Trojan SHeur2, Trojan Agent, Rundll32 problems - have popups, lagging,

#1 kristen08 (New Member, 4 posts)
My computer has been lagging, there's constant popups and redirected searches, and I get a rundll32 error quite often. I have AVG and it's detected these Trojans but I can't seem to get rid of them. I also have a HijackThis log but I don't know how to analyze it. Could someone PLEASE help?

#2 kahdah (GeekU Teacher, Retired Staff, 15,822 posts)
Hello kristen08

Welcome to G2Go. :)
=====================
  • Download OTListIt2 to your desktop.
  • Double click on the icon to run it. Make sure all other windows are closed and to let it run uninterrupted.
  • When the window appears, underneath Output at the top change it to Minimal Output.
  • Under the Standard Registry box change it to All.
  • Check the boxes beside LOP Check and Purity Check.
  • Click the Run Scan button. Do not change any settings unless otherwise told to do so. The scan won't take long.
  • When the scan completes, it will open two notepad windows. OTListIt.Txt and Extras.Txt. These are saved in the same location as OTListIt2.
  • Please copy (Edit->Select All, Edit->Copy) the contents of these files, one at a time, and post it with your next reply.
===========
Download the GMER Rootkit Scanner.
Click the Download exe button and save the randomly named file to your Desktop.

Before scanning, make sure all other running programs are closed and no other actions like a scheduled antivirus scan will occur while the scan is being performed. Do not use your computer for anything else during the scan.

Double-click randomlynamed.exe. The program will begin to run.

**Caution**
These types of scans can produce false positives. Do NOT take any action on any
"<--- ROOTKIT" entries unless advised!

If possible rootkit activity is found, you will be asked if you would like to perform a full scan.
  • Click NO
  • In the right panel, you will see a bunch of boxes that have been checked ... leave everything checked and ensure the Show all box is un-checked.
  • Now click the Scan button.
    Once the scan is complete, you may receive another notice about rootkit activity.
  • Click OK.
  • GMER will produce a log. Click on the [Save..] button, and in the File name area, type in "GMER.txt"
  • Save it where you can easily find it, such as your desktop.
Post the contents of GMER.txt in your next reply.

#3 kristen08 (Topic Starter, New Member, 4 posts)
Contents of OTListIt.Txt

OTListIt logfile created on: 3/26/2009 1:18:02 PM - Run 1
OTListIt2 by OldTimer - Version 2.0.7.2 Folder = C:\Documents and Settings\Owner\Desktop
Windows XP Media Center Edition Service Pack 3 (Version = 5.1.2600) - Type = NTWorkstation
Internet Explorer (Version = 7.0.5730.13)
Locale: 00000409 | Country: United States | Language: ENU | Date Format: M/d/yyyy

893.57 Mb Total Physical Memory | 320.54 Mb Available Physical Memory | 35.87% Memory free
2.11 Gb Paging File | 1.51 Gb Available in Paging File | 71.59% Paging File free
Paging file location(s): C:\pagefile.sys 1344 2688;

%SystemDrive% = C: | %SystemRoot% = C:\WINDOWS | %ProgramFiles% = C:\Program Files
Drive C: | 181.01 Gb Total Space | 123.90 Gb Free Space | 68.45% Space Free | Partition Type: NTFS
Drive D: | 5.28 Gb Total Space | 2.12 Gb Free Space | 40.07% Space Free | Partition Type: FAT32
E: Drive not present or media not loaded
F: Drive not present or media not loaded
G: Drive not present or media not loaded
H: Drive not present or media not loaded
I: Drive not present or media not loaded

Computer Name: YOUR-B127DF9F9E
Current User Name: Owner
Logged in as Administrator.

Current Boot Mode: Normal
Scan Mode: Current user
Output = Minimal
File Age = 30 Days
Company Name Whitelist: On

========== Processes (SafeList) ==========

PRC - C:\WINDOWS\system32\Ati2evxx.exe (ATI Technologies Inc.)
PRC - C:\WINDOWS\system32\Ati2evxx.exe (ATI Technologies Inc.)
PRC - C:\Program Files\Google\Update\GoogleUpdate.exe (Google Inc.)
PRC - C:\WINDOWS\Explorer.EXE (Microsoft Corporation)
PRC - C:\WINDOWS\ehome\ehtray.exe (Microsoft Corporation)
PRC - C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe ()
PRC - C:\Program Files\Digital Media Reader\readericon45G.exe (Alcor Micro, Corp.)
PRC - C:\WINDOWS\RTHDCPL.EXE (Realtek Semiconductor Corp.)
PRC - C:\WINDOWS\zHotkey.exe ()
PRC - C:\Program Files\Common Files\AOL\AOL Spyware Protection\AOLSP Scheduler.exe ()
PRC - C:\Program Files\QuickTime\QTTask.exe (Apple Inc.)
PRC - C:\Program Files\iTunes\iTunesHelper.exe (Apple Inc.)
PRC - C:\Program Files\Google\Google Desktop Search\GoogleDesktopIndex.exe ()
PRC - C:\Program Files\McAfee.com\Agent\mcagent.exe (McAfee, Inc.)
PRC - C:\Program Files\Common Files\AOL\1234482231\EE\AOLHostManager.exe (America Online, Inc.)
PRC - C:\Program Files\SiteAdvisor\6173\SiteAdv.exe ()
PRC - C:\Program Files\MSN Messenger\MsnMsgr.Exe (Microsoft Corporation)
PRC - C:\Program Files\BigFix\bigfix.exe (BigFix Inc.)
PRC - C:\Program Files\Common Files\AOL\1234482231\EE\AOLServiceHost.exe (America Online, Inc.)
PRC - C:\Program Files\Common Files\AOL\ACS\AOLAcsd.exe (America Online)
PRC - C:\Program Files\Common Files\AOL\TopSpeed\2.0\aoltsmon.exe (America Online, Inc)
PRC - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe (Apple Inc.)
PRC - C:\Program Files\Common Files\AOL\TopSpeed\2.0\aoltpspd.exe (America Online Inc)
PRC - C:\Program Files\Bonjour\mDNSResponder.exe (Apple Inc.)
PRC - C:\WINDOWS\eHome\ehRecvr.exe (Microsoft Corporation)
PRC - C:\WINDOWS\eHome\ehSched.exe (Microsoft Corporation)
PRC - C:\Program Files\McAfee\MSC\mcmscsvc.exe (McAfee, Inc.)
PRC - c:\Program Files\Common Files\McAfee\MNA\McNASvc.exe (McAfee, Inc.)
PRC - c:\Program Files\Common Files\McAfee\McProxy\McProxy.exe (McAfee, Inc.)
PRC - C:\Program Files\McAfee\VirusScan\Mcshield.exe (McAfee, Inc.)
PRC - C:\Program Files\Common Files\New Boundary\PrismXL\PRISMXL.SYS (New Boundary Technologies, Inc.)
PRC - C:\Program Files\SiteAdvisor\6173\SAService.exe ()
PRC - C:\WINDOWS\ehome\mcrdsvc.exe (Microsoft Corporation)
PRC - C:\Program Files\iPod\bin\iPodService.exe (Apple Inc.)
PRC - C:\WINDOWS\eHome\ehmsas.exe (Microsoft Corporation)
PRC - C:\Program Files\McAfee\VirusScan\mcsysmon.exe (McAfee, Inc.)
PRC - C:\Program Files\Internet Explorer\IEXPLORE.EXE (Microsoft Corporation)
PRC - C:\Program Files\Internet Explorer\IEXPLORE.EXE (Microsoft Corporation)
PRC - C:\Documents and Settings\Owner\Desktop\OTListIt2.exe (OldTimer Tools)

========== Win32 Services (SafeList) ==========

SRV - (AOL ACS [Auto | Running]) -- C:\Program Files\Common Files\AOL\ACS\AOLAcsd.exe (America Online)
SRV - (AOL TopSpeedMonitor [Auto | Running]) -- C:\Program Files\Common Files\AOL\TopSpeed\2.0\aoltsmon.exe (America Online, Inc)
SRV - (Apple Mobile Device [Auto | Running]) -- C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe (Apple Inc.)
SRV - (aspnet_state [On_Demand | Stopped]) -- C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\aspnet_state.exe (Microsoft Corporation)
SRV - (Ati HotKey Poller [Auto | Running]) -- C:\WINDOWS\system32\Ati2evxx.exe (ATI Technologies Inc.)
SRV - (ATI Smart [Auto | Stopped]) -- C:\WINDOWS\system32\ati2sgag.exe ()
SRV - (Bonjour Service [Auto | Running]) -- C:\Program Files\Bonjour\mDNSResponder.exe (Apple Inc.)
SRV - (clr_optimization_v2.0.50727_32 [On_Demand | Stopped]) -- C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe (Microsoft Corporation)
SRV - (ehRecvr [Auto | Running]) -- C:\WINDOWS\eHome\ehRecvr.exe (Microsoft Corporation)
SRV - (ehSched [Auto | Running]) -- C:\WINDOWS\eHome\ehSched.exe (Microsoft Corporation)
SRV - (gupdate1c9917bc4e3b1d2 [Auto | Stopped]) -- C:\Program Files\Google\Update\GoogleUpdate.exe (Google Inc.)
SRV - (helpsvc [Auto | Running]) -- C:\WINDOWS\PCHealth\HelpCtr\Binaries\pchsvc.dll (Microsoft Corporation)
SRV - (iPod Service [On_Demand | Running]) -- C:\Program Files\iPod\bin\iPodService.exe (Apple Inc.)
SRV - (mcmscsvc [Auto | Running]) -- C:\Program Files\McAfee\MSC\mcmscsvc.exe (McAfee, Inc.)
SRV - (McNASvc [Auto | Running]) -- c:\Program Files\Common Files\McAfee\MNA\McNASvc.exe (McAfee, Inc.)
SRV - (McODS [On_Demand | Stopped]) -- C:\Program Files\McAfee\VirusScan\mcods.exe (McAfee, Inc.)
SRV - (McProxy [Auto | Running]) -- c:\Program Files\Common Files\McAfee\McProxy\McProxy.exe (McAfee, Inc.)
SRV - (McrdSvc [Auto | Running]) -- C:\WINDOWS\ehome\mcrdsvc.exe (Microsoft Corporation)
SRV - (McShield [Unknown | Running]) -- C:\Program Files\McAfee\VirusScan\Mcshield.exe (McAfee, Inc.)
SRV - (McSysmon [On_Demand | Running]) -- C:\Program Files\McAfee\VirusScan\mcsysmon.exe (McAfee, Inc.)
SRV - (MHN [On_Demand | Stopped]) -- C:\WINDOWS\System32\mhn.dll (Microsoft Corporation)
SRV - (ose [On_Demand | Stopped]) -- C:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE (Microsoft Corporation)
SRV - (PrismXL [Auto | Running]) -- C:\Program Files\Common Files\New Boundary\PrismXL\PRISMXL.SYS (New Boundary Technologies, Inc.)
SRV - (SiteAdvisor Service [Auto | Running]) -- C:\Program Files\SiteAdvisor\6173\SAService.exe ()
SRV - (UMWdf [On_Demand | Stopped]) -- C:\WINDOWS\system32\wdfmgr.exe (Microsoft Corporation)
SRV - (usnjsvc [On_Demand | Stopped]) -- C:\Program Files\MSN Messenger\usnsvc.exe (Microsoft Corporation)

========== Driver Services (SafeList) ==========

DRV - (AliIde [Boot | Running]) -- C:\WINDOWS\system32\DRIVERS\aliide.sys (Acer Laboratories Inc.)
DRV - (amdagp [Boot | Running]) -- C:\WINDOWS\system32\DRIVERS\amdagp.sys (Advanced Micro Devices, Inc.)
DRV - (asc [Boot | Running]) -- C:\WINDOWS\system32\DRIVERS\asc.sys (Advanced System Products, Inc.)
DRV - (asc3550 [Boot | Running]) -- C:\WINDOWS\system32\DRIVERS\asc3550.sys (Advanced System Products, Inc.)
DRV - (ASCTRM [Auto | Running]) -- C:\WINDOWS\System32\drivers\asctrm.sys (Windows ® 2000 DDK provider)
DRV - (ati2mtag [On_Demand | Running]) -- C:\WINDOWS\system32\DRIVERS\ati2mtag.sys (ATI Technologies Inc.)
DRV - (Cdr4_xp [System | Running]) -- C:\WINDOWS\System32\drivers\cdr4_xp.sys (Sonic Solutions)
DRV - (Cdralw2k [System | Running]) -- C:\WINDOWS\System32\drivers\cdralw2k.sys (Sonic Solutions)
DRV - (CmdIde [Boot | Running]) -- C:\WINDOWS\system32\DRIVERS\cmdide.sys (CMD Technology, Inc.)
DRV - (dac2w2k [Boot | Running]) -- C:\WINDOWS\system32\DRIVERS\dac2w2k.sys (Mylex Corporation)
DRV - (GEARAspiWDM [On_Demand | Running]) -- C:\WINDOWS\system32\DRIVERS\GEARAspiWDM.sys (GEAR Software Inc.)
DRV - (HDAudBus [On_Demand | Running]) -- C:\WINDOWS\system32\DRIVERS\HDAudBus.sys (Windows ® Server 2003 DDK provider)
DRV - (HSFHWBS2 [On_Demand | Running]) -- C:\WINDOWS\system32\DRIVERS\HSFHWBS2.sys (Conexant Systems, Inc.)
DRV - (HSF_DPV [On_Demand | Running]) -- C:\WINDOWS\system32\DRIVERS\HSF_DPV.sys (Conexant Systems, Inc.)
DRV - (iaStor [Boot | Running]) -- C:\WINDOWS\SYSTEM32\DRIVERS\IASTOR.SYS (Intel Corporation)
DRV - (IntcAzAudAddService [On_Demand | Running]) -- C:\WINDOWS\system32\drivers\RtkHDAud.sys (Realtek Semiconductor Corp.)
DRV - (mdmxsdk [Auto | Running]) -- C:\WINDOWS\system32\DRIVERS\mdmxsdk.sys (Conexant)
DRV - (mfeavfk [On_Demand | Running]) -- C:\WINDOWS\system32\drivers\mfeavfk.sys (McAfee, Inc.)
DRV - (mfebopk [On_Demand | Running]) -- C:\WINDOWS\system32\drivers\mfebopk.sys (McAfee, Inc.)
DRV - (mfehidk [System | Running]) -- C:\WINDOWS\system32\drivers\mfehidk.sys (McAfee, Inc.)
DRV - (mferkdk [On_Demand | Stopped]) -- C:\WINDOWS\system32\drivers\mferkdk.sys (McAfee, Inc.)
DRV - (mfesmfk [On_Demand | Running]) -- C:\WINDOWS\system32\drivers\mfesmfk.sys (McAfee, Inc.)
DRV - (MPFP [System | Running]) -- C:\WINDOWS\System32\Drivers\Mpfp.sys (McAfee, Inc.)
DRV - (mraid35x [Boot | Running]) -- C:\WINDOWS\system32\DRIVERS\mraid35x.sys (American Megatrends Inc.)
DRV - (Ptilink [On_Demand | Running]) -- C:\WINDOWS\system32\DRIVERS\ptilink.sys (Parallel Technologies, Inc.)
DRV - (PxHelp20 [Boot | Running]) -- C:\WINDOWS\System32\Drivers\PxHelp20.sys (Sonic Solutions)
DRV - (ql1080 [Boot | Running]) -- C:\WINDOWS\system32\DRIVERS\ql1080.sys (QLogic Corporation)
DRV - (ql12160 [Boot | Running]) -- C:\WINDOWS\system32\DRIVERS\ql12160.sys (QLogic Corporation)
DRV - (ql1280 [Boot | Running]) -- C:\WINDOWS\system32\DRIVERS\ql1280.sys (QLogic Corporation)
DRV - (RTL8023xp [On_Demand | Running]) -- C:\WINDOWS\system32\DRIVERS\Rtnicxp.sys (Realtek Semiconductor Corporation )
DRV - (rtl8139 [On_Demand | Stopped]) -- C:\WINDOWS\system32\DRIVERS\RTL8139.SYS (Realtek Semiconductor Corporation)
DRV - (Secdrv [On_Demand | Stopped]) -- C:\WINDOWS\system32\DRIVERS\secdrv.sys (Macrovision Corporation, Macrovision Europe Limited, and Macrovision Japan and Asia K.K.)
DRV - (sisagp [Boot | Running]) -- C:\WINDOWS\system32\DRIVERS\sisagp.sys (Silicon Integrated Systems Corporation)
DRV - (Sparrow [Boot | Running]) -- C:\WINDOWS\system32\DRIVERS\sparrow.sys (Adaptec, Inc.)
DRV - (symc810 [Boot | Running]) -- C:\WINDOWS\system32\DRIVERS\symc810.sys (Symbios Logic Inc.)
DRV - (symc8xx [Boot | Running]) -- C:\WINDOWS\system32\DRIVERS\symc8xx.sys (LSI Logic)
DRV - (sym_hi [Boot | Running]) -- C:\WINDOWS\system32\DRIVERS\sym_hi.sys (LSI Logic)
DRV - (sym_u3 [Boot | Running]) -- C:\WINDOWS\system32\DRIVERS\sym_u3.sys (LSI Logic)
DRV - (ultra [Boot | Running]) -- C:\WINDOWS\system32\DRIVERS\ultra.sys (Promise Technology, Inc.)
DRV - (USBAAPL [On_Demand | Stopped]) -- C:\WINDOWS\System32\Drivers\usbaapl.sys (Apple, Inc.)
DRV - (wanatw [On_Demand | Running]) -- C:\WINDOWS\system32\DRIVERS\wanatw4.sys (America Online, Inc.)
DRV - (winachsf [On_Demand | Running]) -- C:\WINDOWS\system32\DRIVERS\HSF_CNXT.sys (Conexant Systems, Inc.)

========== Standard Registry (All) ==========


========== Internet Explorer ==========

IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft....k/?LinkId=69157
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft....k/?LinkId=54896
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Default_Secondary_Page_URL =
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Extensions Off Page = about:NoAdd-ons
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Local Page = %SystemRoot%\system32\blank.htm
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Search Page = http://www.google.com
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Security Risk Page = about:SecurityRisk
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = http://www.myspace.com/
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Search,CustomizeSearch = http://ie.search.msn...st/srchcust.htm
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.gateway.c...h...DTP&M=T5212

IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Local Page = C:\WINDOWS\system32\blank.htm
IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Search Page = http://www.google.com
IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = http://www.myspace.com/
IE - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0
IE - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyOverride" = *.local



O1 HOSTS File: (734 bytes) - C:\WINDOWS\System32\drivers\etc\Hosts
O1 - Hosts: 127.0.0.1 localhost
O2 - BHO: (AcroIEHlprObj Class) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll (Adobe Systems Incorporated)
O2 - BHO: (no name) - {089FD14D-132B-48FC-8861-0048AE113215} - C:\Program Files\SiteAdvisor\6173\SiteAdv.dll ()
O2 - BHO: (no name) - {3c1b916d-a35a-4109-bcaa-a95c2e425772} - Reg Error: Key error. File not found
O2 - BHO: (scriptproxy) - {7DB2D5A0-7241-4E79-B68D-6309F01C5231} - C:\Program Files\McAfee\VirusScan\scriptsn.dll (McAfee, Inc.)
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - Reg Error: Key error. File not found
O2 - BHO: (Google Toolbar Helper) - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll (Google Inc.)
O2 - BHO: (CBrowserHelperObject Object) - {CA6319C0-31B7-401E-A518-A07C3DB8F777} - c:\windows\system32\BAE.dll (Gateway Inc.)
O2 - BHO: (no name) - {d40cc2b7-b4ec-40ac-86d7-f84601ba504c} - C:\WINDOWS\system32\dgywmn.dll ()
O2 - BHO: (Google Gears Helper) - {E0FEFE40-FBF9-42AE-BA58-794CA7E3FB53} - C:\Program Files\Google\Google Gears\Internet Explorer\0.5.4.2\gears.dll (Google Inc.)
O3 - HKLM\..\Toolbar: (McAfee SiteAdvisor) - {0BF43445-2F28-4351-9252-17FE6E806AA0} - C:\Program Files\SiteAdvisor\6173\SiteAdv.dll ()
O3 - HKLM\..\Toolbar: (&Google) - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll (Google Inc.)
O3 - HKCU\..\Toolbar\ShellBrowser: (no name) - {01E04581-4EEE-11D0-BFE9-00AA005B4383} - C:\WINDOWS\system32\browseui.dll (Microsoft Corporation)
O3 - HKCU\..\Toolbar\ShellBrowser: (no name) - {2318C2B1-4965-11D4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll (Google Inc.)
O3 - HKCU\..\Toolbar\WebBrowser: (no name) - {01E04581-4EEE-11D0-BFE9-00AA005B4383} - C:\WINDOWS\system32\browseui.dll (Microsoft Corporation)
O3 - HKCU\..\Toolbar\WebBrowser: (no name) - {0E5CBF21-D15F-11D0-8301-00AA005B4383} - C:\WINDOWS\system32\SHELL32.dll (Microsoft Corporation)
O3 - HKCU\..\Toolbar\WebBrowser: (no name) - {2318C2B1-4965-11D4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll (Google Inc.)
O4 - HKLM..\Run: [Alcmtr] ALCMTR.EXE (Realtek Semiconductor Corp.)
O4 - HKLM..\Run: [AOL Spyware Protection] "C:\PROGRA~1\COMMON~1\AOL\AOLSPY~1\AOLSP Scheduler.exe" ()
O4 - HKLM..\Run: [CHotkey] zHotkey.exe ()
O4 - HKLM..\Run: [CPMdfc0dafc] Rundll32.exe "c:\windows\system32\wiyoyova.dll",a ()
O4 - HKLM..\Run: [dcf3e960] rundll32.exe "C:\WINDOWS\system32\rijedatu.dll",b ()
O4 - HKLM..\Run: [ehTray] C:\WINDOWS\ehome\ehtray.exe (Microsoft Corporation)
O4 - HKLM..\Run: [Google Desktop Search] "C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe" /startup ()
O4 - HKLM..\Run: [HostManager] C:\Program Files\Common Files\AOL\1234482231\EE\AOLHostManager.exe (America Online, Inc.)
O4 - HKLM..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe" (Apple Inc.)
O4 - HKLM..\Run: [mcagent_exe] C:\Program Files\McAfee.com\Agent\mcagent.exe /runkey (McAfee, Inc.)
O4 - HKLM..\Run: [MSKDetectorExe] C:\Program Files\McAfee\SpamKiller\MSKDetct.exe /uninstall File not found
O4 - HKLM..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime (Apple Inc.)
O4 - HKLM..\Run: [readericon] C:\Program Files\Digital Media Reader\readericon45G.exe (Alcor Micro, Corp.)
O4 - HKLM..\Run: [Recguard] %WINDIR%\SMINST\RECGUARD.EXE ()
O4 - HKLM..\Run: [Reminder] %WINDIR%\Creator\Remind_XP.exe (SoftThinks)
O4 - HKLM..\Run: [RTHDCPL] RTHDCPL.EXE (Realtek Semiconductor Corp.)
O4 - HKLM..\Run: [SiteAdvisor] C:\Program Files\SiteAdvisor\6173\SiteAdv.exe ()
O4 - HKLM..\Run: [yibonikero] Rundll32.exe "C:\WINDOWS\system32\mawisega.dll",s File not found
O4 - HKCU..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe (Microsoft Corporation)
O4 - HKCU..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background (Microsoft Corporation)
O4 - HKCU..\Run: [Power2GoExpress] NA File not found
O4 - Startup: C:\Documents and Settings\All Users\Start Menu\Programs\Startup\BigFix.lnk = C:\Program Files\BigFix\bigfix.exe (BigFix Inc.)
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: HonorAutoRunSetting = 1
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: dontdisplaylastusername = 0
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: legalnoticecaption =
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: legalnoticetext =
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: shutdownwithoutlogon = 1
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: undockwithoutlogon = 1
O7 - HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra 'Tools' menuitem : &Gears Settings - {09C04DA7-5B76-4EBC-BBEE-B25EAC5965F5} - C:\Program Files\Google\Google Gears\Internet Explorer\0.5.4.2\gears.dll (Google Inc.)
O9 - Extra Button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\Program Files\Microsoft Office\OFFICE11\REFIEBAR.DLL (Microsoft Corporation)
O9 - Extra Button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll (Microsoft Corporation)
O9 - Extra 'Tools' menuitem : @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe (Microsoft Corporation)
O9 - Extra Button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe (Microsoft Corporation)
O9 - Extra 'Tools' menuitem : Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe (Microsoft Corporation)
O10 - NameSpace_Catalog5\Catalog_Entries\000000000001 [Tcpip] - C:\WINDOWS\System32\mswsock.dll (Microsoft Corporation)
O10 - NameSpace_Catalog5\Catalog_Entries\000000000002 [NTDS] - C:\WINDOWS\System32\winrnr.dll (Microsoft Corporation)
O10 - NameSpace_Catalog5\Catalog_Entries\000000000003 [Network Location Awareness (NLA) Namespace] - C:\WINDOWS\System32\mswsock.dll (Microsoft Corporation)
O10 - NameSpace_Catalog5\Catalog_Entries\000000000004 [mdnsNSP] - C:\Program Files\Bonjour\mdnsNSP.dll (Apple Inc.)
O10 - Protocol_Catalog9\Catalog_Entries\000000000001 - C:\WINDOWS\system32\mswsock.dll (Microsoft Corporation)
O10 - Protocol_Catalog9\Catalog_Entries\000000000002 - C:\WINDOWS\system32\mswsock.dll (Microsoft Corporation)
O10 - Protocol_Catalog9\Catalog_Entries\000000000003 - C:\WINDOWS\system32\mswsock.dll (Microsoft Corporation)
O10 - Protocol_Catalog9\Catalog_Entries\000000000004 - C:\WINDOWS\system32\mswsock.dll (Microsoft Corporation)
O10 - Protocol_Catalog9\Catalog_Entries\000000000005 - C:\WINDOWS\system32\mswsock.dll (Microsoft Corporation)
O10 - Protocol_Catalog9\Catalog_Entries\000000000006 - C:\WINDOWS\system32\mswsock.dll (Microsoft Corporation)
O10 - Protocol_Catalog9\Catalog_Entries\000000000007 - C:\WINDOWS\system32\mswsock.dll (Microsoft Corporation)
O10 - Protocol_Catalog9\Catalog_Entries\000000000008 - C:\WINDOWS\system32\mswsock.dll (Microsoft Corporation)
O10 - Protocol_Catalog9\Catalog_Entries\000000000009 - C:\WINDOWS\system32\mswsock.dll (Microsoft Corporation)
O10 - Protocol_Catalog9\Catalog_Entries\000000000010 - C:\WINDOWS\system32\mswsock.dll (Microsoft Corporation)
O10 - Protocol_Catalog9\Catalog_Entries\000000000011 - C:\WINDOWS\system32\mswsock.dll (Microsoft Corporation)
O15 - HKLM\..Trusted Domains: 1 domain(s) and sub-domain(s) not assigned to a zone.
O15 - HKCU\..Trusted Domains: 3 domain(s) and sub-domain(s) not assigned to a zone.
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} http://download.micr...heckControl.cab (Windows Genuine Advantage Validation Tool)
O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} http://java.sun.com/...indows-i586.cab (Java Plug-in 1.5.0_02)
O16 - DPF: {CAFEEFAC-0015-0000-0002-ABCDEFFEDCBA} http://java.sun.com/...indows-i586.cab (Java Plug-in 1.5.0_02)
O18 - Protocol\Filter: - application/octet-stream - C:\WINDOWS\system32\mscoree.dll (Microsoft Corporation)
O18 - Protocol\Filter: - application/x-complus - C:\WINDOWS\system32\mscoree.dll (Microsoft Corporation)
O18 - Protocol\Filter: - application/x-msdownload - C:\WINDOWS\system32\mscoree.dll (Microsoft Corporation)
O18 - Protocol\Filter: - Class Install Handler - C:\WINDOWS\system32\urlmon.dll (Microsoft Corporation)
O18 - Protocol\Filter: - deflate - C:\WINDOWS\system32\urlmon.dll (Microsoft Corporation)
O18 - Protocol\Filter: - gzip - C:\WINDOWS\system32\urlmon.dll (Microsoft Corporation)
O18 - Protocol\Filter: - lzdhtml - C:\WINDOWS\system32\urlmon.dll (Microsoft Corporation)
O18 - Protocol\Filter: - text/webviewhtml - C:\WINDOWS\system32\SHELL32.dll (Microsoft Corporation)
O18 - Protocol\Filter: - text/xml - C:\Program Files\Common Files\Microsoft Shared\OFFICE11\MSOXMLMF.DLL (Microsoft Corporation)
O20 - AppInit_DLLs: (C:\PROGRA~1\Google\GOOGLE~1\GOEC62~1.DLL) - C:\Program Files\Google\Google Desktop Search\GoogleDesktopNetwork3.dll ()
O20 - AppInit_DLLs: (C:\WINDOWS\system32\nebapepa.dll) - C:\WINDOWS\system32\nebapepa.dll File not found
O20 - AppInit_DLLs: (dgywmn.dll) - C:\WINDOWS\system32\dgywmn.dll ()
O20 - AppInit_DLLs: (c:\windows\system32\wiyoyova.dll) - c:\windows\system32\wiyoyova.dll ()
O20 - HKLM Winlogon: Shell - (Explorer.exe) - C:\WINDOWS\Explorer.exe (Microsoft Corporation)
O20 - HKLM Winlogon: UserInit - (C:\WINDOWS\system32\userinit.exe) - C:\WINDOWS\system32\userinit.exe (Microsoft Corporation)
O20 - HKLM Winlogon: UIHost - (logonui.exe) - C:\WINDOWS\system32\logonui.exe (Microsoft Corporation)
O20 - HKLM Winlogon: VMApplet - (rundll32 shell32) - C:\WINDOWS\System32\shell32.dll (Microsoft Corporation)
O20 - HKLM Winlogon: VMApplet - (Control_RunDLL "sysdm.cpl") - C:\WINDOWS\system32\sysdm.cpl (Microsoft Corporation)
O20 - Winlogon\Notify\AtiExtEvent: DllName - Ati2evxx.dll - C:\WINDOWS\system32\Ati2evxx.dll (ATI Technologies Inc.)
O20 - Winlogon\Notify\crypt32chain: DllName - crypt32.dll - C:\WINDOWS\system32\crypt32.dll (Microsoft Corporation)
O20 - Winlogon\Notify\cryptnet: DllName - cryptnet.dll - C:\WINDOWS\system32\cryptnet.dll (Microsoft Corporation)
O20 - Winlogon\Notify\cscdll: DllName - cscdll.dll - C:\WINDOWS\system32\cscdll.dll (Microsoft Corporation)
O20 - Winlogon\Notify\dimsntfy: DllName - %SystemRoot%\System32\dimsntfy.dll - C:\WINDOWS\System32\dimsntfy.dll (Microsoft Corporation)
O20 - Winlogon\Notify\ScCertProp: DllName - wlnotify.dll - C:\WINDOWS\system32\wlnotify.dll (Microsoft Corporation)
O20 - Winlogon\Notify\Schedule: DllName - wlnotify.dll - C:\WINDOWS\system32\wlnotify.dll (Microsoft Corporation)
O20 - Winlogon\Notify\sclgntfy: DllName - sclgntfy.dll - C:\WINDOWS\system32\sclgntfy.dll (Microsoft Corporation)
O20 - Winlogon\Notify\SensLogn: DllName - WlNotify.dll - C:\WINDOWS\system32\WlNotify.dll (Microsoft Corporation)
O20 - Winlogon\Notify\termsrv: DllName - wlnotify.dll - C:\WINDOWS\system32\wlnotify.dll (Microsoft Corporation)
O20 - Winlogon\Notify\wlballoon: DllName - wlnotify.dll - C:\WINDOWS\system32\wlnotify.dll (Microsoft Corporation)
O21 - SSODL: CDBurn - {fbeb8a05-beee-4442-804e-409d6c4515e9} - C:\WINDOWS\system32\SHELL32.dll (Microsoft Corporation)
O21 - SSODL: PostBootReminder - {7849596a-48ea-486e-8937-a2a3009f31a9} - C:\WINDOWS\system32\SHELL32.dll (Microsoft Corporation)
O21 - SSODL: SSODL - {EC43E3FD-5C60-46a6-97D7-E0B85DBDD6C4} - c:\windows\system32\wiyoyova.dll ()
O21 - SSODL: SysTray - {35CEC8A3-2BE6-11D2-8773-92E220524153} - C:\WINDOWS\system32\stobject.dll (Microsoft Corporation)
O21 - SSODL: WebCheck - {E6FB5E20-DE35-11CF-9C87-00AA005127ED} - C:\WINDOWS\system32\webcheck.dll (Microsoft Corporation)
O22 - SharedTaskScheduler: {438755C2-A8BA-11D1-B96B-00A0C90312E1} - Browseui preloader - C:\WINDOWS\system32\browseui.dll (Microsoft Corporation)
O22 - SharedTaskScheduler: {8C7461EF-2B13-11d2-BE35-3078302C2030} - Component Categories cache daemon - C:\WINDOWS\system32\browseui.dll (Microsoft Corporation)
O22 - SharedTaskScheduler: {EC43E3FD-5C60-46a6-97D7-E0B85DBDD6C4} - STS - c:\windows\system32\wiyoyova.dll ()
O24 - Desktop Components:0 (My Current Home Page) - About:Home
O27 - HKLM IFEO\Your Image File Name Here without a path: Debugger - C:\WINDOWS\System32\ntsd.exe (Microsoft Corporation)
O28 - HKLM ShellExecuteHooks: {AEB6717E-7E19-11d0-97EE-00C04FD91972} - C:\WINDOWS\system32\shell32.dll (Microsoft Corporation)
O29 - HKLM SecurityProviders - (msapsspc.dll) - C:\WINDOWS\system32\msapsspc.dll (Microsoft Corporation)
O29 - HKLM SecurityProviders - ( schannel.dll) - C:\WINDOWS\system32\schannel.dll (Microsoft Corporation)
O29 - HKLM SecurityProviders - ( digest.dll) - C:\WINDOWS\system32\digest.dll (Microsoft Corporation)
O29 - HKLM SecurityProviders - ( msnsspc.dll) - C:\WINDOWS\system32\msnsspc.dll (Microsoft Corporation)
O30 - LSA: Authentication Packages - (msv1_0) - C:\WINDOWS\System32\msv1_0.dll (Microsoft Corporation)
O30 - LSA: Security Packages - (kerberos) - C:\WINDOWS\System32\kerberos.dll (Microsoft Corporation)
O30 - LSA: Security Packages - (msv1_0) - C:\WINDOWS\System32\msv1_0.dll (Microsoft Corporation)
O30 - LSA: Security Packages - (schannel) - C:\WINDOWS\System32\schannel.dll (Microsoft Corporation)
O30 - LSA: Security Packages - (wdigest) - C:\WINDOWS\System32\wdigest.dll (Microsoft Corporation)
O31 - SafeBoot: AlternateShell - cmd.exe
O32 - HKLM CDRom: AutoRun - 1
O32 - Autorun File - C:\AUTOEXEC.BAT () - [ NTFS ]
O32 - Autorun File - D:\Autorun.inf () - [ FAT32 ]
O34 - HKLM BootExecute: (autocheck autochk *) - File not found

========== Files/Folders - Created Within 30 Days ==========

[2 C:\WINDOWS\System32\*.tmp files]
[1 C:\WINDOWS\*.tmp files]
[2009/03/26 13:15:13 | 00,498,688 | ---- | C] (OldTimer Tools) -- C:\Documents and Settings\Owner\Desktop\OTListIt2.exe
[2009/03/26 02:01:30 | 24,768,960 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\MRT.exe
[2009/03/26 01:39:14 | 00,000,000 | ---D | C] -- C:\Documents and Settings\Owner\Desktop\McafeeRootkitDetective
[2009/03/26 01:38:14 | 01,728,150 | ---- | C] () -- C:\Documents and Settings\Owner\Desktop\McafeeRootkitDetective.zip
[2009/03/26 01:12:02 | 00,000,000 | ---D | C] -- C:\Program Files\SiteAdvisor
[2009/03/26 01:12:02 | 00,000,000 | ---D | C] -- C:\Documents and Settings\Owner\Application Data\SiteAdvisor
[2009/03/26 01:12:02 | 00,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Application Data\SiteAdvisor
[2009/03/26 01:10:33 | 00,033,832 | ---- | C] (McAfee, Inc.) -- C:\WINDOWS\System32\drivers\mferkdk.sys
[2009/03/26 01:10:28 | 00,079,304 | ---- | C] (McAfee, Inc.) -- C:\WINDOWS\System32\drivers\mfeavfk.sys
[2009/03/26 01:10:28 | 00,040,488 | ---- | C] (McAfee, Inc.) -- C:\WINDOWS\System32\drivers\mfesmfk.sys
[2009/03/26 01:10:28 | 00,035,240 | ---- | C] (McAfee, Inc.) -- C:\WINDOWS\System32\drivers\mfebopk.sys
[2009/03/26 01:10:27 | 00,201,320 | ---- | C] (McAfee, Inc.) -- C:\WINDOWS\System32\drivers\mfehidk.sys
[2009/03/26 01:10:18 | 00,113,952 | ---- | C] (McAfee, Inc.) -- C:\WINDOWS\System32\drivers\Mpfp.sys
[2009/03/26 01:09:55 | 00,000,340 | ---- | C] () -- C:\WINDOWS\tasks\McDefragTask.job
[2009/03/26 01:09:54 | 00,000,332 | ---- | C] () -- C:\WINDOWS\tasks\McQcTask.job
[2009/03/26 01:09:16 | 00,000,000 | ---D | C] -- C:\Program Files\McAfee.com
[2009/03/26 01:09:03 | 00,000,000 | ---D | C] -- C:\Program Files\Common Files\McAfee
[2009/03/25 20:20:14 | 00,000,268 | -H-- | C] () -- C:\sqmdata14.sqm
[2009/03/25 20:20:14 | 00,000,244 | -H-- | C] () -- C:\sqmnoopt14.sqm
[2009/03/25 20:18:12 | 00,091,848 | ---- | C] () -- C:\Documents and Settings\Owner\My Documents\AVG results.csv
[2009/03/25 19:26:22 | 00,001,734 | ---- | C] () -- C:\Documents and Settings\Owner\Desktop\HijackThis.lnk
[2009/03/25 19:26:19 | 00,000,000 | ---D | C] -- C:\Program Files\Trend Micro
[2009/03/25 17:24:07 | 00,000,000 | ---D | C] -- C:\VundoFix Backups
[2009/03/25 17:05:13 | 00,000,000 | ---D | C] -- C:\Documents and Settings\Owner\Application Data\AdobeUM
[2009/03/25 16:35:31 | 00,000,000 | ---D | C] -- C:\Documents and Settings\Owner\My Documents\SEMO Homework
[2009/03/24 23:58:51 | 00,000,268 | -H-- | C] () -- C:\sqmdata13.sqm
[2009/03/24 23:58:51 | 00,000,244 | -H-- | C] () -- C:\sqmnoopt13.sqm
[2009/03/24 22:41:18 | 00,000,244 | -H-- | C] () -- C:\sqmnoopt12.sqm
[2009/03/24 22:41:18 | 00,000,232 | -H-- | C] () -- C:\sqmdata12.sqm
[2009/03/24 22:32:51 | 00,000,000 | ---D | C] -- C:\Program Files\NortonInstaller
[2009/03/24 22:32:51 | 00,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Application Data\NortonInstaller
[2009/03/24 22:32:26 | 03,321,749 | -HS- | C] () -- C:\WINDOWS\System32\utadejir.ini
[2009/03/24 22:32:11 | 00,128,000 | -HS- | C] () -- C:\WINDOWS\System32\dgywmn.dll
[2009/03/24 22:23:16 | 00,000,268 | -H-- | C] () -- C:\sqmdata11.sqm
[2009/03/24 22:23:16 | 00,000,244 | -H-- | C] () -- C:\sqmnoopt11.sqm
[2009/03/24 22:05:29 | 00,000,000 | ---D | C] -- C:\Program Files\Windows Defender
[2009/03/24 22:02:32 | 00,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Application Data\Windows Genuine Advantage
[2009/03/24 21:38:01 | 00,000,268 | -H-- | C] () -- C:\sqmdata10.sqm
[2009/03/24 21:38:01 | 00,000,244 | -H-- | C] () -- C:\sqmnoopt10.sqm
[2009/03/24 14:30:11 | 00,000,000 | ---D | C] -- C:\WINDOWS\System32\appmgmt
[2009/03/24 14:10:58 | 00,000,268 | -H-- | C] () -- C:\sqmdata09.sqm
[2009/03/24 14:10:58 | 00,000,244 | -H-- | C] () -- C:\sqmnoopt09.sqm
[2009/03/24 14:03:19 | 00,131,072 | ---- | C] (McAfee, Inc.) -- C:\WINDOWS\System32\mclsp.dll
[2009/03/24 14:03:19 | 00,032,768 | ---- | C] () -- C:\WINDOWS\System32\instlsp.exe
[2009/03/24 14:03:19 | 00,011,264 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\sporder.dll
[2009/03/24 14:00:43 | 00,000,268 | -H-- | C] () -- C:\sqmdata08.sqm
[2009/03/24 14:00:43 | 00,000,244 | -H-- | C] () -- C:\sqmnoopt08.sqm
[2009/03/24 10:32:09 | 01,410,315 | -HS- | C] () -- C:\WINDOWS\System32\obewojot.ini
[2009/03/24 10:31:54 | 00,129,024 | -HS- | C] (Lextek International) -- C:\WINDOWS\System32\pnqutn.dll
[2009/03/23 23:21:01 | 00,000,280 | -H-- | C] () -- C:\sqmdata07.sqm
[2009/03/23 23:21:01 | 00,000,244 | -H-- | C] () -- C:\sqmnoopt07.sqm
[2009/03/23 22:31:58 | 01,410,297 | -HS- | C] () -- C:\WINDOWS\System32\ebuvakew.ini
[2009/03/23 22:31:49 | 00,129,024 | -HS- | C] (Lextek International) -- C:\WINDOWS\System32\cnzcli.dll
[2009/03/23 16:52:01 | 00,000,244 | -H-- | C] () -- C:\sqmnoopt06.sqm
[2009/03/23 16:52:01 | 00,000,232 | -H-- | C] () -- C:\sqmdata06.sqm
[2009/03/23 16:51:00 | 00,000,268 | -H-- | C] () -- C:\sqmdata05.sqm
[2009/03/23 16:51:00 | 00,000,244 | -H-- | C] () -- C:\sqmnoopt05.sqm
[2009/03/23 10:32:24 | 01,791,439 | -HS- | C] () -- C:\WINDOWS\System32\ijayosih.ini
[2009/03/22 23:02:34 | 00,000,268 | -H-- | C] () -- C:\sqmdata04.sqm
[2009/03/22 23:02:34 | 00,000,244 | -H-- | C] () -- C:\sqmnoopt04.sqm
[2009/03/22 21:56:44 | 01,791,430 | -HS- | C] () -- C:\WINDOWS\System32\ibukulol.ini
[2009/03/09 15:51:37 | 00,000,882 | ---- | C] () -- C:\Documents and Settings\All Users\Desktop\UTest Secure Browser.lnk
[2009/03/09 15:51:36 | 00,000,000 | ---D | C] -- C:\Program Files\cstl
[2009/03/08 16:13:26 | 00,057,856 | ---- | C] () -- C:\Documents and Settings\Owner\My Documents\FE 200 Exam I study guide.doc
[2009/03/05 17:38:47 | 00,000,626 | ---- | C] () -- C:\Documents and Settings\Owner\Desktop\Ares.lnk
[2009/03/05 17:38:44 | 00,000,000 | ---D | C] -- C:\Program Files\Ares
[2009/03/04 14:52:40 | 00,000,000 | ---D | C] -- C:\Documents and Settings\Owner\My Documents\Movies
[2009/03/01 21:02:02 | 00,005,632 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\ptpusb.dll
[2009/03/01 21:02:01 | 00,015,104 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\drivers\usbscan.sys
[2009/03/01 21:02:01 | 00,015,104 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\dllcache\usbscan.sys
[2009/03/01 21:02:00 | 00,159,232 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\ptpusd.dll
[2009/02/28 00:21:08 | 00,000,268 | -H-- | C] () -- C:\sqmdata03.sqm
[2009/02/28 00:21:08 | 00,000,244 | -H-- | C] () -- C:\sqmnoopt03.sqm
[2009/02/27 17:41:17 | 00,353,682 | ---- | C] () -- C:\Documents and Settings\Owner\My Documents\C--Documents and Settings-Owner-Local Settings-Temporary Internet Files-Content.IE5-0D14PF97-order_history[1]0001.mdi
[2009/02/27 17:40:50 | 00,341,948 | ---- | C] () -- C:\Documents and Settings\Owner\My Documents\C--Documents and Settings-Owner-Local Settings-Temporary Internet Files-Content.IE5-0D14PF97-order_history[1].mdi
[2009/02/26 23:44:34 | 00,000,268 | -H-- | C] () -- C:\sqmdata02.sqm
[2009/02/26 23:44:34 | 00,000,244 | -H-- | C] () -- C:\sqmnoopt02.sqm
[2009/02/26 16:02:01 | 00,000,000 | ---D | C] -- C:\WINDOWS\Prefetch
[2009/02/26 15:22:25 | 00,000,268 | -H-- | C] () -- C:\sqmdata01.sqm
[2009/02/26 15:22:25 | 00,000,244 | -H-- | C] () -- C:\sqmnoopt01.sqm
[2009/02/26 14:47:00 | 00,000,000 | ---D | C] -- C:\WINDOWS\System32\scripting
[2009/02/26 14:47:00 | 00,000,000 | ---D | C] -- C:\WINDOWS\l2schemas
[2009/02/26 14:46:59 | 00,000,000 | ---D | C] -- C:\WINDOWS\System32\en
[2009/02/26 14:46:58 | 00,000,000 | ---D | C] -- C:\WINDOWS\System32\bits
[2009/02/26 14:43:22 | 00,000,000 | ---D | C] -- C:\WINDOWS\ServicePackFiles
[2009/02/26 14:35:33 | 00,000,000 | -H-D | C] -- C:\WINDOWS\$NtServicePackUninstall$
[2009/02/26 00:18:18 | 00,000,268 | -H-- | C] () -- C:\sqmdata00.sqm
[2009/02/26 00:18:18 | 00,000,244 | -H-- | C] () -- C:\sqmnoopt00.sqm
[2009/02/25 01:22:02 | 00,000,592 | ---- | C] () -- C:\Documents and Settings\Owner\My Documents\My Sharing Folders.lnk
[2009/02/25 01:21:05 | 00,000,000 | ---D | C] -- C:\Documents and Settings\Owner\My Documents\My Received Files
[2009/02/25 01:20:51 | 00,001,736 | ---- | C] () -- C:\Documents and Settings\All Users\Desktop\Windows Live Messenger.lnk
[2009/02/25 01:20:45 | 00,000,000 | ---D | C] -- C:\Program Files\MSN Messenger

========== Files - Modified Within 30 Days ==========

[2 C:\WINDOWS\System32\*.tmp files]
[1 C:\WINDOWS\*.tmp files]
[2009/03/26 13:15:22 | 00,498,688 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\Owner\Desktop\OTListIt2.exe
[2009/03/26 08:34:34 | 00,000,714 | ---- | M] () -- C:\WINDOWS\win.ini
[2009/03/26 08:34:17 | 00,000,880 | ---- | M] () -- C:\WINDOWS\tasks\GoogleUpdateTaskMachine.job
[2009/03/26 08:34:17 | 00,000,006 | -H-- | M] () -- C:\WINDOWS\tasks\SA.DAT
[2009/03/26 08:34:14 | 00,002,048 | --S- | M] () -- C:\WINDOWS\bootstat.dat
[2009/03/26 08:34:13 | 93,704,6016 | -HS- | M] () -- C:\hiberfil.sys
[2009/03/26 01:38:28 | 01,728,150 | ---- | M] () -- C:\Documents and Settings\Owner\Desktop\McafeeRootkitDetective.zip
[2009/03/26 01:09:55 | 00,000,340 | ---- | M] () -- C:\WINDOWS\tasks\McDefragTask.job
[2009/03/26 01:09:54 | 00,000,332 | ---- | M] () -- C:\WINDOWS\tasks\McQcTask.job
[2009/03/26 01:04:00 | 03,321,749 | -HS- | M] () -- C:\WINDOWS\System32\utadejir.ini
[2009/03/25 20:27:25 | 00,000,592 | ---- | M] () -- C:\Documents and Settings\Owner\My Documents\My Sharing Folders.lnk
[2009/03/25 20:20:14 | 00,000,268 | -H-- | M] () -- C:\sqmdata14.sqm
[2009/03/25 20:20:14 | 00,000,244 | -H-- | M] () -- C:\sqmnoopt14.sqm
[2009/03/25 20:18:12 | 00,091,848 | ---- | M] () -- C:\Documents and Settings\Owner\My Documents\AVG results.csv
[2009/03/25 19:26:22 | 00,001,734 | ---- | M] () -- C:\Documents and Settings\Owner\Desktop\HijackThis.lnk
[2009/03/24 23:58:51 | 00,000,268 | -H-- | M] () -- C:\sqmdata13.sqm
[2009/03/24 23:58:51 | 00,000,244 | -H-- | M] () -- C:\sqmnoopt13.sqm
[2009/03/24 23:50:39 | 00,008,704 | ---- | M] () -- C:\Documents and Settings\Owner\Local Settings\Application Data\DCBC2A71-70D8-4DAN-EHR8-E0D61DEA3FDF.ini
[2009/03/24 23:06:56 | 00,011,168 | -H-- | M] () -- C:\WINDOWS\System32\nitenuji
[2009/03/24 22:41:18 | 00,000,244 | -H-- | M] () -- C:\sqmnoopt12.sqm
[2009/03/24 22:41:18 | 00,000,232 | -H-- | M] () -- C:\sqmdata12.sqm
[2009/03/24 22:32:17 | 00,089,600 | -HS- | M] () -- C:\WINDOWS\System32\rijedatu.dll
[2009/03/24 22:32:11 | 00,128,000 | -HS- | M] () -- C:\WINDOWS\System32\dgywmn.dll
[2009/03/24 22:32:09 | 00,094,720 | -HS- | M] () -- C:\WINDOWS\System32\wiyoyova.dll
[2009/03/24 22:23:16 | 00,000,268 | -H-- | M] () -- C:\sqmdata11.sqm
[2009/03/24 22:23:16 | 00,000,244 | -H-- | M] () -- C:\sqmnoopt11.sqm
[2009/03/24 22:18:51 | 01,410,315 | -HS- | M] () -- C:\WINDOWS\System32\obewojot.ini
[2009/03/24 22:10:54 | 00,086,688 | ---- | M] () -- C:\WINDOWS\System32\Status.MPF
[2009/03/24 22:04:48 | 00,001,158 | ---- | M] () -- C:\WINDOWS\System32\wpa.dbl
[2009/03/24 21:38:01 | 00,000,268 | -H-- | M] () -- C:\sqmdata10.sqm
[2009/03/24 21:38:01 | 00,000,244 | -H-- | M] () -- C:\sqmnoopt10.sqm
[2009/03/24 14:32:16 | 00,001,917 | ---- | M] () -- C:\WINDOWS\imsins.BAK
[2009/03/24 14:10:58 | 00,000,268 | -H-- | M] () -- C:\sqmdata09.sqm
[2009/03/24 14:10:58 | 00,000,244 | -H-- | M] () -- C:\sqmnoopt09.sqm
[2009/03/24 14:00:43 | 00,000,268 | -H-- | M] () -- C:\sqmdata08.sqm
[2009/03/24 14:00:43 | 00,000,244 | -H-- | M] () -- C:\sqmnoopt08.sqm
[2009/03/24 10:31:53 | 00,129,024 | -HS- | M] (Lextek International) -- C:\WINDOWS\System32\zowavami.dll
[2009/03/24 10:31:53 | 00,129,024 | -HS- | M] (Lextek International) -- C:\WINDOWS\System32\pnqutn.dll
[2009/03/24 10:31:51 | 00,090,624 | ---- | M] (Simple Software Solutions, Inc.) -- C:\WINDOWS\System32\tojowebo.dll
[2009/03/23 23:21:01 | 00,000,280 | -H-- | M] () -- C:\sqmdata07.sqm
[2009/03/23 23:21:01 | 00,000,244 | -H-- | M] () -- C:\sqmnoopt07.sqm
[2009/03/23 22:54:50 | 01,410,297 | -HS- | M] () -- C:\WINDOWS\System32\ebuvakew.ini
[2009/03/23 22:31:49 | 00,129,024 | -HS- | M] (Lextek International) -- C:\WINDOWS\System32\jalopeya.dll
[2009/03/23 22:31:49 | 00,129,024 | -HS- | M] (Lextek International) -- C:\WINDOWS\System32\cnzcli.dll
[2009/03/23 22:31:48 | 00,096,256 | -HS- | M] (Lextek International) -- C:\WINDOWS\System32\sufarudi.dll
[2009/03/23 18:23:36 | 00,403,968 | ---- | M] () -- C:\WINDOWS\System32\perfh009.dat
[2009/03/23 18:23:36 | 00,063,188 | ---- | M] () -- C:\WINDOWS\System32\perfc009.dat
[2009/03/23 18:23:35 | 00,471,768 | ---- | M] () -- C:\WINDOWS\System32\PerfStringBackup.INI
[2009/03/23 16:52:01 | 00,000,244 | -H-- | M] () -- C:\sqmnoopt06.sqm
[2009/03/23 16:52:01 | 00,000,232 | -H-- | M] () -- C:\sqmdata06.sqm
[2009/03/23 16:51:00 | 00,000,268 | -H-- | M] () -- C:\sqmdata05.sqm
[2009/03/23 16:51:00 | 00,000,244 | -H-- | M] () -- C:\sqmnoopt05.sqm
[2009/03/23 11:02:25 | 01,791,439 | -HS- | M] () -- C:\WINDOWS\System32\ijayosih.ini
[2009/03/23 10:32:25 | 01,791,430 | -HS- | M] () -- C:\WINDOWS\System32\ibukulol.ini
[2009/03/23 10:32:18 | 00,090,112 | ---- | M] (Simple Software Solutions, Inc.) -- C:\WINDOWS\System32\hisoyaji.dll
[2009/03/22 23:02:34 | 00,000,268 | -H-- | M] () -- C:\sqmdata04.sqm
[2009/03/22 23:02:34 | 00,000,244 | -H-- | M] () -- C:\sqmnoopt04.sqm
[2009/03/13 22:46:01 | 00,000,284 | ---- | M] () -- C:\WINDOWS\tasks\AppleSoftwareUpdate.job
[2009/03/11 09:52:16 | 00,177,056 | ---- | M] () -- C:\WINDOWS\System32\FNTCACHE.DAT
[2009/03/09 15:51:44 | 00,057,856 | ---- | M] () -- C:\Documents and Settings\Owner\My Documents\FE 200 Exam I study guide.doc
[2009/03/09 15:51:37 | 00,000,882 | ---- | M] () -- C:\Documents and Settings\All Users\Desktop\UTest Secure Browser.lnk
[2009/03/05 17:38:47 | 00,000,626 | ---- | M] () -- C:\Documents and Settings\Owner\Desktop\Ares.lnk
[2009/02/28 00:21:08 | 00,000,268 | -H-- | M] () -- C:\sqmdata03.sqm
[2009/02/28 00:21:08 | 00,000,244 | -H-- | M] () -- C:\sqmnoopt03.sqm
[2009/02/27 17:41:18 | 00,353,682 | ---- | M] () -- C:\Documents and Settings\Owner\My Documents\C--Documents and Settings-Owner-Local Settings-Temporary Internet Files-Content.IE5-0D14PF97-order_history[1]0001.mdi
[2009/02/27 17:40:53 | 00,341,948 | ---- | M] () -- C:\Documents and Settings\Owner\My Documents\C--Documents and Settings-Owner-Local Settings-Temporary Internet Files-Content.IE5-0D14PF97-order_history[1].mdi
[2009/02/26 23:44:34 | 00,000,268 | -H-- | M] () -- C:\sqmdata02.sqm
[2009/02/26 23:44:34 | 00,000,244 | -H-- | M] () -- C:\sqmnoopt02.sqm
[2009/02/26 16:06:06 | 00,316,640 | ---- | M] () -- C:\WINDOWS\WMSysPr9.prx
[2009/02/26 16:05:41 | 00,001,736 | ---- | M] () -- C:\Documents and Settings\All Users\Desktop\Windows Live Messenger.lnk
[2009/02/26 15:22:25 | 00,000,268 | -H-- | M] () -- C:\sqmdata01.sqm
[2009/02/26 15:22:25 | 00,000,244 | -H-- | M] () -- C:\sqmnoopt01.sqm
[2009/02/26 14:40:07 | 00,250,048 | RHS- | M] () -- C:\ntldr
[2009/02/26 00:18:18 | 00,000,268 | -H-- | M] () -- C:\sqmdata00.sqm
[2009/02/26 00:18:18 | 00,000,244 | -H-- | M] () -- C:\sqmnoopt00.sqm
[2009/02/25 12:55:00 | 24,768,960 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\System32\MRT.exe

========== LOP Check ==========

[2009/03/26 01:12:02 | 00,000,000 | -H-D | M] -- C:\Documents and Settings\All Users\Application Data
[2009/02/21 18:56:02 | 00,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\{3276BE95_AF08_429F_A64F_CA64CB79BCF6}
[2009/02/12 18:40:10 | 00,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\Adobe
[2009/02/12 18:45:19 | 00,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\AOL
[2009/02/21 18:50:39 | 00,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\Apple
[2009/02/21 18:55:06 | 00,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\Apple Computer
[2009/02/16 07:38:27 | 00,000,000 | -H-D | M] -- C:\Documents and Settings\All Users\Application Data\CanonBJ
[2009/02/18 22:14:22 | 00,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\CyberLink
[2009/03/26 01:12:53 | 00,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\McAfee
[2009/03/24 22:11:24 | 00,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\McAfee.com
[2009/03/09 22:18:11 | 00,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\McAfee.com Personal Firewall
[2009/03/24 22:10:34 | 00,000,000 | --SD | M] -- C:\Documents and Settings\All Users\Application Data\Microsoft
[2009/02/12 18:41:54 | 00,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\Napster
[2009/03/24 22:32:51 | 00,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\NortonInstaller
[2009/02/20 19:15:13 | 00,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\Nova Development
[2009/02/12 17:57:37 | 00,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\Prism Deploy
[2009/02/12 18:44:21 | 00,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\Pure Networks
[2009/02/14 12:41:35 | 00,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\QuickTime
[2009/03/26 01:14:43 | 00,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\SiteAdvisor
[2009/02/12 18:44:23 | 00,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\Viewpoint
[2009/02/12 18:38:51 | 00,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\WildTangent
[2009/03/24 22:02:32 | 00,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\Windows Genuine Advantage
[2009/03/26 01:12:02 | 00,000,000 | -H-D | M] -- C:\Documents and Settings\Owner\Application Data
[2009/02/17 07:01:23 | 00,000,000 | ---D | M] -- C:\Documents and Settings\Owner\Application Data\Adobe
[2009/03/25 17:05:13 | 00,000,000 | ---D | M] -- C:\Documents and Settings\Owner\Application Data\AdobeUM
[2009/02/21 20:04:05 | 00,000,000 | ---D | M] -- C:\Documents and Settings\Owner\Application Data\Apple Computer
[2009/02/21 17:31:12 | 00,000,000 | ---D | M] -- C:\Documents and Settings\Owner\Application Data\CyberLink
[2009/02/22 21:59:07 | 00,000,000 | ---D | M] -- C:\Documents and Settings\Owner\Application Data\DivX
[2009/02/12 17:57:34 | 00,000,000 | ---D | M] -- C:\Documents and Settings\Owner\Application Data\Identities
[2009/03/11 20:55:45 | 00,000,000 | ---D | M] -- C:\Documents and Settings\Owner\Application Data\LimeWire
[2009/02/13 04:51:07 | 00,000,000 | ---D | M] -- C:\Documents and Settings\Owner\Application Data\Macromedia
[2009/02/18 09:00:12 | 00,000,000 | ---D | M] -- C:\Documents and Settings\Owner\Application Data\McAfee.com Personal Firewall
[2009/03/01 21:03:07 | 00,000,000 | --SD | M] -- C:\Documents and Settings\Owner\Application Data\Microsoft
[2009/02/23 00:11:49 | 00,000,000 | ---D | M] -- C:\Documents and Settings\Owner\Application Data\MSNInstaller
[2009/02/20 19:15:15 | 00,000,000 | ---D | M] -- C:\Documents and Settings\Owner\Application Data\Nova Development
[2009/02/12 18:54:15 | 00,000,000 | ---D | M] -- C:\Documents and Settings\Owner\Application Data\SampleView
[2009/03/26 12:55:19 | 00,000,000 | ---D | M] -- C:\Documents and Settings\Owner\Application Data\SiteAdvisor
[2009/02/13 04:49:45 | 00,000,000 | ---D | M] -- C:\Documents and Settings\Owner\Application Data\Viewpoint
[2009/02/12 18:45:07 | 00,000,000 | ---D | M] -- C:\Documents and Settings\Owner\Application Data\You've Got Pictures Screensaver
[2009/03/13 22:46:01 | 00,000,284 | ---- | M] () -- C:\WINDOWS\Tasks\AppleSoftwareUpdate.job
[2004/08/10 14:00:00 | 00,000,065 | RH-- | M] () -- C:\WINDOWS\Tasks\desktop.ini
[2009/03/26 08:34:17 | 00,000,880 | ---- | M] () -- C:\WINDOWS\Tasks\GoogleUpdateTaskMachine.job
[2009/03/26 01:09:55 | 00,000,340 | ---- | M] () -- C:\WINDOWS\Tasks\McDefragTask.job
[2009/03/26 01:09:54 | 00,000,332 | ---- | M] () -- C:\WINDOWS\Tasks\McQcTask.job
[2009/03/26 08:34:17 | 00,000,006 | -H-- | M] () -- C:\WINDOWS\Tasks\SA.DAT

========== Purity Check ==========

< End of report >
Contents of Extras.Txt

OTListIt Extras logfile created on: 3/26/2009 1:18:02 PM - Run 1
OTListIt2 by OldTimer - Version 2.0.7.2 Folder = C:\Documents and Settings\Owner\Desktop
Windows XP Media Center Edition Service Pack 3 (Version = 5.1.2600) - Type = NTWorkstation
Internet Explorer (Version = 7.0.5730.13)
Locale: 00000409 | Country: United States | Language: ENU | Date Format: M/d/yyyy

893.57 Mb Total Physical Memory | 320.54 Mb Available Physical Memory | 35.87% Memory free
2.11 Gb Paging File | 1.51 Gb Available in Paging File | 71.59% Paging File free
Paging file location(s): C:\pagefile.sys 1344 2688;

%SystemDrive% = C: | %SystemRoot% = C:\WINDOWS | %ProgramFiles% = C:\Program Files
Drive C: | 181.01 Gb Total Space | 123.90 Gb Free Space | 68.45% Space Free | Partition Type: NTFS
Drive D: | 5.28 Gb Total Space | 2.12 Gb Free Space | 40.07% Space Free | Partition Type: FAT32
E: Drive not present or media not loaded
F: Drive not present or media not loaded
G: Drive not present or media not loaded
H: Drive not present or media not loaded
I: Drive not present or media not loaded

Computer Name: YOUR-B127DF9F9E
Current User Name: Owner
Logged in as Administrator.

Current Boot Mode: Normal
Scan Mode: Current user
Output = Minimal
File Age = 30 Days
Company Name Whitelist: On

========== File Associations ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\<extension>]
.html [@ = htmlfile] -- C:\Program Files\Internet Explorer\IEXPLORE.EXE (Microsoft Corporation)

========== Security Center Settings ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center]
"FirstRunDisabled" = 1
"AntiVirusDisableNotify" = 0
"FirewallDisableNotify" = 0
"UpdatesDisableNotify" = 1
"AntiVirusOverride" = 0
"FirewallOverride" = 0
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\AhnlabAntiVirus]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\ComputerAssociatesAntiVirus]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\KasperskyAntiVirus]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\McAfeeAntiVirus]
"DisableMonitoring" = 1
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\McAfeeFirewall]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\PandaAntiVirus]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\PandaFirewall]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\SophosAntiVirus]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\SymantecAntiVirus]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\SymantecFirewall]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\TinyFirewall]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\TrendAntiVirus]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\TrendFirewall]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\ZoneLabsFirewall]

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile
"EnableFirewall" = 1

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\GloballyOpenPorts\List
"1900:UDP" = 1900:UDP:LocalSubNet:Enabled:@xpsp2res.dll,-22007

========== Authorized Applications List ==========

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\AuthorizedApplications\List]
%windir%\system32\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019 (Microsoft Corporation)
%windir%\Network Diagnostic\xpnetdiag.exe:*:Enabled:@xpsp3res.dll,-20000 (Microsoft Corporation)
C:\Program Files\MSN Messenger\msnmsgr.exe:*:Enabled:Windows Live Messenger 8.1 (Microsoft Corporation)
C:\Program Files\MSN Messenger\livecall.exe:*:Enabled:Windows Live Messenger 8.1 (Phone) (Microsoft Corporation)

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List]
%windir%\system32\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019 (Microsoft Corporation)
C:\Program Files\Common Files\AOL\Loader\aolload.exe:*:Enabled:AOL Application Loader (America Online, Inc.)
C:\Program Files\Common Files\AOL\ACS\AOLDial.exe:*:Enabled:AOL (America Online)
C:\Program Files\Common Files\AOL\ACS\AOLacsd.exe:*:Enabled:AOL (America Online)
C:\Program Files\America Online 9.0\waol.exe:*:Enabled:AOL (America Online, Inc.)
C:\Program Files\Common Files\AOL\TopSpeed\2.0\aoltsmon.exe:*:Enabled:AOLTsMon (America Online, Inc)
C:\Program Files\Common Files\AOL\TopSpeed\2.0\aoltpspd.exe:*:Enabled:AOLTopSpeed (America Online Inc)
C:\Program Files\Common Files\AOL\1234482231\EE\AOLServiceHost.exe:*:Enabled:AOL (America Online, Inc.)
C:\Program Files\Common Files\AOL\System Information\sinf.exe:*:Enabled:AOL (America Online Inc.)
C:\Program Files\Common Files\AOL\AOL Spyware Protection\AOLSP Scheduler.exe:*:Enabled:AOL ()
C:\Program Files\Common Files\AOL\AOL Spyware Protection\asp.exe:*:Enabled:AOL (AOL Spyware Protection)
C:\Program Files\Common Files\AolCoach\en_en\player\AOLNySEV.exe:*:Enabled:AOL (Gteko Ltd.)
C:\My Backup -- 09-02-12 0352PM\Program Files\LimeWire\LimeWire.exe:*:Enabled:LimeWire (Lime Wire, LLC)
%windir%\Network Diagnostic\xpnetdiag.exe:*:Enabled:@xpsp3res.dll,-20000 (Microsoft Corporation)
C:\Program Files\Bonjour\mDNSResponder.exe:*:Enabled:Bonjour (Apple Inc.)
C:\Program Files\iTunes\iTunes.exe:*:Enabled:iTunes (Apple Inc.)
C:\Program Files\MSN Messenger\msnmsgr.exe:*:Enabled:Windows Live Messenger 8.1 (Microsoft Corporation)
C:\Program Files\MSN Messenger\livecall.exe:*:Enabled:Windows Live Messenger 8.1 (Phone) (Microsoft Corporation)
C:\WINDOWS\explorer.exe:*:Enabled:Explorer (Microsoft Corporation)
C:\WINDOWS\system32\logonui.exe:*:Enabled:logonui (Microsoft Corporation)
C:\WINDOWS\system32\winlogon.exe:*:Enabled:winlogon (Microsoft Corporation)
C:\Program Files\BigFix\bigfix.exe:*:Enabled:bigfix (BigFix Inc.)
C:\Program Files\Ares\Ares.exe:*:Enabled:Ares p2p for windows (Ares Development Group)
C:\Program Files\Common Files\McAfee\MNA\McNASvc.exe:*:Enabled:McAfee Network Agent (McAfee, Inc.)

========== HKEY_LOCAL_MACHINE Uninstall List ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall]
"{15377C3E-9655-400F-B441-E69F0A6BEAFE}" = Recovery Software Suite eMachines
"{18D10072035C4515918F7E37EAFAACFC}" = AutoUpdate
"{1FBF6C24-C1FD-4101-A42B-0C564F9E8E79}" = DVD Solution
"{216AB108-2AE1-4130-B3D5-20B2C4C80F8F}" = QuickTime
"{2318C2B1-4965-11d4-9B18-009027A5CD4F}" = Google Toolbar for Internet Explorer
"{2A9C3F41-DACA-37AB-84FB-2E6193C42151}" = Google Gears
"{3248F0A8-6813-11D6-A77B-00B0D0150020}" = J2SE Runtime Environment 5.0 Update 2
"{350C97B0-3D7C-4EE8-BAA9-00BCB3D54227}" = WebFldrs XP
"{3EE33958-7381-4E7B-A4F3-6E43098E9E9C}" = Browser Address Error Redirector
"{3FC7CBBC4C1E11DCA1A752EA55D89593}" = DivX Version Checker
"{40BF1E83-20EB-11D8-97C5-0009C5020658}" = Power2Go 4.0
"{4AC55A61-BA20-4DF5-ABFF-8F4819E0C875}" = Digital Media Reader
"{571700F0-DB9D-4B3A-B03D-35A14BB5939F}" = Windows Live Messenger
"{5D95AD35-368F-47D5-B63A-A082DDF00111}" = Microsoft Digital Image Starter Edition 2006 Editor
"{6811CAA0-BF12-11D4-9EA1-0050BAE317E1}" = PowerDVD
"{691F4068-81BF-49E3-B32E-FE3E16400111}" = Microsoft Digital Image Starter Edition 2006 Library
"{6956856F-B6B3-4BE0-BA0B-8F495BE32033}" = Apple Software Update
"{6D52C408-B09A-4520-9B18-475B81D393F1}" = Microsoft Works
"{6E66ECBD-FCA7-4AE1-A8C5-1CA78BEEB057}" = Multimedia Keyboard Driver
"{7131646D-CD3C-40F4-97B9-CD9E4E6262EF}" = Microsoft .NET Framework 2.0
"{7299052b-02a4-4627-81f2-1818da5d550d}" = Microsoft Visual C++ 2005 Redistributable
"{767CC44C-9BBC-438D-BAD3-FD4595DD148B}" = VC80CRTRedist - 8.0.50727.762
"{8A25392D-C5D2-4E79-A2BD-C15DDC5B0959}" = Bonjour
"{8DCE550C-CA43-4E82-92DF-FFC4A48F5BE1}" = Napster Burn Engine
"{90120000-0020-0409-0000-0000000FF1CE}" = Compatibility Pack for the 2007 Office system
"{91120409-6000-11D3-8CFE-0150048383C9}" = Microsoft Office Standard Edition 2003
"{9941F0AA-B903-4AF4-A055-83A9815CC011}" = Sonic Encoders
"{9F7FC79B-3059-4264-9450-39EB368E3225}" = Microsoft Digital Image Library 9 - Blocker
"{A92DAB39-4E2C-4304-9AB6-BC44E68B55E2}" = Google Update Helper
"{A96E97134CA649888820BCDE5E300BBD}" = H.264 Decoder
"{AAC389499AEF40428987B3D30CFC76C9}" = MKV Splitter
"{AC76BA86-7AD7-1033-7B44-A70000000000}" = Adobe Reader 7.0
"{ACCA20B0-C4D1-4BF5-BF21-0A0EB5EF9730}" = REALTEK GbE & FE Ethernet PCI NIC Driver
"{AEF9DC35ADDF4825B049ACBFD1C6EB37}" = AAC Decoder
"{B7050CBDB2504B34BC2A9CA0A692CC29}" = DivX Web Player
"{BBBCAE4B-B416-4182-A6F2-438180894A81}" = Napster
"{CB2F7EDD-9D1F-43C1-90FC-4F52EAE172A1}" = Microsoft .NET Framework 1.1
"{EC4455AB-F155-4CC1-A4C5-88F3777F9886}" = Apple Mobile Device Support
"{F132AF7F-7BCA-4EDE-8A7C-958108FE7DBC}" = Realtek High Definition Audio Driver
"{F5C63795-2708-4D15-BF18-5ABBFF7DFFC8}" = iTunes
"Adobe Flash Player ActiveX" = Adobe Flash Player 10 ActiveX
"America Online us" = America Online (Choose which version to remove)
"AOL Connectivity Services" = AOL Connectivity Services
"AOL Spyware Protection" = AOL Spyware Protection
"AolCoach2_en" = AOL Coach Version 2.0(Build:20041026.5 en)
"Ares" = Ares 2.1.1
"ATI Display Driver" = ATI Display Driver
"BigFix" = BigFix
"CNXT_MODEM_PCI_VEN_14F1&DEV_2F20&SUBSYS_200014F1" = Soft Data Fax Modem with SmartCP
"DivX Plus DirectShow Filters" = DivX Plus DirectShow Filters
"Gateway Game Console" = Gateway Game Console
"Google Desktop" = Google Desktop
"HijackThis" = HijackThis 2.0.2
"IDNMitigationAPIs" = Microsoft Internationalized Domain Names Mitigation APIs
"ie7" = Windows Internet Explorer 7
"InstallShield_{4AC55A61-BA20-4DF5-ABFF-8F4819E0C875}" = Digital Media Reader
"Microsoft .NET Framework 1.1 (1033)" = Microsoft .NET Framework 1.1
"Microsoft .NET Framework 2.0" = Microsoft .NET Framework 2.0
"Money2006b" = Microsoft Money 2006
"MSC" = McAfee SecurityCenter
"MSNINST" = MSN
"NLSDownlevelMapping" = Microsoft National Language Support Downlevel APIs
"PictureItSuiteTrial_v11" = Microsoft Digital Image Starter Edition 2006
"Port Magic" = Pure Networks Port Magic
"RealPlayer 6.0" = RealPlayer Basic
"ViewpointMediaPlayer" = Viewpoint Media Player
"WGA" = Windows Genuine Advantage Validation Tool
"WildTangent CDA" = WildTangent Web Driver
"Windows Media Format Runtime" = Windows Media Format Runtime
"Windows XP Service Pack" = Windows XP Service Pack 3
"WT010646" = Bejeweled 2 Deluxe
"WT010647" = Blackhawk Striker 2
"WT010648" = Blasterball 2 Revolution
"WT010649" = Diner Dash
"WT010650" = FATE
"WT010651" = Penguins!
"WT010654" = SCRABBLE
"WT010655" = Tradewinds
"WT010660" = Polar Bowler
"WT010661" = Polar Golfer

========== Last 10 Event Log Errors ==========

[ Application Events ]
Error - 3/24/2009 3:29:09 PM | Computer Name = YOUR-B127DF9F9E | Source = Application Hang | ID = 1002
Description = Hanging application iexplore.exe, version 7.0.6000.16791, hang module
hungapp, version 0.0.0.0, hang address 0x00000000.

Error - 3/24/2009 4:39:26 PM | Computer Name = YOUR-B127DF9F9E | Source = Userenv | ID = 1041
Description = Windows cannot query DllName registry entry for {7B849a69-220F-451E-B3FE-2CB811AF94AE}
and it will not be loaded. This is most likely caused by a faulty registration.

Error - 3/24/2009 4:39:26 PM | Computer Name = YOUR-B127DF9F9E | Source = Userenv | ID = 1041
Description = Windows cannot query DllName registry entry for {CF7639F3-ABA2-41DB-97F2-81E2C5DBFC5D}
and it will not be loaded. This is most likely caused by a faulty registration.

Error - 3/24/2009 4:53:26 PM | Computer Name = YOUR-B127DF9F9E | Source = Userenv | ID = 1041
Description = Windows cannot query DllName registry entry for {7B849a69-220F-451E-B3FE-2CB811AF94AE}
and it will not be loaded. This is most likely caused by a faulty registration.

Error - 3/24/2009 4:53:26 PM | Computer Name = YOUR-B127DF9F9E | Source = Userenv | ID = 1041
Description = Windows cannot query DllName registry entry for {CF7639F3-ABA2-41DB-97F2-81E2C5DBFC5D}
and it will not be loaded. This is most likely caused by a faulty registration.

Error - 3/24/2009 6:19:27 PM | Computer Name = YOUR-B127DF9F9E | Source = Userenv | ID = 1041
Description = Windows cannot query DllName registry entry for {7B849a69-220F-451E-B3FE-2CB811AF94AE}
and it will not be loaded. This is most likely caused by a faulty registration.

Error - 3/24/2009 6:19:27 PM | Computer Name = YOUR-B127DF9F9E | Source = Userenv | ID = 1041
Description = Windows cannot query DllName registry entry for {CF7639F3-ABA2-41DB-97F2-81E2C5DBFC5D}
and it will not be loaded. This is most likely caused by a faulty registration.

Error - 3/24/2009 6:46:27 PM | Computer Name = YOUR-B127DF9F9E | Source = Userenv | ID = 1041
Description = Windows cannot query DllName registry entry for {7B849a69-220F-451E-B3FE-2CB811AF94AE}
and it will not be loaded. This is most likely caused by a faulty registration.

Error - 3/24/2009 6:46:27 PM | Computer Name = YOUR-B127DF9F9E | Source = Userenv | ID = 1041
Description = Windows cannot query DllName registry entry for {CF7639F3-ABA2-41DB-97F2-81E2C5DBFC5D}
and it will not be loaded. This is most likely caused by a faulty registration.

Error - 3/24/2009 7:59:27 PM | Computer Name = YOUR-B127DF9F9E | Source = Userenv | ID = 1041
Description = Windows cannot query DllName registry entry for {7B849a69-220F-451E-B3FE-2CB811AF94AE}
and it will not be loaded. This is most likely caused by a faulty registration.

[ System Events ]
Error - 3/26/2009 12:25:37 AM | Computer Name = YOUR-B127DF9F9E | Source = Service Control Manager | ID = 7034
Description = The SSDP Discovery Service service terminated unexpectedly. It has
done this 2 time(s).

Error - 3/26/2009 12:25:43 AM | Computer Name = YOUR-B127DF9F9E | Source = Service Control Manager | ID = 7031
Description = The Remote Registry service terminated unexpectedly. It has done
this 1 time(s). The following corrective action will be taken in 1000 milliseconds:
Restart the service.

Error - 3/26/2009 12:25:51 AM | Computer Name = YOUR-B127DF9F9E | Source = Service Control Manager | ID = 7031
Description = The Media Center Extender Service service terminated unexpectedly.
It has done this 2 time(s). The following corrective action will be taken in
5000 milliseconds: Restart the service.

Error - 3/26/2009 12:25:58 AM | Computer Name = YOUR-B127DF9F9E | Source = Service Control Manager | ID = 7031
Description = The Remote Registry service terminated unexpectedly. It has done
this 1 time(s). The following corrective action will be taken in 1000 milliseconds:
Restart the service.

Error - 3/26/2009 12:34:16 AM | Computer Name = YOUR-B127DF9F9E | Source = DCOM | ID = 10005
Description = DCOM got error "%1058" attempting to start the service wuauserv with
arguments "" in order to run the server: {E60687F7-01A1-40AA-86AC-DB1CBF673334}

Error - 3/26/2009 12:44:18 AM | Computer Name = YOUR-B127DF9F9E | Source = DCOM | ID = 10005
Description = DCOM got error "%1058" attempting to start the service wuauserv with
arguments "" in order to run the server: {E60687F7-01A1-40AA-86AC-DB1CBF673334}

Error - 3/26/2009 12:57:36 AM | Computer Name = YOUR-B127DF9F9E | Source = Service Control Manager | ID = 7034
Description = The TCP/IP NetBIOS Helper service terminated unexpectedly. It has
done this 1 time(s).

Error - 3/26/2009 12:57:36 AM | Computer Name = YOUR-B127DF9F9E | Source = Service Control Manager | ID = 7031
Description = The Remote Registry service terminated unexpectedly. It has done
this 1 time(s). The following corrective action will be taken in 1000 milliseconds:
Restart the service.

Error - 3/26/2009 12:57:36 AM | Computer Name = YOUR-B127DF9F9E | Source = Service Control Manager | ID = 7034
Description = The WebClient service terminated unexpectedly. It has done this 1
time(s).

Error - 3/26/2009 12:59:16 AM | Computer Name = YOUR-B127DF9F9E | Source = Service Control Manager | ID = 7031
Description = The Remote Registry service terminated unexpectedly. It has done
this 1 time(s). The following corrective action will be taken in 1000 milliseconds:
Restart the service.


< End of report >


Contents of GMER.txt

GMER 1.0.15.14944 - http://www.gmer.net
Rootkit scan 2009-03-26 13:33:37
Windows 5.1.2600 Service Pack 3


---- System - GMER 1.0.15 ----

Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwCreateFile [0xED6C99AA]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwCreateKey [0xED6C9A41]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwCreateProcess [0xED6C9958]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwCreateProcessEx [0xED6C996C]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwDeleteKey [0xED6C9A55]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwDeleteValueKey [0xED6C9A81]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwEnumerateKey [0xED6C9AEF]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwEnumerateValueKey [0xED6C9AD9]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwMapViewOfSection [0xED6C99EA]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwNotifyChangeKey [0xED6C9B1B]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwOpenKey [0xED6C9A2D]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwOpenProcess [0xED6C9930]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwOpenThread [0xED6C9944]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwProtectVirtualMemory [0xED6C99BE]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwQueryKey [0xED6C9B57]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwQueryMultipleValueKey [0xED6C9AC3]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwQueryValueKey [0xED6C9AAD]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwRenameKey [0xED6C9A6B]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwReplaceKey [0xED6C9B43]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwRestoreKey [0xED6C9B2F]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwSetContextThread [0xED6C9996]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwSetInformationProcess [0xED6C9982]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwSetValueKey [0xED6C9A97]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwTerminateProcess [0xED6C9A19]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwUnloadKey [0xED6C9B05]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwUnmapViewOfSection [0xED6C9A00]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwYieldExecution [0xED6C99D4]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) NtCreateFile
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) NtMapViewOfSection
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) NtOpenProcess
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) NtOpenThread
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) NtSetInformationProcess

---- Devices - GMER 1.0.15 ----

AttachedDevice \FileSystem\Ntfs \Ntfs mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
AttachedDevice \FileSystem\Fastfat \Fat mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
AttachedDevice \Driver\Tcpip \Device\Ip Mpfp.sys (McAfee Personal Firewall Plus Driver/McAfee, Inc.)
AttachedDevice \Driver\Tcpip \Device\Tcp Mpfp.sys (McAfee Personal Firewall Plus Driver/McAfee, Inc.)
AttachedDevice \Driver\Tcpip \Device\Udp Mpfp.sys (McAfee Personal Firewall Plus Driver/McAfee, Inc.)
AttachedDevice \Driver\Tcpip \Device\RawIp Mpfp.sys (McAfee Personal Firewall Plus Driver/McAfee, Inc.)

---- Services - GMER 1.0.15 ----

Service C:\WINDOWS\system32\tlntsvr.exe (*** hidden *** ) [DISABLED] TlntSvr <-- ROOTKIT !!!

---- EOF - GMER 1.0.15 ----
  • 0

#4
kahdah

kahdah

    GeekU Teacher

  • Retired Staff
  • 15,822 posts
Download ComboFix from one of these locations:

Link 1
Link 2
Link 3


* IMPORTANT !!! Save ComboFix.exe to your Desktop


  • Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools

  • Double click on ComboFix.exe & follow the prompts.

  • As part of its process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.

  • Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.

**Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue its malware removal procedures.


Posted Image



Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:

Posted Image


Click on Yes, to continue scanning for malware.

When finished, it shall produce a log for you. Please include the C:\ComboFix.txt in your next reply.
  • 0

#5
kristen08

kristen08

    New Member

  • Topic Starter
  • Member
  • Pip
  • 4 posts
ComboFix 09-03-27.02 - Owner 2009-03-28 7:28:32.1 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.894.468 [GMT -5:00]
Running from: c:\documents and settings\Owner\Desktop\ComboFix.exe
AV: McAfee VirusScan *On-access scanning disabled* (Updated)
* Created a new restore point
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\windows\system32\cnzcli.dll
c:\windows\system32\dgywmn.dll
c:\windows\system32\ebuvakew.ini
c:\windows\system32\eqkkiv.dll
c:\windows\system32\hisoyaji.dll
c:\windows\system32\ibukulol.ini
c:\windows\system32\ijayosih.ini
c:\windows\system32\jalopeya.dll
c:\windows\system32\lolukubi.dll
c:\windows\system32\mawijeho.dll
c:\windows\system32\mejowehi.dll
c:\windows\system32\nanehutu.dll
c:\windows\system32\obewojot.ini
c:\windows\system32\paloyihi.dll
c:\windows\system32\pnqutn.dll
c:\windows\system32\rijedatu.dll
c:\windows\system32\sjbsmg.dll
c:\windows\system32\sufarudi.dll
c:\windows\system32\tojowebo.dll
c:\windows\system32\utadejir.ini
c:\windows\system32\vazoguti.dll
c:\windows\system32\wekavube.dll
c:\windows\system32\wihizada.dll
c:\windows\system32\wiyoyova.dll
c:\windows\system32\zowavami.dll
D:\Autorun.inf

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Service_PCIDump


((((((((((((((((((((((((( Files Created from 2009-02-28 to 2009-03-28 )))))))))))))))))))))))))))))))
.

2009-03-27 10:07 . 2009-03-27 10:07 <DIR> d-------- c:\windows\system32\config\systemprofile\Application Data\SACore
2009-03-27 10:07 . 2009-03-27 10:07 <DIR> d-------- c:\documents and settings\LocalService\Application Data\SACore
2009-03-26 01:12 . 2009-03-27 10:07 <DIR> d-------- c:\documents and settings\All Users\Application Data\SiteAdvisor
2009-03-26 01:10 . 2007-11-22 06:44 201,320 --a------ c:\windows\system32\drivers\mfehidk.sys
2009-03-26 01:10 . 2007-07-13 06:20 113,952 --a------ c:\windows\system32\drivers\Mpfp.sys
2009-03-26 01:10 . 2007-11-22 06:44 79,304 --a------ c:\windows\system32\drivers\mfeavfk.sys
2009-03-26 01:10 . 2007-12-02 12:51 40,488 --a------ c:\windows\system32\drivers\mfesmfk.sys
2009-03-26 01:10 . 2007-11-22 06:44 35,240 --a------ c:\windows\system32\drivers\mfebopk.sys
2009-03-26 01:10 . 2007-11-22 06:44 33,832 --a------ c:\windows\system32\drivers\mferkdk.sys
2009-03-26 01:09 . 2009-03-26 01:09 <DIR> d-------- c:\program files\McAfee.com
2009-03-26 01:09 . 2009-03-26 01:10 <DIR> d-------- c:\program files\Common Files\McAfee
2009-03-25 20:20 . 2009-03-25 20:20 268 --ah----- C:\sqmdata14.sqm
2009-03-25 20:20 . 2009-03-25 20:20 244 --ah----- C:\sqmnoopt14.sqm
2009-03-25 19:26 . 2009-03-25 19:26 <DIR> d-------- c:\program files\Trend Micro
2009-03-25 17:24 . 2009-03-25 17:24 <DIR> d-------- C:\VundoFix Backups
2009-03-25 17:05 . 2009-03-25 17:05 <DIR> d-------- c:\documents and settings\Owner\Application Data\AdobeUM
2009-03-24 23:58 . 2009-03-24 23:58 268 --ah----- C:\sqmdata13.sqm
2009-03-24 23:58 . 2009-03-24 23:58 244 --ah----- C:\sqmnoopt13.sqm
2009-03-24 22:41 . 2009-03-24 22:41 244 --ah----- C:\sqmnoopt12.sqm
2009-03-24 22:41 . 2009-03-24 22:41 232 --ah----- C:\sqmdata12.sqm
2009-03-24 22:32 . 2009-03-24 22:32 <DIR> d-------- c:\program files\NortonInstaller
2009-03-24 22:32 . 2009-03-24 22:32 <DIR> d-------- c:\documents and settings\All Users\Application Data\NortonInstaller
2009-03-24 22:23 . 2009-03-24 22:23 268 --ah----- C:\sqmdata11.sqm
2009-03-24 22:23 . 2009-03-24 22:23 244 --ah----- C:\sqmnoopt11.sqm
2009-03-24 22:05 . 2009-03-24 22:10 <DIR> d-------- c:\program files\Windows Defender
2009-03-24 21:38 . 2009-03-24 21:38 268 --ah----- C:\sqmdata10.sqm
2009-03-24 21:38 . 2009-03-24 21:38 244 --ah----- C:\sqmnoopt10.sqm
2009-03-24 14:10 . 2009-03-24 14:10 268 --ah----- C:\sqmdata09.sqm
2009-03-24 14:10 . 2009-03-24 14:10 244 --ah----- C:\sqmnoopt09.sqm
2009-03-24 14:03 . 2005-09-28 16:18 131,072 --------- c:\windows\system32\mclsp.dll
2009-03-24 14:03 . 2005-04-20 19:22 32,768 --a------ c:\windows\system32\instlsp.exe
2009-03-24 14:03 . 2005-04-20 19:22 11,264 --a------ c:\windows\system32\sporder.dll
2009-03-24 14:00 . 2009-03-24 14:00 268 --ah----- C:\sqmdata08.sqm
2009-03-24 14:00 . 2009-03-24 14:00 244 --ah----- C:\sqmnoopt08.sqm
2009-03-23 23:21 . 2009-03-23 23:21 280 --ah----- C:\sqmdata07.sqm
2009-03-23 23:21 . 2009-03-23 23:21 244 --ah----- C:\sqmnoopt07.sqm
2009-03-23 16:52 . 2009-03-23 16:52 244 --ah----- C:\sqmnoopt06.sqm
2009-03-23 16:52 . 2009-03-23 16:52 232 --ah----- C:\sqmdata06.sqm
2009-03-23 16:51 . 2009-03-23 16:51 268 --ah----- C:\sqmdata05.sqm
2009-03-23 16:51 . 2009-03-23 16:51 244 --ah----- C:\sqmnoopt05.sqm
2009-03-22 23:02 . 2009-03-22 23:02 268 --ah----- C:\sqmdata04.sqm
2009-03-22 23:02 . 2009-03-22 23:02 244 --ah----- C:\sqmnoopt04.sqm
2009-03-09 15:51 . 2009-03-09 15:51 <DIR> d-------- c:\program files\cstl
2009-03-05 17:38 . 2009-03-05 17:38 <DIR> d-------- c:\program files\Ares
2009-03-01 21:02 . 2008-04-13 19:12 159,232 --a------ c:\windows\system32\ptpusd.dll
2009-03-01 21:02 . 2008-04-13 13:45 15,104 --a------ c:\windows\system32\drivers\usbscan.sys
2009-03-01 21:02 . 2008-04-13 13:45 15,104 --a--c--- c:\windows\system32\dllcache\usbscan.sys
2009-03-01 21:02 . 2001-08-17 23:36 5,632 --a------ c:\windows\system32\ptpusb.dll
2009-02-28 00:21 . 2009-02-28 00:21 268 --ah----- C:\sqmdata03.sqm
2009-02-28 00:21 . 2009-02-28 00:21 244 --ah----- C:\sqmnoopt03.sqm

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-03-28 11:51 --------- d-----w c:\program files\McAfee
2009-03-27 15:07 --------- d-----w c:\documents and settings\All Users\Application Data\McAfee
2009-03-25 03:11 --------- d-----w c:\documents and settings\All Users\Application Data\McAfee.com
2009-03-24 19:31 --------- d-----w c:\program files\DivX
2009-03-12 01:55 --------- d-----w c:\documents and settings\Owner\Application Data\LimeWire
2009-03-10 03:18 --------- d-----w c:\documents and settings\All Users\Application Data\McAfee.com Personal Firewall
2009-02-26 21:05 --------- d-----w c:\program files\MSN Messenger
2009-02-23 05:11 --------- d-----w c:\documents and settings\Owner\Application Data\MSNInstaller
2009-02-23 02:59 --------- d-----w c:\documents and settings\Owner\Application Data\DivX
2009-02-23 02:56 --------- d-----w c:\program files\MSECache
2009-02-22 01:04 --------- d-----w c:\documents and settings\Owner\Application Data\Apple Computer
2009-02-21 23:56 --------- d-----w c:\program files\iTunes
2009-02-21 23:56 --------- d-----w c:\documents and settings\All Users\Application Data\{3276BE95_AF08_429F_A64F_CA64CB79BCF6}
2009-02-21 23:55 --------- d-----w c:\program files\iPod
2009-02-21 23:55 --------- d-----w c:\documents and settings\All Users\Application Data\Apple Computer
2009-02-21 23:54 --------- d-----w c:\program files\QuickTime
2009-02-21 23:54 --------- d-----w c:\program files\Bonjour
2009-02-21 23:52 --------- d-----w c:\program files\Apple Software Update
2009-02-21 23:50 --------- d-----w c:\program files\Common Files\Apple
2009-02-21 23:50 --------- d-----w c:\documents and settings\All Users\Application Data\Apple
2009-02-21 22:31 --------- d-----w c:\documents and settings\Owner\Application Data\CyberLink
2009-02-21 00:15 --------- d-----w c:\documents and settings\Owner\Application Data\Nova Development
2009-02-21 00:15 --------- d-----w c:\documents and settings\All Users\Application Data\Nova Development
2009-02-19 03:14 --------- d-----w c:\documents and settings\All Users\Application Data\CyberLink
2009-02-18 14:00 --------- d-----w c:\documents and settings\Owner\Application Data\McAfee.com Personal Firewall
2009-02-18 03:48 --------- d-----w c:\program files\Google
2009-02-16 12:38 --------- d--h--w c:\documents and settings\All Users\Application Data\CanonBJ
2009-02-15 13:45 --------- d-----w c:\program files\BigFix
2009-02-14 17:41 --------- d-----w c:\documents and settings\All Users\Application Data\QuickTime
2009-02-13 10:17 --------- d-----w c:\program files\MSXML 4.0
2009-02-13 10:14 --------- d-----w c:\documents and settings\LocalService\Application Data\McAfee.com Personal Firewall
2009-02-13 09:49 --------- d-----w c:\documents and settings\Owner\Application Data\Viewpoint
2009-02-12 23:54 --------- d-----w c:\windows\system32\config\systemprofile\Application Data\SampleView
2009-02-12 23:54 --------- d-----w c:\documents and settings\Owner\Application Data\SampleView
2009-02-12 23:54 --------- d-----w c:\documents and settings\Administrator\Application Data\SampleView
2009-02-12 23:46 --------- d--h--w c:\program files\InstallShield Installation Information
2009-02-12 23:46 --------- d-----w c:\program files\Realtek
2009-02-12 23:45 --------- d-----w c:\windows\system32\config\systemprofile\Application Data\You've Got Pictures Screensaver
2009-02-12 23:45 --------- d-----w c:\program files\Microsoft Money 2006
2009-02-12 23:45 --------- d-----w c:\program files\Common Files\Nullsoft
2009-02-12 23:45 --------- d-----w c:\program files\Common Files\aolshare
2009-02-12 23:45 --------- d-----w c:\program files\Common Files\AOL
2009-02-12 23:45 --------- d-----w c:\program files\America Online 9.0
2009-02-12 23:45 --------- d-----w c:\documents and settings\Owner\Application Data\You've Got Pictures Screensaver
2009-02-12 23:45 --------- d-----w c:\documents and settings\All Users\Application Data\AOL
2009-02-12 23:45 --------- d-----w c:\documents and settings\Administrator\Application Data\You've Got Pictures Screensaver
2009-02-12 23:44 8,552 ----a-w c:\windows\system32\drivers\asctrm.sys
2009-02-12 23:44 --------- d-----w c:\program files\Viewpoint
2009-02-12 23:44 --------- d-----w c:\program files\Real
2009-02-12 23:44 --------- d-----w c:\program files\Pure Networks
2009-02-12 23:44 --------- d-----w c:\program files\Common Files\Real
2009-02-12 23:44 --------- d-----w c:\program files\Common Files\AolCoach
2009-02-12 23:44 --------- d-----w c:\documents and settings\All Users\Application Data\Viewpoint
2009-02-12 23:44 --------- d-----w c:\documents and settings\All Users\Application Data\Pure Networks
2009-02-12 23:43 --------- d-----w c:\program files\Microsoft Works
2009-02-12 23:42 --------- d-----w c:\program files\Napster
2009-02-12 23:42 --------- d-----w c:\program files\MSN Encarta Plus
2009-02-12 23:42 --------- d-----w c:\program files\Common Files\Roxio Shared
2009-02-12 23:41 --------- d-----w c:\program files\Microsoft Digital Image 2006
2009-02-12 23:41 --------- d-----w c:\documents and settings\All Users\Application Data\Napster
2009-02-12 23:40 --------- d-----w c:\program files\Common Files\Adobe
2009-02-12 23:38 --------- d-----w c:\program files\Gateway Games
2009-02-12 23:38 --------- d-----w c:\documents and settings\All Users\Application Data\WildTangent
2009-02-12 23:36 --------- d-----w c:\program files\WildTangent
2009-02-12 23:35 --------- d-----w c:\program files\Java
2009-02-12 23:35 --------- d-----w c:\program files\Common Files\InstallShield
2009-02-12 23:34 --------- d-----w c:\program files\Common Files\Java
2009-02-12 23:33 --------- d-----w c:\program files\Digital Media Reader
2009-02-12 23:31 --------- d-----w c:\program files\Microsoft.NET
2009-02-12 23:31 --------- d-----w c:\program files\Microsoft ActiveSync
2009-02-12 23:30 --------- d-----w c:\program files\CyberLink
2009-02-12 23:17 --------- d-----w c:\program files\CONEXANT
2009-02-12 22:57 --------- d-----w c:\program files\Windows Plus
2009-02-12 22:57 --------- d-----w c:\program files\microsoft frontpage
2009-02-12 22:57 --------- d-----w c:\program files\Common Files\New Boundary
2009-02-12 22:57 --------- d-----w c:\documents and settings\All Users\Application Data\Prism Deploy
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Power2GoExpress"="NA" [X]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-13 15360]
"MsnMsgr"="c:\program files\MSN Messenger\MsnMsgr.Exe" [2007-01-19 5674352]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ehTray"="c:\windows\ehome\ehtray.exe" [2005-08-05 64512]
"Google Desktop Search"="c:\program files\Google\Google Desktop Search\GoogleDesktop.exe" [2009-02-12 169984]
"readericon"="c:\program files\Digital Media Reader\readericon45G.exe" [2005-12-09 139264]
"HostManager"="c:\program files\Common Files\AOL\1234482231\EE\AOLHostManager.exe" [2004-11-03 125528]
"AOL Spyware Protection"="c:\progra~1\COMMON~1\AOL\AOLSPY~1\AOLSP Scheduler.exe" [2004-10-18 79448]
"Recguard"="c:\windows\SMINST\RECGUARD.EXE" [2002-09-14 212992]
"Reminder"="c:\windows\Creator\Remind_XP.exe" [2005-02-25 966656]
"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2009-01-05 413696]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2009-01-06 290088]
"MSKDetectorExe"="c:\program files\McAfee\SpamKiller\MSKDetct.exe" [2005-08-12 1121792]
"mcagent_exe"="c:\program files\McAfee.com\Agent\mcagent.exe" [2007-11-01 582992]
"RTHDCPL"="RTHDCPL.EXE" [2006-04-17 c:\windows\RTHDCPL.exe]
"CHotkey"="zHotkey.exe" [2004-12-08 c:\windows\zHotkey.exe]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
BigFix.lnk - c:\program files\BigFix\bigfix.exe [2009-02-12 2168360]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"msacm.clmp3enc"= c:\progra~1\CYBERL~1\Power2Go\CLMP3Enc.ACM

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"UpdatesDisableNotify"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeAntiVirus]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Common Files\\AOL\\Loader\\aolload.exe"=
"c:\\Program Files\\Common Files\\AOL\\ACS\\AOLDial.exe"=
"c:\\Program Files\\Common Files\\AOL\\ACS\\AOLacsd.exe"=
"c:\\Program Files\\America Online 9.0\\waol.exe"=
"c:\\Program Files\\Common Files\\AOL\\TopSpeed\\2.0\\aoltsmon.exe"=
"c:\\Program Files\\Common Files\\AOL\\TopSpeed\\2.0\\aoltpspd.exe"=
"c:\\Program Files\\Common Files\\AOL\\1234482231\\EE\\AOLServiceHost.exe"=
"c:\\Program Files\\Common Files\\AOL\\System Information\\sinf.exe"=
"c:\\Program Files\\Common Files\\AOL\\AOL Spyware Protection\\AOLSP Scheduler.exe"=
"c:\\Program Files\\Common Files\\AOL\\AOL Spyware Protection\\asp.exe"=
"c:\\Program Files\\Common Files\\AolCoach\\en_en\\player\\AOLNySEV.exe"=
"c:\\My Backup -- 09-02-12 0352PM\\Program Files\\LimeWire\\LimeWire.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\\Program Files\\MSN Messenger\\msnmsgr.exe"=
"c:\\Program Files\\MSN Messenger\\livecall.exe"=
"c:\\Program Files\\BigFix\\bigfix.exe"=
"c:\\Program Files\\Ares\\Ares.exe"=
"c:\\Program Files\\Common Files\\McAfee\\MNA\\McNASvc.exe"=

R2 McAfee SiteAdvisor Service;McAfee SiteAdvisor Service;c:\program files\McAfee\SiteAdvisor\McSACore.exe [2009-03-27 210216]
S2 gupdate1c9917bc4e3b1d2;Google Update Service (gupdate1c9917bc4e3b1d2);c:\program files\Google\Update\GoogleUpdate.exe [2009-02-17 133104]
.
Contents of the 'Scheduled Tasks' folder

2009-03-28 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 13:34]

2009-03-28 c:\windows\Tasks\GoogleUpdateTaskMachine.job
- c:\program files\Google\Update\GoogleUpdate.exe [2009-02-17 22:48]

2009-03-26 c:\windows\Tasks\McDefragTask.job
- c:\progra~1\mcafee\mqc\QcConsol.exe [2007-12-04 13:32]

2009-03-26 c:\windows\Tasks\McQcTask.job
- c:\progra~1\mcafee\mqc\QcConsol.exe [2007-12-04 13:32]
.
- - - - ORPHANS REMOVED - - - -

BHO-{3c1b916d-a35a-4109-bcaa-a95c2e425772} - (no file)
BHO-{d40cc2b7-b4ec-40ac-86d7-f84601ba504c} - c:\windows\system32\dgywmn.dll
HKLM-Run-yibonikero - c:\windows\system32\mawisega.dll


.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.myspace.com/
mStart Page = hxxp://www.myspace.com/
uInternet Settings,ProxyOverride = *.local
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
.

**************************************************************************

catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-03-28 07:34:14
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(564)
c:\windows\system32\Ati2evxx.dll
.
------------------------ Other Running Processes ------------------------
.
c:\windows\system32\ati2evxx.exe
c:\windows\system32\ati2evxx.exe
c:\program files\Google\Google Desktop Search\GoogleDesktopIndex.exe
c:\progra~1\COMMON~1\AOL\123448~1\EE\AOLServiceHost.exe
c:\progra~1\BigFix\bigfix.exe
c:\program files\Common Files\AOL\ACS\AOLacsd.exe
c:\program files\Common Files\AOL\TopSpeed\2.0\aoltsmon.exe
c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
c:\program files\Common Files\AOL\TopSpeed\2.0\aoltpspd.exe
c:\program files\Bonjour\mDNSResponder.exe
c:\windows\ehome\ehrecvr.exe
c:\windows\ehome\ehSched.exe
c:\progra~1\McAfee\MSC\mcmscsvc.exe
c:\progra~1\COMMON~1\McAfee\MNA\McNASvc.exe
c:\progra~1\COMMON~1\McAfee\McProxy\McProxy.exe
c:\progra~1\McAfee\VIRUSS~1\Mcshield.exe
c:\program files\Common Files\New Boundary\PrismXL\PRISMXL.SYS
c:\windows\ehome\mcrdsvc.exe
c:\windows\ehome\ehmsas.exe
c:\program files\iPod\bin\iPodService.exe
c:\windows\system32\dllhost.exe
c:\progra~1\McAfee\MSC\mcuimgr.exe
.
**************************************************************************
.
Completion time: 2009-03-28 7:39:43 - machine was rebooted
ComboFix-quarantined-files.txt 2009-03-28 12:39:38

Pre-Run: 132,849,389,568 bytes free
Post-Run: 132,977,831,936 bytes free

WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe
[boot loader]
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Windows XP Media Center Edition" /noexecute=optin /fastdetect

300 --- E O F --- 2009-03-26 07:03:16
  • 0

#6
kahdah

kahdah

    GeekU Teacher

  • Retired Staff
  • 15,822 posts
Please download Malwarebytes' Anti-Malware from Here or Here

Double Click mbam-setup.exe to install the application.
  • Make sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.
  • If an update is found, it will download and install the latest version.
  • Once the program has loaded, select "Perform Full Scan", then click Scan.
  • The scan may take some time to finish, so please be patient.
  • When the scan is complete, click OK, then Show Results to view the results.
  • Make sure that everything is checked, and click Remove Selected.
  • When disinfection is completed, a log will open in Notepad and you may be prompted to Restart. (See Extra Note)
  • The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
  • Copy & Paste the entire report in your next reply.
Extra Note:
If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts. Click OK to either and let MBAM proceed with the disinfection process; if asked to restart the computer, please do so immediately.
  • 0

#7
kristen08

kristen08

    New Member

  • Topic Starter
  • Member
  • Pip
  • 4 posts
Malwarebytes' Anti-Malware 1.35
Database version: 1912
Windows 5.1.2600 Service Pack 3

3/28/2009 9:34:44 PM
mbam-log-2009-03-28 (21-34-44).txt

Scan type: Full Scan (C:\|D:\|)
Objects scanned: 252888
Time elapsed: 2 hour(s), 14 minute(s), 29 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 1
Folders Infected: 0
Files Infected: 21

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\UpdatesDisableNotify (Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.

Folders Infected:
(No malicious items detected)

Files Infected:
C:\System Volume Information\_restore{4E015214-6BB0-4181-B365-456CF1DEC069}\RP52\A0005923.exe (Trojan.Downloader) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{4E015214-6BB0-4181-B365-456CF1DEC069}\RP52\A0005959.exe (Trojan.Downloader) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{4E015214-6BB0-4181-B365-456CF1DEC069}\RP52\A0005918.exe (Trojan.Waledac) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{4E015214-6BB0-4181-B365-456CF1DEC069}\RP52\A0005919.exe (Trojan.Waledac) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{4E015214-6BB0-4181-B365-456CF1DEC069}\RP52\A0005920.exe (Trojan.Agent) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{4E015214-6BB0-4181-B365-456CF1DEC069}\RP52\A0005921.exe (Trojan.Dropper) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{4E015214-6BB0-4181-B365-456CF1DEC069}\RP52\A0005922.exe (Trojan.Downloader) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{4E015214-6BB0-4181-B365-456CF1DEC069}\RP52\A0005949.exe (Rogue.Installer) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{4E015214-6BB0-4181-B365-456CF1DEC069}\RP52\A0005955.exe (Trojan.Agent) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{4E015214-6BB0-4181-B365-456CF1DEC069}\RP52\A0005956.exe (Trojan.Downloader) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{4E015214-6BB0-4181-B365-456CF1DEC069}\RP52\A0005960.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{4E015214-6BB0-4181-B365-456CF1DEC069}\RP52\A0005961.dll (Trojan.Downloader) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{4E015214-6BB0-4181-B365-456CF1DEC069}\RP52\A0005962.exe (Trojan.Agent) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{4E015214-6BB0-4181-B365-456CF1DEC069}\RP52\A0005964.dll (Trojan.Agent) -> Quarantined and deleted successfully.
C:\My Backup -- 09-02-12 0352PM\Documents and Settings\Kisten\Local Settings\Temp\seneka12f9.tmp (Trojan.Agent) -> Quarantined and deleted successfully.
C:\My Backup -- 09-02-12 0352PM\Documents and Settings\Kisten\Local Settings\Temp\prun.tmp (Trojan.Downloader) -> Quarantined and deleted successfully.
C:\My Backup -- 09-02-12 0352PM\WINDOWS\system32\MSINET.oca (Rogue.Trace) -> Quarantined and deleted successfully.
C:\My Backup -- 09-02-12 0352PM\WINDOWS\system32\nods32.dll (Trojan.BHO) -> Quarantined and deleted successfully.
C:\My Backup -- 09-02-12 0352PM\WINDOWS\Temp\93.tmp (Trojan.Downloader) -> Quarantined and deleted successfully.
C:\My Backup -- 09-02-12 0352PM\WINDOWS\Temp\TDSS952.tmp (Trojan.Agent) -> Quarantined and deleted successfully.
C:\My Backup -- 09-02-12 0352PM\WINDOWS\Temp\UACcda4.tmp (Rootkit.TDSS) -> Quarantined and deleted successfully.
  • 0

#8
kahdah

kahdah

    GeekU Teacher

  • Retired Staff
  • 15,822 posts
  • Double click on Otlistit to run it. Make sure all other windows are closed and to let it run uninterrupted.
  • When the window appears, underneath Output at the top change it to Minimal Output.
  • Under the Standard Registry box change it to All.
  • Click the Run Scan button. Do not change any settings unless otherwise told to do so. The scan won't take long.
  • When the scan completes, it will open one notepad window: OTListIt.Txt. This is saved in the same location as OTListIt2.
  • Please copy (Edit->Select All, Edit->Copy) the contents of this file and post it with your next reply.

  • 0
