpbrowserrecordplugin.dll
O2 - BHO: Java™ Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O4 - HKLM\..\Run: [igfxtray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [igfxhkcmd] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [igfxpers] C:\WINDOWS\system32\igfxpers.exe
O4 - HKLM\..\Run: [Broadcom Wireless Manager UI] C:\WINDOWS\system32\WLTRAY.exe
O4 - HKLM\..\Run: [Windows Defender] "C:\Program Files\Windows Defender\MSASCui.exe" -hide
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [OfficeScanNT Monitor] "C:\Program Files\Trend Micro\Client Server Security Agent\pccntmon.exe" -HideWindow
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [OM_Monitor] C:\Program Files\OLYMPUS\OLYMPUS Master\FirstStart.exe
O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe"
O4 - HKLM\..\Run: [AppleSyncNotifier] C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleSyncNotifier.exe
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [Corel File Shell Monitor] C:\Program Files\Corel\Corel Paint Shop Pro Photo X2\CorelIOMonitor.exe
O4 - HKLM\..\Run: [CanonSolutionMenu] C:\Program Files\Canon\SolutionMenu\CNSLMAIN.exe /logon
O4 - HKLM\..\Run: [CanonMyPrinter] C:\Program Files\Canon\MyPrinter\BJMyPrt.exe /logon
O4 - HKLM\..\Run: [SSBkgdUpdate] "C:\Program Files\Common Files\Scansoft Shared\SSBkgdUpdate\SSBkgdupdate.exe" -Embedding -boot
O4 - HKLM\..\Run: [OpwareSE4] "C:\Program Files\ScanSoft\OmniPageSE4\OpwareSE4.exe"
O4 - HKLM\..\Run: [IJNetworkScanUtility] C:\Program Files\Canon\Canon IJ Network Scan Utility\CNMNSUT.EXE
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"
O4 - HKLM\..\Run: [Corel Photo Downloader] "C:\Program Files\Common Files\Corel\Corel PhotoDownloader\Corel Photo Downloader.exe" -startup
O4 - HKCU\..\Run: [OM_Monitor] C:\Program Files\OLYMPUS\OLYMPUS Master\Monitor.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKUS\S-1-5-18\..\Run: [DWQueuedReporting] "c:\PROGRA~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" -t (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [DWQueuedReporting] "c:\PROGRA~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" -t (User 'Default user')
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {406B5949-7190-4245-91A9-30A17DE16AD0} (Snapfish Activia) - http://www.costcopho...stcoActivia.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.micros...b?1238536702538
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.micros...b?1238536693768
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = GONPH.local
O17 - HKLM\Software\..\Telephony: DomainName = GONPH.local
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = GONPH.local
O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: PIXMA Extended Survey Program (IJPLMSVC) - Unknown owner - C:\Program Files\Canon\IJPLM\IJPLMSVC.EXE
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: McciCMService - Motive Communications, Inc. - C:\Program Files\Common Files\Motive\McciCMService.exe
O23 - Service: Trend Micro Client/Server Security Agent RealTime Scan (ntrtscan) - Trend Micro Inc. - C:\Program Files\Trend Micro\Client Server Security Agent\ntrtscan.exe
O23 - Service: Trend Micro Client/Server Security Agent Personal Firewall (OfcPfwSvc) - Trend Micro Inc. - C:\Program Files\Trend Micro\Client Server Security Agent\OfcPfwSvc.exe
O23 - Service: ProtexisLicensing - Unknown owner - C:\WINDOWS\system32\PSIService.exe
O23 - Service: SupportAnyPC Service (SupportAnyPC) - Unknown owner - C:\DOCUME~1\ADMINI~1.GON\LOCALS~1\Temp\winvnc.exe (file missing)
O23 - Service: Trend Micro Client/Server Security Agent Listener (tmlisten) - Trend Micro Inc. - C:\Program Files\Trend Micro\Client Server Security Agent\tmlisten.exe
O23 - Service: Dell Wireless WLAN Tray Service (wltrysvc) - Unknown owner - C:\WINDOWS\System32\WLTRYSVC.EXE

--
End of file - 8361 bytes


The computer seems to be running much better: no popups seen in 2 hrs of being online, and no problems with Yahoo.

#10 83valentine (Authentic Member, 112 posts)

Posted 28 October 2009 - 02:07 PM

One other new thing I have noticed is that when logging on to the user that was having problems, I get the following error: Error loading C:\Program Files\rujidovo\rujidovo.dll The specified module could not be found.


#11 LDTate (Forum God, Root Admin, 57,180 posts)

Posted 28 October 2009 - 02:12 PM

Are these scans run under that user's login?

The forum is run by volunteers who donate their time and expertise.

Want to help others? Join the ClassRoom and learn how.

Logs will be closed if you haven't replied within 3 days

 

If you would like to paypal.gif for the help you received.
 

Proud graduate of TC/WTT Classroom

 


#12 83valentine (Authentic Member, 112 posts)

Posted 28 October 2009 - 02:41 PM

No, they were run under Administrator.

#13 LDTate (Forum God, Root Admin, 57,180 posts)

Posted 28 October 2009 - 02:43 PM

Can you run a ComboFix scan under that user's login?


#14 83valentine (Authentic Member, 112 posts)

Posted 28 October 2009 - 02:52 PM

No. When I try to do it, it asks me which user I want to run it under. If I choose the current user, it says an error has occurred and locks up.

#15 LDTate (Forum God, Root Admin, 57,180 posts)

Posted 28 October 2009 - 02:56 PM

No. When I try to do it, it asks me which user I want to run it under. If I choose the current user, it says an error has occurred and locks up.

Did you login as that user?
Does this user have local administrator rights?
Are you running Active Directory?

