Infected with trojan.vundo [Solved] - Geeks to Go Forums

Infected with trojan.vundo [Solved] I can't get windows automatic updates.

#1 pixman

  • Group: Member
  • Posts: 15
  • Joined: 11-January 10

Posted 18 March 2010 - 10:43 AM

I believe I'm infected with the Vundo virus. My Norton virus scanner keeps finding it but can't seem to get rid of it.

I can't get automatic updates to work - it switches to disable mode.

I tried downloading Malwarebytes but I can't load it.

Here's my hijackthis log

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 9:42:21 AM, on 3/18/2010
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP3 (6.00.2900.5512)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\Program Files\Webroot\WebrootSecurity\WRConsumerService.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Spyware Doctor\BDT\BDTUpdateService.exe
C:\Program Files\Symantec AntiVirus\DefWatch.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\CyberLink\Shared Files\RichVideo.exe
C:\Program Files\Symantec AntiVirus\Rtvscan.exe
C:\Program Files\Webroot\WebrootSecurity\SpySweeper.exe
C:\WINDOWS\RTHDCPL.EXE
C:\PROGRA~1\SYMANT~1\VPTray.exe
C:\Program Files\Webroot\WebrootSecurity\SpySweeperUI.exe
c:\windows\system32\rundll32.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\TrendMicro\HiJackThis\HiJackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft....k/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft....k/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft....k/?LinkId=54896
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: Browser Defender BHO - {2A0F3D1B-0909-4FF4-B272-609CCE6054E7} - C:\Program Files\Spyware Doctor\BDT\PCTBrowserDefender.dll
O2 - BHO: Java™ Plug-In SSV Helper - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre6\bin\ssv.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\5.1.1309.3572\swg.dll
O2 - BHO: Java™ Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O2 - BHO: (no name) - {f5fa52de-99a4-4dd7-befd-42cac739c36f} - vovugesi.dll (file missing)
O2 - BHO: Ask Toolbar BHO - {FE063DB1-4EC0-403e-8DD8-394C54984B2C} - C:\Program Files\AskTBar\bar\1.bin\ASKTBAR.DLL
O3 - Toolbar: Ask Toolbar - {FE063DB9-4EC0-403e-8DD8-394C54984B2C} - C:\Program Files\AskTBar\bar\1.bin\ASKTBAR.DLL
O3 - Toolbar: PC Tools Browser Guard - {472734EA-242A-422B-ADF8-83D1E48CC825} - C:\Program Files\Spyware Doctor\BDT\PCTBrowserDefender.dll
O4 - HKLM\..\Run: [RTHDCPL] "C:\WINDOWS\RTHDCPL.EXE"
O4 - HKLM\..\Run: [vptray] "C:\PROGRA~1\SYMANT~1\VPTray.exe"
O4 - HKLM\..\Run: [vogifomedi] Rundll32.exe "zukuzibi.dll",s
O4 - HKLM\..\Run: [SpySweeper] "C:\Program Files\Webroot\WebrootSecurity\SpySweeperUI.exe" /startintray
O4 - HKLM\..\Run: [rizurapim] Rundll32.exe "c:\windows\system32\valavuja.dll",a
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/...b?1181596364140
O16 - DPF: {FD0B6769-6490-4A91-AA0A-B5AE0DC75AC9} (Performance Viewer Activex Control) - https://secure.logme...trl.cab?lmi=100
O21 - SSODL: megaderaj - {3add4a24-cec4-461a-a692-ab77b1b83cb8} - c:\windows\system32\josoguyi.dll (file missing)
O21 - SSODL: baruginoh - {4194e1a6-c227-4028-822a-860c0345a0ba} - (no file)
O21 - SSODL: gidelepiw - {3d7bfa4e-fa60-460e-9497-a708807b78f2} - c:\windows\system32\valavuja.dll
O22 - SharedTaskScheduler: Browseui preloader - {438755C2-A8BA-11D1-B96B-00A0C90312E1} - C:\WINDOWS\system32\browseui.dll
O22 - SharedTaskScheduler: Component Categories cache daemon - {8C7461EF-2B13-11d2-BE35-3078302C2030} - C:\WINDOWS\system32\browseui.dll
O22 - SharedTaskScheduler: mujuzedij - {3add4a24-cec4-461a-a692-ab77b1b83cb8} - c:\windows\system32\josoguyi.dll (file missing)
O22 - SharedTaskScheduler: tokatiluy - {4194e1a6-c227-4028-822a-860c0345a0ba} - (no file)
O22 - SharedTaskScheduler: gahurihor - {3d7bfa4e-fa60-460e-9497-a708807b78f2} - c:\windows\system32\valavuja.dll
O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: Browser Defender Update Service - Unknown owner - C:\Program Files\Spyware Doctor\BDT\BDTUpdateService.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: Symantec AntiVirus Definition Watcher (DefWatch) - Symantec Corporation - C:\Program Files\Symantec AntiVirus\DefWatch.exe
O23 - Service: Google Update Service (gupdate) (gupdate) - Google Inc. - C:\Program Files\Google\Update\GoogleUpdate.exe
O23 - Service: Google Software Updater (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
O23 - Service: NBService - Nero AG - C:\Program Files\Nero\Nero 7\Nero BackItUp\NBService.exe
O23 - Service: NMIndexingService - Nero AG - C:\Program Files\Common Files\Ahead\Lib\NMIndexingService.exe
O23 - Service: Cyberlink RichVideo Service(CRVS) (RichVideo) - Unknown owner - C:\Program Files\CyberLink\Shared Files\RichVideo.exe
O23 - Service: SAVRoam (SavRoam) - symantec - C:\Program Files\Symantec AntiVirus\SavRoam.exe
O23 - Service: PC Tools Auxiliary Service (sdAuxService) - PC Tools - C:\Program Files\Spyware Doctor\pctsAuxs.exe
O23 - Service: PC Tools Security Service (sdCoreService) - PC Tools - C:\Program Files\Spyware Doctor\pctsSvc.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
O23 - Service: Symantec AntiVirus - Symantec Corporation - C:\Program Files\Symantec AntiVirus\Rtvscan.exe
O23 - Service: Webroot Spy Sweeper Engine (WebrootSpySweeperService) - Webroot Software, Inc. (www.webroot.com) - C:\Program Files\Webroot\WebrootSecurity\SpySweeper.exe
O23 - Service: Webroot Client Service (WRConsumerService) - Webroot Software, Inc. - C:\Program Files\Webroot\WebrootSecurity\WRConsumerService.exe

#2 Essexboy

  • Group: GeekU Moderator
  • Posts: 56,116
  • Joined: 31-May 06

Posted 18 March 2010 - 02:40 PM

Hi, we no longer use HijackThis.

Download the GMER Rootkit Scanner. Unzip it to your Desktop.

Before scanning, make sure all other running programs are closed and no other actions like a scheduled antivirus scan will occur while the scan is being performed. Do not use your computer for anything else during the scan.

Double-click gmer.exe. The program will begin to run.

**Caution**
These types of scans can produce false positives. Do NOT take any action on any "<--- ROOTKIT" entries unless advised!

If possible rootkit activity is found, you will be asked if you would like to perform a full scan.
  • Click NO
  • In the right panel, you will see a bunch of boxes that have been checked ... leave everything checked and ensure the Show all box is un-checked.
  • Now click the Scan button.
    Once the scan is complete, you may receive another notice about rootkit activity.
  • Click OK.
  • GMER will produce a log. Click on the [Save..] button, and in the File name area, type in "GMER.txt"
  • Save it where you can easily find it, such as your desktop.

Post the contents of GMER.txt in your next reply.

THEN

Download OTL to your Desktop
  • Double click on the icon to run it. Make sure all other windows are closed and to let it run uninterrupted.
  • Under the Custom Scan box paste this in

    netsvcs
    %SYSTEMDRIVE%\*.*
    /md5start
    eventlog.dll
    scecli.dll
    netlogon.dll
    cngaudit.dll
    sceclt.dll
    ntelogon.dll
    logevent.dll
    iaStor.sys
    nvstor.sys
    atapi.sys
    IdeChnDr.sys
    viasraid.sys
    AGP440.sys
    vaxscsi.sys
    nvatabus.sys
    viamraid.sys
    nvata.sys
    nvgts.sys
    iastorv.sys
    ViPrt.sys
    eNetHook.dll
    ahcix86.sys
    KR10N.sys
    nvstor32.sys
    ahcix86s.sys
    nvrd32.sys
    symmpi.sys
    adp3132.sys
    mv61xx.sys
    /md5stop
    %systemroot%\*. /mp /s
    CREATERESTOREPOINT
    %systemroot%\system32\*.dll /lockedfiles
    %systemroot%\Tasks\*.job /lockedfiles
    %systemroot%\system32\drivers\*.sys /lockedfiles
    %systemroot%\System32\config\*.sav

  • Click the Quick Scan button. Do not change any settings unless otherwise told to do so. The scan won't take long.
  • When the scan completes, it will open two notepad windows: OTL.Txt and Extras.Txt. These are saved in the same location as OTL.


#3 pixman

  • Group: Member
  • Posts: 15
  • Joined: 11-January 10

Posted 18 March 2010 - 11:28 PM

Thank you. Here are the reports:


GMER 1.0.15.15281 - http://www.gmer.net
Rootkit scan 2010-03-18 19:51:42
Windows 5.1.2600 Service Pack 3
Running: gmer.exe; Driver: C:\DOCUME~1\NEWUSE~1\LOCALS~1\Temp\kfacakob.sys


---- System - GMER 1.0.15 ----

SSDT 862FB500 ZwAlertResumeThread
SSDT 862CB498 ZwAlertThread
SSDT 861B7220 ZwAllocateVirtualMemory
SSDT 861A8978 ZwConnectPort
SSDT PCTCore.sys (PC Tools KDS Core Driver/PC Tools) ZwCreateKey [0xF73B5E52]
SSDT 85AA7660 ZwCreateMutant
SSDT PCTCore.sys (PC Tools KDS Core Driver/PC Tools) ZwCreateProcess [0xF7396CDE]
SSDT PCTCore.sys (PC Tools KDS Core Driver/PC Tools) ZwCreateProcessEx [0xF7396ED0]
SSDT 8629A5C0 ZwCreateThread
SSDT PCTCore.sys (PC Tools KDS Core Driver/PC Tools) ZwDeleteKey [0xF73B6640]
SSDT PCTCore.sys (PC Tools KDS Core Driver/PC Tools) ZwDeleteValueKey [0xF73B68F4]
SSDT 861DC970 ZwFreeVirtualMemory
SSDT 862DF498 ZwImpersonateAnonymousToken
SSDT 862F2530 ZwImpersonateThread
SSDT 86181E88 ZwMapViewOfSection
SSDT 8594AB08 ZwOpenEvent
SSDT PCTCore.sys (PC Tools KDS Core Driver/PC Tools) ZwOpenKey [0xF73B4B44]
SSDT 861DC298 ZwOpenProcessToken
SSDT 86275A58 ZwOpenThreadToken
SSDT 859A32C8 ZwQueryValueKey
SSDT 865E1DF8 ZwQueueApcThread
SSDT 86525FA8 ZwReadVirtualMemory
SSDT PCTCore.sys (PC Tools KDS Core Driver/PC Tools) ZwRenameKey [0xF73B6D60]
SSDT 86293BB0 ZwResumeThread
SSDT 86275D68 ZwSetContextThread
SSDT 865C7240 ZwSetInformationKey
SSDT 861D74A0 ZwSetInformationProcess
SSDT 8628F4E8 ZwSetInformationThread
SSDT PCTCore.sys (PC Tools KDS Core Driver/PC Tools) ZwSetValueKey [0xF73B6112]
SSDT 86453498 ZwSuspendProcess
SSDT 861583C0 ZwSuspendThread
SSDT PCTCore.sys (PC Tools KDS Core Driver/PC Tools) ZwTerminateProcess [0xF7396984]
SSDT 8628FDC8 ZwTerminateThread
SSDT 861DF700 ZwUnmapViewOfSection
SSDT 861B5BD0 ZwWriteVirtualMemory

---- Kernel IAT/EAT - GMER 1.0.15 ----

IAT \SystemRoot\system32\DRIVERS\ndiswan.sys[NDIS.SYS!NdisDeregisterProtocol] 86525E38
IAT \SystemRoot\system32\DRIVERS\ndiswan.sys[NDIS.SYS!NdisRegisterProtocol] 86525F30
IAT \SystemRoot\system32\DRIVERS\raspppoe.sys[NDIS.SYS!NdisRegisterProtocol] 86525F30
IAT \SystemRoot\system32\DRIVERS\raspppoe.sys[NDIS.SYS!NdisDeregisterProtocol] 86525E38
IAT \SystemRoot\system32\DRIVERS\psched.sys[NDIS.SYS!NdisDeregisterProtocol] 86525E38
IAT \SystemRoot\system32\DRIVERS\psched.sys[NDIS.SYS!NdisRegisterProtocol] 86525F30
IAT \SystemRoot\System32\Drivers\NDProxy.SYS[NDIS.SYS!NdisRegisterProtocol] 86525F30
IAT \SystemRoot\System32\Drivers\NDProxy.SYS[NDIS.SYS!NdisDeregisterProtocol] 86525E38
IAT \SystemRoot\system32\DRIVERS\tcpip.sys[NDIS.SYS!NdisRegisterProtocol] 86525F30
IAT \SystemRoot\system32\DRIVERS\wanarp.sys[NDIS.SYS!NdisDeregisterProtocol] 86525E38
IAT \SystemRoot\system32\DRIVERS\wanarp.sys[NDIS.SYS!NdisRegisterProtocol] 86525F30
IAT \SystemRoot\system32\DRIVERS\ndisuio.sys[NDIS.SYS!NdisRegisterProtocol] 86525F30
IAT \SystemRoot\system32\DRIVERS\ndisuio.sys[NDIS.SYS!NdisDeregisterProtocol] 86525E38

---- Devices - GMER 1.0.15 ----

AttachedDevice \FileSystem\Ntfs \Ntfs ssfs0bbc.sys (Spy Sweeper FileSystem Filter Driver/Webroot Software, Inc. (www.webroot.com))
AttachedDevice \FileSystem\Ntfs \Ntfs SYMEVENT.SYS (Symantec Event Library/Symantec Corporation)

Device \Driver\Tcpip \Device\Ip 861BAB50
Device \Driver\Tcpip \Device\Ip 8627DE20
Device \Driver\Tcpip \Device\Ip 863BC530
Device \Driver\Tcpip \Device\Ip 864663A8
Device \Driver\Tcpip \Device\Ip 8654E330

AttachedDevice \Driver\Tcpip \Device\Ip SYMTDI.SYS (Network Dispatch Driver/Symantec Corporation)

Device \Driver\Tcpip \Device\Tcp 861BAB50
Device \Driver\Tcpip \Device\Tcp 8627DE20
Device \Driver\Tcpip \Device\Tcp 863BC530
Device \Driver\Tcpip \Device\Tcp 864663A8
Device \Driver\Tcpip \Device\Tcp 8654E330

AttachedDevice \Driver\Tcpip \Device\Tcp SYMTDI.SYS (Network Dispatch Driver/Symantec Corporation)

Device \Driver\Tcpip \Device\Udp 861BAB50
Device \Driver\Tcpip \Device\Udp 8627DE20
Device \Driver\Tcpip \Device\Udp 863BC530
Device \Driver\Tcpip \Device\Udp 864663A8
Device \Driver\Tcpip \Device\Udp 8654E330

AttachedDevice \Driver\Tcpip \Device\Udp SYMTDI.SYS (Network Dispatch Driver/Symantec Corporation)

Device \Driver\Tcpip \Device\RawIp 861BAB50
Device \Driver\Tcpip \Device\RawIp 8627DE20
Device \Driver\Tcpip \Device\RawIp 863BC530
Device \Driver\Tcpip \Device\RawIp 864663A8
Device \Driver\Tcpip \Device\RawIp 8654E330

AttachedDevice \Driver\Tcpip \Device\RawIp SYMTDI.SYS (Network Dispatch Driver/Symantec Corporation)

Device \Driver\Tcpip \Device\IPMULTICAST 861BAB50
Device \Driver\Tcpip \Device\IPMULTICAST 8627DE20
Device \Driver\Tcpip \Device\IPMULTICAST 863BC530
Device \Driver\Tcpip \Device\IPMULTICAST 864663A8
Device \Driver\Tcpip \Device\IPMULTICAST 8654E330

---- Registry - GMER 1.0.15 ----

Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows@DeviceNotSelectedTimeout 15
Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows@GDIProcessHandleQuota 10000
Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows@Spooler yes
Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows@swapdisk
Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows@TransmissionRetryTimeout 90
Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows@USERProcessHandleQuota 10000
Reg HKCU\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\{11645ED4-E37E-C8F1-181A-10739179EA99}
Reg HKCU\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\{11645ED4-E37E-C8F1-181A-10739179EA99}@jadpeifacjfhdldhooml 0x62 0x61 0x70 0x65 ...
Reg HKCU\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\{11645ED4-E37E-C8F1-181A-10739179EA99}@jadpeifacjfhdldhooam 0x62 0x61 0x63 0x66 ...
Reg HKCU\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\{11645ED4-E37E-C8F1-181A-10739179EA99}@iadgaeifoaofjldofm 0x6B 0x61 0x6B 0x65 ...

---- EOF - GMER 1.0.15 ----


OTL


OTL logfile created on: 3/18/2010 9:53:51 PM - Run 1
OTL by OldTimer - Version 3.1.37.3 Folder = C:\Documents and Settings\new user\Desktop
Windows XP Professional Edition Service Pack 3 (Version = 5.1.2600) - Type = NTWorkstation
Internet Explorer (Version = 6.0.2900.5512)
Locale: 00000409 | Country: United States | Language: ENU | Date Format: M/d/yyyy

1,013.00 Mb Total Physical Memory | 475.00 Mb Available Physical Memory | 47.00% Memory free
2.00 Gb Paging File | 2.00 Gb Available in Paging File | 84.00% Paging File free
Paging file location(s): C:\pagefile.sys 1524 3048 [binary data]

%SystemDrive% = C: | %SystemRoot% = C:\WINDOWS | %ProgramFiles% = C:\Program Files
Drive C: | 232.88 Gb Total Space | 174.73 Gb Free Space | 75.03% Space Free | Partition Type: NTFS
D: Drive not present or media not loaded
E: Drive not present or media not loaded
F: Drive not present or media not loaded
G: Drive not present or media not loaded
H: Drive not present or media not loaded
I: Drive not present or media not loaded

Computer Name: NEW-D3CFBA6C0A5
Current User Name: new user
Logged in as Administrator.

Current Boot Mode: Normal
Scan Mode: Current user
Company Name Whitelist: On
Skip Microsoft Files: On
File Age = 14 Days
Output = Standard
Quick Scan

========== Processes (SafeList) ==========

PRC - [2010/03/18 21:52:06 | 000,555,520 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\new user\Desktop\OTL.exe
PRC - [2010/01/21 16:21:02 | 000,112,592 | ---- | M] (Threat Expert Ltd.) -- C:\Program Files\Spyware Doctor\BDT\BDTUpdateService.exe
PRC - [2010/01/14 19:12:13 | 001,201,640 | ---- | M] (Webroot Software, Inc. ) -- C:\Program Files\Webroot\WebrootSecurity\WRConsumerService.exe
PRC - [2009/11/06 16:19:58 | 006,515,784 | ---- | M] (Webroot Software, Inc.) -- C:\Program Files\Webroot\WebrootSecurity\SpySweeperUI.exe
PRC - [2009/11/06 13:00:22 | 004,048,240 | ---- | M] (Webroot Software, Inc. (www.webroot.com)) -- C:\Program Files\Webroot\WebrootSecurity\SpySweeper.exe
PRC - [2009/11/06 13:00:22 | 000,165,232 | ---- | M] (Webroot Software, Inc. (www.webroot.com)) -- C:\Program Files\Webroot\WebrootSecurity\SSU.exe
PRC - [2008/04/13 17:12:19 | 001,033,728 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\explorer.exe
PRC - [2006/03/17 06:35:00 | 001,823,472 | ---- | M] (Symantec Corporation) -- C:\Program Files\Symantec AntiVirus\Rtvscan.exe
PRC - [2006/03/17 06:34:12 | 000,030,448 | ---- | M] (Symantec Corporation) -- C:\Program Files\Symantec AntiVirus\DefWatch.exe
PRC - [2006/03/07 13:03:02 | 000,169,632 | ---- | M] (Symantec Corporation) -- C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
PRC - [2006/03/07 13:02:34 | 000,192,160 | ---- | M] (Symantec Corporation) -- C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
PRC - [2006/02/06 12:50:24 | 001,160,848 | ---- | M] (Symantec Corporation) -- C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe


========== Modules (SafeList) ==========

MOD - [2099/01/01 12:00:00 | 000,096,256 | -HS- | M] () -- C:\WINDOWS\system32\nipujija.dll
MOD - [2010/03/18 21:52:06 | 000,555,520 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\new user\Desktop\OTL.exe


========== Win32 Services (SafeList) ==========

SRV - [2010/01/21 16:21:02 | 000,112,592 | ---- | M] (Threat Expert Ltd.) [Auto | Running] -- C:\Program Files\Spyware Doctor\BDT\BDTUpdateService.exe -- (Browser Defender Update Service)
SRV - [2010/01/14 19:12:13 | 001,201,640 | ---- | M] (Webroot Software, Inc. ) [Auto | Running] -- C:\Program Files\Webroot\WebrootSecurity\WRConsumerService.exe -- (WRConsumerService)
SRV - [2009/11/06 15:29:22 | 001,141,712 | ---- | M] (PC Tools) [On_Demand | Stopped] -- C:\Program Files\Spyware Doctor\pctsSvc.exe -- (sdCoreService)
SRV - [2009/11/06 13:00:22 | 004,048,240 | ---- | M] (Webroot Software, Inc. (www.webroot.com)) [Auto | Running] -- C:\Program Files\Webroot\WebrootSecurity\SpySweeper.exe -- (WebrootSpySweeperService)
SRV - [2009/10/30 12:18:16 | 000,359,624 | ---- | M] (PC Tools) [On_Demand | Stopped] -- C:\Program Files\Spyware Doctor\pctsAuxs.exe -- (sdAuxService)
SRV - [2006/03/17 06:35:00 | 001,823,472 | ---- | M] (Symantec Corporation) [Auto | Running] -- C:\Program Files\Symantec AntiVirus\Rtvscan.exe -- (Symantec AntiVirus)
SRV - [2006/03/17 06:34:24 | 000,115,952 | ---- | M] (symantec) [On_Demand | Stopped] -- C:\Program Files\Symantec AntiVirus\SavRoam.exe -- (SavRoam)
SRV - [2006/03/17 06:34:12 | 000,030,448 | ---- | M] (Symantec Corporation) [Auto | Running] -- C:\Program Files\Symantec AntiVirus\DefWatch.exe -- (DefWatch)
SRV - [2006/03/07 13:03:02 | 000,169,632 | ---- | M] (Symantec Corporation) [Auto | Running] -- C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe -- (ccSetMgr)
SRV - [2006/03/07 13:02:34 | 000,192,160 | ---- | M] (Symantec Corporation) [Auto | Running] -- C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe -- (ccEvtMgr)
SRV - [2006/02/23 11:41:02 | 002,045,632 | ---- | M] (Symantec Corporation) [On_Demand | Stopped] -- C:\Program Files\Symantec\LiveUpdate\LuComServer_3_0.EXE -- (LiveUpdate)
SRV - [2006/02/06 12:50:24 | 001,160,848 | ---- | M] (Symantec Corporation) [Auto | Running] -- C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe -- (SPBBCSvc)
SRV - [2006/01/24 20:06:58 | 000,214,720 | ---- | M] (Symantec Corporation) [On_Demand | Stopped] -- C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe -- (SNDSrvc)


========== Standard Registry (SafeList) ==========


========== Internet Explorer ==========

IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Local Page = %SystemRoot%\system32\blank.htm

IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = http://www.google.com/
IE - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0

========== FireFox ==========

FF - prefs.js..extensions.enabledItems: jqs@sun.com:1.0
FF - prefs.js..extensions.enabledItems: moveplayer@movenetworks.com:1.0.0.%(version)s

FF - HKLM\software\mozilla\Mozilla Firefox 3.6\extensions\\Components: C:\Program Files\Mozilla Firefox\components [2010/03/14 00:35:22 | 000,000,000 | ---D | M]
FF - HKLM\software\mozilla\Mozilla Firefox 3.6\extensions\\Plugins: C:\Program Files\Mozilla Firefox\plugins [2010/03/14 00:36:55 | 000,000,000 | ---D | M]

[2010/02/06 14:25:56 | 000,000,000 | ---D | M] -- C:\Documents and Settings\new user\Application Data\Mozilla\Extensions
[2010/03/17 16:06:47 | 000,000,000 | ---D | M] -- C:\Documents and Settings\new user\Application Data\Mozilla\Firefox\Profiles\oex1f314.default\extensions
[2010/02/06 15:49:31 | 000,000,000 | ---D | M] (Microsoft .NET Framework Assistant) -- C:\Documents and Settings\new user\Application Data\Mozilla\Firefox\Profiles\oex1f314.default\extensions\{20a82645-c095-46ed-80e3-08825760534b}
[2010/02/06 14:25:31 | 000,000,000 | ---D | M] -- C:\Program Files\Mozilla Firefox\extensions
[2010/02/23 14:16:08 | 000,221,184 | ---- | M] (CNN) -- C:\Program Files\Mozilla Firefox\plugins\NPTURNMED.dll

O1 HOSTS File: ([2010/03/18 01:00:00 | 000,000,027 | ---- | M]) - C:\WINDOWS\system32\drivers\etc\hosts
O1 - Hosts: 127.0.0.1 localhost
O2 - BHO: (Adobe PDF Reader Link Helper) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll (Adobe Systems Incorporated)
O2 - BHO: (PC Tools Browser Guard BHO) - {2A0F3D1B-0909-4FF4-B272-609CCE6054E7} - C:\Program Files\Spyware Doctor\BDT\PCTBrowserDefender.dll (Threat Expert Ltd.)
O2 - BHO: (Java™ Plug-In SSV Helper) - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre6\bin\ssv.dll (Sun Microsystems, Inc.)
O2 - BHO: (Google Toolbar Notifier BHO) - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\5.1.1309.3572\swg.dll (Google Inc.)
O2 - BHO: (Ask Toolbar BHO) - {FE063DB1-4EC0-403e-8DD8-394C54984B2C} - C:\Program Files\AskTBar\bar\1.bin\ASKTBAR.DLL (Ask.com)
O3 - HKLM\..\Toolbar: (PC Tools Browser Guard) - {472734EA-242A-422B-ADF8-83D1E48CC825} - C:\Program Files\Spyware Doctor\BDT\PCTBrowserDefender.dll (Threat Expert Ltd.)
O3 - HKLM\..\Toolbar: (Ask Toolbar) - {FE063DB9-4EC0-403e-8DD8-394C54984B2C} - C:\Program Files\AskTBar\bar\1.bin\ASKTBAR.DLL (Ask.com)
O3 - HKCU\..\Toolbar\WebBrowser: (PC Tools Browser Guard) - {472734EA-242A-422B-ADF8-83D1E48CC825} - C:\Program Files\Spyware Doctor\BDT\PCTBrowserDefender.dll (Threat Expert Ltd.)
O3 - HKCU\..\Toolbar\WebBrowser: (Ask Toolbar) - {FE063DB9-4EC0-403E-8DD8-394C54984B2C} - C:\Program Files\AskTBar\bar\1.bin\ASKTBAR.DLL (Ask.com)
O4 - HKLM..\Run: [rizurapim] C:\WINDOWS\System32\nipujija.DLL ()
O4 - HKLM..\Run: [SpySweeper] C:\Program Files\Webroot\WebrootSecurity\SpySweeperUI.exe (Webroot Software, Inc.)
O6 - HKLM\Software\Policies\Microsoft\Internet Explorer\Main present
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: HonorAutoRunSetting = 1
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveAutoRun = 67108863
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 323
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDrives = 0
O7 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O7 - HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 323
O7 - HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveAutoRun = 67108863
O7 - HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDrives = 0
O9 - Extra Button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe (America Online, Inc.)
O10 - NameSpace_Catalog5\Catalog_Entries\000000000004 [] - C:\Program Files\Bonjour\mdnsNSP.dll (Apple Inc.)
O16 - DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} http://www.apple.com...ex/qtplugin.cab (QuickTime Object)
O16 - DPF: {31435657-9980-0010-8000-00AA00389B71} http://download.microsoft.com/download/e/2...78f/wvc1dmo.cab (Reg Error: Key error.)
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} http://update.microsoft.com/windowsupdate/...b?1181596364140 (WUWebControl Class)
O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} http://java.sun.com/update/1.6.0/jinstall-...indows-i586.cab (Java Plug-in 1.6.0_11)
O16 - DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} http://fpdownload.macromedia.com/get/flash...r/ultrashim.cab (Reg Error: Key error.)
O16 - DPF: {CAFEEFAC-0016-0000-0001-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinstall-...indows-i586.cab (Java Plug-in 1.6.0_01)
O16 - DPF: {CAFEEFAC-0016-0000-0002-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinstall-...indows-i586.cab (Java Plug-in 1.6.0_02)
O16 - DPF: {CAFEEFAC-0016-0000-0003-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinstall-...indows-i586.cab (Java Plug-in 1.6.0_03)
O16 - DPF: {CAFEEFAC-0016-0000-0005-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinstall-...indows-i586.cab (Java Plug-in 1.6.0_05)
O16 - DPF: {CAFEEFAC-0016-0000-0011-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinstall-...indows-i586.cab (Java Plug-in 1.6.0_11)
O16 - DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinstall-...indows-i586.cab (Java Plug-in 1.6.0_11)
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} http://download.macromedia.com/pub/shockwa...ash/swflash.cab (Shockwave Flash Object)
O16 - DPF: {FD0B6769-6490-4A91-AA0A-B5AE0DC75AC9} https://secure.logme...trl.cab?lmi=100 (Performance Viewer Activex Control)
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: DhcpNameServer = 209.18.47.61 209.18.47.62
O20 - HKLM Winlogon: Shell - (Explorer.exe) - C:\WINDOWS\explorer.exe (Microsoft Corporation)
O20 - HKCU Winlogon: Shell - (Explorer.exe) - C:\WINDOWS\explorer.exe (Microsoft Corporation)
O20 - Winlogon\Notify\igfxcui: DllName - igfxdev.dll - C:\WINDOWS\System32\igfxdev.dll (Intel Corporation)
O20 - Winlogon\Notify\NavLogon: DllName - C:\WINDOWS\system32\NavLogon.dll - C:\WINDOWS\system32\NavLogon.dll (Symantec Corporation)
O21 - SSODL: baruginoh - {4194e1a6-c227-4028-822a-860c0345a0ba} - CLSID or File not found.
O21 - SSODL: ferililab - {18ffef2b-2015-4297-b4f1-40cfe7649db1} - C:\WINDOWS\system32\nipujija.dll ()
O21 - SSODL: megaderaj - {3add4a24-cec4-461a-a692-ab77b1b83cb8} - C:\WINDOWS\System32\josoguyi.dll File not found
O22 - SharedTaskScheduler: {18ffef2b-2015-4297-b4f1-40cfe7649db1} - mujuzedij - C:\WINDOWS\system32\nipujija.dll ()
O22 - SharedTaskScheduler: {3add4a24-cec4-461a-a692-ab77b1b83cb8} - mujuzedij - C:\WINDOWS\System32\josoguyi.dll File not found
O22 - SharedTaskScheduler: {4194e1a6-c227-4028-822a-860c0345a0ba} - tokatiluy - Reg Error: Key error. File not found
O24 - Desktop WallPaper: C:\Documents and Settings\new user\Local Settings\Application Data\Microsoft\Wallpaper1.bmp
O24 - Desktop BackupWallPaper: C:\Documents and Settings\new user\Local Settings\Application Data\Microsoft\Wallpaper1.bmp
O30 - LSA: Security Packages - (em\ecurity Packages settings...) - File not found
O32 - HKLM CDRom: AutoRun - 1
O32 - AutoRun File - [2007/06/11 14:02:27 | 000,000,000 | ---- | M] () - C:\AUTOEXEC.BAT -- [ NTFS ]
O34 - HKLM BootExecute: (autocheck autochk *) - File not found
O35 - HKLM\..comfile [open] -- "%1" %*
O35 - HKLM\..exefile [open] -- "%1" %*
O37 - HKLM\...com [@ = ComFile] -- "%1" %*
O37 - HKLM\...exe [@ = exefile] -- "%1" %*

NetSvcs: 6to4 - File not found
NetSvcs: Ias - C:\WINDOWS\system32\ias [2007/06/11 14:02:03 | 000,000,000 | ---D | M]
NetSvcs: Iprip - File not found
NetSvcs: Irmon - File not found
NetSvcs: NWCWorkstation - File not found
NetSvcs: Nwsapagent - File not found
NetSvcs: WmdmPmSp - File not found

CREATERESTOREPOINT
Restore point Set: OTL Restore Point (206158430208)

========== Files/Folders - Created Within 14 Days ==========

[2010/03/18 21:52:05 | 000,555,520 | ---- | C] (OldTimer Tools) -- C:\Documents and Settings\new user\Desktop\OTL.exe
[2010/03/18 17:27:16 | 000,000,000 | ---D | C] -- C:\14af260fe2a65f1160c87270a0
[2010/03/18 17:22:03 | 000,000,000 | ---D | C] -- C:\Avenger
[2010/03/18 10:11:34 | 001,394,000 | ---- | C] (Malwarebytes Corporation) -- C:\Documents and Settings\new user\Desktop\6KOm2Kaww.exe
[2010/03/18 01:03:48 | 000,000,000 | ---D | C] -- C:\c93a8c3946a6dbfe8b67
[2010/03/18 00:44:32 | 000,000,000 | ---D | C] -- C:\ComboFix
[2010/03/17 23:24:27 | 000,000,000 | -H-D | C] -- C:\WINDOWS\System32\GroupPolicy
[2010/03/17 13:25:27 | 000,038,224 | ---- | C] (Malwarebytes Corporation) -- C:\WINDOWS\System32\drivers\mbamswissarmy.sys
[2010/03/17 13:25:24 | 000,019,160 | ---- | C] (Malwarebytes Corporation) -- C:\WINDOWS\System32\drivers\mbam.sys
[2010/03/17 13:25:23 | 000,000,000 | ---D | C] -- C:\Program Files\Malwarebytes' Anti-Malware
[2010/03/17 13:25:07 | 005,115,824 | ---- | C] (Malwarebytes Corporation ) -- C:\Documents and Settings\new user\Desktop\malbytes.exe
[2010/03/14 15:44:30 | 000,181,000 | ---- | C] (Kaspersky Lab) -- C:\Documents and Settings\new user\Desktop\TDSSKiller.exe
[2010/03/14 15:39:39 | 000,000,000 | ---D | C] -- C:\Program Files\Malwareby
[2010/03/14 14:39:07 | 005,115,824 | ---- | C] (Malwarebytes Corporation ) -- C:\Documents and Settings\new user\Desktop\malware.exe
[2010/03/14 00:37:45 | 000,000,000 | ---D | C] -- C:\Documents and Settings\new user\Local Settings\Application Data\Real
[2010/03/14 00:34:16 | 000,000,000 | ---D | C] -- C:\Program Files\Common Files\xing shared
[2010/03/14 00:32:44 | 000,278,528 | ---- | C] (Real Networks, Inc) -- C:\WINDOWS\System32\pncrt.dll
[2010/03/10 13:00:36 | 000,000,000 | ---D | C] -- C:\933523aa0e8f42c6c711d757
[2010/01/06 09:47:39 | 000,000,000 | ---D | M] -- C:\Documents and Settings\NetworkService\Local Settings\Application Data\Google
[2009/12/25 18:33:19 | 000,000,000 | ---D | M] -- C:\Documents and Settings\LocalService\Local Settings\Application Data\Google
[2009/08/28 11:29:22 | 000,000,000 | --SD | M] -- C:\Documents and Settings\LocalService\Application Data\Microsoft
[2008/12/20 23:10:50 | 000,000,000 | ---D | M] -- C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft
[2007/11/09 08:52:01 | 000,000,000 | ---D | M] -- C:\Documents and Settings\NetworkService\Local Settings\Application Data\Apple
[2007/06/11 14:05:27 | 000,000,000 | ---D | M] -- C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft
[2007/06/11 14:02:24 | 000,000,000 | --SD | M] -- C:\Documents and Settings\NetworkService\Application Data\Microsoft

========== Files - Modified Within 14 Days ==========

[2099/01/01 12:00:00 | 000,096,256 | -HS- | M] () -- C:\WINDOWS\System32\nipujija.dll
[2010/03/18 22:00:00 | 000,000,300 | ---- | M] () -- C:\WINDOWS\tasks\bilbpbsn.job
[2010/03/18 21:52:06 | 000,555,520 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\new user\Desktop\OTL.exe
[2010/03/18 21:48:09 | 000,013,646 | ---- | M] () -- C:\WINDOWS\System32\wpa.dbl
[2010/03/18 21:48:02 | 000,000,886 | ---- | M] () -- C:\WINDOWS\tasks\GoogleUpdateTaskMachineUA.job
[2010/03/18 21:47:38 | 000,000,868 | ---- | M] () -- C:\WINDOWS\tasks\Google Software Updater.job
[2010/03/18 21:47:18 | 000,000,882 | ---- | M] () -- C:\WINDOWS\tasks\GoogleUpdateTaskMachineCore.job
[2010/03/18 21:47:17 | 000,000,284 | ---- | M] () -- C:\WINDOWS\tasks\RealUpgradeLogonTaskS-1-5-21-789336058-507921405-839522115-1003.job
[2010/03/18 21:47:15 | 000,000,006 | -H-- | M] () -- C:\WINDOWS\tasks\SA.DAT
[2010/03/18 21:47:06 | 000,002,048 | --S- | M] () -- C:\WINDOWS\bootstat.dat
[2010/03/18 21:45:21 | 000,000,278 | -HS- | M] () -- C:\Documents and Settings\new user\ntuser.ini
[2010/03/18 21:45:20 | 004,718,592 | ---- | M] () -- C:\Documents and Settings\new user\NTUser.dat
[2010/03/18 21:42:25 | 000,000,573 | ---- | M] () -- C:\WINDOWS\win.ini
[2010/03/18 21:42:25 | 000,000,281 | RHS- | M] () -- C:\boot.ini
[2010/03/18 21:42:25 | 000,000,227 | ---- | M] () -- C:\WINDOWS\system.ini
[2010/03/18 17:21:18 | 000,006,456 | -H-- | M] () -- C:\WINDOWS\System32\yijetajo
[2010/03/18 10:11:39 | 001,394,000 | ---- | M] (Malwarebytes Corporation) -- C:\Documents and Settings\new user\Desktop\6KOm2Kaww.exe
[2010/03/18 09:42:07 | 000,002,447 | ---- | M] () -- C:\Documents and Settings\new user\Desktop\HiJackThis.lnk
[2010/03/18 01:00:00 | 000,000,027 | ---- | M] () -- C:\WINDOWS\System32\drivers\etc\hosts
[2010/03/18 00:43:47 | 000,000,934 | ---- | M] () -- C:\Documents and Settings\new user\Desktop\Shortcut to ComboFix.exe.lnk
[2010/03/17 23:42:44 | 000,000,410 | ---- | M] () -- C:\Documents and Settings\new user\Desktop\Fix your computer automatically.lnk
[2010/03/17 23:32:43 | 000,015,944 | ---- | M] () -- C:\WINDOWS\System32\drivers\hitmanpro35.sys
[2010/03/17 23:26:42 | 000,000,008 | RHS- | M] () -- C:\Documents and Settings\All Users\ntuser.pol
[2010/03/17 22:57:14 | 000,023,392 | ---- | M] () -- C:\WINDOWS\System32\nscompat.tlb
[2010/03/17 22:57:14 | 000,016,832 | ---- | M] () -- C:\WINDOWS\System32\amcompat.tlb
[2010/03/17 13:25:30 | 000,000,696 | ---- | M] () -- C:\Documents and Settings\All Users\Desktop\Malwarebytes' Anti-Malware.lnk
[2010/03/17 13:25:12 | 005,115,824 | ---- | M] (Malwarebytes Corporation ) -- C:\Documents and Settings\new user\Desktop\malbytes.exe
[2010/03/14 20:25:32 | 000,024,576 | ---- | M] () -- C:\Documents and Settings\new user\Desktop\writing.doc
[2010/03/14 20:00:48 | 000,002,137 | ---- | M] () -- C:\Documents and Settings\All Users\Desktop\iTunes.lnk
[2010/03/14 18:47:05 | 000,000,950 | ---- | M] () -- C:\WINDOWS\System32\.crusader
[2010/03/14 14:39:14 | 005,115,824 | ---- | M] (Malwarebytes Corporation ) -- C:\Documents and Settings\new user\Desktop\malware.exe
[2010/03/14 14:09:46 | 000,457,340 | ---- | M] () -- C:\WINDOWS\System32\perfh009.dat
[2010/03/14 14:09:46 | 000,078,918 | ---- | M] () -- C:\WINDOWS\System32\perfc009.dat
[2010/03/14 14:09:45 | 000,545,434 | ---- | M] () -- C:\WINDOWS\System32\PerfStringBackup.INI
[2010/03/14 01:47:09 | 004,319,912 | -H-- | M] () -- C:\Documents and Settings\new user\Local Settings\Application Data\IconCache.db
[2010/03/14 00:38:21 | 000,000,292 | ---- | M] () -- C:\WINDOWS\tasks\RealUpgradeScheduledTaskS-1-5-21-789336058-507921405-839522115-1003.job
[2010/03/14 00:32:44 | 000,278,528 | ---- | M] (Real Networks, Inc) -- C:\WINDOWS\System32\pncrt.dll
[2010/03/13 23:17:05 | 000,000,284 | ---- | M] () -- C:\WINDOWS\tasks\AppleSoftwareUpdate.job
[2010/03/13 22:12:58 | 000,073,216 | ---- | M] () -- C:\Documents and Settings\new user\Local Settings\Application Data\DCBC2A71-70D8-4DAN-EHR8-E0D61DEA3FDF.ini
[2010/03/13 17:12:07 | 000,026,624 | ---- | M] () -- C:\Documents and Settings\new user\Desktop\for today.doc
[2010/03/12 18:43:54 | 000,000,116 | ---- | M] () -- C:\WINDOWS\NeroDigital.ini
[2010/03/12 18:02:38 | 000,261,632 | ---- | M] () -- C:\WINDOWS\PEV.exe
[2010/03/12 01:59:40 | 000,000,122 | ---- | M] () -- C:\WINDOWS\mdm.ini
[2010/03/11 22:08:44 | 000,000,749 | ---- | M] () -- C:\Documents and Settings\All Users\Desktop\RegistryBooster.lnk
[2010/03/10 15:53:32 | 000,181,000 | ---- | M] (Kaspersky Lab) -- C:\Documents and Settings\new user\Desktop\TDSSKiller.exe
[2010/03/10 12:53:10 | 732,856,320 | ---- | M] () -- C:\Documents and Settings\new user\Desktop\bfscr-veins-2.avi
[2010/03/10 12:53:04 | 735,336,448 | ---- | M] () -- C:\Documents and Settings\new user\Desktop\bfscr-veins-1.avi
[2010/03/10 00:57:30 | 367,040,148 | ---- | M] () -- C:\Documents and Settings\new user\Desktop\Lost.S06E07.Dr.Linus.HDTV.XviD-FQM.avi
[2010/03/09 11:19:28 | 000,000,728 | ---- | M] () -- C:\Documents and Settings\All Users\Desktop\BitTorrent.lnk
[2010/03/05 20:47:53 | 364,470,402 | ---- | M] () -- C:\Documents and Settings\new user\Desktop\anya-md.wmv
[2010/03/05 20:47:03 | 244,216,768 | ---- | M] () -- C:\Documents and Settings\new user\Desktop\lily-md.wmv

========== Files Created - No Company Name ==========

[2099/01/01 12:00:00 | 000,096,256 | -HS- | C] () -- C:\WINDOWS\System32\nipujija.dll
[2099/01/01 12:00:00 | 000,006,456 | -H-- | C] () -- C:\WINDOWS\System32\yijetajo
[2010/03/18 17:34:31 | 000,293,376 | ---- | C] () -- C:\Documents and Settings\new user\Desktop\gmer.exe
[2010/03/18 01:23:59 | 000,000,300 | ---- | C] () -- C:\WINDOWS\tasks\bilbpbsn.job
[2010/03/18 00:43:47 | 000,000,934 | ---- | C] () -- C:\Documents and Settings\new user\Desktop\Shortcut to ComboFix.exe.lnk
[2010/03/17 23:40:20 | 000,000,410 | ---- | C] () -- C:\Documents and Settings\new user\Desktop\Fix your computer automatically.lnk
[2010/03/17 23:26:01 | 000,000,008 | RHS- | C] () -- C:\Documents and Settings\All Users\ntuser.pol
[2010/03/17 13:25:30 | 000,000,696 | ---- | C] () -- C:\Documents and Settings\All Users\Desktop\Malwarebytes' Anti-Malware.lnk
[2010/03/14 00:36:44 | 000,000,284 | ---- | C] () -- C:\WINDOWS\tasks\RealUpgradeLogonTaskS-1-5-21-789336058-507921405-839522115-1003.job
[2010/03/14 00:36:43 | 000,000,292 | ---- | C] () -- C:\WINDOWS\tasks\RealUpgradeScheduledTaskS-1-5-21-789336058-507921405-839522115-1003.job
[2010/03/11 22:08:44 | 000,000,749 | ---- | C] () -- C:\Documents and Settings\All Users\Desktop\RegistryBooster.lnk
[2010/03/10 11:09:51 | 732,856,320 | ---- | C] () -- C:\Documents and Settings\new user\Desktop\bfscr-veins-2.avi
[2010/03/10 11:09:45 | 735,336,448 | ---- | C] () -- C:\Documents and Settings\new user\Desktop\bfscr-veins-1.avi
[2010/03/10 00:20:57 | 367,040,148 | ---- | C] () -- C:\Documents and Settings\new user\Desktop\Lost.S06E07.Dr.Linus.HDTV.XviD-FQM.avi
[2010/03/09 11:19:28 | 000,000,728 | ---- | C] () -- C:\Documents and Settings\All Users\Desktop\BitTorrent.lnk
[2010/03/05 20:40:20 | 244,216,768 | ---- | C] () -- C:\Documents and Settings\new user\Desktop\lily-md.wmv
[2010/03/05 20:38:10 | 364,470,402 | ---- | C] () -- C:\Documents and Settings\new user\Desktop\anya-md.wmv
[2010/02/28 19:09:11 | 000,767,952 | ---- | C] () -- C:\WINDOWS\BDTSupport.dll
[2010/02/28 18:44:18 | 000,015,710 | -HS- | C] () -- C:\Documents and Settings\new user\Local Settings\Application Data\0Mp8n7BDj1d
[2010/02/16 19:57:51 | 000,001,048 | ---- | C] () -- C:\Documents and Settings\All Users\Application Data\fiosejgfse.dll
[2010/02/06 15:33:05 | 000,015,944 | ---- | C] () -- C:\WINDOWS\System32\drivers\hitmanpro35.sys
[2010/01/09 18:20:16 | 000,052,200 | ---- | C] () -- C:\Documents and Settings\LocalService\Local Settings\Application Data\FontCache3.0.0.0.dat
[2009/11/06 13:00:28 | 000,031,088 | ---- | C] () -- C:\WINDOWS\System32\wrLZMA.dll
[2008/09/19 14:55:10 | 000,000,416 | ---- | C] () -- C:\WINDOWS\System32\dtu100.dll.manifest
[2008/09/19 14:55:10 | 000,000,416 | ---- | C] () -- C:\WINDOWS\System32\dpl100.dll.manifest
[2008/09/19 14:54:18 | 000,012,288 | ---- | C] () -- C:\WINDOWS\System32\DivXWMPExtType.dll
[2008/06/23 00:25:56 | 000,164,352 | ---- | C] () -- C:\WINDOWS\System32\unrar.dll
[2008/06/23 00:25:50 | 001,559,040 | ---- | C] () -- C:\WINDOWS\System32\xvidcore.dll
[2008/06/23 00:25:50 | 000,282,624 | ---- | C] () -- C:\WINDOWS\System32\xvidvfw.dll
[2008/06/23 00:25:48 | 000,007,680 | ---- | C] () -- C:\WINDOWS\System32\ff_vfw.dll
[2008/06/23 00:25:48 | 000,000,547 | ---- | C] () -- C:\WINDOWS\System32\ff_vfw.dll.manifest
[2008/03/21 13:30:08 | 003,596,288 | ---- | C] () -- C:\WINDOWS\System32\qt-dx331.dll
[2008/01/25 02:01:09 | 000,000,454 | ---- | C] () -- C:\WINDOWS\iScreensaver.ini
[2007/08/09 12:08:04 | 000,008,784 | ---- | C] () -- C:\WINDOWS\System32\ractrlkeyhook.dll
[2007/08/01 19:55:36 | 000,000,032 | ---- | C] () -- C:\WINDOWS\wininit.ini
[2007/07/01 23:14:23 | 000,684,032 | ---- | C] () -- C:\WINDOWS\libeay32.dll
[2007/07/01 23:14:23 | 000,155,648 | ---- | C] () -- C:\WINDOWS\ssleay32.dll
[2007/06/22 21:56:32 | 000,073,216 | ---- | C] () -- C:\Documents and Settings\new user\Local Settings\Application Data\DCBC2A71-70D8-4DAN-EHR8-E0D61DEA3FDF.ini
[2007/06/20 21:52:14 | 000,002,143 | ---- | C] () -- C:\Documents and Settings\All Users\Application Data\QTSBandwidthCache
[2007/06/18 17:53:51 | 000,000,000 | ---- | C] () -- C:\WINDOWS\iPlayer.INI
[2007/06/15 18:15:40 | 000,000,116 | ---- | C] () -- C:\WINDOWS\NeroDigital.ini
[2007/06/12 12:59:34 | 000,000,000 | ---- | C] () -- C:\WINDOWS\vpc32.INI
[2007/06/12 12:54:18 | 000,000,376 | ---- | C] () -- C:\WINDOWS\ODBC.INI
[2007/06/12 12:54:18 | 000,000,122 | ---- | C] () -- C:\WINDOWS\mdm.ini
[1999/01/22 11:46:58 | 000,065,536 | ---- | C] () -- C:\WINDOWS\System32\MSRTEDIT.DLL

========== LOP Check ==========

[2010/02/06 15:37:00 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\Hitman Pro
[2010/03/18 21:51:41 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\TEMP
[2007/06/15 19:42:26 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\Viewpoint
[2009/03/28 23:05:14 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\{00D89592-F643-4D8D-8F0F-AFAE0F14D4C3}
[2009/10/04 00:48:21 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\{755AC846-7372-4AC8-8550-C52491DAA8BD}
[2009/04/27 16:49:47 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\{8CD7F5AF-ECFA-4793-BF40-D8F42DBFF906}
[2010/01/14 02:40:40 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\{C4C0E335-EDDF-46A0-A57D-F3802AE44275}
[2007/06/15 19:42:31 | 000,000,000 | ---D | M] -- C:\Documents and Settings\new user\Application Data\Aim
[2010/03/13 22:12:50 | 000,000,000 | ---D | M] -- C:\Documents and Settings\new user\Application Data\BitTorrent
[2008/03/12 20:42:12 | 000,000,000 | ---D | M] -- C:\Documents and Settings\new user\Application Data\BitTorrent DNA
[2010/01/12 20:54:51 | 000,000,000 | ---D | M] -- C:\Documents and Settings\new user\Application Data\DNA
[2008/01/25 02:00:59 | 000,000,000 | ---D | M] -- C:\Documents and Settings\new user\Application Data\iScreensaver
[2010/01/09 17:28:47 | 000,000,000 | ---D | M] -- C:\Documents and Settings\new user\Application Data\System Tweaker
[2010/03/14 01:01:47 | 000,000,000 | ---D | M] -- C:\Documents and Settings\new user\Application Data\Uniblue
[2007/06/15 19:42:57 | 000,000,000 | ---D | M] -- C:\Documents and Settings\new user\Application Data\Viewpoint
[2010/03/18 22:00:00 | 000,000,300 | ---- | M] () -- C:\WINDOWS\Tasks\bilbpbsn.job

========== Purity Check ==========



========== Custom Scans ==========


< %SYSTEMDRIVE%\*.* >
[2010/01/12 20:29:49 | 000,008,108 | ---- | M] () -- C:\aaw7boot.log
[2007/06/11 14:02:27 | 000,000,000 | ---- | M] () -- C:\AUTOEXEC.BAT
[2010/03/18 17:22:07 | 000,004,904 | ---- | M] () -- C:\avenger.txt
[2010/01/12 21:36:12 | 000,000,211 | ---- | M] () -- C:\Boot.bak
[2010/03/18 21:42:25 | 000,000,281 | RHS- | M] () -- C:\boot.ini
[2004/08/04 00:00:00 | 000,260,272 | ---- | M] () -- C:\cmldr
[2007/06/11 14:02:27 | 000,000,000 | ---- | M] () -- C:\CONFIG.SYS
[2008/12/20 18:42:52 | 000,000,164 | ---- | M] () -- C:\install.dat
[2007/06/11 14:02:27 | 000,000,000 | RHS- | M] () -- C:\IO.SYS
[2007/06/11 14:02:27 | 000,000,000 | RHS- | M] () -- C:\MSDOS.SYS
[2008/09/03 17:11:24 | 000,054,600 | ---- | M] (BitTorrent, Inc.) -- C:\npbittorrent.dll
[2006/02/28 05:00:00 | 000,047,564 | RHS- | M] () -- C:\NTDETECT.COM
[2008/12/20 22:41:51 | 000,250,048 | RHS- | M] () -- C:\ntldr
[2010/03/18 21:46:22 | 1598,029,824 | -HS- | M] () -- C:\pagefile.sys
[2007/06/11 14:12:09 | 000,000,206 | ---- | M] () -- C:\realtek.log
[2007/06/11 14:12:09 | 000,000,499 | ---- | M] () -- C:\RHDSetup.log
[2010/03/18 10:07:32 | 000,000,424 | ---- | M] () -- C:\rkill.log
[2010/03/14 15:44:33 | 000,011,998 | ---- | M] () -- C:\TDSSKiller.2.2.8_14.03.2010_15.44.32_log.txt
[2010/03/14 15:44:50 | 000,011,998 | ---- | M] () -- C:\TDSSKiller.2.2.8_14.03.2010_15.44.49_log.txt
[2010/03/14 15:45:00 | 000,011,998 | ---- | M] () -- C:\TDSSKiller.2.2.8_14.03.2010_15.44.59_log.txt
[2010/03/14 15:45:32 | 000,011,998 | ---- | M] () -- C:\TDSSKiller.2.2.8_14.03.2010_15.45.31_log.txt


< MD5 for: AGP440.SYS >
[2006/02/28 05:00:00 | 018,738,937 | ---- | M] () .cab file -- C:\WINDOWS\Driver Cache\i386\sp2.cab:AGP440.sys
[2008/12/20 22:24:04 | 023,852,652 | ---- | M] () .cab file -- C:\WINDOWS\Driver Cache\i386\sp3.cab:AGP440.sys
[2008/12/20 22:24:04 | 023,852,652 | ---- | M] () .cab file -- C:\WINDOWS\ServicePackFiles\i386\sp3.cab:AGP440.sys
[2008/04/13 11:36:38 | 000,042,368 | ---- | M] (Microsoft Corporation) MD5=08FD04AA961BDC77FB983F328334E3D7 -- C:\WINDOWS\ERDNT\cache\agp440.sys
[2008/04/13 11:36:38 | 000,042,368 | ---- | M] (Microsoft Corporation) MD5=08FD04AA961BDC77FB983F328334E3D7 -- C:\WINDOWS\ServicePackFiles\i386\agp440.sys
[2008/04/13 11:36:38 | 000,042,368 | ---- | M] (Microsoft Corporation) MD5=08FD04AA961BDC77FB983F328334E3D7 -- C:\WINDOWS\system32\drivers\agp440.sys

< MD5 for: ATAPI.SYS >
[2006/02/28 05:00:00 | 018,738,937 | ---- | M] () .cab file -- C:\WINDOWS\Driver Cache\i386\sp2.cab:atapi.sys
[2008/12/20 22:24:04 | 023,852,652 | ---- | M] () .cab file -- C:\WINDOWS\Driver Cache\i386\sp3.cab:atapi.sys
[2008/12/20 22:24:04 | 023,852,652 | ---- | M] () .cab file -- C:\WINDOWS\ServicePackFiles\i386\sp3.cab:atapi.sys
[2010/03/12 19:15:14 | 000,096,512 | ---- | M] (Microsoft Corporation) MD5=9F3A2F5AA6875C72BF062C712CFA2674 -- C:\WINDOWS\ERDNT\cache\atapi.sys
[2008/04/13 11:40:30 | 000,096,512 | ---- | M] (Microsoft Corporation) MD5=9F3A2F5AA6875C72BF062C712CFA2674 -- C:\WINDOWS\ServicePackFiles\i386\atapi.sys
[2010/03/12 19:15:14 | 000,096,512 | ---- | M] (Microsoft Corporation) MD5=9F3A2F5AA6875C72BF062C712CFA2674 -- C:\WINDOWS\system32\dllcache\atapi.sys
[2010/03/12 19:15:14 | 000,096,512 | ---- | M] (Microsoft Corporation) MD5=9F3A2F5AA6875C72BF062C712CFA2674 -- C:\WINDOWS\system32\drivers\atapi.sys
[2004/08/03 22:59:44 | 000,095,360 | ---- | M] (Microsoft Corporation) MD5=CDFE4411A69C224BD1D11B2DA92DAC51 -- C:\WINDOWS\$NtServicePackUninstall$\atapi.sys
[2006/02/28 05:00:00 | 000,095,360 | ---- | M] (Microsoft Corporation) MD5=CDFE4411A69C224BD1D11B2DA92DAC51 -- C:\WINDOWS\system32\ReinstallBackups\0005\DriverFiles\i386\atapi.sys
[2004/08/03 22:59:44 | 000,095,360 | ---- | M] (Microsoft Corporation) MD5=CDFE4411A69C224BD1D11B2DA92DAC51 -- C:\WINDOWS\system32\ReinstallBackups\0006\DriverFiles\i386\atapi.sys

< MD5 for: EVENTLOG.DLL >
[2008/04/13 17:11:53 | 000,056,320 | ---- | M] (Microsoft Corporation) MD5=6D4FEB43EE538FC5428CC7F0565AA656 -- C:\WINDOWS\ERDNT\cache\eventlog.dll
[2008/04/13 17:11:53 | 000,056,320 | ---- | M] (Microsoft Corporation) MD5=6D4FEB43EE538FC5428CC7F0565AA656 -- C:\WINDOWS\ServicePackFiles\i386\eventlog.dll
[2008/04/13 17:11:53 | 000,056,320 | ---- | M] (Microsoft Corporation) MD5=6D4FEB43EE538FC5428CC7F0565AA656 -- C:\WINDOWS\system32\eventlog.dll
[2006/02/28 05:00:00 | 000,055,808 | ---- | M] (Microsoft Corporation) MD5=82B24CB70E5944E6E34662205A2A5B78 -- C:\WINDOWS\$NtServicePackUninstall$\eventlog.dll

< MD5 for: NETLOGON.DLL >
[2008/04/13 17:12:01 | 000,407,040 | ---- | M] (Microsoft Corporation) MD5=1B7F071C51B77C272875C3A23E1E4550 -- C:\WINDOWS\ERDNT\cache\netlogon.dll
[2008/04/13 17:12:01 | 000,407,040 | ---- | M] (Microsoft Corporation) MD5=1B7F071C51B77C272875C3A23E1E4550 -- C:\WINDOWS\ServicePackFiles\i386\netlogon.dll
[2008/04/13 17:12:01 | 000,407,040 | ---- | M] (Microsoft Corporation) MD5=1B7F071C51B77C272875C3A23E1E4550 -- C:\WINDOWS\system32\netlogon.dll
[2006/02/28 05:00:00 | 000,407,040 | ---- | M] (Microsoft Corporation) MD5=96353FCECBA774BB8DA74A1C6507015A -- C:\WINDOWS\$NtServicePackUninstall$\netlogon.dll

< MD5 for: SCECLI.DLL >
[2006/02/28 05:00:00 | 000,180,224 | ---- | M] (Microsoft Corporation) MD5=0F78E27F563F2AAF74B91A49E2ABF19A -- C:\WINDOWS\$NtServicePackUninstall$\scecli.dll
[2008/04/13 17:12:05 | 000,181,248 | ---- | M] (Microsoft Corporation) MD5=A86BB5E61BF3E39B62AB4C7E7085A084 -- C:\WINDOWS\ERDNT\cache\scecli.dll
[2008/04/13 17:12:05 | 000,181,248 | ---- | M] (Microsoft Corporation) MD5=A86BB5E61BF3E39B62AB4C7E7085A084 -- C:\WINDOWS\ServicePackFiles\i386\scecli.dll
[2008/04/13 17:12:05 | 000,181,248 | ---- | M] (Microsoft Corporation) MD5=A86BB5E61BF3E39B62AB4C7E7085A084 -- C:\WINDOWS\system32\scecli.dll

< %systemroot%\*. /mp /s >

< %systemroot%\system32\*.dll /lockedfiles >
[2009/11/06 13:00:28 | 000,031,088 | ---- | M] () Unable to obtain MD5 -- C:\WINDOWS\system32\wrLZMA.dll

< %systemroot%\Tasks\*.job /lockedfiles >

< %systemroot%\system32\drivers\*.sys /lockedfiles >

< %systemroot%\System32\config\*.sav >
[2007/06/11 06:51:35 | 000,094,208 | ---- | M] () -- C:\WINDOWS\system32\config\default.sav
[2007/06/11 06:51:35 | 000,659,456 | ---- | M] () -- C:\WINDOWS\system32\config\software.sav
[2007/06/11 06:51:35 | 000,884,736 | ---- | M] () -- C:\WINDOWS\system32\config\system.sav

========== Alternate Data Streams ==========

@Alternate Data Stream - 197 bytes -> C:\Documents and Settings\All Users\Application Data\TEMP:DFC5A2B2
@Alternate Data Stream - 109 bytes -> C:\Documents and Settings\All Users\Application Data\TEMP:A8ADE5D8
< End of report >
OTL Extras logfile created on: 3/18/2010 9:53:51 PM - Run 1
OTL by OldTimer - Version 3.1.37.3 Folder = C:\Documents and Settings\new user\Desktop
Windows XP Professional Edition Service Pack 3 (Version = 5.1.2600) - Type = NTWorkstation
Internet Explorer (Version = 6.0.2900.5512)
Locale: 00000409 | Country: United States | Language: ENU | Date Format: M/d/yyyy

1,013.00 Mb Total Physical Memory | 475.00 Mb Available Physical Memory | 47.00% Memory free
2.00 Gb Paging File | 2.00 Gb Available in Paging File | 84.00% Paging File free
Paging file location(s): C:\pagefile.sys 1524 3048 [binary data]

%SystemDrive% = C: | %SystemRoot% = C:\WINDOWS | %ProgramFiles% = C:\Program Files
Drive C: | 232.88 Gb Total Space | 174.73 Gb Free Space | 75.03% Space Free | Partition Type: NTFS
D: Drive not present or media not loaded
E: Drive not present or media not loaded
F: Drive not present or media not loaded
G: Drive not present or media not loaded
H: Drive not present or media not loaded
I: Drive not present or media not loaded

Computer Name: NEW-D3CFBA6C0A5
Current User Name: new user
Logged in as Administrator.

Current Boot Mode: Normal
Scan Mode: Current user
Company Name Whitelist: On
Skip Microsoft Files: On
File Age = 14 Days
Output = Standard
Quick Scan

========== Extra Registry (SafeList) ==========


========== File Associations ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\<extension>]
.html [@ = SafariHTML] -- C:\Program Files\Safari\Safari.exe (Apple Inc.)

[HKEY_CURRENT_USER\SOFTWARE\Classes\<extension>]
.html [@ = FirefoxHTML] -- C:\Program Files\Mozilla Firefox\firefox.exe (Mozilla Corporation)

========== Shell Spawning ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\<key>\shell\[command]\command]
batfile [open] -- "%1" %*
cmdfile [open] -- "%1" %*
comfile [open] -- "%1" %*
exefile [open] -- "%1" %*
htmlfile [edit] -- "C:\Program Files\Microsoft Office\Office\msohtmed.exe" %1 (Microsoft Corporation)
https [open] -- "C:\Program Files\Safari\Safari.exe" -url "%1" (Apple Inc.)
piffile [open] -- "%1" %*
regfile [merge] -- Reg Error: Key error.
scrfile [config] -- "%1"
scrfile [install] -- rundll32.exe desk.cpl,InstallScreenSaver %l (Microsoft Corporation)
scrfile [open] -- "%1" /S
txtfile [edit] -- Reg Error: Key error.
Unknown [openas] -- %SystemRoot%\system32\rundll32.exe %SystemRoot%\system32\shell32.dll,OpenAs_RunDLL %1
Directory [find] -- %SystemRoot%\Explorer.exe (Microsoft Corporation)
Folder [open] -- %SystemRoot%\Explorer.exe /idlist,%I,%L (Microsoft Corporation)
Folder [explore] -- %SystemRoot%\Explorer.exe /e,/idlist,%I,%L (Microsoft Corporation)
Drive [find] -- %SystemRoot%\Explorer.exe (Microsoft Corporation)

========== Security Center Settings ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center]
"FirstRunDisabled" = 1
"FirewallDisableNotify" = 0
"AntiVirusOverride" = 0
"FirewallOverride" = 0
"AntiVirusDisableNotify" = 0
"UpdatesDisableNotify" = 0

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\AhnlabAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\ComputerAssociatesAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\KasperskyAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\McAfeeAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\McAfeeFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\PandaAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\PandaFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\SophosAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\SymantecAntiVirus]
"DisableMonitoring" = 1

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\SymantecFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\TinyFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\TrendAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\TrendFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\ZoneLabsFirewall]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile]
"EnableFirewall" = 1
"DoNotAllowExceptions" = 1
"DisableNotifications" = 0

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\GloballyOpenPorts\List]
"65533:TCP" = 65533:TCP:*:Enabled:Services
"52344:TCP" = 52344:TCP:*:Enabled:Services
"3246:TCP" = 3246:TCP:*:Enabled:Services
"2479:TCP" = 2479:TCP:*:Enabled:Services
"80:TCP" = 80:TCP:*:Enabled:Services
"3389:TCP" = 3389:TCP:*:Enabled:Remote Desktop

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile]
"EnableFirewall" = 1
"DoNotAllowExceptions" = 1
"DisableNotifications" = 0

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\GloballyOpenPorts\List]
"65533:TCP" = 65533:TCP:*:Enabled:Services
"52344:TCP" = 52344:TCP:*:Enabled:Services
"2479:TCP" = 2479:TCP:*:Enabled:Services
"3246:TCP" = 3246:TCP:*:Enabled:Services
"3389:TCP" = 3389:TCP:*:Enabled:Remote Desktop

========== Authorized Applications List ==========

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\AuthorizedApplications\List]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List]
"C:\Program Files\AIM\aim.exe" = C:\Program Files\AIM\aim.exe:*:Enabled:AOL Instant Messenger -- (America Online, Inc.)
"C:\Program Files\BitTorrent\bittorrent.exe" = C:\Program Files\BitTorrent\bittorrent.exe:*:Enabled:BitTorrent -- (BitTorrent, Inc.)
"C:\Program Files\QuickTime\QuickTimePlayer.exe" = C:\Program Files\QuickTime\QuickTimePlayer.exe:*:Enabled:QuickTime Player -- (Apple Inc.)
"C:\Program Files\BitTorrent_DNA\dna.exe" = C:\Program Files\BitTorrent_DNA\dna.exe:*:Enabled:BitTorrent DNA -- ()
"C:\Program Files\DNA\btdna.exe" = C:\Program Files\DNA\btdna.exe:*:Enabled:DNA -- (BitTorrent, Inc.)
"C:\Program Files\Common Files\Symantec Shared\ccApp.exe" = C:\Program Files\Common Files\Symantec Shared\ccApp.exe:*:Enabled:ccApp -- (Symantec Corporation)
"C:\Program Files\iTunes\iTunes.exe" = C:\Program Files\iTunes\iTunes.exe:*:Enabled:iTunes -- (Apple Inc.)
"C:\Program Files\Webroot\WebrootSecurity\SpySweeperUI.exe" = C:\Program Files\Webroot\WebrootSecurity\SpySweeperUI.exe:*:Enabled:SpySweeperUI -- (Webroot Software, Inc.)
"C:\WINDOWS\explorer.exe" = C:\WINDOWS\explorer.exe:*:Enabled:Explorer -- (Microsoft Corporation)


========== HKEY_LOCAL_MACHINE Uninstall List ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall]
"{00000409-78E1-11D2-B60F-006097C998E7}" = Microsoft Office 2000 Premium
"{002D9D5E-29BA-3E6D-9BC4-3D7D6DBC735C}" = Microsoft Visual C++ 2008 ATL Update kb973924 - x86 9.0.30729.4148
"{07287123-B8AC-41CE-8346-3D777245C35B}" = Bonjour
"{0761C9A8-8F3A-4216-B4A7-B7AFBF24A24A}" = HiJackThis
"{111A3D14-7596-43B0-92BA-418435C90672}" = Intel® PRO Network Connections
"{1185566F-12ED-3EF0-89CC-38866DCE1EEE}" = Microsoft .NET Framework 3.0 Client Service Pack 2
"{13515135-48BB-4184-8C1F-2FAE0138E200}" = TBS WMP Plug-in
"{1451DE6B-ABE1-4F62-BE9A-B363A17588A2}" = QuickTime
"{18D10072035C4515918F7E37EAFAACFC}" = AutoUpdate
"{1FCC574F-AFA2-4432-9EF1-79CA7BA73431}_is1" = Spy Sweeper
"{26A24AE4-039D-4CA4-87B4-2F83216011FF}" = Java™ 6 Update 11
"{2DFF31F9-7893-4922-AF66-C9A1EB4EBB31}" = Rhapsody Player Engine
"{2EAF7E61-068E-11DF-953C-005056806466}" = Google Earth
"{32343DB6-9A52-40C9-87E4-5E7C79791C87}" = MSXML 4.0 SP2 and SOAP Toolkit 3.0
"{3248F0A8-6813-11D6-A77B-00B0D0160010}" = Java™ SE Runtime Environment 6 Update 1
"{3248F0A8-6813-11D6-A77B-00B0D0160020}" = Java™ 6 Update 2
"{3248F0A8-6813-11D6-A77B-00B0D0160030}" = Java™ 6 Update 3
"{3248F0A8-6813-11D6-A77B-00B0D0160050}" = Java™ 6 Update 5
"{350C97B0-3D7C-4EE8-BAA9-00BCB3D54227}" = WebFldrs XP
"{3AC54383-31D1-4907-961B-B12CBB1D0AE8}" = MobileMe Control Panel
"{3F5B6210-0903-4DC6-8034-8F488AA3A782}" = Spy Sweeper Core
"{3FA365DF-2D68-45ED-8F83-8C8A33E65143}" = Apple Application Support
"{56C049BE-79E9-4502-BEA7-9754A3E60F9B}" = neroxml
"{6811CAA0-BF12-11D4-9EA1-0050BAE317E1}" = PowerDVD
"{6956856F-B6B3-4BE0-BA0B-8F495BE32033}" = Apple Software Update
"{716E0306-8318-4364-8B8F-0CC4E9376BAC}" = MSXML 4.0 SP2 Parser and SDK
"{7B63B2922B174135AFC0E1377DD81EC2}" = DivX Codec
"{847CAE64-4CD2-4B2D-AF00-978FF5431033}" = Nero 7 Essentials
"{89F4137D-6C26-4A84-BDB8-2E5A4BB71E00}" = Microsoft Silverlight
"{8A708DD8-A5E6-11D4-A706-000629E95E20}" = Intel® Graphics Media Accelerator Driver
"{8ADFC4160D694100B5B8A22DE9DCABD9}" = DivX Player
"{9A25302D-30C0-39D9-BD6F-21E6EC160475}" = Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.17
"{A011A1DC-7F1D-4EA8-BD11-0C5F9718E428}" = Symantec AntiVirus
"{A92DAB39-4E2C-4304-9AB6-BC44E68B55E2}" = Google Update Helper
"{AADEA55D-C834-4BCB-98A3-4B8D1C18F4EE}" = Apple Mobile Device Support
"{AC76BA86-7AD7-1033-7B44-A71000000002}" = Adobe Reader 7.1.0
"{B13A7C41581B411290FBC0395694E2A9}" = DivX Converter
"{B7050CBDB2504B34BC2A9CA0A692CC29}" = DivX Web Player
"{C09FB3CD-3D0C-3F2D-899A-6A1D67F2073F}" = Microsoft .NET Framework 2.0 Service Pack 2
"{CE2CDD62-0124-36CA-84D3-9F4DCF5C5BD9}" = Microsoft .NET Framework 3.5 SP1
"{D6E4E5D6-7693-4BB4-95BA-21F38FAFEE90}" = Safari
"{E63E34A7-E552-412B-9E40-FD6FC5227ABA}_is1" = Uniblue RegistryBooster 2010
"{F132AF7F-7BCA-4EDE-8A7C-958108FE7DBC}" = Realtek High Definition Audio Driver
"{F333A33D-125C-32A2-8DCE-5C5D14231E27}" = Visual C++ 2008 x86 Runtime - (v9.0.30729)
"{F333A33D-125C-32A2-8DCE-5C5D14231E27}.vc_x86runtime_30729_01" = Visual C++ 2008 x86 Runtime - v9.0.30729.01
"{F439D7AF-03F3-4F8E-AEC4-571BFE977C61}" = iTunes
"{F4F4F84E-804F-4E9A-84D7-C34283F0088F}" = RealUpgrade 1.0
"Adobe Flash Player ActiveX" = Adobe Flash Player 10 ActiveX
"Adobe Flash Player Plugin" = Adobe Flash Player 10 Plugin
"AOL Instant Messenger" = AOL Instant Messenger
"BitTorrent" = BitTorrent
"Browser Defender_is1" = Browser Defender 2.0.6.15
"ExtractNow_is1" = ExtractNow
"Google Updater" = Google Updater
"HitmanPro35" = Hitman Pro 3.5
"ie8" = Windows Internet Explorer 8
"InstallShield_{13515135-48BB-4184-8C1F-2FAE0138E200}" = TBS WMP Plug-in
"InstallShield_{6811CAA0-BF12-11D4-9EA1-0050BAE317E1}" = PowerDVD
"InterActual Player" = InterActual Player
"KLiteCodecPack_is1" = K-Lite Mega Codec Pack 3.6.5
"LiveUpdate" = LiveUpdate 3.0 (Symantec Corporation)
"Malwarebytes' Anti-Malware_is1" = Malwarebytes' Anti-Malware
"Microsoft .NET Framework 3.5 SP1" = Microsoft .NET Framework 3.5 SP1
"Mozilla Firefox (3.6)" = Mozilla Firefox (3.6)
"MSCompPackV1" = Microsoft Compression Client Pack 1.0 for Windows XP
"PC-DVD Encore" = PC-DVD Encore
"RealPlayer 12.0" = RealPlayer
"Sharecrow" = Sharecrow (remove only)
"Spyware Doctor" = Spyware Doctor 7.0
"System Tweaker_is1" = Uniblue System Tweaker
"Uninstall Tool_is1" = Uninstall Tool
"ViewpointMediaPlayer" = Viewpoint Media Player
"Windows Media Format Runtime" = Windows Media Format 11 runtime
"Windows Media Player" = Windows Media Player 11
"Windows XP Service Pack" = Windows XP Service Pack 3
"WinZip" = WinZip
"WMFDist11" = Windows Media Format 11 runtime
"wmp11" = Windows Media Player 11
"Wudf01000" = Microsoft User-Mode Driver Framework Feature Pack 1.0

========== HKEY_CURRENT_USER Uninstall List ==========

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall]
"BitTorrent DNA" = DNA
"Move Media Player" = Move Media Player
"UnityWebPlayer" = Unity Web Player

========== Last 10 Event Log Errors ==========

[ Application Events ]
Error - 3/18/2010 5:52:09 PM | Computer Name = NEW-D3CFBA6C0A5 | Source = Symantec AntiVirus | ID = 16711685
Description = Risk Found!Risk: Backdoor.Tidserv!inf in File: c:\system volume information\_restore{19aa3803-c8bd-4b8c-a708-a950592338ac}\RP970\A0141714.sys
by: Auto-Protect scan. Action: Clean failed : Quarantine failed. Action Description:
The file was left unchanged.

Error - 3/18/2010 5:52:09 PM | Computer Name = NEW-D3CFBA6C0A5 | Source = Symantec AntiVirus | ID = 16711685
Description = Risk Found!Risk: Backdoor.Tidserv!inf in File: c:\system~1\_resto~1\rp970\a0141714.sys
by: Auto-Protect scan. Action: Clean failed : Quarantine failed. Action Description:
The file was left unchanged.

Error - 3/18/2010 5:52:11 PM | Computer Name = NEW-D3CFBA6C0A5 | Source = Symantec AntiVirus | ID = 16711731
Description = Security Risk Found!Risk: Backdoor.Tidserv!inf in File: C:\System
Volume Information\_restore{19AA3803-C8BD-4B8C-A708-A950592338AC}\RP970\A0141714.sys
by: Auto-Protect scan. Action: Clean failed : Quarantine failed : Access denied.
Action Description: Risk was partially removed.

Error - 3/18/2010 6:31:38 PM | Computer Name = NEW-D3CFBA6C0A5 | Source = Symantec AntiVirus | ID = 16711726
Description = Security Risk Found!Risk: Backdoor.Tidserv!inf in File: C:\System
Volume Information\_restore{19AA3803-C8BD-4B8C-A708-A950592338AC}\RP970\A0141714.sys
by: Auto-Protect scan. Action: Clean failed : Quarantine failed. Action Description:
The file was left unchanged.

Error - 3/18/2010 6:31:38 PM | Computer Name = NEW-D3CFBA6C0A5 | Source = Symantec AntiVirus | ID = 16711685
Description = Risk Found!Risk: Backdoor.Tidserv!inf in File: C:\System Volume Information\_restore{19AA3803-C8BD-4B8C-A708-A950592338AC}\RP970\A0141714.sys
by: Auto-Protect scan. Action: Clean failed : Quarantine failed : Access denied.
Action Description: The file was left unchanged.

Error - 3/18/2010 6:31:38 PM | Computer Name = NEW-D3CFBA6C0A5 | Source = Symantec AntiVirus | ID = 16711685
Description = Risk Found!Risk: Backdoor.Tidserv!inf in File: c:\system volume information\_restore{19aa3803-c8bd-4b8c-a708-a950592338ac}\RP970\A0141714.sys
by: Auto-Protect scan. Action: Clean failed : Quarantine failed. Action Description:
The file was left unchanged.

Error - 3/18/2010 6:31:38 PM | Computer Name = NEW-D3CFBA6C0A5 | Source = Symantec AntiVirus | ID = 16711685
Description = Risk Found!Risk: Backdoor.Tidserv!inf in File: c:\system~1\_resto~1\rp970\a0141714.sys
by: Auto-Protect scan. Action: Clean failed : Quarantine failed. Action Description:
The file was left unchanged.

Error - 3/18/2010 6:31:40 PM | Computer Name = NEW-D3CFBA6C0A5 | Source = Symantec AntiVirus | ID = 16711731
Description = Security Risk Found!Risk: Backdoor.Tidserv!inf in File: C:\System
Volume Information\_restore{19AA3803-C8BD-4B8C-A708-A950592338AC}\RP970\A0141714.sys
by: Auto-Protect scan. Action: Clean failed : Quarantine failed : Access denied.
Action Description: Risk was partially removed.

Error - 3/18/2010 7:28:54 PM | Computer Name = NEW-D3CFBA6C0A5 | Source = Symantec AntiVirus | ID = 16711726
Description = Security Risk Found!Risk: Backdoor.Tidserv!inf in File: C:\System
Volume Information\_restore{19AA3803-C8BD-4B8C-A708-A950592338AC}\RP970\A0141714.sys
by: Auto-Protect scan. Action: Clean failed : Quarantine failed. Action Description:
The file was left unchanged.

Error - 3/19/2010 12:34:20 AM | Computer Name = NEW-D3CFBA6C0A5 | Source = Userenv | ID = 1500
Description = Windows cannot log you on because your profile cannot be loaded. Check
that you are connected to the network, or that your network is functioning correctly.
If this problem persists, contact your network administrator. DETAIL - The system
has attempted to load or restore a file into the registry, but the specified file
is not in a registry file format.

[ System Events ]
Error - 3/18/2010 11:07:46 PM | Computer Name = NEW-D3CFBA6C0A5 | Source = Windows Update Agent | ID = 20
Description = Installation Failure: Windows failed to install the following update
with error 0x80070643: Microsoft .NET Framework 3.5 Service Pack 1 and .NET Framework
3.5 Family Update for .NET versions 2.0 through 3.5 (KB951847) x86.

Error - 3/18/2010 11:16:03 PM | Computer Name = NEW-D3CFBA6C0A5 | Source = ssidrv | ID = 131098
Description = Failed to set monitor event rule.

Error - 3/19/2010 12:35:12 AM | Computer Name = NEW-D3CFBA6C0A5 | Source = Service Control Manager | ID = 7005
Description = The LoadUserProfile call failed with the following error: %%1017

Error - 3/19/2010 12:35:12 AM | Computer Name = NEW-D3CFBA6C0A5 | Source = Service Control Manager | ID = 7005
Description = The LoadUserProfile call failed with the following error: %%1017

Error - 3/19/2010 12:35:29 AM | Computer Name = NEW-D3CFBA6C0A5 | Source = Service Control Manager | ID = 7005
Description = The LoadUserProfile call failed with the following error: %%1017

Error - 3/19/2010 12:35:31 AM | Computer Name = NEW-D3CFBA6C0A5 | Source = Service Control Manager | ID = 7005
Description = The LoadUserProfile call failed with the following error: %%1017

Error - 3/19/2010 12:47:48 AM | Computer Name = NEW-D3CFBA6C0A5 | Source = Service Control Manager | ID = 7005
Description = The LoadUserProfile call failed with the following error: %%1017

Error - 3/19/2010 12:47:48 AM | Computer Name = NEW-D3CFBA6C0A5 | Source = Service Control Manager | ID = 7005
Description = The LoadUserProfile call failed with the following error: %%1017

Error - 3/19/2010 12:48:08 AM | Computer Name = NEW-D3CFBA6C0A5 | Source = Service Control Manager | ID = 7005
Description = The LoadUserProfile call failed with the following error: %%1017

Error - 3/19/2010 12:48:10 AM | Computer Name = NEW-D3CFBA6C0A5 | Source = Service Control Manager | ID = 7005
Description = The LoadUserProfile call failed with the following error: %%1017


< End of report >

#4 Essexboy

  • Group: GeekU Moderator
  • Posts: 56,116
  • Joined: 31-May 06

Posted 19 March 2010 - 12:48 PM

I see you have run lots of different tools on this - were you being helped elsewhere?

Please make a copy of the second part of this fix as you will be required to reboot and follow specific instructions

Run OTL
  • Under the Custom Scans/Fixes box at the bottom, paste in the following

    :OTL
    O4 - HKLM..\Run: [rizurapim] C:\WINDOWS\System32\nipujija.DLL ()
    O21 - SSODL: baruginoh - {4194e1a6-c227-4028-822a-860c0345a0ba} - CLSID or File not found.
    O21 - SSODL: ferililab - {18ffef2b-2015-4297-b4f1-40cfe7649db1} - C:\WINDOWS\system32\nipujija.dll ()
    O21 - SSODL: megaderaj - {3add4a24-cec4-461a-a692-ab77b1b83cb8} - C:\WINDOWS\System32\josoguyi.dll File not found
    O22 - SharedTaskScheduler: {18ffef2b-2015-4297-b4f1-40cfe7649db1} - mujuzedij - C:\WINDOWS\system32\nipujija.dll ()
    O22 - SharedTaskScheduler: {3add4a24-cec4-461a-a692-ab77b1b83cb8} - mujuzedij - C:\WINDOWS\System32\josoguyi.dll File not found
    O22 - SharedTaskScheduler: {4194e1a6-c227-4028-822a-860c0345a0ba} - tokatiluy - Reg Error: Key error. File not found
    [2099/01/01 12:00:00 | 000,096,256 | -HS- | M] () -- C:\WINDOWS\System32\nipujija.dll
    [2010/03/18 22:00:00 | 000,000,300 | ---- | M] () -- C:\WINDOWS\tasks\bilbpbsn.job
    [2010/03/18 17:21:18 | 000,006,456 | -H-- | M] () -- C:\WINDOWS\System32\yijetajo
    
    :Reg
    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\GloballyOpenPorts\List]
    "3389:TCP"=-
    
    
    :Commands
    [resethosts]
    [purity]
    [emptytemp]
    [EMPTYFLASH]
    [Reboot]


  • Then click the Run Fix button at the top
  • Let the program run unhindered, reboot the PC when it is done
  • Open OTL again and click the Quick Scan button. Post the log it produces in your next reply.


THEN

Please download HelpAsst_mebroot_fix.exe and save it to your desktop.
Close out all other open programs and windows.
Double click the file to run it and follow any prompts.
If the tool detects an mbr infection, please allow it to run mbr -f and shutdown your computer.
Upon restarting, please wait about 5 minutes, click Start>Run and type the following bolded command, then hit Enter.

helpasst -mbrt

Make sure you leave a space between helpasst and -mbrt!
When it completes, a log will open.
Please post the contents of that log.


*In the event the tool does not detect an mbr infection and completes, click Start>Run and type the following bolded command, then hit Enter.

mbr -f

Now, please do the Start>Run>mbr -f command a second time.
Now shut down the computer (do not restart, but shut it down), wait a few minutes then start it back up.
Give it about 5 minutes, then click Start>Run and type the following bolded command, then hit Enter.

helpasst -mbrt

Make sure you leave a space between helpasst and -mbrt!
When it completes, a log will open.
Please post the contents of that log.

**Important note to Dell users - fixing the mbr may prevent access to the Dell Restore Utility, which allows you to press a key on startup and revert your computer to a factory delivered state. There are a couple of known fixes for said condition, though the methods are somewhat advanced. If you are unwilling to take such a risk, you should not allow the tool to execute mbr -f nor execute the command manually, and you will either need to restore your computer to a factory state or allow your computer to remain having an infected mbr (the latter not recommended).
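The fix script in the post above is built by reading the OTL log for a few recurring signs: autostart entries (O4/O21/O22) whose file or CLSID no longer exists, loaders in System32 with no company name, and a hidden+system DLL carrying a year-2099 timestamp. The following is an added Python example, not part of this thread and not a feature of OTL, that applies those same checks to OTL-format lines so an analyst can see at a glance which entries deserve attention. The sample log text is constructed in the shape of the lines quoted in this thread; `triage_otl`, `Finding`, `SCAN_DATE` and the heuristics themselves are assumptions of this example, and the output is a reading aid, not a deletion list.

```python
"""Triage OTL-style log lines: flag orphaned autostarts, no-company loaders in
System32, and hidden+system files with future timestamps (heuristics only)."""
from __future__ import annotations

import re
from dataclasses import dataclass
from datetime import date, datetime

# Constructed sample in the OTL log format used in this thread. The suspicious
# entries mirror the ones the helper's fix targets; the last line and the
# SpySweeper entry are ordinary vendor-signed entries for contrast.
SAMPLE_OTL = r"""
O4 - HKLM..\Run: [SpySweeper] C:\Program Files\Webroot\WebrootSecurity\SpySweeperUI.exe (Webroot Software, Inc.)
O4 - HKLM..\Run: [rizurapim] C:\WINDOWS\System32\nipujija.DLL ()
O21 - SSODL: baruginoh - {4194e1a6-c227-4028-822a-860c0345a0ba} - CLSID or File not found.
O21 - SSODL: ferililab - {18ffef2b-2015-4297-b4f1-40cfe7649db1} - C:\WINDOWS\system32\nipujija.dll ()
O22 - SharedTaskScheduler: {3add4a24-cec4-461a-a692-ab77b1b83cb8} - mujuzedij - C:\WINDOWS\System32\josoguyi.dll File not found
[2099/01/01 12:00:00 | 000,096,256 | -HS- | M] () -- C:\WINDOWS\System32\nipujija.dll
[2010/03/18 22:00:00 | 000,000,300 | ---- | M] () -- C:\WINDOWS\tasks\bilbpbsn.job
[2010/03/18 21:52:06 | 000,555,520 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\new user\Desktop\OTL.exe
"""

SCAN_DATE = date(2010, 3, 19)  # assumed date the log was produced

# O4 (Run keys), O21 (SSODL) and O22 (SharedTaskScheduler) autostart lines.
AUTOSTART_RE = re.compile(r"^(O4|O21|O22) - (?P<rest>.+)$")
# A drive path ending at "(company)", at the literal "File not found", or at EOL.
PATH_RE = re.compile(
    r"(?P<path>[A-Za-z]:\\.*?)(?:\s+\((?P<company>[^)]*)\)|\s+File not found|$)"
)
# "[date time | size | attrs | C/M] (company) -- path" file lines.
FILE_RE = re.compile(
    r"^\[(?P<ts>\d{4}/\d{2}/\d{2} \d{2}:\d{2}:\d{2}) \| (?P<size>[\d,]+) \| "
    r"(?P<attrs>[-A-Z]{4}) \| [CM]\] \((?P<company>[^)]*)\) -- (?P<path>.+)$"
)
SYSTEM_DIR = "\\windows\\system32\\"


@dataclass
class Finding:
    line: str
    reason: str


def triage_otl(log_text: str, scan_date: date) -> list[Finding]:
    """Return one Finding per suspicious trait seen in the OTL lines."""
    findings: list[Finding] = []
    for line in log_text.splitlines():
        line = line.strip()
        if not line:
            continue
        m = AUTOSTART_RE.match(line)
        if m:
            if "File not found" in line:
                findings.append(Finding(line, "autostart points at a missing file or CLSID (orphaned loader)"))
                continue
            p = PATH_RE.search(m.group("rest"))
            company = (p.group("company") or "").strip() if p else "n/a"
            if p and not company and SYSTEM_DIR in p.group("path").lower():
                findings.append(Finding(line, "autostart loads a System32 file with no company/version info"))
            continue
        f = FILE_RE.match(line)
        if f:
            mtime = datetime.strptime(f.group("ts"), "%Y/%m/%d %H:%M:%S").date()
            if mtime > scan_date:
                findings.append(Finding(line, f"timestamp {mtime} is after the scan date (likely timestomped)"))
            attrs = f.group("attrs")
            in_system32 = SYSTEM_DIR in f.group("path").lower()
            if "H" in attrs and "S" in attrs and not f.group("company").strip() and in_system32:
                findings.append(Finding(line, "hidden+system file with no company name under System32"))
    return findings


if __name__ == "__main__":
    for finding in triage_otl(SAMPLE_OTL, SCAN_DATE):
        print(f"[{finding.reason}]\n    {finding.line}")
```

Note what the heuristics do not catch: the random-named `bilbpbsn.job` task is not flagged, because a no-company `.job` file is also what legitimate updaters (Google, Apple) leave behind; spotting it still takes an analyst comparing the task name against the installed software list earlier in the log.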

#5 pixman

  • Group: Member
  • Posts: 15
  • Joined: 11-January 10

Posted 19 March 2010 - 07:14 PM

I was just working on it myself.

Here's the logs:

OTL logfile created on: 3/19/2010 5:38:03 PM - Run 2
OTL by OldTimer - Version 3.1.37.3 Folder = C:\Documents and Settings\new user\Desktop
Windows XP Professional Edition Service Pack 3 (Version = 5.1.2600) - Type = NTWorkstation
Internet Explorer (Version = 6.0.2900.5512)
Locale: 00000409 | Country: United States | Language: ENU | Date Format: M/d/yyyy

1,013.00 Mb Total Physical Memory | 522.00 Mb Available Physical Memory | 51.00% Memory free
2.00 Gb Paging File | 2.00 Gb Available in Paging File | 89.00% Paging File free
Paging file location(s): C:\pagefile.sys 1524 3048 [binary data]

%SystemDrive% = C: | %SystemRoot% = C:\WINDOWS | %ProgramFiles% = C:\Program Files
Drive C: | 232.88 Gb Total Space | 174.65 Gb Free Space | 75.00% Space Free | Partition Type: NTFS
D: Drive not present or media not loaded
E: Drive not present or media not loaded
F: Drive not present or media not loaded
G: Drive not present or media not loaded
H: Drive not present or media not loaded
I: Drive not present or media not loaded

Computer Name: NEW-D3CFBA6C0A5
Current User Name: new user
Logged in as Administrator.

Current Boot Mode: Normal
Scan Mode: Current user
Company Name Whitelist: On
Skip Microsoft Files: On
File Age = 14 Days
Output = Standard
Quick Scan

========== Processes (SafeList) ==========

PRC - [2010/03/18 21:52:06 | 000,555,520 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\new user\Desktop\OTL.exe
PRC - [2010/01/21 16:21:02 | 000,112,592 | ---- | M] (Threat Expert Ltd.) -- C:\Program Files\Spyware Doctor\BDT\BDTUpdateService.exe
PRC - [2010/01/14 19:12:13 | 001,201,640 | ---- | M] (Webroot Software, Inc. ) -- C:\Program Files\Webroot\WebrootSecurity\WRConsumerService.exe
PRC - [2009/11/06 13:00:22 | 004,048,240 | ---- | M] (Webroot Software, Inc. (www.webroot.com)) -- C:\Program Files\Webroot\WebrootSecurity\SpySweeper.exe
PRC - [2008/07/30 02:34:04 | 000,038,912 | ---- | M] (Microsoft Corporation) -- c:\Program Files\Common Files\Microsoft Shared\DW\DWTRIG20.EXE
PRC - [2008/04/13 17:12:19 | 001,033,728 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\explorer.exe
PRC - [2006/03/07 13:03:02 | 000,169,632 | ---- | M] (Symantec Corporation) -- C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
PRC - [2006/03/07 13:02:34 | 000,192,160 | ---- | M] (Symantec Corporation) -- C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
PRC - [2006/02/06 12:50:24 | 001,160,848 | ---- | M] (Symantec Corporation) -- C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe


========== Modules (SafeList) ==========

MOD - [2010/03/18 21:52:06 | 000,555,520 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\new user\Desktop\OTL.exe


========== Win32 Services (SafeList) ==========

SRV - [2010/01/21 16:21:02 | 000,112,592 | ---- | M] (Threat Expert Ltd.) [Auto | Running] -- C:\Program Files\Spyware Doctor\BDT\BDTUpdateService.exe -- (Browser Defender Update Service)
SRV - [2010/01/14 19:12:13 | 001,201,640 | ---- | M] (Webroot Software, Inc. ) [Auto | Running] -- C:\Program Files\Webroot\WebrootSecurity\WRConsumerService.exe -- (WRConsumerService)
SRV - [2009/11/06 15:29:22 | 001,141,712 | ---- | M] (PC Tools) [On_Demand | Stopped] -- C:\Program Files\Spyware Doctor\pctsSvc.exe -- (sdCoreService)
SRV - [2009/11/06 13:00:22 | 004,048,240 | ---- | M] (Webroot Software, Inc. (www.webroot.com)) [Auto | Running] -- C:\Program Files\Webroot\WebrootSecurity\SpySweeper.exe -- (WebrootSpySweeperService)
SRV - [2009/10/30 12:18:16 | 000,359,624 | ---- | M] (PC Tools) [On_Demand | Stopped] -- C:\Program Files\Spyware Doctor\pctsAuxs.exe -- (sdAuxService)
SRV - [2006/03/17 06:35:00 | 001,823,472 | ---- | M] (Symantec Corporation) [Disabled | Stopped] -- C:\Program Files\Symantec AntiVirus\Rtvscan.exe -- (Symantec AntiVirus)
SRV - [2006/03/17 06:34:24 | 000,115,952 | ---- | M] (symantec) [On_Demand | Stopped] -- C:\Program Files\Symantec AntiVirus\SavRoam.exe -- (SavRoam)
SRV - [2006/03/17 06:34:12 | 000,030,448 | ---- | M] (Symantec Corporation) [Disabled | Stopped] -- C:\Program Files\Symantec AntiVirus\DefWatch.exe -- (DefWatch)
SRV - [2006/03/07 13:03:02 | 000,169,632 | ---- | M] (Symantec Corporation) [Auto | Running] -- C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe -- (ccSetMgr)
SRV - [2006/03/07 13:02:34 | 000,192,160 | ---- | M] (Symantec Corporation) [Auto | Running] -- C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe -- (ccEvtMgr)
SRV - [2006/02/23 11:41:02 | 002,045,632 | ---- | M] (Symantec Corporation) [On_Demand | Stopped] -- C:\Program Files\Symantec\LiveUpdate\LuComServer_3_0.EXE -- (LiveUpdate)
SRV - [2006/02/06 12:50:24 | 001,160,848 | ---- | M] (Symantec Corporation) [Auto | Running] -- C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe -- (SPBBCSvc)
SRV - [2006/01/24 20:06:58 | 000,214,720 | ---- | M] (Symantec Corporation) [On_Demand | Stopped] -- C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe -- (SNDSrvc)


========== Standard Registry (SafeList) ==========


========== Internet Explorer ==========

IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Local Page = %SystemRoot%\system32\blank.htm

IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = http://www.google.com/
IE - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0

========== FireFox ==========

FF - prefs.js..extensions.enabledItems: jqs@sun.com:1.0
FF - prefs.js..extensions.enabledItems: moveplayer@movenetworks.com:1.0.0.%(version)s

FF - HKLM\software\mozilla\Mozilla Firefox 3.6\extensions\\Components: C:\Program Files\Mozilla Firefox\components [2010/03/19 01:25:19 | 000,000,000 | ---D | M]
FF - HKLM\software\mozilla\Mozilla Firefox 3.6\extensions\\Plugins: C:\Program Files\Mozilla Firefox\plugins [2010/03/14 00:36:55 | 000,000,000 | ---D | M]

[2010/02/06 14:25:56 | 000,000,000 | ---D | M] -- C:\Documents and Settings\new user\Application Data\Mozilla\Extensions
[2010/03/18 22:34:36 | 000,000,000 | ---D | M] -- C:\Documents and Settings\new user\Application Data\Mozilla\Firefox\Profiles\oex1f314.default\extensions
[2010/02/06 15:49:31 | 000,000,000 | ---D | M] (Microsoft .NET Framework Assistant) -- C:\Documents and Settings\new user\Application Data\Mozilla\Firefox\Profiles\oex1f314.default\extensions\{20a82645-c095-46ed-80e3-08825760534b}
[2010/02/06 14:25:31 | 000,000,000 | ---D | M] -- C:\Program Files\Mozilla Firefox\extensions
[2010/02/23 14:16:08 | 000,221,184 | ---- | M] (CNN) -- C:\Program Files\Mozilla Firefox\plugins\NPTURNMED.dll

O1 HOSTS File: ([2010/03/19 17:31:10 | 000,000,098 | ---- | M]) - C:\WINDOWS\system32\drivers\etc\Hosts
O1 - Hosts: 127.0.0.1 localhost
O1 - Hosts: ::1 localhost
O2 - BHO: (Adobe PDF Reader Link Helper) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll (Adobe Systems Incorporated)
O2 - BHO: (PC Tools Browser Guard BHO) - {2A0F3D1B-0909-4FF4-B272-609CCE6054E7} - C:\Program Files\Spyware Doctor\BDT\PCTBrowserDefender.dll (Threat Expert Ltd.)
O2 - BHO: (Java™ Plug-In SSV Helper) - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre6\bin\ssv.dll (Sun Microsystems, Inc.)
O2 - BHO: (Google Toolbar Notifier BHO) - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\5.1.1309.3572\swg.dll (Google Inc.)
O2 - BHO: (Ask Toolbar BHO) - {FE063DB1-4EC0-403e-8DD8-394C54984B2C} - C:\Program Files\AskTBar\bar\1.bin\ASKTBAR.DLL (Ask.com)
O3 - HKLM\..\Toolbar: (PC Tools Browser Guard) - {472734EA-242A-422B-ADF8-83D1E48CC825} - C:\Program Files\Spyware Doctor\BDT\PCTBrowserDefender.dll (Threat Expert Ltd.)
O3 - HKLM\..\Toolbar: (Ask Toolbar) - {FE063DB9-4EC0-403e-8DD8-394C54984B2C} - C:\Program Files\AskTBar\bar\1.bin\ASKTBAR.DLL (Ask.com)
O3 - HKCU\..\Toolbar\WebBrowser: (PC Tools Browser Guard) - {472734EA-242A-422B-ADF8-83D1E48CC825} - C:\Program Files\Spyware Doctor\BDT\PCTBrowserDefender.dll (Threat Expert Ltd.)
O4 - HKLM..\Run: [DWQueuedReporting] c:\Program Files\Common Files\Microsoft Shared\DW\DWTRIG20.EXE (Microsoft Corporation)
O4 - HKLM..\Run: [rizurapim] C:\WINDOWS\System32\nipujija.DLL File not found
O4 - HKLM..\Run: [SpySweeper] C:\Program Files\Webroot\WebrootSecurity\SpySweeperUI.exe (Webroot Software, Inc.)
O6 - HKLM\Software\Policies\Microsoft\Internet Explorer\Main present
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: HonorAutoRunSetting = 1
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveAutoRun = 67108863
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 323
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDrives = 0
O7 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O7 - HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 323
O7 - HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveAutoRun = 67108863
O7 - HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDrives = 0
O9 - Extra Button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe (America Online, Inc.)
O10 - NameSpace_Catalog5\Catalog_Entries\000000000004 [] - C:\Program Files\Bonjour\mdnsNSP.dll (Apple Inc.)
O16 - DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} http://www.apple.com...ex/qtplugin.cab (QuickTime Object)
O16 - DPF: {31435657-9980-0010-8000-00AA00389B71} http://download.microsoft.com/download/e/2...78f/wvc1dmo.cab (Reg Error: Key error.)
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} http://update.microsoft.com/windowsupdate/...b?1181596364140 (WUWebControl Class)
O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} http://java.sun.com/update/1.6.0/jinstall-...indows-i586.cab (Java Plug-in 1.6.0_11)
O16 - DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} http://fpdownload.macromedia.com/get/flash...r/ultrashim.cab (Reg Error: Key error.)
O16 - DPF: {CAFEEFAC-0016-0000-0001-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinstall-...indows-i586.cab (Java Plug-in 1.6.0_01)
O16 - DPF: {CAFEEFAC-0016-0000-0002-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinstall-...indows-i586.cab (Java Plug-in 1.6.0_02)
O16 - DPF: {CAFEEFAC-0016-0000-0003-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinstall-...indows-i586.cab (Java Plug-in 1.6.0_03)
O16 - DPF: {CAFEEFAC-0016-0000-0005-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinstall-...indows-i586.cab (Java Plug-in 1.6.0_05)
O16 - DPF: {CAFEEFAC-0016-0000-0011-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinstall-...indows-i586.cab (Java Plug-in 1.6.0_11)
O16 - DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinstall-...indows-i586.cab (Java Plug-in 1.6.0_11)
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} http://download.macromedia.com/pub/shockwa...ash/swflash.cab (Shockwave Flash Object)
O16 - DPF: {FD0B6769-6490-4A91-AA0A-B5AE0DC75AC9} https://secure.logme...trl.cab?lmi=100 (Performance Viewer Activex Control)
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: DhcpNameServer = 209.18.47.61 209.18.47.62
O20 - HKLM Winlogon: Shell - (Explorer.exe) - C:\WINDOWS\explorer.exe (Microsoft Corporation)
O20 - HKCU Winlogon: Shell - (Explorer.exe) - C:\WINDOWS\explorer.exe (Microsoft Corporation)
O20 - Winlogon\Notify\igfxcui: DllName - igfxdev.dll - C:\WINDOWS\System32\igfxdev.dll (Intel Corporation)
O20 - Winlogon\Notify\NavLogon: DllName - C:\WINDOWS\system32\NavLogon.dll - C:\WINDOWS\system32\NavLogon.dll (Symantec Corporation)
O21 - SSODL: ferililab - {18ffef2b-2015-4297-b4f1-40cfe7649db1} - C:\WINDOWS\System32\nipujija.dll File not found
O22 - SharedTaskScheduler: {18ffef2b-2015-4297-b4f1-40cfe7649db1} - mujuzedij - C:\WINDOWS\System32\nipujija.dll File not found
O24 - Desktop WallPaper: C:\Documents and Settings\new user\Local Settings\Application Data\Microsoft\Wallpaper1.bmp
O24 - Desktop BackupWallPaper: C:\Documents and Settings\new user\Local Settings\Application Data\Microsoft\Wallpaper1.bmp
O30 - LSA: Security Packages - (em\ecurity Packages settings...) - File not found
O32 - HKLM CDRom: AutoRun - 1
O32 - AutoRun File - [2007/06/11 14:02:27 | 000,000,000 | ---- | M] () - C:\AUTOEXEC.BAT -- [ NTFS ]
O34 - HKLM BootExecute: (autocheck autochk *) - File not found
O35 - HKLM\..comfile [open] -- "%1" %*
O35 - HKLM\..exefile [open] -- "%1" %*
O37 - HKLM\...com [@ = ComFile] -- "%1" %*
O37 - HKLM\...exe [@ = exefile] -- "%1" %*

========== Files/Folders - Created Within 14 Days ==========

[2010/03/19 17:33:58 | 000,000,000 | -HSD | C] -- C:\RECYCLER
[2010/03/19 17:30:50 | 000,000,000 | ---D | C] -- C:\_OTL
[2010/03/18 21:52:05 | 000,555,520 | ---- | C] (OldTimer Tools) -- C:\Documents and Settings\new user\Desktop\OTL.exe
[2010/03/18 17:27:16 | 000,000,000 | ---D | C] -- C:\14af260fe2a65f1160c87270a0
[2010/03/18 17:22:03 | 000,000,000 | ---D | C] -- C:\Avenger
[2010/03/18 10:11:34 | 001,394,000 | ---- | C] (Malwarebytes Corporation) -- C:\Documents and Settings\new user\Desktop\6KOm2Kaww.exe
[2010/03/18 01:03:48 | 000,000,000 | ---D | C] -- C:\c93a8c3946a6dbfe8b67
[2010/03/18 00:44:32 | 000,000,000 | ---D | C] -- C:\ComboFix
[2010/03/17 23:24:27 | 000,000,000 | -H-D | C] -- C:\WINDOWS\System32\GroupPolicy
[2010/03/17 13:25:27 | 000,038,224 | ---- | C] (Malwarebytes Corporation) -- C:\WINDOWS\System32\drivers\mbamswissarmy.sys
[2010/03/17 13:25:24 | 000,019,160 | ---- | C] (Malwarebytes Corporation) -- C:\WINDOWS\System32\drivers\mbam.sys
[2010/03/17 13:25:23 | 000,000,000 | ---D | C] -- C:\Program Files\Malwarebytes' Anti-Malware
[2010/03/17 13:25:07 | 005,115,824 | ---- | C] (Malwarebytes Corporation ) -- C:\Documents and Settings\new user\Desktop\malbytes.exe
[2010/03/14 15:44:30 | 000,181,000 | ---- | C] (Kaspersky Lab) -- C:\Documents and Settings\new user\Desktop\TDSSKiller.exe
[2010/03/14 15:39:39 | 000,000,000 | ---D | C] -- C:\Program Files\Malwareby
[2010/03/14 14:39:07 | 005,115,824 | ---- | C] (Malwarebytes Corporation ) -- C:\Documents and Settings\new user\Desktop\malware.exe
[2010/03/14 00:37:45 | 000,000,000 | ---D | C] -- C:\Documents and Settings\new user\Local Settings\Application Data\Real
[2010/03/14 00:34:16 | 000,000,000 | ---D | C] -- C:\Program Files\Common Files\xing shared
[2010/03/14 00:32:44 | 000,278,528 | ---- | C] (Real Networks, Inc) -- C:\WINDOWS\System32\pncrt.dll
[2010/03/10 13:00:36 | 000,000,000 | ---D | C] -- C:\933523aa0e8f42c6c711d757
[2010/01/06 09:47:39 | 000,000,000 | ---D | M] -- C:\Documents and Settings\NetworkService\Local Settings\Application Data\Google
[2009/12/25 18:33:19 | 000,000,000 | ---D | M] -- C:\Documents and Settings\LocalService\Local Settings\Application Data\Google
[2009/08/28 11:29:22 | 000,000,000 | --SD | M] -- C:\Documents and Settings\LocalService\Application Data\Microsoft
[2008/12/20 23:10:50 | 000,000,000 | ---D | M] -- C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft
[2007/11/09 08:52:01 | 000,000,000 | ---D | M] -- C:\Documents and Settings\NetworkService\Local Settings\Application Data\Apple
[2007/06/11 14:05:27 | 000,000,000 | ---D | M] -- C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft
[2007/06/11 14:02:24 | 000,000,000 | --SD | M] -- C:\Documents and Settings\NetworkService\Application Data\Microsoft

========== Files - Modified Within 14 Days ==========

[2010/03/19 17:36:08 | 000,013,646 | ---- | M] () -- C:\WINDOWS\System32\wpa.dbl
[2010/03/19 17:35:44 | 000,000,868 | ---- | M] () -- C:\WINDOWS\tasks\Google Software Updater.job
[2010/03/19 17:35:29 | 000,000,882 | ---- | M] () -- C:\WINDOWS\tasks\GoogleUpdateTaskMachineCore.job
[2010/03/19 17:35:29 | 000,000,284 | ---- | M] () -- C:\WINDOWS\tasks\RealUpgradeLogonTaskS-1-5-21-789336058-507921405-839522115-1003.job
[2010/03/19 17:35:26 | 000,000,006 | -H-- | M] () -- C:\WINDOWS\tasks\SA.DAT
[2010/03/19 17:35:16 | 000,002,048 | --S- | M] () -- C:\WINDOWS\bootstat.dat
[2010/03/19 17:34:07 | 004,718,592 | ---- | M] () -- C:\Documents and Settings\new user\NTUser.dat
[2010/03/19 17:34:07 | 000,000,278 | -HS- | M] () -- C:\Documents and Settings\new user\ntuser.ini
[2010/03/19 17:31:10 | 000,000,098 | ---- | M] () -- C:\WINDOWS\System32\drivers\etc\Hosts
[2010/03/19 14:48:00 | 000,000,886 | ---- | M] () -- C:\WINDOWS\tasks\GoogleUpdateTaskMachineUA.job
[2010/03/19 01:02:39 | 000,000,116 | ---- | M] () -- C:\WINDOWS\NeroDigital.ini
[2010/03/19 01:02:34 | 000,072,192 | ---- | M] () -- C:\Documents and Settings\new user\Local Settings\Application Data\DCBC2A71-70D8-4DAN-EHR8-E0D61DEA3FDF.ini
[2010/03/18 21:52:06 | 000,555,520 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\new user\Desktop\OTL.exe
[2010/03/18 21:42:25 | 000,000,573 | ---- | M] () -- C:\WINDOWS\win.ini
[2010/03/18 21:42:25 | 000,000,281 | RHS- | M] () -- C:\boot.ini
[2010/03/18 21:42:25 | 000,000,227 | ---- | M] () -- C:\WINDOWS\system.ini
[2010/03/18 10:11:39 | 001,394,000 | ---- | M] (Malwarebytes Corporation) -- C:\Documents and Settings\new user\Desktop\6KOm2Kaww.exe
[2010/03/18 09:42:07 | 000,002,447 | ---- | M] () -- C:\Documents and Settings\new user\Desktop\HiJackThis.lnk
[2010/03/18 00:43:47 | 000,000,934 | ---- | M] () -- C:\Documents and Settings\new user\Desktop\Shortcut to ComboFix.exe.lnk
[2010/03/17 23:42:44 | 000,000,410 | ---- | M] () -- C:\Documents and Settings\new user\Desktop\Fix your computer automatically.lnk
[2010/03/17 23:32:43 | 000,015,944 | ---- | M] () -- C:\WINDOWS\System32\drivers\hitmanpro35.sys
[2010/03/17 23:26:42 | 000,000,008 | RHS- | M] () -- C:\Documents and Settings\All Users\ntuser.pol
[2010/03/17 22:57:14 | 000,023,392 | ---- | M] () -- C:\WINDOWS\System32\nscompat.tlb
[2010/03/17 22:57:14 | 000,016,832 | ---- | M] () -- C:\WINDOWS\System32\amcompat.tlb
[2010/03/17 13:25:30 | 000,000,696 | ---- | M] () -- C:\Documents and Settings\All Users\Desktop\Malwarebytes' Anti-Malware.lnk
[2010/03/17 13:25:12 | 005,115,824 | ---- | M] (Malwarebytes Corporation ) -- C:\Documents and Settings\new user\Desktop\malbytes.exe
[2010/03/14 20:25:32 | 000,024,576 | ---- | M] () -- C:\Documents and Settings\new user\Desktop\writing.doc
[2010/03/14 20:00:48 | 000,002,137 | ---- | M] () -- C:\Documents and Settings\All Users\Desktop\iTunes.lnk
[2010/03/14 18:47:05 | 000,000,950 | ---- | M] () -- C:\WINDOWS\System32\.crusader
[2010/03/14 14:39:14 | 005,115,824 | ---- | M] (Malwarebytes Corporation ) -- C:\Documents and Settings\new user\Desktop\malware.exe
[2010/03/14 14:09:46 | 000,457,340 | ---- | M] () -- C:\WINDOWS\System32\perfh009.dat
[2010/03/14 14:09:46 | 000,078,918 | ---- | M] () -- C:\WINDOWS\System32\perfc009.dat
[2010/03/14 14:09:45 | 000,545,434 | ---- | M] () -- C:\WINDOWS\System32\PerfStringBackup.INI
[2010/03/14 01:47:09 | 004,319,912 | -H-- | M] () -- C:\Documents and Settings\new user\Local Settings\Application Data\IconCache.db
[2010/03/14 00:38:21 | 000,000,292 | ---- | M] () -- C:\WINDOWS\tasks\RealUpgradeScheduledTaskS-1-5-21-789336058-507921405-839522115-1003.job
[2010/03/14 00:32:44 | 000,278,528 | ---- | M] (Real Networks, Inc) -- C:\WINDOWS\System32\pncrt.dll
[2010/03/13 23:17:05 | 000,000,284 | ---- | M] () -- C:\WINDOWS\tasks\AppleSoftwareUpdate.job
[2010/03/13 17:12:07 | 000,026,624 | ---- | M] () -- C:\Documents and Settings\new user\Desktop\for today.doc
[2010/03/12 18:02:38 | 000,261,632 | ---- | M] () -- C:\WINDOWS\PEV.exe
[2010/03/12 01:59:40 | 000,000,122 | ---- | M] () -- C:\WINDOWS\mdm.ini
[2010/03/11 22:08:44 | 000,000,749 | ---- | M] () -- C:\Documents and Settings\All Users\Desktop\RegistryBooster.lnk
[2010/03/10 15:53:32 | 000,181,000 | ---- | M] (Kaspersky Lab) -- C:\Documents and Settings\new user\Desktop\TDSSKiller.exe
[2010/03/10 12:53:10 | 732,856,320 | ---- | M] () -- C:\Documents and Settings\new user\Desktop\bfscr-veins-2.avi
[2010/03/10 12:53:04 | 735,336,448 | ---- | M] () -- C:\Documents and Settings\new user\Desktop\bfscr-veins-1.avi
[2010/03/10 00:57:30 | 367,040,148 | ---- | M] () -- C:\Documents and Settings\new user\Desktop\Lost.S06E07.Dr.Linus.HDTV.XviD-FQM.avi
[2010/03/09 11:19:28 | 000,000,728 | ---- | M] () -- C:\Documents and Settings\All Users\Desktop\BitTorrent.lnk
[2010/03/05 20:47:53 | 364,470,402 | ---- | M] () -- C:\Documents and Settings\new user\Desktop\anya-md.wmv
[2010/03/05 20:47:03 | 244,216,768 | ---- | M] () -- C:\Documents and Settings\new user\Desktop\lily-md.wmv

========== Files Created - No Company Name ==========

[2010/03/18 17:34:31 | 000,293,376 | ---- | C] () -- C:\Documents and Settings\new user\Desktop\gmer.exe
[2010/03/18 00:43:47 | 000,000,934 | ---- | C] () -- C:\Documents and Settings\new user\Desktop\Shortcut to ComboFix.exe.lnk
[2010/03/17 23:40:20 | 000,000,410 | ---- | C] () -- C:\Documents and Settings\new user\Desktop\Fix your computer automatically.lnk
[2010/03/17 23:26:01 | 000,000,008 | RHS- | C] () -- C:\Documents and Settings\All Users\ntuser.pol
[2010/03/17 13:25:30 | 000,000,696 | ---- | C] () -- C:\Documents and Settings\All Users\Desktop\Malwarebytes' Anti-Malware.lnk
[2010/03/14 00:36:44 | 000,000,284 | ---- | C] () -- C:\WINDOWS\tasks\RealUpgradeLogonTaskS-1-5-21-789336058-507921405-839522115-1003.job
[2010/03/14 00:36:43 | 000,000,292 | ---- | C] () -- C:\WINDOWS\tasks\RealUpgradeScheduledTaskS-1-5-21-789336058-507921405-839522115-1003.job
[2010/03/11 22:08:44 | 000,000,749 | ---- | C] () -- C:\Documents and Settings\All Users\Desktop\RegistryBooster.lnk
[2010/03/10 11:09:51 | 732,856,320 | ---- | C] () -- C:\Documents and Settings\new user\Desktop\bfscr-veins-2.avi
[2010/03/10 11:09:45 | 735,336,448 | ---- | C] () -- C:\Documents and Settings\new user\Desktop\bfscr-veins-1.avi
[2010/03/10 00:20:57 | 367,040,148 | ---- | C] () -- C:\Documents and Settings\new user\Desktop\Lost.S06E07.Dr.Linus.HDTV.XviD-FQM.avi
[2010/03/09 11:19:28 | 000,000,728 | ---- | C] () -- C:\Documents and Settings\All Users\Desktop\BitTorrent.lnk
[2010/03/05 20:40:20 | 244,216,768 | ---- | C] () -- C:\Documents and Settings\new user\Desktop\lily-md.wmv
[2010/03/05 20:38:10 | 364,470,402 | ---- | C] () -- C:\Documents and Settings\new user\Desktop\anya-md.wmv
[2010/02/28 19:09:11 | 000,767,952 | ---- | C] () -- C:\WINDOWS\BDTSupport.dll
[2010/02/28 18:44:18 | 000,015,710 | -HS- | C] () -- C:\Documents and Settings\new user\Local Settings\Application Data\0Mp8n7BDj1d
[2010/02/16 19:57:51 | 000,001,048 | ---- | C] () -- C:\Documents and Settings\All Users\Application Data\fiosejgfse.dll
[2010/02/06 15:33:05 | 000,015,944 | ---- | C] () -- C:\WINDOWS\System32\drivers\hitmanpro35.sys
[2010/01/09 18:20:16 | 000,052,200 | ---- | C] () -- C:\Documents and Settings\LocalService\Local Settings\Application Data\FontCache3.0.0.0.dat
[2009/11/06 13:00:28 | 000,031,088 | ---- | C] () -- C:\WINDOWS\System32\wrLZMA.dll
[2008/09/19 14:55:10 | 000,000,416 | ---- | C] () -- C:\WINDOWS\System32\dtu100.dll.manifest
[2008/09/19 14:55:10 | 000,000,416 | ---- | C] () -- C:\WINDOWS\System32\dpl100.dll.manifest
[2008/09/19 14:54:18 | 000,012,288 | ---- | C] () -- C:\WINDOWS\System32\DivXWMPExtType.dll
[2008/06/23 00:25:56 | 000,164,352 | ---- | C] () -- C:\WINDOWS\System32\unrar.dll
[2008/06/23 00:25:50 | 001,559,040 | ---- | C] () -- C:\WINDOWS\System32\xvidcore.dll
[2008/06/23 00:25:50 | 000,282,624 | ---- | C] () -- C:\WINDOWS\System32\xvidvfw.dll
[2008/06/23 00:25:48 | 000,007,680 | ---- | C] () -- C:\WINDOWS\System32\ff_vfw.dll
[2008/06/23 00:25:48 | 000,000,547 | ---- | C] () -- C:\WINDOWS\System32\ff_vfw.dll.manifest
[2008/03/21 13:30:08 | 003,596,288 | ---- | C] () -- C:\WINDOWS\System32\qt-dx331.dll
[2008/01/25 02:01:09 | 000,000,454 | ---- | C] () -- C:\WINDOWS\iScreensaver.ini
[2007/08/09 12:08:04 | 000,008,784 | ---- | C] () -- C:\WINDOWS\System32\ractrlkeyhook.dll
[2007/08/01 19:55:36 | 000,000,032 | ---- | C] () -- C:\WINDOWS\wininit.ini
[2007/07/01 23:14:23 | 000,684,032 | ---- | C] () -- C:\WINDOWS\libeay32.dll
[2007/07/01 23:14:23 | 000,155,648 | ---- | C] () -- C:\WINDOWS\ssleay32.dll
[2007/06/22 21:56:32 | 000,072,192 | ---- | C] () -- C:\Documents and Settings\new user\Local Settings\Application Data\DCBC2A71-70D8-4DAN-EHR8-E0D61DEA3FDF.ini
[2007/06/20 21:52:14 | 000,002,143 | ---- | C] () -- C:\Documents and Settings\All Users\Application Data\QTSBandwidthCache
[2007/06/18 17:53:51 | 000,000,000 | ---- | C] () -- C:\WINDOWS\iPlayer.INI
[2007/06/15 18:15:40 | 000,000,116 | ---- | C] () -- C:\WINDOWS\NeroDigital.ini
[2007/06/12 12:59:34 | 000,000,000 | ---- | C] () -- C:\WINDOWS\vpc32.INI
[2007/06/12 12:54:18 | 000,000,376 | ---- | C] () -- C:\WINDOWS\ODBC.INI
[2007/06/12 12:54:18 | 000,000,122 | ---- | C] () -- C:\WINDOWS\mdm.ini
[1999/01/22 11:46:58 | 000,065,536 | ---- | C] () -- C:\WINDOWS\System32\MSRTEDIT.DLL

========== LOP Check ==========

[2010/02/06 15:37:00 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\Hitman Pro
[2010/03/19 17:35:33 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\TEMP
[2007/06/15 19:42:26 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\Viewpoint
[2009/03/28 23:05:14 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\{00D89592-F643-4D8D-8F0F-AFAE0F14D4C3}
[2009/10/04 00:48:21 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\{755AC846-7372-4AC8-8550-C52491DAA8BD}
[2009/04/27 16:49:47 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\{8CD7F5AF-ECFA-4793-BF40-D8F42DBFF906}
[2010/01/14 02:40:40 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\{C4C0E335-EDDF-46A0-A57D-F3802AE44275}
[2007/06/15 19:42:31 | 000,000,000 | ---D | M] -- C:\Documents and Settings\new user\Application Data\Aim
[2010/03/13 22:12:50 | 000,000,000 | ---D | M] -- C:\Documents and Settings\new user\Application Data\BitTorrent
[2008/03/12 20:42:12 | 000,000,000 | ---D | M] -- C:\Documents and Settings\new user\Application Data\BitTorrent DNA
[2010/01/12 20:54:51 | 000,000,000 | ---D | M] -- C:\Documents and Settings\new user\Application Data\DNA
[2008/01/25 02:00:59 | 000,000,000 | ---D | M] -- C:\Documents and Settings\new user\Application Data\iScreensaver
[2010/01/09 17:28:47 | 000,000,000 | ---D | M] -- C:\Documents and Settings\new user\Application Data\System Tweaker
[2010/03/14 01:01:47 | 000,000,000 | ---D | M] -- C:\Documents and Settings\new user\Application Data\Uniblue
[2007/06/15 19:42:57 | 000,000,000 | ---D | M] -- C:\Documents and Settings\new user\Application Data\Viewpoint

========== Purity Check ==========



========== Alternate Data Streams ==========

@Alternate Data Stream - 197 bytes -> C:\Documents and Settings\All Users\Application Data\TEMP:DFC5A2B2
@Alternate Data Stream - 109 bytes -> C:\Documents and Settings\All Users\Application Data\TEMP:A8ADE5D8
< End of report >



C:\Documents and Settings\new user\Desktop\HelpAsst_mebroot_fix.exe
Fri 03/19/2010 at 17:48:45.34

HelpAssistant account was found to be Active ~ attempting to de-activate

Full Name Remote Desktop Help Assistant Account
Account active Yes
Local Group Memberships *Administrators

HelpAssistant successfully set Inactive

~~ Checking for termsrv32.dll ~~

termsrv32.dll present! ~ attempting to remove
termsrv32.dll successfully removed

~~ Checking firewall ports ~~

backing up DomainProfile\GloballyOpenPorts\List registry key
closing rogue ports

HKLM\~\services\sharedaccess\parameters\firewallpolicy\domainprofile\globallyopenports\list
"65533:TCP"=-
"52344:TCP"=-
"3246:TCP"=-
"2479:TCP"=-
80:TCP=-

backing up StandardProfile\GloballyOpenPorts\List registry key
closing rogue ports

HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\globallyopenports\list
"65533:TCP"=-
"52344:TCP"=-
"2479:TCP"=-
"3246:TCP"=-
"3389:TCP"=-

HelpAssistant profile found in registry ~ backing up and removing S-1-5-21-789336058-507921405-839522115-1000
HelpAssistant profile directory exists at C:\Documents and Settings\HelpAssistant ~ attempting to remove
~ All C:\Documents and Settings\HelpAssistant files successfully removed ~

~~ Checking mbr ~~

user & kernel MBR OK

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Status check on Fri 03/19/2010 at 18:12:08.03

Full Name Remote Desktop Help Assistant Account
Account active No
Local Group Memberships

~~ Checking mbr ~~

Stealth MBR rootkit/Mebroot/Sinowal detector 0.3.7 by Gmer, http://www.gmer.net

device: opened successfully
user: MBR read successfully
called modules: ntkrnlpa.exe CLASSPNP.SYS disk.sys PCTCore.sys ACPI.sys hal.dll atapi.sys pciide.sys PCIIDEX.SYS
kernel: MBR read successfully
user & kernel MBR OK
copy of MBR has been found in sector 0x01D1C06C0
malicious code @ sector 0x01D1C06C3 !
PE file found in sector at 0x01D1C06D9 !

~~ Checking for termsrv32.dll ~~

termsrv32.dll not found


HKEY_LOCAL_MACHINE\system\currentcontrolset\services\termservice\parameters
ServiceDll REG_EXPAND_SZ %systemroot%\System32\termsrv.dll

~~ Checking profile list ~~

No HelpAssistant profile in List

~~ Checking for HelpAssistant directories ~~

none found

~~ Checking firewall ports ~~

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\domainprofile\GloballyOpenPorts\List]
80:TCP=80:TCP:*:Enabled:Services

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]


~~ EOF ~~

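The HelpAsst_mebroot_fix log above shows the pattern that tool looks for: the built-in HelpAssistant account re-enabled and placed in Administrators, a dropped termsrv32.dll serving Terminal Services, a leftover HelpAssistant profile, and extra TCP ports (including 3389) pushed into the firewall's GloballyOpenPorts lists so the backdoor is reachable. The script below is an added, read-only re-check of those same indicators; it is not part of the thread or of the fix tool. It assumes PowerShell 2.0 or later run as Administrator on the Windows XP-era host, and the $ExpectedOpenPorts allow-list is a hypothetical value you adapt to what the owner actually opened.

```powershell
# Added example, not from the thread or the HelpAsst_mebroot_fix tool.
# Read-only check of the RDP/HelpAssistant backdoor indicators that the fix log reports.
# Assumptions: PowerShell 2.0+, run as Administrator; $ExpectedOpenPorts is a hypothetical
# allow-list of ports the owner legitimately opened.

$ExpectedOpenPorts = @('80:TCP')

function Test-HelpAssistantBackdoor {
    $findings = @()

    # 1. HelpAssistant ships disabled and must never be a member of Administrators.
    $acct = Get-WmiObject Win32_UserAccount -Filter "LocalAccount=True AND Name='HelpAssistant'"
    if ($acct -and -not $acct.Disabled) {
        $findings += 'HelpAssistant account is enabled'
    }
    $admins  = [ADSI]'WinNT://./Administrators,group'
    $members = @($admins.Invoke('Members') | ForEach-Object {
        $_.GetType().InvokeMember('Name', 'GetProperty', $null, $_, $null) })
    if ($members -contains 'HelpAssistant') {
        $findings += 'HelpAssistant is a member of Administrators'
    }

    # 2. Terminal Services must be served by termsrv.dll, not a dropped termsrv32.dll.
    $sys32 = Join-Path $env:SystemRoot 'System32'
    if (Test-Path (Join-Path $sys32 'termsrv32.dll')) {
        $findings += 'termsrv32.dll present in System32'
    }
    $tsParams = 'HKLM:\SYSTEM\CurrentControlSet\Services\TermService\Parameters'
    $svcDll = (Get-ItemProperty -Path $tsParams -Name ServiceDll -ErrorAction SilentlyContinue).ServiceDll
    if ($svcDll -and ($svcDll -notmatch 'termsrv\.dll$')) {
        $findings += "TermService ServiceDll is $svcDll"
    }

    # 3. A HelpAssistant profile directory means the account was used to log on.
    $profilesRoot = Split-Path $env:USERPROFILE -Parent
    if (Test-Path (Join-Path $profilesRoot 'HelpAssistant')) {
        $findings += 'HelpAssistant profile directory exists'
    }

    # 4. Globally open ports in both firewall profiles; anything outside the allow-list
    #    is reported, RDP 3389 included, because the owner did not open it.
    $fwBase = 'HKLM:\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy'
    foreach ($profile in 'DomainProfile', 'StandardProfile') {
        $key = "$fwBase\$profile\GloballyOpenPorts\List"
        if (-not (Test-Path $key)) { continue }
        $props = Get-ItemProperty -Path $key
        $portNames = $props.PSObject.Properties |
            Where-Object { $_.Name -match '^\d+:(TCP|UDP)$' } |
            ForEach-Object { $_.Name }
        foreach ($name in $portNames) {
            if ($ExpectedOpenPorts -notcontains $name) {
                $findings += "$profile has unexpected open port $name ($($props.$name))"
            }
        }
    }
    return $findings
}

$result = @(Test-HelpAssistantBackdoor)
if ($result.Count -eq 0) {
    'No HelpAssistant / termsrv32 / rogue-port indicators found'
} else {
    $result | ForEach-Object { "FINDING: $_" }
}
```

A clean host prints the single "No ... indicators found" line; on the machine in this thread, before the fix ran, it would have reported the enabled account, the Administrators membership, termsrv32.dll, the profile directory and five unexpected ports per profile. It does not repair anything, so it is safe to run again after cleaning to confirm the firewall lists and the account stayed fixed.
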
#6 Essexboy

  • Group: GeekU Moderator
  • Posts: 56,116
  • Joined: 31-May 06

Posted 20 March 2010 - 05:39 AM

OK that looks to have got it

I would now like you to update and run Combofix, also let me know of the problems you are now experiencing

Download ComboFix from one of these locations:


Link 1
Link 2


* IMPORTANT !!! Save ComboFix.exe to your Desktop


  • Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools


  • Double click on ComboFix.exe & follow the prompts.


  • As part of its process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.


  • Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.


**Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue its malware removal procedures.


Posted Image


Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:

Posted Image


Click on Yes, to continue scanning for malware.

When finished, it shall produce a log for you. Please include the C:\ComboFix.txt in your next reply.

#7 pixman

  • Group: Member
  • Posts: 15
  • Joined: 11-January 10

Posted 20 March 2010 - 01:47 PM

Thank you, my computer seems to be working. I can get automatic updates, but I can't seem to install the latest .Net Framework. I'm not sure if this has to do with the virus or not.


ComboFix 10-03-19.08 - new user 03/20/2010 12:28:26.2.2 - x86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.1013.585 [GMT -7:00]
Running from: c:\documents and settings\new user\Desktop\ComboFix.exe
AV: Symantec AntiVirus Corporate Edition *On-access scanning disabled* (Updated) {FB06448E-52B8-493A-90F3-E43226D3305C}
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
---- Previous Run -------
.
c:\windows\system32\zadowebi.dll
c:\windows\system32\zukuzibi.dll
c:\windows\Tasks\qgupephw.job

.
((((((((((((((((((((((((( Files Created from 2010-02-20 to 2010-03-20 )))))))))))))))))))))))))))))))
.

2010-03-20 19:00 . 2010-03-20 19:00 -------- d-----w- C:\6cb3c1dc6b5e666cd8bbd687c5
2010-03-20 06:00 . 2010-03-20 06:01 -------- d-----w- C:\77f03538e20a9dc953dbd7e5f676ce61
2010-03-20 05:56 . 2010-03-20 05:56 -------- d-----w- C:\9c63df2a90ef5f722f3849ead4
2010-03-20 05:56 . 2010-03-20 05:56 -------- d-----w- C:\f95b239900633035c087
2010-03-20 05:34 . 2010-03-20 05:35 -------- d-----w- C:\19ce4cd69753652fce42
2010-03-20 05:28 . 2010-03-20 05:28 -------- d-----w- C:\eaff6f842316bbf0646d09
2010-03-20 00:48 . 2010-03-20 00:48 -------- d-----w- C:\HelpAsst_backup
2010-03-20 00:30 . 2010-03-20 00:30 -------- d-----w- C:\_OTL
2010-03-19 00:27 . 2010-03-19 00:27 -------- d-----w- C:\14af260fe2a65f1160c87270a0
2010-03-18 08:03 . 2010-03-18 08:03 -------- d-----w- C:\c93a8c3946a6dbfe8b67
2010-03-18 06:24 . 2010-03-18 06:24 -------- d--h--w- c:\windows\system32\GroupPolicy
2010-03-17 23:46 . 2010-03-17 23:46 -------- d-----w- c:\documents and settings\Administrator\Application Data\Webroot
2010-03-17 20:25 . 2009-12-30 21:55 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-03-17 20:25 . 2009-12-30 21:54 19160 ----a-w- c:\windows\system32\drivers\mbam.sys
2010-03-17 20:25 . 2010-03-18 17:12 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2010-03-14 22:39 . 2010-03-14 23:05 -------- d-----w- c:\program files\Malwareby
2010-03-14 07:37 . 2010-03-14 07:37 -------- d-----w- c:\documents and settings\new user\Local Settings\Application Data\Real
2010-03-14 07:34 . 2010-03-14 07:34 -------- d-----w- c:\program files\Common Files\xing shared
2010-03-12 05:36 . 2010-03-12 05:36 -------- d-s---w- c:\windows\system32\config\systemprofile\UserData
2010-03-10 20:00 . 2010-03-10 20:00 -------- d-----w- C:\933523aa0e8f42c6c711d757
2010-03-10 19:29 . 2009-10-23 15:28 3558912 -c----w- c:\windows\system32\dllcache\moviemk.exe
2010-03-02 06:20 . 2010-03-02 06:20 -------- d-----w- c:\documents and settings\new user\Local Settings\Application Data\Threat Expert
2010-03-01 05:15 . 2010-03-01 05:15 -------- d-----w- c:\windows\system32\config\systemprofile\Local Settings\Application Data\Threat Expert
2010-03-01 03:01 . 2010-03-01 03:01 -------- d-----w- C:\d1c47159e4b686579b27
2010-03-01 02:09 . 2010-01-21 23:21 149456 ----a-w- c:\windows\SGDetectionTool.dll
2010-03-01 02:09 . 2010-01-21 23:21 767952 ----a-w- c:\windows\BDTSupport.dll
2010-03-01 02:09 . 2008-11-26 20:08 131 ----a-w- c:\windows\IDB.zip
2010-03-01 02:09 . 2010-01-21 23:21 165840 ----a-w- c:\windows\PCTBDRes.dll
2010-03-01 02:09 . 2010-01-21 23:21 1652688 ----a-w- c:\windows\PCTBDCore.dll
2010-03-01 02:09 . 2009-10-28 09:36 1152444 ----a-w- c:\windows\UDB.zip
2010-03-01 02:08 . 2009-10-30 19:11 233136 ----a-w- c:\windows\system32\drivers\pctgntdi.sys
2010-03-01 02:07 . 2009-11-09 19:20 207792 ----a-w- c:\windows\system32\drivers\PCTCore.sys
2010-03-01 02:07 . 2009-10-07 00:31 87784 ----a-w- c:\windows\system32\drivers\PCTAppEvent.sys
2010-03-01 02:07 . 2009-09-03 17:45 70408 ----a-w- c:\windows\system32\drivers\pctplsg.sys
2010-03-01 02:07 . 2010-03-18 03:03 -------- d-----w- c:\program files\Spyware Doctor
2010-03-01 02:07 . 2010-03-01 02:09 -------- d-----w- c:\program files\Common Files\PC Tools
2010-03-01 02:07 . 2010-03-01 02:07 -------- d-----w- c:\documents and settings\new user\Application Data\PC Tools
2010-03-01 02:07 . 2010-03-01 02:07 -------- d-----w- c:\documents and settings\All Users\Application Data\PC Tools
2010-02-22 01:50 . 2010-02-22 01:50 -------- d-----w- c:\documents and settings\new user\Local Settings\Application Data\Unity
2010-02-19 00:58 . 2010-02-19 00:58 -------- d-----w- C:\d29a88a6b16a8184462fe9

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-03-20 19:36 . 2010-02-06 22:31 -------- d---a-w- c:\documents and settings\All Users\Application Data\TEMP
2010-03-20 01:53 . 2010-03-20 01:53 45232 ----a-w- c:\documents and settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\APTemp\AP0.dll
2010-03-20 00:37 . 2007-06-12 18:33 -------- d-----w- c:\program files\Symantec AntiVirus
2010-03-19 22:06 . 2008-08-02 01:23 -------- d-----w- c:\documents and settings\All Users\Application Data\Google Updater
2010-03-18 06:32 . 2010-02-06 22:33 15944 ----a-w- c:\windows\system32\drivers\hitmanpro35.sys
2010-03-14 08:55 . 2010-01-09 23:59 -------- d-----w- c:\program files\Uniblue
2010-03-14 08:01 . 2010-01-09 23:59 -------- d-----w- c:\documents and settings\new user\Application Data\Uniblue
2010-03-14 07:36 . 2010-03-14 07:36 118784 ----a-w- c:\documents and settings\All Users\Application Data\Real\RealPlayer\BrowserRecordPlugin\ThinShims\rpnpshimwmp.dll
2010-03-14 07:36 . 2010-03-14 07:36 118784 ----a-w- c:\documents and settings\All Users\Application Data\Real\RealPlayer\BrowserRecordPlugin\ThinShims\rpnpshimswf.dll
2010-03-14 07:36 . 2010-03-14 07:36 118784 ----a-w- c:\documents and settings\All Users\Application Data\Real\RealPlayer\BrowserRecordPlugin\ThinShims\rpnpshimrp.dll
2010-03-14 07:36 . 2010-03-14 07:36 118784 ----a-w- c:\documents and settings\All Users\Application Data\Real\RealPlayer\BrowserRecordPlugin\ThinShims\rpnpshimqt.dll
2010-03-14 07:36 . 2010-03-14 07:36 118784 ----a-w- c:\documents and settings\All Users\Application Data\Real\RealPlayer\BrowserRecordPlugin\Firefox\Ext\Components\nprpffbrowserrecordext.dll
2010-03-14 07:36 . 2010-03-14 07:36 300616 ----a-w- c:\documents and settings\All Users\Application Data\Real\RealPlayer\BrowserRecordPlugin\Common\rpmainbrowserrecordplugin.dll
2010-03-14 07:36 . 2010-03-14 07:36 118784 ----a-w- c:\documents and settings\All Users\Application Data\Real\RealPlayer\BrowserRecordPlugin\Chrome\Hook\rpchromebrowserrecordhelper.dll
2010-03-14 07:35 . 2010-03-14 07:35 329312 ----a-w- c:\documents and settings\All Users\Application Data\Real\RealPlayer\BrowserRecordPlugin\IE\rpbrowserrecordplugin.dll
2010-03-14 07:35 . 2007-09-27 03:04 -------- d-----w- c:\program files\Common Files\Real
2010-03-14 07:34 . 2007-09-27 03:04 -------- d-----w- c:\program files\Real
2010-03-14 05:12 . 2007-06-16 21:59 -------- d-----w- c:\documents and settings\new user\Application Data\BitTorrent
2010-03-13 02:15 . 2006-02-28 12:00 96512 ------w- c:\windows\system32\drivers\atapi.sys
2010-03-13 01:21 . 2010-03-03 01:15 439816 ----a-w- c:\documents and settings\new user\Application Data\Real\Update\setup3.10\setup.exe
2010-03-12 05:07 . 2010-03-12 05:07 4004960 ----a-w- c:\documents and settings\new user\Application Data\Uniblue\RegistryBooster\_temp\ub.exe
2010-03-09 18:19 . 2007-06-16 21:59 -------- d-----w- c:\program files\BitTorrent
2010-02-23 21:16 . 2007-06-11 21:11 -------- d--h--w- c:\program files\InstallShield Installation Information
2010-02-23 21:16 . 2007-06-11 21:10 -------- d-----w- c:\program files\Common Files\InstallShield
2010-02-14 05:18 . 2010-02-14 05:17 -------- d-----w- c:\program files\iTunes
2010-02-14 05:17 . 2010-02-14 05:17 -------- d-----w- c:\program files\iPod
2010-02-14 05:17 . 2007-09-28 01:10 -------- d-----w- c:\program files\Common Files\Apple
2010-02-14 05:11 . 2009-10-04 07:38 -------- d-----w- c:\program files\QuickTime
2010-02-14 05:05 . 2010-02-14 05:05 72488 ----a-w- c:\documents and settings\All Users\Application Data\Apple Computer\Installer Cache\iTunes 9.0.3.15\SetupAdmin.exe
2010-02-14 05:03 . 2008-08-25 04:37 -------- d-----w- c:\program files\Safari
2010-02-14 04:58 . 2010-02-14 04:58 79144 ----a-w- c:\documents and settings\All Users\Application Data\Apple Computer\Installer Cache\Safari 5.31.21.10\SetupAdmin.exe
2010-02-08 03:42 . 2008-08-02 01:23 -------- d-----w- c:\program files\Google
2010-02-06 22:37 . 2010-02-06 22:32 -------- d-----w- c:\documents and settings\All Users\Application Data\Hitman Pro
2010-02-06 22:32 . 2010-02-06 22:32 -------- d-----w- c:\program files\Hitman Pro 3.5
2010-02-06 21:25 . 2010-02-06 21:25 0 ----a-w- c:\windows\nsreg.dat
2010-01-22 20:17 . 2009-01-03 06:26 -------- d-----w- c:\program files\Microsoft Silverlight
2010-01-17 03:08 . 2007-07-26 03:53 18384 ----a-w- c:\documents and settings\new user\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2010-01-15 17:10 . 2010-01-15 17:10 144160 ----a-w- c:\documents and settings\new user\Application Data\Move Networks\uninstall.exe
2010-01-15 17:10 . 2009-12-10 19:26 4187512 ----a-w- c:\documents and settings\new user\Application Data\Move Networks\plugins\npqmp071505000011.dll
2010-01-15 02:10 . 2009-05-10 00:11 164 ----a-w- c:\windows\install.dat
2010-01-12 02:19 . 2010-01-12 02:19 388096 ----a-r- c:\documents and settings\new user\Application Data\Microsoft\Installer\{0761C9A8-8F3A-4216-B4A7-B7AFBF24A24A}\HiJackThis.exe
2010-01-09 07:15 . 2009-12-04 12:37 79488 ----a-w- c:\documents and settings\new user\Application Data\Sun\Java\jre1.6.0_17\gtapi.dll
2009-12-31 16:50 . 2006-02-28 12:00 353792 ----a-w- c:\windows\system32\drivers\srv.sys
2009-12-22 05:21 . 2006-02-28 12:00 667136 ------w- c:\windows\system32\wininet.dll
2009-12-22 05:20 . 2009-09-25 05:37 81920 ------w- c:\windows\system32\ieencode.dll
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"RTHDCPL"="c:\windows\RTHDCPL.EXE" [2006-11-15 16270848]
"SpySweeper"="c:\program files\Webroot\WebrootSecurity\SpySweeperUI.exe" [2009-11-06 6515784]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WebrootSpySweeperService]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WRConsumerService]
@="Service"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}]
2007-06-28 02:03 152872 ----a-w- c:\program files\Common Files\Ahead\Lib\NMBgMonitor.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ccApp]
2006-03-07 20:02 53408 ----a-w- c:\program files\Common Files\Symantec Shared\ccApp.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HitmanPro35]
2010-03-06 03:15 5650240 ----a-w- c:\program files\Hitman Pro 3.5\HitmanPro35.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\igfxhkcmd]
2006-02-07 00:36 77824 ----a-r- c:\windows\system32\hkcmd.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\igfxpers]
2006-02-07 00:40 118784 ----a-r- c:\windows\system32\igfxpers.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\igfxtray]
2006-02-07 00:39 94208 ----a-r- c:\windows\system32\igfxtray.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]
2010-01-23 03:16 141608 ----a-w- c:\program files\iTunes\iTunesHelper.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
2009-11-11 07:08 417792 ----a-w- c:\program files\QuickTime\QTTask.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SkyTel]
2006-05-17 02:04 2879488 ------r- c:\windows\SkyTel.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SpySweeper]
2009-11-06 23:19 6515784 ----a-w- c:\program files\Webroot\WebrootSecurity\SpySweeperUI.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TkBellExe]
2010-03-14 07:32 202256 ----a-w- c:\program files\Common Files\Real\Update_OB\realsched.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\vptray]
2006-03-17 13:34 124656 ----a-w- c:\progra~1\SYMANT~1\VPTray.exe

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\AIM\\aim.exe"=
"c:\\Program Files\\BitTorrent\\bittorrent.exe"=
"c:\\Program Files\\QuickTime\\QuickTimePlayer.exe"=
"c:\\Program Files\\BitTorrent_DNA\\dna.exe"=
"c:\\Program Files\\DNA\\btdna.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\Common Files\\Symantec Shared\\ccApp.exe"=
"c:\\WINDOWS\\system32\\spoolsv.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\\Program Files\\Webroot\\WebrootSecurity\\SpySweeperUI.exe"=
"c:\\WINDOWS\\RTHDCPL.exe"=

R0 PCTCore;PCTools KDS;c:\windows\system32\drivers\PCTCore.sys [2/28/2010 7:07 PM 207792]
R0 ssfs0bbc;ssfs0bbc;c:\windows\system32\drivers\ssfs0bbc.sys [11/6/2009 1:00 PM 29808]
R2 Browser Defender Update Service;Browser Defender Update Service;c:\program files\Spyware Doctor\BDT\BDTUpdateService.exe [2/28/2010 7:09 PM 112592]
R2 WRConsumerService;Webroot Client Service;c:\program files\Webroot\WebrootSecurity\WRConsumerService.exe [1/14/2010 7:12 PM 1201640]
R3 EraserUtilRebootDrv;EraserUtilRebootDrv;c:\program files\Common Files\Symantec Shared\EENGINE\EraserUtilRebootDrv.sys [1/13/2010 10:02 PM 102448]
S0 qsvdcyta;qsvdcyta;c:\windows\system32\drivers\gjkkfsby.sys --> c:\windows\system32\drivers\gjkkfsby.sys [?]
S2 gupdate;Google Update Service (gupdate);c:\program files\Google\Update\GoogleUpdate.exe [12/25/2009 6:33 PM 135664]
S3 SavRoam;SAVRoam;c:\program files\Symantec AntiVirus\SavRoam.exe [3/17/2006 6:34 AM 115952]
S3 sdAuxService;PC Tools Auxiliary Service;c:\program files\Spyware Doctor\pctsAuxs.exe [2/28/2010 7:07 PM 359624]
.
Contents of the 'Scheduled Tasks' folder

2010-03-14 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2007-08-29 19:34]

2010-03-20 c:\windows\Tasks\Google Software Updater.job
- c:\program files\Google\Common\Google Updater\GoogleUpdaterService.exe [2008-08-02 01:49]

2010-03-20 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files\Google\Update\GoogleUpdate.exe [2009-12-26 01:32]

2010-03-20 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files\Google\Update\GoogleUpdate.exe [2009-12-26 01:32]

2010-03-20 c:\windows\Tasks\RealUpgradeLogonTaskS-1-5-21-789336058-507921405-839522115-1003.job
- c:\program files\Real\RealUpgrade\realupgrade.exe [2010-02-25 06:09]

2010-03-14 c:\windows\Tasks\RealUpgradeScheduledTaskS-1-5-21-789336058-507921405-839522115-1003.job
- c:\program files\Real\RealUpgrade\realupgrade.exe [2010-02-25 06:09]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.com/
FF - ProfilePath - c:\documents and settings\new user\Application Data\Mozilla\Firefox\Profiles\oex1f314.default\
FF - plugin: c:\documents and settings\new user\Application Data\Move Networks\plugins\npqmp071505000011.dll
FF - plugin: c:\documents and settings\new user\Local Settings\Application Data\Unity\WebPlayer\loader\npUnity3D32.dll
FF - plugin: c:\program files\Google\Google Earth\plugin\npgeplugin.dll
FF - plugin: c:\program files\Google\Google Updater\2.4.1536.6592\npCIDetect13.dll
FF - plugin: c:\program files\Google\Update\1.2.183.23\npGoogleOneClick8.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\NPTURNMED.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\

---- FIREFOX POLICIES ----
c:\program files\Mozilla Firefox\greprefs\all.js - pref("ui.use_native_colors", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("ui.use_native_popup_windows", false);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.enable_click_image_resizing", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("accessibility.browsewithcaret_shortcut.enabled", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("javascript.options.mem.high_water_mark", 32);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("javascript.options.mem.gc_frequency", 1600);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.auth.force-generic-ntlm", false);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("svg.smil.enabled", false);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("ui.trackpoint_hack.enabled", -1);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.debug", false);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.agedWeight", 2);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.bucketSize", 1);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.maxTimeGroupings", 25);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.timeGroupingSize", 604800);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.boundaryWeight", 25);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.prefixWeight", 5);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("html5.enable", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox-branding.js - pref("app.update.download.backgroundInterval", 600);
c:\program files\Mozilla Firefox\defaults\pref\firefox-branding.js - pref("app.update.url.manual", "http://www.firefox.com");
c:\program files\Mozilla Firefox\defaults\pref\firefox-branding.js - pref("browser.search.param.yahoo-fr-ja", "mozff");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.name", "chrome://browser/locale/browser.properties");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.description", "chrome://browser/locale/browser.properties");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("xpinstall.whitelist.add", "addons.mozilla.org");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("xpinstall.whitelist.add.36", "getpersonas.com");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("lightweightThemes.update.enabled", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.allTabs.previews", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("plugins.hide_infobar_for_outdated_plugin", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("plugins.update.notifyUser", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("toolbar.customization.usesheet", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.enable", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.max", 20);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.cachetime", 20);
.
- - - - ORPHANS REMOVED - - - -

SharedTaskScheduler-{18ffef2b-2015-4297-b4f1-40cfe7649db1} - c:\windows\system32\nipujija.dll
SSODL-ferililab-{18ffef2b-2015-4297-b4f1-40cfe7649db1} - c:\windows\system32\nipujija.dll
MSConfigStartUp-rizurapim - c:\windows\system32\nipujija.dll
MSConfigStartUp-UfSeAgnt - c:\program files\Trend Micro\Internet Security\UfSeAgnt.exe
MSConfigStartUp-vogifomedi - zukuzibi.dll



**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2010-03-20 12:36
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_USERS\S-1-5-21-789336058-507921405-839522115-1003\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\{11645ED4-E37E-C8F1-181A-10739179EA99}*]
@Allowed: (Read) (RestrictedCode)
@Allowed: (Read) (RestrictedCode)
"jadpeifacjfhdldhooml"=hex:62,61,70,65,00,00
"jadpeifacjfhdldhooam"=hex:62,61,63,66,00,00
"iadgaeifoaofjldofm"=hex:6b,61,6b,65,67,6a,62,6f,6e,61,6f,63,62,69,63,6d,66,62,
63,70,6d,6f,00,00
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'explorer.exe'(1852)
c:\program files\Common Files\Ahead\Lib\NeroSearchBar.dll
c:\program files\Common Files\Ahead\Lib\MFC71U.DLL
c:\program files\Common Files\Ahead\Lib\BCGCBPRO860un71.dll
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
------------------------ Other Running Processes ------------------------
.
c:\program files\Common Files\Symantec Shared\ccSetMgr.exe
c:\program files\Common Files\Symantec Shared\ccEvtMgr.exe
c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
c:\program files\Bonjour\mDNSResponder.exe
c:\program files\Java\jre6\bin\jqs.exe
c:\program files\CyberLink\Shared Files\RichVideo.exe
c:\program files\Webroot\WebrootSecurity\SpySweeper.exe
c:\windows\system32\wscntfy.exe
c:\program files\Webroot\WebrootSecurity\SSU.EXE
.
**************************************************************************
.
Completion time: 2010-03-20 12:41:56 - machine was rebooted
ComboFix-quarantined-files.txt 2010-03-20 19:41
ComboFix2.txt 2010-03-14 23:15
ComboFix3.txt 2010-02-06 11:12

Pre-Run: 186,414,747,648 bytes free
Post-Run: 186,478,866,432 bytes free

- - End Of File - - 2B6D80EA62C8CB7605572A4C59BDFAF0

#8 Essexboy

  • Group: GeekU Moderator
  • Posts: 56,116
  • Joined: 31-May 06

Posted 20 March 2010 - 02:09 PM

What error do you get for .NET?

1. Please open Notepad
  • Click Start , then Run
  • Type notepad.exe in the Run Box.


2. Now copy/paste the entire content of the codebox below into the Notepad window:

File::
c:\windows\system32\drivers\gjkkfsby.sys 

Driver::
qsvdcyta


3. Then in the text file go to FILE > SAVE AS and in the dropdown box select SAVE AS TYPE to ALL FILES

4. Save the above as CFScript.txt

5. Then drag the CFScript.txt into ComboFix.exe as depicted in the animation below. This will start ComboFix again.

Posted Image


6. After reboot, (in case it asks to reboot), please post the following reports/logs into your next reply:
  • Combofix.txt
  • A new OTListit log.


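The CFScript above targets the line "S0 qsvdcyta;qsvdcyta;c:\windows\system32\drivers\gjkkfsby.sys --> ... [?]" from the ComboFix log: a boot-start (Start = 0) driver service with a random name whose binary is no longer on disk. Services that load at boot or system start run before any security tool, so an orphaned or randomly named entry there deserves a look. The script below is an added example of how to list such entries yourself; it is not from the thread or from ComboFix, it is read-only, and it assumes PowerShell 2.0 or later with read access to HKLM\SYSTEM.

```powershell
# Added example, not from the thread or ComboFix.
# Lists boot-start (0) and system-start (1) services whose ImagePath points to a file
# that does not exist, the pattern behind ComboFix's "S0 qsvdcyta ... gjkkfsby.sys [?]" line.
# Assumption: PowerShell 2.0+, read access to HKLM\SYSTEM\CurrentControlSet\Services.

function Resolve-DriverImagePath {
    param([string]$ImagePath)
    # Service ImagePath values come in several spellings; normalise them to a full path:
    #   \??\C:\path\x.sys          -> C:\path\x.sys
    #   \SystemRoot\system32\x.sys -> C:\WINDOWS\system32\x.sys
    #   system32\drivers\x.sys     -> C:\WINDOWS\system32\drivers\x.sys
    $p = $ImagePath.Trim('"')
    $p = $p -replace '^\\\?\?\\', ''
    $p = $p -replace '^\\SystemRoot\\', "$env:SystemRoot\"
    if ($p -notmatch '^[A-Za-z]:\\') {
        $p = Join-Path $env:SystemRoot $p
    }
    return $p
}

function Get-OrphanedEarlyStartDrivers {
    $svcRoot = 'HKLM:\SYSTEM\CurrentControlSet\Services'
    Get-ChildItem $svcRoot | ForEach-Object {
        $props = Get-ItemProperty $_.PSPath
        # Only boot-start (0) and system-start (1) entries; later-start services are
        # visible to normal tooling and far less interesting here.
        if ($props.Start -ne 0 -and $props.Start -ne 1) { return }
        if (-not $props.ImagePath) { return }
        $full = Resolve-DriverImagePath $props.ImagePath
        if (-not (Test-Path $full)) {
            New-Object PSObject -Property @{
                Service   = $_.PSChildName
                Start     = $props.Start
                ImagePath = $props.ImagePath
                Resolved  = $full
            }
        }
    }
}

Get-OrphanedEarlyStartDrivers | Format-Table Service, Start, ImagePath -AutoSize
```

An empty table is the expected result on a clean machine. A hit is not automatically malware: an uninstaller that removed its driver but left the service key produces the same output. What marks the entry in this thread is the combination of a boot-start type, a randomly generated eight-letter service name, and a driver file name that matches nothing installed. Removal is still best left to a tool that also handles the registry key and the reboot, as the Driver:: directive in the CFScript does.
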
#9 pixman

  • Group: Member
  • Posts: 15
  • Joined: 11-January 10

Posted 20 March 2010 - 03:04 PM

I can't install this update:
Microsoft .NET Framework 3.5 Service Pack 1 and .NET Framework 3.5 Family Update for .NET versions 2.0 through 3.5 (KB951847) x86

Do you want me to run a Quick scan in OTL?

Here's my combofix log:




ComboFix 10-03-19.08 - new user 03/20/2010 13:42:05.3.2 - x86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.1013.489 [GMT -7:00]
Running from: c:\documents and settings\new user\Desktop\ComboFix.exe
Command switches used :: c:\documents and settings\new user\Desktop\CFScript.txt
AV: Symantec AntiVirus Corporate Edition *On-access scanning disabled* (Updated) {FB06448E-52B8-493A-90F3-E43226D3305C}

FILE ::
"c:\windows\system32\drivers\gjkkfsby.sys"
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\documents and settings\new user\.exe

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Service_qsvdcyta


((((((((((((((((((((((((( Files Created from 2010-02-20 to 2010-03-20 )))))))))))))))))))))))))))))))
.

2010-03-20 19:00 . 2010-03-20 19:00 -------- d-----w- C:\6cb3c1dc6b5e666cd8bbd687c5
2010-03-20 06:00 . 2010-03-20 06:01 -------- d-----w- C:\77f03538e20a9dc953dbd7e5f676ce61
2010-03-20 05:56 . 2010-03-20 05:56 -------- d-----w- C:\9c63df2a90ef5f722f3849ead4
2010-03-20 05:56 . 2010-03-20 05:56 -------- d-----w- C:\f95b239900633035c087
2010-03-20 05:34 . 2010-03-20 05:35 -------- d-----w- C:\19ce4cd69753652fce42
2010-03-20 05:28 . 2010-03-20 05:28 -------- d-----w- C:\eaff6f842316bbf0646d09
2010-03-20 00:48 . 2010-03-20 00:48 -------- d-----w- C:\HelpAsst_backup
2010-03-20 00:30 . 2010-03-20 00:30 -------- d-----w- C:\_OTL
2010-03-19 00:27 . 2010-03-19 00:27 -------- d-----w- C:\14af260fe2a65f1160c87270a0
2010-03-18 08:03 . 2010-03-18 08:03 -------- d-----w- C:\c93a8c3946a6dbfe8b67
2010-03-18 06:24 . 2010-03-18 06:24 -------- d--h--w- c:\windows\system32\GroupPolicy
2010-03-17 23:46 . 2010-03-17 23:46 -------- d-----w- c:\documents and settings\Administrator\Application Data\Webroot
2010-03-17 20:25 . 2009-12-30 21:55 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-03-17 20:25 . 2009-12-30 21:54 19160 ----a-w- c:\windows\system32\drivers\mbam.sys
2010-03-17 20:25 . 2010-03-18 17:12 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2010-03-14 22:39 . 2010-03-14 23:05 -------- d-----w- c:\program files\Malwareby
2010-03-14 07:37 . 2010-03-14 07:37 -------- d-----w- c:\documents and settings\new user\Local Settings\Application Data\Real
2010-03-14 07:34 . 2010-03-14 07:34 -------- d-----w- c:\program files\Common Files\xing shared
2010-03-12 05:36 . 2010-03-12 05:36 -------- d-s---w- c:\windows\system32\config\systemprofile\UserData
2010-03-10 20:00 . 2010-03-10 20:00 -------- d-----w- C:\933523aa0e8f42c6c711d757
2010-03-10 19:29 . 2009-10-23 15:28 3558912 -c----w- c:\windows\system32\dllcache\moviemk.exe
2010-03-02 06:20 . 2010-03-02 06:20 -------- d-----w- c:\documents and settings\new user\Local Settings\Application Data\Threat Expert
2010-03-01 05:15 . 2010-03-01 05:15 -------- d-----w- c:\windows\system32\config\systemprofile\Local Settings\Application Data\Threat Expert
2010-03-01 03:01 . 2010-03-01 03:01 -------- d-----w- C:\d1c47159e4b686579b27
2010-03-01 02:09 . 2010-01-21 23:21 149456 ----a-w- c:\windows\SGDetectionTool.dll
2010-03-01 02:09 . 2010-01-21 23:21 767952 ----a-w- c:\windows\BDTSupport.dll
2010-03-01 02:09 . 2008-11-26 20:08 131 ----a-w- c:\windows\IDB.zip
2010-03-01 02:09 . 2010-01-21 23:21 165840 ----a-w- c:\windows\PCTBDRes.dll
2010-03-01 02:09 . 2010-01-21 23:21 1652688 ----a-w- c:\windows\PCTBDCore.dll
2010-03-01 02:09 . 2009-10-28 09:36 1152444 ----a-w- c:\windows\UDB.zip
2010-03-01 02:08 . 2009-10-30 19:11 233136 ----a-w- c:\windows\system32\drivers\pctgntdi.sys
2010-03-01 02:07 . 2009-11-09 19:20 207792 ----a-w- c:\windows\system32\drivers\PCTCore.sys
2010-03-01 02:07 . 2009-10-07 00:31 87784 ----a-w- c:\windows\system32\drivers\PCTAppEvent.sys
2010-03-01 02:07 . 2009-09-03 17:45 70408 ----a-w- c:\windows\system32\drivers\pctplsg.sys
2010-03-01 02:07 . 2010-03-18 03:03 -------- d-----w- c:\program files\Spyware Doctor
2010-03-01 02:07 . 2010-03-01 02:09 -------- d-----w- c:\program files\Common Files\PC Tools
2010-03-01 02:07 . 2010-03-01 02:07 -------- d-----w- c:\documents and settings\new user\Application Data\PC Tools
2010-03-01 02:07 . 2010-03-01 02:07 -------- d-----w- c:\documents and settings\All Users\Application Data\PC Tools
2010-02-22 01:50 . 2010-02-22 01:50 -------- d-----w- c:\documents and settings\new user\Local Settings\Application Data\Unity
2010-02-19 00:58 . 2010-02-19 00:58 -------- d-----w- C:\d29a88a6b16a8184462fe9

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-03-20 20:50 . 2010-02-06 22:31 -------- d---a-w- c:\documents and settings\All Users\Application Data\TEMP
2010-03-20 20:39 . 2007-06-12 18:33 -------- d-----w- c:\program files\Symantec AntiVirus
2010-03-19 22:06 . 2008-08-02 01:23 -------- d-----w- c:\documents and settings\All Users\Application Data\Google Updater
2010-03-18 06:32 . 2010-02-06 22:33 15944 ----a-w- c:\windows\system32\drivers\hitmanpro35.sys
2010-03-14 08:55 . 2010-01-09 23:59 -------- d-----w- c:\program files\Uniblue
2010-03-14 08:01 . 2010-01-09 23:59 -------- d-----w- c:\documents and settings\new user\Application Data\Uniblue
2010-03-14 07:36 . 2010-03-14 07:36 118784 ----a-w- c:\documents and settings\All Users\Application Data\Real\RealPlayer\BrowserRecordPlugin\ThinShims\rpnpshimwmp.dll
2010-03-14 07:36 . 2010-03-14 07:36 118784 ----a-w- c:\documents and settings\All Users\Application Data\Real\RealPlayer\BrowserRecordPlugin\ThinShims\rpnpshimswf.dll
2010-03-14 07:36 . 2010-03-14 07:36 118784 ----a-w- c:\documents and settings\All Users\Application Data\Real\RealPlayer\BrowserRecordPlugin\ThinShims\rpnpshimrp.dll
2010-03-14 07:36 . 2010-03-14 07:36 118784 ----a-w- c:\documents and settings\All Users\Application Data\Real\RealPlayer\BrowserRecordPlugin\ThinShims\rpnpshimqt.dll
2010-03-14 07:36 . 2010-03-14 07:36 118784 ----a-w- c:\documents and settings\All Users\Application Data\Real\RealPlayer\BrowserRecordPlugin\Firefox\Ext\Components\nprpffbrowserrecordext.dll
2010-03-14 07:36 . 2010-03-14 07:36 300616 ----a-w- c:\documents and settings\All Users\Application Data\Real\RealPlayer\BrowserRecordPlugin\Common\rpmainbrowserrecordplugin.dll
2010-03-14 07:36 . 2010-03-14 07:36 118784 ----a-w- c:\documents and settings\All Users\Application Data\Real\RealPlayer\BrowserRecordPlugin\Chrome\Hook\rpchromebrowserrecordhelper.dll
2010-03-14 07:35 . 2010-03-14 07:35 329312 ----a-w- c:\documents and settings\All Users\Application Data\Real\RealPlayer\BrowserRecordPlugin\IE\rpbrowserrecordplugin.dll
2010-03-14 07:35 . 2007-09-27 03:04 -------- d-----w- c:\program files\Common Files\Real
2010-03-14 07:34 . 2007-09-27 03:04 -------- d-----w- c:\program files\Real
2010-03-14 05:12 . 2007-06-16 21:59 -------- d-----w- c:\documents and settings\new user\Application Data\BitTorrent
2010-03-13 02:15 . 2006-02-28 12:00 96512 ------w- c:\windows\system32\drivers\atapi.sys
2010-03-13 01:21 . 2010-03-03 01:15 439816 ----a-w- c:\documents and settings\new user\Application Data\Real\Update\setup3.10\setup.exe
2010-03-12 05:07 . 2010-03-12 05:07 4004960 ----a-w- c:\documents and settings\new user\Application Data\Uniblue\RegistryBooster\_temp\ub.exe
2010-03-09 18:19 . 2007-06-16 21:59 -------- d-----w- c:\program files\BitTorrent
2010-02-23 21:16 . 2007-06-11 21:11 -------- d--h--w- c:\program files\InstallShield Installation Information
2010-02-23 21:16 . 2007-06-11 21:10 -------- d-----w- c:\program files\Common Files\InstallShield
2010-02-14 05:18 . 2010-02-14 05:17 -------- d-----w- c:\program files\iTunes
2010-02-14 05:17 . 2010-02-14 05:17 -------- d-----w- c:\program files\iPod
2010-02-14 05:17 . 2007-09-28 01:10 -------- d-----w- c:\program files\Common Files\Apple
2010-02-14 05:11 . 2009-10-04 07:38 -------- d-----w- c:\program files\QuickTime
2010-02-14 05:05 . 2010-02-14 05:05 72488 ----a-w- c:\documents and settings\All Users\Application Data\Apple Computer\Installer Cache\iTunes 9.0.3.15\SetupAdmin.exe
2010-02-14 05:03 . 2008-08-25 04:37 -------- d-----w- c:\program files\Safari
2010-02-14 04:58 . 2010-02-14 04:58 79144 ----a-w- c:\documents and settings\All Users\Application Data\Apple Computer\Installer Cache\Safari 5.31.21.10\SetupAdmin.exe
2010-02-08 03:42 . 2008-08-02 01:23 -------- d-----w- c:\program files\Google
2010-02-06 22:37 . 2010-02-06 22:32 -------- d-----w- c:\documents and settings\All Users\Application Data\Hitman Pro
2010-02-06 22:32 . 2010-02-06 22:32 -------- d-----w- c:\program files\Hitman Pro 3.5
2010-02-06 21:25 . 2010-02-06 21:25 0 ----a-w- c:\windows\nsreg.dat
2010-01-22 20:17 . 2009-01-03 06:26 -------- d-----w- c:\program files\Microsoft Silverlight
2010-01-17 03:08 . 2007-07-26 03:53 18384 ----a-w- c:\documents and settings\new user\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2010-01-15 17:10 . 2010-01-15 17:10 144160 ----a-w- c:\documents and settings\new user\Application Data\Move Networks\uninstall.exe
2010-01-15 17:10 . 2009-12-10 19:26 4187512 ----a-w- c:\documents and settings\new user\Application Data\Move Networks\plugins\npqmp071505000011.dll
2010-01-15 02:10 . 2009-05-10 00:11 164 ----a-w- c:\windows\install.dat
2010-01-12 02:19 . 2010-01-12 02:19 388096 ----a-r- c:\documents and settings\new user\Application Data\Microsoft\Installer\{0761C9A8-8F3A-4216-B4A7-B7AFBF24A24A}\HiJackThis.exe
2010-01-09 07:15 . 2009-12-04 12:37 79488 ----a-w- c:\documents and settings\new user\Application Data\Sun\Java\jre1.6.0_17\gtapi.dll
2009-12-31 16:50 . 2006-02-28 12:00 353792 ----a-w- c:\windows\system32\drivers\srv.sys
2009-12-22 05:21 . 2006-02-28 12:00 667136 ------w- c:\windows\system32\wininet.dll
2009-12-22 05:20 . 2009-09-25 05:37 81920 ------w- c:\windows\system32\ieencode.dll
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"RTHDCPL"="c:\windows\RTHDCPL.EXE" [2006-11-15 16270848]
"SpySweeper"="c:\program files\Webroot\WebrootSecurity\SpySweeperUI.exe" [2009-11-06 6515784]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WebrootSpySweeperService]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WRConsumerService]
@="Service"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}]
2007-06-28 02:03 152872 ----a-w- c:\program files\Common Files\Ahead\Lib\NMBgMonitor.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ccApp]
2006-03-07 20:02 53408 ----a-w- c:\program files\Common Files\Symantec Shared\ccApp.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HitmanPro35]
2010-03-06 03:15 5650240 ----a-w- c:\program files\Hitman Pro 3.5\HitmanPro35.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\igfxhkcmd]
2006-02-07 00:36 77824 ----a-r- c:\windows\system32\hkcmd.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\igfxpers]
2006-02-07 00:40 118784 ----a-r- c:\windows\system32\igfxpers.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\igfxtray]
2006-02-07 00:39 94208 ----a-r- c:\windows\system32\igfxtray.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]
2010-01-23 03:16 141608 ----a-w- c:\program files\iTunes\iTunesHelper.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
2009-11-11 07:08 417792 ----a-w- c:\program files\QuickTime\QTTask.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SkyTel]
2006-05-17 02:04 2879488 ------r- c:\windows\SkyTel.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SpySweeper]
2009-11-06 23:19 6515784 ----a-w- c:\program files\Webroot\WebrootSecurity\SpySweeperUI.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TkBellExe]
2010-03-14 07:32 202256 ----a-w- c:\program files\Common Files\Real\Update_OB\realsched.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\vptray]
2006-03-17 13:34 124656 ----a-w- c:\progra~1\SYMANT~1\VPTray.exe

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\AIM\\aim.exe"=
"c:\\Program Files\\BitTorrent\\bittorrent.exe"=
"c:\\Program Files\\QuickTime\\QuickTimePlayer.exe"=
"c:\\Program Files\\BitTorrent_DNA\\dna.exe"=
"c:\\Program Files\\DNA\\btdna.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\Common Files\\Symantec Shared\\ccApp.exe"=
"c:\\WINDOWS\\system32\\spoolsv.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\\Program Files\\Webroot\\WebrootSecurity\\SpySweeperUI.exe"=
"c:\\WINDOWS\\RTHDCPL.exe"=

R0 PCTCore;PCTools KDS;c:\windows\system32\drivers\PCTCore.sys [2/28/2010 7:07 PM 207792]
R0 ssfs0bbc;ssfs0bbc;c:\windows\system32\drivers\ssfs0bbc.sys [11/6/2009 1:00 PM 29808]
R2 Browser Defender Update Service;Browser Defender Update Service;c:\program files\Spyware Doctor\BDT\BDTUpdateService.exe [2/28/2010 7:09 PM 112592]
R2 WRConsumerService;Webroot Client Service;c:\program files\Webroot\WebrootSecurity\WRConsumerService.exe [1/14/2010 7:12 PM 1201640]
R3 EraserUtilRebootDrv;EraserUtilRebootDrv;c:\program files\Common Files\Symantec Shared\EENGINE\EraserUtilRebootDrv.sys [1/13/2010 10:02 PM 102448]
S2 gupdate;Google Update Service (gupdate);c:\program files\Google\Update\GoogleUpdate.exe [12/25/2009 6:33 PM 135664]
S3 SavRoam;SAVRoam;c:\program files\Symantec AntiVirus\SavRoam.exe [3/17/2006 6:34 AM 115952]
S3 sdAuxService;PC Tools Auxiliary Service;c:\program files\Spyware Doctor\pctsAuxs.exe [2/28/2010 7:07 PM 359624]
.
Contents of the 'Scheduled Tasks' folder

2010-03-14 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2007-08-29 19:34]

2010-03-20 c:\windows\Tasks\Google Software Updater.job
- c:\program files\Google\Common\Google Updater\GoogleUpdaterService.exe [2008-08-02 01:49]

2010-03-20 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files\Google\Update\GoogleUpdate.exe [2009-12-26 01:32]

2010-03-20 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files\Google\Update\GoogleUpdate.exe [2009-12-26 01:32]

2010-03-20 c:\windows\Tasks\RealUpgradeLogonTaskS-1-5-21-789336058-507921405-839522115-1003.job
- c:\program files\Real\RealUpgrade\realupgrade.exe [2010-02-25 06:09]

2010-03-14 c:\windows\Tasks\RealUpgradeScheduledTaskS-1-5-21-789336058-507921405-839522115-1003.job
- c:\program files\Real\RealUpgrade\realupgrade.exe [2010-02-25 06:09]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.com/
FF - ProfilePath - c:\documents and settings\new user\Application Data\Mozilla\Firefox\Profiles\oex1f314.default\
FF - plugin: c:\documents and settings\new user\Application Data\Move Networks\plugins\npqmp071505000011.dll
FF - plugin: c:\documents and settings\new user\Local Settings\Application Data\Unity\WebPlayer\loader\npUnity3D32.dll
FF - plugin: c:\program files\Google\Google Earth\plugin\npgeplugin.dll
FF - plugin: c:\program files\Google\Google Updater\2.4.1536.6592\npCIDetect13.dll
FF - plugin: c:\program files\Google\Update\1.2.183.23\npGoogleOneClick8.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\NPTURNMED.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\

---- FIREFOX POLICIES ----
c:\program files\Mozilla Firefox\greprefs\all.js - pref("ui.use_native_colors", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("ui.use_native_popup_windows", false);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.enable_click_image_resizing", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("accessibility.browsewithcaret_shortcut.enabled", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("javascript.options.mem.high_water_mark", 32);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("javascript.options.mem.gc_frequency", 1600);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.auth.force-generic-ntlm", false);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("svg.smil.enabled", false);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("ui.trackpoint_hack.enabled", -1);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.debug", false);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.agedWeight", 2);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.bucketSize", 1);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.maxTimeGroupings", 25);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.timeGroupingSize", 604800);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.boundaryWeight", 25);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.prefixWeight", 5);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("html5.enable", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox-branding.js - pref("app.update.download.backgroundInterval", 600);
c:\program files\Mozilla Firefox\defaults\pref\firefox-branding.js - pref("app.update.url.manual", "http://www.firefox.com");
c:\program files\Mozilla Firefox\defaults\pref\firefox-branding.js - pref("browser.search.param.yahoo-fr-ja", "mozff");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.name", "chrome://browser/locale/browser.properties");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.description", "chrome://browser/locale/browser.properties");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("xpinstall.whitelist.add", "addons.mozilla.org");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("xpinstall.whitelist.add.36", "getpersonas.com");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("lightweightThemes.update.enabled", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.allTabs.previews", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("plugins.hide_infobar_for_outdated_plugin", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("plugins.update.notifyUser", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("toolbar.customization.usesheet", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.enable", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.max", 20);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.cachetime", 20);
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2010-03-20 13:51
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_USERS\S-1-5-21-789336058-507921405-839522115-1003\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\{11645ED4-E37E-C8F1-181A-10739179EA99}*]
@Allowed: (Read) (RestrictedCode)
@Allowed: (Read) (RestrictedCode)
"jadpeifacjfhdldhooml"=hex:62,61,70,65,00,00
"jadpeifacjfhdldhooam"=hex:62,61,63,66,00,00
"iadgaeifoaofjldofm"=hex:6b,61,6b,65,67,6a,62,6f,6e,61,6f,63,62,69,63,6d,66,62,
63,70,6d,6f,00,00
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'explorer.exe'(2648)
c:\program files\Common Files\Ahead\Lib\NeroSearchBar.dll
c:\program files\Common Files\Ahead\Lib\MFC71U.DLL
c:\program files\Common Files\Ahead\Lib\BCGCBPRO860un71.dll
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
------------------------ Other Running Processes ------------------------
.
c:\program files\Common Files\Symantec Shared\ccSetMgr.exe
c:\program files\Common Files\Symantec Shared\ccEvtMgr.exe
c:\program files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
c:\program files\Bonjour\mDNSResponder.exe
c:\program files\Java\jre6\bin\jqs.exe
c:\program files\CyberLink\Shared Files\RichVideo.exe
c:\program files\Webroot\WebrootSecurity\SpySweeper.exe
c:\windows\system32\wscntfy.exe
c:\program files\Webroot\WebrootSecurity\SSU.EXE
.
**************************************************************************
.
Completion time: 2010-03-20 13:56:55 - machine was rebooted
ComboFix-quarantined-files.txt 2010-03-20 20:56
ComboFix2.txt 2010-03-20 19:41
ComboFix3.txt 2010-03-14 23:15
ComboFix4.txt 2010-02-06 11:12

Pre-Run: 186,459,136,000 bytes free
Post-Run: 186,428,043,264 bytes free

- - End Of File - - 644BF655002765613558F8D925F7E340
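
The "LOCKED REGISTRY KEYS" section of the ComboFix log above is printed in REGEDIT4 syntax, where a long `hex:` value wraps onto a second line that starts after a trailing comma. Reading those bytes by hand is error-prone, so here is an added Python example (my own code, not part of the thread and not a ComboFix feature) that parses that block and decodes each value as a NUL-terminated ASCII string. The excerpt embedded in the block is copied from the log above; the function names and the treatment of `@Allowed:` lines as annotations to be skipped are my assumptions.

```python
import re

# Constructed excerpt: the LOCKED REGISTRY KEYS block from the ComboFix log above,
# in REGEDIT4 syntax. A hex: value that ends in a comma continues on the next line.
LOCKED_KEYS_EXCERPT = r"""
[HKEY_USERS\S-1-5-21-789336058-507921405-839522115-1003\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\{11645ED4-E37E-C8F1-181A-10739179EA99}*]
@Allowed: (Read) (RestrictedCode)
@Allowed: (Read) (RestrictedCode)
"jadpeifacjfhdldhooml"=hex:62,61,70,65,00,00
"jadpeifacjfhdldhooam"=hex:62,61,63,66,00,00
"iadgaeifoaofjldofm"=hex:6b,61,6b,65,67,6a,62,6f,6e,61,6f,63,62,69,63,6d,66,62,
63,70,6d,6f,00,00
"""

KEY_RE = re.compile(r'^\[(.+)\]$')
# "name"=hex:..  or  "name"=hex(7):..  (typed binary values use the same byte syntax)
VALUE_RE = re.compile(r'^"([^"]+)"=(hex(?:\([0-9a-fA-F]+\))?):(.*)$')


def parse_regedit4(text):
    """Return {key_path: {value_name: bytes}} for the hex: values in a REGEDIT4 excerpt.

    Joins continuation lines (a line ending in ',' continues on the next line),
    ignores ComboFix's '@Allowed:' annotation lines (an assumption of this example),
    and skips values that are not in hex: form.
    """
    result = {}
    current_key = None
    pending_name = None
    pending_hex = []

    def flush():
        nonlocal pending_name, pending_hex
        if current_key is not None and pending_name is not None:
            raw = ''.join(pending_hex).replace(' ', '')
            parts = [p for p in raw.split(',') if p]
            result[current_key][pending_name] = bytes(int(p, 16) for p in parts)
        pending_name, pending_hex = None, []

    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        if pending_name is not None:
            # Continuation of a multi-line hex value.
            pending_hex.append(line)
            if not line.endswith(','):
                flush()
            continue
        m = KEY_RE.match(line)
        if m:
            current_key = m.group(1)
            result.setdefault(current_key, {})
            continue
        m = VALUE_RE.match(line)
        if m and current_key is not None:
            pending_name = m.group(1)
            pending_hex = [m.group(3)]
            if not m.group(3).rstrip().endswith(','):
                flush()
    flush()  # tolerate an excerpt that is cut off mid-value
    return result


def ascii_payload(data):
    """Decode a binary value as NUL-terminated ASCII, dropping the trailing padding."""
    return data.split(b'\x00')[0].decode('ascii', errors='replace')


def decode_locked_values(text=LOCKED_KEYS_EXCERPT):
    """Flatten the parsed excerpt into {value_name: decoded_string}."""
    out = {}
    for values in parse_regedit4(text).values():
        for name, data in values.items():
            out[name] = ascii_payload(data)
    return out


if __name__ == '__main__':
    for name, payload in decode_locked_values().items():
        print(f'{name} -> {payload!r}')
```

Run stand-alone it lists the three values with their decoded contents; on a real log you would pass the whole "LOCKED REGISTRY KEYS" block to `decode_locked_values` to see at a glance what the oddly named values hold before deciding whether they belong to a known product or need to go into a fix script.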

#10 Essexboy

  • Group: GeekU Moderator
  • Posts: 56,116
  • Joined: 31-May 06

Posted 20 March 2010 - 03:06 PM

Whilst I check that out - how is your computer behaving now?

#11 pixman

  • Group: Member
  • Posts: 15
  • Joined: 11-January 10

Posted 20 March 2010 - 03:08 PM

My computer doesn't seem to be infected anymore. It's running smoothly right now.

#12 Essexboy

  • Group: GeekU Moderator
  • Posts: 56,116
  • Joined: 31-May 06

Posted 20 March 2010 - 03:19 PM

The general consensus on that error appears to be: use the standalone install and disable the antivirus. I will find a standalone download link

Meanwhile.......

I will remove my tools now and give some recommendations, but I would like you to run for 24 hours or so and come back if you have any problems

Now the best part of the day ----- Your log now appears clean :)

A good workman always cleans up after himself, so run OTL and hit the cleanup button. It will remove all the programmes we have used plus itself. MBAM can be uninstalled via control panel add/remove along with ERUNT. But they may be useful tools to keep

We will now confirm that your hidden files are set to that, as some of the tools I use will change that
  • Click Start.
  • Open My Computer.
  • Select the Tools menu and click Folder Options.
  • Select the View Tab.
  • Under the Hidden files and folders heading select Do not show hidden files and folders.
  • Click Yes to confirm.
  • Click OK.


Your Java is out of date. Older versions have vulnerabilities that malware can use to infect your system. Please follow these steps to remove older versions of Java components and upgrade the application. Beware it is NOT supported for use in 9x or ME and probably will not install in those systems

Upgrading Java:
  • Download the latest version of Java SE Runtime Environment (JRE) JRE 6 Update 18.
  • Click the "Download" button to the right.
  • Select your Platform and check the box that says: "I agree to the Java SE Runtime Environment 6 License Agreement.".
  • Click on Continue.
  • Click on the link to download Windows Offline Installation (jre-6u18-windows-i586-p.exe) and save it to your desktop. Do NOT use the Sun Download Manager.
  • Close any programs you may have running - especially your web browser.
  • Go to Start > Control Panel, double-click on Add/Remove programs and remove all older versions of Java.
  • Check any item with Java Runtime Environment (JRE or J2SE) in the name.
  • Click the Remove or Change/Remove button.
  • Repeat as many times as necessary to remove each Java version.
  • Reboot your computer once all Java components are removed.
  • Then from your desktop double-click on the download to install the newest version. (Vista users, right click on the jre-6u18-windows-i586-p.exe and select "Run as an Administrator.")


XP
Now to get you off to a good start we will clean your restore points so that all the bad stuff is gone for good. Then if you need to restore at some stage you will be clean. There are several ways to reset your restore points, but this is my method:
  • Select Start > All Programs > Accessories > System tools > System Restore.
  • On the dialogue box that appears select Create a Restore Point
  • Click NEXT
  • Enter a name e.g. Clean
  • Click CREATE

You now have a clean restore point, to get rid of the bad ones:
  • Select Start > All Programs > Accessories > System tools > Disk Cleanup.
  • In the Drop down box that appears select your main drive e.g. C
  • Click OK
  • The System will do some calculation and then display a dialogue box with TABS
  • Select the More Options Tab.
  • At the bottom will be a system restore box with a CLEANUP button; click this
  • Accept the Warning and select OK again, the program will close and you are done


SPRING CLEAN

Download TFC to your desktop
  • Open the file and close any other windows.
  • It will close all programs itself when run; make sure to let it run uninterrupted.
  • Click the Start button to begin the process. The program should not take long to finish its job.
  • Once it's finished it should reboot your machine; if not, do this yourself to ensure a complete clean


THEN

Download Flush Flash from Here and follow the easy to use instructions on the same page

NEXT

Download and run Puran Disc Defragmenter

Now that you are clean, to help protect your computer in the future I recommend that you get the following free programmes:
It is critical to have both a firewall and anti virus to protect your system and to keep them updated.

To keep your operating system up to date visit


To learn more about how to protect yourself while on the internet read our little guide How did I get infected in the first place ?
Keep safe :)

#13 Essexboy

  • Group: GeekU Moderator
  • Posts: 56,116
  • Joined: 31-May 06

Posted 20 March 2010 - 03:24 PM

Download KB951847 to your desktop, disconnect from the internet, disable your antivirus and then try to install it

#14 Essexboy

  • Group: GeekU Moderator
  • Posts: 56,116
  • Joined: 31-May 06

Posted 22 March 2010 - 02:55 PM

Since this issue appears to be resolved ... this Topic has been closed. Glad we could help. :)

If you're the topic starter, and need this topic reopened, please contact a staff member with the address of the thread.

Everyone else please begin a New Topic.
