Infected with Iexplore.exe Virus Among Others
  #1  
Old 22nd Apr 2009, 13:34
New Member Group
 
I was infected with the iexplore.exe virus either yesterday or a couple of days ago, and I believe I got most of the problem taken care of with the CCleaner, SAS, MBAM combination, but some things still seem a bit off, like my access to the internet, which selectively craps out. Some of that was explained by the settings on Avast!, but they don't explain everything.

I'm running an up to date Windows XP
Was using an out of date Sophos up until yesterday, now I'm running Avast!
My main browser is Opera 9.64 (are there security issues with this browser?)


As you can see, I wiped out a lot of viruses yesterday. Can anyone give it a quick look over to see if I've got a clean bill of health?

SUPERAntiSpyware Scan Log
http://www.superantispyware.com

Generated 04/22/2009 at 07:38 AM

Application Version : 4.26.1000

Core Rules Database Version : 3857
Trace Rules Database Version: 1809

Scan type : Complete Scan
Total Scan Time : 04:45:19

Memory items scanned : 575
Memory threats detected : 5
Registry items scanned : 5599
Registry threats detected : 18
File items scanned : 82667
File threats detected : 30

Adware.Vundo/Variant-EC
C:\WINDOWS\SYSTEM32\LEHEBOFI.DLL
C:\WINDOWS\SYSTEM32\LEHEBOFI.DLL
C:\WINDOWS\SYSTEM32\LUFESOKO.DLL
C:\WINDOWS\SYSTEM32\LUFESOKO.DLL
C:\WINDOWS\SYSTEM32\KUPEBUKE.DLL
C:\WINDOWS\SYSTEM32\LORIZUZU.DLL

Adware.Vundo/Variant
C:\WINDOWS\SYSTEM32\WEGAGOLU.DLL
C:\WINDOWS\SYSTEM32\WEGAGOLU.DLL
C:\WINDOWS\SYSTEM32\TEHAYELA.DLL
C:\WINDOWS\SYSTEM32\TEHAYELA.DLL
C:\WINDOWS\SYSTEM32\GASOWIHU.DLL
C:\WINDOWS\SYSTEM32\GASOWIHU.DLL
HKU\S-1-5-21-3984618128-2522347335-1265690392-1006\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{E072011A-80BB-457C-A4F0-469B58583BA1}
C:\WINDOWS\SYSTEM32\JOVIREHA.DLL
C:\WINDOWS\SYSTEM32\LOMEHUDA.DLL
C:\WINDOWS\SYSTEM32\NEZUSENA.DLL
C:\WINDOWS\SYSTEM32\SIBEPULO.DLL
C:\WINDOWS\SYSTEM32\TUBIVABO.DLL
C:\WINDOWS\SYSTEM32\WISEGAVA.DLL
C:\WINDOWS\SYSTEM32\YUWEFAYI.DLL

Adware.Vundo Variant
HKLM\Software\Classes\CLSID\{EC43E3FD-5C60-46a6-97D7-E0B85DBDD6C4}
HKCR\CLSID\{EC43E3FD-5C60-46A6-97D7-E0B85DBDD6C4}
HKCR\CLSID\{EC43E3FD-5C60-46A6-97D7-E0B85DBDD6C4}\InprocServer32
HKCR\CLSID\{EC43E3FD-5C60-46A6-97D7-E0B85DBDD6C4}\InprocServer32#ThreadingModel
HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\SharedTaskScheduler#{EC43E3FD-5C60-46a6-97D7-E0B85DBDD6C4}
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad#SSODL
HKCR\CLSID\{EC43E3FD-5C60-46A6-97D7-E0B85DBDD6C4}

Trojan.Vundo-Variant/NextGen
HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{e072011a-80bb-457c-a4f0-469b58583ba1}
HKCR\CLSID\{E072011A-80BB-457C-A4F0-469B58583BA1}
HKCR\CLSID\{E072011A-80BB-457C-A4F0-469B58583BA1}\InprocServer32
HKCR\CLSID\{E072011A-80BB-457C-A4F0-469B58583BA1}\InprocServer32#ThreadingModel

Adware.Tracking Cookie
C:\Documents and Settings\Cory\Cookies\cory@realmedia[2].txt
C:\Documents and Settings\Cory\Cookies\cory@clickbank[1].txt
C:\Documents and Settings\Cory\Cookies\cory@enhance[2].txt

Trojan.Security Toolbar
C:\Documents and Settings\Cory\Favorites\Antivirus Test Online.url

Malware.SpywareQuake
C:\Program Files\SpywareQuake.com\blacklist.txt
C:\Program Files\SpywareQuake.com\ignored.lst
C:\Program Files\SpywareQuake.com\ref.dat
C:\Program Files\SpywareQuake.com\SpywareQuake.com.url
C:\Program Files\SpywareQuake.com

Rootkit.Unclassified/KR_Done
C:\WINDOWS\system32\vx.tll

Adware.Vundo Variant/Rel
HKLM\SOFTWARE\Microsoft\contim
HKLM\SOFTWARE\Microsoft\contim#SysShell
HKLM\SOFTWARE\Microsoft\rdfa
HKLM\SOFTWARE\Microsoft\rdfa#F
HKLM\SOFTWARE\Microsoft\rdfa#N

Rogue.Component/Trace
HKU\S-1-5-21-3984618128-2522347335-1265690392-1006\Software\Microsoft\FIAS4057

Adware.Vundo/Variant-SR
C:\WINDOWS\SYSTEM32\BEKEGOKO.DLL

Trace.Known Threat Sources
C:\Documents and Settings\Cory\Local Settings\Temporary Internet Files\Content.IE5\GTU3K9UZ\l.s.bg1z[1].gif
C:\Documents and Settings\Cory\Local Settings\Temporary Internet Files\Content.IE5\S56RCLIJ\l.s.bg2z[1].gif
C:\Documents and Settings\Cory\Local Settings\Temporary Internet Files\Content.IE5\0PEJCHYZ\favicon[1].ico
C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\0X6BKPI7\upgrade[1].cab
C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\ODAJCD6Z\upgrade[1].cab
----------------------------------

Malwarebytes' Anti-Malware 1.36
Database version: 2026
Windows 5.1.2600 Service Pack 3

4/22/2009 1:56:24 PM
mbam-log-2009-04-22 (13-56-24).txt

Scan type: Quick Scan
Objects scanned: 69234
Time elapsed: 3 minute(s), 51 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 4
Registry Values Infected: 3
Registry Data Items Infected: 2
Folders Infected: 0
Files Infected: 2

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_CLASSES_ROOT\CLSID\{ec43e3fd-5c60-46a6-97d7-e0b85dbdd6c4} (Trojan.BHO) -> Delete on reboot.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{42f2c9ba-614f-47c0-b3e3-ecfd34eed658} (Adware.ISTBar) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{7c559105-9ecf-42b8-b3f7-832e75edd959} (Adware.ISTBar) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\dslcnnct (Trojan.Vundo) -> Quarantined and deleted successfully.

Registry Values Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\bupodadazu (Trojan.Vundo.H) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\64028cb6 (Trojan.Vundo.H) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\cpm6731bf2a (Trojan.Vundo.H) -> Quarantined and deleted successfully.

Registry Data Items Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\AntiVirusDisableNotify (Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\UpdatesDisableNotify (Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.

Folders Infected:
(No malicious items detected)

Files Infected:
C:\WINDOWS\system32\IDE21201.VXD (Adware.WinButler) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\fevajeha.dll.vir (Trojan.Vundo) -> Quarantined and deleted successfully.



----------------------------

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 4:29:14 PM, on 4/22/2009
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16827)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Intel\Intel Matrix Storage Manager\iaantmon.exe
C:\Program Files\Java\jre6\bin\jqs.exe
c:\program files\mcafee.com\agent\mcdetect.exe
c:\PROGRA~1\mcafee.com\agent\mctskshd.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\PROGRA~1\McAfee.com\PERSON~1\MPFSERVICE.exe
C:\WINDOWS\system32\HPZipm12.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\Program Files\Intel\Intel Matrix Storage Manager\iaanotif.exe
C:\WINDOWS\stsystra.exe
C:\WINDOWS\system32\dla\tfswctrl.exe
C:\PROGRA~1\McAfee.com\PERSON~1\MpfTray.exe
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\Program Files\AIM\aim.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\System32\svchost.exe
C:\PROGRA~1\McAfee.com\PERSON~1\MpfAgent.exe
C:\Program Files\Opera\opera.exe
C:\Program Files\Trend Micro\HijackThis\juice.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dell4me.com/myway
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
O1 - Hosts: 82.98.231.89 url.adtrgt.com
O1 - Hosts: 82.98.231.89 googleads2.gdoubleclick.net
O1 - Hosts: .audio-surf.com
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\system32\dla\tfswshx.dll
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"
O4 - HKLM\..\Run: [IAAnotif] C:\Program Files\Intel\Intel Matrix Storage Manager\iaanotif.exe
O4 - HKLM\..\Run: [SigmatelSysTrayApp] stsystra.exe
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [dla] C:\WINDOWS\system32\dla\tfswctrl.exe
O4 - HKLM\..\Run: [MCAgentExe] c:\PROGRA~1\mcafee.com\agent\mcagent.exe
O4 - HKLM\..\Run: [MCUpdateExe] C:\PROGRA~1\mcafee.com\agent\mcupdate.exe
O4 - HKLM\..\Run: [MPFExe] C:\PROGRA~1\McAfee.com\PERSON~1\MpfTray.exe
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKCU\..\Run: [AIM] C:\Program Files\AIM\aim.exe -cnetwait.odl
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKUS\S-1-5-19\..\Run: [bupodadazu] Rundll32.exe "C:\WINDOWS\system32\tehayela.dll",s (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [bupodadazu] Rundll32.exe "C:\WINDOWS\system32\tehayela.dll",s (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\RunOnce: [RunNarrator] Narrator.exe (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\RunOnce: [RunNarrator] Narrator.exe (User 'Default user')
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~4\OFFICE11\REFIEBAR.DLL
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {5ED80217-570B-4DA9-BF44-BE107C0EC166} (Windows Live Safety Center Base Module) - http://cdn.scan.onecare.live.com/res...scbase5483.cab
O16 - DPF: {A922B6AB-3B87-11D3-B3C2-0008C7DA6CB9} (InetDownload Class) - https://media.pineconeresearch.com/A...oadcontrol.cab
O20 - AppInit_DLLs: c:\program files\relevantknowledge\rlai.dll c:\windows\system32\fevajeha.dll C:\WINDOWS\system32\wegagolu.dll c:\windows\system32\nezusena.dll c:\windows\system32\lomehuda.dll c:\windows\system32\wisegava.dll
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
O23 - Service: avast! Web Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: Intel(R) Matrix Storage Event Monitor (IAANTMon) - Intel Corporation - C:\Program Files\Intel\Intel Matrix Storage Manager\iaantmon.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: McAfee WSC Integration (McDetect.exe) - McAfee, Inc - c:\program files\mcafee.com\agent\mcdetect.exe
O23 - Service: McAfee Task Scheduler (McTskshd.exe) - McAfee, Inc - c:\PROGRA~1\mcafee.com\agent\mctskshd.exe
O23 - Service: McAfee SecurityCenter Update Manager (mcupdmgr.exe) - McAfee, Inc - C:\PROGRA~1\McAfee.com\Agent\mcupdmgr.exe
O23 - Service: McAfee Personal Firewall Service (MpfService) - McAfee Corporation - C:\PROGRA~1\McAfee.com\PERSON~1\MPFSERVICE.exe
O23 - Service: NMIndexingService - Unknown owner - C:\Program Files\Common Files\Ahead\Lib\NMIndexingService.exe (file missing)
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe

--
End of file - 7929 bytes
  #2  
Old 22nd Apr 2009, 20:17
Moderator Group
 
Hello MidnightAurora.

You need to uninstall either McAfee or Avast. Two antivirus programs are never recommended and will just cause issues.

Open HijackThis and select Do a system scan only

Place a check mark next to the following entries: (if there)
  • R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
  • O1 - Hosts: 82.98.231.89 url.adtrgt.com
  • O1 - Hosts: 82.98.231.89 googleads2.gdoubleclick.net
  • O1 - Hosts: .audio-surf.com
  • O4 - HKUS\S-1-5-19\..\Run: [bupodadazu] Rundll32.exe "C:\WINDOWS\system32\tehayela.dll",s (User 'LOCAL SERVICE')
  • O4 - HKUS\S-1-5-20\..\Run: [bupodadazu] Rundll32.exe "C:\WINDOWS\system32\tehayela.dll",s (User 'NETWORK SERVICE')
  • O20 - AppInit_DLLs: c:\program files\relevantknowledge\rlai.dll c:\windows\system32\fevajeha.dll C:\WINDOWS\system32\wegagolu.dll c:\windows\system32\nezusena.dll c:\windows\system32\lomehuda.dll c:\windows\system32\wisegava.dll

Important: Close all open windows except for HijackThis and then click Fix checked.

Once completed, exit HijackThis.

----------

Download HostsXpert
  • Unzip HostXpert to your Desktop
  • Open up the HostXpert program.
  • Make sure that the "Make Hosts Writable?" button in the upper right corner is enabled.
  • Click Create Back Up
  • Then click on Restore Microsoft's Host Files
  • Close the HostXpert program


Note: if you use SpywareBlaster, Spybot and/or IE-SPYAD, it will be necessary to re-install the protection they afford. For SpywareBlaster, run the program and select Enable all protection. For Spybot run the program and select Immunize. For IE-SPYAD, run the batch file and reinstall the protection.

----------

Download ComboFix© by sUBs from one of the below links. Be sure to save it to the Desktop.

Link #1
Link #2

**Note: It is important that it is saved directly to your Desktop

DO NOT run it yet!

Note: the below instructions were created specifically for this user. If you are not this user, DO NOT follow these directions as they could damage the workings of your system

Delete these files/folders, as follows:

1. Go to Start > Run > type Notepad.exe and click OK to open Notepad.
It must be Notepad, not Wordpad.
2. Copy the text in the below code box by highlighting all the text and pressing Ctrl+C

Code:
KillAll::

File::
C:\WINDOWS\system32\tehayela.dll

Registry::
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]
"AppInit_DLLs"=""
3. Go to the Notepad window and click Edit > Paste
4. Then click File > Save
5. Name the file CFScript.txt - Save the file to your Desktop
6. Then drag the CFScript (hold the left mouse button while dragging the file) and drop it (release the left mouse button) into ComboFix.exe as you see in the screenshot below. Important: Perform this instruction carefully!



ComboFix will begin to execute, just follow the prompts.
After reboot (in case it asks to reboot), it will produce a log for you.
Post that log (Combofix.txt) in your next reply.

Note: Do not mouseclick ComboFix's window while it is running. That may cause your system to freeze
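The checks above pick out a handful of HijackThis entry classes by hand. The script below is an added example (not code from this thread, from HijackThis or from any tool named above) that applies the same triage automatically to HijackThis-style log lines: hosts-file entries that redirect to a remote address or are malformed, Run keys under the LOCAL SERVICE / NETWORK SERVICE hives invoking Rundll32 on a system32 DLL, a non-empty AppInit_DLLs value, and an IE start page reset to about:blank. The sample lines are constructed, modelled on the log posted above; the function and pattern names are my own.

```python
"""Flag HijackThis-style log entries in the classes a helper would ask to fix.

Added example, not code from the thread or from HijackThis. The sample lines
below are constructed, modelled on the log posted in this thread.
"""
import re
from dataclasses import dataclass

# Constructed sample, modelled on the HijackThis log posted above.
SAMPLE_LOG = r"""
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
O1 - Hosts: 82.98.231.89 url.adtrgt.com
O1 - Hosts: .audio-surf.com
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKUS\S-1-5-19\..\Run: [bupodadazu] Rundll32.exe "C:\WINDOWS\system32\tehayela.dll",s (User 'LOCAL SERVICE')
O20 - AppInit_DLLs: c:\program files\relevantknowledge\rlai.dll c:\windows\system32\fevajeha.dll
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
"""


@dataclass
class Finding:
    kind: str    # hosts | autorun | appinit | browser
    reason: str
    line: str


LOOPBACK = {"127.0.0.1", "0.0.0.0", "::1"}
# Well-known SIDs of LOCAL SERVICE and NETWORK SERVICE. Software a user installs
# has no business registering Run keys under these hives.
SERVICE_ACCOUNT_SIDS = {"S-1-5-19", "S-1-5-20"}

HOSTS_RE = re.compile(r"^O1 - Hosts:\s*(?:(\d{1,3}(?:\.\d{1,3}){3})\s+)?(\S+)\s*$")
RUN_RE = re.compile(r"^O4 - (?:HKUS\\(S-1-5-\d+)|HKLM|HKCU)\\\.\.\\Run(?:Once)?: \[([^\]]*)\] (.*)$")
RUNDLL_RE = re.compile(r'Rundll32\.exe\s+"?([^",]+\.dll)', re.IGNORECASE)
APPINIT_RE = re.compile(r"^O20 - AppInit_DLLs:\s*(.*)$")
STARTPAGE_RE = re.compile(r"^R0 - HK(?:CU|LM)\\.*Start Page = (.*)$")


def check_hosts(line):
    """O1: HijackThis lists every hosts entry beyond the default localhost line."""
    m = HOSTS_RE.match(line)
    if not m:
        return None
    ip, host = m.group(1), m.group(2)
    if ip is None:
        return Finding("hosts", f"malformed hosts entry {host!r} (no address)", line)
    if ip not in LOOPBACK:
        return Finding("hosts", f"{host} redirected to remote address {ip}", line)
    return None  # loopback entries are the usual ad-blocking lists; not flagged


def check_run(line):
    """O4: autostart under a service-account hive, or Rundll32 on a random-name DLL."""
    m = RUN_RE.match(line)
    if not m:
        return None
    sid, name, command = m.groups()
    dll = RUNDLL_RE.search(command)
    target = dll.group(1) if dll else None
    if sid in SERVICE_ACCOUNT_SIDS:
        what = f" via Rundll32 loading {target}" if target else ""
        return Finding("autorun", f"Run entry [{name}] under service-account hive {sid}{what}", line)
    # Heuristic for human review: an eight-letter system32 DLL name with no digits,
    # like the names in this thread's log. Legitimate DLLs can match too.
    if target and re.search(r"\\system32\\[a-z]{8}\.dll$", target, re.IGNORECASE):
        return Finding("autorun", f"Rundll32 loads system32 DLL with random-looking name: {target}", line)
    return None


def check_appinit(line):
    """O20: DLLs in AppInit_DLLs are loaded into every process that loads user32."""
    m = APPINIT_RE.match(line)
    if not m or not m.group(1).strip():
        return None
    # Paths may contain spaces; split only where the next drive letter begins.
    dlls = re.split(r"\s+(?=[a-z]:\\)", m.group(1).strip(), flags=re.IGNORECASE)
    return Finding("appinit", f"{len(dlls)} DLL(s) injected system-wide via AppInit_DLLs: " + "; ".join(dlls), line)


def check_startpage(line):
    """R0: an about:blank start page is a common leftover after a hijacker is removed."""
    m = STARTPAGE_RE.match(line)
    if not m:
        return None
    if m.group(1).strip() == "about:blank":
        return Finding("browser", "IE start page is about:blank; confirm the user set it, else restore", line)
    return None


CHECKS = (check_hosts, check_run, check_appinit, check_startpage)


def triage(log_text):
    """Return one Finding per flagged line, in log order."""
    findings = []
    for raw in log_text.splitlines():
        line = raw.strip()
        for check in CHECKS:
            found = check(line)
            if found:
                findings.append(found)
                break
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"[{f.kind}] {f.reason}\n    {f.line}")
```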

  #3  
Old 23rd Apr 2009, 10:15
New Member Group
 
Thanks for the help. I have not yet uninstalled McAfee antivirus, but should I keep the firewall installed? Here's the log you requested:

ComboFix 09-04-23.A3 - Cory 04/23/2009 11:59.1 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.1022.581 [GMT -5:00]
Running from: c:\documents and settings\Cory\Desktop\ComboFix.exe
Command switches used :: c:\documents and settings\Cory\Desktop\CFScript.txt
AV: avast! antivirus 4.8.1335 [VPS 090423-0] *On-access scanning disabled* (Updated)
FW: McAfee Personal Firewall Plus *enabled*
* Created a new restore point

FILE ::
c:\windows\system32\tehayela.dll
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\windows\system32\ekubepuk.ini
c:\windows\system32\iyafewuy.ini
c:\windows\system32\okoseful.ini
c:\windows\system32\olupebis.ini
c:\windows\system32\uzuzirol.ini

.
((((((((((((((((((((((((( Files Created from 2009-05-23 to 2009-4-23 )))))))))))))))))))))))))))))))
.

2009-04-22 20:44 . 2009-04-22 20:44 73728 ----a-w c:\windows\system32\javacpl.cpl
2009-04-22 20:44 . 2009-04-22 20:44 410984 ----a-w c:\windows\system32\deploytk.dll
2009-04-22 18:50 . 2009-04-22 18:50 -------- d-----w c:\documents and settings\Cory\Application Data\Malwarebytes
2009-04-22 18:50 . 2009-04-06 20:32 15504 ----a-w c:\windows\system32\drivers\mbam.sys
2009-04-22 18:50 . 2009-04-06 20:32 38496 ----a-w c:\windows\system32\drivers\mbamswissarmy.sys
2009-04-22 18:50 . 2009-04-22 18:50 -------- d-----w c:\program files\Malwarebytes' Anti-Malware
2009-04-22 18:50 . 2009-04-22 18:50 -------- d-----w c:\documents and settings\All Users\Application Data\Malwarebytes
2009-04-22 07:47 . 2009-04-22 07:47 -------- d-----w c:\documents and settings\All Users\Application Data\SUPERAntiSpyware.com
2009-04-22 07:47 . 2009-04-22 07:48 -------- d-----w c:\program files\SUPERAntiSpyware
2009-04-22 07:47 . 2009-04-22 07:47 -------- d-----w c:\documents and settings\Cory\Application Data\SUPERAntiSpyware.com
2009-04-22 07:35 . 2009-04-22 07:35 -------- d-----w c:\program files\CCleaner
2009-04-21 17:55 . 2009-04-21 17:55 -------- d-----w c:\program files\Trend Micro
2009-04-21 17:55 . 2009-04-21 17:55 -------- d-----w c:\program files\Alwil Software
2009-04-21 17:27 . 2009-04-21 17:27 -------- d-----w c:\documents and settings\Cory\Application Data\Uniblue
2009-04-21 17:27 . 2009-04-21 20:58 -------- dc-h--w c:\documents and settings\All Users\Application Data\~0
2009-04-15 05:02 . 2009-03-06 14:22 284160 ------w c:\windows\system32\dllcache\pdh.dll
2009-04-15 05:02 . 2009-02-09 12:10 401408 ------w c:\windows\system32\dllcache\rpcss.dll
2009-04-15 05:02 . 2009-02-06 10:39 35328 ------w c:\windows\system32\dllcache\sc.exe
2009-04-15 05:02 . 2009-02-09 12:10 729088 ------w c:\windows\system32\dllcache\lsasrv.dll
2009-04-15 05:02 . 2009-02-09 12:10 617472 ------w c:\windows\system32\dllcache\advapi32.dll
2009-04-15 05:02 . 2009-02-09 12:10 473600 ------w c:\windows\system32\dllcache\fastprox.dll
2009-04-15 05:02 . 2009-02-09 12:10 453120 ------w c:\windows\system32\dllcache\wmiprvsd.dll
2009-04-15 05:02 . 2009-02-06 11:11 110592 ------w c:\windows\system32\dllcache\services.exe
2009-04-15 05:02 . 2009-02-06 10:10 227840 ------w c:\windows\system32\dllcache\wmiprvse.exe
2009-04-15 05:02 . 2009-02-09 12:10 714752 ------w c:\windows\system32\dllcache\ntdll.dll
2009-04-15 05:01 . 2009-03-27 06:58 1203922 ------w c:\windows\system32\dllcache\sysmain.sdb
2009-04-15 05:01 . 2008-05-03 11:55 2560 ------w c:\windows\system32\xpsp4res.dll
2009-04-15 05:01 . 2008-04-21 12:08 215552 ------w c:\windows\system32\dllcache\wordpad.exe
2009-04-02 16:43 . 2009-04-02 16:43 -------- d-----w c:\windows\system32\scripting
2009-04-02 16:43 . 2009-04-02 16:43 -------- d-----w c:\windows\l2schemas
2009-04-02 16:43 . 2009-04-02 16:43 -------- d-----w c:\windows\system32\en
2009-04-02 16:43 . 2009-04-02 16:43 -------- d-----w c:\windows\system32\bits
2009-04-02 16:40 . 2009-04-02 16:40 -------- d-----w c:\windows\ServicePackFiles
2009-04-02 16:34 . 2009-04-02 16:34 -------- d-----w c:\windows\EHome
2009-04-02 16:20 . 2009-02-20 18:09 52224 ------w c:\windows\system32\dllcache\msfeedsbs.dll
2009-04-02 16:20 . 2009-02-20 18:09 459264 ------w c:\windows\system32\dllcache\msfeeds.dll
2009-04-02 16:20 . 2009-02-20 18:09 268288 ------w c:\windows\system32\dllcache\iertutil.dll
2009-04-02 16:20 . 2009-02-20 18:09 6066176 ------w c:\windows\system32\dllcache\ieframe.dll
2009-04-02 16:20 . 2009-02-20 10:20 13824 ------w c:\windows\system32\dllcache\ieudinit.exe
2009-04-02 16:20 . 2008-07-09 14:30 991232 ------w c:\windows\system32\dllcache\ieframe.dll.mui
2009-04-02 16:20 . 2009-02-20 18:09 63488 ------w c:\windows\system32\dllcache\icardie.dll
2009-04-02 16:20 . 2009-02-20 18:09 383488 ------w c:\windows\system32\dllcache\ieapfltr.dll
2009-04-02 16:20 . 2008-07-09 14:25 2455488 ------w c:\windows\system32\dllcache\ieapfltr.dat
2009-04-02 16:06 . 2009-04-02 16:06 -------- d-----w c:\program files\MSXML 4.0
2009-04-02 14:33 . 2004-08-04 03:41 1041536 ------w c:\windows\system32\drivers\hsfdpsp2.sys
2009-04-02 14:33 . 2004-08-04 03:41 685056 ------w c:\windows\system32\drivers\hsfcxts2.sys
2009-04-02 14:33 . 2004-08-04 03:41 220032 ------w c:\windows\system32\drivers\hsfbs2s2.sys
2009-04-02 14:33 . 2004-07-18 03:55 129045 ------w c:\windows\system32\drivers\cxthsfs2.cty
2009-04-02 14:21 . 2008-06-13 11:05 272128 ------w c:\windows\system32\drivers\bthport.sys
2009-04-02 14:20 . 2009-02-06 11:08 2189056 ------w c:\windows\system32\dllcache\ntoskrnl.exe
2009-04-02 14:20 . 2009-02-06 11:06 2145280 ------w c:\windows\system32\dllcache\ntkrnlmp.exe
2009-04-02 14:20 . 2009-02-08 00:02 2066048 ------w c:\windows\system32\dllcache\ntkrnlpa.exe
2009-04-02 14:20 . 2009-02-06 10:32 2023936 ------w c:\windows\system32\dllcache\ntkrpamp.exe
2009-04-02 14:20 . 2009-02-20 18:09 3595264 ------w c:\windows\system32\dllcache\mshtml.dll
2009-04-02 14:19 . 2008-05-08 14:02 203136 ------w c:\windows\system32\dllcache\rmcast.sys
2009-04-02 14:19 . 2008-10-24 11:21 455296 ------w c:\windows\system32\dllcache\mrxsmb.sys
2009-04-02 14:18 . 2008-12-11 10:57 333952 ------w c:\windows\system32\dllcache\srv.sys
2009-04-02 14:18 . 2008-05-01 14:33 331776 ------w c:\windows\system32\dllcache\msadce.dll
2009-04-02 14:18 . 2008-04-11 19:04 691712 ------w c:\windows\system32\dllcache\inetcomm.dll
2009-04-02 14:18 . 2008-10-03 10:02 247326 ------w c:\windows\system32\dllcache\strmdll.dll
2009-04-02 14:18 . 2008-10-15 16:34 337408 ------w c:\windows\system32\dllcache\netapi32.dll
2009-04-02 14:18 . 2008-09-04 17:15 1106944 ------w c:\windows\system32\dllcache\msxml3.dll
2009-04-02 14:17 . 2008-07-09 07:38 26488 ----a-w c:\windows\system32\spupdsvc.exe
2009-04-01 04:14 . 2009-04-01 04:17 -------- d-----w c:\program files\Windows Live Safety Center

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report )))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-04-22 20:44 . 2005-08-17 06:14 -------- d-----w c:\program files\Java
2009-04-22 12:28 . 2009-01-22 12:28 46592 --sha-w c:\windows\system32\siyizene.exe
2009-04-22 12:10 . 2009-01-22 12:10 46592 --sha-w c:\windows\system32\kulokuha.exe
2009-04-22 11:45 . 2009-01-22 11:45 46592 --sha-w c:\windows\system32\hubejija.exe
2009-04-22 11:22 . 2009-01-22 11:22 47104 --sha-w c:\windows\system32\rawonalo.exe
2009-04-22 07:46 . 2006-06-22 00:33 -------- d-----w c:\program files\Common Files\Wise Installation Wizard
2009-04-22 02:09 . 2006-06-08 00:23 -------- d-----w c:\documents and settings\Cory\Application Data\uTorrent
2009-04-21 23:04 . 2009-01-21 23:04 47616 --sha-w c:\windows\system32\bivayuye.exe
2009-04-21 20:59 . 2008-03-06 16:58 -------- d-----w c:\program files\Phun
2009-04-21 20:58 . 2006-06-14 00:55 -------- d-----w c:\program files\Sophos
2009-04-21 11:08 . 2008-02-01 07:03 -------- d-----w c:\program files\Full Tilt Poker
2009-04-21 11:04 . 2009-01-21 11:04 47104 --sha-w c:\windows\system32\logalaja.exe
2009-04-21 07:37 . 2005-08-19 21:33 47768 ----a-w c:\documents and settings\Cory\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2009-04-02 16:45 . 2004-08-10 18:03 77859 ----a-w c:\windows\pchealth\helpctr\OfflineCache\index.dat
2009-04-02 16:37 . 2004-08-10 17:51 250048 --sha-r C:\ntldr
2009-03-21 14:06 . 2009-03-21 14:06 989696 ------w c:\windows\system32\dllcache\kernel32.dll
2009-03-20 23:54 . 2006-06-22 00:34 0 ----a-w C:\CreateMarkers.log
2009-03-08 17:35 . 2009-03-08 17:34 -------- d-----w c:\program files\Incomplete
2009-03-08 17:34 . 2007-01-03 05:51 -------- d-----w c:\program files\LimeWire
2009-03-06 14:22 . 2004-08-10 17:51 284160 ----a-w c:\windows\system32\pdh.dll
2009-03-05 01:35 . 2005-08-31 03:03 -------- d-----w c:\program files\Opera
2009-03-03 00:18 . 2009-04-02 14:21 826368 ------w c:\windows\system32\dllcache\wininet.dll
2009-03-03 00:18 . 2004-08-10 17:51 826368 ----a-w c:\windows\system32\wininet.dll
2009-02-28 04:54 . 2007-08-13 23:43 636072 ------w c:\windows\system32\dllcache\iexplore.exe
2009-02-20 10:20 . 2007-08-13 23:39 70656 ------w c:\windows\system32\dllcache\ie4uinit.exe
2009-02-20 05:14 . 2007-08-13 22:56 161792 ------w c:\windows\system32\dllcache\ieakui.dll
2009-02-09 12:10 . 2004-08-10 17:51 729088 ----a-w c:\windows\system32\lsasrv.dll
2009-02-09 12:10 . 2004-08-10 17:51 401408 ----a-w c:\windows\system32\rpcss.dll
2009-02-09 12:10 . 2004-08-10 17:51 714752 ----a-w c:\windows\system32\ntdll.dll
2009-02-09 12:10 . 2004-08-10 17:50 617472 ----a-w c:\windows\system32\advapi32.dll
2009-02-09 11:13 . 2009-02-09 11:13 1846784 ------w c:\windows\system32\dllcache\win32k.sys
2009-02-09 11:13 . 2004-08-10 17:51 1846784 ----a-w c:\windows\system32\win32k.sys
2009-02-06 11:11 . 2004-08-10 17:51 110592 ----a-w c:\windows\system32\services.exe
2009-02-06 11:06 . 2004-08-10 17:51 2145280 ----a-w c:\windows\system32\ntoskrnl.exe
2009-02-06 10:39 . 2004-08-10 17:51 35328 ----a-w c:\windows\system32\sc.exe
2009-02-06 10:32 . 2004-08-04 03:59 2023936 ----a-w c:\windows\system32\ntkrnlpa.exe
2009-02-03 19:59 . 2009-02-03 19:59 56832 ------w c:\windows\system32\dllcache\secur32.dll
2009-02-03 19:59 . 2004-08-10 17:51 56832 ----a-w c:\windows\system32\secur32.dll
2006-02-06 23:10 . 2006-02-06 23:10 127 ----a-w c:\documents and settings\Cory\Local Settings\Application Data\fusioncache.dat
2009-01-21 10:58 . 2009-01-21 10:58 50688 --sha-w c:\windows\system32\bemadoko.dll.tmp
2006-03-31 23:19 . 2006-03-24 17:42 56 --sh--r c:\windows\system32\E3C3EC6C26.sys
2006-03-31 23:19 . 2006-03-24 17:42 1682 --sha-w c:\windows\system32\KGyGaAvL.sys
2009-01-21 10:58 . 2009-01-21 10:58 50688 --sha-w c:\windows\system32\soluvubu.dll.tmp
2009-01-21 10:58 . 2009-01-21 10:58 50688 --sha-w c:\windows\system32\yawususi.dll.tmp
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"AIM"="c:\program files\AIM\aim.exe" [2005-08-05 67160]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-14 15360]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2009-04-22 148888]
"IAAnotif"="c:\program files\Intel\Intel Matrix Storage Manager\iaanotif.exe" [2005-04-25 139264]
"ATIPTA"="c:\program files\ATI Technologies\ATI Control Panel\atiptaxx.exe" [2005-04-15 344064]
"dla"="c:\windows\system32\dla\tfswctrl.exe" [2004-12-06 127035]
"MCAgentExe"="c:\progra~1\mcafee.com\agent\mcagent.exe" [2005-09-22 303104]
"MCUpdateExe"="c:\progra~1\mcafee.com\agent\mcupdate.exe" [2006-01-11 212992]
"MPFExe"="c:\progra~1\McAfee.com\PERSON~1\MpfTray.exe" [2005-11-11 1005096]
"avast!"="c:\progra~1\ALWILS~1\Avast4\ashDisp.exe" [2009-02-05 81000]
"SigmatelSysTrayApp"="stsystra.exe" - c:\windows\stsystra.exe [2005-03-23 339968]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce]
"RunNarrator"="Narrator.exe" - c:\windows\system32\narrator.exe [2008-04-14 53760]

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "c:\program files\SUPERAntiSpyware\SASSEH.DLL" [2008-05-13 77824]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
2008-12-22 17:05 356352 ----a-w c:\program files\SUPERAntiSpyware\SASWINLO.dll

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^dlbcserv.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\dlbcserv.lnk
backup=c:\windows\pss\dlbcserv.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\NovaLogic\\Joint Operations Typhoon Rising\\Jointops.exe"=
"c:\\Program Files\\Java\\j2re1.4.2_03\\bin\\javaw.exe"=
"c:\\Program Files\\AIM\\aim.exe"=
"c:\\Documents and Settings\\Cory\\Desktop\\Torrents\\utorrent.exe"=
"c:\\Program Files\\LimeWire\\LimeWire.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=

R3 SASENUM;SASENUM;c:\program files\SUPERAntiSpyware\SASENUM.SYS [2009-03-23 7408]
S1 aswSP;avast! Self Protection; [x]
S1 SASDIFSV;SASDIFSV;c:\program files\SUPERAntiSpyware\SASDIFSV.SYS [2009-03-23 9968]
S1 SASKUTIL;SASKUTIL;c:\program files\SUPERAntiSpyware\SASKUTIL.sys [2009-03-23 72944]
S2 aswFsBlk;aswFsBlk;c:\windows\system32\DRIVERS\aswFsBlk.sys [2009-02-05 20560]

.
Contents of the 'Scheduled Tasks' folder

2006-02-21 c:\windows\Tasks\Disk Cleanup.job
- c:\windows\system32\cleanmgr.exe [2004-08-10 00:12]
.
.
------- Supplementary Scan -------
.
uInternet Connection Wizard,ShellNext = iexplore
uInternet Settings,ProxyOverride = *.local
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~4\OFFICE11\EXCEL.EXE/3000
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-04-23 12:03
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{EC43E3FD-5C60-46a6-97D7-E0B85DBDD6C4}\InprocServer32]
@DACL=(02 0000)
@="c:\\windows\\system32\\nezusena.dll"
"ThreadingModel"="Both"
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(652)
c:\program files\SUPERAntiSpyware\SASWINLO.dll

- - - - - - - > 'explorer.exe'(3700)
c:\windows\system32\mshtml.dll
c:\windows\IME\SPGRMR.DLL
c:\program files\Common Files\Microsoft Shared\INK\SKCHUI.DLL
.
------------------------ Other Running Processes ------------------------
.
c:\windows\system32\ati2evxx.exe
c:\program files\Alwil Software\Avast4\aswUpdSv.exe
c:\program files\Alwil Software\Avast4\ashServ.exe
c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
c:\program files\Bonjour\mDNSResponder.exe
c:\program files\Intel\Intel Matrix Storage Manager\IAANTMon.exe
c:\program files\Java\jre6\bin\jqs.exe
c:\program files\McAfee.com\Agent\Mcdetect.exe
c:\progra~1\McAfee.com\Agent\McTskshd.exe
c:\program files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
c:\progra~1\McAfee.com\PERSON~1\MpfService.exe
c:\windows\system32\HPZipm12.exe
c:\windows\system32\wdfmgr.exe
c:\progra~1\McAfee.com\PERSON~1\MpfAgent.exe
c:\windows\system32\wscntfy.exe
.
**************************************************************************
.
Completion time: 2009-04-23 12:10 - machine was rebooted
ComboFix-quarantined-files.txt 2009-04-23 17:10

Pre-Run: 60,008,562,688 bytes free
Post-Run: 59,933,204,480 bytes free

239 --- E O F --- 2009-04-15 19:03
  #4  
Old 23rd Apr 2009, 10:31
Moderator Group
 
As long as you only have 1 antivirus and 1 firewall then you are OK.

Delete these files/folders, as follows:

1. Go to Start > Run > type Notepad.exe and click OK to open Notepad.
It must be Notepad, not Wordpad.
2. Copy the text in the below code box by highlighting all the text and pressing Ctrl+C

Code:
KillAll::

RegLockDel::
[-HKEY_LOCAL_MACHINE\software\Classes\CLSID\{EC43E3FD-5C60-46a6-97D7-E0B85DBDD6C4}]
3. Go to the Notepad window and click Edit > Paste
4. Then click File > Save
5. Name the file CFScript.txt - Save the file to your Desktop
6. Then drag the CFScript (hold the left mouse button while dragging the file) and drop it (release the left mouse button) into ComboFix.exe as you see in the screenshot below. Important: Perform this instruction carefully!



ComboFix will begin to execute, just follow the prompts.
After reboot (in case it asks to reboot), it will produce a log for you.
Post that log (Combofix.txt) in your next reply.

Note: Do not mouse-click ComboFix's window while it is running. That may cause your system to freeze.
__________________
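The RegLockDel directive in the script above targets the key that ComboFix listed under LOCKED REGISTRY KEYS in the log posted earlier in this thread (a CLSID whose InprocServer32 default value points at c:\windows\system32\nezusena.dll). The script below is an added example, not part of this post and not ComboFix's own code: it parses that section of a ComboFix log, checks whether the referenced DLL follows the eight-lowercase-letter naming pattern that every Vundo component in this thread's scan logs shares (a heuristic, not a ComboFix rule), and emits the matching CFScript. The sample log text is constructed from the log above; the CFScript directive names (KillAll::, RegLockDel::) are those the moderator used.

```python
"""Build a ComboFix CFScript from the LOCKED REGISTRY KEYS section of a log.

Added example for this thread, not ComboFix's own code. Assumes the CFScript
directives used in the post (KillAll::, RegLockDel::) and the log layout
shown in the first ComboFix log in this thread.
"""
import re

# Constructed from the LOCKED REGISTRY KEYS section of the first ComboFix log.
SAMPLE_LOG = r"""
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{EC43E3FD-5C60-46a6-97D7-E0B85DBDD6C4}\InprocServer32]
@DACL=(02 0000)
@="c:\\windows\\system32\\nezusena.dll"
"ThreadingModel"="Both"
.
--------------------- DLLs Loaded Under Running Processes ---------------------
"""

# Naming pattern shared by the Vundo components in this thread's scan logs:
# eight lower-case letters plus .dll or .exe (lehebofi.dll, nezusena.dll, ...).
RANDOM_NAME = re.compile(r"^[a-z]{8}\.(?:dll|exe)$")

SECTION = re.compile(r"-+ LOCKED REGISTRY KEYS -+\n(.*?)(?:\n-{5,}|\Z)", re.S)
KEY_LINE = re.compile(r"^\[(?P<key>[^\]]+)\]$")
# '@DACL' is ComboFix's marker for the restrictive DACL it found on the key,
# '@' is the default value, anything else is a named REGEDIT4 value.
VALUE_LINE = re.compile(r'^(?P<name>@DACL|@|"[^"]+")=(?P<value>.*)$')


def parse_locked_keys(log_text):
    """Return [(key_path, {value_name: value})] for every locked key in the log."""
    section = SECTION.search(log_text)
    if not section:
        return []
    entries, current = [], None
    for line in section.group(1).splitlines():
        line = line.strip()
        key = KEY_LINE.match(line)
        if key:
            current = (key.group("key"), {})
            entries.append(current)
            continue
        value = VALUE_LINE.match(line)
        if value and current is not None:
            name = value.group("name").strip('"')
            # REGEDIT4 doubles backslashes inside quoted strings; undo that.
            raw = value.group("value").strip().strip('"').replace("\\\\", "\\")
            current[1][name] = raw
    return entries


def suspicious_clsid(key, values):
    """True for an InprocServer32 key whose default value names a random-named DLL."""
    if not key.lower().endswith("\\inprocserver32"):
        return False
    dll = values.get("@", "").rsplit("\\", 1)[-1].lower()
    return RANDOM_NAME.match(dll) is not None


def clsid_root(key):
    """Drop the trailing \\InprocServer32 so the whole CLSID key is deleted."""
    return key.rsplit("\\", 1)[0]


def build_cfscript(log_text):
    """KillAll:: stops running user processes first; RegLockDel:: removes the
    keys ComboFix reported as locked, which a plain RegDel would not touch."""
    targets = [clsid_root(k) for k, v in parse_locked_keys(log_text)
               if suspicious_clsid(k, v)]
    lines = ["KillAll::", ""]
    if targets:
        lines.append("RegLockDel::")
        lines.extend(f"[-{k}]" for k in targets)
    return "\n".join(lines) + "\n"


if __name__ == "__main__":
    print(build_cfscript(SAMPLE_LOG), end="")
</```

Run stand-alone it prints the same two directives the moderator wrote by hand. The name check is deliberately narrow: a locked InprocServer32 key that points at a recognisable system DLL is left alone, because removing the wrong CLSID breaks a shell extension rather than malware.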

  #5  
Old 24th Apr 2009, 14:36
New Member Group
 
Sorry for the delay. In the greatest example of Murphy's Law I've ever seen, my building's internet went down not 5 seconds after I completed your last direction...

I had a question about the Opera internet browser. It seems to handle a lot of plug-ins and file-types differently, especially in regards to Java and ActiveX. Is it any more or less secure than Firefox and IE?

Log:


ComboFix 09-04-23.A3 - Cory 04/23/2009 14:37.2 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.1022.626 [GMT -5:00]
Running from: c:\documents and settings\Cory\Desktop\ComboFix.exe
Command switches used :: c:\documents and settings\Cory\Desktop\CFscript.txt
AV: avast! antivirus 4.8.1335 [VPS 090423-0] *On-access scanning disabled* (Updated)
FW: McAfee Personal Firewall Plus *enabled*
* Created a new restore point
.

((((((((((((((((((((((((( Files Created from 2009-05-23 to 2009-4-23 )))))))))))))))))))))))))))))))
.

2009-04-22 20:44 . 2009-04-22 20:44 73728 ----a-w c:\windows\system32\javacpl.cpl
2009-04-22 20:44 . 2009-04-22 20:44 410984 ----a-w c:\windows\system32\deploytk.dll
2009-04-22 18:50 . 2009-04-22 18:50 -------- d-----w c:\documents and settings\Cory\Application Data\Malwarebytes
2009-04-22 18:50 . 2009-04-06 20:32 15504 ----a-w c:\windows\system32\drivers\mbam.sys
2009-04-22 18:50 . 2009-04-06 20:32 38496 ----a-w c:\windows\system32\drivers\mbamswissarmy.sys
2009-04-22 18:50 . 2009-04-22 18:50 -------- d-----w c:\program files\Malwarebytes' Anti-Malware
2009-04-22 18:50 . 2009-04-22 18:50 -------- d-----w c:\documents and settings\All Users\Application Data\Malwarebytes
2009-04-22 07:47 . 2009-04-22 07:47 -------- d-----w c:\documents and settings\All Users\Application Data\SUPERAntiSpyware.com
2009-04-22 07:47 . 2009-04-22 07:48 -------- d-----w c:\program files\SUPERAntiSpyware
2009-04-22 07:47 . 2009-04-22 07:47 -------- d-----w c:\documents and settings\Cory\Application Data\SUPERAntiSpyware.com
2009-04-22 07:35 . 2009-04-22 07:35 -------- d-----w c:\program files\CCleaner
2009-04-21 17:55 . 2009-04-21 17:55 -------- d-----w c:\program files\Trend Micro
2009-04-21 17:55 . 2009-04-21 17:55 -------- d-----w c:\program files\Alwil Software
2009-04-21 17:27 . 2009-04-21 17:27 -------- d-----w c:\documents and settings\Cory\Application Data\Uniblue
2009-04-21 17:27 . 2009-04-21 20:58 -------- dc-h--w c:\documents and settings\All Users\Application Data\~0
2009-04-15 05:02 . 2009-03-06 14:22 284160 ------w c:\windows\system32\dllcache\pdh.dll
2009-04-15 05:02 . 2009-02-09 12:10 401408 ------w c:\windows\system32\dllcache\rpcss.dll
2009-04-15 05:02 . 2009-02-06 10:39 35328 ------w c:\windows\system32\dllcache\sc.exe
2009-04-15 05:02 . 2009-02-09 12:10 729088 ------w c:\windows\system32\dllcache\lsasrv.dll
2009-04-15 05:02 . 2009-02-09 12:10 617472 ------w c:\windows\system32\dllcache\advapi32.dll
2009-04-15 05:02 . 2009-02-09 12:10 473600 ------w c:\windows\system32\dllcache\fastprox.dll
2009-04-15 05:02 . 2009-02-09 12:10 453120 ------w c:\windows\system32\dllcache\wmiprvsd.dll
2009-04-15 05:02 . 2009-02-06 11:11 110592 ------w c:\windows\system32\dllcache\services.exe
2009-04-15 05:02 . 2009-02-06 10:10 227840 ------w c:\windows\system32\dllcache\wmiprvse.exe
2009-04-15 05:02 . 2009-02-09 12:10 714752 ------w c:\windows\system32\dllcache\ntdll.dll
2009-04-15 05:01 . 2009-03-27 06:58 1203922 ------w c:\windows\system32\dllcache\sysmain.sdb
2009-04-15 05:01 . 2008-05-03 11:55 2560 ------w c:\windows\system32\xpsp4res.dll
2009-04-15 05:01 . 2008-04-21 12:08 215552 ------w c:\windows\system32\dllcache\wordpad.exe
2009-04-02 16:43 . 2009-04-02 16:43 -------- d-----w c:\windows\system32\scripting
2009-04-02 16:43 . 2009-04-02 16:43 -------- d-----w c:\windows\l2schemas
2009-04-02 16:43 . 2009-04-02 16:43 -------- d-----w c:\windows\system32\en
2009-04-02 16:43 . 2009-04-02 16:43 -------- d-----w c:\windows\system32\bits
2009-04-02 16:40 . 2009-04-02 16:40 -------- d-----w c:\windows\ServicePackFiles
2009-04-02 16:34 . 2009-04-02 16:34 -------- d-----w c:\windows\EHome
2009-04-02 16:20 . 2009-02-20 18:09 52224 ------w c:\windows\system32\dllcache\msfeedsbs.dll
2009-04-02 16:20 . 2009-02-20 18:09 459264 ------w c:\windows\system32\dllcache\msfeeds.dll
2009-04-02 16:20 . 2009-02-20 18:09 268288 ------w c:\windows\system32\dllcache\iertutil.dll
2009-04-02 16:20 . 2009-02-20 18:09 6066176 ------w c:\windows\system32\dllcache\ieframe.dll
2009-04-02 16:20 . 2009-02-20 10:20 13824 ------w c:\windows\system32\dllcache\ieudinit.exe
2009-04-02 16:20 . 2008-07-09 14:30 991232 ------w c:\windows\system32\dllcache\ieframe.dll.mui
2009-04-02 16:20 . 2009-02-20 18:09 63488 ------w c:\windows\system32\dllcache\icardie.dll
2009-04-02 16:20 . 2009-02-20 18:09 383488 ------w c:\windows\system32\dllcache\ieapfltr.dll
2009-04-02 16:20 . 2008-07-09 14:25 2455488 ------w c:\windows\system32\dllcache\ieapfltr.dat
2009-04-02 16:06 . 2009-04-02 16:06 -------- d-----w c:\program files\MSXML 4.0
2009-04-02 14:33 . 2004-08-04 03:41 1041536 ------w c:\windows\system32\drivers\hsfdpsp2.sys
2009-04-02 14:33 . 2004-08-04 03:41 685056 ------w c:\windows\system32\drivers\hsfcxts2.sys
2009-04-02 14:33 . 2004-08-04 03:41 220032 ------w c:\windows\system32\drivers\hsfbs2s2.sys
2009-04-02 14:33 . 2004-07-18 03:55 129045 ------w c:\windows\system32\drivers\cxthsfs2.cty
2009-04-02 14:21 . 2008-06-13 11:05 272128 ------w c:\windows\system32\drivers\bthport.sys
2009-04-02 14:20 . 2009-02-06 11:08 2189056 ------w c:\windows\system32\dllcache\ntoskrnl.exe
2009-04-02 14:20 . 2009-02-06 11:06 2145280 ------w c:\windows\system32\dllcache\ntkrnlmp.exe
2009-04-02 14:20 . 2009-02-08 00:02 2066048 ------w c:\windows\system32\dllcache\ntkrnlpa.exe
2009-04-02 14:20 . 2009-02-06 10:32 2023936 ------w c:\windows\system32\dllcache\ntkrpamp.exe
2009-04-02 14:20 . 2009-02-20 18:09 3595264 ------w c:\windows\system32\dllcache\mshtml.dll
2009-04-02 14:19 . 2008-05-08 14:02 203136 ------w c:\windows\system32\dllcache\rmcast.sys
2009-04-02 14:19 . 2008-10-24 11:21 455296 ------w c:\windows\system32\dllcache\mrxsmb.sys
2009-04-02 14:18 . 2008-12-11 10:57 333952 ------w c:\windows\system32\dllcache\srv.sys
2009-04-02 14:18 . 2008-05-01 14:33 331776 ------w c:\windows\system32\dllcache\msadce.dll
2009-04-02 14:18 . 2008-04-11 19:04 691712 ------w c:\windows\system32\dllcache\inetcomm.dll
2009-04-02 14:18 . 2008-10-03 10:02 247326 ------w c:\windows\system32\dllcache\strmdll.dll
2009-04-02 14:18 . 2008-10-15 16:34 337408 ------w c:\windows\system32\dllcache\netapi32.dll
2009-04-02 14:18 . 2008-09-04 17:15 1106944 ------w c:\windows\system32\dllcache\msxml3.dll
2009-04-02 14:17 . 2008-07-09 07:38 26488 ----a-w c:\windows\system32\spupdsvc.exe
2009-04-01 04:14 . 2009-04-01 04:17 -------- d-----w c:\program files\Windows Live Safety Center

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-04-22 20:44 . 2005-08-17 06:14 -------- d-----w c:\program files\Java
2009-04-22 12:28 . 2009-01-22 12:28 46592 --sha-w c:\windows\system32\siyizene.exe
2009-04-22 12:10 . 2009-01-22 12:10 46592 --sha-w c:\windows\system32\kulokuha.exe
2009-04-22 11:45 . 2009-01-22 11:45 46592 --sha-w c:\windows\system32\hubejija.exe
2009-04-22 11:22 . 2009-01-22 11:22 47104 --sha-w c:\windows\system32\rawonalo.exe
2009-04-22 07:46 . 2006-06-22 00:33 -------- d-----w c:\program files\Common Files\Wise Installation Wizard
2009-04-22 02:09 . 2006-06-08 00:23 -------- d-----w c:\documents and settings\Cory\Application Data\uTorrent
2009-04-21 23:04 . 2009-01-21 23:04 47616 --sha-w c:\windows\system32\bivayuye.exe
2009-04-21 20:59 . 2008-03-06 16:58 -------- d-----w c:\program files\Phun
2009-04-21 20:58 . 2006-06-14 00:55 -------- d-----w c:\program files\Sophos
2009-04-21 11:08 . 2008-02-01 07:03 -------- d-----w c:\program files\Full Tilt Poker
2009-04-21 11:04 . 2009-01-21 11:04 47104 --sha-w c:\windows\system32\logalaja.exe
2009-04-21 07:37 . 2005-08-19 21:33 47768 ----a-w c:\documents and settings\Cory\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2009-04-02 16:45 . 2004-08-10 18:03 77859 ----a-w c:\windows\pchealth\helpctr\OfflineCache\index.dat
2009-04-02 16:37 . 2004-08-10 17:51 250048 --sha-r C:\ntldr
2009-03-21 14:06 . 2009-03-21 14:06 989696 ------w c:\windows\system32\dllcache\kernel32.dll
2009-03-20 23:54 . 2006-06-22 00:34 0 ----a-w C:\CreateMarkers.log
2009-03-08 17:35 . 2009-03-08 17:34 -------- d-----w c:\program files\Incomplete
2009-03-08 17:34 . 2007-01-03 05:51 -------- d-----w c:\program files\LimeWire
2009-03-06 14:22 . 2004-08-10 17:51 284160 ----a-w c:\windows\system32\pdh.dll
2009-03-05 01:35 . 2005-08-31 03:03 -------- d-----w c:\program files\Opera
2009-03-03 00:18 . 2009-04-02 14:21 826368 ------w c:\windows\system32\dllcache\wininet.dll
2009-03-03 00:18 . 2004-08-10 17:51 826368 ----a-w c:\windows\system32\wininet.dll
2009-02-28 04:54 . 2007-08-13 23:43 636072 ------w c:\windows\system32\dllcache\iexplore.exe
2009-02-20 10:20 . 2007-08-13 23:39 70656 ------w c:\windows\system32\dllcache\ie4uinit.exe
2009-02-20 05:14 . 2007-08-13 22:56 161792 ------w c:\windows\system32\dllcache\ieakui.dll
2009-02-09 12:10 . 2004-08-10 17:51 729088 ----a-w c:\windows\system32\lsasrv.dll
2009-02-09 12:10 . 2004-08-10 17:51 401408 ----a-w c:\windows\system32\rpcss.dll
2009-02-09 12:10 . 2004-08-10 17:51 714752 ----a-w c:\windows\system32\ntdll.dll
2009-02-09 12:10 . 2004-08-10 17:50 617472 ----a-w c:\windows\system32\advapi32.dll
2009-02-09 11:13 . 2009-02-09 11:13 1846784 ------w c:\windows\system32\dllcache\win32k.sys
2009-02-09 11:13 . 2004-08-10 17:51 1846784 ----a-w c:\windows\system32\win32k.sys
2009-02-06 11:11 . 2004-08-10 17:51 110592 ----a-w c:\windows\system32\services.exe
2009-02-06 11:06 . 2004-08-10 17:51 2145280 ----a-w c:\windows\system32\ntoskrnl.exe
2009-02-06 10:39 . 2004-08-10 17:51 35328 ----a-w c:\windows\system32\sc.exe
2009-02-06 10:32 . 2004-08-04 03:59 2023936 ----a-w c:\windows\system32\ntkrnlpa.exe
2009-02-03 19:59 . 2009-02-03 19:59 56832 ------w c:\windows\system32\dllcache\secur32.dll
2009-02-03 19:59 . 2004-08-10 17:51 56832 ----a-w c:\windows\system32\secur32.dll
2006-02-06 23:10 . 2006-02-06 23:10 127 ----a-w c:\documents and settings\Cory\Local Settings\Application Data\fusioncache.dat
2009-01-21 10:58 . 2009-01-21 10:58 50688 --sha-w c:\windows\system32\bemadoko.dll.tmp
2006-03-31 23:19 . 2006-03-24 17:42 56 --sh--r c:\windows\system32\E3C3EC6C26.sys
2006-03-31 23:19 . 2006-03-24 17:42 1682 --sha-w c:\windows\system32\KGyGaAvL.sys
2009-01-21 10:58 . 2009-01-21 10:58 50688 --sha-w c:\windows\system32\soluvubu.dll.tmp
2009-01-21 10:58 . 2009-01-21 10:58 50688 --sha-w c:\windows\system32\yawususi.dll.tmp
.

((((((((((((((((((((((((((((( SnapShot@2009-04-23_17.03.35 )))))))))))))))))))))))))))))))))))))))))
.
+ 2009-04-23 19:44 . 2009-04-23 19:44 16384 c:\windows\Temp\Perflib_Perfdata_588.dat
+ 2009-04-23 19:44 . 2009-04-23 19:44 16384 c:\windows\Temp\Perflib_Perfdata_4ec.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"AIM"="c:\program files\AIM\aim.exe" [2005-08-05 67160]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-14 15360]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2009-04-22 148888]
"IAAnotif"="c:\program files\Intel\Intel Matrix Storage Manager\iaanotif.exe" [2005-04-25 139264]
"ATIPTA"="c:\program files\ATI Technologies\ATI Control Panel\atiptaxx.exe" [2005-04-15 344064]
"dla"="c:\windows\system32\dla\tfswctrl.exe" [2004-12-06 127035]
"MCAgentExe"="c:\progra~1\mcafee.com\agent\mcagent.exe" [2005-09-22 303104]
"MCUpdateExe"="c:\progra~1\mcafee.com\agent\mcupdate.exe" [2006-01-11 212992]
"MPFExe"="c:\progra~1\McAfee.com\PERSON~1\MpfTray.exe" [2005-11-11 1005096]
"avast!"="c:\progra~1\ALWILS~1\Avast4\ashDisp.exe" [2009-02-05 81000]
"SigmatelSysTrayApp"="stsystra.exe" - c:\windows\stsystra.exe [2005-03-23 339968]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce]
"RunNarrator"="Narrator.exe" - c:\windows\system32\narrator.exe [2008-04-14 53760]

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "c:\program files\SUPERAntiSpyware\SASSEH.DLL" [2008-05-13 77824]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
2008-12-22 17:05 356352 ----a-w c:\program files\SUPERAntiSpyware\SASWINLO.dll

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^dlbcserv.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\dlbcserv.lnk
backup=c:\windows\pss\dlbcserv.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\NovaLogic\\Joint Operations Typhoon Rising\\Jointops.exe"=
"c:\\Program Files\\Java\\j2re1.4.2_03\\bin\\javaw.exe"=
"c:\\Program Files\\AIM\\aim.exe"=
"c:\\Documents and Settings\\Cory\\Desktop\\Torrents\\utorrent.exe"=
"c:\\Program Files\\LimeWire\\LimeWire.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=

R3 SASENUM;SASENUM;c:\program files\SUPERAntiSpyware\SASENUM.SYS [2009-03-23 7408]
S1 aswSP;avast! Self Protection; [x]
S1 SASDIFSV;SASDIFSV;c:\program files\SUPERAntiSpyware\SASDIFSV.SYS [2009-03-23 9968]
S1 SASKUTIL;SASKUTIL;c:\program files\SUPERAntiSpyware\SASKUTIL.sys [2009-03-23 72944]
S2 aswFsBlk;aswFsBlk;c:\windows\system32\DRIVERS\aswFsBlk.sys [2009-02-05 20560]

.
Contents of the 'Scheduled Tasks' folder

2006-02-21 c:\windows\Tasks\Disk Cleanup.job
- c:\windows\system32\cleanmgr.exe [2004-08-10 00:12]
.
.
------- Supplementary Scan -------
.
uInternet Connection Wizard,ShellNext = iexplore
uInternet Settings,ProxyOverride = *.local
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~4\OFFICE11\EXCEL.EXE/3000
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-04-23 14:45
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(656)
c:\program files\SUPERAntiSpyware\SASWINLO.dll

- - - - - - - > 'explorer.exe'(2208)
c:\windows\system32\mshtml.dll
c:\windows\IME\SPGRMR.DLL
c:\program files\Common Files\Microsoft Shared\INK\SKCHUI.DLL
.
------------------------ Other Running Processes ------------------------
.
c:\windows\system32\ati2evxx.exe
c:\program files\Alwil Software\Avast4\aswUpdSv.exe
c:\program files\Alwil Software\Avast4\ashServ.exe
c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
c:\program files\Alwil Software\Avast4\Setup\avast.setup
c:\program files\Bonjour\mDNSResponder.exe
c:\program files\Intel\Intel Matrix Storage Manager\IAANTMon.exe
c:\program files\Java\jre6\bin\jqs.exe
c:\program files\McAfee.com\Agent\Mcdetect.exe
c:\progra~1\McAfee.com\Agent\McTskshd.exe
c:\program files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
c:\progra~1\McAfee.com\PERSON~1\MpfService.exe
c:\windows\system32\HPZipm12.exe
c:\windows\system32\wdfmgr.exe
c:\program files\Alwil Software\Avast4\ashMaiSv.exe
c:\program files\Alwil Software\Avast4\ashWebSv.exe
c:\progra~1\McAfee.com\PERSON~1\MpfAgent.exe
.
**************************************************************************
.
Completion time: 2009-04-23 14:51 - machine was rebooted
ComboFix-quarantined-files.txt 2009-04-23 19:51
ComboFix2.txt 2009-04-23 17:10

Pre-Run: 59,915,583,488 bytes free
Post-Run: 59,902,861,312 bytes free

231 --- E O F --- 2009-04-15 19:03
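The Find3M report in the log above still lists a cluster of 46 to 47 KB files in system32 with system+hidden attributes, eight-letter pseudo-random names, and creation stamps that sit exactly three months before their modification stamps at the same hour and minute. The script below is an added example, not from this thread and not ComboFix's code: it parses ComboFix listing lines and flags entries on those three signals. Two assumptions are made: the attribute-column layout (d=directory, c=compressed, s=system, h=hidden, a=archive, last column r/w) is inferred from the entries in these logs, and the backdated-creation rule is a pattern observed in this log, not a general ComboFix convention. The sample lines are constructed from the report above.

```python
"""Triage ComboFix file-listing lines (Files Created / Find3M) for Vundo-style droppings.

Added example, not ComboFix's own code. Assumptions: the attribute-column
layout (d=directory, c=compressed, s=system, h=hidden, a=archive, pos 6 r/w)
is inferred from this thread's logs, and the 'backdated creation time' rule
is a pattern seen in those logs (creation = modification shifted back by
whole months), not a general rule.
"""
import re
from dataclasses import dataclass
from datetime import datetime
from typing import Optional

FMT = "%Y-%m-%d %H:%M"

# Constructed from the Find3M Report in the second ComboFix log above.
SAMPLE_LINES = r"""
2009-04-22 20:44 . 2005-08-17 06:14 -------- d-----w c:\program files\Java
2009-04-22 12:28 . 2009-01-22 12:28 46592 --sha-w c:\windows\system32\siyizene.exe
2009-04-22 12:10 . 2009-01-22 12:10 46592 --sha-w c:\windows\system32\kulokuha.exe
2009-04-21 11:04 . 2009-01-21 11:04 47104 --sha-w c:\windows\system32\logalaja.exe
2009-04-02 16:37 . 2004-08-10 17:51 250048 --sha-r C:\ntldr
2009-02-09 12:10 . 2004-08-10 17:51 714752 ----a-w c:\windows\system32\ntdll.dll
2009-01-21 10:58 . 2009-01-21 10:58 50688 --sha-w c:\windows\system32\bemadoko.dll.tmp
2006-03-31 23:19 . 2006-03-24 17:42 1682 --sha-w c:\windows\system32\KGyGaAvL.sys
"""

LINE = re.compile(
    r"^(?P<mtime>\d{4}-\d\d-\d\d \d\d:\d\d) \. (?P<ctime>\d{4}-\d\d-\d\d \d\d:\d\d) "
    r"(?P<size>\d+|-+) (?P<attrs>[-a-z]{7}) (?P<path>.+)$"
)
# Eight lower-case letters, .exe/.dll, optionally the .tmp staging suffix seen in the log.
RANDOM_NAME = re.compile(r"^[a-z]{8}\.(?:dll|exe)(?:\.tmp)?$")


@dataclass
class Entry:
    mtime: datetime
    ctime: datetime
    size: Optional[int]   # None for directories ("--------" in the log)
    attrs: str
    path: str

    @property
    def is_dir(self):
        return self.attrs[0] == "d"

    @property
    def hidden_system(self):
        return self.attrs[2] == "s" and self.attrs[3] == "h"

    @property
    def name(self):
        return self.path.rsplit("\\", 1)[-1]

    @property
    def in_system32(self):
        return "\\system32\\" in self.path.lower()

    @property
    def backdated(self):
        """Creation earlier than modification but same day-of-month, hour and minute."""
        m, c = self.mtime, self.ctime
        return c < m and (m.day, m.hour, m.minute) == (c.day, c.hour, c.minute)


def parse_listing(text):
    """Parse ComboFix listing lines; lines in any other format are ignored."""
    entries = []
    for raw in text.splitlines():
        m = LINE.match(raw.strip())
        if not m:
            continue
        size = None if m.group("size").startswith("-") else int(m.group("size"))
        entries.append(Entry(datetime.strptime(m.group("mtime"), FMT),
                             datetime.strptime(m.group("ctime"), FMT),
                             size, m.group("attrs"), m.group("path")))
    return entries


def triage(entries):
    """Map path -> reasons for system32 files worth a hash lookup or quarantine."""
    findings = {}
    for e in entries:
        if e.is_dir or not e.in_system32:
            continue
        reasons = []
        if RANDOM_NAME.match(e.name):
            reasons.append("random 8-letter name")
        if e.hidden_system:
            reasons.append("hidden+system attributes")
        if e.backdated:
            reasons.append("creation time backdated")
        if reasons:
            findings[e.path] = reasons
    return findings


if __name__ == "__main__":
    for path, why in triage(parse_listing(SAMPLE_LINES)).items():
        print(f"{path}: {', '.join(why)}")
```

The output is a worklist, not a verdict: KGyGaAvL.sys is flagged only for its attributes and needs a hash check before anyone deletes it, while the three .exe files trip all three rules and match what Panda later names as Trj/Downloader.VTG for logalaja.exe.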
  #6  
Old 24th Apr 2009, 15:14
Moderator Group
 
Quote:
I had a question about the Opera internet browser. It seems to handle a lot of plug-ins and file-types differently, especially in regards to Java and ActiveX. Is it any more or less secure than Firefox and IE?
It's as safe as any browser, maybe a bit more than IE but it really comes down to what you do. Downloading and surfing wisely is always the best practice.

  • Click START then RUN
  • Now type Combofix /u in the runbox
  • Make sure there's a space between Combofix and /u
  • Then hit Enter.
The above procedure will:
  • Delete:
    • ComboFix and its associated files and folders.
    • VundoFix backups, if present
    • The C:\Deckard folder, if present
    • The C:\_OtMoveIt folder, if present
  • Reset the clock settings.
  • Hide file extensions, if required.
  • Hide System/Hidden files, if required.
  • Set a new, clean Restore Point.


----------

Scan with Panda ActiveScan 2.0

This scanner requires Internet Explorer

  • Once you are on the Panda site click the Scan your PC now button
  • A new window will open...click the Check Now button
  • Enter your Country
  • Enter your State/Province
  • Enter your e-mail address and click send
  • Select either Home User or Company
  • Select the appropriate Yes or No to receiving marketing information
  • Click the Free Online Scan button
  • If it wants to install an ActiveX component allow it
  • It will start downloading the files it requires for the scan (Note: It may take a couple of minutes)
  • When download is complete, click on My Computer to start the scan
  • When the scan completes, if anything malicious is detected, click the See Report button, then Save Report and save it to a convenient location.


Post the contents of the ActiveScan report in your next reply.
__________________

  #7  
Old 30th Apr 2009, 15:24
New Member Group
 
;****************************************************************************************************
ANALYSIS: 2009-04-30 13:36:07
PROTECTIONS: 1
MALWARE: 11
SUSPECTS: 0
;****************************************************************************************************
PROTECTIONS
Description Version Active Updated
;====================================================================================================
avast! antivirus 4.8.1335 [VPS 090429-0] 4.8.1335 No Yes
;====================================================================================================
MALWARE
Id Description Type Active Severity Disinfectable Disinfected Location
;====================================================================================================
00041558 exploit/mhtredir.gen HackTools No 0 Yes No HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{527196A4-B1A3-4647-931D-37BA5AF23037}
00047863 adware/ieplugin Adware No 0 Yes No HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{886DDE35-E585-11D0-A707-000000521958}
00139060 Cookie/Casalemedia TrackingCookie No 0 Yes No C:\Documents and Settings\Cory\Cookies\cory@casalemedia[2].txt
00167753 Cookie/Statcounter TrackingCookie No 0 Yes No C:\Documents and Settings\Cory\Cookies\cory@statcounter[2].txt
00168056 Cookie/YieldManager TrackingCookie No 0 Yes No C:\Documents and Settings\Cory\Cookies\cory@ad.yieldmanager[1].txt
00168076 Cookie/BurstNet TrackingCookie No 0 Yes No C:\Documents and Settings\Cory\Cookies\cory@burstnet[2].txt
00168090 Cookie/Serving-sys TrackingCookie No 0 Yes No C:\Documents and Settings\Cory\Cookies\cory@serving-sys[1].txt
00168093 Cookie/Serving-sys TrackingCookie No 0 Yes No C:\Documents and Settings\Cory\Cookies\cory@bs.serving-sys[1].txt
00170556 Cookie/RealMedia TrackingCookie No 0 Yes No C:\Documents and Settings\Cory\Cookies\cory@realmedia[1].txt
00172221 Cookie/Zedo TrackingCookie No 0 Yes No C:\Documents and Settings\Cory\Cookies\cory@zedo[2].txt
00800074 Trj/Downloader.VTG Virus/Trojan No 0 Yes No C:\WINDOWS\system32\logalaja.exe
;====================================================================================================
SUSPECTS
Sent Location c
;====================================================================================================
;====================================================================================================
VULNERABILITIES
Id Severity Description c
;====================================================================================================
;====================================================================================================

Some of these were taken care of by avast!.

Edit: Ran CCleaner and took care of all the cookies.
  #8  
Old 30th Apr 2009, 15:36
Moderator Group
 
Download the OTMoveIt3 by OldTimer

Note: If you are running on Vista, right-click on OTMoveIt3.exe and choose Run As Administrator.

* Save it to your Desktop.
* Double-click OTMoveIt3.exe to run it.
* Copy the lines in the codebox below to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose Copy)

Code:
:Processes
explorer.exe

:services

:reg
[-HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{527196A4-B1A3-4647-931D-37BA5AF23037}]

[-HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{886DDE35-E585-11D0-A707-000000521958}]

:files
C:\WINDOWS\system32\logalaja.exe

:Commands
[purity]
[emptytemp]
[start explorer]
[Reboot]
* Return to OTMoveIt3, right click in the "Paste Instructions for Items to be Moved" window (under the yellow bar) and choose Paste.
* Click the red Moveit! button.
* Copy everything in the Results window (under the green bar) to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose copy), and paste it in your next reply.
Close OTMoveIt3

Note: If a file or folder cannot be moved immediately you may be asked to reboot your computer in order to finish the move process. If asked to reboot, choose Yes. If not, reboot anyway.

----------

How is the computer running now?
__________________
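The OTMoveIt3 script above was written by hand from the Panda report in the previous post: the two HKCU Ext\Stats keys went under :reg, the downloader under :files, and the tracking cookies were left out because a cache cleaner already handles them. The script below is an added example, not Panda's or OldTimer's code and not part of this post: it parses the report rows, keeps only detections that still need action, routes registry locations and file paths to the right OTMoveIt3 sections, and emits the script in the layout used above. The sample report is constructed (abridged) from the one posted in this thread; the section names (:Processes, :services, :reg, :files, :Commands) are taken from the moderator's script.

```python
"""Turn a Panda ActiveScan report into an OTMoveIt3 cleanup script.

Added example, not Panda's or OldTimer's code. Assumes the report layout
posted in this thread and the OTMoveIt3 section names the moderator used.
"""
import re

# Constructed from the Panda ActiveScan report in this thread (cookies abridged).
SAMPLE_REPORT = r"""
MALWARE
Id Description Type Active Severity Disinfectable Disinfected Location
;========================================================================
00041558 exploit/mhtredir.gen HackTools No 0 Yes No HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{527196A4-B1A3-4647-931D-37BA5AF23037}
00047863 adware/ieplugin Adware No 0 Yes No HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{886DDE35-E585-11D0-A707-000000521958}
00139060 Cookie/Casalemedia TrackingCookie No 0 Yes No C:\Documents and Settings\Cory\Cookies\cory@casalemedia[2].txt
00172221 Cookie/Zedo TrackingCookie No 0 Yes No C:\Documents and Settings\Cory\Cookies\cory@zedo[2].txt
00800074 Trj/Downloader.VTG Virus/Trojan No 0 Yes No C:\WINDOWS\system32\logalaja.exe
;========================================================================
"""

# One detection row; only the last column (Location) may contain spaces.
ROW = re.compile(
    r"^(?P<id>\d{8}) (?P<desc>\S+) (?P<type>\S+) (?P<active>Yes|No) (?P<severity>\d+) "
    r"(?P<disinfectable>Yes|No) (?P<disinfected>Yes|No) (?P<location>.+)$"
)
HIVE_PREFIXES = ("HKEY_", "HKLM\\", "HKCU\\", "HKU\\")
# Tracking cookies are browser litter, not code; a cache cleaner handles them.
NOISE_TYPES = {"TrackingCookie"}


def parse_report(text):
    """Return one dict per detection row; headers and separators are skipped."""
    rows = []
    for raw in text.splitlines():
        m = ROW.match(raw.strip())
        if m:
            rows.append(m.groupdict())
    return rows


def is_registry(location):
    return location.upper().startswith(HIVE_PREFIXES)


def split_targets(rows):
    """Return (registry_keys, file_paths, skipped); cookies and rows Panda
    already disinfected are skipped rather than scripted."""
    keys, files, skipped = [], [], []
    for r in rows:
        if r["type"] in NOISE_TYPES or r["disinfected"] == "Yes":
            skipped.append(r)
        elif is_registry(r["location"]):
            keys.append(r["location"])
        else:
            files.append(r["location"])
    return keys, files, skipped


def build_otmoveit_script(rows):
    """Emit the script in the section order OTMoveIt3 expects."""
    keys, files, _ = split_targets(rows)
    out = [":Processes", "explorer.exe", "", ":services", "", ":reg"]
    for k in keys:
        out += [f"[-{k}]", ""]          # '[-key]' deletes the whole key
    out += [":files"] + files
    out += ["", ":Commands", "[purity]", "[emptytemp]", "[start explorer]", "[Reboot]"]
    return "\n".join(out) + "\n"


if __name__ == "__main__":
    rows = parse_report(SAMPLE_REPORT)
    print(build_otmoveit_script(rows), end="")
    for r in split_targets(rows)[2]:
        print(f"; skipped {r['type']}: {r['location']}")
```

Explorer is stopped under :Processes because the two Ext\Stats keys belong to browser add-ons that the shell may be holding open. Expect OTMoveIt3 to report a file as "not found" when another tool has already quarantined it, as happens later in this thread once avast! has moved logalaja.exe to its chest.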

  #9  
Old 30th Apr 2009, 20:40
New Member Group
 
The computer seems to be running fine, but here's the log:


========== PROCESSES ==========
Process explorer.exe killed successfully.
========== SERVICES/DRIVERS ==========
========== REGISTRY ==========
Registry key HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{527196A4-B1A3-4647-931D-37BA5AF23037}\\ deleted successfully.
Registry key HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{886DDE35-E585-11D0-A707-000000521958}\\ deleted successfully.
========== FILES ==========
File/Folder C:\WINDOWS\system32\logalaja.exe not found.
========== COMMANDS ==========
File delete failed. C:\DOCUME~1\Cory\LOCALS~1\Temp\etilqs_UkS9n0SImpTyJp7RnHK6 scheduled to be deleted on reboot.
File delete failed. C:\DOCUME~1\Cory\LOCALS~1\Temp\etilqs_UkS9n0SImpTyJp7RnHK6-journal scheduled to be deleted on reboot.
User's Temp folder emptied.
User's Internet Explorer cache folder emptied.
File delete failed. C:\Documents and Settings\Cory\Local Settings\Temporary Internet Files\Content.IE5\index.dat scheduled to be deleted on reboot.
User's Temporary Internet Files folder emptied.
Local Service Temp folder emptied.
File delete failed. C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\index.dat scheduled to be deleted on reboot.
Local Service Temporary Internet Files folder emptied.
Network Service Temp folder emptied.
File delete failed. C:\Documents and Settings\NetworkService\Local Settings\Temporary Internet Files\Content.IE5\index.dat scheduled to be deleted on reboot.
Network Service Temporary Internet Files folder emptied.
File delete failed. C:\WINDOWS\temp\_avast4_\Webshlock.txt scheduled to be deleted on reboot.
File delete failed. C:\WINDOWS\temp\Perflib_Perfdata_59c.dat scheduled to be deleted on reboot.
File delete failed. C:\WINDOWS\temp\Perflib_Perfdata_d8.dat scheduled to be deleted on reboot.
Windows Temp folder emptied.
Java cache emptied.
Temp folders emptied.
Explorer started successfully

OTMoveIt3 by OldTimer - Version 1.0.11.0 log created on 04302009_233148

Files moved on Reboot...
File C:\DOCUME~1\Cory\LOCALS~1\Temp\etilqs_UkS9n0SImpTyJp7RnHK6 not found!
File C:\DOCUME~1\Cory\LOCALS~1\Temp\etilqs_UkS9n0SImpTyJp7RnHK6-journal not found!
File C:\WINDOWS\temp\_avast4_\Webshlock.txt not found!
C:\WINDOWS\temp\Perflib_Perfdata_59c.dat moved successfully.
File C:\WINDOWS\temp\Perflib_Perfdata_d8.dat not found!



After I posted the last log for you, I ran both CCleaner and a virus scan on Avast!, which probably accounts for why most of the files have already been deleted. logalaja.exe is sitting in my security chest on Avast!, for example. I probably screwed everything up on your end in doing so, but I can run another Panda ActiveScan if it helps.
  #10  
Old 1st May 2009, 10:45
Moderator Group
 
Everything looks fine now.

I have one Free SUPERAntiSpyware Professional Edition Lifetime Key to give away.

If you are interested then visit my blog here: http://evilfantasy.wordpress.com/200...-pro-giveaway/

----------

1. Double click OTMoveIt3.exe to launch it.
Vista users right click and choose Run As Administrator
2. Click on the CleanUp! button.
3. OTMoveIt3 will download a list from the Internet, if your firewall or other defensive programs alerts you, allow it access.
4. Click YES at the next prompt (list downloaded, Do you want to begin cleanup process?)
  • When finished exit out of OTMoveIt3


----------

Use the Secunia Software Inspector to check for out of date software.
Out of date software has security vulnerabilities that malware can exploit.
  • Click Start Now
  • Check the box next to Enable thorough system inspection.
  • Click Start
  • Allow the scan to finish and scroll down to see if any updates are needed.
  • Update anything listed.


----------

Go to Microsoft Windows Update and get all critical updates.

----------

Make sure all of your security programs are up to date and run scans with them regularly.

I suggest using WOT - Web of Trust. WOT is a free Internet security addon for your browser. It will keep you safe from online scams, identity theft, spyware, spam, viruses and unreliable shopping sites. WOT warns you before you interact with a risky website. It's easy and it's free.

SpywareBlaster - Secure your Internet Explorer to make it harder for these ActiveX programs to run on your computer. Also stop certain cookies from being added to your computer when running Mozilla based browsers like Firefox.
* Using SpywareBlaster to protect your computer from Spyware and Malware
* If you don't know what ActiveX controls are, see here

Check out Keeping Yourself safe On The Web for tips and free tools to keep you safe in the future.

Also see Slow Computer? It May Not Be Malware for free cleaning/maintenance tools to help keep your computer running smooth.
__________________

Copyright ©2006 - 2009 Computer Juice.

Powered by vBulletin® Copyright ©2000 - 2009 Jelsoft Enterprises Ltd. SEO by vBSEO ©2009, Crawlability, Inc.