
win32.agent Virus


  • This topic is locked
29 replies to this topic

#1 MayGyver

Posted 29 April 2009 - 03:48 PM

This virus showed up on an antivirus program scan but it couldn't be removed. I get blue screens, randomly get alt-tabbed, websites load slowly (sometimes not at all). PLEASE HELP. My computer is pretty much non-functional at this point. Help. Here is my HijackThis log.

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 4:32:52 PM, on 4/29/2009
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\brsvc01a.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\brss01a.exe
C:\WINDOWS\System32\svchost.exe
C:\PROGRA~1\COMMON~1\AOL\ACS\acsd.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
c:\program files\common files\mcafee\mna\mcnasvc.exe
c:\PROGRA~1\COMMON~1\mcafee\redirsvc\redirsvc.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
F:\Program Files B\Sony Vegas 6\Media Manager\MSSQL$SONY_MEDIAMGR\Binn\sqlservr.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\wanmpsvc.exe
C:\WINDOWS\System32\MsPMSPSv.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
c:\PROGRA~1\mcafee.com\agent\mcagent.exe
C:\WINDOWS\System32\alg.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\BCMSMMSG.exe
C:\WINDOWS\system32\dla\tfswctrl.exe
C:\WINDOWS\System32\DSentry.exe
C:\Program Files\Dell\Media Experience\PCMService.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Scansoft\PaperPort\pptd40nt.exe
C:\Program Files\Brother\Brmfcmon\BrMfcWnd.exe
C:\Program Files\ANI\ANIWZCS2 Service\WZCSLDR2.exe
C:\Program Files\SiteAdvisor\6172\SiteAdv.exe
F:\Program Files B\Daemon Tools\daemon.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Brother\ControlCenter3\brccMCtl.exe
C:\Program Files\AIM\aim.exe
C:\Program Files\Brother\Brmfcmon\BrMfcmon.exe
C:\WINDOWS\system32\ctfmon.exe
F:\Program Files B\Last.fm\LastFMHelper.exe
C:\Program Files\Scansoft\PaperPort\SmartUI\SmartUI.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\McAfee\MPF\MPFSrv.exe
c:\PROGRA~1\mcafee\msc\mcuimgr.exe
C:\DOCUME~1\ALEXMA~1\LOCALS~1\Temp\1566301594.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.osu.edu/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.dell.com/
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\userinit.exe,C:\WINDOWS\system32\ntos.exe,
O2 - BHO: C:\WINDOWS\system32\kjsdiowq8oikf.dll - {b2ba40a2-74f0-42bd-f434-12345a2c8953} - C:\WINDOWS\system32\kjsdiowq8oikf.dll
O3 - Toolbar: McAfee SiteAdvisor - {0BF43445-2F28-4351-9252-17FE6E806AA0} - C:\Program Files\SiteAdvisor\6172\SiteAdv.dll
O4 - HKLM\..\Run: [BCMSMMSG] BCMSMMSG.exe
O4 - HKLM\..\Run: [Logitech Utility] Logi_MwX.Exe
O4 - HKLM\..\Run: [dla] C:\WINDOWS\system32\dla\tfswctrl.exe
O4 - HKLM\..\Run: [DVDSentry] C:\WINDOWS\System32\DSentry.exe
O4 - HKLM\..\Run: [PCMService] "C:\Program Files\Dell\Media Experience\PCMService.exe"
O4 - HKLM\..\Run: [UpdateManager] "C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" /r
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [SSBkgdUpdate] "C:\Program Files\Common Files\Scansoft Shared\SSBkgdUpdate\SSBkgdupdate.exe" -Embedding -boot
O4 - HKLM\..\Run: [PaperPort PTD] C:\Program Files\Scansoft\PaperPort\pptd40nt.exe
O4 - HKLM\..\Run: [IndexSearch] C:\Program Files\Scansoft\PaperPort\IndexSearch.exe
O4 - HKLM\..\Run: [BrMfcWnd] C:\Program Files\Brother\Brmfcmon\BrMfcWnd.exe /AUTORUN
O4 - HKLM\..\Run: [SetDefPrt] C:\Program Files\Brother\Brmfl06a\BrStDvPt.exe
O4 - HKLM\..\Run: [ControlCenter3] C:\Program Files\Brother\ControlCenter3\brctrcen.exe /autorun
O4 - HKLM\..\Run: [ANIWZCS2Service] C:\Program Files\ANI\ANIWZCS2 Service\WZCSLDR2.exe
O4 - HKLM\..\Run: [SiteAdvisor] C:\Program Files\SiteAdvisor\6172\SiteAdv.exe
O4 - HKLM\..\Run: [DAEMON Tools] "F:\Program Files B\Daemon Tools\daemon.exe" -lang 1033
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [mcagent_exe] C:\Program Files\McAfee.com\Agent\mcagent.exe /runkey
O4 - HKLM\..\Run: [dscactivate] "C:\Program Files\Dell Support Center\gs_agent\custom\dsca.exe"
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "F:\Program Files B\Adobe\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [ATICCC] "C:\Program Files\ATI Technologies\ATI.ACE\cli.exe" runtime -Delay
O4 - HKLM\..\Run: [UserFaultCheck] %systemroot%\system32\dumprep 0 -u
O4 - HKCU\..\Run: [AIM] C:\Program Files\AIM\aim.exe -cnetwait.odl
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\Windows Live\Messenger\msnmsgr.exe" /background
O4 - HKCU\..\Run: [SpybotSD TeaTimer] F:\Program Files B\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKCU\..\Run: [Diagnostic Manager] C:\DOCUME~1\ALEX~1\LOCALS~1\Temp\1566301594.exe
O4 - HKUS\.DEFAULT\..\Run: [] C:\WINDOWS\TEMP\emnkyrlut.exe (User 'Default user')
O4 - HKUS\.DEFAULT\..\Run: [Windows Resurections] C:\WINDOWS\TEMP\emnkyrlut.exe (User 'Default user')
O4 - HKUS\.DEFAULT\..\Run: [Diagnostic Manager] C:\WINDOWS\TEMP\1176276160.exe (User 'Default user')
O4 - Global Startup: Last.fm Helper.lnk = F:\Program Files B\Last.fm\LastFMHelper.exe
O4 - Global Startup: SmartUI.lnk = C:\Program Files\Scansoft\PaperPort\SmartUI\SmartUI.exe
O7 - HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System, DisableRegedit=1
O8 - Extra context menu item: &D&ownload &with BitComet - res://F:\Program Files B\Bitcomet\BitComet.exe/AddLink.htm
O8 - Extra context menu item: &D&ownload all video with BitComet - res://F:\Program Files B\Bitcomet\BitComet.exe/AddVideo.htm
O8 - Extra context menu item: &D&ownload all with BitComet - res://F:\Program Files B\Bitcomet\BitComet.exe/AddAllLink.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~4\OFFICE11\REFIEBAR.DLL
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: BitComet - {D18A0B52-D63C-4ed0-AFC6-C1E3DC1AF43A} - res://F:\Program Files B\Bitcomet\tools\BitCometBHO_1.2.8.7.dll/206 (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O10 - Unknown file in Winsock LSP: xfire_lsp_9425.dll
O10 - Unknown file in Winsock LSP: xfire_lsp_9425.dll
O10 - Unknown file in Winsock LSP: xfire_lsp_9425.dll
O10 - Unknown file in Winsock LSP: xfire_lsp_9425.dll
O10 - Unknown file in Winsock LSP: xfire_lsp_9425.dll
O10 - Unknown file in Winsock LSP: xfire_lsp_9425.dll
O15 - Trusted Zone: http://*.mcafee.com
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} (McAfee.com Operating System Class) - http://download.mcafee.com/molbin/shared/m...76/mcinsctl.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdat...b?1140981619697
O16 - DPF: {9FC5238F-12C4-454F-B1B5-74599A21DE47} (Webshots Photo Uploader) - http://community.webshots.com/html/WSPhotoUploader.CAB
O16 - DPF: {BCC0FF27-31D9-4614-A68E-C18E1ADA4389} (DwnldGroupMgr Class) - http://download.mcafee.com/molbin/shared/m...,16/mcgdmgr.cab
O20 - AppInit_DLLs: C:\WINDOWS\system32\mowahufa.dll
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.DLL
O22 - SharedTaskScheduler: jso8joigm409gopgmrlgd - {B2BA40A2-74F0-42BD-F434-12345A2C8953} - C:\WINDOWS\system32\kjsdiowq8oikf.dll
O23 - Service: Adobe LM Service - Unknown owner - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: ANIWZCSd Service (ANIWZCSdService) - Alpha Networks Inc. - C:\Program Files\ANI\ANIWZCS2 Service\ANIWZCSdS.exe
O23 - Service: AOL Connectivity Service (AOL ACS) - America Online, Inc. - C:\PROGRA~1\COMMON~1\AOL\ACS\acsd.exe
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\SYSTEM32\ati2sgag.exe
O23 - Service: Background Intelligent Transfer Service (BITS) - Unknown owner - C:\WINDOWS\
O23 - Service: BrSplService (Brother XP spl Service) - brother Industries Ltd - C:\WINDOWS\System32\brsvc01a.exe
O23 - Service: McAfee E-mail Proxy (Emproxy) - McAfee, Inc. - C:\PROGRA~1\COMMON~1\McAfee\EmProxy\emproxy.exe
O23 - Service: getPlus® Helper - NOS Microsystems Ltd. - C:\Program Files\NOS\bin\getPlus_HelperSvc.exe
O23 - Service: Google Software Updater (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: McAfee Services (mcmscsvc) - McAfee, Inc. - C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
O23 - Service: McAfee Network Agent (McNASvc) - McAfee, Inc. - c:\program files\common files\mcafee\mna\mcnasvc.exe
O23 - Service: McAfee Scanner (McODS) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcods.exe
O23 - Service: McAfee Redirector Service (McRedirector) - McAfee, Inc. - c:\PROGRA~1\COMMON~1\mcafee\redirsvc\redirsvc.exe
O23 - Service: McAfee SystemGuards (McSysmon) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe
O23 - Service: McAfee Personal Firewall Service (MpfService) - McAfee, Inc. - C:\Program Files\McAfee\MPF\MPFSrv.exe
O23 - Service: Intel NCS NetService (NetSvc) - Intel® Corporation - C:\Program Files\Intel\NCS\Sync\NetSvc.exe
O23 - Service: WAN Miniport (ATW) Service (WANMiniportService) - America Online, Inc. - C:\WINDOWS\wanmpsvc.exe

--
End of file - 11186 bytes

#2 Buckeye_Sam (Malware Expert)

Posted 30 April 2009 - 12:44 PM

Hello!
My name is Sam and I will be helping you.

In order to see what's going on with your computer I'll ask for you to post various logs from the tools that we will use to resolve your issue. Please also share with me any information about how your computer is reacting and behaving each step of the way as we work through this process.


We need to create an OTListIt2 Report
  • Please download OTListIt2 from here
  • Save it to your desktop.
  • Double click on the icon on your desktop.
  • Click the "Scan All Users" checkbox.
  • Push the "Run Scan" button.
  • The scan should take just a few minutes.
  • Copy the log that opens up and paste it back here in your next reply.

If I have helped you in any way, please consider a donation to help me continue the fight against malware.


Failing to respond back to the person that is giving up their own time to help you not only is insensitive and disrespectful, but it guarantees that you will never receive help from me again. Please thank your helpers and there will always be help here when you need it!


========================================================

#3 MayGyver (Topic Starter)

Posted 30 April 2009 - 02:43 PM

When I downloaded the program and tried to run it I got an error message: "Access violation at address 004045B4 in module 'OTListIt2.exe'. Read of address 00000000."

Also, whenever I reboot my computer I get messages from Spybot about certain changes and whether I want to accept or deny them.

#4 MayGyver (Topic Starter)

Posted 30 April 2009 - 02:46 PM

Edit: Duplicate post.

Edited by MayGyver, 30 April 2009 - 02:46 PM.


#5 Buckeye_Sam (Malware Expert)

Posted 30 April 2009 - 04:00 PM

Please download ComboFix from one of these locations:

Link 1
Link 2
Link 3

Important!
You should NOT use Combofix unless you have been instructed to do so by a Malware Removal Expert.
It is intended by its creator to be used under the guidance and supervision of a Malware Removal Expert, not for private use.
Using this tool incorrectly could lead to disastrous problems with your operating system such as preventing it from ever starting again.



Make sure that you save ComboFix.exe to your Desktop
  • Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools.

  • Double click on ComboFix.exe & follow the prompts.

  • As part of its process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.

  • Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.
**Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue its malware removal procedures.




Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:

[screenshot]


Click on Yes, to continue scanning for malware.

When finished, it shall produce a log for you. Please include the C:\ComboFix.txt in your next reply.

#6 MayGyver (Topic Starter)

Posted 30 April 2009 - 04:41 PM

ComboFix 09-04-30.02 - Alex May 04/30/2009 17:21.4 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.1023.675 [GMT -4:00]
Running from: c:\documents and settings\Alex May\Desktop\ComboFix.exe
AV: McAfee VirusScan *On-access scanning disabled* (Outdated)
FW: McAfee Personal Firewall *enabled*
* Created a new restore point
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\windows\system32\kjsdiowq8oikf.dll
c:\windows\system32\ntos.exe
c:\windows\system32\sohuvigo.exe
c:\windows\system32\wsnpoem
c:\windows\system32\wsnpoem\audio.dll
c:\windows\system32\wsnpoem\video.dll
c:\windows\Temp\1176276160.exe
c:\windows\Temp\1208423664.exe
c:\windows\Temp\1228572688.exe
c:\windows\Temp\1230814702.exe
c:\windows\Temp\127729632.exe
c:\windows\Temp\1310015288.exe
c:\windows\Temp\1344183038.exe
c:\windows\Temp\1363252962.exe
c:\windows\Temp\1432108344.exe
c:\windows\Temp\151585080.exe
c:\windows\Temp\1554201400.exe
c:\windows\Temp\15705608.exe
c:\windows\Temp\1586526986.exe
c:\windows\Temp\1688158518.exe
c:\windows\Temp\1709197622.exe
c:\windows\Temp\1759975292.exe
c:\windows\Temp\1767162792.exe
c:\windows\Temp\1831290678.exe
c:\windows\Temp\1853212966.exe
c:\windows\Temp\2011330740.exe
c:\windows\Temp\2037071994.exe
c:\windows\Temp\2040814570.exe
c:\windows\Temp\2468038508.exe
c:\windows\Temp\2590538552.exe
c:\windows\Temp\2618409080.exe
c:\windows\Temp\2629346580.exe
c:\windows\Temp\268165612.exe
c:\windows\Temp\2712787858.exe
c:\windows\Temp\273834386.exe
c:\windows\Temp\29492024.exe
c:\windows\Temp\2956548598.exe
c:\windows\Temp\2989877136.exe
c:\windows\Temp\3044873556.exe
c:\windows\Temp\306581302.exe
c:\windows\Temp\3130251442.exe
c:\windows\Temp\318002136.exe
c:\windows\Temp\3321181584.exe
c:\windows\Temp\3442784146.exe
c:\windows\Temp\3497166504.exe
c:\windows\Temp\3749611924.exe
c:\windows\Temp\3774306650.exe
c:\windows\Temp\3871061816.exe
c:\windows\Temp\4166588594.exe
c:\windows\Temp\445251376.exe
c:\windows\Temp\550767414.exe
c:\windows\Temp\8768934.exe
c:\windows\Temp\926399640.exe

.
((((((((((((((((((((((((( Files Created from 2009-03-28 to 2009-04-30 )))))))))))))))))))))))))))))))
.

2009-04-28 19:14 . 2009-04-28 19:14 -------- d-----w c:\documents and settings\LocalService\Local Settings\Application Data\Last.fm
2009-04-23 01:29 . 2009-04-23 01:29 -------- d-----w C:\McAfee
2009-04-23 01:29 . 2009-04-23 01:29 -------- d-----w C:\SiteAdvisor
2009-04-23 01:27 . 2009-04-23 01:27 -------- d-----w c:\documents and settings\LocalService\Application Data\ATI
2009-04-23 01:27 . 2009-04-23 01:27 -------- d-----w c:\documents and settings\LocalService\Local Settings\Application Data\ATI
2009-04-23 01:27 . 2009-04-23 01:27 -------- d-----w c:\documents and settings\LocalService\Application Data\Sonic
2009-04-21 18:40 . 2009-04-27 02:59 -------- d-----w c:\windows\system32\config\systemprofile\Application Data\SiteAdvisor
2009-04-21 14:42 . 2009-04-21 14:42 -------- d-----w c:\documents and settings\Alex May\Local Settings\Application Data\{B7013AC7-05E4-4EA0-85F1-3B9D6B880123}
2009-04-21 13:58 . 2009-04-21 13:58 -------- d-----w c:\documents and settings\Alex May\Application Data\Malwarebytes
2009-04-21 13:56 . 2009-04-06 19:32 15504 ----a-w c:\windows\system32\drivers\mbam.sys
2009-04-21 13:56 . 2009-04-06 19:32 38496 ----a-w c:\windows\system32\drivers\mbamswissarmy.sys
2009-04-21 13:56 . 2009-04-21 13:56 -------- d-----w c:\documents and settings\All Users\Application Data\Malwarebytes
2009-04-21 13:56 . 2009-04-21 13:57 -------- d-----w c:\program files\Malwarebytes' Anti-Malware
2009-04-21 04:25 . 2009-04-30 21:26 92156 ----a-w c:\windows\system32\drivers\e1141f2e.sys
2009-04-21 04:25 . 2009-04-21 04:25 213376 ----a-w c:\windows\system32\dllcache\ndis.sys
2009-04-16 06:03 . 2009-03-06 14:44 283648 ------w c:\windows\system32\dllcache\pdh.dll
2009-04-16 06:03 . 2005-07-26 04:39 60416 ------w c:\windows\system32\dllcache\colbact.dll
2009-04-16 06:03 . 2009-02-06 16:54 35328 ------w c:\windows\system32\dllcache\sc.exe
2009-04-16 06:03 . 2009-02-09 10:20 399360 ------w c:\windows\system32\dllcache\rpcss.dll
2009-04-16 06:03 . 2009-02-06 17:14 110592 ------w c:\windows\system32\dllcache\services.exe
2009-04-16 06:03 . 2009-02-09 10:20 473088 ------w c:\windows\system32\dllcache\fastprox.dll
2009-04-16 06:03 . 2009-02-06 16:39 227840 ------w c:\windows\system32\dllcache\wmiprvse.exe
2009-04-16 06:03 . 2009-02-09 10:20 453120 ------w c:\windows\system32\dllcache\wmiprvsd.dll
2009-04-16 06:03 . 2009-02-09 10:20 616960 ------w c:\windows\system32\dllcache\advapi32.dll
2009-04-16 06:03 . 2009-02-09 10:20 714752 ------w c:\windows\system32\dllcache\ntdll.dll
2009-04-16 06:02 . 2008-04-21 10:02 215552 ------w c:\windows\system32\dllcache\wordpad.exe

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-04-29 21:14 . 2009-04-29 21:13 38 ----a-w C:\37.tmp
2009-04-29 21:13 . 2009-04-29 21:13 0 ----a-w C:\36.tmp
2009-04-29 21:13 . 2009-04-29 21:13 0 ----a-w C:\35.tmp
2009-04-29 21:13 . 2009-04-29 21:13 0 ----a-w C:\33.tmp
2009-04-29 21:13 . 2009-04-29 21:13 0 ----a-w C:\32.tmp
2009-04-29 21:13 . 2009-04-29 21:13 0 ----a-w C:\31.tmp
2009-04-29 21:13 . 2009-04-29 21:13 0 ----a-w C:\27.tmp
2009-04-29 21:13 . 2009-04-29 21:13 0 ----a-w C:\24.tmp
2009-04-29 21:13 . 2009-04-29 21:13 34349 ----a-w C:\22.tmp
2009-04-29 21:13 . 2009-04-29 21:13 0 ----a-w C:\23.tmp
2009-04-29 21:13 . 2009-04-29 21:13 54784 ----a-w C:\21.tmp
2009-04-29 18:45 . 2009-04-29 18:45 38 ----a-w C:\30.tmp
2009-04-29 18:45 . 2009-04-29 18:45 0 ----a-w C:\2F.tmp
2009-04-29 18:45 . 2009-04-29 18:45 0 ----a-w C:\2E.tmp
2009-04-29 18:44 . 2009-04-29 18:44 0 ----a-w C:\2D.tmp
2009-04-29 18:44 . 2009-04-29 18:44 0 ----a-w C:\28.tmp
2009-04-29 18:44 . 2009-04-29 18:44 0 ----a-w C:\26.tmp
2009-04-29 18:44 . 2009-04-29 18:44 0 ----a-w C:\20.tmp
2009-04-29 18:44 . 2009-04-29 18:44 0 ----a-w C:\1B.tmp
2009-04-29 18:44 . 2009-04-29 18:44 0 ----a-w C:\1A.tmp
2009-04-29 18:44 . 2009-04-29 18:44 33849 ----a-w C:\15.tmp
2009-04-29 18:44 . 2009-04-29 18:44 54784 ----a-w C:\F.tmp
2009-04-28 19:14 . 2009-04-28 19:14 38 ----a-w C:\19.tmp
2009-04-28 19:14 . 2009-04-28 19:14 0 ----a-w C:\18.tmp
2009-04-28 19:14 . 2009-04-28 19:14 0 ----a-w C:\17.tmp
2009-04-28 19:14 . 2009-04-28 19:14 0 ----a-w C:\16.tmp
2009-04-28 19:14 . 2009-04-28 19:14 0 ----a-w C:\14.tmp
2009-04-28 19:14 . 2009-04-28 19:14 0 ----a-w C:\E.tmp
2009-04-28 19:14 . 2009-04-28 19:14 0 ----a-w C:\D.tmp
2009-04-28 19:14 . 2009-04-28 19:14 0 ----a-w C:\A.tmp
2009-04-28 19:14 . 2009-04-28 19:14 0 ----a-w C:\9.tmp
2009-04-28 19:14 . 2009-04-28 19:13 34215 ----a-w C:\8.tmp
2009-04-28 19:13 . 2009-04-28 19:13 54784 ----a-w C:\7.tmp
2009-04-23 01:26 . 2009-04-23 01:26 38 ----a-w C:\60.tmp
2009-04-23 01:26 . 2009-04-23 01:26 38 ----a-w C:\4D.tmp
2009-04-23 01:26 . 2009-04-23 01:26 52736 ----a-w C:\4C.tmp
2009-04-23 00:24 . 2009-04-23 00:24 38 ----a-w C:\49.tmp
2009-04-23 00:24 . 2009-04-23 00:24 38 ----a-w C:\40.tmp
2009-04-23 00:24 . 2009-04-23 00:24 52736 ----a-w C:\2B.tmp
2009-04-23 00:24 . 2009-04-23 00:24 21504 ----a-w C:\2.tmp
2009-04-23 00:06 . 2009-04-23 00:05 38 ----a-w C:\3F.tmp
2009-04-23 00:05 . 2009-04-23 00:05 38 ----a-w C:\2C.tmp
2009-04-23 00:05 . 2009-04-23 00:05 52736 ----a-w C:\2A.tmp
2009-04-23 00:05 . 2009-04-23 00:05 21504 ----a-w C:\29.tmp
2009-04-22 23:01 . 2009-04-22 23:01 38 ----a-w C:\25.tmp
2009-04-22 23:01 . 2009-04-22 23:01 38 ----a-w C:\1F.tmp
2009-04-22 23:01 . 2009-04-22 23:01 52736 ----a-w C:\1E.tmp
2009-04-22 23:01 . 2009-04-22 23:01 21504 ----a-w C:\13.tmp
2009-04-22 01:09 . 2009-04-22 01:09 38 ----a-w C:\1D.tmp
2009-04-22 01:09 . 2009-04-22 01:09 38 ----a-w C:\12.tmp
2009-04-22 01:08 . 2009-04-22 01:08 52736 ----a-w C:\11.tmp
2009-04-22 01:08 . 2009-04-22 01:08 21504 ----a-w C:\B.tmp
2009-04-21 20:26 . 2009-04-21 20:26 38 ----a-w C:\10.tmp
2009-04-21 20:26 . 2009-04-21 20:26 38 ----a-w C:\5.tmp
2009-04-21 20:26 . 2009-04-21 20:26 52736 ----a-w C:\4.tmp
2009-04-21 20:26 . 2009-04-21 20:26 21504 ----a-w C:\3.tmp
2009-04-21 19:05 . 2009-04-21 19:05 38 ----a-w C:\3D.tmp
2009-04-21 19:05 . 2009-04-21 19:05 38 ----a-w C:\34.tmp
2009-04-21 19:05 . 2009-04-21 19:05 52736 ----a-w C:\1C.tmp
2009-04-21 19:05 . 2009-04-21 19:05 21504 ----a-w C:\C.tmp
2009-04-21 04:26 . 2009-04-21 04:26 38 ----a-w C:\FF7.tmp
2009-04-21 04:26 . 2009-04-21 04:26 38 ----a-w C:\FF4.tmp
2009-04-21 04:26 . 2009-04-21 04:26 52736 ----a-w C:\FF3.tmp
2009-04-21 04:26 . 2009-04-21 04:26 21504 ----a-w C:\FF2.tmp
2009-04-21 04:25 . 2002-08-29 11:00 213376 ----a-w c:\windows\system32\drivers\ndis.sys
2009-04-21 04:24 . 2009-01-21 04:24 354842 --sha-w c:\windows\system32\zuworaju.exe
2009-04-21 04:23 . 2002-08-29 11:00 14336 ----a-w c:\windows\system32\svchost.exe
2009-04-18 03:21 . 2003-11-27 08:00 -------- d-----w c:\program files\Steam
2009-04-13 19:49 . 2003-11-27 01:19 -------- d-----w c:\program files\AIM
2009-03-29 01:44 . 2009-02-26 02:06 87698 ----a-w c:\windows\War3Unin.dat
2009-03-10 19:26 . 2003-11-26 23:21 49408 ----a-w c:\documents and settings\Andrew May\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2009-03-06 14:44 . 2002-08-29 11:00 283648 ----a-w c:\windows\system32\pdh.dll
2009-02-26 02:15 . 2009-02-26 02:06 2829 ----a-w c:\windows\War3Unin.pif
2009-02-26 02:15 . 2009-02-26 02:06 139264 ----a-w c:\windows\War3Unin.exe
2009-02-20 08:30 . 2004-08-04 07:56 81920 ------w c:\windows\system32\ieencode.dll
2009-02-20 08:30 . 2004-02-06 22:05 659456 ----a-w c:\windows\system32\wininet.dll
2009-02-18 16:01 . 2003-11-27 01:03 49408 ----a-w c:\documents and settings\Alex May\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2009-02-18 01:15 . 2003-11-28 22:01 49408 ----a-w c:\documents and settings\Holly May\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2009-02-09 10:20 . 2004-04-23 03:09 399360 ----a-w c:\windows\system32\rpcss.dll
2009-02-09 10:20 . 2002-08-29 11:00 723456 ----a-w c:\windows\system32\lsasrv.dll
2009-02-09 10:20 . 2002-08-29 11:00 714752 ----a-w c:\windows\system32\ntdll.dll
2009-02-09 10:20 . 2002-08-29 11:00 616960 ----a-w c:\windows\system32\advapi32.dll
2009-02-09 10:19 . 2002-08-29 11:00 1846272 ----a-w c:\windows\system32\win32k.sys
2009-02-06 23:52 . 2009-02-06 23:52 49504 ----a-w c:\windows\system32\sirenacm.dll
2009-02-06 17:24 . 1980-01-01 06:00 2180480 ----a-w c:\windows\system32\ntoskrnl.exe
2009-02-06 17:14 . 2002-08-29 11:00 110592 ----a-w c:\windows\system32\services.exe
2009-02-06 16:54 . 2002-08-29 11:00 35328 ----a-w c:\windows\system32\sc.exe
2009-02-06 16:49 . 1980-01-01 06:00 2057728 ----a-w c:\windows\system32\ntkrnlpa.exe
2009-02-03 20:08 . 2002-08-29 11:00 55808 ----a-w c:\windows\system32\secur32.dll
2009-01-21 04:18 . 2009-01-21 04:18 48640 --sha-w c:\windows\SYSTEM32\bakolife.dll.tmp
2009-01-21 04:18 . 2009-01-21 04:18 48640 --sha-w c:\windows\SYSTEM32\rifaheje.dll.tmp
2009-01-21 04:18 . 2009-01-21 04:18 48640 --sha-w c:\windows\SYSTEM32\tepohohu.dll.tmp
.

------- Sigcheck -------

[7] 2003-03-06 16:30 162432 09B38768036508B51564201AFB000950 c:\windows\$NtServicePackUninstall$\ndis.sys
[7] 2004-08-04 06:14 182912 558635D3AF1C7546D26067D5D9B6959E c:\windows\ServicePackFiles\i386\ndis.sys
[-] 2008-04-13 19:20 182656 1DF7F42665C94B825322FAE71721130D c:\windows\SoftwareDistribution\Download\e9500597a78495f397efb821e37bf356\ndis.sys
[-] 2009-04-21 04:25 213376 3D748D850B1C17C357C54BBFD4835F27 c:\windows\SYSTEM32\DLLCACHE\ndis.sys
[-] 2009-04-21 04:25 213376 3D748D850B1C17C357C54BBFD4835F27 c:\windows\SYSTEM32\DRIVERS\ndis.sys
.
((((((((((((((((((((((((((((( SnapShot@2009-04-23_00.54.30 )))))))))))))))))))))))))))))))))))))))))
.
+ 2009-04-30 21:17 . 2009-04-30 21:17 16384 c:\windows\Temp\Perflib_Perfdata_7f4.dat
+ 2002-08-29 11:00 . 2002-08-29 11:00 19429 c:\windows\SYSTEM32\MsDtc\Trace\MSDTCVTR.BAT
+ 2009-04-29 04:55 . 2009-04-29 23:20 32768 c:\windows\SYSTEM32\CONFIG\systemprofile\Local Settings\History\History.IE5\MSHist012009042920090430\index.dat
+ 2009-04-28 19:34 . 2009-04-29 00:17 32768 c:\windows\SYSTEM32\CONFIG\systemprofile\Local Settings\History\History.IE5\MSHist012009042820090429\index.dat
+ 2009-04-28 19:34 . 2009-04-28 19:34 32768 c:\windows\SYSTEM32\CONFIG\systemprofile\Local Settings\History\History.IE5\MSHist012009042020090427\index.dat
+ 2002-09-03 08:08 . 2009-04-30 21:13 49152 c:\windows\SYSTEM32\CONFIG\systemprofile\Local Settings\History\History.IE5\INDEX.DAT
- 2002-09-03 08:08 . 2009-04-23 00:52 32768 c:\windows\SYSTEM32\CONFIG\systemprofile\Cookies\INDEX.DAT
+ 2002-09-03 08:08 . 2009-04-30 21:13 32768 c:\windows\SYSTEM32\CONFIG\systemprofile\Cookies\INDEX.DAT
+ 2009-04-23 01:32 . 2009-04-23 01:32 8192 c:\windows\SDFIX\ERUNT\SDFIX\Users\00000002\UsrClass.dat
+ 2002-09-03 08:08 . 2009-04-30 21:13 212992 c:\windows\SYSTEM32\CONFIG\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\INDEX.DAT
- 2007-12-01 05:55 . 2007-11-30 23:37 163328 c:\windows\SDFIX\ERUNT\SDFIX\ERDNT.EXE
+ 2009-04-23 01:32 . 2007-11-30 22:37 163328 c:\windows\SDFIX\ERUNT\SDFIX\ERDNT.EXE
+ 2009-04-23 01:32 . 2009-04-23 01:32 3813376 c:\windows\SDFIX\ERUNT\SDFIX\Users\00000001\NTUSER.DAT
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"AIM"="c:\program files\AIM\aim.exe" [2005-08-05 67160]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2004-08-04 15360]
"SUPERAntiSpyware"="c:\program files\SUPERAntiSpyware\SUPERAntiSpyware.exe" [2009-01-07 1830128]
"msnmsgr"="c:\program files\Windows Live\Messenger\msnmsgr.exe" [2009-02-06 3885408]
"SpybotSD TeaTimer"="f:\program files b\Spybot - Search & Destroy\TeaTimer.exe" [2008-09-16 1833296]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"UserFaultCheck"="c:\windows\system32\dumprep 0 -u" [X]
"dla"="c:\windows\system32\dla\tfswctrl.exe" [2003-08-06 114741]
"DVDSentry"="c:\windows\System32\DSentry.exe" [2003-08-13 28672]
"PCMService"="c:\program files\Dell\Media Experience\PCMService.exe" [2003-08-27 204800]
"UpdateManager"="c:\program files\Common Files\Sonic\Update Manager\sgtray.exe" [2003-08-19 110592]
"TkBellExe"="c:\program files\Common Files\Real\Update_OB\realsched.exe" [2003-11-22 151597]
"SSBkgdUpdate"="c:\program files\Common Files\Scansoft Shared\SSBkgdUpdate\SSBkgdupdate.exe" [2003-10-14 155648]
"PaperPort PTD"="c:\program files\Scansoft\PaperPort\pptd40nt.exe" [2005-03-17 57393]
"IndexSearch"="c:\program files\Scansoft\PaperPort\IndexSearch.exe" [2005-03-17 40960]
"BrMfcWnd"="c:\program files\Brother\Brmfcmon\BrMfcWnd.exe" [2006-03-28 622592]
"SetDefPrt"="c:\program files\Brother\Brmfl06a\BrStDvPt.exe" [2005-01-26 49152]
"ControlCenter3"="c:\program files\Brother\ControlCenter3\brctrcen.exe" [2006-04-10 61440]
"ANIWZCS2Service"="c:\program files\ANI\ANIWZCS2 Service\WZCSLDR2.exe" [2004-12-16 49152]
"SiteAdvisor"="c:\program files\SiteAdvisor\6172\SiteAdv.exe" [2007-02-09 36904]
"DAEMON Tools"="f:\program files b\Daemon Tools\daemon.exe" [2005-12-10 133016]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2007-04-27 282624]
"mcagent_exe"="c:\program files\McAfee.com\Agent\mcagent.exe" [2007-11-01 582992]
"dscactivate"="c:\program files\Dell Support Center\gs_agent\custom\dsca.exe" [2007-11-15 16384]
"Adobe Reader Speed Launcher"="f:\program files b\Adobe\Reader\Reader_sl.exe" [2008-06-12 34672]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2007-06-28 270648]
"ATICCC"="c:\program files\ATI Technologies\ATI.ACE\cli.exe" [2006-01-02 45056]
"BCMSMMSG"="BCMSMMSG.exe" - c:\windows\BCMSMMSG.exe [2003-08-29 122880]
"Logitech Utility"="Logi_MwX.Exe" - c:\windows\LOGI_MWX.EXE [2003-05-16 19968]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
Last.fm Helper.lnk - f:\program files b\Last.fm\LastFMHelper.exe [2007-7-9 65536]
SmartUI.lnk - c:\program files\Scansoft\PaperPort\SmartUI\SmartUI.exe [2006-9-17 1646592]

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "c:\program files\SUPERAntiSpyware\SASSEH.DLL" [2008-05-27 77824]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
2009-01-07 04:12 356352 ----a-w c:\program files\SUPERAntiSpyware\SASWINLO.DLL

[HKLM\~\startupfolder\C:^Documents and Settings^Alex May^Start Menu^Programs^Startup^Cool - Auto Update.lnk]
path=c:\documents and settings\Alex May\Start Menu\Programs\Startup\Cool - Auto Update.lnk
backup=c:\windows\pss\Cool - Auto Update.lnkStartup

[HKLM\~\startupfolder\C:^Documents and Settings^Alex May^Start Menu^Programs^Startup^TA_Start.lnk]
path=c:\documents and settings\Alex May\Start Menu\Programs\Startup\TA_Start.lnk
backup=c:\windows\pss\TA_Start.lnkStartup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^America Online 9.0 Tray Icon.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\America Online 9.0 Tray Icon.lnk
backup=c:\windows\pss\America Online 9.0 Tray Icon.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^AutoCAD Startup Accelerator.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\AutoCAD Startup Accelerator.lnk
backup=c:\windows\pss\AutoCAD Startup Accelerator.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Service Manager.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Service Manager.lnk
backup=c:\windows\pss\Service Manager.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"MDM"=2 (0x2)
"IDriverT"=3 (0x3)
"DSBrokerService"=3 (0x3)
"Bonjour Service"=2 (0x2)
"Autodesk Licensing Service"=3 (0x3)
"SiteAdvisor Service"=2 (0x2)
"usnjsvc"=3 (0x3)

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"c:\\Program Files\\AIM\\aim.exe"=
"f:\\Program Files B\\Last.fm\\LastFM.exe"=
"c:\\Program Files\\Steam\\SteamApps\\short12stuff0615@excite.com\\counter-strike\\hl.exe"=
"c:\\Program Files\\Mozilla Firefox\\firefox.exe"=
"f:\\Program Files B\\World of Warcraft\\BackgroundDownloader.exe"=
"f:\\Program Files B\\mIRC\\mirc.exe"=
"f:\\Program Files B\\Bitcomet\\BitComet.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"f:\\Program Files B\\World of Warcraft\\WoW-3.0.8.9464-to-3.0.8.9506-enUS-downloader.exe"=
"f:\\Program Files B\\World of Warcraft\\WoW-3.0.8.9506-to-3.0.9.9551-enUS-downloader.exe"=
"f:\\Program Files B\\World of Warcraft\\Launcher.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\wlcsdk.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=
"c:\\Program Files\\Steam\\SteamApps\\short12stuff0615@excite.com\\codename gordon\\cg.exe"=
"c:\\Program Files\\Steam\\SteamApps\\common\\medieval ii total war demo\\medieval2.exe"=
"c:\\Program Files\\Common Files\\McAfee\\MNA\\McNASvc.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"18944:TCP"= 18944:TCP:BitComet 18944 TCP
"18944:UDP"= 18944:UDP:BitComet 18944 UDP
"7000:TCP"= 7000:TCP:Blizzard Downloader: 7000
"3724:TCP"= 3724:TCP:Blizzard Downloader: 3724
"15508:TCP"= 15508:TCP:BitComet 15508 TCP
"15508:UDP"= 15508:UDP:BitComet 15508 UDP

R3 Aloolp2dluis;Aloolp2dluis; [x]
R3 getPlus® Helper;getPlus® Helper;c:\program files\NOS\bin\getPlus_HelperSvc.exe [2008-08-29 33752]
R3 SASENUM;SASENUM;c:\program files\SUPERAntiSpyware\SASENUM.SYS [2006-02-16 4096]
S1 SASDIFSV;SASDIFSV;c:\program files\SUPERAntiSpyware\SASDIFSV.SYS [2008-05-27 8944]
S1 SASKUTIL;SASKUTIL;c:\program files\SUPERAntiSpyware\SASKUTIL.sys [2008-05-27 55024]
S3 A3AB;D-Link AirPro 802.11a/b Wireless Adapter Service(A3AB);c:\windows\system32\DRIVERS\A3AB.sys [2005-03-22 450400]


[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\G]
\Shell\AutoRun\command - G:\Madden08.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{94e263a6-5514-11dc-84ad-0013467955f6}]
\Shell\AutoRun\command - H:\Installer.exe
.
Contents of the 'Scheduled Tasks' folder

2009-04-28 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2006-10-10 22:13]

2009-04-30 c:\windows\Tasks\Google Software Updater.job
- c:\program files\Google\Common\Google Updater\GoogleUpdaterService.exe [2009-02-02 23:44]

2009-04-15 c:\windows\Tasks\McDefragTask.job
- c:\program files\mcafee\mqc\QcConsol.exe [2007-03-03 17:32]

2009-04-01 c:\windows\Tasks\McQcTask.job
- c:\program files\mcafee\mqc\QcConsol.exe [2007-03-03 17:32]
.
- - - - ORPHANS REMOVED - - - -

BHO-{b2ba40a2-74f0-42bd-f434-12345a2c8953} - c:\windows\system32\kjsdiowq8oikf.dll
HKU-Default-Run-Windows Resurections - c:\windows\TEMP\hnf84mg1e.exe
HKU-Default-Run-Diagnostic Manager - c:\windows\TEMP\1586526986.exe
SharedTaskScheduler-{B2BA40A2-74F0-42BD-F434-12345A2C8953} - c:\windows\system32\kjsdiowq8oikf.dll


.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.osu.edu/
uInternet Connection Wizard,ShellNext = hxxp://www.dell.com/
uInternet Settings,ProxyOverride = *.local
uSearchURL,(Default) = hxxp://www.google.com/keyword/%s
IE: &D&ownload &with BitComet - f:\program files b\Bitcomet\BitComet.exe/AddLink.htm
IE: &D&ownload all video with BitComet - f:\program files b\Bitcomet\BitComet.exe/AddVideo.htm
IE: &D&ownload all with BitComet - f:\program files b\Bitcomet\BitComet.exe/AddAllLink.htm
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~4\OFFICE11\EXCEL.EXE/3000
LSP: xfire_lsp_9425.dll
Trusted Zone: internet
Trusted Zone: mcafee.com
FF - ProfilePath - c:\documents and settings\Alex May\Application Data\Mozilla\Firefox\Profiles\tlop0npp.default\
FF - prefs.js: browser.search.selectedEngine - Google
FF - prefs.js: browser.startup.homepage - hxxp://www.osu.edu/
FF - plugin: c:\program files\Google\Google Updater\2.4.1536.6592\npCIDetect13.dll
FF - plugin: c:\program files\Java\j2re1.4.2\bin\NPJava11.dll
FF - plugin: c:\program files\Java\j2re1.4.2\bin\NPJava12.dll
FF - plugin: c:\program files\Java\j2re1.4.2\bin\NPJava13.dll
FF - plugin: c:\program files\Java\j2re1.4.2\bin\NPJava14.dll
FF - plugin: c:\program files\Java\j2re1.4.2\bin\NPJava32.dll
FF - plugin: c:\program files\Java\j2re1.4.2\bin\NPJPI142.dll
FF - plugin: c:\program files\Java\j2re1.4.2\bin\NPOJI610.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npitunes.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npmozax.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npunagi2.dll
FF - plugin: c:\program files\Viewpoint\Viewpoint Experience Technology\npViewpoint.dll
FF - plugin: f:\program files b\Adobe\Reader\browser\nppdf32.dll
FF - plugin: f:\program files b\Divx\DivX Player\npDivxPlayerPlugin.dll
FF - plugin: f:\program files b\Divx\DivX Web Player\npdivx32.dll
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-04-30 17:26
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...


c:\windows\system32\ntos.exe 339968 bytes executable


**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_USERS\s-1-5-21-3678623677-686160755-3649480313-1009\Software\SecuROM\!CAUTION! NEVER A OR CHANGE ANY KEY*]
@Allowed: (Read) (RestrictedCode)
@Allowed: (Read) (RestrictedCode)

[HKEY_LOCAL_MACHINE\software\Microsoft\Windows\CurrentVersion\System*]
"OODEFRAG08.00.00.01WORKSTATION"="A31F863C38FEFE32B4FB823AE50E55B6D25C92F208266F22335A1E89AEA1A1D80EA52174465519BA7665FA82FC5FFE55CB6DDA353B43186039C3A769A7D408923FF38ACD40F7973F59317B2F7E2990C8A5CFE68B0F5B28DDA88860821AA6F78E1888E50413428A2ABDDAABDF29D1756E5F1C0A9C3502820CC37CE5A0C4F56DF33D17B626AF0128F64A949C0A3EB4BB3BC120FB61DE413175142CB6616D198981170768988BF54ABB67C13F7704A117B5D5DB5928C112DE36E1D43839DAD7FEBC9E127BECC74CFEBC9E127BECC74CFEBC9E127BECC74CFEBC9E127BECC74CFEBC9E127BECC74CFEBC9E127BECC74C8EDD5E5BE2F6E667A9C6AECB7A5D1407BA7FD869164D67945D575E7D6A3B98083FAC1D03597BA9A036C5B226292D46677D4A754E57CC93F4F3138871D9ED79BBBB382DC24062E828670C3C362AE9610336F03A54422689375FF270E156E5515666401E50F63BB0FA0FE23905AD65E4744ED3386D390ACD405D5CF1E4E6394FD6CBC69162704D4ECD325D0B086F8D2E3C643AB26DE128EFFDC5EA56CABA7CD4BA9A5EEDE803B014C776A4DA6A911E2250B804B2DAC58487D3925324986397C870A4ADDC85EB545985A9F5120B97AB2719302005F2D3F72A1660D72908D8C8135B62EFCD8B49F9F917BB1FE07B691C2AF2D11538A25AACF60FF2577604F29F22D1ED75F1861F3752804007B903542B1AB0CD7B228F11A40D7E2EBDE0AC7181679E06213F33D475C639EDA4541B8866EA94F2815911103190931E0D03D8F7A7D9020EE9700435723D2E22042CF31A32935B37673B31D57AAB77EE5CB80F8B1EF02D0C5A039CEF40A0BE5CC500EE81C3112EB282E731C27E0BC173D6A28C95C52CC92C92B9D798C4DEBE409ED2A31B266231A23E42841D0A5E8121B727C1E6530CEF3CC61AC3A6B9EBF616566B5A27390B776715F3D00EC3DAB81254EE53B04F1731AFBCEE21762DBD22C9C8D593CA2E130B0898E77323A1385D049168990997D68E1ED0C565C400CEF26AE760828E8D05E82AEF4F7B4C6F34D9D8EAC1A0E9DB5800C0F0F1B938699E0AAC361F0CDDB0F1819C521DAC61CC100B96EC722A3322ACF0F6A209FCD4712E02684C69CA0AC66CBA518E0BFD1A2F8EC3E6BA33A926416B40C5FAE33F09F606651957D88DC5D20DEB5A86931B945CF84A180A0249E9672DBFD0A523C6222B2FB4DE96CC562C2B6FE373ACF76352719D589CA61D6389160F386562268DD41539E4FE5F6A5DB77B32E2F60DBCEA38DD4A1B096D8D89711FB3E3F1059540378CB65CDE19968C48C1799EE743A8F80F6556B697D19900F4AEC0710873DA40C6C03EF78C407E01A4D06DBF6A02C989859E18BF27D74FBFCA40DE84602BA22361B3EA8836
658F8E73CF3962470DED4A2DF7EEBF389C01F48DA33C34D43860B34A3A5AD0312DFCBB41B98D196BBE"
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(608)
c:\program files\SUPERAntiSpyware\SASWINLO.DLL
c:\windows\system32\Ati2evxx.dll

- - - - - - - > 'lsass.exe'(672)
c:\windows\system32\xfire_lsp_9425.dll
c:\program files\Common Files\Logitech\Scrolling\LgMsgHk.dll

- - - - - - - > 'explorer.exe'(4868)
c:\windows\system32\kjsdiowq8oikf.dll
c:\windows\system32\xfire_lsp_9425.dll
c:\program files\Bonjour\mdnsNSP.dll
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
c:\program files\SiteAdvisor\6172\saHook.dll
c:\program files\Common Files\Logitech\Scrolling\LgMsgHk.dll
.
Completion time: 2009-04-30 17:31
ComboFix-quarantined-files.txt 2009-04-30 21:30
ComboFix2.txt 2009-04-23 00:59

Pre-Run: 13,575,184,384 bytes free
Post-Run: 13,576,687,616 bytes free

Current=8 Default=8 Failed=7 LastKnownGood=9 Sets=1,2,3,7,8,9
404 --- E O F --- 2009-04-16 07:07

#7 Buckeye_Sam
  • Malware Expert
  • Members
  • 17,382 posts
  • Gender:Male
  • Location:Pickerington, Ohio

Posted 01 May 2009 - 10:46 AM

Please download the OTMoveIt3 by OldTimer.
  • Save it to your desktop.
  • Please click OTMoveIt3 and then click >> run.
  • Copy the lines in the codebox below to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose Copy):

    :Files
    C:\*.tmp
    
    :Commands
    [EmptyTemp]
  • Return to OTMoveIt3, right click in the "Paste Instructions for items to be Moved" window (under the yellow bar) and choose Paste.
  • Click the red Moveit! button.
  • Copy everything in the Results window (under the green bar) to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose copy), and paste it in your next reply.
  • Close OTMoveIt3
Note: If an item cannot be moved immediately you may be asked to reboot the machine to finish the move process. If you are asked to reboot the machine choose Yes. In this case, after the reboot, open Notepad (Start->All Programs->Accessories->Notepad), click File->Open, in the File Name box enter *.log and press the Enter key, navigate to the C:\_OTMoveIt\MovedFiles folder, and open the newest .log file present, and copy/paste the contents of that document back here in your next post.



===================


Copy and paste ALL the following text in the Quote box below into Notepad.
Click on File (in the menu at the top) > Save as... / Save as Type: 'All Files' / File name: CFScript, and save it to your desktop.

File::
c:\windows\system32\zuworaju.exe
c:\windows\SYSTEM32\bakolife.dll.tmp
c:\windows\SYSTEM32\rifaheje.dll.tmp
c:\windows\SYSTEM32\tepohohu.dll.tmp
c:\windows\system32\ntos.exe
c:\windows\system32\kjsdiowq8oikf.dll
Prior to running Combofix.exe you should disable your antivirus program.

Now drag then drop the CFScript file onto ComboFix.exe as seen in the image below.

[image: dragging CFScript onto ComboFix.exe]

This will start ComboFix again.
After reboot, (in case it asks to reboot), post the contents of Combofix.txt in your next reply.


=================



Download Dr.Web CureIt to the desktop:
ftp://ftp.drweb.com/pub/drweb/cureit/drweb-cureit.exe
  • Double-click the drweb-cureit.exe file and allow it to run the express scan
  • This will scan the files currently running in memory and when something is found, click the yes button when it asks you if you want to cure it. This is only a short scan.
  • Once the short scan has finished, mark the drives that you want to scan.
  • Select all drives. A red dot shows which drives have been chosen.
  • Click the green arrow at the right, and the scan will start.
  • Click 'Yes to all' if it asks if you want to cure/move the file.
  • When the scan has finished, in the menu, click File and choose Save report list
  • Save the report to your desktop. The report will be called DrWeb.csv
  • Close Dr.Web CureIt.
Please post the contents of the log from DrWeb in your next reply.
If I have helped you in any way, please consider a donation to help me continue the fight against malware.


Failing to respond back to the person that is giving up their own time to help you not only is insensitive and disrespectful, but it guarantees that you will never receive help from me again. Please thank your helpers and there will always be help here when you need it!


========================================================
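Picking the lines of the ComboFix log that belong in a CFScript (executables under a temp directory, a random-named DLL in system32, Security Center monitoring disabled, the firewall switched off, an AutoRun command on a removable drive) is done by eye in this thread. As an added example, not code from ComboFix, OTMoveIt or any poster here, the following Python script applies those same heuristics to a constructed excerpt in ComboFix's layout; the rule names, thresholds and the `looks_random` test are my assumptions, and a hit is a lead for a human to confirm, not a verdict.

```python
"""Heuristic triage of a ComboFix-style log excerpt (added example, not ComboFix code)."""
import re
from dataclasses import dataclass
from typing import List, Optional

# Constructed sample in ComboFix's report layout: registry sections, orphan list,
# and a "DLLs Loaded Under Running Processes" block.
SAMPLE_LOG = r"""
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2004-08-04 15360]

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeAntiVirus]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\G]
\Shell\AutoRun\command - G:\Madden08.exe

- - - - ORPHANS REMOVED - - - -
BHO-{b2ba40a2-74f0-42bd-f434-12345a2c8953} - c:\windows\system32\kjsdiowq8oikf.dll
HKU-Default-Run-Windows Resurections - c:\windows\TEMP\hnf84mg1e.exe

- - - - - - - > 'explorer.exe'(4868)
c:\windows\system32\kjsdiowq8oikf.dll
c:\windows\system32\WPDShServiceObj.dll
c:\program files\Bonjour\mdnsNSP.dll
"""


@dataclass(frozen=True)
class Finding:
    severity: str            # "high" or "medium"
    rule: str                # which heuristic fired
    context: Optional[str]   # registry key or process name the line appeared under
    line: str                # the offending log line, verbatim


_KEY_RE = re.compile(r"^\[(?P<key>[^\]]+)\]\s*$")                       # [HKEY_...] header
_PROC_RE = re.compile(r"^(?:- )+> '(?P<proc>[^']+)'\(\d+\)\s*$")         # - - - > 'x.exe'(pid)
_TEMP_EXE_RE = re.compile(r'\\temp\\[^\\\s"]+\.(?:exe|dll|sys|scr|com)\b', re.I)
_SYS32_DLL_RE = re.compile(r"\\system32\\(?P<stem>[a-z0-9]+)\.dll\s*$", re.I)


def looks_random(stem: str) -> bool:
    """Heuristic only (my assumption): a long alphanumeric stem with a digit wedged
    between letters, e.g. "kjsdiowq8oikf". Legitimate names occasionally match."""
    s = stem.lower()
    return len(s) >= 10 and re.search(r"[a-z]\d+[a-z]", s) is not None


def triage(report: str) -> List[Finding]:
    """Walk the report line by line, remembering which section each line sits under."""
    findings: List[Finding] = []
    context: Optional[str] = None
    for raw in report.splitlines():
        line = raw.rstrip()
        if not line:
            continue
        m = _KEY_RE.match(line)
        if m:
            context = m.group("key").lower()
            continue
        m = _PROC_RE.match(line)
        if m:
            context = m.group("proc").lower()
            continue
        if line.startswith("- - - -"):          # other banner, e.g. ORPHANS REMOVED
            context = None
            continue
        low = line.lower()
        if _TEMP_EXE_RE.search(line):
            findings.append(Finding("high", "executable under a temp directory", context, line))
        m = _SYS32_DLL_RE.search(line)
        if m and looks_random(m.group("stem")):
            findings.append(Finding("high", "random-looking DLL name in system32", context, line))
        if context and "security center\\monitoring" in context \
                and '"disablemonitoring"=dword:00000001' in low:
            findings.append(Finding("medium", "Security Center monitoring disabled", context, line))
        if context and context.endswith("firewallpolicy\\standardprofile") \
                and re.match(r'^"EnableFirewall"\s*=\s*0\b', line):
            findings.append(Finding("medium", "Windows Firewall disabled (standard profile)", context, line))
        if context and "\\mountpoints2\\" in context and "\\shell\\autorun\\command" in low:
            findings.append(Finding("medium", "AutoRun command registered for a drive", context, line))
    return findings


if __name__ == "__main__":
    # "high" sorts before "medium", so the most urgent leads print first.
    for f in sorted(triage(SAMPLE_LOG), key=lambda f: f.severity):
        where = f" (under {f.context})" if f.context else ""
        print(f"[{f.severity}] {f.rule}{where}: {f.line}")
```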

#8 MayGyver
  • Topic Starter
  • Members
  • 41 posts

Posted 01 May 2009 - 02:04 PM

Here is my OTMoveIt log:


========== FILES ==========
C:\10.tmp moved successfully.
C:\11.tmp moved successfully.
C:\12.tmp moved successfully.
C:\13.tmp moved successfully.
C:\14.tmp moved successfully.
C:\15.tmp moved successfully.
C:\16.tmp moved successfully.
C:\17.tmp moved successfully.
C:\18.tmp moved successfully.
C:\19.tmp moved successfully.
C:\1A.tmp moved successfully.
C:\1B.tmp moved successfully.
C:\1C.tmp moved successfully.
C:\1D.tmp moved successfully.
C:\1E.tmp moved successfully.
C:\1F.tmp moved successfully.
C:\2.tmp moved successfully.
C:\20.tmp moved successfully.
C:\21.tmp moved successfully.
C:\22.tmp moved successfully.
C:\23.tmp moved successfully.
C:\24.tmp moved successfully.
C:\25.tmp moved successfully.
C:\26.tmp moved successfully.
C:\27.tmp moved successfully.
C:\28.tmp moved successfully.
C:\29.tmp moved successfully.
C:\2A.tmp moved successfully.
C:\2B.tmp moved successfully.
C:\2C.tmp moved successfully.
C:\2D.tmp moved successfully.
C:\2E.tmp moved successfully.
C:\2F.tmp moved successfully.
C:\3.tmp moved successfully.
C:\30.tmp moved successfully.
C:\31.tmp moved successfully.
C:\32.tmp moved successfully.
C:\33.tmp moved successfully.
C:\34.tmp moved successfully.
C:\35.tmp moved successfully.
C:\36.tmp moved successfully.
C:\37.tmp moved successfully.
C:\38.tmp moved successfully.
C:\39.tmp moved successfully.
C:\3A.tmp moved successfully.
C:\3B.tmp moved successfully.
C:\3C.tmp moved successfully.
C:\3D.tmp moved successfully.
C:\3E.tmp moved successfully.
C:\3F.tmp moved successfully.
C:\4.tmp moved successfully.
C:\40.tmp moved successfully.
C:\41.tmp moved successfully.
C:\42.tmp moved successfully.
C:\43.tmp moved successfully.
C:\44.tmp moved successfully.
C:\45.tmp moved successfully.
C:\46.tmp moved successfully.
C:\47.tmp moved successfully.
C:\48.tmp moved successfully.
C:\49.tmp moved successfully.
C:\4A.tmp moved successfully.
C:\4B.tmp moved successfully.
C:\4C.tmp moved successfully.
C:\4D.tmp moved successfully.
C:\4E.tmp moved successfully.
C:\4F.tmp moved successfully.
C:\5.tmp moved successfully.
C:\50.tmp moved successfully.
C:\51.tmp moved successfully.
C:\52.tmp moved successfully.
C:\53.tmp moved successfully.
C:\54.tmp moved successfully.
C:\55.tmp moved successfully.
C:\56.tmp moved successfully.
C:\57.tmp moved successfully.
C:\58.tmp moved successfully.
C:\5A.tmp moved successfully.
C:\5B.tmp moved successfully.
C:\5C.tmp moved successfully.
C:\5D.tmp moved successfully.
C:\5E.tmp moved successfully.
C:\5F.tmp moved successfully.
C:\60.tmp moved successfully.
C:\7.tmp moved successfully.
C:\8.tmp moved successfully.
C:\9.tmp moved successfully.
C:\A.tmp moved successfully.
C:\B.tmp moved successfully.
C:\C.tmp moved successfully.
C:\D.tmp moved successfully.
C:\E.tmp moved successfully.
C:\F.tmp moved successfully.
C:\FF2.tmp moved successfully.
C:\FF3.tmp moved successfully.
C:\FF4.tmp moved successfully.
C:\FF7.tmp moved successfully.
========== COMMANDS ==========
File delete failed. C:\DOCUME~1\ALEXMA~1\LOCALS~1\Temp\1733194956.exe scheduled to be deleted on reboot.
File delete failed. C:\DOCUME~1\ALEXMA~1\LOCALS~1\Temp\etilqs_7uPuqZpgLQvhzNUUq0d0 scheduled to be deleted on reboot.
File delete failed. C:\DOCUME~1\ALEXMA~1\LOCALS~1\Temp\~DFCD45.tmp scheduled to be deleted on reboot.
User's Temp folder emptied.
User's Internet Explorer cache folder emptied.
File delete failed. C:\Documents and Settings\Alex May\Local Settings\Temporary Internet Files\Content.IE5\P9IK7GIF\results[1].%2CYT0z&q= scheduled to be deleted on reboot.
File delete failed. C:\Documents and Settings\Alex May\Local Settings\Temporary Internet Files\Content.IE5\K3CC1M1O\tracking_id[1].htm scheduled to be deleted on reboot.
File delete failed. C:\Documents and Settings\Alex May\Local Settings\Temporary Internet Files\Content.IE5\GJ9MW28M\Params[1].com&transactionID=3188061977836839705&city=NULL&st=NULL&bizcat=NULL&refine=NULL scheduled to be deleted on reboot.
File delete failed. C:\Documents and Settings\Alex May\Local Settings\Temporary Internet Files\Content.IE5\index.dat scheduled to be deleted on reboot.
User's Temporary Internet Files folder emptied.
Local Service Temp folder emptied.
File delete failed. C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\INDEX.DAT scheduled to be deleted on reboot.
Local Service Temporary Internet Files folder emptied.
Network Service Temp folder emptied.
File delete failed. C:\Documents and Settings\NetworkService\Local Settings\Temporary Internet Files\Content.IE5\index.dat scheduled to be deleted on reboot.
Network Service Temporary Internet Files folder emptied.
File delete failed. C:\WINDOWS\temp\2952649904.exe scheduled to be deleted on reboot.
File delete failed. C:\WINDOWS\temp\mcafee_kMxkRFosR18zVdF scheduled to be deleted on reboot.
File delete failed. C:\WINDOWS\temp\mcafee_ziKBmxQnGSOhQAY scheduled to be deleted on reboot.
File delete failed. C:\WINDOWS\temp\mcmsc_a980Eefoev9VFPa scheduled to be deleted on reboot.
File delete failed. C:\WINDOWS\temp\mcmsc_Ba0mknkUAHCecIP scheduled to be deleted on reboot.
File delete failed. C:\WINDOWS\temp\Perflib_Perfdata_7cc.dat scheduled to be deleted on reboot.
File delete failed. C:\WINDOWS\temp\rkktpw126.exe scheduled to be deleted on reboot.
File delete failed. C:\WINDOWS\temp\~DFCAF6.tmp scheduled to be deleted on reboot.
File delete failed. C:\WINDOWS\temp\~DFE01D.tmp scheduled to be deleted on reboot.
Windows Temp folder emptied.
Java cache emptied.
File delete failed. C:\Documents and Settings\Alex May\Local Settings\Application Data\Mozilla\Firefox\Profiles\tlop0npp.default\Cache\_CACHE_001_ scheduled to be deleted on reboot.
File delete failed. C:\Documents and Settings\Alex May\Local Settings\Application Data\Mozilla\Firefox\Profiles\tlop0npp.default\Cache\_CACHE_002_ scheduled to be deleted on reboot.
File delete failed. C:\Documents and Settings\Alex May\Local Settings\Application Data\Mozilla\Firefox\Profiles\tlop0npp.default\Cache\_CACHE_003_ scheduled to be deleted on reboot.
File delete failed. C:\Documents and Settings\Alex May\Local Settings\Application Data\Mozilla\Firefox\Profiles\tlop0npp.default\Cache\_CACHE_MAP_ scheduled to be deleted on reboot.
File delete failed. C:\Documents and Settings\Alex May\Local Settings\Application Data\Mozilla\Firefox\Profiles\tlop0npp.default\urlclassifier3.sqlite scheduled to be deleted on reboot.
File delete failed. C:\Documents and Settings\Alex May\Local Settings\Application Data\Mozilla\Firefox\Profiles\tlop0npp.default\XUL.mfl scheduled to be deleted on reboot.
FireFox cache emptied.
Temp folders emptied.

OTMoveIt3 by OldTimer - Version 1.0.11.0 log created on 05012009_142331

Files moved on Reboot...
C:\DOCUME~1\ALEXMA~1\LOCALS~1\Temp\1733194956.exe moved successfully.
File move failed. C:\DOCUME~1\ALEXMA~1\LOCALS~1\Temp\etilqs_7uPuqZpgLQvhzNUUq0d0 scheduled to be moved on reboot.
File move failed. C:\DOCUME~1\ALEXMA~1\LOCALS~1\Temp\~DFCD45.tmp scheduled to be moved on reboot.
File move failed. C:\Documents and Settings\Alex May\Local Settings\Temporary Internet Files\Content.IE5\P9IK7GIF\results[1].%2CYT0z&q= scheduled to be moved on reboot.
File move failed. C:\Documents and Settings\Alex May\Local Settings\Temporary Internet Files\Content.IE5\K3CC1M1O\tracking_id[1].htm scheduled to be moved on reboot.
File move failed. C:\Documents and Settings\Alex May\Local Settings\Temporary Internet Files\Content.IE5\GJ9MW28M\Params[1].com&transactionID=3188061977836839705&city=NULL&st=NULL&bizcat=NULL&refine=NULL scheduled to be moved on reboot.
C:\WINDOWS\temp\2952649904.exe moved successfully.
File move failed. C:\WINDOWS\temp\mcafee_kMxkRFosR18zVdF scheduled to be moved on reboot.
File move failed. C:\WINDOWS\temp\mcafee_ziKBmxQnGSOhQAY scheduled to be moved on reboot.
File move failed. C:\WINDOWS\temp\mcmsc_a980Eefoev9VFPa scheduled to be moved on reboot.
File move failed. C:\WINDOWS\temp\mcmsc_Ba0mknkUAHCecIP scheduled to be moved on reboot.
File move failed. C:\WINDOWS\temp\Perflib_Perfdata_7cc.dat scheduled to be moved on reboot.
C:\WINDOWS\temp\rkktpw126.exe moved successfully.
File move failed. C:\WINDOWS\temp\~DFCAF6.tmp scheduled to be moved on reboot.
File move failed. C:\WINDOWS\temp\~DFE01D.tmp scheduled to be moved on reboot.
File move failed. C:\Documents and Settings\Alex May\Local Settings\Application Data\Mozilla\Firefox\Profiles\tlop0npp.default\Cache\_CACHE_001_ scheduled to be moved on reboot.
File move failed. C:\Documents and Settings\Alex May\Local Settings\Application Data\Mozilla\Firefox\Profiles\tlop0npp.default\Cache\_CACHE_002_ scheduled to be moved on reboot.
File move failed. C:\Documents and Settings\Alex May\Local Settings\Application Data\Mozilla\Firefox\Profiles\tlop0npp.default\Cache\_CACHE_003_ scheduled to be moved on reboot.
File move failed. C:\Documents and Settings\Alex May\Local Settings\Application Data\Mozilla\Firefox\Profiles\tlop0npp.default\Cache\_CACHE_MAP_ scheduled to be moved on reboot.
File move failed. C:\Documents and Settings\Alex May\Local Settings\Application Data\Mozilla\Firefox\Profiles\tlop0npp.default\urlclassifier3.sqlite scheduled to be moved on reboot.
File move failed. C:\Documents and Settings\Alex May\Local Settings\Application Data\Mozilla\Firefox\Profiles\tlop0npp.default\XUL.mfl scheduled to be moved on reboot.




Here is my ComboFix log:


ComboFix 09-05-01.1 - Alex May 05/01/2009 14:41.4 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.1023.535 [GMT -4:00]
Running from: c:\documents and settings\Alex May\Desktop\ComboFix.exe
Command switches used :: c:\documents and settings\Alex May\Desktop\CFScript.txt
AV: McAfee VirusScan *On-access scanning disabled* (Updated)
FW: McAfee Personal Firewall *enabled*
* Created a new restore point

FILE ::
c:\windows\SYSTEM32\bakolife.dll.tmp
c:\windows\system32\kjsdiowq8oikf.dll
c:\windows\system32\ntos.exe
c:\windows\SYSTEM32\rifaheje.dll.tmp
c:\windows\SYSTEM32\tepohohu.dll.tmp
c:\windows\system32\zuworaju.exe
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\windows\SYSTEM32\bakolife.dll.tmp
c:\windows\system32\kjsdiowq8oikf.dll
c:\windows\system32\ntos.exe
c:\windows\SYSTEM32\rifaheje.dll.tmp
c:\windows\SYSTEM32\tepohohu.dll.tmp
c:\windows\system32\wsnpoem
c:\windows\system32\wsnpoem\audio.dll
c:\windows\system32\wsnpoem\video.dll
c:\windows\system32\zuworaju.exe
c:\windows\Temp\1888932608.exe

Infected copy of c:\windows\system32\drivers\ndis.sys was found and disinfected
Restored copy from - The cat ate it :thumbup2:

.
((((((((((((((((((((((((( Files Created from 2009-04-01 to 2009-05-01 )))))))))))))))))))))))))))))))
.

2009-05-01 18:23 . 2009-05-01 18:23 -------- d-----w C:\_OTMoveIt
2009-04-28 19:14 . 2009-04-28 19:14 -------- d-----w c:\documents and settings\LocalService\Local Settings\Application Data\Last.fm
2009-04-23 01:29 . 2009-04-23 01:29 -------- d-----w C:\McAfee
2009-04-23 01:29 . 2009-04-23 01:29 -------- d-----w C:\SiteAdvisor
2009-04-23 01:27 . 2009-04-23 01:27 -------- d-----w c:\documents and settings\LocalService\Application Data\ATI
2009-04-23 01:27 . 2009-04-23 01:27 -------- d-----w c:\documents and settings\LocalService\Local Settings\Application Data\ATI
2009-04-23 01:27 . 2009-04-23 01:27 -------- d-----w c:\documents and settings\LocalService\Application Data\Sonic
2009-04-21 18:40 . 2009-04-27 02:59 -------- d-----w c:\windows\system32\config\systemprofile\Application Data\SiteAdvisor
2009-04-21 14:42 . 2009-04-21 14:42 -------- d-----w c:\documents and settings\Alex May\Local Settings\Application Data\{B7013AC7-05E4-4EA0-85F1-3B9D6B880123}
2009-04-21 13:58 . 2009-04-21 13:58 -------- d-----w c:\documents and settings\Alex May\Application Data\Malwarebytes
2009-04-21 13:56 . 2009-04-06 19:32 15504 ----a-w c:\windows\system32\drivers\mbam.sys
2009-04-21 13:56 . 2009-04-06 19:32 38496 ----a-w c:\windows\system32\drivers\mbamswissarmy.sys
2009-04-21 13:56 . 2009-04-21 13:56 -------- d-----w c:\documents and settings\All Users\Application Data\Malwarebytes
2009-04-21 13:56 . 2009-04-21 13:57 -------- d-----w c:\program files\Malwarebytes' Anti-Malware
2009-04-21 04:25 . 2009-05-01 18:52 92156 ----a-w c:\windows\system32\drivers\e1141f2e.sys
2009-04-16 06:03 . 2009-03-06 14:44 283648 ------w c:\windows\system32\dllcache\pdh.dll
2009-04-16 06:03 . 2005-07-26 04:39 60416 ------w c:\windows\system32\dllcache\colbact.dll
2009-04-16 06:03 . 2009-02-06 16:54 35328 ------w c:\windows\system32\dllcache\sc.exe
2009-04-16 06:03 . 2009-02-09 10:20 399360 ------w c:\windows\system32\dllcache\rpcss.dll
2009-04-16 06:03 . 2009-02-06 17:14 110592 ------w c:\windows\system32\dllcache\services.exe
2009-04-16 06:03 . 2009-02-09 10:20 473088 ------w c:\windows\system32\dllcache\fastprox.dll
2009-04-16 06:03 . 2009-02-06 16:39 227840 ------w c:\windows\system32\dllcache\wmiprvse.exe
2009-04-16 06:03 . 2009-02-09 10:20 453120 ------w c:\windows\system32\dllcache\wmiprvsd.dll
2009-04-16 06:03 . 2009-02-09 10:20 616960 ------w c:\windows\system32\dllcache\advapi32.dll
2009-04-16 06:03 . 2009-02-09 10:20 714752 ------w c:\windows\system32\dllcache\ntdll.dll
2009-04-16 06:02 . 2008-04-21 10:02 215552 ------w c:\windows\system32\dllcache\wordpad.exe

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-05-01 18:40 . 2002-08-29 11:00 182912 ----a-w c:\windows\system32\drivers\ndis.sys
2009-05-01 18:30 . 2003-11-27 01:03 49408 ----a-w c:\documents and settings\Alex May\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2009-05-01 18:28 . 2009-05-01 18:28 0 ----a-w C:\C5.tmp
2009-05-01 18:28 . 2009-05-01 18:28 0 ----a-w C:\82.tmp
2009-05-01 18:28 . 2009-05-01 18:28 0 ----a-w C:\55.tmp
2009-05-01 18:27 . 2009-05-01 18:27 0 ----a-w C:\D.tmp
2009-05-01 18:27 . 2009-05-01 18:27 0 ----a-w C:\C.tmp
2009-05-01 18:27 . 2009-05-01 18:27 0 ----a-w C:\B.tmp
2009-05-01 18:27 . 2009-05-01 18:27 0 ----a-w C:\A.tmp
2009-05-01 18:27 . 2009-05-01 18:27 0 ----a-w C:\9.tmp
2009-05-01 18:27 . 2009-05-01 18:27 0 ----a-w C:\8.tmp
2009-05-01 18:27 . 2009-05-01 18:27 0 ----a-w C:\7.tmp
2009-05-01 18:27 . 2009-05-01 18:27 0 ----a-w C:\6.tmp
2009-05-01 18:27 . 2009-05-01 18:27 33997 ----a-w C:\4.tmp
2009-05-01 18:27 . 2009-05-01 18:27 0 ----a-w C:\5.tmp
2009-05-01 18:27 . 2009-05-01 18:27 54784 ----a-w C:\3.tmp
2009-04-21 04:23 . 2002-08-29 11:00 14336 ----a-w c:\windows\system32\svchost.exe
2009-04-18 03:21 . 2003-11-27 08:00 -------- d-----w c:\program files\Steam
2009-04-13 19:49 . 2003-11-27 01:19 -------- d-----w c:\program files\AIM
2009-03-29 01:44 . 2009-02-26 02:06 87698 ----a-w c:\windows\War3Unin.dat
2009-03-10 19:26 . 2003-11-26 23:21 49408 ----a-w c:\documents and settings\Andrew May\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2009-03-06 14:44 . 2002-08-29 11:00 283648 ----a-w c:\windows\system32\pdh.dll
2009-02-26 02:15 . 2009-02-26 02:06 2829 ----a-w c:\windows\War3Unin.pif
2009-02-26 02:15 . 2009-02-26 02:06 139264 ----a-w c:\windows\War3Unin.exe
2009-02-20 08:30 . 2004-08-04 07:56 81920 ------w c:\windows\system32\ieencode.dll
2009-02-20 08:30 . 2004-02-06 22:05 659456 ----a-w c:\windows\system32\wininet.dll
2009-02-18 01:15 . 2003-11-28 22:01 49408 ----a-w c:\documents and settings\Holly May\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2009-02-09 10:20 . 2004-04-23 03:09 399360 ----a-w c:\windows\system32\rpcss.dll
2009-02-09 10:20 . 2002-08-29 11:00 723456 ----a-w c:\windows\system32\lsasrv.dll
2009-02-09 10:20 . 2002-08-29 11:00 714752 ----a-w c:\windows\system32\ntdll.dll
2009-02-09 10:20 . 2002-08-29 11:00 616960 ----a-w c:\windows\system32\advapi32.dll
2009-02-09 10:19 . 2002-08-29 11:00 1846272 ----a-w c:\windows\system32\win32k.sys
2009-02-06 23:52 . 2009-02-06 23:52 49504 ----a-w c:\windows\system32\sirenacm.dll
2009-02-06 17:24 . 1980-01-01 06:00 2180480 ----a-w c:\windows\system32\ntoskrnl.exe
2009-02-06 17:14 . 2002-08-29 11:00 110592 ----a-w c:\windows\system32\services.exe
2009-02-06 16:54 . 2002-08-29 11:00 35328 ----a-w c:\windows\system32\sc.exe
2009-02-06 16:49 . 1980-01-01 06:00 2057728 ----a-w c:\windows\system32\ntkrnlpa.exe
2009-02-03 20:08 . 2002-08-29 11:00 55808 ----a-w c:\windows\system32\secur32.dll
.

((((((((((((((((((((((((((((( SnapShot@2009-04-23_00.54.30 )))))))))))))))))))))))))))))))))))))))))
.
+ 2009-05-01 18:47 . 2009-05-01 18:47 16384 c:\windows\Temp\Perflib_Perfdata_7b8.dat
+ 2002-08-29 11:00 . 2002-08-29 11:00 19429 c:\windows\SYSTEM32\MsDtc\Trace\MSDTCVTR.BAT
+ 2009-05-01 04:49 . 2009-05-01 16:55 32768 c:\windows\SYSTEM32\CONFIG\systemprofile\Local Settings\History\History.IE5\MSHist012009050120090502\index.dat
+ 2009-04-30 22:13 . 2009-05-01 03:55 32768 c:\windows\SYSTEM32\CONFIG\systemprofile\Local Settings\History\History.IE5\MSHist012009043020090501\index.dat
+ 2009-04-29 04:55 . 2009-04-29 23:20 32768 c:\windows\SYSTEM32\CONFIG\systemprofile\Local Settings\History\History.IE5\MSHist012009042920090430\index.dat
+ 2009-04-28 19:34 . 2009-04-29 00:17 32768 c:\windows\SYSTEM32\CONFIG\systemprofile\Local Settings\History\History.IE5\MSHist012009042820090429\index.dat
+ 2009-04-28 19:34 . 2009-04-28 19:34 32768 c:\windows\SYSTEM32\CONFIG\systemprofile\Local Settings\History\History.IE5\MSHist012009042020090427\index.dat
+ 2002-09-03 08:08 . 2009-05-01 18:40 49152 c:\windows\SYSTEM32\CONFIG\systemprofile\Local Settings\History\History.IE5\INDEX.DAT
+ 2002-09-03 08:08 . 2009-05-01 18:40 32768 c:\windows\SYSTEM32\CONFIG\systemprofile\Cookies\INDEX.DAT
- 2002-09-03 08:08 . 2009-04-23 00:52 32768 c:\windows\SYSTEM32\CONFIG\systemprofile\Cookies\INDEX.DAT
+ 2009-04-23 01:32 . 2009-04-23 01:32 8192 c:\windows\SDFIX\ERUNT\SDFIX\Users\00000002\UsrClass.dat
+ 2002-08-29 11:00 . 2004-08-04 06:14 182912 c:\windows\SYSTEM32\DLLCACHE\ndis.sys
+ 2002-09-03 08:08 . 2009-05-01 18:40 212992 c:\windows\SYSTEM32\CONFIG\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\INDEX.DAT
- 2007-12-01 05:55 . 2007-11-30 23:37 163328 c:\windows\SDFIX\ERUNT\SDFIX\ERDNT.EXE
+ 2009-04-23 01:32 . 2007-11-30 22:37 163328 c:\windows\SDFIX\ERUNT\SDFIX\ERDNT.EXE
- 2002-09-03 15:05 . 2009-03-12 13:04 1486200 c:\windows\SYSTEM32\FNTCACHE.DAT
+ 2002-09-03 15:05 . 2009-05-01 18:27 1486200 c:\windows\SYSTEM32\FNTCACHE.DAT
+ 2009-04-23 01:32 . 2009-04-23 01:32 3813376 c:\windows\SDFIX\ERUNT\SDFIX\Users\00000001\NTUSER.DAT
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"AIM"="c:\program files\AIM\aim.exe" [2005-08-05 67160]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2004-08-04 15360]
"SUPERAntiSpyware"="c:\program files\SUPERAntiSpyware\SUPERAntiSpyware.exe" [2009-01-07 1830128]
"msnmsgr"="c:\program files\Windows Live\Messenger\msnmsgr.exe" [2009-02-06 3885408]
"SpybotSD TeaTimer"="f:\program files b\Spybot - Search & Destroy\TeaTimer.exe" [2008-09-16 1833296]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"UserFaultCheck"="c:\windows\system32\dumprep 0 -u" [X]
"dla"="c:\windows\system32\dla\tfswctrl.exe" [2003-08-06 114741]
"DVDSentry"="c:\windows\System32\DSentry.exe" [2003-08-13 28672]
"PCMService"="c:\program files\Dell\Media Experience\PCMService.exe" [2003-08-27 204800]
"UpdateManager"="c:\program files\Common Files\Sonic\Update Manager\sgtray.exe" [2003-08-19 110592]
"TkBellExe"="c:\program files\Common Files\Real\Update_OB\realsched.exe" [2003-11-22 151597]
"SSBkgdUpdate"="c:\program files\Common Files\Scansoft Shared\SSBkgdUpdate\SSBkgdupdate.exe" [2003-10-14 155648]
"PaperPort PTD"="c:\program files\Scansoft\PaperPort\pptd40nt.exe" [2005-03-17 57393]
"IndexSearch"="c:\program files\Scansoft\PaperPort\IndexSearch.exe" [2005-03-17 40960]
"BrMfcWnd"="c:\program files\Brother\Brmfcmon\BrMfcWnd.exe" [2006-03-28 622592]
"SetDefPrt"="c:\program files\Brother\Brmfl06a\BrStDvPt.exe" [2005-01-26 49152]
"ControlCenter3"="c:\program files\Brother\ControlCenter3\brctrcen.exe" [2006-04-10 61440]
"ANIWZCS2Service"="c:\program files\ANI\ANIWZCS2 Service\WZCSLDR2.exe" [2004-12-16 49152]
"SiteAdvisor"="c:\program files\SiteAdvisor\6172\SiteAdv.exe" [2007-02-09 36904]
"DAEMON Tools"="f:\program files b\Daemon Tools\daemon.exe" [2005-12-10 133016]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2007-04-27 282624]
"mcagent_exe"="c:\program files\McAfee.com\Agent\mcagent.exe" [2007-11-01 582992]
"dscactivate"="c:\program files\Dell Support Center\gs_agent\custom\dsca.exe" [2007-11-15 16384]
"Adobe Reader Speed Launcher"="f:\program files b\Adobe\Reader\Reader_sl.exe" [2008-06-12 34672]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2007-06-28 270648]
"ATICCC"="c:\program files\ATI Technologies\ATI.ACE\cli.exe" [2006-01-02 45056]
"BCMSMMSG"="BCMSMMSG.exe" - c:\windows\BCMSMMSG.exe [2003-08-29 122880]
"Logitech Utility"="Logi_MwX.Exe" - c:\windows\LOGI_MWX.EXE [2003-05-16 19968]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"Windows Resurections"="c:\windows\TEMP\c2v8weibyp.exe" [BU]
"Diagnostic Manager"="c:\windows\TEMP\1888932608.exe" [BU]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
Last.fm Helper.lnk - f:\program files b\Last.fm\LastFMHelper.exe [2007-7-9 65536]
SmartUI.lnk - c:\program files\Scansoft\PaperPort\SmartUI\SmartUI.exe [2006-9-17 1646592]

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "c:\program files\SUPERAntiSpyware\SASSEH.DLL" [2008-05-27 77824]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
2009-01-07 04:12 356352 ----a-w c:\program files\SUPERAntiSpyware\SASWINLO.DLL

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\procexp90.sys]
@=""

[HKLM\~\startupfolder\C:^Documents and Settings^Alex May^Start Menu^Programs^Startup^Cool - Auto Update.lnk]
path=c:\documents and settings\Alex May\Start Menu\Programs\Startup\Cool - Auto Update.lnk
backup=c:\windows\pss\Cool - Auto Update.lnkStartup

[HKLM\~\startupfolder\C:^Documents and Settings^Alex May^Start Menu^Programs^Startup^TA_Start.lnk]
path=c:\documents and settings\Alex May\Start Menu\Programs\Startup\TA_Start.lnk
backup=c:\windows\pss\TA_Start.lnkStartup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^America Online 9.0 Tray Icon.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\America Online 9.0 Tray Icon.lnk
backup=c:\windows\pss\America Online 9.0 Tray Icon.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^AutoCAD Startup Accelerator.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\AutoCAD Startup Accelerator.lnk
backup=c:\windows\pss\AutoCAD Startup Accelerator.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Service Manager.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Service Manager.lnk
backup=c:\windows\pss\Service Manager.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"MDM"=2 (0x2)
"IDriverT"=3 (0x3)
"DSBrokerService"=3 (0x3)
"Bonjour Service"=2 (0x2)
"Autodesk Licensing Service"=3 (0x3)
"SiteAdvisor Service"=2 (0x2)
"usnjsvc"=3 (0x3)

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"c:\\Program Files\\AIM\\aim.exe"=
"f:\\Program Files B\\Last.fm\\LastFM.exe"=
"c:\\Program Files\\Steam\\SteamApps\\short12stuff0615@excite.com\\counter-strike\\hl.exe"=
"c:\\Program Files\\Mozilla Firefox\\firefox.exe"=
"f:\\Program Files B\\World of Warcraft\\BackgroundDownloader.exe"=
"f:\\Program Files B\\mIRC\\mirc.exe"=
"f:\\Program Files B\\Bitcomet\\BitComet.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"f:\\Program Files B\\World of Warcraft\\WoW-3.0.8.9464-to-3.0.8.9506-enUS-downloader.exe"=
"f:\\Program Files B\\World of Warcraft\\WoW-3.0.8.9506-to-3.0.9.9551-enUS-downloader.exe"=
"f:\\Program Files B\\World of Warcraft\\Launcher.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\wlcsdk.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=
"c:\\Program Files\\Steam\\SteamApps\\short12stuff0615@excite.com\\codename gordon\\cg.exe"=
"c:\\Program Files\\Steam\\SteamApps\\common\\medieval ii total war demo\\medieval2.exe"=
"c:\\Program Files\\Common Files\\McAfee\\MNA\\McNASvc.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"18944:TCP"= 18944:TCP:BitComet 18944 TCP
"18944:UDP"= 18944:UDP:BitComet 18944 UDP
"7000:TCP"= 7000:TCP:Blizzard Downloader: 7000
"3724:TCP"= 3724:TCP:Blizzard Downloader: 3724
"15508:TCP"= 15508:TCP:BitComet 15508 TCP
"15508:UDP"= 15508:UDP:BitComet 15508 UDP

R3 Aloolp2dluis;Aloolp2dluis; [x]
R3 getPlus® Helper;getPlus® Helper;c:\program files\NOS\bin\getPlus_HelperSvc.exe [2008-08-29 33752]
S1 SASDIFSV;SASDIFSV;c:\program files\SUPERAntiSpyware\SASDIFSV.SYS [2008-05-27 8944]
S1 SASKUTIL;SASKUTIL;c:\program files\SUPERAntiSpyware\SASKUTIL.sys [2008-05-27 55024]
S3 A3AB;D-Link AirPro 802.11a/b Wireless Adapter Service(A3AB);c:\windows\system32\DRIVERS\A3AB.sys [2005-03-22 450400]
S3 SASENUM;SASENUM;c:\program files\SUPERAntiSpyware\SASENUM.SYS [2006-02-16 4096]


[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\G]
\Shell\AutoRun\command - G:\Madden08.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{94e263a6-5514-11dc-84ad-0013467955f6}]
\Shell\AutoRun\command - H:\Installer.exe
.
Contents of the 'Scheduled Tasks' folder

2009-04-28 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2006-10-10 22:13]

2009-05-01 c:\windows\Tasks\Google Software Updater.job
- c:\program files\Google\Common\Google Updater\GoogleUpdaterService.exe [2009-02-02 23:44]

2009-04-15 c:\windows\Tasks\McDefragTask.job
- c:\program files\mcafee\mqc\QcConsol.exe [2007-03-03 17:32]

2009-05-01 c:\windows\Tasks\McQcTask.job
- c:\program files\mcafee\mqc\QcConsol.exe [2007-03-03 17:32]
.
- - - - ORPHANS REMOVED - - - -

BHO-{b2ba40a2-74f0-42bd-f434-12345a2c8953} - (no file)


.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.osu.edu/
uInternet Connection Wizard,ShellNext = hxxp://www.dell.com/
uInternet Settings,ProxyOverride = *.local
uSearchURL,(Default) = hxxp://www.google.com/keyword/%s
IE: &D&ownload &with BitComet - f:\program files b\Bitcomet\BitComet.exe/AddLink.htm
IE: &D&ownload all video with BitComet - f:\program files b\Bitcomet\BitComet.exe/AddVideo.htm
IE: &D&ownload all with BitComet - f:\program files b\Bitcomet\BitComet.exe/AddAllLink.htm
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~4\OFFICE11\EXCEL.EXE/3000
LSP: xfire_lsp_9425.dll
Trusted Zone: internet
Trusted Zone: mcafee.com
FF - ProfilePath - c:\documents and settings\Alex May\Application Data\Mozilla\Firefox\Profiles\tlop0npp.default\
FF - prefs.js: browser.search.selectedEngine - Google
FF - prefs.js: browser.startup.homepage - hxxp://www.osu.edu/
FF - plugin: c:\program files\Google\Google Updater\2.4.1536.6592\npCIDetect13.dll
FF - plugin: c:\program files\Java\j2re1.4.2\bin\NPJava11.dll
FF - plugin: c:\program files\Java\j2re1.4.2\bin\NPJava12.dll
FF - plugin: c:\program files\Java\j2re1.4.2\bin\NPJava13.dll
FF - plugin: c:\program files\Java\j2re1.4.2\bin\NPJava14.dll
FF - plugin: c:\program files\Java\j2re1.4.2\bin\NPJava32.dll
FF - plugin: c:\program files\Java\j2re1.4.2\bin\NPJPI142.dll
FF - plugin: c:\program files\Java\j2re1.4.2\bin\NPOJI610.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npitunes.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npmozax.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npunagi2.dll
FF - plugin: c:\program files\Viewpoint\Viewpoint Experience Technology\npViewpoint.dll
FF - plugin: f:\program files b\Adobe\Reader\browser\nppdf32.dll
FF - plugin: f:\program files b\Divx\DivX Player\npDivxPlayerPlugin.dll
FF - plugin: f:\program files b\Divx\DivX Web Player\npdivx32.dll
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-05-01 14:48
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_USERS\s-1-5-21-3678623677-686160755-3649480313-1009\Software\SecuROM\!CAUTION! NEVER A OR CHANGE ANY KEY*]
@Allowed: (Read) (RestrictedCode)
@Allowed: (Read) (RestrictedCode)

[HKEY_LOCAL_MACHINE\software\Microsoft\Windows\CurrentVersion\System*]
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(600)
c:\program files\SUPERAntiSpyware\SASWINLO.DLL
c:\windows\system32\Ati2evxx.dll

- - - - - - - > 'lsass.exe'(660)
c:\windows\system32\xfire_lsp_9425.dll

- - - - - - - > 'explorer.exe'(4620)
c:\program files\SiteAdvisor\6172\saHook.dll
c:\program files\Logitech\MouseWare\System\LgWndHk.dll
c:\program files\Common Files\Logitech\Scrolling\LgMsgHk.dll
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
------------------------ Other Running Processes ------------------------
.
c:\windows\SYSTEM32\ati2evxx.exe
c:\windows\SYSTEM32\BRSS01A.EXE
c:\progra~1\COMMON~1\AOL\ACS\acsd.exe
c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
c:\progra~1\McAfee\MSC\mcmscsvc.exe
c:\program files\Common Files\McAfee\MNA\McNASvc.exe
c:\progra~1\COMMON~1\McAfee\RedirSvc\RedirSvc.exe
c:\program files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
f:\program files b\Sony Vegas 6\Media Manager\MSSQL$SONY_MEDIAMGR\Binn\sqlservr.exe
c:\windows\wanmpsvc.exe
c:\windows\SYSTEM32\MsPMSPSv.exe
c:\windows\SYSTEM32\ati2evxx.exe
c:\progra~1\McAfee.com\Agent\mcagent.exe
c:\windows\SYSTEM32\wscntfy.exe
c:\progra~1\COMMON~1\McAfee\EmProxy\emproxy.exe
c:\program files\Brother\ControlCenter3\BrccMCtl.exe
c:\program files\Logitech\MouseWare\system\EM_EXEC.EXE
c:\program files\Brother\Brmfcmon\BrMfcMon.exe
c:\progra~1\McAfee\VIRUSS~1\mcvsshld.exe
c:\program files\McAfee\MPF\MpfSrv.exe
c:\progra~1\McAfee\MSC\mcuimgr.exe
c:\program files\iPod\bin\iPodService.exe
.
**************************************************************************
.
Completion time: 2009-05-01 15:00 - machine was rebooted
ComboFix-quarantined-files.txt 2009-05-01 19:00
ComboFix2.txt 2009-04-30 21:31
ComboFix3.txt 2009-04-23 00:59

Pre-Run: 13,530,984,448 bytes free
Post-Run: 13,526,290,432 bytes free

Current=8 Default=8 Failed=7 LastKnownGood=9 Sets=1,2,3,7,8,9
343 --- E O F --- 2009-04-16 07:07



Will add the last one in an edit.
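The "Reg Loading Points" block in the ComboFix log above is where a helper looks first: autoruns that launch from a Temp directory, entries ComboFix could not stamp with a date and size, and settings that turn Security Center monitoring or the Windows Firewall off. The script below is an added example (not part of this thread, and not ComboFix code) that applies those three checks to a constructed sample in ComboFix's REGEDIT4-style layout; the regexes and the reading of the `[X]`/`[BU]` tags as "no date/size stamp" are my assumptions.

```python
"""Triage of a ComboFix 'Reg Loading Points' block (added example)."""
import re
from dataclasses import dataclass

# Constructed sample, laid out like the ComboFix section in the thread.
SAMPLE = r"""
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"UserFaultCheck"="c:\windows\system32\dumprep 0 -u" [X]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2007-04-27 282624]
"BCMSMMSG"="BCMSMMSG.exe" - c:\windows\BCMSMMSG.exe [2003-08-29 122880]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"Windows Resurections"="c:\windows\TEMP\c2v8weibyp.exe" [BU]
"Diagnostic Manager"="c:\windows\TEMP\1888932608.exe" [BU]

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeAntiVirus]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)
"""

# "name"="command" [tag]  or  "name"="exe" - resolved\path [tag]
ENTRY_RE = re.compile(
    r'^"(?P<name>[^"]+)"="(?P<cmd>[^"]*)"'
    r'(?:\s+-\s+(?P<resolved>.*?))?\s*\[(?P<tag>[^\]]*)\]\s*$'
)
# Plain "name"=value lines (security center / firewall settings)
SETTING_RE = re.compile(r'^"(?P<name>[^"]+)"=\s*(?P<val>.+?)\s*$')
# ComboFix stamps a located file as [YYYY-MM-DD size]; anything else is odd
DATE_TAG_RE = re.compile(r"^\d{4}-\d{2}-\d{2} \d+$")
TEMP_DIR_RE = re.compile(r"\\(temp|tmp)\\", re.IGNORECASE)


@dataclass
class Finding:
    key: str
    name: str
    value: str
    reason: str


def triage_loading_points(text: str) -> list[Finding]:
    """Walk the block and return every entry a helper would want to inspect."""
    findings: list[Finding] = []
    key = ""
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line == "REGEDIT4":
            continue
        if line.startswith("[") and line.endswith("]"):
            key = line[1:-1]          # new registry key header
            continue
        entry = ENTRY_RE.match(line)
        if entry:
            name = entry.group("name")
            path = entry.group("resolved") or entry.group("cmd")
            tag = entry.group("tag")
            if TEMP_DIR_RE.search(path):
                findings.append(Finding(key, name, path,
                                        "autorun launches from a Temp directory"))
            if not DATE_TAG_RE.match(tag):
                findings.append(Finding(key, name, path,
                                        f"no date/size stamp for the file (tag [{tag}])"))
            continue
        setting = SETTING_RE.match(line)
        if not setting:
            continue
        name, val = setting.group("name"), setting.group("val")
        if name == "DisableMonitoring" and val.endswith("1") \
                and "security center" in key.lower():
            findings.append(Finding(key, name, val,
                                    "Security Center monitoring disabled for this product"))
        if name == "EnableFirewall" and val.startswith("0"):
            findings.append(Finding(key, name, val,
                                    "Windows Firewall disabled for this profile"))
    return findings


if __name__ == "__main__":
    for f in triage_loading_points(SAMPLE):
        print(f"{f.reason}: {f.name} -> {f.value}  [{f.key}]")
```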

#9 MayGyver

MayGyver
  • Topic Starter

  • Members
  • 41 posts
  • OFFLINE
  • Local time:12:07 PM

Posted 01 May 2009 - 02:44 PM

Here is the Dr. Web log:

Updater.exe;F:\Program Files B\Madden 08;Trojan.DownLoader.origin;Deleted.;
mirc.exe;F:\Program Files B\mIRC;Program.mIRC.61;Deleted.;
3.tmp;C:\;Trojan.Proxy.2684;Deleted.;
ComboFix.exe/data002\32788R22FWJFW\FIND3M.bat;C:\Documents and Settings\Alex May\Desktop\ComboFix.exe/data002;Probably BATCH.Virus;;
ComboFix.exe/data002\32788R22FWJFW\psexec.cfexe;C:\Documents and Settings\Alex May\Desktop\ComboFix.exe/data002;Program.PsExec.171;;
data002;C:\Documents and Settings\Alex May\Desktop;Archive contains infected objects;;
ComboFix.exe;C:\Documents and Settings\Alex May\Desktop;Container contains infected objects;Deleted.;
SDFix.exe\SDFix\apps\Process.exe;C:\Documents and Settings\Alex May\Desktop\SDFix.exe;Tool.Prockill;;
SDFix.exe\SDFix\apps\HPFix.reg;C:\Documents and Settings\Alex May\Desktop\SDFix.exe;Trojan.StartPage.1505;;
SDFix.exe\SDFix\apps\HPFix2.reg;C:\Documents and Settings\Alex May\Desktop\SDFix.exe;Trojan.StartPage.1505;;
SDFix.exe;C:\Documents and Settings\Alex May\Desktop;Archive contains infected objects;;
inst.exe;C:\Documents and Settings\All Users\Application Data\AOL Downloads\triton_suite_install_2.2.56.1;Probably BACKDOOR.Trojan;;
inst.exe;C:\Documents and Settings\All Users\Application Data\AOL Downloads\triton_suite_install_6.0.28.3;Probably BACKDOOR.Trojan;;
ocpinst.exe\data529;C:\Documents and Settings\All Users\Application Data\AOL Downloads\triton_suite_install_6.0.28.3\ocpinst.exe;Probably BACKDOOR.Trojan;;
ocpinst.exe;C:\Documents and Settings\All Users\Application Data\AOL Downloads\triton_suite_install_6.0.28.3;Archive contains infected objects;;
RegUBP2b-Alex May.reg;C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Snapshots2;Trojan.StartPage.1505;Deleted.;
WxBug.EXE;C:\Program Files\AIM\Sysfiles;Adware.Aws;;
EarthLink Setup.msi/stream001\uninstll.exe;C:\Program Files\EarthLink Setup\Windows\access\EarthLink Setup.msi/stream001;Probably STPAGE.Trojan;;
stream001;C:\Program Files\EarthLink Setup\Windows\access;Archive contains infected objects;;
EarthLink Setup.msi;C:\Program Files\EarthLink Setup\Windows\access;Archive contains infected objects;;
Steam-down_full.exe\data153;C:\Program Files\New Steam\Steam-down_full.exe;Tool.Prockill;;
Steam-down_full.exe;C:\Program Files\New Steam;Container contains infected objects;;
backup-20081216-014401-658.dll;C:\Program Files\Trend Micro\HijackThis\backups;Program.PopcapLoader;;
pv.exe.vir;C:\Qoobox\Quarantine\C\Program Files\mm.bot\Config\System;Program.PrcView.3741;;
bakolife.dll.tmp.vir;C:\Qoobox\Quarantine\C\WINDOWS\system32;Trojan.Virtumod.1665;Deleted.;
ovfsthhlxqsbtdvjdpyldekbtinsgfyaiuarol.dll.vir;C:\Qoobox\Quarantine\C\WINDOWS\system32;BackDoor.Tdss.115;;
rifaheje.dll.tmp.vir;C:\Qoobox\Quarantine\C\WINDOWS\system32;Trojan.Virtumod.1665;Deleted.;
tepohohu.dll.tmp.vir;C:\Qoobox\Quarantine\C\WINDOWS\system32;Trojan.Virtumod.1665;Deleted.;
vetagama.dll.vir;C:\Qoobox\Quarantine\C\WINDOWS\system32;Trojan.Virtumod.1662;Deleted.;
weweyeme.dll.vir;C:\Qoobox\Quarantine\C\WINDOWS\system32;Trojan.Virtumod.1664;Deleted.;
ndis.sys.vir;C:\Qoobox\Quarantine\C\WINDOWS\system32\drivers;Trojan.NtRootKit.2670;Deleted.;
ovfsthtlsdufetxttwyttsdputynndiggvwwjk.sys.vir;C:\Qoobox\Quarantine\C\WINDOWS\system32\drivers;BackDoor.Tdss.115;Deleted.;
1176276160.exe.vir;C:\Qoobox\Quarantine\C\WINDOWS\Temp;Probably DLOADER.Trojan;;
1208423664.exe.vir;C:\Qoobox\Quarantine\C\WINDOWS\Temp;Probably DLOADER.Trojan;;
1228572688.exe.vir;C:\Qoobox\Quarantine\C\WINDOWS\Temp;Probably DLOADER.Trojan;;
1230814702.exe.vir;C:\Qoobox\Quarantine\C\WINDOWS\Temp;Probably DLOADER.Trojan;;
127729632.exe.vir;C:\Qoobox\Quarantine\C\WINDOWS\Temp;Probably DLOADER.Trojan;;
1310015288.exe.vir;C:\Qoobox\Quarantine\C\WINDOWS\Temp;Probably DLOADER.Trojan;;
1344183038.exe.vir;C:\Qoobox\Quarantine\C\WINDOWS\Temp;Probably DLOADER.Trojan;;
1363252962.exe.vir;C:\Qoobox\Quarantine\C\WINDOWS\Temp;Probably DLOADER.Trojan;;
1432108344.exe.vir;C:\Qoobox\Quarantine\C\WINDOWS\Temp;Probably DLOADER.Trojan;;
151585080.exe.vir;C:\Qoobox\Quarantine\C\WINDOWS\Temp;Probably DLOADER.Trojan;;
1554201400.exe.vir;C:\Qoobox\Quarantine\C\WINDOWS\Temp;Probably DLOADER.Trojan;;
15705608.exe.vir;C:\Qoobox\Quarantine\C\WINDOWS\Temp;Probably DLOADER.Trojan;;
1586526986.exe.vir;C:\Qoobox\Quarantine\C\WINDOWS\Temp;Probably DLOADER.Trojan;;
1688158518.exe.vir;C:\Qoobox\Quarantine\C\WINDOWS\Temp;Probably DLOADER.Trojan;;
1709197622.exe.vir;C:\Qoobox\Quarantine\C\WINDOWS\Temp;Probably DLOADER.Trojan;;
1759975292.exe.vir;C:\Qoobox\Quarantine\C\WINDOWS\Temp;Probably DLOADER.Trojan;;
1767162792.exe.vir;C:\Qoobox\Quarantine\C\WINDOWS\Temp;Probably DLOADER.Trojan;;
1831290678.exe.vir;C:\Qoobox\Quarantine\C\WINDOWS\Temp;Probably DLOADER.Trojan;;
1853212966.exe.vir;C:\Qoobox\Quarantine\C\WINDOWS\Temp;Probably DLOADER.Trojan;;
1888932608.exe.vir;C:\Qoobox\Quarantine\C\WINDOWS\Temp;Probably DLOADER.Trojan;;
2011330740.exe.vir;C:\Qoobox\Quarantine\C\WINDOWS\Temp;Probably DLOADER.Trojan;;
2037071994.exe.vir;C:\Qoobox\Quarantine\C\WINDOWS\Temp;Probably DLOADER.Trojan;;
2040814570.exe.vir;C:\Qoobox\Quarantine\C\WINDOWS\Temp;Probably DLOADER.Trojan;;
2468038508.exe.vir;C:\Qoobox\Quarantine\C\WINDOWS\Temp;Probably DLOADER.Trojan;;
2590538552.exe.vir;C:\Qoobox\Quarantine\C\WINDOWS\Temp;Probably DLOADER.Trojan;;
2629346580.exe.vir;C:\Qoobox\Quarantine\C\WINDOWS\Temp;Probably DLOADER.Trojan;;
268165612.exe.vir;C:\Qoobox\Quarantine\C\WINDOWS\Temp;Probably DLOADER.Trojan;;
2712787858.exe.vir;C:\Qoobox\Quarantine\C\WINDOWS\Temp;Probably DLOADER.Trojan;;
273834386.exe.vir;C:\Qoobox\Quarantine\C\WINDOWS\Temp;Probably DLOADER.Trojan;;
29492024.exe.vir;C:\Qoobox\Quarantine\C\WINDOWS\Temp;Probably DLOADER.Trojan;;
2956548598.exe.vir;C:\Qoobox\Quarantine\C\WINDOWS\Temp;Probably DLOADER.Trojan;;
2989877136.exe.vir;C:\Qoobox\Quarantine\C\WINDOWS\Temp;Probably DLOADER.Trojan;;
3044873556.exe.vir;C:\Qoobox\Quarantine\C\WINDOWS\Temp;Probably DLOADER.Trojan;;
306581302.exe.vir;C:\Qoobox\Quarantine\C\WINDOWS\Temp;Probably DLOADER.Trojan;;
3130251442.exe.vir;C:\Qoobox\Quarantine\C\WINDOWS\Temp;Probably DLOADER.Trojan;;
318002136.exe.vir;C:\Qoobox\Quarantine\C\WINDOWS\Temp;Probably DLOADER.Trojan;;
3321181584.exe.vir;C:\Qoobox\Quarantine\C\WINDOWS\Temp;Probably DLOADER.Trojan;;
3442784146.exe.vir;C:\Qoobox\Quarantine\C\WINDOWS\Temp;Probably DLOADER.Trojan;;
3497166504.exe.vir;C:\Qoobox\Quarantine\C\WINDOWS\Temp;Probably DLOADER.Trojan;;
3749611924.exe.vir;C:\Qoobox\Quarantine\C\WINDOWS\Temp;Probably DLOADER.Trojan;;
3774306650.exe.vir;C:\Qoobox\Quarantine\C\WINDOWS\Temp;Probably DLOADER.Trojan;;
3871061816.exe.vir;C:\Qoobox\Quarantine\C\WINDOWS\Temp;Probably DLOADER.Trojan;;
4166588594.exe.vir;C:\Qoobox\Quarantine\C\WINDOWS\Temp;Probably DLOADER.Trojan;;
445251376.exe.vir;C:\Qoobox\Quarantine\C\WINDOWS\Temp;Probably DLOADER.Trojan;;
550767414.exe.vir;C:\Qoobox\Quarantine\C\WINDOWS\Temp;Probably DLOADER.Trojan;;
8768934.exe.vir;C:\Qoobox\Quarantine\C\WINDOWS\Temp;Probably DLOADER.Trojan;;
926399640.exe.vir;C:\Qoobox\Quarantine\C\WINDOWS\Temp;Probably DLOADER.Trojan;;
HPFix.reg;C:\SDFix\apps;Trojan.StartPage.1505;Deleted.;
HPFix2.reg;C:\SDFix\apps;Trojan.StartPage.1505;Deleted.;
Process.exe;C:\SDFix\apps;Tool.Prockill;;
A0130022.sys;C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP420;BackDoor.Tdss.115;Deleted.;
A0130023.dll;C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP420;BackDoor.Tdss.115;;
A0130052.exe;C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP420;Program.PrcView.3741;;
A0130092.dll;C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP420;Trojan.Virtumod.1662;Deleted.;
A0130094.dll;C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP420;Trojan.Virtumod.1664;Deleted.;
A0130107.bat;C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP420;Probably BATCH.Virus;;
A0130110.EXE;C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP420;Program.PsExec.170;;
A0130248.reg;C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP420;Trojan.StartPage.1505;Deleted.;
A0130293.bat;C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP420;Probably BATCH.Virus;;
A0130359.exe;C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP420;Tool.Prockill;;
A0130389.reg;C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP420;Trojan.StartPage.1505;Deleted.;
A0130390.reg;C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP420;Trojan.StartPage.1505;Deleted.;
A0131531.exe;C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP420;Trojan.Proxy.2684;Deleted.;
A0131556.exe;C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP421;Trojan.Proxy.2684;Deleted.;
A0132611.exe/data002\32788R22FWJFW\c.bat;C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP422\A0132611.exe/data002;Probably BATCH.Virus;;
A0132611.exe/data002\32788R22FWJFW\psexec.cfexe;C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP422\A0132611.exe/data002;Program.PsExec.171;;
data002;C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP422;Archive contains infected objects;;
A0132611.exe;C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP422;Container contains infected objects;;
A0132613.exe/data002\32788R22FWJFW\FIND3M.bat;C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP422\A0132613.exe/data002;Probably BATCH.Virus;;
A0132613.exe/data002\32788R22FWJFW\psexec.cfexe;C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP422\A0132613.exe/data002;Program.PsExec.171;;
data002;C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP422;Archive contains infected objects;;
A0132613.exe;C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP422;Container contains infected objects;;
A0132639.bat;C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP422;Probably BATCH.Virus;;
A0132752.bat;C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP423;Probably BATCH.Virus;;
A0133744.reg;C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP423;Trojan.StartPage.1505;Deleted.;
A0134702.exe;C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP423;Trojan.Proxy.2684;Deleted.;
A0134729.exe;C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP423;Trojan.Proxy.2684;Deleted.;
A0134772.reg;C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP423;Trojan.StartPage.1505;Deleted.;
A0134794.exe/data002\32788R22FWJFW\FIND3M.bat;C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP423\A0134794.exe/data002;Probably BATCH.Virus;;
A0134794.exe/data002\32788R22FWJFW\psexec.cfexe;C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP423\A0134794.exe/data002;Program.PsExec.171;;
data002;C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP423;Archive contains infected objects;;
A0134794.exe;C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP423;Container contains infected objects;;
A0134817.bat;C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP423;Probably BATCH.Virus;;
A0134879.sys;C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP424;Trojan.NtRootKit.2670;Deleted.;
A0134882.sys;C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP424;Trojan.NtRootKit.2670;Deleted.;
A0134900.EXE;C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP424;Program.PsExec.170;;
A0134942.bat;C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP424;Probably BATCH.Virus;;
A0134978.reg;C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP424;Trojan.StartPage.1505;Deleted.;
A0134979.reg;C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP424;Trojan.StartPage.1505;Deleted.;
A0134980.reg;C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP424;Trojan.StartPage.1505;Deleted.;
21.tmp;C:\_OTMoveIt\MovedFiles\05012009_142331;Trojan.Proxy.2684;Deleted.;
39.tmp;C:\_OTMoveIt\MovedFiles\05012009_142331;Trojan.Proxy.2684;Deleted.;
5D.tmp;C:\_OTMoveIt\MovedFiles\05012009_142331;Trojan.Proxy.2684;Deleted.;
7.tmp;C:\_OTMoveIt\MovedFiles\05012009_142331;Trojan.Proxy.2684;Deleted.;
F.tmp;C:\_OTMoveIt\MovedFiles\05012009_142331;Trojan.Proxy.2684;Deleted.;
1733194956.exe;C:\_OTMoveIt\MovedFiles\05012009_142331\DOCUME~1\ALEXMA~1\LOCALS~1\Temp;Probably DLOADER.Trojan;;
2952649904.exe;C:\_OTMoveIt\MovedFiles\05012009_142331\WINDOWS\temp;Probably DLOADER.Trojan;;

Edited by MayGyver, 01 May 2009 - 08:51 PM.
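A Dr.Web log like the one above is read by separating what was actually deleted from what was merely reported, and live files from copies already sitting in quarantine, restore points or OTMoveIt's moved-files folder. The parser below is an added example (not part of the thread and not Dr.Web code) for that `file;directory;verdict;action;` layout; the sample records are constructed, and the list of "contained" directory prefixes is my assumption taken from the paths seen in this thread.

```python
"""Summarise a Dr.Web CureIt log (added example)."""
from collections import Counter
from dataclasses import dataclass

# Constructed sample in Dr.Web's 'file;directory;verdict;action;' layout.
SAMPLE_LOG = r"""
3.tmp;C:\;Trojan.Proxy.2684;Deleted.;
mirc.exe;F:\Program Files B\mIRC;Program.mIRC.61;Deleted.;
ndis.sys.vir;C:\Qoobox\Quarantine\C\WINDOWS\system32\drivers;Trojan.NtRootKit.2670;Deleted.;
A0130023.dll;C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP420;BackDoor.Tdss.115;;
1888932608.exe.vir;C:\Qoobox\Quarantine\C\WINDOWS\Temp;Probably DLOADER.Trojan;;
WxBug.EXE;C:\Program Files\AIM\Sysfiles;Adware.Aws;;
"""

# Directories holding copies that are already out of the running system.
# Assumption: prefixes taken from the paths that appear in this thread.
CONTAINED_PREFIXES = (
    "c:\\qoobox\\quarantine",
    "c:\\system volume information\\_restore",
    "c:\\_otmoveit\\movedfiles",
)


@dataclass
class Detection:
    name: str
    directory: str
    verdict: str
    action: str

    @property
    def handled(self) -> bool:
        """Dr.Web leaves the action field empty when it only reported."""
        return self.action != ""

    @property
    def contained(self) -> bool:
        """True when the file lives in quarantine / restore / moved-files."""
        d = self.directory.lower()
        return any(d.startswith(p) for p in CONTAINED_PREFIXES)


def parse_drweb_log(text: str) -> list[Detection]:
    """Turn each semicolon-separated record into a Detection."""
    out: list[Detection] = []
    for line in text.splitlines():
        if not line.strip():
            continue
        parts = line.split(";")
        if len(parts) < 4:
            continue  # not a detection record
        out.append(Detection(parts[0], parts[1], parts[2], parts[3].strip()))
    return out


def live_unhandled(dets: list[Detection]) -> list[Detection]:
    """Detections that were not deleted and are not in a contained location."""
    return [d for d in dets if not d.handled and not d.contained]


def verdict_counts(dets: list[Detection]) -> Counter:
    """How often each verdict string appears."""
    return Counter(d.verdict for d in dets)


if __name__ == "__main__":
    dets = parse_drweb_log(SAMPLE_LOG)
    for verdict, n in verdict_counts(dets).most_common():
        print(f"{n:3d}  {verdict}")
    print("still live and not handled:")
    for d in live_unhandled(dets):
        print(f"  {d.directory}\\{d.name}  ({d.verdict})")
```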


#10 Buckeye_Sam

Buckeye_Sam

    Malware Expert


  • Members
  • 17,382 posts
  • OFFLINE
  • Gender:Male
  • Location:Pickerington, Ohio
  • Local time:11:07 AM

Posted 02 May 2009 - 07:44 AM

Run this code through OTMoveIt just like you did before.

:Files
C:\*.tmp

:Commands
[EmptyTemp]




Please visit the online Jotti Virus Scanner
  • Click on Browse button.
  • Navigate to the following file and upload it.


    c:\windows\system32\drivers\ndis.sys


  • Click on the submit button.
    The scanner will check the file with various AV companies.
  • Copy and paste the results box into a reply to this thread.

If Jotti's too busy, try here:
Go here: http://www.virustotal.com/en/virustotalf.html



How is your computer behaving now?
If I have helped you in any way, please consider a donation to help me continue the fight against malware.


Failing to respond back to the person that is giving up their own time to help you not only is insensitive and disrespectful, but it guarantees that you will never receive help from me again. Please thank your helpers and there will always be help here when you need it!


========================================================

#11 MayGyver

MayGyver
  • Topic Starter

  • Members
  • 41 posts
  • OFFLINE
  • Local time:12:07 PM

Posted 02 May 2009 - 03:01 PM

A-Squared
Found nothing
AntiVir
Found nothing
ArcaVir
Found nothing
Avast
Found nothing
AVG Antivirus
Found nothing
BitDefender
Found nothing
ClamAV
Found nothing
CPsecure
Found nothing
Dr.Web
Found nothing
F-Prot Antivirus
Found nothing
F-Secure Anti-Virus
Found nothing
Ikarus
Found nothing
Kaspersky Anti-Virus
Found nothing
NOD32
Found nothing
Norman Virus Control
Found nothing
Panda Antivirus
Found nothing
Quick Heal
Found nothing
Sophos Antivirus
Found nothing
VirusBuster
Found nothing
VBA32
Found nothing



The internet seems to be loading quite a bit faster, but it still seems a little slow. I am no longer getting as many popup messages about changes from SpyBot. However, when my computer reboots, it always goes to that black menu (the one that you could choose safe mode from) and then auto selects to run in the normal mode. I am no longer getting randomly alt tabbed though, which is very nice.

#12 Buckeye_Sam

Buckeye_Sam

    Malware Expert


  • Members
  • 17,382 posts
  • OFFLINE
  • Gender:Male
  • Location:Pickerington, Ohio
  • Local time:11:07 AM

Posted 02 May 2009 - 04:29 PM

Right click on My Computer and select Properties.
Select the Advanced tab
Go down to the Startup and Recovery section and click on the Settings button.
Find "Time to display list of operating systems" and change it to a shorter period of time.
You can set it to 0 and you shouldn't even see that black menu on startup.


The infection you had is very difficult to remove, so I'd like to have you run one more virus scan just to make sure we have the all clear.

Please do an online scan with Kaspersky WebScanner.
  • Please visit the Kaspersky Online Scanner website.
  • Click on the Accept button and install any components it needs.
  • The program will install and then begin downloading the latest definition files.
  • After the files have been downloaded on the left side of the page in the Scan section select My Computer
  • This will start the program and scan your system.
  • The scan will take a while, so be patient and let it run.
  • Once the scan is complete, click on View scan report
  • Now, click on the Save Report as button.
  • Save the file to your desktop.
  • Copy and paste that information in your next post.

If I have helped you in any way, please consider a donation to help me continue the fight against malware.


Failing to respond back to the person that is giving up their own time to help you not only is insensitive and disrespectful, but it guarantees that you will never receive help from me again. Please thank your helpers and there will always be help here when you need it!


========================================================

#13 MayGyver

MayGyver
  • Topic Starter

  • Members
  • 41 posts
  • OFFLINE
  • Local time:12:07 PM

Posted 02 May 2009 - 05:06 PM

I got an error when trying to update on the Kaspersky site:

"Update has failed. Program has failed to start. Close the Kaspersky Online Scanner 7.0 window and open it again to install the program.



You must be online to update the Kaspersky Online Scanner 7.0 database. With the latest database updates, you can find new viruses and other threats. Please go online to use Kaspersky Online Scanner 7.0. [ERROR: Invalid file signature]"

#14 Buckeye_Sam

Buckeye_Sam

    Malware Expert


  • Members
  • 17,382 posts
  • OFFLINE
  • Gender:Male
  • Location:Pickerington, Ohio
  • Local time:11:07 AM

Posted 02 May 2009 - 05:19 PM

Try this one instead.

Please run a free online scan with the ESET Online Scanner
Note: You will need to use Internet Explorer for this scan
  • Tick the box next to YES, I accept the Terms of Use
  • Click Start
  • When asked, allow the ActiveX control to install
  • Click Start
  • Make sure that the options Remove found threats and Scan unwanted applications are checked
  • Click Scan (This scan can take several hours, so please be patient)
  • Once the scan is completed, you may close the window
  • Use Notepad to open the logfile located at C:\Program Files\EsetOnlineScanner\log.txt
  • Copy and paste that log as a reply to this topic



========================================================

#15 MayGyver

MayGyver
  • Topic Starter

  • Members
  • 41 posts
  • OFFLINE
  • Local time:12:07 PM

Posted 02 May 2009 - 11:22 PM

# version=4
# OnlineScanner.ocx=1.0.0.635
# OnlineScannerDLLA.dll=1, 0, 0, 79
# OnlineScannerDLLW.dll=1, 0, 0, 78
# OnlineScannerUninstaller.exe=1, 0, 0, 49
# vers_standard_module=4049 (20090501)
# vers_arch_module=1.064 (20080214)
# vers_adv_heur_module=1.066 (20070917)
# EOSSerial=f857bd574da30340a38ff2005e464837
# end=finished
# remove_checked=true
# unwanted_checked=true
# utc_time=2009-05-03 03:24:26
# local_time=2009-05-02 11:24:26 (-0500, Eastern Daylight Time)
# country="United States"
# osver=5.1.2600 NT Service Pack 2
# scanned=567825
# found=57
# scan_time=17393
C:\Documents and Settings\Alex May\DoctorWeb\Quarantine\A0130023.dll Win32/Olmarik.HJ trojan (unable to clean - deleted) 00000000000000000000000000000000
C:\Documents and Settings\Alex May\DoctorWeb\Quarantine\ovfsthhlxqsbtdvjdpyldekbtinsgfyaiuarol.dll.vir Win32/Olmarik.HJ trojan (unable to clean - deleted) 00000000000000000000000000000000
C:\Qoobox\Quarantine\C\WINDOWS\system32\adeeg.ini2.vir Win32/Adware.Virtumonde.NEO~datafile application (unable to clean - deleted) 00000000000000000000000000000000
C:\Qoobox\Quarantine\C\WINDOWS\system32\aprpklcr.ini.vir Win32/Adware.Virtumonde.NEO~datafile application (unable to clean - deleted) 00000000000000000000000000000000
C:\Qoobox\Quarantine\C\WINDOWS\system32\bbadd.ini2.vir Win32/Adware.Virtumonde.NEO~datafile application (unable to clean - deleted) 00000000000000000000000000000000
C:\Qoobox\Quarantine\C\WINDOWS\system32\dpjhklwa.ini.vir Win32/Adware.Virtumonde.NEO~datafile application (unable to clean - deleted) 00000000000000000000000000000000
C:\Qoobox\Quarantine\C\WINDOWS\system32\fhgbbpbk.ini.vir Win32/Adware.Virtumonde.NEO~datafile application (unable to clean - deleted) 00000000000000000000000000000000
C:\Qoobox\Quarantine\C\WINDOWS\system32\fhhkj.ini.vir Win32/Adware.Virtumonde.NEO~datafile application (unable to clean - deleted) 00000000000000000000000000000000
C:\Qoobox\Quarantine\C\WINDOWS\system32\fhhkj.ini2.vir Win32/Adware.Virtumonde.NEO~datafile application (unable to clean - deleted) 00000000000000000000000000000000
C:\Qoobox\Quarantine\C\WINDOWS\system32\fntmfdwj.ini.vir Win32/Adware.Virtumonde.NEO~datafile application (unable to clean - deleted) 00000000000000000000000000000000
C:\Qoobox\Quarantine\C\WINDOWS\system32\hjyerakg.ini.vir Win32/Adware.Virtumonde.NEO~datafile application (unable to clean - deleted) 00000000000000000000000000000000
C:\Qoobox\Quarantine\C\WINDOWS\system32\jybmjpoq.ini.vir Win32/Adware.Virtumonde.NEO~datafile application (unable to clean - deleted) 00000000000000000000000000000000
C:\Qoobox\Quarantine\C\WINDOWS\system32\kkmcpojf.ini.vir Win32/Adware.Virtumonde.NEO~datafile application (unable to clean - deleted) 00000000000000000000000000000000
C:\Qoobox\Quarantine\C\WINDOWS\system32\mcfbsqcn.ini.vir Win32/Adware.Virtumonde.NEO~datafile application (unable to clean - deleted) 00000000000000000000000000000000
C:\Qoobox\Quarantine\C\WINDOWS\system32\mmllm.ini.vir Win32/Adware.Virtumonde.NEO~datafile application (unable to clean - deleted) 00000000000000000000000000000000
C:\Qoobox\Quarantine\C\WINDOWS\system32\mmllm.ini2.vir Win32/Adware.Virtumonde.NEO~datafile application (unable to clean - deleted) 00000000000000000000000000000000
C:\Qoobox\Quarantine\C\WINDOWS\system32\nkbxgqls.ini.vir Win32/Adware.Virtumonde.NEO~datafile application (unable to clean - deleted) 00000000000000000000000000000000
C:\Qoobox\Quarantine\C\WINDOWS\system32\onpitjwe.ini.vir Win32/Adware.Virtumonde.NEO~datafile application (unable to clean - deleted) 00000000000000000000000000000000
C:\Qoobox\Quarantine\C\WINDOWS\system32\osqnjdef.ini.vir Win32/Adware.Virtumonde.NEO~datafile application (unable to clean - deleted) 00000000000000000000000000000000
C:\Qoobox\Quarantine\C\WINDOWS\system32\ovfsthjtrirwbyxjcptxhpemyafiukxaokvfud.dll.vir Win32/Olmarik.HJ trojan (unable to clean - deleted) 00000000000000000000000000000000
C:\Qoobox\Quarantine\C\WINDOWS\system32\ovfsthmaqpfuwymdiudhdcchbvhevuvxibrplf.dll.vir Win32/Olmarik.HJ trojan (unable to clean - deleted) 00000000000000000000000000000000
C:\Qoobox\Quarantine\C\WINDOWS\system32\ppqss.ini2.vir Win32/Adware.Virtumonde.NEO~datafile application (unable to clean - deleted) 00000000000000000000000000000000
C:\Qoobox\Quarantine\C\WINDOWS\system32\qjbvnrri.ini.vir Win32/Adware.Virtumonde.NEO~datafile application (unable to clean - deleted) 00000000000000000000000000000000
C:\Qoobox\Quarantine\C\WINDOWS\system32\rfqtlens.ini.vir Win32/Adware.Virtumonde.NEO~datafile application (unable to clean - deleted) 00000000000000000000000000000000
C:\Qoobox\Quarantine\C\WINDOWS\system32\sohuvigo.exe.vir Win32/Adware.Virtumonde.NEU application (unable to clean - deleted) 00000000000000000000000000000000
C:\Qoobox\Quarantine\C\WINDOWS\system32\ttstv.ini.vir Win32/Adware.Virtumonde.NEO~datafile application (unable to clean - deleted) 00000000000000000000000000000000
C:\Qoobox\Quarantine\C\WINDOWS\system32\ttstv.ini2.vir Win32/Adware.Virtumonde.NEO~datafile application (unable to clean - deleted) 00000000000000000000000000000000
C:\Qoobox\Quarantine\C\WINDOWS\system32\uyoexrgx.ini.vir Win32/Adware.Virtumonde.NEO~datafile application (unable to clean - deleted) 00000000000000000000000000000000
C:\Qoobox\Quarantine\C\WINDOWS\system32\vngjqbuk.ini.vir Win32/Adware.Virtumonde.NEO~datafile application (unable to clean - deleted) 00000000000000000000000000000000
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP420\A0130024.dll Win32/Olmarik.HJ trojan (unable to clean - deleted) 00000000000000000000000000000000
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP420\A0130025.dll Win32/Olmarik.HJ trojan (unable to clean - deleted) 00000000000000000000000000000000
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP420\A0130074.ini Win32/Adware.Virtumonde.NEO~datafile application (unable to clean - deleted) 00000000000000000000000000000000
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP420\A0130075.ini Win32/Adware.Virtumonde.NEO~datafile application (unable to clean - deleted) 00000000000000000000000000000000
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP420\A0130076.ini Win32/Adware.Virtumonde.NEO~datafile application (unable to clean - deleted) 00000000000000000000000000000000
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP420\A0130077.ini Win32/Adware.Virtumonde.NEO~datafile application (unable to clean - deleted) 00000000000000000000000000000000
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP420\A0130078.ini Win32/Adware.Virtumonde.NEO~datafile application (unable to clean - deleted) 00000000000000000000000000000000
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP420\A0130079.ini Win32/Adware.Virtumonde.NEO~datafile application (unable to clean - deleted) 00000000000000000000000000000000
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP420\A0130081.ini Win32/Adware.Virtumonde.NEO~datafile application (unable to clean - deleted) 00000000000000000000000000000000
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP420\A0130082.ini Win32/Adware.Virtumonde.NEO~datafile application (unable to clean - deleted) 00000000000000000000000000000000
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP420\A0130083.ini Win32/Adware.Virtumonde.NEO~datafile application (unable to clean - deleted) 00000000000000000000000000000000
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP420\A0130084.ini Win32/Adware.Virtumonde.NEO~datafile application (unable to clean - deleted) 00000000000000000000000000000000
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP420\A0130085.ini Win32/Adware.Virtumonde.NEO~datafile application (unable to clean - deleted) 00000000000000000000000000000000
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP420\A0130086.ini Win32/Adware.Virtumonde.NEO~datafile application (unable to clean - deleted) 00000000000000000000000000000000
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP420\A0130087.ini Win32/Adware.Virtumonde.NEO~datafile application (unable to clean - deleted) 00000000000000000000000000000000
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP420\A0130088.ini Win32/Adware.Virtumonde.NEO~datafile application (unable to clean - deleted) 00000000000000000000000000000000
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP420\A0130089.ini Win32/Adware.Virtumonde.NEO~datafile application (unable to clean - deleted) 00000000000000000000000000000000
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP420\A0130090.ini Win32/Adware.Virtumonde.NEO~datafile application (unable to clean - deleted) 00000000000000000000000000000000
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP420\A0130091.ini Win32/Adware.Virtumonde.NEO~datafile application (unable to clean - deleted) 00000000000000000000000000000000
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP420\A0130093.ini Win32/Adware.Virtumonde.NEO~datafile application (unable to clean - deleted) 00000000000000000000000000000000
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP423\A0132719.exe Win32/Adware.Virtumonde.NEU application (unable to clean - deleted) 00000000000000000000000000000000
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP424\A0134990.EXE Win32/Adware.WBug.A application (deleted) 00000000000000000000000000000000
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP424\A0134990.EXE »WISE »MiniBugTransporter.dll Win32/Adware.WBug.A application (error while cleaning - operation unavailable for this type of object - error while deleting - operation unavailable for this type of object - was a part of the deleted object) 00000000000000000000000000000000
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP424\A0134995.exe Win32/TrojanDownloader.Small.CYF trojan (unable to clean - deleted) 00000000000000000000000000000000
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP424\A0134996.exe Win32/TrojanDownloader.Small.CYF trojan (unable to clean - deleted) 00000000000000000000000000000000
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP427\A0135105.dll Win32/Olmarik.HJ trojan (unable to clean - deleted) 00000000000000000000000000000000
F:\Program Files B\Fraps\Fraps.v2.6.3.WinALL.Retail-D@S.exe probably a variant of Win32/Ciadoor trojan (deleted) 00000000000000000000000000000000
F:\Program Files B\Fraps\Fraps.v2.6.3.WinALL.Retail-D@S.exe »NSIS »fraps.exe probably a variant of Win32/Ciadoor trojan (error while cleaning - operation unavailable for this type of object - error while deleting - operation unavailable for this type of object - was a part of the deleted object) 00000000000000000000000000000000
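A log like the one above is easier to read once it is split into what was found where: hits inside a quarantine folder (Qoobox, DoctorWeb) or a System Restore point are stale copies of files already removed, while hits on ordinary paths are files that were still live. The parser below is an added example written for this thread, not code from the poster, the helper or ESET; the log layout follows the posted log.txt, the sample paths and restore-point GUID are constructed placeholders, and the detection names are the ones reported above.

```python
import re
from collections import Counter

# Constructed sample in the layout of an ESET Online Scanner log.txt: paths are made up
# (restore-point GUID is a placeholder); detection names are the ones in the post above.
SAMPLE_LOG = r"""
# version=4
# end=finished
# found=4
C:\Qoobox\Quarantine\C\WINDOWS\system32\example1.ini.vir Win32/Adware.Virtumonde.NEO~datafile application (unable to clean - deleted) 00000000000000000000000000000000
C:\System Volume Information\_restore{GUID-PLACEHOLDER}\RP420\A0000001.dll Win32/Olmarik.HJ trojan (unable to clean - deleted) 00000000000000000000000000000000
C:\WINDOWS\system32\example2.dll Win32/Olmarik.HJ trojan (unable to clean - deleted) 00000000000000000000000000000000
F:\Tools\setup.exe probably a variant of Win32/Ciadoor trojan (deleted) 00000000000000000000000000000000
""".strip()

HEADER_RE = re.compile(r"^#\s*([\w.]+)=(.*)$")
# <path> <threat name> <type> (<action>) <32 hex digits>; the path may contain spaces,
# so it is matched non-greedily up to the first "Win32/..." threat name.
DETECT_RE = re.compile(
    r"^(?P<path>.+?) (?P<threat>(?:probably a variant of )?Win32/\S+ \w+) "
    r"\((?P<action>[^)]*)\) (?P<hash>[0-9a-f]{32})$"
)

def classify_location(path):
    # Quarantine folders and System Restore points hold stale copies, not active files.
    p = path.lower()
    if "\\system volume information\\_restore" in p:
        return "restore_point"
    if "\\quarantine\\" in p:
        return "quarantine"
    return "live"

def parse_eset_log(text):
    # Return (header dict, list of finding dicts with path/threat/action/hash/location).
    header, findings = {}, []
    for line in text.splitlines():
        if (m := HEADER_RE.match(line)):
            header[m.group(1)] = m.group(2)
        elif (m := DETECT_RE.match(line)):
            finding = m.groupdict()
            finding["location"] = classify_location(finding["path"])
            findings.append(finding)
    return header, findings

def summarize(text):
    # Triage view: does the parsed count match the header, and which hits were live files?
    header, findings = parse_eset_log(text)
    return {
        "declared": int(header.get("found", "0")),
        "parsed": len(findings),
        "by_location": dict(Counter(f["location"] for f in findings)),
        "by_family": dict(Counter(f["threat"] for f in findings)),
        "live_hits": [f["path"] for f in findings if f["location"] == "live"],
    }
```

Run against the real log, `live_hits` is the short list worth a second look; a mismatch between `declared` and `parsed` means a line in an unexpected layout that the regex skipped.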



