Stubborn... possible trojan.vundo.v, trojan.agent [Closed]

#1 don'tclickthat

My sister came to me today with her laptop, which runs XP version 2002. When she logs into it, all she gets is her background and errors about svchost.exe having to shut down. I went into safe mode, which also only showed the background. I ran Spybot Search and Destroy. The computer now freezes on "loading your personal settings" in normal boot. In safe mode, it loads regularly and an error pops up (this one I was smart enough to screencap): "svchost.exe - application error The instruction at "0x40ac9bef" referenced memory at "0x40ac9bef". The memory could not be "read". Click on OK to terminate, cancel to debug". Also, I've noticed whatever is on it has hidden the Security Center, and when I try to run Windows Update, an error pops up: error number 0x80072ee2. I ran Malwarebytes; here's the log file.

Malwarebytes' Anti-Malware 1.36
Database version: 2021
Windows 5.1.2600

4/21/2009 5:48:01 PM
mbam-log-2009-04-21 (17-48-01).txt

Scan type: Full Scan (C:\|)
Objects scanned: 116337
Time elapsed: 17 minute(s), 38 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 3
Registry Keys Infected: 32
Registry Values Infected: 14
Registry Data Items Infected: 3
Folders Infected: 25
Files Infected: 58

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
C:\WINDOWS\wprete.dll (Trojan.Vundo.V) -> Delete on reboot.
C:\WINDOWS\system32\hsf73ikmdf3f.dll (Trojan.Agent) -> Delete on reboot.
C:\WINDOWS\system32\ds43g4nfjkn93.dll (Trojan.Agent) -> Delete on reboot.

Registry Keys Infected:
HKEY_CLASSES_ROOT\CLSID\{b2ba40a2-74f3-42bd-f434-2604812c8954} (Trojan.Zlob.H) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{d5bf49a0-94f3-42bd-f434-3604812c8955} (Trojan.Zlob.H) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{d5bf49a0-94f3-42bd-f434-3604812c8955} (Trojan.Agent) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{ec43e3fd-5c60-46a6-97d7-e0b85dbdd6c4} (Trojan.BHO) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\6to4 (Dialer) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Services\6to4 (Dialer) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\6to4 (Dialer) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\at1394 (Spyware.OnlineGames) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Services\at1394 (Spyware.OnlineGames) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\at1394 (Spyware.OnlineGames) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{b16df3c5-8bc7-46ea-afb5-22f62e277661} (Trojan.Downloader) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{b2ba40a2-74f3-42bd-f434-2604812c8954} (Trojan.Agent) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{2e5cfb78-0fb7-4978-a1c4-dfd381b2069d} (Trojan.Vundo.H) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\restore (Rootkit.Agent) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\sopidkc (Backdoor.Bot) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\xpre (Trojan.Downloader) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\WR (Malware.Trace) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Software Notifier (Rogue.Multiple) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\MS Juan (Malware.Trace) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\contim (Trojan.Vundo) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\dslcnnct (Trojan.Vundo) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\IProxyProvider (Trojan.Vundo) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\rdfa (Trojan.Vundo) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\FCOVM (Trojan.Vundo) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ModuleUsage\c:/windows/downloaded program files/xpreload.ocx (Heuristics.Malware) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\tdctxte (Backdoor.Bot) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Services\tdctxte (Backdoor.Bot) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\tdctxte (Backdoor.Bot) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\AGprotect (Malware.Trace) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\dhcpsrv (Trojan.Agent) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Services\dhcpsrv (Trojan.Agent) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\dhcpsrv (Trojan.Agent) -> Quarantined and deleted successfully.

Registry Values Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\tukabikike (Trojan.Vundo.H) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SharedTaskScheduler\{b2ba40a2-74f3-42bd-f434-2604812c8954} (Trojan.Zlob.H) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SharedTaskScheduler\{d5bf49a0-94f3-42bd-f434-3604812c8955} (Trojan.Zlob.H) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SharedTaskScheduler\{ec43e3fd-5c60-46a6-97d7-e0b85dbdd6c4} (Trojan.BHO) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\ssodl (Trojan.BHO) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\rhcrjfj0e53n (Rogue.AntivirusXP2008) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\pgahaquvacaxoj (Trojan.Agent) -> Delete on reboot.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\reader_s (Trojan.Agent) -> Quarantined and deleted successfully.
HKEY_USERS\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\reader_s (Trojan.Agent) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Settings\bf (Trojan.Agent) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Settings\bk (Trojan.Agent) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Settings\iu (Trojan.Agent) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Settings\mu (Trojan.Agent) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\SharedDLLs\C:\WINDOWS\Downloaded Program Files\xpreload.ocx (Heuristics.Malware) -> Quarantined and deleted successfully.

Registry Data Items Infected:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\LSA\Notification Packages (Trojan.Vundo.H) -> Data: wprete.dll -> Delete on reboot.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\AppInit_DLLs (Spyware.OnlineGamer) -> Data: c:\progra~1\thunmail\testabd.dll -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\UpdatesDisableNotify (Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.

Folders Infected:
C:\Program Files\xloadnet (Trojan.Agent) -> Quarantined and deleted successfully.
C:\Documents and Settings\Administrator\Application Data\rhcrjfj0e53n (Rogue.Multiple) -> Quarantined and deleted successfully.
C:\Documents and Settings\Administrator\Application Data\rhcrjfj0e53n\Quarantine (Rogue.Multiple) -> Quarantined and deleted successfully.
C:\Documents and Settings\Administrator\Application Data\rhcrjfj0e53n\Quarantine\Autorun (Rogue.Multiple) -> Quarantined and deleted successfully.
C:\Documents and Settings\Administrator\Application Data\rhcrjfj0e53n\Quarantine\Autorun\HKCU (Rogue.Multiple) -> Quarantined and deleted successfully.
C:\Documents and Settings\Administrator\Application Data\rhcrjfj0e53n\Quarantine\Autorun\HKCU\RunOnce (Rogue.Multiple) -> Quarantined and deleted successfully.
C:\Documents and Settings\Administrator\Application Data\rhcrjfj0e53n\Quarantine\Autorun\HKLM (Rogue.Multiple) -> Quarantined and deleted successfully.
C:\Documents and Settings\Administrator\Application Data\rhcrjfj0e53n\Quarantine\Autorun\HKLM\RunOnce (Rogue.Multiple) -> Quarantined and deleted successfully.
C:\Documents and Settings\Administrator\Application Data\rhcrjfj0e53n\Quarantine\Autorun\StartMenuAllUsers (Rogue.Multiple) -> Quarantined and deleted successfully.
C:\Documents and Settings\Administrator\Application Data\rhcrjfj0e53n\Quarantine\Autorun\StartMenuCurrentUser (Rogue.Multiple) -> Quarantined and deleted successfully.
C:\Documents and Settings\Administrator\Application Data\rhcrjfj0e53n\Quarantine\BrowserObjects (Rogue.Multiple) -> Quarantined and deleted successfully.
C:\Documents and Settings\Administrator\Application Data\rhcrjfj0e53n\Quarantine\Packages (Rogue.Multiple) -> Quarantined and deleted successfully.
C:\Documents and Settings\Toshiba\Application Data\rhcrjfj0e53n (Rogue.Multiple) -> Quarantined and deleted successfully.
C:\Documents and Settings\Toshiba\Application Data\rhcrjfj0e53n\Quarantine (Rogue.Multiple) -> Quarantined and deleted successfully.
C:\Documents and Settings\Toshiba\Application Data\rhcrjfj0e53n\Quarantine\Autorun (Rogue.Multiple) -> Quarantined and deleted successfully.
C:\Documents and Settings\Toshiba\Application Data\rhcrjfj0e53n\Quarantine\Autorun\HKCU (Rogue.Multiple) -> Quarantined and deleted successfully.
C:\Documents and Settings\Toshiba\Application Data\rhcrjfj0e53n\Quarantine\Autorun\HKCU\RunOnce (Rogue.Multiple) -> Quarantined and deleted successfully.
C:\Documents and Settings\Toshiba\Application Data\rhcrjfj0e53n\Quarantine\Autorun\HKLM (Rogue.Multiple) -> Quarantined and deleted successfully.
C:\Documents and Settings\Toshiba\Application Data\rhcrjfj0e53n\Quarantine\Autorun\HKLM\RunOnce (Rogue.Multiple) -> Quarantined and deleted successfully.
C:\Documents and Settings\Toshiba\Application Data\rhcrjfj0e53n\Quarantine\Autorun\StartMenuAllUsers (Rogue.Multiple) -> Quarantined and deleted successfully.
C:\Documents and Settings\Toshiba\Application Data\rhcrjfj0e53n\Quarantine\Autorun\StartMenuCurrentUser (Rogue.Multiple) -> Quarantined and deleted successfully.
C:\Documents and Settings\Toshiba\Application Data\rhcrjfj0e53n\Quarantine\BrowserObjects (Rogue.Multiple) -> Quarantined and deleted successfully.
C:\Documents and Settings\Toshiba\Application Data\rhcrjfj0e53n\Quarantine\Packages (Rogue.Multiple) -> Quarantined and deleted successfully.
C:\Program Files\Microsoft Common (Trojan.Agent) -> Quarantined and deleted successfully.
C:\Program Files\ThunMail (Spyware.OnlineGamer) -> Quarantined and deleted successfully.

Files Infected:
C:\WINDOWS\system32\bhqqsamb.dll (Trojan.Vundo.H) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\bmasqqhb.ini (Trojan.Vundo.H) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\bulisazu.dll (Trojan.Vundo.H) -> Quarantined and deleted successfully.
C:\WINDOWS\wprete.dll (Trojan.Vundo.H) -> Delete on reboot.
C:\WINDOWS\system32\hsf73ikmdf3f.dll (Trojan.Zlob.H) -> Delete on reboot.
C:\WINDOWS\system32\ds43g4nfjkn93.dll (Trojan.Zlob.H) -> Delete on reboot.
C:\Documents and Settings\Toshiba\Local Settings\Temp\678555040.ex_ (Trojan.Agent) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{5325A804-6D3E-4F29-8C2D-2684769EA23B}\RP116\A0033461.sys (Spyware.OnlineGames) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{5325A804-6D3E-4F29-8C2D-2684769EA23B}\RP116\A0033481.exe (Trojan.Vundo.V) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{5325A804-6D3E-4F29-8C2D-2684769EA23B}\RP116\A0033725.exe (Trojan.Agent) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{5325A804-6D3E-4F29-8C2D-2684769EA23B}\RP116\A0033864.exe (Rogue.Agent) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{5325A804-6D3E-4F29-8C2D-2684769EA23B}\RP116\A0037070.dll (Trojan.Dropper) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{5325A804-6D3E-4F29-8C2D-2684769EA23B}\RP116\A0037071.exe (Rogue.Agent) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{5325A804-6D3E-4F29-8C2D-2684769EA23B}\RP116\A0037074.sys (Trojan.Downloader) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{5325A804-6D3E-4F29-8C2D-2684769EA23B}\RP117\A0039183.sys (Trojan.Downloader) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{5325A804-6D3E-4F29-8C2D-2684769EA23B}\RP118\A0042836.exe (Trojan.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\6to4v32.dll (Dialer) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\at1394.sys (Spyware.OnlineGames) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\azton.mt (Trojan.Dropper) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\bulisaz.dll (Trojan.Downloader) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\kutosiva.dll.vir (Trojan.Vundo.H) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\MSINET.oca (Rogue.Trace) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\yorefenu.dll (Trojan.Vundo.H) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\__c00F1264.exe (Trojan.Vundo.V) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\carH01\carH011065.exe (Trojan.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\Temp\t4m0_22044685329.bk.old (Trojan.Downloader) -> Quarantined and deleted successfully.
C:\Program Files\ThunMail\testabd.dll (Spyware.OnlineGamer) -> Quarantined and deleted successfully.
C:\Documents and Settings\Toshiba\Application Data\Microsoft\Internet Explorer\Quick Launch\Antivirus XP 2008.lnk (Rogue.Antivirus2008) -> Quarantined and deleted successfully.
C:\WINDOWS\udewocucafuvah.dll (Trojan.Agent) -> Delete on reboot.
C:\Documents and Settings\Toshiba\Local Settings\Temp\_A00FBBA08B.exe (Trojan.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\cookies.ini (Malware.Trace) -> Quarantined and deleted successfully.
C:\ovmhmkie.exe (Trojan.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\reader_s.exe (Trojan.Agent) -> Delete on reboot.
C:\WINDOWS\system32\nvtpm32.dll (Trojan.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\a9k.bin (Trojan.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\dncyool64.sys (Trojan.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\2.tmp (Trojan.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\E.tmp (Trojan.Agent) -> Quarantined and deleted successfully.
C:\Documents and Settings\Administrator\reader_s.exe (Trojan.Agent) -> Quarantined and deleted successfully.
C:\Documents and Settings\Surgeon\reader_s.exe (Trojan.Agent) -> Quarantined and deleted successfully.
C:\Documents and Settings\Toshiba\Local Settings\Temp\winlogqn.exe (Trojan.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\Temp\BN3.tmp (Trojan.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\Temp\BN4.tmp (Trojan.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\Temp\BN7.tmp (Trojan.Agent) -> Quarantined and deleted successfully.
C:\Documents and Settings\Toshiba\Application Data\Microsoft\Internet Explorer\Quick Launch\AntiMalwareGuard.lnk (Rogue.AntiMalwareGuard) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\FInstall.sys (Backdoor.Bot) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\dpcxool64.sys (Spyware.OnlineGames) -> Quarantined and deleted successfully.
C:\WINDOWS\Temp\BN32.tmp (Trojan.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\Temp\BN33.tmp (Trojan.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\pac.txt (Malware.Trace) -> Quarantined and deleted successfully.
C:\WINDOWS\pskt.ini (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\WINDOWS\BMaf112c1d.xml (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\WINDOWS\BMaf112c1d.txt (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\blphcvjfj0e53n.scr (Trojan.FakeAlert) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\lphcvjfj0e53n.exe (Trojan.FakeAlert) -> Quarantined and deleted successfully.
C:\WINDOWS\Downloaded Program Files\xpreload.ocx (Heuristics.Malware) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\tdctxte.exe (Backdoor.Bot) -> Quarantined and deleted successfully.
C:\WINDOWS\dhcp\svchost.exe (Trojan.Agent) -> Quarantined and deleted successfully.


I then allowed Malwarebytes to fix what it could. I had it restart and ran it again in safe mode.

Here's that log file:
Malwarebytes' Anti-Malware 1.36
Database version: 2021
Windows 5.1.2600

4/21/2009 7:15:41 PM
mbam-log-2009-04-21 (19-15-41).txt

Scan type: Full Scan (C:\|)
Objects scanned: 116284
Time elapsed: 17 minute(s), 53 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 1
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 3

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\AGprotect (Malware.Trace) -> Quarantined and deleted successfully.

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
C:\System Volume Information\_restore{5325A804-6D3E-4F29-8C2D-2684769EA23B}\RP118\A0046025.dll (Trojan.Vundo.V) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{5325A804-6D3E-4F29-8C2D-2684769EA23B}\RP118\A0046026.dll (Trojan.Agent) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{5325A804-6D3E-4F29-8C2D-2684769EA23B}\RP118\A0046027.dll (Trojan.Agent) -> Quarantined and deleted successfully.

I ran vundofix.exe... but it didn't detect anything.

These four keep coming back and are stubborn.

I ran Rooter; here's the log file.

Microsoft Windows XP Home Edition (5.1.2600)

C:\ [Fixed] - NTFS - (Total:19077 Mo/Free:3514 Mo)
D:\ [CD-Rom] (Total:0 Mo/Free:0 Mo)

Tue 04/21/2009|19:20

----------------------\\ Processes..

--Locked-- [System Process]
---------- System
---------- \SystemRoot\System32\smss.exe
---------- \??\C:\WINDOWS\system32\csrss.exe
---------- \??\C:\WINDOWS\system32\winlogon.exe
---------- C:\WINDOWS\system32\services.exe
---------- C:\WINDOWS\system32\lsass.exe
---------- C:\WINDOWS\system32\svchost.exe
---------- C:\WINDOWS\System32\svchost.exe
---------- C:\WINDOWS\System32\svchost.exe
---------- C:\WINDOWS\System32\svchost.exe
---------- C:\WINDOWS\Explorer.EXE
---------- C:\WINDOWS\System32\svchost.exe
---------- C:\WINDOWS\System32\svchost.exe
---------- C:\WINDOWS\System32\svchost.exe
---------- C:\WINDOWS\System32\svchost.exe
---------- C:\WINDOWS\System32\svchost.exe
---------- C:\WINDOWS\System32\svchost.exe
---------- C:\Program Files\Internet Explorer\iexplore.exe
---------- C:\WINDOWS\system32\svchost.exe
---------- C:\WINDOWS\system32\svchost.exe
---------- C:\Program Files\Internet Explorer\iexplore.exe
---------- C:\WINDOWS\System32\reader_s.exe
---------- C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\816ZW1AB\OTListIt2[1].exe
---------- C:\WINDOWS\System32\cmd.exe
---------- C:\Rooter$\RK.exe

----------------------\\ Search..

----------------------\\ ROOTKIT !!



1 - "C:\Rooter$\Rooter_1.txt" - Tue 04/21/2009|19:21

----------------------\\ Scan completed at 19:21


And last but not least, I ran OTListIt2... here's that log file.

OTListIt logfile created on: 4/21/2009 7:23:20 PM - Run 1
OTListIt2 by OldTimer - Version 2.0.14.0 Folder = C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\816ZW1AB
Windows XP Home Edition (Version = 5.1.2600) - Type = NTWorkstation
Internet Explorer (Version = 6.0.2600.0000)
Locale: 00000409 | Country: United States | Language: ENU | Date Format: M/d/yyyy

510.98 Mb Total Physical Memory | 335.51 Mb Available Physical Memory | 65.66% Memory free
1.22 Gb Paging File | 0.86 Gb Available in Paging File | 70.60% Paging File free
Paging file location(s): C:\pagefile.sys 768 1536;

%SystemDrive% = C: | %SystemRoot% = C:\WINDOWS | %ProgramFiles% = C:\Program Files
Drive C: | 18.63 Gb Total Space | 7.43 Gb Free Space | 39.89% Space Free | Partition Type: NTFS
D: Drive not present or media not loaded
E: Drive not present or media not loaded
F: Drive not present or media not loaded
G: Drive not present or media not loaded
H: Drive not present or media not loaded
I: Drive not present or media not loaded

Computer Name: TOSHIBA-USER
Current User Name: Administrator
Logged in as Administrator.

Current Boot Mode: SafeMode with Networking
Scan Mode: All users
Output = Minimal
File Age = 30 Days
Company Name Whitelist: On

========== Processes (SafeList) ==========

PRC - C:\WINDOWS\Explorer.EXE (Microsoft Corporation)
PRC - C:\Program Files\Internet Explorer\iexplore.exe (Microsoft Corporation)
PRC - C:\Program Files\Internet Explorer\iexplore.exe (Microsoft Corporation)
PRC - C:\WINDOWS\System32\reader_s.exe (Microsoft Corporation)
PRC - C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\816ZW1AB\OTListIt2[1].exe (OldTimer Tools)

========== Win32 Services (SafeList) ==========

SRV - (aswUpdSv [Auto | Stopped]) -- C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe (ALWIL Software)
SRV - (Ati HotKey Poller [Auto | Stopped]) -- C:\WINDOWS\System32\Ati2evxx.exe ()
SRV - (avast! Antivirus [Auto | Stopped]) -- C:\Program Files\Alwil Software\Avast4\ashServ.exe (ALWIL Software)
SRV - (avast! Mail Scanner [On_Demand | Stopped]) -- C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe (ALWIL Software)
SRV - (avast! Web Scanner [On_Demand | Stopped]) -- C:\Program Files\Alwil Software\Avast4\ashWebSv.exe (ALWIL Software)
SRV - (BOCore [Auto | Stopped]) -- C:\Program Files\Comodo\CBOClean\BOCORE.exe (COMODO)
SRV - (helpsvc [Auto | Running]) -- C:\WINDOWS\PCHealth\HelpCtr\Binaries\pchsvc.dll (Microsoft Corporation)
SRV - (IDriverT [On_Demand | Stopped]) -- File not found
SRV - (uploadmgr [Auto | Running]) -- C:\WINDOWS\PCHealth\HelpCtr\Binaries\pchsvc.dll (Microsoft Corporation)
SRV - (WmdmPmSp [Auto | Stopped]) -- C:\WINDOWS\System32\mspmspsv.dll (Microsoft Corporation)

========== Driver Services (SafeList) ==========

DRV - (Aavmker4 [System | Stopped]) -- C:\WINDOWS\System32\drivers\aavmker4.sys (ALWIL Software)
DRV - (ac97intc [On_Demand | Stopped]) -- C:\WINDOWS\system32\drivers\ac97intc.sys (Intel Corporation)
DRV - (AgereSoftModem [On_Demand | Stopped]) -- C:\WINDOWS\System32\DRIVERS\AGRSM.sys (Agere Systems)
DRV - (ALCXWDM [On_Demand | Stopped]) -- C:\WINDOWS\system32\drivers\ALCXWDM.SYS (Avance Logic, Inc.)
DRV - (ApfiltrService [On_Demand | Running]) -- C:\WINDOWS\System32\DRIVERS\Apfiltr.sys (Alps Electric Co., Ltd.)
DRV - (ASCTRM [Auto | Stopped]) -- C:\WINDOWS\System32\drivers\asctrm.sys (Windows ® 2000 DDK provider)
DRV - (aswMon2 [Auto | Stopped]) -- C:\WINDOWS\System32\drivers\aswmon2.sys (ALWIL Software)
DRV - (aswRdr [On_Demand | Stopped]) -- C:\WINDOWS\System32\drivers\aswRdr.sys (ALWIL Software)
DRV - (aswSP [System | Stopped]) -- C:\WINDOWS\System32\drivers\aswSP.sys (ALWIL Software)
DRV - (aswTdi [System | Running]) -- C:\WINDOWS\System32\drivers\aswTdi.sys (ALWIL Software)
DRV - (ati2mtag [On_Demand | Stopped]) -- C:\WINDOWS\System32\DRIVERS\ati2mtag.sys (ATI Technologies Inc.)
DRV - (BOCDRIVE [On_Demand | Stopped]) -- C:\Program Files\Comodo\CBOClean\BOCDRIVE.sys ()
DRV - (das1b52 [System | Stopped]) -- C:\WINDOWS\System32\drivers\das1b52.sys ()
DRV - (EPOWER [On_Demand | Running]) -- C:\WINDOWS\System32\Drivers\hkdrv.sys (Compal Electronic Inc.)
DRV - (ifd7043 [System | Stopped]) -- C:\WINDOWS\System32\drivers\ifd7043.sys ()
DRV - (Parclass [Auto | Stopped]) -- C:\WINDOWS\System32\Drivers\Parclass.sys (Microsoft Corporation)
DRV - (Ptilink [On_Demand | Running]) -- C:\WINDOWS\System32\DRIVERS\ptilink.sys (Parallel Technologies, Inc.)
DRV - (PxHelp20 [Boot | Running]) -- C:\WINDOWS\System32\DRIVERS\PxHelp20.sys (VERITAS Software, Inc.)
DRV - (rtl8139 [On_Demand | Running]) -- C:\WINDOWS\System32\DRIVERS\R8139n51.SYS (Realtek Semiconductor Corporation)
DRV - (slid45d [System | Stopped]) -- C:\WINDOWS\System32\drivers\slid45d.sys ()
DRV - (sorrd [System | Running]) -- C:\WINDOWS\system32\sorrd.sys ()
DRV - (SrvcEKIOMngr [System | Stopped]) -- C:\WINDOWS\System32\Drivers\EKIoMngr.sys (COMPAL ELECTRONIC INC.)
DRV - (SrvcSSIOMngr [System | Stopped]) -- C:\WINDOWS\System32\Drivers\SSIoMngr.sys (COMPAL ELECTRONIC INC.)
DRV - (WUSB54GV4SRV [On_Demand | Running]) -- C:\WINDOWS\System32\DRIVERS\rt2500usb.sys (Ralink Technology Inc.)
DRV - (rombbec [System | Stopped]) -- C:\WINDOWS\System32\drivers\rombbec.sys ()

========== Standard Registry (SafeList) ==========


========== Internet Explorer ==========

IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.toshiba.com
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Default_Search_URL = http://www.microsoft...amp;ar=iesearch
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Local Page = %SystemRoot%\system32\blank.htm
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Search Page = http://www.microsoft...amp;ar=iesearch
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = http://www.microsoft...p...ER}&ar=home
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Search,CustomizeSearch = http://ie.search.msn...st/srchcust.htm
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Search,SearchAssistant = http://ie.search.msn...st/srchasst.htm


IE - HKU\.DEFAULT\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = http://www.toshiba.com
IE - HKU\.DEFAULT\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0

IE - HKU\S-1-5-18\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = http://www.toshiba.com
IE - HKU\S-1-5-18\S-1-5-18\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0

IE - HKU\S-1-5-19\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = http://www.toshiba.com
IE - HKU\S-1-5-19\S-1-5-19\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0

IE - HKU\S-1-5-20\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = http://www.toshiba.com
IE - HKU\S-1-5-20\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0

IE - HKU\S-1-5-21-598665437-4149289120-1296836545-500\SOFTWARE\Microsoft\Internet Explorer\Main,Local Page = C:\WINDOWS\System32\blank.htm
IE - HKU\S-1-5-21-598665437-4149289120-1296836545-500\SOFTWARE\Microsoft\Internet Explorer\Main,Search Page = http://www.microsoft...amp;ar=iesearch
IE - HKU\S-1-5-21-598665437-4149289120-1296836545-500\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = http://www.toshiba.com
IE - HKU\S-1-5-21-598665437-4149289120-1296836545-500\S-1-5-21-598665437-4149289120-1296836545-500\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 1



O1 HOSTS File: (24 bytes) - C:\WINDOWS\System32\drivers\etc\Hosts
O1 - Hosts: 127.0.0.1 jL.chura.pl
O3 - HKU\S-1-5-21-598665437-4149289120-1296836545-500\..\Toolbar\ShellBrowser: (no name) - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - Reg Error: Key error. File not found
O4 - HKLM..\Run: [] File not found
O4 - HKLM..\Run: [Apoint] C:\Program Files\Apoint2K\Apoint.exe File not found
O4 - HKLM..\Run: [ATIModeChange] Ati2mdxx.exe (ATI Technologies, Inc.)
O4 - HKLM..\Run: [AtiPTA] atiptaxx.exe (ATI Technologies, Inc.)
O4 - HKLM..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe (ALWIL Software)
O4 - HKLM..\Run: [BOC-427] File not found
O4 - HKLM..\Run: [CeEKEY] C:\Program Files\TOSHIBA\E-KEY\CeEKey.exe File not found
O4 - HKLM..\Run: [CeEPOWER] C:\Program Files\TOSHIBA\Power Management\CePMTray.exe File not found
O4 - HKLM..\Run: [ezShieldProtector for Px] C:\WINDOWS\System32\ezSP_Px.exe (Easy Systems Japan Ltd.)
O4 - HKLM..\Run: [IVPServiceMgr] C:\toshiba\ivp\ism\ivpsvmgr.exe (Toshiba Corporation)
O4 - HKLM..\Run: [LtMoh] C:\Program Files\ltmoh\Ltmoh.exe File not found
O4 - HKLM..\Run: [PCTAgent] C:\Program Files\Parental Controls\PCTHelp.exe File not found
O4 - HKLM..\Run: [Pinger] c:\toshiba\ivp\ism\pinger.exe /run (Toshiba Corporation)
O4 - HKLM..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime File not found
O4 - HKLM..\Run: [reader_s] C:\WINDOWS\System32\reader_s.exe (Microsoft Corporation)
O4 - HKLM..\Run: [RealTray] C:\Program Files\Real\RealPlayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER File not found
O4 - HKLM..\Run: [SpybotSnD] "C:\Program Files\Spybot - Search & Destroy\SpybotSD.exe" /autocheck /autofix (Safer Networking Limited)
O4 - HKLM..\Run: [TPNF] C:\Program Files\TOSHIBA\TouchPad\TPTray.exe File not found
O4 - HKLM..\Run: [TSysSMon] c:\toshiba\sysstability\tsyssmon.exe /detect (TOSHIBA)
O4 - HKLM..\Run: [UserFaultCheck] %systemroot%\system32\dumprep 0 -u File not found
O4 - HKU\.DEFAULT..\Run: [] C:\WINDOWS\TEMP\w3gogltrs.exe File not found
O4 - HKU\.DEFAULT..\Run: [Diagnostic Manager] C:\WINDOWS\TEMP\1766352832.exe File not found
O4 - HKU\.DEFAULT..\Run: [reader_s] C:\Documents and Settings\Administrator\reader_s.exe (Microsoft Corporation)
O4 - HKU\.DEFAULT..\Run: [Windows Resurections] C:\WINDOWS\TEMP\w3gogltrs.exe File not found
O4 - HKU\S-1-5-18..\Run: [] C:\WINDOWS\TEMP\w3gogltrs.exe File not found
O4 - HKU\S-1-5-18..\Run: [Diagnostic Manager] C:\WINDOWS\TEMP\1766352832.exe File not found
O4 - HKU\S-1-5-18..\Run: [reader_s] C:\Documents and Settings\Administrator\reader_s.exe (Microsoft Corporation)
O4 - HKU\S-1-5-18..\Run: [Windows Resurections] C:\WINDOWS\TEMP\w3gogltrs.exe File not found
O4 - HKU\S-1-5-21-598665437-4149289120-1296836545-500..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background File not found
O4 - HKU\S-1-5-21-598665437-4149289120-1296836545-500..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe (Safer Networking Limited)
O4 - HKLM..\RunOnce: [Malwarebytes' Anti-Malware] C:\Program Files\Malwarebytes' Anti-Malware\mbamgui.exe /install /silent (Malwarebytes Corporation)
O4 - HKLM..\RunOnce: [Malwarebytes Anti-Malware (reboot)] "C:\Program Files\Malwarebytes' Anti-Malware\mbam.exe" /runcleanupscript (Malwarebytes Corporation)
O4 - HKLM..\RunOnce: [Spybot - Search & Destroy] "C:\Program Files\Spybot - Search & Destroy\SpybotSD.exe" /autocheck (Safer Networking Limited)
O4 - HKLM..\RunOnce: [wextract_cleanup0] rundll32.exe C:\WINDOWS\System32\advpack.dll,DelNodeRunDLL32 "C:\DOCUME~1\Toshiba\LOCALS~1\Temp\IXP000.TMP\" (Microsoft Corporation)
O4 - HKU\S-1-5-21-598665437-4149289120-1296836545-500..\RunOnce: [FlashPlayerUpdate] C:\WINDOWS\System32\Macromed\Flash\FlashUtil9e.exe (Adobe Systems, Inc.)
O4 - Startup: C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Corel MEDIA FOLDERS INDEXER 8.LNK = C:\Corel\Graphics8\Programs\MFIndexer.exe (Corel Corporation)
O4 - Startup: C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Nikon Monitor.lnk = C:\Program Files\Common Files\Nikon\Monitor\NkMonitor.exe (Nikon Corporation)
O4 - Startup: C:\Documents and Settings\Toshiba\Start Menu\Programs\Startup\Microsoft Find Fast.lnk = File not found
O4 - Startup: C:\Documents and Settings\Toshiba\Start Menu\Programs\Startup\Office Startup.lnk = File not found
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: dontdisplaylastusername = 0
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: legalnoticecaption =
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: legalnoticetext =
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: shutdownwithoutlogon = 1
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: undockwithoutlogon = 1
O7 - HKU\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145
O7 - HKU\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoFolderOptions = 0
O7 - HKU\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: DisableRegistryTools = 0
O7 - HKU\S-1-5-18\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145
O7 - HKU\S-1-5-18\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoFolderOptions = 0
O7 - HKU\S-1-5-18\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: DisableRegistryTools = 0
O7 - HKU\S-1-5-19\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145
O7 - HKU\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145
O7 - HKU\S-1-5-21-598665437-4149289120-1296836545-500\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145
O9 - Extra 'Tools' menuitem : Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll (Safer Networking Limited)
O12 - Plugin for: .spop - C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll (InterTrust Technologies Corporation, Inc.)
O15 - HKLM\..Trusted Sites: sxload.net ([]* in Trusted sites)
O16 - DPF: {0CCA191D-13A6-4E29-B746-314DEE697D83} http://upload.facebo...toUploader5.cab (Facebook Photo Uploader 5)
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} http://go.microsoft....k/?linkid=39204 (Windows Genuine Advantage Validation Tool)
O16 - DPF: {17DF9D0D-036E-424B-98D7-A41E4CE783EF} ms-its:mhtml:file://c:\\nores.mht!http://adxcnet.net/c...::/xpreload.ocx (Reg Error: Key error.)
O16 - DPF: {215B8138-A3CF-44C5-803F-8226143CFC0A} http://housecall65.t...ivex/hcImpl.cab (Trend Micro ActiveX Scan Agent 6.6)
O16 - DPF: {33564D57-0000-0010-8000-00AA00389B71} http://download.micr...922/wmv9VCM.CAB (Reg Error: Key error.)
O16 - DPF: {5ED80217-570B-4DA9-BF44-BE107C0EC166} http://cdn.scan.onec...lscbase5036.cab (Windows Live Safety Center Base Module)
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} http://update.micros...b?1239812620258 (WUWebControl Class)
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} http://update.micros...b?1239813511900 (MUWebControl Class)
O16 - DPF: {89521361-EA5B-11D7-97CA-00E08103E149} http://pccfg.ourlink...in/PCTAgent.cab (Parental Controls Agent Class)
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} http://fpdownload.ma...ash/swflash.cab (Shockwave Flash Object)
O16 - DPF: Microsoft XML Parser for Java file://C:\WINDOWS\Java\classes\xmldso.cab (Reg Error: Key error.)
O18 - Protocol\Handler\http\0x00000001 {E1D2BF42-A96B-11d1-9C6B-0000F875AC61} - C:\Program Files\Common Files\System\Ole DB\MSDAIPP.DLL (Microsoft Corporation)
O18 - Protocol\Handler\http\oledb {E1D2BF40-A96B-11d1-9C6B-0000F875AC61} - C:\Program Files\Common Files\System\Ole DB\MSDAIPP.DLL (Microsoft Corporation)
O18 - Protocol\Handler\https\0x00000001 {E1D2BF42-A96B-11d1-9C6B-0000F875AC61} - C:\Program Files\Common Files\System\Ole DB\MSDAIPP.DLL (Microsoft Corporation)
O18 - Protocol\Handler\https\oledb {E1D2BF40-A96B-11d1-9C6B-0000F875AC61} - C:\Program Files\Common Files\System\Ole DB\MSDAIPP.DLL (Microsoft Corporation)
O18 - Protocol\Handler\ipp\0x00000001 {E1D2BF42-A96B-11d1-9C6B-0000F875AC61} - C:\Program Files\Common Files\System\Ole DB\MSDAIPP.DLL (Microsoft Corporation)
O18 - Protocol\Handler\msdaipp\0x00000001 {E1D2BF42-A96B-11d1-9C6B-0000F875AC61} - C:\Program Files\Common Files\System\Ole DB\MSDAIPP.DLL (Microsoft Corporation)
O18 - Protocol\Handler\msdaipp\oledb {E1D2BF40-A96B-11d1-9C6B-0000F875AC61} - C:\Program Files\Common Files\System\Ole DB\MSDAIPP.DLL (Microsoft Corporation)
O18 - Protocol\Handler\vnd.ms.radio {3DA2AA3B-3D96-11D2-9BD2-204C4F4F5020} - C:\WINDOWS\System32\msdxm.ocx ()
O20 - AppInit_DLLs: (C:\WINDOWS\System32\kutosiva.dll) - C:\WINDOWS\System32\kutosiva.dll File not found
O20 - AppInit_DLLs: (c:\windows\system32\ruziveki.dll) - c:\windows\system32\ruziveki.dll File not found
O20 - HKLM Winlogon: Shell - (Explorer.exe) - C:\WINDOWS\Explorer.exe (Microsoft Corporation)
O20 - Winlogon\Notify\saifx: DllName - saifx.dll - File not found
O24 - Desktop Components:0 (My Current Home Page) - About:Home
O30 - LSA: Authentication Packages - (C:\WINDOWS\System32\byXPHxuV) - File not found
O31 - SafeBoot: AlternateShell - cmd.exe
O32 - HKLM CDRom: AutoRun - 1
O32 - Autorun File - C:\AUTOEXEC.BAT () - [ NTFS ]
O34 - HKLM BootExecute: (autocheck) - File not found
O34 - HKLM BootExecute: (autochk) - C:\WINDOWS\System32\autochk.exe (Microsoft Corporation)
O34 - HKLM BootExecute: (*) - File not found

========== Files/Folders - Created Within 30 Days ==========

[36 C:\*.tmp files]
[10 C:\WINDOWS\System32\*.tmp files]
[2 C:\WINDOWS\*.tmp files]
[2009/04/21 19:20:45 | 00,000,000 | ---D | C] -- C:\Rooter$
[2009/04/21 19:17:44 | 00,017,376 | ---- | C] () -- C:\WINDOWS\System32\drivers\rombbec.sys
[2009/04/21 19:12:12 | 00,017,376 | ---- | C] () -- C:\WINDOWS\System32\drivers\slid45d.sys
[2009/04/21 19:12:11 | 00,036,352 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\reader_s.exe
[2009/04/21 17:49:00 | 00,000,000 | ---D | C] -- C:\Avenger
[2009/04/21 17:27:23 | 00,017,376 | ---- | C] () -- C:\WINDOWS\System32\drivers\ifd7043.sys
[2009/04/21 17:23:00 | 00,565,248 | ---- | C] () -- C:\WINDOWS\System32\IPHACTION.dll
[2009/04/21 17:21:37 | 00,000,000 | ---D | C] -- C:\Documents and Settings\Administrator\Application Data\Malwarebytes
[2009/04/21 17:21:35 | 00,015,504 | ---- | C] (Malwarebytes Corporation) -- C:\WINDOWS\System32\drivers\mbam.sys
[2009/04/21 17:21:35 | 00,000,696 | ---- | C] () -- C:\Documents and Settings\All Users\Desktop\Malwarebytes' Anti-Malware.lnk
[2009/04/21 17:21:32 | 00,038,496 | ---- | C] (Malwarebytes Corporation) -- C:\WINDOWS\System32\drivers\mbamswissarmy.sys
[2009/04/21 17:21:30 | 00,000,000 | ---D | C] -- C:\Program Files\Malwarebytes' Anti-Malware
[2009/04/21 17:21:30 | 00,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Application Data\Malwarebytes
[2009/04/21 17:01:36 | 00,000,000 | ---D | C] -- C:\VundoFix Backups
[2009/04/21 16:13:44 | 00,000,000 | ---D | C] -- C:\WINDOWS\LastGood
[2009/04/21 16:13:38 | 00,000,454 | ---- | C] () -- C:\WINDOWS\tasks\RegCure Program Check.job
[2009/04/21 16:13:38 | 00,000,388 | ---- | C] () -- C:\WINDOWS\tasks\RegCure.job
[2009/04/21 16:13:16 | 00,000,441 | ---- | C] () -- C:\Documents and Settings\All Users\Desktop\RegCure.lnk
[2009/04/21 16:13:16 | 00,000,000 | ---D | C] -- C:\Program Files\RegCure
[2009/04/21 16:08:05 | 00,000,000 | ---D | C] -- C:\Program Files\LanqiEngine
[2009/04/21 16:07:55 | 00,735,232 | ---- | C] (???? http://www.lunchsoft.com/yzm) -- C:\WINDOWS\System32\AdvOcr.dll
[2009/04/21 16:07:48 | 00,094,208 | ---- | C] (Transym Computer Services Ltd) -- C:\WINDOWS\System32\TRSOCR(2).dll
[2009/04/21 16:07:47 | 00,001,308 | ---- | C] () -- C:\WINDOWS\System32\TRSOCR.ini
[2009/04/21 15:57:35 | 00,017,376 | ---- | C] () -- C:\WINDOWS\System32\drivers\das1b52.sys
[2009/04/15 12:41:42 | 00,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Application Data\Windows Genuine Advantage
[2009/04/15 12:23:55 | 00,000,000 | ---D | C] -- C:\WINDOWS\LastGood.Tmp
[2009/04/14 23:28:55 | 00,021,504 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\wsock32.dlb
[2009/04/14 23:28:44 | 00,205,560 | ---- | C] (COMODO) -- C:\WINDOWS\UNBOC.EXE
[2009/04/14 23:28:43 | 00,212,728 | ---- | C] (COMODO) -- C:\WINDOWS\CMDLIC.DLL
[2009/04/14 23:28:37 | 00,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Application Data\BOC427
[2009/04/14 23:28:33 | 00,007,305 | ---- | C] () -- C:\WINDOWS\BOC427.INI
[2009/04/14 23:11:53 | 00,000,003 | ---- | C] () -- C:\WINDOWS\System32\bversion.dll
[2009/04/14 23:11:32 | 00,094,208 | ---- | C] (Transym Computer Services Ltd) -- C:\WINDOWS\System32\TRSOCR.dll
[2009/04/14 23:06:56 | 32,137,216 | ---- | C] (Transym Computer Services Ltd) -- C:\WINDOWS\System32\TRSOCR.dat
[2009/04/14 22:59:49 | 00,000,000 | ---D | C] -- C:\Program Files\Comodo
[2009/04/14 22:19:14 | 00,000,000 | ---- | C] () -- C:\WINDOWS\System32\IpSvchostF.dll
[2009/04/14 20:53:14 | 00,061,440 | ---- | C] () -- C:\WINDOWS\System32\tcpd.exe
[2009/04/14 20:53:14 | 00,020,992 | ---- | C] () -- C:\WINDOWS\System32\AUTMGR.EXE
[2009/04/14 20:53:13 | 00,926,720 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\kernel32_check.dll
[2009/04/14 20:53:12 | 00,172,032 | ---- | C] () -- C:\WINDOWS\System32\tcpcon.dll
[2009/04/14 20:53:12 | 00,010,240 | ---- | C] () -- C:\WINDOWS\System32\Packer.dll
[2009/04/14 20:53:12 | 00,000,009 | ---- | C] () -- C:\WINDOWS\System32\iphy.dll
[2009/04/14 20:53:12 | 00,000,003 | ---- | C] () -- C:\WINDOWS\System32\fhpatch.dll
[2009/04/14 20:53:12 | 00,000,000 | ---- | C] () -- C:\WINDOWS\System32\fiplock.dll
[2009/04/08 19:48:02 | 00,000,000 | ---D | C] -- C:\WINDOWS\System32\3361
[2009/04/08 19:48:00 | 00,108,336 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\MSWINSCK.OCX
[2009/04/08 19:47:55 | 00,000,000 | ---D | C] -- C:\WINDOWS\dhcp
[2009/04/08 19:47:33 | 00,021,704 | ---- | C] (hhhhh) -- C:\WINDOWS\System32\rr.exe
[2009/04/08 16:19:42 | 00,023,667 | ---- | C] () -- C:\WINDOWS\System32\saifx.dl_
[2009/04/08 16:19:42 | 00,008,688 | ---- | C] () -- C:\WINDOWS\System32\sorrd.sys
[2009/04/08 16:19:24 | 00,000,000 | ---- | C] () -- C:\WINDOWS\mqcd.dbt
[2009/04/08 16:18:49 | 00,161,536 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\dllcache\ndis.sys
[2009/04/08 16:18:32 | 00,028,672 | ---- | C] () -- C:\WINDOWS\System32\kdoqmn.sr
[2009/04/08 16:18:31 | 00,032,768 | ---- | C] () -- C:\WINDOWS\System32\fe3.wa
[2009/04/08 16:18:28 | 00,032,768 | ---- | C] () -- C:\WINDOWS\System32\kei1w.an
[2009/04/08 16:18:27 | 00,028,672 | ---- | C] () -- C:\WINDOWS\System32\doqkm.zt
[2009/04/08 16:18:23 | 00,077,312 | ---- | C] () -- C:\WINDOWS\System32\er3r.pxf
[2009/04/08 16:18:20 | 00,561,152 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\dllcache\user32.dll
[2009/04/08 16:18:20 | 00,000,002 | ---- | C] () -- C:\-1407049938
[2009/04/08 16:18:12 | 00,249,856 | ---- | C] () -- C:\wlct.exe
[2009/04/08 16:12:53 | 00,000,392 | ---- | C] () -- C:\xcrashdump.dat
[2009/02/04 20:19:17 | 00,106,496 | R--- | C] () -- C:\WINDOWS\System32\vshp1020.dll
[2009/01/05 21:27:00 | 00,354,816 | ---- | C] () -- C:\WINDOWS\System32\psisdecd.dll
[2008/12/29 11:34:41 | 00,000,028 | ---- | C] () -- C:\WINDOWS\theatrix.ini
[2008/08/30 12:34:35 | 00,000,000 | ---- | C] () -- C:\WINDOWS\CePMTray.INI
[2008/08/05 20:02:17 | 00,105,472 | ---- | C] () -- C:\WINDOWS\System32\hloasjoa.dll
[2008/08/01 19:36:00 | 00,114,176 | ---- | C] () -- C:\WINDOWS\System32\dztbmi.dll
[2008/08/01 19:35:57 | 00,114,176 | ---- | C] () -- C:\WINDOWS\System32\vrmfcqqw.dll
[2008/08/01 19:35:43 | 00,091,648 | ---- | C] () -- C:\WINDOWS\System32\epoganht.dll
[2008/07/28 18:42:09 | 00,105,472 | ---- | C] () -- C:\WINDOWS\System32\tuuqpd.dll
[2008/07/28 18:42:07 | 00,105,472 | ---- | C] () -- C:\WINDOWS\System32\nlrcynrc.dll
[2008/07/28 18:39:18 | 00,091,648 | ---- | C] () -- C:\WINDOWS\System32\lncliaaj.dll
[2008/07/23 20:19:18 | 00,105,312 | ---- | C] () -- C:\WINDOWS\System32\zthhfz.dll
[2008/07/23 20:19:15 | 00,105,312 | ---- | C] () -- C:\WINDOWS\System32\ncygxsuo.dll
[2008/07/20 22:53:12 | 00,000,289 | ---- | C] () -- C:\WINDOWS\wininit.ini
[2007/02/08 22:13:21 | 00,003,120 | ---- | C] () -- C:\WINDOWS\System32\SignTools.ini
[2007/02/08 22:08:29 | 00,219,648 | ---- | C] () -- C:\WINDOWS\System32\CorelScriptApi.dll
[2007/02/08 22:08:29 | 00,061,440 | ---- | C] () -- C:\WINDOWS\System32\signtools.dll
[2007/02/08 21:57:56 | 00,108,032 | ---- | C] () -- C:\WINDOWS\System32\sh33w32.dll
[2007/02/08 20:58:06 | 00,007,440 | R--- | C] () -- C:\WINDOWS\System32\ppmon.dll
[2006/12/09 19:31:18 | 00,000,000 | ---- | C] () -- C:\WINDOWS\TPTray.INI
[2006/11/27 01:30:05 | 00,000,002 | ---- | C] () -- C:\WINDOWS\msoffice.ini
[2006/11/27 01:28:45 | 00,000,022 | ---- | C] () -- C:\WINDOWS\exchng.ini
[2006/11/27 01:28:44 | 00,000,348 | ---- | C] () -- C:\WINDOWS\ODBC.INI
[2002/08/23 18:21:42 | 00,000,061 | ---- | C] () -- C:\WINDOWS\smscfg.ini
[2002/08/23 14:52:56 | 00,000,000 | ---- | C] () -- C:\WINDOWS\CeEKey.INI
[2002/08/21 13:02:48 | 00,000,040 | ---- | C] () -- C:\WINDOWS\swupdate.ini
[2002/08/13 18:12:18 | 00,000,470 | ---- | C] () -- C:\WINDOWS\System32\Px.ini
[2002/08/13 17:25:51 | 00,000,000 | ---- | C] () -- C:\WINDOWS\PROTOCOL.INI
[2002/08/13 16:39:09 | 00,121,905 | ---- | C] () -- C:\WINDOWS\System32\csellang.ini
[2002/08/13 16:39:09 | 00,045,056 | ---- | C] () -- C:\WINDOWS\System32\csellang.dll
[2002/08/13 16:39:09 | 00,008,831 | ---- | C] () -- C:\WINDOWS\System32\tosmreg.ini
[2002/08/13 16:39:09 | 00,006,793 | ---- | C] () -- C:\WINDOWS\System32\cseltbl.ini
[2002/08/12 19:53:52 | 00,000,780 | ---- | C] () -- C:\WINDOWS\orun32.ini
[2002/08/12 19:47:31 | 00,001,793 | ---- | C] () -- C:\WINDOWS\System32\fxsperf.ini
[2002/08/12 19:26:20 | 00,000,285 | ---- | C] () -- C:\WINDOWS\System32\OEMINFO.INI
[2002/08/12 19:25:41 | 00,000,859 | ---- | C] () -- C:\WINDOWS\win.ini
[2002/08/12 19:25:30 | 00,000,227 | ---- | C] () -- C:\WINDOWS\system.ini
[2002/04/23 03:05:00 | 00,406,775 | ---- | C] () -- C:\WINDOWS\System32\ati3duag.dll
[1996/11/21 04:00:00 | 00,022,016 | ---- | C] () -- C:\WINDOWS\System32\ODBCSTF.DLL
[1996/11/21 04:00:00 | 00,022,016 | ---- | C] () -- C:\WINDOWS\System32\DOCOBJ.DLL
[1996/11/21 04:00:00 | 00,012,288 | ---- | C] () -- C:\WINDOWS\System32\HLINKPRX.DLL

========== Files - Modified Within 30 Days ==========

[36 C:\*.tmp files]
[10 C:\WINDOWS\System32\*.tmp files]
[2 C:\WINDOWS\*.tmp files]
[2009/04/21 19:17:44 | 00,036,352 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\System32\reader_s.exe
[2009/04/21 19:17:44 | 00,017,376 | ---- | M] () -- C:\WINDOWS\System32\drivers\rombbec.sys
[2009/04/21 19:16:55 | 00,002,048 | --S- | M] () -- C:\WINDOWS\bootstat.dat
[2009/04/21 19:16:12 | 04,240,656 | -H-- | M] () -- C:\Documents and Settings\Administrator\Local Settings\Application Data\IconCache.db
[2009/04/21 19:12:12 | 00,017,376 | ---- | M] () -- C:\WINDOWS\System32\drivers\slid45d.sys
[2009/04/21 17:51:58 | 00,000,006 | -H-- | M] () -- C:\WINDOWS\tasks\SA.DAT
[2009/04/21 17:49:40 | 00,000,454 | ---- | M] () -- C:\WINDOWS\tasks\RegCure Program Check.job
[2009/04/21 17:48:34 | 00,007,305 | ---- | M] () -- C:\WINDOWS\BOC427.INI
[2009/04/21 17:27:23 | 00,017,376 | ---- | M] () -- C:\WINDOWS\System32\drivers\ifd7043.sys
[2009/04/21 17:23:12 | 00,565,248 | ---- | M] () -- C:\WINDOWS\System32\IPHACTION.dll
[2009/04/21 17:21:35 | 00,000,696 | ---- | M] () -- C:\Documents and Settings\All Users\Desktop\Malwarebytes' Anti-Malware.lnk
[2009/04/21 17:10:44 | 00,000,388 | ---- | M] () -- C:\WINDOWS\tasks\RegCure.job
[2009/04/21 16:13:16 | 00,000,441 | ---- | M] () -- C:\Documents and Settings\All Users\Desktop\RegCure.lnk
[2009/04/21 16:08:09 | 00,735,232 | ---- | M] (???? http://www.lunchsoft.com/yzm) -- C:\WINDOWS\System32\AdvOcr.dll
[2009/04/21 16:08:09 | 00,000,003 | ---- | M] () -- C:\WINDOWS\System32\bversion.dll
[2009/04/21 16:07:54 | 00,094,208 | ---- | M] (Transym Computer Services Ltd) -- C:\WINDOWS\System32\TRSOCR(2).dll
[2009/04/21 16:07:47 | 00,001,308 | ---- | M] () -- C:\WINDOWS\System32\TRSOCR.ini
[2009/04/21 15:57:35 | 00,017,376 | ---- | M] () -- C:\WINDOWS\System32\drivers\das1b52.sys
[2009/04/21 15:56:46 | 00,001,136 | ---- | M] () -- C:\WINDOWS\System32\wpa.dbl
[2009/04/15 12:07:09 | 00,011,168 | -H-- | M] () -- C:\WINDOWS\System32\natavufu
[2009/04/15 12:00:38 | 00,002,626 | ---- | M] () -- C:\WINDOWS\System32\CONFIG.NT
[2009/04/15 01:24:42 | 00,000,289 | ---- | M] () -- C:\WINDOWS\wininit.ini
[2009/04/14 23:11:32 | 00,094,208 | ---- | M] (Transym Computer Services Ltd) -- C:\WINDOWS\System32\TRSOCR.dll
[2009/04/14 23:10:30 | 32,137,216 | ---- | M] (Transym Computer Services Ltd) -- C:\WINDOWS\System32\TRSOCR.dat
[2009/04/14 22:22:59 | 00,000,392 | ---- | M] () -- C:\xcrashdump.dat
[2009/04/14 22:19:14 | 00,000,000 | ---- | M] () -- C:\WINDOWS\System32\IpSvchostF.dll
[2009/04/14 20:53:14 | 00,061,440 | ---- | M] () -- C:\WINDOWS\System32\tcpd.exe
[2009/04/14 20:53:14 | 00,020,992 | ---- | M] () -- C:\WINDOWS\System32\AUTMGR.EXE
[2009/04/14 20:53:13 | 00,926,720 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\System32\kernel32_check.dll
[2009/04/14 20:53:13 | 00,926,720 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\System32\kernel32.dll
[2009/04/14 20:53:12 | 00,172,032 | ---- | M] () -- C:\WINDOWS\System32\tcpcon.dll
[2009/04/14 20:53:12 | 00,010,240 | ---- | M] () -- C:\WINDOWS\System32\Packer.dll
[2009/04/14 20:53:12 | 00,000,009 | ---- | M] () -- C:\WINDOWS\System32\iphy.dll
[2009/04/14 20:53:12 | 00,000,003 | ---- | M] () -- C:\WINDOWS\System32\fhpatch.dll
[2009/04/14 20:53:12 | 00,000,000 | ---- | M] () -- C:\WINDOWS\System32\fiplock.dll
[2009/04/08 19:48:01 | 00,108,336 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\System32\MSWINSCK.OCX
[2009/04/08 16:19:42 | 00,023,667 | ---- | M] () -- C:\WINDOWS\System32\saifx.dl_
[2009/04/08 16:19:42 | 00,008,688 | ---- | M] () -- C:\WINDOWS\System32\sorrd.sys
[2009/04/08 16:19:24 | 00,000,000 | ---- | M] () -- C:\WINDOWS\mqcd.dbt
[2009/04/08 16:18:49 | 00,161,536 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\System32\drivers\ndis.sys
[2009/04/08 16:18:49 | 00,161,536 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\System32\dllcache\ndis.sys
[2009/04/08 16:18:33 | 00,028,672 | ---- | M] () -- C:\WINDOWS\System32\kdoqmn.sr
[2009/04/08 16:18:31 | 00,032,768 | ---- | M] () -- C:\WINDOWS\System32\fe3.wa
[2009/04/08 16:18:29 | 00,032,768 | ---- | M] () -- C:\WINDOWS\System32\kei1w.an
[2009/04/08 16:18:27 | 00,028,672 | ---- | M] () -- C:\WINDOWS\System32\doqkm.zt
[2009/04/08 16:18:23 | 00,077,312 | ---- | M] () -- C:\WINDOWS\System32\er3r.pxf
[2009/04/08 16:18:20 | 00,000,002 | ---- | M] () -- C:\-1407049938
[2009/04/08 16:18:18 | 00,561,152 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\System32\user32.DLL
[2009/04/08 16:18:18 | 00,561,152 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\System32\dllcache\user32.dll
[2009/04/08 16:18:13 | 00,249,856 | ---- | M] () -- C:\wlct.exe
[2009/04/08 16:18:03 | 00,061,440 | -HS- | M] () -- C:\WINDOWS\System32\gavapufa.exe
[2009/04/07 20:59:06 | 00,021,704 | ---- | M] (hhhhh) -- C:\WINDOWS\System32\rr.exe
[2009/04/07 14:01:02 | 00,118,784 | -H-- | M] () -- C:\ffastun.ffo
[2009/04/07 14:01:02 | 00,004,717 | -H-- | M] () -- C:\ffastun.ffa
[2009/04/07 14:01:01 | 31,472,8448 | -H-- | M] () -- C:\ffastun0.ffx
[2009/04/07 14:01:01 | 00,466,944 | -H-- | M] () -- C:\ffastun.ffl
[2009/04/06 15:32:54 | 00,038,496 | ---- | M] (Malwarebytes Corporation) -- C:\WINDOWS\System32\drivers\mbamswissarmy.sys
[2009/04/06 15:32:46 | 00,015,504 | ---- | M] (Malwarebytes Corporation) -- C:\WINDOWS\System32\drivers\mbam.sys
[2009/04/06 12:02:26 | 00,358,194 | ---- | M] () -- C:\WINDOWS\System32\PerfStringBackup.INI
[2009/04/06 12:02:26 | 00,313,514 | ---- | M] () -- C:\WINDOWS\System32\perfh009.dat
[2009/04/06 12:02:26 | 00,041,066 | ---- | M] () -- C:\WINDOWS\System32\perfc009.dat
[2009/03/30 14:12:11 | 00,802,816 | ---- | M] () -- C:\WINDOWS\outlook.pst
[2009/03/30 14:11:55 | 00,000,859 | ---- | M] () -- C:\WINDOWS\win.ini
[2009/03/23 11:36:05 | 00,008,192 | ---- | M] () -- C:\WINDOWS\Toshiba.pcb

========== LOP Check ==========

[2009/04/21 17:48:00 | 00,000,000 | RH-D | M] -- C:\Documents and Settings\Administrator\Application Data
[2008/07/23 20:18:34 | 00,000,000 | ---D | M] -- C:\Documents and Settings\Administrator\Application Data\Adobe
[2002/08/12 19:53:47 | 00,000,000 | ---D | M] -- C:\Documents and Settings\Administrator\Application Data\Identities
[2002/08/13 17:38:53 | 00,000,000 | ---D | M] -- C:\Documents and Settings\Administrator\Application Data\InterTrust
[2008/07/23 20:18:37 | 00,000,000 | ---D | M] -- C:\Documents and Settings\Administrator\Application Data\Macromedia
[2009/04/21 17:21:37 | 00,000,000 | ---D | M] -- C:\Documents and Settings\Administrator\Application Data\Malwarebytes
[2008/07/20 23:43:48 | 00,000,000 | --SD | M] -- C:\Documents and Settings\Administrator\Application Data\Microsoft
[2002/08/13 17:48:15 | 00,000,000 | ---D | M] -- C:\Documents and Settings\Administrator\Application Data\Symantec
[2009/04/21 17:21:30 | 00,000,000 | RH-D | M] -- C:\Documents and Settings\All Users\Application Data
[2009/01/05 21:23:50 | 00,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\Abstract
[2009/01/05 21:20:59 | 00,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\Apple Computer
[2009/04/14 23:28:37 | 00,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\BOC427
[2009/01/05 21:23:49 | 00,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\EnterNHelp
[2009/04/21 17:21:30 | 00,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\Malwarebytes
[2007/12/30 15:40:22 | 00,000,000 | --SD | M] -- C:\Documents and Settings\All Users\Application Data\Microsoft
[2008/02/13 20:56:07 | 00,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\MSN6
[2009/01/05 21:24:33 | 00,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\Nikon
[2002/08/12 20:00:51 | 00,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\SBSI
[2009/04/21 16:08:31 | 00,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
[2006/11/27 01:31:21 | 00,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\Symantec
[2009/01/05 21:23:49 | 00,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\Ultima_T15
[2009/04/15 12:41:42 | 00,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\Windows Genuine Advantage
[2002/08/13 17:48:15 | 00,000,000 | RH-D | M] -- C:\Documents and Settings\Default User\Application Data
[2002/08/13 17:38:53 | 00,000,000 | ---D | M] -- C:\Documents and Settings\Default User\Application Data\Adobe
[2002/08/12 19:53:47 | 00,000,000 | ---D | M] -- C:\Documents and Settings\Default User\Application Data\Identities
[2002/08/13 17:38:53 | 00,000,000 | ---D | M] -- C:\Documents and Settings\Default User\Application Data\InterTrust
[2002/08/12 20:01:29 | 00,000,000 | --SD | M] -- C:\Documents and Settings\Default User\Application Data\Microsoft
[2002/08/13 17:48:15 | 00,000,000 | ---D | M] -- C:\Documents and Settings\Default User\Application Data\Symantec
[2009/04/21 16:08:05 | 00,000,000 | ---D | M] -- C:\Documents and Settings\LocalService\Application Data
[2009/04/21 16:08:05 | 00,000,000 | ---D | M] -- C:\Documents and Settings\LocalService\Application Data\Adobe
[2002/08/12 19:52:52 | 00,000,000 | --SD | M] -- C:\Documents and Settings\LocalService\Application Data\Microsoft
[2002/08/12 19:58:29 | 00,000,000 | ---D | M] -- C:\Documents and Settings\NetworkService\Application Data
[2002/08/12 19:52:52 | 00,000,000 | --SD | M] -- C:\Documents and Settings\NetworkService\Application Data\Microsoft
[2002/08/13 17:48:15 | 00,000,000 | RH-D | M] -- C:\Documents and Settings\Owner\Application Data
[2002/08/13 17:38:53 | 00,000,000 | ---D | M] -- C:\Documents and Settings\Owner\Application Data\Adobe
[2002/08/12 19:53:47 | 00,000,000 | ---D | M] -- C:\Documents and Settings\Owner\Application Data\Identities
[2002/08/13 17:38:53 | 00,000,000 | ---D | M] -- C:\Documents and Settings\Owner\Application Data\InterTrust
[2002/08/12 20:01:29 | 00,000,000 | --SD | M] -- C:\Documents and Settings\Owner\Application Data\Microsoft
[2002/08/13 17:48:15 | 00,000,000 | ---D | M] -- C:\Documents and Settings\Owner\Application Data\Symantec
[2009/04/14 22:59:51 | 00,000,000 | RH-D | M] -- C:\Documents and Settings\Surgeon\Application Data
[2008/07/23 20:30:23 | 00,000,000 | ---D | M] -- C:\Documents and Settings\Surgeon\Application Data\Adobe
[2009/04/14 22:59:51 | 00,000,000 | ---D | M] -- C:\Documents and Settings\Surgeon\Application Data\Comodo
[2002/08/12 19:53:47 | 00,000,000 | ---D | M] -- C:\Documents and Settings\Surgeon\Application Data\Identities
[2002/08/13 17:38:53 | 00,000,000 | ---D | M] -- C:\Documents and Settings\Surgeon\Application Data\InterTrust
[2008/07/23 20:32:36 | 00,000,000 | ---D | M] -- C:\Documents and Settings\Surgeon\Application Data\Macromedia
[2008/07/23 20:24:58 | 00,000,000 | --SD | M] -- C:\Documents and Settings\Surgeon\Application Data\Microsoft
[2002/08/13 17:48:15 | 00,000,000 | ---D | M] -- C:\Documents and Settings\Surgeon\Application Data\Symantec
[2009/01/06 16:18:12 | 00,000,000 | RH-D | M] -- C:\Documents and Settings\Toshiba\Application Data
[2008/03/09 14:08:11 | 00,000,000 | ---D | M] -- C:\Documents and Settings\Toshiba\Application Data\Adobe
[2007/02/08 22:03:56 | 00,000,000 | ---D | M] -- C:\Documents and Settings\Toshiba\Application Data\Corel
[2006/11/29 21:59:41 | 00,000,000 | ---D | M] -- C:\Documents and Settings\Toshiba\Application Data\Help
[2002/08/12 19:53:47 | 00,000,000 | ---D | M] -- C:\Documents and Settings\Toshiba\Application Data\Identities
[2002/08/13 17:38:53 | 00,000,000 | ---D | M] -- C:\Documents and Settings\Toshiba\Application Data\InterTrust
[2007/10/28 20:32:45 | 00,000,000 | ---D | M] -- C:\Documents and Settings\Toshiba\Application Data\InterVideo
[2008/03/09 14:08:11 | 00,000,000 | ---D | M] -- C:\Documents and Settings\Toshiba\Application Data\Macromedia
[2009/03/05 17:54:59 | 00,000,000 | --SD | M] -- C:\Documents and Settings\Toshiba\Application Data\Microsoft
[2008/11/04 21:45:20 | 00,000,000 | ---D | M] -- C:\Documents and Settings\Toshiba\Application Data\Move Networks
[2008/02/13 20:56:12 | 00,000,000 | ---D | M] -- C:\Documents and Settings\Toshiba\Application Data\MSN6
[2009/01/06 16:18:12 | 00,000,000 | ---D | M] -- C:\Documents and Settings\Toshiba\Application Data\Nikon
[2002/08/13 17:48:15 | 00,000,000 | ---D | M] -- C:\Documents and Settings\Toshiba\Application Data\Symantec
[2008/06/16 10:19:38 | 00,000,000 | ---D | M] -- C:\Documents and Settings\Toshiba\Application Data\Viewpoint
[2001/08/18 08:00:00 | 00,000,065 | RH-- | M] () -- C:\WINDOWS\Tasks\desktop.ini
[2009/04/21 17:49:40 | 00,000,454 | ---- | M] () -- C:\WINDOWS\Tasks\RegCure Program Check.job
[2009/04/21 17:10:44 | 00,000,388 | ---- | M] () -- C:\WINDOWS\Tasks\RegCure.job
[2009/04/21 17:51:58 | 00,000,006 | -H-- | M] () -- C:\WINDOWS\Tasks\SA.DAT
[2002/08/13 17:48:41 | 00,000,412 | ---- | M] () -- C:\WINDOWS\Tasks\Symantec NetDetect.job

========== Purity Check ==========

< End of report >

One of my novice friends said it'd be quicker to do a clean reinstall of Windows... I don't know where my dad put that CD.

BTW... just ran Malwarebytes again... Vundo isn't showing up, just Trojan.Agent and Malware.Trace.
#2
Rorschach112
Ralphie
  • Retired Staff
  • 47,710 posts
Hello

  • Make sure to use Internet Explorer for this
  • Please go to VirSCAN.org FREE on-line scan service
  • Copy and paste the following file path into the "Suspicious files to scan" box on the top of the page:

    • C:\WINDOWS\System32\svchost.exe
  • Click on the Upload button
  • If a pop-up appears saying the file has been scanned already, please select the ReScan button.
  • Once the Scan is completed, click on the "Copy to Clipboard" button. This will copy the link of the report into the Clipboard.
  • Paste the contents of the Clipboard in your next reply.


#3
don'tclickthat
New Member
  • Topic Starter
  • Member
  • 2 posts

hello

  • Make sure to use Internet Explorer for this
  • Please go to VirSCAN.org FREE on-line scan service
  • Copy and paste the following file path into the "Suspicious files to scan" box on the top of the page:

    • C:\WINDOWS\System32\svchost.exe
  • Click on the Upload button
  • If a pop-up appears saying the file has been scanned already, please select the ReScan button.
  • Once the Scan is completed, click on the "Copy to Clipboard" button. This will copy the link of the report into the Clipboard.
  • Paste the contents of the Clipboard in your next reply.


Hi. virscan.org didn't want to work in safe mode, so I saved it to a flash drive and scanned it from my computer... dumb move, I know.

Here you go:
File Name : svchost.exe
File Size : 32256 byte
File Type : PE32 executable for MS Windows (GUI) Intel 80386 32-bit
MD5 : b18d9dac8fb4dec0e5f05ff8dcac0f83
SHA1 : 98ab0e9ae70f883c22edabd42e34b61ade9623a9

Scanner results
Scanner results : 42% Scanner(16/38) found malware!
Time : 2009/04/21 21:21:45 (EDT)
| Scanner | Engine Ver | Sig Ver | Sig Date | Scan result | Time |
|---|---|---|---|---|---|
| a-squared | 4.0.0.32 | 20090422050124 | 2009-04-22 | - | 3.044 |
| AhnLab V3 | 2009.04.22.00 | 2009.04.22 | 2009-04-22 | Win32/Virut.E | 1.545 |
| AntiVir | 7.9.0.148 | 7.1.3.86 | 2009-04-21 | W32/Virut.Gen | 2.129 |
| Antiy | 2.0.18 | 20090421.2315191 | 2009-04-21 | - | 0.121 |
| Arcavir | 2009 | 200904211745 | 2009-04-21 | - | 0.277 |
| Authentium | 5.1.1 | 200904211722 | 2009-04-21 | - | 1.554 |
| AVAST! | 3.0.1 | 090421-0 | 2009-04-21 | - | 0.927 |
| AVG | 7.5.52.442 | 270.12.2/2072 | 2009-04-21 | - | 2.032 |
| BitDefender | 7.81008.2849584 | 7.24929 | 2009-04-22 | Win32.Virtob.Gen.12 | 2.600 |
| CA (VET) | 9.0.0.143 | 31.6.6468 | 2009-04-22 | Win32/Virut.17408 virus. | 29.184 |
| ClamAV | 0.95 | 9267 | 2009-04-21 | - | 0.012 |
| Comodo | 3.8 | 1124 | 2009-04-21 | - | 1.687 |
| CP Secure | 1.1.0.715 | 2009.04.22 | 2009-04-22 | - | 8.400 |
| Dr.Web | 4.44.0.9170 | 2009.04.22 | 2009-04-22 | - | 4.608 |
| F-Prot | 4.4.4.56 | 20090421 | 2009-04-21 | - | 1.576 |
| F-Secure | 5.51.6100 | 2009.04.22.01 | 2009-04-22 | Virus.Win32.Virut.ce [AVP] | 0.109 |
| Fortinet | 2.81-3.117 | 10.307 | 2009-04-21 | - | 0.601 |
| GData | 19.4786/19.306 | 20090422 | 2009-04-22 | Virus.Win32.Virut.ce [Engine:A] | 7.478 |
| Ikarus | T3.1.01.49 | 2009.04.21.72613 | 2009-04-21 | - | 2.789 |
| JiangMin | 11.0.706 | 2009.04.20 | 2009-04-20 | - | 5.414 |
| Kaspersky | 5.5.10 | 2009.04.22 | 2009-04-22 | Virus.Win32.Virut.ce | 0.095 |
| KingSoft | 2009.2.5.15 | 2009.4.21.21 | 2009-04-21 | Win32.Virut.mk.53248 | 4.140 |
| McAfee | 5.3.00 | 5591 | 2009-04-21 | W32/Virut.n.gen | 3.738 |
| Microsoft | 1.4602 | 2009.04.22 | 2009-04-22 | Virus:Win32/Virut.BM | 10.397 |
| mks_vir | 2.01 | 2009.04.21 | 2009-04-21 | - | 2.852 |
| Norman | 6.00.06 | 6.00.00 | 2009-04-21 | - | 10.010 |
| nProtect | 20090420.03 | 3484263 | 2009-04-20 | - | 8.575 |
| Panda | 9.05.01 | 2009.04.21 | 2009-04-21 | - | 12.414 |
| Quick Heal | 10.00 | 2009.04.21 | 2009-04-21 | W32.Virut.G | 2.211 |
| Rising | 20.0 | 21.26.14.00 | 2009-04-21 | - | 2.852 |
| Sophos | 2.85.0 | 4.40 | 2009-04-22 | W32/Scribble-B | 2.445 |
| Sunbelt | 5105 | 5105 | 2009-04-21 | - | 0.728 |
| Symantec | 1.3.0.24 | 20090421.006 | 2009-04-21 | W32.Virut.CF | 0.112 |
| The Hacker | 6.3.4.0 | v00312 | 2009-04-21 | - | 1.165 |
| Trend Micro | 8.700-1004 | 5.980.01 | 2009-04-21 | PE_VIRUX.F-2 | 0.031 |
| VBA32 | 3.12.10.2 | 20090421.1001 | 2009-04-21 | Virus.Win32.Virut.1 (suspicious) | 2.690 |
| ViRobot | 20090421 | 2009.04.21 | 2009-04-21 | - | 1.473 |
| VirusBuster | 4.5.11.10 | 10.105.2/1261525 | 2009-04-21 | Win32.Virut.Y.Gen | 1.703 |
  • 0

#4
Rorschach112

Rorschach112

    Ralphie

  • Retired Staff
  • 47,710 posts
Hello

You are infected with a polymorphic file infector. This infection can and will infect all the machine's executable files .exe, .scr, .rar, .zip, .htm, .html. Because there are a number of bugs in its code, it may create executable files that are corrupted beyond repair resulting in an inoperative machine.

Malware experts say that a Complete Reformat and Reinstall is the only way to clean the infection. This includes All Drives that contain .exe, .scr, .rar, .zip, .htm, .html files.
  • Backup all your documents and important items only.
  • DO NOT backup any executable files (.exe .scr .html or .htm)
  • Do Not back up compressed files (zip/cab/rar) files that may contain .exe or .scr files
  • Reformat and Reinstall as outlined HERE


I suggest you do the following immediately:
  • Call all of your banks, credit card companies, financial institutions and inform them that you may be a victim of identity theft and to put a watch on your accounts or change all your account numbers.
  • From a clean computer, change *all* your online passwords -- for email, for banks, financial accounts, PayPal, eBay, online companies, any online forums or groups you belong to.
  • DO NOT change passwords or do any transactions while using the infected computer because the attacker will get the new passwords and transaction information.

  • 0
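The selective-backup rule from the post above, written out as an added Python example (not code from the post or the forum): copy user documents to a backup location, skip the infectable extensions listed, and skip archives. Source and destination paths and the helper names are assumptions; as one extension beyond the post's rule, ZIP archives are opened read-only and their member names checked, so a ZIP holding only documents can be kept.

```python
"""Selective backup before a reformat: copy documents, skip anything a
file infector could have touched.  Added example, not from the post;
paths and helper names are assumptions based on the post's advice."""
import os
import shutil
import zipfile

# Extensions the post says must not be backed up.
INFECTABLE_EXTS = {".exe", ".scr", ".htm", ".html"}
# Archives that may carry infectable members.  The post skips all of them;
# ZIPs are additionally inspected by member name (assumed refinement).
ARCHIVE_EXTS = {".zip", ".cab", ".rar"}


def zip_has_infectable_member(path):
    """True if any member name ends with an infectable extension.
    Only the central directory is read; nothing is extracted."""
    try:
        with zipfile.ZipFile(path) as zf:
            return any(os.path.splitext(n)[1].lower() in INFECTABLE_EXTS
                       for n in zf.namelist())
    except zipfile.BadZipFile:
        return True  # unreadable archive: treat as unsafe


def is_safe_to_backup(path):
    """Apply the post's rule (plus the ZIP refinement) to one file."""
    ext = os.path.splitext(path)[1].lower()
    if ext in INFECTABLE_EXTS:
        return False
    if ext in ARCHIVE_EXTS:
        return ext == ".zip" and not zip_has_infectable_member(path)
    return True


def backup_documents(src_root, dst_root):
    """Copy safe files from src_root to dst_root, keeping relative paths.
    Returns sorted (copied, skipped) lists of relative paths for review."""
    copied, skipped = [], []
    for dirpath, _dirs, files in os.walk(src_root):
        for name in files:
            full = os.path.join(dirpath, name)
            rel = os.path.relpath(full, src_root)
            if is_safe_to_backup(full):
                dest = os.path.join(dst_root, rel)
                os.makedirs(os.path.dirname(dest), exist_ok=True)
                shutil.copy2(full, dest)
                copied.append(rel)
            else:
                skipped.append(rel)
    return sorted(copied), sorted(skipped)
```

Run it from a clean machine against the mounted infected disk; the skipped list is what to review before wiping.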

#5
Rorschach112

Rorschach112

    Ralphie

  • Retired Staff
  • 47,710 posts
Due to lack of feedback, this topic has been closed.

If you need this topic reopened, please contact a staff member. This applies only to the original topic starter. Everyone else please begin a New Topic.
  • 0