Possible Virus nightmare:
#31 - Donor VIP - 31st Oct 2008, 16:22
Should I try to get Spybot to work yet? I'm running MBAM now: 0 on the quick scan, 14 so far on the full scan, BTW.

EDIT 2: Just damn, I'm jealous of you. I can't wait 'til I start my training and can do what you do to help others.

#32 - Moderator - 31st Oct 2008, 16:25
I wouldn't worry about Spybot yet.

#33 - Donor VIP - 31st Oct 2008, 16:29
Do you need the null log from the MBAM quick scan? I'm about to do the RSIT (hope I remembered that correctly), and I don't want to post too much junk if you don't need the null log.
#34 - Moderator - 31st Oct 2008, 16:35
Just the log where problems were found will be fine.

#35 - Donor VIP - 31st Oct 2008, 16:38
I have the RSIT log first since I had it copied last (if that makes sense). I didn't see two options; I just copied everything it gave me.

RSIT:

Logfile of random's system information tool 1.04 (written by random/random)
Run by Linda at 2008-10-31 19:32:45
Microsoft Windows XP Professional Service Pack 3
System drive C: has 10 GB (52%) free of 19 GB
Total RAM: 382 MB (52% free)

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 7:32:50 PM, on 10/31/2008
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16735)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\WINDOWS\System32\hkcmd.exe
C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb07.exe
C:\WINDOWS\system32\hphmon04.exe
C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe
C:\Program Files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
C:\Program Files\Yahoo!\Messenger\ymsgr_tray.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Documents and Settings\Linda\Desktop\RSIT.exe
C:\Program Files\Trend Micro\HijackThis\Linda.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://us.rd.yahoo.com/customize/ie/...ch/search.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://us.rd.yahoo.com/customize/ie/.../www.yahoo.com
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - (no file)
R3 - URLSearchHook: (no name) - {0579B4B6-0293-4d73-B02D-5EBB0BA0F0A2} - C:\Program Files\AskSBar\SrchAstt\1.bin\A2SRCHAS.DLL
O2 - BHO: Ask Search Assistant BHO - {0579B4B1-0293-4d73-B02D-5EBB0BA0F0A2} - C:\Program Files\AskSBar\SrchAstt\1.bin\A2SRCHAS.DLL
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar2.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb07.exe
O4 - HKLM\..\Run: [HPHmon04] C:\WINDOWS\system32\hphmon04.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe"
O4 - HKLM\..\Run: [Adobe Photo Downloader] "C:\Program Files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe"
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [Yahoo! Pager] "C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe" -quiet
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O10 - Unknown file in Winsock LSP: c:\windows\system32\nwprovau.dll
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - C:\Program Files\Yahoo!\Common\yinsthelper.dll
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsu...?1135708934161
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Pml Driver HPH11 - HP - C:\WINDOWS\system32\HPHipm11.exe

--
End of file - 5744 bytes

======Scheduled tasks folder======

C:\WINDOWS\tasks\AppleSoftwareUpdate.job

======Registry dump======

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{0579B4B1-0293-4d73-B02D-5EBB0BA0F0A2}]
Ask Search Assistant BHO - C:\Program Files\AskSBar\SrchAstt\1.bin\A2SRCHAS.DLL [2008-01-02 66912]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{06849E9F-C8D7-4D59-B87D-784B7D6BE0B3}]
Adobe PDF Reader Link Helper - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll [2006-12-18 59032]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{761497BB-D6F0-462C-B6EB-D4DAF1D92D43}]
SSVHelper Class - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll [2008-06-10 509328]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{AA58ED58-01DD-4d91-8333-CF10577473F7}]
Google Toolbar Helper - c:\program files\google\googletoolbar2.dll [2008-06-23 2403392]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
{2318C2B1-4965-11d4-9B18-009027A5CD4F} - &Google - c:\program files\google\googletoolbar2.dll [2008-06-23 2403392]

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]
"IgfxTray"=C:\WINDOWS\System32\igfxtray.exe [2005-10-19 155648]
"HotKeysCmds"=C:\WINDOWS\System32\hkcmd.exe [2005-10-19 126976]
"HPDJ Taskbar Utility"=C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb07.exe [2006-01-06 188416]
"HPHmon04"=C:\WINDOWS\system32\hphmon04.exe [2006-01-06 348160]
"SunJavaUpdateSched"=C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe [2008-06-10 144784]
"Adobe Photo Downloader"=C:\Program Files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe [2005-06-06 57344]
"iTunesHelper"=C:\Program Files\iTunes\iTunesHelper.exe [2008-02-19 267048]

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"=C:\WINDOWS\system32\ctfmon.exe [2008-04-13 15360]
"MSMSGS"=C:\Program Files\Messenger\msmsgs.exe [2008-04-13 1695232]
"Yahoo! Pager"=C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe [2007-08-30 4670704]
"swg"=C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe [2008-06-27 68856]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup
Adobe Reader Speed Launch.lnk - C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
Microsoft Office.lnk - C:\Program Files\Microsoft Office\Office\OSA9.EXE

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\igfxcui]
C:\WINDOWS\system32\igfxsrvc.dll [2005-10-19 348160]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\WgaLogon]
C:\WINDOWS\system32\WgaLogon.dll [2008-09-05 241704]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad]
WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINDOWS\system32\WPDShServiceObj.dll [2006-10-18 133632]
UPnPMonitor - {e57ce738-33e8-4c51-8354-bb4de9d215d1} - C:\WINDOWS\system32\upnpui.dll [2008-04-13 239616]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\svcWRSSSDK]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\network\nm]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\network\nm.sys]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\network\svcWRSSSDK]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\network\UploadMgr]

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System]
"dontdisplaylastusername"=0
"legalnoticecaption"=
"legalnoticetext"=
"shutdownwithoutlogon"=1
"undockwithoutlogon"=1

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\explorer]
"NoDrives"=0

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\explorer]
"NoDriveTypeAutoRun"=
"NoDrives"=
"NoDriveAutoRun"=

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\standardprofile\authorizedapplications\list]
"%windir%\system32\sessmgr.exe"="%windir%\system32\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"%windir%\Network Diagnostic\xpnetdiag.exe"="%windir%\Network Diagnostic\xpnetdiag.exe:*:Enabled:@xpsp3res.dll,-20000"
"C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe"="C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe:*:Enabled:Yahoo! Messenger"
"C:\Program Files\Yahoo!\Messenger\YServer.exe"="C:\Program Files\Yahoo!\Messenger\YServer.exe:*:Enabled:Yahoo! FT Server"
"C:\Program Files\iTunes\iTunes.exe"="C:\Program Files\iTunes\iTunes.exe:*:Enabled:iTunes"
"C:\Program Files\Bonjour\mDNSResponder.exe"="C:\Program Files\Bonjour\mDNSResponder.exe:*:Disabled:Bonjour"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\domainprofile\authorizedapplications\list]
"%windir%\system32\sessmgr.exe"="%windir%\system32\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"%windir%\Network Diagnostic\xpnetdiag.exe"="%windir%\Network Diagnostic\xpnetdiag.exe:*:Enabled:@xpsp3res.dll,-20000"

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\E]
shell\AutoRun\command - E:\LaunchU3.exe -a


======List of files/folders created in the last 1 months======

2008-10-31 19:32:45 ----D---- C:\rsit
2008-10-31 18:53:50 ----D---- C:\Documents and Settings\Linda\Application Data\Malwarebytes
2008-10-31 18:53:44 ----D---- C:\Program Files\Malwarebytes' Anti-Malware
2008-10-31 18:53:44 ----D---- C:\Documents and Settings\All Users\Application Data\Malwarebytes
2008-10-31 14:12:17 ----SHD---- C:\RECYCLER
2008-10-31 13:57:27 ----D---- C:\WINDOWS\temp
2008-10-31 13:57:25 ----A---- C:\ComboFix.txt
2008-10-31 13:43:54 ----A---- C:\Boot.bak
2008-10-31 13:43:46 ----RASHD---- C:\cmdcons
2008-10-31 13:41:54 ----D---- C:\WINDOWS\ERDNT
2008-10-31 13:33:45 ----A---- C:\WINDOWS\system32\javaws.exe
2008-10-31 13:33:45 ----A---- C:\WINDOWS\system32\javaw.exe
2008-10-31 13:33:45 ----A---- C:\WINDOWS\system32\java.exe
2008-10-24 19:38:20 ----HDC---- C:\WINDOWS\$NtUninstallKB956803$
2008-10-24 19:38:13 ----HDC---- C:\WINDOWS\$NtUninstallKB956391$
2008-10-24 19:38:07 ----HDC---- C:\WINDOWS\$NtUninstallKB957095$
2008-10-24 19:37:27 ----HDC---- C:\WINDOWS\$NtUninstallKB951978$
2008-10-24 19:37:19 ----HDC---- C:\WINDOWS\$NtUninstallKB954211$
2008-10-24 19:37:10 ----HDC---- C:\WINDOWS\$NtUninstallKB956841$
2008-10-24 19:35:59 ----HDC---- C:\WINDOWS\$NtUninstallKB958644$
2008-10-24 19:20:10 ----D---- C:\WINDOWS\Prefetch
2008-10-24 16:48:16 ----HDC---- C:\WINDOWS\$NtUninstallKB952954$
2008-10-24 16:48:09 ----HDC---- C:\WINDOWS\$NtUninstallKB952287$
2008-10-24 16:48:02 ----HDC---- C:\WINDOWS\$NtUninstallKB951748$
2008-10-24 16:47:54 ----HDC---- C:\WINDOWS\$NtUninstallKB951698$
2008-10-24 16:47:47 ----HDC---- C:\WINDOWS\$NtUninstallKB951376-v2$
2008-10-24 16:47:40 ----HDC---- C:\WINDOWS\$NtUninstallKB951376$
2008-10-24 16:47:31 ----HDC---- C:\WINDOWS\$NtUninstallKB951066$
2008-10-24 16:47:24 ----HDC---- C:\WINDOWS\$NtUninstallKB950974$
2008-10-24 16:47:17 ----HDC---- C:\WINDOWS\$NtUninstallKB950762$
2008-10-24 16:47:08 ----HDC---- C:\WINDOWS\$NtUninstallKB946648$
2008-10-24 16:47:01 ----HDC---- C:\WINDOWS\$NtUninstallKB938464$
2008-10-24 16:30:32 ----HDC---- C:\WINDOWS\$NtServicePackUninstall$
2008-10-24 15:27:17 ----D---- C:\Documents and Settings\Linda\Application Data\Mozilla
2008-10-24 15:27:07 ----D---- C:\Program Files\Mozilla Firefox
2008-10-24 13:24:42 ----A---- C:\WINDOWS\system32\ksuser.dll
2008-10-24 13:24:32 ----D---- C:\Program Files\Analog Devices
2008-10-24 13:24:32 ----A---- C:\WINDOWS\system32\DSndUp.exe
2008-10-24 13:24:32 ----A---- C:\WINDOWS\system32\CleanUp.exe
2008-10-24 13:24:32 ----A---- C:\WINDOWS\system32\a3d.dll
2008-10-24 13:19:21 ----A---- C:\WINDOWS\system32\DellSys.dll
2008-10-24 13:19:09 ----D---- C:\Program Files\Dell
2008-10-24 12:47:49 ----D---- C:\WINDOWS\system32\NtmsData
2008-10-24 12:24:10 ----D---- C:\drvrtmp
2008-10-04 23:28:39 ----D---- C:\Program Files\Trend Micro

======List of files/folders modified in the last 1 months======

2008-10-31 19:27:04 ----A---- C:\WINDOWS\SchedLgU.Txt
2008-10-31 18:53:47 ----D---- C:\WINDOWS\system32\drivers
2008-10-31 18:53:44 ----RD---- C:\Program Files
2008-10-31 18:08:34 ----D---- C:\WINDOWS\system32\CatRoot2
2008-10-31 18:03:09 ----D---- C:\WINDOWS
2008-10-31 18:03:03 ----D---- C:\WINDOWS\system32
2008-10-31 18:02:57 ----SHD---- C:\System Volume Information
2008-10-31 18:02:57 ----D---- C:\WINDOWS\system32\Restore
2008-10-31 13:50:59 ----A---- C:\WINDOWS\system.ini
2008-10-31 13:49:50 ----D---- C:\WINDOWS\system32\config
2008-10-31 13:48:49 ----D---- C:\Program Files\Common Files
2008-10-31 13:48:48 ----D---- C:\WINDOWS\AppPatch
2008-10-31 13:43:54 ----RASH---- C:\boot.ini
2008-10-31 13:33:55 ----SHD---- C:\WINDOWS\Installer
2008-10-31 13:33:45 ----D---- C:\Program Files\Java
2008-10-31 13:26:11 ----HD---- C:\WINDOWS\inf
2008-10-24 19:38:22 ----RSHDC---- C:\WINDOWS\system32\dllcache
2008-10-24 19:38:19 ----HD---- C:\WINDOWS\$hf_mig$
2008-10-24 19:38:16 ----A---- C:\WINDOWS\imsins.BAK
2008-10-24 19:37:56 ----D---- C:\Program Files\Internet Explorer
2008-10-24 19:23:16 ----A---- C:\WINDOWS\system32\PerfStringBackup.INI
2008-10-24 19:22:00 ----A---- C:\WINDOWS\OEWABLog.txt
2008-10-24 16:49:42 ----D---- C:\WINDOWS\system32\Setup
2008-10-24 16:49:42 ----D---- C:\Program Files\Messenger
2008-10-24 16:49:41 ----RSD---- C:\WINDOWS\Fonts
2008-10-24 16:49:41 ----D---- C:\WINDOWS\system32\wbem
2008-10-24 16:48:18 ----D---- C:\WINDOWS\system32\CatRoot
2008-10-24 16:46:42 ----D---- C:\WINDOWS\security
2008-10-24 16:42:46 ----A---- C:\WINDOWS\setuplog.txt
2008-10-24 16:42:08 ----D---- C:\WINDOWS\WinSxS
2008-10-24 16:42:03 ----D---- C:\WINDOWS\ServicePackFiles
2008-10-24 16:41:51 ----D---- C:\WINDOWS\system32\inetsrv
2008-10-24 16:41:51 ----D---- C:\WINDOWS\network diagnostic
2008-10-24 16:41:51 ----D---- C:\WINDOWS\ime
2008-10-24 16:41:50 ----D---- C:\WINDOWS\Help
2008-10-24 16:41:37 ----D---- C:\WINDOWS\system32\usmt
2008-10-24 16:41:37 ----D---- C:\WINDOWS\system32\en-US
2008-10-24 16:41:36 ----D---- C:\WINDOWS\system32\scripting
2008-10-24 16:41:34 ----D---- C:\WINDOWS\l2schemas
2008-10-24 16:41:33 ----D---- C:\WINDOWS\system32\en
2008-10-24 16:41:32 ----D---- C:\WINDOWS\system32\bits
2008-10-24 16:41:32 ----D---- C:\WINDOWS\peernet
2008-10-24 16:41:32 ----D---- C:\Program Files\Movie Maker
2008-10-24 16:38:48 ----D---- C:\WINDOWS\system32\npp
2008-10-24 16:38:48 ----D---- C:\WINDOWS\mui
2008-10-24 16:38:48 ----D---- C:\WINDOWS\msagent
2008-10-24 16:38:47 ----D---- C:\WINDOWS\srchasst
2008-10-24 16:38:46 ----D---- C:\Program Files\NetMeeting
2008-10-24 16:38:45 ----D---- C:\WINDOWS\system32\Com
2008-10-24 16:38:43 ----D---- C:\Program Files\Windows Media Player
2008-10-24 16:38:42 ----D---- C:\Program Files\Windows NT
2008-10-24 16:38:42 ----D---- C:\Program Files\Outlook Express
2008-10-24 16:38:38 ----D---- C:\Program Files\Common Files\System
2008-10-24 16:38:22 ----D---- C:\WINDOWS\system32\oobe
2008-10-24 16:38:21 ----D---- C:\WINDOWS\system
2008-10-24 16:35:41 ----D---- C:\WINDOWS\system32\ReinstallBackups
2008-10-24 16:30:28 ----D---- C:\WINDOWS\EHome
2008-10-24 13:24:32 ----HD---- C:\Program Files\InstallShield Installation Information
2008-10-15 12:34:24 ----A---- C:\WINDOWS\system32\netapi32.dll
2008-10-07 15:19:40 ----A---- C:\WINDOWS\system32\MRT.exe
2008-10-04 22:24:45 ----D---- C:\Program Files\Bonjour
2008-10-04 22:22:29 ----D---- C:\temp
2008-10-04 15:35:19 ----SD---- C:\WINDOWS\Tasks
2008-10-03 13:41:15 ----A---- C:\WINDOWS\system32\ieframe.dll

======List of drivers (R=Running, S=Stopped, 0=Boot, 1=System, 2=Auto, 3=Demand, 4=Disabled)======

R1 intelppm;Intel Processor Driver; C:\WINDOWS\System32\DRIVERS\intelppm.sys [2008-04-13 36352]
R1 kbdhid;Keyboard HID Driver; C:\WINDOWS\system32\DRIVERS\kbdhid.sys [2008-04-13 14592]
R1 omci;OMCI WDM Device Driver; C:\WINDOWS\system32\DRIVERS\omci.sys [2002-10-15 17153]
R1 Tcpip6;Microsoft IPv6 Protocol Driver; C:\WINDOWS\system32\DRIVERS\tcpip6.sys [2008-06-20 225856]
R2 NwlnkIpx;NWLink IPX/SPX/NetBIOS Compatible Transport Protocol; C:\WINDOWS\system32\DRIVERS\nwlnkipx.sys [2008-04-13 88320]
R2 NwlnkNb;NWLink NetBIOS; C:\WINDOWS\system32\DRIVERS\nwlnknb.sys [2002-09-03 63232]
R2 NwlnkSpx;NWLink SPX/SPXII Protocol; C:\WINDOWS\system32\DRIVERS\nwlnkspx.sys [2002-09-03 55936]
R3 ADM8511;ADMtek ADM8511/AN986 USB To Fast Ethernet Converter; C:\WINDOWS\system32\DRIVERS\ADM8511.SYS [2001-08-17 20160]
R3 aeaudio;aeaudio; C:\WINDOWS\system32\drivers\aeaudio.sys [2002-04-01 4816]
R3 GEARAspiWDM;GEARAspiWDM; C:\WINDOWS\System32\Drivers\GEARAspiWDM.sys [2006-09-19 15664]
R3 HidUsb;Microsoft HID Class Driver; C:\WINDOWS\system32\DRIVERS\hidusb.sys [2008-04-13 10368]
R3 ialm;ialm; C:\WINDOWS\System32\DRIVERS\ialmnt5.sys [2005-10-19 807998]
R3 mouhid;Mouse HID Driver; C:\WINDOWS\System32\DRIVERS\mouhid.sys [2001-08-17 12160]
R3 smwdm;smwdm; C:\WINDOWS\system32\drivers\smwdm.sys [2002-12-19 539008]
R3 tunmp;Microsoft Tun Miniport Adapter Driver; C:\WINDOWS\system32\DRIVERS\tunmp.sys [2008-04-13 12288]
R3 usbccgp;Microsoft USB Generic Parent Driver; C:\WINDOWS\system32\DRIVERS\usbccgp.sys [2008-04-13 32128]
R3 usbehci;Microsoft USB 2.0 Enhanced Host Controller Miniport Driver; C:\WINDOWS\System32\DRIVERS\usbehci.sys [2008-04-13 30208]
R3 usbhub;USB2 Enabled Hub; C:\WINDOWS\System32\DRIVERS\usbhub.sys [2008-04-13 59520]
R3 usbuhci;Microsoft USB Universal Host Controller Miniport Driver; C:\WINDOWS\System32\DRIVERS\usbuhci.sys [2008-04-13 20608]
S3 Dot4 HPH11;Dot4 HPH11; C:\WINDOWS\system32\DRIVERS\hphid411.sys [2006-01-06 50896]
S3 Dot4Print HPH11;Print Class Driver for IEEE-1284.4 HPH11; C:\WINDOWS\system32\DRIVERS\hphipr11.sys [2006-01-06 16112]
S3 Dot4Usb HPH11;Dot4Usb HPH11; C:\WINDOWS\System32\drivers\hphius11.sys [2006-01-06 18928]
S3 E1000;Intel(R) PRO/1000 Adapter Driver; C:\WINDOWS\System32\DRIVERS\e1000325.sys [2002-11-12 99840]
S3 USB_RNDIS_XP;Westell WireSpeed Dual Connect Modem; C:\WINDOWS\system32\DRIVERS\usb8023.sys [2008-04-13 12800]
S3 usbprint;Microsoft USB PRINTER Class; C:\WINDOWS\system32\DRIVERS\usbprint.sys [2008-04-13 25856]
S3 USBSTOR;USB Mass Storage Driver; C:\WINDOWS\system32\DRIVERS\USBSTOR.SYS [2008-04-13 26368]
S3 WudfPf;Windows Driver Foundation - User-mode Driver Framework Platform Driver; C:\WINDOWS\system32\DRIVERS\WudfPf.sys [2006-09-28 77568]
S3 WudfRd;Windows Driver Foundation - User-mode Driver Framework Reflector; C:\WINDOWS\system32\DRIVERS\wudfrd.sys [2006-09-28 82944]

======List of services (R=Running, S=Stopped, 0=Boot, 1=System, 2=Auto, 3=Demand, 4=Disabled)======

R2 6to4;IPv6 Helper Service; C:\WINDOWS\system32\svchost.exe [2008-04-13 14336]
R2 Apple Mobile Device;Apple Mobile Device; C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe [2008-02-18 110592]
R2 Bonjour Service;Bonjour Service; C:\Program Files\Bonjour\mDNSResponder.exe [2007-07-24 229376]
R2 NwSapAgent;SAP Agent; C:\WINDOWS\system32\svchost.exe [2008-04-13 14336]
R3 iPod Service;iPod Service; C:\Program Files\iPod\bin\iPodService.exe [2008-02-19 504104]
S3 gusvc;Google Updater Service; C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe [2008-06-23 138168]
S3 Pml Driver HPH11;Pml Driver HPH11; C:\WINDOWS\system32\HPHipm11.exe [2006-01-06 77824]
S3 WMPNetworkSvc;Windows Media Player Network Sharing Service; C:\Program Files\Windows Media Player\WMPNetwk.exe [2006-10-18 913408]
S3 WudfSvc;Windows Driver Foundation - User-mode Driver Framework; C:\WINDOWS\system32\svchost.exe [2008-04-13 14336]

-----------------EOF-----------------



MBAM complete scan:

Malwarebytes' Anti-Malware 1.30
Database version: 1348
Windows 5.1.2600 Service Pack 3

10/31/2008 7:25:31 PM
mbam-log-2008-10-31 (19-25-31).txt

Scan type: Full Scan (C:\|)
Objects scanned: 78355
Time elapsed: 22 minute(s), 5 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 11
Registry Values Infected: 2
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 1

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_CLASSES_ROOT\TypeLib\{f0d4b230-da4b-4daf-81e4-dfee4931a4aa} (Adware.AskSBAR) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Interface\{f0d4b23a-da4b-4daf-81e4-dfee4931a4aa} (Adware.AskSBAR) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Interface\{f0d4b23c-da4b-4daf-81e4-dfee4931a4aa} (Adware.AskSBAR) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{b15fd82e-85bc-430d-90cb-65db1b030510} (Adware.AskSBAR) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{f0d4b231-da4b-4daf-81e4-dfee4931a4aa} (Adware.AskSBAR) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{f0d4b231-da4b-4daf-81e4-dfee4931a4aa} (Adware.AskSBAR) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{f0d4b231-da4b-4daf-81e4-dfee4931a4aa} (Adware.AskSBAR) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{f0d4b239-da4b-4daf-81e4-dfee4931a4aa} (Adware.AskSBAR) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{f0d4b239-da4b-4daf-81e4-dfee4931a4aa} (Adware.AskSBAR) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{f0d4b23b-da4b-4daf-81e4-dfee4931a4aa} (Adware.AskSBAR) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\PreApproved\{f0d4b23b-da4b-4daf-81e4-dfee4931a4aa} (Adware.AskSBAR) -> Quarantined and deleted successfully.

Registry Values Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar\{f0d4b239-da4b-4daf-81e4-dfee4931a4aa} (Adware.AskSBAR) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\Toolbar\WebBrowser\{f0d4b239-da4b-4daf-81e4-dfee4931a4aa} (Adware.AskSBAR) -> Quarantined and deleted successfully.

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
C:\Program Files\AskSBar\bar\1.bin\ASKSBAR.DLL (Adware.AskSBAR) -> Quarantined and deleted successfully.
#36 - Moderator - 31st Oct 2008, 17:33
Do you use the AskSBar? If not, go to Add/Remove Programs and uninstall everything with Ask in the name.

Run the Kaspersky Online Scanner

In Microsoft Windows Vista, you must open the web browser using the Run as Administrator command. From the desktop, right-click the icon to open the browser and choose Run as Administrator.
  • Click on SCAN NOW
  • Click Accept.
  • The program will then begin downloading the latest definition files.
  • Once the files have been downloaded, locate the Scan Settings and have it scan My Computer.
  • The scan will take a while, so be patient and let it finish.

When the scan is done, any infection found is displayed in the Scan is complete window.
There is no option to clean/disinfect; however, we need to analyze the information in the report.

To obtain the report:
Click on: Save Report As
  • Next, in the Save as prompt, Save in area, select: Desktop.
  • In the File name area use KScan, or something similar.
  • In Save as type: click the drop arrow and select: Text file [*.txt]
  • Then, click: Save


Copy and paste the Kaspersky Online Scanner Report in your next reply.

Note for Internet Explorer 7 users: If at any time you have trouble viewing the accept button of the license, click on the Zoom tool located at the bottom right of the IE window and set the zoom to 75%. Once the license is accepted, reset to 100%.

#37 - Donor VIP - 31st Oct 2008, 18:00
I don't use Ask; it's not my computer, and she (the computer we are fixing) is using XP. Does that change anything, or do I just uninstall all the Ask crap, download Kaspersky and run it as prompted?

I told her I was going to slash and burn whatever you told me to slash and burn so she can find something other than ask.

EDIT: When I tried to uninstall Ask (toolbar), I got "<ask path> The specified module could not be found".
#38 - Moderator - 31st Oct 2008, 18:10
I just noticed something. NO antivirus?

Open HijackThis and select Do a system scan only.

Place a check mark next to the following entries (if there):
  • R3 - URLSearchHook: (no name) - {0579B4B6-0293-4d73-B02D-5EBB0BA0F0A2} - C:\Program Files\AskSBar\SrchAstt\1.bin\A2SRCHAS.DLL
  • O2 - BHO: Ask Search Assistant BHO - {0579B4B1-0293-4d73-B02D-5EBB0BA0F0A2} - C:\Program Files\AskSBar\SrchAstt\1.bin\A2SRCHAS.DLL
Important: Close all windows except for HijackThis and then click Fix checked.

Exit HijackThis.

----------

Download OTMoveIt3 by OldTimer

Note: If you are running on Vista, right-click on OTMoveIt3.exe and choose Run As Administrator.

* Save it to your Desktop.
* Double-click OTMoveIt3.exe to run it.
* Copy the lines in the codebox below to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose Copy)

Code:
:Processes
explorer.exe

:services

:reg

:files
C:\Program Files\AskSBar

:Commands
[emptytemp]
[start explorer]
[Reboot]

* Return to OTMoveIt3, right click in the "Paste Instructions for Items to be Moved" window (under the yellow bar) and choose Paste.
* Click the red Moveit! button.
* Copy everything in the Results window (under the green bar) to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose copy), and paste it in your next reply.
Close OTMoveIt3

Note: If a file or folder cannot be moved immediately you may be asked to reboot your computer in order to finish the move process. If asked to reboot, choose Yes. If not, reboot anyway.

----------

Might as well go ahead and update Java now.

Download and install the newest version of the Java Runtime Environment

Next:

Download JavaRa
  • Unzip the file and open the JavaRa.exe
  • Click Remove Older Versions
  • JavaRa will search for any outdated versions of Java and remove any that are found.
  • Click Additional Tasks
  • Place a check next to Remove Useless JRE Files and click Go
  • Exit JavaRa
  • Delete the JavaRa files from the Desktop

----------

Run Kaspersky.

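As an added example (editor's code, not from HijackThis, RSIT, OTMoveIt or any poster in this thread), the script below parses HijackThis-style lines like those in the log in post #35, flags the entries a helper looks at first (an orphaned "(no file)" search hook, anything under the AskSBar folder, the Winsock LSP that HijackThis could not identify), and writes the two AskSBar entries that were "Fix checked" in post #38 out as a .reg removal file. The registry locations for O2 Browser Helper Objects and R3 URLSearchHooks are the standard ones; the function names, the watched-path list and the eight sample lines (copied from the posted log) are assumptions made for the example.

```python
"""HijackThis/RSIT log triage, written as an added example for this thread.

Not code from HijackThis, RSIT, OTMoveIt or any poster. It parses lines in the
format shown in post #35, flags what a helper would look at, and turns the two
AskSBar entries fixed in post #38 into a .reg removal file. Function names and
the watched-path list are assumptions made for the example.
"""
import re
from dataclasses import dataclass

# Constructed sample: eight lines copied from the HijackThis section of the posted log.
SAMPLE_LOG = r"""
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - (no file)
R3 - URLSearchHook: (no name) - {0579B4B6-0293-4d73-B02D-5EBB0BA0F0A2} - C:\Program Files\AskSBar\SrchAstt\1.bin\A2SRCHAS.DLL
O2 - BHO: Ask Search Assistant BHO - {0579B4B1-0293-4d73-B02D-5EBB0BA0F0A2} - C:\Program Files\AskSBar\SrchAstt\1.bin\A2SRCHAS.DLL
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar2.dll
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O10 - Unknown file in Winsock LSP: c:\windows\system32\nwprovau.dll
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
"""

GUID = r"\{[0-9A-Fa-f]{8}(?:-[0-9A-Fa-f]{4}){3}-[0-9A-Fa-f]{12}\}"
# R3/O2/O3/O9: "<type> - <label>: <name> - {CLSID} - <path>"
CLSID_RE = re.compile(r"^(?P<type>R3|O2|O3|O9) - (?P<label>[^:]+): (?P<name>.+?) - (?P<clsid>" + GUID + r") - (?P<path>.*)$")
# O4: "O4 - HKLM\..\Run: [<name>] <command line>"
RUN_RE = re.compile(r"^(?P<type>O4) - (?P<hive>HKLM|HKCU)\\\.\.\\Run: \[(?P<name>[^\]]+)\] (?P<path>.*)$")
# O23: "O23 - Service: <name> - <company> - <path>"
SVC_RE = re.compile(r"^(?P<type>O23) - Service: (?P<name>.+?) - (?P<company>.+?) - (?P<path>.*)$")
# O10: "O10 - Unknown file in Winsock LSP: <path>"
LSP_RE = re.compile(r"^(?P<type>O10) - Unknown file in Winsock LSP: (?P<path>.*)$")


@dataclass
class Entry:
    type: str
    name: str
    clsid: str
    path: str
    raw: str


def _exe_path(command_line):
    """Reduce an O4 command line to its executable: drop quotes and arguments."""
    command_line = command_line.strip()
    if command_line.startswith('"'):
        return command_line[1:command_line.index('"', 1)]
    return command_line


def parse_line(line):
    for rx in (CLSID_RE, RUN_RE, SVC_RE, LSP_RE):
        m = rx.match(line)
        if m:
            g = m.groupdict()
            path = _exe_path(g["path"]) if g["type"] == "O4" else g["path"].strip()
            return Entry(g["type"], g.get("name", ""), g.get("clsid", ""), path, line)
    # Formats not modelled here (R0/R1 URLs, O16 DPF, ...) are kept so nothing is silently dropped.
    return Entry(line.split(" - ", 1)[0], "", "", "", line)


def parse_log(text):
    return [parse_line(ln) for ln in text.splitlines() if ln.strip()]


def triage(entries, watched_prefixes):
    """Return (entry, reason) pairs a helper would look at first."""
    watched = [p.lower() for p in watched_prefixes]
    flagged = []
    for e in entries:
        if e.path == "(no file)":
            flagged.append((e, "orphaned: registered but file missing"))
        elif e.path and any(e.path.lower().startswith(w) for w in watched):
            flagged.append((e, "under watched path"))
        elif e.type == "O10":
            # nwprovau.dll is the Windows NetWare client provider, consistent with the
            # NWLink drivers in the same log, so a human would clear it; it is still listed.
            flagged.append((e, "LSP not known to HijackThis; verify by hand"))
    return flagged


BHO_KEY = r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects"
HOOKS_KEY = r"HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\URLSearchHooks"


def select_by_clsid(entries, clsids):
    wanted = {c.lower() for c in clsids}
    return [e for e in entries if e.clsid.lower() in wanted]


def reg_removal(entries):
    """Write the keys behind O2 (BHO) and R3 (URLSearchHook) lines as a .reg removal file.

    The COM class registration under HKCR\\CLSID is deliberately left alone here."""
    out = ["Windows Registry Editor Version 5.00", ""]
    for e in entries:
        if e.type == "O2":
            out += [f"[-{BHO_KEY}\\{e.clsid}]", ""]          # leading '-' deletes the whole key
        elif e.type == "R3":
            out += [f"[{HOOKS_KEY}]", f'"{e.clsid}"=-', ""]   # '=-' deletes one value
    return "\n".join(out) + "\n"


if __name__ == "__main__":
    entries = parse_log(SAMPLE_LOG)
    for e, why in triage(entries, [r"C:\Program Files\AskSBar"]):
        print(f"{e.type:4} {why:45} {e.raw}")
    print(reg_removal(select_by_clsid(entries, [
        "{0579B4B6-0293-4d73-B02D-5EBB0BA0F0A2}",   # R3 URLSearchHook
        "{0579B4B1-0293-4d73-B02D-5EBB0BA0F0A2}",   # O2 BHO
    ])))
```

Importing the generated .reg file needs the same care as "Fix checked": close Internet Explorer first so the DLL is not loaded, and expect the A2SRCHAS.DLL file itself and its COM class registration to remain until OTMoveIt3 (or an uninstaller that works) removes the folder, which is exactly why the OTMoveIt3 script above moves C:\Program Files\AskSBar separately.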
#39 - Donor VIP - 31st Oct 2008, 18:26
To clarify: I did NOT run the Kaspersky. I ran HJT, did the system scan only and deleted the 2 lines you said. I am about to download OTMoveIt3 and do what you said there. I just want to make sure I didn't skip a step by not doing the Kaspersky before I run the MoveIt. I have already downloaded the Kaspersky on that machine. Run it, or wait 'til I do the Kas?

EDIT: Crap, I think of things too late. I'm doing everything on her computer using Firefox, if that makes any difference, but I think she will continue using IE.
#40 - Moderator - 31st Oct 2008, 18:34
  • OTMOVEIT3
  • Update Java
  • Kaspersky

Copyright ©2006 - 2010 Computer Juice.