
HELP! url.urtbk.com Virus? Spyware? Trojan?


#1
KINNEY1978
    Member
  • 62 posts
Please Help!

I am operating XP SP2.

Yesterday afternoon, my pc began popping up internet explorer windows one after another filling up the screen faster than I could X them out. The links begin with "url.urtbk.com". I think I may have caught some type of virus. I've tried everything from McAfee to Malwarebytes Anti-Malware. They either start and then close after a few seconds, or they won't start at all. I've even tried in safe mode with no luck. Now my computer is slow. Practically can't do anything. I'm having trouble even getting it to process this post.

Please help ASAP!

Thanks in advance!!!!

#2
kahdah
    GeekU Teacher
  • Retired Staff
  • 15,822 posts
Hello KINNEY1978

Welcome to G2Go. :)
=====================
  • Download OTL to your desktop.
  • Double click on the icon to run it. Make sure all other windows are closed and to let it run uninterrupted.
  • When the window appears, underneath Output at the top change it to Minimal Output.
  • Under the Standard Registry box change it to All.
  • Check the boxes beside LOP Check and Purity Check.
  • Click the Run Scan button. Do not change any settings unless otherwise told to do so. The scan won't take long.
  • When the scan completes, it will open two notepad windows. OTListIt.Txt and Extras.Txt. These are saved in the same location as OTListIt2.
  • Please copy (Edit->Select All, Edit->Copy) the contents of these files, one at a time, and post it with your next reply.
===========
Download This file. Note its name and save it to your root folder, such as C:\.

  • Disconnect from the Internet and close all running programs.
  • Temporarily disable any real-time active protection so your security program drivers will not conflict with this file.
  • Click on this link to see a list of programs that should be disabled.
  • Double-click on the downloaded file to start the program. (If running Vista, right click on it and select "Run as an Administrator")
  • Allow the driver to load if asked.
  • You may be prompted to scan immediately if it detects rootkit activity.
  • If you are prompted to scan your system click "Yes" to begin the scan.
  • If not prompted, click the "Rootkit/Malware" tab.
  • On the right-side, all items to be scanned should be checked by default except for "Show All". Leave that box unchecked.
  • Select all drives that are connected to your system to be scanned.
  • Click the Scan button to begin. (Please be patient as it can take some time to complete)
  • When the scan is finished, click Save to save the scan results to your Desktop.
  • Save the file as Results.log and copy/paste the contents in your next reply.
  • Exit the program and re-enable all active protection when done.

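As an added example, not code from OTL, OldTimer, or anyone in this thread: a small Python script that reads the O2/O4/O20/O21 load-point lines an OTL scan like the one requested above produces and ranks the entries a helper would look at first. OTL prints each resolved file followed by the company name from its version resource in parentheses, or "()" when the file has none; the script flags empty company fields, unlabelled files sitting in System32, and entries pointing at files that no longer exist, then correlates file names across load points. The sample lines are copied from the log posted later in this thread; the section descriptions and the heuristics are this example's own assumptions, not OTL's classification.

```python
"""Triage helper for the load-point lines in an OTL log (O2/O4/O20/O21).

Added example for this thread; it is not part of OTL and was not written by
OldTimer or by anyone posting here. A flag here is a lead for a human
reviewer, not a verdict.
"""
import re
from dataclasses import dataclass, field

# Sections that execute code automatically; the text is an assumed summary.
WATCHED = {
    "O2": "Browser Helper Object loaded by Internet Explorer",
    "O4": "Run key or Startup folder entry",
    "O20": "AppInit_DLLs / Winlogon entry, mapped into many processes",
    "O21": "ShellServiceObjectDelayLoad entry, loaded by Explorer",
}

_LOADPOINT_RE = re.compile(r"^(O\d+)\s+-\s+(.*)$")
# A drive-letter path followed by OTL's trailing "(company)" field.
_PATH_RE = re.compile(r"([A-Za-z]:\\[^()]*?)\s*\(([^()]*)\)\s*$")

# Constructed sample: lines copied from the OTL log posted in this thread,
# with two ordinary vendor-labelled entries left in for contrast.
SAMPLE_LOG = r"""
O2 - BHO: (AcroIEHlprObj Class) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll (Adobe Systems Incorporated)
O2 - BHO: (no name) - {3958fe57-abb1-4b3c-874d-a6b354d1e86f} - C:\WINDOWS\System32\fasapako.dll ()
O4 - HKLM..\Run: [ehTray] C:\WINDOWS\ehome\ehtray.exe (Microsoft Corporation)
O4 - HKLM..\Run: [KernelFaultCheck] File not found
O4 - HKLM..\Run: [merigijid] C:\WINDOWS\System32\deporare.DLL ()
O4 - HKLM..\Run: [nwiz] C:\WINDOWS\System32\nwiz.exe ()
O20 - AppInit_DLLs: (C:\WINDOWS\system32\hekonala.dll) - C:\WINDOWS\System32\hekonala.dll ()
O21 - SSODL: remupasez - {6f05cc67-ea03-401b-b007-d514e19aa4f0} - C:\WINDOWS\System32\deporare.dll ()
"""


@dataclass
class Finding:
    section: str
    path: str = ""       # empty when OTL could not resolve a file
    company: str = ""    # text inside the trailing parentheses
    reasons: list = field(default_factory=list)


def parse_line(line):
    """Return a Finding for a watched O-line (empty reasons if nothing stood out), else None."""
    m = _LOADPOINT_RE.match(line.strip())
    if not m or m.group(1) not in WATCHED:
        return None
    section, rest = m.groups()
    f = Finding(section)
    if "File not found" in rest:
        f.reasons.append("points at a file that no longer exists")
        return f
    pm = _PATH_RE.search(rest)
    if not pm:
        f.reasons.append("could not parse a file path")
        return f
    f.path, f.company = pm.group(1), pm.group(2).strip()
    in_system32 = "\\system32\\" in f.path.lower()
    if not f.company:
        f.reasons.append("file carries no company/version information")
        if in_system32:
            f.reasons.append("unlabelled file sitting in System32")
    if f.reasons and section in ("O20", "O21"):
        f.reasons.append("high-impact load point: " + WATCHED[section])
    return f


def triage(log_text):
    """All flagged findings, in log order."""
    return [f for f in map(parse_line, log_text.splitlines()) if f and f.reasons]


def files_by_loadpoint(findings):
    """Map lowercase file name -> sorted sections referencing it.
    One file registered under several load points is the strongest lead."""
    table = {}
    for f in findings:
        if f.path:
            table.setdefault(f.path.rsplit("\\", 1)[-1].lower(), set()).add(f.section)
    return {name: sorted(secs) for name, secs in table.items()}


if __name__ == "__main__":
    found = triage(SAMPLE_LOG)
    for f in found:
        print(f"{f.section:<4} {f.path or '(no file)'}")
        for r in f.reasons:
            print("      -", r)
    print("\nfiles seen at more than one load point:",
          {n: s for n, s in files_by_loadpoint(found).items() if len(s) > 1})
```

Run on the sample, the script flags six of the eight entries. Two of them are worth noting as a reader: nwiz.exe, a legitimate NVIDIA component that ships without version information, is flagged on the blank company field alone, which is why the output is a ranking for a human rather than a verdict; and deporare.dll surfaces under both a Run key (O4) and an SSODL entry (O21), the kind of cross-load-point correlation a helper reads an OTL log for.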

#3
KINNEY1978
    Member
  • Topic Starter
  • 62 posts
Hi,

Thanks in advance for helping me. I was able to run the OTL with no problem, however, the other file "Rootkit/Malware" would not run all the way. It scanned for a while and then closed by itself, not allowing me to save the log. I tried twice and it happened twice. Please advise.

Below are the OTL results:

OTL logfile created on: 9/3/2009 6:28:39 AM - Run 1
OTL by OldTimer - Version 3.0.10.7 Folder = C:\Documents and Settings\Owner\Desktop
Windows XP Media Center Edition Service Pack 2 (Version = 5.1.2600) - Type = NTWorkstation
Internet Explorer (Version = 6.0.2900.2180)
Locale: 00000409 | Country: United States | Language: ENU | Date Format: M/d/yyyy

1.99 Gb Total Physical Memory | 1.49 Gb Available Physical Memory | 74.97% Memory free
3.84 Gb Paging File | 3.51 Gb Available in Paging File | 91.51% Paging File free
Paging file location(s): C:\pagefile.sys 2046 4092 [binary data]

%SystemDrive% = C: | %SystemRoot% = C:\WINDOWS | %ProgramFiles% = C:\Program Files
Drive C: | 228.83 Gb Total Space | 168.51 Gb Free Space | 73.64% Space Free | Partition Type: NTFS
Drive D: | 4.04 Gb Total Space | 1.36 Gb Free Space | 33.74% Space Free | Partition Type: FAT32
E: Drive not present or media not loaded
F: Drive not present or media not loaded
G: Drive not present or media not loaded
H: Drive not present or media not loaded
I: Drive not present or media not loaded
Drive K: | 6.67 Mb Total Space | 0.00 Mb Free Space | 0.00% Space Free | Partition Type: CDFS
Drive L: | 3.74 Gb Total Space | 0.94 Gb Free Space | 25.12% Space Free | Partition Type: FAT32

Computer Name: JK-GT5064
Current User Name: Owner
Logged in as Administrator.

Current Boot Mode: Normal
Scan Mode: Current user
Company Name Whitelist: Off
Skip Microsoft Files: Off
File Age = 30 Days
Output = Minimal

========== Processes (SafeList) ==========

PRC - C:\WINDOWS\ehome\ehtray.exe (Microsoft Corporation)
PRC - C:\WINDOWS\System32\igfxtray.exe (Intel Corporation)
PRC - C:\WINDOWS\System32\hkcmd.exe (Intel Corporation)
PRC - C:\WINDOWS\System32\igfxpers.exe (Intel Corporation)
PRC - C:\Program Files\Common Files\AOL\1236233593\ee\AOLSoftware.exe (America Online, Inc.)
PRC - C:\Program Files\Digital Media Reader\readericon45G.exe (Alcor Micro, Corp.)
PRC - C:\Program Files\Intel\Intel Matrix Storage Manager\iaanotif.exe (Intel Corporation)
PRC - C:\Program Files\Intel Audio Studio\IntelAudioStudio.exe (Intel Corporation)
PRC - C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe (Microsoft Corporation)
PRC - c:\program files\common files\aol\1236233593\ee\services\antiSpywareApp\ver2_0_32_1\AOLSP Scheduler.exe ()
PRC - C:\WINDOWS\explorer.exe (Microsoft Corporation)
PRC - c:\program files\common files\aol\1236233593\ee\aolsoftware.exe (America Online, Inc.)
PRC - C:\Program Files\Common Files\AOL\ACS\AOLAcsd.exe (America Online)
PRC - C:\Program Files\Common Files\AOL\TopSpeed\2.0\aoltsmon.exe (America Online, Inc)
PRC - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe (Apple Inc.)
PRC - C:\Program Files\Common Files\AOL\TopSpeed\2.0\aoltpspd.exe (America Online Inc)
PRC - C:\WINDOWS\eHome\ehRecvr.exe (Microsoft Corporation)
PRC - C:\WINDOWS\eHome\ehSched.exe (Microsoft Corporation)
PRC - C:\Program Files\Intel\Intel Matrix Storage Manager\iaantmon.exe (Intel Corporation)
PRC - C:\Program Files\Java\jre6\bin\jqs.exe (Sun Microsystems, Inc.)
PRC - C:\Program Files\Common Files\New Boundary\PrismXL\PRISMXL.SYS (New Boundary Technologies, Inc.)
PRC - C:\WINDOWS\System32\wdfmgr.exe (Microsoft Corporation)
PRC - C:\WINDOWS\ehome\mcrdsvc.exe (Microsoft Corporation)
PRC - C:\Program Files\Intel\IntelDH\Intel® Quick Resume Technology\ELService.exe (Intel Corporation)
PRC - C:\WINDOWS\eHome\ehmsas.exe (Microsoft Corporation)
PRC - C:\WINDOWS\System32\igfxsrvc.exe (Intel Corporation)
PRC - C:\Documents and Settings\Owner\Desktop\OTL.exe (OldTimer Tools)

========== Win32 Services (SafeList) ==========

SRV - (AOL ACS [Auto | Running]) -- C:\Program Files\Common Files\AOL\ACS\AOLAcsd.exe (America Online)
SRV - (AOL TopSpeedMonitor [Auto | Running]) -- C:\Program Files\Common Files\AOL\TopSpeed\2.0\aoltsmon.exe (America Online, Inc)
SRV - (Apple Mobile Device [Auto | Running]) -- C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe (Apple Inc.)
SRV - (aspnet_state [On_Demand | Stopped]) -- C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\aspnet_state.exe (Microsoft Corporation)
SRV - (clr_optimization_v2.0.50727_32 [On_Demand | Stopped]) -- C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe (Microsoft Corporation)
SRV - (ehRecvr [Auto | Running]) -- C:\WINDOWS\eHome\ehRecvr.exe (Microsoft Corporation)
SRV - (ehSched [Auto | Running]) -- C:\WINDOWS\eHome\ehSched.exe (Microsoft Corporation)
SRV - (ELService [Auto | Running]) -- C:\Program Files\Intel\IntelDH\Intel® Quick Resume Technology\ELService.exe (Intel Corporation)
SRV - (helpsvc [Auto | Running]) -- C:\WINDOWS\PCHealth\HelpCtr\Binaries\pchsvc.dll (Microsoft Corporation)
SRV - (IAANTMon [Auto | Running]) -- C:\Program Files\Intel\Intel Matrix Storage Manager\iaantmon.exe (Intel Corporation)
SRV - (iPod Service [On_Demand | Stopped]) -- C:\Program Files\iPod\bin\iPodService.exe (Apple Inc.)
SRV - (JavaQuickStarterService [Auto | Running]) -- C:\Program Files\Java\jre6\bin\jqs.exe (Sun Microsystems, Inc.)
SRV - (McrdSvc [Auto | Running]) -- C:\WINDOWS\ehome\mcrdsvc.exe (Microsoft Corporation)
SRV - (MHN [On_Demand | Stopped]) -- C:\WINDOWS\System32\mhn.dll (Microsoft Corporation)
SRV - (Microsoft Office Groove Audit Service [On_Demand | Stopped]) -- C:\Program Files\Microsoft Office\Office12\GrooveAuditService.exe (Microsoft Corporation)
SRV - (NBService [On_Demand | Stopped]) -- C:\Program Files\Nero\Nero 7\Nero BackItUp\NBService.exe (Nero AG)
SRV - (NMIndexingService [On_Demand | Stopped]) -- C:\Program Files\Common Files\Ahead\Lib\NMIndexingService.exe (Nero AG)
SRV - (NVSvc [Auto | Stopped]) -- C:\WINDOWS\System32\nvsvc32.exe (NVIDIA Corporation)
SRV - (odserv [On_Demand | Stopped]) -- C:\Program Files\Common Files\Microsoft Shared\OFFICE12\ODSERV.EXE (Microsoft Corporation)
SRV - (ose [On_Demand | Stopped]) -- C:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE (Microsoft Corporation)
SRV - (PrismXL [Auto | Running]) -- C:\Program Files\Common Files\New Boundary\PrismXL\PRISMXL.SYS (New Boundary Technologies, Inc.)
SRV - (UMWdf [Auto | Running]) -- C:\WINDOWS\System32\wdfmgr.exe (Microsoft Corporation)

========== Driver Services (SafeList) ==========

DRV - (Afc [On_Demand | Running]) -- C:\WINDOWS\System32\drivers\Afc.sys (Arcsoft, Inc.)
DRV - (AliIde [Boot | Running]) -- C:\WINDOWS\system32\DRIVERS\aliide.sys (Acer Laboratories Inc.)
DRV - (amdagp [Boot | Running]) -- C:\WINDOWS\system32\DRIVERS\amdagp.sys (Advanced Micro Devices, Inc.)
DRV - (asc [Boot | Running]) -- C:\WINDOWS\system32\DRIVERS\asc.sys (Advanced System Products, Inc.)
DRV - (asc3550 [Boot | Running]) -- C:\WINDOWS\system32\DRIVERS\asc3550.sys (Advanced System Products, Inc.)
DRV - (ASCTRM [Auto | Running]) -- C:\WINDOWS\System32\drivers\asctrm.sys (Windows ® 2000 DDK provider)
DRV - (Cdr4_xp [System | Running]) -- C:\WINDOWS\System32\drivers\cdr4_xp.sys (Roxio)
DRV - (Cdralw2k [System | Running]) -- C:\WINDOWS\System32\drivers\cdralw2k.sys (Roxio)
DRV - (CmdIde [Boot | Running]) -- C:\WINDOWS\system32\DRIVERS\cmdide.sys (CMD Technology, Inc.)
DRV - (dac2w2k [Boot | Running]) -- C:\WINDOWS\system32\DRIVERS\dac2w2k.sys (Mylex Corporation)
DRV - (E100B [On_Demand | Running]) -- C:\WINDOWS\System32\DRIVERS\e100b325.sys (Intel Corporation)
DRV - (ELacpi [On_Demand | Running]) -- C:\WINDOWS\System32\DRIVERS\ELacpi.sys (Intel Corporation)
DRV - (ELhid [System | Running]) -- C:\WINDOWS\System32\DRIVERS\ELhid.sys (Intel Corporation)
DRV - (ELkbd [System | Running]) -- C:\WINDOWS\System32\DRIVERS\ELkbd.sys (Intel Corporation)
DRV - (ELmon [System | Running]) -- C:\WINDOWS\System32\DRIVERS\ELmon.sys (Intel Corporation)
DRV - (ELmou [System | Running]) -- C:\WINDOWS\System32\DRIVERS\ELmou.sys (Intel Corporation)
DRV - (GEARAspiWDM [On_Demand | Running]) -- C:\WINDOWS\System32\DRIVERS\GEARAspiWDM.sys (GEAR Software Inc.)
DRV - (HDAudBus [On_Demand | Running]) -- C:\WINDOWS\System32\DRIVERS\HDAudBus.sys (Windows ® Server 2003 DDK provider)
DRV - (HPZid412 [On_Demand | Running]) -- C:\WINDOWS\System32\DRIVERS\HPZid412.sys (HP)
DRV - (HPZipr12 [On_Demand | Running]) -- C:\WINDOWS\System32\DRIVERS\HPZipr12.sys (HP)
DRV - (HPZius12 [On_Demand | Running]) -- C:\WINDOWS\System32\DRIVERS\HPZius12.sys (HP)
DRV - (HSFHWBS2 [On_Demand | Running]) -- C:\WINDOWS\System32\DRIVERS\HSFHWBS2.sys (Conexant Systems, Inc.)
DRV - (HSF_DPV [On_Demand | Running]) -- C:\WINDOWS\System32\DRIVERS\HSF_DPV.sys (Conexant Systems, Inc.)
DRV - (ialm [On_Demand | Running]) -- C:\WINDOWS\System32\DRIVERS\ialmnt5.sys (Intel Corporation)
DRV - (iaStor [Boot | Running]) -- C:\WINDOWS\SYSTEM32\DRIVERS\IASTOR.SYS (Intel Corporation)
DRV - (mdmxsdk [Auto | Running]) -- C:\WINDOWS\System32\DRIVERS\mdmxsdk.sys (Conexant)
DRV - (mraid35x [Boot | Running]) -- C:\WINDOWS\system32\DRIVERS\mraid35x.sys (American Megatrends Inc.)
DRV - (mxnic [On_Demand | Stopped]) -- C:\WINDOWS\System32\DRIVERS\mxnic.sys (Macronix International Co., Ltd. )
DRV - (nv [On_Demand | Stopped]) -- C:\WINDOWS\System32\DRIVERS\nv4_mini.sys (NVIDIA Corporation)
DRV - (PAC7302 [On_Demand | Running]) -- C:\WINDOWS\System32\DRIVERS\PAC7302.SYS (PixArt Imaging Inc.)
DRV - (Ptilink [On_Demand | Running]) -- C:\WINDOWS\System32\DRIVERS\ptilink.sys (Parallel Technologies, Inc.)
DRV - (PxHelp20 [Boot | Running]) -- C:\WINDOWS\System32\Drivers\PxHelp20.sys (Sonic Solutions)
DRV - (ql1080 [Boot | Running]) -- C:\WINDOWS\system32\DRIVERS\ql1080.sys (QLogic Corporation)
DRV - (ql12160 [Boot | Running]) -- C:\WINDOWS\system32\DRIVERS\ql12160.sys (QLogic Corporation)
DRV - (ql1280 [Boot | Running]) -- C:\WINDOWS\system32\DRIVERS\ql1280.sys (QLogic Corporation)
DRV - (SASDIFSV [System | Running]) -- C:\DVD PROGRAMS\SASDIFSV.SYS (SUPERAdBlocker.com and SUPERAntiSpyware.com)
DRV - (SASENUM [On_Demand | Stopped]) -- C:\DVD PROGRAMS\SASENUM.SYS ( SUPERAdBlocker.com and SUPERAntiSpyware.com)
DRV - (SASKUTIL [System | Running]) -- C:\DVD PROGRAMS\SASKUTIL.sys (SUPERAdBlocker.com and SUPERAntiSpyware.com)
DRV - (Secdrv [On_Demand | Stopped]) -- C:\WINDOWS\System32\DRIVERS\secdrv.sys ()
DRV - (sfng32 [On_Demand | Running]) -- C:\WINDOWS\System32\drivers\sfng32.sys (Sonic Focus, Inc)
DRV - (sisagp [Boot | Running]) -- C:\WINDOWS\system32\DRIVERS\sisagp.sys (Silicon Integrated Systems Corporation)
DRV - (Sparrow [Boot | Running]) -- C:\WINDOWS\system32\DRIVERS\sparrow.sys (Adaptec, Inc.)
DRV - (STHDA [On_Demand | Running]) -- C:\WINDOWS\System32\drivers\sthda.sys (SigmaTel, Inc.)
DRV - (symc810 [Boot | Running]) -- C:\WINDOWS\system32\DRIVERS\symc810.sys (Symbios Logic Inc.)
DRV - (symc8xx [Boot | Running]) -- C:\WINDOWS\system32\DRIVERS\symc8xx.sys (LSI Logic)
DRV - (sym_hi [Boot | Running]) -- C:\WINDOWS\system32\DRIVERS\sym_hi.sys (LSI Logic)
DRV - (sym_u3 [Boot | Running]) -- C:\WINDOWS\system32\DRIVERS\sym_u3.sys (LSI Logic)
DRV - (ultra [Boot | Running]) -- C:\WINDOWS\system32\DRIVERS\ultra.sys (Promise Technology, Inc.)
DRV - (USBAAPL [On_Demand | Stopped]) -- C:\WINDOWS\System32\Drivers\usbaapl.sys (Apple, Inc.)
DRV - (usbaudio [On_Demand | Running]) -- C:\WINDOWS\System32\drivers\usbaudio.sys (Microsoft Corporation)
DRV - (wanatw [On_Demand | Running]) -- C:\WINDOWS\System32\DRIVERS\wanatw4.sys (America Online, Inc.)
DRV - (winachsf [On_Demand | Running]) -- C:\WINDOWS\System32\DRIVERS\HSF_CNXT.sys (Conexant Systems, Inc.)

========== Standard Registry (All) ==========


========== Internet Explorer ==========

IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft....k/?LinkId=69157
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft....k/?LinkId=54896
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Local Page = %SystemRoot%\system32\blank.htm
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft....k/?LinkId=54896
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = http://www.gateway.c...h...TP&M=GT5064
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Search,CustomizeSearch = http://ie.search.msn...st/srchcust.htm
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Search,SearchAssistant = http://ie.search.msn...st/srchasst.htm

IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Local Page = C:\WINDOWS\system32\blank.htm
IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Search Page = http://www.microsoft...amp;ar=iesearch
IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = http://www.msn.com/
IE - URLSearchHook: {CFBFAE00-17A6-11D0-99CB-00C04FD64497} - C:\WINDOWS\System32\shdocvw.dll (Microsoft Corporation)
IE - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0

FF - HKLM\software\mozilla\Firefox\extensions\\[email protected]: C:\Program Files\Java\jre6\lib\deploy\jqs\ff [2009/05/06 16:51:59 | 00,000,000 | ---D | M]


O1 HOSTS File: (734 bytes) - C:\WINDOWS\System32\drivers\etc\Hosts
O1 - Hosts: 127.0.0.1 localhost
O2 - BHO: (no name) - {02478D38-C3F9-4efb-9B51-7695ECA05670} - No CLSID value found.
O2 - BHO: (AcroIEHlprObj Class) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll (Adobe Systems Incorporated)
O2 - BHO: (no name) - {3958fe57-abb1-4b3c-874d-a6b354d1e86f} - C:\WINDOWS\System32\fasapako.dll ()
O2 - BHO: (Spybot-S&D IE Protection) - {53707962-6F74-2D53-2644-206D7942484F} - C:\DVD PROGRAMS\Spybot - Search & Destroy\SDHelper.dll (Safer Networking Limited)
O2 - BHO: (Groove GFS Browser Helper) - {72853161-30C5-4D22-B7F9-0BBC1D38A37E} - C:\Program Files\Microsoft Office\Office12\GrooveShellExtensions.dll (Microsoft Corporation)
O2 - BHO: (Java™ Plug-In 2 SSV Helper) - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll (Sun Microsystems, Inc.)
O2 - BHO: (JQSIEStartDetectorImpl Class) - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll (Sun Microsystems, Inc.)
O3 - HKCU\..\Toolbar\ShellBrowser: (&Address) - {01E04581-4EEE-11D0-BFE9-00AA005B4383} - C:\WINDOWS\System32\browseui.dll (Microsoft Corporation)
O3 - HKCU\..\Toolbar\WebBrowser: (&Address) - {01E04581-4EEE-11D0-BFE9-00AA005B4383} - C:\WINDOWS\System32\browseui.dll (Microsoft Corporation)
O3 - HKCU\..\Toolbar\WebBrowser: (&Links) - {0E5CBF21-D15F-11D0-8301-00AA005B4383} - C:\WINDOWS\System32\SHELL32.dll (Microsoft Corporation)
O4 - HKLM..\Run: [11056564] C:\Documents and Settings\All Users\Application Data\11056564\11056564.exe ()
O4 - HKLM..\Run: [ehTray] C:\WINDOWS\ehome\ehtray.exe (Microsoft Corporation)
O4 - HKLM..\Run: [GrooveMonitor] C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe (Microsoft Corporation)
O4 - HKLM..\Run: [HostManager] C:\Program Files\Common Files\AOL\1236233593\ee\AOLSoftware.exe (America Online, Inc.)
O4 - HKLM..\Run: [IAAnotif] C:\Program Files\Intel\Intel Matrix Storage Manager\iaanotif.exe (Intel Corporation)
O4 - HKLM..\Run: [igfxhkcmd] C:\WINDOWS\System32\hkcmd.exe (Intel Corporation)
O4 - HKLM..\Run: [igfxpers] C:\WINDOWS\System32\igfxpers.exe (Intel Corporation)
O4 - HKLM..\Run: [igfxtray] C:\WINDOWS\System32\igfxtray.exe (Intel Corporation)
O4 - HKLM..\Run: [IntelAudioStudio] C:\Program Files\Intel Audio Studio\IntelAudioStudio.exe (Intel Corporation)
O4 - HKLM..\Run: [iTunesHelper] C:\Program Files\iTunes\iTunesHelper.exe (Apple Inc.)
O4 - HKLM..\Run: [KernelFaultCheck] File not found
O4 - HKLM..\Run: [merigijid] C:\WINDOWS\System32\deporare.DLL ()
O4 - HKLM..\Run: [MSKDetectorExe] C:\Program Files\McAfee\SpamKiller\MSKDetct.exe (McAfee, Inc.)
O4 - HKLM..\Run: [NeroFilterCheck] C:\Program Files\Common Files\Ahead\Lib\NeroCheck.exe (Nero AG)
O4 - HKLM..\Run: [NvCplDaemon] C:\WINDOWS\System32\NvCpl.DLL (NVIDIA Corporation)
O4 - HKLM..\Run: [NvMediaCenter] C:\WINDOWS\System32\NvMcTray.DLL (NVIDIA Corporation)
O4 - HKLM..\Run: [nwiz] C:\WINDOWS\System32\nwiz.exe ()
O4 - HKLM..\Run: [PAC7302_Monitor] C:\WINDOWS\PixArt\PAC7302\Monitor.exe (PixArt Imaging Incorporation)
O4 - HKLM..\Run: [pumayidaja] C:\WINDOWS\System32\luyehije.DLL ()
O4 - HKLM..\Run: [readericon] C:\Program Files\Digital Media Reader\readericon45G.exe (Alcor Micro, Corp.)
O4 - HKLM..\Run: [Recguard] C:\WINDOWS\SMINST\RECGUARD.EXE ()
O4 - HKLM..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre6\bin\jusched.exe (Sun Microsystems, Inc.)
O4 - HKCU..\Run: [AOL Fast Start] C:\Program Files\America Online 9.0\AOL.EXE (America Online, Inc.)
O4 - HKCU..\Run: [BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe (Nero AG)
O4 - HKCU..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe (Microsoft Corporation)
O4 - HKCU..\Run: [MSMSGS] C:\Program Files\Messenger\msmsgs.exe (Microsoft Corporation)
O4 - HKCU..\Run: [SpybotSD TeaTimer] C:\DVD PROGRAMS\Spybot - Search & Destroy\TeaTimer.exe (Safer-Networking Ltd.)
O4 - HKCU..\Run: [Steam] C:\Program Files\Steam\Steam.exe (Valve Corporation)
O4 - HKCU..\Run: [SUPERAntiSpyware] C:\DVD PROGRAMS\SUPERAntiSpyware.exe ()
O4 - Startup: C:\Documents and Settings\All Users\Start Menu\Programs\Startup\$McRebootA5E6DEAA56$.lnk = C:\WINDOWS\System32\cmd.exe (Microsoft Corporation)
O4 - Startup: C:\Documents and Settings\All Users\Start Menu\Programs\Startup\WinZip Quick Pick.lnk = C:\DVD PROGRAMS\WZQKPICK.EXE (WinZip Computing, S.L.)
O4 - Startup: C:\Documents and Settings\Owner\Start Menu\Programs\Startup\OneNote 2007 Screen Clipper and Launcher.lnk = C:\Program Files\Microsoft Office\Office12\ONENOTEM.EXE (Microsoft Corporation)
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveAutoRun = 67108863
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 323
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDrives = 0
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: dontdisplaylastusername = 0
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: legalnoticecaption =
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: legalnoticetext =
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: shutdownwithoutlogon = 1
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: undockwithoutlogon = 1
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: DisableRegistryTools = 0
O7 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O7 - HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145
O7 - HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveAutoRun = 67108863
O7 - HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDrives = 0
O8 - Extra context menu item: E&xport to Microsoft Excel - C:\Program Files\Microsoft Office\Office12\EXCEL.EXE (Microsoft Corporation)
O9 - Extra Button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\Program Files\Microsoft Office\Office12\ONBttnIE.dll (Microsoft Corporation)
O9 - Extra 'Tools' menuitem : S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\Program Files\Microsoft Office\Office12\ONBttnIE.dll (Microsoft Corporation)
O9 - Extra Button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\Program Files\Microsoft Office\Office12\REFIEBAR.DLL (Microsoft Corporation)
O9 - Extra Button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll (Microsoft Corporation)
O9 - Extra 'Tools' menuitem : Spybot - Search && Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\DVD PROGRAMS\Spybot - Search & Destroy\SDHelper.dll (Safer Networking Limited)
O9 - Extra Button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe (Microsoft Corporation)
O9 - Extra 'Tools' menuitem : Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe (Microsoft Corporation)
O10 - NameSpace_Catalog5\Catalog_Entries\000000000001 [] - C:\WINDOWS\System32\mswsock.dll (Microsoft Corporation)
O10 - NameSpace_Catalog5\Catalog_Entries\000000000002 [] - C:\WINDOWS\System32\winrnr.dll (Microsoft Corporation)
O10 - NameSpace_Catalog5\Catalog_Entries\000000000003 [] - C:\WINDOWS\System32\mswsock.dll (Microsoft Corporation)
O10 - Protocol_Catalog9\Catalog_Entries\000000000001 - C:\WINDOWS\System32\mswsock.dll (Microsoft Corporation)
O10 - Protocol_Catalog9\Catalog_Entries\000000000002 - C:\WINDOWS\System32\mswsock.dll (Microsoft Corporation)
O10 - Protocol_Catalog9\Catalog_Entries\000000000003 - C:\WINDOWS\System32\mswsock.dll (Microsoft Corporation)
O10 - Protocol_Catalog9\Catalog_Entries\000000000004 - C:\WINDOWS\System32\rsvpsp.dll (Microsoft Corporation)
O10 - Protocol_Catalog9\Catalog_Entries\000000000005 - C:\WINDOWS\System32\rsvpsp.dll (Microsoft Corporation)
O10 - Protocol_Catalog9\Catalog_Entries\000000000006 - C:\WINDOWS\System32\mswsock.dll (Microsoft Corporation)
O10 - Protocol_Catalog9\Catalog_Entries\000000000007 - C:\WINDOWS\System32\mswsock.dll (Microsoft Corporation)
O10 - Protocol_Catalog9\Catalog_Entries\000000000008 - C:\WINDOWS\System32\mswsock.dll (Microsoft Corporation)
O10 - Protocol_Catalog9\Catalog_Entries\000000000009 - C:\WINDOWS\System32\mswsock.dll (Microsoft Corporation)
O10 - Protocol_Catalog9\Catalog_Entries\000000000010 - C:\WINDOWS\System32\mswsock.dll (Microsoft Corporation)
O10 - Protocol_Catalog9\Catalog_Entries\000000000011 - C:\WINDOWS\System32\mswsock.dll (Microsoft Corporation)
O10 - Protocol_Catalog9\Catalog_Entries\000000000012 - C:\WINDOWS\System32\mswsock.dll (Microsoft Corporation)
O10 - Protocol_Catalog9\Catalog_Entries\000000000013 - C:\WINDOWS\System32\mswsock.dll (Microsoft Corporation)
O10 - Protocol_Catalog9\Catalog_Entries\000000000014 - C:\WINDOWS\System32\mswsock.dll (Microsoft Corporation)
O10 - Protocol_Catalog9\Catalog_Entries\000000000015 - C:\WINDOWS\System32\mswsock.dll (Microsoft Corporation)
O15 - HKLM\..Trusted Domains: 1 domain(s) and sub-domain(s) not assigned to a zone.
O15 - HKCU\..Trusted Domains: aol.com ([objects] * is out of zone range - 5)
O15 - HKCU\..Trusted Domains: 1 domain(s) and sub-domain(s) not assigned to a zone.
O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} http://java.sun.com/...indows-i586.cab (Java Plug-in 1.6.0_13)
O16 - DPF: {CAFEEFAC-0016-0000-0013-ABCDEFFEDCBA} http://java.sun.com/...indows-i586.cab (Java Plug-in 1.6.0_13)
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} http://download.macr...ash/swflash.cab (Shockwave Flash Object)
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: DhcpNameServer = 192.168.2.1
O18 - Protocol\Handler\about {3050F406-98B5-11CF-BB82-00AA00BDCE0B} - C:\WINDOWS\System32\mshtml.dll (Microsoft Corporation)
O18 - Protocol\Handler\cdl {3dd53d40-7b8b-11D0-b013-00aa0059ce02} - C:\WINDOWS\System32\urlmon.dll (Microsoft Corporation)
O18 - Protocol\Handler\dvd {12D51199-0DB5-46FE-A120-47A3D7D937CC} - C:\WINDOWS\System32\msvidctl.dll (Microsoft Corporation)
O18 - Protocol\Handler\file {79eac9e7-baf9-11ce-8c82-00aa004ba90b} - C:\WINDOWS\System32\urlmon.dll (Microsoft Corporation)
O18 - Protocol\Handler\ftp {79eac9e3-baf9-11ce-8c82-00aa004ba90b} - C:\WINDOWS\System32\urlmon.dll (Microsoft Corporation)
O18 - Protocol\Handler\gopher {79eac9e4-baf9-11ce-8c82-00aa004ba90b} - C:\WINDOWS\System32\urlmon.dll (Microsoft Corporation)
O18 - Protocol\Handler\grooveLocalGWS {88FED34C-F0CA-4636-A375-3CB6248B04CD} - C:\Program Files\Microsoft Office\Office12\GrooveSystemServices.dll (Microsoft Corporation)
O18 - Protocol\Handler\http {79eac9e2-baf9-11ce-8c82-00aa004ba90b} - C:\WINDOWS\System32\urlmon.dll (Microsoft Corporation)
O18 - Protocol\Handler\http\0x00000001 {E1D2BF42-A96B-11d1-9C6B-0000F875AC61} - C:\Program Files\Common Files\System\Ole DB\MSDAIPP.DLL (Microsoft Corporation)
O18 - Protocol\Handler\http\oledb {E1D2BF40-A96B-11d1-9C6B-0000F875AC61} - C:\Program Files\Common Files\System\Ole DB\MSDAIPP.DLL (Microsoft Corporation)
O18 - Protocol\Handler\https {79eac9e5-baf9-11ce-8c82-00aa004ba90b} - C:\WINDOWS\System32\urlmon.dll (Microsoft Corporation)
O18 - Protocol\Handler\https\0x00000001 {E1D2BF42-A96B-11d1-9C6B-0000F875AC61} - C:\Program Files\Common Files\System\Ole DB\MSDAIPP.DLL (Microsoft Corporation)
O18 - Protocol\Handler\https\oledb {E1D2BF40-A96B-11d1-9C6B-0000F875AC61} - C:\Program Files\Common Files\System\Ole DB\MSDAIPP.DLL (Microsoft Corporation)
O18 - Protocol\Handler\ipp - No CLSID value found
O18 - Protocol\Handler\ipp\0x00000001 {E1D2BF42-A96B-11d1-9C6B-0000F875AC61} - C:\Program Files\Common Files\System\Ole DB\MSDAIPP.DLL (Microsoft Corporation)
O18 - Protocol\Handler\its {9D148291-B9C8-11D0-A4CC-0000F80149F6} - C:\WINDOWS\System32\itss.dll (Microsoft Corporation)
O18 - Protocol\Handler\javascript {3050F3B2-98B5-11CF-BB82-00AA00BDCE0B} - C:\WINDOWS\System32\mshtml.dll (Microsoft Corporation)
O18 - Protocol\Handler\local {79eac9e7-baf9-11ce-8c82-00aa004ba90b} - C:\WINDOWS\System32\urlmon.dll (Microsoft Corporation)
O18 - Protocol\Handler\mailto {3050f3DA-98B5-11CF-BB82-00AA00BDCE0B} - C:\WINDOWS\System32\mshtml.dll (Microsoft Corporation)
O18 - Protocol\Handler\mhtml {05300401-BCBC-11d0-85E3-00C04FD85AB4} - C:\WINDOWS\System32\inetcomm.dll (Microsoft Corporation)
O18 - Protocol\Handler\mk {79eac9e6-baf9-11ce-8c82-00aa004ba90b} - C:\WINDOWS\System32\urlmon.dll (Microsoft Corporation)
O18 - Protocol\Handler\msdaipp - No CLSID value found
O18 - Protocol\Handler\msdaipp\0x00000001 {E1D2BF42-A96B-11d1-9C6B-0000F875AC61} - C:\Program Files\Common Files\System\Ole DB\MSDAIPP.DLL (Microsoft Corporation)
O18 - Protocol\Handler\msdaipp\oledb {E1D2BF40-A96B-11d1-9C6B-0000F875AC61} - C:\Program Files\Common Files\System\Ole DB\MSDAIPP.DLL (Microsoft Corporation)
O18 - Protocol\Handler\ms-help {314111c7-a502-11d2-bbca-00c04f8ec294} - C:\Program Files\Common Files\Microsoft Shared\Help\hxds.dll (Microsoft Corporation)
O18 - Protocol\Handler\ms-its {9D148291-B9C8-11D0-A4CC-0000F80149F6} - C:\WINDOWS\System32\itss.dll (Microsoft Corporation)
O18 - Protocol\Handler\res {3050F3BC-98B5-11CF-BB82-00AA00BDCE0B} - C:\WINDOWS\System32\mshtml.dll (Microsoft Corporation)
O18 - Protocol\Handler\sysimage {76E67A63-06E9-11D2-A840-006008059382} - C:\WINDOWS\System32\mshtml.dll (Microsoft Corporation)
O18 - Protocol\Handler\tv {CBD30858-AF45-11D2-B6D6-00C04FBBDE6E} - C:\WINDOWS\System32\msvidctl.dll (Microsoft Corporation)
O18 - Protocol\Handler\vbscript {3050F3B2-98B5-11CF-BB82-00AA00BDCE0B} - C:\WINDOWS\System32\mshtml.dll (Microsoft Corporation)
O18 - Protocol\Handler\wia {13F3EA8B-91D7-4F0A-AD76-D2853AC8BECE} - C:\WINDOWS\System32\wiascr.dll (Microsoft Corporation)
O18 - Protocol\Filter: - application/octet-stream - C:\WINDOWS\System32\mscoree.dll (Microsoft Corporation)
O18 - Protocol\Filter: - application/x-complus - C:\WINDOWS\System32\mscoree.dll (Microsoft Corporation)
O18 - Protocol\Filter: - application/x-msdownload - C:\WINDOWS\System32\mscoree.dll (Microsoft Corporation)
O18 - Protocol\Filter: - Class Install Handler - C:\WINDOWS\System32\urlmon.dll (Microsoft Corporation)
O18 - Protocol\Filter: - deflate - C:\WINDOWS\System32\urlmon.dll (Microsoft Corporation)
O18 - Protocol\Filter: - gzip - C:\WINDOWS\System32\urlmon.dll (Microsoft Corporation)
O18 - Protocol\Filter: - lzdhtml - C:\WINDOWS\System32\urlmon.dll (Microsoft Corporation)
O18 - Protocol\Filter: - text/webviewhtml - C:\WINDOWS\System32\SHELL32.dll (Microsoft Corporation)
O18 - Protocol\Filter: - text/xml - C:\Program Files\Common Files\Microsoft Shared\OFFICE12\MSOXMLMF.DLL (Microsoft Corporation)
O20 - AppInit_DLLs: (C:\WINDOWS\system32\hekonala.dll) - C:\WINDOWS\System32\hekonala.dll ()
O20 - AppInit_DLLs: (c:\windows\system32\deporare.dll) - C:\WINDOWS\System32\deporare.dll ()
O20 - AppInit_DLLs: (c:\windows\system32\werepolo.dll) - C:\WINDOWS\System32\werepolo.dll ()
O20 - HKLM Winlogon: Shell - (Explorer.exe) - C:\WINDOWS\Explorer.exe (Microsoft Corporation)
O20 - HKLM Winlogon: UserInit - (C:\WINDOWS\system32\userinit.exe) - C:\WINDOWS\System32\userinit.exe (Microsoft Corporation)
O20 - HKLM Winlogon: UIHost - (logonui.exe) - C:\WINDOWS\System32\logonui.exe (Microsoft Corporation)
O20 - HKLM Winlogon: VMApplet - (rundll32 shell32) - C:\WINDOWS\System32\shell32.dll (Microsoft Corporation)
O20 - HKLM Winlogon: VMApplet - (Control_RunDLL "sysdm.cpl") - C:\WINDOWS\System32\sysdm.cpl (Microsoft Corporation)
O20 - Winlogon\Notify\!SASWinLogon: DllName - C:\DVD PROGRAMS\SASWINLO.dll - C:\DVD PROGRAMS\SASWINLO.dll (SUPERAntiSpyware.com)
O20 - Winlogon\Notify\crypt32chain: DllName - crypt32.dll - C:\WINDOWS\System32\crypt32.dll (Microsoft Corporation)
O20 - Winlogon\Notify\cryptnet: DllName - cryptnet.dll - C:\WINDOWS\System32\cryptnet.dll (Microsoft Corporation)
O20 - Winlogon\Notify\cscdll: DllName - cscdll.dll - C:\WINDOWS\System32\cscdll.dll (Microsoft Corporation)
O20 - Winlogon\Notify\igfxcui: DllName - igfxdev.dll - C:\WINDOWS\System32\igfxdev.dll (Intel Corporation)
O20 - Winlogon\Notify\ScCertProp: DllName - wlnotify.dll - C:\WINDOWS\System32\wlnotify.dll (Microsoft Corporation)
O20 - Winlogon\Notify\Schedule: DllName - wlnotify.dll - C:\WINDOWS\System32\wlnotify.dll (Microsoft Corporation)
O20 - Winlogon\Notify\sclgntfy: DllName - sclgntfy.dll - C:\WINDOWS\System32\sclgntfy.dll (Microsoft Corporation)
O20 - Winlogon\Notify\SensLogn: DllName - WlNotify.dll - C:\WINDOWS\System32\WlNotify.dll (Microsoft Corporation)
O20 - Winlogon\Notify\termsrv: DllName - wlnotify.dll - C:\WINDOWS\System32\wlnotify.dll (Microsoft Corporation)
O20 - Winlogon\Notify\wlballoon: DllName - wlnotify.dll - C:\WINDOWS\System32\wlnotify.dll (Microsoft Corporation)
O21 - SSODL: CDBurn - {fbeb8a05-beee-4442-804e-409d6c4515e9} - C:\WINDOWS\System32\SHELL32.dll (Microsoft Corporation)
O21 - SSODL: PostBootReminder - {7849596a-48ea-486e-8937-a2a3009f31a9} - C:\WINDOWS\System32\SHELL32.dll (Microsoft Corporation)
O21 - SSODL: remupasez - {6f05cc67-ea03-401b-b007-d514e19aa4f0} - C:\WINDOWS\System32\deporare.dll ()
O21 - SSODL: SysTray - {35CEC8A3-2BE6-11D2-8773-92E220524153} - C:\WINDOWS\System32\stobject.dll (Microsoft Corporation)
O21 - SSODL: WebCheck - {E6FB5E20-DE35-11CF-9C87-00AA005127ED} - C:\WINDOWS\System32\webcheck.dll (Microsoft Corporation)
O22 - SharedTaskScheduler: {438755C2-A8BA-11D1-B96B-00A0C90312E1} - Browseui preloader - C:\WINDOWS\System32\browseui.dll (Microsoft Corporation)
O22 - SharedTaskScheduler: {6f05cc67-ea03-401b-b007-d514e19aa4f0} - mujuzedij - C:\WINDOWS\System32\deporare.dll ()
O22 - SharedTaskScheduler: {8C7461EF-2B13-11d2-BE35-3078302C2030} - Component Categories cache daemon - C:\WINDOWS\System32\browseui.dll (Microsoft Corporation)
O24 - Desktop Components:0 (My Current Home Page) - About:Home
O27 - HKLM IFEO\Your Image File Name Here without a path: Debugger - C:\WINDOWS\System32\ntsd.exe (Microsoft Corporation)
O28 - HKLM ShellExecuteHooks: {5AE067D3-9AFB-48E0-853A-EBB7F4A000DA} - C:\DVD PROGRAMS\SASSEH.DLL (SuperAdBlocker.com)
O28 - HKLM ShellExecuteHooks: {AEB6717E-7E19-11d0-97EE-00C04FD91972} - C:\WINDOWS\System32\shell32.dll (Microsoft Corporation)
O28 - HKLM ShellExecuteHooks: {B5A7F190-DDA6-4420-B3BA-52453494E6CD} - C:\Program Files\Microsoft Office\Office12\GrooveShellExtensions.dll (Microsoft Corporation)
O29 - HKLM SecurityProviders - (msapsspc.dll) - C:\WINDOWS\System32\msapsspc.dll (Microsoft Corporation)
O29 - HKLM SecurityProviders - (schannel.dll) - C:\WINDOWS\System32\schannel.dll (Microsoft Corporation)
O29 - HKLM SecurityProviders - (digest.dll) - C:\WINDOWS\System32\digest.dll (Microsoft Corporation)
O29 - HKLM SecurityProviders - (msnsspc.dll) - C:\WINDOWS\System32\msnsspc.dll (Microsoft Corporation)
O30 - LSA: Authentication Packages - (msv1_0) - C:\WINDOWS\System32\msv1_0.dll (Microsoft Corporation)
O30 - LSA: Security Packages - (kerberos) - C:\WINDOWS\System32\kerberos.dll (Microsoft Corporation)
O30 - LSA: Security Packages - (msv1_0) - C:\WINDOWS\System32\msv1_0.dll (Microsoft Corporation)
O30 - LSA: Security Packages - (schannel) - C:\WINDOWS\System32\schannel.dll (Microsoft Corporation)
O30 - LSA: Security Packages - (wdigest) - C:\WINDOWS\System32\wdigest.dll (Microsoft Corporation)
O31 - SafeBoot: AlternateShell - cmd.exe
O32 - HKLM CDRom: AutoRun - 1
O32 - AutoRun File - [2005/01/09 21:13:09 | 00,000,000 | ---- | M] () - C:\AUTOEXEC.BAT -- [ NTFS ]
O32 - AutoRun File - [2008/05/06 08:26:23 | 00,000,309 | R--- | M] () - K:\autorun.inf -- [ CDFS ]
O34 - HKLM BootExecute: (autocheck) - File not found
O34 - HKLM BootExecute: (autochk) - C:\WINDOWS\System32\autochk.exe (Microsoft Corporation)
O34 - HKLM BootExecute: (*) - File not found

========== Files/Folders - Created Within 30 Days ==========

[2009/09/03 06:27:00 | 00,514,048 | ---- | C] (OldTimer Tools) -- C:\Documents and Settings\Owner\Desktop\OTL.exe
[2009/09/03 04:40:51 | 00,002,098 | -HS- | C] () -- C:\WINDOWS\System32\bihofiye.dll
[2009/09/03 04:40:50 | 00,002,098 | -HS- | C] () -- C:\WINDOWS\System32\wirijepi.dll
[2009/09/03 04:40:32 | 00,088,064 | ---- | C] () -- C:\WINDOWS\System32\werepolo.dll
[2009/09/03 04:40:30 | 00,037,888 | ---- | C] () -- C:\WINDOWS\System32\dejufedu.dll
[2009/09/02 17:19:38 | 00,000,000 | ---D | C] -- C:\WINDOWS\Minidump
[2009/09/02 16:40:38 | 00,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Application Data\11056564
[2009/09/02 05:52:56 | 00,001,581 | ---- | C] () -- C:\Documents and Settings\All Users\Start Menu\Programs\Startup\$McRebootA5E6DEAA56$.lnk
[2009/09/01 21:07:14 | 00,000,000 | -HSD | C] -- C:\Config.Msi
[2009/09/01 21:05:45 | 00,000,000 | ---D | C] -- C:\Documents and Settings\Owner\Application Data\Yahoo!
[2009/09/01 19:36:28 | 00,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Application Data\SUPERAntiSpyware.com
[2009/09/01 19:36:25 | 00,000,592 | ---- | C] () -- C:\Documents and Settings\All Users\Desktop\SUPERAntiSpyware Free Edition.lnk
[2009/09/01 19:36:22 | 00,000,000 | ---D | C] -- C:\Documents and Settings\Owner\Application Data\SUPERAntiSpyware.com
[2009/09/01 19:32:37 | 21,364,61312 | -HS- | C] () -- C:\hiberfil.sys
[2009/09/01 19:25:03 | 00,000,000 | ---D | C] -- C:\Program Files\Yahoo!
[2009/09/01 17:20:53 | 00,000,000 | ---D | C] -- C:\Avenger
[2009/09/01 17:18:27 | 00,000,000 | ---D | C] -- C:\Program Files\MBblah
[2009/09/01 17:16:05 | 00,000,594 | ---- | C] () -- C:\Documents and Settings\All Users\Desktop\Malwarebytes' Anti-Malware.lnk
[2009/09/01 17:16:00 | 00,000,000 | ---D | C] -- C:\Program Files\Malwarebytes' Anti-Malware
[2009/09/01 17:14:45 | 03,942,080 | ---- | C] (Malwarebytes Corporation ) -- C:\Documents and Settings\Owner\Desktop\MBblah-setup.bat.exe
[2009/08/31 06:43:07 | 00,000,000 | ---- | C] () -- C:\-1672035832
[2009/08/31 06:43:01 | 00,075,264 | ---- | C] () -- C:\pvewnn.exe
[2009/08/31 06:42:59 | 00,009,728 | ---- | C] () -- C:\fyblb.exe
[2009/08/31 06:42:49 | 00,048,640 | ---- | C] () -- C:\blyuwrjl.exe
[2009/08/31 06:42:29 | 00,073,216 | ---- | C] () -- C:\jLg.exe
[2009/06/02 16:39:56 | 00,088,576 | -HS- | C] () -- C:\WINDOWS\System32\deporare.dll
[2009/06/02 16:39:56 | 00,037,376 | -HS- | C] () -- C:\WINDOWS\System32\ritujute.dll
[2009/06/01 21:49:22 | 00,037,888 | -HS- | C] () -- C:\WINDOWS\System32\weluyotu.dll
[2009/06/01 06:48:38 | 00,083,968 | -HS- | C] () -- C:\WINDOWS\System32\mebarepo.dll
[2009/06/01 06:48:38 | 00,037,376 | -HS- | C] () -- C:\WINDOWS\System32\vivuyayo.dll
[2009/05/31 18:48:53 | 00,049,152 | -HS- | C] () -- C:\WINDOWS\System32\luyehije.dll
[2009/05/31 18:48:53 | 00,049,152 | -HS- | C] () -- C:\WINDOWS\System32\hekonala.dll
[2009/05/31 18:48:53 | 00,049,152 | -HS- | C] () -- C:\WINDOWS\System32\fasapako.dll
[2009/05/31 18:48:21 | 00,084,480 | -HS- | C] () -- C:\WINDOWS\System32\nineyuyo.dll
[2009/05/31 18:48:21 | 00,049,152 | -HS- | C] () -- C:\WINDOWS\System32\pejejuwu.dll
[2009/05/31 18:48:21 | 00,037,376 | -HS- | C] () -- C:\WINDOWS\System32\viveveno.dll
[2009/05/31 06:48:11 | 00,084,992 | -HS- | C] () -- C:\WINDOWS\System32\fahapera.dll
[2009/05/31 06:48:11 | 00,038,400 | -HS- | C] () -- C:\WINDOWS\System32\binosino.dll
[2009/04/28 16:23:19 | 00,000,069 | ---- | C] () -- C:\WINDOWS\NeroDigital.ini
[2009/04/12 12:47:45 | 00,000,566 | ---- | C] () -- C:\WINDOWS\System32\SP7302.INI
[2009/03/05 02:06:35 | 00,000,376 | ---- | C] () -- C:\WINDOWS\ODBC.INI
[2009/01/15 10:19:00 | 01,724,416 | ---- | C] () -- C:\WINDOWS\System32\nvwdmcpl.dll
[2009/01/15 10:19:00 | 01,507,328 | ---- | C] () -- C:\WINDOWS\System32\nview.dll
[2009/01/15 10:19:00 | 01,101,824 | ---- | C] () -- C:\WINDOWS\System32\nvwimg.dll
[2009/01/15 10:19:00 | 00,466,944 | ---- | C] () -- C:\WINDOWS\System32\nvshell.dll
[2008/10/07 10:13:30 | 00,197,912 | ---- | C] () -- C:\WINDOWS\System32\physxcudart_20.dll
[2008/10/07 10:13:22 | 00,058,648 | ---- | C] () -- C:\WINDOWS\System32\AgCPanelTraditionalChinese.dll
[2008/10/07 10:13:20 | 00,058,648 | ---- | C] () -- C:\WINDOWS\System32\AgCPanelSwedish.dll
[2008/10/07 10:13:20 | 00,058,648 | ---- | C] () -- C:\WINDOWS\System32\AgCPanelSpanish.dll
[2008/10/07 10:13:20 | 00,058,648 | ---- | C] () -- C:\WINDOWS\System32\AgCPanelSimplifiedChinese.dll
[2008/10/07 10:13:20 | 00,058,648 | ---- | C] () -- C:\WINDOWS\System32\AgCPanelPortugese.dll
[2008/10/07 10:13:20 | 00,058,648 | ---- | C] () -- C:\WINDOWS\System32\AgCPanelKorean.dll
[2008/10/07 10:13:20 | 00,058,648 | ---- | C] () -- C:\WINDOWS\System32\AgCPanelJapanese.dll
[2008/10/07 10:13:20 | 00,058,648 | ---- | C] () -- C:\WINDOWS\System32\AgCPanelGerman.dll
[2008/10/07 10:13:20 | 00,058,648 | ---- | C] () -- C:\WINDOWS\System32\AgCPanelFrench.dll
[2006/12/11 20:35:52 | 00,027,440 | ---- | C] () -- C:\WINDOWS\System32\drivers\secdrv.sys
[2006/12/11 20:33:52 | 00,081,920 | ---- | C] () -- C:\WINDOWS\System32\ieencode.dll
[2006/12/11 20:33:40 | 00,062,464 | ---- | C] () -- C:\WINDOWS\System32\eventlog.dll
[2005/08/06 01:01:54 | 00,239,104 | ---- | C] () -- C:\WINDOWS\System32\psisdecd.dll
[2005/01/12 13:38:00 | 00,000,061 | ---- | C] () -- C:\WINDOWS\smscfg.ini
[2005/01/09 19:49:16 | 00,001,270 | ---- | C] () -- C:\WINDOWS\System32\oeminfo.ini
[2005/01/09 19:49:16 | 00,000,517 | ---- | C] () -- C:\WINDOWS\System32\emver.ini
[2005/01/09 19:48:33 | 00,000,751 | ---- | C] () -- C:\WINDOWS\win.ini
[2005/01/09 19:48:30 | 00,000,227 | ---- | C] () -- C:\WINDOWS\system.ini
[2004/10/26 18:39:05 | 03,375,104 | ---- | C] () -- C:\WINDOWS\System32\qt-mt331.dll
[1998/08/16 06:00:00 | 00,004,096 | ---- | C] () -- C:\WINDOWS\System32\sysres.dll

========== Files - Modified Within 30 Days ==========

[1 C:\WINDOWS\System32\*.tmp files]
[2009/09/03 06:27:01 | 00,514,048 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\Owner\Desktop\OTL.exe
[2009/09/03 06:23:26 | 00,011,168 | -H-- | M] () -- C:\WINDOWS\System32\dazazoja
[2009/09/03 05:25:21 | 00,088,064 | ---- | M] () -- C:\WINDOWS\System32\werepolo.dll
[2009/09/03 05:25:21 | 00,037,888 | ---- | M] () -- C:\WINDOWS\System32\dejufedu.dll
[2009/09/03 04:40:51 | 00,002,098 | -HS- | M] () -- C:\WINDOWS\System32\bihofiye.dll
[2009/09/03 04:40:50 | 00,002,098 | -HS- | M] () -- C:\WINDOWS\System32\wirijepi.dll
[2009/09/02 22:50:01 | 00,000,284 | ---- | M] () -- C:\WINDOWS\tasks\AppleSoftwareUpdate.job
[2009/09/02 17:19:41 | 00,000,006 | -H-- | M] () -- C:\WINDOWS\tasks\SA.DAT
[2009/09/02 17:19:38 | 00,002,048 | --S- | M] () -- C:\WINDOWS\bootstat.dat
[2009/09/02 17:19:37 | 21,364,61312 | -HS- | M] () -- C:\hiberfil.sys
[2009/09/02 16:40:27 | 00,831,524 | -HS- | M] () -- C:\WINDOWS\System32\venijija.exe
[2009/09/02 16:39:57 | 00,088,576 | -HS- | M] () -- C:\WINDOWS\System32\deporare.dll
[2009/09/02 16:39:57 | 00,037,376 | -HS- | M] () -- C:\WINDOWS\System32\ritujute.dll
[2009/09/02 06:47:00 | 01,578,050 | -H-- | M] () -- C:\Documents and Settings\Owner\Local Settings\Application Data\IconCache.db
[2009/09/02 05:52:57 | 00,001,581 | ---- | M] () -- C:\Documents and Settings\All Users\Start Menu\Programs\Startup\$McRebootA5E6DEAA56$.lnk
[2009/09/01 21:49:23 | 00,037,888 | -HS- | M] () -- C:\WINDOWS\System32\weluyotu.dll
[2009/09/01 19:36:25 | 00,000,592 | ---- | M] () -- C:\Documents and Settings\All Users\Desktop\SUPERAntiSpyware Free Edition.lnk
[2009/09/01 19:22:05 | 00,007,912 | ---- | M] () -- C:\WINDOWS\System32\d3d9caps.dat
[2009/09/01 17:47:31 | 00,000,751 | ---- | M] () -- C:\WINDOWS\win.ini
[2009/09/01 17:18:31 | 00,000,594 | ---- | M] () -- C:\Documents and Settings\All Users\Desktop\Malwarebytes' Anti-Malware.lnk
[2009/09/01 17:14:58 | 03,942,080 | ---- | M] (Malwarebytes Corporation ) -- C:\Documents and Settings\Owner\Desktop\MBblah-setup.bat.exe
[2009/09/01 16:42:52 | 00,000,069 | ---- | M] () -- C:\WINDOWS\NeroDigital.ini
[2009/09/01 06:48:39 | 00,083,968 | -HS- | M] () -- C:\WINDOWS\System32\mebarepo.dll
[2009/09/01 06:48:39 | 00,037,376 | -HS- | M] () -- C:\WINDOWS\System32\vivuyayo.dll
[2009/08/31 18:48:52 | 00,049,152 | -HS- | M] () -- C:\WINDOWS\System32\pejejuwu.dll
[2009/08/31 18:48:22 | 00,084,480 | -HS- | M] () -- C:\WINDOWS\System32\nineyuyo.dll
[2009/08/31 18:48:22 | 00,037,376 | -HS- | M] () -- C:\WINDOWS\System32\viveveno.dll
[2009/08/31 06:48:11 | 00,084,992 | -HS- | M] () -- C:\WINDOWS\System32\fahapera.dll
[2009/08/31 06:48:11 | 00,038,400 | -HS- | M] () -- C:\WINDOWS\System32\binosino.dll
[2009/08/31 06:43:20 | 00,075,264 | ---- | M] () -- C:\pvewnn.exe
[2009/08/31 06:43:07 | 00,000,000 | ---- | M] () -- C:\-1672035832
[2009/08/31 06:43:01 | 00,009,728 | ---- | M] () -- C:\fyblb.exe
[2009/08/31 06:42:56 | 00,048,640 | ---- | M] () -- C:\blyuwrjl.exe
[2009/08/31 06:42:29 | 00,073,216 | ---- | M] () -- C:\jLg.exe
[2009/08/31 06:35:42 | 00,042,496 | ---- | M] () -- C:\Documents and Settings\Owner\Local Settings\Application Data\DCBC2A71-70D8-4DAN-EHR8-E0D61DEA3FDF.ini
[2009/08/30 14:26:52 | 00,001,170 | ---- | M] () -- C:\WINDOWS\System32\wpa.dbl
[2009/08/29 15:32:28 | 00,030,208 | ---- | M] () -- C:\Documents and Settings\Owner\My Documents\Monthly Expense Spreadsheet.xls

========== LOP Check ==========

[2009/09/02 16:40:38 | 00,000,000 | RH-D | M] -- C:\Documents and Settings\All Users\Application Data
[2009/05/19 06:29:16 | 00,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\{8CD7F5AF-ECFA-4793-BF40-D8F42DBFF906}
[2009/09/02 16:40:54 | 00,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\11056564
[2009/04/26 15:42:15 | 00,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\Ahead
[2009/08/31 18:38:31 | 00,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\DVD Shrink
[2009/03/05 10:00:20 | 00,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\Napster
[2009/03/05 01:59:57 | 00,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\Prism Deploy
[2009/03/05 02:13:34 | 00,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\Pure Networks
[2009/06/13 18:10:13 | 00,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\TEMP
[2009/03/05 02:13:37 | 00,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\Viewpoint
[2009/05/18 06:34:13 | 00,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\Wide Angle Software
[2009/03/09 08:09:56 | 00,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\WinZip
[2009/09/01 21:05:45 | 00,000,000 | RH-D | M] -- C:\Documents and Settings\Owner\Application Data
[2009/03/08 22:28:19 | 00,000,000 | ---D | M] -- C:\Documents and Settings\Owner\Application Data\.BitTornado
[2009/06/09 19:14:38 | 00,000,000 | ---D | M] -- C:\Documents and Settings\Owner\Application Data\Ahead
[2009/04/12 12:51:02 | 00,000,000 | ---D | M] -- C:\Documents and Settings\Owner\Application Data\ArcSoft
[2009/06/13 19:02:06 | 00,000,000 | ---D | M] -- C:\Documents and Settings\Owner\Application Data\LimeWire
[2009/04/29 06:31:24 | 00,000,000 | ---D | M] -- C:\Documents and Settings\Owner\Application Data\Move Networks
[2009/03/05 02:16:17 | 00,000,000 | ---D | M] -- C:\Documents and Settings\Owner\Application Data\SampleView
[2009/06/05 06:40:23 | 00,000,000 | ---D | M] -- C:\Documents and Settings\Owner\Application Data\U3
[2009/06/13 18:08:41 | 00,000,000 | ---D | M] -- C:\Documents and Settings\Owner\Application Data\URSoft
[2009/03/05 02:14:11 | 00,000,000 | ---D | M] -- C:\Documents and Settings\Owner\Application Data\You've Got Pictures Screensaver
[2009/09/02 22:50:01 | 00,000,284 | ---- | M] () -- C:\WINDOWS\Tasks\AppleSoftwareUpdate.job
[2004/08/10 15:00:00 | 00,000,065 | RH-- | M] () -- C:\WINDOWS\Tasks\desktop.ini
[2009/03/08 00:45:02 | 00,000,258 | ---- | M] () -- C:\WINDOWS\Tasks\ISP signup reminder 1.job
[2009/03/16 00:45:02 | 00,000,258 | ---- | M] () -- C:\WINDOWS\Tasks\ISP signup reminder 2.job
[2009/03/21 00:45:02 | 00,000,258 | ---- | M] () -- C:\WINDOWS\Tasks\ISP signup reminder 3.job
[2009/09/02 17:19:41 | 00,000,006 | -H-- | M] () -- C:\WINDOWS\Tasks\SA.DAT

========== Purity Check ==========



========== Alternate Data Streams ==========

@Alternate Data Stream - 118 bytes -> C:\Documents and Settings\All Users\Application Data\TEMP:B3D74A13
< End of report >

OTL Extras logfile created on: 9/3/2009 6:28:39 AM - Run 1
OTL by OldTimer - Version 3.0.10.7 Folder = C:\Documents and Settings\Owner\Desktop
Windows XP Media Center Edition Service Pack 2 (Version = 5.1.2600) - Type = NTWorkstation
Internet Explorer (Version = 6.0.2900.2180)
Locale: 00000409 | Country: United States | Language: ENU | Date Format: M/d/yyyy

1.99 Gb Total Physical Memory | 1.49 Gb Available Physical Memory | 74.97% Memory free
3.84 Gb Paging File | 3.51 Gb Available in Paging File | 91.51% Paging File free
Paging file location(s): C:\pagefile.sys 2046 4092 [binary data]

%SystemDrive% = C: | %SystemRoot% = C:\WINDOWS | %ProgramFiles% = C:\Program Files
Drive C: | 228.83 Gb Total Space | 168.51 Gb Free Space | 73.64% Space Free | Partition Type: NTFS
Drive D: | 4.04 Gb Total Space | 1.36 Gb Free Space | 33.74% Space Free | Partition Type: FAT32
E: Drive not present or media not loaded
F: Drive not present or media not loaded
G: Drive not present or media not loaded
H: Drive not present or media not loaded
I: Drive not present or media not loaded
Drive K: | 6.67 Mb Total Space | 0.00 Mb Free Space | 0.00% Space Free | Partition Type: CDFS
Drive L: | 3.74 Gb Total Space | 0.94 Gb Free Space | 25.12% Space Free | Partition Type: FAT32

Computer Name: JK-GT5064
Current User Name: Owner
Logged in as Administrator.

Current Boot Mode: Normal
Scan Mode: Current user
Company Name Whitelist: Off
Skip Microsoft Files: Off
File Age = 30 Days
Output = Minimal

========== Extra Registry (SafeList) ==========


========== File Associations ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\<extension>]
.html [@ = htmlfile] -- C:\Program Files\Internet Explorer\IEXPLORE.EXE (Microsoft Corporation)

========== Security Center Settings ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center]
"FirstRunDisabled" = 1
"AntiVirusOverride" = 0
"FirewallOverride" = 0
"UpdatesDisableNotify" = 1
"AntiVirusDisableNotify" = 0
"FirewallDisableNotify" = 0

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\AhnlabAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\ComputerAssociatesAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\KasperskyAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\McAfeeAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\McAfeeFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\PandaAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\PandaFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\SophosAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\SymantecAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\SymantecFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\TinyFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\TrendAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\TrendFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\ZoneLabsFirewall]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile]
"EnableFirewall" = 1

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\GloballyOpenPorts\List]
"1900:UDP" = 1900:UDP:LocalSubNet:Enabled:@xpsp2res.dll,-22007

========== Authorized Applications List ==========

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\AuthorizedApplications\List]
"%windir%\system32\sessmgr.exe" = %windir%\system32\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019 -- (Microsoft Corporation)

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List]
"%windir%\system32\sessmgr.exe" = %windir%\system32\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019 -- (Microsoft Corporation)
"C:\Program Files\Common Files\AOL\Loader\aolload.exe" = C:\Program Files\Common Files\AOL\Loader\aolload.exe:*:Enabled:AOL Application Loader -- (America Online, Inc.)
"C:\Program Files\Common Files\AOL\ACS\AOLDial.exe" = C:\Program Files\Common Files\AOL\ACS\AOLDial.exe:*:Enabled:AOL -- (America Online)
"C:\Program Files\Common Files\AOL\ACS\AOLacsd.exe" = C:\Program Files\Common Files\AOL\ACS\AOLacsd.exe:*:Enabled:AOL -- (America Online)
"C:\Program Files\America Online 9.0\waol.exe" = C:\Program Files\America Online 9.0\waol.exe:*:Enabled:AOL -- (America Online, Inc.)
"C:\Program Files\Common Files\AOL\TopSpeed\2.0\aoltsmon.exe" = C:\Program Files\Common Files\AOL\TopSpeed\2.0\aoltsmon.exe:*:Enabled:AOLTsMon -- (America Online, Inc)
"C:\Program Files\Common Files\AOL\TopSpeed\2.0\aoltpspd.exe" = C:\Program Files\Common Files\AOL\TopSpeed\2.0\aoltpspd.exe:*:Enabled:AOLTopSpeed -- (America Online Inc)
"C:\Program Files\Common Files\AOL\1236233593\EE\AOLServiceHost.exe" = C:\Program Files\Common Files\AOL\1236233593\EE\AOLServiceHost.exe:*:Enabled:AOL -- (America Online, Inc.)
"C:\Program Files\Common Files\AOL\System Information\sinf.exe" = C:\Program Files\Common Files\AOL\System Information\sinf.exe:*:Enabled:AOL -- (America Online Inc.)
"C:\Program Files\Common Files\AolCoach\en_en\player\AOLNySEV.exe" = C:\Program Files\Common Files\AolCoach\en_en\player\AOLNySEV.exe:*:Enabled:AOL -- (Gteko Ltd.)
"C:\Program Files\Microsoft Office\Office12\OUTLOOK.EXE" = C:\Program Files\Microsoft Office\Office12\OUTLOOK.EXE:*:Enabled:Microsoft Office Outlook -- (Microsoft Corporation)
"C:\Program Files\Microsoft Office\Office12\GROOVE.EXE" = C:\Program Files\Microsoft Office\Office12\GROOVE.EXE:*:Enabled:Microsoft Office Groove -- (Microsoft Corporation)
"C:\Program Files\Microsoft Office\Office12\ONENOTE.EXE" = C:\Program Files\Microsoft Office\Office12\ONENOTE.EXE:*:Enabled:Microsoft Office OneNote -- (Microsoft Corporation)
"C:\Program Files\Messenger\msmsgs.exe" = C:\Program Files\Messenger\msmsgs.exe:*:Enabled:Windows Messenger -- (Microsoft Corporation)
"C:\Program Files\Steam\steamapps\common\left 4 dead\left4dead.exe" = C:\Program Files\Steam\steamapps\common\left 4 dead\left4dead.exe:*:Enabled:Left 4 Dead -- ()
"C:\Program Files\iTunes\iTunes.exe" = C:\Program Files\iTunes\iTunes.exe:*:Enabled:iTunes -- (Apple Inc.)
"C:\WINDOWS\system32\winlogon.exe" = C:\WINDOWS\system32\winlogon.exe:*:Enabled:winlogon -- (Microsoft Corporation)
"C:\DVD PROGRAMS\BitTornado\btdownloadgui.exe" = C:\DVD PROGRAMS\BitTornado\btdownloadgui.exe:*:Enabled:btdownloadgui -- ()
"C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe" = C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe:*:Enabled:AppleMobileDeviceService -- (Apple Inc.)
"C:\WINDOWS\system32\lsass.exe" = C:\WINDOWS\system32\lsass.exe:*:Enabled:lsass -- (Microsoft Corporation)
"C:\WINDOWS\system32\spoolsv.exe" = C:\WINDOWS\system32\spoolsv.exe:*:Enabled:spoolsv -- (Microsoft Corporation)
"C:\Program Files\McAfee\MSC\mcmscsvc.exe" = C:\Program Files\McAfee\MSC\mcmscsvc.exe:*:Enabled:mcmscsvc -- File not found
"C:\WINDOWS\explorer.exe" = C:\WINDOWS\explorer.exe:*:Enabled:explorer -- (Microsoft Corporation)


========== HKEY_LOCAL_MACHINE Uninstall List ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall]
"{048298C9-A4D3-490B-9FF9-AB023A9238F3}" = Steam
"{15377C3E-9655-400F-B441-E69F0A6BEAFE}" = Recovery Software Suite Gateway
"{18D10072035C4515918F7E37EAFAACFC}" = AutoUpdate
"{1FBF6C24-C1FD-4101-A42B-0C564F9E8E79}" = DVD Solution
"{244E21B9-164C-4EC1-AED8-9BD64161E66D}" = ArcSoft VideoImpression 2
"{26A24AE4-039D-4CA4-87B4-2F83216013FF}" = Java™ 6 Update 13
"{27ECB379-B140-43C3-BAD5-36C034B5A996}" = Intel® Quick Resume Technology Drivers
"{3248F0A8-6813-11D6-A77B-00B0D0150020}" = J2SE Runtime Environment 5.0 Update 2
"{350C97B0-3D7C-4EE8-BAA9-00BCB3D54227}" = WebFldrs XP
"{3D1B20A6-E31D-4BB5-BC5C-DDD3B0D91728}" = Intel Audio Studio 2.0
"{4AC55A61-BA20-4DF5-ABFF-8F4819E0C875}" = Digital Media Reader
"{56C049BE-79E9-4502-BEA7-9754A3E60F9B}" = neroxml
"{5D95AD35-368F-47D5-B63A-A082DDF00111}" = Microsoft Digital Image Starter Edition 2006 Editor
"{5EFCBB42-36AB-4FF9-B90C-E78C7B9EE7B3}" = iTunes
"{691F4068-81BF-49E3-B32E-FE3E16400111}" = Microsoft Digital Image Starter Edition 2006 Library
"{6956856F-B6B3-4BE0-BA0B-8F495BE32033}" = Apple Software Update
"{7131646D-CD3C-40F4-97B9-CD9E4E6262EF}" = Microsoft .NET Framework 2.0
"{76EFFC7C-17A6-479D-9E47-8E658C1695AE}" = Windows Backup Utility
"{7B63B2922B174135AFC0E1377DD81EC2}" = DivX
"{8A708DD8-A5E6-11D4-A706-000629E95E20}" = Intel® Graphics Media Accelerator Driver
"{8AAB4176-A747-493A-A42C-B63CFADFD8E3}" = NVIDIA PhysX
"{8ADFC4160D694100B5B8A22DE9DCABD9}" = DivX Player
"{8DCE550C-CA43-4E82-92DF-FFC4A48F5BE1}" = Napster Burn Engine
"{90120000-0010-0409-0000-0000000FF1CE}" = Microsoft Software Update for Web Folders (English) 12
"{90120000-0015-0409-0000-0000000FF1CE}" = Microsoft Office Access MUI (English) 2007
"{90120000-0016-0409-0000-0000000FF1CE}" = Microsoft Office Excel MUI (English) 2007
"{90120000-0018-0409-0000-0000000FF1CE}" = Microsoft Office PowerPoint MUI (English) 2007
"{90120000-0019-0409-0000-0000000FF1CE}" = Microsoft Office Publisher MUI (English) 2007
"{90120000-001A-0409-0000-0000000FF1CE}" = Microsoft Office Outlook MUI (English) 2007
"{90120000-001B-0409-0000-0000000FF1CE}" = Microsoft Office Word MUI (English) 2007
"{90120000-001F-0409-0000-0000000FF1CE}" = Microsoft Office Proof (English) 2007
"{90120000-001F-040C-0000-0000000FF1CE}" = Microsoft Office Proof (French) 2007
"{90120000-001F-0C0A-0000-0000000FF1CE}" = Microsoft Office Proof (Spanish) 2007
"{90120000-002C-0409-0000-0000000FF1CE}" = Microsoft Office Proofing (English) 2007
"{90120000-0030-0000-0000-0000000FF1CE}" = Microsoft Office Enterprise 2007
"{90120000-0044-0409-0000-0000000FF1CE}" = Microsoft Office InfoPath MUI (English) 2007
"{90120000-006E-0409-0000-0000000FF1CE}" = Microsoft Office Shared MUI (English) 2007
"{90120000-00A1-0409-0000-0000000FF1CE}" = Microsoft Office OneNote MUI (English) 2007
"{90120000-00BA-0409-0000-0000000FF1CE}" = Microsoft Office Groove MUI (English) 2007
"{90120000-0114-0409-0000-0000000FF1CE}" = Microsoft Office Groove Setup Metadata MUI (English) 2007
"{90120000-0115-0409-0000-0000000FF1CE}" = Microsoft Office Shared Setup Metadata MUI (English) 2007
"{90120000-0117-0409-0000-0000000FF1CE}" = Microsoft Office Access Setup Metadata MUI (English) 2007
"{9068B2BE-D93A-4C0A-861C-5E35E2C0E09E}" = Intel Matrix Storage Manager
"{9941F0AA-B903-4AF4-A055-83A9815CC011}" = Sonic Encoders
"{9F7FC79B-3059-4264-9450-39EB368E3225}" = Microsoft Digital Image Library 9 - Blocker
"{A20A58C4-6784-4B4B-86CC-94E2E3671033}" = Nero 7 Premium
"{A462213D-EED4-42C2-9A60-7BDD4D4B0B17}" = SigmaTel Audio
"{A48E4951-D8E9-4FDF-82EF-46FB1C953F3E}" = Intel Audio Studio 2.0
"{AC76BA86-7AD7-1033-7B44-A70000000000}" = Adobe Reader 7.0
"{AFA20D47-69C3-4030-8DF8-D37466E70F13}" = Apple Mobile Device Support
"{B4092C6D-E886-4CB2-BA68-FE5A88D31DE6}_is1" = Spybot - Search & Destroy
"{CB2F7EDD-9D1F-43C1-90FC-4F52EAE172A1}" = Microsoft .NET Framework 1.1
"{CD95F661-A5C4-44F5-A6AA-ECDD91C240B7}" = WinZip 12.0
"{CDDCBBF1-2703-46BC-938B-BCC81A1EEAAA}" = SUPERAntiSpyware Free Edition
"{ECA1A3B6-898F-4DCE-9F04-714CF3BA126B}" = Adobe Flash Player 10 Plugin
"{F0B2D11F-E4D9-4C17-A195-B8BADEAE9C40}" = VGA USB Camera
"{FCFEC0B9-6999-4BD2-85D1-4ED21070704E}" = Intel® Viiv™
"Adobe Flash Player ActiveX" = Adobe Flash Player 10 ActiveX
"AOL Connectivity Services" = AOL Connectivity Services
"AOL Uninstaller" = AOL Uninstaller
"AOL YGP Screensaver" = AOL You've Got Pictures Screensaver
"AolCoach2_en" = AOL Coach Version 2.0(Build:20041026.5 en)
"BitTornado" = BitTornado 0.3.17
"CCleaner" = CCleaner (remove only)
"CNXT_MODEM_PCI_VEN_14F1&DEV_2F20&SUBSYS_200014F1" = Soft Data Fax Modem with SmartCP
"ENTERPRISE" = Microsoft Office Enterprise 2007
"HijackThis" = HijackThis 2.0.2
"InstallShield_{4AC55A61-BA20-4DF5-ABFF-8F4819E0C875}" = Digital Media Reader
"Intel® Quick Resume Technology" = Intel® Quick Resume Technology Drivers
"Microsoft .NET Framework 1.1 (1033)" = Microsoft .NET Framework 1.1
"Microsoft .NET Framework 2.0" = Microsoft .NET Framework 2.0
"NVIDIA Drivers" = NVIDIA Drivers
"PictureItSuiteTrial_v11" = Microsoft Digital Image Starter Edition 2006
"PROSet" = Intel® PRO Network Connections Drivers
"RealPlayer 6.0" = RealPlayer Basic
"Steam App 500" = Left 4 Dead
"SystemRequirementsLab" = System Requirements Lab
"ViewpointMediaPlayer" = Viewpoint Media Player
"Windows Media Format Runtime" = Windows Media Format Runtime

========== HKEY_CURRENT_USER Uninstall List ==========

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall]
"Move Networks Player - IE" = Move Networks Media Player for Internet Explorer

========== Last 10 Event Log Errors ==========

[ Application Events ]
Error - 6/14/2009 9:32:18 PM | Computer Name = JK-GT5064 | Source = crypt32 | ID = 131080
Description = Failed auto update retrieval of third-party root list sequence number
from: <http://www.download....uthrootseq.txt>
with error: This network connection does not exist.

Error - 6/14/2009 9:32:18 PM | Computer Name = JK-GT5064 | Source = crypt32 | ID = 131080
Description = Failed auto update retrieval of third-party root list sequence number
from: <http://www.download....uthrootseq.txt>
with error: This network connection does not exist.

Error - 6/14/2009 9:32:18 PM | Computer Name = JK-GT5064 | Source = crypt32 | ID = 131080
Description = Failed auto update retrieval of third-party root list sequence number
from: <http://www.download....uthrootseq.txt>
with error: This network connection does not exist.

Error - 6/14/2009 9:32:18 PM | Computer Name = JK-GT5064 | Source = crypt32 | ID = 131080
Description = Failed auto update retrieval of third-party root list sequence number
from: <http://www.download....uthrootseq.txt>
with error: This network connection does not exist.

Error - 6/14/2009 9:33:13 PM | Computer Name = JK-GT5064 | Source = crypt32 | ID = 131080
Description = Failed auto update retrieval of third-party root list sequence number
from: <http://www.download....uthrootseq.txt>
with error: The server name or address could not be resolved

Error - 6/14/2009 9:33:13 PM | Computer Name = JK-GT5064 | Source = crypt32 | ID = 131080
Description = Failed auto update retrieval of third-party root list sequence number
from: <http://www.download....uthrootseq.txt>
with error: This network connection does not exist.

Error - 6/14/2009 9:33:13 PM | Computer Name = JK-GT5064 | Source = crypt32 | ID = 131080
Description = Failed auto update retrieval of third-party root list sequence number
from: <http://www.download....uthrootseq.txt>
with error: This network connection does not exist.

Error - 6/14/2009 9:33:13 PM | Computer Name = JK-GT5064 | Source = crypt32 | ID = 131080
Description = Failed auto update retrieval of third-party root list sequence number
from: <http://www.download....uthrootseq.txt>
with error: This network connection does not exist.

Error - 6/25/2009 4:24:37 PM | Computer Name = JK-GT5064 | Source = Application Error | ID = 1000
Description = Faulting application iexplore.exe, version 6.0.2900.2180, faulting
module unknown, version 0.0.0.0, fault address 0x674ea1e0.

Error - 7/17/2009 5:07:14 PM | Computer Name = JK-GT5064 | Source = Application Error | ID = 1000
Description = Faulting application showtime.exe, version 3.9.0.1, faulting module
showtime.exe, version 3.9.0.1, fault address 0x000a236c.

[ OSession Events ]
Error - 9/1/2009 6:04:55 PM | Computer Name = JK-GT5064 | Source = Microsoft Office 12 Sessions | ID = 7001
Description = ID: 0, Application Name: Microsoft Office Word, Application Version:
12.0.4518.1014, Microsoft Office Version: 12.0.4518.1014. This session lasted 801
seconds with 240 seconds of active time. This session ended with a crash.

[ System Events ]
Error - 9/2/2009 5:18:27 PM | Computer Name = JK-GT5064 | Source = Service Control Manager | ID = 7034
Description = The AOL TopSpeed Monitor service terminated unexpectedly. It has
done this 5 time(s).

Error - 9/2/2009 5:18:28 PM | Computer Name = JK-GT5064 | Source = Service Control Manager | ID = 7031
Description = The Media Center Receiver Service service terminated unexpectedly.
It has done this 1 time(s). The following corrective action will be taken in
5000 milliseconds: Restart the service.

Error - 9/2/2009 5:18:28 PM | Computer Name = JK-GT5064 | Source = Service Control Manager | ID = 7031
Description = The Media Center Extender Service service terminated unexpectedly.
It has done this 2 time(s). The following corrective action will be taken in
5000 milliseconds: Restart the service.

Error - 9/2/2009 5:18:33 PM | Computer Name = JK-GT5064 | Source = Service Control Manager | ID = 7031
Description = The Media Center Receiver Service service terminated unexpectedly.
It has done this 1 time(s). The following corrective action will be taken in
5000 milliseconds: Restart the service.

Error - 9/2/2009 5:18:33 PM | Computer Name = JK-GT5064 | Source = Service Control Manager | ID = 7009
Description = Timeout (30000 milliseconds) waiting for the Media Center Extender
Service service to connect.

Error - 9/2/2009 5:18:33 PM | Computer Name = JK-GT5064 | Source = Service Control Manager | ID = 7000
Description = The Media Center Extender Service service failed to start due to the
following error: %%1053

Error - 9/2/2009 5:18:38 PM | Computer Name = JK-GT5064 | Source = Service Control Manager | ID = 7031
Description = The Media Center Receiver Service service terminated unexpectedly.
It has done this 1 time(s). The following corrective action will be taken in
5000 milliseconds: Restart the service.

Error - 9/2/2009 5:18:43 PM | Computer Name = JK-GT5064 | Source = Service Control Manager | ID = 7031
Description = The Media Center Receiver Service service terminated unexpectedly.
It has done this 1 time(s). The following corrective action will be taken in
5000 milliseconds: Restart the service.

Error - 9/2/2009 5:18:48 PM | Computer Name = JK-GT5064 | Source = Service Control Manager | ID = 7031
Description = The Media Center Receiver Service service terminated unexpectedly.
It has done this 1 time(s). The following corrective action will be taken in
5000 milliseconds: Restart the service.

Error - 9/2/2009 5:18:53 PM | Computer Name = JK-GT5064 | Source = Service Control Manager | ID = 7031
Description = The Media Center Receiver Service service terminated unexpectedly.
It has done this 1 time(s). The following corrective action will be taken in
5000 milliseconds: Restart the service.


< End of report >
  • 0

#4
kahdah
    GeekU Teacher

  • Retired Staff
  • 15,822 posts
First temporarily disable any antivirus program or any real time shields that are present:
If you do not know how then you can refer to this link:
http://www.bleepingc...opic114351.html
================
Then Download Combofix from any of the links below. You must rename it before saving it. Rename it to kahdah then save it to your desktop.
Link 1
Link 2
--------------------------------------------------------------------

Double click on kahdah.exe & follow the prompts.
  • When finished, it will produce a report for you.
  • Please post the C:\ComboFix.txt

  • 0

#5
KINNEY1978
    Member

  • Topic Starter
  • Member
  • 62 posts
ComboFix 09-09-03.02 - Owner 09/03/2009 16:50.3.2 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.2037.1428 [GMT -4:00]
Running from: c:\documents and settings\Owner\Desktop\kahdah.exe
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\-1672035832
C:\67e3b24q.exe
c:\documents and settings\All Users\Application Data\11056564
c:\documents and settings\All Users\Application Data\11056564\11056564
c:\documents and settings\All Users\Application Data\11056564\11056564.exe
c:\documents and settings\All Users\Application Data\11056564\pc11056564ins
c:\documents and settings\All Users\Application Data\91280926.ini
c:\documents and settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr0.dat
c:\documents and settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr1.dat
C:\fyblb.exe
c:\windows\system32\bihofiye.dll
c:\windows\system32\binosino.dll
c:\windows\system32\BSTIEPrintCtl1.dll
c:\windows\system32\dejufedu.dll
c:\windows\system32\fahapera.dll
c:\windows\system32\hekonala.dll
c:\windows\system32\nineyuyo.dll
c:\windows\system32\ritujute.dll
c:\windows\system32\venijija.exe
c:\windows\system32\viveveno.dll
c:\windows\system32\vivuyayo.dll
c:\windows\system32\weluyotu.dll
c:\windows\system32\wirijepi.dll

----- BITS: Possible infected sites -----

hxxp://82.98.231.96
Infected copy of c:\windows\system32\eventlog.dll was found and disinfected
Restored copy from - c:\windows\system32\logevent.dll

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Legacy_{79007602-0CDB-4405-9DBF-1257BB3226ED}


((((((((((((((((((((((((( Files Created from 2009-08-03 to 2009-09-03 )))))))))))))))))))))))))))))))
.

2009-09-03 08:40 . 2009-09-03 09:25 88064 ----a-w- c:\windows\system32\werepolo.dll
2009-09-02 01:05 . 2009-09-02 01:05 -------- d-----w- c:\documents and settings\Owner\Application Data\Yahoo!
2009-09-01 23:36 . 2009-09-01 23:36 -------- d-----w- c:\documents and settings\All Users\Application Data\SUPERAntiSpyware.com
2009-09-01 23:36 . 2009-09-01 23:36 -------- d-----w- c:\documents and settings\Owner\Application Data\SUPERAntiSpyware.com
2009-09-01 23:29 . 2009-09-01 23:29 -------- d-----w- c:\documents and settings\Administrator\Local Settings\Application Data\toaster
2009-09-01 23:25 . 2009-09-01 23:25 -------- d-----w- c:\documents and settings\Administrator\Application Data\Yahoo!
2009-09-01 23:25 . 2009-09-02 01:07 -------- d-----w- c:\program files\Yahoo!
2009-09-01 21:27 . 2009-09-01 21:27 -------- d-----w- c:\documents and settings\Administrator\Application Data\Malwarebytes
2009-09-01 21:18 . 2009-09-01 21:18 -------- d-----w- c:\program files\MBblah
2009-09-01 21:16 . 2009-09-01 21:16 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2009-08-31 10:43 . 2009-08-31 10:43 75264 ----a-w- C:\pvewnn.exe
2009-08-31 10:42 . 2009-08-31 10:42 48640 ----a-w- C:\blyuwrjl.exe
2009-08-31 10:42 . 2009-08-31 10:42 73216 ----a-w- C:\jLg.exe

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-09-03 20:55 . 2009-04-12 16:26 -------- d-----w- c:\program files\Steam
2009-09-03 20:50 . 2009-03-05 13:54 -------- d-----w- c:\windows\system32\config\systemprofile\Application Data\SampleView
2009-09-02 20:39 . 2009-06-02 20:39 88576 --sha-w- c:\windows\system32\deporare.dll
2009-09-02 20:39 . 2009-03-05 06:18 -------- d-----w- c:\documents and settings\All Users\Application Data\McAfee
2009-09-02 20:39 . 2009-03-05 06:18 -------- d-----w- c:\program files\McAfee
2009-09-01 23:22 . 2009-04-05 19:04 7912 ----a-w- c:\windows\system32\d3d9caps.dat
2009-09-01 10:48 . 2009-06-01 10:48 83968 --sha-w- c:\windows\system32\mebarepo.dll
2009-08-31 22:48 . 2009-05-31 22:48 49152 --sha-w- c:\windows\system32\pejejuwu.dll
2009-08-31 22:38 . 2009-04-26 19:31 -------- d-----w- c:\documents and settings\All Users\Application Data\DVD Shrink
2009-05-31 22:48 . 2009-05-31 22:48 49152 --sha-w- c:\windows\system32\fasapako.dll
2009-05-31 22:48 . 2009-05-31 22:48 49152 --sha-w- c:\windows\system32\luyehije.dll
.

------- Sigcheck -------

[-] 2005-03-14 01:17 359936 6129E70F3D2F1E60860C930EBEAF92C2 c:\windows\$hf_mig$\KB893066\SP2QFE\tcpip.sys
[-] 2008-06-20 10:45 360320 2A5554FC5B1E04E131230E3CE035C3F9 c:\windows\SoftwareDistribution\Download\ad744bdeedce85bf37a096f34577ff3a\sp2gdr\tcpip.sys
[-] 2008-06-20 10:44 360960 744E57C99232201AE98C49168B918F48 c:\windows\SoftwareDistribution\Download\ad744bdeedce85bf37a096f34577ff3a\sp2qfe\tcpip.sys
[-] 2008-06-20 11:51 361600 9AEFA14BD6B182D61E3119FA5F436D3D c:\windows\SoftwareDistribution\Download\ad744bdeedce85bf37a096f34577ff3a\sp3gdr\tcpip.sys
[-] 2008-06-20 11:59 361600 AD978A1B783B5719720CFF204B666C8E c:\windows\SoftwareDistribution\Download\ad744bdeedce85bf37a096f34577ff3a\sp3qfe\tcpip.sys
[-] 2008-04-13 19:20 361344 93EA8D04EC73A85DB02EB8805988F733 c:\windows\SoftwareDistribution\Download\e9500597a78495f397efb821e37bf356\tcpip.sys
[-] 2005-03-14 00:55 359808 0E66B538096A6529D1AC66E78EB0D5C8 c:\windows\system32\drivers\tcpip.sys
.
((((((((((((((((((((((((((((( [email protected]_10.47.54 )))))))))))))))))))))))))))))))))))))))))
.
+ 2009-09-03 20:55 . 2009-09-03 20:55 16384 c:\windows\temp\Perflib_Perfdata_770.dat
+ 2006-12-12 00:33 . 2004-08-10 19:00 55808 c:\windows\system32\logevent.dll
+ 2009-05-19 10:27 . 2009-03-26 19:23 36864 c:\windows\system32\drivers\usbaapl.sys
- 2005-01-10 01:17 . 2009-06-16 08:52 32768 c:\windows\system32\config\systemprofile\Local Settings\History\History.IE5\index.dat
+ 2005-01-10 01:17 . 2009-09-02 09:48 32768 c:\windows\system32\config\systemprofile\Local Settings\History\History.IE5\index.dat
+ 2005-01-10 01:17 . 2009-09-02 09:48 32768 c:\windows\system32\config\systemprofile\Cookies\index.dat
- 2005-01-10 01:17 . 2009-06-16 08:52 32768 c:\windows\system32\config\systemprofile\Cookies\index.dat
+ 2009-03-05 11:29 . 2009-03-05 11:29 48128 c:\windows\Installer\1760d7.msi
+ 2009-09-01 23:36 . 2009-09-01 23:36 65024 c:\windows\Installer\{CDDCBBF1-2703-46BC-938B-BCC81A1EEAAA}\IconCDDCBBF15.exe
+ 2009-09-01 23:36 . 2009-09-01 23:36 18944 c:\windows\Installer\{CDDCBBF1-2703-46BC-938B-BCC81A1EEAAA}\IconCDDCBBF13.exe
+ 2009-03-05 04:54 . 2004-08-10 19:00 66048 c:\windows\I386\WINNT32.MSI
+ 2009-04-26 19:44 . 2009-04-26 19:44 100352 c:\windows\Installer\a34c965.msi
+ 2009-03-05 06:19 . 2009-03-05 06:19 181248 c:\windows\Installer\2c621.msi
+ 2009-03-05 06:16 . 2009-03-05 06:16 506880 c:\windows\Installer\2c614.msi
+ 2009-03-05 06:12 . 2009-03-05 06:12 980992 c:\windows\Installer\2c5da.msi
+ 2009-03-05 06:11 . 2009-03-05 06:11 227840 c:\windows\Installer\2c5cd.msi
+ 2009-05-06 20:51 . 2009-05-06 20:51 598016 c:\windows\Installer\1ed98b15.msi
+ 2009-03-05 11:30 . 2009-03-05 11:30 501248 c:\windows\Installer\17611b.msi
+ 2009-03-05 11:30 . 2009-03-05 11:30 501248 c:\windows\Installer\176103.msi
+ 2009-03-05 11:30 . 2009-03-05 11:30 506880 c:\windows\Installer\1760fd.msi
+ 2009-03-05 11:29 . 2009-03-05 11:29 516608 c:\windows\Installer\1760f6.msi
+ 2009-03-05 11:29 . 2009-03-05 11:29 513024 c:\windows\Installer\1760ef.msi
+ 2009-03-05 11:29 . 2009-03-05 11:29 501248 c:\windows\Installer\1760e3.msi
+ 2009-03-05 11:28 . 2009-03-05 11:28 501248 c:\windows\Installer\1760bb.msi
+ 2005-01-10 01:21 . 2005-01-10 01:21 246784 c:\windows\Installer\16977.msi
+ 2005-01-10 01:21 . 2005-01-10 01:21 285696 c:\windows\Installer\16973.msi
+ 2005-01-10 01:20 . 2005-01-10 01:20 264704 c:\windows\Installer\1696f.msi
+ 2009-03-05 04:53 . 2004-07-22 22:02 156672 c:\windows\I386\DRV\MOD\modem assistant.msi
+ 2006-12-12 00:36 . 2004-08-10 19:00 1326080 c:\windows\system32\webfldrs.msi
+ 2009-05-19 10:27 . 2009-03-26 19:23 1900544 c:\windows\system32\usbaaplrc.dll
+ 2009-04-12 16:26 . 2009-04-12 16:26 1098752 c:\windows\Installer\e5fe7bc.msi
+ 2009-03-09 12:07 . 2009-03-09 12:07 1539584 c:\windows\Installer\da4cb29.msi
+ 2009-06-13 23:00 . 2009-06-13 23:00 1021952 c:\windows\Installer\ca1ba.msi
+ 2009-03-05 06:09 . 2009-03-05 06:09 2109440 c:\windows\Installer\b891.msi
+ 2009-04-26 19:41 . 2009-04-26 19:41 6362624 c:\windows\Installer\a34c95f.msi
+ 2005-01-10 01:24 . 2005-01-10 01:24 3443712 c:\windows\Installer\42e1c.msi
+ 2009-09-01 23:36 . 2009-09-01 23:36 1516544 c:\windows\Installer\3b460.msi
+ 2009-04-05 19:04 . 2009-04-05 19:04 1499648 c:\windows\Installer\399b6.msi
+ 2009-05-19 10:29 . 2009-05-19 10:29 3966976 c:\windows\Installer\380fd81.msi
+ 2009-05-19 10:28 . 2009-05-19 10:28 1549312 c:\windows\Installer\380fd70.msi
+ 2009-05-19 10:27 . 2009-05-19 10:27 3293696 c:\windows\Installer\380fd6a.msi
+ 2009-03-05 06:16 . 2009-03-05 06:16 2058752 c:\windows\Installer\2c61b.msi
+ 2009-03-05 06:15 . 2009-03-05 06:15 4685312 c:\windows\Installer\2c5f6.msi
+ 2009-03-05 06:14 . 2009-03-05 06:14 2124800 c:\windows\Installer\2c5ef.msi
+ 2009-03-05 06:13 . 2009-03-05 06:13 1019392 c:\windows\Installer\2c5e5.msi
+ 2009-03-05 06:12 . 2009-03-05 06:12 3270656 c:\windows\Installer\2c5d3.msi
+ 2009-03-05 06:12 . 2005-10-29 04:03 2727936 c:\windows\Installer\20a95.msi
+ 2009-03-05 11:30 . 2009-03-05 11:30 1640960 c:\windows\Installer\176121.msi
+ 2009-03-05 11:30 . 2009-03-05 11:30 1652736 c:\windows\Installer\176115.msi
+ 2009-03-05 11:30 . 2009-03-05 11:30 1652736 c:\windows\Installer\17610f.msi
+ 2009-03-05 11:30 . 2009-03-05 11:30 1652736 c:\windows\Installer\176109.msi
+ 2009-03-05 11:29 . 2009-03-05 11:29 2319872 c:\windows\Installer\1760e9.msi
+ 2009-03-05 11:29 . 2009-03-05 11:29 1647616 c:\windows\Installer\1760dd.msi
+ 2009-03-05 11:29 . 2009-03-05 11:29 1640960 c:\windows\Installer\1760cd.msi
+ 2009-03-05 11:29 . 2009-03-05 11:29 2022912 c:\windows\Installer\1760c7.msi
+ 2009-03-05 11:28 . 2009-03-05 11:28 1713152 c:\windows\Installer\1760c1.msi
+ 2009-03-05 11:28 . 2009-03-05 11:28 2397184 c:\windows\Installer\1760b5.msi
+ 2008-09-26 22:08 . 2008-09-26 22:08 3204368 c:\windows\Downloaded Program Files\EPUWALcontrol.dll
+ 2009-03-05 06:14 . 2009-03-05 06:14 2316800 c:\windows\Downloaded Installations\{92DFCBB1-F8E2-4C8E-94E8-E135A105B02A}\Digital Media Reader.msi
+ 2009-03-05 13:54 . 2009-03-05 06:11 11333632 c:\windows\system32\config\systemprofile\Local Settings\Application Data\{3248F0A6-6813-11D6-A77B-00B0D0150020}\J2SE Runtime Environment 5.0 Update 2.msi
+ 2005-09-23 15:48 . 2005-09-23 15:48 24863744 c:\windows\Microsoft.NET\Framework\v2.0.50727\Microsoft .NET Framework 2.0\netfx.msi
+ 2005-01-10 01:25 . 2005-01-10 01:25 19210240 c:\windows\Installer\5f3ea.msp
+ 2009-03-05 11:34 . 2009-03-05 11:34 18181632 c:\windows\Installer\176142.msi
.
-- Snapshot reset to current date --
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{3958fe57-abb1-4b3c-874d-a6b354d1e86f}]
2009-05-31 22:48 49152 --sha-w- c:\windows\system32\fasapako.dll

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"MSMSGS"="c:\program files\Messenger\msmsgs.exe" [2004-10-13 1694208]
"Steam"="c:\program files\Steam\Steam.exe" [2009-06-13 1217784]
"BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}"="c:\program files\Common Files\Ahead\Lib\NMBgMonitor.exe" [2007-05-16 153136]
"SpybotSD TeaTimer"="c:\dvd programs\Spybot - Search & Destroy\TeaTimer.exe" [2009-03-05 2260480]
"AOL Fast Start"="c:\program files\America Online 9.0\AOL.EXE" [2005-07-26 50776]
"SUPERAntiSpyware"="c:\dvd programs\SUPERAntiSpyware.exe" [2009-08-05 1830128]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ehTray"="c:\windows\ehome\ehtray.exe" [2005-08-06 64512]
"igfxtray"="c:\windows\system32\igfxtray.exe" [2007-01-22 94208]
"igfxhkcmd"="c:\windows\system32\hkcmd.exe" [2007-01-22 77824]
"igfxpers"="c:\windows\system32\igfxpers.exe" [2007-01-22 114688]
"HostManager"="c:\program files\Common Files\AOL\1236233593\ee\AOLSoftware.exe" [2006-03-10 48280]
"readericon"="c:\program files\Digital Media Reader\readericon45G.exe" [2005-08-27 139264]
"Recguard"="c:\windows\SMINST\RECGUARD.EXE" [2002-09-14 212992]
"IAAnotif"="c:\program files\Intel\Intel Matrix Storage Manager\iaanotif.exe" [2005-10-12 139264]
"IntelAudioStudio"="c:\program files\Intel Audio Studio\IntelAudioStudio.exe" [2005-10-28 8740864]
"MSKDetectorExe"="c:\program files\McAfee\SpamKiller\MSKDetct.exe" [2005-08-13 1121792]
"GrooveMonitor"="c:\program files\Microsoft Office\Office12\GrooveMonitor.exe" [2006-10-27 31016]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2009-01-15 13680640]
"NvMediaCenter"="c:\windows\system32\NvMcTray.dll" [2009-01-15 86016]
"PAC7302_Monitor"="c:\windows\PixArt\PAC7302\Monitor.exe" [2006-11-03 319488]
"NeroFilterCheck"="c:\program files\Common Files\Ahead\Lib\NeroCheck.exe" [2007-03-01 153136]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2009-05-06 148888]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2009-04-02 342312]
"pumayidaja"="c:\windows\system32\luyehije.dll" [2009-05-31 49152]
"merigijid"="c:\windows\system32\deporare.dll" [2009-09-02 88576]
"nwiz"="nwiz.exe" - c:\windows\system32\nwiz.exe [2009-01-15 1657376]

c:\documents and settings\Owner\Start Menu\Programs\Startup\
OneNote 2007 Screen Clipper and Launcher.lnk - c:\program files\Microsoft Office\Office12\ONENOTEM.EXE [2006-10-26 98632]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
WinZip Quick Pick.lnk - c:\dvd programs\WZQKPICK.EXE [2008-9-10 525664]

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\SharedTaskScheduler]
"{6f05cc67-ea03-401b-b007-d514e19aa4f0}"= "c:\windows\system32\deporare.dll" [2009-09-02 88576]

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "c:\dvd programs\SASSEH.DLL" [2008-05-13 77824]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad]
"remupasez"= {6f05cc67-ea03-401b-b007-d514e19aa4f0} - c:\windows\system32\deporare.dll [2009-09-02 88576]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
2008-12-22 16:05 356352 ----a-w- c:\dvd programs\SASWINLO.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"LoadAppInit_DLLs"=1 (0x1)

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"UpdatesDisableNotify"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Common Files\\AOL\\Loader\\aolload.exe"=
"c:\\Program Files\\Common Files\\AOL\\ACS\\AOLDial.exe"=
"c:\\Program Files\\Common Files\\AOL\\ACS\\AOLacsd.exe"=
"c:\\Program Files\\America Online 9.0\\waol.exe"=
"c:\\Program Files\\Common Files\\AOL\\TopSpeed\\2.0\\aoltsmon.exe"=
"c:\\Program Files\\Common Files\\AOL\\TopSpeed\\2.0\\aoltpspd.exe"=
"c:\\Program Files\\Common Files\\AOL\\1236233593\\EE\\AOLServiceHost.exe"=
"c:\\Program Files\\Common Files\\AOL\\System Information\\sinf.exe"=
"c:\\Program Files\\Common Files\\AolCoach\\en_en\\player\\AOLNySEV.exe"=
"c:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.EXE"=
"c:\\Program Files\\Microsoft Office\\Office12\\GROOVE.EXE"=
"c:\\Program Files\\Microsoft Office\\Office12\\ONENOTE.EXE"=
"c:\\Program Files\\Messenger\\msmsgs.exe"=
"c:\\Program Files\\Steam\\steamapps\\common\\left 4 dead\\left4dead.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\\DVD PROGRAMS\\BitTornado\\btdownloadgui.exe"=
"c:\\Program Files\\Common Files\\Apple\\Mobile Device Support\\bin\\AppleMobileDeviceService.exe"=
"c:\\WINDOWS\\system32\\spoolsv.exe"=
"c:\\Program Files\\Intel Audio Studio\\IntelAudioStudio.exe"=
"c:\\WINDOWS\\explorer.exe"=

R1 SASDIFSV;SASDIFSV;c:\dvd programs\sasdifsv.sys [8/5/2009 4:06 PM 9968]
R1 SASKUTIL;SASKUTIL;c:\dvd programs\SASKUTIL.SYS [8/5/2009 4:06 PM 74480]
R3 PAC7302;PAC7302 VGA USB Camera;c:\windows\system32\drivers\PAC7302.SYS [4/12/2009 12:47 PM 457856]
S3 SASENUM;SASENUM;c:\dvd programs\SASENUM.SYS [8/5/2009 4:06 PM 7408]
.
Contents of the 'Scheduled Tasks' folder

2009-09-03 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 16:34]

2009-03-08 c:\windows\Tasks\ISP signup reminder 1.job
- c:\windows\system32\OOBE\oobebaln.exe [2006-12-12 19:00]

2009-03-16 c:\windows\Tasks\ISP signup reminder 2.job
- c:\windows\system32\OOBE\oobebaln.exe [2006-12-12 19:00]

2009-03-21 c:\windows\Tasks\ISP signup reminder 3.job
- c:\windows\system32\OOBE\oobebaln.exe [2006-12-12 19:00]
.
- - - - ORPHANS REMOVED - - - -

HKLM-Run-11056564 - c:\documents and settings\All Users\Application Data\11056564\11056564.exe
SafeBoot-mcmscsvc
SafeBoot-MCODS


.
------- Supplementary Scan -------
.
mStart Page = hxxp://www.gateway.com/g/startpage.html?Ch=Retail&Br=GTW&Loc=ENG_US&Sys=DTP&M=GT5064
uInternet Connection Wizard,ShellNext = hxxp://clienturls.aol.com/safety/us/securitycenter/migration_asp2retired
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office12\EXCEL.EXE/3000
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-09-03 16:55
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(752)
c:\dvd programs\SASWINLO.dll

- - - - - - - > 'explorer.exe'(712)
c:\windows\system32\luyehije.dll
c:\windows\system32\deporare.dll
c:\windows\system32\werepolo.dll
c:\progra~1\MICROS~2\Office12\GRA8E1~1.DLL
c:\windows\system32\msi.dll
.
------------------------ Other Running Processes ------------------------
.
c:\program files\Common Files\AOL\ACS\AOLacsd.exe
c:\program files\Common Files\AOL\TopSpeed\2.0\aoltsmon.exe
c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
c:\program files\Common Files\AOL\TopSpeed\2.0\aoltpspd.exe
c:\windows\ehome\ehRecvr.exe
c:\windows\ehome\ehSched.exe
c:\program files\America Online 9.0\waol.exe
c:\program files\Intel\Intel Matrix Storage Manager\IAANTMon.exe
c:\program files\Java\jre6\bin\jqs.exe
c:\program files\Common Files\AOL\1236233593\EE\services\antiSpywareApp\ver2_0_32_1\AOLSP Scheduler.exe
c:\program files\Common Files\New Boundary\PrismXL\PRISMXL.SYS
c:\windows\system32\wdfmgr.exe
c:\windows\ehome\mcrdsvc.exe
c:\program files\Intel\IntelDH\Intel® Quick Resume Technology\ELService.exe
c:\program files\iPod\bin\iPodService.exe
c:\program files\Common Files\Ahead\Lib\NMIndexingService.exe
c:\windows\system32\dllhost.exe
c:\program files\Common Files\Ahead\Lib\NMIndexStoreSvr.exe
c:\windows\ehome\ehmsas.exe
c:\program files\America Online 9.0\shellmon.exe
.
**************************************************************************
.
Completion time: 2009-09-03 16:57 - machine was rebooted
ComboFix-quarantined-files.txt 2009-09-03 20:57

Pre-Run: 183,029,211,136 bytes free
Post-Run: 182,997,803,008 bytes free

293 --- E O F --- 2009-03-06 12:00
  • 0

#6
KINNEY1978
    Member

  • Topic Starter
  • Member
  • 62 posts
I finally got Malwarebytes' Anti-Malware to run fully.

Here is the log plus an updated ComboFix log.

Malwarebytes' Anti-Malware 1.40
Database version: 2737
Windows 5.1.2600 Service Pack 2

9/3/2009 5:38:12 PM
mbam-log-2009-09-03 (17-38-12).txt

Scan type: Quick Scan
Objects scanned: 102568
Time elapsed: 4 minute(s), 6 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 4
Registry Keys Infected: 4
Registry Values Infected: 4
Registry Data Items Infected: 5
Folders Infected: 0
Files Infected: 8

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
C:\WINDOWS\system32\fasapako.dll (Trojan.Vundo.H) -> Delete on reboot.
C:\WINDOWS\system32\luyehije.dll (Trojan.Vundo.H) -> Delete on reboot.
c:\WINDOWS\system32\werepolo.dll (Trojan.Vundo.H) -> Delete on reboot.
c:\WINDOWS\system32\deporare.dll (Trojan.Vundo) -> Delete on reboot.

Registry Keys Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{3958fe57-abb1-4b3c-874d-a6b354d1e86f} (Trojan.Vundo.H) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{3958fe57-abb1-4b3c-874d-a6b354d1e86f} (Trojan.Vundo.H) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{3958fe57-abb1-4b3c-874d-a6b354d1e86f} (Trojan.Vundo.H) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{6f05cc67-ea03-401b-b007-d514e19aa4f0} (Trojan.Vundo.H) -> Quarantined and deleted successfully.

Registry Values Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\pumayidaja (Trojan.Vundo.H) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\merigijid (Trojan.Vundo.H) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SharedTaskScheduler\{6f05cc67-ea03-401b-b007-d514e19aa4f0} (Trojan.Vundo.H) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\remupasez (Trojan.Vundo.H) -> Quarantined and deleted successfully.

Registry Data Items Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\AppInit_DLLs (Trojan.Vundo.H) -> Data: c:\windows\system32\werepolo.dll -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\AppInit_DLLs (Trojan.Vundo.H) -> Data: system32\werepolo.dll -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\AppInit_DLLs (Trojan.Vundo) -> Data: c:\windows\system32\deporare.dll -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\AppInit_DLLs (Trojan.Vundo) -> Data: system32\deporare.dll -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\UpdatesDisableNotify (Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.

Folders Infected:
(No malicious items detected)

Files Infected:
C:\WINDOWS\system32\luyehije.dll (Trojan.Vundo.H) -> Delete on reboot.
c:\WINDOWS\system32\werepolo.dll (Trojan.Vundo.H) -> Delete on reboot.
C:\WINDOWS\system32\fasapako.dll (Trojan.Vundo.H) -> Delete on reboot.
C:\blyuwrjl.exe (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\pvewnn.exe (Trojan.Dropper) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\pejejuwu.dll (Trojan.Vundo.H) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\deporare.dll (Trojan.Vundo) -> Delete on reboot.
C:\WINDOWS\system32\mebarepo.dll (Trojan.Vundo) -> Quarantined and deleted successfully.


ComboFix 09-09-03.02 - Owner 09/03/2009 17:48.4.2 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.2037.1549 [GMT -4:00]
Running from: c:\documents and settings\Owner\Desktop\ComboFix.exe
.

((((((((((((((((((((((((( Files Created from 2009-08-03 to 2009-09-03 )))))))))))))))))))))))))))))))
.

2009-09-03 21:32 . 2009-08-03 17:36 38160 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2009-09-03 21:32 . 2009-08-03 17:36 19096 ----a-w- c:\windows\system32\drivers\mbam.sys
2009-09-03 20:48 . 2009-09-03 20:57 -------- d-s---w- C:\kahdah
2009-09-02 01:05 . 2009-09-02 01:05 -------- d-----w- c:\documents and settings\Owner\Application Data\Yahoo!
2009-09-01 23:36 . 2009-09-01 23:36 -------- d-----w- c:\documents and settings\All Users\Application Data\SUPERAntiSpyware.com
2009-09-01 23:36 . 2009-09-01 23:36 -------- d-----w- c:\documents and settings\Owner\Application Data\SUPERAntiSpyware.com
2009-09-01 23:29 . 2009-09-01 23:29 -------- d-----w- c:\documents and settings\Administrator\Local Settings\Application Data\toaster
2009-09-01 23:25 . 2009-09-01 23:25 -------- d-----w- c:\documents and settings\Administrator\Application Data\Yahoo!
2009-09-01 23:25 . 2009-09-02 01:07 -------- d-----w- c:\program files\Yahoo!
2009-09-01 21:27 . 2009-09-01 21:27 -------- d-----w- c:\documents and settings\Administrator\Application Data\Malwarebytes
2009-09-01 21:18 . 2009-09-01 21:18 -------- d-----w- c:\program files\MBblah
2009-09-01 21:16 . 2009-09-03 21:32 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2009-08-31 10:42 . 2009-08-31 10:42 73216 ----a-w- C:\jLg.exe

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-09-03 21:53 . 2009-04-12 16:26 -------- d-----w- c:\program files\Steam
2009-09-03 20:50 . 2009-03-05 13:54 -------- d-----w- c:\windows\system32\config\systemprofile\Application Data\SampleView
2009-09-02 20:39 . 2009-03-05 06:18 -------- d-----w- c:\documents and settings\All Users\Application Data\McAfee
2009-09-02 20:39 . 2009-03-05 06:18 -------- d-----w- c:\program files\McAfee
2009-09-01 23:22 . 2009-04-05 19:04 7912 ----a-w- c:\windows\system32\d3d9caps.dat
2009-08-31 22:38 . 2009-04-26 19:31 -------- d-----w- c:\documents and settings\All Users\Application Data\DVD Shrink
.

------- Sigcheck -------

[-] 2005-03-14 01:17 359936 6129E70F3D2F1E60860C930EBEAF92C2 c:\windows\$hf_mig$\KB893066\SP2QFE\tcpip.sys
[-] 2008-06-20 10:45 360320 2A5554FC5B1E04E131230E3CE035C3F9 c:\windows\SoftwareDistribution\Download\ad744bdeedce85bf37a096f34577ff3a\sp2gdr\tcpip.sys
[-] 2008-06-20 10:44 360960 744E57C99232201AE98C49168B918F48 c:\windows\SoftwareDistribution\Download\ad744bdeedce85bf37a096f34577ff3a\sp2qfe\tcpip.sys
[-] 2008-06-20 11:51 361600 9AEFA14BD6B182D61E3119FA5F436D3D c:\windows\SoftwareDistribution\Download\ad744bdeedce85bf37a096f34577ff3a\sp3gdr\tcpip.sys
[-] 2008-06-20 11:59 361600 AD978A1B783B5719720CFF204B666C8E c:\windows\SoftwareDistribution\Download\ad744bdeedce85bf37a096f34577ff3a\sp3qfe\tcpip.sys
[-] 2008-04-13 19:20 361344 93EA8D04EC73A85DB02EB8805988F733 c:\windows\SoftwareDistribution\Download\e9500597a78495f397efb821e37bf356\tcpip.sys
[-] 2005-03-14 00:55 359808 0E66B538096A6529D1AC66E78EB0D5C8 c:\windows\system32\drivers\tcpip.sys
.
((((((((((((((((((((((((((((( SnapShot_2009-09-03_20.55.35 )))))))))))))))))))))))))))))))))))))))))
.
+ 2009-09-03 21:53 . 2009-09-03 21:53 16384 c:\windows\temp\Perflib_Perfdata_70c.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"MSMSGS"="c:\program files\Messenger\msmsgs.exe" [2004-10-13 1694208]
"Steam"="c:\program files\Steam\Steam.exe" [2009-06-13 1217784]
"BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}"="c:\program files\Common Files\Ahead\Lib\NMBgMonitor.exe" [2007-05-16 153136]
"SpybotSD TeaTimer"="c:\dvd programs\Spybot - Search & Destroy\TeaTimer.exe" [2009-03-05 2260480]
"AOL Fast Start"="c:\program files\America Online 9.0\AOL.EXE" [2005-07-26 50776]
"SUPERAntiSpyware"="c:\dvd programs\SUPERAntiSpyware.exe" [2009-08-05 1830128]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ehTray"="c:\windows\ehome\ehtray.exe" [2005-08-06 64512]
"igfxtray"="c:\windows\system32\igfxtray.exe" [2007-01-22 94208]
"igfxhkcmd"="c:\windows\system32\hkcmd.exe" [2007-01-22 77824]
"igfxpers"="c:\windows\system32\igfxpers.exe" [2007-01-22 114688]
"HostManager"="c:\program files\Common Files\AOL\1236233593\ee\AOLSoftware.exe" [2006-03-10 48280]
"readericon"="c:\program files\Digital Media Reader\readericon45G.exe" [2005-08-27 139264]
"Recguard"="c:\windows\SMINST\RECGUARD.EXE" [2002-09-14 212992]
"IAAnotif"="c:\program files\Intel\Intel Matrix Storage Manager\iaanotif.exe" [2005-10-12 139264]
"IntelAudioStudio"="c:\program files\Intel Audio Studio\IntelAudioStudio.exe" [2005-10-28 8740864]
"MSKDetectorExe"="c:\program files\McAfee\SpamKiller\MSKDetct.exe" [2005-08-13 1121792]
"GrooveMonitor"="c:\program files\Microsoft Office\Office12\GrooveMonitor.exe" [2006-10-27 31016]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2009-01-15 13680640]
"NvMediaCenter"="c:\windows\system32\NvMcTray.dll" [2009-01-15 86016]
"PAC7302_Monitor"="c:\windows\PixArt\PAC7302\Monitor.exe" [2006-11-03 319488]
"NeroFilterCheck"="c:\program files\Common Files\Ahead\Lib\NeroCheck.exe" [2007-03-01 153136]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2009-05-06 148888]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2009-04-02 342312]
"nwiz"="nwiz.exe" - c:\windows\system32\nwiz.exe [2009-01-15 1657376]

c:\documents and settings\Owner\Start Menu\Programs\Startup\
OneNote 2007 Screen Clipper and Launcher.lnk - c:\program files\Microsoft Office\Office12\ONENOTEM.EXE [2006-10-26 98632]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
WinZip Quick Pick.lnk - c:\dvd programs\WZQKPICK.EXE [2008-9-10 525664]

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "c:\dvd programs\SASSEH.DLL" [2008-05-13 77824]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
2008-12-22 16:05 356352 ----a-w- c:\dvd programs\SASWINLO.dll

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\mcmscsvc]
@=""

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MCODS]
@=""

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\mfehidk]
@=""

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\mfehidk.sys]
@=""

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\mferkdk]
@=""

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\mferkdk.sys]
@=""

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\mfetdik]
@=""

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\mfetdik.sys]
@=""

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Common Files\\AOL\\Loader\\aolload.exe"=
"c:\\Program Files\\Common Files\\AOL\\ACS\\AOLDial.exe"=
"c:\\Program Files\\Common Files\\AOL\\ACS\\AOLacsd.exe"=
"c:\\Program Files\\America Online 9.0\\waol.exe"=
"c:\\Program Files\\Common Files\\AOL\\TopSpeed\\2.0\\aoltsmon.exe"=
"c:\\Program Files\\Common Files\\AOL\\TopSpeed\\2.0\\aoltpspd.exe"=
"c:\\Program Files\\Common Files\\AOL\\1236233593\\EE\\AOLServiceHost.exe"=
"c:\\Program Files\\Common Files\\AOL\\System Information\\sinf.exe"=
"c:\\Program Files\\Common Files\\AolCoach\\en_en\\player\\AOLNySEV.exe"=
"c:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.EXE"=
"c:\\Program Files\\Microsoft Office\\Office12\\GROOVE.EXE"=
"c:\\Program Files\\Microsoft Office\\Office12\\ONENOTE.EXE"=
"c:\\Program Files\\Messenger\\msmsgs.exe"=
"c:\\Program Files\\Steam\\steamapps\\common\\left 4 dead\\left4dead.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\\DVD PROGRAMS\\BitTornado\\btdownloadgui.exe"=
"c:\\Program Files\\Common Files\\Apple\\Mobile Device Support\\bin\\AppleMobileDeviceService.exe"=
"c:\\WINDOWS\\system32\\spoolsv.exe"=
"c:\\Program Files\\Intel Audio Studio\\IntelAudioStudio.exe"=

R1 SASDIFSV;SASDIFSV;c:\dvd programs\sasdifsv.sys [8/5/2009 4:06 PM 9968]
R1 SASKUTIL;SASKUTIL;c:\dvd programs\SASKUTIL.SYS [8/5/2009 4:06 PM 74480]
R3 PAC7302;PAC7302 VGA USB Camera;c:\windows\system32\drivers\PAC7302.SYS [4/12/2009 12:47 PM 457856]
S3 SASENUM;SASENUM;c:\dvd programs\SASENUM.SYS [8/5/2009 4:06 PM 7408]

--- Other Services/Drivers In Memory ---

*NewlyCreated* - ATWPKT2
*Deregistered* - ATWPKT2
.
Contents of the 'Scheduled Tasks' folder

2009-09-03 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 16:34]

2009-03-08 c:\windows\Tasks\ISP signup reminder 1.job
- c:\windows\system32\OOBE\oobebaln.exe [2006-12-12 19:00]

2009-03-16 c:\windows\Tasks\ISP signup reminder 2.job
- c:\windows\system32\OOBE\oobebaln.exe [2006-12-12 19:00]

2009-03-21 c:\windows\Tasks\ISP signup reminder 3.job
- c:\windows\system32\OOBE\oobebaln.exe [2006-12-12 19:00]
.
- - - - ORPHANS REMOVED - - - -

BHO-{3958fe57-abb1-4b3c-874d-a6b354d1e86f} - (no file)


.
------- Supplementary Scan -------
.
mStart Page = hxxp://www.gateway.com/g/startpage.html?Ch=Retail&Br=GTW&Loc=ENG_US&Sys=DTP&M=GT5064
uInternet Connection Wizard,ShellNext = hxxp://clienturls.aol.com/safety/us/securitycenter/migration_asp2retired
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office12\EXCEL.EXE/3000
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-09-03 17:53
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(748)
c:\dvd programs\SASWINLO.dll

- - - - - - - > 'explorer.exe'(1956)
c:\windows\system32\msi.dll
.
------------------------ Other Running Processes ------------------------
.
c:\program files\Common Files\AOL\ACS\AOLacsd.exe
c:\program files\Common Files\AOL\TopSpeed\2.0\aoltsmon.exe
c:\program files\America Online 9.0\waol.exe
c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
c:\program files\Common Files\AOL\TopSpeed\2.0\aoltpspd.exe
c:\windows\ehome\ehRecvr.exe
c:\windows\ehome\ehSched.exe
c:\program files\Common Files\AOL\1236233593\EE\services\antiSpywareApp\ver2_0_32_1\AOLSP Scheduler.exe
c:\program files\Intel\Intel Matrix Storage Manager\IAANTMon.exe
c:\program files\Java\jre6\bin\jqs.exe
c:\program files\Common Files\New Boundary\PrismXL\PRISMXL.SYS
c:\windows\system32\wdfmgr.exe
c:\program files\Intel\IntelDH\Intel® Quick Resume Technology\ELService.exe
c:\windows\ehome\mcrdsvc.exe
c:\program files\Common Files\Ahead\Lib\NMIndexingService.exe
c:\program files\iPod\bin\iPodService.exe
c:\windows\system32\dllhost.exe
c:\program files\Common Files\Ahead\Lib\NMIndexStoreSvr.exe
c:\windows\system32\wscntfy.exe
c:\windows\ehome\ehmsas.exe
c:\program files\America Online 9.0\shellmon.exe
.
**************************************************************************
.
Completion time: 2009-09-03 17:55 - machine was rebooted
ComboFix-quarantined-files-A.txt 2009-09-03 20:57
ComboFix-quarantined-files.txt 2009-09-03 21:55

Pre-Run: 182,959,226,880 bytes free
Post-Run: 182,678,945,792 bytes free

193 --- E O F --- 2009-03-06 12:00
  • 0

#7
kahdah

kahdah

    GeekU Teacher

  • Retired Staff
  • 15,822 posts
As a final check - Please perform the following online scan:

* Go here to run an online scanner from ESET.
  • Note: You will need to use Internet Explorer for this scan
  • Tick the box next to YES, I accept the Terms of Use.
  • Click Start
  • When asked, allow the ActiveX control to install
  • Click Start
  • Check the following options: Remove found threats and Scan unwanted applications.
  • Click Scan
  • Wait for the scan to finish
  • Use notepad to open the logfile located at C:\Program Files\EsetOnlineScanner\log.txt
  • Copy and paste that log as a reply to this topic

  • 0

#8
KINNEY1978

KINNEY1978

    Member

  • Topic Starter
  • Member
  • PipPip
  • 62 posts
I'm sorry to report that the program was unsuccessful.

I downloaded the program and ran it. It found 7 items the first time and 5 the next. I followed the steps; however, it did not offer a log at the end as described, and only offered for me to use a 30-day trial or purchase.

I tried the 30 day trial and still nothing.
  • 0

#9
kahdah

kahdah

    GeekU Teacher

  • Retired Staff
  • 15,822 posts
Try this one please.

Please go HERE to run Panda's ActiveScan 2.0
  • Once you are on the Panda site click the Scan your PC button
  • A new window will open... click the yellow bar to install the ActiveX control.
  • Then click Install.
  • It will begin to download and scan.
  • When the scan completes, click on the Export now button then save the file to your desktop.
  • Close ActiveScan 2.0
  • Please post the contents of the log here in your next reply.

  • 0

#10
KINNEY1978

KINNEY1978

    Member

  • Topic Starter
  • Member
  • PipPip
  • 62 posts
Here you go. I attached it instead of pasting it. When I pasted it, it was all distorted.

Attached Files


  • 0

#11
kahdah

kahdah

    GeekU Teacher

  • Retired Staff
  • 15,822 posts
Please submit the following files to one of these online file scanners.
(All you have to do is copy and paste the file path into the box when you click on Browse; once you have done that, click on the Open button, then Submit.)

c:\windows\system32\drivers\tcpip.sys
c:\windows\$hf_mig$\KB893066\SP2QFE\tcpip.sys


Jotti File Scan
VirusTotal File Scan

This will produce a report after the scan is complete, please copy and paste those results in your next post.
  • 0
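As an added example (it is not part of this thread, and not ComboFix's, Jotti's or VirusTotal's own code), here is a small Python helper for the step kahdah asks for above: it parses the Sigcheck block of a ComboFix log, computes a file's MD5 so it can be compared with the hash the log lists, and groups the entries by hash. The sample log text is constructed inline from two of the Sigcheck lines quoted earlier; the path-mapping dictionary and the temp-file helper are assumptions so it can run on a machine other than the affected PC. Note that the log itself shows seven copies of tcpip.sys with seven different hashes across the hotfix and Windows Update caches, so differing hashes between copies is not by itself evidence of tampering; what matters is whether the hash of the copy actually loaded from system32\drivers is a known-good one, which is why that file (and the hotfix backup) are the ones being submitted.

```python
"""Added example: parse ComboFix 'Sigcheck' lines and rehash files for comparison."""
import hashlib
import os
import re
import tempfile
from collections import defaultdict
from typing import Dict, List, NamedTuple


class SigcheckEntry(NamedTuple):
    flag: str   # ComboFix prints "-" for a file that failed its signature check
    date: str
    size: int
    md5: str    # uppercase hex, as printed in the log
    path: str


# Constructed sample input: two of the Sigcheck lines quoted from the log above.
SAMPLE_SIGCHECK = r"""
------- Sigcheck -------

[-] 2005-03-14 01:17 359936 6129E70F3D2F1E60860C930EBEAF92C2 c:\windows\$hf_mig$\KB893066\SP2QFE\tcpip.sys
[-] 2005-03-14 00:55 359808 0E66B538096A6529D1AC66E78EB0D5C8 c:\windows\system32\drivers\tcpip.sys
.
"""

# One result line: [flag] date time size md5 path
_LINE = re.compile(
    r"^\[(?P<flag>[^\]]+)\]\s+"
    r"(?P<date>\d{4}-\d{2}-\d{2} \d{2}:\d{2})\s+"
    r"(?P<size>\d+)\s+"
    r"(?P<md5>[0-9A-Fa-f]{32})\s+"
    r"(?P<path>\S.*?)\s*$"
)


def parse_sigcheck(text: str) -> List[SigcheckEntry]:
    """Return every Sigcheck result line found in a ComboFix log excerpt."""
    entries = []
    for line in text.splitlines():
        m = _LINE.match(line.strip())
        if m:
            entries.append(SigcheckEntry(m["flag"], m["date"], int(m["size"]),
                                         m["md5"].upper(), m["path"]))
    return entries


def md5_of_file(path: str, chunk_size: int = 1 << 20) -> str:
    """Hash a file in chunks. MD5 is used only because that is what the log lists."""
    h = hashlib.md5()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(chunk_size), b""):
            h.update(chunk)
    return h.hexdigest().upper()


def compare_with_disk(entries: List[SigcheckEntry],
                      path_map: Dict[str, str]) -> Dict[str, str]:
    """Rehash each logged file and report 'match', 'changed' or 'missing'.

    path_map (an assumption of this example) translates the log's Windows
    paths to wherever the files are reachable now, e.g. a copied-off drive."""
    report = {}
    for e in entries:
        local = path_map.get(e.path, e.path)
        if not os.path.isfile(local):
            report[e.path] = "missing"
        elif md5_of_file(local) == e.md5:
            report[e.path] = "match"
        else:
            report[e.path] = "changed"
    return report


def versions_by_hash(entries: List[SigcheckEntry]) -> Dict[str, List[str]]:
    """Group paths by MD5: update and hotfix caches legitimately hold several builds."""
    groups = defaultdict(list)
    for e in entries:
        groups[e.md5].append(e.path)
    return dict(groups)


def write_temp_copy(data: bytes) -> str:
    """Write constructed bytes to a temp file and return its path (demo helper only)."""
    fd, path = tempfile.mkstemp(suffix=".sys")
    with os.fdopen(fd, "wb") as fh:
        fh.write(data)
    return path


if __name__ == "__main__":
    entries = parse_sigcheck(SAMPLE_SIGCHECK)
    for e in entries:
        print(f"[{e.flag}] {e.md5} {e.size:>7} {e.path}")
    # Constructed stand-in for the live driver: its hash will not equal the
    # logged one, so the report marks it 'changed'; the hotfix copy is 'missing'.
    fake = write_temp_copy(b"not the real tcpip.sys")
    live = r"c:\windows\system32\drivers\tcpip.sys"
    print(compare_with_disk(entries, {live: fake}))
    os.remove(fake)
```

Usage: save the Sigcheck block from the log into a string (or read the whole log and pass it in), run `parse_sigcheck`, and feed the resulting hashes to the online scanners' hash lookup instead of uploading the file when a copy is not available; `compare_with_disk` is for confirming that the file you are about to submit is still the one the log described.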
