
Trojan.Win32.Monder (Among Other Things)


This topic is locked. 16 replies to this topic.

#1 natesteine21

  • Members
  • 17 posts

Posted 10 December 2008 - 10:43 PM

Alright, I'll give you a brief overview. I've got some junk on my computer, as you will see below. I am generally the only person using this computer, as my wife has her own laptop, but recently she's been having trouble connecting to our wireless internet with her laptop, so she's been using my computer to search for jobs. Anyway, I hadn't had any virus/malware/pop-up issues until recently. I had Spybot S&D running in the background and as a general rule I was "cool and the gang." Well, since that point I've been having issues. The biggest issue/first trouble I noticed is that Spybot would pop up windows wanting me to allow changes to be made to my registry. So I downloaded Malwarebytes, as I noticed it had some good reviews. After running a scan with that I got a rootkit.agent file warning. After restarting and rerunning I couldn't get rid of it, so I came here for help. Then Kaspersky found the other stuff below.

I've downloaded RSIT and when I try to run it I get an error message that states: "AutoIT Error; Error: Incorrect Number of parameters in function call."

One other thing, and I'll have to get some more info on this: I think this happened by allowing some changes to the registry. I'm missing some .dll files on startup. I'll post the names of those after my next restart.

Any and all help will be appreciated.

Kaspersky Scan
KASPERSKY ONLINE SCANNER 7 REPORT
Wednesday, December 10, 2008
Operating System: Microsoft Windows XP Professional Service Pack 2 (build 2600)
Kaspersky Online Scanner 7 version: 7.0.25.0
Program database last update: Wednesday, December 10, 2008 22:20:53
Records in database: 1450451
Scan settings
Scan using the following database extended
Scan archives yes
Scan mail databases yes
Scan area Critical Areas
C:\Documents and Settings\All Users\Start Menu\Programs\Startup
C:\Documents and Settings\Nate Smith\Start Menu\Programs\Startup
C:\Program Files
C:\WINDOWS
Scan statistics
Files scanned 40110
Threat name 5
Infected objects 8
Suspicious objects 0
Duration of the scan 01:47:05

File name Threat name Threats count
C:\WINDOWS\system32\ffkggf.dll Infected: Trojan.Win32.Monder.abke 1
C:\WINDOWS\system32\geBrPIAQ.dll Infected: Trojan.Win32.Agent.asus 1
C:\WINDOWS\system32\gpmqte.dll Infected: Trojan.Win32.Monder.aaxp 1
C:\WINDOWS\system32\hrrixr.dll Infected: Trojan.Win32.Monder.abke 1
C:\WINDOWS\system32\onglvyud.dll Infected: Trojan.Win32.Monder.aaxp 1
C:\WINDOWS\system32\vodewenu.dll Infected: Trojan.Win32.Monder.abjq 1
C:\WINDOWS\system32\wpv721228549885.cpx Infected: not-a-virus:AdWare.Win32.Agent.hza 1
C:\WINDOWS\system32\ybtpepoy.dll Infected: Trojan.Win32.Monder.abke 1
The selected area was scanned.


#2 Buckeye_Sam

    Malware Expert

  • Members
  • 17,382 posts
  • Gender:Male
  • Location:Pickerington, Ohio

Posted 12 December 2008 - 04:54 PM

Hello!
My name is Sam and I will be helping you.

In order to see what's going on with your computer I may ask for you to post various logs from the tools that we will use to resolve your issue. Please also share with me any information about how your computer is reacting and behaving each step of the way as we work through this process.


Please download DDS and save it to your desktop.
  • Disable any script blocking protection
  • Double click dds.scr to run the tool.
  • When done, DDS.txt will open.
  • Click Yes at the next prompt for Optional Scan.
  • Save both reports to your desktop.
---------------------------------------------------

Please copy and paste both logs into your next reply.
If I have helped you in any way, please consider a donation to help me continue the fight against malware.


Failing to respond back to the person that is giving up their own time to help you not only is insensitive and disrespectful, but it guarantees that you will never receive help from me again. Please thank your helpers and there will always be help here when you need it!


========================================================

#3 natesteine21

  • Topic Starter
  • Members
  • 17 posts

Posted 14 December 2008 - 07:03 PM

attach.txt

UNLESS SPECIFICALLY INSTRUCTED, DO NOT POST THIS LOG.
IF REQUESTED, ZIP IT UP & ATTACH IT

DDS (Version 1.0)


==== Disk Partitions =========================


==== Disabled Device Manager Items =============

==== System Restore Points ===================

No restore point in system.

==== Installed Programs ======================


Adobe Flash Player 10 Plugin
Adobe Flash Player ActiveX
Adobe Reader 7.0.9
Adobe Shockwave Player 11
Adobe® Photoshop® Album Starter Edition 3.0
Apple Mobile Device Support
Apple Software Update
Bonjour
Conquest 4.0
FileASSASSIN
HijackThis 2.0.2
Hotfix for Windows XP (KB926239)
HyperLoad
Intel® Extreme Graphics Driver
iTunes
J2SE Runtime Environment 5.0 Update 1
J2SE Runtime Environment 5.0 Update 10
J2SE Runtime Environment 5.0 Update 11
J2SE Runtime Environment 5.0 Update 2
J2SE Runtime Environment 5.0 Update 4
J2SE Runtime Environment 5.0 Update 6
J2SE Runtime Environment 5.0 Update 9
Java™ 6 Update 11
Java™ 6 Update 2
Java™ 6 Update 3
Java™ 6 Update 5
Java™ 6 Update 7
Java™ SE Runtime Environment 6 Update 1
LimeWire 4.14.8
Macromedia Flash Player
Malwarebytes' Anti-Malware
Microsoft .NET Framework 2.0
Microsoft Compression Client Pack 1.0 for Windows XP
Microsoft Data Access Components KB870669
Microsoft Office XP Professional with FrontPage
Microsoft Silverlight
Microsoft User-Mode Driver Framework Feature Pack 1.0
Mozilla Firefox (3.0.4)
NTI Backup NOW! 3
NTI CD-Maker
NTI CD-Maker Gold
NTI DriveBackup! 3
Poker Tracker Version 2.16.00e
PokerAce Hud (remove only)
PokerStars
PokerStove version 1.21
PostgreSQL 8.2
QuickTime
QuickTime for Windows (32-bit)
Qwest QuickCare
Security Update for Windows Media Player (KB911564)
Security Update for Windows Media Player 10 (KB911565)
Security Update for Windows XP (KB883939)
Security Update for Windows XP (KB890046)
Security Update for Windows XP (KB893756)
Security Update for Windows XP (KB896358)
Security Update for Windows XP (KB896422)
Security Update for Windows XP (KB896423)
Security Update for Windows XP (KB896424)
Security Update for Windows XP (KB896428)
Security Update for Windows XP (KB896688)
Security Update for Windows XP (KB899587)
Security Update for Windows XP (KB899588)
Security Update for Windows XP (KB899589)
Security Update for Windows XP (KB899591)
Security Update for Windows XP (KB900725)
Security Update for Windows XP (KB901017)
Security Update for Windows XP (KB901214)
Security Update for Windows XP (KB902400)
Security Update for Windows XP (KB903235)
Security Update for Windows XP (KB904706)
Security Update for Windows XP (KB905414)
Security Update for Windows XP (KB905749)
Security Update for Windows XP (KB905915)
Security Update for Windows XP (KB908519)
Security Update for Windows XP (KB908531)
Security Update for Windows XP (KB911562)
Security Update for Windows XP (KB911567)
Security Update for Windows XP (KB911927)
Security Update for Windows XP (KB912812)
Security Update for Windows XP (KB912919)
Security Update for Windows XP (KB913446)
Security Update for Windows XP (KB913580)
SideWinder Game Voice
SkyCaddie Desktop
Sony USB Driver
Spybot - Search & Destroy
Update for Windows XP (KB894391)
Update for Windows XP (KB896727)
Update for Windows XP (KB898461)
Update for Windows XP (KB900485)
Update for Windows XP (KB910437)
Viewpoint Manager (Remove Only)
Viewpoint Media Player
WebFldrs XP
Windows Genuine Advantage Notifications (KB905474)
Windows Genuine Advantage v1.3.0254.0
Windows Installer 3.1 (KB893803)
Windows Media Format 11 runtime
Windows XP Hotfix - KB834707
Windows XP Hotfix - KB867282
Windows XP Hotfix - KB873333
Windows XP Hotfix - KB873339
Windows XP Hotfix - KB885250
Windows XP Hotfix - KB885626
Windows XP Hotfix - KB885835
Windows XP Hotfix - KB885836
Windows XP Hotfix - KB885884
Windows XP Hotfix - KB886185
Windows XP Hotfix - KB887472
Windows XP Hotfix - KB887742
Windows XP Hotfix - KB888113
Windows XP Hotfix - KB888302
Windows XP Hotfix - KB890047
Windows XP Hotfix - KB890175
Windows XP Hotfix - KB890859
Windows XP Hotfix - KB890923
Windows XP Hotfix - KB891781
Windows XP Hotfix - KB893066
Windows XP Hotfix - KB893086
Windows XP Service Pack 2
WinZip

==== Event Viewer Messages ===================


==== End Of File ===========================


DDS.txt


DDS (Version 1.0.1) - NTFSx86
Run by Nate Smith at 17:59:19.59 on Sun 12/14/2008
Internet Explorer: 6.0.2900.2180 BrowserJavaVersion: 1.6.0_11

============== Running Processes ===============


============== Pseudo HJT Report ===============

mStart Page = hxxp://www.msn.com
uInternet Settings,ProxyOverride = *.local
BHO: {29a5996a-db9d-482c-8d95-7d260e574814} - c:\windows\system32\fuduhapo.dll
BHO: {53707962-6F74-2D53-2644-206D7942484F} - c:\program files\spybot - search & destroy\SDHelper.dll
BHO: {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - c:\program files\java\jre6\bin\ssv.dll
BHO: {DBC80044-A445-435b-BC74-9C25C1C588A9} - c:\program files\java\jre6\bin\jp2ssv.dll
TB: {40D41A8B-D79B-43D7-99A7-9EE0F344C385} - c:\program files\aim toolbar\AIMBar.dll
uRun: [updateMgr] "c:\program files\adobe\acrobat 7.0\reader\AdobeUpdateManager.exe" AcRdB7_0_9 -reboot 1
uRun: [SpybotSD TeaTimer] c:\program files\spybot - search & destroy\TeaTimer.exe
mRun: [IgfxTray] c:\windows\system32\igfxtray.exe
mRun: [HotKeysCmds] c:\windows\system32\hkcmd.exe
mRun: [SoundMan] SOUNDMAN.EXE
mRun: [DAEMON Tools-1033] "c:\program files\d-tools\daemon.exe" -lang 1033
mRun: [tgcmd] "c:\program files\support.com\bin\tgcmd.exe" /server /startmonitor /deaf
mRun: [POEngine]
mRun: [Adobe Photo Downloader] "c:\program files\adobe\photoshop album starter edition\3.0\apps\apdproxy.exe"
mRun: [AppleSyncNotifier] c:\program files\common files\apple\mobile device support\bin\AppleSyncNotifier.exe
mRun: [QuickTime Task] "c:\program files\quicktime\QTTask.exe" -atboottime
mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe"
mRun: [SunJavaUpdateSched] "c:\program files\java\jre6\bin\jusched.exe"
mRun: [yilowibazi] Rundll32.exe "c:\windows\system32\gagagude.dll",s
mRun: [CPM6f4ca149] Rundll32.exe "c:\windows\system32\yujetata.dll",a
mRun: [Malwarebytes Anti-Malware (reboot)] "c:\program files\malwarebytes' anti-malware\mbam.exe" /runcleanupscript
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\adober~1.lnk - c:\program files\adobe\acrobat 7.0\reader\reader_sl.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\micros~1.lnk - c:\program files\microsoft office\office10\OSA.EXE
IE: &AIM Search - c:\program files\aim toolbar\AIMBar.dll/aimsearch.htm
IE: E&xport to Microsoft Excel - c:\progra~1\micros~3\office10\EXCEL.EXE/3000
IE: { - c:\documents and settings\all users\start menu\programs\absolute poker\Absolute Poker.lnk
IE: {B4B52284-A248-4c51-9F7C-F0A0C67FCC9D} - c:\program files\partygaming\partycasino\RunCasino.exe
IE: {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - c:\program files\partygaming\partypoker\RunApp.exe
IE: {c:\documents and settings\all users\start menu\programs\absolute poker\Absolute Poker.lnk -
IE: {B4B52284-A248-4c51-9F7C-F0A0C67FCC9D} - c:\program files\partygaming\partycasino\RunCasino.exe
IE: {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - c:\program files\partygaming\partypoker\RunApp.exe
IE: {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - {53707962-6F74-2D53-2644-206D7942484F} - c:\program files\spybot - search & destroy\SDHelper.dll
Handler: cdo - {CD00020A-8B95-11D1-82DB-00C04FB1625D} - c:\program files\common files\microsoft shared\web folders\PKMCDO.DLL
Notify: igfxcui - igfxsrvc.dll
AppInit_DLLs: qiuict.dll c:\windows\system32\nupanogo.dll c:\windows\system32\guserohu.dll c:\windows\system32\yujetata.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
STS: {EC43E3FD-5C60-46a6-97D7-E0B85DBDD6C4} - c:\windows\system32\yujetata.dll
SecurityProviders: msapsspc.dll, schannel.dll, digest.dll, msnsspc.dll, digeste.dll
LSA: Notification Packages = scecli c:\windows\system32\guserohu.dll

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\natesm~1\applic~1\mozilla\firefox\profiles\ejsnjfxg.default\
FF - prefs.js: browser.search.selectedEngine - Google
FF - prefs.js: browser.startup.homepage - hxxp://www.yahoo.com/?p=1151429099

============= SERVICES / DRIVERS ===============

RSPR?S?C?P?P?01234RSPR?S?C?P?P?01234

=============== Created Last 30 ================

2008-12-14 17:51 1,589,605 ---sh--- c:\windows\system32\ibodivek.ini
2008-12-12 10:43 1,566,775 ---sh--- c:\windows\system32\imogedod.ini
2008-12-09 19:41 <DIR> --d----- c:\program files\Trend Micro
2008-12-07 11:58 577,024 ac------ c:\windows\system32\dllcache\user32.dll
2008-12-07 11:55 <DIR> --d----- c:\windows\ERUNT
2008-12-07 11:51 <DIR> --d----- C:\SDFix
2008-12-06 23:03 <DIR> --dsh--- c:\windows\TmF0ZSBTbWl0aA
2008-12-06 22:42 65,024 a------- c:\windows\system32\geBrPIAQ.dll
2008-12-06 22:42 198,710 a------- c:\windows\system32\wpv721228549885.cpx
2008-12-04 19:49 <DIR> --d----- c:\program files\FileASSASSIN
2008-12-03 09:43 129,024 a------- c:\windows\system32\hrrixr.dll
2008-12-01 20:42 410,984 a------- c:\windows\system32\deploytk.dll
2008-12-01 17:28 129,024 a------- c:\windows\system32\gpmqte.dll
2008-12-01 17:28 129,024 a------- c:\windows\system32\onglvyud.dll
2008-12-01 11:48 <DIR> --d----- c:\windows\system32\Adobe
2008-11-30 22:05 231 a------- c:\windows\wininit.ini
2008-11-30 15:48 129,024 a------- c:\windows\system32\ffkggf.dll
2008-11-30 15:48 129,024 a------- c:\windows\system32\ybtpepoy.dll

==================== Find3M ====================

2008-12-14 17:50 85,215 a--sh--- c:\windows\system32\kevidobi.dll
2008-12-14 17:50 91,374 a--sh--- c:\windows\system32\yujetata.dll
2008-12-14 17:50 3,233 a--sh--- c:\windows\system32\mmf.sys
2008-12-12 10:26 91,431 a--sh--- c:\windows\system32\hedagako.dll
2008-12-12 10:26 84,761 a--sh--- c:\windows\system32\dodegomi.dll
2008-12-10 23:57 60,695 a------- c:\windows\system32\tomewope.dll
2008-12-10 23:57 91,248 a------- c:\windows\system32\papupona.dll
2008-12-10 22:52 61,526 a--sh--- c:\windows\system32\vozizowu.dll
2008-12-10 21:52 91,817 a--sh--- c:\windows\system32\sojojazu.dll
2008-12-10 21:52 62,677 a--sh--- c:\windows\system32\henemate.dll
2008-12-10 20:51 61,572 a--sh--- c:\windows\system32\talogevi.dll
2008-12-10 08:51 89,183 a--sh--- c:\windows\system32\vodewenu.dll
2008-12-09 13:05 64,566 a--sh--- c:\windows\system32\pipiwuhi.dll
2008-11-01 14:15 2,002 a------- c:\windows\Sysvxd.exe
2008-10-22 16:10 38,496 a------- c:\windows\system32\drivers\mbamswissarmy.sys
2008-10-22 16:10 15,504 a------- c:\windows\system32\drivers\mbam.sys
2008-01-23 13:54 27,208 ac------ c:\docume~1\natesm~1\applic~1\GDIPFONTCACHEV1.DAT
2008-09-10 23:58 60,695 a--sh--- c:\windows\system32\fuduhapo.dll
2008-09-10 23:58 60,695 a--sh--- c:\windows\system32\gagagude.dll
2008-09-10 23:58 60,695 a--sh--- c:\windows\system32\guserohu.dll
2008-09-10 20:51 12,288 a--sh--- c:\windows\system32\wifukolu.dll
2005-07-29 16:24 472 a--shr-- c:\windows\tmf0zsbtbwl0aa\nAIXtm1nvq5XuE.vbs

============= FINISH: 18:00:04.71 ===============


Sam,

Thanks for any and all help you give me I really appreciate it.

Nate
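The DDS log above is the most security-relevant artefact in this thread, because it shows where the infection has hooked itself rather than just which files a scanner flagged: `yujetata.dll` and `guserohu.dll` are loaded through AppInit_DLLs (so they are mapped into every process that loads user32.dll), `guserohu.dll` is also an LSA Notification Package (loaded into lsass.exe at boot), `yujetata.dll` is a SharedTaskScheduler object, `fuduhapo.dll` is a Browser Helper Object, and `gagagude.dll` is launched by Rundll32 from a Run key. The file listings add two more tells: the random eight-letter names carry system+hidden attributes, and several of them (`fuduhapo.dll`, `gagagude.dll`, `guserohu.dll`, `tomewope.dll`) are exactly 60,695 bytes, i.e. the same payload dropped under different names. The following script is an added example, not code from the thread or from the DDS tool: it parses a DDS-style report and scores each autostart module on those indicators. The sample text is a constructed subset of the log posted above; the name heuristic (6 to 8 lowercase letters), the list of "high value" locations and the two-indicator threshold are my own choices.

```python
import re
from collections import defaultdict

# Constructed sample: a subset of lines copied from the DDS log posted in this
# thread (the Pseudo HJT Report plus the Created Last 30 / Find3M listings).
DDS_SAMPLE = r"""
BHO: {29a5996a-db9d-482c-8d95-7d260e574814} - c:\windows\system32\fuduhapo.dll
BHO: {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - c:\program files\java\jre6\bin\ssv.dll
mRun: [IgfxTray] c:\windows\system32\igfxtray.exe
mRun: [yilowibazi] Rundll32.exe "c:\windows\system32\gagagude.dll",s
mRun: [CPM6f4ca149] Rundll32.exe "c:\windows\system32\yujetata.dll",a
AppInit_DLLs: qiuict.dll c:\windows\system32\nupanogo.dll c:\windows\system32\guserohu.dll c:\windows\system32\yujetata.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
STS: {EC43E3FD-5C60-46a6-97D7-E0B85DBDD6C4} - c:\windows\system32\yujetata.dll
LSA: Notification Packages = scecli c:\windows\system32\guserohu.dll
2008-12-14 17:50 91,374 a--sh--- c:\windows\system32\yujetata.dll
2008-12-10 23:57 60,695 a------- c:\windows\system32\tomewope.dll
2008-10-22 16:10 15,504 a------- c:\windows\system32\drivers\mbam.sys
2008-09-10 23:58 60,695 a--sh--- c:\windows\system32\fuduhapo.dll
2008-09-10 23:58 60,695 a--sh--- c:\windows\system32\gagagude.dll
2008-09-10 23:58 60,695 a--sh--- c:\windows\system32\guserohu.dll
"""

# DDS line prefixes that denote an autostart location, and what loads them.
AUTOSTART = {
    "AppInit_DLLs": "AppInit_DLLs (injected into every process that loads user32.dll)",
    "LSA": "LSA Notification Packages (loaded into lsass.exe at boot)",
    "Notify": "Winlogon Notify package",
    "STS": "SharedTaskScheduler (loaded by explorer.exe)",
    "SSODL": "ShellServiceObjectDelayLoad (loaded by explorer.exe)",
    "BHO": "Browser Helper Object (loaded into Internet Explorer)",
    "TB": "Internet Explorer toolbar",
    "mRun": "HKLM Run key",
    "uRun": "HKCU Run key",
}
# Locations that ordinary software almost never uses (my choice of threshold).
HIGH_VALUE = {"AppInit_DLLs", "LSA", "Notify", "STS", "SSODL"}

KEY_RE = re.compile(r"^([A-Za-z_]+):")
# A full drive path, or a bare module name, ending in .dll/.exe/.sys
PATH_RE = re.compile(r'[a-z]:\\[^"<>|,]+?\.(?:dll|exe|sys)\b|\b[a-z0-9_]+\.(?:dll|exe|sys)\b', re.I)
# e.g. "2008-12-14 17:50 91,374 a--sh--- c:\windows\system32\yujetata.dll"
FILE_RE = re.compile(r"^(\d{4}-\d{2}-\d{2} \d{2}:\d{2})\s+([\d,]+)\s+([a-z-]{8})\s+(\S.*)$")
# Names like the ones in this log: 6-8 lowercase letters and nothing else (heuristic)
RANDOM_NAME_RE = re.compile(r"^[a-z]{6,8}\.dll$")


def basename(path):
    return path.rsplit("\\", 1)[-1]


def parse_autostarts(text):
    """Return (location, path) pairs for every module named on an autostart line."""
    hits = []
    for line in text.splitlines():
        m = KEY_RE.match(line)
        if not m or m.group(1) not in AUTOSTART:
            continue
        for path in PATH_RE.findall(line):
            path = path.lower()
            if basename(path) == "rundll32.exe":  # the loader, not the payload
                continue
            hits.append((m.group(1), path))
    return hits


def parse_files(text):
    """Return {path: {"size": int, "attrs": str}} from the DDS file listings."""
    files = {}
    for line in text.splitlines():
        m = FILE_RE.match(line)
        if m:
            files[m.group(4).lower()] = {"size": int(m.group(2).replace(",", "")),
                                        "attrs": m.group(3)}
    return files


def triage(text):
    """Map each autostart module to the sorted list of reasons it looks suspicious."""
    files = parse_files(text)
    by_size = defaultdict(set)          # same byte size under several names = same payload
    for path, info in files.items():
        by_size[info["size"]].add(path)
    findings = defaultdict(set)
    for location, path in parse_autostarts(text):
        reasons = set()
        if location in HIGH_VALUE:
            reasons.add("loaded via " + AUTOSTART[location])
        if RANDOM_NAME_RE.match(basename(path)):
            reasons.add("random-looking lowercase name")
        info = files.get(path)
        if info:
            if "s" in info["attrs"] and "h" in info["attrs"]:
                reasons.add("file has system+hidden attributes")
            twins = sorted(basename(p) for p in by_size[info["size"]] if p != path)
            if twins:
                reasons.add("same size (%d bytes) as %s" % (info["size"], ", ".join(twins)))
        if reasons:
            findings[path].update(reasons)
    return {p: sorted(r) for p, r in findings.items()}


def suspects(text, min_reasons=2):
    """Paths with at least min_reasons independent indicators."""
    return sorted(p for p, r in triage(text).items() if len(r) >= min_reasons)


if __name__ == "__main__":
    for path, reasons in triage(DDS_SAMPLE).items():
        print(path)
        for r in reasons:
            print("   -", r)
```

On the sample this singles out `fuduhapo.dll`, `gagagude.dll`, `guserohu.dll`, `yujetata.dll`, `nupanogo.dll` and the bare `qiuict.dll`, while the legitimate `WPDShServiceObj.dll` (one indicator: it sits in SSODL) and Java's `ssv.dll` (no indicators) drop out. Two things worth noting for a practitioner: a single indicator is never enough, since Windows itself populates SSODL and LSA with real components, and the "same size" check is the one that catches copies the scanners have not named yet.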

#4 Buckeye_Sam

    Malware Expert

  • Members
  • 17,382 posts
  • Gender:Male
  • Location:Pickerington, Ohio

Posted 15 December 2008 - 10:27 AM

We've got some work to do.

Click Start -> Control Panel -> Add Remove Programs and uninstall these programs:

J2SE Runtime Environment 5.0 Update 1
J2SE Runtime Environment 5.0 Update 10
J2SE Runtime Environment 5.0 Update 11
J2SE Runtime Environment 5.0 Update 2
J2SE Runtime Environment 5.0 Update 4
J2SE Runtime Environment 5.0 Update 6
J2SE Runtime Environment 5.0 Update 9
Java™ 6 Update 2
Java™ 6 Update 3
Java™ 6 Update 5
Java™ 6 Update 7
Java™ SE Runtime Environment 6 Update 1
Viewpoint Manager (Remove Only)
Viewpoint Media Player




================


Please download the OTMoveIt3 by OldTimer.
  • Save it to your desktop.
  • Please click OTMoveIt3 and then click >> run.
  • Copy the lines in the codebox below to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose Copy):

    :files
    c:\windows\system32\ibodivek.ini
    c:\windows\system32\imogedod.ini
    c:\windows\system32\geBrPIAQ.dll
    c:\windows\system32\wpv721228549885.cpx
    c:\windows\system32\hrrixr.dll
    c:\windows\system32\gpmqte.dll
    c:\windows\system32\onglvyud.dll
    c:\windows\system32\ffkggf.dll
    c:\windows\system32\ybtpepoy.dll
    c:\windows\system32\kevidobi.dll
    c:\windows\system32\yujetata.dll
    c:\windows\system32\hedagako.dll
    c:\windows\system32\dodegomi.dll
    c:\windows\system32\tomewope.dll
    c:\windows\system32\papupona.dll
    c:\windows\system32\vozizowu.dll
    c:\windows\system32\sojojazu.dll
    c:\windows\system32\henemate.dll
    c:\windows\system32\talogevi.dll
    c:\windows\system32\vodewenu.dll
    c:\windows\system32\pipiwuhi.dll
    c:\windows\Sysvxd.exe
    c:\windows\system32\fuduhapo.dll
    c:\windows\system32\gagagude.dll
    c:\windows\system32\guserohu.dll
    c:\windows\system32\wifukolu.dll
    c:\windows\tmf0zsbtbwl0aa\nAIXtm1nvq5XuE.vbs
    
    :Commands
    [EmptyTemp]
    [Reboot]
  • Return to OTMoveIt3, right click in the "Paste Instructions for items to be Moved" window (under the yellow bar) and choose Paste.
  • Click the red Moveit! button.
  • Copy everything in the Results window (under the green bar) to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose copy), and paste it in your next reply.
  • Close OTMoveIt3
Note: If an item cannot be moved immediately you may be asked to reboot the machine to finish the move process. If you are asked to reboot the machine choose Yes. In this case, after the reboot, open Notepad (Start->All Programs->Accessories->Notepad), click File->Open, in the File Name box enter *.log and press the Enter key, navigate to the C:\_OTMoveIt\MovedFiles folder, and open the newest .log file present, and copy/paste the contents of that document back here in your next post.



==================



Download SDFix and save it to your Desktop.

Double click SDFix.exe and it will extract the files to %systemdrive%
(Drive that contains the Windows Directory, typically C:\SDFix)

Please then reboot your computer in Safe Mode by doing the following :
  • Restart your computer
  • After hearing your computer beep once during startup, but before the Windows icon appears, tap the F8 key continually;
  • Instead of Windows loading as normal, the Advanced Options Menu should appear;
  • Select the first option, to run Windows in Safe Mode, then press Enter.
  • Choose your usual account.
  • Open the extracted SDFix folder and double click RunThis.bat to start the script.
  • Type Y to begin the cleanup process.
  • It will remove any Trojan Services and Registry Entries that it finds then prompt you to press any key to Reboot.
  • Press any Key and it will restart the PC.
  • When the PC restarts the Fixtool will run again and complete the removal process then display Finished, press any key to end the script and load your desktop icons.
  • Once the desktop icons load the SDFix report will open on screen and also save into the SDFix folder as Report.txt
    (Report.txt will also be copied to Clipboard ready for posting back on the forum).
  • Finally paste the contents of the Report.txt back here in your next reply.


#5 natesteine21

  • Topic Starter
  • Members
  • 17 posts

Posted 15 December 2008 - 07:56 PM

OTMOVEIT LOG

========== FILES ==========
File/Folder c:\windows\system32\ibodivek.ini not found.
File/Folder c:\windows\system32\imogedod.ini not found.
DllUnregisterServer procedure not found in c:\windows\system32\geBrPIAQ.dll
c:\windows\system32\geBrPIAQ.dll NOT unregistered.
c:\windows\system32\geBrPIAQ.dll moved successfully.
c:\windows\system32\wpv721228549885.cpx moved successfully.
DllUnregisterServer procedure not found in c:\windows\system32\hrrixr.dll
c:\windows\system32\hrrixr.dll NOT unregistered.
c:\windows\system32\hrrixr.dll moved successfully.
DllUnregisterServer procedure not found in c:\windows\system32\gpmqte.dll
c:\windows\system32\gpmqte.dll NOT unregistered.
c:\windows\system32\gpmqte.dll moved successfully.
DllUnregisterServer procedure not found in c:\windows\system32\onglvyud.dll
c:\windows\system32\onglvyud.dll NOT unregistered.
c:\windows\system32\onglvyud.dll moved successfully.
DllUnregisterServer procedure not found in c:\windows\system32\ffkggf.dll
c:\windows\system32\ffkggf.dll NOT unregistered.
c:\windows\system32\ffkggf.dll moved successfully.
DllUnregisterServer procedure not found in c:\windows\system32\ybtpepoy.dll
c:\windows\system32\ybtpepoy.dll NOT unregistered.
c:\windows\system32\ybtpepoy.dll moved successfully.
DllUnregisterServer procedure not found in c:\windows\system32\kevidobi.dll
c:\windows\system32\kevidobi.dll NOT unregistered.
c:\windows\system32\kevidobi.dll moved successfully.
File/Folder c:\windows\system32\yujetata.dll not found.
DllUnregisterServer procedure not found in c:\windows\system32\hedagako.dll
c:\windows\system32\hedagako.dll NOT unregistered.
c:\windows\system32\hedagako.dll moved successfully.
File/Folder c:\windows\system32\dodegomi.dll not found.
DllUnregisterServer procedure not found in c:\windows\system32\tomewope.dll
c:\windows\system32\tomewope.dll NOT unregistered.
c:\windows\system32\tomewope.dll moved successfully.
DllUnregisterServer procedure not found in c:\windows\system32\papupona.dll
c:\windows\system32\papupona.dll NOT unregistered.
c:\windows\system32\papupona.dll moved successfully.
DllUnregisterServer procedure not found in c:\windows\system32\vozizowu.dll
c:\windows\system32\vozizowu.dll NOT unregistered.
c:\windows\system32\vozizowu.dll moved successfully.
DllUnregisterServer procedure not found in c:\windows\system32\sojojazu.dll
c:\windows\system32\sojojazu.dll NOT unregistered.
c:\windows\system32\sojojazu.dll moved successfully.
DllUnregisterServer procedure not found in c:\windows\system32\henemate.dll
c:\windows\system32\henemate.dll NOT unregistered.
c:\windows\system32\henemate.dll moved successfully.
DllUnregisterServer procedure not found in c:\windows\system32\talogevi.dll
c:\windows\system32\talogevi.dll NOT unregistered.
c:\windows\system32\talogevi.dll moved successfully.
DllUnregisterServer procedure not found in c:\windows\system32\vodewenu.dll
c:\windows\system32\vodewenu.dll NOT unregistered.
c:\windows\system32\vodewenu.dll moved successfully.
DllUnregisterServer procedure not found in c:\windows\system32\pipiwuhi.dll
c:\windows\system32\pipiwuhi.dll NOT unregistered.
c:\windows\system32\pipiwuhi.dll moved successfully.
c:\windows\Sysvxd.exe moved successfully.
File/Folder c:\windows\system32\fuduhapo.dll not found.
File/Folder c:\windows\system32\gagagude.dll not found.
File/Folder c:\windows\system32\guserohu.dll not found.
LoadLibrary failed for c:\windows\system32\wifukolu.dll
c:\windows\system32\wifukolu.dll NOT unregistered.
c:\windows\system32\wifukolu.dll moved successfully.
c:\windows\tmf0zsbtbwl0aa\nAIXtm1nvq5XuE.vbs moved successfully.
========== COMMANDS ==========
File delete failed. C:\DOCUME~1\NATESM~1\LOCALS~1\Temp\Temporary Internet Files\Content.IE5\index.dat scheduled to be deleted on reboot.
File delete failed. C:\DOCUME~1\NATESM~1\LOCALS~1\Temp\History\History.IE5\index.dat scheduled to be deleted on reboot.
File delete failed. C:\DOCUME~1\NATESM~1\LOCALS~1\Temp\Cookies\index.dat scheduled to be deleted on reboot.
File delete failed. C:\DOCUME~1\NATESM~1\LOCALS~1\Temp\etilqs_82n975XBAJJ9lFt4s2cP scheduled to be deleted on reboot.
User's Temp folder emptied.
User's Temporary Internet Files folder emptied.
User's Internet Explorer cache folder emptied.
Local Service Temp folder emptied.
File delete failed. C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\index.dat scheduled to be deleted on reboot.
Local Service Temporary Internet Files folder emptied.
File delete failed. C:\WINDOWS\temp\Temporary Internet Files\Content.IE5\index.dat scheduled to be deleted on reboot.
File delete failed. C:\WINDOWS\temp\History\History.IE5\index.dat scheduled to be deleted on reboot.
File delete failed. C:\WINDOWS\temp\Cookies\index.dat scheduled to be deleted on reboot.
File delete failed. C:\WINDOWS\temp\Perflib_Perfdata_5e4.dat scheduled to be deleted on reboot.
Windows Temp folder emptied.
Java cache emptied.
File delete failed. C:\Documents and Settings\Nate Smith\Local Settings\Application Data\Mozilla\Firefox\Profiles\ejsnjfxg.default\Cache\_CACHE_001_ scheduled to be deleted on reboot.
File delete failed. C:\Documents and Settings\Nate Smith\Local Settings\Application Data\Mozilla\Firefox\Profiles\ejsnjfxg.default\Cache\_CACHE_002_ scheduled to be deleted on reboot.
File delete failed. C:\Documents and Settings\Nate Smith\Local Settings\Application Data\Mozilla\Firefox\Profiles\ejsnjfxg.default\Cache\_CACHE_003_ scheduled to be deleted on reboot.
File delete failed. C:\Documents and Settings\Nate Smith\Local Settings\Application Data\Mozilla\Firefox\Profiles\ejsnjfxg.default\Cache\_CACHE_MAP_ scheduled to be deleted on reboot.
File delete failed. C:\Documents and Settings\Nate Smith\Local Settings\Application Data\Mozilla\Firefox\Profiles\ejsnjfxg.default\urlclassifier3.sqlite scheduled to be deleted on reboot.
File delete failed. C:\Documents and Settings\Nate Smith\Local Settings\Application Data\Mozilla\Firefox\Profiles\ejsnjfxg.default\XUL.mfl scheduled to be deleted on reboot.
FireFox cache emptied.
Temp folders emptied.

OTMoveIt3 by OldTimer - Version 1.0.7.2 log created on 12152008_180109


SDFix Log

SDFix: Version 1.240
Run by Nate Smith on Mon 12/15/2008 at 06:33 PM

Microsoft Windows XP [Version 5.1.2600]
Running From: C:\SDFix

Checking Services :


Restoring Default Security Values
Restoring Default Hosts File

Rebooting


Checking Files :

No Trojan Files Found

C:\Documents and Settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr0.dat - Contains Links to Malware Sites! - Deleted
C:\Documents and Settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr1.dat - Contains Links to Malware Sites! - Deleted





Removing Temp Files

ADS Check :



Final Check :

catchme 0.3.1361.2 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-12-15 18:46:07
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden services & system hive ...

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\d346prt\Cfg\0Jf40]
"khjeh"=hex:20,02,00,00,25,ee,51,37,a3,b3,62,33,1d,59,6c,ed,4f,f6,25,ee,f5,..
"hj34z0"=hex:eb,9c,83,bc,a2,05,7a,99,58,aa,32,9a,61,c6,4f,a7,37,50,7c,1a,e5,..

scanning hidden registry entries ...

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{56CA5D3B-3002-4E7B-90FE-071D8FDF3814}]
"DisplayName"="DAEMON Tools"

scanning hidden files ...

scan completed successfully
hidden processes: 0
hidden services: 0
hidden files: 0


Remaining Services :




Authorized Application Key Export:

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\standardprofile\authorizedapplications\list]
"C:\\Program Files\\MSN Messenger\\msnmsgr.exe"="C:\\Program Files\\MSN Messenger\\msnmsgr.exe:*:Enabled:Windows Live Messenger 8.0"
"C:\\Program Files\\MSN Messenger\\msncall.exe"="C:\\Program Files\\MSN Messenger\\msncall.exe:*:Enabled:Windows Live Messenger 8.0 (Phone)"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\domainprofile\authorizedapplications\list]
"C:\\Program Files\\MSN Messenger\\msnmsgr.exe"="C:\\Program Files\\MSN Messenger\\msnmsgr.exe:*:Enabled:Windows Live Messenger 8.0"
"C:\\Program Files\\MSN Messenger\\msncall.exe"="C:\\Program Files\\MSN Messenger\\msncall.exe:*:Enabled:Windows Live Messenger 8.0 (Phone)"

Remaining Files :



Files with Hidden Attributes :

Wed 22 Oct 2008 949,072 A.SHR --- "C:\Program Files\Spybot - Search & Destroy\advcheck.dll"
Mon 7 Jul 2008 1,429,840 A.SHR --- "C:\Program Files\Spybot - Search & Destroy\SDUpdate.exe"
Mon 7 Jul 2008 4,891,472 A.SHR --- "C:\Program Files\Spybot - Search & Destroy\SpybotSD.exe"
Tue 16 Sep 2008 1,833,296 A.SHR --- "C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe"
Wed 22 Oct 2008 962,896 A.SHR --- "C:\Program Files\Spybot - Search & Destroy\Tools.dll"
Wed 10 Sep 2008 61,572 A.SH. --- "C:\WINDOWS\system32\bodabogo.dll.tmp"
Mon 15 Dec 2008 67,750 A.SH. --- "C:\WINDOWS\system32\ditetiro.dll"
Tue 9 Sep 2008 64,517 A.SH. --- "C:\WINDOWS\system32\diwevari.dll.tmp"
Tue 9 Sep 2008 64,566 A.SH. --- "C:\WINDOWS\system32\fupipivo.dll.tmp"
Wed 10 Sep 2008 60,695 A.SH. --- "C:\WINDOWS\system32\guserohu.dll.tmp"
Mon 15 Sep 2008 67,750 A.SH. --- "C:\WINDOWS\system32\hupabubi.dll"
Tue 9 Sep 2008 64,517 A.SH. --- "C:\WINDOWS\system32\kopupavo.dll.tmp"
Tue 9 Sep 2008 64,517 A.SH. --- "C:\WINDOWS\system32\lavufanu.dll.tmp"
Tue 9 Sep 2008 64,566 A.SH. --- "C:\WINDOWS\system32\lumogowe.dll.tmp"
Mon 15 Dec 2008 88,273 A.SH. --- "C:\WINDOWS\system32\mawivawo.dll"
Mon 15 Dec 2008 3,233 A.SH. --- "C:\WINDOWS\system32\mmf.sys"
Wed 10 Sep 2008 61,572 A.SH. --- "C:\WINDOWS\system32\mulifadu.dll.tmp"
Sun 16 Jan 2005 1,024 A..HR --- "C:\WINDOWS\system32\NTICDMK32.dll"
Sun 16 Jan 2005 1,024 A..HR --- "C:\WINDOWS\system32\NTIDBD32.dll"
Sun 16 Jan 2005 1,024 A..HR --- "C:\WINDOWS\system32\ntiembed.dll"
Sun 16 Jan 2005 1,024 A..HR --- "C:\WINDOWS\system32\NTIMPEG2.dll"
Mon 15 Sep 2008 67,750 A.SH. --- "C:\WINDOWS\system32\pisesiro.dll"
Wed 10 Sep 2008 61,572 A.SH. --- "C:\WINDOWS\system32\ridivewu.dll.tmp"
Mon 15 Dec 2008 96,991 A.SH. --- "C:\WINDOWS\system32\sojefiwi.dll"
Mon 15 Sep 2008 67,750 A.SH. --- "C:\WINDOWS\system32\zamateho.dll"
Mon 26 Sep 2005 4,348 ..SH. --- "C:\Documents and Settings\All Users\DRM\DRMv1.bak"
Wed 7 Jun 2000 45,056 A..H. --- "C:\Program Files\Microsoft Hardware\Game Voice\WebUpdate.exe"
Sun 7 Jan 2007 0 A.SH. --- "C:\Documents and Settings\All Users\DRM\Cache\Indiv01.tmp"
Fri 12 Dec 2008 91,431 A.SH. --- "C:\_OTMoveIt\MovedFiles\12152008_180109\windows\system32\hedagako.dll"
Wed 10 Dec 2008 62,677 A.SH. --- "C:\_OTMoveIt\MovedFiles\12152008_180109\windows\system32\henemate.dll"
Tue 9 Dec 2008 64,566 A.SH. --- "C:\_OTMoveIt\MovedFiles\12152008_180109\windows\system32\pipiwuhi.dll"
Wed 10 Dec 2008 91,817 A.SH. --- "C:\_OTMoveIt\MovedFiles\12152008_180109\windows\system32\sojojazu.dll"
Wed 10 Dec 2008 61,572 A.SH. --- "C:\_OTMoveIt\MovedFiles\12152008_180109\windows\system32\talogevi.dll"
Wed 10 Dec 2008 89,183 A.SH. --- "C:\_OTMoveIt\MovedFiles\12152008_180109\windows\system32\vodewenu.dll"
Wed 10 Dec 2008 61,526 A.SH. --- "C:\_OTMoveIt\MovedFiles\12152008_180109\windows\system32\vozizowu.dll"
Wed 10 Sep 2008 12,288 A.SH. --- "C:\_OTMoveIt\MovedFiles\12152008_180109\windows\system32\wifukolu.dll"

Finished!

Thanks again for your help.
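
As an added example, not part of this thread or of OldTimer's tools: a small Python triage script that parses the hidden-file listing format posted above and surfaces what the helper's removal list targets, namely hidden+system DLLs under system32 with eight-letter random names, then groups those hits by byte size. The attribute-column positions are inferred from the sample lines (an assumption), and the sample input is copied from the listing in this thread.

```python
import re
from collections import defaultdict
from dataclasses import dataclass

# Sample input: lines copied from the hidden-file listing posted in this thread.
# Format: weekday, day, month, year, size, five attribute flags, "---", quoted path.
LISTING = r'''
Mon 7 Jul 2008 4,891,472 A.SHR --- "C:\Program Files\Spybot - Search & Destroy\SpybotSD.exe"
Wed 10 Sep 2008 61,572 A.SH. --- "C:\WINDOWS\system32\bodabogo.dll.tmp"
Mon 15 Dec 2008 67,750 A.SH. --- "C:\WINDOWS\system32\ditetiro.dll"
Tue 9 Sep 2008 64,517 A.SH. --- "C:\WINDOWS\system32\diwevari.dll.tmp"
Mon 15 Sep 2008 67,750 A.SH. --- "C:\WINDOWS\system32\hupabubi.dll"
Tue 9 Sep 2008 64,517 A.SH. --- "C:\WINDOWS\system32\kopupavo.dll.tmp"
Mon 15 Dec 2008 88,273 A.SH. --- "C:\WINDOWS\system32\mawivawo.dll"
Mon 15 Dec 2008 3,233 A.SH. --- "C:\WINDOWS\system32\mmf.sys"
Sun 16 Jan 2005 1,024 A..HR --- "C:\WINDOWS\system32\NTICDMK32.dll"
Mon 15 Sep 2008 67,750 A.SH. --- "C:\WINDOWS\system32\pisesiro.dll"
Mon 15 Dec 2008 96,991 A.SH. --- "C:\WINDOWS\system32\sojefiwi.dll"
Mon 15 Sep 2008 67,750 A.SH. --- "C:\WINDOWS\system32\zamateho.dll"
Mon 26 Sep 2005 4,348 ..SH. --- "C:\Documents and Settings\All Users\DRM\DRMv1.bak"
Wed 7 Jun 2000 45,056 A..H. --- "C:\Program Files\Microsoft Hardware\Game Voice\WebUpdate.exe"
'''

LINE_RE = re.compile(
    r'^(?P<date>[A-Za-z]{3} \d{1,2} [A-Za-z]{3} \d{4}) '
    r'(?P<size>[\d,]+) (?P<attr>[A-Z.]{5}) --- "(?P<path>[^"]+)"$'
)
# Attribute column as inferred from the sample (assumption): position 0 = A(rchive),
# position 2 = S(ystem), position 3 = H(idden), position 4 = R(ead-only).
# Position 1 is always '.' in the sample, so no meaning is assumed for it.
SYSTEM32 = "c:\\windows\\system32\\"
# Eight lowercase letters, .dll, optional .tmp: the naming the removal list above targets.
RANDOM_DLL = re.compile(r"^[a-z]{8}\.dll(\.tmp)?$")


@dataclass(frozen=True)
class Entry:
    date: str
    size: int
    attrs: str
    path: str

    @property
    def name(self) -> str:
        return self.path.rsplit("\\", 1)[-1]

    @property
    def hidden_system(self) -> bool:
        return self.attrs[2] == "S" and self.attrs[3] == "H"

    @property
    def in_system32(self) -> bool:
        return self.path.lower().startswith(SYSTEM32)


@dataclass(frozen=True)
class Finding:
    entry: Entry
    severity: str  # "high" or "medium"
    reason: str


def parse_listing(text: str) -> list[Entry]:
    """Parse listing lines; lines that do not match the format are skipped."""
    entries = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            entries.append(Entry(m["date"], int(m["size"].replace(",", "")),
                                 m["attr"], m["path"]))
    return entries


def triage(entries: list[Entry]) -> list[Finding]:
    """Flag hidden+system files under system32; random-named DLLs rank highest."""
    findings = []
    for e in entries:
        if not (e.in_system32 and e.hidden_system):
            continue  # hidden files elsewhere (Spybot, DRM cache) are not this pattern
        if RANDOM_DLL.match(e.name):
            findings.append(Finding(e, "high",
                "hidden+system DLL in system32 with an 8-letter random name"))
        else:
            findings.append(Finding(e, "medium",
                "hidden+system file in system32; review by hand"))
    return findings


def size_clusters(findings: list[Finding]) -> dict[int, list[str]]:
    """Group high findings by byte size: several differently named DLLs of identical
    size point to one component dropped repeatedly under fresh random names."""
    by_size: dict[int, set[str]] = defaultdict(set)
    for f in findings:
        if f.severity == "high":
            by_size[f.entry.size].add(f.entry.name)
    return {s: sorted(n) for s, n in by_size.items() if len(n) > 1}


def main() -> None:
    findings = triage(parse_listing(LISTING))
    for f in sorted(findings, key=lambda f: (f.severity, f.entry.name)):
        print(f"[{f.severity:6}] {f.entry.size:>7} {f.entry.path}  ({f.reason})")
    for size, names in sorted(size_clusters(findings).items()):
        print(f"size {size}: {len(names)} names share it -> {', '.join(names)}")


if __name__ == "__main__":
    main()
```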

#6 Buckeye_Sam


    Malware Expert


  • Members
  • 17,382 posts
  • Gender:Male
  • Location:Pickerington, Ohio

Posted 16 December 2008 - 10:15 AM

Please copy the text below into OTMoveit3 and click MoveIt just like you did before.

:files
C:\WINDOWS\system32\bodabogo.dll.tmp
C:\WINDOWS\system32\ditetiro.dll
C:\WINDOWS\system32\diwevari.dll.tmp
C:\WINDOWS\system32\fupipivo.dll.tmp
C:\WINDOWS\system32\guserohu.dll.tmp
C:\WINDOWS\system32\hupabubi.dll
C:\WINDOWS\system32\kopupavo.dll.tmp
C:\WINDOWS\system32\lavufanu.dll.tmp
C:\WINDOWS\system32\lumogowe.dll.tmp
C:\WINDOWS\system32\mawivawo.dll
C:\WINDOWS\system32\mulifadu.dll.tmp
C:\WINDOWS\system32\pisesiro.dll
C:\WINDOWS\system32\ridivewu.dll.tmp
C:\WINDOWS\system32\sojefiwi.dll
C:\WINDOWS\system32\zamateho.dll



==================


Next I need you to update Malwarebytes and then run a new scan.
  • Open Malwarebytes and select the Update tab.
  • Click on the Check for Updates button and allow the program to download the latest updates.
  • Once you have the latest updates, select the Scanner tab.
  • Select "Perform quick scan" and click the Scan button.
  • If asked to select the drives to scan, leave all the drives selected and click on the Start Scan button.
  • The scan will begin and "Scan in progress" will show at the top. It may take some time to complete so please be patient.
  • When the scan is finished, a message box will say "The scan completed successfully. Click 'Show Results' to display all objects found".
  • Click OK to close the message box and continue with the removal process.
  • Back at the main Scanner screen, click on the Show Results button to see a list of any malware that was found.
  • Make sure that everything is checked, and click Remove Selected.
  • When removal is completed, a log report will open in Notepad and you may be prompted to restart your computer. (see Note below)
  • The log is automatically saved and can be viewed by clicking the Logs tab in MBAM.
  • Copy and paste the contents of that report in your next reply and exit MBAM.
Note: If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts. Click OK to either and let MBAM proceed with the disinfection process. If asked to restart the computer, please do so immediately. Failure to reboot will prevent MBAM from removing all the malware.


================


Now we need to see a new more detailed log.
  • Please download OTViewIt by OldTimer to your desktop.
  • Double click on the OTViewIt.exe icon on your desktop.
  • Check the Scan All Users checkbox and leave Use Whitelist checked. Set the File Age to 30 days.
  • Click on the Run Scan button. Two reports that are located in the same location as OTViewIt will open.
    OTViewIt.txt <-- Will be opened
    Extra.txt <-- Will be minimized
Copy and Paste the logs into your next reply.
If I have helped you in any way, please consider a donation to help me continue the fight against malware.


Failing to respond back to the person that is giving up their own time to help you not only is insensitive and disrespectful, but it guarantees that you will never receive help from me again. Please thank your helpers and there will always be help here when you need it!


========================================================

#7 natesteine21

  • Topic Starter

  • Members
  • 17 posts

Posted 16 December 2008 - 08:34 PM

OTMoveIt Log

========== FILES ==========
C:\WINDOWS\system32\bodabogo.dll.tmp moved successfully.
DllUnregisterServer procedure not found in C:\WINDOWS\system32\ditetiro.dll
C:\WINDOWS\system32\ditetiro.dll NOT unregistered.
C:\WINDOWS\system32\ditetiro.dll moved successfully.
C:\WINDOWS\system32\diwevari.dll.tmp moved successfully.
C:\WINDOWS\system32\fupipivo.dll.tmp moved successfully.
C:\WINDOWS\system32\guserohu.dll.tmp moved successfully.
File/Folder C:\WINDOWS\system32\hupabubi.dll not found.
C:\WINDOWS\system32\kopupavo.dll.tmp moved successfully.
C:\WINDOWS\system32\lavufanu.dll.tmp moved successfully.
C:\WINDOWS\system32\lumogowe.dll.tmp moved successfully.
DllUnregisterServer procedure not found in C:\WINDOWS\system32\mawivawo.dll
C:\WINDOWS\system32\mawivawo.dll NOT unregistered.
C:\WINDOWS\system32\mawivawo.dll moved successfully.
C:\WINDOWS\system32\mulifadu.dll.tmp moved successfully.
File/Folder C:\WINDOWS\system32\pisesiro.dll not found.
C:\WINDOWS\system32\ridivewu.dll.tmp moved successfully.
DllUnregisterServer procedure not found in C:\WINDOWS\system32\sojefiwi.dll
C:\WINDOWS\system32\sojefiwi.dll NOT unregistered.
C:\WINDOWS\system32\sojefiwi.dll moved successfully.
File/Folder C:\WINDOWS\system32\zamateho.dll not found.

OTMoveIt3 by OldTimer - Version 1.0.7.2 log created on 12162008_190552

Malwarebytes Log (I updated MWB to 12/3/2008 and it wouldn't "finish" the update as it said I needed to be connected to the internet. Of course I am connected but it wouldn't work.)

Malwarebytes' Anti-Malware 1.31
Database version: 1456
Windows 5.1.2600 Service Pack 2

12/16/2008 7:21:43 PM
mbam-log-2008-12-16 (19-21-43).txt

Scan type: Quick Scan
Objects scanned: 52881
Time elapsed: 5 minute(s), 48 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 3
Registry Keys Infected: 5
Registry Values Infected: 4
Registry Data Items Infected: 3
Folders Infected: 0
Files Infected: 8

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
C:\WINDOWS\system32\fihasine.dll (Trojan.Vundo.H) -> Delete on reboot.
C:\WINDOWS\system32\yoguyutu.dll (Trojan.Vundo.H) -> Delete on reboot.
C:\WINDOWS\system32\lojaloke.dll (Trojan.Vundo.H) -> Delete on reboot.

Registry Keys Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{29a5996a-db9d-482c-8d95-7d260e574814} (Trojan.Vundo.H) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{29a5996a-db9d-482c-8d95-7d260e574814} (Trojan.Vundo.H) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{29a5996a-db9d-482c-8d95-7d260e574814} (Trojan.Vundo.H) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{ec43e3fd-5c60-46a6-97d7-e0b85dbdd6c4} (Trojan.BHO) -> Delete on reboot.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\rdfa (Trojan.Vundo) -> Quarantined and deleted successfully.

Registry Values Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\cpm6f4ca149 (Trojan.Vundo.H) -> Delete on reboot.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\yilowibazi (Trojan.Vundo.H) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SharedTaskScheduler\{ec43e3fd-5c60-46a6-97d7-e0b85dbdd6c4} (Trojan.BHO) -> Delete on reboot.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\ssodl (Trojan.BHO) -> Delete on reboot.

Registry Data Items Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\AppInit_DLLs (Trojan.Vundo.H) -> Data: c:\windows\system32\fihasine.dll -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\LSA\Notification Packages (Trojan.Vundo.H) -> Data: c:\windows\system32\fihasine.dll -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\AppInit_DLLs (Trojan.Vundo.H) -> Data: system32\fihasine.dll -> Quarantined and deleted successfully.

Folders Infected:
(No malicious items detected)

Files Infected:
C:\WINDOWS\system32\vosulome.dll (Trojan.Vundo.H) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\emolusov.ini (Trojan.Vundo.H) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\yoguyutu.dll (Trojan.Vundo.H) -> Delete on reboot.
C:\WINDOWS\system32\fihasine.dll (Trojan.Vundo.H) -> Delete on reboot.
C:\WINDOWS\system32\lojaloke.dll (Trojan.Vundo.H) -> Delete on reboot.
C:\WINDOWS\system32\vubuvuha.dll (Trojan.Vundo.H) -> Quarantined and deleted successfully.
C:\Documents and Settings\Nate Smith\Local Settings\Temporary Internet Files\Content.IE5\9J5LS2RS\156[1].net (Trojan.Downloader) -> Quarantined and deleted successfully.
C:\Documents and Settings\Nate Smith\Local Settings\Temporary Internet Files\Content.IE5\Y5UPEL4T\152[1].net (Trojan.Agent) -> Quarantined and deleted successfully.

OTviewit.txt

OTViewIt logfile created on: 12/16/2008 7:29:50 PM - Run
OTViewIt by OldTimer - Version 1.0.20.1 Folder = C:\Documents and Settings\Nate Smith\Desktop
Windows XP Professional Edition Service Pack 2 (Version = 5.1.2600) - Type = NTWorkstation
Internet Explorer (Version = 6.0.2900.2180)
Locale: 00000409 | Country: United States | Language: ENU | Date Format: M/d/yyyy

503.48 Mb Total Physical Memory | 219.72 Mb Available Physical Memory | 43.64% Memory free
1.20 Gb Paging File | 0.93 Gb Available in Paging File | 77.63% Paging File free
Paging file location(s): C:\pagefile.sys 756 1512;

%SystemDrive% = C: | %SystemRoot% = C:\WINDOWS | %ProgramFiles% = C:\Program Files
Drive C: | 9.53 Gb Total Space | 2.02 Gb Free Space | 21.19% Space Free | Partition Type: NTFS
Drive D: | 31.48 Gb Total Space | 6.17 Gb Free Space | 19.59% Space Free | Partition Type: NTFS
E: Drive not present or media not loaded
F: Drive not present or media not loaded
G: Drive not present or media not loaded
H: Drive not present or media not loaded
I: Drive not present or media not loaded

Computer Name: STEINER
Current User Name: Nate Smith
Logged in as Administrator.

Current Boot Mode: Normal
Scan Mode: Current user
Whitelist: On
File Age = 30 Days

========== Processes ==========

[2008/07/10 08:47:18 | 00,116,040 | ---- | M] (Apple Inc.) -- C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
[2008/08/29 09:18:44 | 00,238,888 | ---- | M] (Apple Inc.) -- C:\Program Files\Bonjour\mDNSResponder.exe
[2008/11/10 05:43:40 | 00,152,984 | ---- | M] (Sun Microsystems, Inc.) -- C:\Program Files\Java\jre6\bin\jqs.exe
[2005/01/14 23:40:35 | 00,002,560 | ---- | M] () -- C:\WINDOWS\Runservice.exe
[2007/01/07 17:08:34 | 00,079,324 | ---- | M] (PostgreSQL Global Development Group) -- C:\Program Files\PostgreSQL\8.2\bin\pg_ctl.exe
[2007/01/07 17:08:02 | 03,585,754 | ---- | M] (PostgreSQL Global Development Group) -- C:\Program Files\PostgreSQL\8.2\bin\postgres.exe
[2007/01/07 17:08:02 | 03,585,754 | ---- | M] (PostgreSQL Global Development Group) -- C:\Program Files\PostgreSQL\8.2\bin\postgres.exe
[2007/01/07 17:08:02 | 03,585,754 | ---- | M] (PostgreSQL Global Development Group) -- C:\Program Files\PostgreSQL\8.2\bin\postgres.exe
[2007/01/07 17:08:02 | 03,585,754 | ---- | M] (PostgreSQL Global Development Group) -- C:\Program Files\PostgreSQL\8.2\bin\postgres.exe
[2006/04/10 12:00:28 | 00,186,672 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\system32\WgaTray.exe
[2003/10/02 00:37:36 | 00,155,648 | R--- | M] (Intel Corporation) -- C:\WINDOWS\system32\igfxtray.exe
[2003/10/02 00:19:44 | 00,118,784 | R--- | M] (Intel Corporation) -- C:\WINDOWS\system32\hkcmd.exe
[2003/08/15 01:34:50 | 00,057,344 | R--- | M] (Realtek Semiconductor Corp.) -- C:\WINDOWS\SOUNDMAN.EXE
[2004/03/12 22:43:18 | 00,081,920 | ---- | M] (DAEMON'S HOME) -- C:\Program Files\D-Tools\daemon.exe
[2005/06/21 10:05:54 | 01,851,392 | R--- | M] (Qwest) -- C:\Program Files\Support.com\bin\tgcmd.exe
[2005/06/06 23:46:24 | 00,057,344 | ---- | M] (Adobe Systems Incorporated) -- C:\Program Files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe
[2008/07/10 09:51:32 | 00,289,064 | ---- | M] (Apple Inc.) -- C:\Program Files\iTunes\iTunesHelper.exe
[2008/11/10 05:43:42 | 00,136,600 | ---- | M] (Sun Microsystems, Inc.) -- C:\Program Files\Java\jre6\bin\jusched.exe
[2008/09/16 12:16:08 | 01,833,296 | RHS- | M] (Safer Networking Limited) -- C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
[2005/09/23 21:05:26 | 00,029,696 | ---- | M] (Adobe Systems Incorporated) -- C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
[2008/07/10 09:51:22 | 00,532,264 | ---- | M] (Apple Inc.) -- C:\Program Files\iPod\bin\iPodService.exe
[2008/11/14 12:22:42 | 00,307,712 | ---- | M] (Mozilla Corporation) -- C:\Program Files\Mozilla Firefox\firefox.exe
[2008/12/16 19:28:58 | 00,423,424 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\Nate Smith\Desktop\OTViewIt.exe

========== (O23) Win32 Services ==========

[2008/07/10 08:47:18 | 00,116,040 | ---- | M] (Apple Inc.) -- C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe -- (Apple Mobile Device [Auto | Running])
[2005/09/23 07:28:32 | 00,029,896 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\aspnet_state.exe -- (aspnet_state [On_Demand | Stopped])
[2008/08/29 09:18:44 | 00,238,888 | ---- | M] (Apple Inc.) -- C:\Program Files\Bonjour\mDNSResponder.exe -- (Bonjour Service [Auto | Running])
[2005/09/23 07:28:56 | 00,066,240 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe -- (clr_optimization_v2.0.50727_32 [On_Demand | Stopped])
[2005/04/03 23:41:10 | 00,069,632 | ---- | M] (Macrovision Corporation) -- C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe -- (IDriverT [On_Demand | Stopped])
[2008/07/10 09:51:22 | 00,532,264 | ---- | M] (Apple Inc.) -- C:\Program Files\iPod\bin\iPodService.exe -- (iPod Service [On_Demand | Running])
[2008/11/10 05:43:40 | 00,152,984 | ---- | M] (Sun Microsystems, Inc.) -- C:\Program Files\Java\jre6\bin\jqs.exe -- (JavaQuickStarterService [Auto | Running])
[2005/01/14 23:40:35 | 00,002,560 | ---- | M] () -- C:\WINDOWS\Runservice.exe -- (LicCtrlService [Auto | Running])
[2007/01/07 17:08:34 | 00,079,324 | ---- | M] (PostgreSQL Global Development Group) -- C:\Program Files\PostgreSQL\8.2\bin\pg_ctl.exe -- (pgsql-8.2 [Auto | Running])

========== Driver Services ==========

[2003/08/14 09:16:38 | 00,404,736 | R--- | M] (Sensaura Ltd) -- C:\WINDOWS\system32\drivers\ALCXSENS.SYS -- (ALCXSENS [On_Demand | Running])
[2003/08/21 02:31:52 | 00,462,940 | R--- | M] (Realtek Semiconductor Corp.) -- C:\WINDOWS\system32\drivers\ALCXWDM.SYS -- (ALCXWDM [On_Demand | Running])
[2004/08/03 23:59:42 | 00,095,360 | ---- | M] () -- C:\WINDOWS\system32\drivers\atapi.sys -- (atapi [Boot | Running])
[2004/08/03 23:29:26 | 00,701,440 | ---- | M] (ATI Technologies Inc.) -- C:\WINDOWS\system32\drivers\ati2mtag.sys -- (ati2mtag [On_Demand | Running])
[2004/03/08 12:55:50 | 00,013,567 | ---- | M] (B.H.A Corporation) -- C:\WINDOWS\System32\drivers\CDRBSDRV.SYS -- (cdrbsdrv [System | Running])
[2004/03/12 22:41:28 | 00,156,800 | ---- | M] ( ) -- C:\WINDOWS\system32\drivers\d346bus.sys -- (d346bus [Boot | Running])
[2004/03/12 22:41:42 | 00,005,248 | ---- | M] ( ) -- C:\WINDOWS\system32\drivers\d346prt.sys -- (d346prt [Boot | Running])
[2008/01/29 11:01:28 | 00,016,168 | ---- | M] (GEAR Software Inc.) -- C:\WINDOWS\system32\drivers\GEARAspiWDM.sys -- (GEARAspiWDM [On_Demand | Running])
[2003/10/07 21:11:20 | 00,093,979 | R--- | M] (Intel Corporation) -- C:\WINDOWS\system32\drivers\ialmnt5.sys -- (ialm [On_Demand | Running])
[2005/01/16 12:19:38 | 00,006,912 | ---- | M] (NewTech Infosystems, Inc.) -- C:\WINDOWS\system32\drivers\NTIDrvr.sys -- (NTIDrvr [On_Demand | Running])
[2001/08/23 06:00:00 | 00,017,792 | ---- | M] (Parallel Technologies, Inc.) -- C:\WINDOWS\system32\drivers\ptilink.sys -- (Ptilink [On_Demand | Running])
[2004/08/03 23:31:32 | 00,020,992 | ---- | M] (Realtek Semiconductor Corporation) -- C:\WINDOWS\system32\drivers\rtl8139.sys -- (rtl8139 [On_Demand | Running])
[2001/08/23 06:00:00 | 00,027,440 | ---- | M] () -- C:\WINDOWS\system32\drivers\secdrv.sys -- (Secdrv [On_Demand | Stopped])
[2001/08/17 12:56:16 | 00,007,552 | ---- | M] (Sony Corporation) -- C:\WINDOWS\system32\drivers\SONYPVU1.SYS -- (SONYPVU1 [On_Demand | Stopped])
[2008/07/10 08:35:22 | 00,032,000 | ---- | M] (Apple, Inc.) -- C:\WINDOWS\system32\drivers\usbaapl.sys -- (USBAAPL [On_Demand | Stopped])
[2004/08/03 23:08:42 | 00,025,600 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\system32\drivers\usbser.sys -- (usbser [On_Demand | Stopped])
[2003/10/07 21:12:24 | 00,120,830 | R--- | M] (Intel Corporation) -- C:\WINDOWS\system32\drivers\ialmsbw.sys -- ({6080A529-897E-4629-A488-ABA0C29B635E} [On_Demand | Running])
[2003/10/07 21:12:16 | 00,098,842 | R--- | M] (Intel Corporation) -- C:\WINDOWS\system32\drivers\ialmkchw.sys -- ({D31A0762-0CEB-444e-ACFF-B049A1F6FE91} [On_Demand | Running])

========== (R ) Internet Explorer ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Main]
"Default_Page_URL"=http://www.microsoft.com/isapi/redir.dll?prd=ie&pver=6&ar=msnhome
"Default_Search_URL"=http://home.microsoft.com/search/search.asp
"Local Page"=C:\WINDOWS\system32\blank.htm
"Search Page"=http://www.microsoft.com/isapi/redir.dll?prd=ie&ar=iesearch
"Start Page"=http://www.msn.com

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Search]
"CustomizeSearch"=http://ie.search.msn.com/{SUB_RFC1766}/srchasst/srchcust.htm
"SearchAssistant"=http://ie.search.msn.com/{SUB_RFC1766}/srchasst/srchasst.htm

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\Main]
"Local Page"=C:\WINDOWS\system32\blank.htm
"Search Page"=http://www.microsoft.com/isapi/redir.dll?prd=ie&ar=iesearch
"Start Page"=http://www.msn.com/

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\SearchURL]
""=http://home.microsoft.com/access/autosearch.asp?p=%s
"provider"=

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\URLSearchHooks]
"{CFBFAE00-17A6-11D0-99CB-00C04FD64497}" (HKLM) -- C:\WINDOWS\system32\shdocvw.dll (Microsoft Corporation)
"{EF99BD32-C1FB-11D2-892F-0090271D4F88}" (HKLM) -- Reg Error: Key does not exist or could not be opened. File not found

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyEnable" = 0
"ProxyOverride" = *.local

========== (O1) Hosts File ==========

HOSTS File = (686 bytes) - C:\WINDOWS\System32\drivers\etc\Hosts
First 25 entries...
127.0.0.1 localhost

========== (O2) BHO's ==========

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\]
{29a5996a-db9d-482c-8d95-7d260e574814} (HKLM) -- Reg Error: Key does not exist or could not be opened. File not found
{5097B7F7-2260-488C-BDEE-8DDB9BFEC512} (HKLM) -- Reg Error: Key does not exist or could not be opened. File not found
{53707962-6F74-2D53-2644-206D7942484F} (HKLM) -- C:\Program Files\Spybot - Search & Destroy\SDHelper.dll (Safer Networking Limited)
{761497BB-D6F0-462C-B6EB-D4DAF1D92D43} (HKLM) -- C:\Program Files\Java\jre6\bin\ssv.dll (Sun Microsystems, Inc.)
{7D1C50CC-18B4-4112-A7AA-7FC12D8EE8F1} (HKLM) -- Reg Error: Key does not exist or could not be opened. File not found
{bc75b898-7148-4604-bd89-c28c5c70c8cb} (HKLM) -- Reg Error: Key does not exist or could not be opened. File not found
{DBC80044-A445-435b-BC74-9C25C1C588A9} (HKLM) -- C:\Program Files\Java\jre6\bin\jp2ssv.dll (Sun Microsystems, Inc.)

========== (O3) Toolbars ==========

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser]
"{40D41A8B-D79B-43D7-99A7-9EE0F344C385}" (HKLM) -- C:\Program Files\AIM Toolbar\AIMBar.dll File not found
"{AE6F2894-AF10-4C9C-B16E-1DFC6FF8C0C6}" (HKLM) -- Reg Error: Key does not exist or could not be opened. File not found
"{EF99BD32-C1FB-11D2-892F-0090271D4F88}" (HKLM) -- Reg Error: Key does not exist or could not be opened. File not found

========== (O4) Run Keys ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Adobe Photo Downloader"="C:\Program Files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe" (Adobe Systems Incorporated)
"AppleSyncNotifier"=C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleSyncNotifier.exe (Apple Inc.)
"DAEMON Tools-1033"="C:\Program Files\D-Tools\daemon.exe" -lang 1033 (DAEMON'S HOME)
"HotKeysCmds"=C:\WINDOWS\System32\hkcmd.exe (Intel Corporation)
"IgfxTray"=C:\WINDOWS\System32\igfxtray.exe (Intel Corporation)
"iTunesHelper"="C:\Program Files\iTunes\iTunesHelper.exe" (Apple Inc.)
"Malwarebytes Anti-Malware (reboot)"="C:\Program Files\Malwarebytes' Anti-Malware\mbam.exe" /runcleanupscript (Malwarebytes Corporation)
"POEngine"= File not found
"QuickTime Task"="C:\Program Files\QuickTime\QTTask.exe" -atboottime (Apple Inc.)
"SoundMan"=SOUNDMAN.EXE (Realtek Semiconductor Corp.)
"SunJavaUpdateSched"="C:\Program Files\Java\jre6\bin\jusched.exe" (Sun Microsystems, Inc.)
"tgcmd"="C:\Program Files\Support.com\bin\tgcmd.exe" /server /startmonitor /deaf (Qwest)
"yilowibazi"=Rundll32.exe "C:\WINDOWS\system32\gagagude.dll",s File not found

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SpybotSD TeaTimer"=C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe (Safer Networking Limited)
"updateMgr"="C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe" AcRdB7_0_9 -reboot 1 (Adobe Systems Incorporated)

========== (O4) Startup Folders ==========

[2005/09/23 21:05:26 | 00,029,696 | ---- | M] (Adobe Systems Incorporated) -- C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
[2001/02/13 01:01:04 | 00,083,360 | ---- | M] (Microsoft Corporation) -- C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE

========== (O6 & O7) Current Version Policies ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System]
"dontdisplaylastusername"=0
"legalnoticecaption"=
"legalnoticetext"=
"shutdownwithoutlogon"=1
"undockwithoutlogon"=1

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer]
"NoDriveTypeAutoRun"=145

========== (O8) IE Context Menu Extensions ==========

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\MenuExt\]
&AIM Search: C:\Program Files\AIM Toolbar\AIMBar.dll File not found
E&xport to Microsoft Excel: C:\Program Files\Microsoft Office\Office10\EXCEL.EXE [2003/12/03 17:04:40 | 09,189,896 | R--- | M] (Microsoft Corporation)

========== (O9) IE Extensions ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Extensions\]
{08B0E5C0-4FCB-11CF-AAA5-00401C608501}: Menu: Sun Java Console -- %ProgramFiles%\Java\jre6\bin\npjpi160_11.dll [2008/11/10 05:43:31 | 00,132,504 | ---- | M] (Sun Microsystems, Inc.)
{B4B52284-A248-4c51-9F7C-F0A0C67FCC9D}: Button: PartyCasino.com -- %ProgramFiles%\PartyGaming\PartyCasino\RunCasino.exe File not found
{B4B52284-A248-4c51-9F7C-F0A0C67FCC9D}: Menu: PartyCasino.com -- %ProgramFiles%\PartyGaming\PartyCasino\RunCasino.exe File not found
{B7FE5D70-9AA2-40F1-9C6B-12A255F085E1}: Button: PartyPoker.com -- %ProgramFiles%\PartyGaming\PartyPoker\RunApp.exe File not found
{B7FE5D70-9AA2-40F1-9C6B-12A255F085E1}: Menu: PartyPoker.com -- %ProgramFiles%\PartyGaming\PartyPoker\RunApp.exe File not found
{DFB852A3-47F8-48C4-A200-58CAB36FD2A2}: Menu: Spybot - Search && Destroy Configuration -- %ProgramFiles%\Spybot - Search & Destroy\SDHelper.dll [2008/09/15 14:25:44 | 01,562,960 | ---- | M] (Safer Networking Limited)

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\Extensions\]
CmdMapping\\{08B0E5C0-4FCB-11CF-AAA5-00401C608501} [HKLM] -> %SystemRoot%\system32\msjava.dll [Web Browser Applet Control] -> [2003/02/28 17:26:26 | 00,947,472 | ---- | M] (Microsoft Corporation)
CmdMapping\\{13C1DBF6-7535-495c-91F6-8C13714ED485} [HKLM] -> [Reg Error: Key does not exist or could not be opened.] -> File not found
CmdMapping\\{725E77D3-B919-4eef-8EEE-D09DE618B6C1} [HKLM] -> [Reg Error: Key does not exist or could not be opened.] -> File not found
CmdMapping\\{85BFB6E0-96F9-4424-8819-1D67E9F78D33} [HKLM] -> [Reg Error: Key does not exist or could not be opened.] -> File not found
CmdMapping\\{94148DB5-B42D-4915-95DA-2CBB4F7095BF} [HKLM] -> [Reg Error: Key does not exist or could not be opened.] -> File not found
CmdMapping\\{B4B52284-A248-4c51-9F7C-F0A0C67FCC9D} [HKLM] -> %ProgramFiles%\PartyGaming\PartyCasino\RunCasino.exe [PartyCasino.com] -> File not found
CmdMapping\\{B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} [HKLM] -> %ProgramFiles%\PartyGaming\PartyPoker\RunApp.exe [PartyPoker.com] -> File not found
CmdMapping\\{DFB852A3-47F8-48C4-A200-58CAB36FD2A2} [HKLM] -> %ProgramFiles%\Spybot - Search & Destroy\SDHelper.dll [Spybot - Search && Destroy Configuration] -> [2008/09/15 14:25:44 | 01,562,960 | ---- | M] (Safer Networking Limited)
CmdMapping\\{FB5F1910-F110-11d2-BB9E-00C04F795683} [HKLM] -> [Reg Error: Key does not exist or could not be opened.] -> File not found

========== (O12) Internet Explorer Plugins ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Plugins\]
PluginsPage: "" = http://activex.microsoft.com/controls/find...=%s&mime=%s
PluginsPageFriendlyName: "" = Microsoft ActiveX Gallery

========== (O13) Default Prefixes ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\URL\DefaultPrefix]
""=http://

========== (O15) Trusted Sites ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\]
1 domain(s) and sub-domain(s) not assigned to a zone.

========== (O16) DPF ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Code Store Database\Distribution Units\]
{33564D57-9980-0010-8000-00AA00389B71}: http://codecs.microsoft.com/codecs/i386/wmv9dmo.cab -- Reg Error: Key does not exist or could not be opened.
{8AD9C840-044E-11D1-B3E9-00805F499D93}: http://java.sun.com/update/1.6.0/jinstall-...indows-i586.cab -- Java Plug-in 1.6.0_11
{8FFBE65D-2C9C-4669-84BD-5829DC0B603C}: http://fpdownload.macromedia.com/get/flash...t/ultrashim.cab -- Reg Error: Key does not exist or could not be opened.
{CAFEEFAC-0016-0000-0011-ABCDEFFEDCBA}: http://java.sun.com/update/1.6.0/jinstall-...indows-i586.cab -- Java Plug-in 1.6.0_11
{CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA}: http://java.sun.com/update/1.6.0/jinstall-...indows-i586.cab -- Java Plug-in 1.6.0_11
{D27CDB6E-AE6D-11CF-96B8-444553540000}: http://active.macromedia.com/flash2/cabs/swflash.cab -- Shockwave Flash Object
Microsoft XML Parser for Java: file://C:\WINDOWS\Java\classes\xmldso.cab -- Reg Error: Key does not exist or could not be opened.

========== (O17) DNS Name Servers ==========

{9686A924-5E8A-432F-90B4-5F67D13070FB} (Servers: | Description: Realtek RTL8139 Family PCI Fast Ethernet NIC)

========== (O20) AppInit_DLLs ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]
"AppInit_Dlls"=qiuict.dll c:\windows\system32\nupanogo.dll c:\windows\system32\yujetata.dll,c:\windows\system32\sojefiwi.dll c:\windows\system32\hedagako.dll c:\windows\system32\papupona.dll c:\windows\system32\sojojazu.dll
>File not found --
>File not found -- c:\windows\system32\sojefiwi.dll

========== (O20) Winlogon Notify Settings ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\]
igfxcui: "DllName" = igfxsrvc.dll -- C:\WINDOWS\system32\igfxsrvc.dll (Intel Corporation)

========== HKLM *SecurityProviders* ==========

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders]
"SecurityProviders"=msapsspc.dll, schannel.dll, digest.dll, msnsspc.dll, digeste.dll
>File not found --

========== Safeboot Options ==========

"AlternateShell"=cmd.exe

========== CDRom AutoRun Settings ==========

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Cdrom]
"AutoRun" = 1

========== Autorun Files on Drives ==========

AUTOEXEC.BAT [PATH=%PATH%;C:\PROGRA~1\COMMON~1\MUVEET~1\030625 | ]
[2007/03/18 10:44:08 | 00,000,050 | ---- | M] () -- C:\AUTOEXEC.BAT -- [ NTFS ]

========== Files/Folders - Created Within 30 Days ==========

[3 C:\WINDOWS\System32\*.tmp files]
[3 C:\WINDOWS\*.tmp files]
[2008/12/16 19:28:57 | 00,423,424 | ---- | C] (OldTimer Tools) -- C:\Documents and Settings\Nate Smith\Desktop\OTViewIt.exe
[2008/12/15 18:03:53 | 00,020,992 | ---- | C] () -- C:\Documents and Settings\Nate Smith\My Documents\FILES.doc
[2008/12/15 18:01:09 | 00,000,000 | ---D | C] -- C:\_OTMoveIt
[2008/12/15 17:43:42 | 01,529,241 | ---- | C] () -- C:\Documents and Settings\Nate Smith\Desktop\SDFix.exe
[2008/12/15 17:43:33 | 01,033,216 | ---- | C] (OldTimer Tools) -- C:\Documents and Settings\Nate Smith\Desktop\OTMoveIt3.exe
[2008/12/15 17:36:09 | 01,588,727 | -HS- | C] () -- C:\WINDOWS\System32\owaviwam.ini
[2008/12/14 17:57:37 | 00,360,124 | ---- | C] () -- C:\Documents and Settings\Nate Smith\Desktop\dds.scr
[2008/12/10 21:34:17 | 00,000,000 | ---D | C] -- C:\rsit
[2008/12/10 21:33:04 | 00,305,705 | ---- | C] () -- C:\Documents and Settings\Nate Smith\Desktop\RSIT.exe
[2008/12/10 21:28:21 | 00,004,332 | ---- | C] () -- C:\Documents and Settings\Nate Smith\My Documents\Kaspersky Scan.html
[2008/12/09 19:44:49 | 00,000,933 | ---- | C] () -- C:\Documents and Settings\Nate Smith\Desktop\Spybot - Search & Destroy.lnk
[2008/12/09 19:41:43 | 00,001,734 | ---- | C] () -- C:\Documents and Settings\Nate Smith\Desktop\HijackThis.lnk
[2008/12/09 19:41:42 | 00,000,000 | ---D | C] -- C:\Program Files\Trend Micro
[2008/12/07 18:29:28 | 00,019,968 | ---- | C] () -- C:\Documents and Settings\Nate Smith\My Documents\Pauli's letter.doc
[2008/12/07 11:58:15 | 00,577,024 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\dllcache\user32.dll
[2008/12/07 11:55:43 | 00,000,000 | ---D | C] -- C:\WINDOWS\ERUNT
[2008/12/07 11:51:14 | 00,000,000 | ---D | C] -- C:\SDFix
[2008/12/06 23:03:43 | 00,000,000 | -HSD | C] -- C:\WINDOWS\TmF0ZSBTbWl0aA
[2008/12/06 22:42:41 | 00,000,304 | ---- | C] () -- C:\WINDOWS\tasks\svpjoumw.job
[2008/12/04 19:49:42 | 00,000,730 | ---- | C] () -- C:\Documents and Settings\All Users\Desktop\FileASSASSIN.lnk
[2008/12/04 19:49:41 | 00,000,000 | ---D | C] -- C:\Program Files\FileASSASSIN
[2008/12/01 11:48:07 | 00,000,000 | ---D | C] -- C:\WINDOWS\System32\Adobe
[2008/11/30 22:05:59 | 00,000,347 | ---- | C] () -- C:\WINDOWS\wininit.ini
[2008/11/24 08:48:21 | 00,020,992 | ---- | C] () -- C:\Documents and Settings\Nate Smith\My Documents\Letter.doc
[2008/11/24 08:14:53 | 00,022,528 | ---- | C] () -- C:\Documents and Settings\Nate Smith\My Documents\Resume[1].doc

========== Files - Modified Within 30 Days ==========

[3 C:\WINDOWS\System32\*.tmp files]
[3 C:\WINDOWS\*.tmp files]
[2008/12/16 19:28:58 | 00,423,424 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\Nate Smith\Desktop\OTViewIt.exe
[2008/12/16 19:27:06 | 00,002,206 | ---- | M] () -- C:\WINDOWS\System32\wpa.dbl
[2008/12/16 19:23:44 | 00,003,233 | -HS- | M] () -- C:\WINDOWS\System32\mmf.sys
[2008/12/16 19:23:34 | 00,000,006 | -H-- | M] () -- C:\WINDOWS\tasks\SA.DAT
[2008/12/16 19:23:32 | 00,002,048 | --S- | M] () -- C:\WINDOWS\bootstat.dat
[2008/12/16 19:22:39 | 00,006,456 | -H-- | M] () -- C:\WINDOWS\System32\hozasego
[2008/12/16 19:22:26 | 05,364,006 | -H-- | M] () -- C:\Documents and Settings\Nate Smith\Local Settings\Application Data\IconCache.db
[2008/12/16 19:07:40 | 00,020,992 | ---- | M] () -- C:\Documents and Settings\Nate Smith\My Documents\FILES.doc
[2008/12/16 19:03:42 | 00,000,304 | ---- | M] () -- C:\WINDOWS\tasks\svpjoumw.job
[2008/12/15 18:38:27 | 00,000,686 | ---- | M] () -- C:\WINDOWS\System32\drivers\etc\HOSTS
[2008/12/15 18:14:19 | 00,137,256 | ---- | M] () -- C:\WINDOWS\System32\FNTCACHE.DAT
[2008/12/15 17:43:49 | 01,529,241 | ---- | M] () -- C:\Documents and Settings\Nate Smith\Desktop\SDFix.exe
[2008/12/15 17:43:36 | 01,033,216 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\Nate Smith\Desktop\OTMoveIt3.exe
[2008/12/15 17:36:14 | 01,588,727 | -HS- | M] () -- C:\WINDOWS\System32\owaviwam.ini
[2008/12/14 22:20:33 | 00,000,347 | ---- | M] () -- C:\WINDOWS\wininit.ini
[2008/12/14 17:57:44 | 00,360,124 | ---- | M] () -- C:\Documents and Settings\Nate Smith\Desktop\dds.scr
[2008/12/10 22:38:10 | 00,000,284 | ---- | M] () -- C:\WINDOWS\tasks\AppleSoftwareUpdate.job
[2008/12/10 21:54:36 | 00,138,752 | ---- | M] () -- C:\Documents and Settings\Nate Smith\Local Settings\Application Data\DCBC2A71-70D8-4DAN-EHR8-E0D61DEA3FDF.ini
[2008/12/10 21:28:21 | 00,004,332 | ---- | M] () -- C:\Documents and Settings\Nate Smith\My Documents\Kaspersky Scan.html
[2008/12/10 19:54:43 | 00,305,705 | ---- | M] () -- C:\Documents and Settings\Nate Smith\Desktop\RSIT.exe
[2008/12/10 19:07:41 | 00,027,208 | ---- | M] () -- C:\Documents and Settings\Nate Smith\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
[2008/12/09 19:44:49 | 00,000,933 | ---- | M] () -- C:\Documents and Settings\Nate Smith\Desktop\Spybot - Search & Destroy.lnk
[2008/12/09 19:41:43 | 00,001,734 | ---- | M] () -- C:\Documents and Settings\Nate Smith\Desktop\HijackThis.lnk
[2008/12/07 18:29:29 | 00,019,968 | ---- | M] () -- C:\Documents and Settings\Nate Smith\My Documents\Pauli's letter.doc
[2008/12/07 11:58:16 | 00,577,024 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\System32\dllcache\user32.dll
[2008/12/05 10:31:35 | 00,022,528 | ---- | M] () -- C:\Documents and Settings\Nate Smith\My Documents\Resume[1].doc
[2008/12/04 19:49:42 | 00,000,730 | ---- | M] () -- C:\Documents and Settings\All Users\Desktop\FileASSASSIN.lnk
[2008/12/03 19:52:38 | 00,038,496 | ---- | M] (Malwarebytes Corporation) -- C:\WINDOWS\System32\drivers\mbamswissarmy.sys
[2008/12/03 19:52:34 | 00,015,504 | ---- | M] (Malwarebytes Corporation) -- C:\WINDOWS\System32\drivers\mbam.sys
[2008/11/24 08:48:21 | 00,020,992 | ---- | M] () -- C:\Documents and Settings\Nate Smith\My Documents\Letter.doc
< End of report >


Extras.Txt Log

OTViewIt Extras logfile created on: 12/16/2008 7:29:50 PM - Run
OTViewIt by OldTimer - Version 1.0.20.1 Folder = C:\Documents and Settings\Nate Smith\Desktop
Windows XP Professional Edition Service Pack 2 (Version = 5.1.2600) - Type = NTWorkstation
Internet Explorer (Version = 6.0.2900.2180)
Locale: 00000409 | Country: United States | Language: ENU | Date Format: M/d/yyyy

503.48 Mb Total Physical Memory | 219.72 Mb Available Physical Memory | 43.64% Memory free
1.20 Gb Paging File | 0.93 Gb Available in Paging File | 77.63% Paging File free
Paging file location(s): C:\pagefile.sys 756 1512;

%SystemDrive% = C: | %SystemRoot% = C:\WINDOWS | %ProgramFiles% = C:\Program Files
Drive C: | 9.53 Gb Total Space | 2.02 Gb Free Space | 21.19% Space Free | Partition Type: NTFS
Drive D: | 31.48 Gb Total Space | 6.17 Gb Free Space | 19.59% Space Free | Partition Type: NTFS
E: Drive not present or media not loaded
F: Drive not present or media not loaded
G: Drive not present or media not loaded
H: Drive not present or media not loaded
I: Drive not present or media not loaded

Computer Name: STEINER
Current User Name: Nate Smith
Logged in as Administrator.

Current Boot Mode: Normal
Scan Mode: Current user
Whitelist: On
File Age = 30 Days

========== File Associations ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\<extension>]

========== Security Center Settings ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center]
"AntiVirusDisableNotify"=0
"FirewallDisableNotify"=0
"UpdatesDisableNotify"=1
"AntiVirusOverride"=0
"FirewallOverride"=0

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications]
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\GloballyOpenPorts]

========== Authorized Applications List ==========

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\AuthorizedApplications\List]
File not found -- C:\Program Files\MSN Messenger\msnmsgr.exe:*:Enabled:Windows Live Messenger 8.0
File not found -- C:\Program Files\MSN Messenger\msncall.exe:*:Enabled:Windows Live Messenger 8.0 (Phone)

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List]
File not found -- C:\Program Files\MSN Messenger\msnmsgr.exe:*:Enabled:Windows Live Messenger 8.0
File not found -- C:\Program Files\MSN Messenger\msncall.exe:*:Enabled:Windows Live Messenger 8.0 (Phone)

========== (O10) Winsock2 Catalogs ==========

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\WinSock2\Parameters\]
NameSpace_Catalog5\Catalog_Entries\000000000004 [mdnsNSP] -- C:\Program Files\Bonjour\mdnsNSP.dll (Apple Inc.)

========== (O18) Protocol Handlers ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\PROTOCOLS\Handler\]
[2004/01/29 08:08:23 | 00,868,352 | ---- | M] (Microsoft Corporation) C:\Program Files\Common Files\Microsoft Shared\Web Folders\PKMCDO.DLL (cdo:{CD00020A-8B95-11D1-82DB-00C04FB1625D} (HKLM) [Microsoft PKM KnowledgePluggable Class])
ipp: [HKLM - No CLSID value]
[2004/01/29 08:08:23 | 01,130,496 | ---- | M] (Microsoft Corporation) C:\Program Files\Common Files\System\Ole DB\MSDAIPP.DLL ipp\0x00000001:{E1D2BF42-A96B-11d1-9C6B-0000F875AC61} (HKLM) [HKLM - MSDAMON.BINDER]
msdaipp: [HKLM - No CLSID value]
[2004/01/29 08:08:23 | 01,130,496 | ---- | M] (Microsoft Corporation) C:\Program Files\Common Files\System\Ole DB\MSDAIPP.DLL msdaipp\0x00000001:{E1D2BF42-A96B-11d1-9C6B-0000F875AC61} (HKLM) [HKLM - MSDAMON.BINDER]
[2004/01/29 08:08:23 | 01,130,496 | ---- | M] (Microsoft Corporation) C:\Program Files\Common Files\System\Ole DB\MSDAIPP.DLL msdaipp\oledb:{E1D2BF40-A96B-11d1-9C6B-0000F875AC61} (HKLM) [HKLM - MSDAIPP.BINDER]
[2004/01/21 14:36:14 | 07,334,592 | ---- | M] (Microsoft Corporation) C:\Program Files\Common Files\Microsoft Shared\Web Components\10\OWC10.DLL (mso-offdap:{3D9F03FA-7A94-11D3-BE81-0050048385D1} (HKLM) [Data Page Pluggable Protocol mso-offdap Handler])

========== HKEY_LOCAL_MACHINE Uninstall List ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall]
"{02DFF6B1-1654-411C-8D7B-FD6052EF016F}"=Apple Software Update
"{0456ebd7-5f67-4ab6-852e-63781e3f389c}"=Macromedia Flash Player
"{08CA9554-B5FE-4313-938F-D4A417B81175}"=QuickTime
"{1F701DBD-1660-4108-B10A-FB435EA63BF0}"=PostgreSQL 8.2
"{26A24AE4-039D-4CA4-87B4-2F83216010FF}"=Java™ 6 Update 11
"{350C97B0-3D7C-4EE8-BAA9-00BCB3D54227}"=WebFldrs XP
"{35B91753-5789-4517-9CF1-2CCE3A8CF4F1}"=Apple Mobile Device Support
"{49162FE8-25D2-4E64-BFF7-157514496778}"=SideWinder Game Voice
"{4BDFD2CE-6329-42E4-9801-9B3D1F10D79B}"=Adobe® Photoshop® Album Starter Edition 3.0
"{4E68EAA3-775A-4542-A08A-47DB8E8E74A6}"=NTI Backup NOW! 3
"{56CA5D3B-3002-4E7B-90FE-071D8FDF3814}"=
"{5C29CB8B-AC1E-4114-8D68-9CD080140D4A}"=Sony USB Driver
"{63569CE9-FA00-469C-AF5C-E5D4D93ACF91}"=Windows Genuine Advantage v1.3.0254.0
"{6D0C6BE4-F674-43D2-96BC-3509345108C9}_is1"=PokerStove version 1.21
"{7131646D-CD3C-40F4-97B9-CD9E4E6262EF}"=Microsoft .NET Framework 2.0
"{89F4137D-6C26-4A84-BDB8-2E5A4BB71E00}"=Microsoft Silverlight
"{8A25392D-C5D2-4E79-A2BD-C15DDC5B0959}"=Bonjour
"{8A708DD8-A5E6-11D4-A706-000629E95E20}"=Intel® Extreme Graphics Driver
"{8FDD2A92-9F75-4706-B8C2-08499A9863E6}"=NTI DriveBackup! 3
"{90280409-6000-11D3-8CFE-0050048383C9}"=Microsoft Office XP Professional with FrontPage
"{AC76BA86-7AD7-1033-7B44-A70900000002}"=Adobe Reader 7.0.9
"{B4092C6D-E886-4CB2-BA68-FE5A88D31DE6}_is1"=Spybot - Search & Destroy
"{C438B7C4-B4F8-49C5-A4DF-FF6F1F242778}"=NTI CD-Maker
"{EF6C4600-306D-4F6A-A119-C2A877D25B4A}"=iTunes
"Adobe Flash Player ActiveX"=Adobe Flash Player ActiveX
"Adobe Flash Player Plugin"=Adobe Flash Player 10 Plugin
"Adobe Shockwave Player"=Adobe Shockwave Player 11
"Conquest_is1"=Conquest 4.0
"FileASSASSIN"=FileASSASSIN
"HijackThis"=HijackThis 2.0.2
"HyperLoad"=HyperLoad
"InstallShield_{4E68EAA3-775A-4542-A08A-47DB8E8E74A6}"=NTI Backup NOW! 3
"InstallShield_{8FDD2A92-9F75-4706-B8C2-08499A9863E6}"=NTI DriveBackup! 3
"InstallShield_{C438B7C4-B4F8-49C5-A4DF-FF6F1F242778}"=NTI CD-Maker Gold
"LimeWire"=LimeWire 4.14.8
"Malwarebytes' Anti-Malware_is1"=Malwarebytes' Anti-Malware
"Microsoft .NET Framework 2.0"=Microsoft .NET Framework 2.0
"Mozilla Firefox (3.0.4)"=Mozilla Firefox (3.0.4)
"MSCompPackV1"=Microsoft Compression Client Pack 1.0 for Windows XP
"Poker Tracker Version 2.16.00e_is1"=Poker Tracker Version 2.16.00e
"PokerAce Hud"=PokerAce Hud (remove only)
"PokerStars"=PokerStars
"QuickTime32"=QuickTime for Windows (32-bit)
"Qwest"=Qwest QuickCare
"SkyCaddieDesktop"=SkyCaddie Desktop
"Windows Media Format Runtime"=Windows Media Format 11 runtime
"Windows XP Service Pack"=Windows XP Service Pack 2
"WinZip"=WinZip
"WMFDist11"=Windows Media Format 11 runtime
"Wudf01000"=Microsoft User-Mode Driver Framework Feature Pack 1.0

========== Last 10 Event Log Errors ==========

[ Application Events ]
Error - 12/16/2008 8:58:38 PM | Computer Name = STEINER | Source = PostgreSQL | ID = 0
Description = FATAL: could not reattach to shared memory (key=5432001, addr=01A50000):
Invalid argument

Error - 12/16/2008 8:59:38 PM | Computer Name = STEINER | Source = PostgreSQL | ID = 0
Description = FATAL: could not reattach to shared memory (key=5432001, addr=01A50000):
Invalid argument

Error - 12/16/2008 9:00:38 PM | Computer Name = STEINER | Source = PostgreSQL | ID = 0
Description = FATAL: could not reattach to shared memory (key=5432001, addr=01A50000):
Invalid argument

Error - 12/16/2008 9:01:29 PM | Computer Name = STEINER | Source = Application Hang | ID = 1002
Description = Hanging application firefox.exe, version 1.9.0.3224, hang module hungapp,
version 0.0.0.0, hang address 0x00000000.

Error - 12/16/2008 9:01:39 PM | Computer Name = STEINER | Source = PostgreSQL | ID = 0
Description = FATAL: could not reattach to shared memory (key=5432001, addr=01A50000):
Invalid argument

Error - 12/16/2008 9:02:39 PM | Computer Name = STEINER | Source = PostgreSQL | ID = 0
Description = FATAL: could not reattach to shared memory (key=5432001, addr=01A50000):
Invalid argument

Error - 12/16/2008 9:03:51 PM | Computer Name = STEINER | Source = Userenv | ID = 1090
Description = Windows couldn't log the RSoP (Resultant Set of Policies) session
status. An attempt to connect to WMI failed. No more RSoP logging will be done for
this application of policy.

Error - 12/16/2008 9:03:51 PM | Computer Name = STEINER | Source = Userenv | ID = 1090
Description = Windows couldn't log the RSoP (Resultant Set of Policies) session
status. An attempt to connect to WMI failed. No more RSoP logging will be done for
this application of policy.

Error - 12/16/2008 9:23:44 PM | Computer Name = STEINER | Source = Userenv | ID = 1090
Description = Windows couldn't log the RSoP (Resultant Set of Policies) session
status. An attempt to connect to WMI failed. No more RSoP logging will be done for
this application of policy.

Error - 12/16/2008 9:23:44 PM | Computer Name = STEINER | Source = Userenv | ID = 1090
Description = Windows couldn't log the RSoP (Resultant Set of Policies) session
status. An attempt to connect to WMI failed. No more RSoP logging will be done for
this application of policy.

[ System Events ]
Error - 12/7/2008 1:55:00 PM | Computer Name = STEINER | Source = DCOM | ID = 10005
Description = DCOM got error "%1084" attempting to start the service EventSystem
with arguments "" in order to run the server: {1BE1F766-5536-11D1-B726-00C04FB926AF}

Error - 12/7/2008 1:55:02 PM | Computer Name = STEINER | Source = DCOM | ID = 10005
Description = DCOM got error "%1084" attempting to start the service netman with
arguments "" in order to run the server: {BA126AE5-2166-11D1-B1D0-00805FC1270E}

Error - 12/7/2008 2:01:57 PM | Computer Name = STEINER | Source = Cdrom | ID = 262159
Description = The device, \Device\CdRom2, is not ready for access yet.

Error - 12/10/2008 2:39:52 PM | Computer Name = STEINER | Source = DCOM | ID = 10005
Description = DCOM got error "%1084" attempting to start the service EventSystem
with arguments "" in order to run the server: {1BE1F766-5536-11D1-B726-00C04FB926AF}

Error - 12/10/2008 2:39:55 PM | Computer Name = STEINER | Source = DCOM | ID = 10005
Description = DCOM got error "%1084" attempting to start the service netman with
arguments "" in order to run the server: {BA126AE5-2166-11D1-B1D0-00805FC1270E}

Error - 12/10/2008 3:13:26 PM | Computer Name = STEINER | Source = DCOM | ID = 10005
Description = DCOM got error "%1084" attempting to start the service EventSystem
with arguments "" in order to run the server: {1BE1F766-5536-11D1-B726-00C04FB926AF}

Error - 12/15/2008 8:19:18 PM | Computer Name = STEINER | Source = DCOM | ID = 10005
Description = DCOM got error "%1084" attempting to start the service EventSystem
with arguments "" in order to run the server: {1BE1F766-5536-11D1-B726-00C04FB926AF}

Error - 12/15/2008 8:19:22 PM | Computer Name = STEINER | Source = DCOM | ID = 10005
Description = DCOM got error "%1084" attempting to start the service netman with
arguments "" in order to run the server: {BA126AE5-2166-11D1-B1D0-00805FC1270E}

Error - 12/15/2008 8:19:28 PM | Computer Name = STEINER | Source = DCOM | ID = 10005
Description = DCOM got error "%1084" attempting to start the service StiSvc with
arguments "" in order to run the server: {A1F4E726-8CF1-11D1-BF92-0060081ED811}

Error - 12/15/2008 8:42:10 PM | Computer Name = STEINER | Source = Cdrom | ID = 262159
Description = The device, \Device\CdRom2, is not ready for access yet.


< End of report >

Sam,

I'm going out of town for a couple of weeks so if you don't hear back from me I'm not around my computer.

Thanks again for all your help and Merry Christmas.

Nate

#8 Buckeye_Sam

    Malware Expert

Posted 17 December 2008 - 09:54 AM

Copy the text below into OTMoveIt3

:files
C:\WINDOWS\System32\owaviwam.ini
C:\WINDOWS\tasks\svpjoumw.job

:reg
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders]
"SecurityProviders"=-
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders]
"SecurityProviders"=msapsspc.dll, schannel.dll, digest.dll, msnsspc.dll
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]
"AppInit_Dlls"=-
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"yilowibazi"=-



How is your computer behaving now?
If I have helped you in any way, please consider a donation to help me continue the fight against malware.


Failing to respond back to the person that is giving up their own time to help you not only is insensitive and disrespectful, but it guarantees that you will never receive help from me again. Please thank your helpers and there will always be help here when you need it!


========================================================

#9 natesteine21

  • Topic Starter

Posted 17 December 2008 - 10:16 AM

It seems to be behaving fine except I get this error message at start up:

Error Loading
c:\windows\system32\gagagude.dll
Didn't Load Correctly (Or Something To That Extent)

Here is the OTMoveIt Log:

:files
C:\WINDOWS\System32\owaviwam.ini
C:\WINDOWS\tasks\svpjoumw.job

:reg
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders]
"SecurityProviders"=-
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders]
"SecurityProviders"=msapsspc.dll, schannel.dll, digest.dll, msnsspc.dll
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]
"AppInit_Dlls"=-
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"yilowibazi"=-


I restarted and ran Malwarebytes again and got this:

Malwarebytes' Anti-Malware 1.31
Database version: 1456
Windows 5.1.2600 Service Pack 2

12/17/2008 9:15:43 AM
mbam-log-2008-12-17 (09-15-43).txt

Scan type: Quick Scan
Objects scanned: 52599
Time elapsed: 5 minute(s), 21 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 1
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\yilowibazi (Trojan.Vundo.H) -> Quarantined and deleted successfully.

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)


Thanks again for your help. I'll talk to you in a couple of weeks.

Nate.

#10 Buckeye_Sam

    Malware Expert

Posted 18 December 2008 - 09:34 AM

Ok, enjoy your Holiday!

I'll try to keep this open until you return, but if you find it closed and need it reopened just send me a PM.


========================================================

#11 natesteine21

  • Topic Starter

Posted 30 December 2008 - 10:50 PM

Sam, I'm back.

When I restart my computer I still get the:

error loading

c:\windows\system32\gagagude.dll

Does that affect anything?

#12 Buckeye_Sam

    Malware Expert

Posted 31 December 2008 - 09:27 AM

We can take care of that.

Download Hijackthis from here.
http://www.download.com/Trend-Micro-Hijack...4-10227353.html

Run the program.
Click on Do a system scan and save a logfile.
The log will open up in notepad, please post that log here.


========================================================

#13 natesteine21

  • Topic Starter

Posted 31 December 2008 - 04:09 PM

Here you go:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 3:09:24 PM, on 12/31/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\igfxtray.exe
C:\WINDOWS\System32\hkcmd.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\Program Files\D-Tools\daemon.exe
C:\Program Files\Support.com\bin\tgcmd.exe
C:\Program Files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\WINDOWS\runservice.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\system32\WgaTray.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - (no file)
O2 - BHO: (no name) - {29a5996a-db9d-482c-8d95-7d260e574814} - (no file)
O2 - BHO: (no name) - {5097B7F7-2260-488C-BDEE-8DDB9BFEC512} - (no file)
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre6\bin\ssv.dll
O2 - BHO: (no name) - {7D1C50CC-18B4-4112-A7AA-7FC12D8EE8F1} - (no file)
O2 - BHO: (no name) - {bc75b898-7148-4604-bd89-c28c5c70c8cb} - (no file)
O2 - BHO: Java™ Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [DAEMON Tools-1033] "C:\Program Files\D-Tools\daemon.exe" -lang 1033
O4 - HKLM\..\Run: [tgcmd] "C:\Program Files\Support.com\bin\tgcmd.exe" /server /startmonitor /deaf
O4 - HKLM\..\Run: [Adobe Photo Downloader] "C:\Program Files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe"
O4 - HKLM\..\Run: [AppleSyncNotifier] C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleSyncNotifier.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"
O4 - HKLM\..\Run: [Malwarebytes Anti-Malware (reboot)] "C:\Program Files\Malwarebytes' Anti-Malware\mbam.exe" /runcleanupscript
O4 - HKLM\..\Run: [yilowibazi] Rundll32.exe "C:\WINDOWS\system32\gagagude.dll",s
O4 - HKCU\..\Run: [updateMgr] "C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe" AcRdB7_0_9 -reboot 1
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKUS\S-1-5-19\..\Run: [yilowibazi] Rundll32.exe "C:\WINDOWS\system32\hupabubi.dll",s (User '?')
O4 - HKUS\S-1-5-20\..\Run: [yilowibazi] Rundll32.exe "C:\WINDOWS\system32\hupabubi.dll",s (User '?')
O4 - HKUS\S-1-5-21-299502267-329068152-839522115-1003\..\Run: [updateMgr] "C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe" AcRdB7_0_9 -reboot 1 (User '?')
O4 - HKUS\S-1-5-21-299502267-329068152-839522115-1004\..\Run: [yilowibazi] Rundll32.exe "C:\WINDOWS\system32\hupabubi.dll",s (User '?')
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: &AIM Search - res://C:\Program Files\AIM Toolbar\AIMBar.dll/aimsearch.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre6\bin\npjpi160_11.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre6\bin\npjpi160_11.dll
O9 - Extra button: PartyCasino.com - {B4B52284-A248-4c51-9F7C-F0A0C67FCC9D} - C:\Program Files\PartyGaming\PartyCasino\RunCasino.exe (file missing)
O9 - Extra 'Tools' menuitem: PartyCasino.com - {B4B52284-A248-4c51-9F7C-F0A0C67FCC9D} - C:\Program Files\PartyGaming\PartyCasino\RunCasino.exe (file missing)
O9 - Extra button: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\Program Files\PartyGaming\PartyPoker\RunApp.exe (file missing)
O9 - Extra 'Tools' menuitem: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\Program Files\PartyGaming\PartyPoker\RunApp.exe (file missing)
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search && Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O9 - Extra button: Absolute Poker - {13C1DBF6-7535-495c-91F6-8C13714ED485} - C:\Documents and Settings\Nate Smith\Start Menu\Programs\Absolute Poker\Absolute Poker.lnk (HKCU)
O9 - Extra 'Tools' menuitem: Absolute Poker - {13C1DBF6-7535-495c-91F6-8C13714ED485} - C:\Documents and Settings\Nate Smith\Start Menu\Programs\Absolute Poker\Absolute Poker.lnk (HKCU)
O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: LicCtrl Service (LicCtrlService) - Unknown owner - C:\WINDOWS\runservice.exe
O23 - Service: PostgreSQL Database Server 8.2 (pgsql-8.2) - PostgreSQL Global Development Group - C:\Program Files\PostgreSQL\8.2\bin\pg_ctl.exe

--
End of file - 6745 bytes

#14 Buckeye_Sam

    Malware Expert

Posted 31 December 2008 - 04:18 PM

You will need to disable Spybot's Teatimer or it will interfere with Hijackthis.
  • Open Spybot Search & Destroy.
  • In the Mode menu click "Advanced mode" if not already selected.
  • Choose "Yes" at the Warning prompt.
  • Expand the "Tools" menu.
  • Click "Resident".
  • Uncheck the "Resident "TeaTimer" (Protection of overall system settings) active." box.
  • In the File menu click "Exit" to exit Spybot Search & Destroy.

Run Hijackthis again, click scan, and put a checkmark next to each of the lines listed below. Then close all other windows (you should only see HijackThis on your Desktop) and click the Fix Checked button.

R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - (no file)
O2 - BHO: (no name) - {29a5996a-db9d-482c-8d95-7d260e574814} - (no file)
O2 - BHO: (no name) - {5097B7F7-2260-488C-BDEE-8DDB9BFEC512} - (no file)
O2 - BHO: (no name) - {7D1C50CC-18B4-4112-A7AA-7FC12D8EE8F1} - (no file)
O2 - BHO: (no name) - {bc75b898-7148-4604-bd89-c28c5c70c8cb} - (no file)
O4 - HKLM\..\Run: [yilowibazi] Rundll32.exe "C:\WINDOWS\system32\gagagude.dll",s
O4 - HKUS\S-1-5-19\..\Run: [yilowibazi] Rundll32.exe "C:\WINDOWS\system32\hupabubi.dll",s (User '?')
O4 - HKUS\S-1-5-20\..\Run: [yilowibazi] Rundll32.exe "C:\WINDOWS\system32\hupabubi.dll",s (User '?')




Reboot and post a new hijackthis log.
Any errors now?


========================================================
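The selection the helper made in post #14 (the "(no file)" entries plus the Rundll32 autoruns) can be reproduced mechanically from the HijackThis log in post #13. The following is an added example, not code from the thread, from HijackThis or from any tool used here: it triages HijackThis lines with two heuristics, and the regular expressions and the "6 to 10 lowercase letters, one-letter export" rule are this example's own assumptions, modelled on the yilowibazi entries above. The sample input is a subset of the posted log; the hive listing shows the same Run value registered in HKLM, the service-account hives and a user hive.

```python
"""Triage HijackThis entries the way the helper did in post #14.

Added example for this thread, not code from HijackThis or from any tool
used here.  Two heuristics reproduce the helper's selection: entries whose
registered file is gone ("(no file)") and Run values that start Rundll32 on
a randomly named DLL in system32 with a one-letter export, the pattern of
the Vundo/Monder entries in the log above.  The regexes and the "6 to 10
lowercase letters" rule are this example's assumptions, not a signature.
"""
import re
from dataclasses import dataclass

# Constructed sample: a subset of the HijackThis lines posted in this thread.
SAMPLE_LOG = r"""
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - (no file)
O2 - BHO: (no name) - {29a5996a-db9d-482c-8d95-7d260e574814} - (no file)
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
O4 - HKLM\..\Run: [yilowibazi] Rundll32.exe "C:\WINDOWS\system32\gagagude.dll",s
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKUS\S-1-5-19\..\Run: [yilowibazi] Rundll32.exe "C:\WINDOWS\system32\hupabubi.dll",s (User '?')
O4 - HKUS\S-1-5-21-299502267-329068152-839522115-1004\..\Run: [yilowibazi] Rundll32.exe "C:\WINDOWS\system32\hupabubi.dll",s (User '?')
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
"""

# "O4 - <hive>\..\Run: [<value name>] <command> (User '<name>')?"
O4_RE = re.compile(
    r"^O4 - (?P<hive>.+?)\\\.\.\\Run: \[(?P<value>[^\]]+)\] (?P<cmd>.*?)"
    r"(?: \(User '[^']*'\))?$")
# rundll32[.exe] "<path>.dll",<export>
RUNDLL_RE = re.compile(
    r'^rundll32(?:\.exe)?\s+"?(?P<dll>[^",]+?\.dll)"?\s*,\s*(?P<export>\S+)$',
    re.IGNORECASE)
# Assumed heuristic: droppers of this family used pronounceable 8-letter
# names; genuine system DLLs nearly always carry digits or a longer export.
RANDOM_STEM_RE = re.compile(r"^[a-z]{6,10}$")


@dataclass(frozen=True)
class Finding:
    line: str    # the HijackThis line, verbatim, ready to tick in the tool
    reason: str


def is_vundo_style_rundll(cmd: str) -> bool:
    """True for a Rundll32 command loading a random-named system32 DLL."""
    m = RUNDLL_RE.match(cmd.strip())
    if not m:
        return False
    folder, _, filename = m.group("dll").replace("/", "\\").rpartition("\\")
    stem = filename[:-len(".dll")].lower()
    return (folder.lower().endswith("\\system32")
            and RANDOM_STEM_RE.match(stem) is not None
            and len(m.group("export")) == 1)


def triage(log_text: str) -> list[Finding]:
    """Return the entries a helper would ask the user to fix, with reasons."""
    findings = []
    for raw in log_text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.endswith("(no file)"):
            findings.append(Finding(line, "registered component whose file is missing"))
            continue
        m = O4_RE.match(line)
        if m and is_vundo_style_rundll(m.group("cmd")):
            findings.append(Finding(line, f"Rundll32 autorun in hive {m.group('hive')}"))
    return findings


def fix_list(log_text: str) -> list[str]:
    """Just the lines, in log order, to check before pressing Fix Checked."""
    return [f.line for f in triage(log_text)]


def autorun_hives(log_text: str, value_name: str) -> list[str]:
    """Every hive in which a Run value of this name is registered; the same
    name in HKLM, the service-account hives and a user hive means the
    infection persisted itself for every profile, not just the current one."""
    hives = []
    for raw in log_text.splitlines():
        m = O4_RE.match(raw.strip())
        if m and m.group("value").lower() == value_name.lower():
            hives.append(m.group("hive"))
    return hives


if __name__ == "__main__":
    for finding in triage(SAMPLE_LOG):
        print(f"{finding.reason}: {finding.line}")
    print("yilowibazi registered in:", autorun_hives(SAMPLE_LOG, "yilowibazi"))
```

The output is a checklist of lines to tick in HijackThis, not a verdict; a helper still confirms each entry before fixing it.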

#15 natesteine21

  • Topic Starter

Posted 31 December 2008 - 04:59 PM

Here you go: No pop ups on the restart.

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 3:58:26 PM, on 12/31/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\igfxtray.exe
C:\WINDOWS\System32\hkcmd.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\Program Files\D-Tools\daemon.exe
C:\Program Files\Support.com\bin\tgcmd.exe
C:\Program Files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\WINDOWS\runservice.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\system32\WgaTray.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre6\bin\ssv.dll
O2 - BHO: Java™ Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [DAEMON Tools-1033] "C:\Program Files\D-Tools\daemon.exe" -lang 1033
O4 - HKLM\..\Run: [tgcmd] "C:\Program Files\Support.com\bin\tgcmd.exe" /server /startmonitor /deaf
O4 - HKLM\..\Run: [Adobe Photo Downloader] "C:\Program Files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe"
O4 - HKLM\..\Run: [AppleSyncNotifier] C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleSyncNotifier.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"
O4 - HKLM\..\Run: [Malwarebytes Anti-Malware (reboot)] "C:\Program Files\Malwarebytes' Anti-Malware\mbam.exe" /runcleanupscript
O4 - HKCU\..\Run: [updateMgr] "C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe" AcRdB7_0_9 -reboot 1
O4 - HKUS\S-1-5-21-299502267-329068152-839522115-1003\..\Run: [updateMgr] "C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe" AcRdB7_0_9 -reboot 1 (User '?')
O4 - HKUS\S-1-5-21-299502267-329068152-839522115-1004\..\Run: [yilowibazi] Rundll32.exe "C:\WINDOWS\system32\hupabubi.dll",s (User '?')
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: &AIM Search - res://C:\Program Files\AIM Toolbar\AIMBar.dll/aimsearch.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre6\bin\npjpi160_11.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre6\bin\npjpi160_11.dll
O9 - Extra button: PartyCasino.com - {B4B52284-A248-4c51-9F7C-F0A0C67FCC9D} - C:\Program Files\PartyGaming\PartyCasino\RunCasino.exe (file missing)
O9 - Extra 'Tools' menuitem: PartyCasino.com - {B4B52284-A248-4c51-9F7C-F0A0C67FCC9D} - C:\Program Files\PartyGaming\PartyCasino\RunCasino.exe (file missing)
O9 - Extra button: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\Program Files\PartyGaming\PartyPoker\RunApp.exe (file missing)
O9 - Extra 'Tools' menuitem: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\Program Files\PartyGaming\PartyPoker\RunApp.exe (file missing)
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: Absolute Poker - {13C1DBF6-7535-495c-91F6-8C13714ED485} - C:\Documents and Settings\Nate Smith\Start Menu\Programs\Absolute Poker\Absolute Poker.lnk (HKCU)
O9 - Extra 'Tools' menuitem: Absolute Poker - {13C1DBF6-7535-495c-91F6-8C13714ED485} - C:\Documents and Settings\Nate Smith\Start Menu\Programs\Absolute Poker\Absolute Poker.lnk (HKCU)
O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: LicCtrl Service (LicCtrlService) - Unknown owner - C:\WINDOWS\runservice.exe
O23 - Service: PostgreSQL Database Server 8.2 (pgsql-8.2) - PostgreSQL Global Development Group - C:\Program Files\PostgreSQL\8.2\bin\pg_ctl.exe

--
End of file - 5809 bytes
