Tech Support Guy Forums > Security & Malware Removal > General Security
Looking for advice

Moderator & Malware Removal Specialist with 17,387 posts.
 
Join Date: Jan 2002
Location: NY
Experience: Junkware Jouster
13-Jan-2008, 01:50 AM #31
Yes, at least get the new scan done and the logs posted. I will then post the next step, which doesn't take too long: usually about 15 minutes after you have the directions and the small file downloaded; the new tool takes that long in most situations.

Then you post a log from that scan, and I check that, etc.

The entire fix might run for hours, so I don't expect you to stay that long; we can pick it up tomorrow, but at least you should run this next part, using a new tool that I will post.
__________________
Mung (computer term), the act of making several incremental changes to an item that combine to destroy it
Donate directly to help the site TSG Library
TSG's Welcome Guide- Tips, Rules, How to use TSG and more!
Member with 48 posts.
 
Join Date: Jan 2008
Experience: Beginner
13-Jan-2008, 03:06 AM #32
New HJT log
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 11:05:35 PM, on 1/12/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16574)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\WINDOWS\system32\firefoxupdateg.exe
C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe
C:\Program Files\QuickTime\QTTask.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Java\jre1.6.0_04\bin\jusched.exe
C:\Program Files\MSN Messenger\msnmsgr.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
C:\Program Files\3M\PDNotes\PDNotes.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Raxco\PerfectDisk\PDAgent.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\wwSecure.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\Program Files\Raxco\PerfectDisk\PDEngine.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\System32\wbem\wmiapsrv.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\wuauclt.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: &Yahoo! Toolbar Helper - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: Groove GFS Browser Helper - {72853161-30C5-4D22-B7F9-0BBC1D38A37E} - C:\PROGRA~1\MICROS~2\Office12\GRA8E1~1.DLL
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_04\bin\ssv.dll
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: Windows Live Toolbar Helper - {BDBD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\Windows Live Toolbar\msntb.dll
O2 - BHO: {27189456-efe9-6f38-5564-a5d547c9298e} - {e8929c74-5d5a-4655-83f6-9efe65498172} - C:\WINDOWS\system32\sqlmfvwd.dll (file missing)
O3 - Toolbar: Windows Live Toolbar - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\Windows Live Toolbar\msntb.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [Zune Launcher] "C:\Program Files\Zune\ZuneLauncher.exe"
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [firefox] firefoxupdateg.exe
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [GrooveMonitor] "C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe"
O4 - HKLM\..\Run: [a8ee4813] rundll32.exe "C:\WINDOWS\system32\idbwxnut.dll",b
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_04\bin\jusched.exe"
O4 - HKLM\..\RunServices: [firefox] firefoxupdateg.exe
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
O4 - Global Startup: Post-it® Digital Notes.lnk = ?
O8 - Extra context menu item: &Windows Live Search - res://C:\Program Files\Windows Live Toolbar\msntb.dll/search.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office12\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_04\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_04\bin\ssv.dll
O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\Office12\REFIEBAR.DLL
O9 - Extra button: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\WINDOWS\System32\shdocvw.dll
O9 - Extra 'Tools' menuitem: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\WINDOWS\System32\shdocvw.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {3EA4FA88-E0BE-419A-A732-9B79B87A6ED0} (CTVUAxCtrl Object) - http://dl.tvunetworks.com/TVUAx.cab
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://gfx2.hotmail.com/mail/w2/pr02...s/MSNPUpld.cab
O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} (RdxIE Class) - http://software-dl.real.com/14ffe564...p/RdxIE601.cab
O16 - DPF: {5C6698D9-7BE4-4122-8EC5-291D84DBD4A0} - http://upload.facebook.com/controls/...oUploader2.cab
O16 - DPF: {5F8469B4-B055-49DD-83F7-62B522420ECC} (Facebook Photo Uploader Control) - http://upload.facebook.com/controls/...toUploader.cab
O16 - DPF: {F137B9BA-89EA-4B04-9C67-2074A9DF61FD} (Photo Upload Plugin Class) - http://walmart.pnimedia.com/upload/a...v2.0.0.10.cab?
O18 - Protocol: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - C:\PROGRA~1\MICROS~2\Office12\GR99D3~1.DLL
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
O23 - Service: avast! Web Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
O23 - Service: Imapi Helper - Alex Feinman - C:\Program Files\Alex Feinman\ISO Recorder\ImapiHelper.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Intel NCS NetService (NetSvc) - Intel(R) Corporation - C:\Program Files\Intel\NCS\Sync\NetSvc.exe
O23 - Service: PDAgent - Raxco Software, Inc. - C:\Program Files\Raxco\PerfectDisk\PDAgent.exe
O23 - Service: PDEngine - Raxco Software, Inc. - C:\Program Files\Raxco\PerfectDisk\PDEngine.exe
O23 - Service: Remote Packet Capture Protocol v.0 (experimental) (rpcapd) - CACE Technologies - C:\Program Files\WinPcap\rpcapd.exe
O23 - Service: Spyware Doctor Auxiliary Service (sdAuxService) - PC Tools - C:\Program Files\Spyware Doctor\svcntaux.exe
O23 - Service: Spyware Doctor Service (sdCoreService) - PC Tools - C:\Program Files\Spyware Doctor\swdsvc.exe
O23 - Service: Washer Security Access (wwSecSvc) - Webroot Software, Inc. - C:\WINDOWS\system32\wwSecure.exe
O24 - Desktop Component 0: (no name) - file:///C:/DOCUME~1/Owner/LOCALS~1/Temp/msohtml1/01/clip_image002.jpg

--
End of file - 9080 bytes


the super a/s should be posted within the next 5 min
Member with 48 posts.
 
Join Date: Jan 2008
Experience: Beginner
13-Jan-2008, 03:07 AM #33
SAS scan 1 of 3
SUPERAntiSpyware Scan Log
http://www.superantispyware.com

Generated 01/12/2008 at 02:36 AM

Application Version : 3.9.1008

Core Rules Database Version : 3377
Trace Rules Database Version: 1371

Scan type : Quick Scan
Total Scan Time : 00:37:49

Memory items scanned : 498
Memory threats detected : 0
Registry items scanned : 731
Registry threats detected : 26
File items scanned : 52060
File threats detected : 21

Unclassified.Oreans32
HKLM\System\ControlSet001\Services\oreans32
C:\WINDOWS\SYSTEM32\DRIVERS\OREANS32.SYS
HKLM\System\ControlSet003\Services\oreans32
HKLM\System\CurrentControlSet\Services\oreans32
HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_OREANS32
HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_OREANS32#NextInstance
HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_OREANS32\0000
HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_OREANS32\0000#Service
HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_OREANS32\0000#Legacy
HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_OREANS32\0000#ConfigFlags
HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_OREANS32\0000#Class
HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_OREANS32\0000#ClassGUID
HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_OREANS32\0000#DeviceDesc
HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_OREANS32\0000\Control
HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_OREANS32\0000\Control#*Newly Created*
HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_OREANS32\0000\Control#Active Service
HKLM\SYSTEM\CurrentControlSet\Services\oreans32#Type
HKLM\SYSTEM\CurrentControlSet\Services\oreans32#Start
HKLM\SYSTEM\CurrentControlSet\Services\oreans32#ErrorControl
HKLM\SYSTEM\CurrentControlSet\Services\oreans32#ImagePath
HKLM\SYSTEM\CurrentControlSet\Services\oreans32#DisplayName
HKLM\SYSTEM\CurrentControlSet\Services\oreans32\Security
HKLM\SYSTEM\CurrentControlSet\Services\oreans32\Security#Security
HKLM\SYSTEM\CurrentControlSet\Services\oreans32\Enum
HKLM\SYSTEM\CurrentControlSet\Services\oreans32\Enum#0
HKLM\SYSTEM\CurrentControlSet\Services\oreans32\Enum#Count
HKLM\SYSTEM\CurrentControlSet\Services\oreans32\Enum#NextInstance

Adware.Tracking Cookie
C:\Documents and Settings\Owner\Cookies\owner@www.zanox-affiliate[2].txt
C:\Documents and Settings\Owner\Cookies\owner@hornymatches[2].txt
C:\Documents and Settings\Owner\Cookies\owner@bestsellerantivirus[1].txt
C:\Documents and Settings\Owner\Cookies\owner@advertising[2].txt
C:\Documents and Settings\Owner\Cookies\owner@ad.zanox[2].txt
C:\Documents and Settings\Owner\Cookies\owner@ads.adbrite[2].txt
C:\Documents and Settings\Owner\Cookies\owner@valuesloo.8.clickshield[1].txt
C:\Documents and Settings\Owner\Cookies\owner@systemerrorfixer[2].txt
C:\Documents and Settings\Owner\Cookies\owner@secure.systemerrorfixer[1].txt
C:\Documents and Settings\Owner\Cookies\owner@apmebf[1].txt
C:\Documents and Settings\Owner\Cookies\owner@fastclick[1].txt
C:\Documents and Settings\Owner\Cookies\owner@atdmt[1].txt
C:\Documents and Settings\Owner\Cookies\owner@www.popundersupply[1].txt
C:\Documents and Settings\Owner\Cookies\owner@ads.realtechnetwork[1].txt
C:\Documents and Settings\Owner\Cookies\owner@statsgod[1].txt
C:\Documents and Settings\Owner\Cookies\owner@adopt.specificclick[2].txt
C:\Documents and Settings\Owner\Cookies\owner@precisionclick[2].txt
C:\Documents and Settings\Owner\Cookies\owner@www.ticketsnow2[2].txt
C:\Documents and Settings\Owner\Cookies\owner@casalemedia[1].txt
C:\Documents and Settings\Owner\Cookies\owner@ad.yieldmanager[1].txt
Member with 48 posts.
 
Join Date: Jan 2008
Experience: Beginner
13-Jan-2008, 03:07 AM #34
SAS scan 2 of 3
Memory items scanned : 520
Memory threats detected : 0
Registry items scanned : 6517
Registry threats detected : 25
File items scanned : 28404
File threats detected : 25

Unclassified.Oreans32
HKLM\System\ControlSet001\Services\oreans32
C:\WINDOWS\SYSTEM32\DRIVERS\OREANS32.SYS
HKLM\System\CurrentControlSet\Services\oreans32
HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_OREANS32
HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_OREANS32#NextInstance
HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_OREANS32\0000
HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_OREANS32\0000#Service
HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_OREANS32\0000#Legacy
HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_OREANS32\0000#ConfigFlags
HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_OREANS32\0000#Class
HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_OREANS32\0000#ClassGUID
HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_OREANS32\0000#DeviceDesc
HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_OREANS32\0000\Control
HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_OREANS32\0000\Control#*Newly Created*
HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_OREANS32\0000\Control#Active Service
HKLM\SYSTEM\CurrentControlSet\Services\oreans32#Type
HKLM\SYSTEM\CurrentControlSet\Services\oreans32#Start
HKLM\SYSTEM\CurrentControlSet\Services\oreans32#ErrorControl
HKLM\SYSTEM\CurrentControlSet\Services\oreans32#ImagePath
HKLM\SYSTEM\CurrentControlSet\Services\oreans32#DisplayName
HKLM\SYSTEM\CurrentControlSet\Services\oreans32\Security
HKLM\SYSTEM\CurrentControlSet\Services\oreans32\Security#Security
HKLM\SYSTEM\CurrentControlSet\Services\oreans32\Enum
HKLM\SYSTEM\CurrentControlSet\Services\oreans32\Enum#0
HKLM\SYSTEM\CurrentControlSet\Services\oreans32\Enum#Count
HKLM\SYSTEM\CurrentControlSet\Services\oreans32\Enum#NextInstance

Adware.Tracking Cookie
C:\Documents and Settings\Owner\Cookies\owner@www.zanox-affiliate[2].txt
C:\Documents and Settings\Owner\Cookies\owner@hornymatches[2].txt
C:\Documents and Settings\Owner\Cookies\owner@bestsellerantivirus[1].txt
C:\Documents and Settings\Owner\Cookies\owner@advertising[2].txt
C:\Documents and Settings\Owner\Cookies\owner@ad.zanox[2].txt
C:\Documents and Settings\Owner\Cookies\owner@ads.adbrite[2].txt
C:\Documents and Settings\Owner\Cookies\owner@valuesloo.8.clickshield[1].txt
C:\Documents and Settings\Owner\Cookies\owner@systemerrorfixer[2].txt
C:\Documents and Settings\Owner\Cookies\owner@secure.systemerrorfixer[1].txt
C:\Documents and Settings\Owner\Cookies\owner@apmebf[1].txt
C:\Documents and Settings\Owner\Cookies\owner@fastclick[1].txt
C:\Documents and Settings\Owner\Cookies\owner@atdmt[1].txt
C:\Documents and Settings\Owner\Cookies\owner@www.popundersupply[1].txt
C:\Documents and Settings\Owner\Cookies\owner@ads.realtechnetwork[1].txt
C:\Documents and Settings\Owner\Cookies\owner@statsgod[1].txt
C:\Documents and Settings\Owner\Cookies\owner@adopt.specificclick[2].txt
C:\Documents and Settings\Owner\Cookies\owner@precisionclick[2].txt
C:\Documents and Settings\Owner\Cookies\owner@www.ticketsnow2[2].txt
C:\Documents and Settings\Owner\Cookies\owner@casalemedia[1].txt
C:\Documents and Settings\Owner\Cookies\owner@ad.yieldmanager[1].txt

Adware.Vundo-Variant
C:\SYSTEM VOLUME INFORMATION\_RESTORE{19A6BFB3-6883-4B37-9088-B77B5C0438D8}\RP7\A0002042.DLL

Adware.Vundo-Variant/Small-A
C:\SYSTEM VOLUME INFORMATION\_RESTORE{19A6BFB3-6883-4B37-9088-B77B5C0438D8}\RP7\A0002043.DLL
C:\SYSTEM VOLUME INFORMATION\_RESTORE{19A6BFB3-6883-4B37-9088-B77B5C0438D8}\RP7\A0002044.DLL
C:\SYSTEM VOLUME INFORMATION\_RESTORE{19A6BFB3-6883-4B37-9088-B77B5C0438D8}\RP7\A0002045.DLL
Member with 48 posts.
 
Join Date: Jan 2008
Experience: Beginner
13-Jan-2008, 03:08 AM #35
Latest scan
SUPERAntiSpyware Scan Log
http://www.superantispyware.com

Generated 01/12/2008 at 11:00 PM

Application Version : 3.9.1008

Core Rules Database Version : 3377
Trace Rules Database Version: 1371

Scan type : Complete Scan
Total Scan Time : 02:17:12

Memory items scanned : 516
Memory threats detected : 0
Registry items scanned : 6615
Registry threats detected : 0
File items scanned : 144826
File threats detected : 5

Adware.Tracking Cookie
C:\Documents and Settings\Owner\Cookies\owner@atdmt[1].txt
C:\Documents and Settings\Owner\Cookies\owner@ads.bridgetrack[1].txt

Unclassified.Oreans32
C:\SYSTEM VOLUME INFORMATION\_RESTORE{19A6BFB3-6883-4B37-9088-B77B5C0438D8}\RP11\A0006042.SYS
C:\SYSTEM VOLUME INFORMATION\_RESTORE{19A6BFB3-6883-4B37-9088-B77B5C0438D8}\RP11\A0008019.SYS
C:\SYSTEM VOLUME INFORMATION\_RESTORE{19A6BFB3-6883-4B37-9088-B77B5C0438D8}\RP8\A0005120.SYS
Moderator & Malware Removal Specialist with 17,387 posts.
 
Join Date: Jan 2002
Location: NY
Experience: Junkware Jouster
13-Jan-2008, 03:14 AM #36
Hi, Thank you!

Please download ComboFix from Here or Here to your Desktop.

**Note: In the event you already have ComboFix, this is a new version that I need you to download. It is important that it is saved directly to your desktop.**
  1. Close any open browsers.
  2. Close/disable all anti-virus and anti-malware programs so they do not interfere with the running of ComboFix.
    -----------------------------------------------------------
    • Very Important! Temporarily disable your anti-virus, script-blocking and any anti-malware real-time protection before performing a scan. They can interfere with ComboFix or remove some of its embedded files, which may cause "unpredictable results".
    • Click on this link to see a list of programs that should be disabled. The list is not all-inclusive. If yours is not listed and you don't know how to disable it, please ask.
    -----------------------------------------------------------
    • Close any open browsers.
    • WARNING: ComboFix will disconnect your machine from the Internet as soon as it starts.
    • Please do not attempt to reconnect your machine to the Internet until ComboFix has completely finished.
    • If there is no Internet connection after running ComboFix, restart your computer to restore your connection.
    -----------------------------------------------------------
  3. Double-click on combofix.exe and follow the prompts.
  4. When finished, it will produce a report for you.
  5. Please post "C:\ComboFix.txt" in your next reply.
**Note: Do not mouse-click ComboFix's window while it's running. That may cause it to stall.**
Member with 48 posts.
 
Join Date: Jan 2008
Experience: Beginner
13-Jan-2008, 03:41 AM #37
combo fix
ComboFix 08-01-13.1 - Owner 2008-01-12 23:28:59.1 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.216 [GMT -8:00]
Running from: C:\Documents and Settings\Owner\Desktop\ComboFix.exe
* Created a new restore point

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\WINDOWS\system32\acwuncof.ini
C:\WINDOWS\system32\aghtaweq.ini
C:\WINDOWS\system32\bduydtwv.ini
C:\WINDOWS\system32\blgobvwj.ini
C:\WINDOWS\system32\bqogyroh.ini
C:\WINDOWS\system32\deposit.dll
C:\WINDOWS\system32\ejrxbvyo.ini
C:\WINDOWS\system32\fjmacbjf.ini
C:\WINDOWS\system32\gjtibopy.ini
C:\WINDOWS\system32\gpbdjuwi.ini
C:\WINDOWS\system32\gqrpadxt.ini
C:\WINDOWS\system32\hnarlrjp.ini
C:\WINDOWS\system32\ikgaqtui.ini
C:\WINDOWS\system32\kengggei.ini
C:\WINDOWS\system32\koxwgixt.ini
C:\WINDOWS\system32\kyauvocu.ini
C:\WINDOWS\system32\mcrh.tmp
C:\WINDOWS\system32\nffjuppv.ini
C:\WINDOWS\system32\nrsrttjq.ini
C:\WINDOWS\system32\qfrxnrtd.ini
C:\WINDOWS\system32\qutemcap.ini
C:\WINDOWS\system32\rfajlrhm.ini
C:\WINDOWS\system32\rpoetsxa.ini
C:\WINDOWS\system32\sgejybuw.ini
C:\WINDOWS\system32\smsohsjc.ini
C:\WINDOWS\system32\sqqcpqup.ini
C:\WINDOWS\system32\tpisfvnb.ini
C:\WINDOWS\system32\tunxwbdi.ini
C:\WINDOWS\system32\uelfwcxm.ini
C:\WINDOWS\system32\utvwa.ini
C:\WINDOWS\system32\utvwa.ini2
C:\WINDOWS\system32\vgthruqu.ini
C:\WINDOWS\system32\vkstjgue.ini
C:\WINDOWS\system32\wraudqqd.ini
C:\WINDOWS\system32\xwqruhnf.ini
C:\WINDOWS\system32\yxfqhwpt.ini

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))

.
-------\LEGACY_DOMAINSERVICE


((((((((((((((((((((((((( Files Created from 2007-12-13 to 2008-01-13 )))))))))))))))))))))))))))))))
.

2008-01-12 23:28 . 2000-08-31 08:00 51,200 --a------ C:\WINDOWS\NirCmd.exe
2008-01-12 23:04 . 2008-01-12 23:04 33,952 --a------ C:\WINDOWS\system32\drivers\oreans32.sys
2008-01-12 15:29 . 2008-01-12 15:29 <DIR> d-------- C:\Program Files\WinPcap
2008-01-12 15:27 . 2008-01-12 23:02 <DIR> d-------- C:\Program Files\WMR11
2008-01-12 01:56 . 2007-12-14 01:59 69,632 --a------ C:\WINDOWS\system32\javacpl.cpl
2008-01-12 01:55 . 2008-01-12 01:55 <DIR> d-------- C:\Program Files\Common Files\Java
2008-01-10 12:35 . 2008-01-10 12:35 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\SUPERAntiSpyware.com
2008-01-10 12:34 . 2008-01-12 23:06 <DIR> d-------- C:\Program Files\SUPERAntiSpyware
2008-01-10 12:34 . 2008-01-10 12:34 <DIR> d-------- C:\Documents and Settings\Owner\Application Data\SUPERAntiSpyware.com
2008-01-10 01:27 . 2008-01-12 23:37 54,156 --ah----- C:\WINDOWS\QTFont.qfn
2008-01-10 01:27 . 2008-01-10 01:27 1,409 --a------ C:\WINDOWS\QTFont.for
2008-01-10 01:26 . 2008-01-10 01:26 <DIR> d-------- C:\Program Files\iTunes
2008-01-10 01:26 . 2008-01-10 01:26 <DIR> d-------- C:\Program Files\iPod
2008-01-10 01:22 . 2008-01-11 03:40 <DIR> d-------- C:\WINDOWS\SxsCaPendDel
2008-01-10 00:22 . 2008-01-10 01:09 <DIR> d-------- C:\VundoFix Backups
2008-01-09 09:02 . 2008-01-09 09:02 <DIR> d-------- C:\Program Files\Trend Micro
2008-01-05 19:31 . 2008-01-05 19:28 102,664 --a------ C:\WINDOWS\system32\drivers\tmcomm.sys
2008-01-05 19:28 . 2008-01-05 19:34 <DIR> d-------- C:\Documents and Settings\Owner\.housecall6.6
2008-01-01 13:35 . 2008-01-01 13:51 <DIR> d-------- C:\Program Files\mIRC
2008-01-01 13:35 . 2008-01-01 14:05 <DIR> d-------- C:\Documents and Settings\Owner\Application Data\mIRC
2007-12-23 00:43 . 2007-12-23 00:43 <DIR> d-------- C:\Documents and Settings\Owner\Application Data\Yahoo!
2007-12-23 00:43 . 2007-12-23 00:45 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Yahoo! Companion

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-01-13 00:05 --------- d-----w C:\Documents and Settings\Owner\Application Data\uTorrent
2008-01-12 09:56 --------- d-----w C:\Program Files\Java
2008-01-10 20:34 --------- d-----w C:\Program Files\Common Files\Wise Installation Wizard
2008-01-10 09:24 --------- d-----w C:\Program Files\QuickTime
2008-01-10 09:22 --------- d-----w C:\Program Files\Apple Software Update
2008-01-07 13:00 --------- d-----w C:\Program Files\Folder Lock
2008-01-06 13:59 --------- d-----w C:\Program Files\uTorrent
2008-01-06 01:47 --------- d-----w C:\Program Files\TVUPlayer
2008-01-02 03:13 --------- d-----w C:\Documents and Settings\Owner\Application Data\Vso
2007-12-24 02:04 --------- d-----w C:\Documents and Settings\Owner\Application Data\LimeWire
2007-12-23 08:43 --------- d-----w C:\Program Files\Yahoo!
2007-12-21 22:10 --------- d-----w C:\Program Files\Messenger Plus! Live
2007-12-17 07:33 --------- d-----w C:\Documents and Settings\All Users\Application Data\Messenger Plus!
2007-12-13 11:08 --------- d-----w C:\Documents and Settings\All Users\Application Data\Microsoft Help
2007-12-09 06:34 --------- d-----w C:\Program Files\Microsoft Works
2007-12-09 06:33 --------- d-----w C:\Program Files\MSBuild
2007-12-09 06:29 --------- d-----w C:\Program Files\Microsoft.NET
2007-12-09 06:23 --------- d-----w C:\Program Files\Microsoft Visual Studio 8
2007-12-04 14:56 93,264 ----a-w C:\WINDOWS\system32\drivers\aswmon.sys
2007-12-04 14:55 94,544 ----a-w C:\WINDOWS\system32\drivers\aswmon2.sys
2007-12-04 14:53 23,152 ----a-w C:\WINDOWS\system32\drivers\aswRdr.sys
2007-12-04 14:51 42,912 ----a-w C:\WINDOWS\system32\drivers\aswTdi.sys
2007-12-04 14:49 26,624 ----a-w C:\WINDOWS\system32\drivers\aavmker4.sys
2007-12-04 11:21 --------- d-----w C:\Program Files\Windows Live Toolbar
2007-12-03 10:29 --------- d-----w C:\Program Files\Common Files\Raxco
2007-12-03 10:29 --------- d-----w C:\Documents and Settings\All Users\Application Data\Raxco
2007-12-02 18:38 --------- d-----w C:\Program Files\Alex Feinman
2007-12-02 09:19 --------- d-----w C:\Program Files\MagicISO
2007-12-02 07:38 --------- d-----w C:\Program Files\MP3Gain
2007-12-02 06:56 --------- d-----w C:\Program Files\Smart Projects
2007-12-02 06:49 --------- d-----w C:\Program Files\Common Files\Ahead
2007-12-02 06:49 --------- d-----w C:\Program Files\Ahead
2007-12-02 06:31 --------- d-----w C:\Program Files\MediaMonkey
2007-12-01 01:19 --------- d-----w C:\Documents and Settings\Owner\Application Data\TVU Networks
2007-11-30 09:15 --------- d-----w C:\Documents and Settings\Owner\Application Data\dvdcss
2007-11-29 20:10 --------- d--h--w C:\Program Files\InstallShield Installation Information
2007-11-29 20:10 --------- d-----w C:\Program Files\Ross Histology
2007-11-25 09:25 --------- d-----w C:\Program Files\MP3ext
2007-11-25 09:15 --------- d-----w C:\Program Files\Winamp
2007-11-25 09:15 --------- d-----w C:\Program Files\Mp3tag
2007-11-24 22:07 --------- d-----w C:\Program Files\MSN Messenger
2007-11-13 10:25 20,480 ----a-w C:\WINDOWS\system32\drivers\secdrv.sys
2007-02-14 05:07 784 ----a-w C:\Documents and Settings\Owner\Application Data\mpauth.dat
2004-10-06 08:52 22,555,648 ----a-w C:\Program Files\setup.exe
2004-10-05 20:54 27,494 ----a-w C:\Program Files\Readme.txt
2004-09-22 17:07 25,047 ------w C:\Program Files\License.rtf
2005-07-14 18:31 27,648 --sha-w C:\WINDOWS\system32\AVSredirect.dll
2007-06-13 10:23 1,276,928 --sha-r C:\WINDOWS\system32\firefoxupdateg.exe
2007-07-30 00:58 16,753,440 --sha-w C:\WINDOWS\system32\drivers\fidbox.dat
2007-07-26 10:09 548,896 --sha-w C:\WINDOWS\system32\drivers\fidbox2.dat
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{e8929c74-5d5a-4655-83f6-9efe65498172}]
C:\WINDOWS\system32\sqlmfvwd.dll

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"msnmsgr"="C:\Program Files\MSN Messenger\msnmsgr.exe" [2007-01-19 12:54 5674352]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 00:56 15360]
"SUPERAntiSpyware"="C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe" [2007-06-21 14:06 1318912]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"avast!"="C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe" [2007-12-04 05:00 79224]
"Zune Launcher"="C:\Program Files\Zune\ZuneLauncher.exe" [2007-03-14 16:03 24104]
"TkBellExe"="C:\Program Files\Common Files\Real\Update_OB\realsched.exe" [2007-10-06 06:49 185632]
"firefox"="firefoxupdateg.exe" [2007-06-13 02:23 1276928 C:\WINDOWS\system32\firefoxupdateg.exe]
"NeroFilterCheck"="C:\WINDOWS\system32\NeroCheck.exe" [2001-07-09 10:50 155648]
"GrooveMonitor"="C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe" [2006-10-27 00:47 31016]
"a8ee4813"="C:\WINDOWS\system32\idbwxnut.dll" [ ]
"QuickTime Task"="C:\Program Files\QuickTime\QTTask.exe" [2007-12-11 10:56 286720]
"iTunesHelper"="C:\Program Files\iTunes\iTunesHelper.exe" [2007-12-11 12:10 267048]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_04\bin\jusched.exe" [2007-12-14 03:42 144784]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices]
"firefox"="firefoxupdateg.exe" [2007-06-13 02:23 1276928 C:\WINDOWS\system32\firefoxupdateg.exe]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Post-itr Digital Notes.lnk - C:\Program Files\3M\PDNotes\PDNotes.exe [2006-03-21 13:23:30]

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\shell executehooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= C:\Program Files\SUPERAntiSpyware\SASSEH.DLL [2006-12-20 13:55 77824]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
C:\Program Files\SUPERAntiSpyware\SASWINLO.dll 2007-04-19 13:41 294912 C:\Program Files\SUPERAntiSpyware\SASWINLO.dll

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run-]
"MSMSGS"="C:\Program Files\Messenger\msmsgs.exe" /background
"Window Washer"=C:\Program Files\Webroot\Washer\wwDisp.exe
"ctfmon.exe"=C:\WINDOWS\system32\ctfmon.exe

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run-]
"QuickTime Task"="C:\Program Files\QuickTime\QTTask.exe" -atboottime
"iTunesHelper"="C:\Program Files\iTunes\iTunesHelper.exe"
"SunJavaUpdateSched"=C:\Program Files\Java\jre1.5.0_03\bin\jusched.exe
"SoundMan"=SOUNDMAN.EXE
"HotKeysCmds"=C:\WINDOWS\System32\hkcmd.exe
"Zune Launcher"="C:\Program Files\Zune\ZuneLauncher.exe"
"KernelFaultCheck"=%systemroot%\system32\dumprep 0 -k

R1 oreans32;oreans32;C:\WINDOWS\system32\drivers\oreans32.sys [2008-01-12 23:04]
R2 UxTuneUp;TuneUp Theme Extension;C:\WINDOWS\System32\svchost.exe [2004-08-04 00:56]
S3 NAL;Nal Service ;C:\WINDOWS\System32\Drivers\iqvw32.sys [2002-10-16 00:11]
S3 NPF;NetGroup Packet Filter Driver;C:\WINDOWS\system32\drivers\npf.sys [2007-01-25 09:31]

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Svchost - NetSvcs
UxTuneUp

.
Contents of the 'Scheduled Tasks' folder
"2008-01-12 01:15:00 C:\WINDOWS\Tasks\1-Click Maintenance.job"
- C:\Program Files\TuneUp Utilities 2007\SystemOptimizer.exe
"2008-01-10 09:22:55 C:\WINDOWS\Tasks\AppleSoftwareUpdate.job"
- C:\Program Files\Apple Software Update\SoftwareUpdate.exe
"2008-01-13 07:26:02 C:\WINDOWS\Tasks\Check Updates for Windows Live Toolbar.job"
- C:\Program Files\Windows Live Toolbar\MSNTBUP.EXE
.
**************************************************************************

catchme 0.3.1344 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-01-12 23:37:06
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

disk error: C:\WINDOWS\

**************************************************************************

[HKEY_LOCAL_MACHINE\system\ControlSet001\Services\catchme]
"ImagePath"="\??\C:\DOCUME~1\Owner\LOCALS~1\Temp\catchme.sys"
.
Completion time: 2008-01-12 23:39:44 - machine was rebooted
ComboFix-quarantined-files.txt 2008-01-13 07:38:49
.
Byteman
Moderator & Malware Removal Specialist with 17,387 posts.
Join Date: Jan 2002
Location: NY
Experience: Junkware Jouster
13-Jan-2008, 05:03 AM #38
Hi,

Sorry for the holdup; the one file in question needs to be scanned at a site where you can scan just one file.


Make sure you have these settings done:

Quote:
Because XP will not always show you hidden files and folders by default, go to Start > Search > Files and Folders, and under "More advanced search options"
make sure there is a check by "Search System Folders", "Search hidden files and folders" and "Search system subfolders".

Next click on My Computer. Go to Tools > Folder Options. Click on the View tab and make sure that "Show hidden files and folders" is checked. Also uncheck "Hide protected operating system files" and "Hide extensions for known file types" . Now click "Apply to all folders"
Click "Apply" then "OK"

Go here http://virusscan.jotti.org/

Use the Browse button and navigate to the file which is here:

C:\WINDOWS\SYSTEM32\DRIVERS\OREANS32.SYS << highlight this file by clicking it once with the mouse cursor; the path will then show up in the box at the Jotti site. Hit the Submit button to upload the file for a very quick exam.

Then, you MUST post back the results, so copy and paste them while you have them up on your screen.
Byteman
Moderator & Malware Removal Specialist with 17,387 posts.
Join Date: Jan 2002
Location: NY
Experience: Junkware Jouster
13-Jan-2008, 05:05 AM #39
Hi, I had to make a change to my reply about hidden files etc.; make sure you set those settings so you can actually find that file to have it scanned.
Byteman
Moderator & Malware Removal Specialist with 17,387 posts.
Join Date: Jan 2002
Location: NY
Experience: Junkware Jouster
13-Jan-2008, 05:46 AM #40
Hi, I have more information now: the oreans32.sys driver file can be legitimately used as file protection; some games include copy protection from Themida. Our problem is whether the service is being used to hide the definite trojans you have had, so it gets a little hard to determine what to do.

The file oreans32.sys itself should scan at Jotti as clean, or as a file protector or "rootkit"; we will see later today, probably.

There are a lot of conflicting ideas about how to tell just when it's bad, and when not.

It should not do any harm to remove it, and here's the scoop on how we can tell: is there one of the games you play that does not start now (when oreans32.sys is removed)?

And if, after you play the game that is suspect, that file appears again, then it probably is OK to leave alone.

It also might depend on where you got the game from; if it was downloaded (be sincere now) through a file-sharing P2P program, it might be being used to disguise malware, and you sure had a lot of that. Malware makers are wise to drivers that are not being detected by most antivirus programs, and use them or their processes to get the malware skipped, or so I am reading.

At this point, if everything works and nothing else is being found except the oreans32.sys (that is, no more Vundo etc.), then you should be OK, but only time will tell.

Maybe by now you recall that yesterday you started up one game, and that was when SUPERAntiSpyware picked up all the oreans32.sys items, just before those scans with SUPERAntiSpyware were done. Ring any bells?


Do this next:


Open notepad and copy/paste the text in the codebox below into it:
Save this as CFScript.txt and, Save As Type: All Files (*.*)

Code:
File::
C:\WINDOWS\QTFont.qfn
C:\WINDOWS\QTFont.for
C:\WINDOWS\system32\sqlmfvwd.dll
C:\WINDOWS\system32\idbwxnut.dll
Registry::
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{e8929c74-5d5a-4655-83f6-9efe65498172}]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"a8ee4813"=-



Then drag the CFScript.txt into ComboFix.exe as you see in the screenshot below.



This will start ComboFix again. After the reboot (in case it asks to reboot), post the contents of ComboFix.txt in your next reply together with a new HijackThis log.

Last edited by Byteman; 13-Jan-2008 at 05:53 AM..
Metaphor
Junior Member with 1 post.
Join Date: Jan 2008
Location: Georgia
Experience: Beginner
13-Jan-2008, 06:09 AM #41
About my router
Well, this all started about two weeks ago when my connection just started dropping randomly, or more like every 5 minutes. I play Xbox Live a lot, so I only really noticed it there, but I think it's my router; I have all of the ports in use and also I'm running my laptop on wireless. When I play on Xbox Live I get disconnected, but as weird as it is, I can just connect instantly after I disconnect. I don't know what the problem is. It's not just Xbox Live, it affects my internet as well; I can't watch movies or listen to songs or anything on my CPU, so let me know if you know what might be causing it. I'm new here, so please send it in a message.
ryanryan007
Member with 48 posts.
Join Date: Jan 2008
Experience: Beginner
13-Jan-2008, 07:06 AM #42
File: oreans32.sys
Status:
OK (Note: file has been scanned before. Therefore, this file's scan results will not be stored in the database)
MD5: aad837bf3b475092fd515cd0842334e9
Packers detected:
-
Bit9 reports: No threat detected
Scanner results
Scan taken on 13 Jan 2008 11:00:11 (GMT)
AntiVir
Found nothing
ArcaVir
Found nothing
Avast
Found nothing
AVG Antivirus
Found nothing
BitDefender
Found nothing
ClamAV
Found nothing
CPsecure
Found nothing
Dr.Web
Found nothing
F-Prot Antivirus
Found nothing
F-Secure Anti-Virus
Found nothing
Fortinet
Found nothing
Ikarus
Found nothing
Kaspersky Anti-Virus
Found nothing
NOD32
Found nothing
Norman Virus Control
Found nothing
Panda Antivirus
Found nothing
Rising Antivirus
Found nothing
Sophos Antivirus
Found nothing
VirusBuster
Found nothing
VBA32
Found nothing
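A multi-scanner report like the one above only says something about the bytes that were uploaded, so a practitioner also confirms that the copy still on disk is the copy the report describes. The script below is an added example, not code from the thread or from Jotti: it parses a Jotti-style listing (a trimmed, constructed copy of the format posted above is embedded), tallies which scanners flagged the file, and compares the MD5 of a local file with the MD5 the report quotes. The alternating scanner-name / verdict layout and the exact "Found nothing" wording are assumptions taken from the posted output.

```python
"""Check a multi-scanner verdict against the file actually on disk.

Added example, not part of the thread or of Jotti: it reads a Jotti-style
result listing, tallies which scanners flagged the file, and confirms that
the MD5 of the local copy matches the MD5 the report quotes, so the verdict
you post back really describes the driver you uploaded.
"""
import hashlib
import os
import re
import tempfile

# Constructed sample: a trimmed copy of the report format posted above.
SAMPLE_REPORT = """\
File: oreans32.sys
Status:
OK(Note: file has been scanned before. Therefore, this file's scan results will not be stored in the database)
MD5: aad837bf3b475092fd515cd0842334e9
Packers detected:
-
Bit9 reports: No threat detected
Scanner results
Scan taken on 13 Jan 2008 11:00:11 (GMT)
AntiVir
Found nothing
Avast
Found nothing
BitDefender
Found nothing
ClamAV
Found nothing
Kaspersky Anti-Virus
Found nothing
NOD32
Found nothing
"""

MD5_RE = re.compile(r"^MD5:\s*([0-9a-fA-F]{32})\s*$")


def parse_report(text):
    """Return (reported_md5, {scanner: verdict}) from a listing.

    Assumes the layout shown above: one "MD5:" line, then a "Scanner results"
    heading followed by alternating scanner-name / verdict lines.
    """
    lines = [ln.strip() for ln in text.splitlines()]
    reported = None
    for ln in lines:
        m = MD5_RE.match(ln)
        if m:
            reported = m.group(1).lower()
            break
    verdicts = {}
    if "Scanner results" not in lines:
        return reported, verdicts
    body = lines[lines.index("Scanner results") + 1:]
    body = [ln for ln in body if ln and not ln.startswith("Scan taken on")]
    for name, verdict in zip(body[0::2], body[1::2]):
        verdicts[name] = verdict
    return reported, verdicts


def detections(verdicts):
    """Names of scanners whose verdict is anything but a clean result."""
    return sorted(n for n, v in verdicts.items() if v.lower() != "found nothing")


def md5_file(path, chunk=1 << 16):
    """Hex MD5 of a file, read in chunks so large drivers are not slurped."""
    h = hashlib.md5()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()


def verdict_applies(path, reported_md5):
    """True only when the local file is the one the report was made for."""
    return reported_md5 is not None and md5_file(path) == reported_md5.lower()


def sample_file(data=b"abc"):
    """Write constructed bytes to a temporary file and return its path."""
    fd, path = tempfile.mkstemp(suffix=".sys")
    with os.fdopen(fd, "wb") as f:
        f.write(data)
    return path


if __name__ == "__main__":
    md5, verdicts = parse_report(SAMPLE_REPORT)
    print("reported MD5:", md5, "| scanners:", len(verdicts), "| flagged:", detections(verdicts))
    # Point this at the real driver to confirm the report matches your copy:
    # print(verdict_applies(r"C:\WINDOWS\system32\drivers\oreans32.sys", md5))
```

If `verdict_applies` returns False for the file on disk, the clean result is not evidence about that file; re-upload the current copy before drawing any conclusion from the scanner list.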
ryanryan007
Member with 48 posts.
Join Date: Jan 2008
Experience: Beginner
13-Jan-2008, 07:16 AM #43
New ComboFix log
ComboFix 08-01-13.1 - Owner 2008-01-13 3:09:22.2 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.226 [GMT -8:00]
Running from: C:\Documents and Settings\Owner\Desktop\ComboFix.exe
Command switches used :: C:\Documents and Settings\Owner\Desktop\CFScript.txt
* Created a new restore point

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!

FILE
C:\WINDOWS\QTFont.for
C:\WINDOWS\QTFont.qfn
C:\WINDOWS\system32\idbwxnut.dll
C:\WINDOWS\system32\sqlmfvwd.dll
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\WINDOWS\QTFont.for
C:\WINDOWS\QTFont.qfn

.
((((((((((((((((((((((((( Files Created from 2007-12-13 to 2008-01-13 )))))))))))))))))))))))))))))))
.

2008-01-12 23:28 . 2000-08-31 08:00 51,200 --a------ C:\WINDOWS\NirCmd.exe
2008-01-12 23:04 . 2008-01-12 23:04 33,952 --a------ C:\WINDOWS\system32\drivers\oreans32.sys
2008-01-12 15:29 . 2008-01-12 15:29 <DIR> d-------- C:\Program Files\WinPcap
2008-01-12 15:27 . 2008-01-12 23:02 <DIR> d-------- C:\Program Files\WMR11
2008-01-12 01:56 . 2007-12-14 01:59 69,632 --a------ C:\WINDOWS\system32\javacpl.cpl
2008-01-12 01:55 . 2008-01-12 01:55 <DIR> d-------- C:\Program Files\Common Files\Java
2008-01-10 12:35 . 2008-01-10 12:35 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\SUPERAntiSpyware.com
2008-01-10 12:34 . 2008-01-12 23:06 <DIR> d-------- C:\Program Files\SUPERAntiSpyware
2008-01-10 12:34 . 2008-01-10 12:34 <DIR> d-------- C:\Documents and Settings\Owner\Application Data\SUPERAntiSpyware.com
2008-01-10 01:26 . 2008-01-10 01:26 <DIR> d-------- C:\Program Files\iTunes
2008-01-10 01:26 . 2008-01-10 01:26 <DIR> d-------- C:\Program Files\iPod
2008-01-10 01:22 . 2008-01-11 03:40 <DIR> d-------- C:\WINDOWS\SxsCaPendDel
2008-01-10 00:22 . 2008-01-10 01:09 <DIR> d-------- C:\VundoFix Backups
2008-01-09 09:02 . 2008-01-09 09:02 <DIR> d-------- C:\Program Files\Trend Micro
2008-01-05 19:31 . 2008-01-05 19:28 102,664 --a------ C:\WINDOWS\system32\drivers\tmcomm.sys
2008-01-05 19:28 . 2008-01-05 19:34 <DIR> d-------- C:\Documents and Settings\Owner\.housecall6.6
2008-01-01 13:35 . 2008-01-01 13:51 <DIR> d-------- C:\Program Files\mIRC
2008-01-01 13:35 . 2008-01-01 14:05 <DIR> d-------- C:\Documents and Settings\Owner\Application Data\mIRC
2007-12-23 00:43 . 2007-12-23 00:43 <DIR> d-------- C:\Documents and Settings\Owner\Application Data\Yahoo!
2007-12-23 00:43 . 2007-12-23 00:45 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Yahoo! Companion

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-01-13 00:05 --------- d-----w C:\Documents and Settings\Owner\Application Data\uTorrent
2008-01-12 09:56 --------- d-----w C:\Program Files\Java
2008-01-10 20:34 --------- d-----w C:\Program Files\Common Files\Wise Installation Wizard
2008-01-10 09:24 --------- d-----w C:\Program Files\QuickTime
2008-01-10 09:22 --------- d-----w C:\Program Files\Apple Software Update
2008-01-07 13:00 --------- d-----w C:\Program Files\Folder Lock
2008-01-06 13:59 --------- d-----w C:\Program Files\uTorrent
2008-01-06 01:47 --------- d-----w C:\Program Files\TVUPlayer
2008-01-02 03:13 --------- d-----w C:\Documents and Settings\Owner\Application Data\Vso
2007-12-24 02:04 --------- d-----w C:\Documents and Settings\Owner\Application Data\LimeWire
2007-12-23 08:43 --------- d-----w C:\Program Files\Yahoo!
2007-12-21 22:10 --------- d-----w C:\Program Files\Messenger Plus! Live
2007-12-17 07:33 --------- d-----w C:\Documents and Settings\All Users\Application Data\Messenger Plus!
2007-12-13 11:08 --------- d-----w C:\Documents and Settings\All Users\Application Data\Microsoft Help
2007-12-09 06:34 --------- d-----w C:\Program Files\Microsoft Works
2007-12-09 06:33 --------- d-----w C:\Program Files\MSBuild
2007-12-09 06:29 --------- d-----w C:\Program Files\Microsoft.NET
2007-12-09 06:23 --------- d-----w C:\Program Files\Microsoft Visual Studio 8
2007-12-04 14:56 93,264 ----a-w C:\WINDOWS\system32\drivers\aswmon.sys
2007-12-04 14:55 94,544 ----a-w C:\WINDOWS\system32\drivers\aswmon2.sys
2007-12-04 14:53 23,152 ----a-w C:\WINDOWS\system32\drivers\aswRdr.sys
2007-12-04 14:51 42,912 ----a-w C:\WINDOWS\system32\drivers\aswTdi.sys
2007-12-04 14:49 26,624 ----a-w C:\WINDOWS\system32\drivers\aavmker4.sys
2007-12-04 13:04 837,496 ----a-w C:\WINDOWS\system32\aswBoot.exe
2007-12-04 12:54 95,608 ----a-w C:\WINDOWS\system32\AvastSS.scr
2007-12-04 11:21 --------- d-----w C:\Program Files\Windows Live Toolbar
2007-12-03 10:29 --------- d-----w C:\Program Files\Common Files\Raxco
2007-12-03 10:29 --------- d-----w C:\Documents and Settings\All Users\Application Data\Raxco
2007-12-02 18:38 --------- d-----w C:\Program Files\Alex Feinman
2007-12-02 09:19 --------- d-----w C:\Program Files\MagicISO
2007-12-02 07:38 --------- d-----w C:\Program Files\MP3Gain
2007-12-02 06:56 --------- d-----w C:\Program Files\Smart Projects
2007-12-02 06:49 --------- d-----w C:\Program Files\Common Files\Ahead
2007-12-02 06:49 --------- d-----w C:\Program Files\Ahead
2007-12-02 06:31 --------- d-----w C:\Program Files\MediaMonkey
2007-12-01 01:19 --------- d-----w C:\Documents and Settings\Owner\Application Data\TVU Networks
2007-11-30 09:15 --------- d-----w C:\Documents and Settings\Owner\Application Data\dvdcss
2007-11-29 20:10 --------- d--h--w C:\Program Files\InstallShield Installation Information
2007-11-29 20:10 --------- d-----w C:\Program Files\Ross Histology
2007-11-25 09:25 --------- d-----w C:\Program Files\MP3ext
2007-11-25 09:15 --------- d-----w C:\Program Files\Winamp
2007-11-25 09:15 --------- d-----w C:\Program Files\Mp3tag
2007-11-24 22:07 --------- d-----w C:\Program Files\MSN Messenger
2007-11-13 10:25 20,480 ----a-w C:\WINDOWS\system32\drivers\secdrv.sys
2007-11-07 09:26 721,920 ----a-w C:\WINDOWS\system32\lsasrv.dll
2007-10-29 22:43 1,287,680 ----a-w C:\WINDOWS\system32\quartz.dll
2007-10-28 01:40 222,720 ----a-w C:\WINDOWS\system32\wmasf.dll
2007-03-28 04:23 89,052 ----a-w C:\WINDOWS\Internet Logs\vsmon_2nd_2007_03_27_21_21_20_small.dmp.zip
2007-03-28 04:23 22,656,498 ----a-w C:\WINDOWS\Internet Logs\vsmon_on_demand_2007_03_27_21_20_56_full.dmp.zip
2007-03-27 05:03 22,655,457 ----a-w C:\WINDOWS\Internet Logs\vsmon_on_demand_2007_03_25_21_15_31_full.dmp.zip
2007-03-24 20:36 22,396,790 ----a-w C:\WINDOWS\Internet Logs\vsmon_on_demand_2007_03_22_22_47_09_full.dmp.zip
2007-03-13 21:29 93,084 ----a-w C:\WINDOWS\Internet Logs\vsmon_2nd_2007_03_13_14_11_54_small.dmp.zip
2007-03-09 02:07 105,147 ----a-w C:\WINDOWS\Internet Logs\vsmon_2nd_2007_03_06_18_12_33_small.dmp.zip
2007-03-07 04:53 88,047 ----a-w C:\WINDOWS\Internet Logs\vsmon_2nd_2007_03_06_20_32_00_small.dmp.zip
2007-02-26 00:41 93,830 ----a-w C:\WINDOWS\Internet Logs\vsmon_2nd_2007_02_24_15_05_10_small.dmp.zip
2007-02-16 19:17 89,836 ----a-w C:\WINDOWS\Internet Logs\vsmon_2nd_2007_02_16_11_13_47_small.dmp.zip
2007-02-14 05:07 784 ----a-w C:\Documents and Settings\Owner\Application Data\mpauth.dat
2004-10-06 08:52 22,555,648 ----a-w C:\Program Files\setup.exe
2004-10-05 20:54 27,494 ----a-w C:\Program Files\Readme.txt
2004-09-22 17:07 25,047 ------w C:\Program Files\License.rtf
2005-07-14 18:31 27,648 --sha-w C:\WINDOWS\system32\AVSredirect.dll
2007-06-13 10:23 1,276,928 --sha-r C:\WINDOWS\system32\firefoxupdateg.exe
2007-07-30 00:58 16,753,440 --sha-w C:\WINDOWS\system32\drivers\fidbox.dat
2007-07-26 10:09 548,896 --sha-w C:\WINDOWS\system32\drivers\fidbox2.dat
.

((((((((((((((((((((((((((((( snapshot@2008-01-12_23.38.35.56 )))))))))))))))))))))))))))))))))))))))))
.
- 2008-01-13 07:28:47 233,472 ----a-w C:\WINDOWS\erdnt\Hiv-backup\Users\00000001\NTUSER.DAT
+ 2008-01-13 11:09:16 233,472 ----a-w C:\WINDOWS\erdnt\Hiv-backup\Users\00000001\NTUSER.DAT
- 2008-01-13 07:28:47 8,192 ----a-w C:\WINDOWS\erdnt\Hiv-backup\Users\00000002\UsrClass.dat
+ 2008-01-13 11:09:16 8,192 ----a-w C:\WINDOWS\erdnt\Hiv-backup\Users\00000002\UsrClass.dat
- 2008-01-13 07:28:47 229,376 ----a-w C:\WINDOWS\erdnt\Hiv-backup\Users\00000003\ntuser.dat
+ 2008-01-13 11:09:16 229,376 ----a-w C:\WINDOWS\erdnt\Hiv-backup\Users\00000003\ntuser.dat
- 2008-01-13 07:28:47 8,192 ----a-w C:\WINDOWS\erdnt\Hiv-backup\Users\00000004\UsrClass.dat
+ 2008-01-13 11:09:16 8,192 ----a-w C:\WINDOWS\erdnt\Hiv-backup\Users\00000004\UsrClass.dat
- 2008-01-13 07:28:47 6,254,592 ----a-w C:\WINDOWS\erdnt\Hiv-backup\Users\00000005\ntuser.dat
+ 2008-01-13 11:09:17 6,303,744 ----a-w C:\WINDOWS\erdnt\Hiv-backup\Users\00000005\ntuser.dat
- 2008-01-13 07:28:47 299,008 ----a-w C:\WINDOWS\erdnt\Hiv-backup\Users\00000006\UsrClass.dat
+ 2008-01-13 11:09:17 299,008 ----a-w C:\WINDOWS\erdnt\Hiv-backup\Users\00000006\UsrClass.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"msnmsgr"="C:\Program Files\MSN Messenger\msnmsgr.exe" [2007-01-19 12:54 5674352]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 00:56 15360]
"SUPERAntiSpyware"="C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe" [2007-06-21 14:06 1318912]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"avast!"="C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe" [2007-12-04 05:00 79224]
"Zune Launcher"="C:\Program Files\Zune\ZuneLauncher.exe" [2007-03-14 16:03 24104]
"TkBellExe"="C:\Program Files\Common Files\Real\Update_OB\realsched.exe" [2007-10-06 06:49 185632]
"firefox"="firefoxupdateg.exe" [2007-06-13 02:23 1276928 C:\WINDOWS\system32\firefoxupdateg.exe]
"NeroFilterCheck"="C:\WINDOWS\system32\NeroCheck.exe" [2001-07-09 10:50 155648]
"GrooveMonitor"="C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe" [2006-10-27 00:47 31016]
"QuickTime Task"="C:\Program Files\QuickTime\QTTask.exe" [2007-12-11 10:56 286720]
"iTunesHelper"="C:\Program Files\iTunes\iTunesHelper.exe" [2007-12-11 12:10 267048]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_04\bin\jusched.exe" [2007-12-14 03:42 144784]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices]
"firefox"="firefoxupdateg.exe" [2007-06-13 02:23 1276928 C:\WINDOWS\system32\firefoxupdateg.exe]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Post-itr Digital Notes.lnk - C:\Program Files\3M\PDNotes\PDNotes.exe [2006-03-21 13:23:30]

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\shell executehooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= C:\Program Files\SUPERAntiSpyware\SASSEH.DLL [2006-12-20 13:55 77824]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
C:\Program Files\SUPERAntiSpyware\SASWINLO.dll 2007-04-19 13:41 294912 C:\Program Files\SUPERAntiSpyware\SASWINLO.dll

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run-]
"MSMSGS"="C:\Program Files\Messenger\msmsgs.exe" /background
"Window Washer"=C:\Program Files\Webroot\Washer\wwDisp.exe
"ctfmon.exe"=C:\WINDOWS\system32\ctfmon.exe

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run-]
"QuickTime Task"="C:\Program Files\QuickTime\QTTask.exe" -atboottime
"iTunesHelper"="C:\Program Files\iTunes\iTunesHelper.exe"
"SunJavaUpdateSched"=C:\Program Files\Java\jre1.5.0_03\bin\jusched.exe
"SoundMan"=SOUNDMAN.EXE
"HotKeysCmds"=C:\WINDOWS\System32\hkcmd.exe
"Zune Launcher"="C:\Program Files\Zune\ZuneLauncher.exe"
"KernelFaultCheck"=%systemroot%\system32\dumprep 0 -k

R1 oreans32;oreans32;C:\WINDOWS\system32\drivers\oreans32.sys [2008-01-12 23:04]
R2 UxTuneUp;TuneUp Theme Extension;C:\WINDOWS\System32\svchost.exe [2004-08-04 00:56]
S3 NAL;Nal Service ;C:\WINDOWS\System32\Drivers\iqvw32.sys [2002-10-16 00:11]
S3 NPF;NetGroup Packet Filter Driver;C:\WINDOWS\system32\drivers\npf.sys [2007-01-25 09:31]

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Svchost - NetSvcs
UxTuneUp

*Newly Created Service* - CATCHME
.
Contents of the 'Scheduled Tasks' folder
"2008-01-12 01:15:00 C:\WINDOWS\Tasks\1-Click Maintenance.job"
- C:\Program Files\TuneUp Utilities 2007\SystemOptimizer.exe
"2008-01-10 09:22:55 C:\WINDOWS\Tasks\AppleSoftwareUpdate.job"
- C:\Program Files\Apple Software Update\SoftwareUpdate.exe
"2008-01-13 10:26:02 C:\WINDOWS\Tasks\Check Updates for Windows Live Toolbar.job"
- C:\Program Files\Windows Live Toolbar\MSNTBUP.EXE
.
**************************************************************************

catchme 0.3.1344 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-01-13 03:12:58
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

disk error: C:\WINDOWS\

**************************************************************************
.
Completion time: 2008-01-13 3:14:16
ComboFix-quarantined-files.txt 2008-01-13 11:13:24
ComboFix2.txt 2008-01-13 07:39:45
.
2008-01-13 11:01:08 --- E O F ---



P.S. I deleted the oreans32 file after I did the scan; I hope that doesn't skew the results.
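Reading a ComboFix log like the one above means cross-checking the "Reg Loading Points" autostart entries against the attribute column of the "Find3M Report". The script below is an added example, written here to show that triage; it is not part of ComboFix or of this thread, and its three rules (an autostart value that is only a bare filename, an image with hidden+system attributes, the same image registered under more than one autostart key) are the reviewer's own heuristics. A flag means "look at this", not "this is malware". The embedded sample is a constructed handful of lines copied from the log above, and the assumption that ComboFix appends the resolved path inside the brackets when the value is not a full path is drawn from that log's format.

```python
"""Triage helper for ComboFix-style log text.

Added example; it is not part of ComboFix or of this thread.  It cross-
references the "Reg Loading Points" autostart entries with the attribute
column of the "Find3M Report" and lists entries that deserve a closer look.
A flag is a prompt for manual review, not a verdict: the three rules (bare
filename, hidden+system attributes, one image under several autostart keys)
are the reviewer's own heuristics, not anything the log itself asserts.
"""
import re
from collections import defaultdict

# Constructed sample: a handful of lines copied from the log above.
REG_SAMPLE = r"""
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"avast!"="C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe" [2007-12-04 05:00 79224]
"firefox"="firefoxupdateg.exe" [2007-06-13 02:23 1276928 C:\WINDOWS\system32\firefoxupdateg.exe]
"QuickTime Task"="C:\Program Files\QuickTime\QTTask.exe" [2007-12-11 10:56 286720]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices]
"firefox"="firefoxupdateg.exe" [2007-06-13 02:23 1276928 C:\WINDOWS\system32\firefoxupdateg.exe]
"""

FIND3M_SAMPLE = r"""
2007-12-04 14:56 93,264 ----a-w C:\WINDOWS\system32\drivers\aswmon.sys
2005-07-14 18:31 27,648 --sha-w C:\WINDOWS\system32\AVSredirect.dll
2007-06-13 10:23 1,276,928 --sha-r C:\WINDOWS\system32\firefoxupdateg.exe
"""

KEY_RE = re.compile(r"^\[(?P<key>[^\]]+)\]$")
# "name"="value" [date time size optional-resolved-path]; lines without the
# bracketed metadata (the disabled "run-" entries in the log) are skipped.
ENTRY_RE = re.compile(r'^"(?P<name>[^"]*)"=(?P<value>.*?)\s*\[(?P<meta>[^\]]*)\]$')
META_RE = re.compile(r"^\d{4}-\d\d-\d\d \d\d:\d\d \d+(?: (?P<path>.+))?$")
ATTR_RE = re.compile(r"^\d{4}-\d\d-\d\d \d\d:\d\d\s+[\d,]+\s+(?P<attrs>[-a-z]{7})\s+(?P<path>.+)$")
FULL_PATH_RE = re.compile(r"^(?:[A-Za-z]:\\|%)")


def image_path(value, meta):
    """Executable an autostart value points at.

    Assumption drawn from the log format: when the value is not a full path,
    ComboFix appends the path it resolved to after the size in the brackets.
    """
    m = META_RE.match(meta.strip())
    if m and m.group("path"):
        return m.group("path").strip()
    value = value.strip()
    if value.startswith('"'):
        return value[1:].split('"', 1)[0]   # quoted path, arguments dropped
    return value.split(" ", 1)[0]           # unquoted path, arguments dropped


def parse_autostarts(text):
    """Yield (key, name, value, path) for each entry under a [key] header."""
    key = None
    for line in text.splitlines():
        line = line.strip()
        k = KEY_RE.match(line)
        if k:
            key = k.group("key")
            continue
        e = ENTRY_RE.match(line)
        if e and key:
            yield key, e.group("name"), e.group("value"), image_path(e.group("value"), e.group("meta"))


def parse_attrs(text):
    """Map lower-cased path -> attribute field (e.g. '--sha-r') from Find3M lines."""
    out = {}
    for line in text.splitlines():
        m = ATTR_RE.match(line.strip())
        if m:
            out[m.group("path").strip().lower()] = m.group("attrs")
    return out


def triage(reg_text, find3m_text):
    """Return {lower-cased image path: sorted reasons} for entries to review."""
    attrs = parse_attrs(find3m_text)
    entries = list(parse_autostarts(reg_text))
    keys_by_path = defaultdict(set)
    for key, _name, _value, path in entries:
        keys_by_path[path.lower()].add(key)
    reasons = defaultdict(set)
    for key, _name, value, path in entries:
        p = path.lower()
        if not FULL_PATH_RE.match(value.strip().strip('"')):
            reasons[p].add("value is a bare filename, resolved through the search path")
        a = attrs.get(p, "")
        if "s" in a and "h" in a:
            reasons[p].add("file carries hidden+system attributes (%s)" % a)
        if len(keys_by_path[p]) > 1:
            reasons[p].add("same image under %d autostart keys" % len(keys_by_path[p]))
    return {p: sorted(r) for p, r in reasons.items()}


if __name__ == "__main__":
    for path, why in triage(REG_SAMPLE, FIND3M_SAMPLE).items():
        print(path)
        for reason in why:
            print("  -", reason)
```

On the sample, only one image collects flags; the next step for anything flagged is exactly what Byteman does above for oreans32.sys: hash it, submit it to a multi-scanner service, and decide from the result rather than from the flag.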
ryanryan007
Member with 48 posts.
Join Date: Jan 2008
Experience: Beginner
13-Jan-2008, 07:17 AM #44
New HJT log
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 3:16:37 AM, on 1/13/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16574)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Raxco\PerfectDisk\PDAgent.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\wwSecure.exe
C:\Program Files\Raxco\PerfectDisk\PDEngine.exe
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\Program Files\Zune\ZuneLauncher.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\WINDOWS\system32\firefoxupdateg.exe
C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe
C:\Program Files\QuickTime\QTTask.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Java\jre1.6.0_04\bin\jusched.exe
C:\Program Files\MSN Messenger\msnmsgr.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\3M\PDNotes\PDNotes.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\explorer.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: &Yahoo! Toolbar Helper - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: Groove GFS Browser Helper - {72853161-30C5-4D22-B7F9-0BBC1D38A37E} - C:\PROGRA~1\MICROS~2\Office12\GRA8E1~1.DLL
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_04\bin\ssv.dll
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: Windows Live Toolbar Helper - {BDBD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\Windows Live Toolbar\msntb.dll
O3 - Toolbar: Windows Live Toolbar - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\Windows Live Toolbar\msntb.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [Zune Launcher] "C:\Program Files\Zune\ZuneLauncher.exe"
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [firefox] firefoxupdateg.exe
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [GrooveMonitor] "C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_04\bin\jusched.exe"
O4 - HKLM\..\RunServices: [firefox] firefoxupdateg.exe
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
O4 - Global Startup: Post-it® Digital Notes.lnk = ?
O8 - Extra context menu item: &Windows Live Search - res://C:\Program Files\Windows Live Toolbar\msntb.dll/search.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office12\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_04\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_04\bin\ssv.dll
O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\Office12\REFIEBAR.DLL
O9 - Extra button: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\WINDOWS\System32\shdocvw.dll
O9 - Extra 'Tools' menuitem: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\WINDOWS\System32\shdocvw.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {3EA4FA88-E0BE-419A-A732-9B79B87A6ED0} (CTVUAxCtrl Object) - http://dl.tvunetworks.com/TVUAx.cab
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://gfx2.hotmail.com/mail/w2/pr02...s/MSNPUpld.cab
O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} (RdxIE Class) - http://software-dl.real.com/14ffe564...p/RdxIE601.cab
O16 - DPF: {5C6698D9-7BE4-4122-8EC5-291D84DBD4A0} - http://upload.facebook.com/controls/...oUploader2.cab
O16 - DPF: {5F8469B4-B055-49DD-83F7-62B522420ECC} (Facebook Photo Uploader Control) - http://upload.facebook.com/controls/...toUploader.cab
O16 - DPF: {F137B9BA-89EA-4B04-9C67-2074A9DF61FD} (Photo Upload Plugin Class) - http://walmart.pnimedia.com/upload/a...v2.0.0.10.cab?
O18 - Protocol: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - C:\PROGRA~1\MICROS~2\Office12\GR99D3~1.DLL
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
O23 - Service: avast! Web Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
O23 - Service: Imapi Helper - Alex Feinman - C:\Program Files\Alex Feinman\ISO Recorder\ImapiHelper.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Intel NCS NetService (NetSvc) - Intel(R) Corporation - C:\Program Files\Intel\NCS\Sync\NetSvc.exe
O23 - Service: PDAgent - Raxco Software, Inc. - C:\Program Files\Raxco\PerfectDisk\PDAgent.exe
O23 - Service: PDEngine - Raxco Software, Inc. - C:\Program Files\Raxco\PerfectDisk\PDEngine.exe
O23 - Service: Remote Packet Capture Protocol v.0 (experimental) (rpcapd) - CACE Technologies - C:\Program Files\WinPcap\rpcapd.exe
O23 - Service: Spyware Doctor Auxiliary Service (sdAuxService) - PC Tools - C:\Program Files\Spyware Doctor\svcntaux.exe
O23 - Service: Spyware Doctor Service (sdCoreService) - PC Tools - C:\Program Files\Spyware Doctor\swdsvc.exe
O23 - Service: Washer Security Access (wwSecSvc) - Webroot Software, Inc. - C:\WINDOWS\system32\wwSecure.exe
O24 - Desktop Component 0: (no name) - file:///C:/DOCUME~1/Owner/LOCALS~1/Temp/msohtml1/01/clip_image002.jpg

--
End of file - 8697 bytes
Byteman
Moderator & Malware Removal Specialist with 17,387 posts.
Join Date: Jan 2002
Location: NY
Experience: Junkware Jouster
13-Jan-2008, 02:12 PM #45
Hi, the latest log looks good. I want to wait before we do anything further with oreans32.sys; it's OK if you tried to delete it, as it will usually return anyhow.

See what games or software doesn't work- make a note of them.

If you've been up all night, best if you take a break.

I'm going to ask for some opinions about the file, and that will take a bit of time, so check back later for my reply.

In the meantime, if you want to do anything further, do one of these online scans and post the results from it:

Housecall online scan:
http://www.trendsecure.com/portal/en...security_tools



HERE to run Panda's ActiveScan
  • Once you are on the Panda site click the Scan your PC button
  • A new window will open...click the Check Now button
  • Enter your Country
  • Enter your State/Province
  • Enter your e-mail address and click send
  • Select either Home User or Company
  • Click the big Scan Now button
  • If it wants to install an ActiveX component allow it
  • It will start downloading the files it requires for the scan (Note: It may take a couple of minutes)
  • When download is complete, click on My Computer to start the scan
  • When the scan completes, if anything malicious is detected, click the See Report button, then Save Report and save it to a convenient location. Post the contents of the ActiveScan report



Get some rest and check back later!
All times are GMT -4.
Copyright © 1996 - 2011 TechGuy, Inc. All rights reserved.
