
Death Blue Screen with Spybot [Solved]


  • This topic is locked

#1
petree
  • Member
  • 33 posts
Hello,

I'm not computer savvy, so I could really use your help. I started to see pop-ups with Firefox, even when I had pop-ups blocked. I went to Firefox website, where I read it was spyware that caused it. I ran Zone Alarm anti-virus and anti-spyware and found no problems. I also ran ClamWin, Ad-aware, and Vundofix and got the same result. However, when I try to check for problems with Spybot, my screen turns blue stating to update drivers. (How do I do that?) The blue screen makes me restart the computer. When I do so, I get a message stating the computer encountered a serious problem and would I like to report it to Microsoft. I have run Hijack This and got this log.

Thanks for your help in advance.

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 5:28:58 PM, on 3/11/2009
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16791)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\savedump.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Ahead\InCD\InCDsrv.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\Program Files\Lavasoft\Ad-Aware\AAWService.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\Documents and Settings\Goddess\Desktop\HiJackThis.exe
C:\WINDOWS\system32\dumprep.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft....k/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft....k/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft....k/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft....k/?LinkId=69157
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: Canon Easy Web Print Helper - {68F9551E-0411-48E4-9AAF-4BC42A6A46BE} - C:\Program Files\Canon\Easy-WebPrint\EWPBrowseLoader.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O2 - BHO: (no name) - {aeb641f4-c2cd-4b34-87c7-865ed8fbfcba} - C:\WINDOWS\system32\bametusi.dll
O3 - Toolbar: Easy-WebPrint - {327C2873-E90D-4c37-AA9D-10AC9BABA46C} - C:\Program Files\Canon\Easy-WebPrint\Toolband.dll
O4 - HKLM\..\Run: [ZoneAlarm Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKLM\..\Run: [Mwudom] rundll32.exe "C:\WINDOWS\ipofedaw.dll",e
O4 - HKLM\..\Run: [CPM8b129cc9] Rundll32.exe "c:\windows\system32\yejimoya.dll",a
O4 - HKLM\..\Run: [mikarohiwe] Rundll32.exe "C:\WINDOWS\system32\bekopola.dll",s
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKUS\S-1-5-19\..\Run: [mikarohiwe] Rundll32.exe "C:\WINDOWS\system32\bekopola.dll",s (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [mikarohiwe] Rundll32.exe "C:\WINDOWS\system32\bekopola.dll",s (User 'NETWORK SERVICE')
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search && Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O20 - AppInit_DLLs: C:\WINDOWS\system32\lupayusa.dll ozuewf.dll c:\windows\system32\zomuhiwu.dll bljssq.dll c:\windows\system32\yejimoya.dll
O21 - SSODL: SSODL - {EC43E3FD-5C60-46a6-97D7-E0B85DBDD6C4} - c:\windows\system32\yejimoya.dll
O22 - SharedTaskScheduler: STS - {EC43E3FD-5C60-46a6-97D7-E0B85DBDD6C4} - c:\windows\system32\yejimoya.dll
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: InCD Helper (read only) (InCDsrvR) - Ahead Software AG - C:\Program Files\Ahead\InCD\InCDsrv.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Lavasoft Ad-Aware Service - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware\AAWService.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Check Point Software Technologies LTD - C:\WINDOWS\system32\ZoneLabs\vsmon.exe

--
End of file - 4810 bytes
  • 0
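What the volunteers read off a log like the one above is a pattern, not a single bad line: every suspicious entry is a six-to-eight-letter, all-lowercase DLL dropped into %SystemRoot% or system32, and one of them (yejimoya.dll) is wired into four autostart mechanisms at once: an O4 Run value via rundll32, O20 AppInit_DLLs, O21 ShellServiceObjectDelayLoad and O22 SharedTaskScheduler. The script below is an added example, not code from the thread or from HijackThis; it encodes those heuristics and correlates load points per DLL. The name pattern, the allowlist and the sample lines (a subset of the log quoted in the post) are assumptions.

```python
"""Triage a HijackThis 2.0.2 log for random-name DLL loaders of the kind in
the thread. Added example, not code from the thread or from HijackThis; the
name pattern, the allowlist and the sample lines are assumptions."""
import re
from collections import defaultdict

# Constructed sample: a subset of the O2/O4/O20/O21/O22 lines quoted in the
# HijackThis log of post #1, plus two legitimate entries for contrast.
SAMPLE_LOG = r"""
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: (no name) - {aeb641f4-c2cd-4b34-87c7-865ed8fbfcba} - C:\WINDOWS\system32\bametusi.dll
O4 - HKLM\..\Run: [ZoneAlarm Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKLM\..\Run: [Mwudom] rundll32.exe "C:\WINDOWS\ipofedaw.dll",e
O4 - HKLM\..\Run: [CPM8b129cc9] Rundll32.exe "c:\windows\system32\yejimoya.dll",a
O4 - HKLM\..\Run: [mikarohiwe] Rundll32.exe "C:\WINDOWS\system32\bekopola.dll",s
O4 - HKUS\S-1-5-19\..\Run: [mikarohiwe] Rundll32.exe "C:\WINDOWS\system32\bekopola.dll",s (User 'LOCAL SERVICE')
O20 - AppInit_DLLs: C:\WINDOWS\system32\lupayusa.dll ozuewf.dll c:\windows\system32\zomuhiwu.dll bljssq.dll c:\windows\system32\yejimoya.dll
O21 - SSODL: SSODL - {EC43E3FD-5C60-46a6-97D7-E0B85DBDD6C4} - c:\windows\system32\yejimoya.dll
O22 - SharedTaskScheduler: STS - {EC43E3FD-5C60-46a6-97D7-E0B85DBDD6C4} - c:\windows\system32\yejimoya.dll
"""

# Vundo-style droppers use 6-8 lowercase letters, no digits, for the DLL name
# and land it in %SystemRoot% or system32. Legitimate DLLs that fit the shape
# go on a small allowlist (assumed); the name alone is a hint, the load-point
# correlation in multi_loadpoint() is the real signal.
RANDOM_DLL = re.compile(r"(?<![A-Za-z0-9])([a-z]{6,8})\.dll(?![A-Za-z0-9])")
KNOWN_SYSTEM = {"wininet", "msvcrt", "shdocvw", "browseui", "urlmon"}
ENTRY = re.compile(r"^(R\d|F\d|O\d+) - (.*)$")
# rundll32 "<path>.dll",<one- or two-character export> is how these loaders run
RUNDLL = re.compile(r'(?i)rundll32(?:\.exe)?\s+"[^"]+\.dll",[A-Za-z0-9]{1,2}\b')
SERVICE_HIVE = re.compile(r"HKUS\\S-1-5-(?:19|20)\\")   # LOCAL SERVICE / NETWORK SERVICE hives


def random_dlls(text):
    """Random-looking DLL basenames in one log line, allowlist removed."""
    return [n for n in RANDOM_DLL.findall(text) if n not in KNOWN_SYSTEM]


def triage(log_text):
    """Return (findings, loadpoints).

    findings  : list of (section, reason, line) for every line worth a look
    loadpoints: DLL basename -> set of HijackThis sections it is wired into
    """
    findings = []
    loadpoints = defaultdict(set)
    for line in log_text.splitlines():
        m = ENTRY.match(line.strip())
        if not m:
            continue
        section = m.group(1)
        dlls = random_dlls(line)
        reasons = []
        if dlls:
            reasons.append("random-looking DLL name: " + ", ".join(d + ".dll" for d in dlls))
        if section == "O2" and "(no name)" in line:
            reasons.append("BHO registered without a display name")
        if section == "O4" and RUNDLL.search(line):
            reasons.append("Run value launches a DLL through rundll32 with a terse export name")
        if section == "O4" and SERVICE_HIVE.search(line):
            reasons.append("Run value also planted in a service-account hive (LOCAL/NETWORK SERVICE)")
        if section == "O20" and "AppInit_DLLs:" in line and line.split("AppInit_DLLs:", 1)[1].strip():
            reasons.append("AppInit_DLLs populated: listed DLLs load into every user32-linked process")
        if section in ("O21", "O22") and dlls:
            reasons.append("shell-loaded COM object (SSODL/SharedTaskScheduler) backed by a random-named DLL")
        for reason in reasons:
            findings.append((section, reason, line))
        for d in dlls:
            loadpoints[d].add(section)
    return findings, dict(loadpoints)


def multi_loadpoint(loadpoints, minimum=2):
    """DLLs wired into several autostart mechanisms at once. One file hooked into
    Run + AppInit_DLLs + SSODL + SharedTaskScheduler is the fingerprint in this thread."""
    return {d: sorted(s) for d, s in loadpoints.items() if len(s) >= minimum}


if __name__ == "__main__":
    findings, loadpoints = triage(SAMPLE_LOG)
    for section, reason, line in findings:
        print("[%s] %s\n    %s" % (section, reason, line))
    for dll, sections in multi_loadpoint(loadpoints).items():
        print("%s.dll is wired into %d load points: %s" % (dll, len(sections), ", ".join(sections)))
```

HijackThis shows neither file attributes nor timestamps, so on this log the load-point correlation is the strongest evidence available; the ComboFix report later in the thread supplies the rest (hidden+system attributes, 1601 timestamps). Treat the name heuristic as a tie-breaker only: legitimate DLLs with short lowercase names exist, hence the allowlist.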



#2
Rorschach112 (Ralphie)
  • Retired Staff
  • 47,710 posts
hello

Download ComboFix from one of these locations:

Link 1
Link 2


* IMPORTANT !!! Save ComboFix.exe to your Desktop


  • Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools

  • Double click on ComboFix.exe & follow the prompts.

  • As part of its process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.

  • Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.

**Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue its malware removal procedures.


Posted Image



Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:

Posted Image


Click on Yes, to continue scanning for malware.

When finished, it shall produce a log for you. Please include the C:\ComboFix.txt log in your next reply.
  • 0

#3
petree
  • Topic Starter
  • Member
  • 33 posts
Love the Ralph icon! He's my favorite!

Here's the log:
ComboFix 09-03-10.03 - Goddess 2009-03-12 15:20:23.1 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.1023.680 [GMT -7:00]
Running from: c:\documents and settings\Goddess\Desktop\ComboFix.exe
AV: ZoneAlarm Security Suite Antivirus *On-access scanning disabled* (Updated)
FW: ZoneAlarm Security Suite Firewall *disabled*
* Created a new restore point
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\docume~1\Goddess\LOCALS~1\Temp\tmp2.tmp
c:\documents and settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr0.dat
c:\documents and settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr1.dat
c:\windows\system32\besigaza.dll
c:\windows\system32\bljssq.dll
c:\windows\system32\gavaok.dll
c:\windows\system32\hsylyc.dll
c:\windows\system32\ibasemiw.ini
c:\windows\system32\ifuyadov.ini
c:\windows\system32\lupayusa.dll
c:\windows\system32\ozuewf.dll
c:\windows\system32\phwwhz.dll
c:\windows\system32\tndkio.dll
c:\windows\system32\visegobu.dll
c:\windows\system32\wifokuvi.dll
c:\windows\system32\wonizaki.dll
c:\windows\system32\yimogate.dll
c:\windows\system32\yovorize.dll

----- BITS: Possible infected sites -----

hxxp://82.98.235.208
.
((((((((((((((((((((((((( Files Created from 2009-02-12 to 2009-03-12 )))))))))))))))))))))))))))))))
.

2009-03-11 08:37 . 2009-03-11 08:37 <DIR> d-------- C:\VundoFix Backups
2009-03-07 14:25 . 2009-03-07 14:25 133,120 --a------ c:\windows\ipofedaw.dll
2009-03-07 14:13 . 2009-03-07 14:13 41,984 --a------ c:\windows\Chacigulusefube.dll
2009-03-07 14:13 . 2009-03-07 14:13 41,984 --a------ C:\tcrnwc.exe
2009-03-07 14:13 . 2009-03-07 14:13 2 --a------ C:\-2011058182
2009-03-07 14:13 . 2009-03-07 14:13 0 --a------ C:\ootpnl.exe
2009-03-07 14:13 . 2009-03-07 14:13 0 --a------ C:\mfvse.exe
2009-03-07 14:13 . 2009-03-07 14:13 0 --a------ C:\iivopso.exe
2009-03-07 14:13 . 2009-03-07 14:13 0 --a------ C:\cyieqw.exe
2009-03-06 23:16 . 2009-03-06 23:16 <DIR> d-------- c:\documents and settings\All Users\Application Data\McAfee
2009-03-06 22:25 . 2009-03-06 22:25 <DIR> d-------- c:\documents and settings\Goddess\Application Data\MailFrontier
2009-03-06 07:56 . 2009-03-06 07:56 153 --a------ c:\windows\wininit.ini
2009-03-04 23:26 . 2009-03-04 23:26 <DIR> d-------- c:\documents and settings\Eochaid Ollathair\Application Data\MailFrontier

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-03-12 22:25 216,704,800 --sha-w c:\windows\system32\drivers\fidbox.dat
2009-03-12 22:22 2,902,052 --sha-w c:\windows\system32\drivers\fidbox.idx
2009-03-08 17:22 18,216 ----a-w c:\documents and settings\Lord Harkonnen\Application Data\GDIPFONTCACHEV1.DAT
2009-03-08 02:07 --------- d-----w c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
2009-03-08 02:06 --------- d-----w c:\program files\Spybot - Search & Destroy
2009-03-06 21:12 84,992 --sha-w c:\windows\fikomake.dll
2009-03-06 14:59 64,160 ----a-w c:\windows\system32\drivers\Lbd.sys
2009-02-16 07:10 72,584 ----a-w c:\windows\zllsputility.exe
2009-02-08 17:26 --------- dc-h--w c:\documents and settings\All Users\Application Data\{83C91755-2546-441D-AC40-9A6B4B860800}
2009-02-08 16:15 --------- d-----w c:\program files\Common Files\Wise Installation Wizard
2009-02-08 16:04 --------- d-----w c:\documents and settings\Goddess\Application Data\Uniblue
2009-02-08 16:04 --------- d-----w c:\documents and settings\All Users\Application Data\DriverScanner
2009-02-07 20:00 18,216 ----a-w c:\documents and settings\Goddess\Application Data\GDIPFONTCACHEV1.DAT
2009-01-13 15:06 --------- d-----w c:\program files\Lavasoft
2009-01-13 15:01 --------- d-----w c:\documents and settings\All Users\Application Data\Lavasoft
1601-01-01 00:12 48,128 --sha-w c:\windows\system32\bametusi.dll
1601-01-01 00:12 48,128 --sha-w c:\windows\system32\bekopola.dll
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{aeb641f4-c2cd-4b34-87c7-865ed8fbfcba}]
48128 --ahs---- c:\windows\system32\bametusi.dll

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SpybotSD TeaTimer"="c:\program files\Spybot - Search & Destroy\TeaTimer.exe" [2009-01-26 2144088]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ZoneAlarm Client"="c:\program files\Zone Labs\ZoneAlarm\zlclient.exe" [2009-02-16 981384]
"Mwudom"="c:\windows\ipofedaw.dll" [2009-03-07 133120]
"CPM8b129cc9"="c:\windows\system32\yejimoya.dll" [2009-03-07 84992]
"mikarohiwe"="c:\windows\system32\bekopola.dll" [ 48128]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
Microsoft Office.lnk - c:\program files\Microsoft Office\Office10\OSA.EXE [2001-02-13 83360]

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\SharedTaskScheduler]
"{EC43E3FD-5C60-46a6-97D7-E0B85DBDD6C4}"= "c:\windows\system32\yejimoya.dll" [2009-03-07 84992]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad]
"SSODL"= {EC43E3FD-5C60-46a6-97D7-E0B85DBDD6C4} - c:\windows\system32\yejimoya.dll [2009-03-07 84992]

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
Notification Packages REG_MULTI_SZ scecli c:\windows\system32\lupayusa.dll

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Lavasoft Ad-Aware Service]
@="Service"

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"UpdatesDisableNotify"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\ZoneLabsFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\WINDOWS\\system32\\ZoneLabs\\avsys\\ScanningProcess.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\\WINDOWS\\system32\\ZoneLabs\\vsmon.exe"=
"c:\\WINDOWS\\explorer.exe"=

R0 Lbd;Lbd;c:\windows\system32\drivers\Lbd.sys [2009-02-08 64160]
S2 Lavasoft Ad-Aware Service;Lavasoft Ad-Aware Service;c:\program files\Lavasoft\Ad-Aware\AAWService.exe [2009-01-18 951120]
.
Contents of the 'Scheduled Tasks' folder

2009-03-08 c:\windows\Tasks\Ad-Aware Update (Weekly).job
- c:\program files\Lavasoft\Ad-Aware\Ad-AwareAdmin.exe [2009-03-06 07:58]
.
.
------- Supplementary Scan -------
.
uInternet Connection Wizard,ShellNext = iexplore
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office10\EXCEL.EXE/3000
FF - ProfilePath - c:\documents and settings\Goddess\Application Data\Mozilla\Firefox\Profiles\wsmimgp8.default\
FF - plugin: c:\documents and settings\Goddess\Application Data\Mozilla\Firefox\Profiles\wsmimgp8.default\extensions\[email protected]\platform\WINNT_x86-msvc\plugins\npmnqmp07076007.dll
.

**************************************************************************

catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-03-12 15:26:24
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
------------------------ Other Running Processes ------------------------
.
c:\program files\Ahead\InCD\InCDsrv.exe
c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
c:\program files\Bonjour\mDNSResponder.exe
.
**************************************************************************
.
Completion time: 2009-03-12 15:28:47 - machine was rebooted
ComboFix-quarantined-files.txt 2009-03-12 22:28:44

Pre-Run: 132,438,921,216 bytes free
Post-Run: 132,359,528,448 bytes free

WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Professional" /noexecute=optin /fastdetect

148 --- E O F --- 2009-02-25 18:18:17
  • 0

#4
Rorschach112 (Ralphie)
  • Retired Staff
  • 47,710 posts
hello

Open notepad and copy/paste the text in the quotebox below into it:

http://www.geekstogo...ot-t231920.html

Collect::
c:\windows\ipofedaw.dll
c:\windows\Chacigulusefube.dll
C:\tcrnwc.exe
C:\-2011058182
C:\ootpnl.exe
C:\mfvse.exe
C:\iivopso.exe
C:\cyieqw.exe
c:\windows\fikomake.dll
c:\windows\system32\bametusi.dll
c:\windows\system32\bekopola.dll

Suspect::


Save this as CFScript.txt


Posted Image

Referring to the picture above, drag CFScript.txt into ComboFix.exe

When finished, it shall produce a log for you. Post that log in your next reply.

**Note**

When CF finishes running, the ComboFix log will open along with a message box--do not be alarmed. With the above script, ComboFix will capture files to submit for analysis.
  • Ensure you are connected to the internet and click OK on the message box.

  • 0

#5
petree
  • Topic Starter
  • Member
  • 33 posts
Thanks for your help. I got a pop-up asking if I wanted to update ComboFix. I wasn't sure if I should have done so, so I clicked no. Is that ok?

Here's the log:

ComboFix 09-03-10.03 - Goddess 2009-03-13 13:32:05.2 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.1023.565 [GMT -7:00]
Running from: c:\documents and settings\Goddess\Desktop\ComboFix.exe
Command switches used :: c:\documents and settings\Goddess\Desktop\CFScript.txt
AV: ZoneAlarm Security Suite Antivirus *On-access scanning disabled* (Updated)
FW: ZoneAlarm Security Suite Firewall *enabled*
* Created a new restore point
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\-2011058182
C:\cyieqw.exe
c:\documents and settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr0.dat
c:\documents and settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr1.dat
C:\iivopso.exe
C:\mfvse.exe
C:\ootpnl.exe
C:\tcrnwc.exe
c:\windows\Chacigulusefube.dll
c:\windows\fikomake.dll
c:\windows\ipofedaw.dll
c:\windows\system32\bametusi.dll
c:\windows\system32\bekopola.dll
c:\windows\system32\ehavogek.ini
c:\windows\system32\mijekn.dll
c:\windows\system32\zesifimi.dll

----- BITS: Possible infected sites -----

hxxp://82.98.235.205
.
((((((((((((((((((((((((( Files Created from 2009-02-13 to 2009-03-13 )))))))))))))))))))))))))))))))
.

2009-03-13 13:41 . 2009-03-13 13:41 121 ---hs---- c:\windows\system32\ehavogek.ini
2009-03-13 12:04 . 2009-03-13 12:04 5,856 ---hs---- c:\windows\system32\higewomu.dll
2009-03-13 12:04 . 2009-03-13 12:04 5,856 ---hs---- c:\windows\system32\gakilime.dll
2009-03-11 08:37 . 2009-03-11 08:37 <DIR> d-------- C:\VundoFix Backups
2009-03-06 23:16 . 2009-03-06 23:16 <DIR> d-------- c:\documents and settings\All Users\Application Data\McAfee
2009-03-06 22:25 . 2009-03-06 22:25 <DIR> d-------- c:\documents and settings\Goddess\Application Data\MailFrontier
2009-03-06 07:56 . 2009-03-06 07:56 153 --a------ c:\windows\wininit.ini
2009-03-04 23:26 . 2009-03-04 23:26 <DIR> d-------- c:\documents and settings\Eochaid Ollathair\Application Data\MailFrontier

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-03-13 20:42 219,803,168 --sha-w c:\windows\system32\drivers\fidbox.dat
2009-03-13 20:35 2,941,052 --sha-w c:\windows\system32\drivers\fidbox.idx
2009-03-12 22:39 84,992 --sha-w c:\windows\system32\hariviza.dll
2009-03-12 22:39 79,872 --sha-w c:\windows\system32\kegovahe.dll
2009-03-12 00:25 3,292,160 ----a-w c:\windows\Internet Logs\xDB1B.tmp
2009-03-08 17:22 18,216 ----a-w c:\documents and settings\Lord Harkonnen\Application Data\GDIPFONTCACHEV1.DAT
2009-03-08 02:07 --------- d-----w c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
2009-03-08 02:06 --------- d-----w c:\program files\Spybot - Search & Destroy
2009-03-07 21:13 84,992 --sha-w c:\windows\system32\yejimoya.dll
2009-03-07 21:13 79,872 --sha-w c:\windows\system32\jupozife.dll
2009-03-07 20:55 2,023,936 ----a-w c:\windows\Internet Logs\xDB1A.tmp
2009-03-07 09:13 84,992 --sha-w c:\windows\system32\pabipihe.dll
2009-03-07 05:24 16,690,420 ----a-w c:\windows\Internet Logs\tvDebug.zip
2009-03-06 14:59 64,160 ----a-w c:\windows\system32\drivers\Lbd.sys
2009-03-06 14:59 15,688 ----a-w c:\windows\system32\lsdelete.exe
2009-03-02 05:21 3,448,832 ----a-w c:\windows\Internet Logs\xDB19.tmp
2009-02-16 07:10 72,584 ----a-w c:\windows\zllsputility.exe
2009-02-16 07:10 1,221,512 ----a-w c:\windows\system32\zpeng25.dll
2009-02-08 17:26 --------- dc-h--w c:\documents and settings\All Users\Application Data\{83C91755-2546-441D-AC40-9A6B4B860800}
2009-02-08 16:15 --------- d-----w c:\program files\Common Files\Wise Installation Wizard
2009-02-08 16:04 --------- d-----w c:\documents and settings\Goddess\Application Data\Uniblue
2009-02-08 16:04 --------- d-----w c:\documents and settings\All Users\Application Data\DriverScanner
2009-02-07 20:00 18,216 ----a-w c:\documents and settings\Goddess\Application Data\GDIPFONTCACHEV1.DAT
2009-01-13 15:06 --------- d-----w c:\program files\Lavasoft
2009-01-13 15:01 --------- d-----w c:\documents and settings\All Users\Application Data\Lavasoft
2008-12-20 23:15 826,368 ----a-w c:\windows\system32\wininet.dll
.

((((((((((((((((((((((((((((( SnapShot@2009-03-12_15.27.40.07 )))))))))))))))))))))))))))))))))))))))))
.
- 2009-03-12 22:26:24 520,896 ----a-w c:\windows\system32\ZoneLabs\avsys\bases\sfdb.dat
+ 2009-03-13 20:35:40 522,380 ----a-w c:\windows\system32\ZoneLabs\avsys\bases\sfdb.dat
- 2009-03-07 06:36:39 11,264,752 ----a-w c:\windows\system32\ZoneLabs\spyware.dat
+ 2009-03-12 23:03:32 11,402,971 ----a-w c:\windows\system32\ZoneLabs\spyware.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SpybotSD TeaTimer"="c:\program files\Spybot - Search & Destroy\TeaTimer.exe" [2009-01-26 2144088]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ZoneAlarm Client"="c:\program files\Zone Labs\ZoneAlarm\zlclient.exe" [2009-02-16 981384]
"CPM8b129cc9"="c:\windows\system32\yejimoya.dll" [2009-03-07 84992]
"8821af55"="c:\windows\system32\kegovahe.dll" [2009-03-12 79872]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
Microsoft Office.lnk - c:\program files\Microsoft Office\Office10\OSA.EXE [2001-02-13 83360]

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\SharedTaskScheduler]
"{EC43E3FD-5C60-46a6-97D7-E0B85DBDD6C4}"= "c:\windows\system32\yejimoya.dll" [2009-03-07 84992]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Lavasoft Ad-Aware Service]
@="Service"

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"UpdatesDisableNotify"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\ZoneLabsFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\WINDOWS\\system32\\ZoneLabs\\avsys\\ScanningProcess.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\\WINDOWS\\system32\\ZoneLabs\\vsmon.exe"=
"c:\\Program Files\\Zone Labs\\ZoneAlarm\\MailFrontier\\mantispm.exe"=

R0 Lbd;Lbd;c:\windows\system32\drivers\Lbd.sys [2009-02-08 64160]
R2 Lavasoft Ad-Aware Service;Lavasoft Ad-Aware Service;c:\program files\Lavasoft\Ad-Aware\AAWService.exe [2009-01-18 951120]
.
Contents of the 'Scheduled Tasks' folder

2009-03-08 c:\windows\Tasks\Ad-Aware Update (Weekly).job
- c:\program files\Lavasoft\Ad-Aware\Ad-AwareAdmin.exe [2009-03-06 07:58]
.
- - - - ORPHANS REMOVED - - - -

BHO-{3489b446-9585-4db4-98b0-85f23d99cbf9} - c:\windows\system32\mijekn.dll
BHO-{aeb641f4-c2cd-4b34-87c7-865ed8fbfcba} - c:\windows\system32\bametusi.dll
HKLM-Run-Mwudom - c:\windows\ipofedaw.dll
HKLM-Run-mikarohiwe - c:\windows\system32\bekopola.dll


.
------- Supplementary Scan -------
.
uInternet Connection Wizard,ShellNext = iexplore
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office10\EXCEL.EXE/3000
FF - ProfilePath - c:\documents and settings\Goddess\Application Data\Mozilla\Firefox\Profiles\wsmimgp8.default\
FF - plugin: c:\documents and settings\Goddess\Application Data\Mozilla\Firefox\Profiles\wsmimgp8.default\extensions\[email protected]\platform\WINNT_x86-msvc\plugins\npmnqmp07076007.dll
.

**************************************************************************

catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-03-13 13:40:52
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...


c:\windows\system32\ehavogek.ini 121 bytes

scan completed successfully
hidden files: 1

**************************************************************************
.
------------------------ Other Running Processes ------------------------
.
c:\program files\Ahead\InCD\InCDsrv.exe
c:\windows\system32\ZoneLabs\vsmon.exe
c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
c:\program files\Bonjour\mDNSResponder.exe
c:\windows\system32\wbem\unsecapp.exe
c:\program files\Lavasoft\Ad-Aware\AAWTray.exe
c:\windows\system32\wscntfy.exe
c:\windows\system32\rundll32.exe
c:\progra~1\ZONELA~1\ZONEAL~1\MAILFR~1\mantispm.exe
.
**************************************************************************
.
Completion time: 2009-03-13 13:45:12 - machine was rebooted
ComboFix-quarantined-files.txt 2009-03-13 20:45:08
ComboFix2.txt 2009-03-12 22:28:50

Pre-Run: 132,417,810,432 bytes free
Post-Run: 132,399,124,480 bytes free

157 --- E O F --- 2009-02-25 18:18:17
  • 0

#6
Rorschach112 (Ralphie)
  • Retired Staff
  • 47,710 posts
you can let it update



1. Close any open browsers.

2. Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.

3. Open notepad and copy/paste the text in the quotebox below into it:

file::
c:\windows\system32\ehavogek.ini
c:\windows\system32\higewomu.dll
c:\windows\system32\gakilime.dll
c:\windows\system32\hariviza.dll
c:\windows\system32\kegovahe.dll
c:\windows\system32\yejimoya.dll
c:\windows\system32\jupozife.dll
c:\windows\system32\pabipihe.dll


Folder::

Registry::

Driver::


Save this as CFScript.txt, in the same location as ComboFix.exe


Posted Image

Referring to the picture above, drag CFScript into ComboFix.exe

When finished, it shall produce a log for you at C:\ComboFix.txt which I will require in your next reply.
  • 0
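The ComboFix reports in posts #3 and #5 add what HijackThis could not show: the dropped DLLs carry hidden+system attributes (--sha-w in Find3M, ---hs---- in Files Created), two of them have a 1601-01-01 timestamp (the FILETIME epoch, so zeroed or tampered), the Run values have hex-looking names (CPM8b129cc9, 8821af55), and Security Center's update warning is switched off (UpdatesDisableNotify=1). The script below is an added example, not code from the thread, from ComboFix or from its author; it pulls those indicators out of a report and drafts a CFScript in the section layout the helper used in posts #4 and #6. The heuristics, the constructed sample (a trimmed subset of the thread's own logs) and the Registry:: syntax are assumptions.

```python
"""Triage a ComboFix report and draft the follow-up CFScript.
Added example: not code from the thread, from ComboFix or from its author.
The attribute/name heuristics, the trimmed sample and the Registry:: syntax
(.reg format, "name"=- deletes a value) are assumptions to verify against the
ComboFix documentation before use."""
import re

# Constructed sample: lines quoted from the ComboFix logs in posts #3 and #5.
SAMPLE_REPORT = r"""
((((((((((((((((((((((((( Files Created from 2009-02-13 to 2009-03-13 )))))))))))))))))))))))))))))))
2009-03-13 13:41 . 2009-03-13 13:41 121 ---hs---- c:\windows\system32\ehavogek.ini
2009-03-13 12:04 . 2009-03-13 12:04 5,856 ---hs---- c:\windows\system32\higewomu.dll
2009-03-11 08:37 . 2009-03-11 08:37 <DIR> d-------- C:\VundoFix Backups
2009-03-06 07:56 . 2009-03-06 07:56 153 --a------ c:\windows\wininit.ini
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
2009-03-13 20:42 219,803,168 --sha-w c:\windows\system32\drivers\fidbox.dat
2009-03-12 22:39 84,992 --sha-w c:\windows\system32\hariviza.dll
2009-03-12 22:39 79,872 --sha-w c:\windows\system32\kegovahe.dll
2009-03-07 21:13 84,992 --sha-w c:\windows\system32\yejimoya.dll
2008-12-20 23:15 826,368 ----a-w c:\windows\system32\wininet.dll
1601-01-01 00:12 48,128 --sha-w c:\windows\system32\bametusi.dll
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
REGEDIT4
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ZoneAlarm Client"="c:\program files\Zone Labs\ZoneAlarm\zlclient.exe" [2009-02-16 981384]
"CPM8b129cc9"="c:\windows\system32\yejimoya.dll" [2009-03-07 84992]
"8821af55"="c:\windows\system32\kegovahe.dll" [2009-03-12 79872]
[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"UpdatesDisableNotify"=dword:00000001
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)
"""

# One file line from "Files Created" (two timestamps) or "Find3M" (one):
#   date time [. date time] size|<DIR>|----- attributes path
FILE_LINE = re.compile(
    r"^(\d{4}-\d{2}-\d{2}) \d{2}:\d{2}(?: \. \d{4}-\d{2}-\d{2} \d{2}:\d{2})?"
    r"\s+(?:[\d,]+|<DIR>|-+)\s+([-a-zA-Z]{7,9})\s+(.+)$"
)
RANDOM_NAME = re.compile(r"\\[a-z]{6,8}\.(?:dll|ini|exe)$")   # assumed dropper name shape
RANDOM_DLL = re.compile(r"\\[a-z]{6,8}\.dll$")
REG_KEY = re.compile(r"^\[(.+)\]$")
REG_VALUE = re.compile(r'^"([^"]+)"\s*=\s*(?:"([^"]*)"|(?:dword:)?([0-9a-fA-F]+))')
HEXISH_NAME = re.compile(r"^(?:CPM)?[0-9a-f]{8}$")            # CPM8b129cc9, 8821af55
POSTURE_VALUES = {"EnableFirewall", "UpdatesDisableNotify", "AntiVirusDisableNotify"}


def flag_files(report):
    """Map path -> reasons for files whose attributes or timestamps look planted."""
    flagged = {}
    for line in report.splitlines():
        m = FILE_LINE.match(line.strip())
        if not m:
            continue
        date, attrs, path = m.groups()
        reasons = []
        # the droppers hide as hidden+system; ComboFix prints that as --sha-w / ---hs----
        if "h" in attrs and "s" in attrs and RANDOM_NAME.search(path):
            reasons.append("hidden+system attributes on a random-named file")
        if date.startswith("1601-01-01"):
            reasons.append("FILETIME epoch timestamp: zeroed or tampered")
        if reasons:
            flagged[path] = reasons
    return flagged


def flag_registry(report):
    """Return (run_hits, posture): dropper-looking Run values, and the Security
    Center / firewall values that decide whether the user would have been warned."""
    run_hits, posture, key = [], {}, ""
    for line in report.splitlines():
        line = line.strip()
        k = REG_KEY.match(line)
        if k:
            key = k.group(1)
            continue
        v = REG_VALUE.match(line)
        if not v:
            continue
        name, strval, numval = v.groups()
        if strval is not None and key.lower().endswith("\\run"):
            reasons = []
            if HEXISH_NAME.match(name):
                reasons.append("hex-looking value name")
            if RANDOM_DLL.search(strval):
                reasons.append("random-named DLL")
            if reasons:
                run_hits.append((key, name, strval, reasons))
        elif numval is not None and name in POSTURE_VALUES:
            posture[name] = int(numval, 16)
    return run_hits, posture


def build_cfscript(files, run_values=()):
    """Render a CFScript in the section layout the helper used in posts #4 and #6."""
    out = ["File::", *sorted(files), "", "Folder::", "", "Registry::"]
    for key, name in run_values:        # assumed: .reg syntax, "name"=- removes the value
        out += ["[%s]" % key, '"%s"=-' % name]
    out += ["", "Driver::", ""]
    return "\n".join(out)


if __name__ == "__main__":
    files = flag_files(SAMPLE_REPORT)
    run_hits, posture = flag_registry(SAMPLE_REPORT)
    for path, why in files.items():
        print(path, "<-", "; ".join(why))
    for key, name, path, why in run_hits:
        print('Run value "%s" -> %s <- %s' % (name, path, ", ".join(why)))
    print("posture:", posture)   # UpdatesDisableNotify=1 means the user was never warned
    print(build_cfscript(files, [(k, n) for k, n, _, _ in run_hits]))
```

Read the posture values with context: EnableFirewall=0 on the Windows Firewall is expected when ZoneAlarm is the firewall in charge, so it is not a finding by itself, whereas UpdatesDisableNotify=1 silences a warning the user would otherwise have seen. The script only drafts File:: and Registry:: sections; for files you have not yet identified, the Collect:: directive the helper used in post #4 (submit for analysis rather than delete) is the safer first step.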

#7
petree
  • Topic Starter
  • Member
  • 33 posts
Here's the new log:

ComboFix 09-03-12.01 - Goddess 2009-03-13 14:07:01.4 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.1023.668 [GMT -7:00]
Running from: c:\documents and settings\Goddess\Desktop\ComboFix.exe
AV: ZoneAlarm Security Suite Antivirus *On-access scanning disabled* (Updated)
FW: ZoneAlarm Security Suite Firewall *enabled*
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\windows\system32\ehavogek.ini

.
((((((((((((((((((((((((( Files Created from 2009-02-13 to 2009-03-13 )))))))))))))))))))))))))))))))
.

2009-03-13 13:43 . 2009-03-13 13:43 <DIR> d-------- c:\windows\LastGood
2009-03-13 12:04 . 2009-03-13 12:04 5,856 ---hs---- c:\windows\system32\higewomu.dll
2009-03-13 12:04 . 2009-03-13 12:04 5,856 ---hs---- c:\windows\system32\gakilime.dll
2009-03-11 08:37 . 2009-03-11 08:37 <DIR> d-------- C:\VundoFix Backups
2009-03-06 23:16 . 2009-03-06 23:16 <DIR> d-------- c:\documents and settings\All Users\Application Data\McAfee
2009-03-06 22:25 . 2009-03-06 22:25 <DIR> d-------- c:\documents and settings\Goddess\Application Data\MailFrontier
2009-03-06 07:56 . 2009-03-06 07:56 153 --a------ c:\windows\wininit.ini
2009-03-04 23:26 . 2009-03-04 23:26 <DIR> d-------- c:\documents and settings\Eochaid Ollathair\Application Data\MailFrontier

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-03-13 21:10 221,969,696 --sha-w c:\windows\system32\drivers\fidbox.dat
2009-03-13 20:35 2,941,052 --sha-w c:\windows\system32\drivers\fidbox.idx
2009-03-12 22:39 84,992 --sha-w c:\windows\system32\hariviza.dll
2009-03-12 22:39 79,872 --sha-w c:\windows\system32\kegovahe.dll
2009-03-12 00:25 3,292,160 ----a-w c:\windows\Internet Logs\xDB1B.tmp
2009-03-08 17:22 18,216 ----a-w c:\documents and settings\Lord Harkonnen\Application Data\GDIPFONTCACHEV1.DAT
2009-03-08 02:07 --------- d-----w c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
2009-03-08 02:06 --------- d-----w c:\program files\Spybot - Search & Destroy
2009-03-07 21:13 84,992 --sha-w c:\windows\system32\yejimoya.dll
2009-03-07 21:13 79,872 --sha-w c:\windows\system32\jupozife.dll
2009-03-07 20:55 2,023,936 ----a-w c:\windows\Internet Logs\xDB1A.tmp
2009-03-07 09:13 84,992 --sha-w c:\windows\system32\pabipihe.dll
2009-03-07 05:24 16,690,420 ----a-w c:\windows\Internet Logs\tvDebug.zip
2009-03-06 14:59 64,160 ----a-w c:\windows\system32\drivers\Lbd.sys
2009-03-06 14:59 15,688 ----a-w c:\windows\system32\lsdelete.exe
2009-03-02 05:21 3,448,832 ----a-w c:\windows\Internet Logs\xDB19.tmp
2009-02-16 07:10 72,584 ----a-w c:\windows\zllsputility.exe
2009-02-16 07:10 1,221,512 ----a-w c:\windows\system32\zpeng25.dll
2009-02-08 17:26 --------- dc-h--w c:\documents and settings\All Users\Application Data\{83C91755-2546-441D-AC40-9A6B4B860800}
2009-02-08 16:15 --------- d-----w c:\program files\Common Files\Wise Installation Wizard
2009-02-08 16:04 --------- d-----w c:\documents and settings\Goddess\Application Data\Uniblue
2009-02-08 16:04 --------- d-----w c:\documents and settings\All Users\Application Data\DriverScanner
2009-02-07 20:00 18,216 ----a-w c:\documents and settings\Goddess\Application Data\GDIPFONTCACHEV1.DAT
2009-01-13 15:06 --------- d-----w c:\program files\Lavasoft
2009-01-13 15:01 --------- d-----w c:\documents and settings\All Users\Application Data\Lavasoft
2008-12-20 23:15 826,368 ----a-w c:\windows\system32\wininet.dll
.

((((((((((((((((((((((((((((( SnapShot@2009-03-12_15.27.40.07 )))))))))))))))))))))))))))))))))))))))))
.
- 2009-03-12 22:26:24 520,896 ----a-w c:\windows\system32\ZoneLabs\avsys\bases\sfdb.dat
+ 2009-03-13 20:47:21 522,380 ----a-w c:\windows\system32\ZoneLabs\avsys\bases\sfdb.dat
- 2009-03-07 06:36:39 11,264,752 ----a-w c:\windows\system32\ZoneLabs\spyware.dat
+ 2009-03-12 23:03:32 11,402,971 ----a-w c:\windows\system32\ZoneLabs\spyware.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SpybotSD TeaTimer"="c:\program files\Spybot - Search & Destroy\TeaTimer.exe" [2009-01-26 2144088]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ZoneAlarm Client"="c:\program files\Zone Labs\ZoneAlarm\zlclient.exe" [2009-02-16 981384]
"CPM8b129cc9"="c:\windows\system32\yejimoya.dll" [2009-03-07 84992]
"8821af55"="c:\windows\system32\kegovahe.dll" [2009-03-12 79872]
"Mwudom"="c:\windows\ipofedaw.dll" [BU]
"mikarohiwe"="c:\windows\system32\bekopola.dll" [BU]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
Microsoft Office.lnk - c:\program files\Microsoft Office\Office10\OSA.EXE [2001-02-13 83360]

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\SharedTaskScheduler]
"{EC43E3FD-5C60-46a6-97D7-E0B85DBDD6C4}"= "c:\windows\system32\yejimoya.dll" [2009-03-07 84992]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad]
"SSODL"= {EC43E3FD-5C60-46a6-97D7-E0B85DBDD6C4} - c:\windows\system32\yejimoya.dll [2009-03-07 84992]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=c:\windows\system32\yejimoya.dll
"LoadAppInit_DLLs"=1 (0x1)

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Lavasoft Ad-Aware Service]
@="Service"

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"UpdatesDisableNotify"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\ZoneLabsFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\WINDOWS\\system32\\ZoneLabs\\avsys\\ScanningProcess.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\\WINDOWS\\system32\\ZoneLabs\\vsmon.exe"=
"c:\\Program Files\\Zone Labs\\ZoneAlarm\\MailFrontier\\mantispm.exe"=

R0 Lbd;Lbd;c:\windows\system32\drivers\Lbd.sys [2009-02-08 64160]
R2 Lavasoft Ad-Aware Service;Lavasoft Ad-Aware Service;c:\program files\Lavasoft\Ad-Aware\AAWService.exe [2009-01-18 951120]
.
Contents of the 'Scheduled Tasks' folder

2009-03-08 c:\windows\Tasks\Ad-Aware Update (Weekly).job
- c:\program files\Lavasoft\Ad-Aware\Ad-AwareAdmin.exe [2009-03-06 07:58]
.
.
------- Supplementary Scan -------
.
uInternet Connection Wizard,ShellNext = iexplore
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office10\EXCEL.EXE/3000
FF - ProfilePath - c:\documents and settings\Goddess\Application Data\Mozilla\Firefox\Profiles\wsmimgp8.default\
FF - plugin: c:\documents and settings\Goddess\Application Data\Mozilla\Firefox\Profiles\wsmimgp8.default\extensions\[email protected]\platform\WINNT_x86-msvc\plugins\npmnqmp07076007.dll
.

**************************************************************************

catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-03-13 14:10:02
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
Completion time: 2009-03-13 14:12:23
ComboFix-quarantined-files.txt 2009-03-13 21:12:19
ComboFix2.txt 2009-03-13 20:45:15
ComboFix3.txt 2009-03-12 22:28:50

Pre-Run: 132,361,527,296 bytes free
Post-Run: 132,349,554,688 bytes free

126 --- E O F --- 2009-02-25 18:18:17

#8
Rorschach112

Rorschach112

    Ralphie

  • Retired Staff
  • 47,710 posts
hello

Please download ATF Cleaner by Atribune.
Double-click ATF-Cleaner.exe to run the program.
Under Main choose: Select All
Click the Empty Selected button.
If you use the Firefox browser, click Firefox at the top and choose: Select All
Click the Empty Selected button.
NOTE: If you would like to keep your saved passwords, please click No at the prompt.
If you use the Opera browser, click Opera at the top and choose: Select All
Click the Empty Selected button.
NOTE: If you would like to keep your saved passwords, please click No at the prompt.
Click Exit on the Main menu to close the program.




Please download Malwarebytes' Anti-Malware from Here or Here

Double Click mbam-setup.exe to install the application.
  • Make sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.
  • If an update is found, it will download and install the latest version.
  • Once the program has loaded, select "Perform Quick Scan", then click Scan.
  • The scan may take some time to finish, so please be patient.
  • When the scan is complete, click OK, then Show Results to view the results.
  • Make sure that everything is checked, and click Remove Selected.
  • When disinfection is completed, a log will open in Notepad and you may be prompted to Restart. (See Extra Note)
  • The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
  • Copy & paste the entire report in your next reply.
Extra Note:
If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts. Click OK to either and let MBAM proceed with the disinfection process; if asked to restart the computer, please do so immediately.






Go to Kaspersky website and perform an online antivirus scan.

  • Read through the requirements and privacy statement and click on Accept button.
  • It will start downloading and installing the scanner and virus definitions. You will be prompted to install an application from Kaspersky. Click Run.
  • When the downloads have finished, click on Settings.
  • Make sure these boxes are checked (ticked). If they are not, please tick them and click on the Save button:
    • Spyware, Adware, Dialers, and other potentially dangerous programs
    • Archives
    • Mail databases
  • Click on My Computer under Scan.
  • Once the scan is complete, it will display the results. Click on View Scan Report.
  • You will see a list of infected items there. Click on Save Report As....
  • Save this report to a convenient place. Change the Files of type to Text file (.txt) before clicking on the Save button. Then post it here.


#9
petree

petree

    Member

  • Topic Starter
  • Member
  • PipPip
  • 33 posts
Thanks again for your help!

When I restart my computer, I get three pop-up windows of RUNDLL:
Error loading C:\Windows\system32\bekopola.dll
Error loading C:\Windows\system32\yejimoya.dll
Error loading C:\Windows\system32\ipofedaw.dll
The specific module could not be found

I was wondering if this is related to popups I get with Spybot. I never seem to know which ones to allow change or deny change. For instance I see:
Category: System Startup global entry
Change: Value Added
Entry: MRT
Old data: "C:\Windows\system32\MRT.exe"/R

How do I know when to accept or deny changes?

Also, I could not update Malwarebytes. I waited two hours for it to update. It kept saying "Looking for malwarebytes.org". Being impatient, I just scanned the system without updates. Here's my log:
Malwarebytes' Anti-Malware 1.34
Database version: 1749
Windows 5.1.2600 Service Pack 2

3/14/2009 1:05:09 PM
mbam-log-2009-03-14 (13-05-09).txt

Scan type: Quick Scan
Objects scanned: 74913
Time elapsed: 5 minute(s), 11 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 1
Registry Keys Infected: 3
Registry Values Infected: 5
Registry Data Items Infected: 2
Folders Infected: 0
Files Infected: 1

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
c:\WINDOWS\system32\yejimoya.dll (Trojan.Vundo.H) -> Delete on reboot.

Registry Keys Infected:
HKEY_CLASSES_ROOT\CLSID\{ec43e3fd-5c60-46a6-97d7-e0b85dbdd6c4} (Trojan.Vundo.H) -> Delete on reboot.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\contim (Trojan.Vundo) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\rdfa (Trojan.Vundo) -> Quarantined and deleted successfully.

Registry Values Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\cpm8b129cc9 (Trojan.Vundo.H) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\mikarohiwe (Trojan.Vundo.H) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\8821af55 (Trojan.Vundo.H) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SharedTaskScheduler\{ec43e3fd-5c60-46a6-97d7-e0b85dbdd6c4} (Trojan.Vundo.H) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\ssodl (Trojan.Vundo.H) -> Quarantined and deleted successfully.

Registry Data Items Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\AppInit_DLLs (Trojan.Vundo.H) -> Data: c:\windows\system32\yejimoya.dll -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\AppInit_DLLs (Trojan.Vundo.H) -> Data: system32\yejimoya.dll -> Quarantined and deleted successfully.

Folders Infected:
(No malicious items detected)

Files Infected:
c:\WINDOWS\system32\yejimoya.dll (Trojan.Vundo.H) -> Delete on reboot.


I did not get a log with Kaspersky. It did not find anything.
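The persistence entries in the ComboFix "Reg Loading Points" section posted earlier and the RUNDLL "module could not be found" errors reported in this post are two views of the same thing: an autostart value that survives after its DLL is gone. The Python below is an added example, not code from ComboFix, OTListIt or any post in this thread; it parses that log section (assuming the layout shown above and treating ComboFix's [BU] marker as "file missing", an assumption that matches OTListIt's "File not found" lines for the same values) and flags orphaned values, Run values that load a DLL through rundll32, and any module registered in several autostart locations at once.

```python
"""Triage the 'Reg Loading Points' section of a ComboFix log.
Added example for this thread; not code from ComboFix, OTListIt or any post.
It assumes the layout seen in the log above and reads ComboFix's [BU] marker
as 'target file missing', which matches OTListIt's 'File not found' lines for
the same values."""
import re
from collections import defaultdict
from typing import Dict, List, NamedTuple

# Constructed sample: autostart entries copied from the ComboFix log in this thread.
SAMPLE_LOG = r"""
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ZoneAlarm Client"="c:\program files\Zone Labs\ZoneAlarm\zlclient.exe" [2009-02-16 981384]
"CPM8b129cc9"="c:\windows\system32\yejimoya.dll" [2009-03-07 84992]
"8821af55"="c:\windows\system32\kegovahe.dll" [2009-03-12 79872]
"Mwudom"="c:\windows\ipofedaw.dll" [BU]
"mikarohiwe"="c:\windows\system32\bekopola.dll" [BU]
[hkey_local_machine\software\microsoft\windows\currentversion\explorer\SharedTaskScheduler]
"{EC43E3FD-5C60-46a6-97D7-E0B85DBDD6C4}"= "c:\windows\system32\yejimoya.dll" [2009-03-07 84992]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad]
"SSODL"= {EC43E3FD-5C60-46a6-97D7-E0B85DBDD6C4} - c:\windows\system32\yejimoya.dll [2009-03-07 84992]
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=c:\windows\system32\yejimoya.dll
"LoadAppInit_DLLs"=1 (0x1)
"""

KEY_RE = re.compile(r"^\[(?P<key>[^\]]+)\]$")
VALUE_RE = re.compile(r'^"(?P<name>[^"]+)"\s*=\s*(?P<rest>.*)$')
# First drive-letter path ending in .dll/.exe; a quote or bracket ends it.
PATH_RE = re.compile(r'([a-z]:\\[^"\[\]]*?\.(?:dll|exe))', re.IGNORECASE)


class Entry(NamedTuple):
    key: str       # registry key the value lives under
    name: str      # value name
    path: str      # module path, lower-cased for comparison
    missing: bool  # ComboFix printed [BU]: module not on disk


def parse_loading_points(text: str) -> List[Entry]:
    """Turn the REGEDIT4-style listing into Entry records."""
    entries, key = [], None
    for raw in text.splitlines():
        line = raw.strip()
        k = KEY_RE.match(line)
        if k:
            key = k.group("key")
            continue
        v = VALUE_RE.match(line)
        if not v or key is None:
            continue
        p = PATH_RE.search(v.group("rest"))
        if p:  # numeric values such as LoadAppInit_DLLs=1 carry no module
            entries.append(Entry(key, v.group("name"), p.group(1).lower(), "[BU]" in v.group("rest")))
    return entries


def location(e: Entry) -> str:
    """Short label for the load point. AppInit_DLLs sits under a key that just
    ends in 'windows', so its value name is the meaningful label there."""
    last = e.key.rsplit("\\", 1)[-1]
    return e.name if last.lower() == "windows" else last


def missing_modules(entries: List[Entry]) -> List[Entry]:
    """Values whose module is gone. Windows still processes the value at logon,
    so rundll32 reports 'Error loading <dll> ... module could not be found'
    until the orphaned value is removed; that is the symptom reported above."""
    return [e for e in entries if e.missing]


def dlls_in_run(entries: List[Entry]) -> List[Entry]:
    """Run values that name a .dll instead of a program; Windows hands those to
    rundll32, which is exactly what the OTListIt O4 lines in this thread show."""
    return [e for e in entries if e.key.lower().endswith("\\run") and e.path.endswith(".dll")]


def multi_location_modules(entries: List[Entry], min_locations: int = 2) -> Dict[str, List[str]]:
    """Modules registered in several autostart locations at once. One DLL in
    Run + SharedTaskScheduler + SSODL + AppInit_DLLs is the layering that the
    MBAM log above labels Trojan.Vundo.H."""
    by_path: Dict[str, set] = defaultdict(set)
    for e in entries:
        by_path[e.path].add(location(e))
    return {p: sorted(locs) for p, locs in by_path.items() if len(locs) >= min_locations}


def triage(text: str) -> Dict[str, list]:
    """Run the three checks and return findings by category."""
    entries = parse_loading_points(text)
    return {
        "missing": [f"{location(e)}\\{e.name} -> {e.path}" for e in missing_modules(entries)],
        "dll_in_run": [f"{e.name} -> {e.path}" for e in dlls_in_run(entries)],
        "multi_location": [f"{p}: {', '.join(locs)}" for p, locs in multi_location_modules(entries).items()],
    }


if __name__ == "__main__":
    for category, findings in triage(SAMPLE_LOG).items():
        print(f"== {category} ==")
        for item in findings:
            print("  ", item)
```

Run against the sample, the two [BU] values are the source of the "Error loading ... could not be found" pop-ups, and yejimoya.dll is the only module wired into four load points at once.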

#10
Rorschach112

Rorschach112

    Ralphie

  • Retired Staff
  • 47,710 posts
hello

  • Download OTListIt2 to your desktop.
  • Double click on the icon to run it. Make sure all other windows are closed and to let it run uninterrupted.
  • When the window appears, underneath Output at the top change it to Minimal Output.
  • Check the boxes beside LOP Check and Purity Check.
  • Under Custom Scan paste this in

    netsvcs
    msconfig
    safebootminimal
    safebootnetwork
    activex
    %systemroot%\System32\antiwpa.dll
    %systemroot%\SYSTEM32\wpa.dll
    %systemroot%\setup\scripts\biestart.exe
    %systemroot%\system32\drivers\royal.sys
    %systemroot%\system32\serauth1.dll
    %systemroot%\system32\serauth2.dll
    %systemroot%\system32\sysaudio.sys
    %systemroot%\system32\wdmaud.sys
    %systemroot%\system32\aeaudio.sys

  • Click the Run Scan button. Do not change any settings unless otherwise told to do so. The scan won't take long.
  • When the scan completes, it will open two notepad windows. OTListIt.Txt and Extras.Txt. These are saved in the same location as OTListIt2.
  • Please copy (Edit->Select All, Edit->Copy) the contents of these files, one at a time, and post it with your next reply. You may need two posts to fit them all in.



#11
petree

petree

    Member

  • Topic Starter
  • Member
  • PipPip
  • 33 posts
Hello,

Thanks for your help.

Here's the OTListIt log:

OTListIt logfile created on: 3/15/2009 7:19:47 AM - Run 1
OTListIt2 by OldTimer - Version 2.0.3.8 Folder = C:\Documents and Settings\Goddess\Desktop
Windows XP Professional Edition Service Pack 2 (Version = 5.1.2600) - Type = NTWorkstation
Internet Explorer (Version = 7.0.5730.13)
Locale: 00000409 | Country: United States | Language: ENU | Date Format: M/d/yyyy

1023.00 Mb Total Physical Memory | 488.02 Mb Available Physical Memory | 47.70% Memory free
2.40 Gb Paging File | 2.01 Gb Available in Paging File | 83.77% Paging File free
Paging file location(s): C:\pagefile.sys 1536 3072;

%SystemDrive% = C: | %SystemRoot% = C:\WINDOWS | %ProgramFiles% = C:\Program Files
Drive C: | 149.04 Gb Total Space | 122.97 Gb Free Space | 82.51% Space Free | Partition Type: NTFS
D: Drive not present or media not loaded
E: Drive not present or media not loaded
F: Drive not present or media not loaded
G: Drive not present or media not loaded
H: Drive not present or media not loaded
I: Drive not present or media not loaded

Computer Name: GEHENNA-C21FF70
Current User Name: Goddess
Logged in as Administrator.

Current Boot Mode: Normal
Scan Mode: Current user
Output = Minimal
File Age = 30 Days
Company Name Whitelist: On

========== Processes (SafeList) ==========

PRC - C:\Program Files\Ahead\InCD\InCDsrv.exe (Ahead Software AG)
PRC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe (Check Point Software Technologies LTD)
PRC - C:\WINDOWS\Explorer.EXE (Microsoft Corporation)
PRC - C:\WINDOWS\system32\ZoneLabs\avsys\ScanningProcess.exe (Kaspersky Lab.)
PRC - C:\Program Files\Lavasoft\Ad-Aware\AAWService.exe (Lavasoft)
PRC - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe (Apple, Inc.)
PRC - C:\Program Files\Bonjour\mDNSResponder.exe (Apple Inc.)
PRC - C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe (Check Point Software Technologies LTD)
PRC - C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe (Safer Networking Limited)
PRC - C:\Program Files\Zone Labs\ZoneAlarm\MailFrontier\mantispm.exe (SonicWALL, Inc.)
PRC - C:\WINDOWS\system32\wbem\unsecapp.exe (Microsoft Corporation)
PRC - C:\WINDOWS\system32\wbem\wmiprvse.exe (Microsoft Corporation)
PRC - C:\Program Files\Lavasoft\Ad-Aware\AAWTray.exe (Lavasoft)
PRC - C:\Documents and Settings\Goddess\Desktop\OTListIt2.exe (OldTimer Tools)

========== Win32 Services (SafeList) ==========

SRV - (Apple Mobile Device [Auto | Running]) -- C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe (Apple, Inc.)
SRV - (Bonjour Service [Auto | Running]) -- C:\Program Files\Bonjour\mDNSResponder.exe (Apple Inc.)
SRV - (helpsvc [Auto | Running]) -- C:\WINDOWS\PCHealth\HelpCtr\Binaries\pchsvc.dll (Microsoft Corporation)
SRV - (InCDsrvR [Auto | Running]) -- C:\Program Files\Ahead\InCD\InCDsrv.exe (Ahead Software AG)
SRV - (iPod Service [On_Demand | Stopped]) -- C:\Program Files\iPod\bin\iPodService.exe (Apple Inc.)
SRV - (Lavasoft Ad-Aware Service [Auto | Running]) -- C:\Program Files\Lavasoft\Ad-Aware\AAWService.exe (Lavasoft)
SRV - (vsmon [Auto | Running]) -- C:\WINDOWS\system32\ZoneLabs\vsmon.exe (Check Point Software Technologies LTD)
SRV - (WMPNetworkSvc [On_Demand | Stopped]) -- C:\Program Files\Windows Media Player\WMPNetwk.exe (Microsoft Corporation)

========== Driver Services (SafeList) ==========

DRV - (cercsr6 [Boot | Stopped]) -- C:\WINDOWS\System32\drivers\cercsr6.sys (Adaptec, Inc.)
DRV - (ctsfm2k [On_Demand | Running]) -- C:\WINDOWS\system32\DRIVERS\ctsfm2k.sys (Creative Technology Ltd)
DRV - (E100B [On_Demand | Stopped]) -- C:\WINDOWS\system32\DRIVERS\e100b325.sys (Intel Corporation)
DRV - (FETNDISB [On_Demand | Running]) -- C:\WINDOWS\system32\DRIVERS\dlkfet5b.sys (D-Link )
DRV - (GEARAspiWDM [On_Demand | Running]) -- C:\WINDOWS\System32\Drivers\GEARAspiWDM.sys (GEAR Software Inc.)
DRV - (InCDfs [Disabled | Running]) -- C:\WINDOWS\System32\drivers\InCDfs.sys (Ahead Software AG)
DRV - (InCDPass [System | Running]) -- C:\WINDOWS\System32\DRIVERS\InCDPass.sys (Ahead Software AG)
DRV - (incdrm [System | Running]) -- C:\WINDOWS\System32\drivers\InCDrm.sys (Ahead Software AG)
DRV - (KLIF [System | Running]) -- C:\WINDOWS\system32\DRIVERS\klif.sys (Kaspersky Lab)
DRV - (Lbd [Boot | Running]) -- C:\WINDOWS\system32\DRIVERS\Lbd.sys (Lavasoft AB)
DRV - (nv [On_Demand | Running]) -- C:\WINDOWS\system32\DRIVERS\nv4_mini.sys (NVIDIA Corporation)
DRV - (ossrv [On_Demand | Running]) -- C:\WINDOWS\system32\DRIVERS\ctoss2k.sys (Creative Technology Ltd.)
DRV - (P17 [On_Demand | Running]) -- C:\WINDOWS\system32\drivers\P17.sys (Creative Technology Ltd.)
DRV - (Ptilink [On_Demand | Running]) -- C:\WINDOWS\system32\DRIVERS\ptilink.sys (Parallel Technologies, Inc.)
DRV - (PxHelp20 [Boot | Running]) -- C:\WINDOWS\System32\Drivers\PxHelp20.sys (Sonic Solutions)
DRV - (Secdrv [On_Demand | Stopped]) -- C:\WINDOWS\system32\DRIVERS\secdrv.sys (Macrovision Corporation, Macrovision Europe Limited, and Macrovision Japan and Asia K.K.)
DRV - (srescan [Boot | Running]) -- C:\WINDOWS\system32\ZoneLabs\srescan.sys (Check Point Software Technologies LTD)
DRV - (vsdatant [System | Running]) -- C:\WINDOWS\System32\vsdatant.sys (Check Point Software Technologies LTD)

========== Standard Registry (SafeList) ==========


========== Internet Explorer ==========

IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft....k/?LinkId=69157
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft....k/?LinkId=54896
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Default_Secondary_Page_URL =
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Extensions Off Page = about:NoAdd-ons
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Local Page = %SystemRoot%\system32\blank.htm
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft....k/?LinkId=54896
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Security Risk Page = about:SecurityRisk
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft....k/?LinkId=69157
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Search,CustomizeSearch = http://ie.search.msn...st/srchcust.htm
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Search,SearchAssistant = http://ie.search.msn...st/srchasst.htm

IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Local Page = C:\WINDOWS\system32\blank.htm
IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Search Page = http://www.microsoft...amp;ar=iesearch
IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = http://www.microsoft...p...&ar=msnhome
IE - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0

========== FireFox ==========

FF - prefs.js..browser.search.update:
FF - prefs.js..extensions.enabledItems: {CAFEEFAC-0016-0000-0003-ABCDEFFEDCBA}:6.0.03
FF - prefs.js..extensions.enabledItems: [email protected]:1.0.0.07076007
FF - prefs.js..extensions.enabledItems: {9C09CB1F-719C-4370-9B9E-6B3E0C4BAC2F}:1.0
FF - prefs.js..extensions.enabledItems: {F4D8DDF5-B13F-4C51-8F0B-94451D609C5F}:1.0
FF - prefs.js..extensions.enabledItems: {972ce4c6-7e08-4474-a285-3208198ce6fd}:3.0.4
FF - HKLM\software\mozilla\Firefox\Extensions\\{9C09CB1F-719C-4370-9B9E-6B3E0C4BAC2F}: C:\DOCUMENTS AND SETTINGS\GODDESS\LOCAL SETTINGS\APPLICATION DATA\{9C09CB1F-719C-4370-9B9E-6B3E0C4BAC2F} [2009/03/07 14:25:43 | 00,000,000 | ---D | M]
FF - HKLM\software\mozilla\Firefox\Extensions\\{F4D8DDF5-B13F-4C51-8F0B-94451D609C5F}: C:\DOCUMENTS AND SETTINGS\LORD HARKONNEN\LOCAL SETTINGS\APPLICATION DATA\{F4D8DDF5-B13F-4C51-8F0B-94451D609C5F} [2009/03/07 22:23:03 | 00,000,000 | ---D | M]
FF - HKLM\software\mozilla\Mozilla Firefox 3.0.4\extensions\\Components: C:\PROGRAM FILES\MOZILLA FIREFOX\COMPONENTS [2008/11/21 00:09:51 | 00,000,000 | ---D | M]
FF - HKLM\software\mozilla\Mozilla Firefox 3.0.4\extensions\\Plugins: C:\PROGRAM FILES\MOZILLA FIREFOX\PLUGINS [2008/11/16 07:47:45 | 00,000,000 | ---D | M]
[2008/09/05 12:10:46 | 00,000,000 | ---D | M] -- C:\Documents and Settings\Goddess\Application Data\mozilla\Extensions
[2008/09/05 12:10:46 | 00,000,000 | ---D | M] -- C:\Documents and Settings\Goddess\Application Data\mozilla\Extensions\{ec8030f7-c20a-464f-9b0e-13a3a9e97384}
[2008/12/14 12:53:11 | 00,000,000 | ---D | M] -- C:\Documents and Settings\Goddess\Application Data\mozilla\Firefox\Profiles\wsmimgp8.default\extensions
[2008/03/13 09:04:56 | 00,000,000 | ---D | M] -- C:\Documents and Settings\Goddess\Application Data\mozilla\Firefox\Profiles\wsmimgp8.default\extensions\[email protected]
[2009/03/12 15:18:58 | 00,000,000 | ---D | M] -- C:\Program Files\mozilla firefox\extensions
[2008/11/16 07:47:45 | 00,000,000 | ---D | M] -- C:\Program Files\mozilla firefox\extensions\{972ce4c6-7e08-4474-a285-3208198ce6fd}
[2008/02/27 20:49:55 | 00,000,000 | ---D | M] -- C:\Program Files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0003-ABCDEFFEDCBA}
[2008/11/16 07:47:34 | 00,023,040 | ---- | M] (Mozilla Foundation) -- C:\Program Files\mozilla firefox\components\browserdirprovider.dll
[2008/11/16 07:47:34 | 00,134,656 | ---- | M] (Mozilla Foundation) -- C:\Program Files\mozilla firefox\components\brwsrcmp.dll

O1 HOSTS File: (27 bytes) - C:\WINDOWS\System32\drivers\etc\Hosts
O1 - Hosts: 127.0.0.1 localhost
O2 - BHO: (no name) - {3489b446-9585-4db4-98b0-85f23d99cbf9} - Reg Error: Key error. File not found
O2 - BHO: (Spybot-S&D IE Protection) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll (Safer Networking Limited)
O2 - BHO: (EWPBrowseObject Class) - {68F9551E-0411-48E4-9AAF-4BC42A6A46BE} - C:\Program Files\Canon\Easy-WebPrint\EWPBrowseLoader.dll ()
O2 - BHO: (SSVHelper Class) - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll (Sun Microsystems, Inc.)
O2 - BHO: (no name) - {aeb641f4-c2cd-4b34-87c7-865ed8fbfcba} - Reg Error: Key error. File not found
O3 - HKLM\..\Toolbar: (Easy-WebPrint) - {327C2873-E90D-4c37-AA9D-10AC9BABA46C} - C:\Program Files\Canon\Easy-WebPrint\Toolband.dll ()
O4 - HKLM..\Run: [CPM8b129cc9] Rundll32.exe "c:\windows\system32\yejimoya.dll",a File not found
O4 - HKLM..\Run: [mikarohiwe] Rundll32.exe "C:\WINDOWS\system32\bekopola.dll",s File not found
O4 - HKLM..\Run: [Mwudom] rundll32.exe "C:\WINDOWS\ipofedaw.dll",e File not found
O4 - HKLM..\Run: [ZoneAlarm Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe" (Check Point Software Technologies LTD)
O4 - HKCU..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe (Safer Networking Limited)
O4 - Startup: C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE (Microsoft Corporation)
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: HonorAutoRunSetting = 1
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveAutoRun = 67108863
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 323
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDrives = 0
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: dontdisplaylastusername = 0
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: legalnoticecaption =
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: legalnoticetext =
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: shutdownwithoutlogon = 1
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: undockwithoutlogon = 1
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: DisableRegistryTools = 0
O7 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O7 - HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 323
O7 - HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveAutoRun = 67108863
O7 - HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDrives = 0
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra 'Tools' menuitem : Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\npjpi160_03.dll (Sun Microsystems, Inc.)
O9 - Extra 'Tools' menuitem : Spybot - Search && Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll (Safer Networking Limited)
O9 - Extra Button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe (Microsoft Corporation)
O9 - Extra 'Tools' menuitem : Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe (Microsoft Corporation)
O10 - NameSpace_Catalog5\Catalog_Entries\000000000004 [mdnsNSP] - C:\Program Files\Bonjour\mdnsNSP.dll (Apple Inc.)
O15 - HKLM\..Trusted Domains: 49 domain(s) and sub-domain(s) not assigned to a zone.
O15 - HKCU\..Trusted Domains: 48 domain(s) and sub-domain(s) not assigned to a zone.
O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} http://java.sun.com/...indows-i586.cab (Java Plug-in 1.6.0_03)
O16 - DPF: {CAFEEFAC-0016-0000-0003-ABCDEFFEDCBA} http://java.sun.com/...indows-i586.cab (Java Plug-in 1.6.0_03)
O16 - DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} http://java.sun.com/...indows-i586.cab (Java Plug-in 1.6.0_03)
O18 - Protocol\Handler\cdo {CD00020A-8B95-11D1-82DB-00C04FB1625D} - C:\Program Files\Common Files\Microsoft Shared\Web Folders\PKMCDO.DLL (Microsoft Corporation)
O18 - Protocol\Handler\http\0x00000001 {E1D2BF42-A96B-11d1-9C6B-0000F875AC61} - C:\Program Files\Common Files\System\OLE DB\msdaipp.dll (Microsoft Corporation)
O18 - Protocol\Handler\http\oledb {E1D2BF40-A96B-11d1-9C6B-0000F875AC61} - C:\Program Files\Common Files\System\OLE DB\msdaipp.dll (Microsoft Corporation)
O18 - Protocol\Handler\https\0x00000001 {E1D2BF42-A96B-11d1-9C6B-0000F875AC61} - C:\Program Files\Common Files\System\OLE DB\msdaipp.dll (Microsoft Corporation)
O18 - Protocol\Handler\https\oledb {E1D2BF40-A96B-11d1-9C6B-0000F875AC61} - C:\Program Files\Common Files\System\OLE DB\msdaipp.dll (Microsoft Corporation)
O18 - Protocol\Handler\ipp\0x00000001 {E1D2BF42-A96B-11d1-9C6B-0000F875AC61} - C:\Program Files\Common Files\System\OLE DB\msdaipp.dll (Microsoft Corporation)
O18 - Protocol\Handler\msdaipp\0x00000001 {E1D2BF42-A96B-11d1-9C6B-0000F875AC61} - C:\Program Files\Common Files\System\OLE DB\msdaipp.dll (Microsoft Corporation)
O18 - Protocol\Handler\msdaipp\oledb {E1D2BF40-A96B-11d1-9C6B-0000F875AC61} - C:\Program Files\Common Files\System\OLE DB\msdaipp.dll (Microsoft Corporation)
O18 - Protocol\Handler\mso-offdap {3D9F03FA-7A94-11D3-BE81-0050048385D1} - C:\Program Files\Common Files\Microsoft Shared\Web Components\10\OWC10.DLL (Microsoft Corporation)
O20 - HKLM Winlogon: Shell - (Explorer.exe) - C:\WINDOWS\Explorer.exe (Microsoft Corporation)
O24 - Desktop Components:0 (My Current Home Page) - About:Home
O31 - SafeBoot: AlternateShell - cmd.exe
O32 - HKLM CDRom: AutoRun - 1
O32 - Autorun File - C:\AUTOEXEC.BAT () - [ NTFS ]

========== Files/Folders - Created Within 30 Days ==========

[3 C:\WINDOWS\System32\*.tmp files]
[3 C:\WINDOWS\*.tmp files]
[2009/03/15 07:15:47 | 00,497,152 | ---- | C] (OldTimer Tools) -- C:\Documents and Settings\Goddess\Desktop\OTListIt2.exe
[2009/03/14 12:18:34 | 00,000,000 | ---D | C] -- C:\Documents and Settings\Goddess\Application Data\Malwarebytes
[2009/03/14 12:18:31 | 00,000,696 | ---- | C] () -- C:\Documents and Settings\All Users\Desktop\Malwarebytes' Anti-Malware.lnk
[2009/03/14 12:18:30 | 00,015,504 | ---- | C] (Malwarebytes Corporation) -- C:\WINDOWS\System32\drivers\mbam.sys
[2009/03/14 12:18:27 | 00,038,496 | ---- | C] (Malwarebytes Corporation) -- C:\WINDOWS\System32\drivers\mbamswissarmy.sys
[2009/03/14 12:18:25 | 00,000,000 | ---D | C] -- C:\Program Files\Malwarebytes' Anti-Malware
[2009/03/14 12:18:25 | 00,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Application Data\Malwarebytes
[2009/03/14 12:16:50 | 02,876,728 | ---- | C] (Malwarebytes Corporation ) -- C:\Documents and Settings\Goddess\Desktop\mbam-setup.exe
[2009/03/14 12:16:29 | 00,000,000 | -HSD | C] -- C:\RECYCLER
[2009/03/14 08:54:33 | 00,000,127 | ---- | C] () -- C:\WINDOWS\System32\MRT.INI
[2009/03/14 08:54:32 | 00,000,000 | ---D | C] -- C:\WINDOWS\System32\MpEngineStore
[2009/03/14 08:52:40 | 24,768,960 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\MRT.exe
[2009/03/14 08:51:13 | 00,221,184 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\wmpns.dll
[2009/03/13 18:20:34 | 00,041,472 | ---- | C] () -- C:\Documents and Settings\Goddess\My Documents\Address Book 2009.03.13.xls
[2009/03/13 14:19:30 | 00,000,121 | -HS- | C] () -- C:\WINDOWS\System32\ehavogek.ini
[2009/03/13 12:04:58 | 00,005,856 | -HS- | C] () -- C:\WINDOWS\System32\higewomu.dll
[2009/03/13 12:04:58 | 00,005,856 | -HS- | C] () -- C:\WINDOWS\System32\gakilime.dll
[2009/03/12 15:55:05 | 00,040,960 | ---- | C] () -- C:\Documents and Settings\Goddess\My Documents\Address Book 2009.03.12.xls
[2009/03/12 15:28:52 | 00,000,000 | ---D | C] -- C:\WINDOWS\temp
[2009/03/12 15:19:36 | 00,000,211 | ---- | C] () -- C:\Boot.bak
[2009/03/12 15:19:32 | 00,260,272 | ---- | C] () -- C:\cmldr
[2009/03/12 15:19:30 | 00,000,000 | RHSD | C] -- C:\cmdcons
[2009/03/12 15:14:24 | 00,212,480 | ---- | C] (SteelWerX) -- C:\WINDOWS\SWXCACLS.exe
[2009/03/12 15:14:24 | 00,161,792 | ---- | C] (SteelWerX) -- C:\WINDOWS\SWREG.exe
[2009/03/12 15:14:24 | 00,136,704 | ---- | C] (SteelWerX) -- C:\WINDOWS\SWSC.exe
[2009/03/12 15:14:24 | 00,098,816 | ---- | C] () -- C:\WINDOWS\sed.exe
[2009/03/12 15:14:24 | 00,089,504 | ---- | C] (Smallfrogs Studio) -- C:\WINDOWS\fdsv.exe
[2009/03/12 15:14:24 | 00,080,412 | ---- | C] () -- C:\WINDOWS\grep.exe
[2009/03/12 15:14:24 | 00,068,096 | ---- | C] () -- C:\WINDOWS\zip.exe
[2009/03/12 15:14:24 | 00,049,152 | ---- | C] () -- C:\WINDOWS\VFIND.exe
[2009/03/12 15:14:24 | 00,029,696 | ---- | C] (NirSoft) -- C:\WINDOWS\NIRCMD.exe
[2009/03/12 15:14:00 | 00,000,000 | ---D | C] -- C:\WINDOWS\ERDNT
[2009/03/12 15:12:58 | 00,000,000 | ---D | C] -- C:\Qoobox
[2009/03/12 15:12:34 | 02,933,518 | R--- | C] () -- C:\Documents and Settings\Goddess\Desktop\ComboFix.exe
[2009/03/12 12:25:02 | 00,024,064 | ---- | C] () -- C:\Documents and Settings\Goddess\My Documents\Phone Directory.doc
[2009/03/11 17:22:01 | 00,401,720 | ---- | C] (Trend Micro Inc.) -- C:\Documents and Settings\Goddess\Desktop\HiJackThis.exe
[2009/03/11 08:37:36 | 00,000,000 | ---D | C] -- C:\VundoFix Backups
[2009/03/07 19:36:18 | 00,000,000 | ---D | C] -- C:\Documents and Settings\Goddess\My Documents\2009 Desktop
[2009/03/07 14:25:43 | 00,000,000 | ---D | C] -- C:\Documents and Settings\Goddess\Local Settings\Application Data\{9C09CB1F-719C-4370-9B9E-6B3E0C4BAC2F}
[2009/03/07 13:45:02 | 16,409,960 | ---- | C] (Safer Networking Limited ) -- C:\Documents and Settings\Goddess\Desktop\spybotsd162.exe
[2009/03/07 09:18:48 | 00,000,000 | ---D | C] -- C:\WINDOWS\Minidump
[2009/03/07 08:20:34 | 00,000,933 | ---- | C] () -- C:\Documents and Settings\Goddess\Desktop\Spybot - Search & Destroy.lnk
[2009/03/06 23:16:21 | 00,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Application Data\McAfee
[2009/03/06 22:25:53 | 00,000,000 | ---D | C] -- C:\Documents and Settings\Goddess\Application Data\MailFrontier
[2009/03/06 22:19:12 | 00,148,496 | ---- | C] (Kaspersky Lab) -- C:\WINDOWS\System32\drivers\klif.sys
[2009/03/06 07:56:48 | 00,000,153 | ---- | C] () -- C:\WINDOWS\wininit.ini
[2009/03/06 07:44:57 | 00,015,360 | ---- | C] () -- C:\Documents and Settings\Goddess\My Documents\Harddrives.xls
[2009/03/04 19:20:17 | 00,040,448 | ---- | C] () -- C:\Documents and Settings\Goddess\My Documents\Address Book 2009.03.04.xls
[2009/03/01 13:07:00 | 00,014,848 | ---- | C] () -- C:\Documents and Settings\Goddess\My Documents\2009 KL.xls

========== Files - Modified Within 30 Days ==========

[3 C:\WINDOWS\System32\*.tmp files]
[3 C:\WINDOWS\*.tmp files]
[2009/03/15 07:20:59 | 22,698,5504 | -HS- | M] () -- C:\WINDOWS\System32\drivers\fidbox.dat
[2009/03/15 07:15:48 | 00,497,152 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\Goddess\Desktop\OTListIt2.exe
[2009/03/15 07:15:09 | 00,001,916 | ---- | M] () -- C:\rollback.ini
[2009/03/15 07:08:48 | 00,351,225 | ---- | M] () -- C:\WINDOWS\System32\vsconfig.xml
[2009/03/15 07:08:23 | 00,000,006 | -H-- | M] () -- C:\WINDOWS\tasks\SA.DAT
[2009/03/15 07:08:10 | 00,002,048 | --S- | M] () -- C:\WINDOWS\bootstat.dat
[2009/03/15 07:08:08 | 10,727,66976 | -HS- | M] () -- C:\hiberfil.sys
[2009/03/14 23:34:03 | 03,038,972 | -HS- | M] () -- C:\WINDOWS\System32\drivers\fidbox.idx
[2009/03/14 12:18:31 | 00,000,696 | ---- | M] () -- C:\Documents and Settings\All Users\Desktop\Malwarebytes' Anti-Malware.lnk
[2009/03/14 12:17:00 | 02,876,728 | ---- | M] (Malwarebytes Corporation ) -- C:\Documents and Settings\Goddess\Desktop\mbam-setup.exe
[2009/03/14 11:50:04 | 00,114,176 | ---- | M] () -- C:\WINDOWS\System32\FNTCACHE.DAT
[2009/03/14 08:54:34 | 00,000,127 | ---- | M] () -- C:\WINDOWS\System32\MRT.INI
[2009/03/14 08:52:14 | 00,001,374 | ---- | M] () -- C:\WINDOWS\imsins.BAK
[2009/03/13 18:44:31 | 00,041,472 | ---- | M] () -- C:\Documents and Settings\Goddess\My Documents\Address Book 2009.03.13.xls
[2009/03/13 14:19:30 | 00,000,121 | -HS- | M] () -- C:\WINDOWS\System32\ehavogek.ini
[2009/03/13 14:10:06 | 00,000,227 | ---- | M] () -- C:\WINDOWS\system.ini
[2009/03/13 14:02:08 | 02,933,518 | R--- | M] () -- C:\Documents and Settings\Goddess\Desktop\ComboFix.exe
[2009/03/13 13:40:43 | 00,000,027 | ---- | M] () -- C:\WINDOWS\System32\drivers\etc\hosts
[2009/03/13 13:34:28 | 00,011,168 | -H-- | M] () -- C:\WINDOWS\System32\gogajoso
[2009/03/13 13:04:49 | 00,040,960 | ---- | M] () -- C:\Documents and Settings\Goddess\My Documents\Address Book 2009.03.12.xls
[2009/03/13 12:04:58 | 00,005,856 | -HS- | M] () -- C:\WINDOWS\System32\higewomu.dll
[2009/03/13 12:04:58 | 00,005,856 | -HS- | M] () -- C:\WINDOWS\System32\gakilime.dll
[2009/03/12 15:39:31 | 00,084,992 | -HS- | M] () -- C:\WINDOWS\System32\hariviza.dll
[2009/03/12 15:25:29 | 00,004,212 | -H-- | M] () -- C:\WINDOWS\System32\zllictbl.dat
[2009/03/12 15:19:36 | 00,000,281 | RHS- | M] () -- C:\boot.ini
[2009/03/12 12:25:03 | 00,024,064 | ---- | M] () -- C:\Documents and Settings\Goddess\My Documents\Phone Directory.doc
[2009/03/11 10:12:18 | 00,401,720 | ---- | M] (Trend Micro Inc.) -- C:\Documents and Settings\Goddess\Desktop\HiJackThis.exe
[2009/03/11 05:48:49 | 00,002,206 | ---- | M] () -- C:\WINDOWS\System32\wpa.dbl
[2009/03/09 14:11:16 | 00,356,120 | ---- | M] () -- C:\WINDOWS\System32\PerfStringBackup.INI
[2009/03/09 14:11:16 | 00,311,604 | ---- | M] () -- C:\WINDOWS\System32\perfh009.dat
[2009/03/09 14:11:16 | 00,039,992 | ---- | M] () -- C:\WINDOWS\System32\perfc009.dat
[2009/03/08 09:28:02 | 00,000,472 | ---- | M] () -- C:\WINDOWS\tasks\Ad-Aware Update (Weekly).job
[2009/03/07 14:13:30 | 00,079,872 | -HS- | M] () -- C:\WINDOWS\System32\jupozife.dll
[2009/03/07 13:46:31 | 00,000,933 | ---- | M] () -- C:\Documents and Settings\Goddess\Desktop\Spybot - Search & Destroy.lnk
[2009/03/07 13:45:27 | 16,409,960 | ---- | M] (Safer Networking Limited ) -- C:\Documents and Settings\Goddess\Desktop\spybotsd162.exe
[2009/03/07 02:13:03 | 00,084,992 | -HS- | M] () -- C:\WINDOWS\System32\pabipihe.dll
[2009/03/06 07:59:27 | 00,015,688 | ---- | M] () -- C:\WINDOWS\System32\lsdelete.exe
[2009/03/06 07:59:21 | 00,064,160 | ---- | M] (Lavasoft AB) -- C:\WINDOWS\System32\drivers\Lbd.sys
[2009/03/06 07:56:51 | 00,000,153 | ---- | M] () -- C:\WINDOWS\wininit.ini
[2009/03/06 07:56:37 | 00,015,360 | ---- | M] () -- C:\Documents and Settings\Goddess\My Documents\Harddrives.xls
[2009/03/04 19:20:18 | 00,040,448 | ---- | M] () -- C:\Documents and Settings\Goddess\My Documents\Address Book 2009.03.04.xls
[2009/03/01 14:48:07 | 00,014,848 | ---- | M] () -- C:\Documents and Settings\Goddess\My Documents\2009 KL.xls
[2009/02/25 12:55:00 | 24,768,960 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\System32\MRT.exe
[2009/02/19 03:18:14 | 00,000,664 | ---- | M] () -- C:\WINDOWS\System32\d3d9caps.dat
[2009/02/18 18:47:32 | 00,054,156 | -H-- | M] () -- C:\WINDOWS\QTFont.qfn
[2009/02/15 14:14:59 | 00,040,448 | ---- | M] () -- C:\Documents and Settings\Goddess\My Documents\Address Book 2009.02.10.xls

========== LOP Check ==========

[2009/03/14 12:18:25 | 00,000,000 | RH-D | M] -- C:\Documents and Settings\All Users\Application Data
[2009/02/08 10:26:00 | 00,000,000 | -H-D | M] -- C:\Documents and Settings\All Users\Application Data\{83C91755-2546-441D-AC40-9A6B4B860800}
[2008/02/13 17:20:03 | 00,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\Adobe
[2007/12/06 23:16:19 | 00,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\Ahead
[2007/10/25 14:19:54 | 00,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\Apple
[2008/03/05 01:59:48 | 00,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\Apple Computer
[2007/12/10 14:49:35 | 00,000,000 | -H-D | M] -- C:\Documents and Settings\All Users\Application Data\CanonBJ
[2009/02/08 09:04:03 | 00,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\DriverScanner
[2009/01/13 08:01:19 | 00,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\Lavasoft
[2007/10/25 13:21:18 | 00,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\MailFrontier
[2009/03/14 12:18:25 | 00,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\Malwarebytes
[2009/03/06 23:16:21 | 00,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\McAfee
[2007/10/28 13:15:46 | 00,000,000 | --SD | M] -- C:\Documents and Settings\All Users\Application Data\Microsoft
[2009/03/07 19:07:28 | 00,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
[2007/11/20 03:07:31 | 00,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\Windows Genuine Advantage
[2009/03/14 12:18:34 | 00,000,000 | RH-D | M] -- C:\Documents and Settings\Goddess\Application Data
[2007/10/25 14:07:19 | 00,000,000 | ---D | M] -- C:\Documents and Settings\Goddess\Application Data\.clamwin
[2008/01/26 22:19:19 | 00,000,000 | ---D | M] -- C:\Documents and Settings\Goddess\Application Data\Adobe
[2007/12/10 22:44:18 | 00,000,000 | ---D | M] -- C:\Documents and Settings\Goddess\Application Data\Apple Computer
[2008/07/15 12:24:15 | 00,000,000 | ---D | M] -- C:\Documents and Settings\Goddess\Application Data\DivX
[2007/11/28 20:54:14 | 00,000,000 | ---D | M] -- C:\Documents and Settings\Goddess\Application Data\Google
[2007/08/27 07:12:17 | 00,000,000 | ---D | M] -- C:\Documents and Settings\Goddess\Application Data\Identities
[2008/01/05 11:22:56 | 00,000,000 | ---D | M] -- C:\Documents and Settings\Goddess\Application Data\Leadertech
[2007/10/25 17:33:35 | 00,000,000 | ---D | M] -- C:\Documents and Settings\Goddess\Application Data\Macromedia
[2009/03/06 22:25:54 | 00,000,000 | ---D | M] -- C:\Documents and Settings\Goddess\Application Data\MailFrontier
[2009/03/14 12:18:34 | 00,000,000 | ---D | M] -- C:\Documents and Settings\Goddess\Application Data\Malwarebytes
[2008/03/29 07:45:00 | 00,000,000 | --SD | M] -- C:\Documents and Settings\Goddess\Application Data\Microsoft
[2008/03/13 09:06:46 | 00,000,000 | ---D | M] -- C:\Documents and Settings\Goddess\Application Data\Move Networks
[2008/09/05 12:10:46 | 00,000,000 | ---D | M] -- C:\Documents and Settings\Goddess\Application Data\Mozilla
[2008/03/09 20:44:31 | 00,000,000 | ---D | M] -- C:\Documents and Settings\Goddess\Application Data\Sun
[2009/02/08 09:04:04 | 00,000,000 | ---D | M] -- C:\Documents and Settings\Goddess\Application Data\Uniblue
[2008/02/24 13:21:35 | 00,000,000 | ---D | M] -- C:\Documents and Settings\Goddess\Application Data\Ventrilo
[2009/03/08 09:28:02 | 00,000,472 | ---- | M] () -- C:\WINDOWS\Tasks\Ad-Aware Update (Weekly).job
[2004/08/04 05:00:00 | 00,000,065 | RH-- | M] () -- C:\WINDOWS\Tasks\desktop.ini
[2009/03/15 07:08:23 | 00,000,006 | -H-- | M] () -- C:\WINDOWS\Tasks\SA.DAT

========== Purity Check ==========


========== Custom Scans ==========



========== Net Services ==========

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SvcHost\\NetSvcs

6to4 - -
AppMgmt - C:\WINDOWS\System32\appmgmts.dll - (Microsoft Corporation)
AudioSrv - C:\WINDOWS\System32\audiosrv.dll - (Microsoft Corporation)
Browser - C:\WINDOWS\System32\browser.dll - (Microsoft Corporation)
CryptSvc - C:\WINDOWS\System32\cryptsvc.dll - (Microsoft Corporation)
DMServer - C:\WINDOWS\System32\dmserver.dll - (Microsoft Corp.)
DHCP - C:\WINDOWS\System32\dhcpcsvc.dll - (Microsoft Corporation)
ERSvc - C:\WINDOWS\System32\ersvc.dll - (Microsoft Corporation)
EventSystem - C:\WINDOWS\system32\es.dll - (Microsoft Corporation)
FastUserSwitchingCompatibility - C:\WINDOWS\System32\shsvcs.dll - (Microsoft Corporation)
HidServ - C:\WINDOWS\System32\hidserv.dll - File not found
Ias - -
Iprip - -
Irmon - -
LanmanServer - C:\WINDOWS\System32\srvsvc.dll - (Microsoft Corporation)
LanmanWorkstation - C:\WINDOWS\System32\wkssvc.dll - (Microsoft Corporation)
Messenger - C:\WINDOWS\System32\msgsvc.dll - (Microsoft Corporation)
Netman - C:\WINDOWS\System32\netman.dll - (Microsoft Corporation)
Nla - C:\WINDOWS\System32\mswsock.dll - (Microsoft Corporation)
Ntmssvc - C:\WINDOWS\system32\ntmssvc.dll - (Microsoft Corporation)
NWCWorkstation - -
Nwsapagent - -
Rasauto - C:\WINDOWS\System32\rasauto.dll - (Microsoft Corporation)
Rasman - C:\WINDOWS\System32\rasmans.dll - (Microsoft Corporation)
Remoteaccess - C:\WINDOWS\System32\mprdim.dll - (Microsoft Corporation)
Schedule - C:\WINDOWS\system32\schedsvc.dll - (Microsoft Corporation)
Seclogon - C:\WINDOWS\System32\seclogon.dll - (Microsoft Corporation)
SENS - C:\WINDOWS\system32\sens.dll - (Microsoft Corporation)
Sharedaccess - C:\WINDOWS\System32\ipnathlp.dll - (Microsoft Corporation)
SRService - C:\WINDOWS\system32\srsvc.dll - (Microsoft Corporation)
Tapisrv - C:\WINDOWS\System32\tapisrv.dll - (Microsoft Corporation)
Themes - C:\WINDOWS\System32\shsvcs.dll - (Microsoft Corporation)
TrkWks - C:\WINDOWS\system32\trkwks.dll - (Microsoft Corporation)
W32Time - C:\WINDOWS\system32\w32time.dll - (Microsoft Corporation)
WZCSVC - C:\WINDOWS\System32\wzcsvc.dll - (Microsoft Corporation)
Wmi - C:\WINDOWS\System32\advapi32.dll - (Microsoft Corporation)
WmdmPmSp - -
winmgmt - C:\WINDOWS\system32\wbem\WMIsvc.dll - (Microsoft Corporation)
wscsvc - C:\WINDOWS\system32\wscsvc.dll - (Microsoft Corporation)
xmlprov - C:\WINDOWS\System32\xmlprov.dll - (Microsoft Corporation)
BITS - C:\WINDOWS\system32\qmgr.dll - (Microsoft Corporation)
wuauserv - C:\WINDOWS\system32\wuauserv.dll - (Microsoft Corporation)
ShellHWDetection - C:\WINDOWS\System32\shsvcs.dll - (Microsoft Corporation)
helpsvc - C:\WINDOWS\PCHealth\HelpCtr\Binaries\pchsvc.dll - (Microsoft Corporation)
WmdmPmSN - C:\WINDOWS\system32\MsPMSNSv.dll - (Microsoft Corporation)

======= End Net Services =========




========== SafeBoot-Minimal Settings ==========

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\

AppMgmt - %SystemRoot%\System32\appmgmts.dll - (Microsoft Corporation)
Base - Driver Group
Boot Bus Extender - Driver Group
Boot file system - Driver Group
CryptSvc - %SystemRoot%\System32\cryptsvc.dll - (Microsoft Corporation)
DcomLaunch - %SystemRoot%\system32\rpcss.dll - (Microsoft Corporation)
dmadmin - %SystemRoot%\System32\dmadmin.exe - (Microsoft Corp., Veritas Software)
dmboot.sys - %SystemRoot%\System32\drivers\dmboot.sys - (Microsoft Corp., Veritas Software)
dmio.sys - %SystemRoot%\System32\drivers\dmio.sys - (Microsoft Corp., Veritas Software)
dmload.sys - %SystemRoot%\System32\drivers\dmload.sys - (Microsoft Corp., Veritas Software.)
dmserver - %SystemRoot%\System32\dmserver.dll - (Microsoft Corp.)
EventLog - %SystemRoot%\system32\services.exe - (Microsoft Corporation)
File system - Driver Group
Filter - Driver Group
HelpSvc - %SystemRoot%\PCHealth\HelpCtr\Binaries\pchsvc.dll - (Microsoft Corporation)
Lavasoft Ad-Aware Service - %ProgramFiles%\Lavasoft\Ad-Aware\AAWService.exe - (Lavasoft)
Netlogon - %SystemRoot%\system32\lsass.exe - (Microsoft Corporation)
PCI Configuration - Driver Group
PlugPlay - %SystemRoot%\system32\services.exe - (Microsoft Corporation)
PNP Filter - Driver Group
Primary disk - Driver Group
RpcSs - %SystemRoot%\System32\rpcss.dll - (Microsoft Corporation)
SCSI Class - Driver Group
sermouse.sys - Driver
sr.sys - %SystemRoot%\system32\DRIVERS\sr.sys - (Microsoft Corporation)
SRService - %SystemRoot%\system32\srsvc.dll - (Microsoft Corporation)
System Bus Extender - Driver Group
vga.sys - Driver
vgasave.sys - %SystemRoot%\System32\drivers\vga.sys - (Microsoft Corporation)
WinMgmt - %SystemRoot%\system32\wbem\WMIsvc.dll - (Microsoft Corporation)
{36FC9E60-C465-11CF-8056-444553540000} - Universal Serial Bus controllers
{4D36E965-E325-11CE-BFC1-08002BE10318} - CD-ROM Drive
{4D36E967-E325-11CE-BFC1-08002BE10318} - DiskDrive
{4D36E969-E325-11CE-BFC1-08002BE10318} - Standard floppy disk controller
{4D36E96A-E325-11CE-BFC1-08002BE10318} - Hdc
{4D36E96B-E325-11CE-BFC1-08002BE10318} - Keyboard
{4D36E96F-E325-11CE-BFC1-08002BE10318} - Mouse
{4D36E977-E325-11CE-BFC1-08002BE10318} - PCMCIA Adapters
{4D36E97B-E325-11CE-BFC1-08002BE10318} - SCSIAdapter
{4D36E97D-E325-11CE-BFC1-08002BE10318} - System
{4D36E980-E325-11CE-BFC1-08002BE10318} - Floppy disk drive
{71A27CDD-812A-11D0-BEC7-08002BE2092F} - Volume
{745A17A0-74D3-11D0-B6FE-00A0C90F57DA} - Human Interface Devices

======= End SafeBoot-Minimal =========



========== SafeBoot-Network Settings ==========

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Network\

AFD - %SystemRoot%\System32\drivers\afd.sys - (Microsoft Corporation)
AppMgmt - %SystemRoot%\System32\appmgmts.dll - (Microsoft Corporation)
Base - Driver Group
Boot Bus Extender - Driver Group
Boot file system - Driver Group
Browser - %SystemRoot%\System32\browser.dll - (Microsoft Corporation)
CryptSvc - %SystemRoot%\System32\cryptsvc.dll - (Microsoft Corporation)
DcomLaunch - %SystemRoot%\system32\rpcss.dll - (Microsoft Corporation)
Dhcp - %SystemRoot%\System32\dhcpcsvc.dll - (Microsoft Corporation)
dmadmin - %SystemRoot%\System32\dmadmin.exe - (Microsoft Corp., Veritas Software)
dmboot.sys - %SystemRoot%\System32\drivers\dmboot.sys - (Microsoft Corp., Veritas Software)
dmio.sys - %SystemRoot%\System32\drivers\dmio.sys - (Microsoft Corp., Veritas Software)
dmload.sys - %SystemRoot%\System32\drivers\dmload.sys - (Microsoft Corp., Veritas Software.)
dmserver - %SystemRoot%\System32\dmserver.dll - (Microsoft Corp.)
DnsCache - %SystemRoot%\System32\dnsrslvr.dll - (Microsoft Corporation)
EventLog - %SystemRoot%\system32\services.exe - (Microsoft Corporation)
File system - Driver Group
Filter - Driver Group
HelpSvc - %SystemRoot%\PCHealth\HelpCtr\Binaries\pchsvc.dll - (Microsoft Corporation)
ip6fw.sys - %SystemRoot%\system32\DRIVERS\Ip6Fw.sys - (Microsoft Corporation)
ipnat.sys - %SystemRoot%\system32\DRIVERS\ipnat.sys - (Microsoft Corporation)
LanmanServer - %SystemRoot%\System32\srvsvc.dll - (Microsoft Corporation)
LanmanWorkstation - %SystemRoot%\System32\wkssvc.dll - (Microsoft Corporation)
Lavasoft Ad-Aware Service - %ProgramFiles%\Lavasoft\Ad-Aware\AAWService.exe - (Lavasoft)
LmHosts - %SystemRoot%\System32\lmhsvc.dll - (Microsoft Corporation)
Messenger - %SystemRoot%\System32\msgsvc.dll - (Microsoft Corporation)
NDIS - %SystemRoot%\System32\drivers\ndis.sys - (Microsoft Corporation)
NDIS Wrapper - Driver Group
Ndisuio - %SystemRoot%\system32\DRIVERS\ndisuio.sys - (Microsoft Corporation)
NetBIOS - %SystemRoot%\system32\DRIVERS\netbios.sys - (Microsoft Corporation)
NetBIOSGroup - Driver Group
NetBT - %SystemRoot%\system32\DRIVERS\netbt.sys - (Microsoft Corporation)
NetDDEGroup - Driver Group
Netlogon - %SystemRoot%\system32\lsass.exe - (Microsoft Corporation)
NetMan - %SystemRoot%\System32\netman.dll - (Microsoft Corporation)
Network - Driver Group
NetworkProvider - Driver Group
NtLmSsp - %SystemRoot%\system32\lsass.exe - (Microsoft Corporation)
PCI Configuration - Driver Group
PlugPlay - %SystemRoot%\system32\services.exe - (Microsoft Corporation)
PNP Filter - Driver Group
PNP_TDI - Driver Group
Primary disk - Driver Group
rdpcdd.sys - %SystemRoot%\System32\DRIVERS\RDPCDD.sys - (Microsoft Corporation)
rdpdd.sys - %SystemRoot%\System32\rdpdd.dll - (Microsoft Corporation)
rdpwd.sys - %SystemRoot%\System32\drivers\rdpwd.sys - (Microsoft Corporation)
rdsessmgr - %SystemRoot%\system32\sessmgr.exe - (Microsoft Corporation)
RpcSs - %SystemRoot%\System32\rpcss.dll - (Microsoft Corporation)
SCSI Class - Driver Group
sermouse.sys - Driver
SharedAccess - %SystemRoot%\System32\ipnathlp.dll - (Microsoft Corporation)
sr.sys - %SystemRoot%\system32\DRIVERS\sr.sys - (Microsoft Corporation)
SRService - %SystemRoot%\system32\srsvc.dll - (Microsoft Corporation)
Streams Drivers - Driver Group
System Bus Extender - Driver Group
Tcpip - %SystemRoot%\system32\DRIVERS\tcpip.sys - (Microsoft Corporation)
TDI - Driver Group
tdpipe.sys - %SystemRoot%\System32\drivers\tdpipe.sys - (Microsoft Corporation)
tdtcp.sys - %SystemRoot%\System32\drivers\tdtcp.sys - (Microsoft Corporation)
termservice - %SystemRoot%\System32\termsrv.dll - (Microsoft Corporation)
vga.sys - Driver
vgasave.sys - %SystemRoot%\System32\drivers\vga.sys - (Microsoft Corporation)
vsmon - %SystemRoot%\system32\ZoneLabs\vsmon.exe - (Check Point Software Technologies LTD)
WinMgmt - %SystemRoot%\system32\wbem\WMIsvc.dll - (Microsoft Corporation)
WZCSVC - %SystemRoot%\System32\wzcsvc.dll - (Microsoft Corporation)
{36FC9E60-C465-11CF-8056-444553540000} - Universal Serial Bus controllers
{4D36E965-E325-11CE-BFC1-08002BE10318} - CD-ROM Drive
{4D36E967-E325-11CE-BFC1-08002BE10318} - DiskDrive
{4D36E969-E325-11CE-BFC1-08002BE10318} - Standard floppy disk controller
{4D36E96A-E325-11CE-BFC1-08002BE10318} - Hdc
{4D36E96B-E325-11CE-BFC1-08002BE10318} - Keyboard
{4D36E96F-E325-11CE-BFC1-08002BE10318} - Mouse
{4D36E972-E325-11CE-BFC1-08002BE10318} - Net
{4D36E973-E325-11CE-BFC1-08002BE10318} - NetClient
{4D36E974-E325-11CE-BFC1-08002BE10318} - NetService
{4D36E975-E325-11CE-BFC1-08002BE10318} - NetTrans
{4D36E977-E325-11CE-BFC1-08002BE10318} - PCMCIA Adapters
{4D36E97B-E325-11CE-BFC1-08002BE10318} - SCSIAdapter
{4D36E97D-E325-11CE-BFC1-08002BE10318} - System
{4D36E980-E325-11CE-BFC1-08002BE10318} - Floppy disk drive
{71A27CDD-812A-11D0-BEC7-08002BE2092F} - Volume
{745A17A0-74D3-11D0-B6FE-00A0C90F57DA} - Human Interface Devices

======= End SafeBoot-Network =========



========== ActiveX Components ==========

{08B0E5C0-4FCB-11CF-AAA5-00401C608500}: Java (Sun)
{10072CEC-8CC1-11D1-986E-00A0C955B42F}: Vector Graphics Rendering (VML)
{2179C5D3-EBFF-11CF-B6FD-00AA00B4E220}: NetShow
{22d6f312-b0f6-11d0-94ab-0080c74c7e95}: Microsoft Windows Media Player 6.4
{283807B5-2C60-11D0-A31D-00AA00B92C03}: DirectAnimation
{2C7339CF-2B09-4501-B3F3-F3508C9228ED}: %SystemRoot%\system32\regsvr32.exe /s /n /i:/UserInstall %SystemRoot%\system32\themeui.dll
{36f8ec70-c29a-11d1-b5c7-0000f8051515}: Dynamic HTML Data Binding for Java
{3af36230-a269-11d1-b5bf-0000f8051515}: Offline Browsing Pack
{3bf42070-b3b1-11d1-b5c5-0000f8051515}: Uniscribe
{4278c270-a269-11d1-b5bf-0000f8051515}: Advanced Authoring
{44BBA840-CC51-11CF-AAFA-00AA00B6015C}: "%ProgramFiles%\Outlook Express\setup50.exe" /APP:OE /CALLER:WINNT /user /install
{44BBA842-CC51-11CF-AAFA-00AA00B6015B}: rundll32.exe advpack.dll,LaunchINFSection C:\WINDOWS\INF\msnetmtg.inf,NetMtg.Install.PerUser.NT
{44BBA848-CC51-11CF-AAFA-00AA00B6015C}: DirectShow
{44BBA855-CC51-11CF-AAFA-00AA00B6015F}: DirectDrawEx
{45ea75a0-a269-11d1-b5bf-0000f8051515}: Internet Explorer Help
{4f216970-c90c-11d1-b5c7-0000f8051515}: DirectAnimation Java Classes
{4f645220-306d-11d2-995d-00c04f98bbc9}: Microsoft Windows Script 5.7
{5056b317-8d4c-43ee-8543-b9d1e234b8f4}: Security Update for Windows XP (KB923789)
{5945c046-1e7d-11d1-bc44-00c04fd912be}: rundll32.exe advpack.dll,LaunchINFSection C:\WINDOWS\INF\msmsgs.inf,BLC.QuietInstall.PerUser
{5A8D6EE0-3E18-11D0-821E-444553540000}: ICW
{5fd399c0-a70a-11d1-9948-00c04f98bbc9}: Internet Explorer Setup Tools
{630b1da0-b465-11d1-9948-00c04f98bbc9}: Browsing Enhancements
{6BF52A52-394A-11d3-B153-00C04F79FAA6}: Microsoft Windows Media Player
{6fab99d0-bab8-11d1-994a-00c04f98bbc9}: MSN Site Access
{73FA19D0-2D75-11D2-995D-00C04F98BBC9}: Web Folders
{7790769C-0471-11d2-AF11-00C04FA35D02}: "%ProgramFiles%\Outlook Express\setup50.exe" /APP:WAB /CALLER:WINNT /user /install
{89820200-ECBD-11cf-8B85-00AA005B4340}: regsvr32.exe /s /n /i:U shell32.dll
{89820200-ECBD-11cf-8B85-00AA005B4383}: C:\WINDOWS\system32\ie4uinit.exe -BaseSettings
{9381D8F2-0288-11D0-9501-00AA00B911A5}: Dynamic HTML Data Binding
{ACC563BC-4266-43f0-B6ED-9D38C4202C7E}:
{C9E9A340-D1F1-11D0-821E-444553540600}: Internet Explorer Core Fonts
{CC2A9BA0-3BDD-11D0-821E-444553540000}: Task Scheduler
{CDD7975E-60F8-41d5-8149-19E51D6F71D0}: Windows Movie Maker v2.1
{D27CDB6E-AE6D-11cf-96B8-444553540000}: Shockwave Flash
{de5aed00-a4bf-11d1-9948-00c04f98bbc9}: HTML Help
{E92B03AB-B707-11d2-9CBD-0000F87A369E}: Active Directory Service Interface
<{12d0ed0d-0ee0-4f90-8827-78cefb8f4988}: C:\WINDOWS\system32\ieudinit.exe
>{22d6f312-b0f6-11d0-94ab-0080c74c7e95}: C:\WINDOWS\inf\unregmp2.exe /ShowWMP
>{26923b43-4d38-484f-9b9e-de460746276c}: C:\WINDOWS\system32\ie4uinit.exe -UserIconConfig
>{60B49E34-C7CC-11D0-8953-00A0C90347FF}: RunDLL32 IEDKCS32.DLL,BrandIE4 SIGNUP
>{60B49E34-C7CC-11D0-8953-00A0C90347FF}MICROS: RunDLL32 IEDKCS32.DLL,BrandIE4 SIGNUP
>{881dd1c5-3dcf-431b-b061-f3f88e8be88a}: %systemroot%\system32\shmgrate.exe OCInstallUserConfigOE

======= End ActiveX =========


< %systemroot%\System32\antiwpa.dll >

< %systemroot%\SYSTEM32\wpa.dll >

< %systemroot%\setup\scripts\biestart.exe >

< %systemroot%\system32\drivers\royal.sys >

< %systemroot%\system32\serauth1.dll >

< %systemroot%\system32\serauth2.dll >

< %systemroot%\system32\sysaudio.sys >

< %systemroot%\system32\wdmaud.sys >

< %systemroot%\system32\aeaudio.sys >
< End of report >
  • 0

#12
petree

    Member

  • Topic Starter
  • Member
  • 33 posts
Here's the Extras log:

OTListIt Extras logfile created on: 3/15/2009 7:19:47 AM - Run 1
OTListIt2 by OldTimer - Version 2.0.3.8 Folder = C:\Documents and Settings\Goddess\Desktop
Windows XP Professional Edition Service Pack 2 (Version = 5.1.2600) - Type = NTWorkstation
Internet Explorer (Version = 7.0.5730.13)
Locale: 00000409 | Country: United States | Language: ENU | Date Format: M/d/yyyy

1023.00 Mb Total Physical Memory | 488.02 Mb Available Physical Memory | 47.70% Memory free
2.40 Gb Paging File | 2.01 Gb Available in Paging File | 83.77% Paging File free
Paging file location(s): C:\pagefile.sys 1536 3072;

%SystemDrive% = C: | %SystemRoot% = C:\WINDOWS | %ProgramFiles% = C:\Program Files
Drive C: | 149.04 Gb Total Space | 122.97 Gb Free Space | 82.51% Space Free | Partition Type: NTFS
D: Drive not present or media not loaded
E: Drive not present or media not loaded
F: Drive not present or media not loaded
G: Drive not present or media not loaded
H: Drive not present or media not loaded
I: Drive not present or media not loaded

Computer Name: GEHENNA-C21FF70
Current User Name: Goddess
Logged in as Administrator.

Current Boot Mode: Normal
Scan Mode: Current user
Output = Minimal
File Age = 30 Days
Company Name Whitelist: On

========== File Associations ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\<extension>]
.html [@ = FirefoxHTML] -- C:\Program Files\Mozilla Firefox\firefox.exe (Mozilla Corporation)

========== Security Center Settings ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center]
"FirstRunDisabled" = 1
"AntiVirusDisableNotify" = 0
"FirewallDisableNotify" = 0
"UpdatesDisableNotify" = 1
"AntiVirusOverride" = 0
"FirewallOverride" = 0
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\AhnlabAntiVirus]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\ComputerAssociatesAntiVirus]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\KasperskyAntiVirus]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\McAfeeAntiVirus]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\McAfeeFirewall]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\PandaAntiVirus]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\PandaFirewall]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\SophosAntiVirus]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\SymantecAntiVirus]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\SymantecFirewall]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\TinyFirewall]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\TrendAntiVirus]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\TrendFirewall]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\ZoneLabsFirewall]
"DisableMonitoring" = 1

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile
"EnableFirewall" = 0
"DoNotAllowExceptions" = 0
"DisableNotifications" = 0

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\GloballyOpenPorts\List
"1900:UDP" = 1900:UDP:LocalSubNet:Enabled:@xpsp2res.dll,-22007
"2869:TCP" = 2869:TCP:LocalSubNet:Enabled:@xpsp2res.dll,-22008
"139:TCP" = 139:TCP:LocalSubNet:Disabled:@xpsp2res.dll,-22004
"445:TCP" = 445:TCP:LocalSubNet:Disabled:@xpsp2res.dll,-22005
"137:UDP" = 137:UDP:LocalSubNet:Disabled:@xpsp2res.dll,-22001
"138:UDP" = 138:UDP:LocalSubNet:Disabled:@xpsp2res.dll,-22002

========== Authorized Applications List ==========

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\AuthorizedApplications\List]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List]
C:\WINDOWS\system32\ZoneLabs\avsys\ScanningProcess.exe:*:Enabled:Kaspersky AV Scanner (Kaspersky Lab.)
C:\Program Files\Bonjour\mDNSResponder.exe:*:Enabled:Bonjour (Apple Inc.)
C:\Program Files\iTunes\iTunes.exe:*:Enabled:iTunes (Apple Inc.)
C:\WINDOWS\system32\ZoneLabs\vsmon.exe:*:Enabled:vsmon (Check Point Software Technologies LTD)
C:\Program Files\Zone Labs\ZoneAlarm\MailFrontier\mantispm.exe:*:Enabled:mantispm (SonicWALL, Inc.)

========== HKEY_LOCAL_MACHINE Uninstall List ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall]
"{02E89EFC-7B07-4D5A-AA03-9EC0902914EE}" = VC 9.0 Runtime
"{1199FAD5-9546-44f3-81CF-FFDB8040B7BF}_Canon_iP6700D" = Canon iP6700D
"{18D10072035C4515918F7E37EAFAACFC}" = AutoUpdate
"{1E04F83B-2AB9-4301-9EF7-E86307F79C72}" = Google Earth
"{3248F0A8-6813-11D6-A77B-00B0D0160030}" = Java™ 6 Update 3
"{350C97B0-3D7C-4EE8-BAA9-00BCB3D54227}" = WebFldrs XP
"{44734179-8A79-4DEE-BB08-73037F065543}" = Apple Mobile Device Support
"{47BF1BD6-DCAC-468F-A0AD-E5DECC2211C3}" = Bonjour
"{789289CA-F73A-4A16-A331-54D498CE069F}" = Ventrilo Client
"{7B63B2922B174135AFC0E1377DD81EC2}" = DivX Codec
"{80FD852F-5AAC-4129-B931-06AAFFA43138}" = iTunes
"{8ADFC4160D694100B5B8A22DE9DCABD9}" = DivX Player
"{90280409-6000-11D3-8CFE-0050048383C9}" = Microsoft Office XP Professional with FrontPage
"{A040AC77-C1AA-4CC9-8931-9F648AF178F6}" = VC 9.0 Runtime
"{A9CA9E18-F14C-4875-83A5-2CC40340FA95}" = Microsoft Global IME for Office XP (Korean)
"{AC76BA86-7AD7-1033-7B44-A81200000003}" = Adobe Reader 8.1.2
"{B13A7C41581B411290FBC0395694E2A9}" = DivX Converter
"{B4092C6D-E886-4CB2-BA68-FE5A88D31DE6}_is1" = Spybot - Search & Destroy
"{B7050CBDB2504B34BC2A9CA0A692CC29}" = DivX Web Player
"{B74F042E-E1B9-4A5B-8D46-387BB172F0A4}" = Apple Software Update
"{BFD96B89-B769-4CD6-B11E-E79FFD46F067}" = QuickTime
"{C71A1FD7-EB23-45AA-A9AA-8DFEC0881875}" = 530TX+
"{D050D7362D214723AD585B541FFB6C11}" = DivX Content Uploader
"{DED53B0B-B67C-4244-AE6A-D6FD3C28D1EF}" = Ad-Aware
"{F333A33D-125C-32A2-8DCE-5C5D14231E27}" = Visual C++ 2008 x86 Runtime - (v9.0.30729)
"{F333A33D-125C-32A2-8DCE-5C5D14231E27}.vc_x86runtime_30729_01" = Visual C++ 2008 x86 Runtime - v9.0.30729.01
"Ad-Aware" = Ad-Aware
"Adobe Flash Player Plugin" = Adobe Flash Player Plugin
"Canon iP6700D User Registration" = Canon iP6700D User Registration
"CanonMyPrinter" = Canon My Printer
"Celestia_is1" = Celestia 1.4.1
"ClamWin Free Antivirus_is1" = ClamWin Free Antivirus 0.94.1
"Easy-PhotoPrint" = Canon Utilities Easy-PhotoPrint
"Easy-WebPrint" = Easy-WebPrint
"getPlus®_dll" = getPlus®_dll
"Guild Wars" = Guild Wars
"HijackThis" = HijackThis 2.0.2
"IDNMitigationAPIs" = Microsoft Internationalized Domain Names Mitigation APIs
"ie7" = Windows Internet Explorer 7
"InstallShield_{C71A1FD7-EB23-45AA-A9AA-8DFEC0881875}" = 530TX+
"Malwarebytes' Anti-Malware_is1" = Malwarebytes' Anti-Malware
"MCU PDUiP6700DMon.exe" = Canon iP6700D Memory Card Utility
"Mozilla Firefox (3.0.4)" = Mozilla Firefox (3.0.4)
"MSCompPackV1" = Microsoft Compression Client Pack 1.0 for Windows XP
"Nero PhotoShow Elite" = Nero PhotoShow Elite
"NeroMultiInstaller!UninstallKey" = Nero Suite
"NLSDownlevelMapping" = Microsoft National Language Support Downlevel APIs
"Pharaoh" = Pharaoh
"Spybot - Search & Destroy_is1" = Spybot - Search & Destroy 1.5.2.20
"VN_VUIns_Rhine_D-Link" = D-Link PCI Fast Ethernet Adapter
"Windows Media Format Runtime" = Windows Media Format 11 runtime
"Windows Media Player" = Windows Media Player 11
"WMFDist11" = Windows Media Format 11 runtime
"wmp11" = Windows Media Player 11
"Wudf01000" = Microsoft User-Mode Driver Framework Feature Pack 1.0
"ZoneAlarm Security Suite" = ZoneAlarm Security Suite

========== Last 10 Event Log Errors ==========

[ Application Events ]
Error - 4/12/2008 3:09:27 PM | Computer Name = GEHENNA-C21FF70 | Source = Application Hang | ID = 1002
Description = Hanging application firefox.exe, version 1.8.20080.31114, hang module
hungapp, version 0.0.0.0, hang address 0x00000000.

Error - 4/29/2008 9:55:28 PM | Computer Name = GEHENNA-C21FF70 | Source = Application Error | ID = 1000
Description = Faulting application acrord32.exe, version 8.1.0.137, faulting module
acrord32.dll, version 8.1.2.86, fault address 0x003bbcd0.

Error - 5/15/2008 7:31:34 PM | Computer Name = GEHENNA-C21FF70 | Source = Application Hang | ID = 1002
Description = Hanging application firefox.exe, version 1.8.20080.40413, hang module
hungapp, version 0.0.0.0, hang address 0x00000000.

Error - 6/6/2008 10:21:13 AM | Computer Name = GEHENNA-C21FF70 | Source = Application Hang | ID = 1002
Description = Hanging application SpybotSD.exe, version 1.5.1.15, hang module hungapp,
version 0.0.0.0, hang address 0x00000000.

Error - 6/6/2008 10:22:18 AM | Computer Name = GEHENNA-C21FF70 | Source = Application Hang | ID = 1002
Description = Hanging application LSUpdateManager.exe, version 7.0.2.6, hang module
hungapp, version 0.0.0.0, hang address 0x00000000.

Error - 7/10/2008 12:15:29 AM | Computer Name = GEHENNA-C21FF70 | Source = Application Hang | ID = 1002
Description = Hanging application Ad-Aware2007.exe, version 7.0.2.7, hang module
hungapp, version 0.0.0.0, hang address 0x00000000.

[ System Events ]
Error - 3/15/2009 10:08:24 AM | Computer Name = GEHENNA-C21FF70 | Source = E100B | ID = 5003
Description = Intel® PRO/100 VE Network Connection : Could not find an adapter.

Error - 3/15/2009 10:08:24 AM | Computer Name = GEHENNA-C21FF70 | Source = Cdrom | ID = 262151
Description = The device, \Device\CdRom1, has a bad block.

Error - 3/15/2009 10:08:24 AM | Computer Name = GEHENNA-C21FF70 | Source = Cdrom | ID = 262151
Description = The device, \Device\CdRom1, has a bad block.

Error - 3/15/2009 10:08:24 AM | Computer Name = GEHENNA-C21FF70 | Source = Cdrom | ID = 262151
Description = The device, \Device\CdRom1, has a bad block.

Error - 3/15/2009 10:08:24 AM | Computer Name = GEHENNA-C21FF70 | Source = Cdrom | ID = 262151
Description = The device, \Device\CdRom1, has a bad block.

Error - 3/15/2009 10:08:24 AM | Computer Name = GEHENNA-C21FF70 | Source = Cdrom | ID = 262151
Description = The device, \Device\CdRom1, has a bad block.

Error - 3/15/2009 10:08:34 AM | Computer Name = GEHENNA-C21FF70 | Source = Cdrom | ID = 262151
Description = The device, \Device\CdRom1, has a bad block.

Error - 3/15/2009 10:09:11 AM | Computer Name = GEHENNA-C21FF70 | Source = Cdrom | ID = 262151
Description = The device, \Device\CdRom1, has a bad block.

Error - 3/15/2009 10:19:47 AM | Computer Name = GEHENNA-C21FF70 | Source = Cdrom | ID = 262151
Description = The device, \Device\CdRom1, has a bad block.

Error - 3/15/2009 10:20:47 AM | Computer Name = GEHENNA-C21FF70 | Source = Cdrom | ID = 262151
Description = The device, \Device\CdRom1, has a bad block.


< End of report >
  • 0

#13
Rorschach112

    Ralphie

  • Retired Staff
  • 47,710 posts
hello

Run OTListIt2.exe
  • Under the Custom Scans/Fixes box at the bottom, paste in the following

    :OTLI
    PRC - C:\WINDOWS\explorer.exe (Microsoft Corporation)
    PRC - C:\Program Files\Lavasoft\Ad-Aware\AAWService.exe (Lavasoft)
    PRC - C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe (Safer Networking Limited)
    PRC - C:\Program Files\Lavasoft\Ad-Aware\AAWTray.exe (Lavasoft)
    O2 - BHO: (no name) - {3489b446-9585-4db4-98b0-85f23d99cbf9} - Reg Error: Key error. File not found
    O2 - BHO: (no name) - {aeb641f4-c2cd-4b34-87c7-865ed8fbfcba} - Reg Error: Key error. File not found
    O4 - HKLM..\Run: [CPM8b129cc9] Rundll32.exe "c:\windows\system32\yejimoya.dll",a File not found
    O4 - HKLM..\Run: [mikarohiwe] Rundll32.exe "C:\WINDOWS\system32\bekopola.dll",s File not found
    O4 - HKLM..\Run: [Mwudom] rundll32.exe "C:\WINDOWS\ipofedaw.dll",e File not found
    [2009/03/13 14:19:30 | 00,000,121 | -HS- | C] () -- C:\WINDOWS\System32\ehavogek.ini
    [2009/03/13 12:04:58 | 00,005,856 | -HS- | C] () -- C:\WINDOWS\System32\higewomu.dll
    [2009/03/13 12:04:58 | 00,005,856 | -HS- | C] () -- C:\WINDOWS\System32\gakilime.dll
    [2009/03/13 13:34:28 | 00,011,168 | -H-- | M] () -- C:\WINDOWS\System32\gogajoso
    [2009/03/13 12:04:58 | 00,005,856 | -HS- | M] () -- C:\WINDOWS\System32\higewomu.dll
    [2009/03/13 12:04:58 | 00,005,856 | -HS- | M] () -- C:\WINDOWS\System32\gakilime.dll
    [2009/03/12 15:39:31 | 00,084,992 | -HS- | M] () -- C:\WINDOWS\System32\hariviza.dll
    [2009/03/07 14:13:30 | 00,079,872 | -HS- | M] () -- C:\WINDOWS\System32\jupozife.dll
    [2009/03/07 02:13:03 | 00,084,992 | -HS- | M] () -- C:\WINDOWS\System32\pabipihe.dll
    
    :Services
    
    :Reg
    
    :Files
    
    :Commands
    [purity]
    [emptytemp]
    [start explorer]
    [Reboot]
  • Then click the Run Fix button at the top
  • Let the program run unhindered, reboot when it is done
  • Then post a new OTL2 log ( don't check the boxes beside LOP Check or Purity this time )

  • 0
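The fix script above is built by hand from OTL log entries: hidden+system files in System32 with eight-letter pseudo-random names, and O4 autorun entries that load such a DLL through rundll32 and now read "File not found". As an added example (not from this thread, not part of OTL, and not the helper's own method), the following Python triage helper reads OTL-style file and O4 lines and lists the entries a human should look at before writing a fix list. The log line formats are taken from this thread; the scoring heuristics (hidden+system attributes, System32 location, missing company info, eight lowercase letters, single-letter rundll32 export, dangling autorun) are assumptions of this example, and the sample lines are constructed from entries in the thread plus two benign entries for contrast. It changes nothing on disk.

```python
"""Triage helper for OTL / OTListIt2 log lines (added example, hypothetical heuristics)."""
import ntpath
import re
from collections import namedtuple

Finding = namedtuple("Finding", "category path reasons")

# File entry, as seen in this thread:
#   [2009/03/13 12:04:58 | 00,005,856 | -HS- | C] () -- C:\WINDOWS\System32\higewomu.dll
FILE_RE = re.compile(
    r"^\[(?P<ts>[\d/]+ [\d:]+) \| (?P<size>[\d,]+) \| (?P<attrs>[-A-Z]{4}) \| (?P<kind>[CM])\]"
    r" \((?P<company>[^)]*)\) -- (?P<path>.+)$"
)
# Autorun entry, as seen in this thread:
#   O4 - HKLM..\Run: [Mwudom] rundll32.exe "C:\WINDOWS\ipofedaw.dll",e File not found
RUN_RE = re.compile(r"^O4 - (?P<hive>[A-Z]+)\.\.\\Run: \[(?P<name>[^\]]*)\] (?P<cmd>.*)$")
# rundll32.exe "<dll>",<export>
RUNDLL_RE = re.compile(r'rundll32\.exe\s+"?(?P<dll>[^",]+\.dll)"?\s*,\s*(?P<export>\S+)', re.IGNORECASE)
# Assumed naming signal: exactly eight lowercase letters, as in higewomu / gakilime / yejimoya
RANDOM_NAME_RE = re.compile(r"^[a-z]{8}$")


def analyse_file(m):
    """Return the reasons a file entry looks suspicious, or [] if it does not."""
    path, attrs, company = m["path"], m["attrs"], m["company"].strip()
    stem, ext = ntpath.splitext(ntpath.basename(path))
    reasons = []
    if "H" in attrs and "S" in attrs:
        reasons.append("hidden+system attributes")
    if "\\system32\\" in path.lower() and ext.lower() in (".dll", ".ini", ""):
        reasons.append("DLL/INI/extensionless file in System32")
    if not company:
        reasons.append("no company/version info")
    random_name = bool(RANDOM_NAME_RE.match(stem))
    if random_name:
        reasons.append("8-letter pseudo-random name")
    # Require the naming signal plus one corroborating signal; a lone
    # hidden/system file such as desktop.ini must not be flagged.
    return reasons if random_name and len(reasons) >= 2 else []


def analyse_run(m):
    """Return (target, reasons) for an O4 autorun entry; reasons is [] if benign."""
    cmd = m["cmd"]
    reasons = []
    if cmd.endswith("File not found"):
        reasons.append("autorun target file not found")
    rd = RUNDLL_RE.search(cmd)
    target = rd["dll"] if rd else cmd
    if rd:
        stem = ntpath.splitext(ntpath.basename(rd["dll"]))[0]
        if RANDOM_NAME_RE.match(stem):
            reasons.append("rundll32 loads pseudo-random DLL")
        if len(rd["export"]) == 1:
            reasons.append("single-letter export name")
    # A dangling autorun alone is a common leftover; require two signals.
    return target, (reasons if len(reasons) >= 2 else [])


def triage(lines):
    """Parse OTL-style lines and return de-duplicated Findings worth a human look."""
    findings, seen = [], set()
    for raw in lines:
        line = raw.strip()
        fm = FILE_RE.match(line)
        rm = RUN_RE.match(line)
        if fm:
            category, path, reasons = "file", fm["path"], analyse_file(fm)
        elif rm:
            path, reasons = analyse_run(rm)
            category = "autorun"
        else:
            continue  # not a line type this helper understands
        key = (category, path.lower())
        if reasons and key not in seen:
            seen.add(key)
            findings.append(Finding(category, path, reasons))
    return findings


# Constructed sample: entries from this thread plus two benign entries for contrast.
SAMPLE_LOG = r"""
O4 - HKLM..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre6\bin\jusched.exe (Sun Microsystems, Inc.)
O4 - HKLM..\Run: [CPM8b129cc9] Rundll32.exe "c:\windows\system32\yejimoya.dll",a File not found
O4 - HKLM..\Run: [Mwudom] rundll32.exe "C:\WINDOWS\ipofedaw.dll",e File not found
[2009/03/13 14:19:30 | 00,000,121 | -HS- | C] () -- C:\WINDOWS\System32\ehavogek.ini
[2009/03/13 12:04:58 | 00,005,856 | -HS- | C] () -- C:\WINDOWS\System32\higewomu.dll
[2009/03/13 12:04:58 | 00,005,856 | -HS- | M] () -- C:\WINDOWS\System32\higewomu.dll
[2009/03/13 13:34:28 | 00,011,168 | -H-- | M] () -- C:\WINDOWS\System32\gogajoso
[2009/03/13 12:00:00 | 00,000,187 | -HS- | M] () -- C:\WINDOWS\System32\desktop.ini
[2008/04/14 05:00:00 | 00,069,120 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\System32\notepad.exe
""".strip().splitlines()

if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"{f.category:8} {f.path}  <- {', '.join(f.reasons)}")
```

The output is a review list, not a fix list: the helper deliberately needs two signals before it flags anything, so a legitimate hidden system file (desktop.ini) and a signed Microsoft binary fall through, while the same entries the fix script above targets are surfaced with the reason each was picked.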

#14
petree
    Member
  • Topic Starter
  • Member
  • 33 posts
Do I still run it under minimal output?
  • 0

#15
Rorschach112
    Ralphie
  • Retired Staff
  • 47,710 posts
yes
  • 0
