WE'RE SURE THAT YOU'LL LOVE US!

Hey there! :wub: Looks like you're enjoying the discussion, but you're not signed up for an account. When you create an account, we remember exactly what you've read, so you always come right back where you left off. You also get notifications, here and via email, whenever new posts are made. You can like posts to share the love. Join 93084 other members! Anybody can ask, anybody can answer. Consistently helpful members may be invited to become staff. Here's how it works. Virus cleanup? Start here -> Malware Removal Forum.

Try What the Tech -- It's free!

Javascript Disabled Detected

You currently have javascript disabled. Several functions may not work. Please re-enable javascript to access full functionality.

[Resolved] 9 trojans, a worm, and corrupt antivirus! Help!

Started by StormyHaze , Nov 04 2009 12:55 AM

Page 4 of 6
2
3
4
5
6

This topic is locked

89 replies to this topic

#46 chamber

G2G Staff

Authentic Member
140 posts

Posted 11 November 2009 - 11:24 AM

Ok, as it is in a Temp folder lets try this,

Please download ATF Cleaner by Atribune.
Double-click ATF-Cleaner.exe to run the program.
Under Main choose: Select All
Click the Empty Selected button.
If you use Firefox browserClick Firefox at the top and choose: Select All
Click the Empty Selected button.
NOTE: If you would like to keep your saved passwords, please click No at the prompt.
If you use Opera browserClick Opera at the top and choose: Select All
Click the Empty Selected button.
NOTE: If you would like to keep your saved passwords, please click No at the prompt.
Click Exit on the Main menu to close the program.
For Technical Support, double-click the e-mail address located at the bottom of each menu.

Then re try it

Posted Image

watch me and tremble, for I bring the purity of oblivion

Sudo apt-get me a sandwich!

Proud graduate of GeekU

If I have helped you, please consider a donation to help continue the fight against malware.

Advertisements

Register to Remove

#47 StormyHaze

Authentic Member

Authentic Member
50 posts

Posted 11 November 2009 - 05:20 PM

I decided to try to update MalwareBytes rigfht after I posted my last post. It actually updated correctly!! So I decided to run it. I did a full system scan and it actually ran all the way through without a problem! It ran FOREVER and found 85 items and successfully deleted them. I think we may have gotten somewhere! Here's the log. :-) Malwarebytes' Anti-Malware 1.41 Database version: 3147 Windows 5.1.2600 Service Pack 3 11/11/2009 6:15:46 PM mbam-log-2009-11-11 (18-15-46).txt Scan type: Full Scan (C:\|) Objects scanned: 286343 Time elapsed: 6 hour(s), 7 minute(s), 37 second(s) Memory Processes Infected: 0 Memory Modules Infected: 0 Registry Keys Infected: 0 Registry Values Infected: 2 Registry Data Items Infected: 8 Folders Infected: 1 Files Infected: 74 Memory Processes Infected: (No malicious items detected) Memory Modules Infected: (No malicious items detected) Registry Keys Infected: (No malicious items detected) Registry Values Infected: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\rundll32.exe (Trojan.Agent) -> Quarantined and deleted successfully. HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\wab (Trojan.Dropper) -> Quarantined and deleted successfully. Registry Data Items Infected: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Drivers32\aux1 (Hijack.Sound) -> Bad: (C:\DOCUME~1\WENNIN~1\APPLIC~1\MACROM~1\Common\ec0fe01c1.dll) Good: (wdmaud.drv) -> Quarantined and deleted successfully. HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Drivers32\aux2 (Hijack.Sound) -> Bad: (C:\DOCUME~1\WENNIN~1\APPLIC~1\MACROM~1\Common\ec0fe01c1.dll) Good: (wdmaud.drv) -> Quarantined and deleted successfully. HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Drivers32\midi1 (Hijack.Sound) -> Bad: (C:\DOCUME~1\WENNIN~1\APPLIC~1\MACROM~1\Common\ec0fe01c1.dll) Good: (wdmaud.drv) -> Quarantined and deleted successfully. HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Drivers32\midi2 (Hijack.Sound) -> Bad: (C:\DOCUME~1\WENNIN~1\APPLIC~1\MACROM~1\Common\ec0fe01c1.dll) Good: (wdmaud.drv) -> Quarantined and deleted successfully. HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Drivers32\mixer1 (Hijack.Sound) -> Bad: (C:\DOCUME~1\WENNIN~1\APPLIC~1\MACROM~1\Common\ec0fe01c1.dll) Good: (wdmaud.drv) -> Quarantined and deleted successfully. HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Drivers32\mixer2 (Hijack.Sound) -> Bad: (C:\DOCUME~1\WENNIN~1\APPLIC~1\MACROM~1\Common\ec0fe01c1.dll) Good: (wdmaud.drv) -> Quarantined and deleted successfully. HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Drivers32\wave1 (Hijack.Sound) -> Bad: (C:\DOCUME~1\WENNIN~1\APPLIC~1\MACROM~1\Common\ec0fe01c1.dll) Good: (wdmaud.drv) -> Quarantined and deleted successfully. HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Drivers32\wave2 (Hijack.Sound) -> Bad: (C:\DOCUME~1\WENNIN~1\APPLIC~1\MACROM~1\Common\ec0fe01c1.dll) Good: (wdmaud.drv) -> Quarantined and deleted successfully. Folders Infected: C:\Documents and Settings\HelpAssistant\Start Menu\Programs\AntivirusPro_2010 (Rogue.AntiVirusPro2010) -> Quarantined and deleted successfully. Files Infected: C:\Documents and Settings\HelpAssistant\Application Data\Macromedia\Common\ec0fe01c19.exe (Trojan.Riern) -> Quarantined and deleted successfully. C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP1\A0000001.exe (Trojan.Riern) -> Quarantined and deleted successfully. C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP1\A0000006.exe (Trojan.Riern) -> Quarantined and deleted successfully. C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP1\A0000086.exe (Rogue.Installer) -> Quarantined and deleted successfully. C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP1\A0000088.exe (Trojan.Riern) -> Quarantined and deleted successfully. C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP1\A0000272.exe (Trojan.Riern) -> Quarantined and deleted successfully. C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP1\A0000519.exe (Trojan.Riern) -> Quarantined and deleted successfully. C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP1\A0001516.exe (Trojan.Riern) -> Quarantined and deleted successfully. C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP1\A0001548.exe (Trojan.Riern) -> Quarantined and deleted successfully. C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP1\A0002516.exe (Trojan.Riern) -> Quarantined and deleted successfully. C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP1\A0002548.exe (Trojan.Riern) -> Quarantined and deleted successfully. C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP1\A0002888.exe (Rogue.Installer) -> Quarantined and deleted successfully. C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP1\A0002889.exe (Rogue.Installer) -> Quarantined and deleted successfully. C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP1\A0002890.exe (Trojan.Agent) -> Quarantined and deleted successfully. C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP1\A0002893.exe (Trojan.Riern) -> Quarantined and deleted successfully. C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP1\A0002917.exe (Trojan.Riern) -> Quarantined and deleted successfully. C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP1\A0002949.exe (Trojan.Riern) -> Quarantined and deleted successfully. C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP1\A0004129.exe (Trojan.Riern) -> Quarantined and deleted successfully. C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP1\A0004153.exe (Trojan.Riern) -> Quarantined and deleted successfully. C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP1\A0004185.exe (Trojan.Riern) -> Quarantined and deleted successfully. C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP1\A0004511.exe (Trojan.Riern) -> Quarantined and deleted successfully. C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP1\A0004551.exe (Trojan.Riern) -> Quarantined and deleted successfully. C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP1\A0004607.exe (Trojan.Riern) -> Quarantined and deleted successfully. C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP1\A0005575.exe (Trojan.Riern) -> Quarantined and deleted successfully. C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP1\A0006575.exe (Trojan.Riern) -> Quarantined and deleted successfully. C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP1\A0007575.exe (Trojan.Riern) -> Quarantined and deleted successfully. C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP1\A0007607.exe (Trojan.Riern) -> Quarantined and deleted successfully. C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP1\A0008575.exe (Trojan.Riern) -> Quarantined and deleted successfully. C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP1\A0008607.exe (Trojan.Riern) -> Quarantined and deleted successfully. C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP1\A0009575.exe (Trojan.Riern) -> Quarantined and deleted successfully. C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP1\A0009607.exe (Trojan.Riern) -> Quarantined and deleted successfully. C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP1\A0009978.exe (Trojan.Riern) -> Quarantined and deleted successfully. C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP1\A0009984.exe (Trojan.Riern) -> Quarantined and deleted successfully. C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP1\A0009990.exe (Trojan.Agent) -> Quarantined and deleted successfully. C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP1\A0010200.exe (Trojan.Riern) -> Quarantined and deleted successfully. C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP1\A0010213.exe (Trojan.Riern) -> Quarantined and deleted successfully. C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP1\A0010255.exe (Trojan.Riern) -> Quarantined and deleted successfully. C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP2\A0010618.exe (Trojan.Riern) -> Quarantined and deleted successfully. C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP3\A0010620.exe (Trojan.Riern) -> Quarantined and deleted successfully. C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP3\A0010635.sys (Rootkit.Agent) -> Quarantined and deleted successfully. C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP3\A0011208.exe (Trojan.Riern) -> Quarantined and deleted successfully. C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP3\A0011239.exe (Trojan.Riern) -> Quarantined and deleted successfully. C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP3\A0012208.exe (Trojan.Riern) -> Quarantined and deleted successfully. C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP3\A0012240.exe (Trojan.Riern) -> Quarantined and deleted successfully. C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP3\A0012582.exe (Trojan.Riern) -> Quarantined and deleted successfully. C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP3\A0012614.exe (Trojan.Riern) -> Quarantined and deleted successfully. C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP3\A0012958.exe (Trojan.Riern) -> Quarantined and deleted successfully. C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP3\A0012984.exe (Trojan.Riern) -> Quarantined and deleted successfully. C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP3\A0013018.sys (Rootkit.Agent) -> Quarantined and deleted successfully. C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP3\A0013084.exe (Trojan.Riern) -> Quarantined and deleted successfully. C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP4\A0013490.exe (Trojan.Riern) -> Quarantined and deleted successfully. C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP4\A0013523.exe (Trojan.Riern) -> Quarantined and deleted successfully. C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP4\A0013834.sys (Rootkit.Agent) -> Quarantined and deleted successfully. C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP4\A0014225.exe (Trojan.Riern) -> Quarantined and deleted successfully. C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP4\A0014264.exe (Trojan.Riern) -> Quarantined and deleted successfully. C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP4\A0015203.exe (Trojan.Riern) -> Quarantined and deleted successfully. C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP4\A0015235.exe (Trojan.Riern) -> Quarantined and deleted successfully. C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP4\A0015595.sys (Rootkit.Agent) -> Quarantined and deleted successfully. C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP5\A0015690.exe (Trojan.Riern) -> Quarantined and deleted successfully. C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP5\A0015774.sys (Rootkit.Agent) -> Quarantined and deleted successfully. C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP5\A0015836.exe (Trojan.Riern) -> Quarantined and deleted successfully. C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP5\A0015849.exe (Trojan.Riern) -> Quarantined and deleted successfully. C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP6\A0015861.exe (Trojan.Riern) -> Quarantined and deleted successfully. C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP6\A0015876.exe (Trojan.Riern) -> Quarantined and deleted successfully. C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP6\A0015896.sys (Rootkit.Agent) -> Quarantined and deleted successfully. C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP6\A0016055.sys (Rootkit.Agent) -> Quarantined and deleted successfully. C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP6\A0016095.exe (Trojan.Riern) -> Quarantined and deleted successfully. C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP6\A0016103.exe (Trojan.Riern) -> Quarantined and deleted successfully. C:\Combo-Fix\Combo-Fix.sys (Rootkit.Agent) -> Quarantined and deleted successfully. C:\Documents and Settings\HelpAssistant\Start Menu\Programs\AntivirusPro_2010\AntivirusPro_2010.lnk (Rogue.AntiVirusPro2010) -> Quarantined and deleted successfully. C:\Documents and Settings\HelpAssistant\Start Menu\Programs\AntivirusPro_2010\Uninstall.lnk (Rogue.AntiVirusPro2010) -> Quarantined and deleted successfully. C:\Documents and Settings\HelpAssistant\Application Data\Macromedia\Common\ec0fe01c1.dll (Hijack.Sound) -> Quarantined and deleted successfully. C:\Documents and Settings\Wenninger\Application Data\Macromedia\Common\ec0fe01c1.dll (Hijack.Sound) -> Quarantined and deleted successfully. C:\Documents and Settings\Wenninger\Application Data\Macromedia\Common\ec0fe01c19.exe (Trojan.Dropper) -> Quarantined and deleted successfully.

#48 StormyHaze

Authentic Member

Authentic Member
50 posts

Posted 11 November 2009 - 05:58 PM

Okay, I just ran ATF then tried to run OTS again. I got the same error as last time. :-( One step forward two steps back haha. Also, I have the little yellow shield in the task bar that says I need to install updates for the computer. Should I do that?

#49 chamber

G2G Staff

Authentic Member
140 posts

Posted 12 November 2009 - 02:08 AM

Ok, Delete the copy of ComboFix that you have and then redownload it. Run it again and post the log back here.

Posted Image

watch me and tremble, for I bring the purity of oblivion

Sudo apt-get me a sandwich!

Proud graduate of GeekU

If I have helped you, please consider a donation to help continue the fight against malware.

#50 StormyHaze

Authentic Member

Authentic Member
50 posts

Posted 12 November 2009 - 10:25 AM

ComboFix ran without a hitch as well! :-)

*Edited to add that Windows updated and restarted by itself last night after I went to bed. Just thought you should know that.

Here's the log:

ComboFix 09-11-11.02 - Wenninger 11/12/2009 10:32.5.1 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.511.253 [GMT -5:00]
Running from: c:\documents and settings\Wenninger\Desktop\ComboFix.exe
AV: Microsoft Security Essentials *On-access scanning disabled* (Updated) {BCF43643-A118-4432-AEDE-D861FCBCFCDF}
.

((((((((((((((((((((((((( Files Created from 2009-10-12 to 2009-11-12 )))))))))))))))))))))))))))))))
.

2009-11-11 23:30 . 2009-11-12 16:05 16384 ----a-w- c:\documents and settings\Wenninger\Application Data\Macromedia\Common\ec0fe01c19.exe
2009-11-11 23:30 . 2009-11-11 23:30 103424 ----a-w- c:\documents and settings\Wenninger\Application Data\Macromedia\Common\ec0fe01c1.dll
2009-11-10 18:51 . 2009-11-10 18:51 7168 ----a-w- c:\windows\system32\drivers\utqxodiz.sys
2009-11-08 02:58 . 2009-09-10 19:54 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2009-11-08 02:58 . 2009-11-08 02:58 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2009-11-08 02:58 . 2009-09-10 19:53 19160 ----a-w- c:\windows\system32\drivers\mbam.sys
2009-11-05 04:50 . 2009-11-05 04:50 -------- d-----w- c:\program files\ESET
2009-11-05 03:32 . 2009-11-03 01:42 195456 ------w- c:\windows\system32\MpSigStub.exe
2009-11-05 03:29 . 2009-11-05 03:30 -------- d-----w- c:\program files\Microsoft Security Essentials
2009-11-04 21:16 . 2008-04-14 00:12 50176 ----a-w- c:\windows\system32\proquota.exe
2009-11-04 18:48 . 2009-11-04 22:11 -------- d-----w- C:\Combo-Fix
2009-11-04 04:35 . 2009-11-04 04:35 -------- d-----w- c:\program files\ERUNT
2009-11-04 02:38 . 2009-11-04 02:38 -------- d-----w- c:\documents and settings\All Users\Application Data\Kaspersky Lab Setup Files
2009-11-04 02:32 . 2009-11-04 02:32 -------- d-----w- c:\program files\Windows Live Safety Center
2009-11-03 06:23 . 2009-11-03 06:23 -------- d-----w- c:\documents and settings\Wenninger\Application Data\AVG8
2009-11-03 03:30 . 2009-11-03 03:30 -------- d-----w- c:\documents and settings\NetworkService\Local Settings\Application Data\AOL
2009-11-02 19:32 . 2009-11-03 04:00 -------- d-----w- c:\program files\Panda Security
2009-11-02 09:37 . 2009-11-02 09:37 -------- d-----w- c:\documents and settings\Administrator.ALEVISSA\Local Settings\Application Data\AOL
2009-11-02 07:16 . 2009-11-07 20:34 -------- d-----w- c:\documents and settings\Wenninger\Application Data\Malwarebytes
2009-11-02 04:30 . 2009-11-02 04:30 -------- d-----w- c:\documents and settings\Administrator.ALEVISSA\Application Data\Malwarebytes
2009-11-02 04:29 . 2009-11-07 20:34 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
2009-11-02 04:22 . 2009-11-02 04:22 -------- d-sh--w- c:\documents and settings\Administrator.ALEVISSA\PrivacIE
2009-11-01 23:15 . 2009-11-02 01:30 -------- d-----w- c:\windows\BDOSCAN8
2009-11-01 07:40 . 2009-11-01 07:40 552 ----a-w- c:\windows\system32\d3d8caps.dat
2009-11-01 06:41 . 2009-11-01 06:41 -------- d-sh--w- c:\documents and settings\Administrator.ALEVISSA\IETldCache
2009-11-01 05:49 . 2009-11-01 05:49 -------- d-----w- c:\documents and settings\Administrator.ALEVISSA\Local Settings\Application Data\Shareaza
2009-11-01 05:49 . 2009-11-01 05:49 -------- d-----w- c:\documents and settings\Administrator.ALEVISSA\Application Data\Shareaza
2009-10-20 16:54 . 2009-10-20 16:54 59992 ----a-w- c:\documents and settings\All Users\Application Data\Kaspersky Lab Setup Files\Kaspersky Internet Security 2010 9.0.0.736\English\setup.exe

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-11-03 04:05 . 2008-06-25 18:15 -------- d-----w- c:\program files\Freecell Buddy Pogo
2009-11-03 04:02 . 2008-02-15 19:49 -------- d-----w- c:\program files\PokerStars
2009-11-03 02:41 . 2003-06-11 00:45 -------- d-----w- c:\program files\Common Files\aol
2009-11-02 09:59 . 2008-02-09 00:41 -------- d-----w- c:\documents and settings\All Users\Application Data\McAfee
2009-11-02 09:41 . 2005-11-17 22:25 139112 -c--a-w- c:\documents and settings\Administrator.ALEVISSA\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2009-09-11 14:18 . 2008-10-16 04:59 136192 ----a-w- c:\windows\system32\msv1_0.dll
2009-09-04 21:03 . 2002-09-03 16:44 58880 ----a-w- c:\windows\system32\msasn1.dll
2009-08-29 08:08 . 2004-08-24 00:32 916480 ------w- c:\windows\system32\wininet.dll
2009-08-26 08:00 . 2002-09-03 17:05 247326 ----a-w- c:\windows\system32\strmdll.dll
2009-08-20 20:09 . 2009-08-20 20:09 1193832 ----a-w- c:\windows\system32\FM20.DLL
2004-12-26 00:47 . 2004-12-26 00:47 35121138 ----a-w- c:\program files\NIS_Retail.EXE
.

((((((((((((((((((((((((((((( SnapShot_2009-11-07_18.21.14 )))))))))))))))))))))))))))))))))))))))))
.
+ 2002-09-30 10:11 . 2009-11-12 08:05 45056 c:\windows\Installer\{911B0409-6000-11D3-8CFE-0050048383C9}\wordicon.exe
- 2002-09-30 10:11 . 2009-11-06 19:28 45056 c:\windows\Installer\{911B0409-6000-11D3-8CFE-0050048383C9}\wordicon.exe
+ 2002-09-30 10:11 . 2009-11-12 08:05 22528 c:\windows\Installer\{911B0409-6000-11D3-8CFE-0050048383C9}\unbndico.exe
- 2002-09-30 10:11 . 2009-11-06 19:28 22528 c:\windows\Installer\{911B0409-6000-11D3-8CFE-0050048383C9}\unbndico.exe
+ 2002-09-30 10:11 . 2009-11-12 08:05 16384 c:\windows\Installer\{911B0409-6000-11D3-8CFE-0050048383C9}\PEicons.exe
- 2002-09-30 10:11 . 2009-11-06 19:28 16384 c:\windows\Installer\{911B0409-6000-11D3-8CFE-0050048383C9}\PEicons.exe
+ 2002-09-30 10:11 . 2009-11-12 08:05 34304 c:\windows\Installer\{911B0409-6000-11D3-8CFE-0050048383C9}\misc.exe
- 2002-09-30 10:11 . 2009-11-06 19:28 34304 c:\windows\Installer\{911B0409-6000-11D3-8CFE-0050048383C9}\misc.exe
- 2002-09-30 10:11 . 2009-11-06 19:28 3584 c:\windows\Installer\{911B0409-6000-11D3-8CFE-0050048383C9}\opwicon.exe
+ 2002-09-30 10:11 . 2009-11-12 08:05 3584 c:\windows\Installer\{911B0409-6000-11D3-8CFE-0050048383C9}\opwicon.exe
- 2002-09-30 10:11 . 2009-11-06 19:28 8192 c:\windows\Installer\{911B0409-6000-11D3-8CFE-0050048383C9}\mspicons.exe
+ 2002-09-30 10:11 . 2009-11-12 08:05 8192 c:\windows\Installer\{911B0409-6000-11D3-8CFE-0050048383C9}\mspicons.exe
- 2002-09-30 10:11 . 2009-11-06 19:28 2560 c:\windows\Installer\{911B0409-6000-11D3-8CFE-0050048383C9}\cagicon.exe
+ 2002-09-30 10:11 . 2009-11-12 08:05 2560 c:\windows\Installer\{911B0409-6000-11D3-8CFE-0050048383C9}\cagicon.exe
+ 2002-09-30 10:15 . 2009-11-12 08:12 411880 c:\windows\SYSTEM32\FNTCACHE.DAT
- 2002-09-30 10:15 . 2009-08-14 08:12 411880 c:\windows\SYSTEM32\FNTCACHE.DAT
+ 2009-11-07 22:49 . 2008-07-08 13:02 382840 c:\windows\ie8updates\KB976749-IE8\spuninst\updspapi.dll
+ 2009-11-07 22:49 . 2008-07-08 13:02 231288 c:\windows\ie8updates\KB976749-IE8\spuninst\spuninst.exe
+ 2008-10-16 04:59 . 2009-08-14 13:21 1850624 c:\windows\SYSTEM32\win32k.sys
+ 2004-10-25 15:39 . 2009-10-22 09:19 5939712 c:\windows\SYSTEM32\mshtml.dll
+ 2008-10-14 17:48 . 2009-08-14 13:21 1850624 c:\windows\SYSTEM32\DLLCACHE\win32k.sys
+ 2006-05-19 15:08 . 2009-10-22 09:19 5939712 c:\windows\SYSTEM32\DLLCACHE\mshtml.dll
+ 2009-09-30 20:11 . 2009-09-30 20:11 8409088 c:\windows\Installer\1df230c.msp
+ 2009-11-07 22:49 . 2009-08-29 08:08 5940224 c:\windows\ie8updates\KB976749-IE8\mshtml.dll
+ 2005-05-11 09:00 . 2009-11-05 17:36 26768832 c:\windows\SYSTEM32\MRT.exe
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"WAB"="c:\documents and settings\Wenninger\Application Data\Macromedia\Common\ec0fe01c19.exe" [2009-11-12 16384]
"rundll32.exe"="" [BU]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce]
"<NO NAME>"="c:\program files\Internet Explorer\iexplore.exe" [2009-03-08 638816]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"DVDSentry"="c:\windows\System32\DSentry.exe" [2002-08-14 28672]
"Malwarebytes Anti-Malware (reboot)"="c:\program files\Malwarebytes' Anti-Malware\mbam.exe" [2009-09-10 1312080]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"NvMediaCenter"="c:\windows\System32\NVMCTRAY.DLL" [2003-10-06 49152]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce]
"RunNarrator"="Narrator.exe" - c:\windows\SYSTEM32\narrator.exe [2008-04-14 53760]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MsMpSvc]
@="Service"

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Reader Speed Launch.lnk]
backup=c:\windows\pss\Adobe Reader Speed Launch.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^America Online 9.0 Tray Icon.lnk]
backup=c:\windows\pss\America Online 9.0 Tray Icon.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^AOL Companion.lnk]
backup=c:\windows\pss\AOL Companion.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Free WebSite Tools.lnk]
backup=c:\windows\pss\Free WebSite Tools.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^GStartup.lnk]

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^hp psc 1000 series.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\hp psc 1000 series.lnk
backup=c:\windows\pss\hp psc 1000 series.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^hpoddt01.exe.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\hpoddt01.exe.lnk
backup=c:\windows\pss\hpoddt01.exe.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Kodak EasyShare software.lnk]
backup=c:\windows\pss\Kodak EasyShare software.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Kodak software updater.lnk]
backup=c:\windows\pss\Kodak software updater.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Microsoft Office.lnk]
backup=c:\windows\pss\Microsoft Office.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Register Kazaa Upgrade Suite3.exe]

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Verizon Online.lnk]
backup=c:\windows\pss\Verizon Online.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"TBPSSvc"=2 (0x2)
"WinToolsSvc"=2 (0x2)
"MyWebSearchService"=2 (0x2)

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Kodak\\Kodak EasyShare software\\bin\\EasyShare.exe"=
"c:\\Program Files\\Common Files\\aol\\Loader\\aolload.exe"=
"c:\\Program Files\\Common Files\\aol\\ACS\\AOLDial.exe"=
"c:\\Program Files\\Common Files\\aol\\ACS\\AOLacsd.exe"=
"c:\\Program Files\\Common Files\\aol\\1157574114\\EE\\AOLServiceHost.exe"=
"c:\\Program Files\\Common Files\\aol\\System Information\\sinf.exe"=
"c:\\Program Files\\Common Files\\aol\\AOL Spyware Protection\\AOLSP Scheduler.exe"=
"c:\\Program Files\\Common Files\\aol\\AOL Spyware Protection\\asp.exe"=
"c:\\Program Files\\Common Files\\AolCoach\\en_en\\player\\AOLNySEV.exe"=
"c:\\Program Files\\Common Files\\aol\\TopSpeed\\3.0\\aoltpsd3.exe"=
"c:\\Program Files\\Common Files\\aol\\1157574114\\EE\\aolsoftware.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\AOL 9.1\\waol.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"3389:TCP"= 3389:TCP:Remote Desktop

S3 SKUSBKBF;USB Keyboard Filter Driver;c:\windows\SYSTEM32\DRIVERS\skusbkbf.sys [7/27/2001 8:25 AM 14048]
S3 utqxodiz;AVZ Kernel Driver;c:\windows\SYSTEM32\DRIVERS\utqxodiz.sys [11/10/2009 1:51 PM 7168]

--- Other Services/Drivers In Memory ---

*Deregistered* - IPVNMon
*Deregistered* - mbr
*Deregistered* - PROCEXP113

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Svchost - NetSvcs
{C62C59F5-FD1B-4823-805FE6BFD520860D}
.
Contents of the 'Scheduled Tasks' folder

2009-11-12 c:\windows\Tasks\MP Scheduled Scan.job
- c:\program files\Microsoft Security Essentials\MpCmdRun.exe [2009-07-02 22:36]

2009-11-12 c:\windows\Tasks\MpIdleTask.job
- c:\program files\Microsoft Security Essentials\MpCmdRun.exe [2009-07-02 22:36]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.aol.com/
uDefault_Search_URL = hxxp://search.msn.com
uSearchMigratedDefaultURL = hxxp://search.yahoo.com/search?p={searchTerms}&ei=utf-8&fr=b1ie7
mSearch Bar = hxxp://red.clientapps.yahoo.com/customize/ie/defaults/sb/ymsgr6/*http://www.yahoo.com/ext/search/search.html
uInternet Settings,ProxyOverride = *.local;<local>
uInternet Settings,ProxyServer = http=localhost:7171
uSearchURL,(Default) = hxxp://red.clientapps.yahoo.com/customize/ie/defaults/su/ymsgr6/*http://www.yahoo.com
IE:
IE: &AIM Search - c:\program files\AIM Toolbar\AIMBar.dll/aimsearch.htm
Trusted Zone: microsoft.com\*.windowsupdate
Trusted Zone: microsoft.com\v5.windowsupdate
Trusted Zone: windowsupdate.com
DPF: Aces Up! by pogo - hxxp://game1.pogo.com/v/8.1.1.1/applet/aces/aces-en_US.cab
DPF: Backgammon by pogo - hxxp://game1.pogo.com/applet-8.0.9.41/backgammon/backgammon-en_US.cab
DPF: Bingo Luau by pogo - hxxp://game1.pogo.com/v/8.1.7.44/applet/freebingo/freebingo-en_US.cab
DPF: Blackjack by pogo - hxxp://game3.pogo.com/v/8.1.7.44/applet/blackjack/blackjack-en_US.cab
DPF: Blackjack Carnival by pogo - hxxp://game1.pogo.com/v/8.1.1.1/applet/vbjack2/vbjack2-en_US.cab
DPF: Blooop by pogo - hxxp://game1.pogo.com/v/8.1.0.23/applet/cascade/cascade-en_US.cab
DPF: Canasta by pogo - hxxp://game1.pogo.com/v/8.1.1.13/applet/canasta/canasta-en_US.cab
DPF: Checkers by pogo - hxxp://game1.pogo.com/applet-8.0.9.41/checkers2/checkers-en_US.cab
DPF: Chess by pogo - hxxp://game1.pogo.com/v/8.1.1.13/applet/chess2/chess2-en_US.cab
DPF: Dice City Roller by pogo - hxxp://game3.pogo.com/v/8.1.9.1/applet/ytz/ytz-en_US.cab
DPF: DirectAnimation Java Classes - file://c:\windows\Java\classes\dajava.cab
DPF: Dominoes by pogo - hxxp://game1.pogo.com/v/8.1.0.23/applet/domino/domino-en_US.cab
DPF: Double Deuce Poker by pogo - hxxp://game1.pogo.com/v/8.1.1.1/applet/videopoker2/doubledeuce-en_US.cab
DPF: Fortune Bingo by pogo - hxxp://game1.pogo.com/applet-8.0.9.41/superbingo/superbingo-en_US.cab
DPF: Hangman Hijinks by pogo - hxxp://game3.pogo.com/v/8.1.8.10/applet/hangman/hangman-en_US.cab
DPF: Hearts by pogo - hxxp://game3.pogo.com/v/8.1.7.44/applet/hearts/hearts-en_US.cab
DPF: High Stakes Poker by pogo - hxxp://game1.pogo.com/applet-8.0.9.41/drawpoker/drawpoker-en_US.cab
DPF: High Stakes Pool by pogo - hxxp://game1.pogo.com/v/8.1.0.23/applet/pool2/pool-en_US.cab
DPF: Hog Heaven Slots by pogo - hxxp://game1.pogo.com/v/8.1.7.44/applet/fancy/fancy-en_US.cab
DPF: Jungle Gin by pogo - hxxp://game1.pogo.com/v/8.1.1.13/applet/gin2/gin2-en_US.cab
DPF: Lost Temple Poker by pogo - hxxp://game1.pogo.com/v/8.1.0.23/applet/mhpoker/mhpoker-en_US.cab
DPF: Lottso by pogo - hxxp://game3.pogo.com/v/8.1.9.1/applet/lottso/lottso-en_US.cab
DPF: Makeover Madness by pogo - hxxp://game3.pogo.com/v/8.1.7.44/applet/shoes/shoes-en_US.cab
DPF: Microsoft XML Parser for Java - file://c:\windows\Java\classes\xmldso.cab
DPF: NASCAR Web Racing by pogo - hxxp://game1.pogo.com/v/8.1.1.1/applet/nascar/nascar-en_US.cab
DPF: No-Limit Texas Hold'em by pogo - hxxp://game1.pogo.com/v/8.1.1.21/applet/allin/allin-en_US.cab
DPF: Pai Gow by pogo - hxxp://game1.pogo.com/v/8.1.1.1/applet/paigow/paigow-en_US.cab
DPF: Payday Freecell Solitaire by pogo - hxxp://game1.pogo.com/v/8.1.1.1/applet/freecell2/freecell2-en_US.cab
DPF: Perfect Pair Solitaire by pogo - hxxp://game1.pogo.com/v/8.1.7.44/applet/waterwheel/waterwheel-en_US.cab
DPF: Phlinx by pogo - hxxp://game1.pogo.com/v/8.1.1.1/applet/flinger/flinger-en_US.cab
DPF: Poppit by pogo - hxxp://game1.pogo.com/v/8.1.0.23/applet/poppit2/poppit2-en_US.cab
DPF: Quick Quack by pogo - hxxp://game1.pogo.com/v/8.1.7.44/applet/hotstreak/hotstreak-en_US.cab
DPF: QWERTY by pogo - hxxp://game1.pogo.com/v/8.1.1.13/applet/squares/squares-en_US.cab
DPF: Ride The Tide by pogo - hxxp://game1.pogo.com/v/8.1.0.23/applet/ride/ride-en_US.cab
DPF: Showbiz Slots by pogo - hxxp://game1.pogo.com/v/8.1.0.24/applet/slots/showbiz-en_US.cab
DPF: Spooky Slots - hxxp://game1.pogo.com/v/8.1.1.35/applet/spooky/spooky-en_US.cab
DPF: Squelchies by pogo - hxxp://game1.pogo.com/v/8.1.1.1/applet/squelchies/squelchies-en_US.cab
DPF: Stax by pogo - hxxp://game1.pogo.com/v/8.1.1.1/applet/stax/stax-en_US.cab
DPF: Sweet Tooth TM by pogo - hxxp://game1.pogo.com/v/8.1.1.13/applet/sweettooth/sweettooth-en_US.cab
DPF: Thousand Island Solitaire by pogo - hxxp://game3.pogo.com/v/8.1.9.1/applet/millbrae/millbrae-en_US.cab
DPF: Turbo 21 v2 by pogo - hxxp://game1.pogo.com/v/8.1.9.7/applet/turbo22/turbo22-en_US.cab
DPF: Wonderland Memories by pogo - hxxp://game1.pogo.com/v/8.1.0.23/applet/memories/memories-en_US.cab
DPF: Word Search Daily by pogo - hxxp://game3.pogo.com/v/8.1.9.4/applet/wordsearch/wordsearch-en_US.cab
DPF: Word Whomp by pogo - hxxp://game1.pogo.com/v/8.1.0.23/applet/wordwhomp2/whomp2-en_US.cab
DPF: {6218F7B5-0D3A-48BA-AE4C-49DCFA63D400} - hxxp://www.myheritage.com/Genoogle/Components/ActiveX/SearchEngineQuery.dll
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-11-12 11:05
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_USERS\S-1-5-21-2624249815-826661598-447150811-1006\Software\Microsoft\SystemCertificates\AddressBook*]
@Allowed: (Read) (RestrictedCode)
@Allowed: (Read) (RestrictedCode)

[HKEY_USERS\S-1-5-21-2624249815-826661598-447150811-1006\Software\Policies\Microsoft\SystemCertificates\AddressBook*]
@Allowed: (Read) (S-1-5-21-2624249815-826661598-447150811-1006)
@Allowed: (Read) (S-1-5-21-2624249815-826661598-447150811-1006)
@Allowed: (Read) (RestrictedCode)
@Allowed: (Read) (RestrictedCode)
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(664)
c:\windows\system32\wininet.dll
c:\windows\System32\ctmp3.acm
c:\windows\system32\vct3216.acm
c:\windows\system32\vct3216.dll
c:\windows\system32\msms001.vwp
c:\windows\system32\mvoice.vwp

- - - - - - - > 'explorer.exe'(508)
c:\windows\system32\WININET.dll
c:\windows\system32\webcheck.dll
c:\windows\system32\IEFRAME.dll
c:\windows\system32\WPDShServiceObj.dll
c:\program files\Common Files\aolshare\aolshcpy.dll
c:\windows\System32\ctmp3.acm
c:\windows\system32\vct3216.acm
c:\windows\system32\vct3216.dll
c:\windows\system32\msms001.vwp
c:\windows\system32\mvoice.vwp
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
Completion time: 2009-11-12 11:22
ComboFix-quarantined-files.txt 2009-11-12 16:21
ComboFix2.txt 2009-11-08 01:01
ComboFix3.txt 2009-11-07 19:02
ComboFix4.txt 2009-11-06 20:42

Pre-Run: 14,401,196,032 bytes free
Post-Run: 14,349,197,312 bytes free

- - End Of File - - 7AF2B16A13D014DF5145F18E16BDBF6F

Edited by StormyHaze, 12 November 2009 - 10:27 AM.

#51 chamber

G2G Staff

Authentic Member
140 posts

Posted 12 November 2009 - 11:00 AM

Hi,

Good to know about the updates.

1. Close any open browsers.

2. Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.

3. Open notepad and copy/paste the text in the quotebox below into it:

File::

Folder::

Registry::
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"TBPSSvc"=-
"WinToolsSvc"=-
"MyWebSearchService"=-
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"rundll32.exe"=-

Driver::
TBPSSvc
WinToolsSvc
MyWebSearchService

KILLALL::

Save this as CFScript.txt, in the same location as ComboFix.exe

Posted Image

Refering to the picture above, drag CFScript into ComboFix.exe

When finished, it shall produce a log for you at C:\ComboFix.txt which I will require in your next reply.

Posted Image

watch me and tremble, for I bring the purity of oblivion

Sudo apt-get me a sandwich!

Proud graduate of GeekU

If I have helped you, please consider a donation to help continue the fight against malware.

#52 StormyHaze

Authentic Member

Authentic Member
50 posts

Posted 12 November 2009 - 04:20 PM

Another thing went right! This is getting good! haha Heres the log:

ComboFix 09-11-13.02 - Wenninger 11/12/2009 15:32.6.1 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.511.176 [GMT -5:00]
Running from: c:\documents and settings\Wenninger\Desktop\ComboFix.exe
Command switches used :: c:\documents and settings\Wenninger\Desktop\CFScript.txt
AV: Microsoft Security Essentials *On-access scanning disabled* (Updated) {BCF43643-A118-4432-AEDE-D861FCBCFCDF}
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\windows\msacm32.drv
c:\windows\sdfixwcs.dll
c:\windows\wuasirvy.dll

.
((((((((((((((((((((((((( Files Created from 2009-10-12 to 2009-11-12 )))))))))))))))))))))))))))))))
.

2009-11-11 23:30 . 2009-11-12 21:54 16384 ----a-w- c:\documents and settings\Wenninger\Application Data\Macromedia\Common\ec0fe01c19.exe
2009-11-11 23:30 . 2009-11-11 23:30 103424 ----a-w- c:\documents and settings\Wenninger\Application Data\Macromedia\Common\ec0fe01c1.dll
2009-11-10 18:51 . 2009-11-10 18:51 7168 ----a-w- c:\windows\system32\drivers\utqxodiz.sys
2009-11-08 02:58 . 2009-09-10 19:54 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2009-11-08 02:58 . 2009-11-08 02:58 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2009-11-08 02:58 . 2009-09-10 19:53 19160 ----a-w- c:\windows\system32\drivers\mbam.sys
2009-11-05 04:50 . 2009-11-05 04:50 -------- d-----w- c:\program files\ESET
2009-11-05 03:32 . 2009-11-03 01:42 195456 ------w- c:\windows\system32\MpSigStub.exe
2009-11-05 03:29 . 2009-11-05 03:30 -------- d-----w- c:\program files\Microsoft Security Essentials
2009-11-04 21:16 . 2008-04-14 00:12 50176 ----a-w- c:\windows\system32\proquota.exe
2009-11-04 18:48 . 2009-11-04 22:11 -------- d-----w- C:\Combo-Fix
2009-11-04 04:35 . 2009-11-04 04:35 -------- d-----w- c:\program files\ERUNT
2009-11-04 02:38 . 2009-11-04 02:38 -------- d-----w- c:\documents and settings\All Users\Application Data\Kaspersky Lab Setup Files
2009-11-04 02:32 . 2009-11-04 02:32 -------- d-----w- c:\program files\Windows Live Safety Center
2009-11-03 06:23 . 2009-11-03 06:23 -------- d-----w- c:\documents and settings\Wenninger\Application Data\AVG8
2009-11-03 03:30 . 2009-11-03 03:30 -------- d-----w- c:\documents and settings\NetworkService\Local Settings\Application Data\AOL
2009-11-02 19:32 . 2009-11-03 04:00 -------- d-----w- c:\program files\Panda Security
2009-11-02 09:37 . 2009-11-02 09:37 -------- d-----w- c:\documents and settings\Administrator.ALEVISSA\Local Settings\Application Data\AOL
2009-11-02 07:16 . 2009-11-07 20:34 -------- d-----w- c:\documents and settings\Wenninger\Application Data\Malwarebytes
2009-11-02 04:30 . 2009-11-02 04:30 -------- d-----w- c:\documents and settings\Administrator.ALEVISSA\Application Data\Malwarebytes
2009-11-02 04:29 . 2009-11-07 20:34 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
2009-11-02 04:22 . 2009-11-02 04:22 -------- d-sh--w- c:\documents and settings\Administrator.ALEVISSA\PrivacIE
2009-11-01 23:15 . 2009-11-02 01:30 -------- d-----w- c:\windows\BDOSCAN8
2009-11-01 07:40 . 2009-11-01 07:40 552 ----a-w- c:\windows\system32\d3d8caps.dat
2009-11-01 06:41 . 2009-11-01 06:41 -------- d-sh--w- c:\documents and settings\Administrator.ALEVISSA\IETldCache
2009-11-01 05:49 . 2009-11-01 05:49 -------- d-----w- c:\documents and settings\Administrator.ALEVISSA\Local Settings\Application Data\Shareaza
2009-11-01 05:49 . 2009-11-01 05:49 -------- d-----w- c:\documents and settings\Administrator.ALEVISSA\Application Data\Shareaza
2009-10-20 16:54 . 2009-10-20 16:54 59992 ----a-w- c:\documents and settings\All Users\Application Data\Kaspersky Lab Setup Files\Kaspersky Internet Security 2010 9.0.0.736\English\setup.exe

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-11-03 04:05 . 2008-06-25 18:15 -------- d-----w- c:\program files\Freecell Buddy Pogo
2009-11-03 04:02 . 2008-02-15 19:49 -------- d-----w- c:\program files\PokerStars
2009-11-03 02:41 . 2003-06-11 00:45 -------- d-----w- c:\program files\Common Files\aol
2009-11-02 09:59 . 2008-02-09 00:41 -------- d-----w- c:\documents and settings\All Users\Application Data\McAfee
2009-11-02 09:41 . 2005-11-17 22:25 139112 -c--a-w- c:\documents and settings\Administrator.ALEVISSA\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2009-09-11 14:18 . 2008-10-16 04:59 136192 ----a-w- c:\windows\system32\msv1_0.dll
2009-09-04 21:03 . 2002-09-03 16:44 58880 ----a-w- c:\windows\system32\msasn1.dll
2009-08-29 08:08 . 2004-08-24 00:32 916480 ------w- c:\windows\system32\wininet.dll
2009-08-26 08:00 . 2002-09-03 17:05 247326 ----a-w- c:\windows\system32\strmdll.dll
2009-08-20 20:09 . 2009-08-20 20:09 1193832 ----a-w- c:\windows\system32\FM20.DLL
2004-12-26 00:47 . 2004-12-26 00:47 35121138 ----a-w- c:\program files\NIS_Retail.EXE
.

((((((((((((((((((((((((((((( SnapShot_2009-11-07_18.21.14 )))))))))))))))))))))))))))))))))))))))))
.
+ 2002-09-30 10:11 . 2009-11-12 08:05 45056 c:\windows\Installer\{911B0409-6000-11D3-8CFE-0050048383C9}\wordicon.exe
- 2002-09-30 10:11 . 2009-11-06 19:28 45056 c:\windows\Installer\{911B0409-6000-11D3-8CFE-0050048383C9}\wordicon.exe
+ 2002-09-30 10:11 . 2009-11-12 08:05 22528 c:\windows\Installer\{911B0409-6000-11D3-8CFE-0050048383C9}\unbndico.exe
- 2002-09-30 10:11 . 2009-11-06 19:28 22528 c:\windows\Installer\{911B0409-6000-11D3-8CFE-0050048383C9}\unbndico.exe
+ 2002-09-30 10:11 . 2009-11-12 08:05 16384 c:\windows\Installer\{911B0409-6000-11D3-8CFE-0050048383C9}\PEicons.exe
- 2002-09-30 10:11 . 2009-11-06 19:28 16384 c:\windows\Installer\{911B0409-6000-11D3-8CFE-0050048383C9}\PEicons.exe
+ 2002-09-30 10:11 . 2009-11-12 08:05 34304 c:\windows\Installer\{911B0409-6000-11D3-8CFE-0050048383C9}\misc.exe
- 2002-09-30 10:11 . 2009-11-06 19:28 34304 c:\windows\Installer\{911B0409-6000-11D3-8CFE-0050048383C9}\misc.exe
- 2002-09-30 10:11 . 2009-11-06 19:28 3584 c:\windows\Installer\{911B0409-6000-11D3-8CFE-0050048383C9}\opwicon.exe
+ 2002-09-30 10:11 . 2009-11-12 08:05 3584 c:\windows\Installer\{911B0409-6000-11D3-8CFE-0050048383C9}\opwicon.exe
- 2002-09-30 10:11 . 2009-11-06 19:28 8192 c:\windows\Installer\{911B0409-6000-11D3-8CFE-0050048383C9}\mspicons.exe
+ 2002-09-30 10:11 . 2009-11-12 08:05 8192 c:\windows\Installer\{911B0409-6000-11D3-8CFE-0050048383C9}\mspicons.exe
- 2002-09-30 10:11 . 2009-11-06 19:28 2560 c:\windows\Installer\{911B0409-6000-11D3-8CFE-0050048383C9}\cagicon.exe
+ 2002-09-30 10:11 . 2009-11-12 08:05 2560 c:\windows\Installer\{911B0409-6000-11D3-8CFE-0050048383C9}\cagicon.exe
+ 2002-09-30 10:15 . 2009-11-12 08:12 411880 c:\windows\SYSTEM32\FNTCACHE.DAT
- 2002-09-30 10:15 . 2009-08-14 08:12 411880 c:\windows\SYSTEM32\FNTCACHE.DAT
+ 2009-11-07 22:49 . 2008-07-08 13:02 382840 c:\windows\ie8updates\KB976749-IE8\spuninst\updspapi.dll
+ 2009-11-07 22:49 . 2008-07-08 13:02 231288 c:\windows\ie8updates\KB976749-IE8\spuninst\spuninst.exe
+ 2008-10-16 04:59 . 2009-08-14 13:21 1850624 c:\windows\SYSTEM32\win32k.sys
+ 2004-10-25 15:39 . 2009-10-22 09:19 5939712 c:\windows\SYSTEM32\mshtml.dll
+ 2008-10-14 17:48 . 2009-08-14 13:21 1850624 c:\windows\SYSTEM32\DLLCACHE\win32k.sys
+ 2006-05-19 15:08 . 2009-10-22 09:19 5939712 c:\windows\SYSTEM32\DLLCACHE\mshtml.dll
+ 2009-09-30 20:11 . 2009-09-30 20:11 8409088 c:\windows\Installer\1df230c.msp
+ 2009-11-07 22:49 . 2009-08-29 08:08 5940224 c:\windows\ie8updates\KB976749-IE8\mshtml.dll
+ 2005-05-11 09:00 . 2009-11-05 17:36 26768832 c:\windows\SYSTEM32\MRT.exe
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"WAB"="c:\documents and settings\Wenninger\Application Data\Macromedia\Common\ec0fe01c19.exe" [2009-11-12 16384]
"rundll32.exe"="" [BU]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce]
"<NO NAME>"="c:\program files\Internet Explorer\iexplore.exe" [2009-03-08 638816]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"DVDSentry"="c:\windows\System32\DSentry.exe" [2002-08-14 28672]
"Malwarebytes Anti-Malware (reboot)"="c:\program files\Malwarebytes' Anti-Malware\mbam.exe" [2009-09-10 1312080]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"NvMediaCenter"="c:\windows\System32\NVMCTRAY.DLL" [2003-10-06 49152]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce]
"RunNarrator"="Narrator.exe" - c:\windows\SYSTEM32\narrator.exe [2008-04-14 53760]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"wave1"=c:\docume~1\WENNIN~1\APPLIC~1\MACROM~1\Common\ec0fe01c1.dll
"midi1"=c:\docume~1\WENNIN~1\APPLIC~1\MACROM~1\Common\ec0fe01c1.dll
"mixer1"=c:\docume~1\WENNIN~1\APPLIC~1\MACROM~1\Common\ec0fe01c1.dll
"wave2"=c:\docume~1\WENNIN~1\APPLIC~1\MACROM~1\Common\ec0fe01c1.dll
"midi2"=c:\docume~1\WENNIN~1\APPLIC~1\MACROM~1\Common\ec0fe01c1.dll
"aux2"=c:\docume~1\WENNIN~1\APPLIC~1\MACROM~1\Common\ec0fe01c1.dll
"mixer2"=c:\docume~1\WENNIN~1\APPLIC~1\MACROM~1\Common\ec0fe01c1.dll
"aux1"=c:\docume~1\WENNIN~1\APPLIC~1\MACROM~1\Common\ec0fe01c1.dll

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MsMpSvc]
@="Service"

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Reader Speed Launch.lnk]
backup=c:\windows\pss\Adobe Reader Speed Launch.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^America Online 9.0 Tray Icon.lnk]
backup=c:\windows\pss\America Online 9.0 Tray Icon.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^AOL Companion.lnk]
backup=c:\windows\pss\AOL Companion.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Free WebSite Tools.lnk]
backup=c:\windows\pss\Free WebSite Tools.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^GStartup.lnk]

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^hp psc 1000 series.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\hp psc 1000 series.lnk
backup=c:\windows\pss\hp psc 1000 series.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^hpoddt01.exe.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\hpoddt01.exe.lnk
backup=c:\windows\pss\hpoddt01.exe.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Kodak EasyShare software.lnk]
backup=c:\windows\pss\Kodak EasyShare software.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Kodak software updater.lnk]
backup=c:\windows\pss\Kodak software updater.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Microsoft Office.lnk]
backup=c:\windows\pss\Microsoft Office.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Register Kazaa Upgrade Suite3.exe]

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Verizon Online.lnk]
backup=c:\windows\pss\Verizon Online.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Kodak\\Kodak EasyShare software\\bin\\EasyShare.exe"=
"c:\\Program Files\\Common Files\\aol\\Loader\\aolload.exe"=
"c:\\Program Files\\Common Files\\aol\\ACS\\AOLDial.exe"=
"c:\\Program Files\\Common Files\\aol\\ACS\\AOLacsd.exe"=
"c:\\Program Files\\Common Files\\aol\\1157574114\\EE\\AOLServiceHost.exe"=
"c:\\Program Files\\Common Files\\aol\\System Information\\sinf.exe"=
"c:\\Program Files\\Common Files\\aol\\AOL Spyware Protection\\AOLSP Scheduler.exe"=
"c:\\Program Files\\Common Files\\aol\\AOL Spyware Protection\\asp.exe"=
"c:\\Program Files\\Common Files\\AolCoach\\en_en\\player\\AOLNySEV.exe"=
"c:\\Program Files\\Common Files\\aol\\TopSpeed\\3.0\\aoltpsd3.exe"=
"c:\\Program Files\\Common Files\\aol\\1157574114\\EE\\aolsoftware.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\AOL 9.1\\waol.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"3389:TCP"= 3389:TCP:Remote Desktop

S3 SKUSBKBF;USB Keyboard Filter Driver;c:\windows\SYSTEM32\DRIVERS\skusbkbf.sys [7/27/2001 8:25 AM 14048]
S3 utqxodiz;AVZ Kernel Driver;c:\windows\SYSTEM32\DRIVERS\utqxodiz.sys [11/10/2009 1:51 PM 7168]
S4 Viewpoint Manager Service;Viewpoint Manager Service;c:\program files\Viewpoint\Common\ViewpointService.exe [8/19/2009 4:51 PM 24652]

--- Other Services/Drivers In Memory ---

*Deregistered* - IPVNMon
*Deregistered* - mbr

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Svchost - NetSvcs
{C62C59F5-FD1B-4823-805FE6BFD520860D}
.
Contents of the 'Scheduled Tasks' folder

2009-11-12 c:\windows\Tasks\MP Scheduled Scan.job
- c:\program files\Microsoft Security Essentials\MpCmdRun.exe [2009-07-02 22:36]

2009-11-12 c:\windows\Tasks\MpIdleTask.job
- c:\program files\Microsoft Security Essentials\MpCmdRun.exe [2009-07-02 22:36]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.aol.com/
uDefault_Search_URL = hxxp://search.msn.com
uSearchMigratedDefaultURL = hxxp://search.yahoo.com/search?p={searchTerms}&ei=utf-8&fr=b1ie7
mSearch Bar = hxxp://red.clientapps.yahoo.com/customize/ie/defaults/sb/ymsgr6/*http://www.yahoo.com/ext/search/search.html
uInternet Settings,ProxyOverride = *.local;<local>
uInternet Settings,ProxyServer = http=localhost:7171
uSearchURL,(Default) = hxxp://red.clientapps.yahoo.com/customize/ie/defaults/su/ymsgr6/*http://www.yahoo.com
IE:
IE: &AIM Search - c:\program files\AIM Toolbar\AIMBar.dll/aimsearch.htm
Trusted Zone: microsoft.com\*.windowsupdate
Trusted Zone: microsoft.com\v5.windowsupdate
Trusted Zone: windowsupdate.com
DPF: Aces Up! by pogo - hxxp://game1.pogo.com/v/8.1.1.1/applet/aces/aces-en_US.cab
DPF: Backgammon by pogo - hxxp://game1.pogo.com/applet-8.0.9.41/backgammon/backgammon-en_US.cab
DPF: Bingo Luau by pogo - hxxp://game1.pogo.com/v/8.1.7.44/applet/freebingo/freebingo-en_US.cab
DPF: Blackjack by pogo - hxxp://game3.pogo.com/v/8.1.7.44/applet/blackjack/blackjack-en_US.cab
DPF: Blackjack Carnival by pogo - hxxp://game1.pogo.com/v/8.1.1.1/applet/vbjack2/vbjack2-en_US.cab
DPF: Blooop by pogo - hxxp://game1.pogo.com/v/8.1.0.23/applet/cascade/cascade-en_US.cab
DPF: Canasta by pogo - hxxp://game1.pogo.com/v/8.1.1.13/applet/canasta/canasta-en_US.cab
DPF: Checkers by pogo - hxxp://game1.pogo.com/applet-8.0.9.41/checkers2/checkers-en_US.cab
DPF: Chess by pogo - hxxp://game1.pogo.com/v/8.1.1.13/applet/chess2/chess2-en_US.cab
DPF: Dice City Roller by pogo - hxxp://game3.pogo.com/v/8.1.9.1/applet/ytz/ytz-en_US.cab
DPF: DirectAnimation Java Classes - file://c:\windows\Java\classes\dajava.cab
DPF: Dominoes by pogo - hxxp://game1.pogo.com/v/8.1.0.23/applet/domino/domino-en_US.cab
DPF: Double Deuce Poker by pogo - hxxp://game1.pogo.com/v/8.1.1.1/applet/videopoker2/doubledeuce-en_US.cab
DPF: Fortune Bingo by pogo - hxxp://game1.pogo.com/applet-8.0.9.41/superbingo/superbingo-en_US.cab
DPF: Hangman Hijinks by pogo - hxxp://game3.pogo.com/v/8.1.8.10/applet/hangman/hangman-en_US.cab
DPF: Hearts by pogo - hxxp://game3.pogo.com/v/8.1.7.44/applet/hearts/hearts-en_US.cab
DPF: High Stakes Poker by pogo - hxxp://game1.pogo.com/applet-8.0.9.41/drawpoker/drawpoker-en_US.cab
DPF: High Stakes Pool by pogo - hxxp://game1.pogo.com/v/8.1.0.23/applet/pool2/pool-en_US.cab
DPF: Hog Heaven Slots by pogo - hxxp://game1.pogo.com/v/8.1.7.44/applet/fancy/fancy-en_US.cab
DPF: Jungle Gin by pogo - hxxp://game1.pogo.com/v/8.1.1.13/applet/gin2/gin2-en_US.cab
DPF: Lost Temple Poker by pogo - hxxp://game1.pogo.com/v/8.1.0.23/applet/mhpoker/mhpoker-en_US.cab
DPF: Lottso by pogo - hxxp://game3.pogo.com/v/8.1.9.1/applet/lottso/lottso-en_US.cab
DPF: Makeover Madness by pogo - hxxp://game3.pogo.com/v/8.1.7.44/applet/shoes/shoes-en_US.cab
DPF: Microsoft XML Parser for Java - file://c:\windows\Java\classes\xmldso.cab
DPF: NASCAR Web Racing by pogo - hxxp://game1.pogo.com/v/8.1.1.1/applet/nascar/nascar-en_US.cab
DPF: No-Limit Texas Hold'em by pogo - hxxp://game1.pogo.com/v/8.1.1.21/applet/allin/allin-en_US.cab
DPF: Pai Gow by pogo - hxxp://game1.pogo.com/v/8.1.1.1/applet/paigow/paigow-en_US.cab
DPF: Payday Freecell Solitaire by pogo - hxxp://game1.pogo.com/v/8.1.1.1/applet/freecell2/freecell2-en_US.cab
DPF: Perfect Pair Solitaire by pogo - hxxp://game1.pogo.com/v/8.1.7.44/applet/waterwheel/waterwheel-en_US.cab
DPF: Phlinx by pogo - hxxp://game1.pogo.com/v/8.1.1.1/applet/flinger/flinger-en_US.cab
DPF: Poppit by pogo - hxxp://game1.pogo.com/v/8.1.0.23/applet/poppit2/poppit2-en_US.cab
DPF: Quick Quack by pogo - hxxp://game1.pogo.com/v/8.1.7.44/applet/hotstreak/hotstreak-en_US.cab
DPF: QWERTY by pogo - hxxp://game1.pogo.com/v/8.1.1.13/applet/squares/squares-en_US.cab
DPF: Ride The Tide by pogo - hxxp://game1.pogo.com/v/8.1.0.23/applet/ride/ride-en_US.cab
DPF: Showbiz Slots by pogo - hxxp://game1.pogo.com/v/8.1.0.24/applet/slots/showbiz-en_US.cab
DPF: Spooky Slots - hxxp://game1.pogo.com/v/8.1.1.35/applet/spooky/spooky-en_US.cab
DPF: Squelchies by pogo - hxxp://game1.pogo.com/v/8.1.1.1/applet/squelchies/squelchies-en_US.cab
DPF: Stax by pogo - hxxp://game1.pogo.com/v/8.1.1.1/applet/stax/stax-en_US.cab
DPF: Sweet Tooth TM by pogo - hxxp://game1.pogo.com/v/8.1.1.13/applet/sweettooth/sweettooth-en_US.cab
DPF: Thousand Island Solitaire by pogo - hxxp://game3.pogo.com/v/8.1.9.1/applet/millbrae/millbrae-en_US.cab
DPF: Turbo 21 v2 by pogo - hxxp://game1.pogo.com/v/8.1.9.7/applet/turbo22/turbo22-en_US.cab
DPF: Wonderland Memories by pogo - hxxp://game1.pogo.com/v/8.1.0.23/applet/memories/memories-en_US.cab
DPF: Word Search Daily by pogo - hxxp://game3.pogo.com/v/8.1.9.4/applet/wordsearch/wordsearch-en_US.cab
DPF: Word Whomp by pogo - hxxp://game1.pogo.com/v/8.1.0.23/applet/wordwhomp2/whomp2-en_US.cab
DPF: {6218F7B5-0D3A-48BA-AE4C-49DCFA63D400} - hxxp://www.myheritage.com/Genoogle/Components/ActiveX/SearchEngineQuery.dll
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-11-12 16:54
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_USERS\S-1-5-21-2624249815-826661598-447150811-1006\Software\Microsoft\SystemCertificates\AddressBook*]
@Allowed: (Read) (RestrictedCode)
@Allowed: (Read) (RestrictedCode)

[HKEY_USERS\S-1-5-21-2624249815-826661598-447150811-1006\Software\Policies\Microsoft\SystemCertificates\AddressBook*]
@Allowed: (Read) (S-1-5-21-2624249815-826661598-447150811-1006)
@Allowed: (Read) (S-1-5-21-2624249815-826661598-447150811-1006)
@Allowed: (Read) (RestrictedCode)
@Allowed: (Read) (RestrictedCode)
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(668)
c:\windows\System32\ctmp3.acm
c:\windows\system32\vct3216.acm
c:\windows\system32\vct3216.dll
c:\windows\system32\msms001.vwp
c:\windows\system32\mvoice.vwp

- - - - - - - > 'explorer.exe'(332)
c:\windows\system32\WININET.dll
c:\windows\System32\ctmp3.acm
c:\windows\system32\vct3216.acm
c:\windows\system32\vct3216.dll
c:\windows\system32\msms001.vwp
c:\windows\system32\mvoice.vwp
c:\windows\system32\webcheck.dll
c:\windows\system32\IEFRAME.dll
c:\windows\system32\WPDShServiceObj.dll
c:\program files\Common Files\aolshare\aolshcpy.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
------------------------ Other Running Processes ------------------------
.
c:\program files\Microsoft Security Essentials\MsMpEng.exe
c:\program files\Common Files\AOL\ACS\AOLAcsd.exe
c:\program files\Bonjour\mDNSResponder.exe
c:\windows\System32\CTsvcCDA.exe
c:\windows\system32\wscntfy.exe
.
**************************************************************************
.
Completion time: 2009-11-12 17:17 - machine was rebooted
ComboFix-quarantined-files.txt 2009-11-12 22:17
ComboFix2.txt 2009-11-12 16:22
ComboFix3.txt 2009-11-08 01:01
ComboFix4.txt 2009-11-07 19:02
ComboFix5.txt 2009-11-12 20:29

Pre-Run: 14,373,957,632 bytes free
Post-Run: 14,319,845,376 bytes free

- - End Of File - - DD3F7F33F509BD0171425188503784BE

#53 chamber

G2G Staff

Authentic Member
140 posts

Posted 13 November 2009 - 02:25 AM

Can you try OTL for me again?

Posted Image

watch me and tremble, for I bring the purity of oblivion

Sudo apt-get me a sandwich!

Proud graduate of GeekU

If I have helped you, please consider a donation to help continue the fight against malware.

#54 StormyHaze

Authentic Member

Authentic Member
50 posts

Posted 13 November 2009 - 10:58 AM

Tried OTL again. Same error and "Out of memory" problem. It did not finish.

#55 chamber

G2G Staff

Authentic Member
140 posts

Posted 13 November 2009 - 11:03 AM

Dang.

Just to let you know I'll be away from until Tuesday, I'll see about getting someone to cover this for you.

Run DDS for me again then.

Please download JavaRa to your desktop and unzip it to its own folder

Run JavaRa.exe, pick the language of your choice and click Select. Then click Remove Older Versions.
Accept any prompts.
Open JavaRa.exe again and select Search For Updates.
Select Update Using Sun Java's Website then click Search and click on the Open Webpage button. Download and install the latest Java Runtime Environment (JRE) version for your computer.

Using Internet Explorer or Firefox, visit Kaspersky Online Scanner

1. Click Accept, when prompted to download and install the program files and database of malware definitions.

2. To optimize scanning time and produce a more sensible report for review:

Close any open programs
Turn off the real time scanner of any existing antivirus program while performing the online scan. Click HERE to see how to disable the most common antivirus programs.

3. Click Run at the Security prompt.

The program will then begin downloading and installing and will also update the database.
Please be patient as this can take quite a long time to download.

Once the update is complete, click on Settings.
Make sure these boxes are checked (ticked). If they are not, please tick them and click on the Save button:
- Spyware, adware, dialers, and other riskware
- Archives
- E-mail databases
Click on My Computer under the green Scan bar to the left to start the scan.
Once the scan is complete, it will display if your system has been infected. It does not provide an option to clean/disinfect. We only require a report from it.
Do NOT be alarmed by what you see in the report. Many of the finds have likely been quarantined.
Click View report... at the bottom.
Click the Save report... button.
Change the Files of type dropdown box to Text file (.txt) and name the file KasReport.txt to save the file to your desktop so that you may post it in your next reply

Posted Image

watch me and tremble, for I bring the purity of oblivion

Sudo apt-get me a sandwich!

Proud graduate of GeekU

If I have helped you, please consider a donation to help continue the fight against malware.

Advertisements

Register to Remove

#56 CatByte

Classroom Administrator

Classroom Admin
21,060 posts

Posted 13 November 2009 - 02:05 PM

Hi,

chamber has asked me to assist while he's away for the weekend:

if you don't mind, just put the instructions from chamber aside for now:

There is a little more work to do with combofix first:

Please do the following:

Very Important! Temporarily disable your anti-virus, script blocking and any anti-malware real-time protection before following the steps below.
They can interfere with ComboFix or remove some of its embedded files which may cause "unpredictable results".

Copy/paste the text inside the Codebox below into notepad:

Here's how to do that:
Click Start > Run type Notepad click OK.
This will open an empty notepad file:

Copy all the text inside of the code box - Press Ctrl+C (or right click on the highlighted section and choose 'copy')

http://forums.whatthetech.com/9_trojans_worm_corrupt_antivirus_Help_t108092.html

Collect::
c:\documents and settings\Wenninger\Application Data\Macromedia\Common\ec0fe01c19.exe
c:\documents and settings\Wenninger\Application Data\Macromedia\Common\ec0fe01c1.dll
c:\windows\system32\drivers\utqxodiz.sys

KillAll::

Registry::
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"WAB"=-
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce]
"<NO NAME>"=-
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"wave1"="wdmaud.drv"
"midi1"="wdmaud.drv"
"mixer1"="wdmaud.drv"
"wave2"="wdmaud.drv"
"midi2"="wdmaud.drv"
"aux2"="wdmaud.drv"
"mixer2"="wdmaud.drv"
"aux1"="wdmaud.drv"

Driver::
utqxodiz

NetSvc::
{C62C59F5-FD1B-4823-805FE6BFD520860D}

DDS::
mSearch Bar = hxxp://red.clientapps.yahoo.com/customize/ie/defaults/sb/ymsgr6/*http://www.yahoo.com/ext/search/search.html
uInternet Settings,ProxyOverride = *.local;<local>
uInternet Settings,ProxyServer = http=localhost:7171
uSearchURL,(Default) = hxxp://red.clientapps.yahoo.com/customize/ie/defaults/su/ymsgr6/*http://www.yahoo.com

Now paste the copied text into the open notepad - press CTRL+V (or right click and choose 'paste')

Save this file to your desktop, Save this as "CFScript"

Here's how to do that:

1.Click File;
2.Click Save As... Change the directory to your desktop;
3.Change the Save as type to "All Files";
4.Type in the file name: CFScript
5.Click Save ...

Posted Image

Referring to the screenshot above, drag CFScript.txt into ComboFix.exe.
ComboFix will now run a scan on your system. It may reboot your system when it finishes. This is normal.
When finished, it shall produce a log for you.
Copy and paste the contents of the log in your next reply.

CAUTION: Do not mouse-click ComboFix's window while it is running. That may cause it to stall.

Note: Allow combofix to update if it requests to do so

Microsoft MVP 2010, 2011, 2012, 2013, 2014, 2015

#57 StormyHaze

Authentic Member

Authentic Member
50 posts

Posted 13 November 2009 - 06:36 PM

Hi there!

Thanks so much for helping! That online virus scan chamber asked me to run froze up about an hour and a half through it anyway. Also, just thought you should know, we got a new printer that my husband tried to install yesterday. It didnt install but a bunch of programs that go with it did. Here is the ComboFix log :

ComboFix 09-11-13.06 - Wenninger 11/13/2009 16:37.7.1 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.511.355 [GMT -5:00]
Running from: c:\documents and settings\Wenninger\Desktop\ComboFix.exe
Command switches used :: c:\documents and settings\Wenninger\Desktop\CFScript.txt
AV: Microsoft Security Essentials *On-access scanning disabled* (Updated) {BCF43643-A118-4432-AEDE-D861FCBCFCDF}

file zipped: c:\documents and settings\Wenninger\Application Data\Macromedia\Common\ec0fe01c1.dll
file zipped: c:\documents and settings\Wenninger\Application Data\Macromedia\Common\ec0fe01c19.exe
file zipped: c:\windows\system32\drivers\utqxodiz.sys
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\documents and settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr0.dat
c:\documents and settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr1.dat
c:\documents and settings\Wenninger\Application Data\Macromedia\Common\ec0fe01c1.dll
c:\documents and settings\Wenninger\Application Data\Macromedia\Common\ec0fe01c19.exe
c:\windows\system32\drivers\utqxodiz.sys

----- BITS: Possible infected sites -----

hxxp://pdisp01.c-wss.com
.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Legacy_UTQXODIZ
-------\Service_utqxodiz

((((((((((((((((((((((((( Files Created from 2009-10-13 to 2009-11-13 )))))))))))))))))))))))))))))))
.

2009-11-13 18:30 . 2009-11-13 18:30 152576 ----a-w- c:\documents and settings\Wenninger\Application Data\Sun\Java\jre1.6.0_17\lzma.dll
2009-11-12 22:56 . 2009-11-12 22:56 -------- d-----w- c:\documents and settings\Wenninger\Application Data\Canon Easy-WebPrint EX
2009-11-12 22:55 . 2009-11-12 22:55 -------- d-----w- c:\program files\Common Files\CANON
2009-11-12 22:49 . 2009-11-12 23:16 -------- d-----w- c:\program files\Canon
2009-11-08 02:58 . 2009-09-10 19:54 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2009-11-08 02:58 . 2009-11-08 02:58 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2009-11-08 02:58 . 2009-09-10 19:53 19160 ----a-w- c:\windows\system32\drivers\mbam.sys
2009-11-05 04:50 . 2009-11-05 04:50 -------- d-----w- c:\program files\ESET
2009-11-05 03:32 . 2009-11-03 01:42 195456 ------w- c:\windows\system32\MpSigStub.exe
2009-11-05 03:29 . 2009-11-05 03:30 -------- d-----w- c:\program files\Microsoft Security Essentials
2009-11-04 21:16 . 2008-04-14 00:12 50176 ----a-w- c:\windows\system32\proquota.exe
2009-11-04 18:48 . 2009-11-04 22:11 -------- d-----w- C:\Combo-Fix
2009-11-04 04:35 . 2009-11-04 04:35 -------- d-----w- c:\program files\ERUNT
2009-11-04 02:38 . 2009-11-04 02:38 -------- d-----w- c:\documents and settings\All Users\Application Data\Kaspersky Lab Setup Files
2009-11-04 02:32 . 2009-11-04 02:32 -------- d-----w- c:\program files\Windows Live Safety Center
2009-11-03 06:23 . 2009-11-03 06:23 -------- d-----w- c:\documents and settings\Wenninger\Application Data\AVG8
2009-11-03 03:30 . 2009-11-03 03:30 -------- d-----w- c:\documents and settings\NetworkService\Local Settings\Application Data\AOL
2009-11-02 19:32 . 2009-11-03 04:00 -------- d-----w- c:\program files\Panda Security
2009-11-02 09:37 . 2009-11-02 09:37 -------- d-----w- c:\documents and settings\Administrator.ALEVISSA\Local Settings\Application Data\AOL
2009-11-02 07:16 . 2009-11-07 20:34 -------- d-----w- c:\documents and settings\Wenninger\Application Data\Malwarebytes
2009-11-02 04:30 . 2009-11-02 04:30 -------- d-----w- c:\documents and settings\Administrator.ALEVISSA\Application Data\Malwarebytes
2009-11-02 04:29 . 2009-11-07 20:34 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
2009-11-02 04:22 . 2009-11-02 04:22 -------- d-sh--w- c:\documents and settings\Administrator.ALEVISSA\PrivacIE
2009-11-01 23:15 . 2009-11-02 01:30 -------- d-----w- c:\windows\BDOSCAN8
2009-11-01 07:40 . 2009-11-01 07:40 552 ----a-w- c:\windows\system32\d3d8caps.dat
2009-11-01 06:41 . 2009-11-01 06:41 -------- d-sh--w- c:\documents and settings\Administrator.ALEVISSA\IETldCache
2009-11-01 05:49 . 2009-11-01 05:49 -------- d-----w- c:\documents and settings\Administrator.ALEVISSA\Local Settings\Application Data\Shareaza
2009-11-01 05:49 . 2009-11-01 05:49 -------- d-----w- c:\documents and settings\Administrator.ALEVISSA\Application Data\Shareaza
2009-10-20 16:54 . 2009-10-20 16:54 59992 ----a-w- c:\documents and settings\All Users\Application Data\Kaspersky Lab Setup Files\Kaspersky Internet Security 2010 9.0.0.736\English\setup.exe

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-11-13 18:32 . 2003-10-06 13:01 -------- d-----w- c:\program files\Java
2009-11-03 04:05 . 2008-06-25 18:15 -------- d-----w- c:\program files\Freecell Buddy Pogo
2009-11-03 04:02 . 2008-02-15 19:49 -------- d-----w- c:\program files\PokerStars
2009-11-03 02:41 . 2003-06-11 00:45 -------- d-----w- c:\program files\Common Files\aol
2009-11-02 09:59 . 2008-02-09 00:41 -------- d-----w- c:\documents and settings\All Users\Application Data\McAfee
2009-11-02 09:41 . 2005-11-17 22:25 139112 -c--a-w- c:\documents and settings\Administrator.ALEVISSA\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2009-10-11 09:17 . 2008-12-18 13:34 411368 ----a-w- c:\windows\system32\deploytk.dll
2009-09-11 14:18 . 2008-10-16 04:59 136192 ----a-w- c:\windows\system32\msv1_0.dll
2009-09-04 21:03 . 2002-09-03 16:44 58880 ----a-w- c:\windows\system32\msasn1.dll
2009-08-29 08:08 . 2004-08-24 00:32 916480 ------w- c:\windows\system32\wininet.dll
2009-08-26 08:00 . 2002-09-03 17:05 247326 ----a-w- c:\windows\system32\strmdll.dll
2009-08-20 20:09 . 2009-08-20 20:09 1193832 ----a-w- c:\windows\system32\FM20.DLL
2004-12-26 00:47 . 2004-12-26 00:47 35121138 ----a-w- c:\program files\NIS_Retail.EXE
.

((((((((((((((((((((((((((((( SnapShot_2009-11-07_18.21.14 )))))))))))))))))))))))))))))))))))))))))
.
+ 2009-11-13 22:19 . 2009-11-13 22:19 16384 c:\windows\temp\Perflib_Perfdata_5dc.dat
+ 2005-05-26 08:16 . 2009-08-07 00:24 44768 c:\windows\SYSTEM32\wups2.dll
+ 2004-08-03 18:59 . 2009-08-07 00:24 35552 c:\windows\SYSTEM32\wups.dll
+ 2005-01-06 03:11 . 2009-08-07 00:24 53472 c:\windows\SYSTEM32\wuauclt.exe
+ 2009-11-13 03:17 . 2009-08-07 00:24 44768 c:\windows\SYSTEM32\SoftwareDistribution\Setup\ServiceStartup\wups2.dll\7.4.7600.226\wups2.dll
+ 2009-11-13 03:17 . 2009-08-07 00:24 35552 c:\windows\SYSTEM32\SoftwareDistribution\Setup\ServiceStartup\wups.dll\7.4.7600.226\wups.dll
+ 2004-08-03 18:59 . 2009-08-07 00:24 35552 c:\windows\SYSTEM32\DLLCACHE\wups.dll
+ 2005-01-06 03:11 . 2009-08-07 00:24 53472 c:\windows\SYSTEM32\DLLCACHE\wuauclt.exe
+ 2002-09-03 16:28 . 2009-08-07 00:24 96480 c:\windows\SYSTEM32\DLLCACHE\cdm.dll
+ 2002-09-03 16:28 . 2009-08-07 00:24 96480 c:\windows\SYSTEM32\cdm.dll
- 2002-09-30 10:11 . 2009-11-06 19:28 45056 c:\windows\Installer\{911B0409-6000-11D3-8CFE-0050048383C9}\wordicon.exe
+ 2002-09-30 10:11 . 2009-11-12 08:05 45056 c:\windows\Installer\{911B0409-6000-11D3-8CFE-0050048383C9}\wordicon.exe
- 2002-09-30 10:11 . 2009-11-06 19:28 22528 c:\windows\Installer\{911B0409-6000-11D3-8CFE-0050048383C9}\unbndico.exe
+ 2002-09-30 10:11 . 2009-11-12 08:05 22528 c:\windows\Installer\{911B0409-6000-11D3-8CFE-0050048383C9}\unbndico.exe
- 2002-09-30 10:11 . 2009-11-06 19:28 16384 c:\windows\Installer\{911B0409-6000-11D3-8CFE-0050048383C9}\PEicons.exe
+ 2002-09-30 10:11 . 2009-11-12 08:05 16384 c:\windows\Installer\{911B0409-6000-11D3-8CFE-0050048383C9}\PEicons.exe
- 2002-09-30 10:11 . 2009-11-06 19:28 34304 c:\windows\Installer\{911B0409-6000-11D3-8CFE-0050048383C9}\misc.exe
+ 2002-09-30 10:11 . 2009-11-12 08:05 34304 c:\windows\Installer\{911B0409-6000-11D3-8CFE-0050048383C9}\misc.exe
+ 2002-09-30 10:11 . 2009-11-12 08:05 3584 c:\windows\Installer\{911B0409-6000-11D3-8CFE-0050048383C9}\opwicon.exe
- 2002-09-30 10:11 . 2009-11-06 19:28 3584 c:\windows\Installer\{911B0409-6000-11D3-8CFE-0050048383C9}\opwicon.exe
+ 2002-09-30 10:11 . 2009-11-12 08:05 8192 c:\windows\Installer\{911B0409-6000-11D3-8CFE-0050048383C9}\mspicons.exe
- 2002-09-30 10:11 . 2009-11-06 19:28 8192 c:\windows\Installer\{911B0409-6000-11D3-8CFE-0050048383C9}\mspicons.exe
+ 2002-09-30 10:11 . 2009-11-12 08:05 2560 c:\windows\Installer\{911B0409-6000-11D3-8CFE-0050048383C9}\cagicon.exe
- 2002-09-30 10:11 . 2009-11-06 19:28 2560 c:\windows\Installer\{911B0409-6000-11D3-8CFE-0050048383C9}\cagicon.exe
+ 2004-08-03 18:59 . 2009-08-07 00:24 209632 c:\windows\SYSTEM32\wuweb.dll
+ 2004-08-03 19:02 . 2009-08-07 00:24 327896 c:\windows\SYSTEM32\wucltui.dll
+ 2004-08-03 19:00 . 2009-08-07 00:23 575704 c:\windows\SYSTEM32\wuapi.dll
+ 2009-11-13 18:32 . 2009-10-11 09:17 149280 c:\windows\SYSTEM32\javaws.exe
+ 2009-11-13 18:32 . 2009-10-11 09:17 145184 c:\windows\SYSTEM32\javaw.exe
+ 2009-11-13 18:32 . 2009-10-11 09:17 145184 c:\windows\SYSTEM32\java.exe
- 2002-09-30 10:15 . 2009-08-14 08:12 411880 c:\windows\SYSTEM32\FNTCACHE.DAT
+ 2002-09-30 10:15 . 2009-11-12 08:12 411880 c:\windows\SYSTEM32\FNTCACHE.DAT
+ 2004-08-03 18:59 . 2009-08-07 00:24 209632 c:\windows\SYSTEM32\DLLCACHE\wuweb.dll
+ 2004-08-03 19:02 . 2009-08-07 00:24 327896 c:\windows\SYSTEM32\DLLCACHE\wucltui.dll
+ 2004-08-03 19:00 . 2009-08-07 00:23 575704 c:\windows\SYSTEM32\DLLCACHE\wuapi.dll
+ 2009-11-07 22:49 . 2008-07-08 13:02 382840 c:\windows\ie8updates\KB976749-IE8\spuninst\updspapi.dll
+ 2009-11-07 22:49 . 2008-07-08 13:02 231288 c:\windows\ie8updates\KB976749-IE8\spuninst\spuninst.exe
+ 2005-01-06 03:11 . 2009-08-07 00:23 1929952 c:\windows\SYSTEM32\wuaueng.dll
+ 2008-10-16 04:59 . 2009-08-14 13:21 1850624 c:\windows\SYSTEM32\win32k.sys
+ 2004-10-25 15:39 . 2009-10-22 09:19 5939712 c:\windows\SYSTEM32\mshtml.dll
+ 2005-01-06 03:11 . 2009-08-07 00:23 1929952 c:\windows\SYSTEM32\DLLCACHE\wuaueng.dll
+ 2008-10-14 17:48 . 2009-08-14 13:21 1850624 c:\windows\SYSTEM32\DLLCACHE\win32k.sys
+ 2006-05-19 15:08 . 2009-10-22 09:19 5939712 c:\windows\SYSTEM32\DLLCACHE\mshtml.dll
+ 2009-09-30 20:11 . 2009-09-30 20:11 8409088 c:\windows\Installer\1df230c.msp
+ 2009-11-07 22:49 . 2009-08-29 08:08 5940224 c:\windows\ie8updates\KB976749-IE8\mshtml.dll
+ 2005-05-11 09:00 . 2009-11-05 17:36 26768832 c:\windows\SYSTEM32\MRT.exe
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"rundll32.exe"="" [BU]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce]
"<NO NAME>"="c:\program files\Internet Explorer\iexplore.exe" [2009-03-08 638816]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"DVDSentry"="c:\windows\System32\DSentry.exe" [2002-08-14 28672]
"Malwarebytes Anti-Malware (reboot)"="c:\program files\Malwarebytes' Anti-Malware\mbam.exe" [2009-09-10 1312080]
"CanonMyPrinter"="c:\program files\Canon\MyPrinter\BJMyPrt.exe" [2009-03-23 1983816]
"CanonSolutionMenu"="c:\program files\Canon\SolutionMenu\CNSLMAIN.exe" [2009-03-17 767312]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2009-10-11 149280]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"NvMediaCenter"="c:\windows\System32\NVMCTRAY.DLL" [2003-10-06 49152]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce]
"RunNarrator"="Narrator.exe" - c:\windows\SYSTEM32\narrator.exe [2008-04-14 53760]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MsMpSvc]
@="Service"

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Reader Speed Launch.lnk]
backup=c:\windows\pss\Adobe Reader Speed Launch.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^America Online 9.0 Tray Icon.lnk]
backup=c:\windows\pss\America Online 9.0 Tray Icon.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^AOL Companion.lnk]
backup=c:\windows\pss\AOL Companion.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Free WebSite Tools.lnk]
backup=c:\windows\pss\Free WebSite Tools.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^GStartup.lnk]

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^hp psc 1000 series.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\hp psc 1000 series.lnk
backup=c:\windows\pss\hp psc 1000 series.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^hpoddt01.exe.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\hpoddt01.exe.lnk
backup=c:\windows\pss\hpoddt01.exe.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Kodak EasyShare software.lnk]
backup=c:\windows\pss\Kodak EasyShare software.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Kodak software updater.lnk]
backup=c:\windows\pss\Kodak software updater.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Microsoft Office.lnk]
backup=c:\windows\pss\Microsoft Office.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Register Kazaa Upgrade Suite3.exe]

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Verizon Online.lnk]
backup=c:\windows\pss\Verizon Online.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Kodak\\Kodak EasyShare software\\bin\\EasyShare.exe"=
"c:\\Program Files\\Common Files\\aol\\Loader\\aolload.exe"=
"c:\\Program Files\\Common Files\\aol\\ACS\\AOLDial.exe"=
"c:\\Program Files\\Common Files\\aol\\ACS\\AOLacsd.exe"=
"c:\\Program Files\\Common Files\\aol\\1157574114\\EE\\AOLServiceHost.exe"=
"c:\\Program Files\\Common Files\\aol\\System Information\\sinf.exe"=
"c:\\Program Files\\Common Files\\aol\\AOL Spyware Protection\\AOLSP Scheduler.exe"=
"c:\\Program Files\\Common Files\\aol\\AOL Spyware Protection\\asp.exe"=
"c:\\Program Files\\Common Files\\AolCoach\\en_en\\player\\AOLNySEV.exe"=
"c:\\Program Files\\Common Files\\aol\\TopSpeed\\3.0\\aoltpsd3.exe"=
"c:\\Program Files\\Common Files\\aol\\1157574114\\EE\\aolsoftware.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\AOL 9.1\\waol.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"3389:TCP"= 3389:TCP:Remote Desktop

S3 SKUSBKBF;USB Keyboard Filter Driver;c:\windows\SYSTEM32\DRIVERS\skusbkbf.sys [7/27/2001 8:25 AM 14048]
S4 Viewpoint Manager Service;Viewpoint Manager Service;c:\program files\Viewpoint\Common\ViewpointService.exe [8/19/2009 4:51 PM 24652]

--- Other Services/Drivers In Memory ---

*Deregistered* - IPVNMon
*Deregistered* - mbr
.
Contents of the 'Scheduled Tasks' folder

2009-11-13 c:\windows\Tasks\MP Scheduled Scan.job
- c:\program files\Microsoft Security Essentials\MpCmdRun.exe [2009-07-02 22:36]

2009-11-13 c:\windows\Tasks\MpIdleTask.job
- c:\program files\Microsoft Security Essentials\MpCmdRun.exe [2009-07-02 22:36]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.aol.com/
uDefault_Search_URL = hxxp://search.msn.com
uSearchMigratedDefaultURL = hxxp://search.yahoo.com/search?p={searchTerms}&ei=utf-8&fr=b1ie7
uSearchURL,(Default) = hxxp://red.clientapps.yahoo.com/customize/ie/defaults/su/ymsgr6/*http://www.yahoo.com
IE:
IE: &AIM Search - c:\program files\AIM Toolbar\AIMBar.dll/aimsearch.htm
Trusted Zone: microsoft.com\*.windowsupdate
Trusted Zone: microsoft.com\v5.windowsupdate
Trusted Zone: windowsupdate.com
DPF: Aces Up! by pogo - hxxp://game1.pogo.com/v/8.1.1.1/applet/aces/aces-en_US.cab
DPF: Backgammon by pogo - hxxp://game1.pogo.com/applet-8.0.9.41/backgammon/backgammon-en_US.cab
DPF: Bingo Luau by pogo - hxxp://game1.pogo.com/v/8.1.7.44/applet/freebingo/freebingo-en_US.cab
DPF: Blackjack by pogo - hxxp://game3.pogo.com/v/8.1.7.44/applet/blackjack/blackjack-en_US.cab
DPF: Blackjack Carnival by pogo - hxxp://game1.pogo.com/v/8.1.1.1/applet/vbjack2/vbjack2-en_US.cab
DPF: Blooop by pogo - hxxp://game1.pogo.com/v/8.1.0.23/applet/cascade/cascade-en_US.cab
DPF: Canasta by pogo - hxxp://game1.pogo.com/v/8.1.1.13/applet/canasta/canasta-en_US.cab
DPF: Checkers by pogo - hxxp://game1.pogo.com/applet-8.0.9.41/checkers2/checkers-en_US.cab
DPF: Chess by pogo - hxxp://game1.pogo.com/v/8.1.1.13/applet/chess2/chess2-en_US.cab
DPF: Dice City Roller by pogo - hxxp://game3.pogo.com/v/8.1.9.1/applet/ytz/ytz-en_US.cab
DPF: DirectAnimation Java Classes - file://c:\windows\Java\classes\dajava.cab
DPF: Dominoes by pogo - hxxp://game1.pogo.com/v/8.1.0.23/applet/domino/domino-en_US.cab
DPF: Double Deuce Poker by pogo - hxxp://game1.pogo.com/v/8.1.1.1/applet/videopoker2/doubledeuce-en_US.cab
DPF: Fortune Bingo by pogo - hxxp://game1.pogo.com/applet-8.0.9.41/superbingo/superbingo-en_US.cab
DPF: Hangman Hijinks by pogo - hxxp://game3.pogo.com/v/8.1.8.10/applet/hangman/hangman-en_US.cab
DPF: Hearts by pogo - hxxp://game3.pogo.com/v/8.1.7.44/applet/hearts/hearts-en_US.cab
DPF: High Stakes Poker by pogo - hxxp://game1.pogo.com/applet-8.0.9.41/drawpoker/drawpoker-en_US.cab
DPF: High Stakes Pool by pogo - hxxp://game1.pogo.com/v/8.1.0.23/applet/pool2/pool-en_US.cab
DPF: Hog Heaven Slots by pogo - hxxp://game1.pogo.com/v/8.1.7.44/applet/fancy/fancy-en_US.cab
DPF: Jungle Gin by pogo - hxxp://game1.pogo.com/v/8.1.1.13/applet/gin2/gin2-en_US.cab
DPF: Lost Temple Poker by pogo - hxxp://game1.pogo.com/v/8.1.0.23/applet/mhpoker/mhpoker-en_US.cab
DPF: Lottso by pogo - hxxp://game3.pogo.com/v/8.1.9.1/applet/lottso/lottso-en_US.cab
DPF: Makeover Madness by pogo - hxxp://game3.pogo.com/v/8.1.7.44/applet/shoes/shoes-en_US.cab
DPF: Microsoft XML Parser for Java - file://c:\windows\Java\classes\xmldso.cab
DPF: NASCAR Web Racing by pogo - hxxp://game1.pogo.com/v/8.1.1.1/applet/nascar/nascar-en_US.cab
DPF: No-Limit Texas Hold'em by pogo - hxxp://game1.pogo.com/v/8.1.1.21/applet/allin/allin-en_US.cab
DPF: Pai Gow by pogo - hxxp://game1.pogo.com/v/8.1.1.1/applet/paigow/paigow-en_US.cab
DPF: Payday Freecell Solitaire by pogo - hxxp://game1.pogo.com/v/8.1.1.1/applet/freecell2/freecell2-en_US.cab
DPF: Perfect Pair Solitaire by pogo - hxxp://game1.pogo.com/v/8.1.7.44/applet/waterwheel/waterwheel-en_US.cab
DPF: Phlinx by pogo - hxxp://game1.pogo.com/v/8.1.1.1/applet/flinger/flinger-en_US.cab
DPF: Poppit by pogo - hxxp://game1.pogo.com/v/8.1.0.23/applet/poppit2/poppit2-en_US.cab
DPF: Quick Quack by pogo - hxxp://game1.pogo.com/v/8.1.7.44/applet/hotstreak/hotstreak-en_US.cab
DPF: QWERTY by pogo - hxxp://game1.pogo.com/v/8.1.1.13/applet/squares/squares-en_US.cab
DPF: Ride The Tide by pogo - hxxp://game1.pogo.com/v/8.1.0.23/applet/ride/ride-en_US.cab
DPF: Showbiz Slots by pogo - hxxp://game1.pogo.com/v/8.1.0.24/applet/slots/showbiz-en_US.cab
DPF: Spooky Slots - hxxp://game1.pogo.com/v/8.1.1.35/applet/spooky/spooky-en_US.cab
DPF: Squelchies by pogo - hxxp://game1.pogo.com/v/8.1.1.1/applet/squelchies/squelchies-en_US.cab
DPF: Stax by pogo - hxxp://game1.pogo.com/v/8.1.1.1/applet/stax/stax-en_US.cab
DPF: Sweet Tooth TM by pogo - hxxp://game1.pogo.com/v/8.1.1.13/applet/sweettooth/sweettooth-en_US.cab
DPF: Thousand Island Solitaire by pogo - hxxp://game3.pogo.com/v/8.1.9.1/applet/millbrae/millbrae-en_US.cab
DPF: Turbo 21 v2 by pogo - hxxp://game1.pogo.com/v/8.1.9.7/applet/turbo22/turbo22-en_US.cab
DPF: Wonderland Memories by pogo - hxxp://game1.pogo.com/v/8.1.0.23/applet/memories/memories-en_US.cab
DPF: Word Search Daily by pogo - hxxp://game3.pogo.com/v/8.1.9.4/applet/wordsearch/wordsearch-en_US.cab
DPF: Word Whomp by pogo - hxxp://game1.pogo.com/v/8.1.0.23/applet/wordwhomp2/whomp2-en_US.cab
DPF: {6218F7B5-0D3A-48BA-AE4C-49DCFA63D400} - hxxp://www.myheritage.com/Genoogle/Components/ActiveX/SearchEngineQuery.dll
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-11-13 17:21
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_USERS\S-1-5-21-2624249815-826661598-447150811-1006\Software\Microsoft\SystemCertificates\AddressBook*]
@Allowed: (Read) (RestrictedCode)
@Allowed: (Read) (RestrictedCode)

[HKEY_USERS\S-1-5-21-2624249815-826661598-447150811-1006\Software\Policies\Microsoft\SystemCertificates\AddressBook*]
@Allowed: (Read) (S-1-5-21-2624249815-826661598-447150811-1006)
@Allowed: (Read) (S-1-5-21-2624249815-826661598-447150811-1006)
@Allowed: (Read) (RestrictedCode)
@Allowed: (Read) (RestrictedCode)
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(672)
c:\windows\System32\ctmp3.acm
c:\windows\system32\vct3216.acm
c:\windows\system32\vct3216.dll
c:\windows\system32\msms001.vwp
c:\windows\system32\mvoice.vwp

- - - - - - - > 'explorer.exe'(308)
c:\windows\system32\WININET.dll
c:\windows\System32\ctmp3.acm
c:\windows\system32\webcheck.dll
c:\windows\system32\IEFRAME.dll
c:\windows\system32\vct3216.acm
c:\windows\system32\vct3216.dll
c:\windows\system32\msms001.vwp
c:\windows\system32\mvoice.vwp
c:\windows\system32\WPDShServiceObj.dll
c:\program files\Common Files\aolshare\aolshcpy.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
------------------------ Other Running Processes ------------------------
.
c:\program files\Microsoft Security Essentials\MsMpEng.exe
c:\program files\Common Files\AOL\ACS\AOLAcsd.exe
c:\program files\Bonjour\mDNSResponder.exe
c:\windows\System32\CTsvcCDA.exe
c:\program files\Java\jre6\bin\jqs.exe
c:\windows\system32\wscntfy.exe
.
**************************************************************************
.
Completion time: 2009-11-13 17:43 - machine was rebooted
ComboFix-quarantined-files.txt 2009-11-13 22:43
ComboFix2.txt 2009-11-12 22:17
ComboFix3.txt 2009-11-12 16:22
ComboFix4.txt 2009-11-08 01:01
ComboFix5.txt 2009-11-13 21:35

Pre-Run: 14,189,043,712 bytes free
Post-Run: 14,246,047,744 bytes free

- - End Of File - - 46F6345541E241BD027FC7CD1C289CF6

#58 CatByte

Classroom Administrator

Classroom Admin
21,060 posts

Posted 13 November 2009 - 06:55 PM

Hi,

Please do the following:

Please open your MalwareBytes AntiMalware Program
Click the Update Tab and search for updates
If an update is found, it will download and install the latest version.
Once the program has loaded, select "Perform Quick Scan", then click Scan.
The scan may take some time to finish, so please be patient.
When the scan is complete, click OK, then Show Results to view the results.
Make sure that everything is checked, and click Remove Selected. <-- very important
When disinfection is completed, a log will open in Notepad and you may be prompted to Restart. (See Extra Note)
The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
Copy&Paste the entire report in your next reply.

Extra Note:If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts, click OK to either and let MBAM proceed with the disinfection process, if asked to restart the computer, please do so immediately.

NEXT

Go here to run an online scanner from ESET.

Note: You will need to use Internet explorer for this scan
Turn off the real time scanner of any existing antivirus program while performing the online scan
Tick the box next to YES, I accept the Terms of Use.
Click Start
When asked, allow the activeX control to install
Click Start
Make sure that the option Remove found threats is unticked and the Scan Archives option is ticked.
Click on Advanced Settings, ensure the options Scan for potentially unwanted applications, Scan for potentially unsafe applications, and Enable Anti-Stealth Technology are ticked.
Click Scan
Wait for the scan to finish
Use notepad to open the logfile located at C:\Program Files\Eset\Eset Online Scanner\log.txt
Copy and paste that log as a reply to this topic and also let me know how things are now.

Microsoft MVP 2010, 2011, 2012, 2013, 2014, 2015

#59 StormyHaze

Authentic Member

Authentic Member
50 posts

Posted 13 November 2009 - 10:12 PM

Okay, I did everything. The computer is MUCH better than it was! I have it on selective startup and have most programs not starting when the computer starts though. If you think it is okay I will have it boot up normally. Also, my hubby had trouble installing the new printer but I scolded him because I was still working on the computer. He didn't know. So should I run things like normal now? Should I try to install the printer? You have been a great help! Heres the logs: MBAM: Malwarebytes' Anti-Malware 1.41 Database version: 3166 Windows 5.1.2600 Service Pack 3 11/13/2009 10:16:18 PM mbam-log-2009-11-13 (22-16-18).txt Scan type: Quick Scan Objects scanned: 122563 Time elapsed: 25 minute(s), 38 second(s) Memory Processes Infected: 0 Memory Modules Infected: 0 Registry Keys Infected: 0 Registry Values Infected: 1 Registry Data Items Infected: 0 Folders Infected: 0 Files Infected: 0 Memory Processes Infected: (No malicious items detected) Memory Modules Infected: (No malicious items detected) Registry Keys Infected: (No malicious items detected) Registry Values Infected: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\rundll32.exe (Trojan.Agent) -> Quarantined and deleted successfully. Registry Data Items Infected: (No malicious items detected) Folders Infected: (No malicious items detected) Files Infected: (No malicious items detected) ESET: ESETSmartInstaller@High as CAB hook log: OnlineScanner.ocx - registred OK # version=7 # iexplore.exe=8.00.6001.18702 (longhorn_ie8_rtm(wmbla).090308-0339) # OnlineScanner.ocx=1.0.0.6211 # api_version=3.0.2 # EOSSerial=2a5702546bab0c42aff39c7764186622 # end=finished # remove_checked=false # archives_checked=true # unwanted_checked=true # unsafe_checked=true # antistealth_checked=true # utc_time=2009-11-14 03:57:56 # local_time=2009-11-13 10:57:56 (-0500, Eastern Standard Time) # country="United States" # lang=1033 # osver=5.1.2600 NT Service Pack 3 # compatibility_mode=514 16777214 0 1 159551942 159551942 0 0 # compatibility_mode=1024 16777215 100 0 0 0 0 0 # compatibility_mode=5891 16776869 100 100 0 12713551 0 0 # compatibility_mode=8192 67108863 100 0 0 0 0 0 # scanned=53509 # found=0 # cleaned=0 # scan_time=2246

#60 CatByte

Classroom Administrator

Classroom Admin
21,060 posts

Posted 13 November 2009 - 10:21 PM

Hi, boot it normally, with all the programs running on start up. leave the printer for the moment till I'm sure your completely clean...I'd wade through all these pages, but it's easier for me to give you the link and download instructions again for DDS...so sorry if chamber already gave it to you

please do the following:

Please download DDS from LINK 1 or LINK 2
and save it to your desktop.

Disable any script blocking protection
Double click dds.pif to run the tool.
When done, two DDS.txt's will open.
Save both reports to your desktop.

---------------------------------------------------
Please include the contents of the following in your next reply:

DDS.txt
Attach.txt.

Microsoft MVP 2010, 2011, 2012, 2013, 2014, 2015

Body Background

skin color theme