Win32/rootkit.agent.ODGtrojan [Solved] - Geeks to Go Forums


Win32/rootkit.agent.ODGtrojan [Solved] malware removal guide not helpful

#1 jolene singh

  • Group: Member
  • Posts: 104
  • Joined: 11-May 09

Posted 11 May 2009 - 11:26 AM

Hi,
I have a win32/rootkit.agent.ODGtrojan being detected in my operating memory. It gets detected by NOD32 ver 4 during the startup scan. My computer has started hanging every 10 minutes or so. I went through the previous posts on similar topics and realise that personalised directions for my computer may be required, hence I have not done anything besides what is mentioned in the malware removal guide.

The following did not work from the directions given in the guide:
1. System Restore got installed but wouldn't run. An error saying "application failed to initialise properly (0xC0000135). click OK to terminate" popped up.
2. Malwarebytes' Anti-Malware got installed but wouldn't run.
3. No rooter.txt was created in the C drive after rooter.exe was executed. A command-prompt-like window flashed on the screen, and a folder called "rooter$" with some files appeared, but no text document.

Please help me in removing this, as our college's exams will start within a week and I am the net server of my hostel floor. An immediate solution is very much needed.

I ran the OTLI scan and am posting the files generated. Hope they are helpful.

OTListIt.txt
OTListIt logfile created on: 5/11/2009 2:42:09 PM - Run 1
OTListIt2 by OldTimer - Version 2.0.15.6 Folder = E:\geeks to go
Windows XP Professional Edition Service Pack 2 (Version = 5.1.2600) - Type = NTWorkstation
Internet Explorer (Version = 8.0.6001.18702)
Locale: 00000409 | Country: United States | Language: ENU | Date Format: M/d/yyyy

223.48 Mb Total Physical Memory | 39.51 Mb Available Physical Memory | 17.68% Memory free
546.65 Mb Paging File | 270.53 Mb Available in Paging File | 49.49% Paging File free
Paging file location(s): C:\pagefile.sys 336 672 [binary data]

%SystemDrive% = C: | %SystemRoot% = C:\WINDOWS | %ProgramFiles% = C:\Program Files
Drive C: | 12.00 Gb Total Space | 3.13 Gb Free Space | 26.09% Space Free | Partition Type: NTFS
Drive D: | 13.00 Gb Total Space | 4.65 Gb Free Space | 35.77% Space Free | Partition Type: FAT32
Drive E: | 12.29 Gb Total Space | 6.92 Gb Free Space | 56.29% Space Free | Partition Type: NTFS
F: Drive not present or media not loaded
G: Drive not present or media not loaded
H: Drive not present or media not loaded
I: Drive not present or media not loaded

Computer Name: JS-FA5AC93B58
Current User Name: Jolene S
Logged in as Administrator.

Current Boot Mode: Normal
Scan Mode: Current user
Output = Minimal
File Age = 30 Days
Company Name Whitelist: On

========== Processes (SafeList) ==========

PRC - C:\WINDOWS\Explorer.EXE (Microsoft Corporation)
PRC - C:\Program Files\Analog Devices\SoundMAX\SMTray.exe (Analog Devices, Inc.)
PRC - E:\cc proxy 6.3.7\CCProxy.exe ()
PRC - C:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe (Adobe Systems Incorporated)
PRC - C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe (Microsoft Corporation)
PRC - C:\Program Files\Java\jre6\bin\jusched.exe (Sun Microsystems, Inc.)
PRC - C:\Program Files\ESET\ESET NOD32 Antivirus\egui.exe (ESET)
PRC - C:\Program Files\DNA\btdna.exe (BitTorrent, Inc.)
PRC - C:\Program Files\Google\Update\GoogleUpdate.exe (Google Inc.)
PRC - C:\Program Files\ESET\ESET NOD32 Antivirus\ekrn.exe (ESET)
PRC - C:\Program Files\Java\jre6\bin\jqs.exe (Sun Microsystems, Inc.)
PRC - C:\MATLABR11\webserver\bin\matlabserver.exe ()
PRC - C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe (Analog Devices, Inc.)
PRC - C:\WINDOWS\system32\wscntfy.exe (Microsoft Corporation)
PRC - C:\Program Files\Internet Explorer\iexplore.exe (Microsoft Corporation)
PRC - C:\Program Files\Internet Explorer\iexplore.exe (Microsoft Corporation)
PRC - C:\Program Files\Internet Explorer\iexplore.exe (Microsoft Corporation)
PRC - E:\geeks to go\OTListIt2.exe (OldTimer Tools)

========== Win32 Services (SafeList) ==========

SRV - (EhttpSrv [On_Demand | Stopped]) -- C:\Program Files\ESET\ESET NOD32 Antivirus\EHttpSrv.exe (ESET)
SRV - (ekrn [Auto | Running]) -- C:\Program Files\ESET\ESET NOD32 Antivirus\ekrn.exe (ESET)
SRV - (gupdate1c9cd5e3caea74e [Auto | Stopped]) -- C:\Program Files\Google\Update\GoogleUpdate.exe (Google Inc.)
SRV - (helpsvc [Auto | Running]) -- C:\WINDOWS\PCHealth\HelpCtr\Binaries\pchsvc.dll (Microsoft Corporation)
SRV - (JavaQuickStarterService [Auto | Running]) -- C:\Program Files\Java\jre6\bin\jqs.exe (Sun Microsystems, Inc.)
SRV - (matlabserver [Auto | Running]) -- C:\MATLABR11\webserver\bin\matlabserver.exe ()
SRV - (Microsoft Office Groove Audit Service [On_Demand | Stopped]) -- C:\Program Files\Microsoft Office\Office12\GrooveAuditService.exe (Microsoft Corporation)
SRV - (odserv [On_Demand | Stopped]) -- C:\Program Files\Common Files\Microsoft Shared\OFFICE12\ODSERV.EXE (Microsoft Corporation)
SRV - (ose [On_Demand | Stopped]) -- C:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE (Microsoft Corporation)
SRV - (SoundMAX Agent Service (default) [Auto | Running]) -- C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe (Analog Devices, Inc.)

========== Driver Services (SafeList) ==========

DRV - (aeaudio [On_Demand | Running]) -- C:\WINDOWS\System32\drivers\aeaudio.sys (Andrea Electronics Corporation)
DRV - (aslm75 [Auto | Running]) -- C:\WINDOWS\system32\drivers\aslm75.sys ()
DRV - (eamon [Auto | Running]) -- C:\WINDOWS\System32\DRIVERS\eamon.sys (ESET)
DRV - (ehdrv [System | Running]) -- C:\WINDOWS\System32\DRIVERS\ehdrv.sys (ESET)
DRV - (epfwtdir [System | Running]) -- C:\WINDOWS\System32\DRIVERS\epfwtdir.sys (ESET)
DRV - (FETND5BV [On_Demand | Running]) -- C:\WINDOWS\System32\DRIVERS\fetnd5bv.sys (VIA Technologies, Inc. )
DRV - (FETNDIS [On_Demand | Stopped]) -- C:\WINDOWS\System32\DRIVERS\fetnd5.sys (VIA Technologies, Inc. )
DRV - (FETNDISB [On_Demand | Stopped]) -- C:\WINDOWS\System32\DRIVERS\fetnd5b.sys (VIA Technologies, Inc. )
DRV - (gameenum [On_Demand | Running]) -- C:\WINDOWS\System32\DRIVERS\gameenum.sys (Microsoft Corporation)
DRV - (ms_mpu401 [On_Demand | Running]) -- C:\WINDOWS\System32\drivers\msmpu401.sys (Microsoft Corporation)
DRV - (NTSIM [On_Demand | Stopped]) -- C:\WINDOWS\system32\ntsim.sys (VIA Networking Technologies, Inc. )
DRV - (Ptilink [On_Demand | Running]) -- C:\WINDOWS\System32\DRIVERS\ptilink.sys (Parallel Technologies, Inc.)
DRV - (Secdrv [On_Demand | Stopped]) -- C:\WINDOWS\System32\DRIVERS\secdrv.sys (Macrovision Corporation, Macrovision Europe Limited, and Macrovision Japan and Asia K.K.)
DRV - (slnt [On_Demand | Running]) -- C:\WINDOWS\System32\DRIVERS\slnt.sys (Silan Micro-Electronics Inc.)
DRV - (smwdm [On_Demand | Running]) -- C:\WINDOWS\System32\drivers\smwdm.sys (Analog Devices, Inc.)
DRV - (SONYPVU1 [On_Demand | Stopped]) -- C:\WINDOWS\System32\DRIVERS\SONYPVU1.SYS (Sony Corporation)
DRV - (viaagp1 [Boot | Running]) -- C:\WINDOWS\system32\DRIVERS\viaagp1.sys (VIA Technologies, Inc.)
DRV - (viagfx [On_Demand | Running]) -- C:\WINDOWS\System32\DRIVERS\vtmini.sys (Copyright © VIA/S3 Graphics, Inc.)
DRV - (WinDriver6 [On_Demand | Running]) -- C:\WINDOWS\System32\drivers\windrvr6.sys (Jungo)

========== Standard Registry (SafeList) ==========


========== Internet Explorer ==========

IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft....k/?LinkId=69157
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft....k/?LinkId=54896
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Default_Secondary_Page_URL = [binary data]
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Extensions Off Page = about:NoAdd-ons
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Local Page = C:\WINDOWS\system32\blank.htm
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft....k/?LinkId=54896
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Security Risk Page = about:SecurityRisk
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft....k/?LinkId=69157
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Search,CustomizeSearch = http://ie.search.msn...st/srchcust.htm
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Search,SearchAssistant = http://ie.search.msn...st/srchasst.htm

IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Local Page = C:\WINDOWS\system32\blank.htm
IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Search Page = http://www.microsoft.com/isapi/redir.dll?p...amp;ar=iesearch
IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = http://10.239.89.15/home?CPURL=http%3A%2F%...&t=ftapv0xy
IE - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0

FF - HKLM\software\mozilla\Firefox\extensions\\jqs@sun.com: C:\PROGRAM FILES\JAVA\JRE6\LIB\DEPLOY\JQS\FF [2009/05/01 09:11:54 | 00,000,000 | ---D | M]
FF - HKLM\software\mozilla\Firefox\extensions\\{000a9d1c-beef-4f90-9363-039d445309b8}: C:\PROGRAM FILES\GOOGLE\GOOGLE GEARS\FIREFOX\ [2009/05/05 14:19:19 | 00,000,000 | ---D | M]
FF - HKLM\software\mozilla\Thunderbird\Extensions\\eplgTb@eset.com: C:\PROGRAM FILES\ESET\ESET NOD32 ANTIVIRUS\MOZILLA THUNDERBIRD


O1 HOSTS File: (734 bytes) - C:\WINDOWS\System32\drivers\etc\Hosts
O1 - Hosts: 127.0.0.1 localhost
O2 - BHO: (Adobe PDF Link Helper) - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll (Adobe Systems Incorporated)
O2 - BHO: (Groove GFS Browser Helper) - {72853161-30C5-4D22-B7F9-0BBC1D38A37E} - C:\Program Files\Microsoft Office\Office12\GrooveShellExtensions.dll (Microsoft Corporation)
O2 - BHO: (Java™ Plug-In 2 SSV Helper) - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll (Sun Microsystems, Inc.)
O2 - BHO: (Google Gears Helper) - {E0FEFE40-FBF9-42AE-BA58-794CA7E3FB53} - C:\Program Files\Google\Google Gears\Internet Explorer\0.5.16.0\gears.dll (Google Inc.)
O2 - BHO: (JQSIEStartDetectorImpl Class) - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll (Sun Microsystems, Inc.)
O4 - HKLM..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe" (Adobe Systems Incorporated)
O4 - HKLM..\Run: [CCProxy] E:\cc proxy 6.3.7\CCProxy.exe ()
O4 - HKLM..\Run: [egui] "C:\Program Files\ESET\ESET NOD32 Antivirus\egui.exe" /hide /waitservice (ESET)
O4 - HKLM..\Run: [googletalk] C:\Program Files\Google\Google Talk\googletalk.exe /autostart (Google)
O4 - HKLM..\Run: [GrooveMonitor] "C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe" (Microsoft Corporation)
O4 - HKLM..\Run: [Smapp] C:\Program Files\Analog Devices\SoundMAX\SMTray.exe (Analog Devices, Inc.)
O4 - HKLM..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe" (Sun Microsystems, Inc.)
O4 - HKLM..\Run: [VTTimer] VTTimer.exe File not found
O4 - HKCU..\Run: [BitTorrent DNA] "C:\Program Files\DNA\btdna.exe" (BitTorrent, Inc.)
O4 - Startup: C:\Documents and Settings\Jolene S\Start Menu\Programs\Startup\MyLanViewer.lnk = C:\Program Files\MyLanViewer\MyLanViewer.exe File not found
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: HonorAutoRunSetting = 1
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: dontdisplaylastusername = 0
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: legalnoticecaption =
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: legalnoticetext =
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: shutdownwithoutlogon = 1
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: undockwithoutlogon = 1
O7 - HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office12\EXCEL.EXE/3000 (Microsoft Corporation)
O9 - Extra 'Tools' menuitem : &Gears Settings - {09C04DA7-5B76-4EBC-BBEE-B25EAC5965F5} - C:\Program Files\Google\Google Gears\Internet Explorer\0.5.16.0\gears.dll (Google Inc.)
O9 - Extra Button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\Program Files\Microsoft Office\Office12\ONBttnIE.dll (Microsoft Corporation)
O9 - Extra 'Tools' menuitem : S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\Program Files\Microsoft Office\Office12\ONBttnIE.dll (Microsoft Corporation)
O9 - Extra Button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\Program Files\Microsoft Office\Office12\REFIEBAR.DLL (Microsoft Corporation)
O9 - Extra Button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe (Microsoft Corporation)
O9 - Extra 'Tools' menuitem : Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe (Microsoft Corporation)
O15 - HKLM\..Trusted Domains: 1 domain(s) and sub-domain(s) not assigned to a zone.
O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} http://sdlc-esd.sun.com/ESD7/JSCDL/jdk/6u1...=javadl.sun.com (Java Plug-in 1.6.0_13)
O16 - DPF: {CAFEEFAC-0016-0000-0013-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinstall-...indows-i586.cab (Java Plug-in 1.6.0_13)
O16 - DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinstall-...indows-i586.cab (Java Plug-in 1.6.0_13)
O16 - DPF: Microsoft XML Parser for Java file:///C:/WINDOWS/Java/classes/xmldso.cab (Reg Error: Key error.)
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: NameServer = 85.255.112.234,85.255.112.185
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Interfaces\{3AAC7FFE-A4DC-4F87-B37A-0ECC49DF839B}\\NameServer = 85.255.112.234,85.255.112.185
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Interfaces\{A0B7B810-A36D-414C-ADD2-818B5136ECA1}\\NameServer = 85.255.112.234,85.255.112.185
O18 - Protocol\Handler\grooveLocalGWS {88FED34C-F0CA-4636-A375-3CB6248B04CD} - C:\Program Files\Microsoft Office\Office12\GrooveSystemServices.dll (Microsoft Corporation)
O18 - Protocol\Handler\http\0x00000001 {E1D2BF42-A96B-11d1-9C6B-0000F875AC61} - C:\Program Files\Common Files\System\Ole DB\MSDAIPP.DLL (Microsoft Corporation)
O18 - Protocol\Handler\http\oledb {E1D2BF40-A96B-11d1-9C6B-0000F875AC61} - C:\Program Files\Common Files\System\Ole DB\MSDAIPP.DLL (Microsoft Corporation)
O18 - Protocol\Handler\https\0x00000001 {E1D2BF42-A96B-11d1-9C6B-0000F875AC61} - C:\Program Files\Common Files\System\Ole DB\MSDAIPP.DLL (Microsoft Corporation)
O18 - Protocol\Handler\https\oledb {E1D2BF40-A96B-11d1-9C6B-0000F875AC61} - C:\Program Files\Common Files\System\Ole DB\MSDAIPP.DLL (Microsoft Corporation)
O18 - Protocol\Handler\ipp\0x00000001 {E1D2BF42-A96B-11d1-9C6B-0000F875AC61} - C:\Program Files\Common Files\System\Ole DB\MSDAIPP.DLL (Microsoft Corporation)
O18 - Protocol\Handler\msdaipp\0x00000001 {E1D2BF42-A96B-11d1-9C6B-0000F875AC61} - C:\Program Files\Common Files\System\Ole DB\MSDAIPP.DLL (Microsoft Corporation)
O18 - Protocol\Handler\msdaipp\oledb {E1D2BF40-A96B-11d1-9C6B-0000F875AC61} - C:\Program Files\Common Files\System\Ole DB\MSDAIPP.DLL (Microsoft Corporation)
O18 - Protocol\Handler\ms-help {314111c7-a502-11d2-bbca-00c04f8ec294} - C:\Program Files\Common Files\Microsoft Shared\Help\hxds.dll (Microsoft Corporation)
O18 - Protocol\Filter: - text/xml - C:\Program Files\Common Files\Microsoft Shared\OFFICE12\MSOXMLMF.DLL (Microsoft Corporation)
O20 - HKLM Winlogon: Shell - (Explorer.exe) - File not found
O20 - HKLM Winlogon: UIHost - (logonui.exe) - File not found
O20 - HKLM Winlogon: VMApplet - (Control_RunDLL "sysdm.cpl") - File not found
O20 - Winlogon\Notify\crypt32chain: DllName - crypt32.dll - File not found
O20 - Winlogon\Notify\cryptnet: DllName - cryptnet.dll - File not found
O20 - Winlogon\Notify\cscdll: DllName - cscdll.dll - File not found
O20 - Winlogon\Notify\ScCertProp: DllName - wlnotify.dll - File not found
O20 - Winlogon\Notify\Schedule: DllName - wlnotify.dll - File not found
O20 - Winlogon\Notify\sclgntfy: DllName - sclgntfy.dll - File not found
O20 - Winlogon\Notify\SensLogn: DllName - WlNotify.dll - File not found
O20 - Winlogon\Notify\termsrv: DllName - wlnotify.dll - File not found
O20 - Winlogon\Notify\wlballoon: DllName - wlnotify.dll - File not found
O24 - Desktop Components:0 (My Current Home Page) - About:Home
O28 - HKLM ShellExecuteHooks: {AEB6717E-7E19-11d0-97EE-00C04FD91972} - File not found
O28 - HKLM ShellExecuteHooks: {B5A7F190-DDA6-4420-B3BA-52453494E6CD} - C:\Program Files\Microsoft Office\Office12\GrooveShellExtensions.dll (Microsoft Corporation)
O29 - HKLM SecurityProviders - (msapsspc.dll) - File not found
O29 - HKLM SecurityProviders - (schannel.dll) - File not found
O29 - HKLM SecurityProviders - (digest.dll) - File not found
O29 - HKLM SecurityProviders - (msnsspc.dll) - File not found
O31 - SafeBoot: AlternateShell - cmd.exe
O32 - HKLM CDRom: AutoRun - 1
O32 - AutoRun File - [2009/04/08 19:23:37 | 00,000,000 | ---- | M] () - C:\AUTOEXEC.BAT -- [ NTFS ]
O32 - AutoRun File - [2009/05/11 14:36:30 | 00,000,368 | RHS- | M] () - C:\autorun.inf -- [ NTFS ]
O32 - AutoRun File - [2009/05/11 14:36:32 | 00,000,296 | RHS- | M] () - D:\autorun.inf -- [ FAT32 ]
O32 - AutoRun File - [2009/05/11 14:36:30 | 00,000,400 | RHS- | M] () - E:\autorun.inf -- [ NTFS ]
O33 - MountPoints2\{0b25fc39-2525-11de-b7db-000ea68fc036}\Shell\AutoRun\command - "" = L:\fbak.exe -- File not found
O33 - MountPoints2\{0b25fc39-2525-11de-b7db-000ea68fc036}\Shell\open\Command - "" = L:\fbak.exe -- File not found
O33 - MountPoints2\{7900f44a-257e-11de-b7dc-000ea68fc036}\Shell\AutoRun\command - "" = G:\1ogf.exe -- File not found
O33 - MountPoints2\{7900f44a-257e-11de-b7dc-000ea68fc036}\Shell\open\Command - "" = G:\1ogf.exe -- File not found
O34 - HKLM BootExecute: (autocheck) - File not found
O34 - HKLM BootExecute: (autochk) - C:\WINDOWS\System32\autochk.exe (Microsoft Corporation)
O34 - HKLM BootExecute: (*) - File not found

========== Files/Folders - Created Within 30 Days ==========

[3 C:\WINDOWS\*.tmp files]
[2009/05/11 14:26:27 | 00,000,000 | ---D | C] -- C:\Rooter$
[2009/05/11 14:22:36 | 00,000,000 | ---D | C] -- C:\Program Files\ERUNT
[2009/05/11 10:47:14 | 00,015,504 | ---- | C] (Malwarebytes Corporation) -- C:\WINDOWS\System32\drivers\mbam.sys
[2009/05/11 10:47:14 | 00,000,696 | ---- | C] () -- C:\Documents and Settings\All Users\Desktop\Malwarebytes' Anti-Malware.lnk
[2009/05/11 10:47:11 | 00,038,496 | ---- | C] (Malwarebytes Corporation) -- C:\WINDOWS\System32\drivers\mbamswissarmy.sys
[2009/05/11 10:47:09 | 00,000,000 | ---D | C] -- C:\Program Files\Malwarebytes' Anti-Malware
[2009/05/11 08:22:08 | 00,000,368 | RHS- | C] () -- C:\autorun.inf
[2009/05/11 08:21:19 | 00,000,010 | ---- | C] () -- C:\WINDOWS\System32\kr_done1
[2009/05/10 22:19:04 | 00,000,000 | ---D | C] -- C:\Documents and Settings\Jolene S\Application Data\LanViewer
[2009/05/06 14:44:37 | 00,000,000 | -H-- | C] () -- C:\WINDOWS\msds.dat
[2009/05/06 14:42:07 | 00,006,230 | ---- | C] () -- C:\WINDOWS\RIDE.ini
[2009/05/06 14:42:06 | 00,135,680 | ---- | C] (Sampson Multimedia ®) -- C:\WINDOWS\System32\crypto32.dll
[2009/05/06 14:42:06 | 00,036,352 | ---- | C] () -- C:\WINDOWS\System32\SX32W.DLL
[2009/05/06 14:42:06 | 00,000,000 | ---D | C] -- C:\RIDE
[2009/05/05 14:21:12 | 00,001,727 | ---- | C] () -- C:\Documents and Settings\Jolene S\Desktop\Gmail.lnk
[2009/05/05 14:18:19 | 00,000,882 | ---- | C] () -- C:\WINDOWS\tasks\GoogleUpdateTaskMachine.job
[2009/05/05 07:28:11 | 00,000,829 | ---- | C] () -- C:\Documents and Settings\Jolene S\Desktop\Rhymesaurus FREE Edition.lnk
[2009/05/05 07:28:07 | 00,000,000 | ---D | C] -- C:\Program Files\Rhymesaurus FREE Edition
[2009/05/05 07:26:20 | 00,000,000 | ---D | C] -- C:\Program Files\RhymeIt
[2009/05/05 07:08:32 | 00,000,000 | ---D | C] -- C:\Program Files\LAN Communicator
[2009/05/04 16:47:45 | 00,000,000 | ---D | C] -- C:\Program Files\ESET
[2009/05/01 09:13:09 | 00,000,000 | ---D | C] -- C:\WINDOWS\Sun
[2009/05/01 09:11:42 | 00,000,000 | ---D | C] -- C:\Program Files\Java
[2009/05/01 09:01:04 | 00,000,000 | ---D | C] -- C:\Documents and Settings\Jolene S\Application Data\Sun
[2009/04/30 19:11:30 | 00,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Documents\jo...koi movie share kar yaar
[2009/04/29 13:07:45 | 00,000,720 | ---- | C] () -- C:\Documents and Settings\Jolene S\Start Menu\Programs\Startup\MyLanViewer.lnk
[2009/04/28 07:30:08 | 00,000,000 | RHS- | C] () -- C:\Documents and Settings\All Users\Documents\khq
[2009/04/27 11:24:49 | 00,000,000 | RHS- | C] () -- C:\Documents and Settings\All Users\Documents\kht
[2009/04/23 20:25:15 | 00,146,944 | ---- | C] () -- C:\Documents and Settings\Jolene S\My Documents\etctesyllabus.doc
[2009/04/21 23:02:03 | 00,027,136 | ---- | C] () -- C:\Documents and Settings\All Users\Documents\This is to certify that.doc
[2009/04/17 13:58:09 | 00,139,536 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\javaee.dll
[2009/04/16 18:54:44 | 00,000,000 | ---D | C] -- C:\Program Files\Microsoft Silverlight
[2009/04/16 16:27:36 | 00,000,000 | ---D | C] -- C:\Documents and Settings\Jolene S\Application Data\Help
[2009/04/15 21:13:25 | 00,000,706 | ---- | C] () -- C:\Documents and Settings\All Users\Desktop\BitTorrent.lnk
[2009/04/15 21:13:24 | 00,000,000 | ---D | C] -- C:\Documents and Settings\Jolene S\Application Data\BitTorrent
[2009/04/15 21:12:53 | 00,000,000 | ---D | C] -- C:\Documents and Settings\Jolene S\Application Data\DNA
[2009/04/15 21:12:52 | 00,000,000 | ---D | C] -- C:\Program Files\BitTorrent
[2009/04/15 12:06:25 | 00,268,648 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\mucltui.dll
[2009/04/15 12:06:25 | 00,208,744 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\muweb.dll
[2009/04/15 12:06:25 | 00,027,496 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\mucltui.dll.mui
[2009/04/15 03:35:21 | 00,046,352 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\setdebug.exe
[2009/04/15 03:35:20 | 00,171,280 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\jit.dll
[2009/04/15 03:35:19 | 00,007,315 | ---- | C] () -- C:\WINDOWS\System32\javasup.vxd
[2009/04/15 03:35:17 | 00,006,550 | ---- | C] () -- C:\WINDOWS\jautoexp.dat
[2009/04/15 03:35:16 | 00,313,856 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\dx3j.dll
[2009/04/15 03:35:00 | 00,000,113 | ---- | C] () -- C:\WINDOWS\System32\zonedon.reg
[2009/04/15 03:34:58 | 00,000,113 | ---- | C] () -- C:\WINDOWS\System32\zonedoff.reg
[2009/04/15 03:34:56 | 00,171,792 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\wjview.exe
[2009/04/15 03:34:55 | 00,286,992 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\vmhelper.dll
[2009/04/15 03:34:53 | 00,021,264 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\msjdbc10.dll
[2009/04/15 03:34:52 | 00,947,472 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\msjava.dll
[2009/04/15 03:34:51 | 00,154,384 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\msawt.dll
[2009/04/15 03:34:50 | 00,172,304 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\jview.exe
[2009/04/15 03:34:49 | 00,015,120 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\jdbgmgr.exe
[2009/04/15 03:34:47 | 00,404,752 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\javart.dll
[2009/04/15 03:34:47 | 00,021,444 | ---- | C] () -- C:\WINDOWS\System32\javasec.hlp
[2009/04/15 03:34:45 | 00,063,248 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\javaprxy.dll
[2009/04/15 03:34:44 | 00,011,403 | ---- | C] () -- C:\WINDOWS\System32\javaperm.hlp
[2009/04/15 03:34:43 | 00,187,152 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\javacypt.dll
[2009/04/15 03:34:42 | 00,049,424 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\clspack.exe
[2009/04/15 03:34:03 | 00,000,224 | ---- | C] () -- C:\WINDOWS\MATLAB.INI
[2009/04/15 03:33:49 | 00,645,120 | ---- | C] () -- C:\WINDOWS\System32\config.gms
[2009/04/15 03:28:46 | 00,148,992 | ---- | C] () -- C:\WINDOWS\System32\mllink5.dll
[2009/04/15 03:28:46 | 00,000,020 | ---- | C] () -- C:\WINDOWS\exlink.ini
[2009/04/15 03:26:02 | 00,000,587 | ---- | C] () -- C:\Documents and Settings\All Users\Desktop\MATLAB 5.3.lnk
[2009/04/15 03:25:21 | 00,000,000 | ---D | C] -- C:\MATLABR11
[2009/04/15 03:22:22 | 00,000,000 | ---D | C] -- C:\Program Files\Multisim7
[2009/04/15 03:17:20 | 00,192,784 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\Tabctl32.ocx
[2009/04/15 03:17:20 | 00,129,808 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\Comdlg32.ocx
[2009/04/15 03:17:19 | 01,045,776 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\Msjet35.dll
[2009/04/15 03:17:19 | 00,407,312 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\Msrepl35.dll
[2009/04/15 03:17:19 | 00,368,912 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\Vbar332.dll
[2009/04/15 03:17:19 | 00,252,176 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\Msrd2x35.dll
[2009/04/15 03:17:19 | 00,123,664 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\Msjint35.dll
[2009/04/15 03:17:19 | 00,089,360 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\Vb5db.dll
[2009/04/15 03:17:19 | 00,024,848 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\Msjter35.dll
[2009/04/15 03:17:18 | 00,000,000 | ---D | C] -- C:\Program Files\Your Company
[2009/04/15 03:16:58 | 00,000,000 | ---D | C] -- C:\TEMP
[2009/04/14 10:52:13 | 00,000,000 | ---D | C] -- C:\Documents and Settings\Jolene S\Application Data\vlc
[2009/04/14 10:50:12 | 00,000,719 | ---- | C] () -- C:\Documents and Settings\All Users\Desktop\VLC media player.lnk
[2009/04/13 00:58:28 | 00,000,000 | ---D | C] -- C:\Documents and Settings\Jolene S\Application Data\Media Player Classic
[2009/04/13 00:54:27 | 00,000,931 | ---- | C] () -- C:\Documents and Settings\All Users\Desktop\Media Player Classic.lnk
[2009/04/13 00:54:09 | 00,278,528 | ---- | C] (Real Networks, Inc) -- C:\WINDOWS\System32\pncrt.dll
[2009/04/13 00:54:06 | 00,499,712 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\msvcp71.dll
[2009/04/13 00:54:06 | 00,348,160 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\msvcr71.dll
[2009/04/13 00:54:04 | 00,000,000 | ---D | C] -- C:\Program Files\Real Alternative
[2009/04/13 00:54:04 | 00,000,000 | ---D | C] -- C:\Documents and Settings\Jolene S\Application Data\Real
[2009/04/13 00:54:04 | 00,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Application Data\Real
[2009/04/13 00:00:51 | 00,000,000 | ---D | C] -- C:\Program Files\VideoLAN
[2009/04/12 22:44:57 | 00,000,192 | ---- | C] () -- C:\WINDOWS\System32\EDIT.INI
[2009/04/12 17:08:26 | 00,000,000 | ---D | C] -- C:\Program Files\MyLanViewer
[2009/04/12 17:08:06 | 00,000,000 | ---D | C] -- C:\Documents and Settings\Jolene S\Application Data\WinRAR
[2009/04/12 11:49:36 | 00,000,000 | ---D | C] -- C:\Documents and Settings\Jolene S\My Documents\Downloads
[2009/04/12 11:42:11 | 00,000,000 | ---D | C] -- C:\Program Files\DNA
[2009/04/08 20:03:45 | 00,006,272 | ---- | C] () -- C:\WINDOWS\System32\drivers\ASLM75.SYS
[2009/04/08 20:01:32 | 00,000,044 | ---- | C] () -- C:\WINDOWS\System32\msssc.dll
[2009/04/08 20:00:06 | 00,002,852 | ---- | C] () -- C:\WINDOWS\Ascd_tmp.ini
[2009/04/08 20:00:04 | 00,005,824 | ---- | C] () -- C:\WINDOWS\System32\drivers\ASUSHWIO.SYS
[2004/09/17 17:37:42 | 00,061,440 | ---- | C] () -- C:\WINDOWS\System32\vuins32.dll
[2001/08/23 17:30:00 | 00,000,573 | ---- | C] () -- C:\WINDOWS\win.ini
[2001/08/23 17:30:00 | 00,000,231 | ---- | C] () -- C:\WINDOWS\system.ini

========== Files - Modified Within 30 Days ==========

[1 C:\WINDOWS\System32\*.tmp files]
[3 C:\WINDOWS\*.tmp files]
[2009/05/11 14:39:41 | 00,000,428 | -H-- | M] () -- C:\WINDOWS\tasks\User_Feed_Synchronization-{A92E7D5F-342A-4C85-8E0D-43FA25949483}.job
[2009/05/11 14:39:40 | 00,000,224 | ---- | M] () -- C:\WINDOWS\MATLAB.INI
[2009/05/11 14:38:29 | 00,000,882 | ---- | M] () -- C:\WINDOWS\tasks\GoogleUpdateTaskMachine.job
[2009/05/11 14:38:25 | 00,000,006 | -H-- | M] () -- C:\WINDOWS\tasks\SA.DAT
[2009/05/11 14:38:24 | 00,000,062 | -HS- | M] () -- C:\Documents and Settings\Jolene S\Local Settings\desktop.ini
[2009/05/11 14:38:23 | 00,002,048 | --S- | M] () -- C:\WINDOWS\bootstat.dat
[2009/05/11 14:36:30 | 00,000,368 | RHS- | M] () -- C:\autorun.inf
[2009/05/11 10:47:14 | 00,000,696 | ---- | M] () -- C:\Documents and Settings\All Users\Desktop\Malwarebytes' Anti-Malware.lnk
[2009/05/11 08:22:04 | 00,000,010 | ---- | M] () -- C:\WINDOWS\System32\kr_done1
[2009/05/06 15:03:23 | 00,006,230 | ---- | M] () -- C:\WINDOWS\RIDE.ini
[2009/05/06 15:00:02 | 00,036,352 | ---- | M] () -- C:\WINDOWS\System32\SX32W.DLL
[2009/05/06 15:00:01 | 00,135,680 | ---- | M] (Sampson Multimedia ®) -- C:\WINDOWS\System32\crypto32.dll
[2009/05/06 14:44:37 | 00,000,000 | -H-- | M] () -- C:\WINDOWS\msds.dat
[2009/05/05 14:21:12 | 00,001,727 | ---- | M] () -- C:\Documents and Settings\Jolene S\Desktop\Gmail.lnk
[2009/05/05 07:28:11 | 00,000,829 | ---- | M] () -- C:\Documents and Settings\Jolene S\Desktop\Rhymesaurus FREE Edition.lnk
[2009/05/02 20:02:59 | 00,314,508 | ---- | M] () -- C:\WINDOWS\System32\perfh009.dat
[2009/05/02 20:02:59 | 00,040,836 | ---- | M] () -- C:\WINDOWS\System32\perfc009.dat
[2009/05/02 20:02:58 | 00,356,738 | ---- | M] () -- C:\WINDOWS\System32\PerfStringBackup.INI
[2009/04/29 13:07:45 | 00,000,720 | ---- | M] () -- C:\Documents and Settings\Jolene S\Start Menu\Programs\Startup\MyLanViewer.lnk
[2009/04/28 07:30:08 | 00,000,000 | RHS- | M] () -- C:\Documents and Settings\All Users\Documents\khq
[2009/04/27 11:24:49 | 00,000,000 | RHS- | M] () -- C:\Documents and Settings\All Users\Documents\kht
[2009/04/23 20:29:06 | 00,146,944 | ---- | M] () -- C:\Documents and Settings\Jolene S\My Documents\etctesyllabus.doc
[2009/04/23 15:41:21 | 00,000,573 | ---- | M] () -- C:\WINDOWS\win.ini
[2009/04/21 23:02:04 | 00,027,136 | ---- | M] () -- C:\Documents and Settings\All Users\Documents\This is to certify that.doc
[2009/04/16 12:55:32 | 00,001,374 | ---- | M] () -- C:\WINDOWS\imsins.BAK
[2009/04/15 21:13:25 | 00,000,706 | ---- | M] () -- C:\Documents and Settings\All Users\Desktop\BitTorrent.lnk
[2009/04/15 03:28:46 | 00,000,020 | ---- | M] () -- C:\WINDOWS\exlink.ini
[2009/04/15 03:26:02 | 00,000,587 | ---- | M] () -- C:\Documents and Settings\All Users\Desktop\MATLAB 5.3.lnk
[2009/04/14 10:50:12 | 00,000,719 | ---- | M] () -- C:\Documents and Settings\All Users\Desktop\VLC media player.lnk
[2009/04/13 00:54:27 | 00,000,931 | ---- | M] () -- C:\Documents and Settings\All Users\Desktop\Media Player Classic.lnk
[2009/04/12 22:44:57 | 00,000,192 | ---- | M] () -- C:\WINDOWS\System32\EDIT.INI
[2009/04/11 15:07:21 | 00,263,024 | ---- | M] () -- C:\WINDOWS\System32\FNTCACHE.DAT
< End of report >


extra.txt

OTListIt Extras logfile created on: 5/11/2009 2:42:09 PM - Run 1
OTListIt2 by OldTimer - Version 2.0.15.6 Folder = E:\geeks to go
Windows XP Professional Edition Service Pack 2 (Version = 5.1.2600) - Type = NTWorkstation
Internet Explorer (Version = 8.0.6001.18702)
Locale: 00000409 | Country: United States | Language: ENU | Date Format: M/d/yyyy

223.48 Mb Total Physical Memory | 39.51 Mb Available Physical Memory | 17.68% Memory free
546.65 Mb Paging File | 270.53 Mb Available in Paging File | 49.49% Paging File free
Paging file location(s): C:\pagefile.sys 336 672 [binary data]

%SystemDrive% = C: | %SystemRoot% = C:\WINDOWS | %ProgramFiles% = C:\Program Files
Drive C: | 12.00 Gb Total Space | 3.13 Gb Free Space | 26.09% Space Free | Partition Type: NTFS
Drive D: | 13.00 Gb Total Space | 4.65 Gb Free Space | 35.77% Space Free | Partition Type: FAT32
Drive E: | 12.29 Gb Total Space | 6.92 Gb Free Space | 56.29% Space Free | Partition Type: NTFS
F: Drive not present or media not loaded
G: Drive not present or media not loaded
H: Drive not present or media not loaded
I: Drive not present or media not loaded

Computer Name: JS-FA5AC93B58
Current User Name: Jolene S
Logged in as Administrator.

Current Boot Mode: Normal
Scan Mode: Current user
Output = Minimal
File Age = 30 Days
Company Name Whitelist: On

========== File Associations ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\<extension>]
.cpl [@ = cplfile] -- rundll32.exe shell32.dll,Control_RunDLL "%1",%*
.html [@ = htmlfile] -- C:\Program Files\Internet Explorer\IEXPLORE.EXE (Microsoft Corporation)
.reg [@ = regfile] -- regedit.exe "%1"

========== Security Center Settings ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center]
"FirstRunDisabled" = 1
"AntiVirusDisableNotify" = 0
"FirewallDisableNotify" = 0
"UpdatesDisableNotify" = 0
"AntiVirusOverride" = 0
"FirewallOverride" = 0
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\AhnlabAntiVirus]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\ComputerAssociatesAntiVirus]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\KasperskyAntiVirus]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\McAfeeAntiVirus]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\McAfeeFirewall]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\PandaAntiVirus]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\PandaFirewall]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\SophosAntiVirus]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\SymantecAntiVirus]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\SymantecFirewall]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\TinyFirewall]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\TrendAntiVirus]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\TrendFirewall]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\ZoneLabsFirewall]

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\GloballyOpenPorts\List
"139:TCP" = 139:TCP:*:Enabled:@xpsp2res.dll,-22004
"445:TCP" = 445:TCP:*:Enabled:@xpsp2res.dll,-22005
"137:UDP" = 137:UDP:*:Enabled:@xpsp2res.dll,-22001
"138:UDP" = 138:UDP:*:Enabled:@xpsp2res.dll,-22002

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile
"EnableFirewall" = 1

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\GloballyOpenPorts\List
"1900:UDP" = 1900:UDP:LocalSubNet:Disabled:@xpsp2res.dll,-22007
"2869:TCP" = 2869:TCP:LocalSubNet:Disabled:@xpsp2res.dll,-22008
"139:TCP" = 139:TCP:LocalSubNet:Enabled:@xpsp2res.dll,-22004
"445:TCP" = 445:TCP:LocalSubNet:Enabled:@xpsp2res.dll,-22005
"137:UDP" = 137:UDP:LocalSubNet:Enabled:@xpsp2res.dll,-22001
"138:UDP" = 138:UDP:LocalSubNet:Enabled:@xpsp2res.dll,-22002

========== Authorized Applications List ==========

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\AuthorizedApplications\List]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List]
E:\cc proxy 6.3.7\CCProxy.exe:*:Enabled:CCProxy Microsoft ()
C:\Program Files\Google\Google Talk\googletalk.exe:*:Enabled:Google Talk (Google)
C:\Program Files\Microsoft Office\Office12\OUTLOOK.EXE:*:Enabled:Microsoft Office Outlook (Microsoft Corporation)
C:\Program Files\Microsoft Office\Office12\GROOVE.EXE:*:Enabled:Microsoft Office Groove (Microsoft Corporation)
C:\Program Files\Microsoft Office\Office12\ONENOTE.EXE:*:Enabled:Microsoft Office OneNote (Microsoft Corporation)
C:\Program Files\BitTorrent\bittorrent.exe:*:Enabled:BitTorrent (BitTorrent, Inc.)
C:\Program Files\DNA\btdna.exe:*:Enabled:DNA (BitTorrent, Inc.)

========== HKEY_LOCAL_MACHINE Uninstall List ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall]
"{226b64e8-dc75-4eea-a6c8-abcb496320f2}-Google Talk" = Google Talk (remove only)
"{26A24AE4-039D-4CA4-87B4-2F83216013FF}" = Java™ 6 Update 13
"{350C97B0-3D7C-4EE8-BAA9-00BCB3D54227}" = WebFldrs XP
"{65F51F82-2FD7-49CD-A854-A3E0ED42BBBB}" = sc92031 NIC driver
"{87FDB1C6-785F-3482-B30E-FF2F2A021F65}" = Google Gears
"{89F4137D-6C26-4A84-BDB8-2E5A4BB71E00}" = Microsoft Silverlight
"{90120000-0010-0409-0000-0000000FF1CE}" = Microsoft Software Update for Web Folders (English) 12
"{90120000-0015-0409-0000-0000000FF1CE}" = Microsoft Office Access MUI (English) 2007
"{90120000-0015-0409-0000-0000000FF1CE}_ENTERPRISE_{4CA4ECC1-DBD4-4591-8F4C-AA12AD2D3E59}" = 2007 Microsoft Office Suite Service Pack 1 (SP1)
"{90120000-0016-0409-0000-0000000FF1CE}" = Microsoft Office Excel MUI (English) 2007
"{90120000-0016-0409-0000-0000000FF1CE}_ENTERPRISE_{4CA4ECC1-DBD4-4591-8F4C-AA12AD2D3E59}" = 2007 Microsoft Office Suite Service Pack 1 (SP1)
"{90120000-0018-0409-0000-0000000FF1CE}" = Microsoft Office PowerPoint MUI (English) 2007
"{90120000-0018-0409-0000-0000000FF1CE}_ENTERPRISE_{4CA4ECC1-DBD4-4591-8F4C-AA12AD2D3E59}" = 2007 Microsoft Office Suite Service Pack 1 (SP1)
"{90120000-0019-0409-0000-0000000FF1CE}" = Microsoft Office Publisher MUI (English) 2007
"{90120000-0019-0409-0000-0000000FF1CE}_ENTERPRISE_{4CA4ECC1-DBD4-4591-8F4C-AA12AD2D3E59}" = 2007 Microsoft Office Suite Service Pack 1 (SP1)
"{90120000-001A-0409-0000-0000000FF1CE}" = Microsoft Office Outlook MUI (English) 2007
"{90120000-001A-0409-0000-0000000FF1CE}_ENTERPRISE_{4CA4ECC1-DBD4-4591-8F4C-AA12AD2D3E59}" = 2007 Microsoft Office Suite Service Pack 1 (SP1)
"{90120000-001B-0409-0000-0000000FF1CE}" = Microsoft Office Word MUI (English) 2007
"{90120000-001B-0409-0000-0000000FF1CE}_ENTERPRISE_{4CA4ECC1-DBD4-4591-8F4C-AA12AD2D3E59}" = 2007 Microsoft Office Suite Service Pack 1 (SP1)
"{90120000-001F-0409-0000-0000000FF1CE}" = Microsoft Office Proof (English) 2007
"{90120000-001F-0409-0000-0000000FF1CE}_ENTERPRISE_{3EC77D26-799B-4CD8-914F-C1565E796173}" = 2007 Microsoft Office Suite Service Pack 1 (SP1)
"{90120000-001F-040C-0000-0000000FF1CE}" = Microsoft Office Proof (French) 2007
"{90120000-001F-040C-0000-0000000FF1CE}_ENTERPRISE_{430971B1-C31E-45DA-81E0-72C095BAB72C}" = 2007 Microsoft Office Suite Service Pack 1 (SP1)
"{90120000-001F-0C0A-0000-0000000FF1CE}" = Microsoft Office Proof (Spanish) 2007
"{90120000-001F-0C0A-0000-0000000FF1CE}_ENTERPRISE_{F7A31780-33C4-4E39-951A-5EC9B91D7BF1}" = 2007 Microsoft Office Suite Service Pack 1 (SP1)
"{90120000-002C-0409-0000-0000000FF1CE}" = Microsoft Office Proofing (English) 2007
"{90120000-0030-0000-0000-0000000FF1CE}" = Microsoft Office Enterprise 2007
"{90120000-0030-0000-0000-0000000FF1CE}_ENTERPRISE_{BEE75E01-DD3F-4D5F-B96C-609E6538D419}" = 2007 Microsoft Office Suite Service Pack 1 (SP1)
"{90120000-0044-0409-0000-0000000FF1CE}" = Microsoft Office InfoPath MUI (English) 2007
"{90120000-0044-0409-0000-0000000FF1CE}_ENTERPRISE_{4CA4ECC1-DBD4-4591-8F4C-AA12AD2D3E59}" = 2007 Microsoft Office Suite Service Pack 1 (SP1)
"{90120000-006E-0409-0000-0000000FF1CE}" = Microsoft Office Shared MUI (English) 2007
"{90120000-006E-0409-0000-0000000FF1CE}_ENTERPRISE_{FAD8A83E-9BAC-4179-9268-A35948034D85}" = 2007 Microsoft Office Suite Service Pack 1 (SP1)
"{90120000-00A1-0409-0000-0000000FF1CE}" = Microsoft Office OneNote MUI (English) 2007
"{90120000-00A1-0409-0000-0000000FF1CE}_ENTERPRISE_{4CA4ECC1-DBD4-4591-8F4C-AA12AD2D3E59}" = 2007 Microsoft Office Suite Service Pack 1 (SP1)
"{90120000-00BA-0409-0000-0000000FF1CE}" = Microsoft Office Groove MUI (English) 2007
"{90120000-00BA-0409-0000-0000000FF1CE}_ENTERPRISE_{4CA4ECC1-DBD4-4591-8F4C-AA12AD2D3E59}" = 2007 Microsoft Office Suite Service Pack 1 (SP1)
"{90120000-0114-0409-0000-0000000FF1CE}" = Microsoft Office Groove Setup Metadata MUI (English) 2007
"{90120000-0114-0409-0000-0000000FF1CE}_ENTERPRISE_{4CA4ECC1-DBD4-4591-8F4C-AA12AD2D3E59}" = 2007 Microsoft Office Suite Service Pack 1 (SP1)
"{90120000-0115-0409-0000-0000000FF1CE}" = Microsoft Office Shared Setup Metadata MUI (English) 2007
"{90120000-0115-0409-0000-0000000FF1CE}_ENTERPRISE_{FAD8A83E-9BAC-4179-9268-A35948034D85}" = 2007 Microsoft Office Suite Service Pack 1 (SP1)
"{90120000-0117-0409-0000-0000000FF1CE}" = Microsoft Office Access Setup Metadata MUI (English) 2007
"{90120000-0117-0409-0000-0000000FF1CE}_ENTERPRISE_{4CA4ECC1-DBD4-4591-8F4C-AA12AD2D3E59}" = 2007 Microsoft Office Suite Service Pack 1 (SP1)
"{A92DAB39-4E2C-4304-9AB6-BC44E68B55E2}" = Google Update Helper
"{AC76BA86-7AD7-1033-7B44-A91000000001}" = Adobe Reader 9.1
"{CDF97135-7FD2-4289-96B8-DD4505267ACD}" = ESET NOD32 Antivirus
"{F0A37341-D692-11D4-A984-009027EC0A9C}" = SoundMAX
"Adobe Flash Player ActiveX" = Adobe Flash Player 10 ActiveX
"DAO 3.5" = DAO 3.5
"ENTERPRISE" = Microsoft Office Enterprise 2007
"ERUNT_is1" = ERUNT 1.1j
"ie8" = Windows Internet Explorer 8
"Malwarebytes' Anti-Malware_is1" = Malwarebytes' Anti-Malware
"MatlabDeinstKey" = MATLAB 4-15-2009
"Multisim7" = Multisim 7
"RealAlt_is1" = Real Alternative 1.9.0
"RhymeIt_is1" = RhymeIt 1.0
"Rhymesaurus FREE Edition_is1" = Rhymesaurus FREE Edition (2.0.0.0)
"Ride" = RKit 6.1
"S3" = KM400/KN400 Display Driver and Utilities
"VLC media player" = VLC media player 0.9.9
"VN_VUIns_Rhine_VIA" = VIA Rhine-Family Fast Ethernet Adapter
"VTDisplay" = S3 S3Display
"VTGamma2" = S3 S3Gamma2
"VTInfo2" = S3 S3Info2
"VTOverlay" = S3 S3Overlay
"WinRAR archiver" = WinRAR archiver

========== HKEY_CURRENT_USER Uninstall List ==========

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall]
"BitTorrent" = BitTorrent
"BitTorrent DNA" = DNA

========== Last 10 Event Log Errors ==========

[ Application Events ]
Error - 4/23/2009 8:51:47 AM | Computer Name = JS-FA5AC93B58 | Source = SecurityCenter | ID = 1802
Description = The Windows Security Center Service was unable to establish event
queries with WMI to monitor third party AntiVirus and Firewall.

Error - 4/23/2009 9:43:05 AM | Computer Name = JS-FA5AC93B58 | Source = SecurityCenter | ID = 1802
Description = The Windows Security Center Service was unable to establish event
queries with WMI to monitor third party AntiVirus and Firewall.

Error - 4/23/2009 10:55:29 PM | Computer Name = JS-FA5AC93B58 | Source = SecurityCenter | ID = 1802
Description = The Windows Security Center Service was unable to establish event
queries with WMI to monitor third party AntiVirus and Firewall.

Error - 4/24/2009 3:08:25 AM | Computer Name = JS-FA5AC93B58 | Source = SecurityCenter | ID = 1802
Description = The Windows Security Center Service was unable to establish event
queries with WMI to monitor third party AntiVirus and Firewall.

Error - 4/24/2009 5:06:32 AM | Computer Name = JS-FA5AC93B58 | Source = SecurityCenter | ID = 1802
Description = The Windows Security Center Service was unable to establish event
queries with WMI to monitor third party AntiVirus and Firewall.

Error - 4/24/2009 8:29:31 AM | Computer Name = JS-FA5AC93B58 | Source = SecurityCenter | ID = 1802
Description = The Windows Security Center Service was unable to establish event
queries with WMI to monitor third party AntiVirus and Firewall.

[ System Events ]
Error - 5/7/2009 5:27:51 PM | Computer Name = JS-FA5AC93B58 | Source = Dhcp | ID = 1000
Description = Your computer has lost the lease to its IP address 123.236.175.101
on the Network Card with network address 000EA68FC036.

Error - 5/8/2009 2:25:32 PM | Computer Name = JS-FA5AC93B58 | Source = Dhcp | ID = 1000
Description = Your computer has lost the lease to its IP address 123.238.133.207
on the Network Card with network address 000EA68FC036.

Error - 5/10/2009 10:26:42 PM | Computer Name = JS-FA5AC93B58 | Source = Dhcp | ID = 1000
Description = Your computer has lost the lease to its IP address 123.238.133.184
on the Network Card with network address 000EA68FC036.

Error - 5/11/2009 1:12:45 AM | Computer Name = JS-FA5AC93B58 | Source = sr | ID = 1
Description = The System Restore filter encountered the unexpected error '0xC0000001'
while processing the file '' on the volume 'HarddiskVolume2'. It has stopped monitoring
the volume.

Error - 5/11/2009 1:16:03 AM | Computer Name = JS-FA5AC93B58 | Source = sr | ID = 1
Description = The System Restore filter encountered the unexpected error '0xC0000001'
while processing the file '' on the volume 'HarddiskVolume2'. It has stopped monitoring
the volume.

Error - 5/11/2009 3:43:46 AM | Computer Name = JS-FA5AC93B58 | Source = sr | ID = 1
Description = The System Restore filter encountered the unexpected error '0xC0000001'
while processing the file '' on the volume 'HarddiskVolume2'. It has stopped monitoring
the volume.

Error - 5/11/2009 4:38:31 AM | Computer Name = JS-FA5AC93B58 | Source = sr | ID = 1
Description = The System Restore filter encountered the unexpected error '0xC0000001'
while processing the file '' on the volume 'HarddiskVolume2'. It has stopped monitoring
the volume.

Error - 5/11/2009 4:42:39 AM | Computer Name = JS-FA5AC93B58 | Source = sr | ID = 1
Description = The System Restore filter encountered the unexpected error '0xC0000001'
while processing the file '' on the volume 'HarddiskVolume2'. It has stopped monitoring
the volume.

Error - 5/11/2009 4:59:49 AM | Computer Name = JS-FA5AC93B58 | Source = sr | ID = 1
Description = The System Restore filter encountered the unexpected error '0xC0000001'
while processing the file '' on the volume 'HarddiskVolume2'. It has stopped monitoring
the volume.

Error - 5/11/2009 5:08:28 AM | Computer Name = JS-FA5AC93B58 | Source = sr | ID = 1
Description = The System Restore filter encountered the unexpected error '0xC0000001'
while processing the file '' on the volume 'HarddiskVolume2'. It has stopped monitoring
the volume.


< End of report >
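
The firewall policy block in the extras log above lists each Windows Firewall port exception as port:protocol:scope:state:description. The following is an added Python example (my own, not OTL's code and not taken from any post in this thread) that parses those lines and flags exceptions that are Enabled with the any-address scope `*`; the sample input is the log excerpt itself, and the profile/scope semantics described in the comments are the standard XP SP2 firewall ones, not something the log states.

```python
"""Parse the Windows XP firewall port exceptions (GloballyOpenPorts) out of an
OTListIt extras log and flag the ones open to any remote address.

Added example for this thread, not OTL's code and not from any post.  The
value layout port:protocol:scope:state:description is read off the log lines
themselves; SAMPLE_LOG is copied from the extras log above."""
import re
from dataclasses import dataclass

# Excerpt of the extras log above: both FirewallPolicy profiles.
SAMPLE_LOG = r"""
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\GloballyOpenPorts\List
"139:TCP" = 139:TCP:*:Enabled:@xpsp2res.dll,-22004
"445:TCP" = 445:TCP:*:Enabled:@xpsp2res.dll,-22005
"137:UDP" = 137:UDP:*:Enabled:@xpsp2res.dll,-22001
"138:UDP" = 138:UDP:*:Enabled:@xpsp2res.dll,-22002

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile
"EnableFirewall" = 1

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\GloballyOpenPorts\List
"1900:UDP" = 1900:UDP:LocalSubNet:Disabled:@xpsp2res.dll,-22007
"2869:TCP" = 2869:TCP:LocalSubNet:Disabled:@xpsp2res.dll,-22008
"139:TCP" = 139:TCP:LocalSubNet:Enabled:@xpsp2res.dll,-22004
"445:TCP" = 445:TCP:LocalSubNet:Enabled:@xpsp2res.dll,-22005
"137:UDP" = 137:UDP:LocalSubNet:Enabled:@xpsp2res.dll,-22001
"138:UDP" = 138:UDP:LocalSubNet:Enabled:@xpsp2res.dll,-22002
"""

# A GloballyOpenPorts\List key line; group 1 is the profile name.
KEY_RE = re.compile(
    r"^\[?HKEY_LOCAL_MACHINE\\.*\\FirewallPolicy\\(\w+)\\GloballyOpenPorts\\List\]?$")
# One exception value: "name" = port:protocol:scope:state:description
ENTRY_RE = re.compile(
    r'^"[^"]+"\s*=\s*(\d+):(TCP|UDP):([^:]+):(Enabled|Disabled):(.*)$')
# NetBIOS / SMB ports behind the "File and Printer Sharing" exception.
FILE_SHARING_PORTS = {(137, "UDP"), (138, "UDP"), (139, "TCP"), (445, "TCP")}


@dataclass(frozen=True)
class PortRule:
    profile: str      # DomainProfile or StandardProfile
    port: int
    protocol: str
    scope: str        # "*" = any address, "LocalSubNet", or an address list
    enabled: bool
    description: str


def parse_open_ports(log_text):
    """Walk the log and collect the exception values under each ...\\List key."""
    profile, entries = None, []
    for raw in log_text.splitlines():
        line = raw.strip()
        if not line:
            continue
        key = KEY_RE.match(line)
        if key:
            profile = key.group(1)
            continue
        if line.startswith(("HKEY_", "[HKEY_")):
            profile = None        # some other key: its values are not port exceptions
            continue
        entry = ENTRY_RE.match(line)
        if entry and profile:
            port, proto, scope, state, desc = entry.groups()
            entries.append(PortRule(profile, int(port), proto, scope,
                                    state == "Enabled", desc))
    return entries


def exposed_to_any_address(entries):
    """Enabled exceptions whose scope is '*' accept traffic from any remote host."""
    return [e for e in entries if e.enabled and e.scope == "*"]


def file_sharing_exposure(entries):
    """(profile, port, protocol) of file-sharing ports open to any address."""
    return sorted((e.profile, e.port, e.protocol)
                  for e in exposed_to_any_address(entries)
                  if (e.port, e.protocol) in FILE_SHARING_PORTS)


if __name__ == "__main__":
    found = parse_open_ports(SAMPLE_LOG)
    print(f"{len(found)} exceptions parsed")
    for profile, port, proto in file_sharing_exposure(found):
        print(f"{profile}: {port}/{proto} open to any address")
```

In this log the `*` scope appears only under DomainProfile. On XP SP2 the Domain profile is applied only while the machine is joined to and connected to its domain; the environment dump later in the thread shows USERDOMAIN equal to the computer name, so the Standard profile (firewall on, sharing ports limited to LocalSubNet) should be the one in force here. The check is still worth running on any such log, since an `*`-scoped 139/445 exception in the active profile exposes SMB to everything upstream of the machine, which matters for a box that also acts as the floor's proxy.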

#2 Extremeboy

  • Group: Retired Staff
  • Posts: 824
  • Joined: 12-February 09

Posted 12 May 2009 - 03:20 PM

Hello.

Rootkits are very nasty. Read below and let me know what you decide to do.

Rootkit Threat

Unfortunately, one or more of the identified infections is a rootkit/backdoor trojan.

IMPORTANT NOTE: Rootkits and backdoor Trojans are very dangerous because they use advanced techniques (backdoors) as a means of accessing a computer system that bypasses security mechanisms and steal sensitive information which they send back to the hacker. Many rootkits can hook into the Windows 32-bit kernel, and patch several APIs to hide new registry keys and files they install. Remote attackers use backdoor Trojans and rootkits as part of an exploit to gain unauthorized access to a computer and take control of it without your knowledge.

If your computer was used for online banking, has credit card information or other sensitive data on it, you should immediately disconnect from the Internet until your system is cleaned. All passwords should be changed immediately to include those used for banking, email, eBay, paypal and online forums. You should consider them to be compromised. You should change each password by using a different computer and not the infected one. If not, an attacker may get the new passwords and transaction information. If using a router, you need to reset it with a strong logon/password so the malware cannot gain control before connecting again. Banking and credit card institutions should be notified of the possible security breach. Because your computer was compromised please read How Do I Handle Possible Identify Theft, Internet Fraud and CC Fraud?

Although the rootkit has been identified and may be removed, your PC has likely been compromised and there is no way to be sure the computer can ever be trusted again. It is dangerous and incorrect to assume that because this malware has been removed the computer is now secure. In some instances an infection may have caused so much damage to your system that it cannot be completely cleaned or repaired. The malware may leave so many remnants behind that security tools cannot find them. Many experts in the security community believe that once infected with this type of malware, the best course of action is to wipe the drive clean, reformat and reinstall the OS. Please read:
Should you decide not to follow that advice, we will do our best to help clean the computer of any infections but we cannot guarantee it to be trustworthy or that the removal will be successful. Tell me what you want to do.

With Regards,
Extremeboy

#3 jolene singh

  • Group: Member
  • Posts: 104
  • Joined: 11-May 09

Posted 12 May 2009 - 07:15 PM

Thank you for replying. I think I'll go with disinfection instead of reformat. I'll state my reasons and would appreciate any reasons from your side to go for re-format instead.
1. I have never accessed banking sites from my comp. My password database is of my email account, and my free SMS account (this means my cell phone number is also available in memory, I think).

2. I have already formatted my comp twice in the last 6 months due to such trojans again, and think too much formatting may harm the computer somehow. Plus I don't wanna lose my data.

I would like to mention here that I am the net server of my hostel floor, so my comp stays on 24x7 logged into the net with a few hours of break in between. I am connected to the LAN all the time. Do my LAN members also face the risk of being infected by this??

Again, thank you very much for replying.

#4 jolene singh

  • Group: Member
  • Posts: 104
  • Joined: 11-May 09

Posted 14 May 2009 - 09:01 PM

No reply!

#5 Extremeboy

  • Group: Retired Staff
  • Posts: 824
  • Joined: 12-February 09

Posted 15 May 2009 - 07:37 PM

Hello.

I apologize for the delay once again :)

Let's continue. We will start off with Combofix.

Download and Run ComboFix (Rename Before Saving)


Note to readers of this post other than the starter of this thread:
ComboFix is a VERY POWERFUL tool which should NOT BE USED without guidance of an expert.

Download Combofix from any of the links below. You must rename it before saving it. Save it to your desktop.

Link 1
Link 2
Link 3

Refer to the page below for further instructions on running ComboFix. This includes installing the Recovery Console. Note that you do not need your Windows XP disk to install it. Refer to this page if you are unsure how.

Double click on Combo-Fix.exe & follow the prompts.

When finished, it will produce and open a report for you. Post back with it. It is at C:\ComboFix.txt.

Do not mouseclick the ComboFix window while it's running. That may cause it to stall.

With Regards,
Extremeboy

#6 jolene singh

  • Group: Member
  • Posts: 104
  • Joined: 11-May 09

Posted 15 May 2009 - 09:51 PM

Thanks for responding.

Combo-Fix wouldn't run on my computer. It is running on my friend's laptop, but not my comp. A small bar appears which shows "loading" kind of orange blocks, but then nothing happens.

My NOD32 antivirus noted another virus when my comp was online for the recovery console:
\\?\globalroot\systemroot\system32\gxvxcylhoqvlewxorumqpkovcmkyhwhcpxrkr.dll a variant of Win32/Kryptik.PF trojan


So I won't connect my comp to the net till the rootkit thing is gone. Also a file called "bug" got created in my C drive. I'm copying its contents below:

Killing 'n.com'
"C:\32788R22FWJFW\n.com" cmdwait 2500 exec hide "~$folder.system$\cmd.execf" /c 32788R22FWJFW\prep.cmd (2840)
Killing 'n.com'

PUSHD "C:\32788R22FWJFW"
1 file(s) copied.
1 file(s) copied.

IF NOT EXIST C:\WINDOWS\system32\cmd.exe GOTO Not_NT

IF EXIST OsVer EXIT

VER 1>OsVer

GREP.cfexe -F "5.2." OsVer

IF 1 == 0 GOTO Not_NT

GREP.cfexe -F "5.1.2" OsVer
Microsoft Windows XP [Version 5.1.2600]

IF 0 == 0 GOTO NT

=============================================

ALLUSERSPROFILE=C:\Documents and Settings\All Users
APPDATA=C:\Documents and Settings\Jolene S\Application Data
CFLDR=32788R22FWJFW
Chksum=822B3A7745F84AEE081C8DFBD8AF430F
CLIENTNAME=Console
CommonProgramFiles=C:\Program Files\Common Files
COMPUTERNAME=JS-FA5AC93B58
ComSpec=C:\WINDOWS\system32\cmd.execf
FP_NO_HOST_CHECK=NO
HOMEDRIVE=C:
HOMEPATH=\Documents and Settings\Jolene S
KMD=CF9998.exe
LOGONSERVER=\\JS-FA5AC93B58
NUMBER_OF_PROCESSORS=1
OS=Windows_NT
Path=C:\32788R22FWJFW;C:\Program Files\Internet Explorer;;%SystemRoot%\system32;%SystemRoot%;%SystemRoot%\System32\Wbem;C:\MATLABR11\bin;c:\RIDE\Bin;C:\MATLABR11\bin;
PATHEXT=.CFEXE;.COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH
PROCESSOR_ARCHITECTURE=x86
PROCESSOR_IDENTIFIER=x86 Family 6 Model 8 Stepping 1, AuthenticAMD
PROCESSOR_LEVEL=6
PROCESSOR_REVISION=0801
ProgramFiles=C:\Program Files
PROMPT=$
Qrntn=C:\Qoobox\Quarantine
RKEY_=hklm\software\microsoft\windows nt\currentversion\windows
SESSIONNAME=Console
sfxcmd="C:\Documents and Settings\Jolene S\Desktop\Combo-Fix.exe"
sfxname=C:\Documents and Settings\Jolene S\Desktop\Combo-Fix.exe
SYSTEM=C:\WINDOWS\system32
SystemDrive=C:
SystemRoot=C:\WINDOWS
TEMP=C:\DOCUME~1\JOLENE~1\LOCALS~1\Temp
TMP=C:\DOCUME~1\JOLENE~1\LOCALS~1\Temp
USERDOMAIN=JS-FA5AC93B58
USERNAME=Jolene S
USERPROFILE=C:\Documents and Settings\Jolene S
windir=C:\WINDOWS

=============================================


IF NOT DEFINED sfxname GOTO END

IF EXIST C:\cfDebug.cmd DEL /A/F C:\cfDebug.cmd

CALL sfx.cmd

CALL AV.cmd

SET /a AVCount+=1

CSCRIPT.exe //NOLOGO //E:VBSCRIPT //B //T:08 av.vbs

GREP -E "^(AV|SP): .*enabled\* \(" Resident.txt 1>AVChk && (
SED -r "/\{D68DDC3A-831F-4FAE-9E44-DA132C1ACF46\}/Id; s/^AV:/antivirus: /; s/^SP:/antispyware: /; s/ \*(On-access scanning |)enabled\*.*//" AVChk | SED ":a; $!N;s/\n/~n/;ta" 1>AVChkB
NIRCMD LOOP 2 80 BEEP 3000 200
IF 1 LEQ 1 FOR /F "TOKENS=*" %G IN (AVChkB) DO @NIRCMD INFOBOX "ComboFix has detected the following real time scanner(s) to be active:~n~n%G~n~nAntivirus and intrusion prevention programs are known to interfere~nwith ComboFix's running. This may lead to unpredictable results or~npossible machine damage.~n~nPlease disable these scanners before clicking 'OK'." "Warning !!" "" && GOTO Av-check
IF 1 GTR 1 FOR /F "TOKENS=*" %G IN (AVChkB) DO @NIRCMD INFOBOX "%G~n~nThe above real time scanner(s) are still active but ComboFix shall~ncontinue to run. Kindly note that this is at your own risk" "Warning !!" ""
)

DEL /A/F/Q AVChk?

SET AVCount=

PV -kf thguard.exe ntvdm.exe teatimer.exe ad-watch.exe Ad-Watch2007.exe SZServer.exe StopZilla*.exe userinit.exe msascui.exe procmon.exe mcagent.exe mcmscsvc.exe mcnasvc.exe mcproxy.exe mcshield.exe MPFSrv.exe MskSrver.exe mcsysmon.exe mcvsshld.exe mcvsmap.exe 1>N_\16197 2>&1

IF EXIST OsVer00 CALL :Vista

IF /I "C:\32788R22FWJFW" NEQ "C:\32788R22FWJFW" GOTO Abort

IF EXIST "C:\DOCUME~1\JOLENE~1\LOCALS~1\Temp\32788R22FWJFW32788R22FWJFW.log" DEL /A/F "C:\DOCUME~1\JOLENE~1\LOCALS~1\Temp\32788R22FWJFW32788R22FWJFW.log"

(
SET "FileName=Combo-Fix"
SET "FilePath=C:\Documents and Settings\Jolene S\Desktop\"
)

SET FileName 1>FileName

GREP -isqx "FileName=[-[:alnum:]@.]*" FileName || GOTO AbortB

DIR /AD/B C:\* | FINDSTR -IVX ComboFix 1>DirName00

#7 Extremeboy

  • Group: Retired Staff
  • Posts: 824
  • Joined: 12-February 09

Posted 16 May 2009 - 08:44 AM

Hello.

First you need to understand that we are probably in different time zones. When I replied to you yesterday it was about 10:00 pm for me. I needed to go to bed and therefore could not reply to you.

Let's do this. Please DISABLE your ESET or ANY of your security programs before proceeding as they interfere with the run of Combofix.

Download and Run Combofix

Important: Before we start please disable any anti-virus programs or any real-time protection that is enabled.

Please refer to this page if you're unsure how.

Please delete Combofix you currently have and re-download it from one of those links and when saving it please re-name it to CFTool.exe

Note: The Windows Recovery Console will allow you to boot up into a special recovery (repair) mode. This allows us to more easily help you
should your computer have a problem after an attempted removal of malware. It is a simple procedure that will only take a few moments of your time.

  • Download the appropriate Windows XP setup boot disk and drag it onto CFTool.exe like the image below. Yes, the picture says Combofix.exe, but when you drag it onto Combofix, Combofix should have been renamed to CFTool.exe:
    Posted Image
  • Follow the prompts to start ComboFix and when prompted, agree to the End-User License Agreement to install the Microsoft Recovery Console.
  • After you successfully install the Recovery Console, you will see this window.
    Posted Image
  • At the next prompt, click NO to skip the ComboFix scan for now.
  • Save all documents or windows that are open, because while Combofix is running you won't have an internet connection and everything will be closed.
    Combofix should be called CFTool.exe since you re-named it and should also be on your DESKTOP.
  • Click on your Start Menu, then Run, In the run box type:
    "%userprofile%\desktop\CFTool.exe" /killall

  • Combofix will now run
  • When finished, it will produce a report for you. Please post the contents of the log (C:\ComboFix.txt).

Leave your computer alone while ComboFix is running.
ComboFix will restart your computer if malware is found; allow it to do so.


Note: Please Do NOT mouseclick Combofix's window while it's running because it may cause it to stall.

Let me know how it goes and post the log once it's done. IF you have any problems let me know.

With Regards,
Extremeboy

#8 jolene singh

  • Group: Member
  • Posts: 104
  • Joined: 11-May 09

Posted 16 May 2009 - 10:46 AM

Hi Extremeboy,
I'm sorry for sounding imprudent.
I'll tell you the progress till now.
I went to the bootdisk.com site, which directed me to Microsoft. There I reached the following page:

http://www.microsoft.com/downloads/details...B7-4FED408EA73F

But the download didn't start. Where do I download the bootdisk from?? I have Windows XP Professional. I have downloaded Combofix again and saved it as CFTool.exe.

#9 jolene singh

  • Group: Member
  • Posts: 104
  • Joined: 11-May 09

Posted 16 May 2009 - 11:02 AM

I managed to download the XP boot setup. Same site but another computer. But CFTool.exe also doesn't work. The same loading kind of bar appears and then nothing happens. Combofix doesn't start... I was asked to close CCProxy though... but still no Combofix running here.

#10 Extremeboy

  • Group: Retired Staff
  • Posts: 824
  • Joined: 12-February 09

Posted 16 May 2009 - 12:02 PM

Hello.

Let's do the following.

Do not worry about the Recovery Console for now.

Make sure CFTool.exe is on your desktop and do the following.

How to Boot into Safe Mode

I suggest you read over the instructions on how to boot into Safe Mode and then print these instructions out or save them in Notepad because you won't have access to this page while in Safe Mode.

Start in Safe Mode Using the F8 method:
  • Restart the computer.
  • As soon as the BIOS is loaded begin tapping the F8 key until the boot menu appears.
  • Use your arrow keys to navigate and highlight Safe Mode.
  • Hit Enter.
  • You will now be asked to choose your operating system. Again, use the arrow keys to select Microsoft Windows XP.
  • Hit Enter.

Your computer will proceed to booting into Safe Mode. During the boot process, you may see random code go past your screen. Simply wait for it to pass. Your computer should boot as usual, except with Safe Mode written in the corners of your screen. Your screen may also appear to be a different size because the video drivers are not loaded properly in Safe Mode.

After the boot, you will be asked whether you wish to use system restore, or to continue to Safe Mode. Select OK to choose Safe mode.


Additional instructions on booting into Safe Mode can be found here

Once you are in Safe Mode:

  • Click on your Start Menu, then Run, In the run box type:
    "%userprofile%\desktop\CFTool.exe" /killall

  • Combofix will now run
  • When finished, it will produce a report for you. Please post the contents of the log (C:\ComboFix.txt).

Let me know how it goes.

If Combofix still doesn't work let me know. If you can provide a screenshot as well or describe what part Combofix doesn't run let me know.

With Regards,
Extremeboy

#11 jolene singh

  • Group: Member
  • Posts: 104
  • Joined: 11-May 09

Posted 16 May 2009 - 06:15 PM

Hi Extremeboy,
I'm so sorry. IT STILL DOESN'T WORK.
I'll tell you what I did:
1. Press F8 at startup.
2. Many options came. There were three concerned with safe mode:
(i) safe mode
(ii) safe mode with networking
(iii) safe mode with command prompt
---- I chose the first one.
3. Then the option to start the recovery console came. I clicked no.
4. Then I got the option to choose between users (which is weird because I have only one user installed, myself as administrator; my profile name is "Jolene S"). The two options were "administrator" and "Jolene S".
CFTool was on the desktop only for "Jolene S", so I typed the run command here.

5. I got a response saying "cannot find "'%userprofile%\desktop\CFTool.exe"/killall'".
I tried writing only CFTool too instead of CFTool.exe (I dunno if that should have made any difference). Still "cannot find".

I am attaching Paint files of the screens. The print screen didn't respond while the loading kind of orange bar of Combofix appears, so I couldn't show you that stage, but it does come, and then nothing happens (this is of course when Windows is started normally).

Attached File(s)

  • Attached File  cft3.bmp (123.05K)
  • Attached File  cft4.bmp (39.92K)


#12 jolene singh

  • Group: Member
  • Posts: 104
  • Joined: 11-May 09

Posted 16 May 2009 - 08:27 PM

Please do tell me one more thing. If I reconnect my computer to the net, while we try to solve the rootkit, and continue being the net server, will there be any problem...for me or for my lan members?

#13 Extremeboy

  • Group: Retired Staff
  • Posts: 824
  • Joined: 12-February 09

Posted 17 May 2009 - 10:21 AM

Hello.

jolene singh, on May 16 2009, 10:27 PM, said:

Please do tell me one more thing. If I reconnect my computer to the net, while we try to solve the rootkit, and continue being the net server, will there be any problem...for me or for my lan members?

It may be possible that there is another infection on board that may infect other computers connected to the same network. However, I would say avoid using the net as much as possible.

Can you just double-click and run it? It probably won't work, but it's worth another try. If not, then please continue with the following:

First question: Do you still have your OS disk available to you?

I need to see a detailed rootkit scan. Please run one of the rootkit scans, preferably GMER, but it may not work, so if it doesn't, run Rooter instead.

FOR GMER please DOWNLOAD THE RANDOMLY named one.

Download and Run Scan with GMER

We will use GMER to scan for rootkits.
  • Please download GMER from one of the following locations, and save it to your desktop:

    This version will download a zip file you will need to extract first. If you use this mirror, please extract the zip file to your desktop. Unzip/extract the file to its own folder. (Click here for information on how to do this if not sure. Win 2000 users click here.)

  • Close any and all open programs, as this process may crash your computer.
  • Double click Posted Image (It will be randomly named) or Posted Image on your desktop.

  • When you have done this, close all running programs.
    There is a small chance this application may crash your computer so save any work you have open.

  • Double-click on Gmer.exe to start the program. Right-click and select Run As Administrator... if you are using Vista
  • Allow the gmer.sys driver to load if asked.
    If it detects rootkit activity, you will receive a prompt (refer below) to run a full scan. Click NO.


  • In the right panel, you will see several boxes that have been checked. Please UNCHECK the following:
    • Sections
    • IAT/EAT
    • Drives/Partition other than Systemdrive (typically C:\)
    • Show all (Don't miss this one!)

  • Click the scan button and wait for the scan to finish.
  • If you see a rootkit warning window, click OK.
  • Push the save button and save the logfile to your desktop.
  • Copy and Paste the contents of that file in your next post.

If GMER doesn't work in Normal Mode try running it in Safe Mode

Note: Do Not run any program while GMER is running
*Note*: Rootkit scans often produce false positives. Do NOT take any actions on "<--- ROOTKIT" entries.

IF GMER DOESN'T WORK THEN RUN THIS ROOTKIT SCAN INSTEAD

Download and run RootRepeal CR

Please download RootRepeal to your desktop
  • Physically disconnect your machine from the internet as your system will be unprotected.
  • Unzip it to its own folder.
  • Close/Disable all other programs, especially your security programs (anti-spyware, anti-virus, and firewall). Refer to this page if you are unsure how.
  • Double-click on RootRepeal.exe to run it. If you are using Vista, please right-click and run as Administrator...
  • Click the Report tab at the bottom.
  • Now click the Scan button in the Report Tab.
  • A box will pop up; check the boxes beside ALL SIX.
  • Now click OK.
  • Another box will open; check the boxes beside all the drives, e.g. C:\, then click OK.
  • The scan will take a little while to run, so let it go unhindered.
  • Once it is done, click the Save Report button.
  • Save it as RepealScan and save it to your desktop.
  • Reconnect to the internet.
  • Post the log here in your reply.


With Regards,
Extremeboy

#14 jolene singh

  • Group: Member
  • Posts: 104
  • Joined: 11-May 09

Posted 17 May 2009 - 10:41 AM

thank you
status: both files downloaded. disconnecting from the net. will start the gmer scan now.

regards
jolene

#15 jolene singh

  • Group: Member
  • Posts: 104
  • Joined: 11-May 09

Posted 17 May 2009 - 10:49 AM

a question.
in the gmer scan, you said i should uncheck all drives and partitions other than the system drive.
i am a bit confused here. i have attached a paint file of the screen. please tell me if the checks are okay and if i should proceed.

Attached Image: gmer_c.jpg

