Malware, XP AntiSpyware 2009, Malwarebytes Freezing PC


#1 vb28
Posted 29 November 2008 - 12:38 PM

Hi,

I have Windows XP Professional installed on my PC, about 3 days ago I started getting this error message

"ATTENTION! If your computer is struck by the spyware, you could suffer data loss, erratic PC behaviour, PC freezes and creahes."

By the spyware? Creahes? Who writes this stuff?

"Detect and remove viruses before they damage your computer!
Antivirus 2009 will perform a 100% FREE and quick scan of your computer for Viruses, Spyware and Adware.
Do you want to install Antivirus 2009 to scan your computer for malware now? (Recommended)"


But I didn't buy or install any programs recommended by the message; this might be spyware that I got from a website.

Pop-ups and ads also started to show up when I do searches.

After some research, I found that Malwarebytes' Anti-Malware seems to resolve this problem.

After running the scans and restarting the computer,

I got this error message

Error loading c:\windows\system32\mimovelu.dll

After clicking OK, the PC runs fine for about 5 minutes, then all the programs start to run slowly and stop working, and I have no choice but to do a manual restart; after that the same problem continues.

Basically it is freezing my PC, and I believe that it is reinstalling the program…

I also tried to run Malwarebytes in safe mode; it finds the corrupted files and deletes them, but it keeps coming back…





Here is HijackThis in normal mode:

Logfile of random's system information tool 1.04 (written by random/random)
Run by Administrator at 2008-11-29 00:00:19
Microsoft Windows XP Professional Service Pack 2
System drive C: has 35 GB (23%) free of 157 GB
Total RAM: 2047 MB (72% free)

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 12:00:19 AM, on 29/11/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16735)
Boot mode: Safe mode with network support

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Malwarebytes' Anti-Malware\mbam.exe
C:\WINDOWS\system32\Notepad2.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Users\Administrator\Local Settings\Application Data\Google\Google Talk Plugin\googletalkplugin.exe
C:\Users\Administrator\Desktop\RSIT.exe
C:\Program Files\trend micro\Administrator.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://google.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = IE
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: IE to GetRight Helper - {31FF080D-12A3-439A-A2EF-4BA95A3148E8} - C:\Program Files\GetRight\xx2gr.dll
O2 - BHO: Java™ Plug-In SSV Helper - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre6\bin\ssv.dll
O2 - BHO: (no name) - {a08b85cf-6b11-4347-b210-c14b4f3473f7} - C:\WINDOWS\system32\vavusani.dll (file missing)
O2 - BHO: Java™ Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O3 - Toolbar: QT Breadcrumbs Address Bar - {af83e43c-dd2b-4787-826b-31b17dee52ed} - mscoree.dll (file missing)
O3 - Toolbar: QT TabBar - {d2bf470e-ed1c-487f-a333-2bd8835eb6ce} - mscoree.dll (file missing)
O3 - Toolbar: QT Tab Standard Buttons - {D2BF470E-ED1C-487F-A666-2BD8835EB6CE} - mscoree.dll (file missing)
O4 - HKLM\..\Run: [VistaDrive] C:\WINDOWS\VistaDrive\VistaDrive.exe
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [McAfeeUpdaterUI] "C:\Program Files\Network Associates\Common Framework\UpdaterUI.exe" /StartedFromRunKey
O4 - HKLM\..\Run: [Network Associates Error Reporting Service] "C:\Program Files\Common Files\Network Associates\TalkBack\TBMon.exe"
O4 - HKLM\..\Run: [McAfeeFireTray] C:\Program Files\Network Associates\McAfee Desktop Firewall for Windows XP\Firetray.exe
O4 - HKLM\..\Run: [AAWTray] C:\Program Files\Lavasoft\Ad-Aware 2007\AAWTray.exe
O4 - HKLM\..\Run: [UnlockerAssistant] "C:\Program Files\Unlocker\UnlockerAssistant.exe"
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [SoundMAXPnP] C:\Program Files\Analog Devices\Core\smax4pnp.exe
O4 - HKLM\..\Run: [SoundMAX] "C:\Program Files\Analog Devices\SoundMAX\Smax4.exe" /tray
O4 - HKLM\..\Run: [JMB36X Configure] C:\WINDOWS\system32\JMRaidSetup.exe boot
O4 - HKLM\..\Run: [JMB36X IDE Setup] C:\WINDOWS\JM\JMInsIDE.exe
O4 - HKLM\..\Run: [Azureus] C:\Program Files\Azureus\Azureus.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [IntelliPoint] "C:\Program Files\Microsoft IntelliPoint\point32.exe"
O4 - HKLM\..\Run: [WinFastDTV] C:\Program Files\WinFast\WFDTV\DTVSchdl.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RunDLL32.exe NvMCTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [googletalk] C:\Program Files\Google\Google Talk\googletalk.exe /autostart
O4 - HKLM\..\Run: [nmctxth] "C:\Program Files\Common Files\Pure Networks Shared\Platform\nmctxth.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\VistaCodecPack\QT\qttask.exe" -atboottime
O4 - HKLM\..\Run: [PWRISOVM.EXE] C:\Program Files\PowerISO\PWRISOVM.EXE
O4 - HKLM\..\Run: [Malwarebytes' Anti-Malware] "C:\Program Files\Malwarebytes' Anti-Malware\mbamgui.exe" /starttray
O4 - HKLM\..\Run: [MSConfig] C:\WINDOWS\PCHealth\HelpCtr\Binaries\MSConfig.exe /auto
O4 - HKLM\..\Run: [Corel Photo Downloader] "C:\Program Files\Common Files\Corel\Corel PhotoDownloader\Corel Photo Downloader.exe" -startup
O4 - HKLM\..\Run: [jiwurizipu] Rundll32.exe "C:\WINDOWS\system32\mimovelu.dll",s
O4 - HKLM\..\RunOnce: [WIAWizardMenu] RUNDLL32.EXE C:\WINDOWS\system32\sti_ci.dll,WiaCreateWizardMenu
O4 - HKCU\..\Run: [TaskSwitchXP] C:\Program Files\TaskSwitchXP\TaskSwitchXP.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [Skype] "C:\Program Files\Skype\Phone\Skype.exe" /nosplash /minimized
O4 - HKCU\..\Run: [Veoh] "C:\Program Files\Veoh Networks\Veoh\VeohClient.exe" /VeohHide
O4 - HKCU\..\Run: [Google Update] "C:\Users\Administrator\Local Settings\Application Data\Google\Update\GoogleUpdate.exe" /c
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-19\..\Run: [TaskSwitchXP] C:\Program Files\TaskSwitchXP\TaskSwitchXP.exe (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-19\..\Run: [jiwurizipu] Rundll32.exe "C:\WINDOWS\system32\mimovelu.dll",s (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-19\..\RunOnce: [nltide_2] regsvr32 /s /n /i:U shell32 (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-20\..\RunOnce: [nltide_2] regsvr32 /s /n /i:U shell32 (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\S-1-5-18\..\RunOnce: [nltide_2] regsvr32 /s /n /i:U shell32 (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O4 - HKUS\.DEFAULT\..\RunOnce: [nltide_2] regsvr32 /s /n /i:U shell32 (User 'Default user')
O4 - Startup: Metacafe.lnk = C:\Program Files\Metacafe\MetacafeAgent.exe
O4 - Startup: Visual Task Tips.lnk = C:\ppApps\VisualTaskTips\VisualTaskTips.exe
O4 - Global Startup: BlueSoleil.lnk = C:\Program Files\IVT Corporation\BlueSoleil\gprs.exe
O4 - Global Startup: Metacafe.lnk = C:\Program Files\Metacafe\MetacafeAgent.exe
O4 - Global Startup: MultiMon Taskbar.lnk = C:\Program Files\MMTaskbar\MultiMon.exe
O8 - Extra context menu item: &Clean Traces - C:\Program Files\DAP\Privacy Package\dapcleanerie.htm
O8 - Extra context menu item: &Download with &DAP - C:\Program Files\DAP\dapextie.htm
O8 - Extra context menu item: &Download with BitKinex - C:\Program Files\BitKinex\ieext_cp.htm
O8 - Extra context menu item: &Register in BitKinex - C:\Program Files\BitKinex\ieext_reg.htm
O8 - Extra context menu item: Download &all with DAP - C:\Program Files\DAP\dapextie2.htm
O8 - Extra context menu item: Download with GetRight Pro - C:\Program Files\GetRight\GRdownload.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Lookup on Merriam Webster - file://C:\Program Files\ieSpell\Merriam Webster.HTM
O8 - Extra context menu item: Lookup on Wikipedia - file://C:\Program Files\ieSpell\wikipedia.HTM
O8 - Extra context menu item: Open with GetRight Pro Browser - C:\Program Files\GetRight\GRbrowse.htm
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {E06E2E99-0AA1-11D4-ABA6-0060082AA75C} -
O18 - Protocol: intu-qt2007 - {026BF40D-BA05-467B-9F1F-AD0D7A3F5F11} - C:\Program Files\QuickTax 2007\ic2007pp.dll
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O20 - AppInit_DLLs: C:\Windows\system32\rserver30\r3god.dll C:\WINDOWS\system32\livukafa.dll
O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
O23 - Service: BitKinex File Transfer Service (BitKinex) - Unknown owner - C:\Program Files\BitKinex\bitkinexsvc.exe
O23 - Service: BlueSoleil Hid Service - Unknown owner - C:\Program Files\IVT Corporation\BlueSoleil\BTNtService.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: FileZilla Server FTP server (FileZilla Server) - FileZilla Project - C:\Program Files\FileZilla Server\FileZilla Server.exe
O23 - Service: McAfee Desktop Firewall Service (FireSvc) - Networks Associates Technology, Inc. - C:\Program Files\Network Associates\McAfee Desktop Firewall for Windows XP\FireSvc.exe
O23 - Service: Google Update Service (gupdate1c8e6965254493c) (gupdate1c8e6965254493c) - Google Inc. - C:\Program Files\Google\Update\GoogleUpdate.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: Linksys Updater (LinksysUpdater) - Unknown owner - C:\Program Files\Linksys\Linksys Updater\bin\LinksysUpdater.exe
O23 - Service: MBAMService - Malwarebytes Corporation - C:\Program Files\Malwarebytes' Anti-Malware\mbamservice.exe
O23 - Service: McAfee Framework Service (McAfeeFramework) - Network Associates, Inc. - C:\Program Files\Network Associates\Common Framework\FrameworkService.exe
O23 - Service: Nakido - Nakido - C:\Program Files\Nakido\nakido.exe
O23 - Service: NetLimiter (nlsvc) - Locktime Software - C:\Program Files\NetLimiter 2 Pro\nlsvc.exe
O23 - Service: Pure Networks Platform Service (nmservice) - Pure Networks, Inc. - C:\Program Files\Common Files\Pure Networks Shared\Platform\nmsrvc.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: O&O Defrag - O&O Software GmbH - C:\WINDOWS\system32\oodag.exe
O23 - Service: ProtexisLicensing - Unknown owner - C:\WINDOWS\system32\PSIService.exe
O23 - Service: Remote Packet Capture Protocol v.0 (experimental) (rpcapd) - CACE Technologies - C:\Program Files\WinPcap\rpcapd.exe
O23 - Service: Radmin Server V3 (RServer3) - Famatech International Corp. - C:\WINDOWS\system32\rserver30\RServer3.exe
O23 - Service: Start BT in service - Unknown owner - C:\Program Files\IVT Corporation\BlueSoleil\StartSkysolSvc.exe
O23 - Service: Ulead Burning Helper (UleadBurningHelper) - Ulead Systems, Inc. - C:\Program Files\Common Files\Ulead Systems\DVD\ULCDRSvr.exe
O23 - Service: VMware Authorization Service (VMAuthdService) - VMware, Inc. - C:\Program Files\VMware\VMware Workstation\vmware-authd.exe
O23 - Service: VMware DHCP Service (VMnetDHCP) - VMware, Inc. - C:\WINDOWS\system32\vmnetdhcp.exe
O23 - Service: VMware Virtual Mount Manager Extended (vmount2) - VMware, Inc. - C:\Program Files\Common Files\VMware\VMware Virtual Image Editing\vmount2.exe
O23 - Service: VMware NAT Service - VMware, Inc. - C:\WINDOWS\system32\vmnat.exe

--
End of file - 12825 bytes

======Scheduled tasks folder======

C:\WINDOWS\tasks\1-Click Maintenance.job
C:\WINDOWS\tasks\AppleSoftwareUpdate.job
C:\WINDOWS\tasks\GoogleUpdateTaskMachine.job
C:\WINDOWS\tasks\GoogleUpdateTaskUser.job

======Registry dump======

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{06849E9F-C8D7-4D59-B87D-784B7D6BE0B3}]
Adobe PDF Reader Link Helper - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll [2006-10-22 62080]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{31FF080D-12A3-439A-A2EF-4BA95A3148E8}]
IE to GetRight Helper - C:\Program Files\GetRight\xx2gr.dll [2007-07-18 246848]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{761497BB-D6F0-462C-B6EB-D4DAF1D92D43}]
Java™ Plug-In SSV Helper - C:\Program Files\Java\jre6\bin\ssv.dll [2008-10-03 320920]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{a08b85cf-6b11-4347-b210-c14b4f3473f7}]
C:\WINDOWS\system32\vavusani.dll []

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{DBC80044-A445-435b-BC74-9C25C1C588A9}]
Java™ Plug-In 2 SSV Helper - C:\Program Files\Java\jre6\bin\jp2ssv.dll [2008-10-03 34816]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{E7E6F031-17CE-4C07-BC86-EABFE594F69C}]
JQSIEStartDetectorImpl Class - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll [2008-10-03 73728]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
{af83e43c-dd2b-4787-826b-31b17dee52ed} - QT Breadcrumbs Address Bar - C:\WINDOWS\system32\mscoree.dll [2007-10-24 282112]
{d2bf470e-ed1c-487f-a333-2bd8835eb6ce} - QT TabBar - C:\WINDOWS\system32\mscoree.dll [2007-10-24 282112]
{D2BF470E-ED1C-487F-A666-2BD8835EB6CE} - QT Tab Standard Buttons - C:\WINDOWS\system32\mscoree.dll [2007-10-24 282112]

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]
"VistaDrive"=C:\WINDOWS\VistaDrive\VistaDrive.exe [2006-10-05 280779]
"AVG7_CC"=C:\PROGRA~1\Grisoft\AVG7\avgcc.exe [2008-04-15 579584]
"McAfeeUpdaterUI"=C:\Program Files\Network Associates\Common Framework\UpdaterUI.exe [2004-10-05 139320]
"Network Associates Error Reporting Service"=C:\Program Files\Common Files\Network Associates\TalkBack\TBMon.exe [2004-02-18 147514]
"McAfeeFireTray"=C:\Program Files\Network Associates\McAfee Desktop Firewall for Windows XP\Firetray.exe [2005-04-12 655420]
"AAWTray"=C:\Program Files\Lavasoft\Ad-Aware 2007\AAWTray.exe []
"UnlockerAssistant"=C:\Program Files\Unlocker\UnlockerAssistant.exe [2006-09-07 15872]
"SystemTray"=C:\WINDOWS\system32\SysTray.Exe [2001-08-23 3072]
"SoundMAXPnP"=C:\Program Files\Analog Devices\Core\smax4pnp.exe [2006-05-01 843776]
"SoundMAX"=C:\Program Files\Analog Devices\SoundMAX\Smax4.exe [2006-04-09 729088]
"JMB36X Configure"=C:\WINDOWS\system32\JMRaidSetup.exe [2006-10-30 1953792]
"JMB36X IDE Setup"=C:\WINDOWS\JM\JMInsIDE.exe [2006-10-30 36864]
"Azureus"=C:\Program Files\Azureus\Azureus.exe [2008-03-10 254976]
"TkBellExe"=C:\Program Files\Common Files\Real\Update_OB\realsched.exe [2007-12-23 185896]
"Adobe Reader Speed Launcher"=C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe [2008-01-11 39792]
"IntelliPoint"=C:\Program Files\Microsoft IntelliPoint\point32.exe [2005-06-10 217088]
"WinFastDTV"=C:\Program Files\WinFast\WFDTV\DTVSchdl.exe [2006-12-06 69632]
"NvCplDaemon"=C:\WINDOWS\system32\NvCpl.dll [2006-08-30 7630848]
"nwiz"=nwiz.exe /install []
"NvMediaCenter"=C:\WINDOWS\system32\NvMCTray.dll [2006-08-30 86016]
"googletalk"=C:\Program Files\Google\Google Talk\googletalk.exe [2007-01-01 3739648]
"nmctxth"=C:\Program Files\Common Files\Pure Networks Shared\Platform\nmctxth.exe [2008-05-16 648504]
"QuickTime Task"=C:\Program Files\VistaCodecPack\QT\qttask.exe [2008-09-06 413696]
"PWRISOVM.EXE"=C:\Program Files\PowerISO\PWRISOVM.EXE [2007-08-06 200704]
"Malwarebytes' Anti-Malware"=C:\Program Files\Malwarebytes' Anti-Malware\mbamgui.exe [2008-10-22 399504]
"MSConfig"=C:\WINDOWS\PCHealth\HelpCtr\Binaries\MSConfig.exe [2007-10-09 194560]
"Corel Photo Downloader"=C:\Program Files\Common Files\Corel\Corel PhotoDownloader\Corel Photo Downloader.exe [2007-08-27 531272]
"jiwurizipu"=C:\WINDOWS\system32\mimovelu.dll []

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunOnce]
"WIAWizardMenu"=C:\WINDOWS\system32\sti_ci.dll [2007-10-09 541184]

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"TaskSwitchXP"=C:\Program Files\TaskSwitchXP\TaskSwitchXP.exe [2006-08-04 62976]
"ctfmon.exe"=C:\WINDOWS\system32\ctfmon.exe [2007-10-09 40448]
"Skype"=C:\Program Files\Skype\Phone\Skype.exe [2008-11-07 21633320]
"Veoh"=C:\Program Files\Veoh Networks\Veoh\VeohClient.exe [2008-09-26 3660848]
"Google Update"=C:\Users\Administrator\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2008-08-29 133104]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Corel Photo Downloader]
C:\Program Files\Common Files\Corel\Corel PhotoDownloader\Corel Photo Downloader.exe [2007-08-27 531272]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\CTFMON.EXE]
C:\WINDOWS\system32\ctfmon.exe [2007-10-09 40448]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\CubeDesktop]
[]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ehTray]
C:\WINDOWS\ehome\ehtray.exe [2004-08-09 59392]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\FileZilla Server Interface]
C:\Program Files\FileZilla Server\FileZilla Server Interface.exe [2008-11-02 942080]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Fraps]
C:\Fraps\fraps.exe [2007-07-12 2928296]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]
C:\Program Files\iTunes\iTunesHelper.exe [2008-09-08 289576]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\LELA]
C:\Program Files\Linksys\Linksys EasyLink Advisor\Linksys EasyLink Advisor.exe [2008-08-06 159744]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\OODefragTray]
C:\WINDOWS\system32\oodtray.exe [2007-05-10 2512392]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PowerTweak Menu]
C:\WINDOWS\system32\mmm.exe []

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Sidebar]
C:\Program Files\Windows Sidebar\sidebar.exe [2007-09-25 1232384]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\WinFast Schedule]
C:\Program Files\WinFast\WFDTV\WFWIZ.exe [2006-12-04 372736]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Users^All Users^Start Menu^Programs^Startup^Metacafe.lnk]
C:\PROGRA~1\Metacafe\METACA~1.EXE [2008-06-29 145736]

C:\Users\All Users\Start Menu\Programs\Startup
BlueSoleil.lnk - C:\Program Files\IVT Corporation\BlueSoleil\gprs.exe
Metacafe.lnk - C:\Program Files\Metacafe\MetacafeAgent.exe
MultiMon Taskbar.lnk - C:\Program Files\MMTaskbar\MultiMon.exe

C:\Users\Administrator\Start Menu\Programs\Startup
Metacafe.lnk - C:\Program Files\Metacafe\MetacafeAgent.exe
Visual Task Tips.lnk - C:\ppApps\VisualTaskTips\VisualTaskTips.exe

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]
"AppInit_DLLS"="C:\Windows\system32\rserver30\r3god.dll C:\WINDOWS\system32\livukafa.dll "

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\WBSrv]
C:\Program Files\Stardock\Object Desktop\WindowBlinds\wbsrv.dll [2007-10-09 229376]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad]
WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINDOWS\system32\wpdshserviceobj.dll [2007-01-18 133632]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa]
"notification packages"=scecli
C:\WINDOWS\system32\livukafa.dll

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\network\nm]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\network\nm.sys]

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System]
"dontdisplaylastusername"=0
"legalnoticecaption"=
"legalnoticetext"=
"shutdownwithoutlogon"=1
"undockwithoutlogon"=1
"InstallVisualStyle"=C:\WINDOWS\Resources\Themes\Royale\Royale.msstyles
"InstallTheme"=C:\WINDOWS\Resources\Themes\Royale.theme
"SynchronousMachineGroupPolicy"=0
"SynchronousUserGroupPolicy"=0

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\explorer]
"NoDriveTypeAutoRun"=145
"NoSMMyPictures"=1
"NoSMHelp"=1
"NoSMConfigurePrograms"=1
"NoActiveDesktop"=0
"NoBandCustomize"=0
"NoMovingBands"=0
"NoCloseDragDropBands"=0

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\explorer]
"NoSMConfigurePrograms"=
"NoToolbarCustomize"=
"NoBandCustomize"=
"NoActiveDesktop"=

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\standardprofile\authorizedapplications\list]
"%windir%\Network Diagnostic\xpnetdiag.exe"="%windir%\Network Diagnostic\xpnetdiag.exe:*:Enabled:@xpsp3res.dll,-20000"
"%windir%\system32\sessmgr.exe"="%windir%\system32\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"C:\Program Files\Grisoft\AVG7\avginet.exe"="C:\Program Files\Grisoft\AVG7\avginet.exe:*:Enabled:avginet.exe"
"C:\Program Files\Grisoft\AVG7\avgamsvr.exe"="C:\Program Files\Grisoft\AVG7\avgamsvr.exe:*:Enabled:avgamsvr.exe"
"C:\Program Files\Grisoft\AVG7\avgcc.exe"="C:\Program Files\Grisoft\AVG7\avgcc.exe:*:Enabled:avgcc.exe"
"C:\Program Files\Grisoft\AVG7\avgemc.exe"="C:\Program Files\Grisoft\AVG7\avgemc.exe:*:Enabled:avgemc.exe"
"C:\Program Files\Network Associates\Common Framework\FrameworkService.exe"="C:\Program Files\Network Associates\Common Framework\FrameworkService.exe:*:Enabled:McAfee Framework Service"
"C:\Program Files\IncrediMail\bin\IncMail.exe"="C:\Program Files\IncrediMail\bin\IncMail.exe:*:Disabled:IncrediMail"
"C:\Program Files\IncrediMail\bin\ImpCnt.exe"="C:\Program Files\IncrediMail\bin\ImpCnt.exe:*:Disabled:IncrediMail"
"C:\Program Files\IncrediMail\bin\ImApp.exe"="C:\Program Files\IncrediMail\bin\ImApp.exe:*:Disabled:IncrediMail"
"C:\Program Files\Messenger\msmsgs.exe"="C:\Program Files\Messenger\msmsgs.exe:*:Enabled:Windows Messenger"
"C:\Program Files\Azureus\Azureus.exe"="C:\Program Files\Azureus\Azureus.exe:*:Enabled:Azureus"
"C:\ppApps\WirelessNavigator\WiFiNav.exe"="C:\ppApps\WirelessNavigator\WiFiNav.exe:*:Enabled:WiFiNav"
"C:\ppApps\MSN8.5b2\msnmsgr.exe"="C:\ppApps\MSN8.5b2\msnmsgr.exe:*:Enabled:Windows Live Messenger"
"C:\Program Files\SmartFTP Client\SmartFTP.exe"="C:\Program Files\SmartFTP Client\SmartFTP.exe:*:Enabled:SmartFTP Client 2.5"
"C:\Program Files\Google\Google Talk\googletalk.exe"="C:\Program Files\Google\Google Talk\googletalk.exe:*:Enabled:Google Talk"
"C:\Program Files\IVT Corporation\BlueSoleil\BlueSoleil.exe"="C:\Program Files\IVT Corporation\BlueSoleil\BlueSoleil.exe:*:Enabled:BlueSoleil"
"C:\Program Files\Bonjour\mDNSResponder.exe"="C:\Program Files\Bonjour\mDNSResponder.exe:*:Enabled:Bonjour"
"C:\Program Files\iTunes\iTunes.exe"="C:\Program Files\iTunes\iTunes.exe:*:Enabled:iTunes"
"C:\Program Files\Nakido\nakido.exe"="C:\Program Files\Nakido\nakido.exe:*:Enabled:Nakido"
"C:\Users\Administrator\Local Settings\Application Data\Google\Google Talk Plugin\googletalkplugin.dll"="C:\Users\Administrator\Local Settings\Application Data\Google\Google Talk Plugin\googletalkplugin.dll:*:Enabled:Google Talk Plugin"
"C:\Users\Administrator\Local Settings\Application Data\Google\Google Talk Plugin\googletalkplugin.exe"="C:\Users\Administrator\Local Settings\Application Data\Google\Google Talk Plugin\googletalkplugin.exe:*:Enabled:Google Talk Plugin"
"C:\Program Files\Skype\Phone\Skype.exe"="C:\Program Files\Skype\Phone\Skype.exe:*:Enabled:Skype"
"C:\WINDOWS\system32\logonui.exe"="C:\WINDOWS\system32\logonui.exe:*:Enabled:logonui"
"C:\WINDOWS\system32\winlogon.exe"="C:\WINDOWS\system32\winlogon.exe:*:Enabled:winlogon"
"C:\WINDOWS\explorer.exe"="C:\WINDOWS\explorer.exe:*:Enabled:Explorer"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\domainprofile\authorizedapplications\list]
"%windir%\Network Diagnostic\xpnetdiag.exe"="%windir%\Network Diagnostic\xpnetdiag.exe:*:Enabled:@xpsp3res.dll,-20000"
"%windir%\system32\sessmgr.exe"="%windir%\system32\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"

======File associations======

.bat - edit - C:\WINDOWS\system32\Notepad2.exe %1
.cmd - edit - C:\WINDOWS\system32\Notepad2.exe %1
.inf - open - C:\WINDOWS\system32\Notepad2.exe %1
.ini - open - C:\WINDOWS\system32\Notepad2.exe %1
.js - edit - "C:\Program Files\Macromedia\Dreamweaver 8\dreamweaver.exe" "%1"
.reg - edit - C:\WINDOWS\system32\Notepad2.exe %1
.txt - open - C:\WINDOWS\system32\Notepad2.exe %1
.vbs - edit - C:\WINDOWS\system32\Notepad2.exe %1

======List of files/folders created in the last 1 months======

2008-11-28 23:28:41 ----D---- C:\Program Files\trend micro
2008-11-28 23:28:39 ----D---- C:\rsit
2008-11-28 22:49:10 ----A---- C:\WINDOWS\ntbtlog.txt
2008-11-28 18:42:37 ----D---- C:\Users\All Users\Application Data\Spybot - Search & Destroy
2008-11-28 18:42:37 ----D---- C:\Program Files\Spybot - Search & Destroy
2008-11-28 17:53:32 ----SHD---- C:\WINDOWS\CSC
2008-11-28 15:39:33 ----A---- C:\Fade.ini
2008-11-28 14:59:47 ----D---- C:\WINDOWS.0
2008-11-24 22:12:03 ----D---- C:\Users\Administrator\Application Data\Malwarebytes
2008-11-24 22:11:56 ----D---- C:\Users\All Users\Application Data\Malwarebytes
2008-11-24 22:11:56 ----D---- C:\Program Files\Malwarebytes' Anti-Malware
2008-11-12 21:02:35 ----D---- C:\Program Files\MSXML 6.0
2008-11-12 21:02:07 ----HDC---- C:\WINDOWS\$NtUninstallKB957097$
2008-11-12 21:01:22 ----HDC---- C:\WINDOWS\$NtUninstallKB955069$
2008-11-09 10:53:00 ----D---- C:\Users\Administrator\Application Data\Advanced Find and Replace 4
2008-11-09 10:53:00 ----D---- C:\Program Files\Advanced Find and Replace 4
2008-11-05 11:25:00 ----D---- C:\Program Files\FileZilla FTP Client
2008-11-05 11:24:16 ----D---- C:\Program Files\FileZilla Server

======List of files/folders modified in the last 1 months======

2008-11-29 00:00:19 ----D---- C:\WINDOWS\Temp
2008-11-28 23:59:20 ----A---- C:\WINDOWS\system32\Notepad2.ini
2008-11-28 23:28:41 ----D---- C:\Program Files
2008-11-28 23:26:27 ----D---- C:\Program Files\Mozilla Firefox
2008-11-28 23:26:02 ----AD---- C:\WINDOWS\system32
2008-11-28 22:53:39 ----SD---- C:\WINDOWS\Tasks
2008-11-28 22:49:10 ----RD---- C:\WINDOWS
2008-11-28 22:48:13 ----D---- C:\Program Files\Nakido
2008-11-28 22:48:09 ----A---- C:\WINDOWS\SchedLgU.Txt
2008-11-28 22:48:04 ----D---- C:\WINDOWS\Registration
2008-11-28 22:47:57 ----D---- C:\Users\All Users\Application Data\VMware
2008-11-28 22:47:48 ----A---- C:\ptdebug.txt
2008-11-28 22:47:33 ----D---- C:\Users\Administrator\Application Data\Azureus
2008-11-28 22:47:12 ----D---- C:\Program Files\Common Files\Akamai
2008-11-28 22:47:09 ----D---- C:\WINDOWS\system32\ServiceLogs
2008-11-28 22:44:33 ----SH---- C:\boot.ini
2008-11-28 22:44:32 ----A---- C:\WINDOWS\win.ini
2008-11-28 22:44:32 ----A---- C:\WINDOWS\system.ini
2008-11-28 22:15:44 ----D---- C:\Users\Administrator\Application Data\Skype
2008-11-28 20:14:16 ----D---- C:\WINDOWS\Prefetch
2008-11-28 19:53:51 ----D---- C:\Users\All Users\Application Data\Metacafe
2008-11-28 19:53:51 ----D---- C:\Users\Administrator\Application Data\Metacafe
2008-11-28 19:45:26 ----D---- C:\WINDOWS\system32\drivers
2008-11-28 15:37:45 ----D---- C:\Users\Administrator\Application Data\skypePM
2008-11-28 15:35:57 ----D---- C:\Users\Administrator\Application Data\AVG7
2008-11-28 05:30:38 ----RD---- C:\Users
2008-11-28 05:24:30 ----D---- C:\Program Files\Windows Media Player
2008-11-28 05:24:30 ----D---- C:\Program Files\NetMeeting
2008-11-28 05:24:28 ----D---- C:\Program Files\Common Files\Services
2008-11-28 05:24:26 ----D---- C:\Program Files\Outlook Express
2008-11-28 05:24:23 ----D---- C:\Program Files\Internet Explorer
2008-11-28 05:24:14 ----D---- C:\Program Files\Movie Maker
2008-11-28 05:23:54 ----D---- C:\Program Files\Common Files\System
2008-11-28 05:22:19 ----D---- C:\Program Files\Windows Media Connect 2
2008-11-28 05:21:59 ----D---- C:\Program Files\Messenger
2008-11-28 05:21:46 ----D---- C:\Program Files\Windows NT
2008-11-25 11:57:57 ----D---- C:\Program Files\Azureus
2008-11-25 00:41:47 ----A---- C:\WINDOWS\ModemLog_Bluetooth DUN Modem.txt
2008-11-25 00:41:46 ----A---- C:\WINDOWS\ModemLog_Bluetooth Fax Modem.txt
2008-11-24 21:58:38 ----D---- C:\Program Files\Replay AV 8
2008-11-24 21:57:59 ----D---- C:\Program Files\TrueLaunchBar
2008-11-24 21:56:18 ----SHD---- C:\WINDOWS\Installer
2008-11-24 21:53:12 ----HD---- C:\Program Files\InstallShield Installation Information
2008-11-24 21:52:58 ----A---- C:\WINDOWS\MegaManager.INI
2008-11-24 21:51:12 ----D---- C:\Program Files\DAEMON Tools
2008-11-24 20:40:40 ----D---- C:\Users\Administrator\Application Data\FileZilla
2008-11-24 11:51:25 ----D---- C:\WINDOWS\system32\CatRoot2
2008-11-22 09:24:05 ----D---- C:\WINDOWS\Help
2008-11-22 09:24:05 ----AHD---- C:\WINDOWS\inf
2008-11-21 10:57:02 ----D---- C:\Program Files\AllToAVI
2008-11-21 10:53:23 ----D---- C:\Converted
2008-11-16 12:17:43 ----D---- C:\Program Files\Google
2008-11-15 09:30:02 ----D---- C:\WINDOWS\system32\oodag
2008-11-12 21:28:25 ----D---- C:\Users\Administrator\Application Data\Mozilla
2008-11-12 21:02:08 ----DC---- C:\WINDOWS\system32\dllcache
2008-11-12 21:02:06 ----HD---- C:\WINDOWS\$hf_mig$
2008-11-12 21:01:28 ----A---- C:\WINDOWS\imsins.BAK
2008-11-12 21:01:01 ----D---- C:\WINDOWS\WinSxS
2008-11-09 17:06:02 ----D---- C:\Program Files\DivX Player Generator
2008-11-09 16:28:43 ----A---- C:\onemoreanimeplayercode.txt
2008-11-02 08:58:41 ----A---- C:\WINDOWS\system32\PerfStringBackup.INI

======List of drivers (R=Running, S=Stopped, 0=Boot, 1=System, 2=Auto, 3=Demand, 4=Disabled)======

R1 AvgClean;AVG7 Clean Driver; C:\WINDOWS\System32\Drivers\avgclean.sys [2007-12-21 10760]
R1 FireTDI;McAfee Desktop Firewall TDI Driver; \??\C:\WINDOWS\system32\Drivers\FireTDI.sys []
R1 nltdi;nltdi; \??\C:\WINDOWS\system32\drivers\nltdi.sys []
R1 raddrvv3;raddrvv3; \??\C:\WINDOWS\system32\rserver30\raddrvv3.sys []
R3 AnyDVD;AnyDVD; C:\WINDOWS\System32\Drivers\AnyDVD.sys [2007-10-11 96832]
R3 BT;Bluetooth PAN Network Adapter; C:\WINDOWS\system32\DRIVERS\btnetdrv.sys [2007-03-05 18320]
R3 ElbyDelay;ElbyDelay; C:\WINDOWS\System32\Drivers\ElbyDelay.sys [2007-02-15 11984]
R3 GEARAspiWDM;GEAR ASPI Filter Driver; C:\WINDOWS\system32\DRIVERS\GEARAspiWDM.sys [2008-04-17 15464]
R3 HDAudBus;Microsoft UAA Bus Driver for High Definition Audio; C:\WINDOWS\system32\DRIVERS\HDAudBus.sys [2007-10-09 138752]
R3 HidUsb;Microsoft HID Class Driver; C:\WINDOWS\system32\DRIVERS\hidusb.sys [2001-08-16 9600]
R3 mouhid;Mouse HID Driver; C:\WINDOWS\system32\DRIVERS\mouhid.sys [2001-08-16 12160]
R3 MTsensor;ATK0110 ACPI UTILITY; C:\WINDOWS\system32\DRIVERS\ASACPI.sys [2004-08-12 5810]
R3 Point32;Microsoft IntelliPoint Filter Driver; C:\WINDOWS\system32\DRIVERS\point32.sys [2005-06-10 21760]
R3 RTLE8023xp;Realtek 10/100/1000 PCI-E NIC Family NDIS XP Driver; C:\WINDOWS\system32\DRIVERS\Rtenicxp.sys [2006-07-26 83712]
R3 usbehci;Microsoft USB 2.0 Enhanced Host Controller Miniport Driver; C:\WINDOWS\system32\DRIVERS\usbehci.sys [2006-10-22 30208]
R3 usbhub;USB2 Enabled Hub; C:\WINDOWS\system32\DRIVERS\usbhub.sys [2007-04-08 59392]
R3 usbuhci;Microsoft USB Universal Host Controller Miniport Driver; C:\WINDOWS\system32\DRIVERS\usbuhci.sys [2006-10-22 20608]
R3 VPCNetS2;Virtual Machine Network Services Driver; C:\WINDOWS\system32\DRIVERS\VMNetSrv.sys [2007-01-28 59280]
S1 Aspi32;Aspi32; C:\WINDOWS\system32\drivers\Aspi32.sys [1999-09-09 25244]
S1 atitray;atitray; \??\C:\Program Files\Ray Adams\ATI Tray Tools\atitray.sys []
S1 Avg7Core;AVG7 Kernel; C:\WINDOWS\System32\Drivers\avg7core.sys [2007-10-25 821856]
S1 Avg7RsW;AVG7 Wrap Driver; C:\WINDOWS\System32\Drivers\avg7rsw.sys [2007-10-22 4224]
S1 Avg7RsXP;AVG7 Resident Driver XP; C:\WINDOWS\System32\Drivers\avg7rsxp.sys [2007-10-22 27776]
S1 ElbyCDIO;ElbyCDIO Driver; C:\WINDOWS\System32\Drivers\ElbyCDIO.sys [2007-08-07 25160]
S1 FireHook;McAfee Desktop Firewall; \??\C:\WINDOWS\system32\Drivers\Firehk5x.sys []
S1 intelppm;Intel Processor Driver; C:\WINDOWS\system32\DRIVERS\intelppm.sys [2007-10-09 36096]
S1 SCDEmu;SCDEmu; C:\WINDOWS\system32\drivers\SCDEmu.sys [2007-08-06 33052]
S1 vmm;Virtual Machine Monitor; \??\C:\WINDOWS\system32\Drivers\vmm.sys []
S2 AvgTdi;AVG Network Redirector; C:\WINDOWS\System32\Drivers\avgtdi.sys [2007-10-22 4960]
S2 BT848;Conexant's BtPCI WDM Video Capture; C:\WINDOWS\system32\DRIVERS\BT848.sys [2008-06-28 371349]
S2 hcmon;VMware hcmon; \??\C:\WINDOWS\system32\Drivers\hcmon.sys []
S2 pnarp;Pure Networks Device Discovery Driver; C:\WINDOWS\system32\DRIVERS\pnarp.sys [2008-05-16 23992]
S2 purendis;Pure Networks Wireless Driver; C:\WINDOWS\system32\DRIVERS\purendis.sys [2008-05-16 25272]
S2 rspndr;Link-Layer Topology Discovery Responder; C:\WINDOWS\system32\DRIVERS\rspndr.sys [2007-10-09 62336]
S2 VMnetBridge;VMware Bridge Protocol; C:\WINDOWS\system32\DRIVERS\vmnetbridge.sys [2007-04-12 30256]
S2 VMnetuserif;VMware Network Application Interface; \??\C:\WINDOWS\system32\drivers\vmnetuserif.sys []
S2 VMparport;VMware VMparport; \??\C:\WINDOWS\system32\Drivers\VMparport.sys []
S2 vmx86;VMware vmx86; \??\C:\WINDOWS\system32\Drivers\vmx86.sys []
S2 vstor2;Vstor2 Virtual Storage Driver; \??\C:\Program Files\Common Files\VMware\VMware Virtual Image Editing\vstor2.sys []
S3 ADIHdAudAddService;ADI UAA Function Driver for High Definition Audio Service; C:\WINDOWS\system32\drivers\ADIHdAud.sys [2006-05-02 229376]
S3 AEAudio;AE Audio Service; C:\WINDOWS\system32\drivers\AEAudio.sys [2006-04-27 93824]
S3 APLMp50;APLMp50 NDIS Protocol Driver; C:\WINDOWS\System32\Drivers\APLMp50.sys [2005-02-16 18816]
S3 BlueletAudio;Bluetooth Audio Service; C:\WINDOWS\system32\DRIVERS\blueletaudio.sys [2007-06-24 34312]
S3 BlueletSCOAudio;Bluetooth SCO Audio Service; C:\WINDOWS\system32\DRIVERS\BlueletSCOAudio.sys [2007-06-24 27656]
S3 Btcsrusb;Bluetooth USB For Bluetooth Service; C:\WINDOWS\System32\Drivers\btcusb.sys [2007-06-24 38920]
S3 CCDECODE;Closed Caption Decoder; C:\WINDOWS\system32\DRIVERS\CCDECODE.sys [2004-08-03 17024]
S3 DisplayLinkmirror;DisplayLinkmirror; C:\WINDOWS\system32\DRIVERS\DisplayLinkmirrorport.sys []
S3 firelm01;firelm01; \??\C:\WINDOWS\system32\drivers\firelm01.sys []
S3 MBAMProtector;MBAMProtector; \??\C:\WINDOWS\system32\drivers\mbam.sys []
S3 mirrorv3;mirrorv3; C:\WINDOWS\system32\DRIVERS\rminiv3.sys [2006-10-31 3328]
S3 MSTEE;Microsoft Streaming Tee/Sink-to-Sink Converter; C:\WINDOWS\system32\drivers\MSTEE.sys [2004-08-03 5504]
S3 NABTSFEC;NABTS/FEC VBI Codec; C:\WINDOWS\system32\DRIVERS\NABTSFEC.sys [2004-08-03 85376]
S3 NdisIP;Microsoft TV/Video Connection; C:\WINDOWS\system32\DRIVERS\NdisIP.sys [2004-08-03 10880]
S3 nm;Network Monitor Driver; C:\WINDOWS\system32\DRIVERS\NMnt.sys [2004-08-04 40320]
S3 NPF;NetGroup Packet Filter Driver; C:\WINDOWS\system32\drivers\npf.sys [2005-08-02 32512]
S3 nv;nv; C:\WINDOWS\system32\DRIVERS\nv4_mini.sys [2006-08-30 3958496]
S3 pcouffin;VSO Software pcouffin; C:\WINDOWS\System32\Drivers\pcouffin.sys [2007-10-22 47360]
S3 ROOTMODEM;Microsoft Legacy Modem Driver; C:\WINDOWS\System32\Drivers\RootMdm.sys [2001-08-23 5888]
S3 SenFiltService;SenFilt Service; C:\WINDOWS\system32\drivers\Senfilt.sys [2006-03-17 392960]
S3 SLIP;BDA Slip De-Framer; C:\WINDOWS\system32\DRIVERS\SLIP.sys [2004-08-03 11136]
S3 streamip;BDA IPSink; C:\WINDOWS\system32\DRIVERS\StreamIP.sys [2004-08-03 15360]
S3 UltraMonMirror;UltraMonMirror; C:\WINDOWS\system32\DRIVERS\UltraMonMirror.sys []
S3 USBAAPL;Apple Mobile USB Driver; C:\WINDOWS\System32\Drivers\usbaapl.sys [2008-09-05 36864]
S3 usbscan;USB Scanner Driver; C:\WINDOWS\system32\DRIVERS\usbscan.sys [2004-08-03 15104]
S3 USBSTOR;USB Mass Storage Driver; C:\WINDOWS\system32\DRIVERS\USBSTOR.SYS [2004-08-03 26496]
S3 VComm;Virtual Serial port driver; C:\WINDOWS\system32\DRIVERS\VComm.sys [2007-03-05 34448]
S3 VcommMgr;Bluetooth VComm Manager Service; C:\WINDOWS\System32\Drivers\VcommMgr.sys [2007-03-05 44304]
S3 VMnetAdapter;VMware Virtual Ethernet Adapter Driver; C:\WINDOWS\system32\DRIVERS\vmnetadapter.sys [2007-04-12 16560]
S3 WFFALCON;Leadtek WinFast PVR3000 Series Driver; C:\WINDOWS\system32\drivers\wffalcon.sys [2006-10-13 125568]
S3 WFIOCTL;WFIOCTL; \??\C:\Program Files\WinFast\WFDTV\WFIOCTL.SYS []
S3 WSTCODEC;World Standard Teletext Codec; C:\WINDOWS\system32\DRIVERS\WSTCODEC.SYS [2004-08-03 19328]
S3 WudfPf;Windows Driver Foundation - User-mode Driver Framework Platform Driver; C:\WINDOWS\system32\DRIVERS\WudfPf.sys [2007-01-18 77568]
S3 WudfRd;Windows Driver Foundation - User-mode Driver Framework Reflector; C:\WINDOWS\system32\DRIVERS\wudfrd.sys [2007-01-18 82944]
S4 IntelIde;IntelIde; C:\WINDOWS\system32\drivers\IntelIde.sys []

======List of services (R=Running, S=Stopped, 0=Boot, 1=System, 2=Auto, 3=Demand, 4=Disabled)======

S2 Akamai;Akamai; C:\WINDOWS\System32\svchost.exe [2004-08-04 14336]
S2 Apple Mobile Device;Apple Mobile Device; C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe [2008-09-05 116040]
S2 Avg7Alrt;AVG7 Alert Manager Server; C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe [2007-10-25 418816]
S2 Avg7UpdSvc;AVG7 Update Service; C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe [2007-10-22 49664]
S2 AVGEMS;AVG E-mail Scanner; C:\PROGRA~1\Grisoft\AVG7\avgemc.exe [2007-12-21 406528]
S2 BitKinex;BitKinex File Transfer Service; C:\Program Files\BitKinex\bitkinexsvc.exe [2006-04-19 25088]
S2 BlueSoleil Hid Service;BlueSoleil Hid Service; C:\Program Files\IVT Corporation\BlueSoleil\BTNtService.exe [2007-12-27 166520]
S2 Bonjour Service;Bonjour Service; C:\Program Files\Bonjour\mDNSResponder.exe [2008-08-29 238888]
S2 ehRecvr;Media Center Receiver Service; C:\WINDOWS\eHome\ehRecvr.exe [2004-08-09 194560]
S2 ehSched;Media Center Scheduler Service; C:\WINDOWS\eHome\ehSched.exe [2004-08-09 102912]
S2 FileZilla Server;FileZilla Server FTP server; C:\Program Files\FileZilla Server\FileZilla Server.exe [2008-11-02 587776]
S2 FireSvc;McAfee Desktop Firewall Service; C:\Program Files\Network Associates\McAfee Desktop Firewall for Windows XP\FireSvc.exe [2005-04-12 766011]
S2 gupdate1c8e6965254493c;Google Update Service (gupdate1c8e6965254493c); C:\Program Files\Google\Update\GoogleUpdate.exe [2008-08-29 133104]
S2 JavaQuickStarterService;Java Quick Starter; C:\Program Files\Java\jre6\bin\jqs.exe [2008-10-03 147456]
S2 LinksysUpdater;Linksys Updater; C:\Program Files\Linksys\Linksys Updater\bin\LinksysUpdater.exe [2008-06-26 204800]
S2 MBAMService;MBAMService; C:\Program Files\Malwarebytes' Anti-Malware\mbamservice.exe [2008-10-22 170640]
S2 McAfeeFramework;McAfee Framework Service; C:\Program Files\Network Associates\Common Framework\FrameworkService.exe [2004-10-05 102463]
S2 MDM;Machine Debug Manager; C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE [2007-10-02 322120]
S2 Nakido;Nakido; C:\Program Files\Nakido\nakido.e [2008-11-28 65536]
S2 nlsvc;NetLimiter; C:\Program Files\NetLimiter 2 Pro\nlsvc.exe [2007-05-14 516096]
S2 nmservice;Pure Networks Platform Service; C:\Program Files\Common Files\Pure Networks Shared\Platform\nmsrvc.exe [2008-05-16 648504]
S2 NVSvc;NVIDIA Display Driver Service; C:\WINDOWS\system32\nvsvc32.exe [2006-08-30 155715]
S2 O&O Defrag;O&O Defrag; C:\WINDOWS\system32\oodag.exe [2007-05-10 1050120]
S2 ProtexisLicensing;ProtexisLicensing; C:\WINDOWS\system32\PSIService.exe [2007-06-04 177704]
S2 RServer3;Radmin Server V3; C:\WINDOWS\system32\rserver30\RServer3.exe [2007-02-01 1235032]
S2 Start BT in service;Start BT in service; C:\Program Files\IVT Corporation\BlueSoleil\StartSkysolSvc.exe [2007-12-27 51816]
S2 UleadBurningHelper;Ulead Burning Helper; C:\Program Files\Common Files\Ulead Systems\DVD\ULCDRSvr.exe [2004-12-13 49152]
S2 UxTuneUp;TuneUp Theme Extension; C:\WINDOWS\System32\svchost.exe [2004-08-04 14336]
S2 VMAuthdService;VMware Authorization Service; C:\Program Files\VMware\VMware Workstation\vmware-authd.exe [2007-04-12 224048]
S2 VMnetDHCP;VMware DHCP Service; C:\WINDOWS\system32\vmnetdhcp.exe [2007-04-12 113456]
S2 vmount2;VMware Virtual Mount Manager Extended; C:\Program Files\Common Files\VMware\VMware Virtual Image Editing\vmount2.exe [2007-04-12 269104]
S2 VMware NAT Service;VMware NAT Service; C:\WINDOWS\system32\vmnat.exe [2007-04-12 142128]
S3 aspnet_state;ASP.NET State Service; C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\aspnet_state.exe [2007-10-24 33800]
S3 clr_optimization_v2.0.50727_32;.NET Runtime Optimization Service v2.0.50727_X86; C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe [2007-10-24 70144]
S3 IDriverT;InstallDriver Table Manager; C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe [2005-04-04 69632]
S3 iPod Service;iPod Service; C:\Program Files\iPod\bin\iPodService.exe [2008-09-08 536872]
S3 ose;Office Source Engine; C:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE [2003-07-27 89136]
S3 rpcapd;Remote Packet Capture Protocol v.0 (experimental); C:\Program Files\WinPcap\rpcapd.exe [2005-08-02 86016]
S3 WMPNetworkSvc;Windows Media Player Network Sharing Service; C:\Program Files\Windows Media Player\WMPNetwk.exe [2006-10-18 913408]
S3 WudfSvc;Windows Driver Foundation - User-mode Driver Framework; C:\WINDOWS\system32\svchost.exe [2004-08-04 14336]

-----------------EOF-----------------


#2 OldTimer

    Malware Expert

  • Members
  • 11,092 posts
  • Gender:Male
  • Location:North Carolina

Posted 30 November 2008 - 12:05 PM

Hello vb28 and welcome to BC. Let's see what we can find.

Before running a new scan let's clean out the temporary folders.

Download ATF Cleaner to your Desktop.
  • Double-click ATF-Cleaner.exe to run the program.
  • Click Select All found at the bottom of the list.
  • Click the Empty Selected button.
If you use Firefox browser, do this also:
  • Click Firefox at the top and choose Select All from the list.
  • Click the Empty Selected button.
  • NOTE : If you would like to keep your saved passwords, please click No at the prompt.
If you use Opera browser, do this also:
  • Click Opera at the top and choose Select All from the list.
  • Close ALL Internet browsers (very important).
  • Click the Empty Selected button.
  • NOTE : If you would like to keep your saved passwords, please click No at the prompt.
Click Exit on the Main menu to close the program.

Now download OTScanIt2.exe to your Desktop and double-click on it to extract the files. It will create a folder named OTScanIt2 on your desktop.

Note: You must be logged on to the system with an account that has Administrator privileges to run this program.
  • Close ALL OTHER PROGRAMS.
  • Open the OTScanIt2 folder and double-click on OTScanIt2.exe to start the program (if you are running on Vista then right-click the program and choose Run as Administrator).
  • Click the Scan All Users checkbox on the toolbar.
  • Do not change any other settings.
  • Now click the Run Scan button on the toolbar.
  • Let it run unhindered until it finishes.
  • When the scan is complete Notepad will open with the report file loaded in it.
  • Click the Format menu and make sure that Wordwrap is not checked. If it is then click on it to uncheck it.
  • Close Notepad (saving the change if necessary).
Use the Add Reply button and Attach the scan back here (do not copy/paste it as it will be too big to fit into the post). It will be located in the OTScanIt2 folder and named OTScanIt.txt.

I will review it when it comes in.

Cheers.

OT
I do not respond to PM's requesting help. That's what the forums are here for. Please use them so that others may benefit from your questions and the responses you receive.
OldTimer


#3 vb28

  • Topic Starter
  • Members
  • 11 posts

Posted 02 December 2008 - 08:45 PM

Thanks for your reply, I have attached the OTScanIt.txt.

I forgot to disable word wrap.

Attached Files


Edited by vb28, 02 December 2008 - 09:56 PM.


#4 OldTimer

    Malware Expert

  • Members
  • 11,092 posts
  • Gender:Male
  • Location:North Carolina

Posted 02 December 2008 - 10:00 PM

Hi vb28. Let's see what we can do. Follow the steps below in order:

Step #1

Please download The Avenger by Swandog46 to your Desktop.
  • Click on Avenger.zip to open the file
  • Extract avenger.exe to your desktop
Copy all the text contained in the code box below to your Clipboard by highlighting it and pressing (Ctrl+C):

Files to delete:
%systemroot%\system32\evipajeh.ini
%systemroot%\system32\hejapive.dll
%systemroot%\system32\migisibi.dll
%systemroot%\system32\nosadepu.dll
%systemroot%\system32\rserver30\r3god.dll
%systemroot%\system32\ruyarewu
%systemroot%\system32\waritili.dll
%systemroot%\system32\xtuimkqeyjxj
%systemroot%\system32\yajulose.dll
%systemroot%\system32\zeveluhe.dll
%systemroot%\vistadrive\vistadrive.exe
c:\users\all users\application data\microsoft\network\downloader\qmgr0.dat
c:\users\all users\application data\microsoft\network\downloader\qmgr1.dat
c:\windows\system32\hizupoye.dll 
c:\windows\system32\rokonuge.dll 
c:\windows\system32\nosadepu.dll
Folders to delete:
%SystemRoot%\VistaDrive\
C:\Windows\system32\rserver30\

Note: the above code was created specifically for this user. If you are not this user, do NOT follow these directions as they could damage the workings of your system.

Now, start The Avenger program by clicking on its icon on your desktop.
  • Click in the window labeled Input Script Here and paste the text copied to the clipboard into it by pressing (Ctrl+V).
  • Click the Execute button
  • Answer "Yes" twice when prompted.
The Avenger will automatically do the following:
  • It will Restart your computer. ( In cases where the code to execute contains "Drivers to Unload", The Avenger will actually restart your system twice.)
  • On reboot, it will briefly open a black command window on your desktop, this is normal.
  • After the restart, it creates a log file that should open with the results of Avenger's actions. This log file will be located at C:\avenger.txt
  • The Avenger will also have backed up all the files, etc., that you asked it to delete, and will have zipped them and moved the zip archives to C:\avenger\backup.zip.
Step #2

Start OTScanIt2. Copy/Paste the information in the codebox below into the pane where it says "Paste fix here" and then click the Run Fix button.

[Kill Explorer]
[Unregister Dlls]
[Registry - Safe List]
< BHO's [HKEY_LOCAL_MACHINE] > -> HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\
YY -> {a08b85cf-6b11-4347-b210-c14b4f3473f7} [HKLM] -> %SystemRoot%\system32\waritili.dll [Reg Error: Value  does not exist or could not be read.]
< Internet Explorer ToolBars [HKEY_CURRENT_USER\] > -> HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\
YN -> WebBrowser\\"{4E7BD74F-2B8D-469E-CCB0-B130EEDBE97C}" [HKLM] -> Reg Error: Key does not exist or could not be opened. [Reg Error: Key does not exist or could not be opened.]
< Internet Explorer ToolBars [HKEY_USERS\S-1-5-21-1123561945-963894560-839522115-500\] > -> HKEY_USERS\S-1-5-21-1123561945-963894560-839522115-500\Software\Microsoft\Internet Explorer\Toolbar\
YN -> WebBrowser\\"{4E7BD74F-2B8D-469E-CCB0-B130EEDBE97C}" [HKLM] -> Reg Error: Key does not exist or could not be opened. [Reg Error: Key does not exist or could not be opened.]
< Run [HKEY_LOCAL_MACHINE\] > -> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
YY -> "5c2a4783" -> %SystemRoot%\system32\hejapive.dll [rundll32.exe "C:\WINDOWS\system32\hejapive.dll",b]
YY -> "CPM5f19741f" -> %SystemRoot%\system32\nosadepu.dll [Rundll32.exe "c:\windows\system32\nosadepu.dll",a]
YY -> "jiwurizipu" -> %SystemRoot%\system32\migisibi.dll [Rundll32.exe "C:\WINDOWS\system32\migisibi.dll",s]
YY -> "VistaDrive" -> %SystemRoot%\VistaDrive\vistadrive.exe [C:\WINDOWS\VistaDrive\VistaDrive.exe]
< Run [HKEY_USERS\S-1-5-19\] > -> HKEY_USERS\S-1-5-19\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
YY -> "jiwurizipu" -> %SystemRoot%\system32\migisibi.dll [Rundll32.exe "C:\WINDOWS\system32\migisibi.dll",s]
< Run [HKEY_USERS\S-1-5-20\] > -> HKEY_USERS\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
YY -> "jiwurizipu" -> %SystemRoot%\system32\migisibi.dll [Rundll32.exe "C:\WINDOWS\system32\migisibi.dll",s]
< Downloaded Program Files > -> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Code Store Database\Distribution Units\
YN -> {E06E2E99-0AA1-11D4-ABA6-0060082AA75C} [HKLM] -> [Reg Error: Value  does not exist or could not be read.]
< AppInit_DLLs [HKEY_LOCAL_MACHINE] > -> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\\AppInit_DLLs
*AppInit_DLLs* -> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\\AppInit_Dlls
YY -> C:\Windows\system32\rserver30\r3god.dll c:\windows\system32\hizupoye.dll c:\windows\system32\rokonuge.dll c:\windows\system32\nosadepu.dll -> %SystemRoot%\system32\rserver30\r3god.dll
YY -> C:\WINDOWS\system32\waritili.dll -> %SystemRoot%\system32\waritili.dll
< AppInit_DLLs [HKEY_LOCAL_MACHINE] > -> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\\AppInit_DLLs
< SSODL [HKEY_LOCAL_MACHINE] > -> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad
YY -> "{EC43E3FD-5C60-46a6-97D7-E0B85DBDD6C4}" [HKLM] -> %SystemRoot%\system32\nosadepu.dll [SSODL]
< SharedTaskScheduler [HKEY_LOCAL_MACHINE] > -> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SharedTaskScheduler
YY -> "{EC43E3FD-5C60-46a6-97D7-E0B85DBDD6C4}" [HKLM] -> %SystemRoot%\system32\nosadepu.dll [STS]
< Standard Profile Authorized Applications List > -> HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List
YN -> "C:\Program Files\IncrediMail\bin\ImApp.exe" -> C:\Program Files\IncrediMail\bin\ImApp.exe [C:\Program Files\IncrediMail\bin\ImApp.exe:*:Disabled:IncrediMail]
YN -> "C:\Program Files\IncrediMail\bin\IncMail.exe" -> C:\Program Files\IncrediMail\bin\IncMail.exe [C:\Program Files\IncrediMail\bin\IncMail.exe:*:Disabled:IncrediMail]
[Files/Folders - Created Within 30 Days]
NY -> 3 C:\WINDOWS\System32\*.tmp files -> C:\WINDOWS\System32\*.tmp
NY -> 14 C:\WINDOWS\*.tmp files -> C:\WINDOWS\*.tmp
NY -> evipajeh.ini -> %SystemRoot%\System32\evipajeh.ini
[Files/Folders - Modified Within 30 Days]
NY -> 3 C:\WINDOWS\System32\*.tmp files -> C:\WINDOWS\System32\*.tmp
NY -> 14 C:\WINDOWS\*.tmp files -> C:\WINDOWS\*.tmp
NY -> qmgr0.dat -> C:\Users\All Users\Application Data\Microsoft\Network\Downloader\qmgr0.dat
NY -> qmgr1.dat -> C:\Users\All Users\Application Data\Microsoft\Network\Downloader\qmgr1.dat
NY -> ruyarewu -> %SystemRoot%\System32\ruyarewu
NY -> evipajeh.ini -> %SystemRoot%\System32\evipajeh.ini
NY -> nosadepu.dll -> %SystemRoot%\System32\nosadepu.dll
NY -> hejapive.dll -> %SystemRoot%\System32\hejapive.dll
NY -> zeveluhe.dll -> %SystemRoot%\System32\zeveluhe.dll
NY -> yajulose.dll -> %SystemRoot%\System32\yajulose.dll
NY -> xtuimkqeyjxj -> %SystemRoot%\System32\xtuimkqeyjxj
[Custom Items]
:files
%SystemRoot%\VistaDrive\
C:\Windows\system32\rserver30\
c:\windows\system32\hizupoye.dll 
c:\windows\system32\rokonuge.dll 
c:\windows\system32\nosadepu.dll
:end
[Empty Temp Folders]
[Start Explorer]

The fix should only take a very short time. When the fix is completed a message box will popup either telling you that it is finished, or that a reboot is needed to complete the fix. If the fix is complete, click the Ok button and Notepad will open with a log of actions taken during the fix. Post that log back here in your next reply.

If a reboot is required, click the "Yes" button to reboot the machine. After the reboot, OTScanIt2 will finish moving any files that could not be moved during the fix and NotePad will open with the final results at that time. Post that log back here in your next reply.

Step #3

Now let's run an online virus scan. Both of these require Internet Explorer. Try F-Secure first. Sometimes it doesn't play nice with other system components so if it cannot complete then try the Kaspersky scan. You only need to complete one of the two.

Run the F-Secure Online Scanner

Note: This Scanner is for Internet Explorer Only!
  • Click on Online Services and then Online Scanner
  • Accept the License Agreement.
  • Once the ActiveX installs,Click Full System Scan
  • Once the download completes,the scan will begin automatically.
  • The scan will take some time to finish,so please be patient.
  • When the scan completes, click the Automatic cleaning (recommended) button.
  • Click the Show Report button and Copy&Paste the entire report in your next reply.
If the F-Secure scan did not work then try an online scan with Kaspersky WebScanner

Click on Kaspersky Online Scanner

You will be prompted to install an ActiveX component from Kaspersky, click Yes.
  • The program will launch and then begin downloading the latest definition files:
  • Once the files have been downloaded click on NEXT
  • Now click on Scan Settings
  • In the scan settings make sure that the following are selected:
    • Scan using the following Anti-Virus database:
      • Extended (if available otherwise Standard)
    • Scan Options:Scan Archives
      Scan Mail Bases
  • Click OK
  • Now under select a target to scan:Select My Computer
  • The program will start and scan your system.
  • The scan will take a while so be patient and let it run.
  • Once the scan is complete it will display if your system has been infected.
  • Click on the Save as Text button:
  • Save the file to your desktop.
  • Copy and paste that information in your next post.
Step #4

Run a new OTScanIt2 scan with the following options

Note: You must be logged on to the system with an account that has Administrator privileges to run this program.
  • Close ALL OTHER PROGRAMS.
  • Open the OTScanIt2 folder and double-click on OTScanIt2.exe to start the program.
  • Just use the default settings.
  • Do not change any other settings.
  • Now click the Run Scan button on the toolbar.
  • Let it run unhindered until it finishes.
  • When the scan is complete Notepad will open with the report file loaded in it.
  • Click the Format menu and make sure that Wordwrap is not checked. If it is then click on it to uncheck it and close Notepad (save changes if necessary).
  • Close OTScanIt2 and locate the OTScanIt.txt file in the folder where OTScanIt2.exe is located.
  • Attach that file back here in your next reply.
Step #5

Copy/paste the following back here in your next reply:
  • The Avenger report (c:\Avenger.txt)
  • The latest OTScanIt2 fix log (look in the OTScanIt2 folder for a file with a name in the form of mmddyyyy_hhmmss.log for month, day, year, hours, minutes, and seconds that the scan was run. )
  • The online virus scan report (whichever one you ran)
Attach the following back here in your next reply:
  • The new OTScanIt2 scan log
I will review the information when it comes back in.

Also let me know of any problems you encountered performing the steps above or any continuing problems you are still having with the computer.

Cheers.

OT
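The fix above removes the same few DLLs from several autostart locations at once: Run keys under HKLM and under the service-account hives (S-1-5-19, S-1-5-20), AppInit_DLLs (loaded into every process that maps user32.dll), ShellServiceObjectDelayLoad and SharedTaskScheduler (both loaded by Explorer), plus a BHO; nosadepu.dll alone is hooked from four of them. The Python below is an added example, not part of this thread and not OTScanIt2's own code. It parses "[Registry - Safe List]" lines in the format shown above, extracts every .dll/.exe path each entry loads, correlates one binary across persistence keys and flags the pattern visible in this fix: eight-lowercase-letter DLL names sitting directly in system32, AppInit_DLLs membership, and one file registered from two or more keys. The sample report is a constructed subset of the lines posted above; the three heuristics and the function names are this example's assumptions.

```python
"""Triage of OTScanIt2 "[Registry - Safe List]" autostart entries.
Added example, not part of this thread or of OTScanIt2: parse section headers
and YY/YN entries, extract every .dll/.exe an entry loads, correlate a binary
across persistence keys and flag the pattern seen in the fix above.
"""
import re
from collections import defaultdict

# Section header such as "< Run [HKEY_LOCAL_MACHINE\] > -> HKEY_LOCAL_MACHINE\...\Run";
# the registry key after "->" becomes the location label.
SECTION_RE = re.compile(r"^<[^>]*>\s*->\s*(?P<key>.+)$")
# Entry line: two Y/N flags, "->", then "<name> -> <target> [<raw value>]".
ENTRY_RE = re.compile(r"^[YN]{2}\s*->\s*(?P<body>.+)$")
# Path starting with a drive letter or %Var% and ending in .dll/.exe. Spaces
# are allowed (C:\Program Files\...); [ ] and " terminate a path.
PATH_RE = re.compile(r"(?:%[A-Za-z]+%|[A-Za-z]:)\\[^\[\]\"]*?\.(?:dll|exe)\b", re.I)
# Pseudo-random naming style of the DLLs removed in this thread (assumption).
RANDOM_DLL_RE = re.compile(r"^[a-z]{8}\.dll$")

# Constructed sample: a subset of the OTScanIt2 fix lines posted above.
SAMPLE_REPORT = r"""
< Run [HKEY_LOCAL_MACHINE\] > -> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
YY -> "5c2a4783" -> %SystemRoot%\system32\hejapive.dll [rundll32.exe "C:\WINDOWS\system32\hejapive.dll",b]
YY -> "CPM5f19741f" -> %SystemRoot%\system32\nosadepu.dll [Rundll32.exe "c:\windows\system32\nosadepu.dll",a]
YY -> "jiwurizipu" -> %SystemRoot%\system32\migisibi.dll [Rundll32.exe "C:\WINDOWS\system32\migisibi.dll",s]
YY -> "VistaDrive" -> %SystemRoot%\VistaDrive\vistadrive.exe [C:\WINDOWS\VistaDrive\VistaDrive.exe]
< Run [HKEY_USERS\S-1-5-19\] > -> HKEY_USERS\S-1-5-19\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
YY -> "jiwurizipu" -> %SystemRoot%\system32\migisibi.dll [Rundll32.exe "C:\WINDOWS\system32\migisibi.dll",s]
< AppInit_DLLs [HKEY_LOCAL_MACHINE] > -> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\\AppInit_DLLs
*AppInit_DLLs* -> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\\AppInit_Dlls
YY -> C:\Windows\system32\rserver30\r3god.dll c:\windows\system32\hizupoye.dll c:\windows\system32\rokonuge.dll c:\windows\system32\nosadepu.dll -> %SystemRoot%\system32\rserver30\r3god.dll
YY -> C:\WINDOWS\system32\waritili.dll -> %SystemRoot%\system32\waritili.dll
< SSODL [HKEY_LOCAL_MACHINE] > -> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad
YY -> "{EC43E3FD-5C60-46a6-97D7-E0B85DBDD6C4}" [HKLM] -> %SystemRoot%\system32\nosadepu.dll [SSODL]
< SharedTaskScheduler [HKEY_LOCAL_MACHINE] > -> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SharedTaskScheduler
YY -> "{EC43E3FD-5C60-46a6-97D7-E0B85DBDD6C4}" [HKLM] -> %SystemRoot%\system32\nosadepu.dll [STS]
< Standard Profile Authorized Applications List > -> HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List
YN -> "C:\Program Files\IncrediMail\bin\ImApp.exe" -> C:\Program Files\IncrediMail\bin\ImApp.exe [C:\Program Files\IncrediMail\bin\ImApp.exe:*:Disabled:IncrediMail]
"""


def parse_autostarts(report):
    """Return one dict {location, name, paths} per entry under a section header."""
    entries, location = [], None
    for raw in report.splitlines():
        line = raw.strip()
        header = SECTION_RE.match(line)
        if header:
            location = header.group("key").strip()
            continue
        entry = ENTRY_RE.match(line)
        if not (entry and location):
            continue  # e.g. the "*AppInit_DLLs*" marker or text before any header
        body = entry.group("body")
        entries.append({
            "location": location,
            "name": body.split(" -> ", 1)[0].strip().strip('"'),
            # lower-case and de-duplicate: %SystemRoot% and raw C:\WINDOWS forms
            "paths": sorted({p.lower() for p in PATH_RE.findall(body)}),
        })
    return entries


def basename(path):
    return path.rsplit("\\", 1)[-1]


def correlate(entries):
    """Map each binary (lower-case basename) to the set of keys that load it."""
    where = defaultdict(set)
    for e in entries:
        for p in e["paths"]:
            where[basename(p)].add(e["location"])
    return where


def flag_suspicious(entries):
    """Return {basename: sorted reasons}; the heuristics are this example's own:
    random-name = eight lowercase letters + .dll sitting directly in system32,
    appinit = listed in AppInit_DLLs (injected into every user32 process),
    multi-hook = the same file registered in two or more autostart keys."""
    where = correlate(entries)
    reasons = defaultdict(set)
    for e in entries:
        in_appinit = e["location"].lower().endswith("appinit_dlls")
        for p in e["paths"]:
            name = basename(p)
            if RANDOM_DLL_RE.match(name) and p.endswith("\\system32\\" + name):
                reasons[name].add("random-name")
            if in_appinit:
                reasons[name].add("appinit")
            if len(where[name]) >= 2:
                reasons[name].add("multi-hook")
    return {n: sorted(r) for n, r in reasons.items()}


if __name__ == "__main__":
    for name, why in sorted(flag_suspicious(parse_autostarts(SAMPLE_REPORT)).items()):
        print(f"FLAG {name}: {', '.join(why)}")
```

Run as a script it prints the flagged names; to triage a real report, read OTScanIt.txt and pass its text to parse_autostarts. The random-name rule is deliberately narrow and only catches this family's naming, so it will not flag VistaDrive.exe or r3god.dll on its own; the AppInit_DLLs and multi-hook signals do not depend on the file name, which is why a file that shows up in Run, AppInit_DLLs, SSODL and SharedTaskScheduler together is the first thing to look at, whatever it is called.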

#5 vb28

  • Topic Starter
  • Members
  • 11 posts

Posted 03 December 2008 - 11:05 PM

Hi,

1st - For some reason I am not getting notifications from this forum; I enabled them in the post and in the control panel.

2nd - Well, I did step 1. The problem is that when the computer got to the "Windows is shutting down" part it got stuck and I did a forced shutdown, and every time Windows starts it gets stuck on "loading your personal settings" and then restarts....

3rd - I cannot enter safe mode (via the F8 or Del option on startup), so I was wondering is there any program I can put on a USB key to force it to start in safe mode?

thanks

Vb28

#6 OldTimer

    Malware Expert

  • Members
  • 11,092 posts
  • Gender:Male
  • Location:North Carolina

Posted 04 December 2008 - 12:48 AM

Hi vb28. Try booting to the Administrator account, or a different account with administrator privileges.

Cheers.

OT

#7 vb28

  • Topic Starter
  • Members
  • 11 posts

Posted 04 December 2008 - 07:25 PM

Hi vb28. Try booting to the Administrator account, or a different account with administrator privileges.

Cheers.

OT


OT,

I was in the Administrator account when I did step 1, but now on restart it is not getting past the loading settings part... the PC restarts every time it gets to the "loading personal settings" part...

And I cannot log in; on rebooting my PC doesn't have that option.... So I was wondering if there is a safe mode exe or app that I could put on the USB key.

#8 OldTimer

    Malware Expert

  • Members
  • 11,092 posts
  • Gender:Male
  • Location:North Carolina

Posted 04 December 2008 - 09:13 PM

Hi vb28. Yeah, sometimes those infections can mess with the login process. There aren't any programs that can be run from other drives that will allow you to boot into the operating system on C:. There are things like the recovery console or a PE disk that allow you to boot to a separate operating system.

I doubt that this will work but let's try it anyway. Boot to the boot menu and try "Last known good configuration". If that doesn't work then we can try a repair install.

Cheers.

OT

#9 vb28

  • Topic Starter
  • Members
  • 11 posts

Posted 05 December 2008 - 12:24 AM

Requested files are attached.

Attached Files



#10 vb28

  • Topic Starter
  • Members
  • 11 posts

Posted 05 December 2008 - 12:27 AM

And here is the new OTScanIt.txt.

It was too large to upload to the forum, but I have uploaded it here:

http://www.zshare.net/download/5227463876e9ce62/

Thanks.

All is done in safe mode... I had problems in normal mode, hope that is not a problem.

#11 OldTimer

    Malware Expert

  • Members
  • 11,092 posts
  • Gender:Male
  • Location:North Carolina

Posted 05 December 2008 - 09:58 AM

Hi vb28. That looks better. Now let's cleanup the remnants:

Step #1

Copy all the text contained in the code box below to your Clipboard by highlighting it and pressing (Ctrl+C):

Files to delete:
%systemroot%\system32\dotewawa.dll
%systemroot%\system32\opanagar.ini
C:\WINDOWS\SYSTEM32\RAGANAPO.DLL
C:\PPAPPS\CCFILETRANSFER\PATCH.EXE
C:\PPAPPS\FASTFOLDERS\PATCH.EXE
C:\PPAPPS\VIDEOAVATAR\VIDEOAVATAR.EXE
C:\PPAPPS\IDINSTALLWATCH\IDINSTALLWATCH.EXE
C:\PPAPPS\MY BACKUP PRO\MYBACKUPPRO.EXE
Folders to delete:
C:\PROGRAM FILES\CRACKERSKIT

Note: the above code was created specifically for this user. If you are not this user, do NOT follow these directions as they could damage the workings of your system.

Now, start The Avenger program by clicking on its icon on your desktop.
  • Click in the window labeled Input Script Here and paste the text copied to the clipboard into it by pressing (Ctrl+V).
  • Click the Execute button
  • Answer "Yes" twice when prompted.
The Avenger will automatically do the following:
  • It will Restart your computer. ( In cases where the code to execute contains "Drivers to Unload", The Avenger will actually restart your system twice.)
  • On reboot, it will briefly open a black command window on your desktop, this is normal.
  • After the restart, it creates a log file that should open with the results of Avenger's actions. This log file will be located at C:\avenger.txt
  • The Avenger will also have backed up all the files, etc., that you asked it to delete, and will have zipped them and moved the zip archives to C:\avenger\backup.zip.
Step #2

Start OTScanIt2. Copy/Paste the information in the codebox below into the pane where it says "Paste fix here" and then click the Run Fix button.

[Kill Explorer]
[Unregister Dlls]
[Registry - Safe List]
< Run [HKEY_LOCAL_MACHINE\] > -> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
YY -> "CPM5f19741f" -> %SystemRoot%\system32\dotewawa.dll [Rundll32.exe "c:\windows\system32\dotewawa.dll",a]
< RunOnce [HKEY_LOCAL_MACHINE\] > -> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce
YN -> "Cleanup" -> %SystemDrive%\cleanup.exe [C:\cleanup.exe]
YN -> "OTScanIt" -> %UserProfile%\Desktop\OTScanIt2\OTScanIt2.exe ["C:\Users\Administrator\Desktop\OTScanIt2\OTScanIt2.exe"]
YN -> "WIAWizardMenu" -> %SystemRoot%\system32\sti_ci.dll [RUNDLL32.EXE C:\WINDOWS\system32\sti_ci.dll,WiaCreateWizardMenu]
< Run [HKEY_CURRENT_USER\] > -> HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
YY -> "CPM5f19741f" -> %SystemRoot%\system32\dotewawa.dll [Rundll32.exe "c:\windows\system32\dotewawa.dll",a]
< Run [HKEY_USERS\S-1-5-21-1123561945-963894560-839522115-500\] > -> HKEY_USERS\S-1-5-21-1123561945-963894560-839522115-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
YY -> "CPM5f19741f" -> %SystemRoot%\system32\dotewawa.dll [Rundll32.exe "c:\windows\system32\dotewawa.dll",a]
< AppInit_DLLs [HKEY_LOCAL_MACHINE] > -> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\\AppInit_DLLs
*AppInit_DLLs* -> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\\AppInit_Dlls
YN -> C:\Windows\system32\rserver30\r3god.dll -> %SystemRoot%\system32\rserver30\r3god.dll
YN -> c:\windows\system32\hizupoye.dll -> %SystemRoot%\system32\hizupoye.dll
YN -> c:\windows\system32\rokonuge.dll -> %SystemRoot%\system32\rokonuge.dll
YY -> c:\windows\system32\dotewawa.dll -> %SystemRoot%\system32\dotewawa.dll
< AppInit_DLLs [HKEY_LOCAL_MACHINE] > -> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\\AppInit_DLLs
< SSODL [HKEY_LOCAL_MACHINE] > -> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad
YY -> "{EC43E3FD-5C60-46a6-97D7-E0B85DBDD6C4}" [HKLM] -> %SystemRoot%\system32\dotewawa.dll [SSODL]
< SharedTaskScheduler [HKEY_LOCAL_MACHINE] > -> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SharedTaskScheduler
YY -> "{EC43E3FD-5C60-46a6-97D7-E0B85DBDD6C4}" [HKLM] -> %SystemRoot%\system32\dotewawa.dll [STS]
[Files/Folders - Created Within 30 Days]
NY -> opanagar.ini -> %SystemRoot%\System32\opanagar.ini
[Files/Folders - Modified Within 30 Days]
NY -> opanagar.ini -> %SystemRoot%\System32\opanagar.ini
NY -> dotewawa.dll -> %SystemRoot%\System32\dotewawa.dll
[Custom Items]
:files
C:\WINDOWS\SYSTEM32\RAGANAPO.DLL
:end
[Empty Temp Folders]
[Start Explorer]

The fix should only take a very short time. When the fix is completed a message box will popup either telling you that it is finished, or that a reboot is needed to complete the fix. If the fix is complete, click the Ok button and Notepad will open with a log of actions taken during the fix. Post that log back here in your next reply.

If a reboot is required, click the "Yes" button to reboot the machine. After the reboot, OTScanIt2 will finish moving any files that could not be moved during the fix and NotePad will open with the final results at that time. Post that log back here in your next reply.

Step #3

Now let's run an online virus scan. Both of these require Internet Explorer. Try F-Secure first. Sometimes it doesn't play nice with other system components so if it cannot complete then try the Kaspersky scan. You only need to complete one of the two.

Run the F-Secure Online Scanner

Note: This Scanner is for Internet Explorer Only!
  • Click on Online Services and then Online Scanner
  • Accept the License Agreement.
  • Once the ActiveX installs, click Full System Scan
  • Once the download completes, the scan will begin automatically.
  • The scan will take some time to finish, so please be patient.
  • When the scan completes, click the Automatic cleaning (recommended) button.
  • Click the Show Report button and copy and paste the entire report in your next reply.
If the F-Secure scan did not work then try an online scan with Kaspersky WebScanner

Click on Kaspersky Online Scanner

You will be prompted to install an ActiveX component from Kaspersky, click Yes.
  • The program will launch and then begin downloading the latest definition files:
  • Once the files have been downloaded click on NEXT
  • Now click on Scan Settings
  • In the scan settings make sure that the following are selected:
    • Scan using the following Anti-Virus database:
      • Extended (if available, otherwise Standard)
    • Scan Options:
      • Scan Archives
      • Scan Mail Bases
  • Click OK
  • Now under select a target to scan: Select My Computer
  • The program will start and scan your system.
  • The scan will take a while so be patient and let it run.
  • Once the scan is complete it will display if your system has been infected.
  • Click on the Save as Text button:
  • Save the file to your desktop.
  • Copy and paste that information in your next post.
Step #4

Run a new OTScanIt2 scan with the following options:

Note: You must be logged on to the system with an account that has Administrator privileges to run this program.
  • Close ALL OTHER PROGRAMS.
  • Open the OTScanIt2 folder and double-click on OTScanIt2.exe to start the program.
  • Just use the default settings.
  • Do not change any other settings.
  • Now click the Run Scan button on the toolbar.
  • Let it run unhindered until it finishes.
  • When the scan is complete Notepad will open with the report file loaded in it.
  • Click the Format menu and make sure that Wordwrap is not checked. If it is then click on it to uncheck it and close Notepad (save changes if necessary).
  • Close OTScanIt2 and locate the OTScanIt.txt file in the folder where OTScanIt2.exe is located.
  • Attach that file back here in your next reply.
Step #5

Copy/paste the following back here in your next reply:
  • The Avenger report (c:\Avenger.txt)
  • The latest OTScanIt2 fix log (look in the OTScanIt2 folder for a file with a name in the form of mmddyyyy_hhmmss.log for month, day, year, hours, minutes, and seconds that the scan was run. )
  • The online virus scan report (whichever one you ran)
Upload the new OTScanIt2 log to me here.

I will review the information when it comes back in.

Also let me know of any problems you encountered performing the steps above or any continuing problems you are still having with the computer.

Cheers.

OT
I do not respond to PM's requesting help. That's what the forums are here for. Please use them so that others may benefit from your questions and the responses you receive.
OldTimer
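As an added example (not part of OldTimer's post, and not code from The Avenger or OTScanIt2): a small Python script that parses an OTScanIt2-style autostart listing like the one in the fix above and flags DLLs that are referenced from several persistence points (Run, AppInit_DLLs, SSODL, SharedTaskScheduler) or that carry the random eight-letter names seen throughout this thread. The sample listing is constructed from entries in the fix above; the parsing rules and the name heuristic are assumptions of this example, not OTScanIt2's own logic.

```python
import re
from collections import defaultdict

# Constructed sample modelled on the OTScanIt2 listing in the post above:
# "< Section [hive] > -> key" headers followed by "flags -> name -> path [cmd]" rows.
SAMPLE = r"""
< Run [HKEY_LOCAL_MACHINE\] > -> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
YY -> "CPM5f19741f" -> %SystemRoot%\system32\dotewawa.dll [Rundll32.exe "c:\windows\system32\dotewawa.dll",a]
< RunOnce [HKEY_LOCAL_MACHINE\] > -> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce
YN -> "WIAWizardMenu" -> %SystemRoot%\system32\sti_ci.dll [RUNDLL32.EXE C:\WINDOWS\system32\sti_ci.dll,WiaCreateWizardMenu]
< AppInit_DLLs [HKEY_LOCAL_MACHINE] > -> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\\AppInit_DLLs
YN -> c:\windows\system32\hizupoye.dll -> %SystemRoot%\system32\hizupoye.dll
YY -> c:\windows\system32\dotewawa.dll -> %SystemRoot%\system32\dotewawa.dll
< SSODL [HKEY_LOCAL_MACHINE] > -> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad
YY -> "{EC43E3FD-5C60-46a6-97D7-E0B85DBDD6C4}" [HKLM] -> %SystemRoot%\system32\dotewawa.dll [SSODL]
"""

HEADER = re.compile(r"^<\s*(\S+)\s*\[")        # section name from "< Run [HKEY_LOCAL_MACHINE\] > ..."
RANDOM_NAME = re.compile(r"^[a-z]{8}\.dll$")    # assumed heuristic: dotewawa.dll, hizupoye.dll style names

def parse_listing(text):
    """Map each DLL basename to the set of autostart sections that reference it."""
    refs = defaultdict(set)
    section = None
    for line in text.splitlines():
        line = line.strip()
        m = HEADER.match(line)
        if m:
            section = m.group(1)
            continue
        if not section or " -> " not in line:
            continue
        # The last field is the resolved path, optionally followed by " [command]".
        path = line.split(" -> ")[-1].split(" [")[0].strip()
        name = path.replace("/", "\\").rsplit("\\", 1)[-1].lower()
        if name.endswith(".dll"):
            refs[name].add(section)
    return dict(refs)

def suspicious(text):
    """Flag DLLs that sit in several autostart points or carry a random 8-letter name."""
    hits = {}
    for name, sections in parse_listing(text).items():
        reasons = []
        if len(sections) >= 2:
            reasons.append("multiple autostart points: " + ", ".join(sorted(sections)))
        if RANDOM_NAME.match(name):
            reasons.append("random-looking 8-letter name")
        if reasons:
            hits[name] = reasons
    return hits

if __name__ == "__main__":
    for name, reasons in suspicious(SAMPLE).items():
        print(name, "->", "; ".join(reasons))
```

On the sample, dotewawa.dll is flagged on both counts and hizupoye.dll on its name alone, while the legitimate sti_ci.dll (one RunOnce entry) is left alone.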

#12 vb28

Posted 06 December 2008 - 11:39 AM

Hi OT,

Here is the next batch.

The latest OTScanIt2 log has been uploaded to the link that you provided me.


#13 OldTimer

Posted 06 December 2008 - 01:21 PM

Hi vb28. Everything looks good. Go ahead and run the system normally for a couple of days to see if there are any lingering malware issues and then get back with me so we can do some final cleanup.

It does appear that there are some missing files for McAfee. Check that to make sure that it is functioning properly (scans, updating, etc.) and if not, that will probably need to be reinstalled. AV apps are one of the first things that most malware attempt to disable, and it would not be surprising to have that disabled.

Cheers.

OT

#14 vb28

Posted 06 December 2008 - 04:46 PM

Thanks OT,

I did the cleaning in safe mode, but when I change back to normal mode... once again I get stuck on "loading your personal settings..." and it restarts after that....

Last time this happened... I tried the next day and was able to go into normal mode.... I will wait it out this time as well... but not sure what is causing it; maybe one of the files was deleted....
