July 13th, 2010 09:00

TrojanDropper:Win32/Oficla.G and Trojan:HTML/Phishbank.O

This has been going on for a few months. Every day when my virus scan runs....I get the message that "oneCare found potentially unwanted software and requires action from you. We recommend you remove software that you do not recognize. To remove software yourself, locate the file(s) below and then delete the unwanted software." The 2 viruses are TrojanDropper:Win32/Oficla.G and Trojan:HTML/Phishbank.O. When I open the link for the first one I get this:

TrojanDropper:Win32/Oficla.G

Encyclopedia entry
Updated: May 20, 2010  |  Published: Mar 18, 2010

Aliases
  • Win-Trojan/Oficla.82432 (AhnLab)
  • W32/Trojan3.BRD (Authentium (Command))
  • TR/FraudPack.anmu (Avira)
  • Trojan.FakeAv.KSP (BitDefender)
  • Win32/Oficla.CI (CA)
  • Trojan.Oficla.26 (Dr.Web)
  • Win32/Oficla.EF (ESET)
  • FakeAlert-MA.gen (McAfee)
  • Trj/Sinowal.WXJ (Panda)
  • Mal/FakeAV-BW (Sophos)
  • TROJ_BREDO.JER (Trend Micro)
  • Win32/Kryptic.EFP (other)

Alert Level
Severe

Antimalware protection details
Microsoft recommends that you download the latest definitions to get protected.
Detection last updated:
Definition: 1.85.1925.0
Released: Jul 12, 2010
Detection initially created:
Definition: 1.77.96.0
Released: Feb 26, 2010


 

Summary

TrojanDropper:Win32/Oficla.G is a detection for a trojan that installs and executes Trojan:Win32/Oficla.M. This Win32/Oficla variant attempts to connect with a remote host and download a configuration data file that instructs the trojan to retrieve other malware from additional download locations.


Symptoms

System changes
The following system changes may indicate the presence of this malware:
  • The presence of the following files:
    \rjuq.mpo
  • The presence of the following registry modifications:
    Sets value: "Shell"
    From data: "explorer.exe"
    To data: "explorer.exe rundll32.exe rjuq.mpo owbtiln"
    In subkey: HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon


Technical Information (Analysis)

TrojanDropper:Win32/Oficla.G is a detection for a trojan that installs and executes Trojan:Win32/Oficla.M. This Win32/Oficla variant attempts to connect with a remote host and download a configuration data file that instructs the trojan to retrieve other malware from additional download locations.
Installation
TrojanDropper:Win32/Oficla.G may be distributed as an attachment to a spammed e-mail message. In the wild, we have observed this trojan distributed in .ZIP archive files as names similar to the following:
  • Resume_document_819.zip
  • My_Resume_621.zip
  • DHL_Tracking_NR.324-492383.zip
  • UPS_Invoice_Nr6991.zip
 
When run, TrojanDropper:Win32/Oficla.G drops a trojan component as the following:
 
\rjuq.mpo - Trojan:Win32/Oficla.M
 
The registry is modified to execute the dropped component at Windows start.
 
Sets value: "Shell"
From data: "explorer.exe"
To data: "explorer.exe rundll32.exe rjuq.mpo owbtiln"
In subkey: HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon
Payload
Downloads arbitrary files
The installed trojan Win32/Oficla.M may inject code into the running process "SVCHOST.exe" that attempts to download a script from the domain "myxmad.com".
 
At the time of this writing, the script was unavailable.
 
Analysis by Dan Kurc


Prevention

Take the following steps to help prevent infection on your computer:
  • Enable a firewall on your computer.
  • Get the latest computer updates for all your installed software.
  • Use up-to-date antivirus software.
  • Use caution when opening attachments and accepting file transfers.
  • Use caution when clicking on links to Web pages.
  • Avoid downloading pirated software.
  • Protect yourself against social engineering attacks.
  • Use strong passwords.
Enable a firewall on your computer
Use a third-party firewall product or turn on the Microsoft Windows Internet Connection Firewall.
Get the latest computer updates
Updates help protect your computer from viruses, worms, and other threats as they are discovered. It is important to install updates for all the software that is installed in your computer. These are usually available from vendor Web sites.
 
You can use the Automatic Updates feature in Windows to automatically download future Microsoft security updates while your computer is on and connected to the Internet.
Use up-to-date antivirus software
Most antivirus software can detect and prevent infection by known malicious software. To help protect you from infection, you should always run antivirus software, such as Microsoft Security Essentials, that is updated with the latest signature files. For more information, see http://www.microsoft.com/protect/computer/viruses/vista.mspx.
Use caution when opening attachments and accepting file transfers
Exercise caution with e-mail and attachments received from unknown sources, or received unexpectedly from known sources.  Use extreme caution when accepting file transfers from known or unknown sources.
Use caution when clicking on links to Web pages
Exercise caution with links to Web pages that you receive from unknown sources, especially if the links are to a Web page that you are not familiar with, unsure of the destination of, or suspicious of. Malicious software may be installed in your computer simply by visiting a Web page with harmful content.
Avoid downloading pirated software
Threats may also be bundled with software and files that are available for download on various torrent sites. Downloading "cracked" or "pirated" software from these sites carries not only the risk of being infected with malware, but is also illegal. For more information, see 'The risks of obtaining and using pirated software'.
Protect yourself from social engineering attacks
While attackers may attempt to exploit vulnerabilities in hardware or software in order to compromise a computer, they also attempt to exploit vulnerabilities in human behavior in order to do the same. When an attacker attempts to take advantage of human behavior in order to persuade the affected user to perform an action of the attacker's choice, it is known as 'social engineering'. Essentially, social engineering is an attack against the human interface of the targeted computer. For more information, see 'What is social engineering?'.
Use strong passwords
Attackers may try to gain access to your Windows account by guessing your password. It is therefore important that you use a strong password – one that cannot be easily guessed by an attacker. A strong password is one that has at least 8 characters, and combines letters, numbers, and symbols. For more information, see http://www.microsoft.com/protect/yourself/password/create.mspx.


Recovery

Manual removal is not recommended for this threat. To detect and remove this threat and other malicious software that may have been installed, run a full-system scan with an up-to-date antivirus product such as Microsoft Security Essentials, or the Windows Live OneCare safety scanner. For more information about using antivirus software, see http://www.microsoft.com/security/antivirus/av.aspx.
 
 
When I open the link for the second one I get this:
 
Trojan:HTML/Phishbank.O
Encyclopedia entry
Published: May 13, 2010

Aliases
Not available

Alert Level
Severe

Antimalware protection details
Microsoft recommends that you download the latest definitions to get protected.
Detection last updated:
Definition: 1.81.1748.0
Released: May 14, 2010
Detection initially created:
Definition: 1.81.1685.0
Released: May 14, 2010



 

Summary

This threat is detected by the Microsoft antivirus engine. Technical details are not currently available for this threat.
 
 
 
 
I've looked at this many times but can not figure out how to remove these. Does anyone have any ideas? Your help would be greatly appreciated. Thanks
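
Added example (not part of the original thread or of Microsoft's entry): the encyclopedia entry quoted above gives one concrete indicator, the Winlogon "Shell" value changing from "explorer.exe" to "explorer.exe rundll32.exe rjuq.mpo owbtiln". The Python sketch below parses the text printed by reg query "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon" /v Shell and reports any deviation from that baseline; the function names, the constructed sample outputs and the file-extension heuristic are assumptions made for illustration.

```python
import re
import shlex

# Baseline taken from the "From data" line of the entry quoted above.
BASELINE_SHELL = "explorer.exe"

# Matches the value line that reg.exe prints: name, type, data.
_SHELL_LINE = re.compile(
    r"^[ \t]+Shell[ \t]+REG_(?:EXPAND_)?SZ[ \t]+(.*?)[ \t]*$",
    re.IGNORECASE | re.MULTILINE,
)

# Constructed sample outputs in the shape reg.exe prints (not captured from a real host).
SAMPLE_CLEAN = r"""
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon
    Shell    REG_SZ    explorer.exe
"""

# Data string copied from the "To data" line of the entry quoted above.
SAMPLE_MODIFIED = r"""
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon
    Shell    REG_SZ    explorer.exe rundll32.exe rjuq.mpo owbtiln
"""


def parse_shell_value(reg_query_output):
    """Return the Shell data string from reg query output, or None if absent."""
    match = _SHELL_LINE.search(reg_query_output)
    return match.group(1) if match else None


def _tokens(value):
    """Split a Windows command line into tokens, keeping backslashes intact."""
    try:
        parts = shlex.split(value, posix=False)
    except ValueError:
        # Unbalanced quote in the registry data: fall back to whitespace splitting.
        parts = value.split()
    return [p.strip('"') for p in parts]


def assess_shell(value):
    """Compare a Shell value with the baseline and describe any deviation."""
    report = {"value": value, "clean": False,
              "extra_tokens": [], "rundll32_targets": []}
    if value is None:
        return report  # value missing: cannot be called clean
    tokens = _tokens(value)
    if [t.lower() for t in tokens] == [BASELINE_SHELL]:
        report["clean"] = True
        return report
    # Anything beyond the single baseline token deserves review.
    report["extra_tokens"] = [t for t in tokens if t.lower() != BASELINE_SHELL]
    for i, tok in enumerate(tokens):
        base = tok.replace("/", "\\").rsplit("\\", 1)[-1].lower()
        if base not in ("rundll32", "rundll32.exe"):
            continue
        rest = tokens[i + 1:]
        if not rest:
            continue
        # rundll32 takes "module,export" or, as in the entry above, "module export".
        module, _, export = rest[0].partition(",")
        if not export and len(rest) > 1:
            export = rest[1]
        # Heuristic (assumption): a module without a .dll/.cpl extension is unusual.
        odd_extension = not module.lower().endswith((".dll", ".cpl"))
        report["rundll32_targets"].append((module, export, odd_extension))
    return report


if __name__ == "__main__":
    for label, text in (("clean", SAMPLE_CLEAN), ("modified", SAMPLE_MODIFIED)):
        print(label, assess_shell(parse_shell_value(text)))
```

A value that fails the check shows only that the logon shell has been changed; removal is still left to the scanner, as the Recovery section of the entry advises.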

1.1K Posts

July 13th, 2010 11:00

Hi cajung,

I'm kevinf80 and I will be helping with any issues you may have. Please be aware that some of the logs I may ask for can be very complex and can take a long time to decipher. I am a volunteer here with a job and family so I ask that you be patient when waiting for replies.
Please DO NOT run any scans/tools/fixes on your own as this will conflict with the tools we are going to use.
Please Print or Save to Notepad all instructions and please follow them carefully and if there's something you don't understand or that will not work please let me know and we will go through it together.
Malware is often buggy and can be very unstable, with that in mind it is advisable to backup any important data before we begin.

As per the sticky at the head of the Forum please post a HJT log and we'll take it from there, without this initial log we cannot progress:

Click here to download HJTInstaller Version 2.0.4
  • Save HJTInstaller to your desktop.
  • Double-click on the HJTInstall.exe icon on your desktop.
  • By default it will install to C:\Program Files\Trend Micro\HijackThis.
  • Click on Install.
  • It will create a HijackThis icon on the desktop.
  • Once installed, it will launch Hijackthis.
  • Click on the Do a system scan and save a logfile button. It will scan and the log should open in notepad.
  • Click on "Edit > Select All" then click on "Edit > Copy" to copy the entire contents of the log.
  • Come back here to this thread and Paste the log in your next reply.
  • DO NOT have Hijackthis fix anything yet. Most of what it finds will be harmless or even required.


Kevin

76 Posts

July 29th, 2010 08:00

I really have tried searching for the above malware in my computer (so I can somehow remove it) but I can't find it anywhere. Is there something that I can buy to clean this all up? Does this have to be cleaned up manually? Please, if you have a little time, I really need a little help with this. Thanks again, Craig

76 Posts

July 29th, 2010 08:00

bump....Please, can someone please tell me how to remove this. Thank you

1.1K Posts

July 29th, 2010 13:00

Hi Craig,

Follow the previous instruction I gave you and post a HJT log, when you complete that required task I'll help you,

Kevin

76 Posts

July 30th, 2010 07:00

Hi Kevin...thanks for your help. I'll download the software and do a run now. What is a HJT log? Thanks, Craig

76 Posts

July 30th, 2010 07:00

Kevin...I'm sorry to bother you. There are 2 versions of HiJack This. Which one should I download? There is a version (new) Version 2.0.4 and a version Version 2.0.3 (Beta). Thanks, Craig

1.1K Posts

July 30th, 2010 13:00

Hello Craig,

If you go back to my post with the instructions for HJT you'll see that the required version is 2.0.4.

Kevin

76 Posts

July 30th, 2010 16:00

Hi Kevin, I apologize for not seeing the version on your first reply. I have to tell you that I am not very good with computers and I'm not sure that the information below is what you want. The initial directions that you gave did not look at all the way it was installed. Here's what I got:

Logfile of Trend Micro HijackThis v2.0.4
Scan saved at 4:28:33 PM, on 7/30/2010
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v8.00 (8.00.6001.18702)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Microsoft Windows OneCare Live\Antivirus\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\WLTRYSVC.EXE
C:\WINDOWS\System32\bcmwltry.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Canon\IJPLM\IJPLMSVC.EXE
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Google\Update\1.2.183.29\GoogleCrashHandler.exe
C:\Program Files\Common Files\LightScribe\LSSrvc.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\Program Files\Microsoft Windows OneCare Live\OcHealthMon.exe
C:\Program Files\Common Files\supportsoft\bin\sprtlisten.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Yahoo!\SoftwareUpdate\YahooAUService.exe
C:\Program Files\Microsoft Windows OneCare Live\Firewall\msfwsvc.exe
C:\Program Files\Microsoft Windows OneCare Live\winss.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\WINDOWS\stsystra.exe
C:\Program Files\Dell\MediaDirect\PCMService.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe
C:\Program Files\Dell\QuickSet\quickset.exe
C:\WINDOWS\system32\WLTRAY.exe
C:\Program Files\Canon\MyPrinter\BJMyPrt.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\ScanSoft\OmniPageSE4\OpwareSE4.exe
C:\Program Files\Microsoft Windows OneCare Live\winssnotify.exe
C:\Program Files\Qwest Personal Digital Vault\QwestPersonalDigitalVault.exe
C:\WINDOWS\System32\DLA\DLACTRLW.EXE
C:\Program Files\Common Files\Java\Java Update\jusched.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\NetWaiting\netWaiting.exe
C:\Program Files\Dell Support\DSAgnt.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Digital Line Detect\DLG.exe
C:\Program Files\FinePixViewer\QuickDCF2.exe
C:\Program Files\Southwest Airlines\Ding\Ding.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\WINDOWS\system32\msiexec.exe
C:\Program Files\Trend Micro\HiJackThis\HiJackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Search,Default_Page_URL = www.google.com/ig/dell?hl=en&client=dell-usuk-rel&channel=us&ibd=4070508
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn3\yt.dll
O2 - BHO: &Yahoo! Toolbar Helper - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn3\yt.dll
O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
O2 - BHO: RealPlayer Download and Record Plugin for Internet Explorer - {3049C3E9-B461-4BC5-8870-4C09146192CA} - C:\Documents and Settings\All Users\Application Data\Real\RealPlayer\BrowserRecordPlugin\IE\rpbrowserrecordplugin.dll
O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Program Files\AVG\AVG8\avgssie.dll (file missing)
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: Yahoo! IE Services Button - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\System32\DLA\DLASHX_W.DLL
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\5.1.1309.3572\swg.dll
O2 - BHO: Browser Address Error Redirector - {CA6319C0-31B7-401E-A518-A07C3DB8F777} - C:\Program Files\BAE\BAE.dll
O2 - BHO: MSN Toolbar Helper - {d2ce3e00-f94a-4740-988e-03dc2f38c34f} - C:\Program Files\MSN\Toolbar\3.0.1203.0\msneshellx.dll
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O2 - BHO: SingleInstance Class - {FDAD4DA1-61A2-4FD8-9C17-86F7AC245081} - C:\Program Files\Yahoo!\Companion\Installs\cpn3\YTSingleInstance.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn3\yt.dll
O3 - Toolbar: MSN Toolbar - {1E61ED7C-7CB8-49d6-B9E9-AB4C880C8414} - C:\Program Files\MSN\Toolbar\3.0.1203.0\msneshellx.dll
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [SigmatelSysTrayApp] stsystra.exe
O4 - HKLM\..\Run: [PCMService] "C:\Program Files\Dell\MediaDirect\PCMService.exe"
O4 - HKLM\..\Run: [nwiz] nwiz.exe /installquiet
O4 - HKLM\..\Run: [NVHotkey] rundll32.exe nvHotkey.dll,Start
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [ISUSScheduler] "C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start
O4 - HKLM\..\Run: [ISUSPM Startup] C:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe -startup
O4 - HKLM\..\Run: [Dell QuickSet] C:\Program Files\Dell\QuickSet\quickset.exe
O4 - HKLM\..\Run: [Broadcom Wireless Manager UI] C:\WINDOWS\system32\WLTRAY.exe
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [CanonSolutionMenu] C:\Program Files\Canon\SolutionMenu\CNSLMAIN.exe /logon
O4 - HKLM\..\Run: [CanonMyPrinter] C:\Program Files\Canon\MyPrinter\BJMyPrt.exe /logon
O4 - HKLM\..\Run: [SSBkgdUpdate] "C:\Program Files\Common Files\Scansoft Shared\SSBkgdUpdate\SSBkgdupdate.exe" -Embedding -boot
O4 - HKLM\..\Run: [OpwareSE4] "C:\Program Files\ScanSoft\OmniPageSE4\OpwareSE4.exe"
O4 - HKLM\..\Run: [REGSHAVE] C:\Program Files\REGSHAVE\REGSHAVE.EXE /AUTORUN
O4 - HKLM\..\Run: [OneCareUI] "C:\Program Files\Microsoft Windows OneCare Live\winssnotify.exe"
O4 - HKLM\..\Run: [Qwest Personal Digital Vault] "C:\Program Files\Qwest Personal Digital Vault\QwestPersonalDigitalVault.exe" /m
O4 - HKLM\..\Run: [DLA] C:\WINDOWS\System32\DLA\DLACTRLW.EXE
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [Adobe ARM] "C:\Program Files\Common Files\Adobe\ARM\1.0\AdobeARM.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Common Files\Java\Java Update\jusched.exe"
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe"  -osboot
O4 - HKCU\..\Run: [ModemOnHold] C:\Program Files\NetWaiting\netWaiting.exe
O4 - HKCU\..\Run: [DellSupport] "C:\Program Files\Dell Support\DSAgnt.exe" /startup
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [Update Service] C:\PROGRA~1\COMMON~1\TEKNUM~1\update.exe /startup
O4 - Startup: DING!.lnk = C:\Program Files\Southwest Airlines\Ding\Ding.exe
O4 - Global Startup: Digital Line Detect.lnk = ?
O4 - Global Startup: ExifLauncher2.lnk = C:\Program Files\FinePixViewer\QuickDCF2.exe
O9 - Extra button: Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search && Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} (QuickTime Plugin Control) - http://appldnld.apple.com.edgesuite.net/content.info.apple.com/QuickTime/qtactivex/qtplugin.cab
O16 - DPF: {0CCA191D-13A6-4E29-B746-314DEE697D83} (Facebook Photo Uploader 5 Control) - http://upload.facebook.com/controls/2008.10.10_v5.5.8/FacebookPhotoUploader5.cab
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (Installation Support) - C:\Program Files\Yahoo!\Common\Yinsthelper.dll
O16 - DPF: {48DD0448-9209-4F81-9F6D-D83562940134} (MySpace Uploader Control) - http://lads.myspace.com/upload/MySpaceUploader1006.cab
O16 - DPF: {4C39376E-FA9D-4349-BACC-D305C1750EF3} (EPUImageControl Class) - http://tools.ebayimg.com/eps/wl/activex/eBay_Enhanced_Picture_Control_v1-0-3-48.cab
O16 - DPF: {8100D56A-5661-482C-BEE8-AFECE305D968} (Facebook Photo Uploader 5 Control) - http://upload.facebook.com/controls/2009.07.28_v5.5.8.1/FacebookPhotoUploader55.cab
O16 - DPF: {CF40ACC5-E1BB-4AFF-AC72-04C2F616BCA7} (get_atlcom Class) - http://www.adobe.com/products/acrobat/nos/gp.cab
O16 - DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - http://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
O22 - SharedTaskScheduler: Browseui preloader - {438755C2-A8BA-11D1-B96B-00A0C90312E1} - C:\WINDOWS\system32\browseui.dll
O22 - SharedTaskScheduler: Component Categories cache daemon - {8C7461EF-2B13-11d2-BE35-3078302C2030} - C:\WINDOWS\system32\browseui.dll
O23 - Service: Google Update Service (gupdate1c9a27ff09cd0c8) (gupdate1c9a27ff09cd0c8) - Google Inc. - C:\Program Files\Google\Update\GoogleUpdate.exe
O23 - Service: Google Software Updater (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: PIXMA Extended Survey Program (IJPLMSVC) - Unknown owner - C:\Program Files\Canon\IJPLM\IJPLMSVC.EXE
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Unknown owner - C:\Program Files\Common Files\LightScribe\LSSrvc.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: SupportSoft Listener Service (sprtlisten) - SupportSoft, Inc. - C:\Program Files\Common Files\supportsoft\bin\sprtlisten.exe
O23 - Service: SupportSoft RemoteAssist - SupportSoft, Inc. - C:\Program Files\Common Files\supportsoft\bin\ssrc.exe
O23 - Service: Dell Wireless WLAN Tray Service (wltrysvc) - Unknown owner - C:\WINDOWS\System32\WLTRYSVC.EXE
O23 - Service: Yahoo! Updater (YahooAUService) - Yahoo! Inc. - C:\Program Files\Yahoo!\SoftwareUpdate\YahooAUService.exe

--
End of file - 11599 bytes

 

Thanks, Craig

 

1.1K Posts

July 31st, 2010 04:00

Hi Craig,

Yep, HJT log is exactly what I needed to see. Although it does not indicate the underlying problem it does give some important information regarding your setup. Don't worry about your computer skills, if you don't understand any of the instructions, just post back and I'll do my best to get you through it.

OK, let's proceed as follows :-

Step 1

Please download Malwarebytes Anti-Malware and save it to your desktop.
Alternative D/L mirror
Alternative D/L mirror

MBAM may "make changes to your registry" as part of its disinfection routine. If using other security programs that detect registry changes (ie Spybot's Teatimer), they may interfere or alert you. Temporarily disable such programs or permit them to ALLOW the changes. Instructions available HERE
  • Make sure you are connected to the Internet.
  • Double-click on mbam-setup.exe to install the application.
  • When the installation begins, follow the prompts and do not make any changes to default settings.
  • When installation has finished, make sure you leave both of these checked:
      • Update Malwarebytes' Anti-Malware
      • Launch Malwarebytes' Anti-Malware

Then click Finish.

MBAM will automatically start and you will be asked to update the program before performing a scan.
  • If an update is found, the program will automatically update itself. Press the OK button to close that box and continue.
  • If you encounter any problems while downloading the definition updates, manually download them from HERE and just double-click on mbam-rules.exe to install.

On the Scanner tab:
  • Make sure the "Perform Quick Scan" option is selected.
  • Then click on the Scan button.
  • If asked to select the drives to scan, leave all the drives selected and click on the Start Scan button.
  • The scan will begin and "Scan in progress" will show at the top. It may take some time to complete so please be patient.
  • When the scan is finished, a message box will say "The scan completed successfully. Click 'Show Results' to display all objects found".
  • Click OK to close the message box and continue with the removal process.

Back at the main Scanner screen:
  • Click on the Show Results button to see a list of any malware that was found.
  • Make sure that everything is checked, and click Remove Selected.
  • When removal is completed, a log report will open in Notepad.
  • The log is automatically saved and can be viewed by clicking the Logs tab in MBAM.
  • Copy and paste the contents of that report in your next reply. Be sure to post the complete log to include the top portion which shows MBAM's database version and your operating system.
  • Exit MBAM when done.

Note: If MBAM encounters a file that is difficult to remove, you will be asked to reboot your computer so MBAM can proceed with the disinfection process. If asked to restart the computer, please do so immediately. Failure to reboot normally (not into safe mode) will prevent MBAM from removing all the malware.

Step 2

We need to see some additional information about what is happening in your machine. 
Please perform the following scan:
  • Download DDS by sUBs from one of the following links.  Save it to your desktop.
  • Double click on the DDS icon, allow it to run.
  • A small box will open, with an explanation about the tool.   
  • When done, DDS will open two (2) logs:
      1. DDS.txt
      2. Attach.txt
  • Save both reports to your desktop.
  • The instructions here ask you to attach the Attach.txt.
  • Instead of attaching, please copy/paste both logs into your next reply.
  • Close the program window, and delete the program from your desktop.

Please note:  You may have to disable any script protection running if the scan fails to run.
After downloading the tool, disconnect from the internet and disable all antivirus protection.
Run the scan, enable your A/V and reconnect to the internet. 
Information on A/V control HERE

Step 3

Download Security Check by screen317 from HERE or HERE.
Save it to your Desktop.
Double click SecurityCheck.exe and follow the onscreen instructions inside of the black box. Press any key when asked.
A Notepad document should open automatically called checkup.txt; please post the contents of that document.

What I'd like to see in your reply :-


  • Log from Malwarebytes
  • Both logs from DDS
  • Log from Security Checks


Remember to read through the instructions a couple of times, or better still print them off so you can have them to hand for easy access should you need to refresh your memory.

Kevin.

76 Posts

July 31st, 2010 08:00

Hi Kevin, I really want to thank you for helping me with this. Here's the log from Malwarebytes: Thanks again

Malwarebytes' Anti-Malware 1.46
www.malwarebytes.org

Database version: 4373

Windows 5.1.2600 Service Pack 3
Internet Explorer 8.0.6001.18702

7/31/2010 8:23:55 AM
mbam-log-2010-07-31 (08-23-55).txt

Scan type: Quick scan
Objects scanned: 144053
Time elapsed: 9 minute(s), 31 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 2
Files Infected: 1

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
C:\Documents and Settings\All Users\Application Data\10670004 (Rogue.Multiple) -> Quarantined and deleted successfully.
C:\Documents and Settings\craig jung\Start Menu\Programs\System Security (Rogue.SystemSecurity) -> Quarantined and deleted successfully.

Files Infected:
C:\Documents and Settings\craig jung\Favorites\Free porn videos - Sex, XXX, free pornos at You Porn.com.url (Rogue.Link) -> Quarantined and deleted successfully.

 

1.1K Posts

July 31st, 2010 09:00

Yep, well done Craig, You got the other logs for me..

 

Kevin

76 Posts

July 31st, 2010 10:00

Thanks Kevin...I'm sorry it took awhile but I got tied up with something else. Here's the one file but I do not know how to zip the other file.

DDS (Ver_10-03-17.01) - NTFSx86 
Run by craig jung at 10:27:34.64 on Sat 07/31/2010
Internet Explorer: 8.0.6001.18702
Microsoft Windows XP Home Edition  5.1.2600.3.1252.1.1033.18.1022.444 [GMT -6:00]

AV: Windows Live OneCare *On-access scanning enabled* (Updated)   {427ADFC3-B354-4A51-BE34-A9D4218E45C4}
FW: Windows Live OneCare Firewall *enabled*   {A3899D22-27E6-4A7E-AE4E-2C106646DAAB}

============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\Program Files\Microsoft Windows OneCare Live\Antivirus\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
svchost.exe
svchost.exe
C:\WINDOWS\System32\WLTRYSVC.EXE
C:\WINDOWS\System32\bcmwltry.exe
C:\WINDOWS\system32\spoolsv.exe
svchost.exe
C:\Program Files\Canon\IJPLM\IJPLMSVC.EXE
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Common Files\LightScribe\LSSrvc.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\Program Files\Google\Update\1.2.183.29\GoogleCrashHandler.exe
C:\Program Files\Microsoft Windows OneCare Live\OcHealthMon.exe
C:\Program Files\Common Files\supportsoft\bin\sprtlisten.exe
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\Program Files\Yahoo!\SoftwareUpdate\YahooAUService.exe
C:\Program Files\Microsoft Windows OneCare Live\Firewall\msfwsvc.exe
C:\Program Files\Microsoft Windows OneCare Live\winss.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\WINDOWS\stsystra.exe
C:\Program Files\Dell\MediaDirect\PCMService.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe
C:\Program Files\Dell\QuickSet\quickset.exe
C:\WINDOWS\system32\WLTRAY.exe
C:\Program Files\Canon\MyPrinter\BJMyPrt.exe
C:\WINDOWS\System32\svchost.exe -k HTTPFilter
C:\Program Files\ScanSoft\OmniPageSE4\OpwareSE4.exe
C:\Program Files\Microsoft Windows OneCare Live\winssnotify.exe
C:\Program Files\Qwest Personal Digital Vault\QwestPersonalDigitalVault.exe
C:\WINDOWS\System32\DLA\DLACTRLW.EXE
C:\Program Files\Common Files\Java\Java Update\jusched.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\NetWaiting\netWaiting.exe
C:\Program Files\Dell Support\DSAgnt.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Digital Line Detect\DLG.exe
C:\Program Files\FinePixViewer\QuickDCF2.exe
C:\Program Files\Southwest Airlines\Ding\Ding.exe
C:\Program Files\Outlook Express\msimn.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Documents and Settings\craig jung\Local Settings\Temporary Internet Files\Content.IE5\Q7TQ18EI\dds[1].scr

============== Pseudo HJT Report ===============

uStart Page = hxxp://www.msn.com
uSearch Page = hxxp://www.google.com/hws/sb/dell-usuk-rel/en/side.html?channel=us
uDefault_Page_URL = hxxp://www.msn.com
mSearchAssistant = hxxp://www.google.com/hws/sb/dell-usuk-rel/en/side.html?channel=us
uURLSearchHooks: Yahoo! Toolbar: {ef99bd32-c1fb-11d2-892f-0090271d4f88} - c:\program files\yahoo!\companion\installs\cpn3\yt.dll
BHO: &Yahoo! Toolbar Helper: {02478d38-c3f9-4efb-9b51-7695eca05670} - c:\program files\yahoo!\companion\installs\cpn3\yt.dll
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
BHO: RealPlayer Download and Record Plugin for Internet Explorer: {3049c3e9-b461-4bc5-8870-4c09146192ca} - c:\documents and settings\all users\application data\real\realplayer\browserrecordplugin\ie\rpbrowserrecordplugin.dll
BHO: AVG Safe Search: {3ca2f312-6f6e-4b53-a66e-4e65e497c8c0} - c:\program files\avg\avg8\avgssie.dll
BHO: Spybot-S&D IE Protection: {53707962-6f74-2d53-2644-206d7942484f} - c:\program files\spybot - search & destroy\SDHelper.dll
BHO: Yahoo! IE Services Button: {5bab4b5b-68bc-4b02-94d6-2fc0de4a7897} - c:\program files\yahoo!\common\yiesrvc.dll
BHO: DriveLetterAccess: {5ca3d70e-1895-11cf-8e15-001234567890} - c:\windows\system32\dla\DLASHX_W.DLL
BHO: Google Toolbar Notifier BHO: {af69de43-7d58-4638-b6fa-ce66b5ad205d} - c:\program files\google\googletoolbarnotifier\5.1.1309.3572\swg.dll
BHO: CBrowserHelperObject Object: {ca6319c0-31b7-401e-a518-a07c3db8f777} - c:\program files\bae\BAE.dll
BHO: MSN Toolbar Helper: {d2ce3e00-f94a-4740-988e-03dc2f38c34f} - c:\program files\msn\toolbar\3.0.1203.0\msneshellx.dll
BHO: Java(tm) Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
BHO: SingleInstance Class: {fdad4da1-61a2-4fd8-9c17-86f7ac245081} - c:\program files\yahoo!\companion\installs\cpn3\YTSingleInstance.dll
TB: Yahoo! Toolbar: {ef99bd32-c1fb-11d2-892f-0090271d4f88} - c:\program files\yahoo!\companion\installs\cpn3\yt.dll
TB: MSN Toolbar: {1e61ed7c-7cb8-49d6-b9e9-ab4c880c8414} - c:\program files\msn\toolbar\3.0.1203.0\msneshellx.dll
TB: {8B79EE88-E62D-4AA8-B530-CC357BA112B7} - No File
TB: {A057A204-BACC-4D26-9990-79A187E2698E} - No File
TB: {604BC32A-9680-40D1-9AC6-E06B23A1BA4C} - No File
TB: {472734EA-242A-422B-ADF8-83D1E48CC825} - No File
uRun: [ModemOnHold] c:\program files\netwaiting\netWaiting.exe
uRun: [DellSupport] "c:\program files\dell support\DSAgnt.exe" /startup
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRun: [Update Service] c:\progra~1\common~1\teknum~1\update.exe /startup
uRun: [TVPlanet]
uRun: [RadioPlanet]
mRun: [SynTPEnh] c:\program files\synaptics\syntp\SynTPEnh.exe
mRun: [SigmatelSysTrayApp] stsystra.exe
mRun: [PCMService] "c:\program files\dell\mediadirect\PCMService.exe"
mRun: [nwiz] nwiz.exe /installquiet
mRun: [NVHotkey] rundll32.exe nvHotkey.dll,Start
mRun: [NvCplDaemon] RUNDLL32.EXE c:\windows\system32\NvCpl.dll,NvStartup
mRun: [ISUSScheduler] "c:\program files\common files\installshield\updateservice\issch.exe" -start
mRun: [ISUSPM Startup] c:\progra~1\common~1\instal~1\update~1\ISUSPM.exe -startup
mRun: [Dell QuickSet] c:\program files\dell\quickset\quickset.exe
mRun: [Broadcom Wireless Manager UI] c:\windows\system32\WLTRAY.exe
mRun: [NeroFilterCheck] c:\windows\system32\NeroCheck.exe
mRun: [CanonSolutionMenu] c:\program files\canon\solutionmenu\CNSLMAIN.exe /logon
mRun: [CanonMyPrinter] c:\program files\canon\myprinter\BJMyPrt.exe /logon
mRun: [SSBkgdUpdate] "c:\program files\common files\scansoft shared\ssbkgdupdate\SSBkgdupdate.exe" -Embedding -boot
mRun: [OpwareSE4] "c:\program files\scansoft\omnipagese4\OpwareSE4.exe"
mRun: [REGSHAVE] c:\program files\regshave\REGSHAVE.EXE /AUTORUN
mRun: [OneCareUI] "c:\program files\microsoft windows onecare live\winssnotify.exe"
mRun: [Qwest Personal Digital Vault] "c:\program files\qwest personal digital vault\QwestPersonalDigitalVault.exe" /m
mRun: [DLA] c:\windows\system32\dla\DLACTRLW.EXE
mRun: [QuickTime Task] "c:\program files\quicktime\qttask.exe" -atboottime
mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 9.0\reader\Reader_sl.exe"
mRun: [Adobe ARM] "c:\program files\common files\adobe\arm\1.0\AdobeARM.exe"
mRun: [SunJavaUpdateSched] "c:\program files\common files\java\java update\jusched.exe"
mRun: [TkBellExe] "c:\program files\common files\real\update_ob\realsched.exe"  -osboot
StartupFolder: c:\docume~1\craigj~1\startm~1\programs\startup\ding!.lnk - c:\program files\southwest airlines\ding\Ding.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\digita~1.lnk - c:\program files\digital line detect\DLG.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\exifla~1.lnk - c:\program files\finepixviewer\QuickDCF2.exe
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - c:\program files\yahoo!\common\yiesrvc.dll
IE: {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - {53707962-6F74-2D53-2644-206D7942484F} - c:\program files\spybot - search & destroy\SDHelper.dll
DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} - hxxp://appldnld.apple.com.edgesuite.net/content.info.apple.com/QuickTime/qtactivex/qtplugin.cab
DPF: {0CCA191D-13A6-4E29-B746-314DEE697D83} - hxxp://upload.facebook.com/controls/2008.10.10_v5.5.8/FacebookPhotoUploader5.cab
DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} - c:\program files\yahoo!\common\Yinsthelper.dll
DPF: {48DD0448-9209-4F81-9F6D-D83562940134} - hxxp://lads.myspace.com/upload/MySpaceUploader1006.cab
DPF: {4C39376E-FA9D-4349-BACC-D305C1750EF3} - hxxp://tools.ebayimg.com/eps/wl/activex/eBay_Enhanced_Picture_Control_v1-0-3-48.cab
DPF: {8100D56A-5661-482C-BEE8-AFECE305D968} - hxxp://upload.facebook.com/controls/2009.07.28_v5.5.8.1/FacebookPhotoUploader55.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_20-windows-i586.cab
DPF: {CAFEEFAC-0015-0000-0006-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_06-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0020-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_20-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_20-windows-i586.cab
DPF: {CF40ACC5-E1BB-4AFF-AC72-04C2F616BCA7} - hxxp://www.adobe.com/products/acrobat/nos/gp.cab
DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - hxxp://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
mASetup: {A509B1FF-37FF-4bFF-8CFF-4F3A747040FF} - c:\windows\system32\rundll32.exe c:\windows\system32\advpack.dll,launchinfsectionex c:\program files\internet explorer\clrtour.inf,DefaultInstall.ResetTour,,12

============= SERVICES / DRIVERS ===============

R2 OcHealthMon;Windows Live OneCare Health Monitor;c:\program files\microsoft windows onecare live\OcHealthMon.exe [2010-2-5 26120]
R2 sprtlisten;SupportSoft Listener Service;c:\program files\common files\supportsoft\bin\sprtlisten.exe [2008-1-8 1213728]
R3 MpFilter;Microsoft Malware Protection Driver;c:\windows\system32\drivers\MpFilter.sys [2009-4-22 53168]
S0 TfFsMon;TfFsMon;c:\windows\system32\drivers\tffsmon.sys --> c:\windows\system32\drivers\TfFsMon.sys [?]
S0 TfSysMon;TfSysMon;c:\windows\system32\drivers\tfsysmon.sys --> c:\windows\system32\drivers\TfSysMon.sys [?]
S2 gupdate1c9a27ff09cd0c8;Google Update Service (gupdate1c9a27ff09cd0c8);c:\program files\google\update\GoogleUpdate.exe [2009-3-11 133104]
S3 TfNetMon;TfNetMon;\??\c:\windows\system32\drivers\tfnetmon.sys --> c:\windows\system32\drivers\TfNetMon.sys [?]

=============== Created Last 30 ================

2010-07-31 14:09:53 0 d-----w- c:\docume~1\craigj~1\applic~1\Malwarebytes
2010-07-31 14:09:43 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-07-31 14:09:41 20952 ----a-w- c:\windows\system32\drivers\mbam.sys
2010-07-31 14:09:41 0 d-----w- c:\docume~1\alluse~1\applic~1\Malwarebytes
2010-07-31 14:09:40 0 d-----w- c:\program files\Malwarebytes' Anti-Malware
2010-07-14 12:16:53 744448 ------w- c:\windows\system32\dllcache\helpsvc.exe
2010-07-08 11:23:58 0 d-----w- c:\docume~1\craigj~1\applic~1\Uniblue
2010-07-04 04:51:35 0 d-----w- c:\program files\Spyware Doctor
2010-07-04 03:02:50 0 d-----w- c:\windows\system32\wbem\Repository
2010-07-03 18:31:19 0 d-----w- c:\docume~1\alluse~1\applic~1\PC Tools

==================== Find3M  ====================

2010-07-01 17:09:11 53049 ----a-w- c:\windows\system32\nvModes.dat
2010-05-05 13:30:57 173056 ------w- c:\windows\system32\dllcache\ie4uinit.exe
2010-02-04 21:42:07 168 --sh--r- c:\windows\system32\BE155F096C.sys
2010-02-04 21:42:34 5642 --sha-w- c:\windows\system32\KGyGaAvL.sys

============= FINISH: 10:28:14.09 ===============

76 Posts

July 31st, 2010 11:00

Hi Kevin....Ok...I think this is the last of it.

Results of screen317's Security Check version 0.99.4 
 Windows XP Service Pack 3 
 Internet Explorer 8 
``````````````````````````````
Antivirus/Firewall Check:

 Windows Firewall Disabled! 
 Windows Live OneCare   
 Microsoft Windows OneCare Live v2.5.2900.24 Idcrl Install
 Microsoft Windows Live OneCare Resources v2.5.2900.30
 GTOneCare     
 Microsoft Windows OneCare Live v2.5.2900.30 
 Microsoft Windows OneCare Live AntiSpyware and AntiVirus
```````````````````````````````
Anti-malware/Other Utilities Check:

 Out of date Spybot installed!
 Malwarebytes' Anti-Malware   
 Java(TM) 6 Update 20 
 Adobe Flash Player  
Adobe Reader 9.3.3
````````````````````````````````
Process Check: 
objlist.exe by Laurent

 Windows Defender MSMpEng.exe
 Microsoft Windows OneCare Live Antivirus MsMpEng.exe 
 Microsoft Windows OneCare Live Firewall msfwsvc.exe 
````````````````````````````````
DNS Vulnerability Check:

 GREAT! (Not vulnerable to DNS cache poisoning)

``````````End of Log````````````

1.1K Posts

July 31st, 2010 11:00

Thanks Kevin...I'm sorry it took a while but I got tied up with something else. Here's the one file but I do not know how to zip the other file.

 

Hi Craig,

Read the instructions carefully for DDS; you'll see that it actually tells you to copy and paste both logs, not zip, OK.

Kevin..

76 Posts

July 31st, 2010 11:00

UNLESS SPECIFICALLY INSTRUCTED, DO NOT POST THIS LOG.
IF REQUESTED, ZIP IT UP & ATTACH IT

DDS (Ver_10-03-17.01)

Microsoft Windows XP Home Edition
Boot Device: \Device\HarddiskVolume2
Install Date: 6/5/2007 8:20:11 AM
System Uptime: 7/31/2010 8:29:34 AM (2 hours ago)

Motherboard: Dell Inc. |  | 0XD720
Processor: Intel(R) Core(TM) Duo CPU      T2350  @ 1.86GHz | Microprocessor | 1060/133mhz

==== Disk Partitions =========================

C: is FIXED (NTFS) - 144 GiB total, 122.74 GiB free.
D: is CDROM ()

==== Disabled Device Manager Items =============

==== System Restore Points ===================

RP864: 5/2/2010 2:58:57 PM - System Checkpoint
RP865: 5/3/2010 11:55:17 AM - Installed Java(TM) 6 Update 20
RP866: 5/4/2010 1:11:43 PM - System Checkpoint
RP867: 5/5/2010 8:03:51 PM - System Checkpoint
RP868: 5/7/2010 8:10:35 AM - System Checkpoint
RP869: 5/9/2010 8:13:16 AM - System Checkpoint
RP870: 5/10/2010 11:59:36 AM - System Checkpoint
RP871: 5/11/2010 12:22:37 PM - System Checkpoint
RP872: 5/12/2010 6:57:14 AM - Software Distribution Service 3.0
RP873: 5/13/2010 7:23:52 AM - System Checkpoint
RP874: 5/14/2010 8:45:16 AM - System Checkpoint
RP875: 5/15/2010 11:07:21 AM - System Checkpoint
RP876: 5/16/2010 11:31:00 AM - System Checkpoint
RP877: 5/17/2010 2:38:49 PM - System Checkpoint
RP878: 5/19/2010 8:20:21 AM - System Checkpoint
RP879: 5/20/2010 8:48:26 AM - System Checkpoint
RP880: 5/21/2010 4:45:42 PM - System Checkpoint
RP881: 5/22/2010 11:52:41 PM - System Checkpoint
RP882: 5/24/2010 9:09:20 AM - System Checkpoint
RP883: 5/25/2010 9:55:32 AM - System Checkpoint
RP884: 5/25/2010 9:58:50 PM - Software Distribution Service 3.0
RP885: 5/27/2010 8:32:28 AM - System Checkpoint
RP886: 5/28/2010 1:00:34 PM - System Checkpoint
RP887: 5/29/2010 2:30:13 PM - System Checkpoint
RP888: 5/30/2010 3:16:58 PM - System Checkpoint
RP889: 5/30/2010 4:14:21 PM - Microsoft OneCare Protection Checkpoint
RP890: 5/31/2010 6:20:04 AM - Microsoft OneCare Protection Checkpoint
RP891: 6/1/2010 6:34:44 AM - Microsoft OneCare Protection Checkpoint
RP892: 6/2/2010 7:30:34 AM - Microsoft OneCare Protection Checkpoint
RP893: 6/3/2010 6:42:13 AM - Microsoft OneCare Protection Checkpoint
RP894: 6/4/2010 2:55:27 AM - Microsoft OneCare Protection Checkpoint
RP895: 6/4/2010 7:00:16 AM - Software Distribution Service 3.0
RP896: 6/5/2010 7:31:57 AM - Microsoft OneCare Protection Checkpoint
RP897: 6/6/2010 7:23:05 AM - Microsoft OneCare Protection Checkpoint
RP898: 6/7/2010 5:57:59 AM - Microsoft OneCare Protection Checkpoint
RP899: 6/8/2010 6:39:12 AM - Microsoft OneCare Protection Checkpoint
RP900: 6/9/2010 6:20:23 AM - Microsoft OneCare Protection Checkpoint
RP901: 6/10/2010 6:03:34 AM - Microsoft OneCare Protection Checkpoint
RP902: 6/10/2010 12:56:09 PM - Restore Operation
RP903: 6/10/2010 1:15:01 PM - Installed Java(TM) 6 Update 20
RP904: 6/10/2010 1:57:29 PM - Restore Operation
RP905: 6/11/2010 4:56:34 AM - Microsoft OneCare Protection Checkpoint
RP906: 6/11/2010 6:02:29 PM - Software Distribution Service 3.0
RP907: 6/11/2010 6:23:20 PM - Software Distribution Service 3.0
RP908: 6/12/2010 7:08:10 AM - Microsoft OneCare Protection Checkpoint
RP909: 6/12/2010 11:07:25 PM - Microsoft OneCare Protection Checkpoint
RP910: 6/14/2010 6:20:24 AM - Microsoft OneCare Protection Checkpoint
RP911: 6/15/2010 6:17:14 AM - Microsoft OneCare Protection Checkpoint
RP912: 6/16/2010 7:05:07 AM - Microsoft OneCare Protection Checkpoint
RP913: 6/17/2010 7:39:58 AM - Microsoft OneCare Protection Checkpoint
RP914: 6/18/2010 5:50:39 AM - Microsoft OneCare Protection Checkpoint
RP915: 6/19/2010 5:45:26 AM - Microsoft OneCare Protection Checkpoint
RP916: 6/20/2010 6:53:46 AM - Microsoft OneCare Protection Checkpoint
RP917: 6/21/2010 2:24:27 AM - Microsoft OneCare Protection Checkpoint
RP918: 6/21/2010 11:07:00 PM - Microsoft OneCare Protection Checkpoint
RP919: 6/22/2010 11:06:33 PM - Software Distribution Service 3.0
RP920: 6/23/2010 11:06:36 PM - Microsoft OneCare Protection Checkpoint
RP921: 6/25/2010 7:05:04 AM - Microsoft OneCare Protection Checkpoint
RP922: 6/26/2010 6:25:51 AM - Microsoft OneCare Protection Checkpoint
RP923: 6/27/2010 12:27:04 AM - Microsoft OneCare Protection Checkpoint
RP924: 6/27/2010 4:27:38 PM - Microsoft OneCare Protection Checkpoint
RP925: 6/28/2010 6:47:47 AM - Microsoft OneCare Protection Checkpoint
RP926: 6/29/2010 11:44:21 AM - System Checkpoint
RP927: 6/30/2010 6:42:52 AM - Microsoft OneCare Protection Checkpoint
RP928: 7/1/2010 1:56:49 AM - Microsoft OneCare Protection Checkpoint
RP929: 7/2/2010 7:36:30 AM - Microsoft OneCare Protection Checkpoint
RP930: 7/3/2010 7:15:12 AM - Microsoft OneCare Protection Checkpoint
RP931: 7/3/2010 2:10:44 PM - Software Distribution Service 3.0
RP932: 7/3/2010 7:59:03 PM - Restore Operation
RP933: 7/3/2010 11:11:42 PM - Microsoft OneCare Protection Checkpoint
RP934: 7/3/2010 11:26:29 PM - Spyware Doctor: Cleaning Threats
RP935: 7/3/2010 11:34:39 PM - Restore Operation
RP936: 7/4/2010 10:18:51 AM - Software Distribution Service 3.0
RP937: 7/4/2010 12:05:53 PM - Microsoft OneCare Protection Checkpoint
RP938: 7/5/2010 6:45:53 AM - Microsoft OneCare Protection Checkpoint
RP939: 7/6/2010 6:51:13 AM - Microsoft OneCare Protection Checkpoint
RP940: 7/7/2010 6:51:39 AM - Microsoft OneCare Protection Checkpoint
RP941: 7/8/2010 4:26:29 AM - Microsoft OneCare Protection Checkpoint
RP942: 7/9/2010 6:18:23 AM - Microsoft OneCare Protection Checkpoint
RP943: 7/10/2010 7:01:03 AM - System Checkpoint
RP944: 7/10/2010 7:03:30 AM - Microsoft OneCare Protection Checkpoint
RP945: 7/11/2010 9:49:27 AM - System Checkpoint
RP946: 7/12/2010 6:52:42 AM - Microsoft OneCare Protection Checkpoint
RP947: 7/13/2010 6:56:33 AM - Microsoft OneCare Protection Checkpoint
RP948: 7/14/2010 6:29:39 AM - Microsoft OneCare Protection Checkpoint
RP949: 7/14/2010 7:00:17 AM - Software Distribution Service 3.0
RP950: 7/14/2010 11:07:35 PM - Microsoft OneCare Protection Checkpoint
RP951: 7/16/2010 6:39:20 AM - Microsoft OneCare Protection Checkpoint
RP952: 7/17/2010 6:24:48 AM - Microsoft OneCare Protection Checkpoint
RP953: 7/17/2010 11:14:03 PM - Microsoft OneCare Protection Checkpoint
RP954: 7/19/2010 7:04:57 AM - Microsoft OneCare Protection Checkpoint
RP955: 7/19/2010 11:07:19 PM - Microsoft OneCare Protection Checkpoint
RP956: 7/21/2010 4:29:02 AM - Microsoft OneCare Protection Checkpoint
RP957: 7/22/2010 7:42:56 AM - Microsoft OneCare Protection Checkpoint
RP958: 7/23/2010 6:25:22 AM - Microsoft OneCare Protection Checkpoint
RP959: 7/24/2010 6:29:37 AM - Microsoft OneCare Protection Checkpoint
RP960: 7/25/2010 5:24:50 AM - Microsoft OneCare Protection Checkpoint
RP961: 7/26/2010 6:34:03 AM - Microsoft OneCare Protection Checkpoint
RP962: 7/27/2010 6:49:39 AM - Microsoft OneCare Protection Checkpoint
RP963: 7/28/2010 6:22:40 AM - Microsoft OneCare Protection Checkpoint
RP964: 7/29/2010 6:07:43 AM - Microsoft OneCare Protection Checkpoint
RP965: 7/30/2010 6:15:02 AM - Microsoft OneCare Protection Checkpoint
RP966: 7/30/2010 4:06:58 PM - Installed HiJackThis
RP967: 7/30/2010 4:11:38 PM - Removed HiJackThis
RP968: 7/30/2010 4:12:57 PM - Installed HiJackThis
RP969: 7/30/2010 4:14:58 PM - Removed HiJackThis
RP970: 7/30/2010 4:17:40 PM - Installed HiJackThis
RP971: 7/30/2010 4:20:56 PM - Removed HiJackThis
RP972: 7/30/2010 4:24:08 PM - Installed HiJackThis
RP973: 7/30/2010 4:34:09 PM - Removed HiJackThis
RP974: 7/31/2010 6:04:07 AM - Microsoft OneCare Protection Checkpoint

==== Installed Programs ======================

Acrobat.com
Actiontec Gateway
Adobe Acrobat 4.0
Adobe Acrobat 5.0
Adobe ActiveShare 1.3.1
Adobe AIR
Adobe Flash Player 10 ActiveX
Adobe PhotoDeluxe Home Edition 4.0
Adobe Reader 9.3.3
ArcSoft VideoImpression 1.6FP
Broadcom Management Programs
CA Yahoo! Anti-Spy (remove only)
Canon MP Navigator EX 1.0
Canon MP470 series
Canon MP470 series User Registration
Canon My Printer
Canon PhotoRecord
Canon Utilities Easy-PhotoPrint
Canon Utilities Easy-PhotoPrint EX
Canon Utilities PhotoStitch 3.1
Canon Utilities Solution Menu
Canon Utilities ZoomBrowser EX
Conexant HDA D110 MDC V.92 Modem
Corel Paint Shop Pro Photo XI
Corel Snapfire Plus
Coupon Printer for Windows
Critical Update for Windows Media Player 11 (KB959772)
Dell Support 3.2.1
Dell System Restore
Dell Wireless WLAN Card
Digital Line Detect
Digital TV for PC 2.0
DING!
FinePix Studio
FinePixViewer Resource
FinePixViewer Ver.5.4
FUJIFILM USB Driver
getPlus(R)_ocx
Google Earth
Google Update Helper
Google Updater
GTOneCare
HandyBits File Shredder
High Definition Audio Driver Package - KB835221
Hotfix for Microsoft .NET Framework 3.5 SP1 (KB953595)
Hotfix for Microsoft .NET Framework 3.5 SP1 (KB958484)
Hotfix for Windows Media Format 11 SDK (KB929399)
Hotfix for Windows Media Player 11 (KB939683)
Hotfix for Windows XP (KB952287)
Hotfix for Windows XP (KB954550-v5)
Hotfix for Windows XP (KB961118)
Hotfix for Windows XP (KB970653-v3)
Hotfix for Windows XP (KB976098-v2)
Hotfix for Windows XP (KB979306)
Hotfix for Windows XP (KB981793)
Image Resizer Powertoy for Windows XP
J2SE Runtime Environment 5.0 Update 6
Java Auto Updater
Java(TM) 6 Update 20
LS_HSI
Malwarebytes' Anti-Malware
MediaDirect
Microsoft .NET Framework 1.1
Microsoft .NET Framework 1.1 Security Update (KB979906)
Microsoft .NET Framework 2.0 Service Pack 2
Microsoft .NET Framework 3.0 Service Pack 2
Microsoft .NET Framework 3.5 SP1
Microsoft Application Error Reporting
Microsoft Compression Client Pack 1.0 for Windows XP
Microsoft Internationalized Domain Names Mitigation APIs
Microsoft National Language Support Downlevel APIs
Microsoft Plus! Digital Media Edition Installer
Microsoft Plus! Photo Story 2 LE
Microsoft Protection Service
Microsoft Silverlight
Microsoft User-Mode Driver Framework Feature Pack 1.0
Microsoft Visual C++ 2005 ATL Update kb973923 - x86 8.0.50727.4053
Microsoft Visual C++ 2005 Redistributable
Microsoft Visual C++ 2008 ATL Update kb973924 - x86 9.0.30729.4148
Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.17
Microsoft Windows Live OneCare Resources v2.5.2900.30
Microsoft Windows OneCare Live AntiSpyware and AntiVirus
Microsoft Windows OneCare Live v2.5.2900.24 Idcrl Install
Microsoft Windows OneCare Live v2.5.2900.30
Microsoft Works
Modem Helper
MSN Toolbar
MSXML 4.0 SP2 (KB927978)
MSXML 4.0 SP2 (KB936181)
MSXML 4.0 SP2 (KB954430)
MSXML 4.0 SP2 (KB973688)
Nero Suite
NetWaiting
NVIDIA Drivers
OutlookAddinSetup
PIXMA Extended Survey Program
PX Engine
QuickConnect
QuickSet
QuickTime
Qwest Personal Digital Vault™
Qwest QuickAssist Desktop Tools
Qwest Quickcare 2.5
RealPlayer
RealUpgrade 1.0
Roxio DLA
Roxio RecordNow Audio
Roxio RecordNow Copy
Roxio RecordNow Data
ScanSoft OmniPage SE 4
SearchAssist
Security Update for CAPICOM (KB931906)
Security Update for Step By Step Interactive Training (KB923723)
Security Update for Windows Internet Explorer 7 (KB938127-v2)
Security Update for Windows Internet Explorer 7 (KB963027)
Security Update for Windows Internet Explorer 7 (KB969897)
Security Update for Windows Internet Explorer 7 (KB972260)
Security Update for Windows Internet Explorer 7 (KB974455)
Security Update for Windows Internet Explorer 8 (KB971961)
Security Update for Windows Internet Explorer 8 (KB974455)
Security Update for Windows Internet Explorer 8 (KB976325)
Security Update for Windows Internet Explorer 8 (KB978207)
Security Update for Windows Internet Explorer 8 (KB981332)
Security Update for Windows Internet Explorer 8 (KB982381)
Security Update for Windows Media Player (KB911564)
Security Update for Windows Media Player (KB952069)
Security Update for Windows Media Player (KB954155)
Security Update for Windows Media Player (KB968816)
Security Update for Windows Media Player (KB973540)
Security Update for Windows Media Player (KB978695)
Security Update for Windows Media Player 10 (KB917734)
Security Update for Windows Media Player 10 (KB936782)
Security Update for Windows Media Player 11 (KB936782)
Security Update for Windows Media Player 11 (KB954154)
Security Update for Windows Media Player 6.4 (KB925398)
Security Update for Windows XP (KB2229593)
Security Update for Windows XP (KB923561)
Security Update for Windows XP (KB923689)
Security Update for Windows XP (KB938464-v2)
Security Update for Windows XP (KB938464)
Security Update for Windows XP (KB941569)
Security Update for Windows XP (KB946648)
Security Update for Windows XP (KB950759)
Security Update for Windows XP (KB950760)
Security Update for Windows XP (KB950762)
Security Update for Windows XP (KB950974)
Security Update for Windows XP (KB951066)
Security Update for Windows XP (KB951376-v2)
Security Update for Windows XP (KB951376)
Security Update for Windows XP (KB951698)
Security Update for Windows XP (KB951748)
Security Update for Windows XP (KB952004)
Security Update for Windows XP (KB952954)
Security Update for Windows XP (KB953838)
Security Update for Windows XP (KB953839)
Security Update for Windows XP (KB954211)
Security Update for Windows XP (KB954459)
Security Update for Windows XP (KB954600)
Security Update for Windows XP (KB955069)
Security Update for Windows XP (KB956390)
Security Update for Windows XP (KB956391)
Security Update for Windows XP (KB956572)
Security Update for Windows XP (KB956744)
Security Update for Windows XP (KB956802)
Security Update for Windows XP (KB956803)
Security Update for Windows XP (KB956841)
Security Update for Windows XP (KB956844)
Security Update for Windows XP (KB957095)
Security Update for Windows XP (KB957097)
Security Update for Windows XP (KB958215)
Security Update for Windows XP (KB958644)
Security Update for Windows XP (KB958687)
Security Update for Windows XP (KB958690)
Security Update for Windows XP (KB958869)
Security Update for Windows XP (KB959426)
Security Update for Windows XP (KB960225)
Security Update for Windows XP (KB960714)
Security Update for Windows XP (KB960715)
Security Update for Windows XP (KB960803)
Security Update for Windows XP (KB960859)
Security Update for Windows XP (KB961371)
Security Update for Windows XP (KB961373)
Security Update for Windows XP (KB961501)
Security Update for Windows XP (KB963027)
Security Update for Windows XP (KB968537)
Security Update for Windows XP (KB969059)
Security Update for Windows XP (KB969898)
Security Update for Windows XP (KB969947)
Security Update for Windows XP (KB970238)
Security Update for Windows XP (KB970430)
Security Update for Windows XP (KB971468)
Security Update for Windows XP (KB971486)
Security Update for Windows XP (KB971557)
Security Update for Windows XP (KB971633)
Security Update for Windows XP (KB971657)
Security Update for Windows XP (KB971961)
Security Update for Windows XP (KB972270)
Security Update for Windows XP (KB973346)
Security Update for Windows XP (KB973354)
Security Update for Windows XP (KB973507)
Security Update for Windows XP (KB973525)
Security Update for Windows XP (KB973869)
Security Update for Windows XP (KB973904)
Security Update for Windows XP (KB974112)
Security Update for Windows XP (KB974318)
Security Update for Windows XP (KB974392)
Security Update for Windows XP (KB974571)
Security Update for Windows XP (KB975025)
Security Update for Windows XP (KB975467)
Security Update for Windows XP (KB975560)
Security Update for Windows XP (KB975561)
Security Update for Windows XP (KB975562)
Security Update for Windows XP (KB975713)
Security Update for Windows XP (KB977165)
Security Update for Windows XP (KB977816)
Security Update for Windows XP (KB977914)
Security Update for Windows XP (KB978037)
Security Update for Windows XP (KB978251)
Security Update for Windows XP (KB978262)
Security Update for Windows XP (KB978338)
Security Update for Windows XP (KB978542)
Security Update for Windows XP (KB978601)
Security Update for Windows XP (KB978706)
Security Update for Windows XP (KB979309)
Security Update for Windows XP (KB979482)
Security Update for Windows XP (KB979559)
Security Update for Windows XP (KB979683)
Security Update for Windows XP (KB980195)
Security Update for Windows XP (KB980218)
Security Update for Windows XP (KB980232)
Sonic Update Manager
Spybot - Search & Destroy
Spybot - Search & Destroy 1.4
Synaptics Pointing Device Driver
Update for Microsoft .NET Framework 3.5 SP1 (KB963707)
Update for Windows Internet Explorer 8 (KB973874)
Update for Windows Internet Explorer 8 (KB976662)
Update for Windows Internet Explorer 8 (KB976749)
Update for Windows Internet Explorer 8 (KB980182)
Update for Windows XP (KB951072-v2)
Update for Windows XP (KB951978)
Update for Windows XP (KB955759)
Update for Windows XP (KB955839)
Update for Windows XP (KB967715)
Update for Windows XP (KB968389)
Update for Windows XP (KB971737)
Update for Windows XP (KB973687)
Update for Windows XP (KB973815)
URL Assistant
USB Storage Driver
WebCyberCoach 3.2 Dell
WebFldrs XP
Windows Genuine Advantage Notifications (KB905474)
Windows Genuine Advantage Validation Tool (KB892130)
Windows Installer 3.1 (KB893803)
Windows Internet Explorer 7
Windows Internet Explorer 8
Windows Live OneCare
Windows Media Format 11 runtime
Windows Media Player 10
Windows Media Player 11
Windows XP Service Pack 3
Yahoo! Browser Services
Yahoo! Install Manager
Yahoo! Internet Mail
Yahoo! Messenger
Yahoo! Software Update
Yahoo! Toolbar

==== Event Viewer Messages From Past Week ========

7/31/2010 8:30:08 AM, error: sr [1]  - The System Restore filter encountered the unexpected error '0xC0000001' while processing the file '' on the volume 'HarddiskVolume2'.  It has stopped monitoring the volume.
7/31/2010 6:05:40 AM, error: OneCareMP [1008]  - Windows OneCare Live has encountered an error when taking action on spyware or other potentially unwanted software. For more information please see the following: http://go.microsoft.com/fwlink/?linkid=37020&name=TrojanDropper:Win32/Oficla.G&threatid=2147631779  Scan ID: {316E87D0-55CC-4D4A-ABAA-8D94D316EE3A}    Scan Type: AntiMalware  User: NT AUTHORITY\SYSTEM  Name: TrojanDropper:Win32/Oficla.G  ID: 2147631779  Severity: Severe  Category: Trojan Dropper  Path:   Action: Remove  Error Code: 0x80508028  Error description: An unexpected problem occurred. Install any available updates, and then try to start the program again. For information on installing updates, see Help and Support.
7/31/2010 6:05:40 AM, error: OneCareMP [1008]  - Windows OneCare Live has encountered an error when taking action on spyware or other potentially unwanted software. For more information please see the following: http://go.microsoft.com/fwlink/?linkid=37020&name=TrojanDownloader:Win32/Waledac.C&threatid=2147627823  Scan ID: {316E87D0-55CC-4D4A-ABAA-8D94D316EE3A}    Scan Type: AntiMalware  User: NT AUTHORITY\SYSTEM  Name: TrojanDownloader:Win32/Waledac.C  ID: 2147627823  Severity: Severe  Category: Trojan Downloader  Path: file:\\?\C:\Documents and Settings\craig jung\Local Settings\Application Data\Identities\{DFF16927-88E6-4EAA-A097-460B7E65289B}\Microsoft\Outlook Express\Deleted Items.dbx->(Message.5007: child@irs.gov - Child Benefit N. #IRS.1924819AG/2010)->(part0002:child.1924881.PDF.htm)->(SCRIPT0001)->(JSNORM)->(SCRIPT0001);file:\\?\C:\Documents and Settings\craig jung\Local Settings\Application Data\Identities\{DFF16927-88E6-4EAA-A097-460B7E65289B}\Microsoft\Outlook Express\Deleted Items.dbx->(Message.5007: child@irs.gov - Child Benefit N. #IRS.1924819AG/2010)->(part0002:child.1924881.PDF.htm)->(SCRIPT0001)->(EmbeddedCode)->(SCRIPT0001);file:\\?\C:\Documents and Settings\craig jung\Local Settings\Application Data\Identities\{DFF16927-88E6-4EAA-A097-460B7E65289B}\Microsoft\Outlook Express\Deleted Items.dbx->(Message.4637: notification@ssa.gov - Review your annual Social Security statement)->(part0001:statement.zip)->statement.exe;file:\\?\C:\Documents and Settings\craig jung\Local Settings\Application Data\Identities\{D  Action: Remove  Error Code: 0x80508028  Error description: An unexpected problem occurred. Install any available updates, and then try to start the program again. For information on installing updates, see Help and Support.
7/31/2010 6:05:40 AM, error: OneCareMP [1008]  - Windows OneCare Live has encountered an error when taking action on spyware or other potentially unwanted software. For more information please see the following: http://go.microsoft.com/fwlink/?linkid=37020&name=Trojan:HTML/Phishbank.O&threatid=2147633296  Scan ID: {316E87D0-55CC-4D4A-ABAA-8D94D316EE3A}    Scan Type: AntiMalware  User: NT AUTHORITY\SYSTEM  Name: Trojan:HTML/Phishbank.O  ID: 2147633296  Severity: Severe  Category: Trojan  Path:   Action: Remove  Error Code: 0x80508028  Error description: An unexpected problem occurred. Install any available updates, and then try to start the program again. For information on installing updates, see Help and Support.
7/30/2010 6:16:26 AM, error: OneCareMP [1008]  - Windows OneCare Live has encountered an error when taking action on spyware or other potentially unwanted software. For more information please see the following: http://go.microsoft.com/fwlink/?linkid=37020&name=TrojanDropper:Win32/Oficla.G&threatid=2147631779  Scan ID: {F52AD1A8-1E0C-4CF4-A4CA-CFF35B608C98}    Scan Type: AntiMalware  User: NT AUTHORITY\SYSTEM  Name: TrojanDropper:Win32/Oficla.G  ID: 2147631779  Severity: Severe  Category: Trojan Dropper  Path:   Action: Remove  Error Code: 0x80508028  Error description: An unexpected problem occurred. Install any available updates, and then try to start the program again. For information on installing updates, see Help and Support.
7/30/2010 6:16:26 AM, error: OneCareMP [1008]  - Windows OneCare Live has encountered an error when taking action on spyware or other potentially unwanted software. For more information please see the following: http://go.microsoft.com/fwlink/?linkid=37020&name=TrojanDownloader:Win32/Waledac.C&threatid=2147627823  Scan ID: {F52AD1A8-1E0C-4CF4-A4CA-CFF35B608C98}    Scan Type: AntiMalware  User: NT AUTHORITY\SYSTEM  Name: TrojanDownloader:Win32/Waledac.C  ID: 2147627823  Severity: Severe  Category: Trojan Downloader  Path: file:\\?\C:\Documents and Settings\craig jung\Local Settings\Application Data\Identities\{DFF16927-88E6-4EAA-A097-460B7E65289B}\Microsoft\Outlook Express\Deleted Items.dbx->(Message.4923: child@irs.gov - Child Benefit N. #IRS.1924819AG/2010)->(part0002:child.1924881.PDF.htm)->(SCRIPT0001)->(JSNORM)->(SCRIPT0001);file:\\?\C:\Documents and Settings\craig jung\Local Settings\Application Data\Identities\{DFF16927-88E6-4EAA-A097-460B7E65289B}\Microsoft\Outlook Express\Deleted Items.dbx->(Message.4923: child@irs.gov - Child Benefit N. #IRS.1924819AG/2010)->(part0002:child.1924881.PDF.htm)->(SCRIPT0001)->(EmbeddedCode)->(SCRIPT0001);file:\\?\C:\Documents and Settings\craig jung\Local Settings\Application Data\Identities\{DFF16927-88E6-4EAA-A097-460B7E65289B}\Microsoft\Outlook Express\Deleted Items.dbx->(Message.4364: majurozd9@royalgifts.com - Expiring order)->(part0002:Forwarded Message.zip)->Forwarded Message.exe;file:\\?\C:\Documents and Settings\craig jung\Local Settings\Application Data\Identities\{DFF16927-88  Action: Remove  Error Code: 0x80508028  Error description: An unexpected problem occurred. Install any available updates, and then try to start the program again. For information on installing updates, see Help and Support.
7/30/2010 6:16:26 AM, error: OneCareMP [1008]  - Windows OneCare Live has encountered an error when taking action on spyware or other potentially unwanted software. For more information please see the following: http://go.microsoft.com/fwlink/?linkid=37020&name=Trojan:HTML/Phishbank.O&threatid=2147633296  Scan ID: {F52AD1A8-1E0C-4CF4-A4CA-CFF35B608C98}    Scan Type: AntiMalware  User: NT AUTHORITY\SYSTEM  Name: Trojan:HTML/Phishbank.O  ID: 2147633296  Severity: Severe  Category: Trojan  Path:   Action: Remove  Error Code: 0x80508028  Error description: An unexpected problem occurred. Install any available updates, and then try to start the program again. For information on installing updates, see Help and Support.
7/30/2010 4:11:46 PM, error: Service Control Manager [7023]  - The Application Management service terminated with the following error:  The specified module could not be found.
7/30/2010 3:27:45 PM, error: Service Control Manager [7026]  - The following boot-start or system-start driver(s) failed to load:  TfFsMon TfSysMon
7/29/2010 6:08:52 AM, error: OneCareMP [1008]  - Windows OneCare Live has encountered an error when taking action on spyware or other potentially unwanted software. For more information please see the following: http://go.microsoft.com/fwlink/?linkid=37020&name=TrojanDropper:Win32/Oficla.G&threatid=2147631779  Scan ID: {6A0C6254-E817-467D-AEB0-5614FD5D851A}    Scan Type: AntiMalware  User: NT AUTHORITY\SYSTEM  Name: TrojanDropper:Win32/Oficla.G  ID: 2147631779  Severity: Severe  Category: Trojan Dropper  Path:   Action: Remove  Error Code: 0x80508028  Error description: An unexpected problem occurred. Install any available updates, and then try to start the program again. For information on installing updates, see Help and Support.
7/29/2010 6:08:52 AM, error: OneCareMP [1008]  - Windows OneCare Live has encountered an error when taking action on spyware or other potentially unwanted software. For more information please see the following: http://go.microsoft.com/fwlink/?linkid=37020&name=TrojanDownloader:Win32/Waledac.C&threatid=2147627823  Scan ID: {6A0C6254-E817-467D-AEB0-5614FD5D851A}    Scan Type: AntiMalware  User: NT AUTHORITY\SYSTEM  Name: TrojanDownloader:Win32/Waledac.C  ID: 2147627823  Severity: Severe  Category: Trojan Downloader  Path: file:\\?\C:\Documents and Settings\craig jung\Local Settings\Application Data\Identities\{DFF16927-88E6-4EAA-A097-460B7E65289B}\Microsoft\Outlook Express\Deleted Items.dbx->(Message.4833: child@irs.gov - Child Benefit N. #IRS.1924819AG/2010)->(part0002:child.1924881.PDF.htm)->(SCRIPT0001)->(JSNORM)->(SCRIPT0001);file:\\?\C:\Documents and Settings\craig jung\Local Settings\Application Data\Identities\{DFF16927-88E6-4EAA-A097-460B7E65289B}\Microsoft\Outlook Express\Deleted Items.dbx->(Message.4833: child@irs.gov - Child Benefit N. #IRS.1924819AG/2010)->(part0002:child.1924881.PDF.htm)->(SCRIPT0001)->(EmbeddedCode)->(SCRIPT0001);file:\\?\C:\Documents and Settings\craig jung\Local Settings\Application Data\Identities\{DFF16927-88E6-4EAA-A097-460B7E65289B}\Microsoft\Outlook Express\Deleted Items.dbx->(Message.4361: majurozd9@royalgifts.com - Expiring order)->(part0002:Forwarded Message.zip)->Forwarded Message.exe;file:\\?\C:\Documents and Settings\craig jung\Local Settings\Application Data\Identities\{DFF16927-88  Action: Remove  Error Code: 0x80508028  Error description: An unexpected problem occurred. Install any available updates, and then try to start the program again. For information on installing updates, see Help and Support.
7/29/2010 6:08:52 AM, error: OneCareMP [1008]  - Windows OneCare Live has encountered an error when taking action on spyware or other potentially unwanted software. For more information please see the following: http://go.microsoft.com/fwlink/?linkid=37020&name=Trojan:HTML/Phishbank.O&threatid=2147633296  Scan ID: {6A0C6254-E817-467D-AEB0-5614FD5D851A}    Scan Type: AntiMalware  User: NT AUTHORITY\SYSTEM  Name: Trojan:HTML/Phishbank.O  ID: 2147633296  Severity: Severe  Category: Trojan  Path:   Action: Remove  Error Code: 0x80508028  Error description: An unexpected problem occurred. Install any available updates, and then try to start the program again. For information on installing updates, see Help and Support.
7/28/2010 6:24:30 AM, error: OneCareMP [1008]  - Windows OneCare Live has encountered an error when taking action on spyware or other potentially unwanted software. For more information please see the following: http://go.microsoft.com/fwlink/?linkid=37020&name=TrojanDropper:Win32/Oficla.G&threatid=2147631779  Scan ID: {64EA3DED-967E-4678-B9DC-1EC10E5D0ED2}    Scan Type: AntiMalware  User: NT AUTHORITY\SYSTEM  Name: TrojanDropper:Win32/Oficla.G  ID: 2147631779  Severity: Severe  Category: Trojan Dropper  Path:   Action: Remove  Error Code: 0x80508028  Error description: An unexpected problem occurred. Install any available updates, and then try to start the program again. For information on installing updates, see Help and Support.
7/28/2010 6:24:30 AM, error: OneCareMP [1008]  - Windows OneCare Live has encountered an error when taking action on spyware or other potentially unwanted software. For more information please see the following: http://go.microsoft.com/fwlink/?linkid=37020&name=TrojanDownloader:Win32/Waledac.C&threatid=2147627823  Scan ID: {64EA3DED-967E-4678-B9DC-1EC10E5D0ED2}    Scan Type: AntiMalware  User: NT AUTHORITY\SYSTEM  Name: TrojanDownloader:Win32/Waledac.C  ID: 2147627823  Severity: Severe  Category: Trojan Downloader  Path: file:\\?\C:\Documents and Settings\craig jung\Local Settings\Application Data\Identities\{DFF16927-88E6-4EAA-A097-460B7E65289B}\Microsoft\Outlook Express\Deleted Items.dbx->(Message.4758: child@irs.gov - Child Benefit N. #IRS.1924819AG/2010)->(part0002:child.1924881.PDF.htm)->(SCRIPT0001)->(JSNORM)->(SCRIPT0001);file:\\?\C:\Documents and Settings\craig jung\Local Settings\Application Data\Identities\{DFF16927-88E6-4EAA-A097-460B7E65289B}\Microsoft\Outlook Express\Deleted Items.dbx->(Message.4758: child@irs.gov - Child Benefit N. #IRS.1924819AG/2010)->(part0002:child.1924881.PDF.htm)->(SCRIPT0001)->(EmbeddedCode)->(SCRIPT0001);file:\\?\C:\Documents and Settings\craig jung\Local Settings\Application Data\Identities\{DFF16927-88E6-4EAA-A097-460B7E65289B}\Microsoft\Outlook Express\Deleted Items.dbx->(Message.4358: majurozd9@royalgifts.com - Expiring order)->(part0002:Forwarded Message.zip)->Forwarded Message.exe;file:\\?\C:\Documents and Settings\craig jung\Local Settings\Application Data\Identities\{DFF16927-88  Action: Remove  Error Code: 0x80508028  Error description: An unexpected problem occurred. Install any available updates, and then try to start the program again. For information on installing updates, see Help and Support.
7/28/2010 6:24:30 AM, error: OneCareMP [1008]  - Windows OneCare Live has encountered an error when taking action on spyware or other potentially unwanted software. For more information please see the following: http://go.microsoft.com/fwlink/?linkid=37020&name=Trojan:HTML/Phishbank.O&threatid=2147633296  Scan ID: {64EA3DED-967E-4678-B9DC-1EC10E5D0ED2}    Scan Type: AntiMalware  User: NT AUTHORITY\SYSTEM  Name: Trojan:HTML/Phishbank.O  ID: 2147633296  Severity: Severe  Category: Trojan  Path:   Action: Remove  Error Code: 0x80508028  Error description: An unexpected problem occurred. Install any available updates, and then try to start the program again. For information on installing updates, see Help and Support.
7/27/2010 6:50:33 AM, error: OneCareMP [1008]  - Windows OneCare Live has encountered an error when taking action on spyware or other potentially unwanted software. For more information please see the following: http://go.microsoft.com/fwlink/?linkid=37020&name=TrojanDropper:Win32/Oficla.G&threatid=2147631779  Scan ID: {8D8DDDB6-63B3-4C6D-8B05-96F8FA157993}    Scan Type: AntiMalware  User: NT AUTHORITY\SYSTEM  Name: TrojanDropper:Win32/Oficla.G  ID: 2147631779  Severity: Severe  Category: Trojan Dropper  Path: file:\\?\C:\Documents and Settings\craig jung\Local Settings\Application Data\Identities\{DFF16927-88E6-4EAA-A097-460B7E65289B}\Microsoft\Outlook Express\Deleted Items.dbx->(Message.4661: child@irs.gov - Child Benefit N. #IRS.1924819AG/2010)->(part0002:child.1924881.PDF.htm)->(SCRIPT0001)->(JSNORM)->(SCRIPT0001);file:\\?\C:\Documents and Settings\craig jung\Local Settings\Application Data\Identities\{DFF16927-88E6-4EAA-A097-460B7E65289B}\Microsoft\Outlook Express\Deleted Items.dbx->(Message.4661: child@irs.gov - Child Benefit N. #IRS.1924819AG/2010)->(part0002:child.1924881.PDF.htm)->(SCRIPT0001)->(EmbeddedCode)->(SCRIPT0001);file:\\?\C:\Documents and Settings\craig jung\Local Settings\Application Data\Identities\{DFF16927-88E6-4EAA-A097-460B7E65289B}\Microsoft\Outlook Express\Deleted Items.dbx->(Message.347: cliok58@redbolivia.com - Open an account)->(part0001:Contract_01_05_2010.zip)->Contract_01_05_2010_____________________DOC.exe  Action: Remove  Error Code: 0x80508028  Error description: An unexpected problem occurred. Install any available updates, and then try to start the program again. For information on installing updates, see Help and Support.
7/27/2010 6:50:33 AM, error: OneCareMP [1008]  - Windows OneCare Live has encountered an error when taking action on spyware or other potentially unwanted software. For more information please see the following: http://go.microsoft.com/fwlink/?linkid=37020&name=Trojan:HTML/Phishbank.O&threatid=2147633296  Scan ID: {8D8DDDB6-63B3-4C6D-8B05-96F8FA157993}    Scan Type: AntiMalware  User: NT AUTHORITY\SYSTEM  Name: Trojan:HTML/Phishbank.O  ID: 2147633296  Severity: Severe  Category: Trojan  Path:   Action: Remove  Error Code: 0x80508028  Error description: An unexpected problem occurred. Install any available updates, and then try to start the program again. For information on installing updates, see Help and Support.
7/26/2010 6:35:04 AM, error: OneCareMP [1008]  - Windows OneCare Live has encountered an error when taking action on spyware or other potentially unwanted software. For more information please see the following: http://go.microsoft.com/fwlink/?linkid=37020&name=TrojanDropper:Win32/Oficla.G&threatid=2147631779  Scan ID: {B0FC5FA2-3A60-449B-A585-FACE9DAD6990}    Scan Type: AntiMalware  User: NT AUTHORITY\SYSTEM  Name: TrojanDropper:Win32/Oficla.G  ID: 2147631779  Severity: Severe  Category: Trojan Dropper  Path: file:\\?\C:\Documents and Settings\craig jung\Local Settings\Application Data\Identities\{DFF16927-88E6-4EAA-A097-460B7E65289B}\Microsoft\Outlook Express\Deleted Items.dbx->(Message.4575: child@irs.gov - Child Benefit N. #IRS.1924819AG/2010)->(part0002:child.1924881.PDF.htm)->(SCRIPT0001)->(JSNORM)->(SCRIPT0001);file:\\?\C:\Documents and Settings\craig jung\Local Settings\Application Data\Identities\{DFF16927-88E6-4EAA-A097-460B7E65289B}\Microsoft\Outlook Express\Deleted Items.dbx->(Message.4575: child@irs.gov - Child Benefit N. #IRS.1924819AG/2010)->(part0002:child.1924881.PDF.htm)->(SCRIPT0001)->(EmbeddedCode)->(SCRIPT0001);file:\\?\C:\Documents and Settings\craig jung\Local Settings\Application Data\Identities\{DFF16927-88E6-4EAA-A097-460B7E65289B}\Microsoft\Outlook Express\Deleted Items.dbx->(Message.344: cliok58@redbolivia.com - Open an account)->(part0001:Contract_01_05_2010.zip)->Contract_01_05_2010_____________________DOC.exe  Action: Remove  Error Code: 0x80508028  Error description: An unexpected problem occurred. Install any available updates, and then try to start the program again. For information on installing updates, see Help and Support.
7/26/2010 6:35:04 AM, error: OneCareMP [1008]  - Windows OneCare Live has encountered an error when taking action on spyware or other potentially unwanted software. For more information please see the following: http://go.microsoft.com/fwlink/?linkid=37020&name=Trojan:HTML/Phishbank.O&threatid=2147633296  Scan ID: {B0FC5FA2-3A60-449B-A585-FACE9DAD6990}    Scan Type: AntiMalware  User: NT AUTHORITY\SYSTEM  Name: Trojan:HTML/Phishbank.O  ID: 2147633296  Severity: Severe  Category: Trojan  Path:   Action: Remove  Error Code: 0x80508028  Error description: An unexpected problem occurred. Install any available updates, and then try to start the program again. For information on installing updates, see Help and Support.
7/25/2010 5:25:40 AM, error: OneCareMP [1008]  - Windows OneCare Live has encountered an error when taking action on spyware or other potentially unwanted software. For more information please see the following: http://go.microsoft.com/fwlink/?linkid=37020&name=TrojanDropper:Win32/Oficla.G&threatid=2147631779  Scan ID: {DDA1CB2B-67E9-427E-A8DE-F48CC773AA49}    Scan Type: AntiMalware  User: NT AUTHORITY\SYSTEM  Name: TrojanDropper:Win32/Oficla.G  ID: 2147631779  Severity: Severe  Category: Trojan Dropper  Path: file:\\?\C:\Documents and Settings\craig jung\Local Settings\Application Data\Identities\{DFF16927-88E6-4EAA-A097-460B7E65289B}\Microsoft\Outlook Express\Deleted Items.dbx->(Message.4509: child@irs.gov - Child Benefit N. #IRS.1924819AG/2010)->(part0002:child.1924881.PDF.htm)->(SCRIPT0001)->(JSNORM)->(SCRIPT0001);file:\\?\C:\Documents and Settings\craig jung\Local Settings\Application Data\Identities\{DFF16927-88E6-4EAA-A097-460B7E65289B}\Microsoft\Outlook Express\Deleted Items.dbx->(Message.4509: child@irs.gov - Child Benefit N. #IRS.1924819AG/2010)->(part0002:child.1924881.PDF.htm)->(SCRIPT0001)->(EmbeddedCode)->(SCRIPT0001);file:\\?\C:\Documents and Settings\craig jung\Local Settings\Application Data\Identities\{DFF16927-88E6-4EAA-A097-460B7E65289B}\Microsoft\Outlook Express\Deleted Items.dbx->(Message.341: cliok58@redbolivia.com - Open an account)->(part0001:Contract_01_05_2010.zip)->Contract_01_05_2010_____________________DOC.exe  Action: Remove  Error Code: 0x80508028  Error description: An unexpected problem occurred. Install any available updates, and then try to start the program again. For information on installing updates, see Help and Support.
7/25/2010 5:25:40 AM, error: OneCareMP [1008]  - Windows OneCare Live has encountered an error when taking action on spyware or other potentially unwanted software. For more information please see the following: http://go.microsoft.com/fwlink/?linkid=37020&name=Trojan:HTML/Phishbank.O&threatid=2147633296  Scan ID: {DDA1CB2B-67E9-427E-A8DE-F48CC773AA49}    Scan Type: AntiMalware  User: NT AUTHORITY\SYSTEM  Name: Trojan:HTML/Phishbank.O  ID: 2147633296  Severity: Severe  Category: Trojan  Path:   Action: Remove  Error Code: 0x80508028  Error description: An unexpected problem occurred. Install any available updates, and then try to start the program again. For information on installing updates, see Help and Support.
7/24/2010 6:30:25 AM, error: OneCareMP [1008]  - Windows OneCare Live has encountered an error when taking action on spyware or other potentially unwanted software. For more information please see the following: http://go.microsoft.com/fwlink/?linkid=37020&name=TrojanDropper:Win32/Oficla.G&threatid=2147631779  Scan ID: {79B397EF-03FA-4830-ABFE-B1B68F6A9C8C}    Scan Type: AntiMalware  User: NT AUTHORITY\SYSTEM  Name: TrojanDropper:Win32/Oficla.G  ID: 2147631779  Severity: Severe  Category: Trojan Dropper  Path: file:\\?\C:\Documents and Settings\craig jung\Local Settings\Application Data\Identities\{DFF16927-88E6-4EAA-A097-460B7E65289B}\Microsoft\Outlook Express\Deleted Items.dbx->(Message.4453: child@irs.gov - Child Benefit N. #IRS.1924819AG/2010)->(part0002:child.1924881.PDF.htm)->(SCRIPT0001)->(JSNORM)->(SCRIPT0001);file:\\?\C:\Documents and Settings\craig jung\Local Settings\Application Data\Identities\{DFF16927-88E6-4EAA-A097-460B7E65289B}\Microsoft\Outlook Express\Deleted Items.dbx->(Message.4453: child@irs.gov - Child Benefit N. #IRS.1924819AG/2010)->(part0002:child.1924881.PDF.htm)->(SCRIPT0001)->(EmbeddedCode)->(SCRIPT0001);file:\\?\C:\Documents and Settings\craig jung\Local Settings\Application Data\Identities\{DFF16927-88E6-4EAA-A097-460B7E65289B}\Microsoft\Outlook Express\Deleted Items.dbx->(Message.339: cliok58@redbolivia.com - Open an account)->(part0001:Contract_01_05_2010.zip)->Contract_01_05_2010_____________________DOC.exe  Action: Remove  Error Code: 0x80508028  Error description: An unexpected problem occurred. Install any available updates, and then try to start the program again. For information on installing updates, see Help and Support.
7/24/2010 6:30:25 AM, error: OneCareMP [1008]  - Windows OneCare Live has encountered an error when taking action on spyware or other potentially unwanted software. For more information please see the following: http://go.microsoft.com/fwlink/?linkid=37020&name=Trojan:HTML/Phishbank.O&threatid=2147633296  Scan ID: {79B397EF-03FA-4830-ABFE-B1B68F6A9C8C}    Scan Type: AntiMalware  User: NT AUTHORITY\SYSTEM  Name: Trojan:HTML/Phishbank.O  ID: 2147633296  Severity: Severe  Category: Trojan  Path:   Action: Remove  Error Code: 0x80508028  Error description: An unexpected problem occurred. Install any available updates, and then try to start the program again. For information on installing updates, see Help and Support.

==== End Of File ===========================

No Events found!
