Javascript Disabled Detected

You currently have javascript disabled. Several functions may not work. Please re-enable javascript to access full functionality.

Vundo.IS

Started by mutex , Nov 27 2009 06:28 PM

Please log in to reply

#1
mutex

Posted 27 November 2009 - 06:28 PM

Member

Member
16 posts

I am trying to help a friend with his computer. He is unable to boot into safemode despite trying SafeBootKeyRepair.exe. He doesn't have a Windows XP Home disk. I assume the safemode issue may be related to atapi.sys. Can I copy this file from a Windows XP Pro system?

I have also run TFC and OTL. I was unable to run RootRepeal.

I can boot into normal mode on his Windows XP Home SP 3 computer and now that I've cleaned things up everything seems to run fine (in normal mode) until I try to install and run any anti-virus software. We have tried the latest version of Norton and AVG. AVG says he has the Vundo.IS trojan. When anti-virus is installed the system slows way down and when trying to open Internet Explorer we get multiple pop-ups saying Internet Explorer can't find some jibberish address. Closing these pop-ups causes a new IE page to load. If I close the windows using F-4 I can get IE to finally open up properly. IE will not work when I try to run it without add-ons.

Folowing is the info file generated by OTL:

OTL logfile created on: 11/27/2009 1:00:51 PM - Run 1
OTL by OldTimer - Version 3.1.10.1 Folder = C:\Documents and Settings\Carl_2\Desktop
Windows XP Home Edition Service Pack 3 (Version = 5.1.2600) - Type = NTWorkstation
Internet Explorer (Version = 8.0.6001.18702)
Locale: 00000409 | Country: United States | Language: ENU | Date Format: M/d/yyyy

255.00 Mb Total Physical Memory | 92.85 Mb Available Physical Memory | 36.41% Memory free
624.50 Mb Paging File | 470.86 Mb Available in Paging File | 75.40% Paging File free
Paging file location(s): C:\pagefile.sys 0 0 [binary data]

%SystemDrive% = C: | %SystemRoot% = C:\WINDOWS | %ProgramFiles% = C:\Program Files
Drive C: | 74.46 Gb Total Space | 64.44 Gb Free Space | 86.54% Space Free | Partition Type: NTFS
D: Drive not present or media not loaded
E: Drive not present or media not loaded
F: Drive not present or media not loaded
G: Drive not present or media not loaded
H: Drive not present or media not loaded
I: Drive not present or media not loaded

Computer Name: DCD9SH41
Current User Name: Carl_2
Logged in as Administrator.

Current Boot Mode: Normal
Scan Mode: Current user
Company Name Whitelist: On
Skip Microsoft Files: On
File Age = 14 Days
Output = Standard
Quick Scan

========== Processes (SafeList) ==========

PRC - [2009/11/25 20:40:09 | 00,531,456 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\Carl_2\Desktop\OTL.exe
PRC - [2009/10/11 04:17:35 | 00,153,376 | ---- | M] (Sun Microsystems, Inc.) -- C:\Program Files\Java\jre6\bin\jqs.exe
PRC - [2009/02/06 04:10:02 | 00,227,840 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\SYSTEM32\WBEM\wmiprvse.exe
PRC - [2008/04/13 18:12:19 | 01,033,728 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\explorer.exe
PRC - [2003/10/30 08:06:02 | 00,073,728 | ---- | M] (NVIDIA Corporation) -- C:\WINDOWS\SYSTEM32\nvsvc32.exe
PRC - [2003/06/19 23:25:00 | 00,322,120 | ---- | M] (Microsoft Corporation) -- C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
PRC - [2003/05/31 18:02:32 | 07,544,916 | ---- | M] (Microsoft Corporation) -- C:\Program Files\Microsoft SQL Server\MSSQL$MICROSOFTBCM\Binn\sqlservr.exe

========== Modules (SafeList) ==========

MOD - [2009/11/25 20:40:09 | 00,531,456 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\Carl_2\Desktop\OTL.exe
MOD - [2008/04/13 18:12:51 | 01,054,208 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\WinSxS\x86_Microsoft.Windows.Common-Controls_6595b64144ccf1df_6.0.2600.5512_x-ww_35d4ce83\comctl32.dll
MOD - [2008/04/13 18:11:53 | 00,185,344 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\SYSTEM32\WBEM\framedyn.dll

========== Win32 Services (SafeList) ==========

SRV - [2009/10/11 04:17:35 | 00,153,376 | ---- | M] (Sun Microsystems, Inc.) -- C:\Program Files\Java\jre6\bin\jqs.exe -- (JavaQuickStarterService)
SRV - [2009/05/19 10:36:18 | 00,240,512 | ---- | M] (Microsoft Corporation) -- C:\Program Files\Microsoft\Search Enhancement Pack\SeaPort\SeaPort.exe -- (SeaPort)
SRV - [2008/07/29 21:10:04 | 00,046,104 | ---- | M] (Microsoft Corporation) -- c:\WINDOWS\Microsoft.NET\Framework\v3.0\WPF\PresentationFontCache.exe -- (FontCache3.0.0.0)
SRV - [2008/07/29 19:24:50 | 00,881,664 | ---- | M] (Microsoft Corporation) -- c:\WINDOWS\Microsoft.NET\Framework\v3.0\Windows Communication Foundation\infocard.exe -- (idsvc)
SRV - [2008/07/29 19:16:38 | 00,132,096 | ---- | M] (Microsoft Corporation) -- c:\WINDOWS\Microsoft.NET\Framework\v3.0\Windows Communication Foundation\SMSvcHost.exe -- (NetTcpPortSharing)
SRV - [2008/07/25 11:17:02 | 00,069,632 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe -- (clr_optimization_v2.0.50727_32)
SRV - [2008/07/25 11:16:40 | 00,034,312 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\aspnet_state.exe -- (aspnet_state)
SRV - [2008/04/13 18:12:02 | 00,038,400 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\PCHealth\HelpCtr\Binaries\pchsvc.dll -- (helpsvc)
SRV - [2006/10/18 19:05:24 | 00,913,408 | ---- | M] (Microsoft Corporation) -- C:\Program Files\Windows Media Player\WMPNetwk.exe -- (WMPNetworkSvc)
SRV - [2003/10/30 08:06:02 | 00,073,728 | ---- | M] (NVIDIA Corporation) -- C:\WINDOWS\SYSTEM32\nvsvc32.exe -- (NVSvc)
SRV - [2003/06/19 23:25:00 | 00,322,120 | ---- | M] (Microsoft Corporation) -- C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE -- (MDM)
SRV - [2003/05/31 18:02:32 | 07,544,916 | ---- | M] (Microsoft Corporation) -- C:\Program Files\Microsoft SQL Server\MSSQL$MICROSOFTBCM\Binn\sqlservr.exe -- (MSSQL$MICROSOFTBCM)
SRV - [2003/03/03 13:33:40 | 00,143,360 | ---- | M] (Intel® Corporation) -- C:\Program Files\Intel\NCS\Sync\NetSvc.exe -- (NetSvc)
SRV - [2002/12/17 19:23:30 | 00,311,872 | ---- | M] (Microsoft Corporation) -- C:\Program Files\Microsoft SQL Server\MSSQL$MICROSOFTBCM\Binn\sqlagent.EXE -- (SQLAgent$MICROSOFTBCM)
SRV - [2002/12/17 19:23:30 | 00,066,112 | ---- | M] (Microsoft Corporation) -- C:\Program Files\Microsoft SQL Server\80\Tools\Binn\sqladhlp.exe -- (MSSQLServerADHelper)

========== Standard Registry (SafeList) ==========

========== Internet Explorer ==========

IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft....k/?LinkId=69157
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Default_Search_URL = http://us.rd.yahoo.c...//www.yahoo.com
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Default_Secondary_Page_URL = [binary data]
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Extensions Off Page = about:NoAdd-ons
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Local Page = C:\WINDOWS\system32\blank.htm
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Search Page = http://us.rd.yahoo.c...//www.yahoo.com
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Security Risk Page = about:SecurityRisk
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft....k/?LinkId=69157
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Search,CustomizeSearch = http://ie.search.msn...st/srchcust.htm
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Search,CustomSearch = http://us.rd.yahoo.c...rch/search.html
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Search,SearchAssistant = http://search.live.com/sphome.aspx

IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dell4me.com/myway
IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Local Page = C:\WINDOWS\system32\blank.htm
IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Search Page = http://us.rd.yahoo.c...//www.yahoo.com
IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
IE - HKCU\..\URLSearchHook: {EF99BD32-C1FB-11D2-892F-0090271D4F88} - Reg Error: Key error. File not found
IE - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0

FF - HKLM\software\mozilla\Firefox\extensions\\[email protected]: C:\Program Files\Java\jre6\lib\deploy\jqs\ff [2009/09/26 01:35:34 | 00,000,000 | ---D | M]
FF - HKLM\software\mozilla\Firefox\extensions\\{20a82645-c095-46ed-80e3-08825760534b}: c:\WINDOWS\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\ [2009/11/24 17:14:41 | 00,000,000 | ---D | M]

[2009/09/26 01:38:57 | 00,000,000 | ---D | M] -- C:\Documents and Settings\Carl_2\Application Data\Mozilla\Extensions
[2009/09/26 01:38:57 | 00,000,000 | ---D | M] -- C:\Documents and Settings\Carl_2\Application Data\Mozilla\Extensions\[email protected]

O1 HOSTS File: (736 bytes) - C:\WINDOWS\SYSTEM32\DRIVERS\ETC\HOSTS
O1 - Hosts: 127.0.0.1 localhost
O2 - BHO: (no name) - {02478D38-C3F9-4efb-9B51-7695ECA05670} - No CLSID value found.
O2 - BHO: (AcroIEHlprObj Class) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll (Adobe Systems Incorporated)
O2 - BHO: (AVG Safe Search) - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Program Files\AVG\AVG8\avgssie.dll File not found
O2 - BHO: (no name) - {5C255C8A-E604-49b4-9D64-90988571CECB} - No CLSID value found.
O2 - BHO: (no name) - {60112085-E1CE-4e0e-823A-EBB1AD98804C} - No CLSID value found.
O2 - BHO: (Search Helper) - {6EBF7485-159F-4bff-A14F-B9E3AAC4465B} - C:\Program Files\Microsoft\Search Enhancement Pack\Search Helper\SEPsearchhelperie.dll (Microsoft Corporation)
O2 - BHO: (IEWatchObj Class) - {9527D42F-D666-11D3-B8DD-00600838CD5F} - C:\WINDOWS\SYSTEM32\IETie.dll (Tenebril Incorporated)
O2 - BHO: (no name) - {C69FA570-7FDE-4C49-A7BC-CB1CF24BE66B} - No CLSID value found.
O2 - BHO: (Java™ Plug-In 2 SSV Helper) - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll (Sun Microsystems, Inc.)
O2 - BHO: (Windows Live Toolbar Helper) - {E15A8DC0-8516-42A1-81EA-DC94EC1ACF10} - C:\Program Files\Windows Live\Toolbar\wltcore.dll (Microsoft Corporation)
O2 - BHO: (JQSIEStartDetectorImpl Class) - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll (Sun Microsystems, Inc.)
O3 - HKLM\..\Toolbar: (&Windows Live Toolbar) - {21FA44EF-376D-4D53-9B0F-8A89D3229068} - C:\Program Files\Windows Live\Toolbar\wltcore.dll (Microsoft Corporation)
O3 - HKLM\..\Toolbar: (no name) - {CCC7A320-B3CA-4199-B1A6-9F516DD69829} - No CLSID value found.
O3 - HKCU\..\Toolbar\WebBrowser: (&Windows Live Toolbar) - {21FA44EF-376D-4D53-9B0F-8A89D3229068} - C:\Program Files\Windows Live\Toolbar\wltcore.dll (Microsoft Corporation)
O6 - HKLM\Software\Policies\Microsoft\Internet Explorer\Main present
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoCDBurning = 0
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: HonorAutoRunSetting = 1
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer\run: wininet.dll = regperf.exe
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer\run: kernel32.dll = C:\WINDOWS\system32\atmclk.exe File not found
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer\run: dcomcfg.exe = dcomcfg.exe
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: dontdisplaylastusername = 0
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: legalnoticecaption =
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: legalnoticetext =
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: shutdownwithoutlogon = 1
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: undockwithoutlogon = 1
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: DisableTaskMgr = 0
O7 - HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145
O7 - HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoFolderOptions = 0
O7 - HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: DisableTaskMgr = 0
O7 - HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: DisableRegistryTools = 0
O8 - Extra context menu item: E&xport to Microsoft Excel - C:\PROGRA~1\MICROS~3\OFFICE11\EXCEL.EXE File not found
O9 - Extra Button: GhostSurf Privacy Center - {578FC4E3-151E-456c-AF8E-B63061EFE228} - C:\Program Files\GhostSurf\LaunchPCC.exe File not found
O9 - Extra 'Tools' menuitem : GhostSurf Privacy Center - {578FC4E3-151E-456c-AF8E-B63061EFE228} - C:\Program Files\GhostSurf\LaunchPCC.exe File not found
O9 - Extra 'Tools' menuitem : @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\network diagnostic\xpnetdiag.exe (Microsoft Corporation)
O9 - Extra Button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe (Microsoft Corporation)
O9 - Extra 'Tools' menuitem : Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe (Microsoft Corporation)
O15 - HKLM\..Trusted Domains: 1 domain(s) and sub-domain(s) not assigned to a zone.
O15 - HKCU\..Trusted Domains: ([]msn in My Computer)
O16 - DPF: {0335A685-ED24-4F7B-A08E-3BD15D84E668} http://dl.filekicker...IL/PhPSetup.cab (Reg Error: Key error.)
O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} http://java.sun.com/...indows-i586.cab (Java Plug-in 1.6.0_17)
O16 - DPF: {9AA73F41-EC64-489E-9A73-9CD52E528BC4} http://zone.msn.com/...me/ZAxRcMgr.cab (ZoneAxRcMgr Class)
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} http://messenger.msn...pDownloader.cab (MsnMessengerSetupDownloadControl Class)
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} http://zone.msn.com/...ro.cab32846.cab (ZoneIntro Class)
O16 - DPF: {CAFEEFAC-0016-0000-0017-ABCDEFFEDCBA} http://java.sun.com/...indows-i586.cab (Java Plug-in 1.6.0_17)
O16 - DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} http://java.sun.com/...indows-i586.cab (Java Plug-in 1.6.0_17)
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} http://download.macr...ash/swflash.cab (Shockwave Flash Object)
O18 - Protocol\Handler\http\0x00000001 {E1D2BF42-A96B-11d1-9C6B-0000F875AC61} - C:\Program Files\Common Files\System\Ole DB\MSDAIPP.DLL (Microsoft Corporation)
O18 - Protocol\Handler\http\oledb {E1D2BF40-A96B-11d1-9C6B-0000F875AC61} - C:\Program Files\Common Files\System\Ole DB\MSDAIPP.DLL (Microsoft Corporation)
O18 - Protocol\Handler\https\0x00000001 {E1D2BF42-A96B-11d1-9C6B-0000F875AC61} - C:\Program Files\Common Files\System\Ole DB\MSDAIPP.DLL (Microsoft Corporation)
O18 - Protocol\Handler\https\oledb {E1D2BF40-A96B-11d1-9C6B-0000F875AC61} - C:\Program Files\Common Files\System\Ole DB\MSDAIPP.DLL (Microsoft Corporation)
O18 - Protocol\Handler\ipp - No CLSID value found
O18 - Protocol\Handler\ipp\0x00000001 {E1D2BF42-A96B-11d1-9C6B-0000F875AC61} - C:\Program Files\Common Files\System\Ole DB\MSDAIPP.DLL (Microsoft Corporation)
O18 - Protocol\Handler\livecall {828030A1-22C1-4009-854F-8E305202313F} - C:\Program Files\Windows Live\Messenger\msgrapp.14.0.8089.0726.dll (Microsoft Corporation)
O18 - Protocol\Handler\msdaipp - No CLSID value found
O18 - Protocol\Handler\msdaipp\0x00000001 {E1D2BF42-A96B-11d1-9C6B-0000F875AC61} - C:\Program Files\Common Files\System\Ole DB\MSDAIPP.DLL (Microsoft Corporation)
O18 - Protocol\Handler\msdaipp\oledb {E1D2BF40-A96B-11d1-9C6B-0000F875AC61} - C:\Program Files\Common Files\System\Ole DB\MSDAIPP.DLL (Microsoft Corporation)
O18 - Protocol\Handler\msnim {828030A1-22C1-4009-854F-8E305202313F} - C:\Program Files\Windows Live\Messenger\msgrapp.14.0.8089.0726.dll (Microsoft Corporation)
O18 - Protocol\Handler\wlmailhtml {03C514A3-1EFB-4856-9F99-10D7BE1653C0} - C:\Program Files\Windows Live\Mail\mailcomm.dll (Microsoft Corporation)
O20 - AppInit_DLLs: (c:\windows\system32\zebeduwi.dll) - C:\WINDOWS\System32\zebeduwi.dll File not found
O20 - AppInit_DLLs: (gatotafi.dll) - File not found
O20 - AppInit_DLLs: (c:\windows\system32\sikasiso.dll) - C:\WINDOWS\System32\sikasiso.dll File not found
O20 - AppInit_DLLs: (c:\windows\system32\mavozebu.dll) - C:\WINDOWS\System32\mavozebu.dll File not found
O20 - AppInit_DLLs: (c:\windows\system32\yivozizi.dll) - C:\WINDOWS\System32\yivozizi.dll File not found
O20 - AppInit_DLLs: (c:\windows\system32\yetujigi.dll) - C:\WINDOWS\System32\yetujigi.dll File not found
O20 - AppInit_DLLs: (c:\windows\system32\doheyesi.dll) - C:\WINDOWS\System32\doheyesi.dll File not found
O20 - AppInit_DLLs: (c:\windows\system32\sejuvoma.dll) - C:\WINDOWS\System32\sejuvoma.dll File not found
O20 - AppInit_DLLs: (c:\windows\system32\sazujimo.dll) - C:\WINDOWS\System32\sazujimo.dll File not found
O20 - HKLM Winlogon: Shell - (Explorer.exe) - C:\WINDOWS\explorer.exe (Microsoft Corporation)
O21 - SSODL: bagumukem - {de84e745-c6f3-4d2c-a8e9-c34fcaa8279c} - C:\WINDOWS\System32\zebeduwi.dll File not found
O21 - SSODL: cholecyst - {ee2975b6-e8d5-405e-8448-8fe9590f6cfb} - C:\WINDOWS\System32\mzoeut.dll File not found
O21 - SSODL: julamiwin - {a9251689-cea1-4b27-8199-87b29d962f6d} - C:\WINDOWS\System32\doheyesi.dll File not found
O21 - SSODL: kemavudej - {2bd586b5-8859-404c-9139-d991bb5dc4f4} - C:\WINDOWS\System32\doheyesi.dll File not found
O21 - SSODL: nogigihat - {74ed7f2a-f567-40d6-9391-c6fa51a38ed2} - C:\WINDOWS\System32\doheyesi.dll File not found
O21 - SSODL: nuzolumak - {ae50fe75-c529-4388-942e-c7bcd0e10119} - C:\WINDOWS\System32\doheyesi.dll File not found
O21 - SSODL: tohufigev - {141b1add-9210-436c-8a63-c34d242e1c8c} - CLSID or File not found.
O21 - SSODL: tubolekid - {cf7ba15c-75e4-4b89-a252-25d15a1ca60d} - C:\WINDOWS\System32\sazujimo.dll File not found
O22 - SharedTaskScheduler: {141b1add-9210-436c-8a63-c34d242e1c8c} - jugezatag - Reg Error: Key error. File not found
O22 - SharedTaskScheduler: {2bd586b5-8859-404c-9139-d991bb5dc4f4} - mujuzedij - C:\WINDOWS\System32\doheyesi.dll File not found
O22 - SharedTaskScheduler: {74ed7f2a-f567-40d6-9391-c6fa51a38ed2} - jugezatag - C:\WINDOWS\System32\doheyesi.dll File not found
O22 - SharedTaskScheduler: {a9251689-cea1-4b27-8199-87b29d962f6d} - kupuhivus - C:\WINDOWS\System32\doheyesi.dll File not found
O22 - SharedTaskScheduler: {ae50fe75-c529-4388-942e-c7bcd0e10119} - kupuhivus - C:\WINDOWS\System32\doheyesi.dll File not found
O22 - SharedTaskScheduler: {cf7ba15c-75e4-4b89-a252-25d15a1ca60d} - kupuhivus - C:\WINDOWS\System32\sazujimo.dll File not found
O22 - SharedTaskScheduler: {de84e745-c6f3-4d2c-a8e9-c34fcaa8279c} - tokatiluy - C:\WINDOWS\System32\zebeduwi.dll File not found
O22 - SharedTaskScheduler: cholecyst - {ee2975b6-e8d5-405e-8448-8fe9590f6cfb} - Reg Error: Key error. File not found
O24 - Desktop Components:0 (My Current Home Page) - About:Home
O31 - SafeBoot: AlternateShell - cmd.exe
O32 - HKLM CDRom: AutoRun - 1
O32 - AutoRun File - [2002/09/03 08:59:58 | 00,000,000 | ---- | M] () - C:\AUTOEXEC.BAT -- [ NTFS ]
O34 - HKLM BootExecute: (autocheck) - File not found
O34 - HKLM BootExecute: (autochk) - C:\WINDOWS\System32\autochk.exe (Microsoft Corporation)
O34 - HKLM BootExecute: (*) - File not found
O35 - comfile [open] -- "%1" %* File not found
O35 - exefile [open] -- "%1" %* File not found

NetSvcs: 6to4 - File not found
NetSvcs: Ias - C:\WINDOWS\SYSTEM32\IAS [2004/03/15 15:29:54 | 00,000,000 | ---D | M]
NetSvcs: Iprip - File not found
NetSvcs: Irmon - File not found
NetSvcs: NWCWorkstation - File not found
NetSvcs: Nwsapagent - File not found
NetSvcs: Wmi - C:\WINDOWS\SYSTEM32\wmi.dll (Microsoft Corporation)
NetSvcs: WmdmPmSp - File not found
NetSvcs: helpsvc - C:\WINDOWS\PCHealth\HelpCtr\Binaries\pchsvc.dll (Microsoft Corporation)

CREATERESTOREPOINT
Restore point Set: OTL Restore Point (66713185842888704)

========== Files/Folders - Created Within 14 Days ==========

[2009/11/27 12:56:06 | 00,472,064 | ---- | C] ( ) -- C:\Documents and Settings\Carl_2\Desktop\RootRepeal.exe
[2009/11/27 12:55:53 | 00,531,456 | ---- | C] (OldTimer Tools) -- C:\Documents and Settings\Carl_2\Desktop\OTL.exe
[2009/11/27 12:55:40 | 00,341,504 | ---- | C] (OldTimer Tools) -- C:\Documents and Settings\Carl_2\Desktop\TFC.exe
[2009/11/27 12:54:12 | 00,000,000 | ---D | C] -- C:\Documents and Settings\Carl_2\Desktop\geekstogo
[2009/11/27 12:20:35 | 00,000,000 | ---D | C] -- C:\Program Files\LimeWire
[2009/11/24 17:54:16 | 00,000,000 | ---D | C] -- C:\Documents and Settings\Carl_2\Desktop\hold
[2009/11/20 13:34:56 | 00,000,000 | ---D | C] -- C:\Program Files\Symantec
[2009/11/20 13:31:07 | 00,000,000 | ---D | C] -- C:\Program Files\Windows Sidebar
[2009/11/20 13:30:58 | 00,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Application Data\Norton
[2009/11/20 13:29:57 | 00,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Application Data\NortonInstaller
[2009/11/20 13:22:49 | 00,000,000 | ---D | C] -- C:\Documents and Settings\Carl_2\Local Settings\Application Data\ICS
[2009/11/19 15:31:02 | 00,000,000 | ---D | C] -- C:\WINDOWS\System32\NtmsData
[2009/11/19 14:43:35 | 00,000,000 | ---D | C] -- C:\WINDOWS\System32\XPSViewer
[2009/11/19 14:43:26 | 00,000,000 | ---D | C] -- C:\Program Files\MSBuild
[2009/11/19 14:42:05 | 00,000,000 | ---D | C] -- C:\Program Files\Reference Assemblies
[2009/11/19 14:37:30 | 00,000,000 | ---D | C] -- C:\289395e755978cf54a

========== Files - Modified Within 14 Days ==========

[2099/01/01 12:00:00 | 00,039,424 | -HS- | M] () -- C:\WINDOWS\System32\mesafari.dll
[2009/11/27 13:00:16 | 00,001,170 | ---- | M] () -- C:\WINDOWS\System32\WPA.DBL
[2009/11/27 13:00:02 | 00,000,296 | ---- | M] () -- C:\WINDOWS\tasks\gmksjbrf.job
[2009/11/27 13:00:02 | 00,000,296 | ---- | M] () -- C:\WINDOWS\tasks\bhzbridu.job
[2009/11/27 13:00:02 | 00,000,006 | -H-- | M] () -- C:\WINDOWS\tasks\SA.DAT
[2009/11/27 12:59:58 | 00,002,048 | --S- | M] () -- C:\WINDOWS\BOOTSTAT.DAT
[2009/11/27 12:59:56 | 26,745,6512 | -HS- | M] () -- C:\hiberfil.sys
[2009/11/27 12:59:17 | 03,145,728 | -H-- | M] () -- C:\Documents and Settings\Carl_2\NTUSER.DAT
[2009/11/27 12:59:17 | 00,000,178 | -HS- | M] () -- C:\Documents and Settings\Carl_2\NTUSER.INI
[2009/11/27 12:20:58 | 00,001,578 | ---- | M] () -- C:\Documents and Settings\Carl_2\Desktop\LimeWire 5.3.6.lnk
[2009/11/27 10:00:00 | 00,000,362 | ---- | M] () -- C:\WINDOWS\tasks\Symantec NetDetect.job
[2009/11/27 07:33:30 | 00,000,424 | -H-- | M] () -- C:\WINDOWS\tasks\User_Feed_Synchronization-{1FA8223A-7822-4CA4-A437-05A7F15EC3DD}.job
[2009/11/25 20:42:23 | 00,341,504 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\Carl_2\Desktop\TFC.exe
[2009/11/25 20:40:09 | 00,531,456 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\Carl_2\Desktop\OTL.exe
[2009/11/25 20:38:17 | 00,472,064 | ---- | M] ( ) -- C:\Documents and Settings\Carl_2\Desktop\RootRepeal.exe
[2009/11/25 13:22:47 | 00,000,501 | ---- | M] () -- C:\WINDOWS\WIN.INI
[2009/11/25 13:22:47 | 00,000,227 | ---- | M] () -- C:\WINDOWS\SYSTEM.INI
[2009/11/25 13:22:47 | 00,000,211 | RHS- | M] () -- C:\BOOT.INI
[2009/11/24 17:20:42 | 00,001,393 | ---- | M] () -- C:\WINDOWS\imsins.BAK
[2009/11/24 17:18:32 | 00,531,296 | ---- | M] () -- C:\WINDOWS\System32\PerfStringBackup.INI
[2009/11/24 17:18:32 | 00,461,858 | ---- | M] () -- C:\WINDOWS\System32\PERFH009.DAT
[2009/11/24 17:18:32 | 00,079,554 | ---- | M] () -- C:\WINDOWS\System32\PERFC009.DAT
[2009/11/24 16:27:23 | 06,911,722 | -H-- | M] () -- C:\Documents and Settings\Carl_2\Local Settings\Application Data\IconCache.db
[2009/11/24 15:55:55 | 00,001,068 | ---- | M] () -- C:\dmg5.reg
[2009/11/24 15:48:01 | 00,001,236 | ---- | M] () -- C:\dmg4.reg
[2009/11/24 15:23:08 | 00,028,454 | ---- | M] () -- C:\dmg11093.reg
[2009/11/24 14:12:41 | 00,001,494 | ---- | M] () -- C:\dmg11092.reg
[2009/11/24 14:11:48 | 00,054,156 | -H-- | M] () -- C:\WINDOWS\QTFont.qfn
[2009/11/24 14:11:48 | 00,001,409 | ---- | M] () -- C:\WINDOWS\QTFont.for
[2009/11/24 14:10:56 | 00,003,444 | ---- | M] () -- C:\dmg112409.reg
[2009/11/21 11:28:51 | 00,006,456 | -H-- | M] () -- C:\WINDOWS\System32\kebozada
[2009/11/20 13:34:56 | 00,124,976 | ---- | M] (Symantec Corporation) -- C:\WINDOWS\System32\drivers\SYMEVENT.SYS
[2009/11/20 13:34:56 | 00,060,808 | ---- | M] (Symantec Corporation) -- C:\WINDOWS\System32\S32EVNT1.DLL
[2009/11/20 13:34:56 | 00,007,443 | ---- | M] () -- C:\WINDOWS\System32\drivers\SYMEVENT.CAT
[2009/11/20 13:34:56 | 00,000,805 | ---- | M] () -- C:\WINDOWS\System32\drivers\SYMEVENT.INF
[2009/11/20 12:49:33 | 00,039,424 | -HS- | M] () -- C:\WINDOWS\System32\fonoriga.dll
[2009/11/19 15:11:26 | 00,243,920 | ---- | M] () -- C:\WINDOWS\System32\FNTCACHE.DAT
[2009/11/19 14:48:06 | 00,062,936 | ---- | M] () -- C:\Documents and Settings\Carl_2\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
[2009/11/18 09:00:04 | 00,052,736 | -HS- | M] () -- C:\WINDOWS\System32\rivesogo.dll

========== Files Created - No Company Name ==========

[2099/01/01 12:00:00 | 00,039,424 | -HS- | C] () -- C:\WINDOWS\System32\mesafari.dll
[2009/11/27 12:20:58 | 00,001,578 | ---- | C] () -- C:\Documents and Settings\Carl_2\Desktop\LimeWire 5.3.6.lnk
[2009/11/24 17:09:10 | 01,089,593 | ---- | C] () -- C:\WINDOWS\System32\dllcache\ntprint.cat
[2009/11/24 15:55:55 | 00,001,068 | ---- | C] () -- C:\dmg5.reg
[2009/11/24 15:47:59 | 00,001,236 | ---- | C] () -- C:\dmg4.reg
[2009/11/24 15:23:08 | 00,028,454 | ---- | C] () -- C:\dmg11093.reg
[2009/11/24 14:12:41 | 00,001,494 | ---- | C] () -- C:\dmg11092.reg
[2009/11/24 14:10:56 | 00,003,444 | ---- | C] () -- C:\dmg112409.reg
[2009/11/21 07:11:01 | 00,001,409 | ---- | C] () -- C:\WINDOWS\QTFont.for
[2009/11/21 07:10:59 | 00,054,156 | -H-- | C] () -- C:\WINDOWS\QTFont.qfn
[2009/11/20 13:34:59 | 00,007,443 | ---- | C] () -- C:\WINDOWS\System32\drivers\SYMEVENT.CAT
[2009/11/20 13:34:59 | 00,000,805 | ---- | C] () -- C:\WINDOWS\System32\drivers\SYMEVENT.INF
[2009/11/20 12:49:33 | 00,039,424 | -HS- | C] () -- C:\WINDOWS\System32\fonoriga.dll
[2009/11/18 09:00:04 | 00,052,736 | -HS- | C] () -- C:\WINDOWS\System32\rivesogo.dll
[2009/10/01 09:23:45 | 00,000,343 | ---- | C] () -- C:\WINDOWS\MIDASWIN.INI
[2009/10/01 09:23:17 | 00,000,079 | ---- | C] () -- C:\WINDOWS\SETUPWIZ.INI
[2009/09/16 20:13:31 | 00,045,568 | ---- | C] () -- C:\Documents and Settings\Carl_2\Local Settings\Application Data\DCBC2A71-70D8-4DAN-EHR8-E0D61DEA3FDF.ini
[2009/09/16 06:21:06 | 00,000,062 | -HS- | C] () -- C:\Documents and Settings\Carl_2\Application Data\DESKTOP.INI
[2009/09/16 06:21:04 | 00,062,936 | ---- | C] () -- C:\Documents and Settings\Carl_2\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
[2009/09/16 06:21:03 | 06,911,722 | -H-- | C] () -- C:\Documents and Settings\Carl_2\Local Settings\Application Data\IconCache.db
[2006/06/29 14:58:52 | 00,030,808 | ---- | C] () -- C:\WINDOWS\Fonts\GlobalUserInterface.CompositeFont
[2006/06/29 14:53:56 | 00,026,489 | ---- | C] () -- C:\WINDOWS\Fonts\GlobalSansSerif.CompositeFont
[2006/04/18 15:39:28 | 00,029,779 | ---- | C] () -- C:\WINDOWS\Fonts\GlobalSerif.CompositeFont
[2006/04/18 15:39:28 | 00,026,040 | ---- | C] () -- C:\WINDOWS\Fonts\GlobalMonospace.CompositeFont
[2005/03/25 17:28:02 | 00,000,029 | ---- | C] () -- C:\WINDOWS\DEBUGSM.INI
[2004/12/25 18:40:08 | 00,000,011 | ---- | C] () -- C:\WINDOWS\PrintWorkShop2005.ini
[2004/11/14 16:44:19 | 00,000,002 | ---- | C] () -- C:\WINDOWS\msoffice.ini
[2004/11/07 19:21:14 | 00,186,880 | ---- | C] () -- C:\WINDOWS\System32\encdec.dll
[2004/11/07 19:21:12 | 00,270,848 | ---- | C] () -- C:\WINDOWS\System32\sbe.dll
[2004/11/07 19:19:01 | 00,070,656 | ---- | C] () -- C:\WINDOWS\System32\amstream.dll
[2004/11/07 19:18:55 | 00,252,928 | ---- | C] () -- C:\WINDOWS\System32\compatui.dll
[2004/11/07 19:18:51 | 00,059,904 | ---- | C] () -- C:\WINDOWS\System32\devenum.dll
[2004/11/07 19:18:45 | 00,498,742 | ---- | C] () -- C:\WINDOWS\System32\dxmasf.dll
[2004/11/07 19:18:32 | 00,035,328 | ---- | C] () -- C:\WINDOWS\System32\mciqtz32.dll
[2004/11/07 19:18:25 | 00,014,336 | ---- | C] () -- C:\WINDOWS\System32\msdmo.dll
[2004/11/07 19:18:24 | 00,004,126 | ---- | C] () -- C:\WINDOWS\System32\msdxmlc.dll
[2004/11/07 19:17:47 | 00,386,048 | ---- | C] () -- C:\WINDOWS\System32\qdvd.dll
[2004/11/07 19:17:47 | 00,363,520 | ---- | C] () -- C:\WINDOWS\System32\psisdecd.dll
[2004/11/07 19:17:47 | 00,279,040 | ---- | C] () -- C:\WINDOWS\System32\qdv.dll
[2004/11/07 19:17:47 | 00,192,512 | ---- | C] () -- C:\WINDOWS\System32\qcap.dll
[2004/11/07 19:17:46 | 01,291,264 | ---- | C] () -- C:\WINDOWS\System32\quartz.dll
[2004/11/07 19:17:46 | 00,733,696 | ---- | C] () -- C:\WINDOWS\System32\qedwipes.dll
[2004/11/07 19:17:46 | 00,562,176 | ---- | C] () -- C:\WINDOWS\System32\qedit.dll
[2004/11/07 19:17:28 | 00,053,478 | ---- | C] () -- C:\WINDOWS\System32\tcpmon.ini
[2004/11/07 19:16:48 | 00,096,512 | ---- | C] () -- C:\WINDOWS\System32\drivers\atapi.sys
[2004/06/09 11:45:54 | 00,355,112 | ---- | C] () -- C:\WINDOWS\System32\msjetoledb40.dll
[2004/06/04 16:37:33 | 00,000,057 | ---- | C] () -- C:\WINDOWS\uilib.INI
[2004/05/17 16:43:09 | 00,035,424 | ---- | C] () -- C:\WINDOWS\System32\ntio412.sys
[2004/05/17 16:43:07 | 00,034,560 | ---- | C] () -- C:\WINDOWS\System32\ntio404.sys
[2004/05/17 16:43:06 | 00,034,560 | ---- | C] () -- C:\WINDOWS\System32\ntio804.sys
[2004/05/17 16:43:04 | 00,035,648 | ---- | C] () -- C:\WINDOWS\System32\ntio411.sys
[2004/05/17 16:43:02 | 00,033,840 | ---- | C] () -- C:\WINDOWS\System32\ntio.sys
[2004/05/04 20:29:55 | 00,000,399 | ---- | C] () -- C:\WINDOWS\Belt.ini
[2004/04/03 18:42:30 | 00,096,768 | ---- | C] () -- C:\WINDOWS\SlantAdj.dll
[2004/04/03 18:42:30 | 00,000,072 | ---- | C] () -- C:\WINDOWS\System32\epDPE.ini
[2004/04/03 18:38:56 | 00,000,196 | ---- | C] () -- C:\WINDOWS\EPSON RX500 Installer.ini
[2004/03/21 15:10:48 | 00,000,847 | ---- | C] () -- C:\WINDOWS\cdPlayer.ini
[2004/03/21 13:09:06 | 00,000,000 | ---- | C] () -- C:\WINDOWS\OpPrintServer.INI
[2004/03/15 16:28:35 | 00,000,061 | ---- | C] () -- C:\WINDOWS\smscfg.ini
[2004/03/15 16:16:50 | 00,000,376 | ---- | C] () -- C:\WINDOWS\ODBC.INI
[2004/03/15 16:05:33 | 00,000,184 | ---- | C] () -- C:\WINDOWS\wininit.ini
[2004/03/15 16:02:10 | 00,000,903 | ---- | C] () -- C:\WINDOWS\orun32.ini
[2004/03/15 15:45:44 | 00,531,296 | ---- | C] () -- C:\WINDOWS\System32\PerfStringBackup.INI
[2004/03/15 15:32:28 | 00,000,547 | ---- | C] () -- C:\WINDOWS\System32\OEMINFO.INI
[2003/11/18 09:03:28 | 00,200,704 | --S- | C] () -- C:\WINDOWS\System32\archlib.dll
[2002/09/03 08:59:58 | 00,000,501 | ---- | C] () -- C:\WINDOWS\WIN.INI
[2002/09/03 08:59:58 | 00,000,000 | ---- | C] () -- C:\WINDOWS\CONTROL.INI
[2002/09/03 08:59:14 | 00,004,161 | ---- | C] () -- C:\WINDOWS\ODBCINST.INI
[2002/09/03 08:56:20 | 00,000,037 | ---- | C] () -- C:\WINDOWS\VBADDIN.INI
[2002/09/03 08:56:20 | 00,000,036 | ---- | C] () -- C:\WINDOWS\VB.INI
[2002/09/03 08:50:58 | 00,000,227 | ---- | C] () -- C:\WINDOWS\SYSTEM.INI
[2002/09/03 08:50:46 | 00,000,062 | -HS- | C] () -- C:\Documents and Settings\All Users\Application Data\DESKTOP.INI
[2002/08/29 05:00:00 | 01,015,477 | ---- | C] () -- C:\WINDOWS\System32\ESENTPRF.INI
[2002/08/29 05:00:00 | 00,199,168 | ---- | C] () -- C:\WINDOWS\System32\IR32_32.DLL
[2002/08/29 05:00:00 | 00,157,696 | ---- | C] () -- C:\WINDOWS\System32\PAQSP.DLL
[2002/08/29 05:00:00 | 00,094,282 | ---- | C] () -- C:\WINDOWS\System32\MSENCODE.DLL
[2002/08/29 05:00:00 | 00,042,809 | ---- | C] () -- C:\WINDOWS\System32\KEY01.SYS
[2002/08/29 05:00:00 | 00,042,537 | ---- | C] () -- C:\WINDOWS\System32\KEYBOARD.SYS
[2002/08/29 05:00:00 | 00,029,370 | ---- | C] () -- C:\WINDOWS\System32\NTDOS411.SYS
[2002/08/29 05:00:00 | 00,029,274 | ---- | C] () -- C:\WINDOWS\System32\NTDOS412.SYS
[2002/08/29 05:00:00 | 00,029,146 | ---- | C] () -- C:\WINDOWS\System32\NTDOS804.SYS
[2002/08/29 05:00:00 | 00,029,146 | ---- | C] () -- C:\WINDOWS\System32\NTDOS404.SYS
[2002/08/29 05:00:00 | 00,027,866 | ---- | C] () -- C:\WINDOWS\System32\NTDOS.SYS
[2002/08/29 05:00:00 | 00,027,097 | ---- | C] () -- C:\WINDOWS\System32\COUNTRY.SYS
[2002/08/29 05:00:00 | 00,015,360 | ---- | C] () -- C:\WINDOWS\System32\TSD32.DLL
[2002/08/29 05:00:00 | 00,013,312 | ---- | C] () -- C:\WINDOWS\System32\WIN87EM.DLL
[2002/08/29 05:00:00 | 00,013,223 | ---- | C] () -- C:\WINDOWS\System32\TSLABELS.INI
[2002/08/29 05:00:00 | 00,012,082 | ---- | C] () -- C:\WINDOWS\System32\RSVP.INI
[2002/08/29 05:00:00 | 00,009,029 | ---- | C] () -- C:\WINDOWS\System32\ANSI.SYS
[2002/08/29 05:00:00 | 00,006,877 | ---- | C] () -- C:\WINDOWS\System32\PSCHDPRF.INI
[2002/08/29 05:00:00 | 00,004,768 | ---- | C] () -- C:\WINDOWS\System32\HIMEM.SYS
[2002/08/29 05:00:00 | 00,003,458 | ---- | C] () -- C:\WINDOWS\System32\RASCTRS.INI
[2002/08/29 05:00:00 | 00,002,891 | ---- | C] () -- C:\WINDOWS\System32\PERFCI.INI
[2002/08/29 05:00:00 | 00,002,732 | ---- | C] () -- C:\WINDOWS\System32\PERFWCI.INI
[2002/08/29 05:00:00 | 00,001,931 | ---- | C] () -- C:\WINDOWS\System32\MSDTCPRF.INI
[2002/08/29 05:00:00 | 00,001,405 | ---- | C] () -- C:\WINDOWS\MSDFMAP.INI
[2002/08/29 05:00:00 | 00,001,152 | ---- | C] () -- C:\WINDOWS\System32\PERFFILT.INI
[2002/08/29 05:00:00 | 00,000,343 | ---- | C] () -- C:\WINDOWS\System32\PRODSPEC.INI
[1980/01/01 00:00:00 | 00,012,288 | ---- | C] () -- C:\WINDOWS\System32\e100bmsg.dll

========== LOP Check ==========

[2009/10/01 09:42:13 | 00,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\Adobe
[2004/11/14 16:45:06 | 00,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\AOL
[2005/06/20 21:33:12 | 00,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\Dell
[2005/05/21 03:47:01 | 00,000,000 | -H-D | M] -- C:\Documents and Settings\All Users\Application Data\GTek
[2009/09/16 06:10:28 | 00,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\Kodak
[2009/09/16 19:16:41 | 00,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\Malwarebytes
[2009/09/26 01:18:26 | 00,000,000 | --SD | M] -- C:\Documents and Settings\All Users\Application Data\Microsoft
[2004/05/19 14:27:19 | 00,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\MSN6
[2009/11/24 16:28:07 | 00,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\Norton
[2009/11/20 13:29:57 | 00,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\NortonInstaller
[2004/11/26 19:05:21 | 00,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\PopCap
[2004/03/15 16:08:13 | 00,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\QuickTime
[2004/03/15 16:03:13 | 00,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\SBSI
[2009/11/20 13:05:46 | 00,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\Symantec
[2004/03/15 16:08:14 | 00,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\Viewpoint
[2006/07/16 10:48:49 | 00,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\Windows Genuine Advantage
[2009/11/19 14:44:07 | 00,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\Yahoo!
[2009/10/15 09:33:38 | 00,000,000 | ---D | M] -- C:\Documents and Settings\Carl_2\Application Data\Adobe
[2009/09/16 06:21:53 | 00,000,000 | -H-D | M] -- C:\Documents and Settings\Carl_2\Application Data\Gtek
[2009/09/25 14:19:15 | 00,000,000 | ---D | M] -- C:\Documents and Settings\Carl_2\Application Data\Help
[2004/03/15 15:31:10 | 00,000,000 | ---D | M] -- C:\Documents and Settings\Carl_2\Application Data\Identities
[2004/03/15 16:14:02 | 00,000,000 | ---D | M] -- C:\Documents and Settings\Carl_2\Application Data\Jasc Software Inc
[2009/11/27 12:40:35 | 00,000,000 | ---D | M] -- C:\Documents and Settings\Carl_2\Application Data\LimeWire
[2004/02/22 23:02:23 | 00,000,000 | ---D | M] -- C:\Documents and Settings\Carl_2\Application Data\Macromedia
[2009/09/16 19:17:44 | 00,000,000 | ---D | M] -- C:\Documents and Settings\Carl_2\Application Data\Malwarebytes
[2004/02/23 00:42:15 | 00,000,000 | --SD | M] -- C:\Documents and Settings\Carl_2\Application Data\Microsoft
[2009/09/26 01:38:57 | 00,000,000 | ---D | M] -- C:\Documents and Settings\Carl_2\Application Data\Mozilla
[2004/02/24 05:42:29 | 00,000,000 | ---D | M] -- C:\Documents and Settings\Carl_2\Application Data\MSN6
[2004/03/15 16:08:37 | 00,000,000 | ---D | M] -- C:\Documents and Settings\Carl_2\Application Data\Real
[2004/03/15 16:10:46 | 00,000,000 | ---D | M] -- C:\Documents and Settings\Carl_2\Application Data\Sonic
[2004/03/15 15:54:20 | 00,000,000 | ---D | M] -- C:\Documents and Settings\Carl_2\Application Data\Sun
[2004/03/15 16:24:00 | 00,000,000 | ---D | M] -- C:\Documents and Settings\Carl_2\Application Data\Symantec
[2009/09/24 14:21:08 | 00,000,000 | ---D | M] -- C:\Documents and Settings\Carl_2\Application Data\U3
[2009/11/19 15:14:54 | 00,000,000 | ---D | M] -- C:\Documents and Settings\Carl_2\Application Data\Yahoo!
[2009/11/27 13:00:02 | 00,000,296 | ---- | M] () -- C:\WINDOWS\Tasks\bhzbridu.job
[2002/08/29 05:00:00 | 00,000,065 | RH-- | M] () -- C:\WINDOWS\Tasks\DESKTOP.INI
[2009/11/27 13:00:02 | 00,000,296 | ---- | M] () -- C:\WINDOWS\Tasks\gmksjbrf.job
[2009/11/27 13:00:02 | 00,000,006 | -H-- | M] () -- C:\WINDOWS\Tasks\SA.DAT
[2009/11/27 10:00:00 | 00,000,362 | ---- | M] () -- C:\WINDOWS\Tasks\Symantec NetDetect.job
[2009/11/27 07:33:30 | 00,000,424 | -H-- | M] () -- C:\WINDOWS\Tasks\User_Feed_Synchronization-{1FA8223A-7822-4CA4-A437-05A7F15EC3DD}.job

========== Purity Check ==========

========== Custom Scans ==========

< %SYSTEMDRIVE%\*.exe >

[1 C:\I386\*.tmp files -> C:\I386\*.tmp -> ]
[1 C:\I386\*.tmp files -> C:\I386\*.tmp -> ]
[1 C:\I386\*.tmp files -> C:\I386\*.tmp -> ]
[1 C:\I386\*.tmp files -> C:\I386\*.tmp -> ]
[1 C:\I386\*.tmp files -> C:\I386\*.tmp -> ]

< MD5 for: AGP440.SYS >
[2008/04/13 12:36:38 | 00,042,368 | ---- | M] (Microsoft Corporation) MD5=08FD04AA961BDC77FB983F328334E3D7 -- C:\WINDOWS\ServicePackFiles\i386\agp440.sys
[2008/04/13 12:36:38 | 00,042,368 | ---- | M] (Microsoft Corporation) MD5=08FD04AA961BDC77FB983F328334E3D7 -- C:\WINDOWS\SYSTEM32\DRIVERS\agp440.sys
[2004/08/04 00:07:41 | 00,042,368 | ---- | M] (Microsoft Corporation) MD5=2C428FA0C3E3A01ED93C9B2A27D8D4BB -- C:\WINDOWS\$NtServicePackUninstall$\agp440.sys
[2001/08/17 13:58:00 | 00,025,472 | ---- | M] (Microsoft Corporation) MD5=65880045C51AA36184841CEE915A61DF -- C:\I386\AGP440.SYS

< MD5 for: ATAPI.SYS >
[2002/08/29 01:27:50 | 00,086,912 | ---- | M] (Microsoft Corporation) MD5=95B858761A00E1D4F81F79A0DA019ACA -- C:\WINDOWS\SYSTEM32\ReinstallBackups\0002\DriverFiles\i386\atapi.sys
[2002/08/29 01:27:50 | 00,086,912 | ---- | M] (Microsoft Corporation) MD5=95B858761A00E1D4F81F79A0DA019ACA -- C:\WINDOWS\SYSTEM32\ReinstallBackups\0006\DriverFiles\i386\atapi.sys
[2008/04/13 12:40:30 | 00,096,512 | ---- | M] (Microsoft Corporation) MD5=9F3A2F5AA6875C72BF062C712CFA2674 -- C:\WINDOWS\ServicePackFiles\i386\atapi.sys
[2004/08/03 23:59:42 | 00,095,360 | ---- | M] (Microsoft Corporation) MD5=CDFE4411A69C224BD1D11B2DA92DAC51 -- C:\WINDOWS\$NtServicePackUninstall$\atapi.sys
[2003/04/23 09:29:54 | 00,087,296 | ---- | M] (Microsoft Corporation) MD5=E52B3B3F78C9AE85806CE49DCDD80C18 -- C:\I386\atapi.sys
[2008/04/13 12:40:30 | 00,096,512 | ---- | M] () Unable to obtain MD5 -- C:\WINDOWS\SYSTEM32\DRIVERS\atapi.sys

< MD5 for: EVENTLOG.DLL >
[2008/04/13 18:11:53 | 00,056,320 | ---- | M] (Microsoft Corporation) MD5=6D4FEB43EE538FC5428CC7F0565AA656 -- C:\WINDOWS\ServicePackFiles\i386\eventlog.dll
[2008/04/13 18:11:53 | 00,056,320 | ---- | M] (Microsoft Corporation) MD5=6D4FEB43EE538FC5428CC7F0565AA656 -- C:\WINDOWS\SYSTEM32\eventlog.dll
[2004/08/04 01:56:42 | 00,055,808 | ---- | M] (Microsoft Corporation) MD5=82B24CB70E5944E6E34662205A2A5B78 -- C:\WINDOWS\$NtServicePackUninstall$\eventlog.dll
[2002/08/29 05:00:00 | 00,049,152 | ---- | M] (Microsoft Corporation) MD5=BF3C8CF53C77B48206B39910B6D6CBCC -- C:\I386\EVENTLOG.DLL

< MD5 for: NETLOGON.DLL >
[2008/04/13 18:12:01 | 00,407,040 | ---- | M] (Microsoft Corporation) MD5=1B7F071C51B77C272875C3A23E1E4550 -- C:\WINDOWS\ServicePackFiles\i386\netlogon.dll
[2008/04/13 18:12:01 | 00,407,040 | ---- | M] (Microsoft Corporation) MD5=1B7F071C51B77C272875C3A23E1E4550 -- C:\WINDOWS\SYSTEM32\netlogon.dll
[2002/08/29 05:00:00 | 00,399,360 | ---- | M] (Microsoft Corporation) MD5=3ADD563ED7A1C66E6F5E0F7A661AA96D -- C:\I386\NETLOGON.DLL
[2009/02/06 12:46:09 | 00,408,064 | ---- | M] (Microsoft Corporation) MD5=6C476D33D82F1054849790181E8F7772 -- C:\WINDOWS\$hf_mig$\KB968389\SP2QFE\netlogon.dll
[2004/08/04 01:56:44 | 00,407,040 | ---- | M] (Microsoft Corporation) MD5=96353FCECBA774BB8DA74A1C6507015A -- C:\WINDOWS\$NtServicePackUninstall$\netlogon.dll

< MD5 for: SCECLI.DLL >
[2004/08/04 01:56:44 | 00,180,224 | ---- | M] (Microsoft Corporation) MD5=0F78E27F563F2AAF74B91A49E2ABF19A -- C:\WINDOWS\$NtServicePackUninstall$\scecli.dll
[2002/08/29 05:00:00 | 00,174,592 | ---- | M] (Microsoft Corporation) MD5=97418A5C642A5C748A28BD7CF6860B57 -- C:\I386\SCECLI.DLL
[2008/04/13 18:12:05 | 00,181,248 | ---- | M] (Microsoft Corporation) MD5=A86BB5E61BF3E39B62AB4C7E7085A084 -- C:\WINDOWS\ServicePackFiles\i386\scecli.dll
[2008/04/13 18:12:05 | 00,181,248 | ---- | M] (Microsoft Corporation) MD5=A86BB5E61BF3E39B62AB4C7E7085A084 -- C:\WINDOWS\SYSTEM32\scecli.dll
< End of report >

Thank you for any help you can provide.

#2
kahdah

Posted 27 November 2009 - 06:47 PM

GeekU Teacher

Retired Staff
15,822 posts

Hello mutex

Welcome to G2Go.

=====================
Run OTL

Under the Custom Scans/Fixes box at the bottom, paste in the following

:OTL
IE- HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dell4me.com/myway
O2 - BHO: (no name) - {02478D38-C3F9-4efb-9B51-7695ECA05670} - No CLSID value found.
O2 - BHO: (AVG Safe Search) - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Program Files\AVG\AVG8\avgssie.dll File not found
O2 - BHO: (no name) - {5C255C8A-E604-49b4-9D64-90988571CECB} - No CLSID value found.
O2 - BHO: (no name) - {60112085-E1CE-4e0e-823A-EBB1AD98804C} - No CLSID value found.
O2 - BHO: (no name) - {C69FA570-7FDE-4C49-A7BC-CB1CF24BE66B} - No CLSID value found.
O20 - AppInit_DLLs: (c:\windows\system32\zebeduwi.dll) - C:\WINDOWS\System32\zebeduwi.dll File not found
O20 - AppInit_DLLs: (gatotafi.dll) - File not found
O20 - AppInit_DLLs: (c:\windows\system32\sikasiso.dll) - C:\WINDOWS\System32\sikasiso.dll File not found
O20 - AppInit_DLLs: (c:\windows\system32\mavozebu.dll) - C:\WINDOWS\System32\mavozebu.dll File not found
O20 - AppInit_DLLs: (c:\windows\system32\yivozizi.dll) - C:\WINDOWS\System32\yivozizi.dll File not found
O20 - AppInit_DLLs: (c:\windows\system32\yetujigi.dll) - C:\WINDOWS\System32\yetujigi.dll File not found
O20 - AppInit_DLLs: (c:\windows\system32\doheyesi.dll) - C:\WINDOWS\System32\doheyesi.dll File not found
O20 - AppInit_DLLs: (c:\windows\system32\sejuvoma.dll) - C:\WINDOWS\System32\sejuvoma.dll File not found
O20 - AppInit_DLLs: (c:\windows\system32\sazujimo.dll) - C:\WINDOWS\System32\sazujimo.dll File not found
O21 - SSODL: bagumukem - {de84e745-c6f3-4d2c-a8e9-c34fcaa8279c} - C:\WINDOWS\System32\zebeduwi.dll File not found
O21 - SSODL: cholecyst - {ee2975b6-e8d5-405e-8448-8fe9590f6cfb} - C:\WINDOWS\System32\mzoeut.dll File not found
O21 - SSODL: julamiwin - {a9251689-cea1-4b27-8199-87b29d962f6d} - C:\WINDOWS\System32\doheyesi.dll File not found
O21 - SSODL: kemavudej - {2bd586b5-8859-404c-9139-d991bb5dc4f4} - C:\WINDOWS\System32\doheyesi.dll File not found
O21 - SSODL: nogigihat - {74ed7f2a-f567-40d6-9391-c6fa51a38ed2} - C:\WINDOWS\System32\doheyesi.dll File not found
O21 - SSODL: nuzolumak - {ae50fe75-c529-4388-942e-c7bcd0e10119} - C:\WINDOWS\System32\doheyesi.dll File not found
O21 - SSODL: tohufigev - {141b1add-9210-436c-8a63-c34d242e1c8c} - CLSID or File not found.
O21 - SSODL: tubolekid - {cf7ba15c-75e4-4b89-a252-25d15a1ca60d} - C:\WINDOWS\System32\sazujimo.dll File not found
O22 - SharedTaskScheduler: {141b1add-9210-436c-8a63-c34d242e1c8c} - jugezatag - Reg Error: Key error. File not found
O22 - SharedTaskScheduler: {2bd586b5-8859-404c-9139-d991bb5dc4f4} - mujuzedij - C:\WINDOWS\System32\doheyesi.dll File not found
O22 - SharedTaskScheduler: {74ed7f2a-f567-40d6-9391-c6fa51a38ed2} - jugezatag - C:\WINDOWS\System32\doheyesi.dll File not found
O22 - SharedTaskScheduler: {a9251689-cea1-4b27-8199-87b29d962f6d} - kupuhivus - C:\WINDOWS\System32\doheyesi.dll File not found
O22 - SharedTaskScheduler: {ae50fe75-c529-4388-942e-c7bcd0e10119} - kupuhivus - C:\WINDOWS\System32\doheyesi.dll File not found
O22 - SharedTaskScheduler: {cf7ba15c-75e4-4b89-a252-25d15a1ca60d} - kupuhivus - C:\WINDOWS\System32\sazujimo.dll File not found
O22 - SharedTaskScheduler: {de84e745-c6f3-4d2c-a8e9-c34fcaa8279c} - tokatiluy - C:\WINDOWS\System32\zebeduwi.dll File not found
O22 - SharedTaskScheduler: cholecyst - {ee2975b6-e8d5-405e-8448-8fe9590f6cfb} - Reg Error: Key error. File not found
[2009/11/21 11:28:51 | 00,006,456 | -H-- | M] () -- C:\WINDOWS\System32\kebozada
[2009/11/20 12:49:33 | 00,039,424 | -HS- | M] () -- C:\WINDOWS\System32\fonoriga.dll
[2009/11/18 09:00:04 | 00,052,736 | -HS- | M] () -- C:\WINDOWS\System32\rivesogo.dll
[2009/11/27 13:00:02 | 00,000,296 | ---- | M] () -- C:\WINDOWS\tasks\gmksjbrf.job
[2009/11/27 13:00:02 | 00,000,296 | ---- | M] () -- C:\WINDOWS\tasks\bhzbridu.job
[2009/11/20 12:49:33 | 00,039,424 | -HS- | C] () -- C:\WINDOWS\System32\fonoriga.dll

Then click the Run Fix button at the top
Let the program run unhindered, reboot when it is done
It will produce a log for you on reboot, please post that log in your next reply.

==============
Please visit this webpage for download links, and instructions for running ComboFix.exe:

http://www.bleepingc...to-use-combofix

* Ensure you have disabled all anti virus and anti malware programs so they do not interfere with the running of ComboFix.

Please include the C:\ComboFix.txt in your next reply for further review.

#3
mutex

Posted 27 November 2009 - 07:26 PM

Member

Topic Starter
Member
16 posts

I will try to do this tomorrow. My friend's computer is at a different location so take this into account when giving me instructions.

Do I need to rename ComboFix before runing it?

Thanks for you help.

David

#4
kahdah

Posted 28 November 2009 - 08:46 AM

GeekU Teacher

Retired Staff
15,822 posts

No you do not need to rename it before running it.

#5
mutex

Posted 28 November 2009 - 01:46 PM

Member

Topic Starter
Member
16 posts

I ran the OTL fix as you requested and then ran ComboFix. Please see the attached log files. Both ran without a hitch. I then rebooted the computer just to check and I still can't enter Safe Mode. I still get the standard BSOD.

I await your further instructions.

Attached Files

OTL.Txt 68.47KB 91 downloads
ComboFix.txt 11.43KB 89 downloads

#6
kahdah

Posted 28 November 2009 - 05:53 PM

GeekU Teacher

Retired Staff
15,822 posts

1. Please open Notepad

Click Start , then Run
type in notepad in the Run Box then hit ok.

2. Now copy/paste the entire content of the codebox below into the Notepad window:

KILLALL::Fcopy::c:\windows\ServicePackFiles\i386\atapi.sys | c:\windows\SYSTEM32\DRIVERS\atapi.sysc:\windows\ServicePackFiles\i386\atapi.sys | c:\windows\SYSTEM32\ReinstallBackups\0002\DriverFiles\i386\atapi.sysc:\windows\ServicePackFiles\i386\atapi.sys | c:\windows\SYSTEM32\ReinstallBackups\0006\DriverFiles\i386\atapi.sys

3. Save the above as CFScript.txt

4. Then drag the CFScript.txt into ComboFix.exe as depicted in the animation below. This will start ComboFix again.

Posted Image

5. After reboot, (in case it asks to reboot), please post the following report/log into your next reply:

Combofix.txt

=============

#7
mutex

Posted 29 November 2009 - 01:30 PM

Member

Topic Starter
Member
16 posts

I ran the ComboFix scan with the code as you suggested. It seems like everything may be fixed now. I can get into Safe Mode. I installed AVG and it seems to be working too. When I go online I no longer get popup windows or error messages.

Check out the ComboFix log below and let me know if anything further needs to be done.

Thanks for all your help. You guys are GREAT!!!

ComboFix 09-11-28.04 - Carl_2 11/29/2009 12:12.2.1 - x86
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.255.131 [GMT -6:00]
Running from: c:\dmg hold\ComboFix.exe
Command switches used :: c:\dmg hold\CFScript.txt
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

.
--------------- FCopy ---------------

c:\windows\ServicePackFiles\i386\atapi.sys --> c:\windows\SYSTEM32\DRIVERS\atapi.sys
c:\windows\ServicePackFiles\i386\atapi.sys --> c:\windows\SYSTEM32\ReinstallBackups\0002\DriverFiles\i386\atapi.sys
c:\windows\ServicePackFiles\i386\atapi.sys --> c:\windows\SYSTEM32\ReinstallBackups\0006\DriverFiles\i386\atapi.sys
.
((((((((((((((((((((((((( Files Created from 2009-10-28 to 2009-11-29 )))))))))))))))))))))))))))))))
.

2009-11-28 19:50 . 2009-11-28 19:50 -------- d-----w- c:\documents and settings\Carl_2\Local Settings\Application Data\Yahoo!
2009-11-28 18:55 . 2009-11-28 18:55 -------- d-----w- C:\_OTL
2009-11-27 18:20 . 2009-11-27 18:20 -------- d-----w- c:\program files\LimeWire
2009-11-24 23:54 . 2009-11-29 18:11 -------- d-----w- C:\DMG hold
2009-11-24 21:55 . 2009-11-24 21:55 1068 ----a-w- C:\dmg5.reg
2009-11-24 21:47 . 2009-11-24 21:48 1236 ----a-w- C:\dmg4.reg
2009-11-24 21:23 . 2009-11-24 21:23 28454 ----a-w- C:\dmg11093.reg
2009-11-24 20:12 . 2009-11-24 20:12 1494 ----a-w- C:\dmg11092.reg
2009-11-24 20:10 . 2009-11-24 20:10 3444 ----a-w- C:\dmg112409.reg
2009-11-20 19:34 . 2009-11-20 19:35 -------- d-----w- c:\program files\Symantec
2009-11-20 19:31 . 2009-11-20 19:31 -------- d-----w- c:\program files\Windows Sidebar
2009-11-20 19:30 . 2009-11-24 22:28 -------- d-----w- c:\documents and settings\All Users\Application Data\Norton
2009-11-20 19:29 . 2009-11-20 19:29 -------- d-----w- c:\documents and settings\All Users\Application Data\NortonInstaller
2009-11-20 19:22 . 2009-11-20 19:22 -------- d-----w- c:\documents and settings\Carl_2\Local Settings\Application Data\ICS
2009-11-19 21:31 . 2009-11-19 21:32 -------- d-----w- c:\windows\system32\NtmsData
2009-11-19 20:43 . 2009-11-19 20:43 -------- d-----w- c:\windows\system32\XPSViewer
2009-11-19 20:43 . 2009-11-19 20:43 -------- d-----w- c:\program files\MSBuild
2009-11-19 20:42 . 2009-11-19 20:42 -------- d-----w- c:\program files\Reference Assemblies
2009-11-19 20:37 . 2008-07-06 12:06 89088 ------w- c:\windows\system32\dllcache\filterpipelineprintproc.dll
2009-11-19 20:37 . 2008-07-06 12:06 117760 ------w- c:\windows\system32\prntvpt.dll
2009-11-19 20:37 . 2008-07-06 10:50 597504 ------w- c:\windows\system32\dllcache\printfilterpipelinesvc.exe
2009-11-19 20:37 . 2008-07-06 12:06 575488 ------w- c:\windows\system32\xpsshhdr.dll
2009-11-19 20:37 . 2008-07-06 12:06 575488 ------w- c:\windows\system32\dllcache\xpsshhdr.dll
2009-11-19 20:37 . 2008-07-06 12:06 1676288 ------w- c:\windows\system32\xpssvcs.dll
2009-11-19 20:37 . 2008-07-06 12:06 1676288 ------w- c:\windows\system32\dllcache\xpssvcs.dll
2009-11-19 20:37 . 2009-11-19 20:40 -------- d-----w- C:\289395e755978cf54a
2009-11-10 12:20 . 2009-11-10 12:20 -------- d-----w- c:\documents and settings\Carl_2\Local Settings\Application Data\Dell
2009-11-07 00:16 . 2009-11-19 20:32 -------- d-----w- c:\program files\Angle Interactive
2009-11-07 00:16 . 2009-11-07 00:16 -------- d-----w- C:\ProgramData
2009-11-03 03:54 . 2009-11-03 03:54 152576 ----a-w- c:\documents and settings\Carl_2\Application Data\Sun\Java\jre1.6.0_17\lzma.dll

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-11-28 19:36 . 2009-09-16 12:21 62936 ----a-w- c:\documents and settings\Carl_2\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2009-11-27 20:10 . 2009-09-17 00:13 -------- d-----w- c:\program files\AVG
2009-11-27 18:40 . 2009-09-26 07:37 -------- d-----w- c:\documents and settings\Carl_2\Application Data\LimeWire
2009-11-27 17:01 . 2004-02-24 14:24 -------- d-----w- c:\program files\PokerStars
2009-11-24 22:34 . 2004-03-15 22:23 -------- d-----w- c:\program files\Common Files\Symantec Shared
2009-11-20 19:34 . 2009-11-20 19:34 805 ----a-w- c:\windows\system32\drivers\SYMEVENT.INF
2009-11-20 19:34 . 2009-11-20 19:34 7443 ----a-w- c:\windows\system32\drivers\SYMEVENT.CAT
2009-11-20 19:34 . 2004-03-15 22:24 60808 ----a-w- c:\windows\system32\S32EVNT1.DLL
2009-11-20 19:34 . 2004-03-15 22:24 124976 ----a-w- c:\windows\system32\drivers\SYMEVENT.SYS
2009-11-20 19:05 . 2004-03-15 22:23 -------- d-----w- c:\documents and settings\All Users\Application Data\Symantec
2009-11-19 21:26 . 2009-09-26 07:08 -------- d-----w- c:\program files\Windows Live
2009-11-19 21:14 . 2009-09-22 21:10 -------- d-----w- c:\documents and settings\Carl_2\Application Data\Yahoo!
2009-11-19 20:53 . 2004-03-15 22:05 -------- d--h--w- c:\program files\InstallShield Installation Information
2009-11-19 20:53 . 2004-04-04 00:39 -------- d-----w- c:\program files\EPSON
2009-11-19 20:44 . 2009-09-22 21:10 -------- d-----w- c:\documents and settings\All Users\Application Data\Yahoo!
2009-11-19 20:44 . 2004-09-11 03:08 -------- d-----w- c:\program files\Yahoo!
2009-11-03 04:01 . 2004-03-15 21:54 -------- d-----w- c:\program files\Java
2009-10-29 11:01 . 2009-10-24 00:45 -------- d-----w- c:\program files\CS
2009-10-14 00:57 . 2009-10-01 15:23 393216 ------w- c:\windows\Setup1.exe
2009-10-14 00:57 . 2004-07-18 16:07 73216 ----a-w- c:\windows\ST6UNST.EXE
2009-10-14 00:55 . 2009-10-14 00:55 737280 ------w- c:\windows\midaswiz.exe
2009-10-11 10:17 . 2009-09-26 07:35 411368 ----a-w- c:\windows\system32\deploytk.dll
2009-10-04 13:26 . 2002-09-03 14:58 79223 ----a-w- c:\windows\PCHealth\HelpCtr\OfflineCache\index.dat
2009-09-26 07:35 . 2009-09-26 07:35 152576 ----a-w- c:\documents and settings\Carl_2\Application Data\Sun\Java\jre1.6.0_11\lzma.dll
2009-09-19 02:35 . 2009-09-19 02:35 1961720 ----a-w- c:\documents and settings\Carl_2\Application Data\Macromedia\Flash Player\www.macromedia.com\bin\fpupdateax\fpupdateax.exe
2009-09-11 14:18 . 2004-11-08 01:17 136192 ----a-w- c:\windows\system32\msv1_0.dll
2009-09-04 21:03 . 2004-11-08 01:18 58880 ----a-w- c:\windows\system32\msasn1.dll
.

((((((((((((((((((((((((((((( SnapShot@2009-11-28_19.22.36 )))))))))))))))))))))))))))))))))))))))))
.
+ 2009-11-29 18:25 . 2009-11-29 18:25 16384 c:\windows\temp\Perflib_Perfdata_1e0.dat
+ 2009-11-29 18:25 . 2009-11-29 18:25 16384 c:\windows\temp\Perflib_Perfdata_140.dat
+ 2004-11-08 01:16 . 2008-04-13 18:40 96512 c:\windows\SYSTEM32\DLLCACHE\atapi.sys
- 2009-11-27 19:05 . 2009-11-28 19:21 32768 c:\windows\SYSTEM32\CONFIG\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\index.dat
+ 2009-11-27 19:05 . 2009-11-29 15:25 32768 c:\windows\SYSTEM32\CONFIG\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\index.dat
- 2002-09-03 08:08 . 2009-11-28 19:21 32768 c:\windows\SYSTEM32\CONFIG\systemprofile\Local Settings\History\History.IE5\INDEX.DAT
+ 2002-09-03 08:08 . 2009-11-29 15:25 32768 c:\windows\SYSTEM32\CONFIG\systemprofile\Local Settings\History\History.IE5\INDEX.DAT
- 2002-09-03 08:08 . 2009-11-28 19:21 16384 c:\windows\SYSTEM32\CONFIG\systemprofile\Cookies\INDEX.DAT
+ 2002-09-03 08:08 . 2009-11-29 15:25 16384 c:\windows\SYSTEM32\CONFIG\systemprofile\Cookies\INDEX.DAT
- 2009-10-04 14:02 . 2009-11-28 19:21 245760 c:\windows\SYSTEM32\CONFIG\systemprofile\IETldCache\index.dat
+ 2009-10-04 14:02 . 2009-11-29 15:25 245760 c:\windows\SYSTEM32\CONFIG\systemprofile\IETldCache\index.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Messenger\\msmsgs.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\wlcsdk.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=
"c:\\Program Files\\LimeWire\\LimeWire.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Yahoo!\\Search Protection\\SearchProtection.exe"=
"c:\\WINDOWS\\SYSTEM32\\dpvsetup.exe"=

.
Contents of the 'Scheduled Tasks' folder

2009-11-28 c:\windows\Tasks\User_Feed_Synchronization-{1FA8223A-7822-4CA4-A437-05A7F15EC3DD}.job
- c:\windows\system32\msfeedssync.exe [2009-03-08 09:31]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.yahoo.com/
mSearch Bar = hxxp://us.rd.yahoo.com/customize/ie/defaults/sb/msgr9/*http://www.yahoo.com/ext/search/search.html
uSearchURL,(Default) = hxxp://us.rd.yahoo.com/customize/ie/defaults/su/msgr9/*http://www.yahoo.com
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~3\OFFICE11\EXCEL.EXE/3000
IE: {{578FC4E3-151E-456c-AF8E-B63061EFE228} - c:\program files\GhostSurf\LaunchPCC.exe
IE: {{578FC4E3-151E-456c-AF8E-B63061EFE228}}
TCP: {52CF510E-320E-4A0E-B44E-ED3FF560C646} = 83.149.115.182
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-11-29 12:25
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'explorer.exe'(3832)
c:\windows\system32\WININET.dll
c:\progra~1\WINDOW~2\wmpband.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\webcheck.dll
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
------------------------ Other Running Processes ------------------------
.
c:\program files\Java\jre6\bin\jqs.exe
c:\program files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
c:\program files\Microsoft SQL Server\MSSQL$MICROSOFTBCM\Binn\sqlservr.exe
c:\windows\System32\nvsvc32.exe
c:\windows\system32\wscntfy.exe
.
**************************************************************************
.
Completion time: 2009-11-29 12:35 - machine was rebooted
ComboFix-quarantined-files.txt 2009-11-29 18:35
ComboFix2.txt 2009-11-28 19:32

Pre-Run: 68,796,133,376 bytes free
Post-Run: 68,748,591,104 bytes free

- - End Of File - - 2FF6CF628A3067D75DAD9CA0657B6736

#8
kahdah

Posted 29 November 2009 - 04:30 PM

GeekU Teacher

Retired Staff
15,822 posts

Yes just one leftover to delete.
Please delete this filder:
c:\program files\CS
=========================
=======Cleanup=======

Click START then RUN
Now type Combofix /uninstall in the runbox and click OK. Note the space between the X and the U, it needs to be there.

======Next======

Download OTC to your desktop and run it
Click Yes to beginning the Cleanup process and remove these components, including this application.
You will be asked to reboot the machine to finish the Cleanup process. Choose Yes.

======================Clear out infected System Restore points======================

Then we need to reset your System Restore points.
The link below shows how to do this.
How to Turn On and Turn Off System Restore in Windows XP
http://support.micro...kb/310405/en-us

If you are using Vista then see this link: http://www.bleepingc...143.html#manual

Delete\uninstall anything else that we have used that is leftover.

=====================================
After that your all set.

The following are some articles and a Windows Update link that I like to suggest to people to prevent malware and general PC maintenance.

Windows Updates - It is very important to make sure that both Internet Explorer and Windows are kept current with the latest critical security patches from Microsoft. To do this just start Internet Explorer and select Tools > Windows Update, and follow the online instructions from there.

Prevention article To find out more information about how you got infected in the first place and some great guidelines to follow to prevent future infections please read the Prevention artice by Miekiemoes.

If your computer is slow Is a tutorial on what you can do if your computer is slow.

File sharing program dangers Reasons to stay away from File sharing programs for ex: BitTorrent,Limewire,Kazaa,emule,Utorrent,Limewire etc...