Vundo Trojan/hijacker/Conhook [Closed] pop-ups, security warnings, runs slow
#2
Posted 11 February 2009 - 01:04 AM
Please follow the steps in this topic, and post back with a HijackThis log and MBAM (Malwarebytes' Anti-Malware) log if you are still having problems and I will look over the log for you.
#3
Posted 11 February 2009 - 08:21 PM
Scan saved at 21:19:10, on 2/11/2009
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\WINDOWS\System32\CTSvcCDA.EXE
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Viewpoint\Common\ViewpointService.exe
C:\WINDOWS\System32\MsPMSPSv.exe
C:\Program Files\Dell Photo AIO Printer 922\dlbtbmgr.exe
C:\WINDOWS\system32\dla\tfswctrl.exe
C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe
C:\Program Files\Dell Photo AIO Printer 922\dlbtbmon.exe
C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe
C:\Program Files\SpyNoMore\SNM.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\MSN Messenger\MsnMsgr.Exe
C:\Program Files\AIM6\aim6.exe
C:\Program Files\Digital Line Detect\DLG.exe
C:\Program Files\AIM6\aolsoftware.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
O3 - Toolbar: MSN - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\MSN Apps\MSN Toolbar\01.02.5000.1021\en-us\msntb.dll
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [Dell Photo AIO Printer 922] "C:\Program Files\Dell Photo AIO Printer 922\dlbtbmgr.exe"
O4 - HKLM\..\Run: [dla] C:\WINDOWS\system32\dla\tfswctrl.exe
O4 - HKLM\..\Run: [UpdateManager] "C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" /r
O4 - HKLM\..\Run: [REGSHAVE] C:\Program Files\REGSHAVE\REGSHAVE.EXE /AUTORUN
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
O4 - HKLM\..\Run: [DVDLauncher] "C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe"
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [SNM] C:\Program Files\SpyNoMore\SNM.exe /startup
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [8c9ffa2b] rundll32.exe "C:\WINDOWS\system32\waxaijua.dll",b
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [Aim6] "C:\Program Files\AIM6\aim6.exe" /d locale=en-US ee://aol/imApp
O4 - HKUS\S-1-5-18\..\Run: [AdobeUpdater] C:\Program Files\Common Files\Adobe\Updater5\AdobeUpdater.exe (User 'SYSTEM')
O4 - HKUS\S-1-5-18\..\Run: [SVCHOST.EXE] C:\WINDOWS\system32\drivers\svchost.exe (User 'SYSTEM')
O4 - HKUS\S-1-5-18\..\Run: [xrt_Shell] C:\WINDOWS\system32\config\systemprofile\xrt_hxyc.exe (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [AdobeUpdater] C:\Program Files\Common Files\Adobe\Updater5\AdobeUpdater.exe (User 'Default user')
O4 - Global Startup: Digital Line Detect.lnk = ?
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O10 - Unknown file in Winsock LSP: c:\windows\system32\nwprovau.dll
O14 - IERESET.INF: START_PAGE_URL=http://www.savewealth.com
O16 - DPF: {37A273C2-5129-11D5-BF37-00A0CCE8754B} (TTestGenXInstallObject) - http://asp.mathxl.com/wizmodules/testgen/i...GenXInstall.cab
O16 - DPF: {95D88B35-A521-472B-A182-BB1A98356421} (Pearson Installation Assistant 2) - http://asp.mathxl.co...nstallAsst2.cab
O16 - DPF: {E6D23284-0E9B-417D-A782-03E4487FC947} (Pearson MathXL Player) - http://asp.mathxl.co.../MathPlayer.cab
O20 - AppInit_DLLs: drdjlu.dll
O21 - SSODL: ComSrv - {2634C132-BF37-871C-861F-007D13D55A15} - C:\Program Files\coyqhyf\ComSrv.dll
O23 - Service: Lavasoft Ad-Aware Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\System32\CTSvcCDA.EXE
O23 - Service: dlbt_device - Dell - C:\WINDOWS\System32\dlbtcoms.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Viewpoint Manager Service - Viewpoint Corporation - C:\Program Files\Viewpoint\Common\ViewpointService.exe
--
End of file - 5577 bytes
Malwarebytes' Anti-Malware 1.33
Database version: 1749
Windows 5.1.2600 Service Pack 2
2/11/2009 9:06:07 PM
mbam-log-2009-02-11 (21-05-58).txt
Scan type: Quick Scan
Objects scanned: 245744
Time elapsed: 1 hour(s), 36 minute(s), 5 second(s)
Memory Processes Infected: 0
Memory Modules Infected: 6
Registry Keys Infected: 24
Registry Values Infected: 6
Registry Data Items Infected: 2
Folders Infected: 0
Files Infected: 27
Memory Processes Infected:
(No malicious items detected)
Memory Modules Infected:
C:\WINDOWS\system32\vtUMfgGa.dll (Trojan.Vundo.H) -> No action taken.
C:\WINDOWS\system32\uugiro.dll (Trojan.Vundo) -> No action taken.
C:\WINDOWS\system32\iiffGWml.dll (Trojan.Vundo) -> No action taken.
C:\WINDOWS\system32\etlgryxa.dll (Trojan.Vundo.H) -> No action taken.
C:\WINDOWS\system32\drdjlu.dll (Trojan.Vundo.H) -> No action taken.
C:\WINDOWS\system32\vmkqegpm.dll (Trojan.Vundo) -> No action taken.
Registry Keys Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{2c16b11e-7f53-4c07-bf6c-69b2ac428f8f} (Trojan.Vundo.H) -> No action taken.
HKEY_CLASSES_ROOT\CLSID\{2c16b11e-7f53-4c07-bf6c-69b2ac428f8f} (Trojan.Vundo.H) -> No action taken.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{69a31256-3c81-466a-a092-e4b4b6ded7a4} (Trojan.Vundo.H) -> No action taken.
HKEY_CLASSES_ROOT\CLSID\{69a31256-3c81-466a-a092-e4b4b6ded7a4} (Trojan.Vundo.H) -> No action taken.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{6d794cb4-c7cd-4c6f-bfdc-9b77afbdc02c} (Trojan.Vundo.H) -> No action taken.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\iiffgwml (Trojan.Vundo.H) -> No action taken.
HKEY_CLASSES_ROOT\CLSID\{6d794cb4-c7cd-4c6f-bfdc-9b77afbdc02c} (Trojan.Vundo.H) -> No action taken.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{bcfd2acd-7c3d-4f1c-95d8-24aed4fc19e0} (Trojan.Vundo.H) -> No action taken.
HKEY_CLASSES_ROOT\CLSID\{bcfd2acd-7c3d-4f1c-95d8-24aed4fc19e0} (Trojan.Vundo.H) -> No action taken.
HKEY_CLASSES_ROOT\CLSID\{2634C132-BF37-871C-861F-007D13D55A15} (Trojan.FakeAlert.H) -> No action taken.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{6d794cb4-c7cd-4c6f-bfdc-9b77afbdc02c} (Trojan.Vundo) -> No action taken.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{69a31256-3c81-466a-a092-e4b4b6ded7a4} (Trojan.Vundo) -> No action taken.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{2c16b11e-7f53-4c07-bf6c-69b2ac428f8f} (Trojan.Vundo.H) -> No action taken.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{bcfd2acd-7c3d-4f1c-95d8-24aed4fc19e0} (Trojan.Vundo) -> No action taken.
HKEY_CURRENT_USER\typelib (Fake.Dropped.Malware) -> No action taken.
HKEY_CURRENT_USER\SOFTWARE\xjado (Trojan.Downloader) -> No action taken.
HKEY_CURRENT_USER\SOFTWARE\wkey (Malware.Trace) -> No action taken.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\MS Juan (Malware.Trace) -> No action taken.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\contim (Trojan.Vundo) -> No action taken.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\instkey (Trojan.Vundo) -> No action taken.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\MS Track System (Trojan.Vundo) -> No action taken.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\rdfa (Trojan.Vundo) -> No action taken.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\FCOVM (Trojan.Vundo) -> No action taken.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\RemoveRP (Trojan.Vundo) -> No action taken.
Registry Values Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\8c9ffa2b (Trojan.Vundo.H) -> No action taken.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\comsrv (Trojan.FakeAlert.H) -> No action taken.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks\{6d794cb4-c7cd-4c6f-bfdc-9b77afbdc02c} (Trojan.Vundo) -> No action taken.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\Toolbar\{0e1230f8-ea50-42a9-983c-d22abc2eeb4c} (Fake.Dropped.Malware) -> No action taken.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SharedTaskScheduler\{0656a137-b161-cadd-9777-e37a75727e78} (Fake.Dropped.Malware) -> No action taken.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\xrt_patch (Backdoor.Agent) -> No action taken.
Registry Data Items Infected:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\LSA\Notification Packages (Trojan.Vundo.H) -> Data: c:\windows\system32\vtumfgga -> No action taken.
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\LSA\Authentication Packages (Trojan.Vundo) -> Data: c:\windows\system32\vtumfgga -> No action taken.
Folders Infected:
(No malicious items detected)
Files Infected:
C:\WINDOWS\system32\drdjlu.dll (Trojan.Vundo.H) -> No action taken.
C:\WINDOWS\system32\vtUMfgGa.dll (Trojan.Vundo.H) -> No action taken.
C:\WINDOWS\system32\aGgfMUtv.ini (Trojan.Vundo.H) -> No action taken.
C:\WINDOWS\system32\aGgfMUtv.ini2 (Trojan.Vundo.H) -> No action taken.
C:\WINDOWS\system32\iiffGWml.dll (Trojan.Vundo.H) -> No action taken.
C:\WINDOWS\system32\vmkqegpm.dll (Trojan.Vundo.H) -> No action taken.
C:\WINDOWS\system32\umaavkaq.dll (Trojan.Vundo.H) -> No action taken.
C:\WINDOWS\system32\qakvaamu.ini (Trojan.Vundo.H) -> No action taken.
C:\WINDOWS\system32\waxaijua.dll (Trojan.Vundo.H) -> No action taken.
C:\WINDOWS\system32\aujiaxaw.ini (Trojan.Vundo.H) -> No action taken.
C:\Program Files\coyqhyf\ComSrv.dll (Trojan.FakeAlert.H) -> No action taken.
C:\WINDOWS\system32\uugiro.dll (Trojan.Vundo) -> No action taken.
C:\WINDOWS\system32\etlgryxa.dll (Trojan.Vundo.H) -> No action taken.
C:\WINDOWS\system32\2fn7e1x1.exe (Trojan.Adclicker) -> No action taken.
C:\WINDOWS\system32\aFNfEnXo.dll (Trojan.BHO) -> No action taken.
C:\WINDOWS\system32\jxdtchbb.dll (Trojan.Vundo) -> No action taken.
C:\WINDOWS\system32\ssqOEwVM.dll (Trojan.Vundo) -> No action taken.
C:\Documents and Settings\Matt\Local Settings\Temporary Internet Files\Content.IE5\ATMDCPC7\index[8] (Trojan.Vundo.H) -> No action taken.
C:\Documents and Settings\Matt\Local Settings\Temporary Internet Files\Content.IE5\EEAPDPWE\apstpldr.dll[1].htm (Trojan.Vundo) -> No action taken.
C:\Documents and Settings\Matt\Local Settings\Temporary Internet Files\Content.IE5\EEAPDPWE\upd105320[1] (Trojan.Vundo.H) -> No action taken.
C:\Documents and Settings\Matt\Local Settings\Temporary Internet Files\Content.IE5\ENKTQ507\img[1] (Trojan.Vundo) -> No action taken.
C:\Documents and Settings\Matt\Local Settings\Temporary Internet Files\Content.IE5\JVHDXPXM\CAAJ0HYR (Trojan.Vundo) -> No action taken.
C:\Documents and Settings\Matt\Local Settings\Temporary Internet Files\Content.IE5\YPCNAPOD\ViNZq[1] (Trojan.Vundo) -> No action taken.
C:\WINDOWS\system32\1rdM8Rpu.exe.a_a (Trojan.Agent) -> No action taken.
C:\WINDOWS\system32\2fn7e1x1.exe.a_a (Trojan.Agent) -> No action taken.
C:\WINDOWS\system32\msshed32.exe (Trojan.Downloader) -> No action taken.
C:\Documents and Settings\Matt\delself.bat (Malware.Trace) -> No action taken.
#4
Posted 12 February 2009 - 12:36 AM
- Please start Malwarebytes' Anti-Malware.
- Once the program has loaded, select "Perform Quick Scan", then click Scan.
- The scan may take some time to finish, so please be patient.
- When the scan is complete, click OK, then Show Results to view the results.
- Make sure that everything is checked, and click Remove Selected. Make sure you choose to remove them. That will help clear your infection. Taking no action will leave the infection on your computer.
- When disinfection is completed, a log will open in Notepad and you may be prompted to Restart. (See Extra Note)
- The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
- Copy & Paste the entire report in your next reply.
Extra Note:
If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts, click OK to either and let MBAM proceed with the disinfection process, if asked to restart the computer, please do so immediately.
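The instructions above turn on one distinction: a scan that merely lists detections versus one that removes them. The first MBAM log in this thread reports every item as "No action taken", which is why the helper asks for a rerun with Remove Selected. The Python script below is an added example for this thread, not part of the thread itself and not Malwarebytes' own tooling; it parses an MBAM 1.x text log in the format posted above and separates detections that were quarantined from those still outstanding ("No action taken") or only scheduled ("Delete on reboot"), and it singles out the LSA package entries, since a DLL listed there is loaded by lsass.exe at boot. The sample log embedded in it is constructed from entries in the logs above, and the regular expressions are assumptions based on that format.

```python
"""Summarise remediation status from a Malwarebytes' Anti-Malware 1.x text log.

Added example for this thread; not MBAM's own code.  The log format assumed
here (section header ending in ':', then one detection per line as
'<target> (<Threat>) -> <action>.') is inferred from the logs posted above.
"""
import re
from collections import Counter

# One detection per line.  Registry data items carry an extra
# '-> Data: <value>' segment before the action; everything else does not.
ITEM_RE = re.compile(
    r"^(?P<target>.+?) \((?P<threat>[^()]+)\)"
    r"(?: -> Data: (?P<data>.+?))?"
    r" -> (?P<action>[A-Za-z ]+)\.$"
)
# Section headers such as 'Files Infected:' (the summary block at the top of
# the log uses 'Files Infected: 27' instead and is deliberately not matched).
SECTION_RE = re.compile(r"^(?P<section>[A-Za-z ]+ Infected):$")

LSA_PREFIX = "HKEY_LOCAL_MACHINE\\SYSTEM\\CurrentControlSet\\Control\\LSA\\"

# Constructed sample, modelled on the first and second MBAM logs in the thread.
SAMPLE_LOG = """\
Malwarebytes' Anti-Malware 1.33
Database version: 1749
Scan type: Quick Scan
Memory Modules Infected: 1
Files Infected: 1
Memory Processes Infected:
(No malicious items detected)
Memory Modules Infected:
C:\\WINDOWS\\system32\\vtUMfgGa.dll (Trojan.Vundo.H) -> No action taken.
Registry Values Infected:
HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run\\8c9ffa2b (Trojan.Vundo.H) -> Quarantined and deleted successfully.
Registry Data Items Infected:
HKEY_LOCAL_MACHINE\\SYSTEM\\CurrentControlSet\\Control\\LSA\\Authentication Packages (Trojan.Vundo) -> Data: c:\\windows\\system32\\vtumfgga -> Delete on reboot.
Files Infected:
C:\\Documents and Settings\\Matt\\delself.bat (Malware.Trace) -> No action taken.
"""


def parse_mbam_log(text):
    """Return one dict per detection: section, target, threat, data, action."""
    items, section = [], None
    for raw in text.splitlines():
        line = raw.strip()
        m = SECTION_RE.match(line)
        if m:
            section = m.group("section")
            continue
        m = ITEM_RE.match(line)
        if m and section:
            items.append({"section": section, **m.groupdict()})
    return items


def unremediated(items):
    """Detections MBAM listed but did not touch (Remove Selected was skipped)."""
    return [i for i in items if i["action"] == "No action taken"]


def pending_reboot(items):
    """Detections that are only gone once the machine has been restarted."""
    return [i for i in items if i["action"] == "Delete on reboot"]


def action_summary(items):
    """Count of detections per reported action."""
    return dict(Counter(i["action"] for i in items))


def lsa_package_tampering(items):
    """LSA Notification/Authentication Packages entries: loaded by lsass.exe
    at boot, so they must be cleared before the box is considered clean."""
    return [i for i in items if i["target"].startswith(LSA_PREFIX)]


def report(text):
    """Human-readable verdict for a helper skimming a posted log."""
    items = parse_mbam_log(text)
    lines = [f"{n} x {action}" for action, n in action_summary(items).items()]
    for i in unremediated(items):
        lines.append(f"STILL PRESENT: {i['target']} ({i['threat']})")
    for i in pending_reboot(items):
        lines.append(f"NEEDS REBOOT:  {i['target']} ({i['threat']})")
    for i in lsa_package_tampering(items):
        lines.append(f"LSA PACKAGE:   {i['target']} -> {i['data']}")
    return "\n".join(lines)


if __name__ == "__main__":
    print(report(SAMPLE_LOG))
```

Run against a pasted log, the "STILL PRESENT" lines are the quickest way to tell whether the poster clicked Remove Selected; the "NEEDS REBOOT" lines explain why a second scan straight after the first can still list the same DLLs.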
#5
Posted 12 February 2009 - 03:24 PM
Database version: 1749
Windows 5.1.2600 Service Pack 2
2/12/2009 4:20:06 PM
mbam-log-2009-02-12 (16-20-06).txt
Scan type: Quick Scan
Objects scanned: 246408
Time elapsed: 1 hour(s), 39 minute(s), 34 second(s)
Memory Processes Infected: 0
Memory Modules Infected: 4
Registry Keys Infected: 22
Registry Values Infected: 6
Registry Data Items Infected: 2
Folders Infected: 0
Files Infected: 24
Memory Processes Infected:
(No malicious items detected)
Memory Modules Infected:
C:\WINDOWS\system32\vtUMfgGa.dll (Trojan.Vundo.H) -> Delete on reboot.
C:\WINDOWS\system32\yjnyevfd.dll (Trojan.Vundo.H) -> Delete on reboot.
C:\WINDOWS\system32\sqkmyv.dll (Trojan.Vundo.H) -> Delete on reboot.
C:\WINDOWS\system32\iiffGWml.dll (Trojan.Vundo) -> Delete on reboot.
Registry Keys Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{6d794cb4-c7cd-4c6f-bfdc-9b77afbdc02c} (Trojan.Vundo.H) -> Delete on reboot.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\iiffgwml (Trojan.Vundo.H) -> Delete on reboot.
HKEY_CLASSES_ROOT\CLSID\{6d794cb4-c7cd-4c6f-bfdc-9b77afbdc02c} (Trojan.Vundo.H) -> Delete on reboot.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{aef0eb2b-c34b-451c-bf56-e9e5f87c2fa7} (Trojan.Vundo.H) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{aef0eb2b-c34b-451c-bf56-e9e5f87c2fa7} (Trojan.Vundo.H) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{bcfd2acd-7c3d-4f1c-95d8-24aed4fc19e0} (Trojan.Vundo.H) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{bcfd2acd-7c3d-4f1c-95d8-24aed4fc19e0} (Trojan.Vundo.H) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{d361c85a-7cc4-46ea-8ef0-18273f7cc040} (Trojan.Vundo.H) -> Delete on reboot.
HKEY_CLASSES_ROOT\CLSID\{d361c85a-7cc4-46ea-8ef0-18273f7cc040} (Trojan.Vundo.H) -> Delete on reboot.
HKEY_CLASSES_ROOT\CLSID\{2634C132-BF37-871C-861F-007D13D55A15} (Trojan.FakeAlert.H) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{6d794cb4-c7cd-4c6f-bfdc-9b77afbdc02c} (Trojan.Vundo) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{bcfd2acd-7c3d-4f1c-95d8-24aed4fc19e0} (Trojan.Vundo) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\typelib (Fake.Dropped.Malware) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\xjado (Trojan.Downloader) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\wkey (Malware.Trace) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\MS Juan (Malware.Trace) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\contim (Trojan.Vundo) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\instkey (Trojan.Vundo) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\MS Track System (Trojan.Vundo) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\rdfa (Trojan.Vundo) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\FCOVM (Trojan.Vundo) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\RemoveRP (Trojan.Vundo) -> Quarantined and deleted successfully.
Registry Values Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\8c9ffa2b (Trojan.Vundo.H) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\comsrv (Trojan.FakeAlert.H) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks\{6d794cb4-c7cd-4c6f-bfdc-9b77afbdc02c} (Trojan.Vundo) -> Delete on reboot.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\Toolbar\{0e1230f8-ea50-42a9-983c-d22abc2eeb4c} (Fake.Dropped.Malware) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SharedTaskScheduler\{0656a137-b161-cadd-9777-e37a75727e78} (Fake.Dropped.Malware) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\xrt_patch (Backdoor.Agent) -> Quarantined and deleted successfully.
Registry Data Items Infected:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\LSA\Notification Packages (Trojan.Vundo.H) -> Data: c:\windows\system32\vtumfgga -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\LSA\Authentication Packages (Trojan.Vundo) -> Data: c:\windows\system32\vtumfgga -> Delete on reboot.
Folders Infected:
(No malicious items detected)
Files Infected:
C:\WINDOWS\system32\iiffGWml.dll (Trojan.Vundo.H) -> Delete on reboot.
C:\WINDOWS\system32\sqkmyv.dll (Trojan.Vundo.H) -> Delete on reboot.
C:\WINDOWS\system32\vmkqegpm.dll (Trojan.Vundo.H) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\vtUMfgGa.dll (Trojan.Vundo.H) -> Delete on reboot.
C:\WINDOWS\system32\aGgfMUtv.ini (Trojan.Vundo.H) -> Delete on reboot.
C:\WINDOWS\system32\aGgfMUtv.ini2 (Trojan.Vundo.H) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\yjnyevfd.dll (Trojan.Vundo.H) -> Delete on reboot.
C:\WINDOWS\system32\dfveynjy.ini (Trojan.Vundo.H) -> Quarantined and deleted successfully.
C:\Program Files\coyqhyf\ComSrv.dll (Trojan.FakeAlert.H) -> Delete on reboot.
C:\WINDOWS\system32\2fn7e1x1.exe (Trojan.Adclicker) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\aFNfEnXo.dll (Trojan.BHO) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\jxdtchbb.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\ssqOEwVM.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\uugiro.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\oudoukdr.dll (Trojan.Vundo.H) -> Quarantined and deleted successfully.
C:\Documents and Settings\Matt\Local Settings\Temporary Internet Files\Content.IE5\EEAPDPWE\index[1] (Trojan.Vundo.H) -> Quarantined and deleted successfully.
C:\Documents and Settings\Matt\Local Settings\Temporary Internet Files\Content.IE5\ENKTQ507\img[1] (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\Documents and Settings\Matt\Local Settings\Temporary Internet Files\Content.IE5\G7MNKXAZ\upd105320[1] (Trojan.Vundo.H) -> Quarantined and deleted successfully.
C:\Documents and Settings\Matt\Local Settings\Temporary Internet Files\Content.IE5\JVHDXPXM\CAAJ0HYR (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\Documents and Settings\Matt\Local Settings\Temporary Internet Files\Content.IE5\YPCNAPOD\ViNZq[1] (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\1rdM8Rpu.exe.a_a (Trojan.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\2fn7e1x1.exe.a_a (Trojan.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\msshed32.exe (Trojan.Downloader) -> Quarantined and deleted successfully.
C:\Documents and Settings\Matt\delself.bat (Malware.Trace) -> Quarantined and deleted successfully.
#6
Posted 12 February 2009 - 03:32 PM
- Download OTListIt2 to your desktop.
- Double click on the icon to run it. Make sure all other windows are closed and to let it run uninterrupted.
- When the window appears, underneath Output at the top change it to Minimal Output.
- Under the Standard Registry box change it to All.
- Check the boxes beside LOP Check and Purity Check.
- Click the Run Scan button. Do not change any settings unless otherwise told to do so. The scan won't take long.
- When the scan completes, it will open two notepad windows. OTListIt.Txt and Extras.Txt. These are saved in the same location as OTListIt2.
- Please copy (Edit->Select All, Edit->Copy) the contents of these files, one at a time, and post it with your next reply.
The log for OTListIt2 will be very long and may not fit in one post, since there is a character limit on posts. Please make sure that it didn't get cut off, and feel free to post the rest of it in a separate reply.
#7
Posted 13 February 2009 - 03:41 AM
OTListIt2 by OldTimer - Version 2.0.0.11 Folder = C:\Documents and Settings\Matt\Desktop
Windows XP Home Edition Service Pack 2 (Version = 5.1.2600) - Type = NTWorkstation
Internet Explorer (Version = 6.0.2900.2180)
Locale: 00000409 | Country: United States | Language: ENU | Date Format: M/d/yyyy
510.09 Mb Total Physical Memory | 243.20 Mb Available Physical Memory | 47.68% Memory free
1.22 Gb Paging File | 0.98 Gb Available in Paging File | 80.85% Paging File free
Paging file location(s): C:\pagefile.sys 768 1536;
%SystemDrive% = C: | %SystemRoot% = C:\WINDOWS | %ProgramFiles% = C:\Program Files
Drive C: | 146.23 Gb Total Space | 55.94 Gb Free Space | 38.25% Space Free | Partition Type: NTFS
D: Drive not present or media not loaded
E: Drive not present or media not loaded
F: Drive not present or media not loaded
G: Drive not present or media not loaded
H: Drive not present or media not loaded
I: Drive not present or media not loaded
Computer Name: COMP
Current User Name: Matt
Logged in as Administrator.
Current Boot Mode: Normal
Scan Mode: Current user
Output = Minimal
File Age = 30 Days
Company Name Whitelist: On
========== Processes (SafeList) ==========
PRC - C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe (Lavasoft)
PRC - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe (Apple Inc.)
PRC - C:\Program Files\Bonjour\mDNSResponder.exe (Apple Inc.)
PRC - C:\WINDOWS\system32\CTSVCCDA.EXE (Creative Technology Ltd)
PRC - C:\WINDOWS\system32\wdfmgr.exe (Microsoft Corporation)
PRC - C:\Program Files\Viewpoint\Common\ViewpointService.exe (Viewpoint Corporation)
PRC - C:\WINDOWS\system32\MsPMSPSv.exe (Microsoft Corporation)
PRC - C:\WINDOWS\system32\wscntfy.exe (Microsoft Corporation)
PRC - C:\WINDOWS\explorer.exe (Microsoft Corporation)
PRC - C:\Program Files\Dell Photo AIO Printer 922\dlbtbmgr.exe ()
PRC - C:\WINDOWS\system32\dla\tfswctrl.exe (Sonic Solutions)
PRC - C:\Program Files\Dell Photo AIO Printer 922\dlbtbmon.exe ()
PRC - C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe (Sun Microsystems, Inc.)
PRC - C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe (CyberLink Corp.)
PRC - C:\Program Files\SpyNoMore\SNM.exe (Illysoft LLC)
PRC - C:\Program Files\iTunes\iTunesHelper.exe (Apple Inc.)
PRC - C:\Program Files\MSN Messenger\msnmsgr.exe (Microsoft Corporation)
PRC - C:\Program Files\Digital Line Detect\DLG.exe (BVRP Software)
PRC - C:\Program Files\iPod\bin\iPodService.exe (Apple Inc.)
PRC - C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe (Viewpoint Corporation)
PRC - C:\Program Files\Java\jre1.5.0_06\bin\jucheck.exe (Sun Microsystems, Inc.)
PRC - C:\WINDOWS\system32\rundll32.exe (Microsoft Corporation)
PRC - C:\Documents and Settings\Matt\Desktop\OTScanIt2.exe ()
PRC - C:\Program Files\Mozilla Firefox\firefox.exe (Mozilla Corporation)
PRC - C:\Documents and Settings\Matt\Desktop\OTListIt2.exe (OldTimer Tools)
========== Win32 Services (SafeList) ==========
SRV - (aawservice [Auto | Running]) -- C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe (Lavasoft)
SRV - (Apple Mobile Device [Auto | Running]) -- C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe (Apple Inc.)
SRV - (Bonjour Service [Auto | Running]) -- C:\Program Files\Bonjour\mDNSResponder.exe (Apple Inc.)
SRV - (Creative Service for CDROM Access [Auto | Running]) -- C:\WINDOWS\system32\CTSVCCDA.EXE (Creative Technology Ltd)
SRV - (dlbt_device [On_Demand | Stopped]) -- C:\WINDOWS\system32\dlbtcoms.exe (Dell)
SRV - (helpsvc [Auto | Running]) -- C:\WINDOWS\PCHealth\HelpCtr\Binaries\pchsvc.dll (Microsoft Corporation)
SRV - (iPod Service [On_Demand | Running]) -- C:\Program Files\iPod\bin\iPodService.exe (Apple Inc.)
SRV - (ose [On_Demand | Stopped]) -- C:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE (Microsoft Corporation)
SRV - (UMWdf [Auto | Running]) -- C:\WINDOWS\system32\wdfmgr.exe (Microsoft Corporation)
SRV - (usnjsvc [On_Demand | Stopped]) -- C:\Program Files\MSN Messenger\usnsvc.exe (Microsoft Corporation)
SRV - (Viewpoint Manager Service [Auto | Running]) -- C:\Program Files\Viewpoint\Common\ViewpointService.exe (Viewpoint Corporation)
SRV - (WMDM PMSP Service [Auto | Running]) -- C:\WINDOWS\system32\MsPMSPSv.exe (Microsoft Corporation)
========== Driver Services (SafeList) ==========
DRV - (AN983 [On_Demand | Stopped]) -- C:\WINDOWS\system32\drivers\an983.sys (ADMtek Incorporated.)
DRV - (BCM43XX [On_Demand | Running]) -- C:\WINDOWS\system32\drivers\BCMWL5.SYS (Broadcom Corporation)
DRV - (bvrp_pci [On_Demand | Stopped]) -- C:\WINDOWS\system32\drivers\bvrp_pci.sys ()
DRV - (CA561 [On_Demand | Stopped]) -- C:\WINDOWS\system32\drivers\SPCA561.SYS (SP)
DRV - (ctaud2k [On_Demand | Running]) -- C:\WINDOWS\system32\drivers\ctaud2k.sys (Creative Technology Ltd)
DRV - (drvmcdb [Boot | Running]) -- C:\WINDOWS\system32\drivers\drvmcdb.sys (Sonic Solutions)
DRV - (drvnddm [Auto | Running]) -- C:\WINDOWS\system32\drivers\drvnddm.sys (Sonic Solutions)
DRV - (GEARAspiWDM [On_Demand | Running]) -- C:\WINDOWS\system32\drivers\GEARAspiWDM.sys (GEAR Software Inc.)
DRV - (ha10kx2k [On_Demand | Running]) -- C:\WINDOWS\system32\drivers\ha10kx2k.sys (Creative Technology Ltd)
DRV - (HSFHWBS2 [On_Demand | Running]) -- C:\WINDOWS\system32\drivers\HSFHWBS2.sys (Conexant Systems, Inc.)
DRV - (HSF_DP [On_Demand | Running]) -- C:\WINDOWS\system32\drivers\HSF_DP.sys (Conexant Systems, Inc.)
DRV - (mdmxsdk [Auto | Running]) -- C:\WINDOWS\system32\drivers\mdmxsdk.sys (Conexant)
DRV - (MODEMCSA [On_Demand | Running]) -- C:\WINDOWS\system32\drivers\MODEMCSA.sys (Microsoft Corporation)
DRV - (NwlnkIpx [Auto | Running]) -- C:\WINDOWS\system32\drivers\nwlnkipx.sys (Microsoft Corporation)
DRV - (NwlnkNb [Auto | Running]) -- C:\WINDOWS\system32\drivers\nwlnknb.sys (Microsoft Corporation)
DRV - (NwlnkSpx [Auto | Running]) -- C:\WINDOWS\system32\drivers\nwlnkspx.sys (Microsoft Corporation)
DRV - (OMCI [System | Running]) -- C:\WINDOWS\system32\drivers\omci.sys (Dell Computer Corporation)
DRV - (ossrv [On_Demand | Running]) -- C:\WINDOWS\system32\drivers\ctoss2k.sys (Creative Technology Ltd.)
DRV - (PfModNT [Auto | Running]) -- C:\WINDOWS\system32\drivers\pfmodnt.sys (Creative Technology Ltd.)
DRV - (Ptilink [On_Demand | Running]) -- C:\WINDOWS\system32\drivers\ptilink.sys (Parallel Technologies, Inc.)
DRV - (PxHelp20 [Boot | Running]) -- C:\WINDOWS\system32\drivers\pxhelp20.sys (Sonic Solutions)
DRV - (Secdrv [On_Demand | Stopped]) -- C:\WINDOWS\system32\drivers\secdrv.sys ()
DRV - (sscdbhk5 [System | Running]) -- C:\WINDOWS\system32\drivers\sscdbhk5.sys (Sonic Solutions)
DRV - (ssrtln [System | Running]) -- C:\WINDOWS\system32\drivers\ssrtln.sys (Sonic Solutions)
DRV - (tfsnboio [Auto | Running]) -- C:\WINDOWS\system32\dla\tfsnboio.sys (Sonic Solutions)
DRV - (tfsncofs [Auto | Running]) -- C:\WINDOWS\system32\dla\tfsncofs.sys (Sonic Solutions)
DRV - (tfsndrct [Auto | Running]) -- C:\WINDOWS\system32\dla\tfsndrct.sys (Sonic Solutions)
DRV - (tfsndres [Auto | Running]) -- C:\WINDOWS\system32\dla\tfsndres.sys (Sonic Solutions)
DRV - (tfsnifs [Auto | Running]) -- C:\WINDOWS\system32\dla\tfsnifs.sys (Sonic Solutions)
DRV - (tfsnopio [Auto | Running]) -- C:\WINDOWS\system32\dla\tfsnopio.sys (Sonic Solutions)
DRV - (tfsnpool [Auto | Running]) -- C:\WINDOWS\system32\dla\tfsnpool.sys (Sonic Solutions)
DRV - (tfsnudf [Auto | Running]) -- C:\WINDOWS\system32\dla\tfsnudf.sys (Sonic Solutions)
DRV - (tfsnudfa [Auto | Running]) -- C:\WINDOWS\system32\dla\tfsnudfa.sys (Sonic Solutions)
DRV - (USBAAPL [On_Demand | Stopped]) -- C:\WINDOWS\system32\drivers\usbaapl.sys (Apple, Inc.)
DRV - (winachsf [On_Demand | Running]) -- C:\WINDOWS\system32\drivers\HSF_CNXT.sys (Conexant Systems, Inc.)
========== Standard Registry (All) ==========
========== Internet Explorer ==========
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.microsoft.com/isapi/redir.dll?p...&ar=msnhome
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Default_Search_URL = http://www.google.com/ie
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Local Page = C:\windows\system32\blank.htm
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Search Page = http://www.google.com
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = http://www.google.com
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Update_Check_Page = http://www.microsoft.com/isapi/redir.dll?P...mp;Ar=ie5update
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Search,CustomizeSearch = http://ie.search.msn...st/srchcust.htm
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Search,Default_Search_URL = http://www.microsoft.com/isapi/redir.dll?p...amp;ar=iesearch
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.google.com
IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Default_Search_URL = http://www.microsoft.com/isapi/redir.dll?p...amp;ar=iesearch
IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Local Page = C:\windows\system32\blank.htm
IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Page_Transitions =
IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Search Page = http://www.google.com
IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = http://www.google.com
IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.google.com
IE - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0
IE - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyOverride" = *.local
O1 HOSTS File: (686 bytes) - C:\WINDOWS\System32\drivers\etc\Hosts
O1 - Hosts: 127.0.0.1 localhost
O2 - BHO: (MSNToolBandBHO) - {BDBD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\MSN Apps\MSN Toolbar\01.02.5000.1021\en-us\msntb.dll (Microsoft Corporation)
O3 - HKLM\..\Toolbar: (MSN) - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\MSN Apps\MSN Toolbar\01.02.5000.1021\en-us\msntb.dll (Microsoft Corporation)
O3 - HKCU\..\Toolbar\WebBrowser: (no name) - {01E04581-4EEE-11D0-BFE9-00AA005B4383} - C:\WINDOWS\system32\browseui.dll (Microsoft Corporation)
O3 - HKCU\..\Toolbar\WebBrowser: (no name) - {0E5CBF21-D15F-11D0-8301-00AA005B4383} - C:\WINDOWS\system32\shell32.dll (Microsoft Corporation)
O3 - HKCU\..\Toolbar\WebBrowser: (no name) - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\MSN Apps\MSN Toolbar\01.02.5000.1021\en-us\msntb.dll (Microsoft Corporation)
O4 - HKLM..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe" (Adobe Systems Incorporated)
O4 - HKLM..\Run: [Dell Photo AIO Printer 922] "C:\Program Files\Dell Photo AIO Printer 922\dlbtbmgr.exe" ()
O4 - HKLM..\Run: [dla] C:\WINDOWS\system32\dla\tfswctrl.exe (Sonic Solutions)
O4 - HKLM..\Run: [DVDLauncher] "C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe" (CyberLink Corp.)
O4 - HKLM..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe" (Apple Inc.)
O4 - HKLM..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe (Ahead Software Gmbh)
O4 - HKLM..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime (Apple Inc.)
O4 - HKLM..\Run: [REGSHAVE] C:\Program Files\REGSHAVE\REGSHAVE.EXE /AUTORUN (FUJI PHOTO FILM CO., LTD.)
O4 - HKLM..\Run: [SNM] C:\Program Files\SpyNoMore\SNM.exe /startup (Illysoft LLC)
O4 - HKLM..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe (Sun Microsystems, Inc.)
O4 - HKLM..\Run: [UpdateManager] "C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" /r (Sonic Solutions)
O4 - HKCU..\Run: [Aim6] "C:\Program Files\AIM6\aim6.exe" /d locale=en-US ee://aol/imApp (AOL LLC)
O4 - HKCU..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background (Microsoft Corporation)
O4 - HKCU..\Run: [Sonic RecordNow!] File not found
O4 - Startup: C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Digital Line Detect.lnk = C:\Program Files\Digital Line Detect\DLG.exe (BVRP Software)
O6 - HKLM\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoCDBurning = 0
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: dontdisplaylastusername = 0
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: legalnoticecaption =
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: legalnoticetext =
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: shutdownwithoutlogon = 1
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: undockwithoutlogon = 1
O7 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O7 - HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145
O9 - Extra 'Tools' menuitem : Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\NPJPI150_06.dll (Sun Microsystems, Inc.)
O9 - Extra Button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe (America Online, Inc.)
O9 - Extra Button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe (Microsoft Corporation)
O9 - Extra 'Tools' menuitem : Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe (Microsoft Corporation)
O10 - NameSpace_Catalog5\Catalog_Entries\000000000001 [Tcpip] - C:\WINDOWS\system32\mswsock.dll (Microsoft Corporation)
O10 - NameSpace_Catalog5\Catalog_Entries\000000000002 [NTDS] - C:\WINDOWS\system32\winrnr.dll (Microsoft Corporation)
O10 - NameSpace_Catalog5\Catalog_Entries\000000000003 [Network Location Awareness (NLA) Namespace] - C:\WINDOWS\system32\mswsock.dll (Microsoft Corporation)
O10 - NameSpace_Catalog5\Catalog_Entries\000000000004 [NWLink IPX/SPX/NetBIOS Compatible Transport Protocol] - C:\WINDOWS\system32\nwprovau.dll (Microsoft Corporation)
O10 - NameSpace_Catalog5\Catalog_Entries\000000000005 [mdnsNSP] - C:\Program Files\Bonjour\mdnsNSP.dll (Apple Inc.)
O10 - Protocol_Catalog9\Catalog_Entries\000000000001 - C:\WINDOWS\system32\mswsock.dll (Microsoft Corporation)
O10 - Protocol_Catalog9\Catalog_Entries\000000000002 - C:\WINDOWS\system32\mswsock.dll (Microsoft Corporation)
O10 - Protocol_Catalog9\Catalog_Entries\000000000003 - C:\WINDOWS\system32\mswsock.dll (Microsoft Corporation)
O10 - Protocol_Catalog9\Catalog_Entries\000000000004 - C:\WINDOWS\system32\mswsock.dll (Microsoft Corporation)
O10 - Protocol_Catalog9\Catalog_Entries\000000000005 - C:\WINDOWS\system32\mswsock.dll (Microsoft Corporation)
O10 - Protocol_Catalog9\Catalog_Entries\000000000006 - C:\WINDOWS\system32\mswsock.dll (Microsoft Corporation)
O10 - Protocol_Catalog9\Catalog_Entries\000000000007 - C:\WINDOWS\system32\mswsock.dll (Microsoft Corporation)
O10 - Protocol_Catalog9\Catalog_Entries\000000000008 - C:\WINDOWS\system32\mswsock.dll (Microsoft Corporation)
O10 - Protocol_Catalog9\Catalog_Entries\000000000009 - C:\WINDOWS\system32\mswsock.dll (Microsoft Corporation)
O10 - Protocol_Catalog9\Catalog_Entries\000000000010 - C:\WINDOWS\system32\mswsock.dll (Microsoft Corporation)
O10 - Protocol_Catalog9\Catalog_Entries\000000000011 - C:\WINDOWS\system32\mswsock.dll (Microsoft Corporation)
O10 - Protocol_Catalog9\Catalog_Entries\000000000012 - C:\WINDOWS\system32\mswsock.dll (Microsoft Corporation)
O10 - Protocol_Catalog9\Catalog_Entries\000000000013 - C:\WINDOWS\system32\mswsock.dll (Microsoft Corporation)
O10 - Protocol_Catalog9\Catalog_Entries\000000000014 - C:\WINDOWS\system32\mswsock.dll (Microsoft Corporation)
O10 - Protocol_Catalog9\Catalog_Entries\000000000015 - C:\WINDOWS\system32\mswsock.dll (Microsoft Corporation)
O10 - Protocol_Catalog9\Catalog_Entries\000000000016 - C:\WINDOWS\system32\mswsock.dll (Microsoft Corporation)
O10 - Protocol_Catalog9\Catalog_Entries\000000000017 - C:\WINDOWS\system32\mswsock.dll (Microsoft Corporation)
O10 - Protocol_Catalog9\Catalog_Entries\000000000018 - C:\WINDOWS\system32\mswsock.dll (Microsoft Corporation)
O10 - Protocol_Catalog9\Catalog_Entries\000000000019 - C:\WINDOWS\system32\mswsock.dll (Microsoft Corporation)
O10 - Protocol_Catalog9\Catalog_Entries\000000000020 - C:\WINDOWS\system32\mswsock.dll (Microsoft Corporation)
O10 - Protocol_Catalog9\Catalog_Entries\000000000021 - C:\WINDOWS\system32\mswsock.dll (Microsoft Corporation)
O10 - Protocol_Catalog9\Catalog_Entries\000000000022 - C:\WINDOWS\system32\mswsock.dll (Microsoft Corporation)
O10 - Protocol_Catalog9\Catalog_Entries\000000000023 - C:\WINDOWS\system32\mswsock.dll (Microsoft Corporation)
O10 - Protocol_Catalog9\Catalog_Entries\000000000024 - C:\WINDOWS\system32\mswsock.dll (Microsoft Corporation)
O10 - Protocol_Catalog9\Catalog_Entries\000000000025 - C:\WINDOWS\system32\mswsock.dll (Microsoft Corporation)
O10 - Protocol_Catalog9\Catalog_Entries\000000000026 - C:\WINDOWS\system32\mswsock.dll (Microsoft Corporation)
O15 - HKLM\..Trusted Domains: 1 domain(s) and sub-domain(s) not assigned to a zone.
O15 - HKCU\..Trusted Sites: ([]msn in My Computer)
O16 - DPF: {33564D57-0000-0010-8000-00AA00389B71} http://download.microsoft.com/download/F/6...922/wmv9VCM.CAB (Reg Error: Key error.)
O16 - DPF: {37A273C2-5129-11D5-BF37-00A0CCE8754B} http://asp.mathxl.com/wizmodules/testgen/i...GenXInstall.cab (TTestGenXInstallObject)
O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} http://java.sun.com/update/1.5.0/jinstall-...indows-i586.cab (Java Plug-in 1.5.0_06)
O16 - DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} http://fpdownload.macromedia.com/get/flash...r/ultrashim.cab (Reg Error: Key error.)
O16 - DPF: {95D88B35-A521-472B-A182-BB1A98356421} http://asp.mathxl.co...nstallAsst2.cab (Pearson Installation Assistant 2)
O16 - DPF: {CAFEEFAC-0015-0000-0006-ABCDEFFEDCBA} http://java.sun.com/update/1.5.0/jinstall-...indows-i586.cab (Java Plug-in 1.5.0_06)
O16 - DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} http://java.sun.com/update/1.5.0/jinstall-...indows-i586.cab (Java Plug-in 1.5.0_06)
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} http://download.macromedia.com/pub/shockwa...ash/swflash.cab (Shockwave Flash Object)
O16 - DPF: {E6D23284-0E9B-417D-A782-03E4487FC947} http://asp.mathxl.co.../MathPlayer.cab (Pearson MathXL Player)
O18 - Protocol\Handler\about {3050F406-98B5-11CF-BB82-00AA00BDCE0B} - C:\WINDOWS\system32\mshtml.dll (Microsoft Corporation)
O18 - Protocol\Handler\cdl {3dd53d40-7b8b-11D0-b013-00aa0059ce02} - C:\WINDOWS\system32\urlmon.dll (Microsoft Corporation)
O18 - Protocol\Handler\dvd {12D51199-0DB5-46FE-A120-47A3D7D937CC} - C:\WINDOWS\system32\msvidctl.dll (Microsoft Corporation)
O18 - Protocol\Handler\file {79eac9e7-baf9-11ce-8c82-00aa004ba90b} - C:\WINDOWS\system32\urlmon.dll (Microsoft Corporation)
O18 - Protocol\Handler\ftp {79eac9e3-baf9-11ce-8c82-00aa004ba90b} - C:\WINDOWS\system32\urlmon.dll (Microsoft Corporation)
O18 - Protocol\Handler\gopher {79eac9e4-baf9-11ce-8c82-00aa004ba90b} - C:\WINDOWS\system32\urlmon.dll (Microsoft Corporation)
O18 - Protocol\Handler\http {79eac9e2-baf9-11ce-8c82-00aa004ba90b} - C:\WINDOWS\system32\urlmon.dll (Microsoft Corporation)
O18 - Protocol\Handler\http\0x00000001 {E1D2BF42-A96B-11d1-9C6B-0000F875AC61} - C:\Program Files\Common Files\System\Ole DB\msdaipp.dll (Microsoft Corporation)
O18 - Protocol\Handler\http\oledb {E1D2BF40-A96B-11d1-9C6B-0000F875AC61} - C:\Program Files\Common Files\System\Ole DB\msdaipp.dll (Microsoft Corporation)
O18 - Protocol\Handler\https {79eac9e5-baf9-11ce-8c82-00aa004ba90b} - C:\WINDOWS\system32\urlmon.dll (Microsoft Corporation)
O18 - Protocol\Handler\https\0x00000001 {E1D2BF42-A96B-11d1-9C6B-0000F875AC61} - C:\Program Files\Common Files\System\Ole DB\msdaipp.dll (Microsoft Corporation)
O18 - Protocol\Handler\https\oledb {E1D2BF40-A96B-11d1-9C6B-0000F875AC61} - C:\Program Files\Common Files\System\Ole DB\msdaipp.dll (Microsoft Corporation)
O18 - Protocol\Handler\ipp - No CLSID value found
O18 - Protocol\Handler\ipp\0x00000001 {E1D2BF42-A96B-11d1-9C6B-0000F875AC61} - C:\Program Files\Common Files\System\Ole DB\msdaipp.dll (Microsoft Corporation)
O18 - Protocol\Handler\its {9D148291-B9C8-11D0-A4CC-0000F80149F6} - C:\WINDOWS\system32\itss.dll (Microsoft Corporation)
O18 - Protocol\Handler\javascript {3050F3B2-98B5-11CF-BB82-00AA00BDCE0B} - C:\WINDOWS\system32\mshtml.dll (Microsoft Corporation)
O18 - Protocol\Handler\livecall {828030A1-22C1-4009-854F-8E305202313F} - C:\Program Files\MSN Messenger\msgrapp.8.1.0178.00.dll (Microsoft Corporation)
O18 - Protocol\Handler\local {79eac9e7-baf9-11ce-8c82-00aa004ba90b} - C:\WINDOWS\system32\urlmon.dll (Microsoft Corporation)
O18 - Protocol\Handler\mailto {3050f3DA-98B5-11CF-BB82-00AA00BDCE0B} - C:\WINDOWS\system32\mshtml.dll (Microsoft Corporation)
O18 - Protocol\Handler\mhtml {05300401-BCBC-11d0-85E3-00C04FD85AB4} - C:\WINDOWS\system32\inetcomm.dll (Microsoft Corporation)
O18 - Protocol\Handler\mk {79eac9e6-baf9-11ce-8c82-00aa004ba90b} - C:\WINDOWS\system32\urlmon.dll (Microsoft Corporation)
O18 - Protocol\Handler\msdaipp - No CLSID value found
O18 - Protocol\Handler\msdaipp\0x00000001 {E1D2BF42-A96B-11d1-9C6B-0000F875AC61} - C:\Program Files\Common Files\System\Ole DB\msdaipp.dll (Microsoft Corporation)
O18 - Protocol\Handler\msdaipp\oledb {E1D2BF40-A96B-11d1-9C6B-0000F875AC61} - C:\Program Files\Common Files\System\Ole DB\msdaipp.dll (Microsoft Corporation)
O18 - Protocol\Handler\ms-its {9D148291-B9C8-11D0-A4CC-0000F80149F6} - C:\WINDOWS\system32\itss.dll (Microsoft Corporation)
O18 - Protocol\Handler\msnim {828030A1-22C1-4009-854F-8E305202313F} - C:\Program Files\MSN Messenger\msgrapp.8.1.0178.00.dll (Microsoft Corporation)
O18 - Protocol\Handler\res {3050F3BC-98B5-11CF-BB82-00AA00BDCE0B} - C:\WINDOWS\system32\mshtml.dll (Microsoft Corporation)
O18 - Protocol\Handler\sysimage {76E67A63-06E9-11D2-A840-006008059382} - C:\WINDOWS\system32\mshtml.dll (Microsoft Corporation)
O18 - Protocol\Handler\tv {CBD30858-AF45-11D2-B6D6-00C04FBBDE6E} - C:\WINDOWS\system32\msvidctl.dll (Microsoft Corporation)
O18 - Protocol\Handler\vbscript {3050F3B2-98B5-11CF-BB82-00AA00BDCE0B} - C:\WINDOWS\system32\mshtml.dll (Microsoft Corporation)
O18 - Protocol\Handler\wia {13F3EA8B-91D7-4F0A-AD76-D2853AC8BECE} - C:\WINDOWS\system32\wiascr.dll (Microsoft Corporation)
O18 - Protocol\Filter: - Class Install Handler - C:\WINDOWS\system32\urlmon.dll (Microsoft Corporation)
O18 - Protocol\Filter: - deflate - C:\WINDOWS\system32\urlmon.dll (Microsoft Corporation)
O18 - Protocol\Filter: - gzip - C:\WINDOWS\system32\urlmon.dll (Microsoft Corporation)
O18 - Protocol\Filter: - lzdhtml - C:\WINDOWS\system32\urlmon.dll (Microsoft Corporation)
O18 - Protocol\Filter: - text/webviewhtml - C:\WINDOWS\system32\shell32.dll (Microsoft Corporation)
O20 - AppInit_DLLs: (sqkmyv.dll) - File not found
O20 - HKLM Winlogon: Shell - (Explorer.exe) - C:\WINDOWS\explorer.exe (Microsoft Corporation)
O20 - HKLM Winlogon: UserInit - (C:\WINDOWS\system32\userinit.exe) - C:\WINDOWS\system32\userinit.exe (Microsoft Corporation)
O20 - HKLM Winlogon: UIHost - (logonui.exe) - C:\WINDOWS\system32\logonui.exe (Microsoft Corporation)
O20 - HKLM Winlogon: VMApplet - (rundll32 shell32) - C:\WINDOWS\system32\shell32.dll (Microsoft Corporation)
O20 - HKLM Winlogon: VMApplet - (Control_RunDLL "sysdm.cpl") - C:\WINDOWS\system32\sysdm.cpl (Microsoft Corporation)
O20 - Winlogon\Notify\crypt32chain: DllName - crypt32.dll - C:\WINDOWS\system32\crypt32.dll (Microsoft Corporation)
O20 - Winlogon\Notify\cryptnet: DllName - cryptnet.dll - C:\WINDOWS\system32\cryptnet.dll (Microsoft Corporation)
O20 - Winlogon\Notify\cscdll: DllName - cscdll.dll - C:\WINDOWS\system32\cscdll.dll (Microsoft Corporation)
O20 - Winlogon\Notify\ScCertProp: DllName - wlnotify.dll - C:\WINDOWS\system32\wlnotify.dll (Microsoft Corporation)
O20 - Winlogon\Notify\Schedule: DllName - wlnotify.dll - C:\WINDOWS\system32\wlnotify.dll (Microsoft Corporation)
O20 - Winlogon\Notify\sclgntfy: DllName - sclgntfy.dll - C:\WINDOWS\system32\sclgntfy.dll (Microsoft Corporation)
O20 - Winlogon\Notify\SensLogn: DllName - WlNotify.dll - C:\WINDOWS\system32\wlnotify.dll (Microsoft Corporation)
O20 - Winlogon\Notify\termsrv: DllName - wlnotify.dll - C:\WINDOWS\system32\wlnotify.dll (Microsoft Corporation)
O20 - Winlogon\Notify\wlballoon: DllName - wlnotify.dll - C:\WINDOWS\system32\wlnotify.dll (Microsoft Corporation)
O21 - SSODL: CDBurn - {fbeb8a05-beee-4442-804e-409d6c4515e9} - C:\WINDOWS\system32\shell32.dll (Microsoft Corporation)
O21 - SSODL: PostBootReminder - {7849596a-48ea-486e-8937-a2a3009f31a9} - C:\WINDOWS\system32\shell32.dll (Microsoft Corporation)
O21 - SSODL: SysTray - {35CEC8A3-2BE6-11D2-8773-92E220524153} - C:\WINDOWS\system32\stobject.dll (Microsoft Corporation)
O21 - SSODL: WebCheck - {E6FB5E20-DE35-11CF-9C87-00AA005127ED} - C:\WINDOWS\system32\webcheck.dll (Microsoft Corporation)
O22 - SharedTaskScheduler: {438755C2-A8BA-11D1-B96B-00A0C90312E1} - Browseui preloader - C:\WINDOWS\system32\browseui.dll (Microsoft Corporation)
O22 - SharedTaskScheduler: {8C7461EF-2B13-11d2-BE35-3078302C2030} - Component Categories cache daemon - C:\WINDOWS\system32\browseui.dll (Microsoft Corporation)
O27 - HKLM IFEO\Your Image File Name Here without a path: Debugger - C:\WINDOWS\system32\ntsd.exe (Microsoft Corporation)
O28 - HKLM ShellExecuteHooks: {AEB6717E-7E19-11d0-97EE-00C04FD91972} - C:\WINDOWS\system32\shell32.dll (Microsoft Corporation)
O29 - HKLM SecurityProviders - (msapsspc.dll) - C:\WINDOWS\system32\msapsspc.dll (Microsoft Corporation)
O29 - HKLM SecurityProviders - ( schannel.dll) - C:\WINDOWS\system32\schannel.dll (Microsoft Corporation)
O29 - HKLM SecurityProviders - ( digest.dll) - C:\WINDOWS\system32\digest.dll (Microsoft Corporation)
O29 - HKLM SecurityProviders - ( msnsspc.dll) - C:\WINDOWS\system32\msnsspc.dll (Microsoft Corporation)
O30 - LSA: Authentication Packages - (msv1_0) - C:\WINDOWS\system32\msv1_0.dll (Microsoft Corporation)
O30 - LSA: Security Packages - (kerberos) - C:\WINDOWS\system32\kerberos.dll (Microsoft Corporation)
O30 - LSA: Security Packages - (msv1_0) - C:\WINDOWS\system32\msv1_0.dll (Microsoft Corporation)
O30 - LSA: Security Packages - (schannel) - C:\WINDOWS\system32\schannel.dll (Microsoft Corporation)
O30 - LSA: Security Packages - (wdigest) - C:\WINDOWS\system32\wdigest.dll (Microsoft Corporation)
O31 - SafeBoot: AlternateShell - cmd.exe
O32 - HKLM CDRom: AutoRun - 1
O32 - Autorun File - C:\AUTOEXEC.BAT () - [ NTFS ]
========== Files/Folders - Created Within 30 Days ==========
[2009/02/12 21:07:53 | 00,491,008 | ---- | C] (OldTimer Tools) -- C:\Documents and Settings\Matt\Desktop\OTListIt2.exe
[2009/02/11 21:11:38 | 00,000,268 | -H-- | C] () -- C:\sqmdata15.sqm
[2009/02/11 21:11:38 | 00,000,244 | -H-- | C] () -- C:\sqmnoopt15.sqm
[2009/02/11 11:49:46 | 00,000,000 | ---D | C] -- C:\Documents and Settings\Matt\Application Data\Malwarebytes
[2009/02/11 11:49:35 | 00,015,504 | ---- | C] (Malwarebytes Corporation) -- C:\WINDOWS\System32\drivers\mbam.sys
[2009/02/11 11:49:35 | 00,000,696 | ---- | C] () -- C:\Documents and Settings\All Users\Desktop\Malwarebytes' Anti-Malware.lnk
[2009/02/11 11:49:33 | 00,038,496 | ---- | C] (Malwarebytes Corporation) -- C:\WINDOWS\System32\drivers\mbamswissarmy.sys
[2009/02/11 11:49:32 | 00,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Application Data\Malwarebytes
[2009/02/11 11:49:31 | 00,000,000 | ---D | C] -- C:\Program Files\Malwarebytes' Anti-Malware
[2009/02/11 11:48:55 | 02,737,824 | ---- | C] (Malwarebytes Corporation ) -- C:\Documents and Settings\Matt\Desktop\mbam-setup.exe
[2009/02/11 01:21:43 | 00,016,384 | ---- | C] () -- C:\Documents and Settings\Matt\Desktop\EXPERIENTIAL D.doc
[2009/02/10 23:26:18 | 00,129,024 | ---- | C] () -- C:\WINDOWS\System32\drdjlu.dll
[2009/02/10 23:26:17 | 00,129,024 | ---- | C] () -- C:\WINDOWS\System32\etlgryxa.dll
[2009/02/10 23:23:18 | 01,602,666 | -HS- | C] () -- C:\WINDOWS\System32\aujiaxaw.ini
[2009/02/10 21:46:00 | 05,078,248 | ---- | C] () -- C:\Documents and Settings\Matt\Desktop\The Absence of Light.mp3
[2009/02/10 17:50:32 | 00,000,268 | -H-- | C] () -- C:\sqmdata14.sqm
[2009/02/10 17:50:31 | 00,000,244 | -H-- | C] () -- C:\sqmnoopt14.sqm
[2009/02/10 08:55:52 | 12,991,488 | ---- | C] () -- C:\Documents and Settings\Matt\My Documents\INCOMPLETE~04 Nostalgia Of The Infinite (Homage to De Chirico).mp3
[2009/02/10 01:25:46 | 00,025,600 | ---- | C] () -- C:\Documents and Settings\Matt\My Documents\INCOMPLETE~03 Hermetic Discourse.mp3
[2009/02/10 00:53:31 | 00,000,000 | ---D | C] -- C:\Documents and Settings\Matt\My Documents\Ghengis Tron
[2009/02/09 23:56:14 | 15,859,487 | ---- | C] () -- C:\Documents and Settings\Matt\My Documents\02 No.mp3
[2009/02/09 23:23:59 | 01,602,667 | -HS- | C] () -- C:\WINDOWS\System32\qakvaamu.ini
[2009/02/09 23:15:53 | 00,000,314 | ---- | C] () -- C:\WINDOWS\tasks\wbteylhw.job
[2009/02/09 23:14:16 | 00,004,554 | ---- | C] () -- C:\Documents and Settings\Matt\My Documents\00-genghis_tron-board_up_the_house-2008.nfo
[2009/02/09 23:10:49 | 17,735,287 | ---- | C] () -- C:\Documents and Settings\Matt\My Documents\01 The Threshold Of Liberty.mp3
[2009/02/09 23:00:39 | 00,000,000 | ---D | C] -- C:\Documents and Settings\Matt\My Documents\Steve Moore
[2009/02/09 09:39:29 | 00,001,397 | ---- | C] () -- C:\Documents and Settings\Matt\My Documents\00-severed_saviour--servile_insurrection-promo-2008.nfo
[2009/02/09 08:39:08 | 00,000,000 | ---D | C] -- C:\Documents and Settings\Matt\My Documents\North-What You Were
[2009/02/09 08:37:37 | 00,000,000 | ---D | C] -- C:\Documents and Settings\Matt\My Documents\Zombi-Spirit Animal
[2009/01/27 15:20:04 | 03,907,661 | ---- | C] () -- C:\Documents and Settings\Matt\Desktop\02 Track 2.wma
[2009/01/27 15:19:54 | 05,704,868 | ---- | C] () -- C:\Documents and Settings\Matt\Desktop\demo -rough.mp3
[2009/01/27 15:04:15 | 04,591,744 | ---- | C] () -- C:\Documents and Settings\Matt\Desktop\real deal.mp3
[2009/01/26 18:49:13 | 00,000,000 | ---D | C] -- C:\Documents and Settings\Matt\Application Data\MSN6
[2009/01/26 18:49:13 | 00,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Application Data\MSN6
========== Files - Modified Within 30 Days ==========
[2 C:\WINDOWS\System32\*.tmp files]
[5 C:\WINDOWS\*.tmp files]
[2009/02/12 21:07:53 | 00,491,008 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\Matt\Desktop\OTListIt2.exe
[2009/02/12 17:00:00 | 00,000,314 | ---- | M] () -- C:\WINDOWS\tasks\wbteylhw.job
[2009/02/12 16:26:23 | 00,356,120 | ---- | M] () -- C:\WINDOWS\System32\PerfStringBackup.INI
[2009/02/12 16:26:23 | 00,311,604 | ---- | M] () -- C:\WINDOWS\System32\perfh009.dat
[2009/02/12 16:26:23 | 00,039,992 | ---- | M] () -- C:\WINDOWS\System32\perfc009.dat
[2009/02/12 16:22:14 | 00,000,006 | -H-- | M] () -- C:\WINDOWS\tasks\SA.DAT
[2009/02/12 16:22:09 | 00,002,048 | --S- | M] () -- C:\WINDOWS\bootstat.dat
[2009/02/12 16:21:38 | 00,003,888 | ---- | M] () -- C:\WINDOWS\System32\BMXCtrlState-{00000004-00000000-00000002-00001102-00000004-10031102}.rfx
[2009/02/12 16:21:38 | 00,003,888 | ---- | M] () -- C:\WINDOWS\System32\BMXBkpCtrlState-{00000004-00000000-00000002-00001102-00000004-10031102}.rfx
[2009/02/11 21:11:38 | 00,000,268 | -H-- | M] () -- C:\sqmdata15.sqm
[2009/02/11 21:11:38 | 00,000,244 | -H-- | M] () -- C:\sqmnoopt15.sqm
[2009/02/11 13:47:51 | 00,000,049 | ---- | M] () -- C:\WINDOWS\NeroDigital.ini
[2009/02/11 13:21:50 | 00,003,759 | ---- | M] () -- C:\WINDOWS\mozver.dat
[2009/02/11 11:49:35 | 00,000,696 | ---- | M] () -- C:\Documents and Settings\All Users\Desktop\Malwarebytes' Anti-Malware.lnk
[2009/02/11 11:49:03 | 02,737,824 | ---- | M] (Malwarebytes Corporation ) -- C:\Documents and Settings\Matt\Desktop\mbam-setup.exe
[2009/02/11 01:21:43 | 00,016,384 | ---- | M] () -- C:\Documents and Settings\Matt\Desktop\EXPERIENTIAL D.doc
[2009/02/10 23:26:18 | 00,129,024 | ---- | M] () -- C:\WINDOWS\System32\etlgryxa.dll
[2009/02/10 23:26:18 | 00,129,024 | ---- | M] () -- C:\WINDOWS\System32\drdjlu.dll
[2009/02/10 23:23:22 | 01,602,666 | -HS- | M] () -- C:\WINDOWS\System32\aujiaxaw.ini
[2009/02/10 21:54:42 | 05,078,248 | ---- | M] () -- C:\Documents and Settings\Matt\Desktop\The Absence of Light.mp3
[2009/02/10 19:15:02 | 00,002,137 | ---- | M] () -- C:\Documents and Settings\All Users\Desktop\iTunes.lnk
[2009/02/10 17:50:32 | 00,000,268 | -H-- | M] () -- C:\sqmdata14.sqm
[2009/02/10 17:50:31 | 00,000,244 | -H-- | M] () -- C:\sqmnoopt14.sqm
[2009/02/10 09:27:43 | 12,991,488 | ---- | M] () -- C:\Documents and Settings\Matt\My Documents\INCOMPLETE~04 Nostalgia Of The Infinite (Homage to De Chirico).mp3
[2009/02/10 01:30:31 | 00,025,600 | ---- | M] () -- C:\Documents and Settings\Matt\My Documents\INCOMPLETE~03 Hermetic Discourse.mp3
[2009/02/10 01:19:43 | 15,859,487 | ---- | M] () -- C:\Documents and Settings\Matt\My Documents\02 No.mp3
[2009/02/09 23:56:06 | 17,735,287 | ---- | M] () -- C:\Documents and Settings\Matt\My Documents\01 The Threshold Of Liberty.mp3
[2009/02/09 23:40:50 | 01,602,667 | -HS- | M] () -- C:\WINDOWS\System32\qakvaamu.ini
[2009/02/09 23:14:16 | 00,004,554 | ---- | M] () -- C:\Documents and Settings\Matt\My Documents\00-genghis_tron-board_up_the_house-2008.nfo
[2009/02/09 20:12:33 | 00,000,358 | -HS- | M] () -- C:\Documents and Settings\Matt\My Documents\desktop.ini
[2009/02/09 09:39:30 | 00,001,397 | ---- | M] () -- C:\Documents and Settings\Matt\My Documents\00-severed_saviour--servile_insurrection-promo-2008.nfo
[2009/02/05 21:21:02 | 00,000,284 | ---- | M] () -- C:\WINDOWS\tasks\AppleSoftwareUpdate.job
[2009/01/27 15:25:27 | 04,591,744 | ---- | M] () -- C:\Documents and Settings\Matt\Desktop\real deal.mp3
[2009/01/16 17:55:54 | 00,000,594 | ---- | M] () -- C:\Documents and Settings\Matt\My Documents\My Sharing Folders.lnk
[2009/01/15 20:36:40 | 00,000,536 | ---- | M] () -- C:\WINDOWS\dellstat.ini
[2009/01/14 16:11:32 | 00,038,496 | ---- | M] (Malwarebytes Corporation) -- C:\WINDOWS\System32\drivers\mbamswissarmy.sys
[2009/01/14 16:11:28 | 00,015,504 | ---- | M] (Malwarebytes Corporation) -- C:\WINDOWS\System32\drivers\mbam.sys
========== LOP Check ==========
[2009/02/11 11:49:32 | 00,000,000 | RH-D | M] -- C:\Documents and Settings\All Users\Application Data
[2008/09/11 03:37:45 | 00,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\{3276BE95_AF08_429F_A64F_CA64CB79BCF6}
[2008/11/20 04:31:46 | 00,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\acccore
[2008/02/11 17:08:21 | 00,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\Adobe
[2008/11/20 04:31:36 | 00,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\AOL
[2008/11/20 04:33:00 | 00,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\AOL OCP
[2008/08/21 12:14:22 | 00,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\Apple
[2008/01/01 17:13:00 | 00,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\Apple Computer
[2008/10/14 13:17:05 | 00,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\edurulib
[2008/10/15 20:23:10 | 00,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\Lavasoft
[2009/02/11 11:49:32 | 00,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\Malwarebytes
[2008/09/11 03:31:38 | 00,000,000 | --SD | M] -- C:\Documents and Settings\All Users\Application Data\Microsoft
[2009/01/26 18:49:13 | 00,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\MSN6
[2008/11/04 19:39:18 | 00,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\Soulseek
[2008/09/10 02:27:34 | 00,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\TEMP
[2008/11/20 04:31:51 | 00,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\Viewpoint
[2008/09/10 02:22:12 | 00,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\Windows Genuine Advantage
[2009/02/11 11:49:46 | 00,000,000 | RH-D | M] -- C:\Documents and Settings\Matt\Application Data
[2008/11/20 04:32:25 | 00,000,000 | ---D | M] -- C:\Documents and Settings\Matt\Application Data\acccore
[2008/04/02 12:04:18 | 00,000,000 | ---D | M] -- C:\Documents and Settings\Matt\Application Data\Adobe
[2005/10/17 19:44:11 | 00,000,000 | ---D | M] -- C:\Documents and Settings\Matt\Application Data\Aim
[2008/09/10 02:28:22 | 00,000,000 | ---D | M] -- C:\Documents and Settings\Matt\Application Data\Any Video Converter Professional
[2008/09/26 00:37:30 | 00,000,000 | ---D | M] -- C:\Documents and Settings\Matt\Application Data\Apple Computer
[2009/02/09 23:39:21 | 00,000,000 | ---D | M] -- C:\Documents and Settings\Matt\Application Data\Avant Browser
[2005/10/18 11:43:29 | 00,000,000 | ---D | M] -- C:\Documents and Settings\Matt\Application Data\Corel
[2005/10/17 20:22:39 | 00,000,000 | ---D | M] -- C:\Documents and Settings\Matt\Application Data\Creative
[2005/10/27 13:25:41 | 00,000,000 | ---D | M] -- C:\Documents and Settings\Matt\Application Data\CyberLink
[2008/09/10 02:51:00 | 00,000,000 | ---D | M] -- C:\Documents and Settings\Matt\Application Data\DivX
[2006/04/30 18:41:42 | 00,000,000 | ---D | M] -- C:\Documents and Settings\Matt\Application Data\FUJIFILM
[2005/10/19 23:35:49 | 00,000,000 | ---D | M] -- C:\Documents and Settings\Matt\Application Data\Help
[2005/12/15 23:34:12 | 00,000,000 | ---D | M] -- C:\Documents and Settings\Matt\Application Data\ICQ
[2005/10/03 22:02:51 | 00,000,000 | ---D | M] -- C:\Documents and Settings\Matt\Application Data\Identities
[2005/10/04 22:10:44 | 00,000,000 | ---D | M] -- C:\Documents and Settings\Matt\Application Data\Jasc Software Inc
[2005/10/25 22:12:24 | 00,000,000 | ---D | M] -- C:\Documents and Settings\Matt\Application Data\Leadertech
[2005/10/18 20:47:01 | 00,000,000 | ---D | M] -- C:\Documents and Settings\Matt\Application Data\Macromedia
[2009/02/11 11:49:46 | 00,000,000 | ---D | M] -- C:\Documents and Settings\Matt\Application Data\Malwarebytes
[2008/12/03 19:40:19 | 00,000,000 | --SD | M] -- C:\Documents and Settings\Matt\Application Data\Microsoft
[2006/08/21 14:06:31 | 00,000,000 | ---D | M] -- C:\Documents and Settings\Matt\Application Data\Mozilla
[2009/01/26 18:49:17 | 00,000,000 | ---D | M] -- C:\Documents and Settings\Matt\Application Data\MSN6
[2006/05/15 14:35:29 | 00,000,000 | ---D | M] -- C:\Documents and Settings\Matt\Application Data\School Zone Preferences
[2005/10/25 21:20:27 | 00,000,000 | ---D | M] -- C:\Documents and Settings\Matt\Application Data\Sonic
[2006/08/22 18:18:22 | 00,000,000 | ---D | M] -- C:\Documents and Settings\Matt\Application Data\Sun
[2006/08/21 14:06:33 | 00,000,000 | ---D | M] -- C:\Documents and Settings\Matt\Application Data\Talkback
[2009/02/03 20:34:13 | 00,000,000 | ---D | M] -- C:\Documents and Settings\Matt\Application Data\uTorrent
[2007/02/07 00:59:57 | 00,000,000 | ---D | M] -- C:\Documents and Settings\Matt\Application Data\Viewpoint
[2008/10/17 12:46:20 | 00,000,000 | ---D | M] -- C:\Documents and Settings\Matt\Application Data\WinRAR
[2009/02/05 21:21:02 | 00,000,284 | ---- | M] () -- C:\WINDOWS\Tasks\AppleSoftwareUpdate.job
[2003/07/16 15:36:49 | 00,000,065 | RH-- | M] () -- C:\WINDOWS\Tasks\desktop.ini
[2009/02/12 16:22:14 | 00,000,006 | -H-- | M] () -- C:\WINDOWS\Tasks\SA.DAT
[2009/02/12 17:00:00 | 00,000,314 | ---- | M] () -- C:\WINDOWS\Tasks\wbteylhw.job
========== Purity Check ==========
========== Alternate Data Streams ==========
@Alternate Data Stream - 101 bytes -> C:\Documents and Settings\All Users\Application Data\TEMP:661DFA1C
< End of report >
#8
Posted 13 February 2009 - 09:21 AM
Viewpoint Media Player
- Please double-click OTListIt2.exe to run it. (Note: If you are running on Vista, right-click on the file and choose Run As Administrator).
- Copy the lines in the codebox below to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose Copy):
:Processes
explorer.exe
:Files
C:\WINDOWS\System32\drdjlu.dll
C:\WINDOWS\System32\etlgryxa.dll
C:\WINDOWS\System32\aujiaxaw.ini
C:\WINDOWS\System32\qakvaamu.ini
C:\WINDOWS\tasks\wbteylhw.job
C:\Documents and Settings\All Users\Application Data\Viewpoint
C:\Documents and Settings\Matt\Application Data\Viewpoint
C:\Program Files\Viewpoint
:Commands
[emptytemp]
[start explorer]
[Reboot]
- Return to OTListIt2, right click in the "Custom Scans/Fixes" window (under the light blue bar) and choose Paste.
- Click the red Run Fix button.
- Copy everything in the Results window (under the green bar) to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose copy), and paste it in your next reply.
- Close OTListIt2
Note: If a file or folder cannot be moved immediately you may be asked to reboot the machine to finish the move process. If you are asked to reboot the machine choose Yes. In this case, after the reboot, open Notepad (Start->All Programs->Accessories->Notepad), click File->Open, in the File Name box enter *.log and press the Enter key, navigate to the C:\_OTListIt\MovedFiles folder, and open the newest .log file present, and copy/paste the contents of that document back here in your next post.
Open HijackThis, click Config, click Misc Tools
Click "Open Uninstall Manager"
Click "Save List" (generates uninstall_list.txt)
Click Save, copy and paste the results in your next post.
Please post the OTListIt2 MovedFiles log, the Uninstall list, and a new HijackThis log.
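The report above and the fix script in this post single out a small set of entries: two unattributed DLLs and two hidden+system .ini files that appeared in System32 on 2009/02/09-10, a random-named .job in C:\WINDOWS\tasks, and an O20 AppInit_DLLs value (sqkmyv.dll) that points at a DLL no longer on disk. The Python script below is added here as an illustration of how a log reader picks those lines out; it is not part of OTListIt2, HijackThis or this thread. It parses the OTListIt2 "Created Within 30 Days" and O20 line formats and applies three heuristics to a constructed sample of lines copied from the report above (plus a few benign entries for contrast). The heuristics, the seven-day window and the list of "system" directories are assumptions of the example, not rules from either tool.

```python
import re
from datetime import datetime, timedelta

# Constructed sample: a few lines copied from the OTListIt2 report in this
# thread plus benign entries for contrast. Not a complete report.
SAMPLE_LOG = r"""
O20 - AppInit_DLLs: (sqkmyv.dll) - File not found
O20 - HKLM Winlogon: Shell - (Explorer.exe) - C:\WINDOWS\explorer.exe (Microsoft Corporation)
========== Files/Folders - Created Within 30 Days ==========
[2009/02/11 11:49:35 | 00,015,504 | ---- | C] (Malwarebytes Corporation) -- C:\WINDOWS\System32\drivers\mbam.sys
[2009/02/10 23:26:18 | 00,129,024 | ---- | C] () -- C:\WINDOWS\System32\drdjlu.dll
[2009/02/10 23:26:17 | 00,129,024 | ---- | C] () -- C:\WINDOWS\System32\etlgryxa.dll
[2009/02/10 23:23:18 | 01,602,666 | -HS- | C] () -- C:\WINDOWS\System32\aujiaxaw.ini
[2009/02/10 21:46:00 | 05,078,248 | ---- | C] () -- C:\Documents and Settings\Matt\Desktop\The Absence of Light.mp3
[2009/02/09 23:23:59 | 01,602,667 | -HS- | C] () -- C:\WINDOWS\System32\qakvaamu.ini
[2009/02/09 23:15:53 | 00,000,314 | ---- | C] () -- C:\WINDOWS\tasks\wbteylhw.job
[2009/02/11 11:49:46 | 00,000,000 | ---D | C] -- C:\Documents and Settings\Matt\Application Data\Malwarebytes
"""

# "[date time | size | attrs | C/M] (vendor) -- path"; the "(vendor)" part is
# absent on directory lines and empty "()" when no company name is embedded.
FILE_LINE = re.compile(
    r"^\[(?P<ts>\d{4}/\d{2}/\d{2} \d{2}:\d{2}:\d{2}) \| (?P<size>[\d,]+) \| "
    r"(?P<attr>\S{4}) \| (?P<kind>[CM])\] (?:\((?P<vendor>[^)]*)\) )?-- (?P<path>.+)$"
)
APPINIT_LINE = re.compile(r"^O20 - AppInit_DLLs: \((?P<dll>[^)]*)\) - (?P<status>.+)$")

# Assumed "system" locations where a fresh, unattributed loadable file stands out.
SYSTEM_DIRS = (r"c:\windows\system32", r"c:\windows\tasks")
LOADABLE = {".dll", ".sys", ".exe", ".ini", ".job"}


def in_system_dir(path):
    low = path.lower()
    return any(low.startswith(d) for d in SYSTEM_DIRS)


def triage(log_text, report_date, window_days=7):
    """Return {path_or_dll: [reasons]} for entries a log reader would question.

    report_date is "YYYY/MM/DD". Heuristics (assumptions of this example):
      * unattributed (empty vendor) loadable file in a system directory,
        created within window_days of the report
      * hidden+system attributes on a file in a system directory
      * AppInit_DLLs value naming a DLL that no longer exists
    """
    findings = {}

    def flag(key, reason):
        findings.setdefault(key, []).append(reason)

    cutoff = datetime.strptime(report_date, "%Y/%m/%d") - timedelta(days=window_days)
    for line in log_text.splitlines():
        m = APPINIT_LINE.match(line)
        if m:
            if "not found" in m.group("status").lower():
                flag(m.group("dll"), "AppInit_DLLs names a missing DLL; the value should be cleared")
            continue
        m = FILE_LINE.match(line)
        if not m or "D" in m.group("attr"):
            continue  # not a file entry, or a directory
        path, attr = m.group("path"), m.group("attr")
        vendor = m.group("vendor") or ""
        if not in_system_dir(path):
            continue
        name = path.rsplit("\\", 1)[-1]
        ext = name[name.rfind("."):].lower() if "." in name else ""
        created = datetime.strptime(m.group("ts"), "%Y/%m/%d %H:%M:%S")
        if not vendor and ext in LOADABLE and created >= cutoff:
            flag(path, f"unattributed {ext} file created {created.date()} in a system directory")
        if "H" in attr and "S" in attr:
            flag(path, "hidden+system attributes on a file in a system directory")
    return findings


if __name__ == "__main__":
    # The report in this thread was produced on 2009/02/12.
    for key, reasons in triage(SAMPLE_LOG, "2009/02/12").items():
        print(key)
        for reason in reasons:
            print("   -", reason)
```

Run against the sample, the script flags exactly the five files the fix script moves plus the dangling AppInit_DLLs entry, and leaves mbam.sys (which carries a vendor name) and the user's media files alone. The "File not found" on the O20 line is worth keeping in view after a fix: it means an injection DLL was already removed or renamed, but the registry value that loads it into every process is still present and should be cleared so it cannot be re-armed by a dropped file of the same name.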
#9
Posted 13 February 2009 - 07:17 PM
Process explorer.exe killed successfully!
========== FILES ==========
DllUnregisterServer procedure not found in C:\WINDOWS\System32\drdjlu.dll
C:\WINDOWS\System32\drdjlu.dll NOT unregistered.
C:\WINDOWS\System32\drdjlu.dll moved successfully.
DllUnregisterServer procedure not found in C:\WINDOWS\System32\etlgryxa.dll
C:\WINDOWS\System32\etlgryxa.dll NOT unregistered.
C:\WINDOWS\System32\etlgryxa.dll moved successfully.
C:\WINDOWS\System32\aujiaxaw.ini moved successfully.
C:\WINDOWS\System32\qakvaamu.ini moved successfully.
C:\WINDOWS\tasks\wbteylhw.job moved successfully.
C:\Documents and Settings\All Users\Application Data\Viewpoint\AxMetaStream_Win moved successfully.
C:\Documents and Settings\All Users\Application Data\Viewpoint moved successfully.
File/Folder C:\Documents and Settings\Matt\Application Data\Viewpoint not found.
File/Folder C:\Program Files\Viewpoint not found.
========== COMMANDS ==========
User's Temp folder emptied.
User's Temporary Internet Files folder emptied.
User's Internet Explorer cache folder emptied.
Local Service Temp folder emptied.
File delete failed. C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\index.dat scheduled to be deleted on reboot.
Local Service Temporary Internet Files folder emptied.
Windows Temp folder emptied.
Java cache emptied.
File delete failed. C:\Documents and Settings\Matt\Local Settings\Application Data\Mozilla\Firefox\Profiles\2ebfjp5o.default\Cache\_CACHE_001_ scheduled to be deleted on reboot.
File delete failed. C:\Documents and Settings\Matt\Local Settings\Application Data\Mozilla\Firefox\Profiles\2ebfjp5o.default\Cache\_CACHE_002_ scheduled to be deleted on reboot.
File delete failed. C:\Documents and Settings\Matt\Local Settings\Application Data\Mozilla\Firefox\Profiles\2ebfjp5o.default\Cache\_CACHE_003_ scheduled to be deleted on reboot.
File delete failed. C:\Documents and Settings\Matt\Local Settings\Application Data\Mozilla\Firefox\Profiles\2ebfjp5o.default\Cache\_CACHE_MAP_ scheduled to be deleted on reboot.
File delete failed. C:\Documents and Settings\Matt\Local Settings\Application Data\Mozilla\Firefox\Profiles\2ebfjp5o.default\XUL.mfl scheduled to be deleted on reboot.
FireFox cache emptied.
Temp folders emptied.
Explorer started successfully
OTListIt2 by OldTimer - Version 2.0.0.11 log created on 02132009_190954
Files moved on Reboot...
File move failed. C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\index.dat scheduled to be moved on reboot.
C:\Documents and Settings\Matt\Local Settings\Application Data\Mozilla\Firefox\Profiles\2ebfjp5o.default\Cache\_CACHE_001_ moved successfully.
C:\Documents and Settings\Matt\Local Settings\Application Data\Mozilla\Firefox\Profiles\2ebfjp5o.default\Cache\_CACHE_002_ moved successfully.
C:\Documents and Settings\Matt\Local Settings\Application Data\Mozilla\Firefox\Profiles\2ebfjp5o.default\Cache\_CACHE_003_ moved successfully.
C:\Documents and Settings\Matt\Local Settings\Application Data\Mozilla\Firefox\Profiles\2ebfjp5o.default\Cache\_CACHE_MAP_ moved successfully.
C:\Documents and Settings\Matt\Local Settings\Application Data\Mozilla\Firefox\Profiles\2ebfjp5o.default\XUL.mfl moved successfully.
Registry entries deleted on Reboot...
ABBYY FineReader 5.0 Sprint Plus
Ad-Aware
Adobe Acrobat and Reader 8.1.2 Security Update 1 (KB403742)
Adobe Flash Player 10 ActiveX
Adobe Flash Player 10 Plugin
Adobe Reader 8.1.2
AIM 6
AOL Instant Messenger
Apple Mobile Device Support
Apple Software Update
Avant Browser (remove only)
BitLord 0.56
Bonjour
Conexant D850 56K V.9x DFVc Modem
Convert PowerPoint to HTML V1.20
Creative MediaSource
Dell Photo AIO Printer 922
Dell ResourceCD
Digital Line Detect
FinePixViewer Ver.4.3
FUJIFILM USB Driver
Hijackthis 1.99.1
HijackThis 2.0.2
Hotfix for Windows XP (KB952287)
IPTV Plugins
IrfanView (remove only)
iTunes
J2SE Runtime Environment 5.0 Update 6
Jasc Paint Shop Photo Album
Jasc Paint Shop Pro 8 Dell Edition
Malwarebytes' Anti-Malware
Microsoft Office PowerPoint Viewer 2003
Microsoft Office Word Viewer 2003
Mozilla Firefox (2.0.0.20)
MSN Toolbar
Nero 6 Demo
NetWaiting
Pack Vista Inspirat 1.1
PowerDVD 5.1
QuickTime
RAW FILE CONVERTER LE
RTC Client API v1.2
Security Update for Windows Media Player (KB911564)
Security Update for Windows Media Player (KB952069)
Security Update for Windows Media Player 10 (KB917734)
Security Update for Windows Media Player 10 (KB936782)
Security Update for Windows XP (KB890046)
Security Update for Windows XP (KB893756)
Security Update for Windows XP (KB896358)
Security Update for Windows XP (KB896423)
Security Update for Windows XP (KB896424)
Security Update for Windows XP (KB896428)
Security Update for Windows XP (KB899587)
Security Update for Windows XP (KB899591)
Security Update for Windows XP (KB900725)
Security Update for Windows XP (KB901017)
Security Update for Windows XP (KB901214)
Security Update for Windows XP (KB902400)
Security Update for Windows XP (KB904706)
Security Update for Windows XP (KB905414)
Security Update for Windows XP (KB905749)
Security Update for Windows XP (KB908519)
Security Update for Windows XP (KB911562)
Security Update for Windows XP (KB911927)
Security Update for Windows XP (KB912919)
Security Update for Windows XP (KB913580)
Security Update for Windows XP (KB914388)
Security Update for Windows XP (KB914389)
Security Update for Windows XP (KB917344)
Security Update for Windows XP (KB917422)
Security Update for Windows XP (KB917953)
Security Update for Windows XP (KB919007)
Security Update for Windows XP (KB920670)
Security Update for Windows XP (KB920683)
Security Update for Windows XP (KB920685)
Security Update for Windows XP (KB921398)
Security Update for Windows XP (KB921883)
Security Update for Windows XP (KB922616)
Security Update for Windows XP (KB922819)
Security Update for Windows XP (KB923191)
Security Update for Windows XP (KB923414)
Security Update for Windows XP (KB923689)
Security Update for Windows XP (KB924191)
Security Update for Windows XP (KB924496)
Security Update for Windows XP (KB938464)
Security Update for Windows XP (KB941569)
Security Update for Windows XP (KB944338-v2)
Security Update for Windows XP (KB946648)
Security Update for Windows XP (KB950749)
Security Update for Windows XP (KB950762)
Security Update for Windows XP (KB950974)
Security Update for Windows XP (KB951066)
Security Update for Windows XP (KB951376-v2)
Security Update for Windows XP (KB951698)
Security Update for Windows XP (KB951748)
Security Update for Windows XP (KB952954)
Security Update for Windows XP (KB953838)
Security Update for Windows XP (KB953839)
Security Update for Windows XP (KB954211)
Security Update for Windows XP (KB954600)
Security Update for Windows XP (KB955069)
Security Update for Windows XP (KB956390)
Security Update for Windows XP (KB956391)
Security Update for Windows XP (KB956802)
Security Update for Windows XP (KB956803)
Security Update for Windows XP (KB956841)
Security Update for Windows XP (KB957095)
Security Update for Windows XP (KB957097)
Security Update for Windows XP (KB958215)
Security Update for Windows XP (KB958644)
Security Update for Windows XP (KB958687)
Security Update for Windows XP (KB960714)
Sonic DLA
Sonic RecordNow!
Sonic Update Manager
SoulSeek 157 NS 13c
SpyNoMore 2.67
TestGen
Update for Windows XP (KB898461)
Update for Windows XP (KB908531)
Update for Windows XP (KB910437)
Update for Windows XP (KB911280)
Update for Windows XP (KB951072-v2)
Update for Windows XP (KB955839)
Vocabulary Puzzles
Windows Installer 3.1 (KB893803)
Windows Live Messenger
Windows Live Sign-in Assistant
Windows Media Format Runtime
Windows Media Player 10
Windows XP Hotfix - KB873339
Windows XP Hotfix - KB885835
Windows XP Hotfix - KB885836
Windows XP Hotfix - KB888302
Windows XP Hotfix - KB890859
Windows XP Hotfix - KB891781
Windows XP Service Pack 2
WordPerfect Office 12
#10
Posted 13 February 2009 - 09:56 PM
Upgrading Java:
- Download the latest version of Java SE Runtime Environment (JRE) JRE 6 Update 12.
- Click the "Download" button to the right.
- Select your Platform and check the box that says: "I agree to the Java SE Runtime Environment 6 License Agreement.".
- Click on Continue.
- Click on the link to download Windows Offline Installation (jre-6u12-windows-i586-p.exe) and save it to your desktop. Do NOT use the Sun Download Manager.
- Close any programs you may have running - especially your web browser.
- Go to Start > Control Panel, double-click on Add/Remove programs and remove all older versions of Java.
- Check any item with Java Runtime Environment (JRE or J2SE) in the name.
- Click the Remove or Change/Remove button.
- Repeat as many times as necessary to remove each Java version.
- Reboot your computer once all Java components are removed.
- Then from your desktop double-click on the download to install the newest version.(Vista users, right click on the jre-6u12-windows-i586-p.exe and select "Run as an Administrator.")
Please go to Start > Control Panel > Add/Remove Programs and remove the following (if present):
J2SE Runtime Environment 5.0 Update 6
Please do an online scan with Kaspersky WebScanner
- Read through the requirements and privacy statement and click on Accept button.
- It will start downloading and installing the scanner and virus definitions. You will be prompted to install an application from Kaspersky. Click Run.
- When the downloads have finished, click on Settings.
- Make sure the following are checked:
  - Spyware, Adware, Dialers, and other potentially dangerous programs
  - Archives
  - Mail databases
#11
Posted 15 February 2009 - 12:51 AM
KASPERSKY ONLINE SCANNER 7 REPORT
Sunday, February 15, 2009
Operating System: Microsoft Windows XP Home Edition Service Pack 2 (build 2600)
Kaspersky Online Scanner 7 version: 7.0.25.0
Program database last update: Saturday, February 14, 2009 21:19:29
Records in database: 1797429
--------------------------------------------------------------------------------
Scan settings:
Scan using the following database: extended
Scan archives: yes
Scan mail databases: yes
Scan area - My Computer:
C:\
D:\
E:\
Scan statistics:
Files scanned: 264331
Threat name: 18
Infected objects: 33
Suspicious objects: 0
Duration of the scan: 03:46:08
File name / Threat name / Threats count
C:\Documents and Settings\All Users\Application Data\edurulib\yfmvqfsf.exe Infected: Trojan-Downloader.Win32.Obfuscated.dtl 1
C:\Documents and Settings\Matt\Local Settings\Temporary Internet Files\Content.IE5\DTSM8NLF\Binaries2[1].cab Infected: Trojan.Win32.Agent.akkh 1
C:\Documents and Settings\Matt\Local Settings\Temporary Internet Files\Content.IE5\DTSM8NLF\Binaries2[1].cab Infected: not-a-virus:FraudTool.Win32.XPSecurityCenter.ba 1
C:\Documents and Settings\Matt\My Documents\Downloads\kasperskyvirusremoval\KasperskyVRT.rar Infected: not-a-virus:PSWTool.Win32.FirePass.r 1
C:\Documents and Settings\Matt\My Documents\Downloads\kasperskyvirusremoval\KasperskyVRT.rar Infected: not-a-virus:PSWTool.Win32.IEPassView.e 1
C:\Documents and Settings\Matt\My Documents\Downloads\Snoop Dogg - Ego Trippin(2008).rar Infected: Trojan.Win32.Monder.gen 4
C:\Documents and Settings\NetworkService\Local Settings\Temporary Internet Files\Content.IE5\23NI69E7\count[1].htm Infected: Exploit.JS.Pdfka.al 1
C:\Documents and Settings\NetworkService\Local Settings\Temporary Internet Files\Content.IE5\23NI69E7\index[2].htm Infected: Trojan-Downloader.JS.Tabletka.a 1
C:\Documents and Settings\NetworkService\Local Settings\Temporary Internet Files\Content.IE5\903IZBTZ\smain[1].htm Infected: Trojan-Downloader.JS.Psyme.amg 1
C:\Documents and Settings\NetworkService\Local Settings\Temporary Internet Files\Content.IE5\903IZBTZ\smain[2].htm Infected: Trojan-Downloader.JS.Psyme.amg 1
C:\Documents and Settings\NetworkService\Local Settings\Temporary Internet Files\Content.IE5\EWLBJ6LN\smain[1].htm Infected: Trojan-Downloader.JS.Psyme.amg 1
C:\Documents and Settings\NetworkService\Local Settings\Temporary Internet Files\Content.IE5\J9VW53JC\smain[1].htm Infected: Trojan-Downloader.JS.Psyme.amg 1
C:\SDFix\backups\backups.zip Infected: Trojan.Win32.FraudPack.gfc 1
C:\SDFix\backups\backups.zip Infected: Trojan.Win32.Agent.akkh 1
C:\SDFix\backups\backups.zip Infected: not-a-virus:FraudTool.Win32.XPSecurityCenter.ba 1
C:\SDFix\backups\backups.zip Infected: Trojan-Downloader.Win32.FraudLoad.vcow 1
C:\SDFix\backups\backups.zip Infected: not-a-virus:FraudTool.Win32.XPSecurityCenter.az 1
C:\SDFix\backups\catchme.zip Infected: Backdoor.Win32.UltimateDefender.a 2
C:\WINDOWS\7h0.sys Infected: Trojan.Win32.Kolweb.g 1
C:\WINDOWS\cl2.exe Infected: Trojan.Win32.Kolweb.h 1
C:\WINDOWS\system32\1oir.dll Infected: Trojan.Win32.Kolweb.f 1
C:\WINDOWS\system32\1rdM8Rpu.exe Infected: Trojan-Downloader.Win32.Firu.anj 1
C:\WINDOWS\system32\7h0.sys Infected: Trojan.Win32.Kolweb.g 1
C:\WINDOWS\system32\9q6t1.dll Infected: Trojan.Win32.Kolweb.f 1
C:\WINDOWS\system32\cl2.exe Infected: Trojan.Win32.Kolweb.h 1
C:\WINDOWS\system32\d50ru.exe Infected: Trojan.Win32.Kolweb.g 1
C:\WINDOWS\system32\ubxtr.exe Infected: Trojan.Win32.Kolweb.g 1
C:\_OTListIt\MovedFiles\02132009_190954\WINDOWS\System32\drdjlu.dll Infected: not-a-virus:AdWare.Win32.SuperJuan.iwr 1
C:\_OTListIt\MovedFiles\02132009_190954\WINDOWS\System32\etlgryxa.dll Infected: not-a-virus:AdWare.Win32.SuperJuan.iwr 1
The selected area was scanned.
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 01:51:03, on 2/15/2009
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\WINDOWS\System32\CTSvcCDA.EXE
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\MsPMSPSv.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\Dell Photo AIO Printer 922\dlbtbmgr.exe
C:\WINDOWS\system32\dla\tfswctrl.exe
C:\Program Files\Dell Photo AIO Printer 922\dlbtbmon.exe
C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe
C:\Program Files\SpyNoMore\SNM.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\MSN Messenger\MsnMsgr.Exe
C:\Program Files\AIM6\aim6.exe
C:\Program Files\Digital Line Detect\DLG.exe
C:\Program Files\AIM6\aolsoftware.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\iTunes\iTunes.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
O2 - BHO: MSNToolBandBHO - {BDBD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\MSN Apps\MSN Toolbar\01.02.5000.1021\en-us\msntb.dll
O2 - BHO: Java Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O3 - Toolbar: MSN - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\MSN Apps\MSN Toolbar\01.02.5000.1021\en-us\msntb.dll
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [Dell Photo AIO Printer 922] "C:\Program Files\Dell Photo AIO Printer 922\dlbtbmgr.exe"
O4 - HKLM\..\Run: [dla] C:\WINDOWS\system32\dla\tfswctrl.exe
O4 - HKLM\..\Run: [UpdateManager] "C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" /r
O4 - HKLM\..\Run: [REGSHAVE] C:\Program Files\REGSHAVE\REGSHAVE.EXE /AUTORUN
O4 - HKLM\..\Run: [DVDLauncher] "C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe"
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [SNM] C:\Program Files\SpyNoMore\SNM.exe /startup
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [Aim6] "C:\Program Files\AIM6\aim6.exe" /d locale=en-US ee://aol/imApp
O4 - HKUS\S-1-5-18\..\Run: [AdobeUpdater] C:\Program Files\Common Files\Adobe\Updater5\AdobeUpdater.exe (User 'SYSTEM')
O4 - HKUS\S-1-5-18\..\Run: [SVCHOST.EXE] C:\WINDOWS\system32\drivers\svchost.exe (User 'SYSTEM')
O4 - HKUS\S-1-5-18\..\Run: [xrt_Shell] C:\WINDOWS\system32\config\systemprofile\xrt_hxyc.exe (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [AdobeUpdater] C:\Program Files\Common Files\Adobe\Updater5\AdobeUpdater.exe (User 'Default user')
O4 - Global Startup: Digital Line Detect.lnk = ?
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O10 - Unknown file in Winsock LSP: c:\windows\system32\nwprovau.dll
O14 - IERESET.INF: START_PAGE_URL=http://www.savewealth.com
O16 - DPF: {37A273C2-5129-11D5-BF37-00A0CCE8754B} (TTestGenXInstallObject) - http://asp.mathxl.com/wizmodules/testgen/i...GenXInstall.cab
O16 - DPF: {95D88B35-A521-472B-A182-BB1A98356421} (Pearson Installation Assistant 2) - http://asp.mathxl.co...nstallAsst2.cab
O16 - DPF: {E6D23284-0E9B-417D-A782-03E4487FC947} (Pearson MathXL Player) - http://asp.mathxl.co.../MathPlayer.cab
O20 - AppInit_DLLs: sqkmyv.dll
O23 - Service: Lavasoft Ad-Aware Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\System32\CTSvcCDA.EXE
O23 - Service: dlbt_device - Dell - C:\WINDOWS\System32\dlbtcoms.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
--
End of file - 5437 bytes
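A scan report like the one above lists every detection, but the path tells you whether an item is still live. As an added example (not Kaspersky's tool and not code from this thread), the Python below parses "path Infected: threat count" lines and sorts them by location: copies under C:\SDFix\backups and C:\_OTListIt\MovedFiles were already pulled out of service by earlier tools, Temporary Internet Files entries go away with an [emptytemp], downloaded archives are inert until someone opens them, and only the remainder is code that can run. The location rules and the sample (a subset of the report lines above) are assumptions made for the example.

```python
"""Sort Kaspersky Online Scanner report lines by where the file lives.
Added example for this thread; not Kaspersky's code."""
import re
from collections import defaultdict
from pathlib import PureWindowsPath

# Subset of the report lines posted in the thread (verbatim).
REPORT = r"""
C:\Documents and Settings\All Users\Application Data\edurulib\yfmvqfsf.exe Infected: Trojan-Downloader.Win32.Obfuscated.dtl 1
C:\Documents and Settings\Matt\Local Settings\Temporary Internet Files\Content.IE5\DTSM8NLF\Binaries2[1].cab Infected: Trojan.Win32.Agent.akkh 1
C:\Documents and Settings\Matt\My Documents\Downloads\Snoop Dogg - Ego Trippin(2008).rar Infected: Trojan.Win32.Monder.gen 4
C:\Documents and Settings\NetworkService\Local Settings\Temporary Internet Files\Content.IE5\23NI69E7\count[1].htm Infected: Exploit.JS.Pdfka.al 1
C:\SDFix\backups\backups.zip Infected: Trojan.Win32.FraudPack.gfc 1
C:\SDFix\backups\catchme.zip Infected: Backdoor.Win32.UltimateDefender.a 2
C:\WINDOWS\7h0.sys Infected: Trojan.Win32.Kolweb.g 1
C:\WINDOWS\system32\1oir.dll Infected: Trojan.Win32.Kolweb.f 1
C:\_OTListIt\MovedFiles\02132009_190954\WINDOWS\System32\drdjlu.dll Infected: not-a-virus:AdWare.Win32.SuperJuan.iwr 1
"""

LINE = re.compile(r"^(?P<path>.+?) Infected: (?P<threat>\S+) (?P<count>\d+)$")

# Folders other tools already moved files into (assumption: treat as inert).
QUARANTINE_PREFIXES = ("c:\\sdfix\\backups\\", "c:\\_otlistit\\movedfiles\\")
ARCHIVE_SUFFIXES = {".zip", ".rar", ".cab"}


def parse_report(text):
    """Return one dict per 'path Infected: threat count' line; skip the rest."""
    rows = []
    for raw in text.splitlines():
        m = LINE.match(raw.strip())
        if m:
            rows.append({"path": m["path"], "threat": m["threat"],
                         "count": int(m["count"])})
    return rows


def classify(path):
    """Bucket a path: quarantine, browser-cache, archive, live-system, live-user.
    Order matters: a .cab inside the IE cache is cache, not a download."""
    low = path.lower()
    if low.startswith(QUARANTINE_PREFIXES):
        return "quarantine"
    if "\\temporary internet files\\" in low:
        return "browser-cache"
    if PureWindowsPath(path).suffix.lower() in ARCHIVE_SUFFIXES:
        return "archive"
    if low.startswith("c:\\windows\\"):
        return "live-system"
    return "live-user"


def triage(text):
    """Group parsed rows by bucket, preserving report order inside each."""
    buckets = defaultdict(list)
    for row in parse_report(text):
        buckets[classify(row["path"])].append(row)
    return dict(buckets)


def threat_totals(text):
    """Detections per threat name, summed over every location."""
    totals = defaultdict(int)
    for row in parse_report(text):
        totals[row["threat"]] += row["count"]
    return dict(totals)


def fix_candidates(text):
    """Paths a removal script still has to name: live files plus downloaded
    archives.  Cache entries are cleared by [emptytemp]; quarantine copies
    are already inert and get deleted with their folder at the end."""
    b = triage(text)
    return [r["path"] for key in ("live-system", "live-user", "archive")
            for r in b.get(key, [])]


if __name__ == "__main__":
    for bucket, rows in sorted(triage(REPORT).items()):
        print(bucket)
        for r in rows:
            print(f"  {r['threat']:45} {r['path']}")
    print("still to fix:", *fix_candidates(REPORT), sep="\n  ")
```

On the sample, fix_candidates returns exactly the kind of list the next fix script names (the two C:\WINDOWS files, the edurulib executable and the downloaded .rar) and leaves the SDFix and MovedFiles copies and the cache hits out, which is the distinction to make before writing a :Files section.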
#12
Posted 15 February 2009 - 01:30 PM
- Please double-click OTListIt2.exe to run it. (Note: If you are running on Vista, right-click on the file and choose Run As Administrator).
- Copy the lines in the codebox below to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose Copy):
:Processes
explorer.exe
:Files
C:\Documents and Settings\All Users\Application Data\edurulib\yfmvqfsf.exe
C:\Documents and Settings\Matt\My Documents\Downloads\kasperskyvirusremoval\KasperskyVRT.rar
C:\Documents and Settings\Matt\My Documents\Downloads\Snoop Dogg - Ego Trippin(2008).rar
C:\WINDOWS\7h0.sys
C:\WINDOWS\cl2.exe
C:\WINDOWS\system32\1oir.dll
C:\WINDOWS\system32\1rdM8Rpu.exe
C:\WINDOWS\system32\7h0.sys
C:\WINDOWS\system32\9q6t1.dll
C:\WINDOWS\system32\cl2.exe
C:\WINDOWS\system32\d50ru.exe
C:\WINDOWS\system32\ubxtr.exe
:Commands
[emptytemp]
[start explorer]
[Reboot]
- Return to OTListIt2, right click in the "Custom Scans/Fixes" window (under the light blue bar) and choose Paste.
- Click the red Run Fix button.
- Copy everything in the Results window (under the green bar) to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose copy), and paste it in your next reply.
- Close OTListIt2
Note: If a file or folder cannot be moved immediately you may be asked to reboot the machine to finish the move process. If you are asked to reboot the machine choose Yes. In this case, after the reboot, open Notepad (Start->All Programs->Accessories->Notepad), click File->Open, in the File Name box enter *.log and press the Enter key, navigate to the C:\_OTListIt\MovedFiles folder, and open the newest .log file present, and copy/paste the contents of that document back here in your next post, along with a new HijackThis log.
Is your computer running better now?
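The fix scripts in #8 and #12 share one format: a :Processes section, a :Files section and a :Commands section, and the tool answers with "moved successfully" or "not found" per path and parks what it moved under C:\_OTListIt\MovedFiles\<timestamp>. As an added example (not OldTimer's code and not from this thread), the Python below parses that format and replays the :Files section against a throw-away sandbox directory, reproducing the MovedFiles layout and the log wording. Assumptions: the drive letter becomes a folder under the sandbox root, the script text is the #12 one trimmed to four paths, the two files planted in the sandbox are constructed placeholders, and process killing, DllUnregisterServer and the [emptytemp]/[Reboot] commands are only recorded, not performed.

```python
r"""Parse an OTListIt2-style fix script and replay its :Files section in a
sandbox.  Added example for this thread; not OldTimer's code."""
import shutil
import tempfile
from datetime import datetime
from pathlib import Path, PureWindowsPath

# Fix script from post #12, trimmed to four of its paths.
FIX_SCRIPT = r"""
:Processes
explorer.exe
:Files
C:\Documents and Settings\All Users\Application Data\edurulib\yfmvqfsf.exe
C:\WINDOWS\7h0.sys
C:\WINDOWS\system32\1oir.dll
C:\WINDOWS\system32\cl2.exe
:Commands
[emptytemp]
[start explorer]
[Reboot]
"""


def parse_fix_script(text):
    """Split the script into sections keyed by the ':name' header (lower-cased).
    Every non-blank line after a header belongs to that header."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.startswith(":"):
            current = line[1:].lower()
            sections.setdefault(current, [])
        elif current is None:
            raise ValueError(f"directive before any section header: {line!r}")
        else:
            sections[current].append(line)
    return sections


def to_sandbox(win_path, root):
    r"""Map C:\WINDOWS\x.dll onto <root>/C/WINDOWS/x.dll (assumption: the drive
    letter becomes a folder, so the script can be replayed on any OS)."""
    p = PureWindowsPath(win_path)
    return Path(root, p.drive.rstrip(":"), *p.parts[1:])


def apply_files(sections, root, stamp=None):
    """Move every :Files entry to <root>/_OTListIt/MovedFiles/<stamp>/<path
    without drive>, as OTListIt2 does, and return log lines in its wording.
    DllUnregisterServer is not attempted here."""
    stamp = stamp or datetime.now().strftime("%m%d%Y_%H%M%S")
    quarantine = Path(root, "_OTListIt", "MovedFiles", stamp)
    log = []
    for entry in sections.get("files", []):
        src = to_sandbox(entry, root)
        if not src.exists():
            log.append(f"File/Folder {entry} not found.")
            continue
        rel = src.relative_to(root).parts[1:]      # drop the drive folder
        dst = quarantine.joinpath(*rel)
        dst.parent.mkdir(parents=True, exist_ok=True)
        shutil.move(str(src), str(dst))            # works for files and folders
        log.append(f"{entry} moved successfully.")
    return log


def plan_rest(sections):
    """Processes and commands are only recorded: killing explorer.exe,
    [emptytemp] and [Reboot] are not replayed in the sandbox."""
    return {"kill": sections.get("processes", []),
            "commands": sections.get("commands", [])}


def demo(stamp="02152009_160520"):
    """Build a sandbox holding two of the four targets, replay, report."""
    root = Path(tempfile.mkdtemp(prefix="otlistit_"))
    for present in (r"C:\WINDOWS\7h0.sys", r"C:\WINDOWS\system32\cl2.exe"):
        target = to_sandbox(present, root)
        target.parent.mkdir(parents=True, exist_ok=True)
        target.write_bytes(b"constructed placeholder, not a real sample")
    sections = parse_fix_script(FIX_SCRIPT)
    log = apply_files(sections, root, stamp)
    moved = Path(root, "_OTListIt", "MovedFiles", stamp, "WINDOWS", "7h0.sys")
    return {"sections": sections, "log": log,
            "quarantined": moved.is_file(),
            "source_gone": not to_sandbox(r"C:\WINDOWS\7h0.sys", root).exists()}


if __name__ == "__main__":
    result = demo()
    print(*result["log"], sep="\n")
    print(plan_rest(result["sections"]))
```

Running demo() prints the same four-line shape the #13 log shows: the two planted files report "moved successfully" and land under _OTListIt\MovedFiles\02152009_160520\WINDOWS\..., the two absent ones report "not found". Moving rather than deleting is what makes the later Kaspersky hits on C:\_OTListIt\MovedFiles expected; that folder is removed as a final clean-up step, not treated as a live infection.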
#13
Posted 15 February 2009 - 03:10 PM
Process explorer.exe killed successfully!
========== FILES ==========
C:\Documents and Settings\All Users\Application Data\edurulib\yfmvqfsf.exe moved successfully.
C:\Documents and Settings\Matt\My Documents\Downloads\kasperskyvirusremoval\KasperskyVRT.rar moved successfully.
C:\Documents and Settings\Matt\My Documents\Downloads\Snoop Dogg - Ego Trippin(2008).rar moved successfully.
C:\WINDOWS\7h0.sys moved successfully.
C:\WINDOWS\cl2.exe moved successfully.
C:\WINDOWS\system32\1oir.dll unregistered successfully.
C:\WINDOWS\system32\1oir.dll moved successfully.
C:\WINDOWS\system32\1rdM8Rpu.exe moved successfully.
C:\WINDOWS\system32\7h0.sys moved successfully.
C:\WINDOWS\system32\9q6t1.dll unregistered successfully.
C:\WINDOWS\system32\9q6t1.dll moved successfully.
C:\WINDOWS\system32\cl2.exe moved successfully.
C:\WINDOWS\system32\d50ru.exe moved successfully.
C:\WINDOWS\system32\ubxtr.exe moved successfully.
========== COMMANDS ==========
User's Temp folder emptied.
User's Temporary Internet Files folder emptied.
User's Internet Explorer cache folder emptied.
Local Service Temp folder emptied.
File delete failed. C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\index.dat scheduled to be deleted on reboot.
Local Service Temporary Internet Files folder emptied.
File delete failed. C:\WINDOWS\temp\Perflib_Perfdata_620.dat scheduled to be deleted on reboot.
Windows Temp folder emptied.
Java cache emptied.
File delete failed. C:\Documents and Settings\Matt\Local Settings\Application Data\Mozilla\Firefox\Profiles\2ebfjp5o.default\Cache\_CACHE_001_ scheduled to be deleted on reboot.
File delete failed. C:\Documents and Settings\Matt\Local Settings\Application Data\Mozilla\Firefox\Profiles\2ebfjp5o.default\Cache\_CACHE_002_ scheduled to be deleted on reboot.
File delete failed. C:\Documents and Settings\Matt\Local Settings\Application Data\Mozilla\Firefox\Profiles\2ebfjp5o.default\Cache\_CACHE_003_ scheduled to be deleted on reboot.
File delete failed. C:\Documents and Settings\Matt\Local Settings\Application Data\Mozilla\Firefox\Profiles\2ebfjp5o.default\Cache\_CACHE_MAP_ scheduled to be deleted on reboot.
File delete failed. C:\Documents and Settings\Matt\Local Settings\Application Data\Mozilla\Firefox\Profiles\2ebfjp5o.default\XUL.mfl scheduled to be deleted on reboot.
FireFox cache emptied.
Temp folders emptied.
Explorer started successfully
OTListIt2 by OldTimer - Version 2.0.0.11 log created on 02152009_160520
Files moved on Reboot...
File move failed. C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\index.dat scheduled to be moved on reboot.
File C:\WINDOWS\temp\Perflib_Perfdata_620.dat not found!
C:\Documents and Settings\Matt\Local Settings\Application Data\Mozilla\Firefox\Profiles\2ebfjp5o.default\Cache\_CACHE_001_ moved successfully.
C:\Documents and Settings\Matt\Local Settings\Application Data\Mozilla\Firefox\Profiles\2ebfjp5o.default\Cache\_CACHE_002_ moved successfully.
C:\Documents and Settings\Matt\Local Settings\Application Data\Mozilla\Firefox\Profiles\2ebfjp5o.default\Cache\_CACHE_003_ moved successfully.
C:\Documents and Settings\Matt\Local Settings\Application Data\Mozilla\Firefox\Profiles\2ebfjp5o.default\Cache\_CACHE_MAP_ moved successfully.
C:\Documents and Settings\Matt\Local Settings\Application Data\Mozilla\Firefox\Profiles\2ebfjp5o.default\XUL.mfl moved successfully.
Registry entries deleted on Reboot...
Yes, it's running much better... thank you. I am still getting some Windows security alert pop-ups at the bottom of the screen... I don't know if that's bad or not.
#14
Posted 15 February 2009 - 04:10 PM
#15
Posted 15 February 2009 - 05:39 PM
